From b5d3fcb8d4ec29d072779480c5afcca1201e5300 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan <hypolite@mrpetovan.com>
Date: Sat, 14 Nov 2020 07:41:01 -0500
Subject: [PATCH] Move top-level permission check outside of
 Model\Item::getTopLevelParentData

- It wasn't checked when the direct parent was also the top-level parent
---
 src/Model/Item.php | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/Model/Item.php b/src/Model/Item.php
index 508cb691c8..fc4d81e432 100644
--- a/src/Model/Item.php
+++ b/src/Model/Item.php
@@ -1514,13 +1514,6 @@ class Item
 			return [];
 		}
 
-		// If the thread originated from this node, we check the permission against the thread starter
-		$condition = ['uri' => $toplevel_parent['uri'], 'wall' => true];
-		$localTopLevelParent = self::selectFirst(['uid'], $condition);
-		if (!empty($localTopLevelParent['uid']) && !self::isAllowedByUser($item, $localTopLevelParent['uid'])) {
-			return [];
-		}
-
 		return $toplevel_parent;
 	}
 
@@ -1689,6 +1682,13 @@ class Item
 				return 0;
 			}
 
+			// If the thread originated from this node, we check the permission against the thread starter
+			$condition = ['uri' => $toplevel_parent['uri'], 'wall' => true];
+			$localTopLevelParent = self::selectFirst(['uid'], $condition);
+			if (!empty($localTopLevelParent['uid']) && !self::isAllowedByUser($item, $localTopLevelParent['uid'])) {
+				return 0;
+			}
+
 			$parent_id          = $toplevel_parent['id'];
 			$item['parent-uri'] = $toplevel_parent['uri'];
 			$item['deleted']    = $toplevel_parent['deleted'];