mirror of
https://github.com/HabitRPG/habitica.git
synced 2025-12-14 21:27:23 +01:00
prevent a user with no chat privileges from inviting any player to a guild or party (#10194)
This is because they could use private group chat messages to bypass the restriction on talking to other players.
This commit is contained in:
Alys
Matteo Pagliazzi
@@ -24,6 +24,19 @@ describe('Post /groups/:groupId/invite', () => {
|
|||||||
});
|
});
|
||||||
|
|
||||||
describe('user id invites', () => {
|
describe('user id invites', () => {
|
||||||
|
it('returns an error when inviter has no chat privileges', async () => {
|
||||||
|
let inviterMuted = await inviter.update({'flags.chatRevoked': true});
|
||||||
|
let userToInvite = await generateUser();
|
||||||
|
await expect(inviterMuted.post(`/groups/${group._id}/invite`, {
|
||||||
|
uuids: [userToInvite._id],
|
||||||
|
}))
|
||||||
|
.to.eventually.be.rejected.and.eql({
|
||||||
|
code: 401,
|
||||||
|
error: 'NotAuthorized',
|
||||||
|
message: t('cannotInviteWhenMuted'),
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
it('returns an error when invited user is not found', async () => {
|
it('returns an error when invited user is not found', async () => {
|
||||||
let fakeID = generateUUID();
|
let fakeID = generateUUID();
|
||||||
|
|
||||||
@@ -160,6 +173,19 @@ describe('Post /groups/:groupId/invite', () => {
|
|||||||
describe('email invites', () => {
|
describe('email invites', () => {
|
||||||
let testInvite = {name: 'test', email: 'test@habitica.com'};
|
let testInvite = {name: 'test', email: 'test@habitica.com'};
|
||||||
|
|
||||||
|
it('returns an error when inviter has no chat privileges', async () => {
|
||||||
|
let inviterMuted = await inviter.update({'flags.chatRevoked': true});
|
||||||
|
await expect(inviterMuted.post(`/groups/${group._id}/invite`, {
|
||||||
|
emails: [testInvite],
|
||||||
|
inviter: 'inviter name',
|
||||||
|
}))
|
||||||
|
.to.eventually.be.rejected.and.eql({
|
||||||
|
code: 401,
|
||||||
|
error: 'NotAuthorized',
|
||||||
|
message: t('cannotInviteWhenMuted'),
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
it('returns an error when invite is missing an email', async () => {
|
it('returns an error when invite is missing an email', async () => {
|
||||||
await expect(inviter.post(`/groups/${group._id}/invite`, {
|
await expect(inviter.post(`/groups/${group._id}/invite`, {
|
||||||
emails: [{name: 'test'}],
|
emails: [{name: 'test'}],
|
||||||
@@ -321,6 +347,19 @@ describe('Post /groups/:groupId/invite', () => {
|
|||||||
});
|
});
|
||||||
|
|
||||||
describe('guild invites', () => {
|
describe('guild invites', () => {
|
||||||
|
it('returns an error when inviter has no chat privileges', async () => {
|
||||||
|
let inviterMuted = await inviter.update({'flags.chatRevoked': true});
|
||||||
|
let userToInvite = await generateUser();
|
||||||
|
await expect(inviterMuted.post(`/groups/${group._id}/invite`, {
|
||||||
|
uuids: [userToInvite._id],
|
||||||
|
}))
|
||||||
|
.to.eventually.be.rejected.and.eql({
|
||||||
|
code: 401,
|
||||||
|
error: 'NotAuthorized',
|
||||||
|
message: t('cannotInviteWhenMuted'),
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
it('returns an error when invited user is already invited to the group', async () => {
|
it('returns an error when invited user is already invited to the group', async () => {
|
||||||
let userToInvite = await generateUser();
|
let userToInvite = await generateUser();
|
||||||
await inviter.post(`/groups/${group._id}/invite`, {
|
await inviter.post(`/groups/${group._id}/invite`, {
|
||||||
@@ -398,6 +437,19 @@ describe('Post /groups/:groupId/invite', () => {
|
