fix: Disable 'Invite people…' control for non-admins (#1903)

closes #1902

app/components/Sidebar/Main.js

@@ -171,13 +171,15 @@ function MainSidebar() {
           </Section>
         </Secondary>
       </Flex>
-      <Modal
+      {can.invite && (
-        title={t("Invite people")}
+        <Modal
-        onRequestClose={handleInviteModalClose}
+          title={t("Invite people")}
-        isOpen={inviteModalOpen}
+          onRequestClose={handleInviteModalClose}
-      >
+          isOpen={inviteModalOpen}
-        <Invite onSubmit={handleInviteModalClose} />
+        >
-      </Modal>
+          <Invite onSubmit={handleInviteModalClose} />
+        </Modal>
+      )}
       <Modal
         title={t("Create a collection")}
         onRequestClose={handleCreateCollectionModalClose}

app/scenes/Settings/People.js

@@ -87,17 +87,19 @@ class People extends React.Component<Props> {
             {team.signinMethods} but haven’t signed in yet.
           </Trans>
         </HelpText>
-        <Button
+        {can.invite && (
-          type="button"
+          <Button
-          data-on="click"
+            type="button"
-          data-event-category="invite"
+            data-on="click"
-          data-event-action="peoplePage"
+            data-event-category="invite"
-          onClick={this.handleInviteModalOpen}
+            data-event-action="peoplePage"
-          icon={<PlusIcon />}
+            onClick={this.handleInviteModalOpen}
-          neutral
+            icon={<PlusIcon />}
-        >
+            neutral
-          {t("Invite people")}…
+          >
-        </Button>
+            {t("Invite people")}…
+          </Button>
+        )}
 
         <Tabs>
           <Tab to="/settings/people" exact>
@@ -135,14 +137,15 @@ class People extends React.Component<Props> {
             />
           )}
         />
-
+        {can.invite && (
-        <Modal
+          <Modal
-          title={t("Invite people")}
+            title={t("Invite people")}
-          onRequestClose={this.handleInviteModalClose}
+            onRequestClose={this.handleInviteModalClose}
-          isOpen={this.inviteModalOpen}
+            isOpen={this.inviteModalOpen}
-        >
+          >
-          <Invite onSubmit={this.handleInviteModalClose} />
+            <Invite onSubmit={this.handleInviteModalClose} />
-        </Modal>
+          </Modal>
+        )}
       </CenteredContent>
     );
   }

server/api/users.js

@@ -195,8 +195,9 @@ router.post("users.invite", auth(), async (ctx) => {
   const { invites } = ctx.body;
   ctx.assertPresent(invites, "invites is required");
 
-  const user = ctx.state.user;
+  const { user } = ctx.state;
-  authorize(user, "invite", User);
+  const team = await Team.findByPk(user.teamId);
+  authorize(user, "invite", team);
 
   const response = await userInviter({ user, invites, ip: ctx.request.ip });
 

server/api/users.test.js

@@ -107,7 +107,7 @@ describe("#users.info", () => {
 
 describe("#users.invite", () => {
   it("should return sent invites", async () => {
-    const user = await buildUser();
+    const user = await buildUser({ isAdmin: true });
     const res = await server.post("/api/users.invite", {
       body: {
         token: user.getJwtToken(),
@@ -119,6 +119,17 @@ describe("#users.invite", () => {
     expect(body.data.sent.length).toEqual(1);
   });
 
+  it("should require admin", async () => {
+    const user = await buildUser();
+    const res = await server.post("/api/users.invite", {
+      body: {
+        token: user.getJwtToken(),
+        invites: [{ email: "test@example.com", name: "Test", guest: false }],
+      },
+    });
+    expect(res.status).toEqual(403);
+  });
+
   it("should require authentication", async () => {
     const res = await server.post("/api/users.invite");
     expect(res.status).toEqual(401);