From 5e7d366f5546f34a9f52c62086a616aa6436b25b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
 <barisusakli@gmail.com>
Date: Fri, 6 May 2022 14:01:08 -0400
Subject: [PATCH] fix: #10584, dont show backlinks if you dont have read
 privilege

---
 src/topics/events.js | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/topics/events.js b/src/topics/events.js
index b84e98474a..1d6e67fd11 100644
--- a/src/topics/events.js
+++ b/src/topics/events.js
@@ -8,6 +8,7 @@ const posts = require('../posts');
 const categories = require('../categories');
 const plugins = require('../plugins');
 const translator = require('../translator');
+const privileges = require('../privileges');
 
 const Events = module.exports;
 
@@ -130,6 +131,14 @@ async function modifyEvent({ tid, uid, eventIds, timestamps, events }) {
 	// Remove backlink events if backlinks are disabled
 	if (meta.config.topicBacklinks !== 1) {
 		events = events.filter(event => event.type !== 'backlink');
+	} else {
+		// remove backlinks that we dont have read permission
+		const backlinkPids = events.filter(e => e.type === 'backlink')
+			.map(e => e.href.split('/').pop());
+		const pids = await privileges.posts.filter('topics:read', backlinkPids, uid);
+		events = events.filter(
+			e => e.type !== 'backlink' || pids.includes(e.href.split('/').pop())
+		);
 	}
 
 	// Remove events whose types no longer exist (e.g. plugin uninstalled)