invite: Fix invite_by_admins_only to be enforced in backend.

Apparently, this setting never actually was wired up to anything other
than hiding the UI widget.

Huge thanks to Ibram Marzouk from the HackerOne community for finding
this security bug.

zerver/tests/test_signup.py

@@ -407,6 +407,29 @@ def test_successful_invite_user_with_name_and_normal_one(self):
         self.assertTrue(find_key_by_email(email2))
         self.check_sent_emails([email, email2])
 
+    def test_require_realm_admin(self):
+        # type: () -> None
+        """
+        The invite_by_admins_only realm setting works properly.
+        """
+        realm = get_realm('zulip')
+        realm.invite_by_admins_only = True
+        realm.save()
+
+        self.login("hamlet@zulip.com")
+        email = "alice-test@zulip.com"
+        email2 = "bob-test@zulip.com"
+        invitee = "Alice Test <{}>, {}".format(email, email2)
+        self.assert_json_error(self.invite(invitee, ["Denmark"]),
+                               "Must be a realm administrator")
+
+        # Now verify an administrator can do it
+        self.login("iago@zulip.com")
+        self.assert_json_success(self.invite(invitee, ["Denmark"]))
+        self.assertTrue(find_key_by_email(email))
+        self.assertTrue(find_key_by_email(email2))
+        self.check_sent_emails([email, email2])
+
     def test_invite_user_signup_initial_history(self):
         # type: () -> None
         """

zerver/views/invite.py

@@ -22,6 +22,8 @@
 @has_request_variables
 def json_invite_users(request, user_profile, invitee_emails_raw=REQ("invitee_emails")):
     # type: (HttpRequest, UserProfile, str) -> HttpResponse
+    if user_profile.realm.invite_by_admins_only and not user_profile.is_realm_admin:
+        return json_error(_("Must be a realm administrator"))
     if not invitee_emails_raw:
         return json_error(_("You must specify at least one email address."))