nodebb/src/privileges/topics.js


'use strict';

const _ = require('lodash');

const meta = require('../meta');
const topics = require('../topics');
const user = require('../user');
const helpers = require('./helpers');
const categories = require('../categories');
const plugins = require('../plugins');

module.exports = function (privileges) {
	privileges.topics = {};

	privileges.topics.get = async function (tid, uid) {
		uid = parseInt(uid, 10);

		const privs = [
			'topics:reply', 'topics:read', 'topics:tag',
			'topics:delete', 'posts:edit', 'posts:history',
			'posts:delete', 'posts:view_deleted', 'read', 'purge',
		];
		const topicData = await topics.getTopicFields(tid, ['cid', 'uid', 'locked', 'deleted']);
		const [userPrivileges, isAdministrator, isModerator, disabled] = await Promise.all([
			helpers.isUserAllowedTo(privs, uid, topicData.cid),
			user.isAdministrator(uid),
			user.isModerator(uid, topicData.cid),
			categories.getCategoryField(topicData.cid, 'disabled'),
		]);
		const privData = _.zipObject(privs, userPrivileges);
		const isOwner = uid > 0 && uid === topicData.uid;
		const isAdminOrMod = isAdministrator || isModerator;
		const editable = isAdminOrMod;
		const deletable = (privData['topics:delete'] && (isOwner || isModerator)) || isAdministrator;

		return await plugins.fireHook('filter:privileges.topics.get', {
			'topics:reply': (privData['topics:reply'] && ((!topicData.locked && !topicData.deleted) || isModerator)) || isAdministrator,
			'topics:read': privData['topics:read'] || isAdministrator,
			'topics:tag': privData['topics:tag'] || isAdministrator,
			'topics:delete': (privData['topics:delete'] && (isOwner || isModerator)) || isAdministrator,
			'posts:edit': (privData['posts:edit'] && (!topicData.locked || isModerator)) || isAdministrator,
			'posts:history': privData['posts:history'] || isAdministrator,
			'posts:delete': (privData['posts:delete'] && (!topicData.locked || isModerator)) || isAdministrator,
			'posts:view_deleted': privData['posts:view_deleted'] || isAdministrator,
			read: privData.read || isAdministrator,
			purge: (privData.purge && (isOwner || isModerator)) || isAdministrator,

			view_thread_tools: editable || deletable,
			editable: editable,
			deletable: deletable,
			view_deleted: isAdminOrMod || isOwner,
			isAdminOrMod: isAdminOrMod,
			disabled: disabled,
			tid: tid,
			uid: uid,
		});
	};

	privileges.topics.can = async function (privilege, tid, uid) {
		const cid = await topics.getTopicField(tid, 'cid');
		return await privileges.categories.can(privilege, cid, uid);
	};

	privileges.topics.filterTids = async function (privilege, tids, uid) {
		if (!Array.isArray(tids) || !tids.length) {
			return [];
		}

		const topicsData = await topics.getTopicsFields(tids, ['tid', 'cid', 'deleted']);
		const cids = _.uniq(topicsData.map(topic => topic.cid));
		const results = await privileges.categories.getBase(privilege, cids, uid);

		const allowedCids = cids.filter((cid, index) => !results.categories[index].disabled && (results.allowedTo[index] || results.isAdmin));

		const cidsSet = new Set(allowedCids);
		const canViewDeleted = _.zipObject(cids, results.view_deleted);

		tids = topicsData.filter(t => cidsSet.has(t.cid) &&	(!t.deleted || canViewDeleted[t.cid] || results.isAdmin)).map(t => t.tid);

		const data = await plugins.fireHook('filter:privileges.topics.filter', {
			privilege: privilege,
			uid: uid,
			tids: tids,
		});
		return data ? data.tids : [];
	};

	privileges.topics.filterUids = async function (privilege, tid, uids) {
		if (!Array.isArray(uids) || !uids.length) {
			return [];
		}

		uids = _.uniq(uids);
		const topicData = await topics.getTopicFields(tid, ['tid', 'cid', 'deleted']);
		const [disabled, allowedTo, isAdmins] = await Promise.all([
			categories.getCategoryField(topicData.cid, 'disabled'),
			helpers.isUsersAllowedTo(privilege, uids, topicData.cid),
			user.isAdministrator(uids),
		]);
		return uids.filter(function (uid, index) {
			return !disabled &&
				((allowedTo[index] && !topicData.deleted) || isAdmins[index]);
		});
	};

