hyperzlib
/
nodebb
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: #8139, dont allow restore if not deleted by self

Browse Source
v1.18.x
Barış Soner Uşaklı 5 years ago
parent 9969dd6335
commit 8c48f94b96
3 changed files with 21 additions and 2 deletions
Show Stats Download Patch File Download Diff File

5
src/privileges/topics.js
Unescape Escape View File

@ -116,7 +116,7 @@ module.exports = function (privileges) {
}; };
privileges.topics.canDelete = async function (tid, uid) { privileges.topics.canDelete = async function (tid, uid) {
const topicData = await topics.getTopicFields(tid, ['cid', 'postcount']); const topicData = await topics.getTopicFields(tid, ['uid', 'cid', 'postcount', 'deleterUid']);
const [isModerator, isAdministrator, isOwner, allowedTo] = await Promise.all([ const [isModerator, isAdministrator, isOwner, allowedTo] = await Promise.all([
user.isModerator(uid, topicData.cid), user.isModerator(uid, topicData.cid),
user.isAdministrator(uid), user.isAdministrator(uid),
@ -136,7 +136,8 @@ module.exports = function (privileges) {
throw new Error(langKey); throw new Error(langKey);
} }
return allowedTo[0] && (isOwner || isModerator); const deleterUid = topicData.deleterUid;
return allowedTo[0] && ((isOwner && (deleterUid === 0 || deleterUid === topicData.uid)) || isModerator);
}; };
privileges.topics.canEdit = async function (tid, uid) { privileges.topics.canEdit = async function (tid, uid) {

1
src/topics/data.js
Unescape Escape View File

@ -11,6 +11,7 @@ const intFields = [
'tid', 'cid', 'uid', 'mainPid', 'postcount', 'tid', 'cid', 'uid', 'mainPid', 'postcount',
'viewcount', 'deleted', 'locked', 'pinned', 'viewcount', 'deleted', 'locked', 'pinned',
'timestamp', 'upvotes', 'downvotes', 'lastposttime', 'timestamp', 'upvotes', 'downvotes', 'lastposttime',
'deleterUid',
]; ];
module.exports = function (Topics) { module.exports = function (Topics) {

17
test/topics.js
Unescape Escape View File

@ -23,9 +23,11 @@ describe('Topic\'s', function () {
var categoryObj; var categoryObj;
var adminUid; var adminUid;
var adminJar; var adminJar;
var fooUid;
before(async function () { before(async function () {
adminUid = await User.create({ username: 'admin', password: '123456' }); adminUid = await User.create({ username: 'admin', password: '123456' });
fooUid = await User.create({ username: 'foo' });
await groups.join('administrators', adminUid); await groups.join('administrators', adminUid);
adminJar = await helpers.loginUser('admin', '123456'); adminJar = await helpers.loginUser('admin', '123456');
@ -572,6 +574,21 @@ describe('Topic\'s', function () {
}); });
}); });
}); });
it('should not allow user to restore their topic if it was deleted by an admin', async function () {
const result = await topics.post({
uid: fooUid,
title: 'topic for restore test',
content: 'topic content',
cid: categoryObj.cid,
});
await socketTopics.delete({ uid: adminUid }, { tids: [result.topicData.tid], cid: categoryObj.cid });
try {
await socketTopics.restore({ uid: fooUid }, { tids: [result.topicData.tid], cid: categoryObj.cid });
} catch (err) {
assert.strictEqual(err.message, '[[error:no-privileges]]');
}
});
}); });
describe('order pinned topics', function () { describe('order pinned topics', function () {

Write Preview
Loading…
Cancel
Save