nodebb/src/privileges/topics.js


'use strict';

var async = require('async');

var meta = require('../meta');
var topics = require('../topics');
var user = require('../user');
var helpers = require('./helpers');
var categories = require('../categories');
var plugins = require('../plugins');

module.exports = function(privileges) {

	privileges.topics = {};

	privileges.topics.get = function(tid, uid, callback) {
		var topic;
		async.waterfall([
			async.apply(topics.getTopicFields, tid, ['cid', 'uid', 'locked', 'deleted']),
			function(_topic, next) {
				topic = _topic;
				async.parallel({
					'topics:reply': async.apply(helpers.isUserAllowedTo, 'topics:reply', uid, [topic.cid]),
					'topics:read': async.apply(helpers.isUserAllowedTo, 'topics:read', uid, [topic.cid]),
					'topics:delete': async.apply(helpers.isUserAllowedTo, 'topics:delete', uid, [topic.cid]),
					'posts:edit': async.apply(helpers.isUserAllowedTo, 'posts:edit', uid, [topic.cid]),
					'posts:delete': async.apply(helpers.isUserAllowedTo, 'posts:delete', uid, [topic.cid]),
					read: async.apply(helpers.isUserAllowedTo, 'read', uid, [topic.cid]),
					isOwner: function(next) {
						next(null, !!parseInt(uid, 10) && parseInt(uid, 10) === parseInt(topic.uid, 10));
					},
					isAdministrator: async.apply(user.isAdministrator, uid),
					isModerator: async.apply(user.isModerator, uid, topic.cid),
					disabled: async.apply(categories.getCategoryField, topic.cid, 'disabled')
				}, next);
			}
		], function(err, results) {
			if (err) {
				return callback(err);
			}

			var disabled = parseInt(results.disabled, 10) === 1;
			var locked = parseInt(topic.locked, 10) === 1;
			var deleted = parseInt(topic.deleted, 10) === 1;

			var isAdminOrMod = results.isAdministrator || results.isModerator;
			var editable = isAdminOrMod;
			var deletable = isAdminOrMod || (results.isOwner && results['topics:delete'][0]);

			plugins.fireHook('filter:privileges.topics.get', {
				'topics:reply': (results['topics:reply'][0] && !locked && !deleted) || isAdminOrMod,
				'topics:read': results['topics:read'][0] || isAdminOrMod,
				'topics:delete': (results.isOwner && results['topics:delete'][0]) || isAdminOrMod,
				'posts:edit': (results['posts:edit'][0] && !locked) || isAdminOrMod,
				'posts:delete': (results['posts:delete'][0] && !locked) || isAdminOrMod,
				read: results.read[0] || isAdminOrMod,
				view_thread_tools: editable || deletable,
				editable: editable,
				deletable: deletable,
				view_deleted: isAdminOrMod || results.isOwner,
				isAdminOrMod: isAdminOrMod,
				disabled: disabled,
				tid: tid,
				uid: uid
			}, callback);
		});
	};

	privileges.topics.can = function(privilege, tid, uid, callback) {
		topics.getTopicField(tid, 'cid', function(err, cid) {
			if (err) {
				return callback(err);
			}

			privileges.categories.can(privilege, cid, uid, callback);
		});
	};

	privileges.topics.filterTids = function(privilege, tids, uid, callback) {
		if (!Array.isArray(tids) || !tids.length) {
			return callback(null, []);
		}
		var cids;
		var topicsData;
		async.waterfall([
			function(next) {
				topics.getTopicsFields(tids, ['tid', 'cid', 'deleted'], next);
			},
			function(_topicsData, next) {
				topicsData = _topicsData;
				cids = topicsData.map(function(topic) {
					return topic.cid;
				}).filter(function(cid, index, array) {
					return cid && array.indexOf(cid) === index;
				});

				privileges.categories.getBase(privilege, cids, uid, next);
			},
			function(results, next) {

				var isModOf = {};
				cids = cids.filter(function(cid, index) {
					isModOf[cid] = results.isModerators[index];
					return !results.categories[index].disabled &&
						(results.allowedTo[index] || results.isAdmin || results.isModerators[index]);
				});

