9622 (#9625)

* fix: #9622 dont allow regular user to remove system tags * refactor: add guest/spider check to isPrivileged string/trim tag
4 years ago · 1bf263c4a2
parent 0d975bc4fb
commit 1bf263c4a2
2 changed files with 4 additions and 1 deletions
--- a/src/socket.io/topics/tags.js
+++ b/src/socket.io/topics/tags.js
@ -32,7 +32,7 @@ module.exports = function (SocketTopics) {

 		const systemTags = (meta.config.systemTags || '').split(',');
 		const isPrivileged = await user.isPrivileged(socket.uid);
-		return isPrivileged || !systemTags.includes(data.tag);
+		return isPrivileged || !systemTags.includes(String(data.tag).trim());
 	};

 	SocketTopics.autocompleteTags = async function (socket, data) {
--- a/src/user/index.js
+++ b/src/user/index.js
@ -159,6 +159,9 @@ User.getPrivileges = async function (uid) {
 };

 User.isPrivileged = async function (uid) {
+	if (!(parseInt(uid, 10) > 0)) {
+		return false;
+	}
 	const results = await User.getPrivileges(uid);
 	return results ? (results.isAdmin || results.isGlobalModerator || results.isModeratorOfAnyCategory) : false;
 };