Merge branch 'add-post-invitations-with-email' into 'master'

Add API post /invitations by email

See merge request gitlab-org/gitlab!45950

app/graphql/types/group_invitation_type.rb

+# frozen_string_literal: true
+
+module Types
+  class GroupInvitationType < BaseObject
+    expose_permissions Types::PermissionTypes::Group
+    authorize :read_group
+
+    implements InvitationInterface
+
+    graphql_name 'GroupInvitation'
+    description 'Represents a Group Invitation'
+
+    field :group, Types::GroupType, null: true,
+          description: 'Group that a User is invited to',
+          resolve: -> (obj, _args, _ctx) { Gitlab::Graphql::Loaders::BatchModelLoader.new(Group, obj.source_id).find }
+  end
+end

app/graphql/types/invitation_interface.rb

+# frozen_string_literal: true
+
+module Types
+  module InvitationInterface
+    include BaseInterface
+
+    field :email, GraphQL::STRING_TYPE, null: false,
+          description: 'Email of the member to invite'
+
+    field :access_level, Types::AccessLevelType, null: true,
+          description: 'GitLab::Access level'
+
+    field :created_by, Types::UserType, null: true,
+          description: 'User that authorized membership'
+
+    field :created_at, Types::TimeType, null: true,
+          description: 'Date and time the membership was created'
+
+    field :updated_at, Types::TimeType, null: true,
+          description: 'Date and time the membership was last updated'
+
+    field :expires_at, Types::TimeType, null: true,
+          description: 'Date and time the membership expires'
+
+    field :user, Types::UserType, null: true,
+          description: 'User that is associated with the member object'
+
+    definition_methods do
+      def resolve_type(object, context)
+        case object
+        when GroupMember
+          Types::GroupInvitationType
+        when ProjectMember
+          Types::ProjectInvitationType
+        else
+          raise ::Gitlab::Graphql::Errors::BaseError, "Unknown member type #{object.class.name}"
+        end
+      end
+    end
+  end
+end

app/graphql/types/project_invitation_type.rb

+# frozen_string_literal: true
+
+module Types
+  class ProjectInvitationType < BaseObject
+    graphql_name 'ProjectInvitation'
+    description 'Represents a Project Membership Invitation'
+
+    expose_permissions Types::PermissionTypes::Project
+
+    implements InvitationInterface
+
+    authorize :read_project
+
+    field :project, Types::ProjectType, null: true,
+          description: 'Project ID for the project of the invitation'
+
+    def project
+      Gitlab::Graphql::Loaders::BatchModelLoader.new(Project, object.source_id).find
+    end
+  end
+end

app/models/member.rb

@@ -96,6 +96,8 @@ class Member < ApplicationRecord
   scope :owners, -> { active.where(access_level: OWNER) }
   scope :owners_and_maintainers, -> { active.where(access_level: [OWNER, MAINTAINER]) }
   scope :with_user, -> (user) { where(user: user) }
+  scope :with_user_by_email, -> (email) { left_join_users.where(users: { email: email } ) }
+
   scope :preload_user_and_notification_settings, -> { preload(user: :notification_settings) }
 
   scope :with_source_id, ->(source_id) { where(source_id: source_id) }

app/presenters/invitation_presenter.rb

+# frozen_string_literal: true
+
+class InvitationPresenter < Gitlab::View::Presenter::Delegated
+  presents :invitation
+end

