From d85ad10d345ff4d2236aaff9c8aa111209409a4f Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Mon, 18 Jan 2021 15:47:15 -0500
Subject: [PATCH] fix: restored sanity checks for post move socket calls

---
 src/socket.io/posts/move.js | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/socket.io/posts/move.js b/src/socket.io/posts/move.js
index d802454b97..9424d73a06 100644
--- a/src/socket.io/posts/move.js
+++ b/src/socket.io/posts/move.js
@@ -4,13 +4,27 @@ const api = require('../../api');
 const sockets = require('..');
 
 module.exports = function (SocketPosts) {
+	function moveChecks(socket, typeCheck, data) {
+		if (!socket.uid) {
+			throw new Error('[[error:not-logged-in]]');
+		}
+
+		if (!data || !typeCheck || !data.tid) {
+			throw new Error('[[error:invalid-data]]');
+		}
+	}
+
 	SocketPosts.movePost = async function (socket, data) {
 		sockets.warnDeprecated(socket, 'PUT /api/v3/posts/:pid/move');
+
+		moveChecks(socket, isFinite(data.pid), data);
 		await api.posts.move(socket, data);
 	};
 
 	SocketPosts.movePosts = async function (socket, data) {
 		sockets.warnDeprecated(socket, 'PUT /api/v3/posts/:pid/move');
+
+		moveChecks(socket, !Array.isArray(data.pids), data);
 		await Promise.all(data.pids.map(async pid => api.posts.move(socket, {
 			tid: data.tid,
 			pid,