
Fixed Version AttachmentHandler doesn't actually check permissions for adding new version

Jon W

Well-known member
The _canUploadAndManageAttachments function in XenResource_AttachmentHandler_Version is checking for the wrong content ID key, so isn't actually checking whether or not a user has permission to update their own resource -- only that they have permission to add resources.

I suggest replacing with something along the lines of:
Rich (BB code):
    /**
     * Determines if attachments can be uploaded and managed in this context.
     *
     * @see XenForo_AttachmentHandler_Abstract::_canUploadAndManageAttachments()
     */
    protected function _canUploadAndManageAttachments(array $contentData, array $viewingUser)
    {
        $versionModel = $this->_getVersionModel();

        if (!empty($contentData['resource_version_id']))
        {
            // Load the version joined with its parent resource.
            $resource = $versionModel->getVersionById($contentData['resource_version_id'], array('join' => XenResource_Model_Version::FETCH_RESOURCE));
            if ($resource)
            {
                $category = XenForo_Model::create('XenResource_Model_Category')->getCategoryById($resource['resource_category_id']);
                if ($category)
                {
                    return $versionModel->canAddVersion(
                        $resource, $category, $null, $viewingUser
                    );
                }
            }

            // A version ID was supplied but the version or its category could not be loaded.
            return false;
        }

        return XenForo_Model::create('XenResource_Model_Category')->canAddResource(null, $null, $viewingUser);
    }


XenForo developer
Staff member
resource_version_id would be used when editing a version (which we don't actually support right now).

resource_id is correct, but the issue is that it wasn't passing the resource_id in. That's fixed now.
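
The failure mode discussed in this thread, as an added example that is not part of the original posts and is not XenForo or Resource Manager code: when the per-resource check only runs if a key is present, a caller that omits the key silently falls back to the broader permission. All function names, the sample data and the fail-closed variant are hypothetical.

```php
<?php
// Added illustration only. Names and data are constructed, not XenForo's.

// Constructed data: resource 10 is owned by user 1.
const RESOURCES = [10 => ['resource_id' => 10, 'user_id' => 1]];

// Broad permission: may this user create resources at all?
function canAddResource(array $user): bool
{
    return !empty($user['can_add_resource']);
}

// Narrow permission: may this user add a version to this specific resource?
function canAddVersion(array $resource, array $user): bool
{
    return $resource['user_id'] === $user['user_id'];
}

// Same shape as the handler in the thread: the per-resource check runs only
// when the expected key is present; otherwise the broad check decides.
function canUploadAndManage(array $contentData, array $user): bool
{
    if (!empty($contentData['resource_id'])) {
        $resource = RESOURCES[$contentData['resource_id']] ?? null;
        return $resource !== null && canAddVersion($resource, $user);
    }
    return canAddResource($user);
}

// Assumed hardening for an "add version" flow: a missing ID is a denial,
// so a caller that forgets to pass the key cannot reach the broad check.
function canUploadForNewVersion(array $contentData, array $user): bool
{
    if (empty($contentData['resource_id'])) {
        return false;
    }
    return canUploadAndManage($contentData, $user);
}

// Constructed user: may create resources, but does not own resource 10.
$other = ['user_id' => 2, 'can_add_resource' => true];

// Case 1: caller omits the key, so only the broad permission is consulted.
var_dump(canUploadAndManage([], $other));
// Case 2: caller passes the key, so ownership of resource 10 is checked.
var_dump(canUploadAndManage(['resource_id' => 10], $other));
// Case 3: fail-closed variant with the key omitted.
var_dump(canUploadForNewVersion([], $other));
```

A regression test for this class of bug should cover the caller as well as the handler, asserting that the content data it builds actually contains the key the handler reads.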