fix: deleting images does not have any permission checks

FriendsOfFlarum · Jul 29, 2024 · d946f77 · d946f77
1 parent 2a6e199
commit d946f77
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 0 deletions.
diff --git a/src/Api/Controllers/DeletePollImageByNameController.php b/src/Api/Controllers/DeletePollImageByNameController.php
@@ -13,6 +13,7 @@
 
 use Flarum\Http\RequestUtil;
 use FoF\Polls\Events\PollImageDeleting;
+use FoF\Polls\Poll;
 use Illuminate\Database\Eloquent\ModelNotFoundException;
 use Illuminate\Support\Arr;
 use Laminas\Diactoros\Response\EmptyResponse;
@@ -26,6 +27,8 @@ public function handle(ServerRequestInterface $request): ResponseInterface
         $actor = RequestUtil::getActor($request);
         $fileName = Arr::get($request->getQueryParams(), 'fileName');
 
+        $actor->assertCan('edit', new Poll());
+
         if ($this->uploadDir->exists($fileName)) {
             $this->events->dispatch(
                 new PollImageDeleting($fileName, $actor)

diff --git a/src/Api/Controllers/DeletePollImageController.php b/src/Api/Controllers/DeletePollImageController.php
@@ -49,6 +49,8 @@ public function handle(ServerRequestInterface $request): ResponseInterface
         /** @var Poll $poll */
         $poll = Poll::find($pollId);
 
+        $actor->assertCan('edit', $poll);
+
         $this->events->dispatch(
             new PollImageDeleting($poll->image, $actor)
         );

diff --git a/src/Api/Controllers/DeletePollOptionImageController.php b/src/Api/Controllers/DeletePollOptionImageController.php
@@ -49,6 +49,8 @@ public function handle(ServerRequestInterface $request): ResponseInterface
         /** @var PollOption $option */
         $option = PollOption::find($optionId);
 
+        $actor->assertCan('edit', $option->poll);
+
         // if the image_url is a fully qualified URL, we just set it to null
         if (filter_var($option->image_url, FILTER_VALIDATE_URL)) {
         } else {