Prevent submission of blank invitation, fixes #7807 (#8080)

test/api/v3/integration/groups/POST-groups_invite.test.js

@@ -57,11 +57,28 @@ describe('Post /groups/:groupId/invite', () => {
       });
     });
 
-    it('returns empty when uuids is empty', async () => {
+    it('returns an error when uuids and emails are empty', async () => {
       await expect(inviter.post(`/groups/${group._id}/invite`, {
+        emails: [],
         uuids: [],
       }))
-      .to.eventually.be.empty;
+      .to.eventually.be.rejected.and.eql({
+        code: 400,
+        error: 'BadRequest',
+        message: t('inviteMustNotBeEmpty'),
+      });
+    });
+
+    it('returns an error when uuids is empty and emails is undefined', async () => {
+      await expect(inviter.post(`/groups/${group._id}/invite`, {
+        emails: undefined,
+        uuids: [],
+      }))
+      .to.eventually.be.rejected.and.eql({
+        code: 400,
+        error: 'BadRequest',
+        message: t('inviteMissingUuid'),
+      });
     });
 
     it('returns an error when there are more than INVITES_LIMIT uuids', async () => {
@@ -159,11 +176,16 @@ describe('Post /groups/:groupId/invite', () => {
       });
     });
 
-    it('returns empty when emails is an empty array', async () => {
+    it('returns an error when emails is empty and uuids is undefined', async () => {
       await expect(inviter.post(`/groups/${group._id}/invite`, {
         emails: [],
+        uuids: undefined,
       }))
-      .to.eventually.be.empty;
+      .to.eventually.be.rejected.and.eql({
+        code: 400,
+        error: 'BadRequest',
+        message: t('inviteMissingEmail'),
+      });
     });
 
     it('returns an error when there are more than INVITES_LIMIT emails', async () => {

website/common/locales/en/groups.json

@@ -186,6 +186,8 @@
     "keepOrRemove": "req.query.keep must be either \"keep\" or \"remove\"",
     "canOnlyInviteEmailUuid": "Can only invite using uuids or emails.",
     "inviteMissingEmail": "Missing email address in invite.",
+    "inviteMissingUuid": "Missing user id in invite",
+    "inviteMustNotBeEmpty": "Invite must not be empty.",
     "partyMustbePrivate": "Parties must be private",
     "userAlreadyInGroup": "User already in that group.",
     "cannotInviteSelfToGroup": "You cannot invite yourself to a group.",

website/server/controllers/api-v3/groups.js

@@ -675,29 +675,34 @@ api.inviteToGroup = {
 
     let uuidsIsArray = Array.isArray(uuids);
     let emailsIsArray = Array.isArray(emails);
+    let emptyEmails = emailsIsArray && emails.length < 1;
+    let emptyUuids = uuidsIsArray && uuids.length < 1;
+
 
     if (!uuids && !emails) {
       throw new BadRequest(res.t('canOnlyInviteEmailUuid'));
+    } else if (uuids && !uuidsIsArray) {
+      throw new BadRequest(res.t('uuidsMustBeAnArray'));
+    } else if (emails && !emailsIsArray) {
+      throw new BadRequest(res.t('emailsMustBeAnArray'));
+    } else if (!emails && emptyUuids) {
+      throw new BadRequest(res.t('inviteMissingUuid'));
+    } else if (!uuids && emptyEmails) {
+      throw new BadRequest(res.t('inviteMissingEmail'));
+    } else if (emptyEmails && emptyUuids) {
+      throw new BadRequest(res.t('inviteMustNotBeEmpty'));
     }
 
     let results = [];
     let totalInvites = 0;
 
     if (uuids) {
-      if (!uuidsIsArray) {
-        throw new BadRequest(res.t('uuidsMustBeAnArray'));
-      } else {
       totalInvites += uuids.length;
     }
-    }
 
     if (emails) {
-      if (!emailsIsArray) {
-        throw new BadRequest(res.t('emailsMustBeAnArray'));
-      } else {
       totalInvites += emails.length;
     }
-    }
 
     if (totalInvites > INVITES_LIMIT) {
       throw new BadRequest(res.t('canOnlyInviteMaxInvites', {maxInvites: INVITES_LIMIT}));