closes #5872

8 years ago · c21f64c27f
parent 24bbf8fe00
commit c21f64c27f
2 changed files with 35 additions and 4 deletions
--- a/src/controllers/posts.js
+++ b/src/controllers/posts.js
@ -3,6 +3,7 @@
 var async = require('async');

 var posts = require('../posts');
+var privileges = require('../privileges');
 var helpers = require('./helpers');

 var postsController = module.exports;
@ -15,13 +16,23 @@ postsController.redirectToPost = function (req, res, next) {

 	async.waterfall([
 		function (next) {
-			posts.generatePostPath(pid, req.uid, next);
+			async.parallel({
+				canRead: function (next) {
+					privileges.posts.can('read', pid, req.uid, next);
+				},
+				path: function (next) {
+					posts.generatePostPath(pid, req.uid, next);
+				},
+			}, next);
 		},
-		function (path, next) {
-			if (!path) {
+		function (results, next) {
+			if (!results.canRead) {
+				return helpers.notAllowed(req, res);
+			}
+			if (!results.path) {
 				return next();
 			}
-			helpers.redirect(res, path);
+			helpers.redirect(res, results.path);
 		},
 	], next);
 };
--- a/test/controllers.js
+++ b/test/controllers.js
@ -1232,6 +1232,15 @@ describe('Controllers', function () {
 	});

 	describe('post redirect', function () {
+		var jar;
+		before(function (done) {
+			helpers.loginUser('foo', 'barbar', function (err, _jar) {
+				assert.ifError(err);
+				jar = _jar;
+				done();
+			});
+		});
+
 		it('should 404 for invalid pid', function (done) {
 			request(nconf.get('url') + '/api/post/fail', function (err, res) {
 				assert.ifError(err);
@ -1240,6 +1249,17 @@ describe('Controllers', function () {
 			});
 		});

+		it('should 403 if user does not have read privilege', function (done) {
+			privileges.categories.rescind(['read'], category.cid, 'registered-users', function (err) {
+				assert.ifError(err);
+				request(nconf.get('url') + '/api/post/' + pid, { jar: jar }, function (err, res) {
+					assert.ifError(err);
+					assert.equal(res.statusCode, 403);
+					privileges.categories.give(['read'], category.cid, 'registered-users', done);
+				});
+			});
+		});
+
 		it('should return correct post path', function (done) {
 			request(nconf.get('url') + '/api/post/' + pid, { json: true }, function (err, res, body) {
 				assert.ifError(err);