From 795b00a3af311f8d97a652947801c67b6226358c Mon Sep 17 00:00:00 2001
From: barisusakli <barisusakli@gmail.com>
Date: Fri, 1 Jul 2016 13:01:09 +0300
Subject: [PATCH] closes #4810

---
 src/controllers/api.js      | 110 +++++++++++++++++++++++++-----------
 src/privileges/posts.js     |  30 ++++++----
 src/socket.io/categories.js |   2 +-
 src/socket.io/posts.js      |  12 +---
 src/socket.io/topics.js     |  12 +---
 5 files changed, 100 insertions(+), 66 deletions(-)

diff --git a/src/controllers/api.js b/src/controllers/api.js
index 0139b9a3d3..4b84d44ef8 100644
--- a/src/controllers/api.js
+++ b/src/controllers/api.js
@@ -129,47 +129,93 @@ apiController.renderWidgets = function(req, res, next) {
 	});
 };
 
-apiController.getObject = function(req, res, next) {
-	apiController.getObjectByType(req.uid, req.params.type, req.params.id, function(err, results) {
-		if (err) {
-			return next(err);
+apiController.getPostData = function(pid, uid, callback) {
+	async.parallel({
+		privileges: function(next) {
+			privileges.posts.get([pid], uid, next);
+		},
+		post: function(next) {
+			posts.getPostData(pid, next);
+		}
+	}, function(err, results) {
+		if (err || !results.post) {
+			return callback(err);
 		}
 
-		res.json(results);
+		var post = results.post;
+		var privileges = results.privileges[0];
+
+		if (!privileges.read || !privileges['topics:read']) {
+			return callback();
+		}
+
+		post.ip = privileges.isAdminOrMod ? post.ip : undefined;
+		var selfPost = uid && uid === parseInt(post.uid, 10);
+		if (post.deleted && !(privileges.isAdminOrMod || selfPost)) {
+			post.content = '[[topic:post_is_deleted]]';
+		}
+		callback(null, post);
 	});
 };
 
-apiController.getObjectByType = function(uid, type, id, callback) {
+apiController.getTopicData = function(tid, uid, callback) {
+	async.parallel({
+		privileges: function(next) {
+			privileges.topics.get(tid, uid, next);
+		},
+		topic: function(next) {
+			topics.getTopicData(tid, next);
+		}
+	}, function(err, results) {
+		if (err || !results.topic) {
+			return callback(err);
+		}
+
+		if (!results.privileges.read || !results.privileges['topics:read'] || (parseInt(results.topic.deleted, 10) && !results.privileges.view_deleted)) {
+			return callback();
+		}
+		callback(null, results.topic);
+	});
+};
+
+apiController.getCategoryData = function(cid, uid, callback) {
+	async.parallel({
+		privileges: function(next) {
+			privileges.categories.get(cid, uid, next);
+		},
+		category: function(next) {
+			categories.getCategoryData(cid, next);
+		}
+	}, function(err, results) {
+		if (err || !results.category) {
+			return callback(err);
+		}
+
+		if (!results.privileges.read) {
+			return callback();
+		}
+		callback(null, results.category);
+	});
+};
+
+
+apiController.getObject = function(req, res, next) {
 	var methods = {
-		post: {
-			canRead: privileges.posts.can,
-			data: posts.getPostData
-		},
-		topic: {
-			canRead: privileges.topics.can,
-			data: topics.getTopicData
-		},
-		category: {
-			canRead: privileges.categories.can,
-			data: categories.getCategoryData
-		}
+		post: apiController.getPostData,
+		topic: apiController.getTopicData,
+		category: apiController.getCategoryData
 	};
-
-	if (!methods[type]) {
-		return callback();
+	var method = methods[req.params.type];
+	if (!method) {
+		return next();
 	}
-
-	async.waterfall([
-		function (next) {
-			methods[type].canRead('read', id, uid, next);
-		},
-		function (canRead, next) {
-			if (!canRead) {
-				return next(new Error('[[error:no-privileges]]'));
-			}
-			methods[type].data(id, next);
+	method(req.params.id, req.uid, function(err, result) {
+		if (err || !result) {
+			return next(err);
 		}
-	], callback);
+
+		res.json(result);
+	});
 };
 
 apiController.getUserByUID = function(req, res, next) {
diff --git a/src/privileges/posts.js b/src/privileges/posts.js
index 17fcb1fc74..a0d06f3600 100644
--- a/src/privileges/posts.js
+++ b/src/privileges/posts.js
@@ -19,17 +19,20 @@ module.exports = function(privileges) {
 			return callback(null, []);
 		}
 
