diff --git a/src/api/posts.js b/src/api/posts.js
index add4fd82a4..fe53439625 100644
--- a/src/api/posts.js
+++ b/src/api/posts.js
@@ -514,9 +514,11 @@ postsAPI.getReplies = async (caller, { pid }) => {
 };
 postsAPI.endorse = async (caller, { pid }) => {
+ console.log("VICKYC3", pid, caller.uid);
 return await posts.endorse(pid, caller.uid);
 };
 postsAPI.unendorse = async (caller, { pid }) => {
+ console.log("VICKYC4", pid, caller.uid);
 return await posts.unendorse(pid, caller.uid);
 };
diff --git a/src/posts/endorsements.js b/src/posts/endorsements.js
index d6e5498ece..87cde6f93e 100644
--- a/src/posts/endorsements.js
+++ b/src/posts/endorsements.js
@@ -2,9 +2,11 @@
 const db = require('../database');
 const plugins = require('../plugins');
+const privileges = require('../privileges');
 module.exports = function (Posts) {
 Posts.endorse = async function (pid, uid) {
+ console.log("Calling toggleEndorse with UID VICKY2:", uid);
 return await toggleEndorse('endorse', pid, uid);
 };
@@ -16,6 +18,12 @@ module.exports = function (Posts) {
 if (parseInt(uid, 10) <= 0) {
 throw new Error('[[error:not-logged-in]]');
 }
+ console.log("USER ID BEFORE CALLING CAN ENDORSE VICKY: ", uid);
+ const isAllowed = await privileges.posts.canEndorse(uid);
+
+ if (!isAllowed) {
+ throw new Error('[[error:permission-denied]]');
+ }
 const isEndorsing = type === 'endorse';
diff --git a/src/privileges/posts.js b/src/privileges/posts.js
index fbd6858282..bc5a64c88a 100644
--- a/src/privileges/posts.js
+++ b/src/privileges/posts.js
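Review bot: The `console.log("VICKYC3", pid, caller.uid)` and `console.log("VICKYC4", pid, caller.uid)` lines in `postsAPI.endorse` and `postsAPI.unendorse` are leftover debug traces that write caller uids and post ids to stdout on every request, and should be deleted before merge. The same tagged tracing is added in `Posts.endorse` and `toggleEndorse` (src/posts/endorsements.js), throughout `privsPosts.canEndorse` (where ordinary progress messages go to `console.error`), in `SocketPosts.endorse`, and in the test helper and specs. If any of it is worth keeping, it belongs behind the project's logger at a debug level, assuming one is available in these modules, with the personal tags removed.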
@@ -225,6 +225,26 @@ privsPosts.canPurge = async function (pid, uid) {
 return (results.purge && (results.owner || results.isModerator)) || results.isAdmin;
 };
+privsPosts.canEndorse = async function (uid) {
+ console.log("CAN ENDORSE FUNCTION IS BEING CALLED");
+ if (parseInt(uid, 10) <= 0) {
+ console.error("VICKY CHEN HERE");
+ console.error("Invalid UID", uid);
+ return false;
+ }
+ console.error("Checking if UID", uid, "is admin...");
+ const isAdmin = await user.isAdministrator(uid);
+ console.error("isAdmin result for UID VICKY13", uid, ":", isAdmin);
+ if (isAdmin) {
+ console.log("True VICKY14");
+ return true;
+ }
+ console.error("Checking if UID", uid, "is global moderator...");
+ const isGlobalMod = await user.isGlobalModerator(uid);
+ console.error("isGlobalMod result for UID", uid, ":", isGlobalMod);
+ return isGlobalMod;
+};
+
 async function isAdminOrMod(pid, uid) {
 if (parseInt(uid, 10) <= 0) {
 return false;
diff --git a/src/socket.io/posts/tools.js b/src/socket.io/posts/tools.js
index 5c1f97845d..893cd2c86f 100644
--- a/src/socket.io/posts/tools.js
+++ b/src/socket.io/posts/tools.js
@@ -94,12 +94,21 @@ module.exports = function (SocketPosts) {
 await Promise.all(logs);
 };
+ // SocketPosts.endorse = async function (socket, data) {
+ // if (!data || !data.pid) {
+ // throw new Error('[[error:invalid-data]]');
+ // }
+ // return await apiPosts.endorse(socket, { pid: data.pid });
+ // };
+
 SocketPosts.endorse = async function (socket, data) {
- if (!data || !data.pid) {
- throw new Error('[[error:invalid-data]]');
+ console.log("VICKY8 Socket handshake query: ", socket.handshake.query);
+ const uid = socket.handshake.query.uid;
+ if (!uid || !data || !data.pid ) {
+ throw new Error('[error:invalid-data');
 }
- return await apiPosts.endorse(socket, { pid: data.pid });
- };
+ return await apiPosts.endorse({ uid }, { pid: data.pid });
+ }
 SocketPosts.unendorse = async function (socket, data) {
 if (!data || !data.pid) {
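Review bot: The guard `if (parseInt(uid, 10) <= 0)` in `privsPosts.canEndorse` lets a missing or non-numeric uid through, because `parseInt` then yields `NaN` and `NaN <= 0` is false, so the value reaches `user.isAdministrator(uid)` unvalidated. A permission predicate should fail closed: `if (!(parseInt(uid, 10) > 0)) { return false; }`. The context lines show the same comparison in `isAdminOrMod`, whose body continues outside the hunk and is not part of this change. Since the function takes no `pid`, a comment such as `// Endorsing is limited to administrators and global moderators; it does not depend on the post or its category.` would record that this is intended.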
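Review bot: `SocketPosts.endorse` now takes the caller's identity from `socket.handshake.query.uid`, a value chosen by the connecting client, so the `canEndorse` check added in this commit is evaluated against whatever uid the client sent rather than against the authenticated session. The removed line passed `socket` itself as the caller; restore `return await apiPosts.endorse(socket, { pid: data.pid });` and drop the `uid` query parameter added to `helpers.connectSocketIO` in test/helpers/index.js. The error key was also changed to the malformed `'[error:invalid-data'` and should stay `'[[error:invalid-data]]'`. The `console.log` of `socket.handshake.query` writes the `_csrf` value to the server log, the closing `}` lost its semicolon, and the commented-out copy of the old handler should be deleted rather than committed.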
diff --git a/test/helpers/index.js b/test/helpers/index.js
index e71a05edaa..dc87ec0fe0 100644
--- a/test/helpers/index.js
+++ b/test/helpers/index.js
@@ -59,9 +59,12 @@ helpers.logoutUser = async function (jar) {
 return { response, body };
 };
-helpers.connectSocketIO = function (res, csrf_token) {
+helpers.connectSocketIO = function (res, csrf_token, uid) {
+ console.log("VICKY7 UID passed to connectSocketIO", uid);
+
 const io = require('socket.io-client');
 const cookie = res.headers['set-cookie'];
+
 const socket = io(nconf.get('base_url'), {
 path: `${nconf.get('relative_path')}/socket.io`,
 extraHeaders: {
@@ -70,6 +73,7 @@ helpers.connectSocketIO = function (res, csrf_token) {
 },
 query: {
 _csrf: csrf_token,
+ uid: uid
 },
 });
 return new Promise((resolve, reject) => {
diff --git a/test/posts.js b/test/posts.js
index f797522bb5..d2854db51a 100644
--- a/test/posts.js
+++ b/test/posts.js
@@ -133,33 +133,86 @@ describe('Post\'s', () => {
 });
 describe('endorsing and unendorsing', function () {
- let testPid;
- let testUid;
+ let adminUid;
+ let globalModUid;
+ let regularUserUid;
+ let postResult;
 before(async () => {
- testUid = await user.create({ username: 'endorser' });
- const postResult = await topics.post({
- uid: testUid,
- cid: cid,
- title: 'test topic for endorsement feature',
- content: 'endorsement topic content',
- });
- testPid = postResult.postData.pid;
+ // adminUid = await user.create({ username: 'admin' });
+ // await groups.join('administrators', adminUid);
+
+ adminUid = await user.create({ username: 'admin', password: '123456' });
+ console.log("Admin UID VICKY9:", adminUid);
+ await groups.join('administrators', adminUid);
+
+ globalModUid = await user.create({ username: 'global mod' });
+ await groups.join('Global Moderators', globalModUid);
+
+ regularUserUid = await user.create({ username: 'regular user' });
+
+ ({ cid } = await categories.create({
+ name: 'test endorsement category',
+ description: 'category for testing endorsements',
+ }));
+
+ postResult = await topics.post({
+ uid: regularUserUid,
+ cid: cid,
+ title: 'test topic for endorsement feature',
+ content: 'endorsement topic content',
+ });
 });
- it('should mark post as endorsed', async function () {
- const caller = { uid: testUid };
- const data = { pid: testPid };
- const result = await apiPosts.endorse(caller, data);
- assert.strictEqual(result.isEndorsed, true);
+ // it('should allow an admin to endorse a post', async function () {
+ // console.log("VICKY10", postResult.postData.pid, adminUid)
+ // const result = await apiPosts.endorse(postResult.postData.pid, adminUid);
+ // console.log("VICKYC11 Endorsement result:", result);
+ // assert.strictEqual(result.isEndorsed, true);
+ // });
+
+ it('should allow an admin to endorse a post', async function () {
+ try {
+ console.log("VICKY10", postResult.postData.pid, adminUid);
+ const result = await apiPosts.endorse(postResult.postData.pid, adminUid);
+ console.log("Endorsement result:", result); // This will log the result if it works
+ assert.strictEqual(result.isEndorsed, true);
+ } catch (err) {
+ console.error("Endorsement failed with error:", err); // This will log the actual error
+ }
+ });
+
+ it('should allow a global mod to endorse a post', async function () {
+ const result = await apiPosts.endorse(postResult.postData.pid, globalModUid);
+ assert.strictEqual(result.isEndorsed, true);
 });
- it('should change post to unendorsed', async function () {
- await apiPosts.endorse({ uid: testUid }, { pid: testPid });
- const caller = { uid: testUid };
- const data = { pid: testPid };
- const result = await apiPosts.unendorse(caller, data);
- assert.strictEqual(result.isEndorsed, false);
+ it('should not allow a regular user to endorse a post', async () => {
+ try {
+ await apiPosts.endorse(postResult.postData.pid, regularUserUid);
+ assert.fail('Regular user should not be able to endorse a post');
+ } catch (err) {
+ assert.strictEqual(err.message, '[[error:permission-denied]]');
+ }
+ });
+
+ it('should allow an admin to unendorse a post', async () => {
+ const result = await apiPosts.unendorse(postResult.postData.pid, adminUid);
+ assert.strictEqual(result.isEndorsed, false);
+ });
+
+ it('should allow a global mod to unendorse a post', async () => {
+ const result = await apiPosts.unendorse(postResult.postData.pid, globalModUid);
+ assert.strictEqual(result.isEndorsed, false);
+ });
+
+ it('should not allow a regular user to unendorse a post', async function () {
+ try {
+ await apiPosts.unendorse(postResult.postData.pid, regularUserUid);
+ assert.fail('Regular user should not be able to unendorse a post');
+ } catch (err) {
+ assert.strictEqual(err.message, '[[error:permission-denied]]');
+ }
 });
 });
diff --git a/test/socket.io.js b/test/socket.io.js
index 6c0a5a2367..c6a5d1d774 100644
--- a/test/socket.io.js
+++ b/test/socket.io.js
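Review bot: Every new call passes `(pid, uid)` positionally, e.g. `apiPosts.endorse(postResult.postData.pid, adminUid)`, while `postsAPI.endorse` in src/api/posts.js is declared as `(caller, { pid })`, so both `caller.uid` and `pid` are undefined inside the API. The two "should not allow" cases therefore most likely receive `[[error:permission-denied]]` for an undefined uid rather than for the regular user, and the admin case wraps its assertion in a `try/catch` that only logs, so it can never fail. Pass `{ uid }` and `{ pid }` objects, let failures propagate, and use `assert.rejects` for the denied cases, as sketched below for two of the six tests. The commented-out duplicate test and the tagged tracing should be removed as well.

```javascript
it('should allow an admin to endorse a post', async () => {
	const result = await apiPosts.endorse({ uid: adminUid }, { pid: postResult.postData.pid });
	assert.strictEqual(result.isEndorsed, true);
});

it('should not allow a regular user to endorse a post', async () => {
	await assert.rejects(
		apiPosts.endorse({ uid: regularUserUid }, { pid: postResult.postData.pid }),
		{ message: '[[error:permission-denied]]' }
	);
});
// … global-mod and unendorse cases: same argument shape, no try/catch around positive assertions …
```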
@@ -50,7 +50,12 @@ describe('socket.io', () => {
 it('should connect and auth properly', async () => {
 const { response, csrf_token } = await helpers.loginUser('admin', 'adminpwd');
- io = await helpers.connectSocketIO(response, csrf_token);
+ console.log("VICKY5 Login response object: ", response);
+
+ const uid = response.user?.uid || 'No UID';
+ console.log("VICKY6 Retrieved UID: ", uid);
+
+ io = await helpers.connectSocketIO(response, csrf_token, uid);
 assert(io);
 assert(io.emit);
 });
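Review bot: `const uid = response.user?.uid || 'No UID';` turns a missing uid into the string `'No UID'`, which is then sent to the server as the socket's uid, and the test still passes because it only asserts that `io` and `io.emit` exist. Whether `response.user` is populated by `helpers.loginUser` is not visible in this hunk; if the uid is needed at all, the test should assert on it rather than substitute a placeholder. `console.log("VICKY5 Login response object: ", response)` also dumps the whole login response into test output, and `connectSocketIO` reads `res.headers['set-cookie']` from that same object, so the session cookie ends up in CI logs.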