topics in private categories can no longer be accessed via ajaxify or by

direct link
11 years ago · 8385ceef79
parent 83cc8f3ba8
commit 8385ceef79
2 changed files with 42 additions and 16 deletions
--- a/src/routes/api.js
+++ b/src/routes/api.js
@ -7,6 +7,7 @@ var path = require('path'),
 	groups = require('../groups'),
 	auth = require('./authentication'),
 	topics = require('../topics'),
+	ThreadTools = require('../threadTools'),
 	posts = require('../posts'),
 	categories = require('../categories'),
 	categoryTools = require('../categoryTools')
@ -120,21 +121,27 @@ var path = require('path'),

 			app.get('/topic/:id/:slug?', function (req, res, next) {
 				var uid = (req.user) ? req.user.uid : 0;
-				topics.getTopicWithPosts(req.params.id, uid, 0, 10, false, function (err, data) {
-					if (!err) {
-						if (parseInt(data.deleted, 10) === 1 && parseInt(data.expose_tools, 10) === 0) {
-							return res.json(404, {});
-						}
-						// get the category this post belongs to and check category access
-						var cid = data.category_slug.split("/")[0];
-						groups.getCategoryAccess(cid, uid, function(err, access){
-							if (access){
-								res.json(data);
-							} else {
-								res.send(403);
-							}
-						})
-					} else next();
+				ThreadTools.privileges(req.params.id, uid, function(err, privileges) {
+					if (privileges.read) {
+						topics.getTopicWithPosts(req.params.id, uid, 0, 10, false, function (err, data) {
+							if (!err) {
+								if (parseInt(data.deleted, 10) === 1 && parseInt(data.expose_tools, 10) === 0) {
+									return res.json(404, {});
+								}
+								// get the category this post belongs to and check category access
+								var cid = data.category_slug.split("/")[0];
+								groups.getCategoryAccess(cid, uid, function(err, access){
+									if (access){
+										res.json(data);
+									} else {
+										res.send(403);
+									}
+								})
+							} else next();
+						});
+					} else {
+						res.send(403);
+					}
 				});
 			});

--- a/src/webserver.js
+++ b/src/webserver.js
@ -18,6 +18,7 @@ var path = require('path'),
 	categories = require('./categories'),
 	posts = require('./posts'),
 	topics = require('./topics'),
+	ThreadTools = require('./threadTools'),
 	notifications = require('./notifications'),
 	admin = require('./routes/admin'),
 	userRoute = require('./routes/user'),
@ -484,6 +485,20 @@ var path = require('path'),
 			}

 			async.waterfall([
+				function(next) {
+					// Check whether this user is allowed to access this topic
+					ThreadTools.privileges(tid, ((req.user) ? req.user.uid : 0), function(err, privileges) {
+						if (!err) {
+							if (!privileges.read) {
+								next(new Error('not-enough-privileges'));
+							} else {
+								next();
+							}
+						} else {
+							next(err);
+						}
+					});
+				},
 				function (next) {
 					topics.getTopicWithPosts(tid, ((req.user) ? req.user.uid : 0), 0, -1, true, function (err, topicData) {
 						if (topicData) {
@ -558,7 +573,11 @@ var path = require('path'),
 				},
 			], function (err, data) {
 				if (err) {
-					return res.redirect('404');
+					if (err.message === 'not-enough-privileges') {
+						return res.redirect('403');
+					} else {
+						return res.redirect('404');
+					}
 				}

 				var topic_url = tid + (req.params.slug ? '/' + req.params.slug : '');