From 6472462924ae0cc52f05bb553c645749a8009ecd Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Thu, 26 Feb 2026 22:39:52 -0500
Subject: [PATCH] fix: remove allowed check from notes.assert as it is already
 done downstream in topics.(post|reply), update privilege check to inherit
 world privs if passed-in cid is remote cid

---
 src/activitypub/notes.js | 5 +----
 src/topics/create.js     | 4 ++--
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/src/activitypub/notes.js b/src/activitypub/notes.js
index 727bdc14c2..4bce9785f0 100644
--- a/src/activitypub/notes.js
+++ b/src/activitypub/notes.js
@@ -199,10 +199,7 @@ Notes.assert = async (uid, input, options = { skipChecks: false }) => {
 			uid || hasTid ||
 			options.skipChecks || options.cid ||
 			await assertRelation(chain[inputIndex !== -1 ? inputIndex : 0]);
-
-		const privilege = `topics:${tid ? 'reply' : 'create'}`;
-		const allowed = await privileges.categories.can(privilege, options.cid || cid, activitypub._constants.uid);
-		if (!hasRelation || !allowed) {
+		if (!hasRelation) {
 			if (!hasRelation) {
 				activitypub.helpers.log(`[activitypub/notes.assert] Not asserting ${id} as it has no relation to existing tracked content.`);
 			}
diff --git a/src/topics/create.js b/src/topics/create.js
index 6b5d7699b8..c96dadbd4b 100644
--- a/src/topics/create.js
+++ b/src/topics/create.js
@@ -98,8 +98,8 @@ module.exports = function (Topics) {
 
 		const [categoryExists, canCreate, canTag, isAdmin] = await Promise.all([
 			parseInt(data.cid, 10) > 0 ? categories.exists(data.cid) : true,
-			privileges.categories.can('topics:create', data.cid, remoteUid ? -2 : uid),
-			privileges.categories.can('topics:tag', data.cid, remoteUid ? -2 : uid),
+			privileges.categories.can('topics:create', utils.isNumber(data.cid) ? data.cid : -1, remoteUid ? -2 : uid),
+			privileges.categories.can('topics:tag', utils.isNumber(data.cid) ? data.cid : -1, remoteUid ? -2 : uid),
 			privileges.users.isAdministrator(uid),
 		]);