From f23bc347b12381e101afde59c3b786bd86a49f27 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Mon, 10 Feb 2020 13:20:10 -0500
Subject: [PATCH] fix: #8156 dont allow loading members from hidden groups
---
 src/controllers/groups.js | 10 +++++-----
 src/socket.io/groups.js | 12 ++++++++++++
 2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/src/controllers/groups.js b/src/controllers/groups.js
index d618cbf858..46ac7fa784 100644
--- a/src/controllers/groups.js
+++ b/src/controllers/groups.js
@@ -33,14 +33,16 @@ groupsController.details = async function (req, res, next) {
  if (!groupName) {
  return next();
  }
- const [exists, isHidden] = await Promise.all([
+ const [exists, isHidden, isAdmin, isGlobalMod] = await Promise.all([
  groups.exists(groupName),
  groups.isHidden(groupName),
+ user.isAdministrator(req.uid),
+ user.isGlobalModerator(req.uid),
  ]);
  if (!exists) {
  return next();
  }
- if (isHidden) {
+ if (isHidden && !isAdmin && !isGlobalMod) {
  const [isMember, isInvited] = await Promise.all([
  groups.isMember(req.uid, groupName),
  groups.isInvited(req.uid, groupName),
@@ -49,15 +51,13 @@ groupsController.details = async function (req, res, next) {
  return next();
  }
  }
- const [groupData, posts, isAdmin, isGlobalMod] = await Promise.all([
+ const [groupData, posts] = await Promise.all([
  groups.get(groupName, {
  uid: req.uid,
  truncateUserList: true,
  userListCount: 20,
  }),
  groups.getLatestMemberPosts(groupName, 10, req.uid),
- user.isAdministrator(req.uid),
- user.isGlobalModerator(req.uid),
  ]);
  if (!groupData) {
  return next();
diff --git a/src/socket.io/groups.js b/src/socket.io/groups.js
index 7b8e383a85..bc8e6b0933 100644
--- a/src/socket.io/groups.js
+++ b/src/socket.io/groups.js
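Review bot: In `groupsController.details` the hidden-group rule admits members, invitees, administrators and global moderators, but the copy of that rule added to `SocketGroups.loadMoreMembers` in src/socket.io/groups.js checks only `groups.isMember`, so the two entry points disagree about invited users. An invitee can open the group page, which is loaded with `userListCount: 20`, and is then refused with `[[error:no-privileges]]` when paging further. If that is not intended, add `groups.isInvited(socket.uid, data.groupName)` to the socket check, or better, move the rule into one shared helper that both files call so it cannot drift. If it is intended, a comment such as `// invitees may view the group page but not page through the member list` would record the decision. The body of `details` starts before and continues after these hunks.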
@@ -342,6 +342,18 @@ SocketGroups.loadMoreMembers = async (socket, data) => {
  if (!data.groupName || !utils.isNumber(data.after) || parseInt(data.after, 10) < 0) {
  throw new Error('[[error:invalid-data]]');
  }
+ const [isHidden, isAdmin, isGlobalMod] = await Promise.all([
+ groups.isHidden(data.groupName),
+ user.isAdministrator(socket.uid),
+ user.isGlobalModerator(socket.uid),
+ ]);
+ if (isHidden && !isAdmin && !isGlobalMod) {
+ const isMember = await groups.isMember(socket.uid, data.groupName);
+ if (!isMember) {
+ throw new Error('[[error:no-privileges]]');
+ }
+ }
+
  data.after = parseInt(data.after, 10);
  const users = await user.getUsersFromSet('group:' + data.groupName + ':members', socket.uid, data.after, data.after + 9);
  return {
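Review bot: The new check in `SocketGroups.loadMoreMembers` answers a non-member with `[[error:no-privileges]]` only when the group is hidden, and no `groups.exists` check is visible here, so the reply for a hidden group presumably differs from the reply for a name that does not exist; the controller avoids that by returning `next()` in both cases. Giving both cases the same response would keep hidden group names from being confirmed through this handler. Separately, `data.groupName` is only tested for truthiness before it is passed to `groups.isHidden`, `groups.isMember` and the `'group:' + data.groupName + ':members'` key, so adding `typeof data.groupName !== 'string' ||` to the validation line would guarantee all three see the same string. The function continues past the end of this hunk.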