Congegni
/
sintonia
7
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(legacy): allow deleting file with api token (#2995) 

When calling DELETE "/rest/media/<id>" the call fails with 'unknown error'
if it's not within a GUI session. The StoredFile delete method checks
for user permissions regardless of if a user is even known.
This commit is contained in:
Thomas Göttgens 2024-05-05 22:26:27 +02:00 committed by GitHub
parent 201e85e537
commit 86da46ee3a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 13 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
legacy/application/models/StoredFile.php
View File

@ -394,16 +394,20 @@ SQL;
throw new DeleteScheduledFileException(); throw new DeleteScheduledFileException();
} }
$userInfo = Zend_Auth::getInstance()->getStorage()->read(); // if we get here from the REST API, there's no valid user. APIKEY is validated already.
$user = new Application_Model_User($userInfo->id); if ($userInfo = Zend_Auth::getInstance()->getStorage()->read()) {
$isAdminOrPM = $user->isUserType([UTYPE_SUPERADMIN, UTYPE_ADMIN, UTYPE_PROGRAM_MANAGER]); // This call will throw "Trying to get property 'id' of non-object"
if (!$isAdminOrPM && $this->getFileOwnerId() != $user->getId()) { $user = new Application_Model_User($userInfo->id);
throw new FileNoPermissionException(); $isAdminOrPM = $user->isUserType([UTYPE_SUPERADMIN, UTYPE_ADMIN, UTYPE_PROGRAM_MANAGER]);
if (!$isAdminOrPM && $this->getFileOwnerId() != $user->getId()) {
throw new FileNoPermissionException();
}
$file_id = $this->_file->getDbId();
Logging::info($file_id);
Logging::info('User ' . $user->getLogin() . ' is deleting file: ' . $this->_file->getDbTrackTitle() . ' - file id: ' . $file_id);
} else {
Logging::info('API Auth is deleting file: ' . $this->_file->getDbTrackTitle() . ' - file id: ' . $this->_file->getDbId());
} }
$file_id = $this->_file->getDbId();
Logging::info($file_id);
Logging::info('User ' . $user->getLogin() . ' is deleting file: ' . $this->_file->getDbTrackTitle() . ' - file id: ' . $file_id);
$filesize = $this->_file->getFileSize(); $filesize = $this->_file->getFileSize();
if ($filesize < 0) { if ($filesize < 0) {
throw new Exception('Cannot delete file with filesize ' . $filesize); throw new Exception('Cannot delete file with filesize ' . $filesize);