From 99dc3feeb2fb6475eca140a5d16987163d6c13c7 Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Thu, 7 Jun 2018 12:23:08 -0400
Subject: [PATCH] Edit history is now a category-level privilege

Closes #6425
---
 .../en-GB/admin/manage/privileges.json        |  1 +
 public/src/client/topic/postTools.js          |  2 +-
 src/categories/create.js                      |  1 +
 src/privileges.js                             |  2 ++
 src/privileges/topics.js                      |  3 ++-
 src/socket.io/posts/diffs.js                  | 14 +++++++++++-
 src/upgrades/1.10.0/post_history_privilege.js | 22 +++++++++++++++++++
 .../admin/partials/categories/privileges.tpl  |  4 ++--
 8 files changed, 44 insertions(+), 5 deletions(-)
 create mode 100644 src/upgrades/1.10.0/post_history_privilege.js

diff --git a/public/language/en-GB/admin/manage/privileges.json b/public/language/en-GB/admin/manage/privileges.json
index 7136ab1b32..7f8408b8ce 100644
--- a/public/language/en-GB/admin/manage/privileges.json
+++ b/public/language/en-GB/admin/manage/privileges.json
@@ -18,6 +18,7 @@
 	"reply-to-topics": "Reply to Topics",
 	"tag-topics": "Tag Topics",
 	"edit-posts": "Edit Posts",
+	"view-edit-history": "View Edit History",
 	"delete-posts": "Delete Posts",
 	"upvote-posts": "Upvote Posts",
 	"downvote-posts": "Downvote Posts",
diff --git a/public/src/client/topic/postTools.js b/public/src/client/topic/postTools.js
index 68ded070c9..8d460d7ae3 100644
--- a/public/src/client/topic/postTools.js
+++ b/public/src/client/topic/postTools.js
@@ -140,7 +140,7 @@ define('forum/topic/postTools', [
 			}
 		});
 
-		if (config.enablePostHistory) {
+		if (config.enablePostHistory && ajaxify.data.privileges['posts:history']) {
 			postContainer.on('click', '[component="post/view-history"], [component="post/edit-indicator"]', function () {
 				var btn = $(this);
 				diffs.open(getData(btn, 'data-pid'));
diff --git a/src/categories/create.js b/src/categories/create.js
index 7af9e5c5c3..1d6fc6c09f 100644
--- a/src/categories/create.js
+++ b/src/categories/create.js
@@ -60,6 +60,7 @@ module.exports = function (Categories) {
 					'topics:reply',
 					'topics:tag',
 					'posts:edit',
+					'posts:history',
 					'posts:delete',
 					'posts:upvote',
 					'posts:downvote',
diff --git a/src/privileges.js b/src/privileges.js
index 8ea2939bba..65c4aa75ae 100644
--- a/src/privileges.js
+++ b/src/privileges.js
@@ -10,6 +10,7 @@ privileges.privilegeLabels = [
 	{ name: '[[admin/manage/privileges:reply-to-topics]]' },
 	{ name: '[[admin/manage/privileges:tag-topics]]' },
 	{ name: '[[admin/manage/privileges:edit-posts]]' },
+	{ name: '[[admin/manage/privileges:view-edit-history]]' },
 	{ name: '[[admin/manage/privileges:delete-posts]]' },
 	{ name: '[[admin/manage/privileges:upvote-posts]]' },
 	{ name: '[[admin/manage/privileges:downvote-posts]]' },
@@ -26,6 +27,7 @@ privileges.userPrivilegeList = [
 	'topics:reply',
 	'topics:tag',
 	'posts:edit',
+	'posts:history',
 	'posts:delete',
 	'posts:upvote',
 	'posts:downvote',
diff --git a/src/privileges/topics.js b/src/privileges/topics.js
index 84e34954e5..1dc20cf03a 100644
--- a/src/privileges/topics.js
+++ b/src/privileges/topics.js
@@ -16,7 +16,7 @@ module.exports = function (privileges) {
 
