fix: throw generic not-allowed error on groups.join if a non-owner tries to add another user to a group

Julian Lam
2023-04-06 16:10:40 -04:00
parent 18447b06af
commit 0fc9fdd53d
2 changed files with 10 additions and 0 deletions


@@ -121,6 +121,8 @@ groupsAPI.join = async function (caller, data) {
groupName: groupName,
targetUid: data.uid,
});
} else {
throw new Error('[[error:not-allowed]]');
}
};
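Review bot: The new `else` branch is the default-deny path of `groupsAPI.join`, but it carries no comment saying which callers are expected to reach it. The conditions of the preceding branches lie outside this hunk, so they cannot be checked from here. A one-line comment above the `throw`, for example `// default-deny: caller is neither the target user nor privileged for this group`, with wording adjusted to the real conditions, would make the fail-closed intent explicit. That protects the branch from a later edit that adds a permissive case after it.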


@@ -10,6 +10,7 @@ const db = require('./mocks/databasemock');
const helpers = require('./helpers');
const Groups = require('../src/groups');
const User = require('../src/user');
const utils = require('../src/utils');
const socketGroups = require('../src/socket.io/groups');
const apiGroups = require('../src/api/groups');
const meta = require('../src/meta');
@@ -732,6 +733,13 @@ describe('Groups', () => {
meta.config.allowPrivateGroups = oldValue;
});
it('should fail to add user to group if calling uid is non-self and non-admin', async () => {
const uid1 = await User.create({ username: utils.generateUUID().slice(0, 8) });
const uid2 = await User.create({ username: utils.generateUUID().slice(0, 8) });
assert.rejects(apiGroups.join({ uid: uid1 }, { slug: 'test', uid: uid2 }, '[[error:not-allowed]]'));
});
it('should allow admins to join private groups', async () => {
await apiGroups.join({ uid: adminUid }, { uid: adminUid, slug: 'global-moderators' });
assert(await Groups.isMember(adminUid, 'Global Moderators'));
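Review bot: The new test `should fail to add user to group if calling uid is non-self and non-admin` cannot fail, so the authorization check added by this commit is not actually verified. The promise returned by `assert.rejects` is not awaited, and `'[[error:not-allowed]]'` is passed as a third argument to `apiGroups.join` rather than to `assert.rejects`. Suggested line: `await assert.rejects(apiGroups.join({ uid: uid1 }, { slug: 'test', uid: uid2 }), { message: '[[error:not-allowed]]' });`. The object form is needed because a string second argument to `assert.rejects` is used as the assertion failure message, not as a matcher. Whether a group with slug `test` exists at this point is not visible in the hunk; if it does not, the rejection could come from a different error, which the message matcher would then expose.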