From 61090615016c522c0a0fd5d48fd427219bf8fa02 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
 <barisusakli@gmail.com>
Date: Fri, 11 Nov 2022 11:14:30 -0500
Subject: [PATCH] fix: check schedule privilege, closes #11032

---
 src/api/helpers.js |  2 +-
 src/api/topics.js  | 16 ++++++++++------
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/src/api/helpers.js b/src/api/helpers.js
index fd215aa241..24c2540ccb 100644
--- a/src/api/helpers.js
+++ b/src/api/helpers.js
@@ -13,7 +13,7 @@ const events = require('../events');
 exports.setDefaultPostData = function (reqOrSocket, data) {
 	data.uid = reqOrSocket.uid;
 	data.req = exports.buildReqObject(reqOrSocket, { ...data });
-	data.timestamp = parseInt(data.timestamp, 10) || Date.now();
+	data.timestamp = Date.now();
 	data.fromQueue = false;
 };
 
diff --git a/src/api/topics.js b/src/api/topics.js
index 187bc064be..3cd98f0c20 100644
--- a/src/api/topics.js
+++ b/src/api/topics.js
@@ -40,13 +40,19 @@ topicsAPI.create = async function (caller, data) {
 	const payload = { ...data };
 	payload.tags = payload.tags || [];
 	apiHelpers.setDefaultPostData(caller, payload);
+	const isScheduling = parseInt(data.timestamp, 10) > payload.timestamp;
+	if (isScheduling) {
+		if (await privileges.categories.can('topics:schedule', data.cid, caller.uid)) {
+			payload.timestamp = parseInt(data.timestamp, 10);
+		} else {
+			throw new Error('[[error:no-privileges]]');
+		}
+	}
 
-	// Blacklist & Post Queue
 	await meta.blacklist.test(caller.ip);
 	const shouldQueue = await posts.shouldQueue(caller.uid, payload);
 	if (shouldQueue) {
-		const queueObj = await posts.addToQueue(payload);
-		return queueObj;
+		return await posts.addToQueue(payload);
 	}
 
 	const result = await topics.post(payload);
@@ -66,12 +72,10 @@ topicsAPI.reply = async function (caller, data) {
 	const payload = { ...data };
 	apiHelpers.setDefaultPostData(caller, payload);
 
-	// Blacklist & Post Queue
 	await meta.blacklist.test(caller.ip);
 	const shouldQueue = await posts.shouldQueue(caller.uid, payload);
 	if (shouldQueue) {
-		const queueObj = await posts.addToQueue(payload);
-		return queueObj;
+		return await posts.addToQueue(payload);
 	}
 
 	const postData = await topics.reply(payload); // postData seems to be a subset of postObj, refactor?