	privileges.topics.canPurge = async function (tid, uid) {
		const cid = await topics.getTopicField(tid, 'cid');
		const [purge, owner, isAdmin, isModerator] = await Promise.all([
			privileges.categories.isUserAllowedTo('purge', cid, uid),
			topics.isOwner(tid, uid),
			privileges.users.isAdministrator(uid),
			privileges.users.isModerator(uid, cid),
		]);
		return (purge && (owner || isModerator)) || isAdmin;
	};

	privileges.topics.canDelete = async function (tid, uid) {
		const topicData = await topics.getTopicFields(tid, ['uid', 'cid', 'postcount', 'deleterUid']);
		const [isModerator, isAdministrator, isOwner, allowedTo] = await Promise.all([
			user.isModerator(uid, topicData.cid),
			user.isAdministrator(uid),
			topics.isOwner(tid, uid),
			helpers.isUserAllowedTo('topics:delete', uid, [topicData.cid]),
		]);

		if (isAdministrator) {
			return true;
		}

		const preventTopicDeleteAfterReplies = meta.config.preventTopicDeleteAfterReplies;
		if (!isModerator && preventTopicDeleteAfterReplies && (topicData.postcount - 1) >= preventTopicDeleteAfterReplies) {
			const langKey = preventTopicDeleteAfterReplies > 1 ?
				'[[error:cant-delete-topic-has-replies, ' + meta.config.preventTopicDeleteAfterReplies + ']]' :
				'[[error:cant-delete-topic-has-reply]]';
			throw new Error(langKey);
		}

		const deleterUid = topicData.deleterUid;
		return allowedTo[0] && ((isOwner && (deleterUid === 0 || deleterUid === topicData.uid)) || isModerator);
	};

	privileges.topics.canEdit = async function (tid, uid) {
		return await privileges.topics.isOwnerOrAdminOrMod(tid, uid);
	};

	privileges.topics.isOwnerOrAdminOrMod = async function (tid, uid) {
		const [isOwner, isAdminOrMod] = await Promise.all([
			topics.isOwner(tid, uid),
			privileges.topics.isAdminOrMod(tid, uid),
		]);
		return isOwner || isAdminOrMod;
	};

	privileges.topics.isAdminOrMod = async function (tid, uid) {
		if (parseInt(uid, 10) <= 0) {
			return false;
		}
		const cid = await topics.getTopicField(tid, 'cid');
		return await privileges.categories.isAdminOrMod(cid, uid);
	};
};
more work on #1518 still needs more work, category is next 11 years ago
			`'use strict';`

feat: #7743, privileges 6 years ago			`const _ = require('lodash');`
more work on #1518 still needs more work, category is next 11 years ago
feat: #7743, privileges 6 years ago			`const meta = require('../meta');`
			`const topics = require('../topics');`
			`const user = require('../user');`
			`const helpers = require('./helpers');`
			`const categories = require('../categories');`
			`const plugins = require('../plugins');`
more work on #1518 still needs more work, category is next 11 years ago
Fix space-before-function-paren linter rule 8 years ago			`module.exports = function (privileges) {`
more work on #1518 still needs more work, category is next 11 years ago			`privileges.topics = {};`

feat: #7743, privileges 6 years ago			`privileges.topics.get = async function (tid, uid) {`
remove some parseInts 6 years ago			`uid = parseInt(uid, 10);`
feat: #7743, privileges 6 years ago
			`const privs = [`
misc fixes handle spider uids properly 6 years ago			`'topics:reply', 'topics:read', 'topics:tag',`
			`'topics:delete', 'posts:edit', 'posts:history',`
			`'posts:delete', 'posts:view_deleted', 'read', 'purge',`
			`];`
feat: #7743, privileges 6 years ago			`const topicData = await topics.getTopicFields(tid, ['cid', 'uid', 'locked', 'deleted']);`
			`const [userPrivileges, isAdministrator, isModerator, disabled] = await Promise.all([`
			`helpers.isUserAllowedTo(privs, uid, topicData.cid),`
			`user.isAdministrator(uid),`
			`user.isModerator(uid, topicData.cid),`
			`categories.getCategoryField(topicData.cid, 'disabled'),`
			`]);`
			`const privData = _.zipObject(privs, userPrivileges);`
			`const isOwner = uid > 0 && uid === topicData.uid;`
			`const isAdminOrMod = isAdministrator \|\| isModerator;`
			`const editable = isAdminOrMod;`
			`const deletable = (privData['topics:delete'] && (isOwner \|\| isModerator)) \|\| isAdministrator;`

