Fixed Version AttachmentHandler doesn't actually check permissions for adding new version

Jon W

Well-known member
The _canUploadAndManageAttachments function in XenResource_AttachmentHandler_Version is checking for the wrong content ID key, so isn't actually checking whether or not a user has permission to update their own resource -- only that they have permission to add resources.

I suggest replacing with something along the lines of:
Rich (BB code):
    /**
     * Determines if attachments can be uploaded and managed in this context.
     *
     * @see XenForo_AttachmentHandler_Abstract::_canUploadAndManageAttachments()
     */
    protected function _canUploadAndManageAttachments(array $contentData, array $viewingUser)
    {
        $resourceModel = $this->_getResourceModel();
        $versionModel = $this->_getVersionModel();
        if (!empty($contentData['resource_version_id']))
        {
            // Fetch the version joined with its resource so the permission check sees the real owner.
            $resource = $versionModel->getVersionById($contentData['resource_version_id'], array('join' => XenResource_Model_Version::FETCH_RESOURCE));
            if ($resource)
            {
                $category = XenForo_Model::create('XenResource_Model_Category')->getCategoryById($resource['resource_category_id']);
                if ($category)
                {
                    return $versionModel->canAddVersion(
                        $resource, $category, $null, $viewingUser
                    );
                }
            }
            return false;
        }
        // No version ID supplied: fall back to the generic "can add a resource" check.
        return XenForo_Model::create('XenResource_Model_Category')->canAddResource(null, $null, $viewingUser);
    }


XenForo developer
Staff member
resource_version_id would be used when editing a version (which we don't actually support right now).

resource_id is correct, but the issue is that it wasn't passing the resource_id in. That's fixed now.
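
The failure mode discussed in this thread, as an added example that is not XenForo's code and not part of either post: when the ID key is missing from the content data, the handler quietly falls back to the broader "can add a resource" check. The helper names, the `$action` parameter and the sample data are hypothetical, and the version check is simplified to ownership only.

```php
<?php
// Constructed sample data: resource 10 belongs to user 1.
const RESOURCES = [10 => ['resource_id' => 10, 'user_id' => 1]];

// Hypothetical stand-ins for the model permission methods.
function canAddResource(array $user): bool
{
    return !empty($user['can_add_resource']);
}

function canAddVersion(array $resource, array $user): bool
{
    return $resource['user_id'] === $user['user_id'];
}

// Shape from the thread: a missing key silently selects the broader check.
function canManageLenient(array $contentData, array $user): bool
{
    if (!empty($contentData['resource_id'])) {
        $resource = RESOURCES[$contentData['resource_id']] ?? null;
        return $resource ? canAddVersion($resource, $user) : false;
    }
    return canAddResource($user);
}

// Stricter variant: the caller states the action, so a version upload
// without a resource ID is denied instead of being treated as a new resource.
function canManageStrict(string $action, array $contentData, array $user): bool
{
    if ($action === 'add_resource') {
        return canAddResource($user);
    }
    if ($action !== 'add_version' || empty($contentData['resource_id'])) {
        return false;
    }
    $resource = RESOURCES[$contentData['resource_id']] ?? null;
    return $resource ? canAddVersion($resource, $user) : false;
}

// Constructed user: may create resources, but does not own resource 10.
$other = ['user_id' => 2, 'can_add_resource' => true];

var_dump(canManageLenient(['resource_id' => 10], $other)); // ID passed in: ownership is checked
var_dump(canManageLenient([], $other));                    // ID not passed in: only the generic check runs
var_dump(canManageStrict('add_version', [], $other));      // same request against the strict variant
var_dump(canManageStrict('add_version', ['resource_id' => 10], $other));
```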