FIX: check trust level of user creating invite for group (#12993)

FIX: check trust level of user creating invite for group (#12993)

diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
index 4239986..9dc1c43 100644
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -322,6 +322,8 @@ class GroupsController < ApplicationController
       unless current_user.staff?
         RateLimiter.new(current_user, "public_group_membership", 3, 1.minute).performed!
       end
+    elsif !current_user.has_trust_level?(SiteSetting.min_trust_level_to_allow_invite.to_i)
+      raise Discourse::InvalidAccess
     end
 
     emails = []
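Review bot: The added `elsif` branch makes an authorization decision with no comment saying which requests it is meant to cover, and the `if` it belongs to starts above the hunk. As written it raises `Discourse::InvalidAccess` for every request that falls through to this branch, before the `emails = []` handling below it, so it also blocks requests that only name existing users, while the commit title speaks of creating an invite. If that broad scope is intended, say so above the raise, e.g. `# Adding members here can send invites, so require the invite trust level for the whole request.` The rule would also be easier to audit as a single guardian predicate shared with the other invite paths rather than inline in the controller, assuming such a predicate exists.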
diff --git a/spec/requests/groups_controller_spec.rb b/spec/requests/groups_controller_spec.rb
index 110d9a1..1f35f3d 100644
--- a/spec/requests/groups_controller_spec.rb
+++ b/spec/requests/groups_controller_spec.rb
@@ -1211,6 +1211,16 @@ describe GroupsController do
         expect(Topic.last.topic_users.map(&:user_id)).to include(Discourse::SYSTEM_USER_ID, user2.id)
       end
 
+      it 'does not add users without sufficient permission' do
+        sign_in(user)
+        SiteSetting.min_trust_level_to_allow_invite = user.trust_level + 1
+        user2 = Fabricate(:user)
+
+        put "/groups/#{group.id}/members.json", params: { usernames: user2.username }
+
+        expect(response.status).to eq(403)
+      end
+
       context "is able to add several members to a group" do
         fab!(:user1) { Fabricate(:user) }
         fab!(:user2) { Fabricate(:user, username: "UsEr2") }
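Review bot: The new example asserts only that `response.status` is 403, which shows neither that the rejection comes from the trust-level branch nor that membership stayed unchanged. If `user` is not allowed to edit `group` in this context (the setup is outside the hunk), an earlier permission check could return the same 403 and the example would pass without the fix. Add `expect(group.reload.users).not_to include(user2)` after the status check, plus a paired example with `SiteSetting.min_trust_level_to_allow_invite = user.trust_level` that expects success, so the threshold itself is pinned. `user.trust_level + 1` also assumes the fabricated user is below the highest trust level.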

GitHub sha: c473cde9

This commit appears in #12993 which was approved by eviltrout. It was merged by eviltrout.