-		async.parallel({
-			isAdmin: function(next){
-				user.isAdministrator(uid, next);
+		async.waterfall([
+			function(next) {
+				posts.getCidsByPids(pids, next);
 			},
-			isModerator: function(next) {
-				posts.isModerator(pids, uid, next);
-			},
-			isOwner: function(next) {
-				posts.isOwner(pids, uid, next);
+			function(cids, next) {
+				async.parallel({
+					isAdmin: async.apply(user.isAdministrator, uid),
+					isModerator: async.apply(posts.isModerator, pids, uid),
+					isOwner: async.apply(posts.isOwner, pids, uid),
+					'topics:read': async.apply(helpers.isUserAllowedTo, 'topics:read', uid, cids),
+					read: async.apply(helpers.isUserAllowedTo, 'read', uid, cids),
+				}, next);
 			}
-		}, function(err, results) {
+		], function(err, results) {
 			if (err) {
 				return callback(err);
 			}
@@ -37,11 +40,16 @@ module.exports = function(privileges) {
 			var privileges = [];
 
 			for (var i=0; i<pids.length; ++i) {
-				var editable = results.isAdmin || results.isModerator[i] || results.isOwner[i];
+				var isAdminOrMod = results.isAdmin || results.isModerator[i];
+				var editable = isAdminOrMod || results.isOwner[i];
+
 				privileges.push({
 					editable: editable,
 					view_deleted: editable,
-					move: results.isAdmin || results.isModerator[i]
+					move: isAdminOrMod,
+					isAdminOrMod: isAdminOrMod,
+					'topics:read': results['topics:read'][i] || isAdminOrMod,
+					read: results.read[i] || isAdminOrMod
 				});
 			}
 
diff --git a/src/socket.io/categories.js b/src/socket.io/categories.js
index 262a5e8a41..545938d718 100644
--- a/src/socket.io/categories.js
+++ b/src/socket.io/categories.js
@@ -193,7 +193,7 @@ SocketCategories.isModerator = function(socket, cid, callback) {
 };
 
 SocketCategories.getCategory = function(socket, cid, callback) {
-	apiController.getObjectByType(socket.uid, 'category', cid, callback);
+	apiController.getCategoryData(cid, socket.uid, callback);
 };
 
 module.exports = SocketCategories;
diff --git a/src/socket.io/posts.js b/src/socket.io/posts.js
index d08495d877..3251c3700c 100644
--- a/src/socket.io/posts.js
+++ b/src/socket.io/posts.js
@@ -73,17 +73,7 @@ SocketPosts.getRawPost = function(socket, pid, callback) {
 };
 
 SocketPosts.getPost = function(socket, pid, callback) {
-	async.waterfall([
-		function(next) {
-			apiController.getObjectByType(socket.uid, 'post', pid, next);
-		},
-		function(postData, next) {
-			if (parseInt(postData.deleted, 10) === 1) {
-				return next(new Error('[[error:no-post]]'));
-			}
-			next(null, postData);
-		}
-	], callback);
+	apiController.getPostData(pid, socket.uid, callback);
 };
 
 SocketPosts.loadMoreFavourites = function(socket, data, callback) {
diff --git a/src/socket.io/topics.js b/src/socket.io/topics.js
index 0b8c170d8e..48f24700b1 100644
--- a/src/socket.io/topics.js
+++ b/src/socket.io/topics.js
@@ -111,17 +111,7 @@ SocketTopics.isModerator = function(socket, tid, callback) {
 };
 
 SocketTopics.getTopic = function (socket, tid, callback) {
-	async.waterfall([
-		function (next) {
-			apiController.getObjectByType(socket.uid, 'topic', tid, next);
-		},
-		function (topicData, next) {
-			if (parseInt(topicData.deleted, 10) === 1) {
-				return next(new Error('[[error:no-topic]]'));
-			}
-			next(null, topicData);
-		}
-	], callback);
+	apiController.getTopicData(tid, socket.uid, callback);
 };
 
 module.exports = SocketTopics;