client/auth: fix masstag privilege bypass

Visiting mass-tag URL directly ignored masstag privileges and showed
tag/untag controls (although didn't show the controls in the header).
After this change, bypassing mass tag privileges got a little bit
harder. (It's still possible for the user to talk directly to the API
after all.)
rr- 2016-08-23 21:26:33 +02:00
parent 1e9ee0838a
commit 4ca7c49239
2 changed files with 2 additions and 1 deletions


@ -35,7 +35,7 @@
</span>
<% } %>
</a>
<% if (ctx.parameters && ctx.parameters.tag) { %>
<% if (ctx.canMassTagg && ctx.parameters && ctx.parameters.tag) { %>
<a href data-post-id='<%= post.id %>' class='masstag'>
</a>
<% } %>
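Review bot: The new condition reads `ctx.canMassTagg` (double g), but the controller section of this commit sets `canMassTag` on the page context, so as shown the flag is always undefined and the `masstag` link is never rendered, even for users who hold `tags:masstag`. The check fails closed, so it does not reopen the bypass, but it hides the feature from everyone and the privilege value is never actually consulted in this template. Suggested line: `<% if (ctx.canMassTag && ctx.parameters && ctx.parameters.tag) { %>`. The surrounding template block starts and ends outside the hunk, so this assumes nothing else assigns `canMassTagg`.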


@ -48,6 +48,7 @@ class PostListController {
pageRenderer: pageCtx => {
Object.assign(pageCtx, {
canViewPosts: api.hasPrivilege('posts:view'),
canMassTag: api.hasPrivilege('tags:masstag'),
massTagTags: this._massTagTags,
});
const view = new PostsPageView(pageCtx);