From a9bcc935b70bdb069c8b9e4750d38cd02b14fb84 Mon Sep 17 00:00:00 2001
From: Sam
Date: Wed, 11 Oct 2017 09:49:45 +1100
Subject: [PATCH] SECURITY: verify that inviter can invite new user to a topics

---
 app/controllers/invites_controller.rb | 1 +
 app/models/invite.rb | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/controllers/invites_controller.rb b/app/controllers/invites_controller.rb
index d6a207b502..47b972d0d2 100644
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@@ -86,6 +86,7 @@ class InvitesController < ApplicationController
     group_ids = Group.lookup_group_ids(params)
     topic = Topic.find_by(id: params[:topic_id])
     guardian.ensure_can_invite_to_forum!(group_ids)
+    guardian.ensure_can_invite_to!(topic) if topic.present?
 
     invite_exists = Invite.where(email: params[:email], invited_by_id: current_user.id).first
     if invite_exists && !guardian.can_send_multiple_invites?(current_user)
diff --git a/app/models/invite.rb b/app/models/invite.rb
index bd2c68c910..c667cafc94 100644
--- a/app/models/invite.rb
+++ b/app/models/invite.rb
@@ -137,7 +137,7 @@ class Invite < ActiveRecord::Base
           invite.invited_groups.create!(group_id: group_id)
         end
       else
-        if topic && topic.category # && Guardian.new(invited_by).can_invite_to?(topic)
+        if topic && topic.category && Guardian.new(invited_by).can_invite_to?(topic)
           group_ids = topic.category.groups.pluck(:id) - invite.invited_groups.pluck(:group_id)
           group_ids.each { |group_id| invite.invited_groups.create!(group_id: group_id) }
         end
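Review bot: The new guard is skipped whenever `Topic.find_by(id: params[:topic_id])` returns nil, so a `topic_id` that matches no topic (mistyped or deleted) degrades silently into a forum-wide invite instead of an error; `ensure_can_invite_to_forum!` on the line above still applies, so this is an auditability and intent gap rather than a privilege escalation. If a supplied but unresolvable topic id should fail loudly, `topic = Topic.find(params[:topic_id]) if params[:topic_id].present?` lets Rails answer 404 via `ActiveRecord::RecordNotFound` rather than creating an invite the caller did not intend. Whether `ensure_can_invite_to!` also checks that the inviter can see the topic is not visible here and should be confirmed in Guardian. The enclosing action starts and ends outside the hunk.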
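Review bot: The now-active `Guardian.new(invited_by).can_invite_to?(topic)` condition makes this branch fail closed by silently skipping the category-group grant, which differs from the controller hunk where the same condition raises, and a reader of this method will not know the silence is intentional. I would document it on the line above the `if`: `# Fail closed: category groups are granted only when the inviter may invite to this topic; the controller raises earlier, this is the backstop for other callers.` Whether the invite's topic association is still written for an unauthorized inviter happens outside this hunk and should be checked, since an invite with no `invited_groups` that still points at a private topic may be enough to surface it. The commit ships no spec; a regression test asserting that an inviter for whom `can_invite_to?` is false ends up with an empty `invited_groups` would pin this SECURITY fix. The enclosing method starts and ends outside the hunk.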