
Fixed Version AttachmentHandler doesn't actually check permissions for adding new version

Discussion in 'Resource Manager Resolved Bugs' started by Jon W, Apr 13, 2013.

  1. Jon W

    Jon W Well-Known Member

    The _canUploadAndManageAttachments function in XenResource_AttachmentHandler_Version is checking for the wrong content ID key, so isn't actually checking whether or not a user has permission to update their own resource -- only that they have permission to add resources.

    I suggest replacing with something along the lines of:
    Code:
        /**
        * Determines if attachments can be uploaded and managed in this context.
        *
        * @see XenForo_AttachmentHandler_Abstract::_canUploadAndManageAttachments()
        */
        protected function _canUploadAndManageAttachments(array $contentData, array $viewingUser)
        {
            $resourceModel = $this->_getResourceModel();
            $versionModel = $this->_getVersionModel();

            if (!empty($contentData['resource_version_id']))
            {
                // Load the version together with its parent resource.
                $resource = $versionModel->getVersionById($contentData['resource_version_id'], array('join' => XenResource_Model_Version::FETCH_RESOURCE));
                if ($resource)
                {
                    $category = XenForo_Model::create('XenResource_Model_Category')->getCategoryById($resource['resource_category_id']);
                    if ($category)
                    {
                        // Object-level check: may this user add a version to this resource?
                        return $versionModel->canAddVersion(
                            $resource, $category, $null, $viewingUser
                        );
                    }
                    else
                    {
                        return false;
                    }
                }
            }

            // No version ID supplied: fall back to the general "can add resources" permission.
            return XenForo_Model::create('XenResource_Model_Category')->canAddResource(null, $null, $viewingUser);
        }
     
  2. Mike

    Mike XenForo Developer Staff Member

    resource_version_id would be used when editing a version (which we don't actually support right now).

    resource_id is correct, but the issue is that it wasn't passing the resource_id in. That's fixed now.
     
    Jon W likes this.
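
The fall-through that both posts describe, as an added example that is not part of the thread and is not XenForo or Resource Manager code: every function, permission name and record below is a hypothetical stand-in, and the ownership rule in canAddVersion is an assumption. When the caller omits resource_id the broad check decides and a non-owner is allowed; when the caller passes it, the object-level check runs and the same user is refused.

```php
<?php
// Added illustration only: hypothetical stand-ins, not the add-on's real models.

// Constructed sample data: resource 7 belongs to user 1.
function getResourceById(int $id): ?array
{
    $resources = [7 => ['resource_id' => 7, 'user_id' => 1]];
    return $resources[$id] ?? null;
}

// Broad permission: may this user create resources at all?
function canAddResource(array $user): bool
{
    return in_array('add_resource', $user['permissions'], true);
}

// Object-level permission (assumed rule): only the owner may add a version.
function canAddVersion(array $resource, array $user): bool
{
    return canAddResource($user) && $resource['user_id'] === $user['user_id'];
}

// Modelled on the handler discussed above: the object-level check runs
// only when the caller actually supplies the content ID key.
function canUploadAndManageAttachments(array $contentData, array $user): bool
{
    if (!empty($contentData['resource_id'])) {
        $resource = getResourceById((int) $contentData['resource_id']);
        // Unknown resource: refuse rather than fall through to the broad check.
        return $resource !== null && canAddVersion($resource, $user);
    }
    // No ID supplied: treated as "new resource", so only the broad check applies.
    return canAddResource($user);
}

$owner = ['user_id' => 1, 'permissions' => ['add_resource']];
$other = ['user_id' => 2, 'permissions' => ['add_resource']];

// Caller forgets to pass resource_id, as in the bug described in the reply.
echo 'non-owner, no resource_id:   ';
var_dump(canUploadAndManageAttachments([], $other));
// Caller passes resource_id, so ownership is evaluated.
echo 'non-owner, with resource_id: ';
var_dump(canUploadAndManageAttachments(['resource_id' => 7], $other));
echo 'owner, with resource_id:     ';
var_dump(canUploadAndManageAttachments(['resource_id' => 7], $owner));
```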
