'use strict';
var async = require('async'),
winston = require('winston'),
_ = require('underscore'),
crypto = require('crypto'),
path = require('path'),
nconf = require('nconf'),
fs = require('fs'),
validator = require('validator'),
user = require('./user'),
meta = require('./meta'),
db = require('./database'),
plugins = require('./plugins'),
posts = require('./posts'),
privileges = require('./privileges'),
utils = require('../public/src/utils'),
util = require('util'),
uploadsController = require('./controllers/uploads');
(function(Groups) {
var ephemeralGroups = ['guests'],
internals = {
filterGroups: function(groups, options) {
// Remove system, hidden, or deleted groups from this list
if (groups && !options.showAllGroups) {
return groups.filter(function (group) {
if (!group) {
return false;
if (group.deleted || (group.hidden && !(group.system || group.isMember || options.isAdmin || group.isInvited)) || (!options.showSystemGroups && group.system)) {
return false;
} else if (options.removeEphemeralGroups && ephemeralGroups.indexOf(group.name) !== -1) {
return false;
} else {
return true;
} else {
return groups;
getEphemeralGroup: function(groupName) {
return {
name: groupName,
slug: utils.slugify(groupName),
description: '',
deleted: '0',
hidden: '0',
system: '1'
removeEphemeralGroups: function(groups) {
var x = groups.length;
while(x--) {
if (ephemeralGroups.indexOf(groups[x]) !== -1) {
groups.splice(x, 1);
return groups;
var isPrivilegeGroupRegex = /^cid:\d+:privileges:[\w:]+$/;
Groups.isPrivilegeGroup = function(groupName) {
return isPrivilegeGroupRegex.test(groupName);
Groups.getEphemeralGroups = function() {
return ephemeralGroups;
Groups.list = function(options, callback) {
db.getSortedSetRevRange('groups:createtime', 0, -1, function (err, groupNames) {
if (err) {
return callback(err);
groupNames = groupNames.filter(function(groupName) {
return groupName && groupName.indexOf(':privileges:') === -1 && groupName !== 'registered-users' && groupName !== 'guests';
groups: async.apply(async.map, groupNames, function (groupName, next) {
Groups.get(groupName, options, next);
isAdmin: function(next) {
if (!options.uid || parseInt(options.uid, 10) === 0) { return next(null, false); }
user.isAdministrator(parseInt(options.uid, 10), next);
}, function (err, data) {
options.isAdmin = options.isAdmin || data.isAdmin;
callback(err, internals.filterGroups(data.groups, options));
Groups.getGroups = function(start, stop, callback) {
db.getSortedSetRevRange('groups:createtime', start, stop, callback);
Groups.get = function(groupName, options, callback) {
var truncated = false,
base: function (next) {
if (ephemeralGroups.indexOf(groupName) === -1) {
db.getObject('group:' + groupName, next);
} else {
next(null, internals.getEphemeralGroup(groupName));
users: function (next) {
db.getSortedSetRevRange('group:' + groupName + ':members', 0, -1, function (err, uids) {
if (err) {
return next(err);
uids = uids.filter(function(uid) {
return uid && parseInt(uid, 10);
if (options.truncateUserList) {
var userListCount = parseInt(options.userListCount, 10) || 4;
if (uids.length > userListCount) {
numUsers = uids.length;
uids.length = userListCount;
truncated = true;
if (options.expand) {
async.apply(user.getUsers, uids, options.uid || 0),
function(users, next) {
// Filter out non-matches
users = users.filter(Boolean);
async.mapLimit(users, 10, function(userObj, next) {
Groups.ownership.isOwner(userObj.uid, groupName, function(err, isOwner) {
if (err) {
winston.warn('[groups.get] Could not determine ownership in group `' + groupName + '` for uid `' + userObj.uid + '`: ' + err.message);
return next(null, userObj);
userObj.isOwner = isOwner;
next(null, userObj);
