From c62242c6b38654b3ebc222a83b8b25749f259098 Mon Sep 17 00:00:00 2001
From: Vinoth Kannan
Date: Thu, 28 Oct 2021 21:03:00 +0530
Subject: [PATCH] FIX: should not receive topic invites from ignored users. (#14746)

Previously, ignored users can send notifications by inviting the ignorer to topics or PMs.
---
 app/models/topic.rb | 27 ++++++++++++++++++++-------
 config/locales/server.en.yml | 1 -
 spec/models/topic_spec.rb | 17 ++++++++++++++---
 3 files changed, 34 insertions(+), 11 deletions(-)

diff --git a/app/models/topic.rb b/app/models/topic.rb
index 2dd6f955fa0..f79a177054e 100644
--- a/app/models/topic.rb
+++ b/app/models/topic.rb
@@ -1022,13 +1022,7 @@ class Topic < ActiveRecord::Base
 raise UserExists.new(I18n.t("topic_invite.user_exists"))
 end

- if MutedUser
- .where(user: target_user, muted_user: invited_by)
- .joins(:muted_user)
- .where('NOT admin AND NOT moderator')
- .exists?
- raise NotAllowed.new(I18n.t("topic_invite.muted_invitee"))
- end
+ ensure_can_invite!(target_user, invited_by)

 if TopicUser
 .where(topic: self,
@@ -1066,6 +1060,22 @@ class Topic < ActiveRecord::Base
 end
 end

+ def ensure_can_invite!(target_user, invited_by)
+ if MutedUser
+ .where(user: target_user, muted_user: invited_by)
+ .joins(:muted_user)
+ .where('NOT admin AND NOT moderator')
+ .exists?
+ raise NotAllowed
+ elsif IgnoredUser
+ .where(user: target_user, ignored_user: invited_by)
+ .joins(:ignored_user)
+ .where('NOT admin AND NOT moderator')
+ .exists?
+ raise NotAllowed
+ end
+ end
+
 def email_already_exists_for?(invite)
 invite.email_already_exists && private_message?
 end
@@ -1733,6 +1743,9 @@ class Topic < ActiveRecord::Base
 end

 def create_invite_notification!(target_user, notification_type, username)
+ invited_by = User.find_by_username(username)
+ ensure_can_invite!(target_user, invited_by)
+
 target_user.notifications.create!(
 notification_type: notification_type,
 topic_id: self.id,
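Review bot: The new `ensure_can_invite!` in the second topic.rb hunk has no comment for two choices a later maintainer could easily undo: staff inviters bypass both checks through `NOT admin AND NOT moderator`, and `NotAllowed` is now raised without a message. The locale hunk deletes `topic_invite.muted_invitee`, so the generic error presumably exists to avoid telling the inviter that they were muted or ignored; if that is the intent it should be written down. I would add above the method `# Raises NotAllowed when target_user has muted or ignored invited_by; staff inviters are exempt.` and `# Raised without a message so the inviter cannot tell which list they are on.` The two branches differ only in model and association name, so a short note that they must stay in step would help too.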
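Review bot: The guard added to `create_invite_notification!` in the third topic.rb hunk fails open when `User.find_by_username(username)` returns nil. `ensure_can_invite!(target_user, nil)` then filters on a NULL inviter id, the join matches no row, `exists?` is false, and the notification is created as before. If a nil inviter is never expected here, say so in code with `raise NotAllowed if invited_by.nil?` before the call, or have the callers pass the inviting user object rather than re-resolving the username. The callers and the rest of this method are outside the hunk, so it is not visible whether they have already changed state by the time this raises; it is worth confirming those call sites are transactional.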
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index ae51ce98382..ce1740ea64a 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -270,7 +270,6 @@ en:
 topic_invite:
 failed_to_invite: "The user cannot be invited into this topic without a group membership in either one of the following groups: %{group_names}."
 user_exists: "Sorry, that user has already been invited. You may only invite a user to a topic once."
- muted_invitee: "Sorry, that user muted you."
 muted_topic: "Sorry, that user muted this topic."
 receiver_does_not_allow_pm: "Sorry, that user does not allow you to send them private messages."
 sender_does_not_allow_pm: "Sorry, you do not allow that user to send you private messages."
diff --git a/spec/models/topic_spec.rb b/spec/models/topic_spec.rb
index e356d11d19a..20d1721a8c7 100644
--- a/spec/models/topic_spec.rb
+++ b/spec/models/topic_spec.rb
@@ -711,12 +711,23 @@ describe Topic do
 end

 context "from a muted user" do
- before { MutedUser.create!(user: another_user, muted_user: user) }
+ before { Fabricate(:muted_user, user: another_user, muted_user: user) }

- it 'fails with an error message' do
+ it 'fails with an error' do
+ expect { topic.invite(user, another_user.username) }
+ .to raise_error(Topic::NotAllowed)
+ expect(topic.allowed_users).to_not include(another_user)
+ expect(Post.last).to be_blank
+ expect(Notification.last).to be_blank
+ end
+ end
+
+ context "from a ignored user" do
+ before { Fabricate(:ignored_user, user: another_user, ignored_user: user) }
+
+ it 'fails with an error' do
 expect { topic.invite(user, another_user.username) }
 .to raise_error(Topic::NotAllowed)
- .with_message(I18n.t("topic_invite.muted_invitee"))
 expect(topic.allowed_users).to_not include(another_user)
 expect(Post.last).to be_blank
 expect(Notification.last).to be_blank
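Review bot: The new ignored-user context in the topic_spec.rb hunk covers only rejection through `topic.invite`; nothing visible here exercises the staff exemption on the `IgnoredUser` branch or the guard added to `create_invite_notification!`. A regression that dropped either one would still pass these examples. I would add an example where `user` is a moderator or admin and the invite is expected to succeed, plus one that calls `create_invite_notification!` directly for an ignored inviter. Equivalent coverage may exist outside the hunk, since the enclosing `describe` extends beyond it. The context title should also read `context "from an ignored user" do`.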