Fixed Version AttachmentHandler doesn't actually check permissions for adding new version

Jon W

Well-known member
The _canUploadAndManageAttachments function in XenResource_AttachmentHandler_Version is checking for the wrong content ID key, so isn't actually checking whether or not a user has permission to update their own resource -- only that they have permission to add resources.

I suggest replacing with something along the lines of:
    /**
     * Determines if attachments can be uploaded and managed in this context.
     *
     * @see XenForo_AttachmentHandler_Abstract::_canUploadAndManageAttachments()
     */
    protected function _canUploadAndManageAttachments(array $contentData, array $viewingUser)
    {
        $versionModel = $this->_getVersionModel();
        $null = null; // placeholder for the by-reference error phrase argument

        if (!empty($contentData['resource_version_id']))
        {
            // Fetch the version joined with its parent resource
            $resource = $versionModel->getVersionById(
                $contentData['resource_version_id'],
                array('join' => XenResource_Model_Version::FETCH_RESOURCE)
            );
            if ($resource)
            {
                $category = XenForo_Model::create('XenResource_Model_Category')->getCategoryById($resource['resource_category_id']);
                if ($category)
                {
                    // Check permission to add a version to this specific resource
                    return $versionModel->canAddVersion($resource, $category, $null, $viewingUser);
                }
                else
                {
                    return false;
                }
            }
        }

        return XenForo_Model::create('XenResource_Model_Category')->canAddResource(null, $null, $viewingUser);
    }
 

Mike

XenForo developer
Staff member
resource_version_id would be used when editing a version (which we don't actually support right now).

resource_id is correct, but the issue is that it wasn't passing the resource_id in. That's fixed now.
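
As an added illustration of the bug described in this thread (not XenForo's code), the stand-alone PHP below mirrors the handler's branch structure with stand-in permission functions: when the caller omits `resource_id` from the content data, the check silently falls through to the generic add-resource permission instead of the per-resource version check. The model names (`canAddVersion`, `canAddResource`, `canUploadAndManage`) and the sample resource data are constructed for the example.

```php
<?php
// Added illustration, not XenForo code: how a permission check keyed on a
// content-data field degrades to a weaker check when the caller omits the key.

// Constructed sample data: resource 7 is owned by user 1.
$resources = [7 => ['resource_id' => 7, 'user_id' => 1]];

// Stand-in for canAddVersion(): only the resource owner may add a version.
function canAddVersion(array $resource, array $viewingUser): bool
{
    return $resource['user_id'] === $viewingUser['user_id'];
}

// Stand-in for canAddResource(): any registered user may create a resource.
function canAddResource(array $viewingUser): bool
{
    return $viewingUser['user_id'] > 0;
}

// Mirrors the handler's structure: with resource_id present the version
// check runs; without it, only the generic add-resource check is applied.
function canUploadAndManage(array $contentData, array $viewingUser, array $resources): bool
{
    if (!empty($contentData['resource_id']))
    {
        $resource = $resources[$contentData['resource_id']] ?? null;
        if ($resource)
        {
            return canAddVersion($resource, $viewingUser);
        }
        return false; // unknown resource: deny
    }
    return canAddResource($viewingUser);
}

// A registered user who does not own resource 7.
$other = ['user_id' => 2];

// Before the fix: the caller never passed resource_id, so the version upload
// was authorised by the generic add-resource permission.
var_dump(canUploadAndManage([], $other, $resources));

// After the fix: resource_id is passed, the owner check runs and denies.
var_dump(canUploadAndManage(['resource_id' => 7], $other, $resources));
```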
 