Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 08:36:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: #13668, privilege checking on topic create for remote users; was not properly checking against fediverse pseudo-user

Browse Source
This commit is contained in:
Julian Lam
2025-09-23 10:58:00 -04:00
parent 33b56e810c
commit 218f5eabe2
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/topics/create.js
View File

@@ -89,11 +89,12 @@ module.exports = function (Topics) {
Topics.post = async function (data) { Topics.post = async function (data) {
data = await plugins.hooks.fire('filter:topic.post', data); data = await plugins.hooks.fire('filter:topic.post', data);
const { uid } = data; const { uid } = data;
const remoteUid = !utils.isNumber(uid);
const [categoryExists, canCreate, canTag, isAdmin] = await Promise.all([ const [categoryExists, canCreate, canTag, isAdmin] = await Promise.all([
parseInt(data.cid, 10) > 0 ? categories.exists(data.cid) : true, parseInt(data.cid, 10) > 0 ? categories.exists(data.cid) : true,
privileges.categories.can('topics:create', data.cid, uid), privileges.categories.can('topics:create', data.cid, remoteUid ? -2 : uid),
privileges.categories.can('topics:tag', data.cid, uid), privileges.categories.can('topics:tag', data.cid, remoteUid ? -2 : uid),
privileges.users.isAdministrator(uid), privileges.users.isAdministrator(uid),
]); ]);