From 97e40c81f3f32cd1a3e948432320991e1a8a8a22 Mon Sep 17 00:00:00 2001
From: Keith Holliday
Date: Fri, 30 Dec 2016 13:17:22 -0600
Subject: [PATCH] Added error when nonleader attempts to invite to group plan (#8331)
---
 .../groups/POST-groups_invite.test.js | 20 +++++++++++++++++++
 website/common/locales/en/groups.json | 3 ++-
 website/server/controllers/api-v3/groups.js | 2 ++
 3 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/test/api/v3/integration/groups/POST-groups_invite.test.js b/test/api/v3/integration/groups/POST-groups_invite.test.js
index 171f080e84..d163964c37 100644
--- a/test/api/v3/integration/groups/POST-groups_invite.test.js
+++ b/test/api/v3/integration/groups/POST-groups_invite.test.js
@@ -300,6 +300,26 @@ describe('Post /groups/:groupId/invite', () => {
 message: t('userAlreadyInGroup'),
 });
 });
+
+ // @TODO: Add this after we are able to mock the group plan route
+ xit('returns an error when a non-leader invites to a group plan', async () => {
+ let userToInvite = await generateUser();
+
+ let nonGroupLeader = await generateUser();
+ await inviter.post(`/groups/${group._id}/invite`, {
+ uuids: [nonGroupLeader._id],
+ });
+ await nonGroupLeader.post(`/groups/${group._id}/join`);
+
+ await expect(nonGroupLeader.post(`/groups/${group._id}/invite`, {
+ uuids: [userToInvite._id],
+ }))
+ .to.eventually.be.rejected.and.eql({
+ code: 401,
+ error: 'NotAuthorized',
+ message: t('onlyGroupLeaderCanInviteToGroupPlan'),
+ });
+ });
 });
 describe('party invites', () => {
diff --git a/website/common/locales/en/groups.json b/website/common/locales/en/groups.json
index 0fbabdee56..4ab912db44 100644
--- a/website/common/locales/en/groups.json
+++ b/website/common/locales/en/groups.json
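Review bot: The new case in POST-groups_invite.test.js is registered with `xit`, so Mocha skips it and the leader-only rule added to `api.inviteToGroup` ships without any test that actually executes. As the TODO implies, nothing in the visible setup puts `group` on a subscription, so switching to `it` alone would not exercise the check; a fixture that creates the group with `purchased.plan.customerId` already set would let it run without mocking the plan route, if the test helpers allow that (not visible here). When it is enabled, pair it with a case where the leader invites successfully to the same subscribed group, so a comparison that also rejects the leader is caught. The enclosing `describe` block starts and ends outside the hunk.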
@@ -253,5 +253,6 @@
 "refreshGroupTasks": "Refresh Group Tasks",
 "claimedBy": "\n\nClaimed by: <%= claimingUsers %>",
 "cantDeleteAssignedGroupTasks": "Can't delete group tasks that are assigned to you.",
- "confirmGuildPlanCreation": "Create this group?"
+ "confirmGuildPlanCreation": "Create this group?",
+ "onlyGroupLeaderCanInviteToGroupPlan": "Only the group leader can invite users to a group with a subscription."
 }
diff --git a/website/server/controllers/api-v3/groups.js b/website/server/controllers/api-v3/groups.js
index 9e52b4808f..dd6f2de1e9 100644
--- a/website/server/controllers/api-v3/groups.js
+++ b/website/server/controllers/api-v3/groups.js
@@ -893,6 +893,8 @@ api.inviteToGroup = {
 let group = await Group.getGroup({user, groupId: req.params.groupId, fields: '-chat'});
 if (!group) throw new NotFound(res.t('groupNotFound'));
+ if (group.purchased && group.purchased.plan.customerId && user._id !== group.leader) throw new NotAuthorized(res.t('onlyGroupLeaderCanInviteToGroupPlan'));
+
 let uuids = req.body.uuids;
 let emails = req.body.emails;
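Review bot: The added guard in `api.inviteToGroup` reads `group.purchased.plan.customerId` after testing only `group.purchased`, so a group document with `purchased` set but no `plan` would throw a TypeError and surface as a server error rather than an authorization decision; `group.purchased && group.purchased.plan && group.purchased.plan.customerId` closes that unless the schema guarantees `plan`, which is not visible here. The decision also depends on `user._id !== group.leader` comparing two values of the same type: if `getGroup` ever returns a populated or non-string leader, the strict comparison fails closed and rejects the leader as well, so a comment such as `// group.leader is the leader's id string here (leader not populated)` would record the assumption. Using a truthy `customerId` as the marker for a subscribed group means any plan state without a customer id is not covered by this rule; whether such states exist cannot be told from the hunk. The handler's body starts and ends outside the hunk, so other routes that add members to a subscribed group are not visible and should be checked for the same rule.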