From 86da46ee3a54676298e30301846be890d1ea93ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20G=C3=B6ttgens?=
Date: Sun, 5 May 2024 22:26:27 +0200
Subject: [PATCH] fix(legacy): allow deleting file with api token (#2995)

When calling DELETE "/rest/media/" the call fails with 'unknown error' if it's not within a GUI session. The StoredFile delete method checks for user permissions regardless of if a user is even known.
---
 legacy/application/models/StoredFile.php | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/legacy/application/models/StoredFile.php b/legacy/application/models/StoredFile.php
index bdb97dbaf..118d0dd2a 100644
--- a/legacy/application/models/StoredFile.php
+++ b/legacy/application/models/StoredFile.php
@@ -394,16 +394,20 @@ SQL;
 throw new DeleteScheduledFileException();
 }
 
- $userInfo = Zend_Auth::getInstance()->getStorage()->read();
- $user = new Application_Model_User($userInfo->id);
- $isAdminOrPM = $user->isUserType([UTYPE_SUPERADMIN, UTYPE_ADMIN, UTYPE_PROGRAM_MANAGER]);
- if (!$isAdminOrPM && $this->getFileOwnerId() != $user->getId()) {
- throw new FileNoPermissionException();
+ // if we get here from the REST API, there's no valid user. APIKEY is validated already.
+ if ($userInfo = Zend_Auth::getInstance()->getStorage()->read()) {
+ // This call will throw "Trying to get property 'id' of non-object"
+ $user = new Application_Model_User($userInfo->id);
+ $isAdminOrPM = $user->isUserType([UTYPE_SUPERADMIN, UTYPE_ADMIN, UTYPE_PROGRAM_MANAGER]);
+ if (!$isAdminOrPM && $this->getFileOwnerId() != $user->getId()) {
+ throw new FileNoPermissionException();
+ }
+ $file_id = $this->_file->getDbId();
+ Logging::info($file_id);
+ Logging::info('User ' . $user->getLogin() . ' is deleting file: ' . $this->_file->getDbTrackTitle() . ' - file id: ' . $file_id);
+ } else {
+ Logging::info('API Auth is deleting file: ' . $this->_file->getDbTrackTitle() . ' - file id: ' . $this->_file->getDbId());
 }
- $file_id = $this->_file->getDbId();
- Logging::info($file_id);
- Logging::info('User ' . $user->getLogin() . ' is deleting file: ' . $this->_file->getDbTrackTitle() . ' - file id: ' . $file_id);
-
 $filesize = $this->_file->getFileSize();
 if ($filesize < 0) {
 throw new Exception('Cannot delete file with filesize ' . $filesize);
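Review bot: A missing Zend_Auth identity is treated as proof that an API key was validated, so the owner/admin check inside the `if ($userInfo = ...)` branch is silently skipped for every caller that reaches this method without a session, not only the REST controller; the method cannot tell the two apart from here, and that controller is outside this hunk. An explicit signal from the caller (for example a `bool $apiAuthenticated = false` parameter passed as `true` only where the key was actually checked) would keep the authorization decision visible in the code rather than inferred from the absence of a session. The comment `// This call will throw "Trying to get property 'id' of non-object"` now sits inside the guarded branch where that failure no longer occurs; replace it with `// A GUI session exists: enforce owner or admin/PM permission.` The `else` log line records no actor, so if the API layer exposes a client or key identifier it should be included there for accountability.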