SECURITY: verify that inviter can invite new user to a topic
@ -93,9 +93,11 @@ class InvitesController < ApplicationController
|
|||||||
group_ids: params[:group_ids],
|
group_ids: params[:group_ids],
|
||||||
group_names: params[:group_names]
|
group_names: params[:group_names]
|
||||||
)
|
)
|
||||||
|
|
||||||
guardian.ensure_can_invite_to_forum!(groups)
|
guardian.ensure_can_invite_to_forum!(groups)
|
||||||
|
|
||||||
topic = Topic.find_by(id: params[:topic_id])
|
topic = Topic.find_by(id: params[:topic_id])
|
||||||
|
guardian.ensure_can_invite_to!(topic) if topic.present?
|
||||||
|
|
||||||
group_ids = groups.map(&:id)
|
group_ids = groups.map(&:id)
|
||||||
|
|
||||||
invite_exists = Invite.where(email: params[:email], invited_by_id: current_user.id).first
|
invite_exists = Invite.where(email: params[:email], invited_by_id: current_user.id).first
|
||||||
|
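Review bot: The added `guardian.ensure_can_invite_to!(topic) if topic.present?` only fires when the lookup on the line above finds a row, so a `topic_id` that does not resolve (wrong id, or a topic `find_by` does not see) silently turns the request into a forum-wide invite instead of an error. If that fallback is intended it deserves a comment, e.g. `# an unresolvable topic_id degrades to a forum-level invite, which ensure_can_invite_to_forum! already covers`; otherwise answer with a not-found response before continuing. The enclosing action starts and ends outside the hunk, so what is later done with a nil `topic` is not visible here.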
@ -138,7 +138,7 @@ class Invite < ActiveRecord::Base
|
|||||||
invite.invited_groups.create!(group_id: group_id)
|
invite.invited_groups.create!(group_id: group_id)
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
if topic && topic.category # && Guardian.new(invited_by).can_invite_to?(topic)
|
if topic && topic.category && Guardian.new(invited_by).can_invite_to?(topic)
|
||||||
group_ids = topic.category.groups.pluck(:id) - invite.invited_groups.pluck(:group_id)
|
group_ids = topic.category.groups.pluck(:id) - invite.invited_groups.pluck(:group_id)
|
||||||
group_ids.each { |group_id| invite.invited_groups.create!(group_id: group_id) }
|
group_ids.each { |group_id| invite.invited_groups.create!(group_id: group_id) }
|
||||||
end
|
end
|
||||||
|
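Review bot: Un-commenting the `Guardian.new(invited_by).can_invite_to?(topic)` condition makes an unauthorized inviter fall through silently: the invite is still created, it just receives none of the category's groups (the new model spec pins exactly that outcome). That is defensible as defence in depth behind the controller check, but nothing in the code says so; a comment on the `if` line such as `# an inviter who cannot see the topic gets a plain invite, never the category's groups` would keep a later reader from turning it into a raise or dropping it as redundant. The condition only guards the group grant; whether the invite is still associated with the topic for such an inviter is decided outside this hunk, so callers of this method other than the controller are worth checking against that. The enclosing method starts and ends outside the hunk.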
@ -164,6 +164,19 @@ describe InvitesController do
|
|||||||
expect(response).not_to be_success
|
expect(response).not_to be_success
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "verifies that inviter is authorized to invite new user to a group-private topic" do
|
||||||
|
group = Fabricate(:group)
|
||||||
|
private_category = Fabricate(:private_category, group: group)
|
||||||
|
group_private_topic = Fabricate(:topic, category: private_category)
|
||||||
|
log_in(:trust_level_4)
|
||||||
|
|
||||||
|
post :create_invite_link, params: {
|
||||||
|
email: email, topic_id: group_private_topic.id
|
||||||
|
}, format: :json
|
||||||
|
|
||||||
|
expect(response).not_to be_success
|
||||||
|
end
|
||||||
|
|
||||||
it "allows admins to invite to groups" do
|
it "allows admins to invite to groups" do
|
||||||
group = Fabricate(:group)
|
group = Fabricate(:group)
|
||||||
log_in(:admin)
|
log_in(:admin)
|
||||||
|
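Review bot: The new example `it "verifies that inviter is authorized to invite new user to a group-private topic"` asserts only `expect(response).not_to be_success`, which a 500 from a typo in the controller or a missing fixture would satisfy just as well; assert the access-denied status the guardian produces and that nothing was written, e.g. `expect(Invite.where(email: email).count).to eq(0)` after the existing expectation. A positive counterpart — the same trust-level-4 user succeeding once added to the group with `group.add_owner(...)` — would show the check is scoped to topic visibility rather than blanket-rejecting topic invites. The `email` helper used in the params is defined outside the hunk.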
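--- a/[invite spec path not shown on page]
+++ b/[invite spec path not shown on page]
@@ -141,6 +141,7 @@ describe Invite do
 let(:inviter) { group_private_topic.user }
 
 before do
+group.add_owner(inviter)
 @invite = group_private_topic.invite_by_email(inviter, iceking)
 end
 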
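Review bot: `group.add_owner(inviter)` in the `before` block is an unexplained prerequisite for the `expect(@invite.groups).to eq([group])` expectation the next hunk keeps; a reader will not know why the topic's author must also own the group. Suggest `# inviter must be able to see the group-private topic, otherwise the invite carries no groups` above it. Owner is presumably more than the visibility check needs — plain membership would likely do — which is worth confirming so the spec does not overstate the requirement.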
@ -154,6 +155,13 @@ describe Invite do
|
|||||||
expect(@invite.groups).to eq([group])
|
expect(@invite.groups).to eq([group])
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it 'verifies that inviter is authorized to invite user to a topic' do
|
||||||
|
tl2_user = Fabricate(:user, trust_level: 2)
|
||||||
|
|
||||||
|
invite = group_private_topic.invite_by_email(tl2_user, 'foo@bar.com')
|
||||||
|
expect(invite.groups.count).to eq(0)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'an existing user' do
|
context 'an existing user' do
|
||||||
|
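Review bot: The new `it 'verifies that inviter is authorized to invite user to a topic'` example checks only `expect(invite.groups.count).to eq(0)`, so it pins the silent-downgrade behaviour (invite created, groups withheld) rather than a rejection, and the example name promises more than that; `expect(invite.groups).to be_empty` also reads the intent better than a count. It never asserts that the invite was persisted, so a method returning an unsaved record would pass; add `expect(invite).to be_persisted` if that is the contract. Whether the invite is still linked to the group-private topic for this inviter is not asserted either, and that is the property the name describes.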