From c21f64c27fa390891d8b2db9bd845e6c4b82e765 Mon Sep 17 00:00:00 2001
From: Baris Usakli
Date: Fri, 11 Aug 2017 14:22:02 -0400
Subject: [PATCH 1/5] closes #5872
---
 src/controllers/posts.js | 19 +++++++++++++++----
 test/controllers.js | 20 ++++++++++++++++++++
 2 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/src/controllers/posts.js b/src/controllers/posts.js
index 8afb3f5729..4f906fb0ba 100644
--- a/src/controllers/posts.js
+++ b/src/controllers/posts.js
@@ -3,6 +3,7 @@ var async = require('async');
 var posts = require('../posts');
+var privileges = require('../privileges');
 var helpers = require('./helpers');
 var postsController = module.exports;
@@ -15,13 +16,23 @@ postsController.redirectToPost = function (req, res, next) {
 async.waterfall([
 function (next) {
- posts.generatePostPath(pid, req.uid, next);
+ async.parallel({
+ canRead: function (next) {
+ privileges.posts.can('read', pid, req.uid, next);
+ },
+ path: function (next) {
+ posts.generatePostPath(pid, req.uid, next);
+ },
+ }, next);
 },
- function (path, next) {
- if (!path) {
+ function (results, next) {
+ if (!results.canRead) {
+ return helpers.notAllowed(req, res);
+ }
+ if (!results.path) {
 return next();
 }
- helpers.redirect(res, path);
+ helpers.redirect(res, results.path);
 },
 ], next);
 };
diff --git a/test/controllers.js b/test/controllers.js
index af8dcd51f1..bd18d879fa 100644
--- a/test/controllers.js
+++ b/test/controllers.js
@@ -1232,6 +1232,15 @@ describe('Controllers', function () {
 });
 describe('post redirect', function () {
+ var jar;
+ before(function (done) {
+ helpers.loginUser('foo', 'barbar', function (err, _jar) {
+ assert.ifError(err);
+ jar = _jar;
+ done();
+ });
+ });
+
 it('should 404 for invalid pid', function (done) {
 request(nconf.get('url') + '/api/post/fail', function (err, res) {
 assert.ifError(err);
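Review bot: In the second waterfall step of `redirectToPost` in src/controllers/posts.js, an unreadable post answers 403 through `helpers.notAllowed` while a missing path falls through to `next()`, so the two outcomes may reveal whether a pid exists inside a category the caller cannot read; what `privileges.posts.can('read', …)` yields for a pid that has no post is not visible here. The tests in this patch cover a non-numeric pid and a rescinded `read` privilege but not a numeric pid with no post, and a test pinning that case would settle which status is intended. A comment above the check would record the ordering, e.g. `// Check read privilege before redirecting so a post in a restricted category never yields its path.` The opening lines of the function, where `pid` is set, are outside the hunk.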
@@ -1240,6 +1249,17 @@ describe('Controllers', function () {
 });
 });
+ it('should 403 if user does not have read privilege', function (done) {
+ privileges.categories.rescind(['read'], category.cid, 'registered-users', function (err) {
+ assert.ifError(err);
+ request(nconf.get('url') + '/api/post/' + pid, { jar: jar }, function (err, res) {
+ assert.ifError(err);
+ assert.equal(res.statusCode, 403);
+ privileges.categories.give(['read'], category.cid, 'registered-users', done);
+ });
+ });
+ });
+
 it('should return correct post path', function (done) {
 request(nconf.get('url') + '/api/post/' + pid, { json: true }, function (err, res, body) {
 assert.ifError(err);
From acfda106f179cb5c44a31ade74fcac83154b1fc0 Mon Sep 17 00:00:00 2001
From: aStonedPenguin
Date: Fri, 11 Aug 2017 19:43:41 -0800
Subject: [PATCH 2/5] Fix dead links (#5856)
* Fix dead links
* ok
---
 .github/CONTRIBUTING.md | 2 +-
 nodebb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
index a26d415c49..11911cd409 100644
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
@@ -15,7 +15,7 @@ If you are writing contributions as part of employment from another company / in
 # Having problems installing NodeBB?
-Chances are somebody has run into this problem before. After consulting our [documentation](https://docs.nodebb.org/en/latest/installing/os.html), please head over to our [community support forum](https://community.nodebb.org) for advice.
+Chances are somebody has run into this problem before. After consulting our [documentation](https://docs.nodebb.org/installing/os/), please head over to our [community support forum](https://community.nodebb.org) for advice.
 # Found a Security Vulnerability?
diff --git a/nodebb b/nodebb
index b40409cddb..c0edb6e39c 100755
--- a/nodebb
+++ b/nodebb
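Review bot: The 'should 403 if user does not have read privilege' test in test/controllers.js gives the `read` privilege back only on its success path: if `assert.equal(res.statusCode, 403)` throws or the request errors, `privileges.categories.give` never runs and `registered-users` stays without `read` on `category.cid` for the tests that follow. Restoring first and asserting afterwards avoids that: save `res.statusCode`, call `privileges.categories.give(['read'], category.cid, 'registered-users', …)`, and in its callback run `assert.ifError(err); assert.equal(statusCode, 403); done();`. The `jar` used here comes from the `before` hook added in the previous hunk of the same file.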
@@ -40,7 +40,7 @@ try {
 process.stdout.write(
 '\x1b[31mNodeBB could not be initialised because there was an error while loading dependencies.\n' +
 'Please run "\x1b[33mnpm install --production\x1b[31m" and try again.\x1b[0m\n\n' +
- 'For more information, please see: https://docs.nodebb.org/en/latest/installing/os.html\n\n'
+ 'For more information, please see: https://docs.nodebb.org/installing/os/\n\n'
 );
 throw e;
From 48165b90110c06edf494f1024fca657c3b5e701c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Sat, 12 Aug 2017 16:45:08 -0400
Subject: [PATCH 3/5] closes #5875
---
 src/groups/membership.js | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/src/groups/membership.js b/src/groups/membership.js
index 8ffd845443..48bb82f56f 100644
--- a/src/groups/membership.js
+++ b/src/groups/membership.js
@@ -251,6 +251,9 @@ module.exports = function (Groups) {
 next();
 }
 },
+ function (next) {
+ clearGroupTitleIfSet(groupName, uid, next);
+ },
 function (next) {
 plugins.fireHook('action:group.leave', {
 groupName: groupName,
@@ -261,6 +264,24 @@ module.exports = function (Groups) {
 ], callback);
 };
+ function clearGroupTitleIfSet(groupName, uid, callback) {
+ if (groupName === 'registered-users' || Groups.isPrivilegeGroup(groupName)) {
+ return callback();
+ }
+ async.waterfall([
+ function (next) {
+ db.getObjectField('user:' + uid, 'groupTitle', next);
+ },
+ function (groupTitle, next) {
+ if (groupTitle === groupName) {
+ db.deleteObjectField('user:' + uid, 'groupTitle', next);
+ } else {
+ next();
+ }
+ }
+ ], callback);
+ }
+
 Groups.leaveAllGroups = function (uid, callback) {
 async.waterfall([
 function (next) {
From ed84794c1feff4ca7a8a6e2133429a1f70743c2d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Sat, 12 Aug 2017 16:50:29 -0400
Subject: [PATCH 4/5] fix lint
---
 src/groups/membership.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
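Review bot: The `clearGroupTitleIfSet` step added to the leave waterfall in src/groups/membership.js runs before the `action:group.leave` hook, so an error from `db.getObjectField` or `db.deleteObjectField` ends the waterfall and the hook is skipped; the earlier steps are outside the hunk, but if they have already removed the member, plugins listening on that hook never learn of it. The helper itself (second hunk) has no test in this patch, which changes only this one file; a case that joins a group, sets `groupTitle` to it, leaves, and expects the field to be gone would guard against a user keeping the title of a group they were removed from. A comment above the early return saying why `registered-users` and privilege groups are skipped would also help, since the reason is not evident from the code.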
diff --git a/src/groups/membership.js b/src/groups/membership.js
index 48bb82f56f..4d4a1f2887 100644
--- a/src/groups/membership.js
+++ b/src/groups/membership.js
@@ -278,7 +278,7 @@ module.exports = function (Groups) {
 } else {
 next();
 }
- }
+ },
 ], callback);
 }
From 7ab152e5829553636fa447ee933c3e348cd5600a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Sat, 12 Aug 2017 20:36:39 -0400
Subject: [PATCH 5/5] fix missing template var name
---
 src/views/admin/partials/groups/memberlist.tpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/views/admin/partials/groups/memberlist.tpl b/src/views/admin/partials/groups/memberlist.tpl
index 23ce3e1dae..0b20231739 100644
--- a/src/views/admin/partials/groups/memberlist.tpl
+++ b/src/views/admin/partials/groups/memberlist.tpl
@@ -5,7 +5,7 @@ - + - +
@@ -32,6 +32,6 @@
\ No newline at end of file