check privs on getRecentReplies and getRecentTopicReplies

10 years ago · 6a3a3669d2
parent c7ca2e2573
commit 6a3a3669d2
2 changed files with 30 additions and 37 deletions
--- a/src/categories/recentreplies.js
+++ b/src/categories/recentreplies.js
@ -7,50 +7,53 @@ var async = require('async'),
 	db = require('../database'),
 	posts = require('../posts'),
-	topics = require('../topics');
+	topics = require('../topics'),
 	privileges = require('../privileges');
 module.exports = function(Categories) {
 	Categories.getRecentReplies = function(cid, uid, count, callback) {
-		if (!parseInt(count, 10)) {
+		privileges.categories.can('read', cid, uid, function(err, canRead) {
-			return callback(null, []);
+			if (err || !canRead || !parseInt(count, 10)) {
 				return callback(err, []);
 			}
 			db.getSortedSetRevRange('cid:' + cid + ':pids', 0, count - 1, function(err, pids) {
-			if (err || !pids || !pids.length) {
+				if (err || !Array.isArray(pids) || !pids.length) {
 					return callback(err, []);
 				}
 				posts.getPostSummaryByPids(pids, uid, {stripTags: true}, callback);
 			});
 		});
 	};
 	Categories.getRecentTopicReplies = function(categoryData, uid, callback) {
 		if (!Array.isArray(categoryData) || !categoryData.length) {
 			return callback(null, []);
 		}
 		async.map(categoryData, getRecentTopicPids, function(err, results) {
 			if (err) {
 				return callback(err);
 			}
 		async.waterfall([
 			function(next) {
 				async.map(categoryData, getRecentTopicPids, next);
 			},
 			function(results, next) {
 				var pids = _.flatten(results);
 				pids = pids.filter(function(pid, index, array) {
 					return !!pid && array.indexOf(pid) === index;
 				});
-
+				privileges.posts.filter('read', pids, uid, next);
-			posts.getPostSummaryByPids(pids, uid, {stripTags: true}, function(err, posts) {
+			},
-				if (err) {
+			function(pids, next) {
-					return callback(err);
+				posts.getPostSummaryByPids(pids, uid, {stripTags: true}, next);
-				}
+			},
-
+			function(posts, next) {
 				categoryData.forEach(function(category) {
 					assignPostsToCategory(category, posts);
 				});
-
+				next();
-				callback();
+			}
-			});
+		], callback);
 		});
 	};
 	function assignPostsToCategory(category, posts) {
--- a/src/socket.io/categories.js
+++ b/src/socket.io/categories.js
@ -11,17 +11,7 @@ var	async = require('async'),
 	SocketCategories = {};
 SocketCategories.getRecentReplies = function(socket, cid, callback) {
 	privileges.categories.can('read', cid, socket.uid, function(err, canRead) {
 		if (err) {
 			return callback(err);
 		}
 		if (!canRead) {
 			return callback(null, []);
 		}
 	categories.getRecentReplies(cid, socket.uid, 4, callback);
 	});
 };
 SocketCategories.get = function(socket, data, callback) {