fix: gate crossposting behind new topics:crosspost privilege

src/topics/crossposts.js

@@ -6,6 +6,7 @@ const topics = require('.');
 const user = require('../user');
 const categories = require('../categories');
 const posts = require('../posts');
+const privileges = require('../privileges');
 const activitypub = require('../activitypub');
 const utils = require('../utils');
 
@@ -56,10 +57,16 @@ Crossposts.add = async function (tid, cid, uid) {
 	if (!utils.isNumber(cid)) {
 		await activitypub.actors.assert(cid);
 	}
-	const exists = await categories.exists(cid);
+	const [exists, allowed] = await Promise.all([
+		categories.exists(cid),
+		uid === 0 || privileges.categories.can('topics:crosspost', cid, uid),
+	]);
 	if (!exists) {
 		throw new Error('[[error:invalid-cid]]');
 	}
+	if (!allowed) {
+		throw new Error('[[error:not-allowed]]');
+	}
 	if (uid < 0) {
 		throw new Error('[[error:invalid-uid]]');
 	}

test/topics/crossposts.js

@@ -87,10 +87,19 @@ describe('Crossposting (& related logic)', () => {
 		it('should not allow a spider (uid -1) to crosspost', async () => {
 			await assert.rejects(
 				topics.crossposts.add(tid, cid2, -1),
-				{ message: '[[error:invalid-uid]]' }
+				{ message: '[[error:not-allowed]]' }
 			);
 		});
 
+		it('should not allow a crosspost if privilege is missing', async () => {
+			await privileges.categories.rescind(['groups:topics:crosspost'], cid2, 'registered-users');
+			await assert.rejects(
+				topics.crossposts.add(tid, cid2, uid),
+				{ message: '[[error:not-allowed]]' }
+			);
+			await privileges.categories.give(['groups:topics:crosspost'], cid2, 'registered-users');
+		});
+
 		it('should successfully crosspost to another cid', async () => {
 			const crossposts = await topics.crossposts.add(tid, cid2, uid);