check privs on composer.push

src/socket.io/modules.js

@@ -1,6 +1,12 @@
 "use strict";
 
-var	posts = require('../posts'),
+var	nconf = require('nconf'),
+	async = require('async'),
+	S = require('string'),
+	winston = require('winston'),
+	_ = require('underscore'),
+
+	posts = require('../posts'),
 	postTools = require('../postTools'),
 	topics = require('../topics'),
 	meta = require('../meta'),
@@ -9,13 +15,10 @@ var	posts = require('../posts'),
 	notifications = require('../notifications'),
 	plugins = require('../plugins'),
 	utils = require('../../public/src/utils'),
+	privileges = require('../privileges'),
 
-	async = require('async'),
-	S = require('string'),
-	winston = require('winston'),
-	_ = require('underscore'),
 	server = require('./'),
-	nconf = require('nconf'),
+
 
 	SocketModules = {
 		composer: {},
@@ -28,6 +31,10 @@ var	posts = require('../posts'),
 /* Posts Composer */
 
 SocketModules.composer.push = function(socket, pid, callback) {
+	privileges.posts.can('read', pid, socket.uid, function(err, canRead) {
+		if (err || !canRead) {
+			return callback(err || new Error('[[error:no-privileges]]'));
+		}
 		posts.getPostFields(pid, ['content', 'tid'], function(err, postData) {
 			if(err || (!postData && !postData.content)) {
 				return callback(err || new Error('[[error:invalid-pid]]'));
@@ -62,6 +69,7 @@ SocketModules.composer.push = function(socket, pid, callback) {
 				});
 			});
 		});
+	});
 };
 
 SocketModules.composer.editCheck = function(socket, pid, callback) {