Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2026-03-03 11:01:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: #14007, deny access for guests to topics in cid -1, unless a post from a local user exists

Browse Source
This commit is contained in:
Julian Lam
2026-02-23 13:26:39 -05:00
parent c1581a1259
commit de4f016f50
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/controllers/topics.js
View File

@@ -41,10 +41,12 @@ topicsController.get = async function getTopic(req, res, next) {
userPrivileges, userPrivileges,
settings, settings,
rssToken, rssToken,
uids,
] = await Promise.all([ ] = await Promise.all([
privileges.topics.get(tid, req.uid), privileges.topics.get(tid, req.uid),
user.getSettings(req.uid), user.getSettings(req.uid),
user.auth.getFeedToken(req.uid), user.auth.getFeedToken(req.uid),
topics.getUids(tid),
]); ]);
let currentPage = parseInt(req.query.page, 10) || 1; let currentPage = parseInt(req.query.page, 10) || 1;
@@ -53,7 +55,8 @@ topicsController.get = async function getTopic(req, res, next) {
if ( if (
userPrivileges.disabled || userPrivileges.disabled ||
invalidPagination || invalidPagination ||
(topicData.scheduled && !userPrivileges.view_scheduled) (topicData.scheduled && !userPrivileges.view_scheduled) ||
(!req.uid && (topicData.cid === -1 && !uids.filter(uid => utils.isNumber(uid)).length))
) { ) {
return next(); return next();
} }