From 3cd0c9a4766463a15e459ff6b4ba5d893dc606aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Sun, 29 Nov 2020 15:43:40 -0500
Subject: [PATCH] fix: #8998, allow guests to use write api to post/reply
---
 src/routes/write/topics.js | 4 +--
 test/topics.js | 52 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+), 2 deletions(-)
diff --git a/src/routes/write/topics.js b/src/routes/write/topics.js
index 744f83aa66..08bd8b2928 100644
--- a/src/routes/write/topics.js
+++ b/src/routes/write/topics.js
@@ -10,8 +10,8 @@ const setupApiRoute = routeHelpers.setupApiRoute;
 module.exports = function () {
 const middlewares = [middleware.authenticate];
- setupApiRoute(router, 'post', '/', [...middlewares, middleware.checkRequired.bind(null, ['cid', 'title', 'content'])], controllers.write.topics.create);
- setupApiRoute(router, 'post', '/:tid', [...middlewares, middleware.checkRequired.bind(null, ['content']), middleware.assert.topic], controllers.write.topics.reply);
+ setupApiRoute(router, 'post', '/', [middleware.authenticateOrGuest, middleware.checkRequired.bind(null, ['cid', 'title', 'content'])], controllers.write.topics.create);
+ setupApiRoute(router, 'post', '/:tid', [middleware.authenticateOrGuest, middleware.checkRequired.bind(null, ['content']), middleware.assert.topic], controllers.write.topics.reply);
 setupApiRoute(router, 'delete', '/:tid', [...middlewares], controllers.write.topics.purge);
 setupApiRoute(router, 'put', '/:tid/state', [...middlewares], controllers.write.topics.restore);
diff --git a/test/topics.js b/test/topics.js
index 239cf055d5..adf516521a 100644
--- a/test/topics.js
+++ b/test/topics.js
@@ -5,6 +5,7 @@ const assert = require('assert');
 const validator = require('validator');
 const nconf = require('nconf');
 const request = require('request');
+const util = require('util');
 const db = require('./mocks/databasemock');
 const topics = require('../src/topics');
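Review bot: In src/routes/write/topics.js the two `post` routes now let unauthenticated callers through to `controllers.write.topics.create` and `.reply`, and nothing at the route level records that the category privilege check further down is the only gate left; that check is not visible in this hunk. I would add a comment above the two changed lines, for example `// guests pass authenticateOrGuest; access is decided by the groups:topics:create / groups:topics:reply category privileges downstream`, so a later change in the controller or API layer does not silently open anonymous posting. Since these are now anonymous write endpoints, it is also worth confirming that whatever throttling or spam controls apply to guest posts elsewhere run on this path too. The body of `module.exports` continues outside the hunk.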
@@ -18,6 +19,11 @@ const helpers = require('./helpers');
 const socketPosts = require('../src/socket.io/posts');
 const socketTopics = require('../src/socket.io/topics');
+
+const requestType = util.promisify(function (type, url, opts, cb) {
+ request[type](url, opts, (err, res, body) => cb(err, { res: res, body: body }));
+});
+
 describe('Topic\'s', function () {
 var topic;
 var categoryObj;
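Review bot: `requestType` has no comment saying what it resolves with, and as written it rejects only when `request` hands an `err` to the callback, so a response carrying an HTTP error status presumably resolves like a success and each caller has to inspect `res` or `body` itself. A one-line comment above the helper would make that contract explicit, e.g. `// resolves { res, body }; rejects only on transport errors, so tests must assert on the status themselves`. `request[type]` is looked up from a free-form string, so the comment could also say that `type` is a lowercase verb such as `'post'`.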
@@ -111,6 +117,52 @@ describe('Topic\'s', function () {
 done();
 });
 });
+
+ it('should fail to post a topic as guest if no privileges', async function () {
+ const categoryObj = await categories.create({
+ name: 'Test Category',
+ description: 'Test category created by testing script',
+ });
+ const result = await requestType('post', nconf.get('url') + '/api/v3/topics', {
+ form: {
+ title: 'just a title',
+ cid: categoryObj.cid,
+ content: 'content for the main post',
+ },
+ json: true,
+ });
+ assert.strictEqual(result.body.status.message, '[[error:no-privileges]]');
+ });
+
+ it('should post a topic as guest if guest group has privileges', async function () {
+ const categoryObj = await categories.create({
+ name: 'Test Category',
+ description: 'Test category created by testing script',
+ });
+ await privileges.categories.give(['groups:topics:create'], categoryObj.cid, 'guests');
+ await privileges.categories.give(['groups:topics:reply'], categoryObj.cid, 'guests');
+
+ const result = await requestType('post', nconf.get('url') + '/api/v3/topics', {
+ form: {
+ title: 'just a title',
+ cid: categoryObj.cid,
+ content: 'content for the main post',
+ },
+ json: true,
+ });
+
+ assert.strictEqual(result.body.status.code, 'ok');
+ assert.strictEqual(result.body.response.title, 'just a title');
+ assert.strictEqual(result.body.response.user.username, '[[global:guest]]');
+
+ const replyResult = await requestType('post', nconf.get('url') + '/api/v3/topics/' + result.body.response.tid, {
+ form: {
+ content: 'a reply by guest',
+ },
+ json: true,
+ });
+ assert.strictEqual(replyResult.body.response.content, 'a reply by guest');
+ });
 });
 describe('.reply', function () {
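Review bot: The refusal path is tested only for topic creation; no test shows that a guest without `groups:topics:reply` is turned away on `POST /api/v3/topics/:tid`, although the same commit opens that route to unauthenticated callers. Both new tests also assert only on the response body, so an assertion on `result.res.statusCode` in the first test would pin the HTTP-level result as well. A sketch of the missing case follows; it assumes a freshly created category gives guests no reply privilege, as the first test demonstrates for create. The enclosing `describe` starts outside the hunk.

```javascript
it('should fail to reply as guest if guest group lacks reply privilege', async function () {
	const categoryObj = await categories.create({
		name: 'Test Category',
		description: 'Test category created by testing script',
	});
	// create only: the reply privilege is deliberately not granted
	await privileges.categories.give(['groups:topics:create'], categoryObj.cid, 'guests');
	const result = await requestType('post', nconf.get('url') + '/api/v3/topics', {
		form: { title: 'just a title', cid: categoryObj.cid, content: 'content for the main post' },
		json: true,
	});
	const replyResult = await requestType('post', nconf.get('url') + '/api/v3/topics/' + result.body.response.tid, {
		form: { content: 'a reply by guest' },
		json: true,
	});
	assert.strictEqual(replyResult.body.status.message, '[[error:no-privileges]]');
});
```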