Dont allow guests..developers to manage group members

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

1 files changed, 8 insertions, 2 deletions

diff --git a/lib/api/group_members.rb b/lib/api/group_members.rb
index 24c141e9b71..d596517c816 100644
--- a/lib/api/group_members.rb
+++ b/lib/api/group_members.rb
@@ -39,14 +39,18 @@ module API
       # Example Request:
       #  POST /groups/:id/members
       post ":id/members" do
+        group = find_group(params[:id])
+        authorize! :manage_group, group
         required_attributes! [:user_id, :access_level]
+
         unless validate_access_level?(params[:access_level])
           render_api_error!("Wrong access level", 422)
         end
-        group = find_group(params[:id])
+
         if group.group_members.find_by(user_id: params[:user_id])
           render_api_error!("Already exists", 409)
         end
+
         group.add_users([params[:user_id]], params[:access_level])
         member = group.group_members.find_by(user_id: params[:user_id])
         present member.user, with: Entities::GroupMember, group: group
@@ -62,7 +66,9 @@ module API
       #   DELETE /groups/:id/members/:user_id
       delete ":id/members/:user_id" do
         group = find_group(params[:id])
-        member =  group.group_members.find_by(user_id: params[:user_id])
+        authorize! :manage_group, group
+        member = group.group_members.find_by(user_id: params[:user_id])
+
         if member.nil?
           render_api_error!("404 Not Found - user_id:#{params[:user_id]} not a member of group #{group.name}",404)
         else