From 414caac01b52d280701cc7786a6e378379b9ac8e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Thu, 26 Nov 2020 12:45:02 -0500
Subject: [PATCH] fix: #8957

---
 src/socket.io/posts/move.js | 5 +++++
 test/posts.js | 15 +++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/src/socket.io/posts/move.js b/src/socket.io/posts/move.js
index bfd614b063..c1637fad51 100644
--- a/src/socket.io/posts/move.js
+++ b/src/socket.io/posts/move.js
@@ -19,6 +19,11 @@ module.exports = function (SocketPosts) {
 throw new Error('[[error:invalid-data]]');
 }
 
+ const canMove = await privileges.topics.isAdminOrMod(data.tid, socket.uid);
+ if (!canMove) {
+ throw new Error('[[error:no-privileges]]');
+ }
+
 for (const pid of data.pids) {
 /* eslint-disable no-await-in-loop */
 const canMove = await privileges.posts.canMove(pid, socket.uid);
diff --git a/test/posts.js b/test/posts.js
index aad50e2684..b777230f93 100644
--- a/test/posts.js
+++ b/test/posts.js
@@ -721,6 +721,21 @@ describe('Post\'s', function () {
 });
 });
 });
+
+ it('should fail to move post if not moderator of target category', async function () {
+ const cat1 = await categories.create({ name: 'Test Category', description: 'Test category created by testing script' });
+ const cat2 = await categories.create({ name: 'Test Category', description: 'Test category created by testing script' });
+ const result = await socketTopics.post({ uid: globalModUid }, { title: 'target topic', content: 'queued topic', cid: cat2.cid });
+ const modUid = await user.create({ username: 'modofcat1' });
+ await privileges.categories.give(privileges.userPrivilegeList, cat1.cid, modUid);
+ let err;
+ try {
+ await socketPosts.movePost({ uid: modUid }, { pid: replyPid, tid: result.tid });
+ } catch (_err) {
+ err = _err;
+ }
+ assert.strictEqual(err.message, '[[error:no-privileges]]');
+ });
 });
 
 describe('getPostSummaryByPids', function () {
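Review bot: The new target-topic check stores its result in `canMove`, and the loop directly below declares `const canMove` again for the per-post check, so two different authorization decisions share one name and the inner declaration shadows the outer. Renaming the added variable, e.g. `const canModerateTarget = await privileges.topics.isAdminOrMod(data.tid, socket.uid);` with `if (!canModerateTarget) {`, keeps them distinguishable, and a comment such as `// the caller must moderate the destination topic, not only the posts being moved` would record why both checks exist. The check is added in the socket handler, so any other caller of the underlying move routine would presumably not get it; that is worth confirming. The enclosing function starts and ends outside the hunk.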
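Review bot: The added test may pass without the fix: `replyPid` is defined outside the hunk, and if that post does not live in `cat1` the pre-existing per-post `canMove` check would presumably reject `modUid` with the same `[[error:no-privileges]]` message. Creating the source post in `cat1`, so that only the destination-topic check can fail, would make this a real regression test. Separately, if `movePost` resolves, `err` stays undefined and `err.message` throws a TypeError instead of a clear assertion failure; assuming `assert` is Node's built-in module, `await assert.rejects(socketPosts.movePost({ uid: modUid }, { pid: replyPid, tid: result.tid }), { message: '[[error:no-privileges]]' });` replaces the try/catch. The enclosing `describe` block starts and ends outside the hunk.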