Members cannot delete their own files #393

Open
nxmndr opened this issue Jan 29, 2024 · 2 comments · Fixed by #412 · May be fixed by #416
Labels: bug, keep (Issues that should not be closed), Stale

Comments


nxmndr commented Jan 29, 2024

Bug Report

Current Behavior
Admins can delete their own files and other members', but members cannot delete their own. A file deleted by an admin also remains in the media manager view until the page is reloaded.

Steps to Reproduce

  1. Go to /admin#/extension/fof-upload as an admin and give the Member role permissions to Upload, View and Delete files.
  2. Go to /u/<me>/uploads as a Member.
  3. A delete button has appeared near each file. Clicking on said button results in a 403 error.
Call stack:
POST https://forum.test/api/fof/upload/delete/988f0772-e3ab-4ba5-9a83-9205c2f45d6d
Flarum\User\Exception\PermissionDeniedException in /home/vagrant/nxmndr/forum/vendor/flarum/core/src/User/User.php:611
Stack trace:
#0 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/User/User.php(638): Flarum\User\User->assertPermission()
#1 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/User/User.php(648): Flarum\User\User->assertCan()
#2 /home/vagrant/nxmndr/forum/vendor/fof/upload/src/Commands/DeleteFileHandler.php(51): Flarum\User\User->assertAdmin()
#3 /home/vagrant/nxmndr/forum/vendor/illuminate/bus/Dispatcher.php(122): FoF\Upload\Commands\DeleteFileHandler->handle()
#4 /home/vagrant/nxmndr/forum/vendor/illuminate/pipeline/Pipeline.php(128): Illuminate\Bus\Dispatcher->Illuminate\Bus\{closure}()
#5 /home/vagrant/nxmndr/forum/vendor/illuminate/pipeline/Pipeline.php(103): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#6 /home/vagrant/nxmndr/forum/vendor/illuminate/bus/Dispatcher.php(132): Illuminate\Pipeline\Pipeline->then()
#7 /home/vagrant/nxmndr/forum/vendor/illuminate/bus/Dispatcher.php(78): Illuminate\Bus\Dispatcher->dispatchNow()
#8 /home/vagrant/nxmndr/forum/vendor/fof/upload/src/Api/Controllers/DeleteFileController.php(38): Illuminate\Bus\Dispatcher->dispatch()
#9 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Api/Controller/AbstractDeleteController.php(24): FoF\Upload\Api\Controllers\DeleteFileController->delete()
#10 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/RouteHandlerFactory.php(41): Flarum\Api\Controller\AbstractDeleteController->handle()
#11 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/ExecuteRoute.php(27): Flarum\Http\RouteHandlerFactory->Flarum\Http\{closure}()
#12 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\ExecuteRoute->process()
#13 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Api/Middleware/ThrottleApi.php(33): Laminas\Stratigility\Next->handle()
#14 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Api\Middleware\ThrottleApi->process()
#15 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/CheckCsrfToken.php(44): Laminas\Stratigility\Next->handle()
#16 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\CheckCsrfToken->process()
#17 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/ResolveRoute.php(69): Laminas\Stratigility\Next->handle()
#18 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\ResolveRoute->process()
#19 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/SetLocale.php(51): Laminas\Stratigility\Next->handle()
#20 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\SetLocale->process()
#21 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/AuthenticateWithHeader.php(58): Laminas\Stratigility\Next->handle()
#22 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\AuthenticateWithHeader->process()
#23 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/AuthenticateWithSession.php(31): Laminas\Stratigility\Next->handle()
#24 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\AuthenticateWithSession->process()
#25 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/RememberFromCookie.php(52): Laminas\Stratigility\Next->handle()
#26 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\RememberFromCookie->process()
#27 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/StartSession.php(61): Laminas\Stratigility\Next->handle()
#28 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\StartSession->process()
#29 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Api/Middleware/FakeHttpMethods.php(29): Laminas\Stratigility\Next->handle()
#30 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Api\Middleware\FakeHttpMethods->process()
#31 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/ParseJsonBody.php(28): Laminas\Stratigility\Next->handle()
#32 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\ParseJsonBody->process()
#33 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/HandleErrors.php(57): Laminas\Stratigility\Next->handle()
#34 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\HandleErrors->process()
#35 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/InjectActorReference.php(25): Laminas\Stratigility\Next->handle()
#36 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\InjectActorReference->process()
#37 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/MiddlewarePipe.php(75): Laminas\Stratigility\Next->handle()
#38 /home/vagrant/nxmndr/forum/vendor/middlewares/request-handler/src/RequestHandler.php(84): Laminas\Stratigility\MiddlewarePipe->process()
#39 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Middlewares\RequestHandler->process()
#40 /home/vagrant/nxmndr/forum/vendor/middlewares/base-path-router/src/BasePathRouter.php(99): Laminas\Stratigility\Next->handle()
#41 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Middlewares\BasePathRouter->process()
#42 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Middleware/OriginalMessages.php(36): Laminas\Stratigility\Next->handle()
#43 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Laminas\Stratigility\Middleware\OriginalMessages->process()
#44 /home/vagrant/nxmndr/forum/vendor/middlewares/base-path/src/BasePath.php(73): Laminas\Stratigility\Next->handle()
#45 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Middlewares\BasePath->process()
#46 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/ProcessIp.php(24): Laminas\Stratigility\Next->handle()
#47 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\ProcessIp->process()
#48 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/MiddlewarePipe.php(75): Laminas\Stratigility\Next->handle()
#49 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/MiddlewarePipe.php(64): Laminas\Stratigility\MiddlewarePipe->process()
#50 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-httphandlerrunner/src/RequestHandlerRunner.php(73): Laminas\Stratigility\MiddlewarePipe->handle()
#51 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Server.php(45): Laminas\HttpHandlerRunner\RequestHandlerRunner->run()
#52 /home/vagrant/nxmndr/forum/public/index.php(26): Flarum\Http\Server->listen()
#53 {main}

