From eaf9d2e44ad07769e5aa51480b899ccae44c1a69 Mon Sep 17 00:00:00 2001
From: gasoved <gasoved@gmail.com>
Date: Tue, 2 Feb 2021 14:52:24 +0300
Subject: [PATCH] fix: include admins, limit to category mods, correct
 privilege name

---
 src/api/posts.js | 22 +++++++++-------------
 1 file changed, 9 insertions(+), 13 deletions(-)

diff --git a/src/api/posts.js b/src/api/posts.js
index 40026d8a23..3801c2598b 100644
--- a/src/api/posts.js
+++ b/src/api/posts.js
@@ -261,16 +261,10 @@ postsAPI.getDiffs = async (caller, data) => {
 	usernames = usernames.map(userObj => (userObj.uid ? userObj.username : null));
 
 	const cid = await posts.getCidByPid(data.pid);
-	const isModerator = await privileges.users.isModerator(cid, caller.uid);
-
-	let canEdit = true;
-	try {
-		if (!isModerator) {
-			await user.isPrivilegedOrSelf(caller.uid, post.uid);
-		}
-	} catch (e) {
-		canEdit = false;
-	}
+	const [isAdmin, isModerator] = await Promise.all([
+		user.isAdministrator(caller.uid),
+		privileges.users.isModerator(caller.uid, cid),
+	]);
 
 	timestamps.push(post.timestamp);
 
@@ -280,8 +274,10 @@ postsAPI.getDiffs = async (caller, data) => {
 			timestamp: timestamp,
 			username: usernames[idx],
 		})),
-		editable: canEdit,
-		deletable: isModerator,
+		// Only admins, global mods and moderator of that cid can delete a diff
+		deletable: isAdmin || isModerator,
+		// These and post owners can restore to a different post version
+		editable: isAdmin || isModerator || parseInt(caller.uid, 10) === parseInt(post.uid, 10),
 	};
 };
 
@@ -292,7 +288,7 @@ postsAPI.loadDiff = async (caller, data) => {
 
 postsAPI.restoreDiff = async (caller, data) => {
 	const cid = await posts.getCidByPid(data.pid);
-	const canEdit = await privileges.categories.can('edit', cid, caller.uid);
+	const canEdit = await privileges.categories.can('posts:edit', cid, caller.uid);
 	if (!canEdit) {
 		throw new Error('[[error:no-privileges]]');
 	}