FIX: check for inviter group permissions at the time of redeeming invite

FIX: check for inviter group permissions at the time of redeeming invite

diff --git a/app/models/invite_redeemer.rb b/app/models/invite_redeemer.rb
index ad49c18..997d970 100644
--- a/app/models/invite_redeemer.rb
+++ b/app/models/invite_redeemer.rb
@@ -128,10 +128,14 @@ InviteRedeemer = Struct.new(:invite, :email, :username, :name, :password, :user_
   end
 
   def add_user_to_groups
+    guardian = Guardian.new(invite.invited_by)
     new_group_ids = invite.groups.pluck(:id) - invited_user.group_users.pluck(:group_id)
     new_group_ids.each do |id|
-      invited_user.group_users.create!(group_id: id)
-      DiscourseEvent.trigger(:user_added_to_group, invited_user, Group.find_by(id: id), automatic: false)
+      group = Group.find_by(id: id)
+      if guardian.can_edit_group?(group)
+        invited_user.group_users.create!(group_id: group.id)
+        DiscourseEvent.trigger(:user_added_to_group, invited_user, group, automatic: false)
+      end
     end
   end
 
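Review bot: The guard added at line 19 silently skips a group when the inviter cannot edit it, so the invitee ends up in fewer groups than the invite promised and nothing records why; an `else` branch with `Rails.logger.warn("invite #{invite.id}: inviter lacks permission to add user to group #{id}")` would make a partially applied redemption diagnosable. The loop still plucks ids and re-fetches each group with `Group.find_by(id: id)`, which presumably returns nil if an InvitedGroup row outlives its group (inferred, not visible here), and `guardian.can_edit_group?(nil)` would then likely raise rather than skip; iterating the association directly avoids both the per-iteration query and the nil case, e.g. `invite.groups.where.not(id: invited_user.group_users.pluck(:group_id)).each do |group|`. Since the check now runs against `invite.invited_by` at redemption time rather than at invite creation, a short comment above the guard stating that deliberately, such as `# inviter's group rights are re-checked when the invite is redeemed, not when it was created`, would stop a future reader from moving it.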
diff --git a/spec/models/invite_redeemer_spec.rb b/spec/models/invite_redeemer_spec.rb
index d29c9b6..fd3d52c 100644
--- a/spec/models/invite_redeemer_spec.rb
+++ b/spec/models/invite_redeemer_spec.rb
@@ -144,9 +144,19 @@ describe InviteRedeemer do
       expect(user.custom_fields["user_field_#{optional_field.id}"]).to eq('value2')
     end
 
+    it "does not add user to group if inviter does not have permissions" do
+      group = Fabricate(:group, grant_trust_level: 2)
+      InvitedGroup.create(group_id: group.id, invite_id: invite.id)
+      user = InviteRedeemer.new(invite: invite, email: invite.email, username: username, name: name, password: password).redeem
+
+      expect(user.group_users.count).to eq(0)
+    end
+
     it "adds user to group" do
       group = Fabricate(:group, grant_trust_level: 2)
       InvitedGroup.create(group_id: group.id, invite_id: invite.id)
+      group.add_owner(invite.invited_by)
+
       user = InviteRedeemer.new(invite: invite, email: invite.email, username: username, name: name, password: password).redeem
 
       expect(user.group_users.count).to eq(4)
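Review bot: The new example at line 34 asserts only that `user.group_users.count` is 0, which pins the user's total membership count rather than the behaviour under test; asserting on the specific group, `expect(user.group_users.where(group_id: group.id)).to be_empty`, keeps the example meaningful if automatic group memberships change. The positive example at line 42 now exercises only the group-owner path; if the guardian also allows admins (not visible in this page), an admin inviter would be a worthwhile second case. The enclosing `describe InviteRedeemer` block starts outside the hunk.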
diff --git a/spec/models/invite_spec.rb b/spec/models/invite_spec.rb
index bd896e0..047b58c 100644
--- a/spec/models/invite_spec.rb
+++ b/spec/models/invite_spec.rb
@@ -306,6 +306,7 @@ describe Invite do
     context "when inviting to groups" do
       it "add the user to the correct groups" do
         group = Fabricate(:group)
+        group.add_owner(invite.invited_by)
         invite.invited_groups.build(group_id: group.id)
         invite.save
 

GitHub sha: a94387c0
