fix: regression caused by 77ab46686d

Access checks were added for topic GET route, but occasionally a post_uuid is passed in, which is available to everyone, and so checks should be skipped
4 years ago · f5fcd232f6
parent 4fb907875e
commit f5fcd232f6
1 changed files with 8 additions and 2 deletions
--- a/src/controllers/write/topics.js
+++ b/src/controllers/write/topics.js
@ -104,8 +104,14 @@ Topics.deleteTags = async (req, res) => {
 };

 Topics.getThumbs = async (req, res) => {
-	if (!await privileges.topics.can('topics:read', req.params.tid, req.uid)) {
-		return helpers.formatApiResponse(403, res);
+	if (isFinite(req.params.tid)) {	// post_uuids can be passed in occasionally, in that case no checks are necessary
+		const [exists, canRead] = await Promise.all([
+			topics.exists(req.params.tid),
+			privileges.topics.can('topics:read', req.params.tid, req.uid),
+		]);
+		if (!exists || !canRead) {
+			return helpers.formatApiResponse(403, res);
+		}
 	}

 	helpers.formatApiResponse(200, res, await topics.thumbs.get(req.params.tid));