}, function(err, users) {
if (err) {
return next();
next(null, users.sort(function(a, b) {
if (a.isOwner === b.isOwner) {
return 0;
} else {
return a.isOwner && !b.isOwner ? -1 : 1;
], next);
} else {
next(err, uids);
pending: function (next) {
db.getSetMembers('group:' + groupName + ':pending', function (err, uids) {
if (err) {
return next(err);
if (options.expand && uids.length) {
async.map(uids, user.getUserData, next);
} else {
next(err, uids);
isMember: function(next) {
// Retrieve group membership state, if uid is passed in
if (!options.uid) {
return next();
Groups.isMember(options.uid, groupName, function(err, isMember) {
if (err) {
winston.warn('[groups.get] Could not determine membership in group `' + groupName + '` for uid `' + options.uid + '`: ' + err.message);
return next();
next(null, isMember);
isPending: function(next) {
// Retrieve group membership state, if uid is passed in
if (!options.uid) {
return next();
db.isSetMember('group:' + groupName + ':pending', options.uid, next);
isInvited: async.apply(Groups.isInvited, options.uid, groupName),
isOwner: function(next) {
// Retrieve group ownership state, if uid is passed in
if (!options.uid) {
return next();
Groups.ownership.isOwner(options.uid, groupName, function(err, isOwner) {
if (err) {
winston.warn('[groups.get] Could not determine ownership in group `' + groupName + '` for uid `' + options.uid + '`: ' + err.message);
return next();
next(null, isOwner);
}, function (err, results) {
if (err) {
return callback(err);
} else if (!results.base) {
return callback(new Error('[[error:no-group]]'));
// Default image
if (!results.base['cover:url']) {
results.base['cover:url'] = nconf.get('relative_path') + '/images/cover-default.png';
results.base['cover:position'] = '50% 50%';
plugins.fireHook('filter:parse.raw', results.base.description, function(err, descriptionParsed) {
if (err) {
return callback(err);
results.base.name = !options.unescape ? validator.escape(results.base.name) : results.base.name;
results.base.description = !options.unescape ? validator.escape(results.base.description) : results.base.description;
results.base.descriptionParsed = descriptionParsed;
results.base.userTitle = !options.unescape ? validator.escape(results.base.userTitle) : results.base.userTitle;
results.base.userTitleEnabled = results.base.userTitleEnabled ? !!parseInt(results.base.userTitleEnabled, 10) : true;
results.base.createtimeISO = utils.toISOString(results.base.createtime);
results.base.members = results.users.filter(Boolean);
results.base.pending = results.pending.filter(Boolean);
results.base.count = numUsers || results.base.members.length;
results.base.memberCount = numUsers || results.base.members.length;
results.base.deleted = !!parseInt(results.base.deleted, 10);
results.base.hidden = !!parseInt(results.base.hidden, 10);
results.base.system = !!parseInt(results.base.system, 10);
results.base.private = results.base.private ? !!parseInt(results.base.private, 10) : true;
results.base.deletable = !results.base.system;
results.base.truncated = truncated;
results.base.isMember = results.isMember;
results.base.isPending = results.isPending;
results.base.isInvited = results.isInvited;
results.base.isOwner = results.isOwner;
plugins.fireHook('filter:group.get', {group: results.base}, function(err, data) {
callback(err, data ? data.group : null);
Groups.getByGroupslug = function(slug, options, callback) {
db.getObjectField('groupslug:groupname', slug, function(err, groupName) {
if (err) {
return callback(err);
} else if (!groupName) {
return callback(new Error('[[error:no-group]]'));
Groups.get.call(Groups, groupName, options, callback);
Groups.getGroupNameByGroupSlug = function(slug, callback) {
