fix: checking correct permissions for user search (#8371)

* fix: checking correct permissions for user search * fix: missing permissions porperty in openapi /api/search
2025-10-26 16:46:12 +01:00 · 2020-06-05 03:27:43 +02:00
parent c1d8b9bb5a
commit f6b92d241a
2 changed files with 18 additions and 1 deletions
--- a/public/openapi/read.yaml
+++ b/public/openapi/read.yaml
@@ -4542,6 +4542,13 @@ paths:
                        type: string
                      searchDefaultSortBy:
                        type: string
+                      permissions:
+                        type: object
+                        properties:
+                          users:
+                            type: boolean
+                          content:
+                            type: boolean
                    required:
                      - posts
                      - matchCount
@@ -4556,6 +4563,7 @@ paths:
                      - showAsTopics
                      - title
                      - searchDefaultSortBy
+                      - permissions
                  - $ref: components/schemas/Pagination.yaml#/Pagination
                  - $ref: components/schemas/Breadcrumbs.yaml#/Breadcrumbs
                  - $ref: components/schemas/CommonProps.yaml#/CommonProps
--- a/src/controllers/search.js
+++ b/src/controllers/search.js
@@ -9,6 +9,7 @@ const search = require('../search');
 const categories = require('../categories');
 const pagination = require('../pagination');
 const privileges = require('../privileges');
+const utils = require('../utils');
 const helpers = require('./helpers');

 const searchController = module.exports;
@@ -21,7 +22,13 @@ searchController.search = async function (req, res, next) {

 	const searchOnly = parseInt(req.query.searchOnly, 10) === 1;

-	const allowed = await privileges.global.can('search:content', req.uid);
+	const permissions = await utils.promiseParallel({
+		users: privileges.global.can('search:users', req.uid),
+		content: privileges.global.can('search:content', req.uid),
+	});
+
+	const allowed = (req.query.in === 'users') ? permissions.users : permissions.content;
+
 	if (!allowed) {
 		return helpers.notAllowed(req, res);
 	}
@@ -77,6 +84,8 @@ searchController.search = async function (req, res, next) {
 	searchData.title = '[[global:header.search]]';

 	searchData.searchDefaultSortBy = meta.config.searchDefaultSortBy || '';
+	searchData.permissions = permissions;
+
 	res.render('search', searchData);
 };