From 83da4a26ac864b2d0ceb4afe16f324a280b3cc08 Mon Sep 17 00:00:00 2001
From: Aaron van Geffen
Date: Sat, 11 Nov 2023 15:14:57 +0100
Subject: [PATCH] EditAsset: allow users to edit their own photos

---
 controllers/EditAsset.php | 9 +++++----
 models/Asset.php | 5 +++++
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/controllers/EditAsset.php b/controllers/EditAsset.php
index f00194e6..98e22690 100644
--- a/controllers/EditAsset.php
+++ b/controllers/EditAsset.php
@@ -10,10 +10,6 @@ class EditAsset extends HTMLController
 {
 public function __construct()
 {
- // Ensure it's just admins at this point.
- if (!Registry::get('user')->isAdmin())
- throw new NotAllowedException();
-
 if (empty($_GET['id']))
 throw new Exception('Invalid request.');
 
@@ -21,6 +17,11 @@ class EditAsset extends HTMLController
 if (empty($asset))
 throw new NotFoundException('Asset not found');
 
+ // Can we edit this asset?
+ $user = Registry::get('user');
+ if (!($user->isAdmin() || $asset->isOwnedBy($user)))
+ throw new NotAllowedException();
+
 if (isset($_REQUEST['delete']))
 throw new Exception('Not implemented.');
 
diff --git a/models/Asset.php b/models/Asset.php
index f107b4ba..4a799f7e 100644
--- a/models/Asset.php
+++ b/models/Asset.php
@@ -383,6 +383,11 @@ class Asset
 return new Image(get_object_vars($this));
 }
 
+ public function isOwnedBy(User $user)
+ {
+ return $this->id_user_uploaded == $user->getUserId();
+ }
+
 public function replaceFile($filename)
 {
 // No filename? Abort!
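Review bot: The authorization check in the second EditAsset hunk now runs after the asset lookup, so a non-admin who is not the owner gets NotFoundException for unknown ids and NotAllowedException for existing ones, which turns the edit page into an existence oracle for asset ids; previously the admin check ran before any lookup. If that distinction matters here, the cheapest fix is to keep the admin short-circuit where it was and only fall through to the owner check after loading the asset, or to throw the same exception type in both cases. It is also worth confirming that `Registry::get('user')` can be a guest at this point, because the new condition accepts any user for whom `isOwnedBy()` returns true and nothing in the hunk requires the user to be logged in. The constructor body continues outside the hunk.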
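Review bot: `isOwnedBy()` in the Asset hunk decides an access-control outcome with a loose `==`, so if `id_user_uploaded` can be null or 0 (no recorded uploader) and a guest or anonymous user id is 0, the comparison is true and the asset is treated as owned by whoever is browsing; the exact types are not visible in the hunk, so this is inferred from the column name. Prefer a strict comparison that also rejects an absent uploader, e.g. `return $this->id_user_uploaded !== null && (int) $this->id_user_uploaded === (int) $user->getUserId();`, and give the method a `: bool` return type since the file already type-hints the `User $user` parameter. A one-line docblock such as `/** True when $user is the account that uploaded this asset; never true for an asset without a recorded uploader. */` would document the intended contract for the controller that now relies on it.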