closes #6557

7 years ago · 9e90d1ea5d
parent 4293403451
commit 9e90d1ea5d
2 changed files with 25 additions and 9 deletions
--- a/src/privileges/posts.js
+++ b/src/privileges/posts.js
@ -32,6 +32,7 @@ module.exports = function (privileges) {
 					'topics:read': async.apply(helpers.isUserAllowedTo, 'topics:read', uid, cids),
 					read: async.apply(helpers.isUserAllowedTo, 'read', uid, cids),
 					'posts:edit': async.apply(helpers.isUserAllowedTo, 'posts:edit', uid, cids),
 					'posts:history': async.apply(helpers.isUserAllowedTo, 'posts:history', uid, cids),
 					'posts:view_deleted': async.apply(helpers.isUserAllowedTo, 'posts:view_deleted', uid, cids),
 				}, next);
 			},
@ -39,7 +40,8 @@ module.exports = function (privileges) {
 				var privileges = pids.map(function (pid, i) {
 					var isAdminOrMod = results.isAdmin || results.isModerator[i];
 					var editable = isAdminOrMod || (results.isOwner[i] && results['posts:edit'][i]);
-					var viewDeletedPosts = isAdminOrMod || (results.isOwner[i] && results['posts:view_deleted'][i]);
+					var viewDeletedPosts = isAdminOrMod || results.isOwner[i] || results['posts:view_deleted'][i];
 					var viewHistory = isAdminOrMod || results.isOwner[i] || results['posts:history'][i];
 					return {
 						editable: editable,
@ -48,6 +50,7 @@ module.exports = function (privileges) {
 						isAdminOrMod: isAdminOrMod,
 						'topics:read': results['topics:read'][i] || isAdminOrMod,
 						read: results.read[i] || isAdminOrMod,
 						'posts:history': viewHistory,
 						'posts:view_deleted': viewDeletedPosts,
 					};
 				});
--- a/src/socket.io/posts/diffs.js
+++ b/src/socket.io/posts/diffs.js
@ -7,11 +7,7 @@ var privileges = require('../../privileges');
 module.exports = function (SocketPosts) {
 	SocketPosts.getDiffs = function (socket, data, callback) {
 		async.waterfall([
-			function (next) {
+			async.apply(privilegeCheck, data.pid, socket.uid),
 				privileges.posts.can('posts:history', data.pid, socket.uid, function (err, allowed) {
 					next(err || allowed ? null : new Error('[[error:no-privileges]]'));
 				});
 			},
 			function (next) {
 				posts.diffs.list(data.pid, next);
 			},
@ -23,12 +19,29 @@ module.exports = function (SocketPosts) {
 	};
 	SocketPosts.showPostAt = function (socket, data, callback) {
-		privileges.posts.can('posts:history', data.pid, socket.uid, function (err, allowed) {
+		privilegeCheck(data.pid, socket.uid, function (err) {
-			if (err || !allowed) {
+			if (err) {
-				return callback(err || new Error('[[error:no-privileges]]'));
+				return callback(err);
 			}
 			posts.diffs.load(data.pid, data.since, socket.uid, callback);
 		});
 	};
 	function privilegeCheck(pid, uid, callback) {
 		async.parallel({
 			deleted: async.apply(posts.getPostField, pid, 'deleted'),
 			privileges: async.apply(privileges.posts.get, [pid], uid),
 		}, function (err, payload) {
 			if (err) {
 				return callback(err);
 			}
 			payload.deleted = parseInt(payload.deleted, 10);
 			payload.privileges = payload.privileges[0];
 			const allowed = payload.privileges['posts:history'] && (payload.deleted ? payload.privileges['posts:view_deleted'] : true);
 			callback(!allowed ? new Error('[[error:no-privileges]]') : null);
 		});
 	}
 };