fix: #14007, deny access for guests to topics in cid -1, unless a post from a local user exists

This commit is contained in:
Julian Lam
2026-02-23 13:26:39 -05:00
parent c1581a1259
commit de4f016f50

View File

@@ -41,10 +41,12 @@ topicsController.get = async function getTopic(req, res, next) {
userPrivileges,
settings,
rssToken,
uids,
] = await Promise.all([
privileges.topics.get(tid, req.uid),
user.getSettings(req.uid),
user.auth.getFeedToken(req.uid),
topics.getUids(tid),
]);
let currentPage = parseInt(req.query.page, 10) || 1;
@@ -53,7 +55,8 @@ topicsController.get = async function getTopic(req, res, next) {
if (
userPrivileges.disabled ||
invalidPagination ||
(topicData.scheduled && !userPrivileges.view_scheduled)
(topicData.scheduled && !userPrivileges.view_scheduled) ||
(!req.uid && (topicData.cid === -1 && !uids.filter(uid => utils.isNumber(uid)).length))
) {
return next();
}