From 0fc9fdd53d726c6822857ac32ede520cfa91474f Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Thu, 6 Apr 2023 16:10:40 -0400
Subject: [PATCH] fix: throw generic not-allowed error on groups.join if a non-owner tries to add another user to a group
---
 src/api/groups.js | 2 ++
 test/groups.js | 8 ++++++++
 2 files changed, 10 insertions(+)
diff --git a/src/api/groups.js b/src/api/groups.js
index 3109a9b1e1..840f5cf97a 100644
--- a/src/api/groups.js
+++ b/src/api/groups.js
@@ -121,6 +121,8 @@ groupsAPI.join = async function (caller, data) {
 groupName: groupName,
 targetUid: data.uid,
 });
+ } else {
+ throw new Error('[[error:not-allowed]]');
 }
 };
diff --git a/test/groups.js b/test/groups.js
index 58ccb1dfcf..107f81cf5b 100644
--- a/test/groups.js
+++ b/test/groups.js
@@ -10,6 +10,7 @@ const db = require('./mocks/databasemock');
 const helpers = require('./helpers');
 const Groups = require('../src/groups');
 const User = require('../src/user');
+const utils = require('../src/utils');
 const socketGroups = require('../src/socket.io/groups');
 const apiGroups = require('../src/api/groups');
 const meta = require('../src/meta');
@@ -732,6 +733,13 @@ describe('Groups', () => {
 meta.config.allowPrivateGroups = oldValue;
 });
+ it('should fail to add user to group if calling uid is non-self and non-admin', async () => {
+ const uid1 = await User.create({ username: utils.generateUUID().slice(0, 8) });
+ const uid2 = await User.create({ username: utils.generateUUID().slice(0, 8) });
+
+ assert.rejects(apiGroups.join({ uid: uid1 }, { slug: 'test', uid: uid2 }, '[[error:not-allowed]]'));
+ });
+
 it('should allow admins to join private groups', async () => {
 await apiGroups.join({ uid: adminUid }, { uid: adminUid, slug: 'global-moderators' });
 assert(await Groups.isMember(adminUid, 'Global Moderators'));
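Review bot: The new `else` branch in groupsAPI.join throws the same `[[error:not-allowed]]` for every caller that is not permitted to add `data.uid`, and nothing in the code records that this uniformity is intended; the commit subject calls the error "generic", which reads as a deliberate choice not to leak whether the group exists or who may add members, and a later maintainer could easily split it into more specific messages. I would add `// Deliberately generic: do not reveal whether the group exists or who may add members to it` above the throw. The conditions that route a caller into this branch (self-join, admin/owner checks) sit earlier in groupsAPI.join, outside the hunk, so I cannot confirm from here that every unauthorized path reaches this branch rather than an earlier, more specific error.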
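Review bot: The new test in test/groups.js cannot fail as written: `assert.rejects(...)` returns a promise that is never awaited, so a resolved `join` would only surface as an unhandled rejection after the `it` callback has already passed, and the `'[[error:not-allowed]]'` string is passed to `apiGroups.join` as a third argument rather than to `assert.rejects`, so the error message is never checked at all. The line should read `await assert.rejects(apiGroups.join({ uid: uid1 }, { slug: 'test', uid: uid2 }), { message: '[[error:not-allowed]]' });`. Whether a group with slug `test` exists at this point in the suite is not visible in the hunk; if it does not, the rejection may come from a group-lookup failure rather than the new branch, which is another reason to assert on the message rather than on rejection alone.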