app/services/members/invite_service.rb

+# frozen_string_literal: true
+
+module Members
+  class InviteService < Members::BaseService
+    DEFAULT_LIMIT = 100
+
+    attr_reader :errors
+
+    def initialize(current_user, params)
+      @current_user, @params = current_user, params.dup
+      @errors = {}
+    end
+
+    def execute(source)
+      return error(s_('Email cannot be blank')) if params[:email].blank?
+
+      emails = params[:email].split(',').uniq.flatten
+      return error(s_("Too many users specified (limit is %{user_limit})") % { user_limit: user_limit }) if
+        user_limit && emails.size > user_limit
+
+      emails.each do |email|
+        next if existing_member?(source, email)
+
+        next if existing_invite?(source, email)
+
+        if existing_user?(email)
+          add_existing_user_as_member(current_user, source, params, email)
+          next
+        end
+
+        invite_new_member_and_user(current_user, source, params, email)
+      end
+
+      return success unless errors.any?
+
+      error(errors)
+    end
+
+    private
+
+    def invite_new_member_and_user(current_user, source, params, email)
+      new_member = (source.class.name + 'Member').constantize.create(source_id: source.id,
+        user_id: nil,
+        access_level: params[:access_level],
+        invite_email: email,
+        created_by_id: current_user.id,
+        expires_at: params[:expires_at],
+        requested_at: Time.current.utc)
+
+      unless new_member.valid? && new_member.persisted?
+        errors[params[:email]] = new_member.errors.full_messages.to_sentence
+      end
+    end
+
+    def add_existing_user_as_member(current_user, source, params, email)
+      new_member = create_member(current_user, existing_user(email), source, params.merge({ invite_email: email }))
+
+      unless new_member.valid? && new_member.persisted?
+        errors[email] = new_member.errors.full_messages.to_sentence
+      end
+    end
+
+    def create_member(current_user, user, source, params)
+      source.add_user(user, params[:access_level], current_user: current_user, expires_at: params[:expires_at])
+    end
+
+    def user_limit
+      limit = params.fetch(:limit, DEFAULT_LIMIT)
+
+      limit && limit < 0 ? nil : limit
+    end
+
+    def existing_member?(source, email)
+      existing_member = source.members.with_user_by_email(email).exists?
+
+      if existing_member
+        errors[email] = "Already a member of #{source.name}"
+        return true
+      end
+
+      false
+    end
+
+    def existing_invite?(source, email)
+      existing_invite = source.members.search_invite_email(email).exists?
+
+      if existing_invite
+        errors[email] = "Member already invited to #{source.name}"
+        return true
+      end
+
+      false
+    end
+
+    def existing_user(email)
+      User.find_by_email(email)
+    end
+
+    def existing_user?(email)
+      existing_user(email).present?
+    end
+  end
+end

changelogs/unreleased/add-post-invitations-with-email.yml

+---
+title: Add API post /invitations by email
+merge_request: 45950
+author:
+type: added

config/initializers/grape_validators.rb

@@ -8,3 +8,4 @@ Grape::Validations.register_validator(:integer_none_any, ::API::Validations::Val
 Grape::Validations.register_validator(:array_none_any, ::API::Validations::Validators::ArrayNoneAny)
 Grape::Validations.register_validator(:check_assignees_count, ::API::Validations::Validators::CheckAssigneesCount)
 Grape::Validations.register_validator(:untrusted_regexp, ::API::Validations::Validators::UntrustedRegexp)
+Grape::Validations.register_validator(:email_or_email_list, ::API::Validations::Validators::EmailOrEmailList)

doc/api/api_resources.md

@@ -40,6 +40,7 @@ The following API resources are available in the project context:
 | [Events](events.md)                                                 | `/projects/:id/events` (also available for users and standalone)                                                                                                                                      |
 | [Feature Flags](feature_flags.md)                                   | `/projects/:id/feature_flags`                                                                                                                                                                         |
 | [Feature Flag User Lists](feature_flag_user_lists.md)               | `/projects/:id/feature_flags_user_lists`                                                                                                                                                              |
+| [Invitations](invitations.md)                                       | `/projects/:id/invitations` (also available for groups)                                                                                                                                              |
 | [Issues](issues.md)                                                 | `/projects/:id/issues` (also available for groups and standalone)                                                                                                                                     |
 | [Issues Statistics](issues_statistics.md)                           | `/projects/:id/issues_statistics` (also available for groups and standalone)                                                                                                                          |
 | [Issue boards](boards.md)                                           | `/projects/:id/boards`                                                                                                                                                                                |
@@ -108,6 +109,7 @@ The following API resources are available in the group context:
 | [Group labels](group_labels.md)                                  | `/groups/:id/labels`                                                             |
 | [Group-level variables](group_level_variables.md)                | `/groups/:id/variables`                                                          |
 | [Group milestones](group_milestones.md)                          | `/groups/:id/milestones`                                                         |
+| [Invitations](invitations.md)                                    | `/groups/:id/invitations` (also available for projects)                          |
 | [Issues](issues.md)                                              | `/groups/:id/issues` (also available for projects and standalone)                |
 | [Issues Statistics](issues_statistics.md)                        | `/groups/:id/issues_statistics` (also available for projects and standalone)     |
 | [Members](members.md)                                            | `/groups/:id/members` (also available for projects)                              |

