Added email invite limit (#8664)

* Added email invite limit * change error message for sending too many invitations to instruct them to email us * fix test error message to use variable in locales string * add comment to warn about keeping INVITES_LIMIT low If INVITES_LIMIT is allowed to be greater than MAX_EMAIL_INVITES_BY_USER then the inviter can send more than MAX_EMAIL_INVITES_BY_USER invitations at once.
2025-12-17 14:47:53 +01:00 · 2017-04-12 14:54:35 -06:00
parent 0442b87608
commit 7d42e8fc71
5 changed files with 40 additions and 1 deletions
--- a/test/api/v3/integration/groups/POST-groups_invite.test.js
+++ b/test/api/v3/integration/groups/POST-groups_invite.test.js
@@ -4,9 +4,11 @@ import {
  translate as t,
 } from '../../../../helpers/api-v3-integration.helper';
 import { v4 as generateUUID } from 'uuid';
+import nconf from 'nconf';

 const INVITES_LIMIT = 100;
 const PARTY_LIMIT_MEMBERS = 30;
+const MAX_EMAIL_INVITES_BY_USER = 200;

 describe('Post /groups/:groupId/invite', () => {
  let inviter;
@@ -205,13 +207,37 @@ describe('Post /groups/:groupId/invite', () => {
      });
    });

+    it('returns an error when a user has sent the max number of email invites', async () => {
+      let inviterWithMax = await generateUser({
+        invitesSent: MAX_EMAIL_INVITES_BY_USER,
+        balance: 4,
+      });
+      let tmpGroup = await inviterWithMax.post('/groups', {
+        name: groupName,
+        type: 'guild',
+      });
+
+      await expect(inviterWithMax.post(`/groups/${tmpGroup._id}/invite`, {
+        emails: [testInvite],
+        inviter: 'inviter name',
+      }))
+      .to.eventually.be.rejected.and.eql({
+        code: 401,
+        error: 'NotAuthorized',
+        message: t('inviteLimitReached', {techAssistanceEmail: nconf.get('EMAILS:TECH_ASSISTANCE_EMAIL')}),
+      });
+    });
+
    it('invites a user to a group by email', async () => {
      let res = await inviter.post(`/groups/${group._id}/invite`, {
        emails: [testInvite],
        inviter: 'inviter name',
      });

+      let updatedUser = await inviter.sync();
+
      expect(res).to.exist;
+      expect(updatedUser.invitesSent).to.eql(1);
    });

    it('invites multiple users to a group by email', async () => {
@@ -219,7 +245,10 @@ describe('Post /groups/:groupId/invite', () => {
        emails: [testInvite, {name: 'test2', email: 'test2@habitica.com'}],
      });

+      let updatedUser = await inviter.sync();
+
      expect(res).to.exist;
+      expect(updatedUser.invitesSent).to.eql(2);
    });
  });

--- a/website/common/locales/en/groups.json
+++ b/website/common/locales/en/groups.json
@@ -148,6 +148,7 @@
  "invitationsSent": "Invitations sent!",
  "invitationSent": "Invitation sent!",
  "inviteAlertInfo2": "Or share this link (copy/paste):",
+  "inviteLimitReached": "You have already sent the maximum number of email invitations. We have a limit to prevent spamming, however if you would like more, please contact us at <%= techAssistanceEmail %> and we'll be happy to discuss it!",
  "sendGiftHeading": "Send Gift to <%= name %>",
  "sendGiftGemsBalance": "From <%= number %> Gems",
  "sendGiftCost": "Total: $<%= cost %> USD",
--- a/website/server/controllers/api-v3/groups.js
+++ b/website/server/controllers/api-v3/groups.js
@@ -1,6 +1,7 @@
 import { authWithHeaders } from '../../middlewares/auth';
 import Bluebird from 'bluebird';
 import _ from 'lodash';
+import nconf from 'nconf';
 import {
  model as Group,
  basicFields as basicGroupFields,
@@ -27,6 +28,9 @@ import amzLib from '../../libs/amazonPayments';
 import shared from '../../../common';
 import apiMessages from '../../libs/apiMessages';

+const MAX_EMAIL_INVITES_BY_USER = 200;
+const TECH_ASSISTANCE_EMAIL = nconf.get('EMAILS:TECH_ASSISTANCE_EMAIL');
+
 /**
 * @apiDefine GroupBodyInvalid
 * @apiError (400) {BadRequest} GroupBodyInvalid A parameter in the group body was invalid.
@@ -1056,6 +1060,8 @@ api.inviteToGroup = {

    req.checkParams('groupId', res.t('groupIdRequired')).notEmpty();

+    if (user.invitesSent >= MAX_EMAIL_INVITES_BY_USER) throw new NotAuthorized(res.t('inviteLimitReached', { techAssistanceEmail: TECH_ASSISTANCE_EMAIL }));
+
    let validationErrors = req.validationErrors();
    if (validationErrors) throw validationErrors;

@@ -1079,6 +1085,8 @@ api.inviteToGroup = {

    if (emails) {
      let emailInvites = emails.map((invite) => _inviteByEmail(invite, group, user, req, res));
+      user.invitesSent += emails.length;
+      await user.save();
      let emailResults = await Bluebird.all(emailInvites);
      results.push(...emailResults);
    }
--- a/website/server/models/group.js
+++ b/website/server/models/group.js
@@ -35,7 +35,7 @@ import stripePayments from '../libs/stripePayments';
 const questScrolls = shared.content.quests;
 const Schema = mongoose.Schema;

-export const INVITES_LIMIT = 100;
+export const INVITES_LIMIT = 100; // must not be greater than MAX_EMAIL_INVITES_BY_USER
 export const TAVERN_ID = shared.TAVERN_ID;

 const NO_CHAT_NOTIFICATIONS = [TAVERN_ID];
--- a/website/server/models/user/schema.js
+++ b/website/server/models/user/schema.js
@@ -550,6 +550,7 @@ let schema = new Schema({
  }},
  webhooks: [WebhookSchema],
  loginIncentives: {type: Number, default: 0},
+  invitesSent: {type: Number, default: 0},
 }, {
  strict: true,
  minimize: false, // So empty objects are returned