Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-30 18:46:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: regression caused by 77ab46686d

Browse Source 
Access checks were added for topic GET route, but occasionally a post_uuid is passed in, which is available to everyone, and so checks should be skipped
This commit is contained in:
Julian Lam
2021-01-17 15:43:21 -05:00
parent 4fb907875e
commit f5fcd232f6
1 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/controllers/write/topics.js
View File

@@ -104,9 +104,15 @@ Topics.deleteTags = async (req, res) => {
}; };
Topics.getThumbs = async (req, res) => { Topics.getThumbs = async (req, res) => {
if (!await privileges.topics.can('topics:read', req.params.tid, req.uid)) { if (isFinite(req.params.tid)) { // post_uuids can be passed in occasionally, in that case no checks are necessary
const [exists, canRead] = await Promise.all([
topics.exists(req.params.tid),
privileges.topics.can('topics:read', req.params.tid, req.uid),
]);
if (!exists || !canRead) {
return helpers.formatApiResponse(403, res); return helpers.formatApiResponse(403, res);
} }
}
helpers.formatApiResponse(200, res, await topics.thumbs.get(req.params.tid)); helpers.formatApiResponse(200, res, await topics.thumbs.get(req.params.tid));
}; };