FIX: Regular users shouldn't be able to invite to PMs if disabled

2025-06-03 19:39:30 +08:00 · 2017-05-19 12:55:26 -04:00
parent c0c6cb8124
commit 28f486cb7a
2 changed files with 59 additions and 29 deletions
--- a/lib/guardian.rb
+++ b/lib/guardian.rb
@ -232,10 +232,11 @@ class Guardian
  end

  def can_invite_to?(object, group_ids=nil)
-    return false if ! authenticated?
+    return false unless authenticated?
    return true if is_admin?
+    return false unless SiteSetting.enable_private_messages?
    return false if (SiteSetting.max_invites_per_day.to_i == 0 && !is_staff?)
-    return false if ! can_see?(object)
+    return false unless can_see?(object)
    return false if group_ids.present?

    if object.is_a?(Topic) && object.category
--- a/spec/components/guardian_spec.rb
+++ b/spec/components/guardian_spec.rb
@ -330,6 +330,8 @@ describe Guardian do
  end

  describe 'can_invite_to?' do
+
+    describe "regular topics" do
      let(:group) { Fabricate(:group) }
      let(:category) { Fabricate(:category, read_restricted: true) }
      let(:topic) { Fabricate(:topic) }
@ -340,6 +342,7 @@ describe Guardian do
      let(:private_category)  { Fabricate(:private_category, group: group) }
      let(:group_private_topic) { Fabricate(:topic, category: private_category) }
      let(:group_owner) { group_private_topic.user.tap { |u| group.add_owner(u) } }
+      let(:pm) { Fabricate(:topic) }

      it 'handles invitation correctly' do
        expect(Guardian.new(nil).can_invite_to?(topic)).to be_falsey
@ -367,6 +370,32 @@ describe Guardian do
      end
    end

+    describe "private messages" do
+      let(:user) { Fabricate(:user, trust_level: TrustLevel[2]) }
+      let!(:pm) { Fabricate(:private_message_topic, user: user) }
+      let(:admin) { Fabricate(:admin) }
+
+      context "when private messages are disabled" do
+        it "allows an admin to invite to the pm" do
+          expect(Guardian.new(admin).can_invite_to?(pm)).to be_truthy
+          expect(Guardian.new(user).can_invite_to?(pm)).to be_truthy
+        end
+      end
+
+      context "when private messages are disabled" do
+        before do
+          SiteSetting.enable_private_messages = false
+        end
+
+        it "doesn't allow a regular user to invite" do
+          expect(Guardian.new(admin).can_invite_to?(pm)).to be_truthy
+          expect(Guardian.new(user).can_invite_to?(pm)).to be_falsey
+        end
+      end
+    end
+  end
+
+
  describe 'can_invite_via_email?' do
    it 'returns true for all (tl2 and above) users when sso is disabled, local logins are enabled, user approval is not required' do
      expect(Guardian.new(trust_level_2).can_invite_via_email?(topic)).to be_truthy