fix: handle search tag permission as well

2025-10-26 08:36:12 +01:00 · 2020-06-04 21:42:38 -04:00
parent 2100a03c1a
commit 1b5d5425b4
2 changed files with 6 additions and 1 deletions
--- a/public/openapi/read.yaml
+++ b/public/openapi/read.yaml
@@ -4549,6 +4549,8 @@ paths:
                            type: boolean
                          search:content:
                            type: boolean
+                          search:tags:
+                            type: boolean
                    required:
                      - posts
                      - matchCount
--- a/src/controllers/search.js
+++ b/src/controllers/search.js
@@ -25,9 +25,12 @@ searchController.search = async function (req, res, next) {
 	const userPrivileges = await utils.promiseParallel({
 		'search:users': privileges.global.can('search:users', req.uid),
 		'search:content': privileges.global.can('search:content', req.uid),
+		'search:tags': privileges.global.can('search:tags', req.uid),
 	});

-	const allowed = (req.query.in === 'users') ? userPrivileges['search:users'] : userPrivileges['search:content'];
+	const allowed = (req.query.in === 'users' && userPrivileges['search:users']) ||
+					(req.query.in === 'tags' && userPrivileges['search:tags']) ||
+					(['titles', 'titlesposts', 'posts'].includes(req.query.in) && userPrivileges['search:content']);

 	if (!allowed) {
 		return helpers.notAllowed(req, res);