From 845c8013b6442ef31fa0476f1c8e2447c643f58f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
 <barisusakli@gmail.com>
Date: Mon, 6 Feb 2023 10:45:01 -0500
Subject: [PATCH 1/4] fix: #11259, clean old emails when updating via admin
 (#11260)

when admin is changing users emails check if its avaiable and remove old email of user first
upgrade script to cleanup email:uid, email:sorted, will remove entries if user doesn't exist or doesn't have email or if entry in user hash doesn't match entry in email:uid
fix missing ! in email interstitial
fix missing await in canSendValidation,
fix broken tests
dont pass sessionId to email.remove if admin is changing/removing email
---
 src/upgrades/2.8.7/fix-email-sorted-sets.js | 46 +++++++++++++++++++++
 src/user/email.js                           | 18 +++++++-
 src/user/interstitials.js                   | 11 +++--
 test/user/emails.js                         |  4 +-
 4 files changed, 72 insertions(+), 7 deletions(-)
 create mode 100644 src/upgrades/2.8.7/fix-email-sorted-sets.js

diff --git a/src/upgrades/2.8.7/fix-email-sorted-sets.js b/src/upgrades/2.8.7/fix-email-sorted-sets.js
new file mode 100644
index 0000000000..fcab69a8f4
--- /dev/null
+++ b/src/upgrades/2.8.7/fix-email-sorted-sets.js
@@ -0,0 +1,46 @@
+'use strict';
+
+
+const db = require('../../database');
+const batch = require('../../batch');
+
+
+module.exports = {
+	name: 'Fix user email sorted sets',
+	timestamp: Date.UTC(2023, 1, 4),
+	method: async function () {
+		const { progress } = this;
+		const bulkRemove = [];
+		await batch.processSortedSet('email:uid', async (data) => {
+			progress.incr(data.length);
+			const usersData = await db.getObjects(data.map(d => `user:${d.score}`));
+			data.forEach((emailData, index) => {
+				const { score: uid, value: email } = emailData;
+				const userData = usersData[index];
+				// user no longer exists or doesn't have email set in user hash
+				// remove the email/uid pair from email:uid, email:sorted
+				if (!userData || !userData.email) {
+					bulkRemove.push(['email:uid', email]);
+					bulkRemove.push(['email:sorted', `${email.toLowerCase()}:${uid}`]);
+					return;
+				}
+
+				// user has email but doesn't match whats stored in user hash, gh#11259
+				if (userData.email && userData.email.toLowerCase() !== email.toLowerCase()) {
+					bulkRemove.push(['email:uid', email]);
+					bulkRemove.push(['email:sorted', `${email.toLowerCase()}:${uid}`]);
+				}
+			});
+		}, {
+			batch: 500,
+			withScores: true,
+			progress: progress,
+		});
+
+		await batch.processArray(bulkRemove, async (bulk) => {
+			await db.sortedSetRemoveBulk(bulk);
+		}, {
+			batch: 500,
+		});
+	},
+};
diff --git a/src/user/email.js b/src/user/email.js
index 1ea8bd551e..c6fc3274d4 100644
--- a/src/user/email.js
+++ b/src/user/email.js
@@ -39,7 +39,7 @@ UserEmail.remove = async function (uid, sessionId) {
 		db.sortedSetRemove('email:uid', email.toLowerCase()),
 		db.sortedSetRemove('email:sorted', `${email.toLowerCase()}:${uid}`),
 		user.email.expireValidation(uid),
-		user.auth.revokeAllSessions(uid, sessionId),
+		sessionId ? user.auth.revokeAllSessions(uid, sessionId) : Promise.resolve(),
 		events.log({ type: 'email-change', email, newEmail: '' }),
 	]);
 };
@@ -69,7 +69,7 @@ UserEmail.expireValidation = async (uid) => {
 };
 
 UserEmail.canSendValidation = async (uid, email) => {
-	const pending = UserEmail.isValidationPending(uid, email);
+	const pending = await UserEmail.isValidationPending(uid, email);
 	if (!pending) {
 		return true;
 	}
@@ -196,6 +196,20 @@ UserEmail.confirmByUid = async function (uid) {
 		throw new Error('[[error:invalid-email]]');
 	}
 
