diff --git a/app/components/Sidebar/Main.js b/app/components/Sidebar/Main.js index 8c948ccac..69c4f021c 100644 --- a/app/components/Sidebar/Main.js +++ b/app/components/Sidebar/Main.js @@ -171,13 +171,15 @@ function MainSidebar() { - - - + {can.invite && ( + + + + )} { {team.signinMethods} but haven’t signed in yet. - + {can.invite && ( + + )} @@ -135,14 +137,15 @@ class People extends React.Component { /> )} /> - - - - + {can.invite && ( + + + + )} ); } diff --git a/server/api/users.js b/server/api/users.js index aec2be379..8788925a9 100644 --- a/server/api/users.js +++ b/server/api/users.js @@ -195,8 +195,9 @@ router.post("users.invite", auth(), async (ctx) => { const { invites } = ctx.body; ctx.assertPresent(invites, "invites is required"); - const user = ctx.state.user; - authorize(user, "invite", User); + const { user } = ctx.state; + const team = await Team.findByPk(user.teamId); + authorize(user, "invite", team); const response = await userInviter({ user, invites, ip: ctx.request.ip }); diff --git a/server/api/users.test.js b/server/api/users.test.js index 43cce4546..a0be7a8be 100644 --- a/server/api/users.test.js +++ b/server/api/users.test.js @@ -107,7 +107,7 @@ describe("#users.info", () => { describe("#users.invite", () => { it("should return sent invites", async () => { - const user = await buildUser(); + const user = await buildUser({ isAdmin: true }); const res = await server.post("/api/users.invite", { body: { token: user.getJwtToken(), 
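Review bot: In the server/api/users.js hunk, `const team = await Team.findByPk(user.teamId);` is the first reference to `Team` visible in this handler and no import appears in the hunk; confirm the model is imported at the top of the file, otherwise the route fails with a ReferenceError only when an invite is attempted. Separately, if `findByPk` can return null for a stale or missing `teamId`, `authorize(user, "invite", team)` is then called with `null` — it is worth confirming the policy rejects that case rather than treating it as permitted, or guarding it explicitly before the authorize call in the style of the existing `ctx.assertPresent(invites, "invites is required")`. The handler's body continues past the end of the hunk, so any later use of `team` (for example passing it to `userInviter`) is not visible here.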
@@ -119,6 +119,17 @@ describe("#users.invite", () => {
 expect(body.data.sent.length).toEqual(1);
 });
 
+ it("should require admin", async () => {
+ const user = await buildUser();
+ const res = await server.post("/api/users.invite", {
+ body: {
+ token: user.getJwtToken(),
+ invites: [{ email: "test@example.com", name: "Test", guest: false }],
+ },
+ });
+ expect(res.status).toEqual(403);
+ });
+
 it("should require authentication", async () => {
 const res = await server.post("/api/users.invite");
 expect(res.status).toEqual(401);
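Review bot: The new `it("should require admin", …)` case asserts only `expect(res.status).toEqual(403);`, so it would still pass if the authorization check ran after the invitation side effect rather than before it. Consider additionally asserting that the rejected request left no trace — for example that no user record exists for `test@example.com` afterwards — using whatever lookup helper the test file already has; the exact helper is not visible in this hunk. Mirroring the existing `should require authentication` case, this keeps the negative tests consistent in shape.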