Don't allow downloads form non-accessible directories.

Double-check that the user has access to both the directory and the containing library before allowing a download a file.
echicken · Aug 16, 2020 · abef8a3 · abef8a3
1 parent c0b6506
commit abef8a3
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/web/root/api/files.ssjs b/web/root/api/files.ssjs
@@ -16,6 +16,8 @@ if ((http_request.method === 'GET' || http_request.method === 'POST') &&
 		case 'download-file':
 			if (typeof http_request.query.dir !== 'undefined' &&
 				typeof file_area.dir[http_request.query.dir[0]] !== 'undefined'	&&
+                file_area.dir[http_request.query.dir[0]].lib_index >= 0 &&
+                file_area.dir[http_request.query.dir[0]].index >= 0 &&
 				file_area.dir[http_request.query.dir[0]].can_download &&
 				typeof http_request.query.file !== 'undefined'
 			) {