+	// If another uid has the same email throw error
+	const oldUid = await db.sortedSetScore('email:uid', currentEmail.toLowerCase());
+	if (oldUid && oldUid !== parseInt(uid, 10)) {
+		throw new Error('[[error:email-taken]]');
+	}
+
+	const confirmedEmails = await db.getSortedSetRangeByScore(`email:uid`, 0, -1, uid, uid);
+	if (confirmedEmails.length) {
+		// remove old email of user by uid
+		await db.sortedSetsRemoveRangeByScore([`email:uid`], uid, uid);
+		await db.sortedSetRemoveBulk(
+			confirmedEmails.map(email => [`email:sorted`, `${email.toLowerCase()}:${uid}`])
+		);
+	}
 	await Promise.all([
 		db.sortedSetAddBulk([
 			['email:uid', uid, currentEmail.toLowerCase()],
diff --git a/src/user/interstitials.js b/src/user/interstitials.js
index 2a662785f9..aa70e8098f 100644
--- a/src/user/interstitials.js
+++ b/src/user/interstitials.js
@@ -42,6 +42,7 @@ Interstitials.email = async (data) => {
 		callback: async (userData, formData) => {
 			// Validate and send email confirmation
 			if (userData.uid) {
+				const isSelf = parseInt(userData.uid, 10) === parseInt(data.req.uid, 10);
 				const [isPasswordCorrect, canEdit, { email: current, 'email:confirmed': confirmed }, { allowed, error }] = await Promise.all([
 					user.isPasswordCorrect(userData.uid, formData.password, data.req.ip),
 					privileges.users.canEdit(data.req.uid, userData.uid),
@@ -68,13 +69,17 @@ Interstitials.email = async (data) => {
 					if (formData.email === current) {
 						if (confirmed) {
 							throw new Error('[[error:email-nochange]]');
-						} else if (await user.email.canSendValidation(userData.uid, current)) {
+						} else if (!await user.email.canSendValidation(userData.uid, current)) {
 							throw new Error(`[[error:confirm-email-already-sent, ${meta.config.emailConfirmInterval}]]`);
 						}
 					}
 
 					// Admins editing will auto-confirm, unless editing their own email
 					if (isAdminOrGlobalMod && userData.uid !== data.req.uid) {
+						if (!await user.email.available(formData.email)) {
+							throw new Error('[[error:email-taken]]');
+						}
+						await user.email.remove(userData.uid);
 						await user.setUserField(userData.uid, 'email', formData.email);
 						await user.email.confirmByUid(userData.uid);
 					} else if (canEdit) {
@@ -99,8 +104,8 @@ Interstitials.email = async (data) => {
 					}
 
 					if (current.length && (!hasPassword || (hasPassword && isPasswordCorrect) || isAdminOrGlobalMod)) {
-						// User explicitly clearing their email
-						await user.email.remove(userData.uid, data.req.session.id);
+						// User or admin explicitly clearing their email
+						await user.email.remove(userData.uid, isSelf ? data.req.session.id : null);
 					}
 				}
 			} else {
diff --git a/test/user/emails.js b/test/user/emails.js
index f413a51283..47d3fcb6d0 100644
--- a/test/user/emails.js
+++ b/test/user/emails.js
@@ -120,7 +120,7 @@ describe('email confirmation (library methods)', () => {
 			await user.email.sendValidationEmail(uid, {
 				email,
 			});
-			const ok = await user.email.canSendValidation(uid, 'test@example.com');
+			const ok = await user.email.canSendValidation(uid, email);
 
 			assert.strictEqual(ok, false);
 		});
@@ -131,7 +131,7 @@ describe('email confirmation (library methods)', () => {
 				email,
 			});
 			await db.pexpire(`confirm:byUid:${uid}`, 1000);
-			const ok = await user.email.canSendValidation(uid, 'test@example.com');
+			const ok = await user.email.canSendValidation(uid, email);
 
 			assert(ok);
 		});

