From 90f63e8eb9d84324a831a4617a554f250dd36dcc Mon Sep 17 00:00:00 2001
From: OldHawk
Date: Sun, 16 Jul 2017 16:03:55 +0800
Subject: [PATCH] fix(forums): update/delete access check

---
 .../server/controllers/forums.server.controller.js | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/modules/forums/server/controllers/forums.server.controller.js b/modules/forums/server/controllers/forums.server.controller.js
index 31dc0d18..b3e0bb3e 100644
--- a/modules/forums/server/controllers/forums.server.controller.js
+++ b/modules/forums/server/controllers/forums.server.controller.js
@@ -369,7 +369,7 @@ exports.toggleTopicTopStatus = function (req, res) {
 exports.toggleTopicGlobalStatus = function (req, res) {
 var topic = req.topic;
 
- if (!req.user.isOper) {
+ if (!req.user.toJSON().isOper && !req.user.toJSON().isAdmin) {
 return res.status(403).json({
 message: 'ERROR: User is not authorized'
 });
@@ -850,7 +850,9 @@ exports.topicById = function (req, res, next, id) {
 * @returns {boolean}
 */
 function canEdit(u, f) {
- if (u.isOper) {
+ if (u.toJSON().isOper) {
+ return true;
+ } else if (u.toJSON().isAdmin) {
 return true;
 } else if (isModerator(f)) {
 return true;
@@ -862,7 +864,7 @@ function canEdit(u, f) {
 if (f) {
 var isM = false;
 f.moderators.forEach(function (m) {
- if (m._id === u._id) {
+ if (m._id.equals(u._id)) {
 isM = true;
 }
 });
@@ -880,7 +882,7 @@ function canEdit(u, f) {
 */
 function isOwner(u, o) {
 if (o) {
- if (o.user._id.str === u._id) {
+ if (o.user._id.equals(u._id)) {
 return true;
 } else {
 return false;
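Review bot: `req.user.toJSON()` is evaluated twice in the new condition of toggleTopicGlobalStatus; take it once — `var user = req.user.toJSON();` followed by `if (!user.isOper && !user.isAdmin) {` — so both role flags are read from the same snapshot and the condition reads as a single check. The same isOper/isAdmin test is repeated in canEdit in the second hunk, so a shared predicate (for example `isPrivileged(u)` returning `u.toJSON().isOper || u.toJSON().isAdmin`) would keep the two authorization paths from drifting apart when a role is added or renamed. The move from `req.user.isOper` to `.toJSON().isOper` presumably works around a field that is not reachable on the document itself; a one-line comment stating why would help, since `.toJSON()` throws if req.user is ever a plain object rather than a model instance, and that failure surfaces as a 500 on an authorization path. toggleTopicGlobalStatus continues past the end of this hunk.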
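Review bot: The two new branches at the top of canEdit both return true and differ only in the flag they test, so they collapse into one condition: `var user = u.toJSON();`, `if (user.isOper || user.isAdmin) {`, `return true;`. The same isOper/isAdmin check is hand-written again in toggleTopicGlobalStatus in the first hunk; one shared predicate would prevent the admin grant from being present in one place and missing in the other. canEdit continues past the end of this hunk.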
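Review bot: `m._id.equals(u._id)` assumes every entry of `f.moderators` is a populated user document; if the array is ever stored or loaded as bare ObjectIds, `m._id` may be undefined and the callback throws, turning a moderator check into a 500 instead of a deny. If population is guaranteed at every call site a comment saying so would make that dependency visible; otherwise normalising first, `var id = m._id || m;` then `id.equals(u._id)`, covers both shapes. The forEach-plus-flag loop could also be expressed with `Array.prototype.some`, but that touches lines outside the hunk. The enclosing function (isModerator, judging by canEdit's call to it) starts before this hunk.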
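Review bot: The if/else in isOwner that returns true or false can be the comparison itself: `return o.user._id.equals(u._id);`. As in the previous hunk, `o.user._id` presumes `o.user` is a populated document (the removed `.str` comparison suggests it was an ObjectId before); if `o.user` can be an unpopulated ObjectId, `o.user._id` may be undefined and the `.equals` call throws — worth a guard or a comment stating that callers always populate it. isOwner's body continues after this hunk (the `if (o)` block is not closed here).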