doc/api/invitations.md

+---
+stage: Growth
+group: Expansion
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers
+---
+
+# Invitations API
+
+Use the Invitations API to send email to users you want to join a group or project.
+
+## Valid access levels
+
+To send an invitation, you must have access to the project or group you are sending email for. Valid access
+levels are defined in the `Gitlab::Access` module. Currently, these levels are valid:
+
+- No access (`0`)
+- Guest (`10`)
+- Reporter (`20`)
+- Developer (`30`)
+- Maintainer (`40`)
+- Owner (`50`) - Only valid to set for groups
+
+CAUTION: **Caution:**
+Due to [an issue](https://gitlab.com/gitlab-org/gitlab/-/issues/219299),
+projects in personal namespaces will not show owner (`50`) permission.
+
+## Invite by email to group or project
+
+Invites a new user by email to join a group or project.
+
+```plaintext
+POST /groups/:id/invitations
+POST /projects/:id/invitations
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id`      | integer/string | yes | The ID or [URL-encoded path of the project or group](README.md#namespaced-path-encoding) owned by the authenticated user |
+| `email` | integer/string | yes | The email of the new member or multiple emails separated by commas |
+| `access_level` | integer | yes | A valid access level |
+| `expires_at` | string | no | A date string in the format YEAR-MONTH-DAY |
+
+```shell
+curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" --data "email=test@example.com&access_level=30" "https://gitlab.example.com/api/v4/groups/:id/invitations"
+curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" --data "email=test@example.com&access_level=30" "https://gitlab.example.com/api/v4/projects/:id/invitations"
+```
+
+Example responses:
+
+When all emails were successfully sent:
+
+```json
+{  "status":  "success"  }
+```
+
+When there was any error sending the email:
+
+```json
+{
+  "status": "error",
+  "message": {
+               "test@example.com": "Already invited",
+               "test2@example.com": "Member already exsists"
+             }
+}
+```

doc/development/api_styleguide.md

@@ -207,6 +207,12 @@ guide on how you can add a new custom validator.
   checks if the value of the given parameter is either an `Array`, `None`, or `Any`.
   It allows only either of these mentioned values to move forward in the request.
 
+- `EmailOrEmailList`:
+
+  The [`EmailOrEmailList` validator](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/api/validations/validators/email_or_email_list.rb)
+  checks if the value of a string or a list of strings contains only valid
+  email addresses. It allows only lists with all valid email addresses to move forward in the request.
+
 ### Adding a new custom validator
 
 Custom validators are a great way to validate parameters before sending

lib/api/api.rb

@@ -186,6 +186,7 @@ module API
       mount ::API::ImportBitbucketServer
       mount ::API::ImportGithub
       mount ::API::IssueLinks
+      mount ::API::Invitations
       mount ::API::Issues
       mount ::API::JobArtifacts
       mount ::API::Jobs

lib/api/entities/invitation.rb

+# frozen_string_literal: true
+
+module API
+  module Entities
+    class Invitation < Grape::Entity
+      expose :access_level
+      expose :requested_at
+      expose :expires_at
+      expose :invite_email
+      expose :invite_token
+      expose :user_id
+    end
+  end
+end

lib/api/invitations.rb

+# frozen_string_literal: true
+
+module API
+  class Invitations < ::API::Base
+    feature_category :users
+
+    before { authenticate! }
+
+    helpers ::API::Helpers::MembersHelpers
+
+    %w[group project].each do |source_type|
+      params do
+        requires :id, type: String, desc: "The #{source_type} ID"
+      end
+      resource source_type.pluralize, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
+        desc 'Invite non-members by email address to a group or project.' do
+          detail 'This feature was introduced in GitLab 13.6'
+          success Entities::Invitation
+        end
+        params do
+          requires :email, types: [String, Array[String]], email_or_email_list: true, desc: 'The email address to invite, or multiple emails separated by comma'
+          requires :access_level, type: Integer, values: Gitlab::Access.all_values, desc: 'A valid access level (defaults: `30`, developer access level)'
+          optional :expires_at, type: DateTime, desc: 'Date string in the format YEAR-MONTH-DAY'
+        end
+        post ":id/invitations" do
+          source = find_source(source_type, params[:id])
+
+          authorize_admin_source!(source_type, source)
+
+          ::Members::InviteService.new(current_user, params).execute(source)
+        end
+      end
+    end
+  end
+end

lib/api/validations/validators/email_or_email_list.rb

+# frozen_string_literal: true
+
+module API
+  module Validations
+    module Validators
+      class EmailOrEmailList < Grape::Validations::Base
+        def validate_param!(attr_name, params)
+          value = params[attr_name]
+
+          return unless value
+
+          return if value.split(',').map { |v| ValidateEmail.valid?(v) }.all?
+
+          raise Grape::Exceptions::Validation,
+            params: [@scope.full_name(attr_name)],
+            message: "contains an invalid email address"
+        end
+      end
+    end
+  end
+end

locale/gitlab.pot

@@ -9866,6 +9866,9 @@ msgstr ""
 msgid "Email Notification"
 msgstr ""
 
