Baris Soner Usakli 11 years ago
commit a18e366493

@ -7,6 +7,7 @@ var path = require('path'),
groups = require('../groups'), groups = require('../groups'),
auth = require('./authentication'), auth = require('./authentication'),
topics = require('../topics'), topics = require('../topics'),
ThreadTools = require('../threadTools'),
posts = require('../posts'), posts = require('../posts'),
categories = require('../categories'), categories = require('../categories'),
categoryTools = require('../categoryTools') categoryTools = require('../categoryTools')
@ -120,21 +121,27 @@ var path = require('path'),
app.get('/topic/:id/:slug?', function (req, res, next) { app.get('/topic/:id/:slug?', function (req, res, next) {
var uid = (req.user) ? req.user.uid : 0; var uid = (req.user) ? req.user.uid : 0;
topics.getTopicWithPosts(req.params.id, uid, 0, 10, false, function (err, data) { ThreadTools.privileges(req.params.id, uid, function(err, privileges) {
if (!err) { if (privileges.read) {
if (parseInt(data.deleted, 10) === 1 && parseInt(data.expose_tools, 10) === 0) { topics.getTopicWithPosts(req.params.id, uid, 0, 10, false, function (err, data) {
return res.json(404, {}); if (!err) {
} if (parseInt(data.deleted, 10) === 1 && parseInt(data.expose_tools, 10) === 0) {
// get the category this post belongs to and check category access return res.json(404, {});
var cid = data.category_slug.split("/")[0]; }
groups.getCategoryAccess(cid, uid, function(err, access){ // get the category this post belongs to and check category access
if (access){ var cid = data.category_slug.split("/")[0];
res.json(data); groups.getCategoryAccess(cid, uid, function(err, access){
} else { if (access){
res.send(403); res.json(data);
} } else {
}) res.send(403);
} else next(); }
})
} else next();
});
} else {
res.send(403);
}
}); });
}); });
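Review bot: The new `if (privileges.read)` test in the API topic route ignores the `err` argument of the ThreadTools.privileges callback; when the lookup fails, `privileges` is presumably not an object and the handler throws inside the callback instead of sending a response. The other call sites in this commit guard with `if (!err && privileges.read)`; using the same guard here keeps the check fail-closed and the route consistent: `if (!err && privileges.read) {` with the existing `res.send(403)` branch covering both the denied and the error case. The route handler's surrounding code begins outside the hunk.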

@ -262,9 +262,20 @@ var async = require('async'),
return; return;
} }
Topics.getTopicsByTids(tids, current_user, function(topicData) { // Filter out topics that belong to categories that this user cannot access
latestTopics.topics = topicData; async.filter(tids, function(tid, next) {
callback(err, latestTopics); threadTools.privileges(tid, current_user, function(err, privileges) {
if (!err && privileges.read) {
next(true);
} else {
next(false);
}
});
}, function(tids) {
Topics.getTopicsByTids(tids, current_user, function(topicData) {
latestTopics.topics = topicData;
callback(err, latestTopics);
});
}); });
}); });
} }
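Review bot: In the async.filter over tids, an error from threadTools.privileges is folded into `next(false)`, so a failing lookup silently removes the topic from the list; failing closed is the right default, but nothing distinguishes a denied read from a lookup failure, and an outage in the privileges check would present as an empty latest-topics list. A short comment and a log line before `next(false)` would make that deliberate, e.g. `// lookup failure is treated as no access`. The same pattern appears in the unread-topics filter in the following hunk. Note also that this is one privileges lookup per tid per request; the enclosing function starts outside the hunk, so the size of tids cannot be judged here.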
@ -342,14 +353,25 @@ var async = require('async'),
return parseInt(read[index], 10) === 0; return parseInt(read[index], 10) === 0;
}); });
unreadTids.push.apply(unreadTids, newtids); // Filter out topics that belong to categories that this user cannot access
async.filter(newtids, function(tid, next) {
threadTools.privileges(tid, uid, function(err, privileges) {
if (!err && privileges.read) {
next(true);
} else {
next(false);
}
});
}, function(newtids) {
unreadTids.push.apply(unreadTids, newtids);
if(continueCondition()) { if(continueCondition()) {
start = stop + 1; start = stop + 1;
stop = start + 19; stop = start + 19;
} }
callback(null); callback(null);
});
}); });
} }
}); });

@ -18,6 +18,7 @@ var path = require('path'),
categories = require('./categories'), categories = require('./categories'),
posts = require('./posts'), posts = require('./posts'),
topics = require('./topics'), topics = require('./topics'),
ThreadTools = require('./threadTools'),
notifications = require('./notifications'), notifications = require('./notifications'),
admin = require('./routes/admin'), admin = require('./routes/admin'),
userRoute = require('./routes/user'), userRoute = require('./routes/user'),
@ -484,6 +485,20 @@ var path = require('path'),
} }
async.waterfall([ async.waterfall([
function(next) {
// Check whether this user is allowed to access this topic
ThreadTools.privileges(tid, ((req.user) ? req.user.uid : 0), function(err, privileges) {
if (!err) {
if (!privileges.read) {
next(new Error('not-enough-privileges'));
} else {
next();
}
} else {
next(err);
}
});
},
function (next) { function (next) {
topics.getTopicWithPosts(tid, ((req.user) ? req.user.uid : 0), 0, -1, true, function (err, topicData) { topics.getTopicWithPosts(tid, ((req.user) ? req.user.uid : 0), 0, -1, true, function (err, topicData) {
if (topicData) { if (topicData) {
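Review bot: The new waterfall step signals a denied read with `next(new Error('not-enough-privileges'))`, and the final handler in the later hunk recognises it only by comparing `err.message` to the same bare string; that couples two places by a literal that nothing enforces. Attaching a property to the error makes the contract explicit and survives message edits, e.g. `var err = new Error('not-enough-privileges'); err.code = 403; next(err);` with the final handler testing `err.code === 403`. Any other error from the lookup still falls through to the 404 redirect, which keeps the route fail-closed. The waterfall and the surrounding route handler extend beyond this hunk.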
@ -558,7 +573,11 @@ var path = require('path'),
}, },
], function (err, data) { ], function (err, data) {
if (err) { if (err) {
return res.redirect('404'); if (err.message === 'not-enough-privileges') {
return res.redirect('403');
} else {
return res.redirect('404');
}
} }
var topic_url = tid + (req.params.slug ? '/' + req.params.slug : ''); var topic_url = tid + (req.params.slug ? '/' + req.params.slug : '');
