send invites as owner if added via an admin api key

Author: kevinansfield

core/server/api/invites.js

@@ -101,7 +101,6 @@ const invites = {
                 .then((response) => {
                     const adminUrl = urlService.utils.urlFor('admin', true);
 
-                    // TODO: how to handle invitedBy for API Key requests
                     emailData = {
                         blogName: response.settings[0].value,
                         invitedByName: loggedInUser.get('name'),
@@ -194,7 +193,10 @@ const invites = {
                 const loggedInUserRole = loggedInUser.related('roles').models[0].get('name');
                 let allowed = [];
 
-                if (loggedInUserRole === 'Owner' || loggedInUserRole === 'Administrator') {
+                let userHasAdminRole = options.context.user && (loggedInUserRole === 'Owner' || loggedInUserRole === 'Administrator');
+
+                // admin api keys have an equivalent of the Adminstrator role
+                if (options.context.api_key || userHasAdminRole) {
                     allowed = ['Administrator', 'Editor', 'Author', 'Contributor'];
                 } else if (loggedInUserRole === 'Editor') {
                     allowed = ['Author', 'Contributor'];
@@ -235,11 +237,29 @@ const invites = {
                 });
         }
 
+        function fetchOwner(options) {
+            return models.User.getOwnerUser(merge({}, omit(options, 'data'), {withRelated: ['roles']}))
+                .then((owner) => {
+                    loggedInUser = owner;
+                    return options;
+                });
+        }
+
+        // API Key requests are not tied to a user so send the invite from the
+        // owner user instead
+        function fetchLoggedInUserOrOwner(options) {
+            if (options.context.api_key && !options.context.user) {
+                return fetchOwner(options);
+            }
+
+            return fetchLoggedInUser(options);
+        }
+
         tasks = [
             localUtils.validate(docName, {opts: ['email']}),
             localUtils.convertOptions(allowedIncludes),
             localUtils.handlePermissions(docName, 'add'),
-            fetchLoggedInUser,
+            fetchLoggedInUserOrOwner,
             validation,
             checkIfUserExists,
             destroyOldInvite,

core/test/integration/api/api_invites_spec.js

@@ -13,7 +13,14 @@ var should = require('should'),
 
 describe('Invites API', function () {
     before(testUtils.teardown);
-    before(testUtils.setup('invites', 'settings', 'users:roles', 'perms:invite', 'perms:init'));
+    before(testUtils.setup(
+        'invites',
+        'settings',
+        'users:roles',
+        'api_keys',
+        'perms:invite',
+        'perms:init'
+    ));
 
     beforeEach(function () {
         sandbox.stub(mail, 'send').callsFake(function () {
@@ -440,5 +447,65 @@ describe('Invites API', function () {
                 }).catch(done);
             });
         });
+
+        describe('Admin API Key', function () {
+            it('CANNOT invite an Owner', function (done) {
+                InvitesAPI.add({
+                    invites: [
+                        {
+                            email: '[email protected]',
+                            role_id: testUtils.roles.ids.owner
+                        }
+                    ]
+                }, testUtils.context.admin_api_key).then(function () {
+                    done(new Error('API Key should not be able to add an owner'));
+                }).catch(checkForErrorType('NoPermissionError', done));
+            });
+
+            it('Can invite an Admin', function (done) {
+                InvitesAPI.add({
+                    invites: [
+                        {
+                            email: '[email protected]',
+                            role_id: testUtils.roles.ids.admin
+                        }
+                    ]
+                }, _.merge({}, {include: 'roles'}, testUtils.context.admin_api_key)).then(function (response) {
+                    checkAddResponse(response);
+                    response.invites[0].role_id.should.equal(testUtils.roles.ids.admin);
+                    done();
+                }).catch(done);
+            });
+
+            it('Can invite an Editor', function (done) {
+                InvitesAPI.add({
+                    invites: [
+                        {
+                            email: '[email protected]',
+                            role_id: testUtils.roles.ids.editor
+                        }
+                    ]
+                }, testUtils.context.admin_api_key).then(function (response) {
+                    checkAddResponse(response);
+                    response.invites[0].role_id.should.equal(testUtils.roles.ids.editor);
+                    done();
+                }).catch(done);
+            });
+
+            it('Can invite an Author', function (done) {
+                InvitesAPI.add({
+                    invites: [
+                        {
+                            email: '[email protected]',
+                            role_id: testUtils.roles.ids.author
+                        }
+                    ]
+                }, testUtils.context.admin_api_key).then(function (response) {
+                    checkAddResponse(response);
+                    response.invites[0].role_id.should.equal(testUtils.roles.ids.author);
+                    done();
+                }).catch(done);
+            });
+        });
     });
 });

core/test/utils/index.js

@@ -1158,7 +1158,9 @@ module.exports = {
         admin: {context: {user: DataGenerator.Content.users[1].id}},
         editor: {context: {user: DataGenerator.Content.users[2].id}},
         author: {context: {user: DataGenerator.Content.users[3].id}},
-        contributor: {context: {user: DataGenerator.Content.users[7].id}}
+        contributor: {context: {user: DataGenerator.Content.users[7].id}},
+        admin_api_key: {context: {api_key: DataGenerator.Content.api_keys[0].id}},
+        content_api_key: {context: {api_key: DataGenerator.Content.api_keys[1].id}}
     },
     permissions: {
         owner: {user: {roles: [DataGenerator.Content.roles[3]]}},