+msgid "Email cannot be blank"
+msgstr ""
+
 msgid "Email could not be sent"
 msgstr ""
 
@@ -28202,6 +28205,9 @@ msgstr ""
 msgid "Too many projects enabled. You will need to manage them via the console or the API."
 msgstr ""
 
+msgid "Too many users specified (limit is %{user_limit})"
+msgstr ""
+
 msgid "Too much data"
 msgstr ""
 

spec/graphql/types/group_invitation_type_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Types::GroupInvitationType do
+  specify { expect(described_class).to expose_permissions_using(Types::PermissionTypes::Group) }
+
+  specify { expect(described_class.graphql_name).to eq('GroupInvitation') }
+
+  specify { expect(described_class).to require_graphql_authorizations(:read_group) }
+
+  it 'has the expected fields' do
+    expected_fields = %w[
+      email access_level created_by created_at updated_at expires_at group
+    ]
+
+    expect(described_class).to include_graphql_fields(*expected_fields)
+  end
+end

spec/graphql/types/invitation_interface_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Types::InvitationInterface do
+  it 'exposes the expected fields' do
+    expected_fields = %i[
+      email
+      access_level
+      created_by
+      created_at
+      updated_at
+      expires_at
+      user
+    ]
+
+    expect(described_class).to have_graphql_fields(*expected_fields)
+  end
+
+  describe '.resolve_type' do
+    subject { described_class.resolve_type(object, {}) }
+
+    context 'for project member' do
+      let(:object) { build(:project_member) }
+
+      it { is_expected.to be Types::ProjectInvitationType }
+    end
+
+    context 'for group member' do
+      let(:object) { build(:group_member) }
+
+      it { is_expected.to be Types::GroupInvitationType }
+    end
+
+    context 'for an unknown type' do
+      let(:object) { build(:user) }
+
+      it 'raises an error' do
+        expect { subject }.to raise_error(Gitlab::Graphql::Errors::BaseError)
+      end
+    end
+  end
+end

spec/graphql/types/project_invitation_type_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Types::ProjectInvitationType do
+  specify { expect(described_class).to expose_permissions_using(Types::PermissionTypes::Project) }
+
+  specify { expect(described_class.graphql_name).to eq('ProjectInvitation') }
+
+  specify { expect(described_class).to require_graphql_authorizations(:read_project) }
+
+  it 'has the expected fields' do
+    expected_fields = %w[
+      access_level created_by created_at updated_at expires_at project user
+    ]
+
+    expect(described_class).to include_graphql_fields(*expected_fields)
+  end
+end

spec/lib/api/validations/validators/email_or_email_list_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe API::Validations::Validators::EmailOrEmailList do
+  include ApiValidatorsHelpers
+
+  subject do
+    described_class.new(['email'], {}, false, scope.new)
+  end
+
+  context 'with valid email addresses' do
+    it 'does not raise a validation error' do
+      expect_no_validation_error('test' => 'test@example.org')
+      expect_no_validation_error('test' => 'test1@example.com,test2@example.org')
+      expect_no_validation_error('test' => 'test1@example.com,test2@example.org,test3@example.co.uk')
+    end
+  end
+
+  context 'including any invalid email address' do
+    it 'raises a validation error' do
+      expect_validation_error('test' => 'not')
+      expect_validation_error('test' => '@example.com')
+      expect_validation_error('test' => 'test1@example.com,asdf')
+      expect_validation_error('test' => 'asdf,testa1@example.com,asdf')
+    end
+  end
+end

