fixed markAsUnreadForAll permissions

src/socket.io/topics.js

@@ -154,7 +154,38 @@ SocketTopics.markAsUnreadForAll = function(socket, tids, callback) {
 		return callback(new Error('[[error:invalid-tid]]'));
 	}
 
+	if (!socket.uid) {
+		return callback(new Error('[[error:no-privileges]]'));
+	}
+
+	user.isAdministrator(socket.uid, function(err, isAdmin) {
+		if (err) {
+			return callback(err);
+		}
+
 		async.each(tids, function(tid, next) {
+			async.waterfall([
+				function(next) {
+					threadTools.exists(tid, next);
+				},
+				function(exists, next) {
+					if (!exists) {
+						return next(new Error('[[error:invalid-tid]]'));
+					}
+					topics.getTopicField(tid, 'cid', next);
+				},
+				function(cid, next) {
+					user.isModerator(socket.uid, cid, next);
+				}
+			], function(err, isMod) {
+				if (err) {
+					return next(err);
+				}
+
+				if (!isAdmin && !isMod) {
+					return next(new Error('[[error:no-privileges]]'));
+				}
+
 				topics.markAsUnreadForAll(tid, function(err) {
 					if(err) {
 						return next(err);
@@ -168,7 +199,9 @@ SocketTopics.markAsUnreadForAll = function(socket, tids, callback) {
 						next();
 					});
 				});
+			});
 		}, callback);
+	});
 };
 
 SocketTopics.delete = function(socket, data, callback) {