From 61321f6b1665bac054de7c1452159ab2f82c9a91 Mon Sep 17 00:00:00 2001
From: Tony Vincent
Date: Fri, 24 Jan 2025 02:47:51 +0100
Subject: [PATCH] fix: Only admins can generate invite codes (#1611)

* fix: Only admins can generate invite codes

* fix: raise error if user is not an admin when creating invite codesss
---
 app/controllers/invite_codes_controller.rb | 1 +
 .../hostings/_invite_code_settings.html.erb | 2 +-
 .../invite_codes_controller_test.rb | 20 +++++++++++++++++++
 3 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 test/controllers/invite_codes_controller_test.rb

diff --git a/app/controllers/invite_codes_controller.rb b/app/controllers/invite_codes_controller.rb
index f636a65a..fa8aa97c 100644
--- a/app/controllers/invite_codes_controller.rb
+++ b/app/controllers/invite_codes_controller.rb
@@ -6,6 +6,7 @@ class InviteCodesController < ApplicationController
   end
 
   def create
+    raise StandardError, "You are not allowed to generate invite codes" unless Current.user.admin?
     InviteCode.generate!
     redirect_back_or_to invite_codes_path, notice: "Code generated"
   end
diff --git a/app/views/settings/hostings/_invite_code_settings.html.erb b/app/views/settings/hostings/_invite_code_settings.html.erb
index 49828365..e9889d75 100644
--- a/app/views/settings/hostings/_invite_code_settings.html.erb
+++ b/app/views/settings/hostings/_invite_code_settings.html.erb
@@ -7,7 +7,7 @@
 <%= styled_form_with model: Setting.new, url: settings_hosting_path, method: :patch, data: { controller: "auto-submit-form", "auto-submit-form-trigger-event-value" => "blur" } do |form| %>
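Review bot: Raising a bare `StandardError` on the new line in `create` turns an authorization failure into an unhandled exception — outside the test environment that is a 500 page for a non-admin who posts to this route, and it lets the new non-admin test pass on any StandardError at all (a `NoMethodError` from a nil `Current.user` would satisfy it just as well). Prefer a `before_action` that answers 403 (or redirects with a flash) and change the test to `assert_response :forbidden`. The `end` at the top of the hunk closes an action the commit leaves unguarded; if that is the `index` that lists existing codes, a non-admin can still read the codes they can no longer generate, so drop `only: :create` below if that is not intended. Whether `Current.user` can be nil here depends on ApplicationController, which is not in the diff; the class body continues outside the hunk.
```ruby
  before_action :require_admin, only: :create

  # … unchanged: index …

  def create
    # … unchanged: InviteCode.generate! and the redirect, with the raise removed …
  end

  private
    # Answer 403 for non-admins instead of surfacing an unhandled StandardError (a 500 in production).
    def require_admin
      head :forbidden unless Current.user&.admin?
    end
```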
-    <%= form.check_box :require_invite_for_signup, class: "sr-only peer", "data-auto-submit-form-target": "auto", "data-autosubmit-trigger-event": "input" %>
+    <%= form.check_box :require_invite_for_signup, class: "sr-only peer", "data-auto-submit-form-target": "auto", "data-autosubmit-trigger-event": "input", disabled: !Current.user.admin? %>
     <%= form.label :require_invite_for_signup, " ".html_safe, class: "maybe-switch" %>
 <% end %>
diff --git a/test/controllers/invite_codes_controller_test.rb b/test/controllers/invite_codes_controller_test.rb
new file mode 100644
index 00000000..ea39395f
--- /dev/null
+++ b/test/controllers/invite_codes_controller_test.rb
@@ -0,0 +1,20 @@
+require "test_helper"
+
+class InviteCodesControllerTest < ActionDispatch::IntegrationTest
+  setup do
+    Rails.application.config.app_mode.stubs(:self_hosted?).returns(true)
+  end
+  test "admin can generate invite codes" do
+    sign_in users(:family_admin)
+
+    assert_difference("InviteCode.count") do
+      post invite_codes_url, params: {}
+    end
+  end
+
+  test "non-admin cannot generate invite codes" do
+    sign_in users(:family_member)
+
+    assert_raises(StandardError) { post invite_codes_url, params: {} }
+  end
+end
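Review bot: `disabled: !Current.user.admin?` on the check_box is a client-side affordance, not an authorization check — a non-admin can still send the PATCH to `settings_hosting_path` with `require_invite_for_signup` from a browser console or curl, and whether that is rejected depends on the handler behind `settings_hosting_path`, which this diff does not touch. If that controller does not already check `admin?`, add the same guard there (for example `before_action :require_admin, only: :update`) and keep the disabled attribute purely as UI. A request-level test for the non-admin PATCH would pin this the way the new controller test pins `create`. The form's inner markup appears to have been stripped from this hunk by extraction, so the surrounding lines may not be complete as shown.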
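Review bot: The non-admin test only asserts that some `StandardError` escapes `post invite_codes_url`; it does not check that no code was created, and it passes equally on an unrelated failure such as a `NoMethodError` (also a StandardError) raised before the guard. Wrap it so the state is pinned too: `assert_no_difference("InviteCode.count") do` / `  assert_raises(StandardError) { post invite_codes_url, params: {} }` / `end`, and narrow the exception class to whatever the controller actually raises — or, if the controller is changed to answer 403, replace the `assert_raises` with `assert_response :forbidden`. The admin test could likewise add `assert_redirected_to invite_codes_url` so the success path is checked beyond the count.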