🐛 invite existing users

refs #8692 - protect invite endpoint
TryGhost · Jul 18, 2017 · 91f36fc · 91f36fc
1 parent d4c74e7
commit 91f36fc
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 1 deletion.
diff --git a/core/server/api/invites.js b/core/server/api/invites.js
@@ -201,6 +201,19 @@ invites = {
             });
         }
 
+        function checkIfUserExists(options) {
+            return dataProvider.User.findOne({email: options.data.invites[0].email}, options)
+                .then(function (user) {
+                    if (user) {
+                        return Promise.reject(new errors.ValidationError({
+                            message: i18n.t('errors.api.users.userAlreadyRegistered')
+                        }));
+                    }
+
+                    return options;
+                });
+        }
+
         function fetchLoggedInUser(options) {
             return dataProvider.User.findOne({id: loggedInUser}, _.merge({}, options, {include: ['roles']}))
                 .then(function (user) {
@@ -219,6 +232,7 @@ invites = {
             utils.convertOptions(allowedIncludes),
             fetchLoggedInUser,
             validation,
+            checkIfUserExists,
             destroyOldInvite,
             addInvite
         ];

diff --git a/core/test/integration/api/api_invites_spec.js b/core/test/integration/api/api_invites_spec.js
@@ -13,7 +13,7 @@ var should = require('should'),
 
 describe('Invites API', function () {
     beforeEach(testUtils.teardown);
-    beforeEach(testUtils.setup('invites', 'users:roles', 'perms:invite', 'perms:init'));
+    beforeEach(testUtils.setup('invites', 'settings', 'users:roles', 'perms:invite', 'perms:init'));
 
     beforeEach(function () {
         sandbox.stub(mail, 'send', function () {
@@ -72,6 +72,22 @@ describe('Invites API', function () {
                         done();
                     });
             });
+
+            it('add invite: invite existing user', function (done) {
+                InvitesAPI.add({
+                    invites: [{
+                        email: testUtils.DataGenerator.Content.users[0].email,
+                        role_id: testUtils.roles.ids.author
+                    }]
+                }, testUtils.context.owner)
+                    .then(function () {
+                        throw new Error('expected validation error');
+                    })
+                    .catch(function (err) {
+                        (err instanceof errors.ValidationError).should.eql(true);
+                        done();
+                    });
+            });
         });
 
         describe('Browse', function () {