From 218f5eabe2a29a18089dae05526c7ca8b2bfca69 Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Tue, 23 Sep 2025 10:58:00 -0400
Subject: [PATCH] fix: #13668, privilege checking on topic create for remote
 users; was not properly checking against fediverse pseudo-user

---
 src/topics/create.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/topics/create.js b/src/topics/create.js
index 2f41c822b1..43001a9bd3 100644
--- a/src/topics/create.js
+++ b/src/topics/create.js
@@ -89,11 +89,12 @@ module.exports = function (Topics) {
 	Topics.post = async function (data) {
 		data = await plugins.hooks.fire('filter:topic.post', data);
 		const { uid } = data;
+		const remoteUid = !utils.isNumber(uid);
 
 		const [categoryExists, canCreate, canTag, isAdmin] = await Promise.all([
 			parseInt(data.cid, 10) > 0 ? categories.exists(data.cid) : true,
-			privileges.categories.can('topics:create', data.cid, uid),
-			privileges.categories.can('topics:tag', data.cid, uid),
+			privileges.categories.can('topics:create', data.cid, remoteUid ? -2 : uid),
+			privileges.categories.can('topics:tag', data.cid, remoteUid ? -2 : uid),
 			privileges.users.isAdministrator(uid),
 		]);