From ffff8093ba0721ba31c51e99f0564b22df3c7550 Mon Sep 17 00:00:00 2001
From: barisusakli
Date: Tue, 1 Sep 2015 12:38:26 -0400
Subject: [PATCH] make sure user is admin/mod before forking
---
 src/socket.io/topics.js | 4 +--
 src/topics/fork.js | 67 ++++++++++++++++++++++-------------------
 src/topics/recent.js | 4 ++-
 3 files changed, 41 insertions(+), 34 deletions(-)
diff --git a/src/socket.io/topics.js b/src/socket.io/topics.js
index dcafbeced8..e609629ef0 100644
--- a/src/socket.io/topics.js
+++ b/src/socket.io/topics.js
@@ -280,11 +280,11 @@ function emitToTopicAndCategory(event, data) {
 }
 SocketTopics.createTopicFromPosts = function(socket, data, callback) {
- if(!socket.uid) {
+ if (!socket.uid) {
 return callback(new Error('[[error:not-logged-in]]'));
 }
- if(!data || !data.title || !data.pids || !Array.isArray(data.pids)) {
+ if (!data || !data.title || !data.pids || !Array.isArray(data.pids)) {
 return callback(new Error('[[error:invalid-data]]'));
 }
diff --git a/src/topics/fork.js b/src/topics/fork.js
index 34eb758300..6be18cb319 100644
--- a/src/topics/fork.js
+++ b/src/topics/fork.js
@@ -6,6 +6,7 @@
 var async = require('async'),
 db = require('../database'),
+ user = require('../user'),
 posts = require('../posts'),
 privileges = require('../privileges'),
 postTools = require('../postTools'),
@@ -32,37 +33,33 @@ module.exports = function(Topics) {
 return a - b;
 });
 var mainPid = pids[0];
-
- async.parallel({
- postData: function(callback) {
- posts.getPostData(mainPid, callback);
+ var cid;
+ var tid;
+ async.waterfall([
+ function(next) {
+ posts.getCidByPid(mainPid, next);
 },
- cid: function(callback) {
- posts.getCidByPid(mainPid, callback);
- }
- }, function(err, results) {
- if (err) {
- return callback(err);
- }
-
- Topics.create({uid: results.postData.uid, title: title, cid: results.cid}, function(err, tid) {
- if (err) {
- return callback(err);
- }
-
- async.eachSeries(pids, move, function(err) {
- if (err) {
- return callback(err);
+ function(_cid, next) {
+ cid = _cid;
+ async.parallel({
+ postData: function(next) {
+ posts.getPostData(mainPid, next);
+ },
+ isAdmin: function(next) {
+ user.isAdministrator(uid, next);
+ },
+ isModerator: function(next) {
+ user.isModerator(uid, cid, next);
 }
-
- Topics.updateTimestamp(tid, Date.now(), function(err) {
- if (err) {
- return callback(err);
- }
- Topics.getTopicData(tid, callback);
- });
- });
-
+ }, next);
+ },
+ function(results, next) {
+ if (!results.isAdmin && !results.isModerator) {
+ return next(new Error('[[error:no-privileges]]'));
+ }
+ Topics.create({uid: results.postData.uid, title: title, cid: cid}, next);
+ },
+ function(_tid, next) {
 function move(pid, next) {
 privileges.posts.canEdit(pid, uid, function(err, canEdit) {
 if(err || !canEdit) {
@@ -72,8 +69,16 @@ module.exports = function(Topics) {
 Topics.movePostToTopic(pid, tid, next);
 });
 }
- });
- });
+ tid = _tid;
+ async.eachSeries(pids, move, next);
+ },
+ function(next) {
+ Topics.updateTimestamp(tid, Date.now(), next);
+ },
+ function(next) {
+ Topics.getTopicData(tid, next);
+ }
], callback);
 };
 Topics.movePostToTopic = function(pid, tid, callback) {
diff --git a/src/topics/recent.js b/src/topics/recent.js
index b7bee96e36..ded097f222 100644
--- a/src/topics/recent.js
+++ b/src/topics/recent.js
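Review bot: The new third waterfall step reads `results.postData.uid` without checking that `results.postData` is set; if `posts.getPostData` yields null for an unknown `mainPid` (its contract is not visible here), the TypeError is thrown inside an async callback instead of reaching `callback`. A guard ahead of the privilege test, `if (!results.postData) { return next(new Error('[[error:invalid-data]]')); }`, keeps that failure on the error path — use whichever error key this file already uses for a missing post. Note also that the admin/moderator gate is evaluated against the category of `pids[0]` only, while the remaining pids rely solely on the per-post `canEdit` check inside `move`; a one-line comment on the `isModerator` entry, `// the forked topic is created in mainPid's category, so moderator status is checked there`, would make that intent explicit. `Topics.createTopicFromPosts` begins before this hunk.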
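Review bot: In the new `function(_tid, next)` step, the nested `function move(pid, next)` reuses the name `next` for its per-post callback, so two different continuations share one name inside the same body, and `move` also closes over the outer `tid` that is only assigned on the new `tid = _tid;` line after the declaration. Renaming the inner parameter, `function move(pid, done) {` and `Topics.movePostToTopic(pid, tid, done);` (plus the early-return line that falls between the two hunks), makes it clear which callback ends the waterfall step and which ends a single move. The head of that step and the `move` declaration sit in the previous hunk.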
@@ -47,7 +47,9 @@ module.exports = function(Topics) {
 function(next) {
 Topics.setTopicField(tid, 'lastposttime', timestamp, next);
 }
- ], callback);
+ ], function(err, results) {
+ callback(err);
+ });
 };
 Topics.updateRecent = function(tid, timestamp, callback) {
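Review bot: The new completion handler declares a `results` parameter it never reads and gives no hint why the original `], callback);` had to go; judging from the fork.js hunks in this patch, the wrapper exists so that this function (presumably `Topics.updateTimestamp`, now called from an `async.waterfall` step) reports only `err` and the following step is not handed the steps' results array as its first argument. Drop the unused parameter and record the reason: `], function(err) { // results array dropped on purpose: waterfall callers expect (err) only` followed by `callback(err);`. The function's opening line and the array this closes lie before the hunk.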