invite: Fix validation of referred_by field.

Previously, we could 500 if an organization administrator scanned
possible PreregistrationUser IDs looking for a valid invitation they
can interact with.

They couldn't do anything, so no security issue, but this fixes that
case to just be a 400 error as it should be.

zerver/lib/actions.py

@@ -4957,6 +4957,10 @@ def do_revoke_multi_use_invite(multiuse_invite: MultiuseInvite) -> None:
     notify_invites_changed(multiuse_invite.referred_by)
 
 def do_resend_user_invite_email(prereg_user: PreregistrationUser) -> int:
+    # These are two structurally for the caller's code path.
+    assert prereg_user.referred_by is not None
+    assert prereg_user.realm is not None
+
     check_invite_limit(prereg_user.referred_by.realm, 1)
 
     prereg_user.invited_at = timezone_now()

zerver/views/invite.py

@@ -109,7 +109,9 @@ def resend_user_invite_email(request: HttpRequest, user_profile: UserProfile,
     except PreregistrationUser.DoesNotExist:
         raise JsonableError(_("No such invitation"))
 
-    if (prereg_user.referred_by.realm != user_profile.realm):
+    # Structurally, any invitation the user can actually access should
+    # have a referred_by set for the user who created it.
+    if prereg_user.referred_by is None or prereg_user.referred_by.realm != user_profile.realm:
         raise JsonableError(_("No such invitation"))
 
     timestamp = do_resend_user_invite_email(prereg_user)