fix: #7087, server-side protection against guest blocks

public/language/en-GB/error.json

@@ -185,5 +185,8 @@
 
 	"cannot-block-self": "You cannot block yourself!",
 	"cannot-block-privileged": "You cannot block administrators or global moderators",
+	"cannot-block-guest": "Guest are not able to block other users",
+	"already-blocked": "This user is already blocked",
+	"already-unblocked": "This user is already unblocked",
 	"no-connection": "There seems to be a problem with your internet connection"
 }

src/socket.io/user/profile.js

@@ -220,10 +220,6 @@ module.exports = function (SocketUser) {
 			},
 			function (results, next) {
 				isBlocked = results.is;
-				if (!results.can && !isBlocked) {
-					return next(new Error('[[error:cannot-block-privileged]]'));
-				}
-
 				user.blocks[isBlocked ? 'remove' : 'add'](data.blockeeUid, data.blockerUid, next);
 			},
 		], function (err) {

src/user/blocks.js

@@ -23,7 +23,15 @@ module.exports = function (User) {
 	};
 
 	User.blocks.can = function (callerUid, blockerUid, blockeeUid, callback) {
+		// Guests can't block
+		if (blockerUid === 0 || blockeeUid === 0) {
+			return setImmediate(callback, new Error('[[error:cannot-block-guest]]'));
+		} else if (blockerUid === blockeeUid) {
+			return setImmediate(callback, new Error('[[error:cannot-block-self]]'));
+		}
+
 		// Administrators and global moderators cannot be blocked
+		// Only admins/mods can block users as another user
 		async.waterfall([
 			function (next) {
 				async.parallel({
@@ -37,12 +45,13 @@ module.exports = function (User) {
 			},
 			function (results, next) {
 				if (results.isBlockeeAdminOrMod) {
-					return callback(null, false);
+					return callback(new Error('[[error:cannot-block-privileged]]'));
 				}
 				if (parseInt(callerUid, 10) !== parseInt(blockerUid, 10) && !results.isCallerAdminOrMod) {
-					return callback(null, false);
+					return callback(new Error());
 				}
-				next(null, true);
+
+				next();
 			},
 		], callback);
 	};
@@ -94,12 +103,14 @@ module.exports = function (User) {
 	};
 
 	User.blocks.applyChecks = function (block, targetUid, uid, callback) {
-		if (parseInt(targetUid, 10) === parseInt(uid, 10)) {
-			return setImmediate(callback, new Error('[[error:cannot-block-self]]'));
-		}
+		User.blocks.can(uid, uid, targetUid, function (err) {
+			if (err) {
+				return callback(err);
+			}
 
-		User.blocks.is(targetUid, uid, function (err, is) {
-			callback(err || (is === block ? new Error('[[error:already-' + (block ? 'blocked' : 'unblocked') + ']]') : null));
+			User.blocks.is(targetUid, uid, function (err, is) {
+				callback(err || (is === block ? new Error('[[error:already-' + (block ? 'blocked' : 'unblocked') + ']]') : null));
+			});
 		});
 	};