Missing "invite others..." button for staff moderators when PM is disabled


(BaldvinTh) #1

Greetings!

I’ve encountered a slight issue, not sure if this is by design for some reason, but it seems that staff moderators are not included in can_invite_to(o,g) when SiteSetting.enable_private_messages is disabled. This makes mods unable to invite other moderators or groups to private messages / warnings.

Lines 248-260 in guardian.rb seem to describe that administrators can ignore the enable_private_messages just fine, but staff moderators appear to be left out.

Would it be viable to replace is_admin with is_staff here?

  def can_invite_to?(object, group_ids=nil)
    return false unless authenticated?
-    return true if is_admin?
+    return true if is_staff?
    return false unless SiteSetting.enable_private_messages?
    return false if (SiteSetting.max_invites_per_day.to_i == 0 && !is_staff?)
    return false unless can_see?(object)
    return false if group_ids.present?

    if object.is_a?(Topic) && object.category
      if object.category.groups.any?
        return true if object.category.groups.all? { |g| can_edit_group?(g) }
      end
    end
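Review bot: "return true if is_staff?" sits above both "return false unless can_see?(object)" and "return false if group_ids.present?", so with this change a moderator gets true for any object and any group_ids, not only past the enable_private_messages setting. If the aim is only to let moderators through that setting, keep the is_admin? line and change the setting check instead, for example "return false unless SiteSetting.enable_private_messages? || is_staff?", so the visibility and group checks still apply to moderators.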

Reproduction steps:

As admin

  • Have private messages disabled
  • Send a message / warning to any user
  • Invite moderators group to convo with “invite others…” button

As staff moderator

  • Have private messages disabled
  • Send a message / warning to any user
  • Notice missing “invite others…” button, cannot involve other moderators / staff members

(Jeff Atwood) #2

What do you think @sam?


(BaldvinTh) #3

Another thing with the can_invite_to, users with TL below the SiteSetting.min_trust_to_send_messages can circumvent creating new PMs by inviting users to PMs created by system (and possibly discobot) when PMs are enabled.

Yes, our users are a creative bunch. :stuck_out_tongue:

Example repro (I’ve verified this works on our forum):

  • Have private messages enabled
  • Have SiteSetting.min_trust_to_send_messages = TL4
  • Create user with TL2
  • Go to /u/:username/activity
  • Click Download All button
  • @system will message you with a download link
  • Notice there’s an “Invite others…” button in message
  • Invite another user to message

(Jeff Atwood) #4

Yes we should patch that hole @eviltrout… if PMs are disabled globally (which affects everyone but staff) they shouldn’t be able to do that!

Thanks for the detailed repro report!


(BaldvinTh) #5

I apologize if I caused some confusion. The issues are separate: one with PMs disabled, the other with PMs enabled but required TL set to 4.

Top report

  • Private messages disabled
  • Staff can send messages
  • Admins can invite others, staff (moderators) cannot

Second post (with repro)

  • Private messages enabled
  • Min trust to create new posts set to TL4
  • Users can circumvent “creating new posts” if they are TL2 with the “Invite others…” button on system messages
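
Added example, not part of the thread and not Discourse's code: a toy Ruby model of the two reports above, with the check as described beside one that reuses the "may send a PM" rule for invites. All class, method and user names are hypothetical, and treating visibility as "admin or participant" is an assumption of the model.

```ruby
# Toy model of the two reports in this thread. Constructed for illustration;
# every name here is hypothetical and none of it is Discourse's Guardian.
User = Struct.new(:name, :trust_level, :admin, :moderator, keyword_init: true) do
  def staff?
    admin || moderator
  end
end
Settings = Struct.new(:enable_private_messages, :min_trust_to_send_messages, keyword_init: true)
Message = Struct.new(:participants, keyword_init: true) # a private-message topic

InvitePolicy = Struct.new(:user, :settings) do
  # Assumed visibility rule for the model: admins and participants only.
  def can_see?(message)
    user.admin || message.participants.include?(user.name)
  end

  # Rule for composing a new PM: staff always, others by switch and trust level.
  def can_send_private_message?
    return true if user.staff?
    settings.enable_private_messages && user.trust_level >= settings.min_trust_to_send_messages
  end

  # Shape of the reported check: admin bypass, global switch, no trust-level test.
  def can_invite_reported?(message)
    return true if user.admin
    return false unless settings.enable_private_messages
    can_see?(message)
  end

  # Inviting adds a recipient, so it reuses the send rule after the visibility check.
  def can_invite_hardened?(message)
    can_see?(message) && can_send_private_message?
  end
end

# Both reports as constructed scenarios; returns the decision of each check.
def scenarios
  mod = User.new(name: "mod", trust_level: 2, admin: false, moderator: true)
  tl2 = User.new(name: "tl2", trust_level: 2, admin: false, moderator: false)
  pms_off = Settings.new(enable_private_messages: false, min_trust_to_send_messages: 1)
  tl4_only = Settings.new(enable_private_messages: true, min_trust_to_send_messages: 4)
  warning = Message.new(participants: %w[mod warned_user]) # first report
  export = Message.new(participants: %w[system tl2])       # second report
  { mod_reported: InvitePolicy.new(mod, pms_off).can_invite_reported?(warning),
    mod_hardened: InvitePolicy.new(mod, pms_off).can_invite_hardened?(warning),
    tl2_reported: InvitePolicy.new(tl2, tl4_only).can_invite_reported?(export),
    tl2_hardened: InvitePolicy.new(tl2, tl4_only).can_invite_hardened?(export) }
end
```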