diff --git a/src/api/groups.js b/src/api/groups.js index 52a759af1217..88d42df183fb 100644 --- a/src/api/groups.js +++ b/src/api/groups.js @@ -54,19 +54,21 @@ groupsAPI.join = async function (caller, data) { throw new Error('[[error:invalid-uid]]'); } - const isSelf = parseInt(caller.uid, 10) === parseInt(data.uid, 10); const groupName = await groups.getGroupNameByGroupSlug(data.slug); if (!groupName) { throw new Error('[[error:no-group]]'); } - if (groups.systemGroups.includes(groupName) || groups.isPrivilegeGroup(groupName)) { + const isCallerAdmin = await user.isAdministrator(caller.uid); + if (!isCallerAdmin && ( + groups.systemGroups.includes(groupName) || + groups.isPrivilegeGroup(groupName) + )) { throw new Error('[[error:not-allowed]]'); } - const [groupData, isCallerAdmin, isCallerOwner, userExists] = await Promise.all([ + const [groupData, isCallerOwner, userExists] = await Promise.all([ groups.getGroupData(groupName), - user.isAdministrator(caller.uid), groups.ownership.isOwner(caller.uid, groupName), user.exists(data.uid), ]); @@ -75,6 +77,7 @@ groupsAPI.join = async function (caller, data) { throw new Error('[[error:invalid-uid]]'); } + const isSelf = parseInt(caller.uid, 10) === parseInt(data.uid, 10); if (!meta.config.allowPrivateGroups && isSelf) { // all groups are public! await groups.join(groupName, data.uid); @@ -85,7 +88,7 @@ groupsAPI.join = async function (caller, data) { return; } - if (groupData.private && groupData.disableJoinRequests) { + if (isSelf && groupData.private && groupData.disableJoinRequests) { throw new Error('[[error:group-join-disabled]]'); } diff --git a/test/groups.js b/test/groups.js index 5f0f64c0faf9..643eff6ee004 100644 --- a/test/groups.js +++ b/test/groups.js @@ -655,6 +655,13 @@ describe('Groups', function () { }); }); + it('should add user to Global Moderators group', async function () { + const uid = await User.create({ username: 'glomod' }); + await socketGroups.join({ uid: adminUid }, { groupName: 'Global Moderators', uid: uid }); + const isGlobalMod = await User.isGlobalModerator(uid); + assert.strictEqual(isGlobalMod, true); + }); + it('should add user to multiple groups', function (done) { var groupNames = ['test-hidden1', 'Test', 'test-hidden2', 'empty group']; Groups.create({ name: 'empty group' }, function (err) { @@ -804,7 +811,7 @@ describe('Groups', function () { }); it('should return error if group name is special', function (done) { - socketGroups.join({ uid: adminUid }, { groupName: 'administrators' }, function (err) { + socketGroups.join({ uid: testUid }, { groupName: 'administrators' }, function (err) { assert.equal(err.message, '[[error:not-allowed]]'); done(); });