From 025f1788e5b15149890b67b23509efef3b4905b0 Mon Sep 17 00:00:00 2001
From: Kim Gustyr
Date: Mon, 23 Sep 2024 16:30:06 +0100
Subject: [PATCH] fix: Non-admin users can create invites (#4653)

---
 api/organisations/permissions/permissions.py | 2 +-
 .../test_unit_organisations_views.py | 26 +++++++++++++++++--
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/api/organisations/permissions/permissions.py b/api/organisations/permissions/permissions.py
index 1c496ab4eaf2..0f1f797e1d13 100644
--- a/api/organisations/permissions/permissions.py
+++ b/api/organisations/permissions/permissions.py
@@ -95,7 +95,7 @@ def has_permission(self, request, view):
         if organisation_id and not organisation_id.isnumeric():
             raise ValidationError("Invalid organisation ID")
 
-        if view.action == "remove_users":
+        if view.action in {"remove_users", "invite"}:
             return request.user.is_organisation_admin(int(organisation_id))
 
         if organisation_id:
diff --git a/api/tests/unit/organisations/test_unit_organisations_views.py b/api/tests/unit/organisations/test_unit_organisations_views.py
index ddade0bd039a..e10eac5f0604 100644
--- a/api/tests/unit/organisations/test_unit_organisations_views.py
+++ b/api/tests/unit/organisations/test_unit_organisations_views.py
@@ -143,7 +143,7 @@ def test_should_update_organisation_data(
 
 def test_should_invite_users_to_organisation(
     settings: SettingsWrapper,
-    staff_client: APIClient,
+    admin_client: APIClient,
     organisation: Organisation,
 ) -> None:
     # Given
@@ -153,7 +153,7 @@ def test_should_invite_users_to_organisation(
     data = {"emails": ["test@example.com"]}
 
     # When
-    response = staff_client.post(
+    response = admin_client.post(
         url, data=json.dumps(data), content_type="application/json"
     )
 
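Review bot: The admin-only gate at `if view.action in {"remove_users", "invite"}:` is a hard-coded allow-list keyed on view action names, so any further privileged action added to the viewset will silently fall through to the less strict branch below unless someone remembers to extend this set. Lifting it to a module-level constant with a comment, `ADMIN_ONLY_ACTIONS = {"remove_users", "invite"}` and `if view.action in ADMIN_ONLY_ACTIONS:`, makes that maintenance obligation visible at the top of the module instead of inside a conditional. The same branch calls `int(organisation_id)` after a guard that only validates a non-empty value, so a request reaching one of these actions without an organisation id would raise rather than be denied; whether that is reachable depends on the view's routing, which is not in the hunk. has_permission's opening and its remaining branches (`if organisation_id:` onward) are outside the hunk, so what the fall-through grants cannot be confirmed from here.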
@@ -188,6 +188,28 @@ def test_should_fail_if_invite_exists_already(
     assert Invite.objects.filter(email=email, organisation=organisation).count() == 1
 
 
+def test_organisation_invite__non_admin__return_expected(
+    settings: SettingsWrapper,
+    staff_client: APIClient,
+    organisation: Organisation,
+) -> None:
+    # Given
+    settings.REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["invite"] = None
+
+    email = "test_2@example.com"
+    data = {"invites": [{"email": email, "role": "ADMIN"}]}
+    url = reverse("api-v1:organisations:organisation-invite", args=[organisation.pk])
+
+    # When
+    response = staff_client.post(
+        url, data=json.dumps(data), content_type="application/json"
+    )
+
+    # Then
+    assert response.status_code == status.HTTP_403_FORBIDDEN
+    assert not Invite.objects.filter(email=email, organisation=organisation).exists()
+
+
 def test_should_return_all_invites_and_can_resend(
     settings: SettingsWrapper,
     admin_client: APIClient,
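Review bot: The regression test sends `"role": "ADMIN"` without saying why that role was chosen; a one-line comment above the `data = ...` line, `# role ADMIN: a non-admin must not be able to create an admin-level invite`, would record that the test pins the escalation case rather than a generic denial. This payload uses an `invites` list while the existing invite test in the earlier hunk of this file posts an `emails` list; since DRF evaluates permission classes before the handler and its serializer run, the 403 assertion holds for either shape, so the test does not establish that `invites` is the accepted payload — acceptable for a permission test, but worth stating in the same comment if it is intentional. The name `test_organisation_invite__non_admin__return_expected` is vague about what is expected; `test_organisation_invite__non_admin__returns_403_and_creates_no_invite` reads as the two assertions it makes.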