diff --git a/app/controllers/invites_controller.rb b/app/controllers/invites_controller.rb
index 38d6c8d73..8e87c63cf 100644
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@@ -8,9 +8,9 @@ class InvitesController < ApplicationController
   before_action :authenticate_user!
 
   def index
-    authorize :invite, :create?
+    authorize :invite, :index?
 
-    @invites = Invite.where(user: current_user)
+    @invites = invites
     @invite  = Invite.new(expires_in: 1.day.to_i)
   end
 
@@ -23,13 +23,13 @@ class InvitesController < ApplicationController
     if @invite.save
       redirect_to invites_path
     else
-      @invites = Invite.where(user: current_user)
+      @invites = invites
       render :index
     end
   end
 
   def destroy
-    @invite = Invite.where(user: current_user).find(params[:id])
+    @invite = invites.find(params[:id])
     authorize @invite, :destroy?
     @invite.expire!
     redirect_to invites_path
@@ -37,6 +37,10 @@ class InvitesController < ApplicationController
 
   private
 
+  def invites
+    Invite.where(user: current_user)
+  end
+
   def resource_params
     params.require(:invite).permit(:max_uses, :expires_in)
   end
diff --git a/spec/controllers/invites_controller_spec.rb b/spec/controllers/invites_controller_spec.rb
new file mode 100644
index 000000000..c5c6cb651
--- /dev/null
+++ b/spec/controllers/invites_controller_spec.rb
@@ -0,0 +1,67 @@
+require 'rails_helper'
+
+describe InvitesController do
+  render_views
+
+  before do
+    sign_in user
+  end
+
+  describe 'GET #index' do
+    subject { get :index }
+
+    let!(:invite) { Fabricate(:invite, user: user) }
+
+    context 'when user is a staff' do
+      let(:user) { Fabricate(:user, moderator: true, admin: false) }
+
+      it 'renders index page' do
+        expect(subject).to render_template :index
+        expect(assigns(:invites)).to include invite
+        expect(assigns(:invites).count).to eq 1
+      end
+    end
+
+    context 'when user is not a staff' do
+      let(:user) { Fabricate(:user, moderator: false, admin: false) }
+
+      it 'returns 403' do
+        expect(subject).to have_http_status 403
+      end
+    end
+  end
+
+  describe 'POST #create' do
+    subject { post :create, params: { invite: { max_uses: '10', expires_in: 1800 } } }
+
+    context 'when user is an admin' do
+      let(:user) { Fabricate(:user, moderator: false, admin: true) }
+
+      it 'succeeds to create a invite' do
+        expect{ subject }.to change { Invite.count }.by(1)
+        expect(subject).to redirect_to invites_path
+        expect(Invite.last).to have_attributes(user_id: user.id, max_uses: 10)
+      end
+    end
+
+    context 'when user is not an admin' do
+      let(:user) { Fabricate(:user, moderator: true, admin: false) }
+
+      it 'returns 403' do
+        expect(subject).to have_http_status 403
+      end
+    end
+  end
+
+  describe 'DELETE #create' do
+    subject { delete :destroy, params: { id: invite.id } }
+
+    let!(:invite) { Fabricate(:invite, user: user, expires_at: nil) }
+    let(:user) { Fabricate(:user, moderator: false, admin: true) }
+
+    it 'expires invite' do
+      expect(subject).to redirect_to invites_path
+      expect(invite.reload).to be_expired
+    end
+  end
+end