From 4f523ae1b9876c3fcf4b0371f924859bdc5a087b Mon Sep 17 00:00:00 2001
From: Neil Lalonde
Date: Wed, 18 Jun 2014 16:46:04 -0400
Subject: [PATCH] Don't allow invites if local logins are disabled, since it provides a way to bypass external auth
---
 lib/guardian.rb | 1 +
 spec/components/guardian_spec.rb | 12 ++++++++++++
 2 files changed, 13 insertions(+)
diff --git a/lib/guardian.rb b/lib/guardian.rb
index bec29dc3f16..42632512706 100644
--- a/lib/guardian.rb
+++ b/lib/guardian.rb
@@ -191,6 +191,7 @@ class Guardian
 def can_invite_to_forum?(groups=nil)
 authenticated? &&
 !SiteSetting.enable_sso &&
+ SiteSetting.enable_local_logins &&
 (
 (!SiteSetting.must_approve_users? && @user.has_trust_level?(:regular)) ||
 is_staff?
diff --git a/spec/components/guardian_spec.rb b/spec/components/guardian_spec.rb
index 45be1d7d936..063bcc74d80 100644
--- a/spec/components/guardian_spec.rb
+++ b/spec/components/guardian_spec.rb
@@ -232,6 +232,12 @@ describe Guardian do
 Guardian.new(user).can_invite_to_forum?.should be_false
 end
+ it 'returns false when the local logins are disabled' do
+ SiteSetting.stubs(:enable_local_logins).returns(false)
+ Guardian.new(user).can_invite_to_forum?.should be_false
+ Guardian.new(moderator).can_invite_to_forum?.should be_false
+ end
+
 end
 describe 'can_invite_to?' do
@@ -256,6 +262,12 @@ describe Guardian do
 Guardian.new(coding_horror).can_invite_to?(topic).should be_false
 end
+ it 'returns false when local logins are disabled' do
+ SiteSetting.stubs(:enable_local_logins).returns(false)
+ Guardian.new(moderator).can_invite_to?(topic).should be_false
+ Guardian.new(user).can_invite_to?(topic).should be_false
+ end
+
 end
 describe 'can_see?' do
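Review bot: The added `SiteSetting.enable_local_logins &&` condition in `can_invite_to_forum?` (lib/guardian.rb) only stops new invites from being issued; nothing in this diff covers invites that were already sent before local logins were switched off. If the redemption path does not check the same setting, an outstanding invite would presumably still produce a locally authenticated account, which is the bypass the commit message describes. It is worth confirming that redemption, and any invite-creation path that does not go through this Guardian method, also rejects when the setting is off. A one-line comment above the condition, e.g. `# invites create local accounts, which would bypass external auth`, would keep the reason next to the check. The method body continues past the end of the hunk.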
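Review bot: The new examples in spec/components/guardian_spec.rb (this `can_invite_to_forum?` hunk and the later `can_invite_to?` hunk) assert only `be_false`, so the `user` assertions may pass for reasons unrelated to the setting if that fixture would not be allowed to invite anyway. Only the `moderator` lines clearly exercise the new condition, through `is_staff?`. Consider pairing each example with a positive assertion under `SiteSetting.stubs(:enable_local_logins).returns(true)`, and adding an admin case if the spec defines such a fixture. The `can_invite_to?` example also relies on that method calling `can_invite_to_forum?`, which this diff does not show.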