fix: check if user has read priv before flagging

Barış Soner Uşaklı
2020-01-22 12:14:50 -05:00
parent 1f13ab8a19
commit 51236df4ed
2 changed files with 45 additions and 14 deletions


@@ -251,18 +251,21 @@ Flags.create = async function (type, id, uid, reason, timestamp) {
timestamp = Date.now();
doHistoryAppend = true;
}
const [exists, targetExists, targetUid, targetCid] = await Promise.all([
const [flagExists, targetExists, canFlag, targetUid, targetCid] = await Promise.all([
// Sanity checks
Flags.exists(type, id, uid),
Flags.targetExists(type, id),
Flags.canFlag(type, id, uid),
// Extra data for zset insertion
Flags.getTargetUid(type, id),
Flags.getTargetCid(type, id),
]);
if (exists) {
if (flagExists) {
throw new Error('[[error:already-flagged]]');
} else if (!targetExists) {
throw new Error('[[error:invalid-data]]');
} else if (!canFlag) {
throw new Error('[[error:no-privileges]]');
}
const flagId = await db.incrObjectField('global', 'nextFlagId');
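Review bot: The `!targetExists` branch is still tested before the new `!canFlag` branch, so a caller without read privilege gets `[[error:invalid-data]]` for an id that does not exist and `[[error:no-privileges]]` for one that does, and the two messages together reveal which post ids exist in categories the caller cannot read. Testing the privilege first closes that: `} else if (!canFlag) {` should come ahead of `} else if (!targetExists) {`, or both cases should return the same error. What `privileges.posts.can('topics:read', id, uid)` returns for a nonexistent id is not visible here, so confirm it resolves to false rather than rejecting before reordering. Flags.create starts and ends outside this hunk.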
@@ -307,6 +310,16 @@ Flags.exists = async function (type, id, uid) {
return await db.isSortedSetMember('flags:hash', [type, id, uid].join(':'));
};
Flags.canFlag = async function (type, id, uid) {
if (type === 'user') {
return true;
}
if (type === 'post') {
return await privileges.posts.can('topics:read', id, uid);
}
throw new Error('[[error:invalid-data]]');
};
Flags.getTarget = async function (type, id, uid) {
if (type === 'user') {
const userData = await user.getUserData(id);