				tids = topicsData.filter(function(topic) {
					return cids.indexOf(topic.cid) !== -1 &&
						(parseInt(topic.deleted, 10) !== 1 || results.isAdmin || isModOf[topic.cid]);
				}).map(function(topic) {
					return topic.tid;
				});

				plugins.fireHook('filter:privileges.topics.filter', {
					privilege: privilege,
					uid: uid,
					tids: tids
				}, function(err, data) {
					next(err, data ? data.tids : null);
				});
			}
		], callback);
	};

	privileges.topics.filterUids = function(privilege, tid, uids, callback) {
		if (!Array.isArray(uids) || !uids.length) {
			return callback(null, []);
		}

		uids = uids.filter(function(uid, index, array) {
			return array.indexOf(uid) === index;
		});

		async.waterfall([
			function(next) {
				topics.getTopicFields(tid, ['tid', 'cid', 'deleted'], next);
			},
			function(topicData, next) {
				async.parallel({
					disabled: function(next) {
						categories.getCategoryField(topicData.cid, 'disabled', next);
					},
					allowedTo: function(next) {
						helpers.isUsersAllowedTo(privilege, uids, topicData.cid, next);
					},
					isModerators: function(next) {
						user.isModerator(uids, topicData.cid, next);
					},
					isAdmins: function(next) {
						user.isAdministrator(uids, next);
					}
				}, function(err, results) {
					if (err) {
						return next(err);
					}

					uids = uids.filter(function(uid, index) {
						return parseInt(results.disabled, 10) !== 1 &&
							((results.allowedTo[index] && parseInt(topicData.deleted, 10) !== 1) || results.isAdmins[index] || results.isModerators[index]);
					});

					next(null, uids);
				});
			}
		], callback);
	};

	privileges.topics.canPurge = function(tid, uid, callback) {
		async.waterfall([
			function (next) {
				topics.getTopicField(tid, 'cid', next);
			},
			function (cid, next) {
				async.parallel({
					purge: async.apply(privileges.categories.isUserAllowedTo, 'purge', cid, uid),
					owner: async.apply(topics.isOwner, tid, uid),
					isAdminOrMod: async.apply(privileges.categories.isAdminOrMod, cid, uid)
				}, next);
			},
			function (results, next) {
				next(null, results.isAdminOrMod || (results.purge && results.owner));
			}
		], callback);
	};

	privileges.topics.canDelete = function(tid, uid, callback) {
		var topicData;
		async.waterfall([
			function(next) {
				topics.getTopicFields(tid, ['cid', 'postcount'], next);
			},
			function(_topicData, next) {
				topicData = _topicData;
				async.parallel({
					isModerator: async.apply(user.isModerator, uid, topicData.cid),
					isAdministrator: async.apply(user.isAdministrator, uid),
					isOwner: async.apply(topics.isOwner, tid, uid),
					'topics:delete': async.apply(helpers.isUserAllowedTo, 'topics:delete', uid, [topicData.cid])
				}, next);
			}
		], function(err, results) {
			if (err) {
				return callback(err);
			}

			if (results.isModerator || results.isAdministrator) {
				return callback(null, true);
			}

			var preventTopicDeleteAfterReplies = parseInt(meta.config.preventTopicDeleteAfterReplies, 10) || 0;
			if (preventTopicDeleteAfterReplies && (topicData.postcount - 1) >= preventTopicDeleteAfterReplies) {
				var langKey = preventTopicDeleteAfterReplies > 1 ?
					'[[error:cant-delete-topic-has-replies, ' + meta.config.preventTopicDeleteAfterReplies + ']]':
					'[[error:cant-delete-topic-has-reply]]';
				return callback(new Error(langKey));
			}

			if (!results['topics:delete'][0]) {
				return callback(null, false);
			}

			callback(null, results.isOwner);
		});
	};

	privileges.topics.canEdit = function(tid, uid, callback) {
		privileges.topics.isOwnerOrAdminOrMod(tid, uid, callback);
	};