From e335d0f6016c76575ed768d6c33130f8ff847b35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
 <barisusakli@gmail.com>
Date: Wed, 8 Feb 2023 13:22:16 -0500
Subject: [PATCH 2/4] fix: email expiry timestamps

emailConfirmExpiry is hours and default is 24
---
 src/user/email.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/user/email.js b/src/user/email.js
index c6fc3274d4..9b51b43ddd 100644
--- a/src/user/email.js
+++ b/src/user/email.js
@@ -134,13 +134,13 @@ UserEmail.sendValidationEmail = async function (uid, options) {
 
 	await UserEmail.expireValidation(uid);
 	await db.set(`confirm:byUid:${uid}`, confirm_code);
-	await db.pexpire(`confirm:byUid:${uid}`, emailConfirmExpiry * 24 * 60 * 60 * 1000);
+	await db.pexpire(`confirm:byUid:${uid}`, emailConfirmExpiry * 60 * 60 * 1000);
 
 	await db.setObject(`confirm:${confirm_code}`, {
 		email: options.email.toLowerCase(),
 		uid: uid,
 	});
-	await db.pexpire(`confirm:${confirm_code}`, emailConfirmExpiry * 24 * 60 * 60 * 1000);
+	await db.pexpire(`confirm:${confirm_code}`, emailConfirmExpiry * 60 * 60 * 1000);
 
 	winston.verbose(`[user/email] Validation email for uid ${uid} sent to ${options.email}`);
 	events.log({

From 326b92687fa5d2b68cc5f55275c565a43bf6a16e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
 <barisusakli@gmail.com>
Date: Wed, 8 Feb 2023 17:35:38 -0500
Subject: [PATCH 3/4] fix: show admins/globalmods if content is purged

---
 src/controllers/mods.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/controllers/mods.js b/src/controllers/mods.js
index 3656146652..760c119fbe 100644
--- a/src/controllers/mods.js
+++ b/src/controllers/mods.js
@@ -132,11 +132,11 @@ modsController.flags.detail = async function (req, res, next) {
 			uids = _.uniq(admins.concat(uids));
 		} else if (flagData.type === 'post') {
 			const cid = await posts.getCidByPid(flagData.targetId);
-			if (!cid) {
-				return [];
+			uids = _.uniq(admins.concat(globalMods));
+			if (cid) {
+				const modUids = (await privileges.categories.getUidsWithPrivilege([cid], 'moderate'))[0];
+				uids = _.uniq(uids.concat(modUids));
 			}
-			uids = (await privileges.categories.getUidsWithPrivilege([cid], 'moderate'))[0];
-			uids = _.uniq(admins.concat(globalMods).concat(uids));
 		}
 		const userData = await user.getUsersData(uids);
 		return userData.filter(u => u && u.userslug);

From 40e7b86da9b3eab82914ce557333eb257c4c43d3 Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Mon, 13 Feb 2023 11:44:40 -0500
Subject: [PATCH 4/4] docs: update openapi spec to include info about passing
 in timestamps for topic creation, removing timestamp as valid request param
 for topic replying

---
 public/openapi/write/topics.yaml     | 9 +++++++++
 public/openapi/write/topics/tid.yaml | 2 --
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/public/openapi/write/topics.yaml b/public/openapi/write/topics.yaml
index ba00cf0024..49cae076f9 100644
--- a/public/openapi/write/topics.yaml
+++ b/public/openapi/write/topics.yaml
@@ -19,6 +19,15 @@ post:
             content:
               type: string
               example: This is the test topic's content
+            timestamp:
+              type: number
+              description: |
+                A UNIX timestamp of the topic's creation date (i.e. when it will be posted).
+                Specifically, this value can only be set to a value in the future if the calling user has the `topics:schedule` privilege for the passed-in category.
+                Otherwise, the current date and time are always assumed.
+                In some scenarios (e.g. forum migrations), you may want to backdate topics and posts.
+                Please see [this Developer FAQ topic](https://community.nodebb.org/topic/16983/how-can-i-backdate-topics-and-posts-for-migration-purposes) for more information.
+              example: 556084800000
             tags:
               type: array
               items:
diff --git a/public/openapi/write/topics/tid.yaml b/public/openapi/write/topics/tid.yaml
index 8e68efe25a..4c1acab3d6 100644
--- a/public/openapi/write/topics/tid.yaml
+++ b/public/openapi/write/topics/tid.yaml
@@ -46,8 +46,6 @@ post:
             content:
               type: string
               example: This is a test reply
-            timestamp:
-              type: number
             toPid:
               type: number
           required: