From 8c48f94b9607ce04afbb0d6d8690bf2ffea5fdcb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Tue, 28 Jan 2020 13:03:58 -0500
Subject: [PATCH] fix: #8139, dont allow restore if not deleted by self
---
 src/privileges/topics.js | 5 +++--
 src/topics/data.js | 1 +
 test/topics.js | 17 +++++++++++++++++
 3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/src/privileges/topics.js b/src/privileges/topics.js
index ee1f6b5ea1..d4b34194ff 100644
--- a/src/privileges/topics.js
+++ b/src/privileges/topics.js
@@ -116,7 +116,7 @@ module.exports = function (privileges) {
 };
 privileges.topics.canDelete = async function (tid, uid) {
- const topicData = await topics.getTopicFields(tid, ['cid', 'postcount']);
+ const topicData = await topics.getTopicFields(tid, ['uid', 'cid', 'postcount', 'deleterUid']);
 const [isModerator, isAdministrator, isOwner, allowedTo] = await Promise.all([
 user.isModerator(uid, topicData.cid),
 user.isAdministrator(uid),
@@ -136,7 +136,8 @@ module.exports = function (privileges) {
 throw new Error(langKey);
 }
- return allowedTo[0] && (isOwner || isModerator);
+ const deleterUid = topicData.deleterUid;
+ return allowedTo[0] && ((isOwner && (deleterUid === 0 || deleterUid === topicData.uid)) || isModerator);
 };
 privileges.topics.canEdit = async function (tid, uid) {
diff --git a/src/topics/data.js b/src/topics/data.js
index 8ca113fbaf..44625c47f2 100644
--- a/src/topics/data.js
+++ b/src/topics/data.js
@@ -11,6 +11,7 @@ const intFields = [
 'tid', 'cid', 'uid', 'mainPid', 'postcount', 'viewcount', 'deleted', 'locked', 'pinned', 'timestamp', 'upvotes', 'downvotes', 'lastposttime',
+ 'deleterUid',
 ];
 module.exports = function (Topics) {
diff --git a/test/topics.js b/test/topics.js
index 00976ba3f3..c91395407b 100644
--- a/test/topics.js
+++ b/test/topics.js
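Review bot: In `privileges.topics.canDelete` (src/privileges/topics.js, second hunk), the new owner rule `deleterUid === 0 || deleterUid === topicData.uid` treats 0 as "not deleted", which only holds because the src/topics/data.js hunk adds `deleterUid` to `intFields`; nothing next to the check says so. A comment above the return would keep the authorization rule readable, for example `// Owner may act only if the topic is not deleted (deleterUid 0) or they deleted it themselves; moderators are not restricted.` The rule also presumably relies on `deleterUid` being cleared when a topic is restored, since otherwise an owner could no longer delete a topic that a moderator had deleted and restored; the restore path is not part of this diff, so that should be confirmed. The middle of the function, including how `isOwner` is computed, lies between the two hunks and is not shown.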
@@ -23,9 +23,11 @@ describe('Topic\'s', function () {
 var categoryObj;
 var adminUid;
 var adminJar;
+ var fooUid;
 before(async function () {
 adminUid = await User.create({ username: 'admin', password: '123456' });
+ fooUid = await User.create({ username: 'foo' });
 await groups.join('administrators', adminUid);
 adminJar = await helpers.loginUser('admin', '123456');
@@ -572,6 +574,21 @@ describe('Topic\'s', function () {
 });
 });
 });
+
+ it('should not allow user to restore their topic if it was deleted by an admin', async function () {
+ const result = await topics.post({
+ uid: fooUid,
+ title: 'topic for restore test',
+ content: 'topic content',
+ cid: categoryObj.cid,
+ });
+ await socketTopics.delete({ uid: adminUid }, { tids: [result.topicData.tid], cid: categoryObj.cid });
+ try {
+ await socketTopics.restore({ uid: fooUid }, { tids: [result.topicData.tid], cid: categoryObj.cid });
+ } catch (err) {
+ assert.strictEqual(err.message, '[[error:no-privileges]]');
+ }
+ });
 });
 describe('order pinned topics', function () {
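Review bot: The new test `should not allow user to restore their topic if it was deleted by an admin` (second hunk of test/topics.js) passes when `socketTopics.restore` does not throw, because its only assertion sits inside the `catch` block. As a regression test for a privilege check it should fail when the restore is allowed. Assuming `assert` in this file is Node's built-in module, the try/catch can be replaced with `await assert.rejects(socketTopics.restore({ uid: fooUid }, { tids: [result.topicData.tid], cid: categoryObj.cid }), { message: '[[error:no-privileges]]' });`. If it is not already covered elsewhere in the file, a companion case where the owner deletes and then restores their own topic would exercise the other branch of the new rule.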