prevent a user with no chat privileges from inviting any player to a guild or party (#10194)

This is because they could use private group chat messages to bypass the restriction on talking to other players.
2025-12-14 21:27:23 +01:00 · 2018-03-31 21:29:08 +10:00
parent 08d07cdd67
commit df69208caa
3 changed files with 56 additions and 0 deletions
--- a/test/api/v3/integration/groups/POST-groups_invite.test.js
+++ b/test/api/v3/integration/groups/POST-groups_invite.test.js
@@ -24,6 +24,19 @@ describe('Post /groups/:groupId/invite', () => {
  });

  describe('user id invites', () => {
+    it('returns an error when inviter has no chat privileges', async () => {
+      let inviterMuted = await inviter.update({'flags.chatRevoked': true});
+      let userToInvite = await generateUser();
+      await expect(inviterMuted.post(`/groups/${group._id}/invite`, {
+        uuids: [userToInvite._id],
+      }))
+        .to.eventually.be.rejected.and.eql({
+          code: 401,
+          error: 'NotAuthorized',
+          message: t('cannotInviteWhenMuted'),
+        });
+    });
+
    it('returns an error when invited user is not found', async () => {
      let fakeID = generateUUID();

@@ -160,6 +173,19 @@ describe('Post /groups/:groupId/invite', () => {
  describe('email invites', () => {
    let testInvite = {name: 'test', email: 'test@habitica.com'};

+    it('returns an error when inviter has no chat privileges', async () => {
+      let inviterMuted = await inviter.update({'flags.chatRevoked': true});
+      await expect(inviterMuted.post(`/groups/${group._id}/invite`, {
+        emails: [testInvite],
+        inviter: 'inviter name',
+      }))
+        .to.eventually.be.rejected.and.eql({
+          code: 401,
+          error: 'NotAuthorized',
+          message: t('cannotInviteWhenMuted'),
+        });
+    });
+
    it('returns an error when invite is missing an email', async () => {
      await expect(inviter.post(`/groups/${group._id}/invite`, {
        emails: [{name: 'test'}],
@@ -321,6 +347,19 @@ describe('Post /groups/:groupId/invite', () => {
  });

  describe('guild invites', () => {
+    it('returns an error when inviter has no chat privileges', async () => {
+      let inviterMuted = await inviter.update({'flags.chatRevoked': true});
+      let userToInvite = await generateUser();
+      await expect(inviterMuted.post(`/groups/${group._id}/invite`, {
+        uuids: [userToInvite._id],
+      }))
+        .to.eventually.be.rejected.and.eql({
+          code: 401,
+          error: 'NotAuthorized',
+          message: t('cannotInviteWhenMuted'),
+        });
+    });
+
    it('returns an error when invited user is already invited to the group', async () => {
      let userToInvite = await generateUser();
      await inviter.post(`/groups/${group._id}/invite`, {
@@ -398,6 +437,19 @@ describe('Post /groups/:groupId/invite', () => {
      });
    });

+    it('returns an error when inviter has no chat privileges', async () => {
+      let inviterMuted = await inviter.update({'flags.chatRevoked': true});
+      let userToInvite = await generateUser();
+      await expect(inviterMuted.post(`/groups/${party._id}/invite`, {
+        uuids: [userToInvite._id],
+      }))
+        .to.eventually.be.rejected.and.eql({
+          code: 401,
+          error: 'NotAuthorized',
+          message: t('cannotInviteWhenMuted'),
+        });
+    });
+
    it('returns an error when invited user has a pending invitation to the party', async () => {
      let userToInvite = await generateUser();
      await inviter.post(`/groups/${party._id}/invite`, {