From f6b92d241a87720fb93e0f564286e08470f095ea Mon Sep 17 00:00:00 2001
From: cryptoethic <44468286+cryptoethic@users.noreply.github.com>
Date: Fri, 5 Jun 2020 03:27:43 +0200
Subject: [PATCH] fix: checking correct permissions for user search (#8371)

* fix: checking correct permissions for user search
* fix: missing permissions porperty in openapi /api/search
---
 public/openapi/read.yaml | 8 ++++++++
 src/controllers/search.js | 11 ++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/public/openapi/read.yaml b/public/openapi/read.yaml
index c57e7c1257..8a60e0342f 100644
--- a/public/openapi/read.yaml
+++ b/public/openapi/read.yaml
@@ -4542,6 +4542,13 @@ paths:
 type: string
 searchDefaultSortBy:
 type: string
+ permissions:
+ type: object
+ properties:
+ users:
+ type: boolean
+ content:
+ type: boolean
 required:
 - posts
 - matchCount
@@ -4556,6 +4563,7 @@ paths:
 - showAsTopics
 - title
 - searchDefaultSortBy
+ - permissions
 - $ref: components/schemas/Pagination.yaml#/Pagination
 - $ref: components/schemas/Breadcrumbs.yaml#/Breadcrumbs
 - $ref: components/schemas/CommonProps.yaml#/CommonProps
diff --git a/src/controllers/search.js b/src/controllers/search.js
index 1c5da9ce58..9f6aa10c68 100644
--- a/src/controllers/search.js
+++ b/src/controllers/search.js
@@ -9,6 +9,7 @@ const search = require('../search');
 const categories = require('../categories');
 const pagination = require('../pagination');
 const privileges = require('../privileges');
+const utils = require('../utils');
 const helpers = require('./helpers');
 const searchController = module.exports;
@@ -21,7 +22,13 @@ searchController.search = async function (req, res, next) {
 const searchOnly = parseInt(req.query.searchOnly, 10) === 1;
- const allowed = await privileges.global.can('search:content', req.uid);
+ const permissions = await utils.promiseParallel({
+ users: privileges.global.can('search:users', req.uid),
+ content: privileges.global.can('search:content', req.uid),
+ });
+
+ const allowed = (req.query.in === 'users') ? permissions.users : permissions.content;
+
 if (!allowed) {
 return helpers.notAllowed(req, res);
 }
@@ -77,6 +84,8 @@ searchController.search = async function (req, res, next) {
 searchData.title = '[[global:header.search]]';
 searchData.searchDefaultSortBy = meta.config.searchDefaultSortBy || '';
+ searchData.permissions = permissions;
+
 res.render('search', searchData);
 };
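Review bot: The privilege gate in the first hunk of this line keys on a single exact match of the user-controlled `req.query.in`, so every other value — including an array from a repeated or `in[]=` query parameter, which fails strict equality — is authorized by `search:content`; that is only correct as long as content search is the sole other target the rest of `searchController.search` (whose body continues outside the hunk) can reach. If the search module also serves a target backed by its own privilege (NodeBB's global privilege list appears to include `search:tags`, which this hunk does not consult), that target would be gated by the wrong check, so a small target-to-privilege map with content as the default would keep the gate and the downstream search mode aligned. At minimum, add `// Gate on the privilege of the requested search target; any value other than 'users' is treated as a content search.` above the `const allowed` line, since the template also receives both flags via `searchData.permissions` in the following hunk and a reader needs to know why only one of them decides access.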