fix: remove socketGroups.addMember; update admin checks to allow admin:groups privilege, hide add member controls if not admin

src/api/groups.js

@@ -77,7 +77,7 @@ groupsAPI.join = async function (caller, data) {
 		throw new Error('[[error:no-group]]');
 	}
 
-	const isCallerAdmin = await user.isAdministrator(caller.uid);
+	const isCallerAdmin = await privileges.admin.can('admin:groups', caller.uid);
 	if (!isCallerAdmin && (
 		groups.systemGroups.includes(groupName) ||
 		groups.isPrivilegeGroup(groupName)
@@ -85,9 +85,8 @@ groupsAPI.join = async function (caller, data) {
 		throw new Error('[[error:not-allowed]]');
 	}
 
-	const [groupData, isCallerOwner, userExists] = await Promise.all([
+	const [groupData, userExists] = await Promise.all([
 		groups.getGroupData(groupName),
-		groups.ownership.isOwner(caller.uid, groupName),
 		user.exists(data.uid),
 	]);
 
@@ -110,9 +109,9 @@ groupsAPI.join = async function (caller, data) {
 		throw new Error('[[error:group-join-disabled]]');
 	}
 
-	if ((!groupData.private && isSelf) || isCallerAdmin || isCallerOwner) {
+	if ((!groupData.private && isSelf) || isCallerAdmin) {
 		await groups.join(groupName, data.uid);
-		logGroupEvent(caller, 'group-join', {
+		logGroupEvent(caller, `group-${isSelf ? 'join' : 'add-member'}`, {
 			groupName: groupName,
 			targetUid: data.uid,
 		});

src/controllers/groups.js

@@ -46,7 +46,7 @@ groupsController.details = async function (req, res, next) {
 	const [exists, isHidden, isAdmin, isGlobalMod] = await Promise.all([
 		groups.exists(groupName),
 		groups.isHidden(groupName),
-		user.isAdministrator(req.uid),
+		privileges.admin.can('admin:groups', req.uid),
 		user.isGlobalModerator(req.uid),
 	]);
 	if (!exists) {

src/socket.io/groups.js

@@ -3,7 +3,6 @@
 const groups = require('../groups');
 const user = require('../user');
 const utils = require('../utils');
-const events = require('../events');
 const privileges = require('../privileges');
 
 const SocketGroups = module.exports;
@@ -14,48 +13,6 @@ SocketGroups.before = async (socket, method, data) => {
 	}
 };
 
-SocketGroups.addMember = async (socket, data) => {
-	await isOwner(socket, data);
-	if (data.groupName === 'administrators' || groups.isPrivilegeGroup(data.groupName)) {
-		throw new Error('[[error:not-allowed]]');
-	}
-	if (!data.uid) {
-		throw new Error('[[error:invalid-data]]');
-	}
-	data.uid = !Array.isArray(data.uid) ? [data.uid] : data.uid;
-	if (data.uid.filter(uid => !(parseInt(uid, 10) > 0)).length) {
-		throw new Error('[[error:invalid-uid]]');
-	}
-	for (const uid of data.uid) {
-		// eslint-disable-next-line no-await-in-loop
-		await groups.join(data.groupName, uid);
-	}
-
-	logGroupEvent(socket, 'group-add-member', {
-		groupName: data.groupName,
-		targetUid: String(data.uid),
-	});
-};
-
-async function isOwner(socket, data) {
-	if (typeof data.groupName !== 'string') {
-		throw new Error('[[error:invalid-group-name]]');
-	}
-	const results = await utils.promiseParallel({
-		hasAdminPrivilege: privileges.admin.can('admin:groups', socket.uid),
-		isGlobalModerator: user.isGlobalModerator(socket.uid),
-		isOwner: groups.ownership.isOwner(socket.uid, data.groupName),
-		group: groups.getGroupData(data.groupName),
-	});
-
-	const isOwner = results.isOwner ||
-		results.hasAdminPrivilege ||
-		(results.isGlobalModerator && !results.group.system);
-	if (!isOwner) {
-		throw new Error('[[error:no-privileges]]');
-	}
-}
-
 SocketGroups.search = async (socket, data) => {
 	data.options = data.options || {};
 
@@ -166,13 +123,4 @@ async function canModifyGroup(uid, groupName) {
 	}
 }
 
-function logGroupEvent(socket, event, additional) {
-	events.log({
-		type: event,
-		uid: socket.uid,
-		ip: socket.ip,
-		...additional,
-	});
-}
-
 require('../promisify')(SocketGroups);