 	privileges.topics.get = function (tid, uid, callback) {
 		var topic;
-		var privs = ['topics:reply', 'topics:read', 'topics:tag', 'topics:delete', 'posts:edit', 'posts:delete', 'read'];
+		var privs = ['topics:reply', 'topics:read', 'topics:tag', 'topics:delete', 'posts:edit', 'posts:history', 'posts:delete', 'read'];
 		async.waterfall([
 			async.apply(topics.getTopicFields, tid, ['cid', 'uid', 'locked', 'deleted']),
 			function (_topic, next) {
@@ -44,6 +44,7 @@ module.exports = function (privileges) {
 					'topics:tag': privData['topics:tag'] || isAdminOrMod,
 					'topics:delete': (isOwner && privData['topics:delete']) || isAdminOrMod,
 					'posts:edit': (privData['posts:edit'] && !locked) || isAdminOrMod,
+					'posts:history': privData['posts:history'] || isAdminOrMod,
 					'posts:delete': (privData['posts:delete'] && !locked) || isAdminOrMod,
 					read: privData.read || isAdminOrMod,
 					view_thread_tools: editable || deletable,
diff --git a/src/socket.io/posts/diffs.js b/src/socket.io/posts/diffs.js
index c8f7c72259..2070a338e1 100644
--- a/src/socket.io/posts/diffs.js
+++ b/src/socket.io/posts/diffs.js
@@ -2,10 +2,16 @@
 
 var async = require('async');
 var posts = require('../../posts');
+var privileges = require('../../privileges');
 
 module.exports = function (SocketPosts) {
 	SocketPosts.getDiffs = function (socket, data, callback) {
 		async.waterfall([
+			function (next) {
+				privileges.posts.can('posts:history', data.pid, socket.uid, function (err, allowed) {
+					next(err || allowed ? null : new Error('[[error:no-privileges]]'));
+				});
+			},
 			function (next) {
 				posts.diffs.list(data.pid, next);
 			},
@@ -17,6 +23,12 @@ module.exports = function (SocketPosts) {
 	};
 
 	SocketPosts.showPostAt = function (socket, data, callback) {
-		posts.diffs.load(data.pid, data.since, socket.uid, callback);
+		privileges.posts.can('posts:history', data.pid, socket.uid, function (err, allowed) {
+			if (err || !allowed) {
+				return callback(err || new Error('[[error:no-privileges]]'));
+			}
+
+			posts.diffs.load(data.pid, data.since, socket.uid, callback);
+		});
 	};
 };
diff --git a/src/upgrades/1.10.0/post_history_privilege.js b/src/upgrades/1.10.0/post_history_privilege.js
new file mode 100644
index 0000000000..da0511307b
--- /dev/null
+++ b/src/upgrades/1.10.0/post_history_privilege.js
@@ -0,0 +1,22 @@
+'use strict';
+
+
+var async = require('async');
+
+var privileges = require('../../privileges');
+var db = require('../../database');
+
+module.exports = {
+	name: 'Give post history viewing privilege to registered-users on all categories',
+	timestamp: Date.UTC(2018, 5, 7),
+	method: function (callback) {
+		db.getSortedSetRange('categories:cid', 0, -1, function (err, cids) {
+			if (err) {
+				return callback(err);
+			}
+			async.eachSeries(cids, function (cid, next) {
+				privileges.categories.give(['posts:history'], cid, 'registered-users', next);
+			}, callback);
+		});
+	},
+};
diff --git a/src/views/admin/partials/categories/privileges.tpl b/src/views/admin/partials/categories/privileges.tpl
index c5bfc3ec63..21512c75db 100644
--- a/src/views/admin/partials/categories/privileges.tpl
+++ b/src/views/admin/partials/categories/privileges.tpl
@@ -5,7 +5,7 @@
 								<th class="arrowed" colspan="3">
 									[[admin/manage/categories:privileges.section-viewing]]
 								</th>
-								<th class="arrowed" colspan="8">
+								<th class="arrowed" colspan="9">
 									[[admin/manage/categories:privileges.section-posting]]
 								</th>
 								<th class="arrowed" colspan="2">
@@ -61,7 +61,7 @@
 								<th class="arrowed" colspan="3">
 									[[admin/manage/categories:privileges.section-viewing]]
 								</th>
-								<th class="arrowed" colspan="8">
+								<th class="arrowed" colspan="9">
 									[[admin/manage/categories:privileges.section-posting]]
 								</th>
 								<th class="arrowed" colspan="2">