fix: remove allowed check from notes.assert as it is already done downstream in topics.(post|reply), update privilege check to inherit world privs if passed-in cid is remote cid

src/activitypub/notes.js

@@ -199,10 +199,7 @@ Notes.assert = async (uid, input, options = { skipChecks: false }) => {
 			uid || hasTid ||
 			options.skipChecks || options.cid ||
 			await assertRelation(chain[inputIndex !== -1 ? inputIndex : 0]);
-
-		const privilege = `topics:${tid ? 'reply' : 'create'}`;
-		const allowed = await privileges.categories.can(privilege, options.cid || cid, activitypub._constants.uid);
-		if (!hasRelation || !allowed) {
+		if (!hasRelation) {
 			if (!hasRelation) {
 				activitypub.helpers.log(`[activitypub/notes.assert] Not asserting ${id} as it has no relation to existing tracked content.`);
 			}

src/topics/create.js

@@ -98,8 +98,8 @@ module.exports = function (Topics) {
 
 		const [categoryExists, canCreate, canTag, isAdmin] = await Promise.all([
 			parseInt(data.cid, 10) > 0 ? categories.exists(data.cid) : true,
-			privileges.categories.can('topics:create', data.cid, remoteUid ? -2 : uid),
-			privileges.categories.can('topics:tag', data.cid, remoteUid ? -2 : uid),
+			privileges.categories.can('topics:create', utils.isNumber(data.cid) ? data.cid : -1, remoteUid ? -2 : uid),
+			privileges.categories.can('topics:tag', utils.isNumber(data.cid) ? data.cid : -1, remoteUid ? -2 : uid),
 			privileges.users.isAdministrator(uid),
 		]);