			`return await plugins.fireHook('filter:privileges.topics.get', {`
			`'topics:reply': (privData['topics:reply'] && ((!topicData.locked && !topicData.deleted) \|\| isModerator)) \|\| isAdministrator,`
			`'topics:read': privData['topics:read'] \|\| isAdministrator,`
			`'topics:tag': privData['topics:tag'] \|\| isAdministrator,`
			`'topics:delete': (privData['topics:delete'] && (isOwner \|\| isModerator)) \|\| isAdministrator,`
			`'posts:edit': (privData['posts:edit'] && (!topicData.locked \|\| isModerator)) \|\| isAdministrator,`
			`'posts:history': privData['posts:history'] \|\| isAdministrator,`
			`'posts:delete': (privData['posts:delete'] && (!topicData.locked \|\| isModerator)) \|\| isAdministrator,`
			`'posts:view_deleted': privData['posts:view_deleted'] \|\| isAdministrator,`
			`read: privData.read \|\| isAdministrator,`
			`purge: (privData.purge && (isOwner \|\| isModerator)) \|\| isAdministrator,`

			`view_thread_tools: editable \|\| deletable,`
			`editable: editable,`
			`deletable: deletable,`
			`view_deleted: isAdminOrMod \|\| isOwner,`
			`isAdminOrMod: isAdminOrMod,`
			`disabled: disabled,`
			`tid: tid,`
			`uid: uid,`
			`});`
more work on #1518 still needs more work, category is next 11 years ago			`};`

feat: #7743, privileges 6 years ago			`privileges.topics.can = async function (privilege, tid, uid) {`
			`const cid = await topics.getTopicField(tid, 'cid');`
			`return await privileges.categories.can(privilege, cid, uid);`
removing allowGuestPosting logic in NodeBB 11 years ago			`};`

feat: #7743, privileges 6 years ago			`privileges.topics.filterTids = async function (privilege, tids, uid) {`
src/topics.js cleanup 10 years ago			`if (!Array.isArray(tids) \|\| !tids.length) {`
feat: #7743, privileges 6 years ago			`return [];`
early outs for privs no need to check if empty array is passed in, happens if there are no unread topics remove dupe cids before checking for privileges 11 years ago			`}`
feat: #7743, privileges 6 years ago
			`const topicsData = await topics.getTopicsFields(tids, ['tid', 'cid', 'deleted']);`
fix: use view_deleted when filtering, closes #8137 5 years ago			`const cids = _.uniq(topicsData.map(topic => topic.cid));`
feat: #7743, privileges 6 years ago			`const results = await privileges.categories.getBase(privilege, cids, uid);`

fix: use view_deleted when filtering, closes #8137 5 years ago			`const allowedCids = cids.filter((cid, index) => !results.categories[index].disabled && (results.allowedTo[index] \|\| results.isAdmin));`
feat: #7743, privileges 6 years ago
fix: use view_deleted when filtering, closes #8137 5 years ago			`const cidsSet = new Set(allowedCids);`
			`const canViewDeleted = _.zipObject(cids, results.view_deleted);`
feat: #7743, privileges 6 years ago
fix: use view_deleted when filtering, closes #8137 5 years ago			`tids = topicsData.filter(t => cidsSet.has(t.cid) && (!t.deleted \|\| canViewDeleted[t.cid] \|\| results.isAdmin)).map(t => t.tid);`
feat: #7743, privileges 6 years ago
			`const data = await plugins.fireHook('filter:privileges.topics.filter', {`
			`privilege: privilege,`
			`uid: uid,`
			`tids: tids,`
			`});`
			`return data ? data.tids : [];`
optimize privileges and assorted fixes. * new methods privileges.categories.filter privileges.topics.filter privileges.posts.filter they take a list of ids and a privilege, and return the filtered list of ids, faster than doing async.filter and calling the db for each id. * remove event listeners on recent page before adding * group.exists works for both single group names and arrays * helpers.allowedTo works for both a single cid and an array of cids * moved filter:topic.post hook right before topic creation. * moved filter:topic.reply hook right before topic reply. 11 years ago			`};`

