fix: Non-admin users can create invites (#4653)

Flagsmith · Sep 23, 2024 · 025f178 · 025f178
1 parent b4d3310
commit 025f178
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 3 deletions.
diff --git a/api/organisations/permissions/permissions.py b/api/organisations/permissions/permissions.py
@@ -95,7 +95,7 @@ def has_permission(self, request, view):
         if organisation_id and not organisation_id.isnumeric():
             raise ValidationError("Invalid organisation ID")
 
-        if view.action == "remove_users":
+        if view.action in {"remove_users", "invite"}:
             return request.user.is_organisation_admin(int(organisation_id))
 
         if organisation_id:

diff --git a/api/tests/unit/organisations/test_unit_organisations_views.py b/api/tests/unit/organisations/test_unit_organisations_views.py
@@ -143,7 +143,7 @@ def test_should_update_organisation_data(
 
 def test_should_invite_users_to_organisation(
     settings: SettingsWrapper,
-    staff_client: APIClient,
+    admin_client: APIClient,
     organisation: Organisation,
 ) -> None:
     # Given
@@ -153,7 +153,7 @@ def test_should_invite_users_to_organisation(
     data = {"emails": ["[email protected]"]}
 
     # When
-    response = staff_client.post(
+    response = admin_client.post(
         url, data=json.dumps(data), content_type="application/json"
     )
 
@@ -188,6 +188,28 @@ def test_should_fail_if_invite_exists_already(
     assert Invite.objects.filter(email=email, organisation=organisation).count() == 1
 
 
+def test_organisation_invite__non_admin__return_expected(
+    settings: SettingsWrapper,
+    staff_client: APIClient,
+    organisation: Organisation,
+) -> None:
+    # Given
+    settings.REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["invite"] = None
+
+    email = "[email protected]"
+    data = {"invites": [{"email": email, "role": "ADMIN"}]}
+    url = reverse("api-v1:organisations:organisation-invite", args=[organisation.pk])
+
+    # When
+    response = staff_client.post(
+        url, data=json.dumps(data), content_type="application/json"
+    )
+
+    # Then
+    assert response.status_code == status.HTTP_403_FORBIDDEN
+    assert not Invite.objects.filter(email=email, organisation=organisation).exists()
+
+
 def test_should_return_all_invites_and_can_resend(
     settings: SettingsWrapper,
     admin_client: APIClient,