fix: relax toPid assertion checks so that it only checks that it is a number or uri

src/posts/create.js

@@ -7,7 +7,6 @@ const user = require('../user');
 const topics = require('../topics');
 const categories = require('../categories');
 const groups = require('../groups');
-const privileges = require('../privileges');
 const activitypub = require('../activitypub');
 const utils = require('../utils');
 
@@ -24,8 +23,8 @@ module.exports = function (Posts) {
 			throw new Error('[[error:invalid-uid]]');
 		}
 
-		if (data.toPid) {
+		if (data.toPid && !utils.isNumber(data.toPid) && !activitypub.helpers.isUri(data.toPid)) {
-			await checkToPid(data.toPid, uid);
+			throw new Error('[[error:invalid-pid]]');
 		}
 
 		const pid = data.pid || await db.incrObjectField('global', 'nextPid');
@@ -101,19 +100,4 @@ module.exports = function (Posts) {
 			db.incrObjectField(`post:${postData.toPid}`, 'replies'),
 		]);
 	}
-
-	async function checkToPid(toPid, uid) {
-		if (!utils.isNumber(toPid) && !activitypub.helpers.isUri(toPid)) {
-			throw new Error('[[error:invalid-pid]]');
-		}
-
-		const [toPost, canViewToPid] = await Promise.all([
-			Posts.getPostFields(toPid, ['pid', 'deleted']),
-			privileges.posts.can('posts:view_deleted', toPid, uid),
-		]);
-		const toPidExists = !!toPost.pid;
-		if (!toPidExists || (toPost.deleted && !canViewToPid)) {
-			throw new Error('[[error:invalid-pid]]');
-		}
-	}
 };

test/topics.js

@@ -314,51 +314,6 @@ describe('Topic\'s', () => {
 			});
 		});
 
-		it('should fail to create new reply with toPid that has been purged', async () => {
-			const { postData } = await topics.post({
-				uid: topic.userId,
-				cid: topic.categoryId,
-				title: utils.generateUUID(),
-				content: utils.generateUUID(),
-			});
-			await posts.purge(postData.pid, topic.userId);
-
-			await assert.rejects(
-				topics.reply({ uid: topic.userId, content: 'test post', tid: postData.topic.tid, toPid: postData.pid }),
-				{ message: '[[error:invalid-pid]]' }
-			);
-		});
-
-		it('should fail to create a new reply with toPid that has been deleted (user cannot view_deleted)', async () => {
-			const { postData } = await topics.post({
-				uid: topic.userId,
-				cid: topic.categoryId,
-				title: utils.generateUUID(),
-				content: utils.generateUUID(),
-			});
-			await posts.delete(postData.pid, topic.userId);
-			const uid = await User.create({ username: utils.generateUUID().slice(0, 10) });
-
-			await assert.rejects(
-				topics.reply({ uid, content: 'test post', tid: postData.topic.tid, toPid: postData.pid }),
-				{ message: '[[error:invalid-pid]]' }
-			);
-		});
-
-		it('should properly create a new reply with toPid that has been deleted (user\'s own deleted post)', async () => {
-			const { postData } = await topics.post({
-				uid: topic.userId,
-				cid: topic.categoryId,
-				title: utils.generateUUID(),
-				content: utils.generateUUID(),
-			});
-			await posts.delete(postData.pid, topic.userId);
-			const uid = await User.create({ username: utils.generateUUID().slice(0, 10) });
-
-			const { pid } = await topics.reply({ uid: topic.userId, content: 'test post', tid: postData.topic.tid, toPid: postData.pid });
-			assert(pid);
-		});
-
 		it('should delete nested relies properly', async () => {
 			const result = await topics.post({ uid: fooUid, title: 'nested test', content: 'main post', cid: topic.categoryId });
 			const reply1 = await topics.reply({ uid: fooUid, content: 'reply post 1', tid: result.topicData.tid });