EE: Add the ability to restrict the user roles that can send team invites (#3442)

2 files changed, 61 insertions, 4 deletions

diff --git a/api/team.go b/api/team.go
index 0f7298b57..cb942bb35 100644
--- a/api/team.go
+++ b/api/team.go
@@ -394,11 +394,23 @@ func revokeAllSessions(c *Context, w http.ResponseWriter, r *http.Request) {
 func inviteMembers(c *Context, w http.ResponseWriter, r *http.Request) {
 	invites := model.InvitesFromJson(r.Body)
 	if len(invites.Invites) == 0 {
-		c.Err = model.NewLocAppError("Team.InviteMembers", "api.team.invite_members.no_one.app_error", nil, "")
+		c.Err = model.NewLocAppError("inviteMembers", "api.team.invite_members.no_one.app_error", nil, "")
 		c.Err.StatusCode = http.StatusBadRequest
 		return
 	}
 
+	if utils.IsLicensed {
+		if *utils.Cfg.TeamSettings.RestrictTeamInvite == model.TEAM_INVITE_SYSTEM_ADMIN && !c.IsSystemAdmin() {
+			c.Err = model.NewLocAppError("inviteMembers", "api.team.invite_members.restricted_system_admin.app_error", nil, "")
+			return
+		}
+
+		if *utils.Cfg.TeamSettings.RestrictTeamInvite == model.TEAM_INVITE_TEAM_ADMIN && !c.IsTeamAdmin() {
+			c.Err = model.NewLocAppError("inviteMembers", "api.team.invite_members.restricted_team_admin.app_error", nil, "")
+			return
+		}
+	}
+
 	tchan := Srv.Store.Team().Get(c.TeamId)
 	uchan := Srv.Store.User().Get(c.Session.UserId)
 
diff --git a/api/team_test.go b/api/team_test.go
index 30952b4d8..91c73bed5 100644
--- a/api/team_test.go
+++ b/api/team_test.go
@@ -363,9 +363,10 @@ func TestTeamPermDelete(t *testing.T) {
 }
 
 func TestInviteMembers(t *testing.T) {
-	th := Setup().InitBasic()
+	th := Setup().InitBasic().InitSystemAdmin()
 	th.BasicClient.Logout()
 	Client := th.BasicClient
+	SystemAdminClient := th.SystemAdminClient
 
 	team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
 	team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team)
@@ -389,10 +390,54 @@ func TestInviteMembers(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	invites = &model.Invites{Invites: []map[string]string{}}
-	if _, err := Client.InviteMembers(invites); err == nil {
+	invites2 := &model.Invites{Invites: []map[string]string{}}
+	if _, err := Client.InviteMembers(invites2); err == nil {
 		t.Fatal("Should have errored out on no invites to send")
 	}
+
+	restrictTeamInvite := *utils.Cfg.TeamSettings.RestrictTeamInvite
+	defer func() {
+		*utils.Cfg.TeamSettings.RestrictTeamInvite = restrictTeamInvite
+	}()
+	*utils.Cfg.TeamSettings.RestrictTeamInvite = model.TEAM_INVITE_TEAM_ADMIN
+
+	th.LoginBasic2()
+	LinkUserToTeam(th.BasicUser2, team)
+
+	if _, err := Client.InviteMembers(invites); err != nil {
+		t.Fatal(err)
+	}
+
+	isLicensed := utils.IsLicensed
+	defer func() {
+		utils.IsLicensed = isLicensed
+	}()
+	utils.IsLicensed = true
+
+	if _, err := Client.InviteMembers(invites); err == nil {
+		t.Fatal("should have errored not team admin and licensed")
+	}
+
+	UpdateUserToTeamAdmin(th.BasicUser2, team)
+	Client.Logout()
+	th.LoginBasic2()
+	Client.SetTeamId(team.Id)
+
+	if _, err := Client.InviteMembers(invites); err != nil {
+		t.Fatal(err)
+	}
+
+	*utils.Cfg.TeamSettings.RestrictTeamInvite = model.TEAM_INVITE_SYSTEM_ADMIN
+
+	if _, err := Client.InviteMembers(invites); err == nil {
+		t.Fatal("should have errored not system admin and licensed")
+	}
+
+	LinkUserToTeam(th.SystemAdminUser, team)
+
+	if _, err := SystemAdminClient.InviteMembers(invites); err != nil {
+		t.Fatal(err)
+	}
 }
 
 func TestUpdateTeamDisplayName(t *testing.T) {