From fe42fd4ebcc338f56eb3cd80809fa6d4fe956d33 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Thu, 21 Sep 2023 17:05:45 -0400
Subject: [PATCH] fix: #12025, validity checking on user-provided toPid value
---
 src/posts/create.js | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/posts/create.js b/src/posts/create.js
index c95ba3535e..ae9ebdbc85 100644
--- a/src/posts/create.js
+++ b/src/posts/create.js
@@ -9,6 +9,7 @@ const user = require('../user');
 const topics = require('../topics');
 const categories = require('../categories');
 const groups = require('../groups');
+const privileges = require('../privileges');
 const utils = require('../utils');
 module.exports = function (Posts) {
@@ -24,8 +25,17 @@ module.exports = function (Posts) {
 throw new Error('[[error:invalid-uid]]');
 }
- if (data.toPid && !utils.isNumber(data.toPid)) {
- throw new Error('[[error:invalid-pid]]');
+ if (data.toPid) {
+ const toPidExists = await Posts.exists(data.toPid);
+ const toPidDeleted = await Posts.getPostField(data.toPid, 'deleted');
+ const canViewToPid = await privileges.posts.can('posts:view_deleted', data.toPid, uid);
+
+ if (
+ !utils.isNumber(data.toPid) || !toPidExists ||
+ (toPidDeleted && !canViewToPid)
+ ) {
+ throw new Error('[[error:invalid-pid]]');
+ }
 }
 const pid = await db.incrObjectField('global', 'nextPid');
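Review bot: In the second hunk, the three lookups at the top of the new `if (data.toPid)` block run on the user-supplied value before `utils.isNumber(data.toPid)` is evaluated, so a non-numeric toPid is still passed to `Posts.exists`, `Posts.getPostField` and `privileges.posts.can` before it is rejected. Reject it first with `if (!utils.isNumber(data.toPid)) { throw new Error('[[error:invalid-pid]]'); }` ahead of the `Posts.exists` call, and keep only the existence and deleted checks in the later condition. The new check also does not confirm that the parent post belongs to the topic being replied to or that `uid` can read it; whether that is enforced elsewhere is not visible here, since the enclosing function starts and ends outside the hunk.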