FIX: Do not require trust level to invite to group (#13230)

It used to require SiteSetting.min_trust_level_to_allow_invite to invite a user to a group, even if the user existed and the inviter was a group owner.
2021-06-02 16:28:21 +03:00 · 2021-06-02 16:28:21 +03:00 · d2135b23c4
parent 9d6780f03d
commit d2135b23c4
2 changed files with 11 additions and 5 deletions
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@ -328,8 +328,6 @@ class GroupsController < ApplicationController
      unless current_user.staff?
        RateLimiter.new(current_user, "public_group_membership", 3, 1.minute).performed!
      end
-    elsif !current_user.has_trust_level?(SiteSetting.min_trust_level_to_allow_invite.to_i)
-      raise Discourse::InvalidAccess
    end

    emails = []
@ -340,6 +338,8 @@ class GroupsController < ApplicationController
      end
    end

+    guardian.ensure_can_invite_to_forum!([group]) if emails.present?
+
    if users.empty? && emails.empty?
      raise Discourse::InvalidParameters.new(I18n.t("groups.errors.usernames_or_emails_required"))
    end
--- a/spec/requests/groups_controller_spec.rb
+++ b/spec/requests/groups_controller_spec.rb
@ -1212,12 +1212,18 @@ describe GroupsController do
      end

      it 'does not add users without sufficient permission' do
+        group.add_owner(user)
        sign_in(user)
-        SiteSetting.min_trust_level_to_allow_invite = user.trust_level + 1
-        user2 = Fabricate(:user)

-        put "/groups/#{group.id}/members.json", params: { usernames: user2.username }
+        put "/groups/#{group.id}/members.json", params: { usernames: Fabricate(:user).username }
+        expect(response.status).to eq(200)
+      end

+      it 'does not send invites if user cannot invite' do
+        group.add_owner(user)
+        sign_in(user)
+
+        put "/groups/#{group.id}/members.json", params: { emails: "test@example.com" }
        expect(response.status).to eq(403)
      end