From 4ca7c49239dfe30f90221f0b24dc587cdfc5cf42 Mon Sep 17 00:00:00 2001
From: rr-
Date: Tue, 23 Aug 2016 21:26:33 +0200
Subject: [PATCH] client/auth: fix masstag privilege bypass

Visiting mass-tag URL directly ignored masstag privileges and showed tag/untag controls (although didn't show the controls in the header). After this change, bypassing mass tag privileges got a little bit harder. (It's still possible for the user to talk directly to the API after all.)
---
 client/html/posts_page.tpl | 2 +-
 client/js/controllers/post_list_controller.js | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/client/html/posts_page.tpl b/client/html/posts_page.tpl
index 7080aa53..ce0c4fa1 100644
--- a/client/html/posts_page.tpl
+++ b/client/html/posts_page.tpl
@@ -35,7 +35,7 @@
 <% } %>
- <% if (ctx.parameters && ctx.parameters.tag) { %>
+ <% if (ctx.canMassTagg && ctx.parameters && ctx.parameters.tag) { %>
 <% } %>
diff --git a/client/js/controllers/post_list_controller.js b/client/js/controllers/post_list_controller.js
index d76e3f46..00da59db 100644
--- a/client/js/controllers/post_list_controller.js
+++ b/client/js/controllers/post_list_controller.js
@@ -48,6 +48,7 @@ class PostListController {
 pageRenderer: pageCtx => {
 Object.assign(pageCtx, {
 canViewPosts: api.hasPrivilege('posts:view'),
+ canMassTag: api.hasPrivilege('tags:masstag'),
 massTagTags: this._massTagTags,
 });
 const view = new PostsPageView(pageCtx);
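Review bot: The added condition in posts_page.tpl reads `ctx.canMassTagg` (double g), while the controller hunk in this same patch sets the key as `canMassTag`, so the flag is always undefined in the template and the guarded block is never rendered, for privileged users as well. The line should read `<% if (ctx.canMassTag && ctx.parameters && ctx.parameters.tag) { %>`. As written the check fails closed, which hides the controls from unprivileged users but also removes them for everyone else; rendering the page with an account that holds `tags:masstag` would confirm this. The markup between this `if` and its closing `<% } %>` is not visible in the hunk.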
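Review bot: `canMassTag` is a display flag computed in the browser, and nothing on the added line tells a later reader that it is not an authorization check. A short comment above it would make that explicit, e.g. `// UI gating only; the server must enforce the privilege on the tag-edit requests themselves`. `massTagTags` is still passed to the view whether or not the privilege is held, so any view code that keys off that value alone (not visible here) would still behave as if mass tagging were active. The `pageRenderer` callback and its enclosing method start and end outside the hunk.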