db.getObjectField('groupslug:groupname', slug, callback);
Groups.getGroupFields = function(groupName, fields, callback) {
Groups.getMultipleGroupFields([groupName], fields, function(err, groups) {
callback(err, groups ? groups[0] : null);
Groups.getMultipleGroupFields = function(groups, fields, callback) {
db.getObjectsFields(groups.map(function(group) {
return 'group:' + group;
}), fields, callback);
Groups.setGroupField = function(groupName, field, value, callback) {
plugins.fireHook('action:group.set', {field: field, value: value, type: 'set'});
db.setObjectField('group:' + groupName, field, value, callback);
Groups.isPrivate = function(groupName, callback) {
db.getObjectField('group:' + groupName, 'private', function(err, isPrivate) {
isPrivate = isPrivate || isPrivate === null;
if (typeof isPrivate === 'string') {
isPrivate = (isPrivate === '0' ? false : true);
callback(err, isPrivate); // Private, if not set at all
Groups.isHidden = function(groupName, callback) {
Groups.getGroupFields(groupName, ['hidden'], function(err, values) {
if (err) {
winston.warn('[groups.isHidden] Could not determine group hidden state (group: ' + groupName + ')');
return callback(null, true); // Default true
callback(null, parseInt(values.hidden, 10));
Groups.getMembers = function(groupName, start, stop, callback) {
db.getSortedSetRevRange('group:' + groupName + ':members', start, stop, callback);
Groups.getMembersOfGroups = function(groupNames, callback) {
db.getSortedSetsMembers(groupNames.map(function(name) {
return 'group:' + name + ':members';
}), callback);
Groups.isMember = function(uid, groupName, callback) {
if (!uid || parseInt(uid, 10) <= 0) {
return callback(null, false);
db.isSortedSetMember('group:' + groupName + ':members', uid, callback);
Groups.isMembers = function(uids, groupName, callback) {
db.isSortedSetMembers('group:' + groupName + ':members', uids, callback);
Groups.isMemberOfGroups = function(uid, groups, callback) {
if (!uid || parseInt(uid, 10) <= 0) {
return callback(null, groups.map(function() {return false;}));
groups = groups.map(function(groupName) {
return 'group:' + groupName + ':members';
db.isMemberOfSortedSets(groups, uid, callback);
Groups.getMemberCount = function(groupName, callback) {
db.getObjectField('group:' + groupName, 'memberCount', callback);
Groups.isMemberOfGroupList = function(uid, groupListKey, callback) {
db.getSortedSetRange('group:' + groupListKey + ':members', 0, -1, function(err, groupNames) {
if (err) {
return callback(err);
groupNames = internals.removeEphemeralGroups(groupNames);
if (groupNames.length === 0) {
return callback(null, false);
Groups.isMemberOfGroups(uid, groupNames, function(err, isMembers) {
if (err) {
return callback(err);
callback(null, isMembers.indexOf(true) !== -1);
Groups.isMemberOfGroupsList = function(uid, groupListKeys, callback) {
var sets = groupListKeys.map(function(groupName) {
return 'group:' + groupName + ':members';
db.getSortedSetsMembers(sets, function(err, members) {
if (err) {
return callback(err);
var uniqueGroups = _.unique(_.flatten(members));
uniqueGroups = internals.removeEphemeralGroups(uniqueGroups);
Groups.isMemberOfGroups(uid, uniqueGroups, function(err, isMembers) {
if (err) {
return callback(err);
var map = {};
uniqueGroups.forEach(function(groupName, index) {
map[groupName] = isMembers[index];
var result = members.map(function(groupNames) {
for (var i=0; i<groupNames.length; ++i) {
if (map[groupNames[i]]) {
return true;
return false;
callback(null, result);
Groups.isMembersOfGroupList = function(uids, groupListKey, callback) {
db.getSortedSetRange('group:' + groupListKey + ':members', 0, -1, function(err, groupNames) {
if (err) {
return callback(err);
var results = [];
uids.forEach(function() {
groupNames = internals.removeEphemeralGroups(groupNames);
if (groupNames.length === 0) {
return callback(null, results);
async.each(groupNames, function(groupName, next) {
Groups.isMembers(uids, groupName, function(err, isMembers) {
if (err) {
return next(err);
results.forEach(function(isMember, index) {
if (!isMember && isMembers[index]) {
results[index] = true;
}, function(err) {
callback(err, results);
Groups.isInvited = function(uid, groupName, callback) {
if (!uid) { return callback(null, false); }
db.isSetMember('group:' + groupName + ':invited', uid, callback);
Groups.exists = function(name, callback) {
if (Array.isArray(name)) {
var slugs = name.map(function(groupName) {
return utils.slugify(groupName);
function(next) {
callback(null, slugs.map(function(slug) {
return ephemeralGroups.indexOf(slug) !== -1;
async.apply(db.isSortedSetMembers, 'groups:createtime', name)
], function(err, results) {
if (err) {
return callback(err);
callback(null, results.map(function(result) {
return result[0] || result[1];
} else {
var slug = utils.slugify(name);
function(next) {
next(null, ephemeralGroups.indexOf(slug) !== -1);
async.apply(db.isSortedSetMember, 'groups:createtime', name)
], function(err, results) {
callback(err, !err ? (results[0] || results[1]) : null);
Groups.existsBySlug = function(slug, callback) {
if (Array.isArray(slug)) {
db.isObjectFields('groupslug:groupName', slug, callback);
} else {
db.isObjectField('groupslug:groupname', slug, callback);
Groups.hide = function(groupName, callback) {
callback = callback || function() {};
db.setObjectField('group:' + groupName, 'hidden', 1, callback);
Groups.join = function(groupName, uid, callback) {
function join() {
var tasks = [
async.apply(db.sortedSetAdd, 'group:' + groupName + ':members', Date.now(), uid),
async.apply(db.incrObjectField, 'group:' + groupName, 'memberCount')
function(next) {
user.isAdministrator(uid, next);
function(isAdmin, next) {
if (isAdmin) {
tasks.push(async.apply(db.setAdd, 'group:' + groupName + ':owners', uid));
async.parallel(tasks, next);
function(results, next) {
user.setGroupTitle(groupName, uid, next);
function(next) {
plugins.fireHook('action:group.join', {
groupName: groupName,
uid: uid
], callback);
callback = callback || function() {};
Groups.exists(groupName, function(err, exists) {
if (err) {
return callback(err);
if (exists) {
return join();
name: groupName,
description: '',
hidden: 1
}, function(err) {
if (err && err.message !== '[[error:group-already-exists]]') {
winston.error('[groups.join] Could not create new hidden group: ' + err.message);
return callback(err);
Groups.requestMembership = function(groupName, uid, callback) {
exists: async.apply(Groups.exists, groupName),
isMember: async.apply(Groups.isMember, uid, groupName)
}, function(err, checks) {
if (!checks.exists) {
return callback(new Error('[[error:no-group]]'));
} else if (checks.isMember) {
return callback(new Error('[[error:group-already-member]]'));
if (parseInt(uid, 10) > 0) {
db.setAdd('group:' + groupName + ':pending', uid, callback);
plugins.fireHook('action:group.requestMembership', {
groupName: groupName,
uid: uid
} else {
callback(new Error('[[error:not-logged-in]]'));
Groups.acceptMembership = function(groupName, uid, callback) {
// Note: For simplicity, this method intentially doesn't check the caller uid for ownership!
async.apply(db.setRemove, 'group:' + groupName + ':pending', uid),
async.apply(db.setRemove, 'group:' + groupName + ':invited', uid),
async.apply(Groups.join, groupName, uid)
], callback);
Groups.rejectMembership = function(groupName, uid, callback) {
// Note: For simplicity, this method intentially doesn't check the caller uid for ownership!
async.apply(db.setRemove, 'group:' + groupName + ':pending', uid),
async.apply(db.setRemove, 'group:' + groupName + ':invited', uid)
], callback);
Groups.invite = function(groupName, uid, callback) {
exists: async.apply(Groups.exists, groupName),
isMember: async.apply(Groups.isMember, uid, groupName)
}, function(err, checks) {
if (!checks.exists) {
return callback(new Error('[[error:no-group]]'));
} else if (checks.isMember) {
return callback(new Error('[[error:group-already-member]]'));
if (parseInt(uid, 10) > 0) {
db.setAdd('group:' + groupName + ':invited', uid, callback);
plugins.fireHook('action:group.inviteMember', {
groupName: groupName,
uid: uid
} else {
callback(new Error('[[error:not-logged-in]]'));
Groups.leave = function(groupName, uid, callback) {
callback = callback || function() {};
var tasks = [
async.apply(db.sortedSetRemove, 'group:' + groupName + ':members', uid),
async.apply(db.setRemove, 'group:' + groupName + ':owners', uid),
async.apply(db.decrObjectField, 'group:' + groupName, 'memberCount')
async.parallel(tasks, function(err) {
if (err) {
return callback(err);
plugins.fireHook('action:group.leave', {
groupName: groupName,
uid: uid
Groups.getGroupFields(groupName, ['hidden', 'memberCount'], function(err, groupData) {
if (err || !groupData) {
return callback(err);
if (parseInt(groupData.hidden, 10) === 1 && parseInt(groupData.memberCount, 10) === 0) {
Groups.destroy(groupName, callback);
} else {
Groups.leaveAllGroups = function(uid, callback) {
db.getSortedSetRange('groups:createtime', 0, -1, function(err, groups) {
if (err) {
return callback(err);
async.each(groups, function(groupName, next) {
Groups.isMember(uid, groupName, function(err, isMember) {
if (!err && isMember) {
Groups.leave(groupName, uid, next);
} else {
}, callback);
Groups.getLatestMemberPosts = function(groupName, max, uid, callback) {
async.apply(Groups.getMembers, groupName, 0, -1),
function(uids, next) {
if (!Array.isArray(uids) || !uids.length) {
return callback(null, []);
var keys = uids.map(function(uid) {
return 'uid:' + uid + ':posts';
db.getSortedSetRevUnion(keys, 0, max - 1, next);
function(pids, next) {
privileges.posts.filter('read', pids, uid, next);
function(pids, next) {
posts.getPostSummaryByPids(pids, uid, {stripTags: false}, next);
], callback);
Groups.getGroupsData = function(groupNames, callback) {
if (!Array.isArray(groupNames) || !groupNames.length) {
return callback(null, []);
var keys = groupNames.map(function(groupName) {
return 'group:' + groupName;
db.getObjects(keys, function(err, groupData) {
if (err) {
return callback(err);
groupData = groupData.map(function(group) {
if (group) {
group.userTitle = validator.escape(group.userTitle) || validator.escape(group.name);
group.userTitleEnabled = group.userTitleEnabled ? parseInt(group.userTitleEnabled, 10) === 1 : true;
group.labelColor = group.labelColor || '#000000';
group.createtimeISO = utils.toISOString(group.createtime);
group.hidden = parseInt(group.hidden, 10) === 1;
if (!group['cover:url']) {
group['cover:url'] = nconf.get('relative_path') + '/images/cover-default.png';
group['cover:position'] = '50% 50%';
return group;
plugins.fireHook('filter:groups.get', {groups: groupData}, function(err, data) {
callback(err, data ? data.groups : null);
Groups.getUserGroups = function(uids, callback) {
db.getSortedSetRevRange('groups:createtime', 0, -1, function(err, groupNames) {
if (err) {
return callback(err);
groupNames = groupNames.filter(function(groupName) {
return groupName !== 'registered-users' && groupName.indexOf(':privileges:') === -1;
Groups.getMultipleGroupFields(groupNames, ['name', 'hidden'], function(err, groupData) {
if (err) {
return callback(err);
groupData = groupData.filter(function(group) {
return group && !parseInt(group.hidden, 10);
