Priv hook fix (#9775)

* fix: #9773, fire hooks properly for priv changes

* fix: admin/global group privs

dont allow invalid privs

src/api/categories.js

@@ -70,15 +70,19 @@ categoriesAPI.setPrivilege = async (caller, data) => {
 	if (!privs.length) {
 		throw new Error('[[error:invalid-data]]');
 	}
-	let privMethod = privileges.categories[type];
 	if (parseInt(data.cid, 10) === 0) {
-		if (privs[0].startsWith('admin:')) {
+		const adminPrivs = privs.filter(priv => privileges.admin.privilegeList.includes(priv));
-			privMethod = privileges.admin[type];
+		const globalPrivs = privs.filter(priv => privileges.global.privilegeList.includes(priv));
-		} else {
+		if (adminPrivs.length) {
-			privMethod = privileges.global[type];
+			await privileges.admin[type](adminPrivs, data.member);
 		}
+		if (globalPrivs.length) {
+			await privileges.global[type](globalPrivs, data.member);
+		}
+	} else {
+		const categoryPrivs = privs.filter(priv => privileges.categories.privilegeList.includes(priv));
+		await privileges.categories[type](categoryPrivs, data.cid, data.member);
 	}
-	await privMethod(privs, data.cid, data.member);
 
 	await events.log({
 		uid: caller.uid,

src/privileges/admin.js

@@ -35,6 +35,8 @@ privsAdmin.userPrivilegeList = [
 
 privsAdmin.groupPrivilegeList = privsAdmin.userPrivilegeList.map(privilege => `groups:${privilege}`);
 
+privsAdmin.privilegeList = privsAdmin.userPrivilegeList.concat(privsAdmin.groupPrivilegeList);
+
 // Mapping for a page route (via direct match or regexp) to a privilege
 privsAdmin.routeMap = {
 	dashboard: 'admin:dashboard',

src/privileges/global.js

@@ -49,6 +49,8 @@ privsGlobal.userPrivilegeList = [
 
 privsGlobal.groupPrivilegeList = privsGlobal.userPrivilegeList.map(privilege => `groups:${privilege}`);
 
+privsGlobal.privilegeList = privsGlobal.userPrivilegeList.concat(privsGlobal.groupPrivilegeList);
+
 privsGlobal.list = async function () {
 	async function getLabels() {
 		return await utils.promiseParallel({