From 3653151143c560d2af7e1f4c663ac3cc470878de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
 <barisusakli@gmail.com>
Date: Thu, 16 Jul 2020 16:47:49 -0400
Subject: [PATCH] fix: #8508, dont allow moving topics if not moderator of
 target category

---
 src/socket.io/topics/move.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/socket.io/topics/move.js b/src/socket.io/topics/move.js
index 046ad83156..f2b6b84cba 100644
--- a/src/socket.io/topics/move.js
+++ b/src/socket.io/topics/move.js
@@ -13,6 +13,11 @@ module.exports = function (SocketTopics) {
 			throw new Error('[[error:invalid-data]]');
 		}
 
+		const canMove = await privileges.categories.isAdminOrMod(data.cid, socket.uid);
+		if (!canMove) {
+			throw new Error('[[error:no-privileges]]');
+		}
+
 		const uids = await user.getUidsFromSet('users:online', 0, -1);
 
 		await async.eachLimit(data.tids, 10, async function (tid) {