fix: allow admins adding users to global moderators

add new test
2025-10-26 16:46:12 +01:00 · 2020-10-20 18:43:45 -04:00
parent bbafa1b82a
commit 1f43e98f8b
2 changed files with 16 additions and 6 deletions
--- a/src/api/groups.js
+++ b/src/api/groups.js
@@ -54,19 +54,21 @@ groupsAPI.join = async function (caller, data) {
 		throw new Error('[[error:invalid-uid]]');
 	}

-	const isSelf = parseInt(caller.uid, 10) === parseInt(data.uid, 10);
 	const groupName = await groups.getGroupNameByGroupSlug(data.slug);
 	if (!groupName) {
 		throw new Error('[[error:no-group]]');
 	}

-	if (groups.systemGroups.includes(groupName) || groups.isPrivilegeGroup(groupName)) {
+	const isCallerAdmin = await user.isAdministrator(caller.uid);
+	if (!isCallerAdmin && (
+		groups.systemGroups.includes(groupName) ||
+		groups.isPrivilegeGroup(groupName)
+	)) {
 		throw new Error('[[error:not-allowed]]');
 	}

-	const [groupData, isCallerAdmin, isCallerOwner, userExists] = await Promise.all([
+	const [groupData, isCallerOwner, userExists] = await Promise.all([
 		groups.getGroupData(groupName),
-		user.isAdministrator(caller.uid),
 		groups.ownership.isOwner(caller.uid, groupName),
 		user.exists(data.uid),
 	]);
@@ -75,6 +77,7 @@ groupsAPI.join = async function (caller, data) {
 		throw new Error('[[error:invalid-uid]]');
 	}

+	const isSelf = parseInt(caller.uid, 10) === parseInt(data.uid, 10);
 	if (!meta.config.allowPrivateGroups && isSelf) {
 		// all groups are public!
 		await groups.join(groupName, data.uid);
@@ -85,7 +88,7 @@ groupsAPI.join = async function (caller, data) {
 		return;
 	}

-	if (groupData.private && groupData.disableJoinRequests) {
+	if (isSelf && groupData.private && groupData.disableJoinRequests) {
 		throw new Error('[[error:group-join-disabled]]');
 	}

--- a/test/groups.js
+++ b/test/groups.js
@@ -655,6 +655,13 @@ describe('Groups', function () {
 			});
 		});

+		it('should add user to Global Moderators group', async function () {
+			const uid = await User.create({ username: 'glomod' });
+			await socketGroups.join({ uid: adminUid }, { groupName: 'Global Moderators', uid: uid });
+			const isGlobalMod = await User.isGlobalModerator(uid);
+			assert.strictEqual(isGlobalMod, true);
+		});
+
 		it('should add user to multiple groups', function (done) {
 			var groupNames = ['test-hidden1', 'Test', 'test-hidden2', 'empty group'];
 			Groups.create({ name: 'empty group' }, function (err) {
@@ -804,7 +811,7 @@ describe('Groups', function () {
 		});

 		it('should return error if group name is special', function (done) {
-			socketGroups.join({ uid: adminUid }, { groupName: 'administrators' }, function (err) {
+			socketGroups.join({ uid: testUid }, { groupName: 'administrators' }, function (err) {
 				assert.equal(err.message, '[[error:not-allowed]]');
 				done();
 			});