From f5fcd232f6cfba2684ef0aa512d0f3f045459c8c Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Sun, 17 Jan 2021 15:43:21 -0500
Subject: [PATCH] fix: regression caused by 77ab46686db62871f149419a368c35628453884e

Access checks were added for topic GET route, but occasionally a post_uuid is passed in, which is available to everyone, and so checks should be skipped
---
 src/controllers/write/topics.js | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/controllers/write/topics.js b/src/controllers/write/topics.js
index 5c1ae175cf..5696f51a07 100644
--- a/src/controllers/write/topics.js
+++ b/src/controllers/write/topics.js
@@ -104,8 +104,14 @@ Topics.deleteTags = async (req, res) => {
 };
 Topics.getThumbs = async (req, res) => {
- if (!await privileges.topics.can('topics:read', req.params.tid, req.uid)) {
- return helpers.formatApiResponse(403, res);
+ if (isFinite(req.params.tid)) { // post_uuids can be passed in occasionally, in that case no checks are necessary
+ const [exists, canRead] = await Promise.all([
+ topics.exists(req.params.tid),
+ privileges.topics.can('topics:read', req.params.tid, req.uid),
+ ]);
+ if (!exists || !canRead) {
+ return helpers.formatApiResponse(403, res);
+ }
 }
 helpers.formatApiResponse(200, res, await topics.thumbs.get(req.params.tid));