Merge remote-tracking branch 'refs/remotes/origin/master' into develop

8 years ago · fc0e5421d6
parent 27a6b8a713 7ab152e582
commit fc0e5421d6
6 changed files with 60 additions and 8 deletions
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
@ -15,7 +15,7 @@ If you are writing contributions as part of employment from another company / in

 # Having problems installing NodeBB?

-Chances are somebody has run into this problem before. After consulting our [documentation](https://docs.nodebb.org/en/latest/installing/os.html), please head over to our [community support forum](https://community.nodebb.org) for advice.
+Chances are somebody has run into this problem before. After consulting our [documentation](https://docs.nodebb.org/installing/os/), please head over to our [community support forum](https://community.nodebb.org) for advice.

 # Found a Security Vulnerability?

--- a/2
+++ b/2
@ -40,7 +40,7 @@ try {
 	process.stdout.write(
 		'\x1b[31mNodeBB could not be initialised because there was an error while loading dependencies.\n' +
 		'Please run "\x1b[33mnpm install --production\x1b[31m" and try again.\x1b[0m\n\n' +
-		'For more information, please see: https://docs.nodebb.org/en/latest/installing/os.html\n\n'
+		'For more information, please see: https://docs.nodebb.org/installing/os/\n\n'
 	);

 	throw e;
--- a/src/controllers/posts.js
+++ b/src/controllers/posts.js
@ -3,6 +3,7 @@
 var async = require('async');

 var posts = require('../posts');
+var privileges = require('../privileges');
 var helpers = require('./helpers');

 var postsController = module.exports;
@ -15,13 +16,23 @@ postsController.redirectToPost = function (req, res, next) {

 	async.waterfall([
 		function (next) {
-			posts.generatePostPath(pid, req.uid, next);
+			async.parallel({
+				canRead: function (next) {
+					privileges.posts.can('read', pid, req.uid, next);
+				},
+				path: function (next) {
+					posts.generatePostPath(pid, req.uid, next);
+				},
+			}, next);
 		},
-		function (path, next) {
-			if (!path) {
+		function (results, next) {
+			if (!results.canRead) {
+				return helpers.notAllowed(req, res);
+			}
+			if (!results.path) {
 				return next();
 			}
-			helpers.redirect(res, path);
+			helpers.redirect(res, results.path);
 		},
 	], next);
 };
--- a/src/groups/membership.js
+++ b/src/groups/membership.js
@ -251,6 +251,9 @@ module.exports = function (Groups) {
 					next();
 				}
 			},
+			function (next) {
+				clearGroupTitleIfSet(groupName, uid, next);
+			},
 			function (next) {
 				plugins.fireHook('action:group.leave', {
 					groupName: groupName,
@ -261,6 +264,24 @@ module.exports = function (Groups) {
 		], callback);
 	};

+	function clearGroupTitleIfSet(groupName, uid, callback) {
+		if (groupName === 'registered-users' || Groups.isPrivilegeGroup(groupName)) {
+			return callback();
+		}
+		async.waterfall([
+			function (next) {
+				db.getObjectField('user:' + uid, 'groupTitle', next);
+			},
+			function (groupTitle, next) {
+				if (groupTitle === groupName) {
+					db.deleteObjectField('user:' + uid, 'groupTitle', next);
+				} else {
+					next();
+				}
+			},
+		], callback);
+	}
+
 	Groups.leaveAllGroups = function (uid, callback) {
 		async.waterfall([
 			function (next) {
--- a/src/views/admin/partials/groups/memberlist.tpl
+++ b/src/views/admin/partials/groups/memberlist.tpl
@ -5,7 +5,7 @@

 <table component="groups/members" class="table table-striped table-hover" data-nextstart="{group.membersNextStart}">
 	<tbody>
-	<!-- BEGIN members -->
+	<!-- BEGIN group.members -->
 	<tr data-uid="{group.members.uid}">
 		<td>
 			<a href="{config.relative_path}/user/{group.members.userslug}">
@ -32,6 +32,6 @@
 			<!-- ENDIF group.isOwner -->
 		</td>
 	</tr>
-	<!-- END members -->
+	<!-- END group.members -->
 	</tbody>
 </table>
--- a/test/controllers.js
+++ b/test/controllers.js
@ -1233,6 +1233,15 @@ describe('Controllers', function () {
 	});

 	describe('post redirect', function () {
+		var jar;
+		before(function (done) {
+			helpers.loginUser('foo', 'barbar', function (err, _jar) {
+				assert.ifError(err);
+				jar = _jar;
+				done();
+			});
+		});
+
 		it('should 404 for invalid pid', function (done) {
 			request(nconf.get('url') + '/api/post/fail', function (err, res) {
 				assert.ifError(err);
@ -1241,6 +1250,17 @@ describe('Controllers', function () {
 			});
 		});

+		it('should 403 if user does not have read privilege', function (done) {
+			privileges.categories.rescind(['read'], category.cid, 'registered-users', function (err) {
+				assert.ifError(err);
+				request(nconf.get('url') + '/api/post/' + pid, { jar: jar }, function (err, res) {
+					assert.ifError(err);
+					assert.equal(res.statusCode, 403);
+					privileges.categories.give(['read'], category.cid, 'registered-users', done);
+				});
+			});
+		});
+
 		it('should return correct post path', function (done) {
 			request(nconf.get('url') + '/api/post/' + pid, { json: true }, function (err, res, body) {
 				assert.ifError(err);