topcoder-platform · jmgasper · Feb 7, 2021 · Feb 7, 2021
diff --git a/config/vanilla/bootstrap.late.php b/config/vanilla/bootstrap.late.php
@@ -55,4 +55,16 @@
        $CategoryModel->recalculateTree();
        unset($CategoryModel);
     }
+
+
+   // Define some permissions for the Vanilla categories.
+   // FIX: https://github.com/topcoder-platform/forums/issues/373
+   $PermissionModel->define(
+        [
+            'Vanilla.Discussions.Uploads' => 0,
+            'Vanilla.Comments.Uploads' => 0],
+        'tinyint',
+        'Category',
+        'PermissionCategoryID'
+    );
 }
diff --git a/vanilla/applications/dashboard/controllers/api/MediaApiController.php b/vanilla/applications/dashboard/controllers/api/MediaApiController.php
@@ -364,12 +364,6 @@ public function patch_attachment(int $id, array $body): array {
      * @return array
      */
     public function post(array $body) {
-        if(!Gdn::session()->checkPermission('Garden.Uploads.Add')) {
-            throw new ClientException('You don\'t have permission to upload files', 403);
-        }
-
-        //$this->permission('Garden.Uploads.Add');
-
         $allowedExtensions = $this->config->get('Garden.Upload.AllowedFileExtensions', []);
         $uploadSchema = new UploadedFileSchema([
             UploadedFileSchema::OPTION_ALLOWED_EXTENSIONS => $allowedExtensions,
@@ -380,10 +374,69 @@ public function post(array $body) {
 
         $in = $this->schema([
             'file' => $uploadSchema,
+            'categoryID:i?' => "CategoryID",
+            'discussionID:i?' => "DiscussionID",
+            'commentID:i?' => "CommentID",
+            'actionType:s?' => "ActionType"
         ], 'in')->setDescription('Add a media item.');
-        $out = $this->schema($this->fullSchema(), 'out');
-
         $body = $in->validate($body);
+        $categoryID = $body['categoryID'];
+        $discussionID = $body['discussionID'];
+        $commentID = $body['commentID'];
+        $actionType = $body['actionType'];
+
+        if(!$categoryID && !$discussionID && !Gdn::session()->checkPermission('Garden.Uploads.Add')) {
+             throw new ClientException("You don't have permission to upload files", 403);
+        }
+
+        if(!Gdn::session()->checkPermission('Garden.Uploads.Add')) {
+            switch ($actionType) {
+                case 'NewDiscussion':
+                    if(!$categoryID) {
+                        throw new ClientException("You don't have permission to upload files", 403);
+                    }
+                    $permissionCategory = CategoryModel::permissionCategory($categoryID);
+                    $discussionsUploads = CategoryModel::checkPermission($permissionCategory, 'Vanilla.Discussions.Uploads');
+                    if(!$discussionsUploads) {
+                        throw new ClientException("You don't have permission to upload files", 403);
+                    }
+                    break;
+                case 'EditDiscussion':
+                    $discussionModel = new DiscussionModel();
+                    $discussion =  $discussionModel->getID($discussionID);
+                    if (!$discussion) {
+                        throw new NotFoundException('Discussion');
+                    }
+                    $categoryID = val('CategoryID', $discussion, false);
+                    $permissionCategory = CategoryModel::permissionCategory($categoryID);
+                    $discussionsUploads = CategoryModel::checkPermission($permissionCategory, 'Vanilla.Discussions.Uploads');
+                    if(!$discussionsUploads) {
+                        throw new ClientException("You don't have permission to upload files", 403);
+                    }
+                    break;
+                case 'NewComment':
+                case 'EditComment':
+                    $discussionModel = new DiscussionModel();
+                    $discussion =  $discussionModel->getID($discussionID);
+                    if (!$discussion) {
+                        throw new NotFoundException('Discussion');
+                    }
+
+                    $categoryID = val('CategoryID', $discussion, false);
+                    $permissionCategory = CategoryModel::permissionCategory($categoryID);
+                    $commentsUploads =  CategoryModel::checkPermission($permissionCategory, 'Vanilla.Comments.Uploads');
+                    // No permissions
+                    if(!$commentsUploads) {
+                        throw new ClientException("You don't have permission to upload files", 403);
+                    }
+                    break;
+                default:
+                    throw new ClientException("You don't have permission to upload files", 403);
+            }
+
+        }
+
+        $out = $this->schema($this->fullSchema(), 'out');
 
