From dc592853fc6689a2a1050a3c9ced70a40430c9da Mon Sep 17 00:00:00 2001
From: Baris Soner Usakli
Date: Thu, 6 Feb 2014 14:27:37 -0500
Subject: [PATCH] closes #942

---
 src/webserver.js | 70 ++++++++++++++++++++++++++++++------------------
 1 file changed, 44 insertions(+), 26 deletions(-)

diff --git a/src/webserver.js b/src/webserver.js
index 8e1381c4ef..d1e9174d67 100644
--- a/src/webserver.js
+++ b/src/webserver.js
@@ -514,7 +514,7 @@ module.exports.server = server;
 });
 });
- app.get('/topic/:topic_id/:slug?', function (req, res) {
+ app.get('/topic/:topic_id/:slug?', function (req, res, next) {
 var tid = req.params.topic_id;
 if (tid.match(/^\d+\.rss$/)) {
@@ -531,24 +531,33 @@ module.exports.server = server;
 };
- if (!fs.existsSync(rssPath)) {
- feed.updateTopic(tid, function (err) {
- if (err) {
- res.redirect('/404');
- } else {
- loadFeed();
- }
- });
- } else {
- loadFeed();
- }
+ ThreadTools.privileges(tid, ((req.user) ? req.user.uid || 0 : 0), function(err, privileges) {
+ if(err) {
+ return next(err);
+ }
+
+ if(!privileges.read) {
+ return res.redirect('403');
+ }
+
+ if (!fs.existsSync(rssPath)) {
+ feed.updateTopic(tid, function (err) {
+ if (err) {
+ res.redirect('/404');
+ } else {
+ loadFeed();
+ }
+ });
+ } else {
+ loadFeed();
+ }
+ });
 return;
 }
 async.waterfall([
 function(next) {
- // Check whether this user is allowed to access this topic
 ThreadTools.privileges(tid, ((req.user) ? req.user.uid || 0 : 0), function(err, privileges) {
 if (!err) {
 if (!privileges.read) {
@@ -687,7 +696,7 @@ module.exports.server = server;
 });
 });
- app.get('/category/:category_id/:slug?', function (req, res) {
+ app.get('/category/:category_id/:slug?', function (req, res, next) {
 var cid = req.params.category_id;
 if (cid.match(/^\d+\.rss$/)) {
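Review bot: `return res.redirect('403');` in the new privileges callback omits the leading slash that the `'/404'` redirect a few lines below in the same block carries; a mount-relative path like this only works if the framework rewrites it (Express 3 resolves it against the app mount point, whereas a bare `Location: 403` header is resolved by the client against `/topic/<id>.rss`), so it should read `return res.redirect('/403');`. The identical line appears in the category hunk at `@@ -704,24 +713,33 @@`. The hunk also does not show whether `tid` still carries its `.rss` suffix when it is passed to `ThreadTools.privileges(tid, …)`; if it does, the read-privilege lookup runs on a non-numeric id, which is worth confirming against the lines just above the hunk. The enclosing `app.get('/topic/...')` handler starts before this hunk and continues past it.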
@@ -704,24 +713,33 @@ module.exports.server = server;
 };
- if (!fs.existsSync(rssPath)) {
- feed.updateCategory(cid, function (err) {
- if (err) {
- res.redirect('/404');
- } else {
- loadFeed();
- }
- });
- } else {
- loadFeed();
- }
+ CategoryTools.privileges(cid, ((req.user) ? req.user.uid || 0 : 0), function(err, privileges) {
+ if(err) {
+ return next(err);
+ }
+
+ if(!privileges.read) {
+ return res.redirect('403');
+ }
+
+ if (!fs.existsSync(rssPath)) {
+ feed.updateCategory(cid, function (err) {
+ if (err) {
+ res.redirect('/404');
+ } else {
+ loadFeed();
+ }
+ });
+ } else {
+ loadFeed();
+ }
+ });
 return;
 }
 async.waterfall([
 function(next) {
- // Check whether this user is allowed to access this category
 CategoryTools.privileges(cid, ((req.user) ? req.user.uid || 0 : 0), function(err, privileges) {
 if (!err) {
 if (!privileges.read) {
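Review bot: The privileges-then-feed block added here is a line-for-line copy of the one added to the topic route at `@@ -531,24 +531,33 @@`, differing only in `CategoryTools.privileges`/`feed.updateCategory` versus `ThreadTools.privileges`/`feed.updateTopic`, and the uid expression `((req.user) ? req.user.uid || 0 : 0)` is now repeated in four places in this file. Pulling the access check into one helper would keep the two cached-feed paths from drifting (the redirect target is the kind of detail that already differs from the surrounding `'/404'`). If `CategoryTools.privileges` depends on `this`, pass it bound rather than as a bare reference. The enclosing `app.get('/category/...')` handler starts before this hunk and continues past it.
```javascript
// sketch of a shared helper for the two rss branches (constructed; names are placeholders)
function withReadPrivilege(lookup, id, req, res, next, onAllowed) {
  lookup(id, ((req.user) ? req.user.uid || 0 : 0), function(err, privileges) {
    if (err) {
      return next(err);
    }
    if (!privileges.read) {
      return res.redirect('/403');
    }
    onAllowed();
  });
}

// in the /category route, in place of the added CategoryTools.privileges(...) block:
withReadPrivilege(CategoryTools.privileges, cid, req, res, next, function () {
  // … unchanged: existsSync / updateCategory / loadFeed …
});
```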