	privileges.topics.isOwnerOrAdminOrMod = function(tid, uid, callback) {
		helpers.some([
			function(next) {
				topics.isOwner(tid, uid, next);
			},
			function(next) {
				privileges.topics.isAdminOrMod(tid, uid, next);
			}
		], callback);
	};


	privileges.topics.isAdminOrMod = function(tid, uid, callback) {
		helpers.some([
			function(next) {
				topics.getTopicField(tid, 'cid', function(err, cid) {
					if (err) {
						return next(err);
					}
					user.isModerator(uid, cid, next);
				});
			},
			function(next) {
				user.isAdministrator(uid, next);
			}
		], callback);
	};
};
more work on #1518 still needs more work, category is next 11 years ago
			`'use strict';`

closes #4103 9 years ago			`var async = require('async');`
more work on #1518 still needs more work, category is next 11 years ago
partially revert https://github.com/NodeBB/NodeBB/commit/fa9f1ac7fe26462febda07189203365e984a146d extending module.exports instead of overwriting fixes the issue 9 years ago			`var meta = require('../meta');`
			`var topics = require('../topics');`
			`var user = require('../user');`
closes #4103 9 years ago			`var helpers = require('./helpers');`
partially revert https://github.com/NodeBB/NodeBB/commit/fa9f1ac7fe26462febda07189203365e984a146d extending module.exports instead of overwriting fixes the issue 9 years ago			`var categories = require('../categories');`
			`var plugins = require('../plugins');`
more work on #1518 still needs more work, category is next 11 years ago
			`module.exports = function(privileges) {`

			`privileges.topics = {};`

			`privileges.topics.get = function(tid, uid, callback) {`
components 10 years ago			`var topic;`
updating privilege handling to fire two new hooks, filter:privileges.topics.get and filter:category.topics.get 10 years ago			`async.waterfall([`
closes #4631 9 years ago			`async.apply(topics.getTopicFields, tid, ['cid', 'uid', 'locked', 'deleted']),`
components 10 years ago			`function(_topic, next) {`
			`topic = _topic;`
updating privilege handling to fire two new hooks, filter:privileges.topics.get and filter:category.topics.get 10 years ago			`async.parallel({`
one less query in privileges.topics.get 10 years ago			`'topics:reply': async.apply(helpers.isUserAllowedTo, 'topics:reply', uid, [topic.cid]),`
new privilege: Access Topic differentiation between Access Category and Access Topic, ie. allows you to see the category view but not actually enter the topic itself 9 years ago			`'topics:read': async.apply(helpers.isUserAllowedTo, 'topics:read', uid, [topic.cid]),`
Add edit, delete, and topics:delete permissions for users acting on their own posts 9 years ago			`'topics:delete': async.apply(helpers.isUserAllowedTo, 'topics:delete', uid, [topic.cid]),`
see NodeBB/NodeBB#4909 9 years ago			`'posts:edit': async.apply(helpers.isUserAllowedTo, 'posts:edit', uid, [topic.cid]),`
			`'posts:delete': async.apply(helpers.isUserAllowedTo, 'posts:delete', uid, [topic.cid]),`
one less query in privileges.topics.get 10 years ago			`read: async.apply(helpers.isUserAllowedTo, 'read', uid, [topic.cid]),`
			`isOwner: function(next) {`
fixes #4636 (#4639) 9 years ago			`next(null, !!parseInt(uid, 10) && parseInt(uid, 10) === parseInt(topic.uid, 10));`
one less query in privileges.topics.get 10 years ago			`},`
updating privilege handling to fire two new hooks, filter:privileges.topics.get and filter:category.topics.get 10 years ago			`isAdministrator: async.apply(user.isAdministrator, uid),`
one less query in privileges.topics.get 10 years ago			`isModerator: async.apply(user.isModerator, uid, topic.cid),`
			`disabled: async.apply(categories.getCategoryField, topic.cid, 'disabled')`
updating privilege handling to fire two new hooks, filter:privileges.topics.get and filter:category.topics.get 10 years ago			`}, next);`
			`}`
			`], function(err, results) {`
fixed indents 11 years ago			`if (err) {`
			`return callback(err);`
			`}`
more work on #1518 still needs more work, category is next 11 years ago
updating privilege handling to fire two new hooks, filter:privileges.topics.get and filter:category.topics.get 10 years ago			`var disabled = parseInt(results.disabled, 10) === 1;`
components 10 years ago			`var locked = parseInt(topic.locked, 10) === 1;`
closes #4631 9 years ago			`var deleted = parseInt(topic.deleted, 10) === 1;`

fix indent 9 years ago			`var isAdminOrMod = results.isAdministrator \|\| results.isModerator;`
closes #2904 10 years ago			`var editable = isAdminOrMod;`
Add edit, delete, and topics:delete permissions for users acting on their own posts 9 years ago			`var deletable = isAdminOrMod \|\| (results.isOwner && results['topics:delete'][0]);`
updating privilege handling to fire two new hooks, filter:privileges.topics.get and filter:category.topics.get 10 years ago
			`plugins.fireHook('filter:privileges.topics.get', {`
closes #4631 9 years ago			`'topics:reply': (results['topics:reply'][0] && !locked && !deleted) \|\| isAdminOrMod,`
new privilege: Access Topic differentiation between Access Category and Access Topic, ie. allows you to see the category view but not actually enter the topic itself 9 years ago			`'topics:read': results['topics:read'][0] \|\| isAdminOrMod,`
closes #4631 9 years ago			`'topics:delete': (results.isOwner && results['topics:delete'][0]) \|\| isAdminOrMod,`
			`'posts:edit': (results['posts:edit'][0] && !locked) \|\| isAdminOrMod,`
			`'posts:delete': (results['posts:delete'][0] && !locked) \|\| isAdminOrMod,`
			`read: results.read[0] \|\| isAdminOrMod,`
updating privilege handling to fire two new hooks, filter:privileges.topics.get and filter:category.topics.get 10 years ago			`view_thread_tools: editable \|\| deletable,`
			`editable: editable,`
			`deletable: deletable,`
closes #2904 10 years ago			`view_deleted: isAdminOrMod \|\| results.isOwner,`
closes #3689 10 years ago			`isAdminOrMod: isAdminOrMod,`
updating privilege handling to fire two new hooks, filter:privileges.topics.get and filter:category.topics.get 10 years ago			`disabled: disabled,`
			`tid: tid,`
closes #4631 9 years ago			`uid: uid`
updating privilege handling to fire two new hooks, filter:privileges.topics.get and filter:category.topics.get 10 years ago			`}, callback);`
more work on #1518 still needs more work, category is next 11 years ago			`});`
			`};`

removing allowGuestPosting logic in NodeBB 11 years ago			`privileges.topics.can = function(privilege, tid, uid, callback) {`
			`topics.getTopicField(tid, 'cid', function(err, cid) {`
			`if (err) {`
			`return callback(err);`
			`}`

			`privileges.categories.can(privilege, cid, uid, callback);`
			`});`
			`};`

added privileges.topics.filterUids if a topic is deleted and user doesn't have permissions/admin/mod dont send notifs 10 years ago			`privileges.topics.filterTids = function(privilege, tids, uid, callback) {`
src/topics.js cleanup 10 years ago			`if (!Array.isArray(tids) \|\| !tids.length) {`
early outs for privs no need to check if empty array is passed in, happens if there are no unread topics remove dupe cids before checking for privileges 11 years ago			`return callback(null, []);`
			`}`
closes #4499 9 years ago			`var cids;`
			`var topicsData;`
closes #2995 10 years ago			`async.waterfall([`
			`function(next) {`
			`topics.getTopicsFields(tids, ['tid', 'cid', 'deleted'], next);`
			`},`
closes #4499 9 years ago			`function(_topicsData, next) {`
			`topicsData = _topicsData;`
			`cids = topicsData.map(function(topic) {`
closes #2995 10 years ago			`return topic.cid;`
			`}).filter(function(cid, index, array) {`
missing lines 10 years ago			`return cid && array.indexOf(cid) === index;`
optimize privileges and assorted fixes. * new methods privileges.categories.filter privileges.topics.filter privileges.posts.filter they take a list of ids and a privilege, and return the filtered list of ids, faster than doing async.filter and calling the db for each id. * remove event listeners on recent page before adding * group.exists works for both single group names and arrays * helpers.allowedTo works for both a single cid and an array of cids * moved filter:topic.post hook right before topic creation. * moved filter:topic.reply hook right before topic reply. 11 years ago			`});`
added four new hooks: filter:categories.recent, filter:privileges.categories.get, filter:privileges.posts.filter, filter:privileges.topics.filter 10 years ago
closes #4499 9 years ago			`privileges.categories.getBase(privilege, cids, uid, next);`
			`},`
			`function(results, next) {`

			`var isModOf = {};`
			`cids = cids.filter(function(cid, index) {`
			`isModOf[cid] = results.isModerators[index];`
			`return !results.categories[index].disabled &&`
			`(results.allowedTo[index] \|\| results.isAdmin \|\| results.isModerators[index]);`
			`});`

			`tids = topicsData.filter(function(topic) {`
			`return cids.indexOf(topic.cid) !== -1 &&`
			`(parseInt(topic.deleted, 10) !== 1 \|\| results.isAdmin \|\| isModOf[topic.cid]);`
			`}).map(function(topic) {`
			`return topic.tid;`
			`});`

			`plugins.fireHook('filter:privileges.topics.filter', {`
			`privilege: privilege,`
			`uid: uid,`
			`tids: tids`
			`}, function(err, data) {`
			`next(err, data ? data.tids : null);`
added four new hooks: filter:categories.recent, filter:privileges.categories.get, filter:privileges.posts.filter, filter:privileges.topics.filter 10 years ago			`});`
closes #2995 10 years ago			`}`
			`], callback);`
optimize privileges and assorted fixes. * new methods privileges.categories.filter privileges.topics.filter privileges.posts.filter they take a list of ids and a privilege, and return the filtered list of ids, faster than doing async.filter and calling the db for each id. * remove event listeners on recent page before adding * group.exists works for both single group names and arrays * helpers.allowedTo works for both a single cid and an array of cids * moved filter:topic.post hook right before topic creation. * moved filter:topic.reply hook right before topic reply. 11 years ago			`};`

added privileges.topics.filterUids if a topic is deleted and user doesn't have permissions/admin/mod dont send notifs 10 years ago			`privileges.topics.filterUids = function(privilege, tid, uids, callback) {`
			`if (!Array.isArray(uids) \|\| !uids.length) {`
			`return callback(null, []);`
			`}`

			`uids = uids.filter(function(uid, index, array) {`
			`return array.indexOf(uid) === index;`
			`});`

			`async.waterfall([`
			`function(next) {`
			`topics.getTopicFields(tid, ['tid', 'cid', 'deleted'], next);`
			`},`
			`function(topicData, next) {`
			`async.parallel({`
			`disabled: function(next) {`
			`categories.getCategoryField(topicData.cid, 'disabled', next);`
			`},`
			`allowedTo: function(next) {`
			`helpers.isUsersAllowedTo(privilege, uids, topicData.cid, next);`
			`},`
			`isModerators: function(next) {`
			`user.isModerator(uids, topicData.cid, next);`
			`},`
			`isAdmins: function(next) {`
			`user.isAdministrator(uids, next);`
			`}`
			`}, function(err, results) {`
			`if (err) {`
			`return next(err);`
			`}`

			`uids = uids.filter(function(uid, index) {`
			`return parseInt(results.disabled, 10) !== 1 &&`
			`((results.allowedTo[index] && parseInt(topicData.deleted, 10) !== 1) \|\| results.isAdmins[index] \|\| results.isModerators[index]);`
			`});`

