Members cannot delete their own files

Open nxmndr opened this issue 1 year ago • 2 comments

Bug Report

Current Behavior

Admins can delete their files and other members', but members cannot delete their own. A file deleted by an admin also remains in the media manager view until the page is reloaded.

Steps to Reproduce

  1. Go to /admin#/extension/fof-upload as an admin and give the Member role permissions to Upload, View and Delete files.
  2. Go to /u/<me>/uploads as a Member.
  3. A delete button has appeared near each file. Clicking on said button results in a 403 error.
See call stack
POST https://forum.test/api/fof/upload/delete/988f0772-e3ab-4ba5-9a83-9205c2f45d6d
Flarum\User\Exception\PermissionDeniedException in /home/vagrant/nxmndr/forum/vendor/flarum/core/src/User/User.php:611
Stack trace:
#0 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/User/User.php(638): Flarum\User\User->assertPermission()
#1 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/User/User.php(648): Flarum\User\User->assertCan()
#2 /home/vagrant/nxmndr/forum/vendor/fof/upload/src/Commands/DeleteFileHandler.php(51): Flarum\User\User->assertAdmin()
#3 /home/vagrant/nxmndr/forum/vendor/illuminate/bus/Dispatcher.php(122): FoF\Upload\Commands\DeleteFileHandler->handle()
#4 /home/vagrant/nxmndr/forum/vendor/illuminate/pipeline/Pipeline.php(128): Illuminate\Bus\Dispatcher->Illuminate\Bus\{closure}()
#5 /home/vagrant/nxmndr/forum/vendor/illuminate/pipeline/Pipeline.php(103): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#6 /home/vagrant/nxmndr/forum/vendor/illuminate/bus/Dispatcher.php(132): Illuminate\Pipeline\Pipeline->then()
#7 /home/vagrant/nxmndr/forum/vendor/illuminate/bus/Dispatcher.php(78): Illuminate\Bus\Dispatcher->dispatchNow()
#8 /home/vagrant/nxmndr/forum/vendor/fof/upload/src/Api/Controllers/DeleteFileController.php(38): Illuminate\Bus\Dispatcher->dispatch()
#9 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Api/Controller/AbstractDeleteController.php(24): FoF\Upload\Api\Controllers\DeleteFileController->delete()
#10 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/RouteHandlerFactory.php(41): Flarum\Api\Controller\AbstractDeleteController->handle()
#11 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/ExecuteRoute.php(27): Flarum\Http\RouteHandlerFactory->Flarum\Http\{closure}()
#12 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\ExecuteRoute->process()
#13 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Api/Middleware/ThrottleApi.php(33): Laminas\Stratigility\Next->handle()
#14 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Api\Middleware\ThrottleApi->process()
#15 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/CheckCsrfToken.php(44): Laminas\Stratigility\Next->handle()
#16 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\CheckCsrfToken->process()
#17 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/ResolveRoute.php(69): Laminas\Stratigility\Next->handle()
#18 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\ResolveRoute->process()
#19 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/SetLocale.php(51): Laminas\Stratigility\Next->handle()
#20 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\SetLocale->process()
#21 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/AuthenticateWithHeader.php(58): Laminas\Stratigility\Next->handle()
#22 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\AuthenticateWithHeader->process()
#23 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/AuthenticateWithSession.php(31): Laminas\Stratigility\Next->handle()
#24 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\AuthenticateWithSession->process()
#25 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/RememberFromCookie.php(52): Laminas\Stratigility\Next->handle()
#26 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\RememberFromCookie->process()
#27 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/StartSession.php(61): Laminas\Stratigility\Next->handle()
#28 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\StartSession->process()
#29 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Api/Middleware/FakeHttpMethods.php(29): Laminas\Stratigility\Next->handle()
#30 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Api\Middleware\FakeHttpMethods->process()
#31 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/ParseJsonBody.php(28): Laminas\Stratigility\Next->handle()
#32 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\ParseJsonBody->process()
#33 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/HandleErrors.php(57): Laminas\Stratigility\Next->handle()
#34 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\HandleErrors->process()
#35 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/InjectActorReference.php(25): Laminas\Stratigility\Next->handle()
#36 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\InjectActorReference->process()
#37 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/MiddlewarePipe.php(75): Laminas\Stratigility\Next->handle()
#38 /home/vagrant/nxmndr/forum/vendor/middlewares/request-handler/src/RequestHandler.php(84): Laminas\Stratigility\MiddlewarePipe->process()
#39 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Middlewares\RequestHandler->process()
#40 /home/vagrant/nxmndr/forum/vendor/middlewares/base-path-router/src/BasePathRouter.php(99): Laminas\Stratigility\Next->handle()
#41 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Middlewares\BasePathRouter->process()
#42 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Middleware/OriginalMessages.php(36): Laminas\Stratigility\Next->handle()
#43 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Laminas\Stratigility\Middleware\OriginalMessages->process()
#44 /home/vagrant/nxmndr/forum/vendor/middlewares/base-path/src/BasePath.php(73): Laminas\Stratigility\Next->handle()
#45 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Middlewares\BasePath->process()
#46 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/ProcessIp.php(24): Laminas\Stratigility\Next->handle()
#47 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\ProcessIp->process()
#48 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/MiddlewarePipe.php(75): Laminas\Stratigility\Next->handle()
#49 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/MiddlewarePipe.php(64): Laminas\Stratigility\MiddlewarePipe->process()
#50 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-httphandlerrunner/src/RequestHandlerRunner.php(73): Laminas\Stratigility\MiddlewarePipe->handle()
#51 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Server.php(45): Laminas\HttpHandlerRunner\RequestHandlerRunner->run()
#52 /home/vagrant/nxmndr/forum/public/index.php(26): Flarum\Http\Server->listen()
#53 {main}

