From d1e1da858068c8e4ed0212a99c8185f05c448470 Mon Sep 17 00:00:00 2001
From: Anton Ignatov
Date: Wed, 14 Aug 2019 14:47:02 +0200
Subject: [PATCH] Fix permission check for invite users

---
 app/controllers/users/invitations_controller.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/controllers/users/invitations_controller.rb b/app/controllers/users/invitations_controller.rb
index 9742c643c..259dd2ce3 100644
--- a/app/controllers/users/invitations_controller.rb
+++ b/app/controllers/users/invitations_controller.rb
@@ -188,10 +188,10 @@ module Users
       @team = Team.find_by_id(params['teamId'])
       @role = params['role']
 
-      return render_403 unless @emails && @team && @role
-      return render_403 if @emails.empty?
-      return render_403 unless can_manage_team_users?(@team)
-      return render_403 unless UserTeam.roles.key?(@role)
+      return render_403 if @team && @role.nil? # if we select team, we must select role
+      return render_403 if @emails.blank? # We must have at least one email
+      return render_403 if @team && !can_manage_team_users?(@team) # if we select team, we must check permission
+      return render_403 if @role && !UserTeam.roles.key?(@role) # if we select role, we must check that this role exist
     end
   end
 end
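Review bot: A `teamId` that resolves to no record is now silently treated as a team-less invite, because every added guard is conditioned on `@team` being truthy and `Team.find_by_id` returns nil for an unknown id; a mistyped or stale id therefore skips the `can_manage_team_users?` check instead of failing. Whether that is harmless depends on what the rest of the action does with a nil `@team`, which is outside the hunk, but rejecting a supplied-but-unresolvable id is the safer default: `return render_403 if params['teamId'].present? && @team.nil?` placed before the first added guard. The trailing explanations push the `+` lines well past conventional width; putting each comment on its own line above the guard it describes reads better. The enclosing method starts before the hunk, where `@emails` is built, so its handling of that input is not visible here.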