			`next(null, uids);`
			`});`
			`}`
			`], callback);`
			`};`

closes #2330 10 years ago			`privileges.topics.canPurge = function(tid, uid, callback) {`
			`async.waterfall([`
			`function (next) {`
			`topics.getTopicField(tid, 'cid', next);`
			`},`
			`function (cid, next) {`
			`async.parallel({`
			`purge: async.apply(privileges.categories.isUserAllowedTo, 'purge', cid, uid),`
			`owner: async.apply(topics.isOwner, tid, uid),`
			`isAdminOrMod: async.apply(privileges.categories.isAdminOrMod, cid, uid)`
			`}, next);`
			`},`
			`function (results, next) {`
			`next(null, results.isAdminOrMod \|\| (results.purge && results.owner));`
			`}`
			`], callback);`
			`};`

Add edit, delete, and topics:delete permissions for users acting on their own posts 9 years ago			`privileges.topics.canDelete = function(tid, uid, callback) {`
closes #4919 9 years ago			`var topicData;`
			`async.waterfall([`
			`function(next) {`
			`topics.getTopicFields(tid, ['cid', 'postcount'], next);`
			`},`
			`function(_topicData, next) {`
			`topicData = _topicData;`
			`async.parallel({`
			`isModerator: async.apply(user.isModerator, uid, topicData.cid),`
			`isAdministrator: async.apply(user.isAdministrator, uid),`
			`isOwner: async.apply(topics.isOwner, tid, uid),`
			`'topics:delete': async.apply(helpers.isUserAllowedTo, 'topics:delete', uid, [topicData.cid])`
			`}, next);`
			`}`
			`], function(err, results) {`
Add edit, delete, and topics:delete permissions for users acting on their own posts 9 years ago			`if (err) {`
			`return callback(err);`
			`}`
closes #4919 9 years ago
			`if (results.isModerator \|\| results.isAdministrator) {`
			`return callback(null, true);`
			`}`

			`var preventTopicDeleteAfterReplies = parseInt(meta.config.preventTopicDeleteAfterReplies, 10) \|\| 0;`
			`if (preventTopicDeleteAfterReplies && (topicData.postcount - 1) >= preventTopicDeleteAfterReplies) {`
fix lang key 9 years ago			`var langKey = preventTopicDeleteAfterReplies > 1 ?`
			`'[[error:cant-delete-topic-has-replies, ' + meta.config.preventTopicDeleteAfterReplies + ']]':`
			`'[[error:cant-delete-topic-has-reply]]';`
			`return callback(new Error(langKey));`
closes #4919 9 years ago			`}`

			`if (!results['topics:delete'][0]) {`
			`return callback(null, false);`
			`}`

			`callback(null, results.isOwner);`
Add edit, delete, and topics:delete permissions for users acting on their own posts 9 years ago			`});`
			`};`

added back canEdit 10 years ago			`privileges.topics.canEdit = function(tid, uid, callback) {`
			`privileges.topics.isOwnerOrAdminOrMod(tid, uid, callback);`
			`};`

privilege fixes 10 years ago			`privileges.topics.isOwnerOrAdminOrMod = function(tid, uid, callback) {`
more work on #1518 still needs more work, category is next 11 years ago			`helpers.some([`
			`function(next) {`
closes #1731 11 years ago			`topics.isOwner(tid, uid, next);`
more work on #1518 still needs more work, category is next 11 years ago			`},`
			`function(next) {`
privilege fixes 10 years ago			`privileges.topics.isAdminOrMod(tid, uid, next);`
more work on #1518 still needs more work, category is next 11 years ago			`}`
			`], callback);`
			`};`

closes #1731 11 years ago
privilege fixes 10 years ago			`privileges.topics.isAdminOrMod = function(tid, uid, callback) {`
more work on #1518 still needs more work, category is next 11 years ago			`helpers.some([`
			`function(next) {`
			`topics.getTopicField(tid, 'cid', function(err, cid) {`
			`if (err) {`
			`return next(err);`
			`}`
			`user.isModerator(uid, cid, next);`
			`});`
			`},`
			`function(next) {`
			`user.isAdministrator(uid, next);`
			`}`
			`], callback);`
privilege fixes 10 years ago			`};`
partially revert https://github.com/NodeBB/NodeBB/commit/fa9f1ac7fe26462febda07189203365e984a146d extending module.exports instead of overwriting fixes the issue 9 years ago			`};`