From 83da4a26ac864b2d0ceb4afe16f324a280b3cc08 Mon Sep 17 00:00:00 2001 From: Aaron van Geffen Date: Sat, 11 Nov 2023 15:14:57 +0100 Subject: [PATCH] EditAsset: allow users to edit their own photos --- controllers/EditAsset.php | 9 +++++---- models/Asset.php | 5 +++++ 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/controllers/EditAsset.php b/controllers/EditAsset.php index f00194e..98e2269 100644 --- a/controllers/EditAsset.php +++ b/controllers/EditAsset.php @@ -10,10 +10,6 @@ class EditAsset extends HTMLController { public function __construct() { - // Ensure it's just admins at this point. - if (!Registry::get('user')->isAdmin()) - throw new NotAllowedException(); - if (empty($_GET['id'])) throw new Exception('Invalid request.'); @@ -21,6 +17,11 @@ class EditAsset extends HTMLController if (empty($asset)) throw new NotFoundException('Asset not found'); + // Can we edit this asset? + $user = Registry::get('user'); + if (!($user->isAdmin() || $asset->isOwnedBy($user))) + throw new NotAllowedException(); + if (isset($_REQUEST['delete'])) throw new Exception('Not implemented.'); diff --git a/models/Asset.php b/models/Asset.php index f107b4b..4a799f7 100644 --- a/models/Asset.php +++ b/models/Asset.php @@ -383,6 +383,11 @@ class Asset return new Image(get_object_vars($this)); } + public function isOwnedBy(User $user) + { + return $this->id_user_uploaded == $user->getUserId(); + } + public function replaceFile($filename) { // No filename? Abort!