fix: checking correct permissions for user search (#8371)

* fix: checking correct permissions for user search * fix: missing permissions porperty in openapi /api/search
5 years ago · f6b92d241a
parent c1d8b9bb5a
commit f6b92d241a
2 changed files with 18 additions and 1 deletions
--- a/public/openapi/read.yaml
+++ b/public/openapi/read.yaml
@ -4542,6 +4542,13 @@ paths:
                        type: string
                      searchDefaultSortBy:
                        type: string
                      permissions:
                        type: object
                        properties:
                          users:
                            type: boolean
                          content:
                            type: boolean
                    required:
                      - posts
                      - matchCount
@ -4556,6 +4563,7 @@ paths:
                      - showAsTopics
                      - title
                      - searchDefaultSortBy
                      - permissions
                  - $ref: components/schemas/Pagination.yaml#/Pagination
                  - $ref: components/schemas/Breadcrumbs.yaml#/Breadcrumbs
                  - $ref: components/schemas/CommonProps.yaml#/CommonProps
--- a/src/controllers/search.js
+++ b/src/controllers/search.js
@ -9,6 +9,7 @@ const search = require('../search');
 const categories = require('../categories');
 const pagination = require('../pagination');
 const privileges = require('../privileges');
 const utils = require('../utils');
 const helpers = require('./helpers');
 const searchController = module.exports;
@ -21,7 +22,13 @@ searchController.search = async function (req, res, next) {
 	const searchOnly = parseInt(req.query.searchOnly, 10) === 1;
-	const allowed = await privileges.global.can('search:content', req.uid);
+	const permissions = await utils.promiseParallel({
 		users: privileges.global.can('search:users', req.uid),
 		content: privileges.global.can('search:content', req.uid),
 	});
 	const allowed = (req.query.in === 'users') ? permissions.users : permissions.content;
 	if (!allowed) {
 		return helpers.notAllowed(req, res);
 	}
@ -77,6 +84,8 @@ searchController.search = async function (req, res, next) {
 	searchData.title = '[[global:header.search]]';
 	searchData.searchDefaultSortBy = meta.config.searchDefaultSortBy || '';
 	searchData.permissions = permissions;
 	res.render('search', searchData);
 };