prevent a user with no chat privileges from inviting any player to a guild or party (#10194)

This is needed because such a user could otherwise use private group chat
messages to bypass the restriction on talking to other players.
Alys
2018-03-31 21:29:08 +10:00
committed by Matteo Pagliazzi
parent 08d07cdd67
commit df69208caa
3 changed files with 56 additions and 0 deletions


@@ -1138,6 +1138,7 @@ async function _inviteByEmail (invite, group, inviter, req, res) {
*
* @apiError (401) {NotAuthorized} UserAlreadyInvited The user has already been invited to the group.
* @apiError (401) {NotAuthorized} UserAlreadyInGroup The user is already a member of the group.
* @apiError (401) {NotAuthorized} CannotInviteWhenMuted You cannot invite anyone to a guild or party because your chat privileges have been revoked.
*
* @apiUse GroupNotFound
* @apiUse UserNotFound
@@ -1150,6 +1151,8 @@ api.inviteToGroup = {
async handler (req, res) {
let user = res.locals.user;
if (user.flags.chatRevoked) throw new NotAuthorized(res.t('cannotInviteWhenMuted'));
req.checkParams('groupId', res.t('groupIdRequired')).notEmpty();
if (user.invitesSent >= MAX_EMAIL_INVITES_BY_USER) throw new NotAuthorized(res.t('inviteLimitReached', { techAssistanceEmail: TECH_ASSISTANCE_EMAIL }));