spec/requests/api/invitations_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe API::Invitations do
+  let(:maintainer) { create(:user, username: 'maintainer_user') }
+  let(:developer) { create(:user) }
+  let(:access_requester) { create(:user) }
+  let(:stranger) { create(:user) }
+  let(:email) { 'email@example.org' }
+
+  let(:project) do
+    create(:project, :public, creator_id: maintainer.id, namespace: maintainer.namespace) do |project|
+      project.add_developer(developer)
+      project.add_maintainer(maintainer)
+      project.request_access(access_requester)
+    end
+  end
+
+  let!(:group) do
+    create(:group, :public) do |group|
+      group.add_developer(developer)
+      group.add_owner(maintainer)
+      group.request_access(access_requester)
+    end
+  end
+
+  def invitations_url(source, user)
+    api("/#{source.model_name.plural}/#{source.id}/invitations", user)
+  end
+
+  shared_examples 'POST /:source_type/:id/invitations' do |source_type|
+    context "with :source_type == #{source_type.pluralize}" do
+      it_behaves_like 'a 404 response when source is private' do
+        let(:route) do
+          post invitations_url(source, stranger),
+               params: { email: email, access_level: Member::MAINTAINER }
+        end
+      end
+
+      context 'when authenticated as a non-member or member with insufficient rights' do
+        %i[access_requester stranger developer].each do |type|
+          context "as a #{type}" do
+            it 'returns 403' do
+              user = public_send(type)
+
+              post invitations_url(source, user), params: { email: email, access_level: Member::MAINTAINER }
+
+              expect(response).to have_gitlab_http_status(:forbidden)
+            end
+          end
+        end
+      end
+
+      context 'when authenticated as a maintainer/owner' do
+        context 'and new member is already a requester' do
+          it 'does not transform the requester into a proper member' do
+            expect do
+              post api("/#{source_type.pluralize}/#{source.id}/invitations", maintainer),
+                   params: { email: email, access_level: Member::MAINTAINER }
+
+              expect(response).to have_gitlab_http_status(:created)
+            end.not_to change { source.members.count }
+          end
+        end
+
+        it 'invites a new member' do
+          expect do
+            post api("/#{source_type.pluralize}/#{source.id}/invitations", maintainer),
+                 params: { email: email, access_level: Member::DEVELOPER }
+
+            expect(response).to have_gitlab_http_status(:created)
+          end.to change { source.requesters.count }.by(1)
+        end
+
+        it 'invites a list of new email addresses' do
+          expect do
+            email_list = 'email1@example.com,email2@example.com'
+
+            post api("/#{source_type.pluralize}/#{source.id}/invitations", maintainer),
+                 params: { email: email_list, access_level: Member::DEVELOPER }
+
+            expect(response).to have_gitlab_http_status(:created)
+          end.to change { source.requesters.count }.by(2)
+        end
+      end
+
+      context 'access levels' do
+        it 'does not create the member if group level is higher' do
+          parent = create(:group)
+
+          group.update!(parent: parent)
+          project.update!(group: group)
+          parent.add_developer(stranger)
+
+          post api("/#{source_type.pluralize}/#{source.id}/invitations", maintainer),
+               params: { email: stranger.email, access_level: Member::REPORTER }
+
+          expect(response).to have_gitlab_http_status(:created)
+          expect(json_response['message'][stranger.email]).to eq("Access level should be greater than or equal to Developer inherited membership from group #{parent.name}")
+        end
+
+        it 'creates the member if group level is lower' do
+          parent = create(:group)
+
+          group.update!(parent: parent)
+          project.update!(group: group)
+          parent.add_developer(stranger)
+
+          post api("/#{source_type.pluralize}/#{source.id}/invitations", maintainer),
+               params: { email: stranger.email, access_level: Member::MAINTAINER }
+
+          expect(response).to have_gitlab_http_status(:created)
+        end
+      end
+
+      context 'access expiry date' do
+        subject do
+          post api("/#{source_type.pluralize}/#{source.id}/invitations", maintainer),
+               params: { email: email, access_level: Member::DEVELOPER, expires_at: expires_at }
+        end
+
+        context 'when set to a date in the past' do
+          let(:expires_at) { 2.days.ago.to_date }
+
+          it 'does not create a member' do
+            expect do
+              subject
+            end.not_to change { source.members.count }
+
+            expect(response).to have_gitlab_http_status(:created)
+            expect(json_response['message'][email]).to eq('Expires at cannot be a date in the past')
+          end
+        end
+
+        context 'when set to a date in the future' do
+          let(:expires_at) { 2.days.from_now.to_date }
+
+          it 'invites a member' do
+            expect do
+              subject
+            end.to change { source.requesters.count }.by(1)
+
+            expect(response).to have_gitlab_http_status(:created)
+          end
+        end
+      end
+
+      it "returns a message if member already exists" do
+        post api("/#{source_type.pluralize}/#{source.id}/invitations", maintainer),
+             params: { email: maintainer.email, access_level: Member::MAINTAINER }
+
+        expect(response).to have_gitlab_http_status(:created)
+        expect(json_response['message'][maintainer.email]).to eq("Already a member of #{source.name}")
+      end
+
+      it 'returns 404 when the email is not valid' do
+        post api("/#{source_type.pluralize}/#{source.id}/invitations", maintainer),
+             params: { email: '', access_level: Member::MAINTAINER }
+
+        expect(response).to have_gitlab_http_status(:created)
+        expect(json_response['message']).to eq('Email cannot be blank')
+      end
+
+      it 'returns 404 when the email list is not a valid format' do
+        post api("/#{source_type.pluralize}/#{source.id}/invitations", maintainer),
+             params: { email: 'email1@example.com,not-an-email', access_level: Member::MAINTAINER }
+
+        expect(response).to have_gitlab_http_status(:bad_request)
+        expect(json_response['error']).to eq('email contains an invalid email address')
+      end
+
+      it 'returns 400 when email is not given' do
+        post api("/#{source_type.pluralize}/#{source.id}/invitations", maintainer),
+             params: { access_level: Member::MAINTAINER }
+
+        expect(response).to have_gitlab_http_status(:bad_request)
+      end
+
+      it 'returns 400 when access_level is not given' do
+        post api("/#{source_type.pluralize}/#{source.id}/invitations", maintainer),
+             params: { email: email }
+
+        expect(response).to have_gitlab_http_status(:bad_request)
+      end
+
+      it 'returns 400 when access_level is not valid' do
+        post invitations_url(source, maintainer),
+             params: { email: email, access_level: non_existing_record_access_level }
+
+        expect(response).to have_gitlab_http_status(:bad_request)
+      end
+    end
+  end
+
+  describe 'POST /projects/:id/invitations' do
+    it_behaves_like 'POST /:source_type/:id/invitations', 'project' do
+      let(:source) { project }
+    end
+  end
+
+  describe 'POST /groups/:id/invitations' do
+    it_behaves_like 'POST /:source_type/:id/invitations', 'group' do
+      let(:source) { group }
+    end
+  end
+end

