SECURITY: Users can pick non-avatar uploads.

https://meta.discourse.org/t/bug-report-idor-on-avatar-pick-function-discussions-udacity-com/103564
2025-02-25 18:55:32 -06:00 · 2018-12-18 13:37:45 +08:00
parent 899caf35ba
commit 5c2e194d01
2 changed files with 15 additions and 16 deletions
--- a/lib/guardian/user_guardian.rb
+++ b/lib/guardian/user_guardian.rb
@@ -3,19 +3,13 @@ module UserGuardian

  def can_pick_avatar?(user_avatar, upload)
    return false unless self.user
-
    return true if is_admin?
-
    # can always pick blank avatar
    return true if !upload
-
    return true if user_avatar.contains_upload?(upload.id)
    return true if upload.user_id == user_avatar.user_id || upload.user_id == user.id

-    UserUpload.exists?(
-      upload_id: upload.id,
-      user_id: [upload.user_id, user.id]
-    )
+    UserUpload.exists?(upload_id: upload.id, user_id: user.id)
  end

  def can_edit_user?(user)