Merge branch 'master' of https://github.com/designcreateplay/NodeBB

11 years ago · a18e366493
parent 12e95df068 a078f73e84
commit a18e366493
3 changed files with 73 additions and 25 deletions
--- a/src/routes/api.js
+++ b/src/routes/api.js
@ -7,6 +7,7 @@ var path = require('path'),
 	groups = require('../groups'),
 	auth = require('./authentication'),
 	topics = require('../topics'),
+	ThreadTools = require('../threadTools'),
 	posts = require('../posts'),
 	categories = require('../categories'),
 	categoryTools = require('../categoryTools')
@ -120,6 +121,8 @@ var path = require('path'),

 			app.get('/topic/:id/:slug?', function (req, res, next) {
 				var uid = (req.user) ? req.user.uid : 0;
+				ThreadTools.privileges(req.params.id, uid, function(err, privileges) {
+					if (privileges.read) {
 						topics.getTopicWithPosts(req.params.id, uid, 0, 10, false, function (err, data) {
 							if (!err) {
 								if (parseInt(data.deleted, 10) === 1 && parseInt(data.expose_tools, 10) === 0) {
@ -136,6 +139,10 @@ var path = require('path'),
 								})
 							} else next();
 						});
+					} else {
+						res.send(403);
+					}
+				});
 			});

 			app.get('/category/:id/:slug?', function (req, res, next) {
--- a/src/topics.js
+++ b/src/topics.js
@ -262,11 +262,22 @@ var async = require('async'),
 				return;
 			}

+			// Filter out topics that belong to categories that this user cannot access
+			async.filter(tids, function(tid, next) {
+				threadTools.privileges(tid, current_user, function(err, privileges) {
+					if (!err && privileges.read) {
+						next(true);
+					} else {
+						next(false);
+					}
+				});
+			}, function(tids) {
 				Topics.getTopicsByTids(tids, current_user, function(topicData) {
 					latestTopics.topics = topicData;
 					callback(err, latestTopics);
 				});
 			});
+		});
 	}

 	Topics.getTotalUnread = function(uid, callback) {
@ -342,6 +353,16 @@ var async = require('async'),
 							return parseInt(read[index], 10) === 0;
 						});

+						// Filter out topics that belong to categories that this user cannot access
+						async.filter(newtids, function(tid, next) {
+							threadTools.privileges(tid, uid, function(err, privileges) {
+								if (!err && privileges.read) {
+									next(true);
+								} else {
+									next(false);
+								}
+							});
+						}, function(newtids) {
 							unreadTids.push.apply(unreadTids, newtids);

 							if(continueCondition()) {
@ -351,6 +372,7 @@ var async = require('async'),

 							callback(null);
 						});
+					});
 				}
 			});
 		}, function(err) {
--- a/src/webserver.js
+++ b/src/webserver.js
@ -18,6 +18,7 @@ var path = require('path'),
 	categories = require('./categories'),
 	posts = require('./posts'),
 	topics = require('./topics'),
+	ThreadTools = require('./threadTools'),
 	notifications = require('./notifications'),
 	admin = require('./routes/admin'),
 	userRoute = require('./routes/user'),
@ -484,6 +485,20 @@ var path = require('path'),
 			}

 			async.waterfall([
+				function(next) {
+					// Check whether this user is allowed to access this topic
+					ThreadTools.privileges(tid, ((req.user) ? req.user.uid : 0), function(err, privileges) {
+						if (!err) {
+							if (!privileges.read) {
+								next(new Error('not-enough-privileges'));
+							} else {
+								next();
+							}
+						} else {
+							next(err);
+						}
+					});
+				},
 				function (next) {
 					topics.getTopicWithPosts(tid, ((req.user) ? req.user.uid : 0), 0, -1, true, function (err, topicData) {
 						if (topicData) {
@ -558,8 +573,12 @@ var path = require('path'),
 				},
 			], function (err, data) {
 				if (err) {
+					if (err.message === 'not-enough-privileges') {
+						return res.redirect('403');
+					} else {
 						return res.redirect('404');
 					}
+				}

 				var topic_url = tid + (req.params.slug ? '/' + req.params.slug : '');