Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2026-01-21 15:03:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: patch low-level privilege query calls to accept privilege masks at the cid level

Browse Source
This commit is contained in:
Julian Lam
2025-12-02 13:18:15 -05:00
parent 76b6b3b259
commit 4020e1be35
1 changed files with 21 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
src/privileges/helpers.js
View File

@@ -4,6 +4,7 @@
const _ = require('lodash');
const validator = require('validator');
const db = require('../database');
const groups = require('../groups');
const user = require('../user');
const categories = require('../categories');
@@ -25,16 +26,25 @@ helpers.isUsersAllowedTo = async function (privilege, uids, cid) {
cid = -1;
}
const [hasUserPrivilege, hasGroupPrivilege] = await Promise.all([
groups.isMembers(uids, `cid:${cid}:privileges:${privilege}`),
groups.isMembersOfGroupList(uids, `cid:${cid}:privileges:groups:${privilege}`),
]);
const allowed = uids.map((uid, index) => hasUserPrivilege[index] || hasGroupPrivilege[index]);
const result = await plugins.hooks.fire('filter:privileges:isUsersAllowedTo', { allowed: allowed, privilege: privilege, uids: uids, cid: cid });
let allowed;
const masked = db.isSetMember(`cid:${cid}:privilegeMask`, privilege);
if (!masked) {
const [hasUserPrivilege, hasGroupPrivilege] = await Promise.all([
groups.isMembers(uids, `cid:${cid}:privileges:${privilege}`),
groups.isMembersOfGroupList(uids, `cid:${cid}:privileges:groups:${privilege}`),
]);
allowed = uids.map((uid, index) => hasUserPrivilege[index] || hasGroupPrivilege[index]);
} else {
allowed = uids.map(() => false);
}
const result = await plugins.hooks.fire('filter:privileges:isUsersAllowedTo', { allowed, privilege, uids, cid });
return result.allowed;
};
helpers.isAllowedTo = async function (privilege, uidOrGroupName, cid) {
const _cid = cid; // original passed-in cid needed for privilege mask checks
// Remote categories (non-numeric) inherit world privileges
if (Array.isArray(cid)) {
cid = cid.map(cid => (utils.isNumber(cid) ? cid : -1));
@@ -44,10 +54,15 @@ helpers.isAllowedTo = async function (privilege, uidOrGroupName, cid) {
let allowed;
if (Array.isArray(privilege) && !Array.isArray(cid)) {
const mask = await db.isSetMembers(`cid:${_cid}:privilegeMask`, privilege);
allowed = await isAllowedToPrivileges(privilege, uidOrGroupName, cid);
allowed = allowed.map((allowed, idx) => mask[idx] ? false : allowed);
} else if (Array.isArray(cid) && !Array.isArray(privilege)) {
const mask = await db.isMemberOfSets(_cid.map(cid => `cid:${cid}:privilegeMask`), privilege);
allowed = await isAllowedToCids(privilege, uidOrGroupName, cid);
allowed = allowed.map((allowed, idx) => mask[idx] ? false : allowed);
}
if (allowed) {
({ allowed } = await plugins.hooks.fire('filter:privileges:isAllowedTo', { allowed: allowed, privilege: privilege, uid: uidOrGroupName, cid: cid }));
return allowed;