From c21f64c27fa390891d8b2db9bd845e6c4b82e765 Mon Sep 17 00:00:00 2001
From: Baris Usakli
Date: Fri, 11 Aug 2017 14:22:02 -0400
Subject: [PATCH] closes #5872
---
 src/controllers/posts.js | 19 +++++++++++++++----
 test/controllers.js | 20 ++++++++++++++++++++
 2 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/src/controllers/posts.js b/src/controllers/posts.js
index 8afb3f5729..4f906fb0ba 100644
--- a/src/controllers/posts.js
+++ b/src/controllers/posts.js
@@ -3,6 +3,7 @@
 var async = require('async');
 var posts = require('../posts');
+var privileges = require('../privileges');
 var helpers = require('./helpers');
 var postsController = module.exports;
@@ -15,13 +16,23 @@ postsController.redirectToPost = function (req, res, next) {
 async.waterfall([
 function (next) {
- posts.generatePostPath(pid, req.uid, next);
+ async.parallel({
+ canRead: function (next) {
+ privileges.posts.can('read', pid, req.uid, next);
+ },
+ path: function (next) {
+ posts.generatePostPath(pid, req.uid, next);
+ },
+ }, next);
 },
- function (path, next) {
- if (!path) {
+ function (results, next) {
+ if (!results.canRead) {
+ return helpers.notAllowed(req, res);
+ }
+ if (!results.path) {
 return next();
 }
- helpers.redirect(res, path);
+ helpers.redirect(res, results.path);
 },
 ], next);
 };
diff --git a/test/controllers.js b/test/controllers.js
index af8dcd51f1..bd18d879fa 100644
--- a/test/controllers.js
+++ b/test/controllers.js
@@ -1232,6 +1232,15 @@ describe('Controllers', function () {
 });
 describe('post redirect', function () {
+ var jar;
+ before(function (done) {
+ helpers.loginUser('foo', 'barbar', function (err, _jar) {
+ assert.ifError(err);
+ jar = _jar;
+ done();
+ });
+ });
+
 it('should 404 for invalid pid', function (done) {
 request(nconf.get('url') + '/api/post/fail', function (err, res) {
 assert.ifError(err);
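Review bot: The order of the two checks in the new second waterfall step decides what an unauthorised caller can learn: `results.canRead` is tested before `results.path`, so a numeric pid that resolves to no post answers via `helpers.notAllowed` instead of falling through to `next()` whenever `privileges.posts.can` reports false for an unknown pid — that helper is not visible here, so this is inferred. A uniform 403 is the safer outcome because it does not reveal whether a post exists behind a restricted category, but nothing in the hunk records that the order is deliberate; a comment above the check such as `// privilege first: an unreadable pid and a missing pid must look the same to the caller` would protect it from a later reorder. Separately, the parallel task callbacks are named `next` inside a step whose own callback is `next`, inside a handler whose Express callback is also `next`; naming the task callbacks `cb` (two lines) would make the error routing readable. redirectToPost's opening lines, presumably where `pid` is assigned, are outside this hunk.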
@@ -1240,6 +1249,17 @@ describe('Controllers', function () {
 });
 });
+ it('should 403 if user does not have read privilege', function (done) {
+ privileges.categories.rescind(['read'], category.cid, 'registered-users', function (err) {
+ assert.ifError(err);
+ request(nconf.get('url') + '/api/post/' + pid, { jar: jar }, function (err, res) {
+ assert.ifError(err);
+ assert.equal(res.statusCode, 403);
+ privileges.categories.give(['read'], category.cid, 'registered-users', done);
+ });
+ });
+ });
+
 it('should return correct post path', function (done) {
 request(nconf.get('url') + '/api/post/' + pid, { json: true }, function (err, res, body) {
 assert.ifError(err);
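Review bot: The new 403 test only restores the rescinded `read` privilege after both `assert.ifError(err)` and `assert.equal(res.statusCode, 403)` have passed, so any failure there leaves `registered-users` without `read` on `category.cid` for every test that runs afterwards in this file, and the resulting cascade would hide the real cause. Calling `privileges.categories.give` unconditionally in the request callback and asserting inside its callback restores the fixture before the outcome is judged; the inner `err` parameter also shadows the outer one, so the rewrite renames it. The `it` block is fully contained in this hunk.
```javascript
// … unchanged: privileges.categories.rescind(['read'], …) wrapper …
request(nconf.get('url') + '/api/post/' + pid, { jar: jar }, function (reqErr, res) {
    // restore first so a failing assertion cannot leave 'read' rescinded for later tests
    privileges.categories.give(['read'], category.cid, 'registered-users', function (giveErr) {
        assert.ifError(reqErr);
        assert.ifError(giveErr);
        assert.equal(res.statusCode, 403);
        done();
    });
});
```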