fix: Only admins can generate invite codes (#1611)

* fix: Only admins can generate invite codes

* fix: raise error if user is not an admin when creating invite codesss

app/controllers/invite_codes_controller.rb

@@ -6,6 +6,7 @@ class InviteCodesController < ApplicationController
   end
 
   def create
+    raise StandardError, "You are not allowed to generate invite codes" unless Current.user.admin?
     InviteCode.generate!
     redirect_back_or_to invite_codes_path, notice: "Code generated"
   end

app/views/settings/hostings/_invite_code_settings.html.erb

@@ -7,7 +7,7 @@
 
     <%= styled_form_with model: Setting.new, url: settings_hosting_path, method: :patch, data: { controller: "auto-submit-form", "auto-submit-form-trigger-event-value" => "blur" } do |form| %>
       <div class="relative inline-block select-none">
-        <%= form.check_box :require_invite_for_signup, class: "sr-only peer", "data-auto-submit-form-target": "auto", "data-autosubmit-trigger-event": "input" %>
+        <%= form.check_box :require_invite_for_signup, class: "sr-only peer", "data-auto-submit-form-target": "auto", "data-autosubmit-trigger-event": "input", disabled: !Current.user.admin? %>
         <%= form.label :require_invite_for_signup, "&nbsp;".html_safe, class: "maybe-switch" %>
       </div>
     <% end %>

test/controllers/invite_codes_controller_test.rb

@@ -0,0 +1,20 @@
+require "test_helper"
+
+class InviteCodesControllerTest < ActionDispatch::IntegrationTest
+  setup do
+    Rails.application.config.app_mode.stubs(:self_hosted?).returns(true)
+  end
+  test "admin can generate invite codes" do
+    sign_in users(:family_admin)
+
+    assert_difference("InviteCode.count") do
+      post invite_codes_url, params: {}
+    end
+  end
+
+  test "non-admin cannot generate invite codes" do
+    sign_in users(:family_member)
+
+    assert_raises(StandardError) { post invite_codes_url, params: {} }
+  end
+end