diff --git a/controllers/EditAsset.php b/controllers/EditAsset.php index f00194e..98e2269 100644 --- a/controllers/EditAsset.php +++ b/controllers/EditAsset.php @@ -10,10 +10,6 @@ class EditAsset extends HTMLController { public function __construct() { - // Ensure it's just admins at this point. - if (!Registry::get('user')->isAdmin()) - throw new NotAllowedException(); - if (empty($_GET['id'])) throw new Exception('Invalid request.'); @@ -21,6 +17,11 @@ class EditAsset extends HTMLController if (empty($asset)) throw new NotFoundException('Asset not found'); + // Can we edit this asset? + $user = Registry::get('user'); + if (!($user->isAdmin() || $asset->isOwnedBy($user))) + throw new NotAllowedException(); + if (isset($_REQUEST['delete'])) throw new Exception('Not implemented.'); diff --git a/models/Asset.php b/models/Asset.php index f107b4b..4a799f7 100644 --- a/models/Asset.php +++ b/models/Asset.php @@ -383,6 +383,11 @@ class Asset return new Image(get_object_vars($this)); } + public function isOwnedBy(User $user) + { + return $this->id_user_uploaded == $user->getUserId(); + } + public function replaceFile($filename) { // No filename? Abort!