From 90b95db77b2170cf439cfa4078c746c225287126 Mon Sep 17 00:00:00 2001
From: "Rob Swindell (on Windows 11)" <rob@synchro.net>
Date: Tue, 8 Apr 2025 15:55:07 -0700
Subject: [PATCH] Add/use user_can_access_grp() to resolve issue #905

If a message group has no sub-boards (or no sub-boards that ther user can
access) then the user cannot access the group, so don't include the group in
JS msg_area.grp_list[].
---
 src/sbbs3/js_msg_area.c |  2 +-
 src/sbbs3/userdat.c     | 16 ++++++++++++++++
 src/sbbs3/userdat.h     |  1 +
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/src/sbbs3/js_msg_area.c b/src/sbbs3/js_msg_area.c
index cbc540ebd4..46875bbcd6 100644
--- a/src/sbbs3/js_msg_area.c
+++ b/src/sbbs3/js_msg_area.c
@@ -500,7 +500,7 @@ JSBool js_msg_area_resolve(JSContext* cx, JSObject* areaobj, jsid id)
 
 			val = OBJECT_TO_JSVAL(grpobj);
 			grp_index = -1;
-			if (p->user == NULL || chk_ar(p->cfg, p->cfg->grp[l]->ar, p->user, p->client)) {
+			if (p->user == NULL || user_can_access_grp(p->cfg, l, p->user, p->client)) {
 
 				if (!JS_GetArrayLength(cx, grp_list, (jsuint*)&grp_index))
 					return JS_FALSE;
diff --git a/src/sbbs3/userdat.c b/src/sbbs3/userdat.c
index c52e5083c7..662ac7634b 100644
--- a/src/sbbs3/userdat.c
+++ b/src/sbbs3/userdat.c
@@ -3591,6 +3591,22 @@ size_t user_field_len(enum user_field fnum)
 	}
 }
 
+/****************************************************************************/
+// Determine if the specified user can access one or more sub-boards of group
+/****************************************************************************/
+bool user_can_access_grp(scfg_t* cfg, int grpnum, user_t* user, client_t* client)
+{
+	uint count = 0;
+
+	for (int subnum = 0; subnum < cfg->total_subs; ++subnum) {
+		if (cfg->sub[subnum]->grp != grpnum)
+			continue;
+		if (user_can_access_sub(cfg, subnum, user, client)) // checks grp's AR already
+			count++;
+	}
+	return count >= 1; // User has access to one or more sub-boards of group
+}
+
 /****************************************************************************/
 /* Determine if the specified user can or cannot access the specified sub	*/
 /****************************************************************************/
diff --git a/src/sbbs3/userdat.h b/src/sbbs3/userdat.h
index 622d8174e0..a04744540e 100644
--- a/src/sbbs3/userdat.h
+++ b/src/sbbs3/userdat.h
@@ -156,6 +156,7 @@ DLLEXPORT bool  user_can_access_all_libs(scfg_t*, user_t*, client_t*);
 DLLEXPORT bool  user_can_access_all_dirs(scfg_t*, int libnum, user_t*, client_t*);
 DLLEXPORT bool  user_can_access_lib(scfg_t*, int libnum, user_t*, client_t*);
 DLLEXPORT bool  user_can_access_dir(scfg_t*, int dirnum, user_t*, client_t* client);
+DLLEXPORT bool  user_can_access_grp(scfg_t*, int subnum, user_t*, client_t* client);
 DLLEXPORT bool  user_can_access_sub(scfg_t*, int subnum, user_t*, client_t* client);
 DLLEXPORT bool  user_can_read_sub(scfg_t*, int subnum, user_t*, client_t* client);
 DLLEXPORT bool  user_can_post(scfg_t*, int subnum, user_t*, client_t* client, uint* reason);
-- 
GitLab