github-mirror/framework
2
0
Fork 0
mirror of https://github.com/flarum/framework.git synced 2024-12-01 14:20:47 +08:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Fix avatar uploading permissions

Browse Source 
closes flarum/core#230
This commit is contained in:
Toby Zerner 2015-08-13 12:59:40 +09:30
parent 9c7fab5d8c
commit 6dd6942e17
2 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/Core/Users/Commands/DeleteAvatarHandler.php
View File

@ -42,7 +42,9 @@ class DeleteAvatarHandler
// Make sure the current user is allowed to edit the user profile. // Make sure the current user is allowed to edit the user profile.
// This will let admins and the user themselves pass through, and // This will let admins and the user themselves pass through, and
// throw an exception otherwise. // throw an exception otherwise.
$user->assertCan($actor, 'edit'); if ($actor->id !== $user->id) {
$user->assertCan($actor, 'edit');
}
$avatarPath = $user->avatar_path; $avatarPath = $user->avatar_path;
$user->changeAvatarPath(null); $user->changeAvatarPath(null);

4
src/Core/Users/Commands/UploadAvatarHandler.php
View File

@ -48,7 +48,9 @@ class UploadAvatarHandler
// Make sure the current user is allowed to edit the user profile. // Make sure the current user is allowed to edit the user profile.
// This will let admins and the user themselves pass through, and // This will let admins and the user themselves pass through, and
// throw an exception otherwise. // throw an exception otherwise.
$user->assertCan($actor, 'edit'); if ($actor->id !== $user->id) {
$user->assertCan($actor, 'edit');
}
$tmpFile = tempnam(sys_get_temp_dir(), 'avatar'); $tmpFile = tempnam(sys_get_temp_dir(), 'avatar');
$command->file->moveTo($tmpFile); $command->file->moveTo($tmpFile);