fix(1.x,suspend): suspended users can abuse avatar upload

flarum · Sep 20, 2023 · a5ed6a8 · a5ed6a8
1 parent e03ca44
commit a5ed6a8
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 3 deletions.
diff --git a/extensions/suspend/src/Access/UserPolicy.php b/extensions/suspend/src/Access/UserPolicy.php
@@ -25,4 +25,11 @@ public function suspend(User $actor, User $user)
             return $this->deny();
         }
     }
+
+    public function uploadAvatar(User $actor, User $user)
+    {
+        if ($actor->suspended_until && $actor->suspended_until->isFuture()) {
+            return $this->deny();
+        }
+    }
 }
diff --git a/framework/core/src/User/Access/UserPolicy.php b/framework/core/src/User/Access/UserPolicy.php
@@ -39,4 +39,15 @@ public function editCredentials(User $actor, User $user)
             return $this->allow();
         }
     }
+
+    public function uploadAvatar(User $actor, User $user)
+    {
+        if ($actor->id === $user->id) {
+            return $this->allow();
+        }
+
+        if ($actor->id !== $user->id) {
+            return $actor->can('edit', $user);
+        }
+    }
 }
diff --git a/framework/core/src/User/Command/UploadAvatarHandler.php b/framework/core/src/User/Command/UploadAvatarHandler.php
@@ -68,9 +68,7 @@ public function handle(UploadAvatar $command)
 
         $user = $this->users->findOrFail($command->userId);
 
-        if ($actor->id !== $user->id) {
-            $actor->assertCan('edit', $user);
-        }
+        $actor->assertCan('uploadAvatar', $user);
 
         $this->validator->assertValid(['avatar' => $command->file]);