prevent a user with no chat privileges from inviting any player to a guild or party (#10194)

This is because they could use private group chat messages to bypass
the restriction on talking to other players.

test/api/v3/integration/groups/POST-groups_invite.test.js

@@ -24,6 +24,19 @@ describe('Post /groups/:groupId/invite', () => {
   });
 
   describe('user id invites', () => {
+    it('returns an error when inviter has no chat privileges', async () => {
+      let inviterMuted = await inviter.update({'flags.chatRevoked': true});
+      let userToInvite = await generateUser();
+      await expect(inviterMuted.post(`/groups/${group._id}/invite`, {
+        uuids: [userToInvite._id],
+      }))
+        .to.eventually.be.rejected.and.eql({
+          code: 401,
+          error: 'NotAuthorized',
+          message: t('cannotInviteWhenMuted'),
+        });
+    });
+
     it('returns an error when invited user is not found', async () => {
       let fakeID = generateUUID();
 
@@ -160,6 +173,19 @@ describe('Post /groups/:groupId/invite', () => {
   describe('email invites', () => {
     let testInvite = {name: 'test', email: 'test@habitica.com'};
 
+    it('returns an error when inviter has no chat privileges', async () => {
+      let inviterMuted = await inviter.update({'flags.chatRevoked': true});
+      await expect(inviterMuted.post(`/groups/${group._id}/invite`, {
+        emails: [testInvite],
+        inviter: 'inviter name',
+      }))
+        .to.eventually.be.rejected.and.eql({
+          code: 401,
+          error: 'NotAuthorized',
+          message: t('cannotInviteWhenMuted'),
+        });
+    });
+
     it('returns an error when invite is missing an email', async () => {
       await expect(inviter.post(`/groups/${group._id}/invite`, {
         emails: [{name: 'test'}],
@@ -321,6 +347,19 @@ describe('Post /groups/:groupId/invite', () => {
   });
 
   describe('guild invites', () => {
+    it('returns an error when inviter has no chat privileges', async () => {
+      let inviterMuted = await inviter.update({'flags.chatRevoked': true});
+      let userToInvite = await generateUser();
+      await expect(inviterMuted.post(`/groups/${group._id}/invite`, {
+        uuids: [userToInvite._id],
+      }))
+        .to.eventually.be.rejected.and.eql({
+          code: 401,
+          error: 'NotAuthorized',
+          message: t('cannotInviteWhenMuted'),
+        });
+    });
+
     it('returns an error when invited user is already invited to the group', async () => {
       let userToInvite = await generateUser();
       await inviter.post(`/groups/${group._id}/invite`, {
@@ -398,6 +437,19 @@ describe('Post /groups/:groupId/invite', () => {
       });
     });
 
+    it('returns an error when inviter has no chat privileges', async () => {
+      let inviterMuted = await inviter.update({'flags.chatRevoked': true});
+      let userToInvite = await generateUser();
+      await expect(inviterMuted.post(`/groups/${party._id}/invite`, {
+        uuids: [userToInvite._id],
+      }))
+        .to.eventually.be.rejected.and.eql({
+          code: 401,
+          error: 'NotAuthorized',
+          message: t('cannotInviteWhenMuted'),
+        });
+    });
+
     it('returns an error when invited user has a pending invitation to the party', async () => {
       let userToInvite = await generateUser();
       await inviter.post(`/groups/${party._id}/invite`, {

website/common/locales/en/groups.json

@@ -256,6 +256,7 @@
   "userCountRequestsApproval": "<%= userCount %> request approval",
   "youAreRequestingApproval": "You are requesting approval",
   "chatPrivilegesRevoked": "Your chat privileges have been revoked.",
+  "cannotInviteWhenMuted": "You cannot invite anyone to a guild or party because your chat privileges have been revoked.",
   "newChatMessagePlainNotification": "New message in <%= groupName %> by <%= authorName %>. Click here to open the chat page!",
   "newChatMessageTitle": "New message in <%= groupName %>",
   "exportInbox": "Export Messages",

website/server/controllers/api-v3/groups.js

@@ -1138,6 +1138,7 @@ async function _inviteByEmail (invite, group, inviter, req, res) {
  *
  * @apiError (401) {NotAuthorized} UserAlreadyInvited The user has already been invited to the group.
  * @apiError (401) {NotAuthorized} UserAlreadyInGroup The user is already a member of the group.
+ * @apiError (401) {NotAuthorized} CannotInviteWhenMuted You cannot invite anyone to a guild or party because your chat privileges have been revoked.
  *
  * @apiUse GroupNotFound
  * @apiUse UserNotFound
@@ -1150,6 +1151,8 @@ api.inviteToGroup = {
   async handler (req, res) {
     let user = res.locals.user;
 
+    if (user.flags.chatRevoked) throw new NotAuthorized(res.t('cannotInviteWhenMuted'));
+
     req.checkParams('groupId', res.t('groupIdRequired')).notEmpty();
 
     if (user.invitesSent >= MAX_EMAIL_INVITES_BY_USER) throw new NotAuthorized(res.t('inviteLimitReached', { techAssistanceEmail: TECH_ASSISTANCE_EMAIL }));