diff --git a/src/Api/Controllers/DeletePollImageByNameController.php b/src/Api/Controllers/DeletePollImageByNameController.php
index 8574e7e2..60f6bdc8 100644
--- a/src/Api/Controllers/DeletePollImageByNameController.php
+++ b/src/Api/Controllers/DeletePollImageByNameController.php
@@ -13,6 +13,7 @@ use Flarum\Http\RequestUtil;
 use FoF\Polls\Events\PollImageDeleting;
+use FoF\Polls\Poll;
 use Illuminate\Database\Eloquent\ModelNotFoundException;
 use Illuminate\Support\Arr;
 use Laminas\Diactoros\Response\EmptyResponse;
@@ -26,6 +27,8 @@ public function handle(ServerRequestInterface $request): ResponseInterface
 $actor = RequestUtil::getActor($request);
 $fileName = Arr::get($request->getQueryParams(), 'fileName');
+ $actor->assertCan('edit', new Poll());
+
 if ($this->uploadDir->exists($fileName)) {
 $this->events->dispatch(
 new PollImageDeleting($fileName, $actor)
diff --git a/src/Api/Controllers/DeletePollImageController.php b/src/Api/Controllers/DeletePollImageController.php
index f7f453b6..021a7e63 100644
--- a/src/Api/Controllers/DeletePollImageController.php
+++ b/src/Api/Controllers/DeletePollImageController.php
@@ -49,6 +49,8 @@ public function handle(ServerRequestInterface $request): ResponseInterface
 /** @var Poll $poll */
 $poll = Poll::find($pollId);
+ $actor->assertCan('edit', $poll);
+
 $this->events->dispatch(
 new PollImageDeleting($poll->image, $actor)
 );
diff --git a/src/Api/Controllers/DeletePollOptionImageController.php b/src/Api/Controllers/DeletePollOptionImageController.php
index 2c66c0cc..c84938a2 100644
--- a/src/Api/Controllers/DeletePollOptionImageController.php
+++ b/src/Api/Controllers/DeletePollOptionImageController.php
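Review bot: The new `$actor->assertCan('edit', new Poll())` in DeletePollImageByNameController authorizes against an empty, unsaved Poll rather than the poll that owns the image, so the policy cannot take ownership or any per-poll state into account, and whatever it decides for a blank model applies to every file name an actor submits. If a coarse "may edit polls at all" gate is the intent, record that next to the line, e.g. `// Coarse check: the file name carries no poll reference, so only the generic edit ability is verified here`; otherwise resolve the poll or option that references `$fileName` and assert against that model. Separately, `$fileName` is read straight from the query string, may be null, and is passed to `$this->uploadDir->exists()` without any validation; whether the filesystem layer normalizes or rejects traversal segments is not visible here and is worth confirming. The body of `handle()` continues beyond the hunk.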
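Review bot: In DeletePollImageController the new `$actor->assertCan('edit', $poll)` runs on the result of `Poll::find($pollId)`, which is null when the id does not exist, so an unknown id reaches the authorization check with no model despite the `@var Poll` annotation; the same applies to `PollOption::find($optionId)` and `$option->poll` in the DeletePollOptionImageController hunk. Use `$poll = Poll::findOrFail($pollId);` (and `$option = PollOption::findOrFail($optionId);`) so a missing record raises ModelNotFoundException before any permission is evaluated and the annotation becomes truthful. The pre-existing `$poll->image` dereference had the same null exposure, so this is not a regression, but the added line is the natural place to close it. `handle()` begins and ends outside this hunk.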
@@ -49,6 +49,8 @@ public function handle(ServerRequestInterface $request): ResponseInterface
 /** @var PollOption $option */
 $option = PollOption::find($optionId);
+ $actor->assertCan('edit', $option->poll);
+
 // if the image_url is a fully qualified URL, we just set it to null
 if (filter_var($option->image_url, FILTER_VALIDATE_URL)) {
 } else {