From 1b5d5425b44f6f94012b37e0c77efff1913aacbc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Thu, 4 Jun 2020 21:42:38 -0400
Subject: [PATCH] fix: handle search tag permission as well
---
 public/openapi/read.yaml | 2 ++
 src/controllers/search.js | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/public/openapi/read.yaml b/public/openapi/read.yaml
index 2899178a16..1baef2861d 100644
--- a/public/openapi/read.yaml
+++ b/public/openapi/read.yaml
@@ -4549,6 +4549,8 @@ paths:
 type: boolean
 search:content:
 type: boolean
+ search:tags:
+ type: boolean
 required:
 - posts
 - matchCount
diff --git a/src/controllers/search.js b/src/controllers/search.js
index ed0e78c0a3..a89e87c5d5 100644
--- a/src/controllers/search.js
+++ b/src/controllers/search.js
@@ -25,9 +25,12 @@ searchController.search = async function (req, res, next) {
 const userPrivileges = await utils.promiseParallel({
 'search:users': privileges.global.can('search:users', req.uid),
 'search:content': privileges.global.can('search:content', req.uid),
+ 'search:tags': privileges.global.can('search:tags', req.uid),
 });
- const allowed = (req.query.in === 'users') ? userPrivileges['search:users'] : userPrivileges['search:content'];
+ const allowed = (req.query.in === 'users' && userPrivileges['search:users']) ||
+ (req.query.in === 'tags' && userPrivileges['search:tags']) ||
+ (['titles', 'titlesposts', 'posts'].includes(req.query.in) && userPrivileges['search:content']);
 if (!allowed) {
 return helpers.notAllowed(req, res);
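Review bot: The new `allowed` expression in `searchController.search` rejects every request whose `in` parameter is missing, repeated (parsed as an array) or not one of the five listed strings, whereas the replaced ternary sent everything except `users` to the `search:content` check. Failing closed on unlisted scopes is the right default for a privilege gate, but the rest of the function lies outside this hunk, so if it falls back to a default scope when `in` is absent, users holding `search:content` will now get `notAllowed` for a plain query. I would normalise the value once before the check, e.g. `const searchIn = typeof req.query.in === 'string' ? req.query.in : defaultScope;` (`defaultScope` is a placeholder for whatever default the function applies), and compare against `searchIn` in all three clauses. A short comment above the expression such as `// allow-list: any scope not named here is denied` would record that the deny-by-default behaviour is intentional.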