feat: #7743, privileges 6 years ago			`privileges.topics.filterUids = async function (privilege, tid, uids) {`
added privileges.topics.filterUids if a topic is deleted and user doesn't have permissions/admin/mod dont send notifs 10 years ago			`if (!Array.isArray(uids) \|\| !uids.length) {`
feat: #7743, privileges 6 years ago			`return [];`
added privileges.topics.filterUids if a topic is deleted and user doesn't have permissions/admin/mod dont send notifs 10 years ago			`}`

switch .filter to uniq 8 years ago			`uids = _.uniq(uids);`
feat: #7743, privileges 6 years ago			`const topicData = await topics.getTopicFields(tid, ['tid', 'cid', 'deleted']);`
			`const [disabled, allowedTo, isAdmins] = await Promise.all([`
			`categories.getCategoryField(topicData.cid, 'disabled'),`
			`helpers.isUsersAllowedTo(privilege, uids, topicData.cid),`
			`user.isAdministrator(uids),`
			`]);`
			`return uids.filter(function (uid, index) {`
			`return !disabled &&`
			`((allowedTo[index] && !topicData.deleted) \|\| isAdmins[index]);`
			`});`
added privileges.topics.filterUids if a topic is deleted and user doesn't have permissions/admin/mod dont send notifs 10 years ago			`};`

feat: #7743, privileges 6 years ago			`privileges.topics.canPurge = async function (tid, uid) {`
			`const cid = await topics.getTopicField(tid, 'cid');`
			`const [purge, owner, isAdmin, isModerator] = await Promise.all([`
			`privileges.categories.isUserAllowedTo('purge', cid, uid),`
			`topics.isOwner(tid, uid),`
			`privileges.users.isAdministrator(uid),`
			`privileges.users.isModerator(uid, cid),`
			`]);`
			`return (purge && (owner \|\| isModerator)) \|\| isAdmin;`
closes #2330 10 years ago			`};`

feat: #7743, privileges 6 years ago			`privileges.topics.canDelete = async function (tid, uid) {`
fix: #8139, dont allow restore if not deleted by self 5 years ago			`const topicData = await topics.getTopicFields(tid, ['uid', 'cid', 'postcount', 'deleterUid']);`
feat: #7743, privileges 6 years ago			`const [isModerator, isAdministrator, isOwner, allowedTo] = await Promise.all([`
			`user.isModerator(uid, topicData.cid),`
			`user.isAdministrator(uid),`
			`topics.isOwner(tid, uid),`
			`helpers.isUserAllowedTo('topics:delete', uid, [topicData.cid]),`
			`]);`

			`if (isAdministrator) {`
			`return true;`
			`}`

			`const preventTopicDeleteAfterReplies = meta.config.preventTopicDeleteAfterReplies;`
			`if (!isModerator && preventTopicDeleteAfterReplies && (topicData.postcount - 1) >= preventTopicDeleteAfterReplies) {`
			`const langKey = preventTopicDeleteAfterReplies > 1 ?`
			`'[[error:cant-delete-topic-has-replies, ' + meta.config.preventTopicDeleteAfterReplies + ']]' :`
			`'[[error:cant-delete-topic-has-reply]]';`
			`throw new Error(langKey);`
			`}`

fix: #8139, dont allow restore if not deleted by self 5 years ago			`const deleterUid = topicData.deleterUid;`
			`return allowedTo[0] && ((isOwner && (deleterUid === 0 \|\| deleterUid === topicData.uid)) \|\| isModerator);`
Add edit, delete, and topics:delete permissions for users acting on their own posts 9 years ago			`};`

feat: #7743, privileges 6 years ago			`privileges.topics.canEdit = async function (tid, uid) {`
			`return await privileges.topics.isOwnerOrAdminOrMod(tid, uid);`
added back canEdit 10 years ago			`};`

feat: #7743, privileges 6 years ago			`privileges.topics.isOwnerOrAdminOrMod = async function (tid, uid) {`
			`const [isOwner, isAdminOrMod] = await Promise.all([`
			`topics.isOwner(tid, uid),`
			`privileges.topics.isAdminOrMod(tid, uid),`
			`]);`
			`return isOwner \|\| isAdminOrMod;`
more work on #1518 still needs more work, category is next 11 years ago			`};`

feat: #7743, privileges 6 years ago			`privileges.topics.isAdminOrMod = async function (tid, uid) {`
			`if (parseInt(uid, 10) <= 0) {`
			`return false;`
			`}`
			`const cid = await topics.getTopicField(tid, 'cid');`
			`return await privileges.categories.isAdminOrMod(cid, uid);`
privilege fixes 10 years ago			`};`
ESlint eol-last 8 years ago			`};`