diff --git a/ghost/core/core/server/models/invite.js b/ghost/core/core/server/models/invite.js
index a957509498..f2af62b6de 100644
--- a/ghost/core/core/server/models/invite.js
+++ b/ghost/core/core/server/models/invite.js
@@ -93,8 +93,7 @@ Invite = ghostBookshelf.Model.extend({
 } else if (_.some(loadedPermissions.user.roles, {name: 'Editor'})) {
 allowed = ['Author', 'Contributor'];
 }
- }
- if (loadedPermissions.apiKey) {
+ } else if (loadedPermissions.apiKey) {
 allowed = ['Editor', 'Author', 'Contributor'];
 }

diff --git a/ghost/core/test/unit/server/models/invite.test.js b/ghost/core/test/unit/server/models/invite.test.js
index 70e052516c..166af92b34 100644
--- a/ghost/core/test/unit/server/models/invite.test.js
+++ b/ghost/core/test/unit/server/models/invite.test.js
@@ -153,6 +153,21 @@ describe('Unit: models/invite', function () {
 });
 });

+ it('invite editor with staff token', function () {
+ loadedPermissions.apiKey = {
+ roles: [{name: 'Admin Integration'}]
+ };
+ sinon.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
+ roleModel.get.withArgs('name').returns('Editor');
+
+ return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions, true, true, true)
+ .then(Promise.reject)
+ .catch((err) => {
+ (err instanceof errors.NoPermissionError).should.eql(true);
+ delete loadedPermissions.apiKey;
+ });
+ });
+
 it('invite author', function () {
 sinon.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
 roleModel.get.withArgs('name').returns('Author');
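Review bot: The new `} else if (loadedPermissions.apiKey) {` line in invite.js is the only thing that keeps a request carrying both a user and an API key from receiving the key's invite list, and nothing in the code records that the ordering is a security decision. A later refactor back to two independent `if` statements would silently restore the override, so I would add a comment above the branch such as `// Order matters: when a user is loaded (e.g. staff token) their role decides; apiKey applies only when no user is present.` The staff-token reading is inferred from the accompanying test, not from this hunk. The apiKey branch also assigns `['Editor', 'Author', 'Contributor']` without inspecting the key's roles; whether every key type that reaches it should be able to invite Editors cannot be confirmed here, because the enclosing function starts and ends outside the hunk.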
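Review bot: In the new 'invite editor with staff token' test, `delete loadedPermissions.apiKey;` sits after the assertion inside `.catch`, so a failing assertion skips the cleanup and leaves `apiKey` set on `loadedPermissions`, which appears to be shared with the later cases (it is declared outside the hunk, as is the enclosing `describe`). Moving the cleanup to `.finally(() => { delete loadedPermissions.apiKey; })` or to an `afterEach` keeps a regression in this permission check from altering the tests that follow. `.then(Promise.reject)` also passes the method unbound; if `Promise` is the native one here, a wrongly granted permission would surface as a TypeError failing the `instanceof` check rather than a clear message, and `.then(() => { throw new Error('expected NoPermissionError'); })` states the intent directly.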