SECURITY: Any group can be invited into a PM.

2025-02-25 18:55:32 -06:00 · 2017-12-14 10:53:21 +08:00
parent 14cfce2827
commit f2565f6c7e
8 changed files with 97 additions and 9 deletions
--- a/spec/components/guardian_spec.rb
+++ b/spec/components/guardian_spec.rb
@@ -211,12 +211,30 @@ describe Guardian do
      it "returns true if target is a staff group" do
        Group::STAFF_GROUPS.each do |name|
          g = Group[name]
-          g.messageable_level = Group::ALIAS_LEVELS[:everyone]
+          g.update!(messageable_level: Group::ALIAS_LEVELS[:everyone])
          expect(Guardian.new(user).can_send_private_message?(g)).to be_truthy
        end
      end
    end

+    it "respects the group's messageable_level" do
+      group = Fabricate(:group)
+
+      Group::ALIAS_LEVELS.each do |level, _|
+        group.update!(messageable_level: Group::ALIAS_LEVELS[level])
+        output = level == :everyone ? true : false
+
+        expect(Guardian.new(user).can_send_private_message?(group)).to eq(output)
+      end
+
+      admin = Fabricate(:admin)
+
+      Group::ALIAS_LEVELS.each do |level, _|
+        group.update!(messageable_level: Group::ALIAS_LEVELS[level])
+        expect(Guardian.new(admin).can_send_private_message?(group)).to eq(true)
+      end
+    end
+
    context 'target user has private message disabled' do
      before do
        another_user.user_option.update!(allow_private_messages: false)
--- a/spec/components/post_creator_spec.rb
+++ b/spec/components/post_creator_spec.rb
@@ -765,7 +765,7 @@ describe PostCreator do
    let(:target_user1) { Fabricate(:coding_horror) }
    let(:target_user2) { Fabricate(:moderator) }
    let(:group) do
-      g = Fabricate.build(:group)
+      g = Fabricate.build(:group, messageable_level: Group::ALIAS_LEVELS[:everyone])
      g.add(target_user1)
      g.add(target_user2)
      g.save
@@ -773,10 +773,12 @@ describe PostCreator do
    end
    let(:unrelated) { Fabricate(:user) }
    let(:post) do
-      PostCreator.create(user, title: 'hi there welcome to my topic',
-                               raw: "this is my awesome message @#{unrelated.username_lower}",
-                               archetype: Archetype.private_message,
-                               target_group_names: group.name)
+      PostCreator.create!(user,
+        title: 'hi there welcome to my topic',
+        raw: "this is my awesome message @#{unrelated.username_lower}",
+        archetype: Archetype.private_message,
+        target_group_names: group.name
+      )
    end

    it 'can post to a group correctly' do
--- a/spec/requests/topics_controller_spec.rb
+++ b/spec/requests/topics_controller_spec.rb
@@ -158,4 +158,59 @@ RSpec.describe TopicsController do
      end
    end
  end
+
+  describe 'invite_group' do
+    let(:admins) { Group[:admins] }
+    let(:pm) { Fabricate(:private_message_topic) }
+
+    def invite_group(topic, expected_status)
+      post "/t/#{topic.id}/invite-group.json", params: { group: admins.name }
+      expect(response.status).to eq(expected_status)
+    end
+
+    before do
+      admins.update!(messageable_level: Group::ALIAS_LEVELS[:everyone])
+    end
+
+    describe 'as an anon user' do
+      it 'should be forbidden' do
+        invite_group(pm, 403)
+      end
+    end
+
+    describe 'as a normal user' do
+      let!(:user) { sign_in(Fabricate(:user)) }
+
+      describe 'when user does not have permission to view the topic' do
+        it 'should be forbidden' do
+          invite_group(pm, 403)
+        end
+      end
+
+      describe 'when user has permission to view the topic' do
+        before do
+          pm.allowed_users << user
+        end
+
+        it 'should allow user to invite group to topic' do
+          invite_group(pm, 200)
+          expect(pm.allowed_groups.first.id).to eq(admins.id)
+        end
+      end
+    end
+
+    describe 'as an admin user' do
+      let!(:admin) { sign_in(Fabricate(:admin)) }
+
+      it "disallows inviting a group to a topic" do
+        topic = Fabricate(:topic)
+        invite_group(topic, 422)
+      end
+
+      it "allows inviting a group to a PM" do
+        invite_group(pm, 200)
+        expect(pm.allowed_groups.first.id).to eq(admins.id)
+      end
+    end
+  end
 end
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -278,7 +278,7 @@ RSpec.describe UsersController do
          }

          expect(response).to be_success
-          expect(JSON.parse(response.body)["groups"].first['name']).to eq(messageable_group.name)
+          expect(JSON.parse(response.body)["groups"].last['name']).to eq(messageable_group.name)
        end

        it 'searches for mentionable groups' do
--- a/spec/support/integration_helpers.rb
+++ b/spec/support/integration_helpers.rb
@@ -29,5 +29,6 @@ module IntegrationHelpers
    Fabricate(:email_token, confirmed: true, user: user)
    post "/session.json", params: { login: user.username, password: password }
    expect(response).to be_success
+    user
  end
 end