	fix: #8971, disallow flags of privileged users (mods, gmods, admins)
		| @@ -169,6 +169,7 @@ | ||||
| 	"user-already-flagged": "You have already flagged this user", | ||||
| 	"post-flagged-too-many-times": "This post has been flagged by others already", | ||||
| 	"user-flagged-too-many-times": "This user has been flagged by others already", | ||||
| 	"cant-flag-privileged": "You are not allowed to flag the profiles or content of privileged users (moderators/global moderators/admins)", | ||||
| 	"self-vote": "You cannot vote on your own post", | ||||
| 	"too-many-downvotes-today": "You can only downvote %1 times a day", | ||||
| 	"too-many-downvotes-today-user": "You can only downvote a user %1 times a day", | ||||
|   | ||||
| @@ -70,6 +70,7 @@ helpers.getUserDataByUserSlug = async function (userslug, callerUID) { | ||||
| 	userData.isSelfOrAdminOrGlobalModerator = isSelf || isAdmin || isGlobalModerator; | ||||
| 	userData.canEdit = results.canEdit; | ||||
| 	userData.canBan = results.canBanUser; | ||||
| 	userData.canFlag = (await privileges.users.canFlag(callerUID, userData.uid)).flag; | ||||
| 	userData.canChangePassword = isAdmin || (isSelf && !meta.config['password:disableEdit']); | ||||
| 	userData.isSelf = isSelf; | ||||
| 	userData.isFollowing = results.isFollowing; | ||||
|   | ||||
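Review bot: The new `userData.canFlag = (await privileges.users.canFlag(callerUID, userData.uid)).flag;` line awaits its lookup on its own, while the neighbouring fields (`canEdit`, `canBanUser`, `isFollowing`) are read from a `results` object that appears to be gathered in one batch earlier in the function, so every profile render now pays one extra serial round trip. Consider adding `privileges.users.canFlag(callerUID, userData.uid)` to that batch and reading `results.canFlag.flag` here. This value is only a display hint; the check that actually blocks a flag is the one in Flags.validate, and the two must keep the same rule. getUserDataByUserSlug starts and ends outside the hunk.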
| @@ -251,6 +251,15 @@ Flags.validate = async function (payload) { | ||||
| 		throw new Error('[[error:user-banned]]'); | ||||
| 	} | ||||
|  | ||||
| 	// Disallow flagging of profiles/content of privileged users | ||||
| 	const [targetPrivileged, reporterPrivileged] = await Promise.all([ | ||||
| 		user.isPrivileged(target.uid), | ||||
| 		user.isPrivileged(reporter.uid), | ||||
| 	]); | ||||
| 	if (targetPrivileged && !reporterPrivileged) { | ||||
| 		throw new Error('[[error:cant-flag-privileged]]'); | ||||
| 	} | ||||
|  | ||||
| 	if (payload.type === 'post') { | ||||
| 		const editable = await privileges.posts.canEdit(payload.id, payload.uid); | ||||
| 		if (!editable.flag && !meta.config['reputation:disabled'] && reporter.reputation < meta.config['min:rep:flag']) { | ||||
|   | ||||
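Review bot: The privileged-target rule added here (`if (targetPrivileged && !reporterPrivileged)`) is now written out three times in this commit — here, in privileges.posts.canFlag and in privileges.users.canFlag — and the copies will drift the first time the exemption or the definition of "privileged" changes; a single helper (for example a constructed `user.canFlagPrivileged(reporterUid, targetUid)`) called from all three would keep the enforcing check and the two advisory checks in agreement. Since this is the check that actually blocks the write, a comment should say so, e.g. `// Enforced here; privileges.posts/users.canFlag only mirror this rule for the UI`. What `user.isPrivileged` counts as privileged is not visible in this diff; if it includes moderators of any category, a category moderator's posts become unflaggable by ordinary users site-wide, which the comment should state explicitly. For post flags, whether `target.uid` is the post author is also not visible here and should be confirmed. Flags.validate starts and ends outside the hunk.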
| @@ -176,12 +176,20 @@ module.exports = function (privileges) { | ||||
| 	}; | ||||
|  | ||||
| 	privileges.posts.canFlag = async function (pid, uid) { | ||||
| 		const [userReputation, isAdminOrModerator] = await Promise.all([ | ||||
| 		const targetUid = await posts.getPostField(pid, 'uid'); | ||||
| 		const [userReputation, isAdminOrModerator, targetPrivileged, reporterPrivileged] = await Promise.all([ | ||||
| 			user.getUserField(uid, 'reputation'), | ||||
| 			isAdminOrMod(pid, uid), | ||||
| 			user.isPrivileged(targetUid), | ||||
| 			user.isPrivileged(uid), | ||||
| 		]); | ||||
| 		const minimumReputation = meta.config['min:rep:flag']; | ||||
| 		const canFlag = isAdminOrModerator || (userReputation >= minimumReputation); | ||||
| 		let canFlag = isAdminOrModerator || (userReputation >= minimumReputation); | ||||
|  | ||||
| 		if (targetPrivileged && !reporterPrivileged) { | ||||
| 			canFlag = false; | ||||
| 		} | ||||
|  | ||||
| 		return { flag: canFlag }; | ||||
| 	}; | ||||
|  | ||||
|   | ||||
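Review bot: `const targetUid = await posts.getPostField(pid, 'uid');` is awaited by itself before the `Promise.all`, so the whole batch (reputation, moderator and privilege lookups) now waits on a serial round trip that only one entry needs; chaining the target-dependent call inside the array, `posts.getPostField(pid, 'uid').then(targetUid => user.isPrivileged(targetUid)),`, keeps the other lookups parallel. When the post does not exist, `targetUid` is presumably null or undefined and what `user.isPrivileged` returns for that is not visible here — confirm it resolves to false rather than throwing or granting. The `let canFlag` plus override could also be a single expression, `const canFlag = (isAdminOrModerator || userReputation >= minimumReputation) && !(targetPrivileged && !reporterPrivileged);`, which reads as one rule instead of a default and an exception.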
| @@ -3,6 +3,8 @@ | ||||
|  | ||||
| const _ = require('lodash'); | ||||
|  | ||||
| const user = require('../user'); | ||||
| const meta = require('../meta'); | ||||
| const groups = require('../groups'); | ||||
| const plugins = require('../plugins'); | ||||
| const helpers = require('./helpers'); | ||||
| @@ -107,6 +109,22 @@ module.exports = function (privileges) { | ||||
| 		return data.canBan; | ||||
| 	}; | ||||
|  | ||||
| 	privileges.users.canFlag = async function (callerUid, uid) { | ||||
| 		const [userReputation, targetPrivileged, reporterPrivileged] = await Promise.all([ | ||||
| 			user.getUserField(callerUid, 'reputation'), | ||||
| 			user.isPrivileged(uid), | ||||
| 			user.isPrivileged(callerUid), | ||||
| 		]); | ||||
| 		const minimumReputation = meta.config['min:rep:flag']; | ||||
| 		let canFlag = reporterPrivileged || (userReputation >= minimumReputation); | ||||
|  | ||||
| 		if (targetPrivileged && !reporterPrivileged) { | ||||
| 			canFlag = false; | ||||
| 		} | ||||
|  | ||||
| 		return { flag: canFlag }; | ||||
| 	}; | ||||
|  | ||||
| 	privileges.users.hasBanPrivilege = async uid => await hasGlobalPrivilege('ban', uid); | ||||
| 	privileges.users.hasInvitePrivilege = async uid => await hasGlobalPrivilege('invite', uid); | ||||
|  | ||||
|   | ||||
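Review bot: The new `privileges.users.canFlag` applies the `min:rep:flag` threshold unconditionally (`userReputation >= minimumReputation`), whereas the post branch of Flags.validate shown in this commit skips that gate when `meta.config['reputation:disabled']` is set; on a forum with reputation disabled the profile button and the enforced permission can disagree. The same gap pre-exists in privileges.posts.canFlag, which this commit edits but does not change in that respect. Consider `let canFlag = reporterPrivileged || meta.config['reputation:disabled'] || (userReputation >= minimumReputation);`, or better, derive this from the same rule Flags.validate uses. The function has no JSDoc; a header such as `/** UI hint: whether callerUid may flag uid's profile. Enforcement is in Flags.validate. */` would make its advisory role clear to the next maintainer.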