FIX: Allow staff to view pending/expired invites of other users (#14602)

FIX: Allow staff to view pending/expired invites of other users (#14602)

/u/username/invited.json?filter=expired and /u/username/invited.json?filter=pending APIs are already returning data to admins. However, the can_see_invite_details? boolean was false, which prevented the Ember frontend from showing the tabs correctly. This commit updates the guardian method to match reality.

diff --git a/lib/guardian.rb b/lib/guardian.rb
index e2f7d7d..6932228 100644
--- a/lib/guardian.rb
+++ b/lib/guardian.rb
@@ -353,7 +353,7 @@ class Guardian
   end
 
   def can_see_invite_details?(user)
-    is_me?(user)
+    is_staff? || is_me?(user)
   end
 
   def can_see_invite_emails?(user)
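Review bot: `is_staff? || is_me?(user)` in `can_see_invite_details?` grants the flag to every staff account, while the commit message and the specs speak only of admins. If staff here also covers moderators (the definition of `is_staff?` is outside this hunk), confirm that the invited.json endpoints already return pending/expired invites to moderators, otherwise the flag and the server-side authorization disagree again, this time with the UI promising more than the API allows. If only admins are intended, `is_admin? || is_me?(user)` would match the description. Either way, a short comment above the method such as `# Staff may inspect other users' pending/expired invites; keep in sync with the authorization of the invited.json endpoints` would record the intent. The `can_see_invite_emails?` body that follows is outside the hunk, so whether it applies the same rule cannot be checked from here.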
diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb
index dcd52ee..5a4e860 100644
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -1877,6 +1877,7 @@ describe UsersController do
             invites = response.parsed_body['invites']
             expect(invites.size).to eq(1)
             expect(invites.first).to include("email" => invite.email)
+            expect(response.parsed_body['can_see_invite_details']).to eq(true)
           end
         end
 
@@ -1896,8 +1897,22 @@ describe UsersController do
         end
 
         context 'with permission to see invite links' do
-          it 'returns invites' do
-            inviter = sign_in(Fabricate(:admin))
+          it 'returns own invites' do
+            inviter = sign_in(Fabricate(:user, trust_level: 2))
+            invite = Fabricate(:invite, invited_by: inviter,  email: nil, max_redemptions_allowed: 5, expires_at: 1.month.from_now, emailed_status: Invite.emailed_status_types[:not_required])
+
+            get "/u/#{inviter.username}/invited/pending.json"
+            expect(response.status).to eq(200)
+
+            invites = response.parsed_body['invites']
+            expect(invites.size).to eq(1)
+            expect(invites.first).to include("id" => invite.id)
+            expect(response.parsed_body['can_see_invite_details']).to eq(true)
+          end
+
+          it 'allows admin to see invites' do
+            inviter = Fabricate(:user, trust_level: 2)
+            admin = sign_in(Fabricate(:admin))
             invite = Fabricate(:invite, invited_by: inviter,  email: nil, max_redemptions_allowed: 5, expires_at: 1.month.from_now, emailed_status: Invite.emailed_status_types[:not_required])
 
             get "/u/#{inviter.username}/invited/pending.json"
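Review bot: The new examples cover the owner and an admin, but nothing pins the deny side of this access-control change: a signed-in non-staff user requesting another user's `/invited/pending.json`, and a moderator now that the guardian checks `is_staff?`. I would add an example such as `it 'does not expose invite details to other regular users'` that signs in a second `Fabricate(:user, trust_level: 2)` and asserts on the response, plus one using `Fabricate(:moderator)`; the expected status and body are whatever the controller currently enforces, which is not visible here. Separately, `admin = sign_in(Fabricate(:admin))` assigns a local that is not used in the visible lines, so `sign_in(Fabricate(:admin))` is enough. The 'allows admin to see invites' example continues past this hunk.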
@@ -1906,6 +1921,7 @@ describe UsersController do
             invites = response.parsed_body['invites']
             expect(invites.size).to eq(1)
             expect(invites.first).to include("id" => invite.id)
+            expect(response.parsed_body['can_see_invite_details']).to eq(true)
           end
         end
 

GitHub sha: 567c47036199b33a44d081b83a2c1919ce9477c6

This commit appears in #14602 which was approved by pmusaraj. It was merged by davidtaylorhq.