DEV: Reuse can_invite_to_forum? in can_invite_to? (#14392)

This commit refactors can_invite_to? to use
can_invite_to_forum? for checking the site-wide permissions and then
perform topic specific checkups.

Similarly, can_invite_to? is always used with a topic object and this is
now enforced.

There was another problem before when `must_approve_users` site setting
was not checked when inviting users to forum, but was checked when
inviting to a topic.

Another minor security issue was that group owners could invite to
group topics even if they did not have the minimum trust level to do
it.
This commit is contained in:
Dan Ungureanu
2021-09-29 17:40:16 +03:00
committed by GitHub
parent 7737d56dd0
commit 76a7b75d8a
4 changed files with 21 additions and 32 deletions

@ -3868,7 +3868,7 @@ RSpec.describe TopicsController do
fab!(:topic) { Fabricate(:topic, user: user) }
it 'should return the right response' do
user.update!(trust_level: TrustLevel[2])
user.update!(trust_level: SiteSetting.min_trust_level_to_allow_invite)
expect do
post "/t/#{topic.id}/invite.json", params: {
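Review bot: The `user.update!` setup at the top of 'should return the right response' now places the user exactly at `SiteSetting.min_trust_level_to_allow_invite`, so the visible example only exercises the allowed side of the boundary. Since the refactor routes the site-wide check through can_invite_to_forum?, a companion example that sets the user one level below the setting and expects the invite to be rejected would pin down the threshold itself. Tying the spec to the setting rather than the hard-coded `TrustLevel[2]` is a good change, as the test no longer depends on the default value.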
@ -3891,6 +3891,10 @@ RSpec.describe TopicsController do
let!(:recipient) { 'jake@adventuretime.ooo' }
before do
user.update!(trust_level: SiteSetting.min_trust_level_to_allow_invite)
end
it "should attach group to the invite" do
post "/t/#{group_private_topic.id}/invite.json", params: {
user: recipient,
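Review bot: The new `before` block raises the user to `SiteSetting.min_trust_level_to_allow_invite` for the group-invite examples, but nothing in the visible lines covers the case the commit message describes as the security issue: a group owner below the minimum trust level inviting to a group topic. Please add a regression example next to "should attach group to the invite" that leaves the owner below the setting, posts to `/t/#{group_private_topic.id}/invite.json`, and expects the request to be denied and no invite to be created. Without it, a later change to can_invite_to? could reintroduce the bypass with this spec still passing.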