

Do not allow changing avatars of other users without permission (#13629)
MarcosSpessatto authored and rodrigok committed Mar 7, 2019
1 parent 02c6312 commit 6ec15c8
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions packages/rocketchat-file-upload/server/lib/FileUpload.js
Expand Up @@ -11,6 +11,7 @@ import { settings } from 'meteor/rocketchat:settings';
import * as Models from 'meteor/rocketchat:models';
import { FileUpload as _FileUpload } from '../../lib/FileUpload';
import { roomTypes } from 'meteor/rocketchat:utils';
import { hasPermission } from 'meteor/rocketchat:authorization';

const cookie = new Cookies();

Expand Down Expand Up @@ -86,6 +87,9 @@ export const FileUpload = Object.assign(_FileUpload, {
if (settings.get('Accounts_AvatarResize') !== true) {
return;
}
if (Meteor.userId() !== file.userId && !hasPermission(Meteor.userId(), 'edit-other-user-info')) {
throw new Meteor.Error('error-not-allowed', 'Change avatar is not allowed');
}

const tempFilePath = UploadFS.getTempFilePath(file._id);

Expand Down Expand Up @@ -207,6 +211,9 @@ export const FileUpload = Object.assign(_FileUpload, {
},

avatarsOnFinishUpload(file) {
if (Meteor.userId() !== file.userId && !hasPermission(Meteor.userId(), 'edit-other-user-info')) {
throw new Meteor.Error('error-not-allowed', 'Change avatar is not allowed');
}
// update file record to match user's username
const user = Models.Users.findOneById(file.userId);
const oldAvatar = Models.Avatars.findOneByName(user.username);
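Review bot: The guard added at the start of avatarsOnFinishUpload is a line-for-line repeat of the one added to the earlier hook in the -86,6 +87,9 hunk, and each copy evaluates Meteor.userId() twice in the same condition; the two hooks should share one helper that reads the id once, so a later change to the rule (or to the permission name) cannot drift between the validate and finish paths. The helper below keeps the same error code and message so callers that match on 'error-not-allowed' are unaffected. One point to confirm: Meteor.userId() throws when invoked outside a method or publication context, so if either hook can be reached from a server-side code path with no current user (an import or a background job, for example), that path now fails with that exception rather than with the intended 'error-not-allowed'; if such paths exist they should establish a user context before the upload, or the helper should treat a missing id as not allowed. The enclosing function of the -86,6 +87,9 hunk starts outside that hunk, and avatarsOnFinishUpload continues past the end of this one.
```javascript
// Shared guard for the avatar hooks: the current user may only replace their own
// avatar unless they hold 'edit-other-user-info'. Throws Meteor.Error('error-not-allowed').
function assertCanChangeAvatar(file) {
	const userId = Meteor.userId();
	if (userId !== file.userId && !hasPermission(userId, 'edit-other-user-info')) {
		throw new Meteor.Error('error-not-allowed', 'Change avatar is not allowed');
	}
}
// … unchanged: earlier hook body, with its inline check replaced by assertCanChangeAvatar(file); …
	avatarsOnFinishUpload(file) {
		assertCanChangeAvatar(file);
		// … unchanged: update file record to match user's username …
```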