         $imageExtensions = array_keys(ImageResizer::getExtType());
         /** @var UploadedFile $file */

diff --git a/vanilla/applications/vanilla/controllers/class.discussioncontroller.php b/vanilla/applications/vanilla/controllers/class.discussioncontroller.php
@@ -257,6 +257,8 @@ public function index($DiscussionID = '', $DiscussionStub = '', $Page = '') {
         $this->DiscussionID = $this->Discussion->DiscussionID;
         $this->Form->addHidden('DiscussionID', $this->DiscussionID);
         $this->Form->addHidden('CommentID', '');
+        $this->setData('ActionType', 'NewComment');
+        $this->Form->addHidden('ActionType', 'NewComment');
 
         // Look in the session stash for a comment
         $StashComment = $Session->getPublicStash('CommentForDiscussionID_'.$this->Discussion->DiscussionID);

diff --git a/vanilla/applications/vanilla/controllers/class.postcontroller.php b/vanilla/applications/vanilla/controllers/class.postcontroller.php
@@ -173,7 +173,7 @@ public function discussion($categoryUrlCode = '') {
             $this->Form->setFormValue('DiscussionID', $this->Discussion->DiscussionID);
 
             $this->title(t('Edit Discussion'));
-
+            $this->setData('ActionType', 'EditDiscussion');
             if ($this->Discussion->Type) {
                 $this->setData('Type', $this->Discussion->Type);
             } else {
@@ -197,8 +197,10 @@ public function discussion($categoryUrlCode = '') {
                 $this->permission('Vanilla.Discussions.Add');
             }
             $this->title(t('New Discussion'));
+            $this->setData('ActionType', 'NewDiscussion');
         }
 
+        $this->Form->addHidden('ActionType', $this->data('ActionType'));
         touchValue('Type', $this->Data, 'Discussion');
 
         // Remove Announce parameter if it was injected into the form.
@@ -443,7 +445,7 @@ public function editDiscussion($discussionID = '', $draftID = '') {
             $record = $this->Draft = $this->DraftModel->getID($draftID);
             $this->CategoryID = $this->Draft->CategoryID;
             $this->setData('ShowPreviewButton', $record->Format != 'Rich');
-
+            $this->setData('ActionType', 'NewDiscussion');
             // FIX: https://github.com/topcoder-platform/forums/issues/347
             $this->setData('_CancelUrl', '/drafts');
             // Verify this is their draft
@@ -452,6 +454,7 @@ public function editDiscussion($discussionID = '', $draftID = '') {
             }
         } else {
             $record = $this->DiscussionModel->getID($discussionID);
+            $this->setData('ActionType', 'EditDiscussion');
             $this->setData('ShowPreviewButton', $this->Discussion->Format != 'Rich');
             // FIX: Issues-308: Editor - supporting old and new formats
             $this->EventArguments['Discussion'] = &$record;
@@ -693,7 +696,7 @@ public function comment($DiscussionID = '') {
         $this->Form->addHidden('DiscussionID', $DiscussionID);
         $this->Form->addHidden('CommentID', $CommentID);
         $this->Form->addHidden('DraftID', $DraftID, true);
-
+        $this->Form->addHidden('ActionType', $this->data('ActionType'));
         // Check permissions
         if ($Discussion && $Editing) {
             // Make sure that content can (still) be edited.
@@ -987,9 +990,11 @@ public function comment2($commentID, $inserted = false) {
      */
     public function editComment($commentID = '', $draftID = '') {
         if (is_numeric($commentID) && $commentID > 0) {
+            $this->setData('ActionType', 'EditComment');
             $this->Form->setModel($this->CommentModel);
             $this->Comment = $this->CommentModel->getID($commentID);
         } else {
+            $this->setData('ActionType', 'NewComment');
             $this->Form->setModel($this->DraftModel);
             $this->Comment = $this->DraftModel->getID($draftID);
         }

diff --git a/vanilla/applications/vanilla/models/class.categorymodel.php b/vanilla/applications/vanilla/models/class.categorymodel.php
@@ -211,6 +211,8 @@ private function calculateUser(array &$category, $addUserCategory = null) {
         $category['PermsDiscussionsAdd'] = self::checkPermission($category, 'Vanilla.Discussions.Add');
         $category['PermsDiscussionsEdit'] = self::checkPermission($category, 'Vanilla.Discussions.Edit');
         $category['PermsCommentsAdd'] = self::checkPermission($category, 'Vanilla.Comments.Add');
+        $category['PermsDiscussionsUploads'] = self::checkPermission($category, 'Vanilla.Discussions.Uploads');
+        $category['PermsCommentsUploads'] = self::checkPermission($category, 'Vanilla.Comments.Uploads');
 
         $code = $category['UrlCode'];
         $category['Name'] = Gdn::translate("Categories.".$code.".Name", $category['Name']);