Fix avatar edit permissions (by Jerôme Bakker)
authorSteve Clay <steve@mrclay.org>
Wed, 29 May 2013 17:13:16 +0000 (13:13 -0400)
committerSteve Clay <steve@mrclay.org>
Wed, 29 May 2013 17:13:16 +0000 (13:13 -0400)
actions/avatar/remove.php
languages/en.php
pages/avatar/edit.php

index cd38e456a541578ad9362150327106f8e919b56a..9cb40a760b2f418fd14286e6b58a486a50bc6fd5 100644 (file)
@@ -3,32 +3,34 @@
  * Avatar remove action
  */
 
-$guid = get_input('guid');
-$user = get_entity($guid);
-if ($user) {
-       // Delete all icons from diskspace
-       $icon_sizes = elgg_get_config('icon_sizes');
-       foreach ($icon_sizes as $name => $size_info) {
-               $file = new ElggFile();
-               $file->owner_guid = $guid;
-               $file->setFilename("profile/{$guid}{$name}.jpg");
-               $filepath = $file->getFilenameOnFilestore();
-               if (!$file->delete()) {
-                       elgg_log("Avatar file remove failed. Remove $filepath manually, please.", 'WARNING');
-               }
-       }
-       
-       // Remove crop coords
-       unset($user->x1);
-       unset($user->x2);
-       unset($user->y1);
-       unset($user->y2);
-       
-       // Remove icon
-       unset($user->icontime);
-       system_message(elgg_echo('avatar:remove:success'));
-} else {
+$user_guid = get_input('guid');
+$user = get_user($user_guid);
+
+if (!$user || !$user->canEdit()) {
        register_error(elgg_echo('avatar:remove:fail'));
+       forward(REFERER);
 }
 
+// Delete all icons from diskspace
+$icon_sizes = elgg_get_config('icon_sizes');
+foreach ($icon_sizes as $name => $size_info) {
+       $file = new ElggFile();
+       $file->owner_guid = $user_guid;
+       $file->setFilename("profile/{$user_guid}{$name}.jpg");
+       $filepath = $file->getFilenameOnFilestore();
+       if (!$file->delete()) {
+               elgg_log("Avatar file remove failed. Remove $filepath manually, please.", 'WARNING');
+       }
+}
+
+// Remove crop coords
+unset($user->x1);
+unset($user->x2);
+unset($user->y1);
+unset($user->y2);
+
+// Remove icon
+unset($user->icontime);
+
+system_message(elgg_echo('avatar:remove:success'));
 forward(REFERER);
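Review bot: The file paths on the new side are still built from the raw request value rather than from the entity that passed the permission check: `$file->owner_guid = $user_guid;` and `setFilename("profile/{$user_guid}{$name}.jpg")` use whatever string `get_input('guid')` returned, while only `$user` has been validated and authorised. Using the loaded entity's own identifier keeps the filesystem path tied to the object the `canEdit()` check was made on: `$file->owner_guid = $user->guid;` and `$file->setFilename("profile/{$user->guid}{$name}.jpg");`. The guard at the top also relies on `forward(REFERER)` never returning; that holds if `forward()` exits as in the rest of Elgg, but a short comment such as `// forward() exits; nothing below runs for unauthorised callers` would make the intent explicit to the next reader.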
index be86e12e6d3d9588286db418048e159cad261a74..49e3664841d4a8d536e6d38b766592e800177337 100644 (file)
@@ -359,6 +359,7 @@ $english = array(
        'friendspicker:chararray' => 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
 
        'avatar' => 'Avatar',
+       'avatar:noaccess' => "You're not allowed to edit this user's avatar",
        'avatar:create' => 'Create your avatar',
        'avatar:edit' => 'Edit avatar',
        'avatar:preview' => 'Preview',
index c71633b8bec44cce383d33cd74e85a2b31c18603..56aede88739b1b875665495016cfa73321396cd8 100644 (file)
@@ -11,6 +11,11 @@ elgg_set_context('profile_edit');
 $title = elgg_echo('avatar:edit');
 
 $entity = elgg_get_page_owner_entity();
+if (!elgg_instanceof($entity, 'user') || !$entity->canEdit()) {
+       register_error(elgg_echo('avatar:noaccess'));
+       forward(REFERER);
+}
+
 $content = elgg_view('core/avatar/upload', array('entity' => $entity));
 
 // only offer the crop view if an avatar has been uploaded
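Review bot: The new check in pages/avatar/edit.php gates only the page that renders the upload and crop forms; the actions those forms post to are the actual enforcement point, and this commit touches only the remove action (see the file list), so the upload and crop actions presumably still need their own `canEdit()` check unless they already have one — worth confirming before relying on this page-level guard. A one-line comment above the condition, `// UI gate only: the avatar actions must enforce canEdit() themselves`, would record that expectation. Also note the failure path uses `forward(REFERER)` while the remove action uses the same idiom, so behaviour when no referer is present is whatever `forward()` does for that case; if that falls back to the same page it could loop, which I cannot confirm from the hunk.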