DEV: Reuse can_invite_to_forum? in can_invite_to? (#14392)

This commit resolves refactors can_invite_to? to use can_invite_to_forum? for checking the site-wide permissions and then perform topic specific checkups. Similarly, can_invite_to? is always used with a topic object and this is now enforced. There was another problem before when `must_approve_users` site setting was not checked when inviting users to forum, but was checked when inviting to a topic. Another minor security issue was that group owners could invite to group topics even if they did not have the minimum trust level to do it.
2025-02-25 18:55:32 -06:00 · 2021-09-29 17:40:16 +03:00
parent 7737d56dd0
commit 76a7b75d8a
4 changed files with 21 additions and 32 deletions
--- a/lib/guardian.rb
+++ b/lib/guardian.rb
@@ -357,33 +357,19 @@ class Guardian
  end

  def can_invite_to_forum?(groups = nil)
-    return false if !authenticated?
-
-    invites_available = SiteSetting.max_invites_per_day.to_i.positive?
-    trust_level_requirement_met = @user.has_trust_level?(SiteSetting.min_trust_level_to_allow_invite.to_i)
-
-    if !is_staff?
-      return false if !invites_available
-      return false if !trust_level_requirement_met
-    end
-
-    if groups.present?
-      return is_admin? || groups.all? { |g| can_edit_group?(g) }
-    end
-
-    true
+    authenticated? &&
+    (is_staff? || !SiteSetting.must_approve_users?) &&
+    (is_staff? || SiteSetting.max_invites_per_day.to_i.positive?) &&
+    (is_staff? || @user.has_trust_level?(SiteSetting.min_trust_level_to_allow_invite.to_i)) &&
+    (is_admin? || groups.blank? || groups.all? { |g| can_edit_group?(g) })
  end

  def can_invite_to?(object, groups = nil)
-    return false unless authenticated?
-    is_topic = object.is_a?(Topic)
-    return true if is_admin? && !is_topic
-    return false if SiteSetting.max_invites_per_day.to_i == 0 && !is_staff?
-    return false if SiteSetting.must_approve_users? && !is_staff?
-    return false unless can_see?(object)
+    return false if !can_invite_to_forum?(groups)
+    return false if !object.is_a?(Topic) || !can_see?(object)
    return false if groups.present?

-    if is_topic
+    if object.is_a?(Topic)
      if object.private_message?
        return true if is_admin?
        return false unless SiteSetting.enable_personal_messages?
@@ -391,19 +377,16 @@ class Guardian
      end

      if (category = object.category) && category.read_restricted
-        if (groups = category.groups&.where(automatic: false))&.any?
-          return groups.any? { |g| can_edit_group?(g) } ? true : false
-        else
-          return false
-        end
+        return category.groups&.where(automatic: false).any? { |g| can_edit_group?(g) }
      end
    end

-    user.has_trust_level?(SiteSetting.min_trust_level_to_allow_invite.to_i)
+    true
  end

  def can_invite_via_email?(object)
-    return false unless can_invite_to?(object)
+    return false if !can_invite_to?(object)
+
    (SiteSetting.enable_local_logins || SiteSetting.enable_discourse_connect) &&
      (!SiteSetting.must_approve_users? || is_staff?)
  end