From 8e275df803dbdbfed9afd0e3c75a3ac8c3bbbdcb Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Fri, 4 May 2018 12:39:00 -0400
Subject: [PATCH] closes #6487
---
 install/package.json | 4 ++--
 public/language/en-GB/error.json | 5 ++++-
 public/src/client/account/blocks.js | 7 ++++++-
 src/socket.io/user/profile.js | 9 +++++++++
 src/user/blocks.js | 15 ++++++++++++---
 5 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/install/package.json b/install/package.json
index 32bae82082..1d650a6c15 100644
--- a/install/package.json
+++ b/install/package.json
@@ -74,9 +74,9 @@
 "nodebb-plugin-spam-be-gone": "0.5.3",
 "nodebb-rewards-essentials": "0.0.11",
 "nodebb-theme-lavender": "5.0.4",
- "nodebb-theme-persona": "9.0.3",
+ "nodebb-theme-persona": "9.0.4",
 "nodebb-theme-slick": "1.2.1",
- "nodebb-theme-vanilla": "10.0.3",
+ "nodebb-theme-vanilla": "10.0.4",
 "nodebb-widget-essentials": "4.0.2",
 "nodemailer": "4.4.1",
 "passport": "^0.4.0",
diff --git a/public/language/en-GB/error.json b/public/language/en-GB/error.json
index 1a3803cc14..cb4ed098ac 100644
--- a/public/language/en-GB/error.json
+++ b/public/language/en-GB/error.json
@@ -177,5 +177,8 @@
 "invalid-session-text": "It looks like your login session is no longer active, or no longer matches with the server. Please refresh this page.",
 "no-topics-selected": "No topics selected!",
- "cant-move-to-same-topic": "Can't move post to same topic!"
+ "cant-move-to-same-topic": "Can't move post to same topic!",
+
+ "cannot-block-self": "You cannot block yourself!",
+ "cannot-block-privileged": "You cannot block administrators or global moderators"
 }
diff --git a/public/src/client/account/blocks.js b/public/src/client/account/blocks.js
index de6ba1e731..f6ef1154d0 100644
--- a/public/src/client/account/blocks.js
+++ b/public/src/client/account/blocks.js
@@ -22,11 +22,16 @@ define('forum/account/blocks', ['forum/account/header', 'autocomplete'], functio
 });
 };
- Blocks.refreshList = function () {
+ Blocks.refreshList = function (err) {
+ if (err) {
+ return app.alertError(err.message);
+ }
+
 $.get(config.relative_path + '/api/' + ajaxify.currentPage)
 .done(function (payload) {
 app.parseAndTranslate('account/blocks', 'users', payload, function (html) {
 $('#users-container').html(html);
+ $('#users-container').siblings('div.alert')[html.length ? 'hide' : 'show']();
 });
 })
 .fail(function () {
diff --git a/src/socket.io/user/profile.js b/src/socket.io/user/profile.js
index b14f12bc1e..d025b223a2 100644
--- a/src/socket.io/user/profile.js
+++ b/src/socket.io/user/profile.js
@@ -203,6 +203,15 @@ module.exports = function (SocketUser) {
 SocketUser.toggleBlock = function (socket, data, callback) {
 async.waterfall([
+ function (next) {
+ user.blocks.can(data.uid, function (err, can) {
+ if (err || !can) {
+ return next(err || new Error('[[error:cannot-block-privileged]]'));
+ }
+
+ next();
+ });
+ },
 async.apply(user.blocks.is, data.uid, socket.uid),
 function (is, next) {
 user.blocks[is ? 'remove' : 'add'](data.uid, socket.uid, next);
diff --git a/src/user/blocks.js b/src/user/blocks.js
index 51fe2f0d8f..5fd8977874 100644
--- a/src/user/blocks.js
+++ b/src/user/blocks.js
@@ -19,6 +19,11 @@ module.exports = function (User) {
 });
 };
+ User.blocks.can = function (uid, callback) {
+ // Administrators and global moderators cannot be blocked
+ User.isAdminOrGlobalMod(uid, (err, can) => callback(err, !can));
+ };
+
 User.blocks.list = function (uid, callback) {
 if (User.blocks._cache.has(uid)) {
 return setImmediate(callback, null, User.blocks._cache.get(uid));
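Review bot: The empty-state toggle in the `parseAndTranslate` callback keys off `html.length`, and what `html` is (a string or a jQuery collection) is not visible in this hunk; if whitespace or text nodes from the template count towards that length, the alert stays hidden for an empty list. Deciding from the data is less fragile and also removes the computed method name: `$('#users-container').siblings('div.alert').toggle(!payload.users.length);`, assuming the `'users'` block name maps to `payload.users`. The `.fail` handler continues outside the hunk.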
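Review bot: The new first waterfall step in `SocketUser.toggleBlock` runs `user.blocks.can` before `user.blocks.is`, so it gates the `remove` branch as well: a user who blocked someone later promoted to administrator or global moderator gets `[[error:cannot-block-privileged]]` when trying to unblock them. The privilege check should run only when `is` is false, as sketched below. `data` also comes straight from the socket client and `data.uid` is dereferenced without a guard, so a missing payload should be rejected before the waterfall is built. Because the rule lives only in this handler, any other caller of `User.blocks.add` skips it; `User.blocks.applyChecks` in src/user/blocks.js (for `block === true`) may be the better home. The second step's closing lines and the rest of the waterfall are outside the hunk.

```javascript
SocketUser.toggleBlock = function (socket, data, callback) {
	if (!data || !data.uid) {
		return callback(new Error('[[error:invalid-data]]'));
	}

	async.waterfall([
		async.apply(user.blocks.is, data.uid, socket.uid),
		function (is, next) {
			if (is) {
				// Unblocking stays possible even if the target has since become privileged
				return user.blocks.remove(data.uid, socket.uid, next);
			}

			user.blocks.can(data.uid, function (err, can) {
				if (err || !can) {
					return next(err || new Error('[[error:cannot-block-privileged]]'));
				}

				user.blocks.add(data.uid, socket.uid, next);
			});
		},
		// … unchanged: rest of the waterfall …
```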
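Review bot: `User.blocks.can` fails open on error: when `User.isAdminOrGlobalMod` reports an error its second argument is presumably undefined, and `!can` turns that into `true`, so a caller that looks only at the result would allow the block. The callback parameter is also named `can` while it actually holds the opposite, the privileged flag. `User.isAdminOrGlobalMod(uid, (err, isPrivileged) => callback(err, err ? false : !isPrivileged));` keeps the result `false` on failure and names the value for what it is. A short doc comment saying that the function answers "may this uid be blocked?" and what it passes to the callback would help callers.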
@@ -37,7 +42,7 @@ module.exports = function (User) {
 User.blocks.add = function (targetUid, uid, callback) {
 async.waterfall([
- async.apply(this.stateCheck, true, targetUid, uid),
+ async.apply(this.applyChecks, true, targetUid, uid),
 async.apply(db.sortedSetAdd.bind(db), 'uid:' + uid + ':blocked_uids', Date.now(), targetUid),
 async.apply(User.incrementUserFieldBy, uid, 'blocksCount', 1),
 function (_blank, next) {
@@ -50,7 +55,7 @@ module.exports = function (User) {
 User.blocks.remove = function (targetUid, uid, callback) {
 async.waterfall([
- async.apply(this.stateCheck, false, targetUid, uid),
+ async.apply(this.applyChecks, false, targetUid, uid),
 async.apply(db.sortedSetRemove.bind(db), 'uid:' + uid + ':blocked_uids', targetUid),
 async.apply(User.decrementUserFieldBy, uid, 'blocksCount', 1),
 function (_blank, next) {
@@ -61,7 +66,11 @@ module.exports = function (User) {
 ], callback);
 };
- User.blocks.stateCheck = function (block, targetUid, uid, callback) {
+ User.blocks.applyChecks = function (block, targetUid, uid, callback) {
+ if (parseInt(targetUid, 10) === parseInt(uid, 10)) {
+ return setImmediate(callback, new Error('[[error:cannot-block-self]]'));
+ }
+
 User.blocks.is(targetUid, uid, function (err, is) {
 callback(err || (is === block ? new Error('[[error:already-' + (block ? 'blocked' : 'unblocked') + ']]') : null));
 });
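Review bot: The self-block guard in `User.blocks.applyChecks` compares two `parseInt` results, and `NaN === NaN` is false, so a non-numeric `targetUid` passes the guard and, unless `User.blocks.is` rejects it, reaches `db.sortedSetAdd` and the `blocksCount` increment in `User.blocks.add`. Since `targetUid` originates from the socket payload (`data.uid` in src/socket.io/user/profile.js), anything that is not a positive integer should be rejected first, e.g. `if (!(parseInt(targetUid, 10) > 0)) { return setImmediate(callback, new Error('[[error:invalid-uid]]')); }`. Whether the uid must also refer to an existing user cannot be judged from this hunk. The function's closing lines are outside the hunk.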