From 2d5dc44ce59cb79eabfa9fef4c9edde28d3ce615 Mon Sep 17 00:00:00 2001
From: barisusakli
Date: Mon, 22 Sep 2014 21:54:28 -0400
Subject: [PATCH] closes #2123
---
 src/controllers/topics.js | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/src/controllers/topics.js b/src/controllers/topics.js
index f9ba17f743..64db92ec08 100644
--- a/src/controllers/topics.js
+++ b/src/controllers/topics.js
@@ -252,25 +252,40 @@ topicsController.get = function(req, res, next) {
 topicsController.teaser = function(req, res, next) {
 var tid = req.params.topic_id;
 var uid = req.user ? parseInt(req.user.uid, 10) : 0;
- topics.getLatestUndeletedPid(tid, function(err, pid) {
+
+ if (!utils.isNumber(tid)) {
+ return next(new Error('[[error:invalid-tid]]'));
+ }
+
+ privileges.topics.can('read', tid, uid, function(err, canRead) {
 if (err) {
 return next(err);
 }

- if (!pid) {
- return res.json(404, 'not-found');
+ if (!canRead) {
+ return res.json(403, '[[error:no-priveges]]');
 }

- posts.getPostSummaryByPids([pid], uid, {stripTags: false}, function(err, posts) {
+ topics.getLatestUndeletedPid(tid, function(err, pid) {
 if (err) {
 return next(err);
 }

- if (!Array.isArray(posts) || !posts.length) {
+ if (!pid) {
 return res.json(404, 'not-found');
 }

- res.json(posts[0]);
+ posts.getPostSummaryByPids([pid], uid, {stripTags: false}, function(err, posts) {
+ if (err) {
+ return next(err);
+ }
+
+ if (!Array.isArray(posts) || !posts.length) {
+ return res.json(404, 'not-found');
+ }
+
+ res.json(posts[0]);
+ });
 });
 });
 };
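Review bot: The 403 branch returns the key `[[error:no-priveges]]`, which looks like a misspelling of the privileges key, so a denied reader would most likely be shown the raw untranslated token; the line should read `return res.json(403, '[[error:no-privileges]]');` (confirm the exact key against the language file). The failure paths are also inconsistent: an invalid tid is passed to `next(new Error(...))` while the denied and not-found cases answer with JSON directly. Answering 403 for an unreadable topic but 404 for a missing one may also let a caller without read access tell which topic ids exist; if that is not intended, return the same 404 body in both cases. The new code relies on `utils` and `privileges` being required at the top of the file, which this hunk does not show.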