From 33d4956b763e495af1d5ce5f96e0e82fd7e5e41c Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Mon, 10 Dec 2018 14:14:11 -0500
Subject: [PATCH] fix: #7087, server-side protection against guest blocks
---
 public/language/en-GB/error.json | 3 +++
 src/socket.io/user/profile.js | 4 ----
 src/user/blocks.js | 27 +++++++++++++++++++--------
 3 files changed, 22 insertions(+), 12 deletions(-)
diff --git a/public/language/en-GB/error.json b/public/language/en-GB/error.json
index f9ec3635b1..5adc3351e2 100644
--- a/public/language/en-GB/error.json
+++ b/public/language/en-GB/error.json
@@ -185,5 +185,8 @@
 "cannot-block-self": "You cannot block yourself!",
 "cannot-block-privileged": "You cannot block administrators or global moderators",
+ "cannot-block-guest": "Guest are not able to block other users",
+ "already-blocked": "This user is already blocked",
+ "already-unblocked": "This user is already unblocked",
 "no-connection": "There seems to be a problem with your internet connection"
 }
diff --git a/src/socket.io/user/profile.js b/src/socket.io/user/profile.js
index e84442650e..b3eb7de9be 100644
--- a/src/socket.io/user/profile.js
+++ b/src/socket.io/user/profile.js
@@ -220,10 +220,6 @@ module.exports = function (SocketUser) {
 },
 function (results, next) {
 isBlocked = results.is;
- if (!results.can && !isBlocked) {
- return next(new Error('[[error:cannot-block-privileged]]'));
- }
-
 user.blocks[isBlocked ? 'remove' : 'add'](data.blockeeUid, data.blockerUid, next);
 },
 ], function (err) {
diff --git a/src/user/blocks.js b/src/user/blocks.js
index 51bb4520f1..3dfa429935 100644
--- a/src/user/blocks.js
+++ b/src/user/blocks.js
@@ -23,7 +23,15 @@ module.exports = function (User) {
 };
 User.blocks.can = function (callerUid, blockerUid, blockeeUid, callback) {
+ // Guests can't block
+ if (blockerUid === 0 || blockeeUid === 0) {
+ return setImmediate(callback, new Error('[[error:cannot-block-guest]]'));
+ } else if (blockerUid === blockeeUid) {
+ return setImmediate(callback, new Error('[[error:cannot-block-self]]'));
+ }
+ // Administrators and global moderators cannot be blocked
+ // Only admins/mods can block users as another user
 async.waterfall([
 function (next) {
 async.parallel({
@@ -37,12 +45,13 @@ module.exports = function (User) {
 },
 function (results, next) {
 if (results.isBlockeeAdminOrMod) {
- return callback(null, false);
+ return callback(new Error('[[error:cannot-block-privileged]]'));
 }
 if (parseInt(callerUid, 10) !== parseInt(blockerUid, 10) && !results.isCallerAdminOrMod) {
- return callback(null, false);
+ return callback(new Error());
 }
- next(null, true);
+
+ next();
 },
 ], callback);
 };
@@ -94,12 +103,14 @@ module.exports = function (User) {
 };
 User.blocks.applyChecks = function (block, targetUid, uid, callback) {
- if (parseInt(targetUid, 10) === parseInt(uid, 10)) {
- return setImmediate(callback, new Error('[[error:cannot-block-self]]'));
- }
+ User.blocks.can(uid, uid, targetUid, function (err) {
+ if (err) {
+ return callback(err);
+ }
- User.blocks.is(targetUid, uid, function (err, is) {
- callback(err || (is === block ? new Error('[[error:already-' + (block ? 'blocked' : 'unblocked') + ']]') : null));
+ User.blocks.is(targetUid, uid, function (err, is) {
+ callback(err || (is === block ? new Error('[[error:already-' + (block ? 'blocked' : 'unblocked') + ']]') : null));
+ });
 });
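Review bot: The guest and self guards added at the top of `User.blocks.can` use strict equality, so a uid that arrives as the string `'0'` (or as `undefined`/`NaN`) slips past `blockerUid === 0 || blockeeUid === 0` into the admin/mod lookups, and `'5'` against `5` is not caught as a self-block — the `parseInt(callerUid, 10) !== parseInt(blockerUid, 10)` comparison later in this function and the `parseInt` self-check this replaces in `applyChecks` both suggest mixed types are expected here. Normalize first and reject anything that is not a positive integer: `if (!(parseInt(blockerUid, 10) > 0) || !(parseInt(blockeeUid, 10) > 0)) {` and `} else if (parseInt(blockerUid, 10) === parseInt(blockeeUid, 10)) {`. The `!(x > 0)` form also rejects NaN and negative ids without a separate check. `User.blocks.can` continues past the end of this hunk.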
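Review bot: `return callback(new Error())` in the caller-vs-blocker branch raises an error with an empty message, so a non-privileged user trying to block on someone else's behalf gets no reason at all while the two neighbouring branches return a translation key; give it its own key in error.json alongside `cannot-block-guest`. Separately, turning the `isBlockeeAdminOrMod` case into an error instead of `false` now applies on the unblock path as well: `applyChecks` in the next hunk calls `User.blocks.can` regardless of `block`, and the `!isBlocked` carve-out was removed from the socket handler in profile.js, so a block placed on a user who has since become an administrator or global moderator can no longer be removed. If that carve-out is still intended, have `applyChecks` consult `User.blocks.is` first and only call `can` when `block` is true, or pass the direction into `can` so the privileged-blockee rejection is skipped for removals.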