spec/services/members/invite_service_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Members::InviteService do
+  let(:project) { create(:project) }
+  let(:user) { create(:user) }
+  let(:project_user) { create(:user) }
+
+  before do
+    project.add_maintainer(user)
+  end
+
+  it 'adds an existing user to members' do
+    params = { email: project_user.email.to_s, access_level: Gitlab::Access::GUEST }
+    result = described_class.new(user, params).execute(project)
+
+    expect(result[:status]).to eq(:success)
+    expect(project.users).to include project_user
+  end
+
+  it 'creates a new user for an unknown email address' do
+    params = { email: 'email@example.org', access_level: Gitlab::Access::GUEST }
+    result = described_class.new(user, params).execute(project)
+
+    expect(result[:status]).to eq(:success)
+  end
+
+  it 'limits the number of emails to 100' do
+    emails = Array.new(101).map { |n| "email#{n}@example.com" }
+    params = { email: emails, access_level: Gitlab::Access::GUEST }
+
+    result = described_class.new(user, params).execute(project)
+
+    expect(result[:status]).to eq(:error)
+    expect(result[:message]).to eq('Too many users specified (limit is 100)')
+  end
+
+  it 'does not invite an invalid email' do
+    params = { email: project_user.id.to_s, access_level: Gitlab::Access::GUEST }
+    result = described_class.new(user, params).execute(project)
+
+    expect(result[:status]).to eq(:error)
+    expect(result[:message][project_user.id.to_s]).to eq("Invite email is invalid")
+    expect(project.users).not_to include project_user
+  end
+
+  it 'does not invite to an invalid access level' do
+    params = { email: project_user.email, access_level: -1 }
+    result = described_class.new(user, params).execute(project)
+
+    expect(result[:status]).to eq(:error)
+    expect(result[:message][project_user.email]).to eq("Access level is not included in the list")
+  end
+
+  it 'does not add a member with an existing invite' do
+    invited_member = create(:project_member, :invited, project: project)
+
+    params = { email: invited_member.invite_email,
+               access_level: Gitlab::Access::GUEST }
+    result = described_class.new(user, params).execute(project)
+
+    expect(result[:status]).to eq(:error)
+    expect(result[:message][invited_member.invite_email]).to eq("Member already invited to #{project.name}")
+  end
+end