CC-4655: DJ's can delete files that they do not own

-fixed
2012-10-31 16:51:29 -04:00 · 2012-10-31 16:51:29 -04:00 · 2507e0f8a4
parent fc613aa597
commit 2507e0f8a4
2 changed files with 10 additions and 0 deletions
--- a/airtime_mvc/application/controllers/LibraryController.php
+++ b/airtime_mvc/application/controllers/LibraryController.php
@ -319,6 +319,8 @@ class LibraryController extends Zend_Controller_Action
            if (isset($file)) {
                try {
                    $res = $file->delete(true);
+                } catch (FileNoPermissionException $e) {
+                    $this->view->message = "You don't have permission to delete selected items.";
                } catch (Exception $e) {
                    //could throw a scheduled in future exception.
                    $message = "Could not delete some scheduled files.";
--- a/airtime_mvc/application/models/StoredFile.php
+++ b/airtime_mvc/application/models/StoredFile.php
@ -344,6 +344,13 @@ SQL;
            throw new DeleteScheduledFileException();
        }

+        $userInfo = Zend_Auth::getInstance()->getStorage()->read();
+        $user = new Application_Model_User($userInfo->id);
+        $isAdminOrPM = $user->isUserType(array(UTYPE_ADMIN, UTYPE_PROGRAM_MANAGER));
+        if (!$isAdminOrPM && $this->getFileOwnerId() != $user->getId()) {
+            throw new FileNoPermissionException();
+        }
+
        $music_dir = Application_Model_MusicDir::getDirByPK($this->_file->getDbDirectory());
        $type = $music_dir->getType();

@ -1213,3 +1220,4 @@ SQL;

 class DeleteScheduledFileException extends Exception {}
 class FileDoesNotExistException extends Exception {}
+class FileNoPermissionException extends Exception {}