Expected Behavior
Having the Delete permission as a member should allow deleting one's own files.

They should also disappear from the view without requiring page reload.

Environment

  • Flarum version: 1.8.5
  • Extension version: 1.5.4
  • Website URL: localhost
  • Webserver: tested on apache 2.4 and nginx 1.18
  • Hosting environment: Linux and macOS respectively
  • PHP version: 8.2.12 and 8.2.10
  • Browser: Firefox 121 & Safari 14.1
Output of "php flarum info"
Flarum core: 1.8.5
PHP version: 8.2.10
MySQL version: 11.1.2-MariaDB-1:11.1.2+maria~ubu2004
Loaded extensions: Core, date, libxml, openssl, pcre, zlib, filter, hash, json, pcntl, random, Reflection, SPL, session, standard, sodium, mysqlnd, PDO, xml, bcmath, bz2, calendar, ctype, curl, dba, dom, enchant, mbstring, FFI, fileinfo, ftp, gd, gettext, gmp, iconv, igbinary, imagick, imap, intl, ldap, exif, msgpack, mysqli, odbc, pdo_dblib, PDO_Firebird, pdo_mysql, PDO_ODBC, pdo_pgsql, pdo_sqlite, pgsql, Phar, posix, pspell, readline, redis, shmop, SimpleXML, snmp, soap, sockets, sqlite3, sysvmsg, sysvsem, sysvshm, tidy, tokenizer, xmlreader, xmlrpc, xmlwriter, xsl, zip, memcached, Zend OPcache, xdebug
+-------------------------------------------+---------+--------+
| Flarum Extensions                         |         |        |
+-------------------------------------------+---------+--------+
| ID                                        | Version | Commit |
+-------------------------------------------+---------+--------+
| flarum-flags                              | v1.8.0  |        |
| flarum-tags                               | v1.8.0  |        |
| flarum-approval                           | v1.8.1  |        |
| flarum-mentions                           | v1.8.3  |        |
| flarum-subscriptions                      | v1.8.0  |        |
| fof-follow-tags                           | 1.2.2   |        |
| flarum-markdown                           | v1.8.0  |        |
| fof-upload                                | 1.5.4   |        |
| fof-best-answer                           | 1.4.1   |        |
| flarum-suspend                            | v1.8.1  |        |
| flarum-sticky                             | v1.8.0  |        |
| flarum-statistics                         | v1.8.0  |        |
| flarum-lock                               | v1.8.0  |        |
| flarum-likes                              | v1.8.0  |        |
| flarum-lang-english                       | v1.8.0  |        |
| flarum-emoji                              | v1.8.0  |        |
| flarum-bbcode                             | v1.8.0  |        |
| datlechin-discussion-count                | v0.1.0  |        |
| clarkwinkelmann-advanced-search-highlight | 1.0.2   |        |
| askvortsov-rich-text                      | v2.1.7  |        |
| askvortsov-markdown-tables                | v1.2.1  |        |
+-------------------------------------------+---------+--------+
Base URL: https://forum.test
Installation path: /home/vagrant/nxmndr/forum
Queue driver: sync
Session driver: file
Scheduler status: Never run
Mail driver: smtp
Debug mode: ON

Possible solution(s)
I believe there should be additional View and Delete permissions for other users' files.

Best

@nxmndr nxmndr added the bug label Jan 29, 2024
@DavideIadeluca DavideIadeluca self-assigned this Feb 29, 2024
DavideIadeluca (Member) commented

Hi @nxmndr, thanks for the bug report! Are you able to reproduce the permission issue when only fof/upload is enabled (besides the Flarum 1st party extensions)?

Regarding the page reload being required: in this sense it's not really a bug, but a feature which would have to be implemented. A web socket connection would be required for this to work, which could optionally be supported (for example with blomstra/realtime). Currently, this isn't a very high priority, but PRs are always welcome!


nxmndr commented Mar 25, 2024

I can reproduce it indeed =)

I re-enabled it too.

A websocket? I don't mean the user seeing changes made by admin instantly, I mean the admin not seeing the result of the deletion they made themselves, as in click => nothing happens on the screen. I'm still new to Flarum but I think calling GET /api/fof/uploads once POST /api/fof/upload/delete is done would be enough (might even include it in the POST result).

(edited for clarity)

@github-actions github-actions bot added the Stale label Jun 17, 2024
@DavideIadeluca DavideIadeluca added the keep Issues that should not be closed label Jun 17, 2024
@DavideIadeluca DavideIadeluca linked a pull request Nov 10, 2024 that will close this issue