var groupSets = groupData.map(function(group) {
return 'group:' + group.name + ':members';
async.map(uids, function(uid, next) {
db.isMemberOfSortedSets(groupSets, uid, function(err, isMembers) {
if (err) {
return next(err);
var memberOf = [];
isMembers.forEach(function(isMember, index) {
if (isMember) {
Groups.getGroupsData(memberOf, next);
}, callback);
Groups.updateCoverPosition = function(groupName, position, callback) {
Groups.setGroupField(groupName, 'cover:position', position, callback);
Groups.updateCover = function(data, callback) {
var tempPath, md5sum, url;
// Position only? That's fine
if (!data.imageData && data.position) {
return Groups.updateCoverPosition(data.groupName, data.position, callback);
function(next) {
// Calculate md5sum of image
// This is required because user data can be private
md5sum = crypto.createHash('md5');
md5sum = md5sum.digest('hex');
function(next) {
// Save image
tempPath = path.join(nconf.get('base_dir'), nconf.get('upload_path'), md5sum);
var buffer = new Buffer(data.imageData.slice(data.imageData.indexOf('base64') + 7), 'base64');
fs.writeFile(tempPath, buffer, {
encoding: 'base64'
}, next);
function(next) {
path: tempPath
}, function(err, uploadData) {
if (err) {
return next(err);
url = uploadData.url;
function(next) {
Groups.setGroupField(data.groupName, 'cover:url', url, next);
function(next) {
fs.unlink(tempPath, next); // Delete temporary file
], function(err) {
if (err) {
return callback(err);
Groups.updateCoverPosition(data.groupName, data.position, callback);
Groups.ownership = {};
Groups.ownership.isOwner = function(uid, groupName, callback) {
// Note: All admins automatically become owners upon joining
db.isSetMember('group:' + groupName + ':owners', uid, callback);
Groups.ownership.grant = function(toUid, groupName, callback) {
// Note: No ownership checking is done here on purpose!
db.setAdd('group:' + groupName + ':owners', toUid, callback);
Groups.ownership.rescind = function(toUid, groupName, callback) {
// Note: No ownership checking is done here on purpose!
// If the owners set only contains one member, error out!
db.setCount('group:' + groupName + ':owners', function(err, numOwners) {
if (numOwners <= 1) {
return callback(new Error('[[error:group-needs-owner]]'));
db.setRemove('group:' + groupName + ':owners', toUid, callback);
Groups.search = function(query, options, callback) {
if (!query) {
return callback(null, []);
query = query.toLowerCase();
async.apply(db.getObjectValues, 'groupslug:groupname'),
function(groupNames, next) {
groupNames = groupNames.filter(function(name) {
return name.toLowerCase().indexOf(query) !== -1 && name !== 'administrators';
groupNames = groupNames.slice(0, 100);
Groups.getGroupsData(groupNames, next);
async.apply(Groups.sort, options.sort)
], callback);
Groups.sort = function(strategy, groups, next) {
switch(strategy) {
case 'count':
groups = groups.sort(function(a, b) {
return a.slug > b.slug;
}).sort(function(a, b) {
return a.memberCount < b.memberCount;
case 'date':
groups = groups.sort(function(a, b) {
return a.createtime < b.createtime;
case 'alpha': // intentional fall-through
groups = groups.sort(function(a, b) {
return a.slug > b.slug ? 1 : -1;
next(null, groups);
Groups.searchMembers = function(data, callback) {
function findUids(query, searchBy, callback) {
if (!query) {
return Groups.getMembers(data.groupName, 0, -1, callback);
query = query.toLowerCase();
function(next) {
Groups.getMembers(data.groupName, 0, -1, next);
function(members, next) {
user.getMultipleUserFields(members, ['uid'].concat([searchBy]), next);
function(users, next) {
var uids = [];
for(var i=0; i<users.length; ++i) {
var field = users[i][searchBy];
if (field.toLowerCase().startsWith(query)) {
next(null, uids);
], callback);
data.findUids = findUids;
user.search(data, callback);