Invite is now also separate

src/routes/users.js

@@ -8,7 +8,6 @@ exports = module.exports = {
     del,
     setPassword,
     verifyPassword,
-    sendInvite,
     setGroups,
     setGhost,
     makeOwner,
@@ -16,6 +15,9 @@ exports = module.exports = {
     getPasswordResetLink,
     sendPasswordResetEmail,
 
+    getInviteLink,
+    sendInviteEmail,
+
     disableTwoFactorAuthentication,
 
     load
@@ -156,17 +158,6 @@ async function disableTwoFactorAuthentication(req, res, next) {
     next(new HttpSuccess(200, {}));
 }
 
-async function sendInvite(req, res, next) {
-    assert.strictEqual(typeof req.resource, 'object');
-
-    if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
-
-    const [error, inviteLink ] = await safe(users.sendInvite(req.resource, { invitor: req.user }, AuditSource.fromRequest(req)));
-    if (error) return next(BoxError.toHttpError(error));
-
-    next(new HttpSuccess(200, { inviteLink }));
-}
-
 async function setGroups(req, res, next) {
     assert.strictEqual(typeof req.body, 'object');
     assert.strictEqual(typeof req.resource, 'object');
@@ -224,6 +215,8 @@ async function makeOwner(req, res, next) {
 async function getPasswordResetLink(req, res, next) {
     assert.strictEqual(typeof req.resource, 'object');
 
+    if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
+
     let [error, passwordResetLink] = await safe(users.getPasswordResetLink(req.resource, AuditSource.fromRequest(req)));
     if (error) return next(BoxError.toHttpError(error));
 
@@ -234,9 +227,33 @@ async function sendPasswordResetEmail(req, res, next) {
     assert.strictEqual(typeof req.resource, 'object');
 
     if (!req.body.email || typeof req.body.email !== 'string') return next(new HttpError(400, 'email must be a non-empty string'));
+    if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
 
     let [error] = await safe(users.sendPasswordResetEmail(req.resource, req.body.email, AuditSource.fromRequest(req)));
     if (error)  return next(BoxError.toHttpError(error));
 
     next(new HttpSuccess(202, {}));
 }
+
+async function getInviteLink(req, res, next) {
+    assert.strictEqual(typeof req.resource, 'object');
+
+    if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
+
+    let [error, inviteLink] = await safe(users.getInviteLink(req.resource, AuditSource.fromRequest(req)));
+    if (error) return next(BoxError.toHttpError(error));
+
+    next(new HttpSuccess(200, { inviteLink }));
+}
+
+async function sendInviteEmail(req, res, next) {
+    assert.strictEqual(typeof req.resource, 'object');
+
+    if (!req.body.email || typeof req.body.email !== 'string') return next(new HttpError(400, 'email must be a non-empty string'));
+    if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
+
+    let [error] = await safe(users.sendInviteEmail(req.resource, req.body.email, AuditSource.fromRequest(req)));
+    if (error)  return next(BoxError.toHttpError(error));
+
+    next(new HttpSuccess(202, {}));
+}