From 1bf263c4a22a4417ced6a1a0a1054b2cdfdaa82c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Tue, 22 Jun 2021 12:21:52 -0400
Subject: [PATCH] 9622 (#9625)
* fix: #9622 dont allow regular user to remove system tags
* refactor: add guest/spider check to isPrivileged string/trim tag
---
 src/socket.io/topics/tags.js | 2 +-
 src/user/index.js | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/socket.io/topics/tags.js b/src/socket.io/topics/tags.js
index 08f26635bf..117b63c31a 100644
--- a/src/socket.io/topics/tags.js
+++ b/src/socket.io/topics/tags.js
@@ -32,7 +32,7 @@ module.exports = function (SocketTopics) {
 const systemTags = (meta.config.systemTags || '').split(',');
 const isPrivileged = await user.isPrivileged(socket.uid);
- return isPrivileged || !systemTags.includes(data.tag);
+ return isPrivileged || !systemTags.includes(String(data.tag).trim());
 };
 SocketTopics.autocompleteTags = async function (socket, data) {
diff --git a/src/user/index.js b/src/user/index.js
index e2c807ed04..9f8330b791 100644
--- a/src/user/index.js
+++ b/src/user/index.js
@@ -159,6 +159,9 @@ User.getPrivileges = async function (uid) {
 };
 User.isPrivileged = async function (uid) {
+ if (!(parseInt(uid, 10) > 0)) {
+ return false;
+ }
 const results = await User.getPrivileges(uid);
 return results ? (results.isAdmin || results.isGlobalModerator || results.isModeratorOfAnyCategory) : false;
 };
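Review bot: The changed `return` line trims only the requested tag, while `systemTags` two lines above still comes from a bare `split(',')`, so a setting saved as `a, b` produces the entry ` b`, which the trimmed `data.tag` never matches, and a non-privileged caller is let through. Normalise both sides the same way, e.g. `const systemTags = (meta.config.systemTags || '').split(',').map(t => t.trim());`, and if tags are lower-cased or otherwise cleaned before they are stored (not visible in this hunk), apply that same cleaning to `data.tag` before `includes`. The handler begins above the hunk and appears to return only a yes/no answer to the client, so the same rule also has to hold on the server path that actually edits the topic's tags.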
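Review bot: The new guard in `User.isPrivileged` tests `parseInt(uid, 10)` but then forwards the original `uid` to `User.getPrivileges`, so a string whose numeric prefix is positive (a constructed example: `5abc`) passes the check and reaches the lookup unnormalised. That is harmless if every caller passes a server-assigned uid, which this hunk cannot show, but this function gates privileged actions, so parsing once and testing the parsed value is safer: `const id = parseInt(uid, 10); if (!(id > 0)) { return false; }`, with `id` then passed on. A short comment such as `// guests/spiders and non-numeric uids are never privileged; !(x > 0) also rejects NaN` would stop a later cleanup from rewriting the test as `<= 0`, which lets NaN through.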