fix: access checks for tags and thumbs get route

src/controllers/write/topics.js

@@ -86,16 +86,28 @@ Topics.unfollow = async (req, res) => {
 };
 
 Topics.addTags = async (req, res) => {
+	if (!await privileges.topics.canEdit(req.params.tid, req.user.uid)) {
+		return helpers.formatApiResponse(403, res);
+	}
+
 	await topics.createTags(req.body.tags, req.params.tid, Date.now());
 	helpers.formatApiResponse(200, res);
 };
 
 Topics.deleteTags = async (req, res) => {
+	if (!await privileges.topics.canEdit(req.params.tid, req.user.uid)) {
+		return helpers.formatApiResponse(403, res);
+	}
+
 	await topics.deleteTopicTags(req.params.tid);
 	helpers.formatApiResponse(200, res);
 };
 
 Topics.getThumbs = async (req, res) => {
+	if (!await privileges.topics.can('topics:read', req.params.tid, req.uid)) {
+		return helpers.formatApiResponse(403, res);
+	}
+
 	helpers.formatApiResponse(200, res, await topics.thumbs.get(req.params.tid));
 };
 

src/routes/write/topics.js

@@ -35,7 +35,7 @@ module.exports = function () {
 	setupApiRoute(router, 'put', '/:tid/tags', [...middlewares, middleware.checkRequired.bind(null, ['tags']), middleware.assert.topic], controllers.write.topics.addTags);
 	setupApiRoute(router, 'delete', '/:tid/tags', [...middlewares, middleware.assert.topic], controllers.write.topics.deleteTags);
 
-	setupApiRoute(router, 'get', '/:tid/thumbs', [], controllers.write.topics.getThumbs);
+	setupApiRoute(router, 'get', '/:tid/thumbs', middleware.authenticateOrGuest, controllers.write.topics.getThumbs);
 	setupApiRoute(router, 'post', '/:tid/thumbs', [multipartMiddleware, middleware.validateFiles, ...middlewares], controllers.write.topics.addThumb);
 	setupApiRoute(router, 'put', '/:tid/thumbs', [], controllers.write.topics.migrateThumbs);
 	setupApiRoute(router, 'delete', '/:tid/thumbs', [...middlewares, middleware.checkRequired.bind(null, ['path'])], controllers.write.topics.deleteThumb);