fix: Disable 'Invite people…' control for non-admins (#1903)

closes #1902

app/components/Sidebar/Main.js

@@ -171,6 +171,7 @@ function MainSidebar() {
           </Section>
         </Secondary>
       </Flex>
+      {can.invite && (
         <Modal
           title={t("Invite people")}
           onRequestClose={handleInviteModalClose}
@@ -178,6 +179,7 @@ function MainSidebar() {
         >
           <Invite onSubmit={handleInviteModalClose} />
         </Modal>
+      )}
       <Modal
         title={t("Create a collection")}
         onRequestClose={handleCreateCollectionModalClose}

app/scenes/Settings/People.js

@@ -87,6 +87,7 @@ class People extends React.Component<Props> {
             {team.signinMethods} but haven’t signed in yet.
           </Trans>
         </HelpText>
+        {can.invite && (
           <Button
             type="button"
             data-on="click"
@@ -98,6 +99,7 @@ class People extends React.Component<Props> {
           >
             {t("Invite people")}…
           </Button>
+        )}
 
         <Tabs>
           <Tab to="/settings/people" exact>
@@ -135,7 +137,7 @@ class People extends React.Component<Props> {
             />
           )}
         />
-
+        {can.invite && (
           <Modal
             title={t("Invite people")}
             onRequestClose={this.handleInviteModalClose}
@@ -143,6 +145,7 @@ class People extends React.Component<Props> {
           >
             <Invite onSubmit={this.handleInviteModalClose} />
           </Modal>
+        )}
       </CenteredContent>
     );
   }

server/api/users.js

@@ -195,8 +195,9 @@ router.post("users.invite", auth(), async (ctx) => {
   const { invites } = ctx.body;
   ctx.assertPresent(invites, "invites is required");
 
-  const user = ctx.state.user;
+  const { user } = ctx.state;
-  authorize(user, "invite", User);
+  const team = await Team.findByPk(user.teamId);
+  authorize(user, "invite", team);
 
   const response = await userInviter({ user, invites, ip: ctx.request.ip });
 

server/api/users.test.js

@@ -107,7 +107,7 @@ describe("#users.info", () => {
 
 describe("#users.invite", () => {
   it("should return sent invites", async () => {
-    const user = await buildUser();
+    const user = await buildUser({ isAdmin: true });
     const res = await server.post("/api/users.invite", {
       body: {
         token: user.getJwtToken(),
@@ -119,6 +119,17 @@ describe("#users.invite", () => {
     expect(body.data.sent.length).toEqual(1);
   });
 
+  it("should require admin", async () => {
+    const user = await buildUser();
+    const res = await server.post("/api/users.invite", {
+      body: {
+        token: user.getJwtToken(),
+        invites: [{ email: "test@example.com", name: "Test", guest: false }],
+      },
+    });
+    expect(res.status).toEqual(403);
+  });
+
   it("should require authentication", async () => {
     const res = await server.post("/api/users.invite");
     expect(res.status).toEqual(401);