SECURITY: Require groups to be given when inviting to a restricted category. (#6715)

2025-05-31 02:58:48 +08:00 · 2018-12-05 23:43:07 +08:00
parent 57ba4b7cb2
commit 978f0db109
12 changed files with 309 additions and 195 deletions
--- a/spec/requests/topics_controller_spec.rb
+++ b/spec/requests/topics_controller_spec.rb
@ -2071,14 +2071,46 @@ RSpec.describe TopicsController do
        let(:recipient) { 'jake@adventuretime.ooo' }

        it "should attach group to the invite" do
-
          post "/t/#{group_private_topic.id}/invite.json", params: {
-            user: recipient
+            user: recipient,
+            group_ids: "#{group.id},123"
          }

          expect(response.status).to eq(200)
          expect(Invite.find_by(email: recipient).groups).to eq([group])
        end
+
+        describe 'when group is available to automatic groups only' do
+          before do
+            group.update!(automatic: true)
+          end
+
+          it 'should return the right response' do
+            post "/t/#{group_private_topic.id}/invite.json", params: {
+              user: Fabricate(:user)
+            }
+
+            expect(response.status).to eq(403)
+          end
+        end
+
+        describe 'when user is not part of the required group' do
+          it 'should return the right response' do
+            post "/t/#{group_private_topic.id}/invite.json", params: {
+              user: Fabricate(:user)
+            }
+
+            expect(response.status).to eq(422)
+
+            response_body = JSON.parse(response.body)
+
+            expect(response_body["errors"]).to eq([
+              I18n.t("topic_invite.failed_to_invite",
+                group_names: group.name
+              )
+            ])
+          end
+        end
      end

      describe 'when topic id is invalid' do