Merge branch 'master' of https://github.com/designcreateplay/NodeBB

11 years ago · a18e366493
parent 12e95df068 a078f73e84
commit a18e366493
3 changed files with 73 additions and 25 deletions
--- a/src/routes/api.js
+++ b/src/routes/api.js
@ -7,6 +7,7 @@ var path = require('path'),
 	groups = require('../groups'),
 	auth = require('./authentication'),
 	topics = require('../topics'),
+	ThreadTools = require('../threadTools'),
 	posts = require('../posts'),
 	categories = require('../categories'),
 	categoryTools = require('../categoryTools')
@ -120,21 +121,27 @@ var path = require('path'),

 			app.get('/topic/:id/:slug?', function (req, res, next) {
 				var uid = (req.user) ? req.user.uid : 0;
-				topics.getTopicWithPosts(req.params.id, uid, 0, 10, false, function (err, data) {
-					if (!err) {
-						if (parseInt(data.deleted, 10) === 1 && parseInt(data.expose_tools, 10) === 0) {
-							return res.json(404, {});
-						}
-						// get the category this post belongs to and check category access
-						var cid = data.category_slug.split("/")[0];
-						groups.getCategoryAccess(cid, uid, function(err, access){
-							if (access){
-								res.json(data);
-							} else {
-								res.send(403);
-							}
-						})
-					} else next();
+				ThreadTools.privileges(req.params.id, uid, function(err, privileges) {
+					if (privileges.read) {
+						topics.getTopicWithPosts(req.params.id, uid, 0, 10, false, function (err, data) {
+							if (!err) {
+								if (parseInt(data.deleted, 10) === 1 && parseInt(data.expose_tools, 10) === 0) {
+									return res.json(404, {});
+								}
+								// get the category this post belongs to and check category access
+								var cid = data.category_slug.split("/")[0];
+								groups.getCategoryAccess(cid, uid, function(err, access){
+									if (access){
+										res.json(data);
+									} else {
+										res.send(403);
+									}
+								})
+							} else next();
+						});
+					} else {
+						res.send(403);
+					}
 				});
 			});

--- a/src/topics.js
+++ b/src/topics.js
@ -262,9 +262,20 @@ var async = require('async'),
 				return;
 			}

-			Topics.getTopicsByTids(tids, current_user, function(topicData) {
-				latestTopics.topics = topicData;
-				callback(err, latestTopics);
+			// Filter out topics that belong to categories that this user cannot access
+			async.filter(tids, function(tid, next) {
+				threadTools.privileges(tid, current_user, function(err, privileges) {
+					if (!err && privileges.read) {
+						next(true);
+					} else {
+						next(false);
+					}
+				});
+			}, function(tids) {
+				Topics.getTopicsByTids(tids, current_user, function(topicData) {
+					latestTopics.topics = topicData;
+					callback(err, latestTopics);
+				});
 			});
 		});
 	}
@ -342,14 +353,25 @@ var async = require('async'),
 							return parseInt(read[index], 10) === 0;
 						});

-						unreadTids.push.apply(unreadTids, newtids);
+						// Filter out topics that belong to categories that this user cannot access
+						async.filter(newtids, function(tid, next) {
+							threadTools.privileges(tid, uid, function(err, privileges) {
+								if (!err && privileges.read) {
+									next(true);
+								} else {
+									next(false);
+								}
+							});
+						}, function(newtids) {
+							unreadTids.push.apply(unreadTids, newtids);

-						if(continueCondition()) {
-							start = stop + 1;
-							stop = start + 19;
-						}
+							if(continueCondition()) {
+								start = stop + 1;
+								stop = start + 19;
+							}

-						callback(null);
+							callback(null);
+						});
 					});
 				}
 			});
--- a/src/webserver.js
+++ b/src/webserver.js
@ -18,6 +18,7 @@ var path = require('path'),
 	categories = require('./categories'),
 	posts = require('./posts'),
 	topics = require('./topics'),
+	ThreadTools = require('./threadTools'),
 	notifications = require('./notifications'),
 	admin = require('./routes/admin'),
 	userRoute = require('./routes/user'),
@ -484,6 +485,20 @@ var path = require('path'),
 			}

 			async.waterfall([
+				function(next) {
+					// Check whether this user is allowed to access this topic
+					ThreadTools.privileges(tid, ((req.user) ? req.user.uid : 0), function(err, privileges) {
+						if (!err) {
+							if (!privileges.read) {
+								next(new Error('not-enough-privileges'));
+							} else {
+								next();
+							}
+						} else {
+							next(err);
+						}
+					});
+				},
 				function (next) {
 					topics.getTopicWithPosts(tid, ((req.user) ? req.user.uid : 0), 0, -1, true, function (err, topicData) {
 						if (topicData) {
@ -558,7 +573,11 @@ var path = require('path'),
 				},
 			], function (err, data) {
 				if (err) {
-					return res.redirect('404');
+					if (err.message === 'not-enough-privileges') {
+						return res.redirect('403');
+					} else {
+						return res.redirect('404');
+					}
 				}

 				var topic_url = tid + (req.params.slug ? '/' + req.params.slug : '');