From de4f016f50abd6559bfa08f3b7d4fd800e45f85d Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Mon, 23 Feb 2026 13:26:39 -0500
Subject: [PATCH] fix: #14007, deny access for guests to topics in cid -1,
 unless a post from a local user exists

---
 src/controllers/topics.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/controllers/topics.js b/src/controllers/topics.js
index a459c3a99f..d5df96bf9e 100644
--- a/src/controllers/topics.js
+++ b/src/controllers/topics.js
@@ -41,10 +41,12 @@ topicsController.get = async function getTopic(req, res, next) {
 		userPrivileges,
 		settings,
 		rssToken,
+		uids,
 	] = await Promise.all([
 		privileges.topics.get(tid, req.uid),
 		user.getSettings(req.uid),
 		user.auth.getFeedToken(req.uid),
+		topics.getUids(tid),
 	]);
 
 	let currentPage = parseInt(req.query.page, 10) || 1;
@@ -53,7 +55,8 @@ topicsController.get = async function getTopic(req, res, next) {
 	if (
 		userPrivileges.disabled ||
 		invalidPagination ||
-		(topicData.scheduled && !userPrivileges.view_scheduled)
+		(topicData.scheduled && !userPrivileges.view_scheduled) ||
+		(!req.uid && (topicData.cid === -1 && !uids.filter(uid => utils.isNumber(uid)).length))
 	) {
 		return next();
 	}