|||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it('returns an error when inviter has no chat privileges', async () => {
|
||||||
|
let inviterMuted = await inviter.update({'flags.chatRevoked': true});
|
||||||
|
let userToInvite = await generateUser();
|
||||||
|
await expect(inviterMuted.post(`/groups/${party._id}/invite`, {
|
||||||
|
uuids: [userToInvite._id],
|
||||||
|
}))
|
||||||
|
.to.eventually.be.rejected.and.eql({
|
||||||
|
code: 401,
|
||||||
|
error: 'NotAuthorized',
|
||||||
|
message: t('cannotInviteWhenMuted'),
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
it('returns an error when invited user has a pending invitation to the party', async () => {
|
it('returns an error when invited user has a pending invitation to the party', async () => {
|
||||||
let userToInvite = await generateUser();
|
let userToInvite = await generateUser();
|
||||||
await inviter.post(`/groups/${party._id}/invite`, {
|
await inviter.post(`/groups/${party._id}/invite`, {
|
||||||
|
|||||||
@@ -256,6 +256,7 @@
|
|||||||
"userCountRequestsApproval": "<%= userCount %> request approval",
|
"userCountRequestsApproval": "<%= userCount %> request approval",
|
||||||
"youAreRequestingApproval": "You are requesting approval",
|
"youAreRequestingApproval": "You are requesting approval",
|
||||||
"chatPrivilegesRevoked": "Your chat privileges have been revoked.",
|
"chatPrivilegesRevoked": "Your chat privileges have been revoked.",
|
||||||
|
"cannotInviteWhenMuted": "You cannot invite anyone to a guild or party because your chat privileges have been revoked.",
|
||||||
"newChatMessagePlainNotification": "New message in <%= groupName %> by <%= authorName %>. Click here to open the chat page!",
|
"newChatMessagePlainNotification": "New message in <%= groupName %> by <%= authorName %>. Click here to open the chat page!",
|
||||||
"newChatMessageTitle": "New message in <%= groupName %>",
|
"newChatMessageTitle": "New message in <%= groupName %>",
|
||||||
"exportInbox": "Export Messages",
|
"exportInbox": "Export Messages",
|
||||||
|
|||||||
@@ -1138,6 +1138,7 @@ async function _inviteByEmail (invite, group, inviter, req, res) {
|
|||||||
*
|
*
|
||||||
* @apiError (401) {NotAuthorized} UserAlreadyInvited The user has already been invited to the group.
|
* @apiError (401) {NotAuthorized} UserAlreadyInvited The user has already been invited to the group.
|
||||||
* @apiError (401) {NotAuthorized} UserAlreadyInGroup The user is already a member of the group.
|
* @apiError (401) {NotAuthorized} UserAlreadyInGroup The user is already a member of the group.
|
||||||
|
* @apiError (401) {NotAuthorized} CannotInviteWhenMuted You cannot invite anyone to a guild or party because your chat privileges have been revoked.
|
||||||
*
|
*
|
||||||
* @apiUse GroupNotFound
|
* @apiUse GroupNotFound
|
||||||
* @apiUse UserNotFound
|
* @apiUse UserNotFound
|
||||||
@@ -1150,6 +1151,8 @@ api.inviteToGroup = {
|
|||||||
async handler (req, res) {
|
async handler (req, res) {
|
||||||
let user = res.locals.user;
|
let user = res.locals.user;
|
||||||
|
|
||||||
|
if (user.flags.chatRevoked) throw new NotAuthorized(res.t('cannotInviteWhenMuted'));
|
||||||
|
|
||||||
req.checkParams('groupId', res.t('groupIdRequired')).notEmpty();
|
req.checkParams('groupId', res.t('groupIdRequired')).notEmpty();
|
||||||
|
|
||||||
if (user.invitesSent >= MAX_EMAIL_INVITES_BY_USER) throw new NotAuthorized(res.t('inviteLimitReached', { techAssistanceEmail: TECH_ASSISTANCE_EMAIL }));
|
if (user.invitesSent >= MAX_EMAIL_INVITES_BY_USER) throw new NotAuthorized(res.t('inviteLimitReached', { techAssistanceEmail: TECH_ASSISTANCE_EMAIL }));
|
||||||
|
|||||||
Reference in New Issue
Block a user