Expected Behavior

Having the Delete permission as a member should allow deleting one's own files.

They should also disappear from the view without requiring page reload.

Environment

  • Flarum version: 1.8.5
  • Extension version: 1.5.4
  • Website URL: localhost
  • Webserver: tested on apache 2.4 and nginx 1.18
  • Hosting environment: Linux and MacOS respectively
  • PHP version: 8.2.12 and 8.2.10
  • Browser: Firefox 121 & Safari 14.1
Output of "php flarum info"
Flarum core: 1.8.5
PHP version: 8.2.10
MySQL version: 11.1.2-MariaDB-1:11.1.2+maria~ubu2004
Loaded extensions: Core, date, libxml, openssl, pcre, zlib, filter, hash, json, pcntl, random, Reflection, SPL, session, standard, sodium, mysqlnd, PDO, xml, bcmath, bz2, calendar, ctype, curl, dba, dom, enchant, mbstring, FFI, fileinfo, ftp, gd, gettext, gmp, iconv, igbinary, imagick, imap, intl, ldap, exif, msgpack, mysqli, odbc, pdo_dblib, PDO_Firebird, pdo_mysql, PDO_ODBC, pdo_pgsql, pdo_sqlite, pgsql, Phar, posix, pspell, readline, redis, shmop, SimpleXML, snmp, soap, sockets, sqlite3, sysvmsg, sysvsem, sysvshm, tidy, tokenizer, xmlreader, xmlrpc, xmlwriter, xsl, zip, memcached, Zend OPcache, xdebug
+-------------------------------------------+---------+--------+
| Flarum Extensions                         |         |        |
+-------------------------------------------+---------+--------+
| ID                                        | Version | Commit |
+-------------------------------------------+---------+--------+
| flarum-flags                              | v1.8.0  |        |
| flarum-tags                               | v1.8.0  |        |
| flarum-approval                           | v1.8.1  |        |
| flarum-mentions                           | v1.8.3  |        |
| flarum-subscriptions                      | v1.8.0  |        |
| fof-follow-tags                           | 1.2.2   |        |
| flarum-markdown                           | v1.8.0  |        |
| fof-upload                                | 1.5.4   |        |
| fof-best-answer                           | 1.4.1   |        |
| flarum-suspend                            | v1.8.1  |        |
| flarum-sticky                             | v1.8.0  |        |
| flarum-statistics                         | v1.8.0  |        |
| flarum-lock                               | v1.8.0  |        |
| flarum-likes                              | v1.8.0  |        |
| flarum-lang-english                       | v1.8.0  |        |
| flarum-emoji                              | v1.8.0  |        |
| flarum-bbcode                             | v1.8.0  |        |
| datlechin-discussion-count                | v0.1.0  |        |
| clarkwinkelmann-advanced-search-highlight | 1.0.2   |        |
| askvortsov-rich-text                      | v2.1.7  |        |
| askvortsov-markdown-tables                | v1.2.1  |        |
+-------------------------------------------+---------+--------+
Base URL: https://forum.test
Installation path: /home/vagrant/nxmndr/forum
Queue driver: sync
Session driver: file
Scheduler status: Never run
Mail driver: smtp
Debug mode: ON

Possible solution(s)

I believe there should be additional View and Delete permissions for other users' files.

Best

nxmndr • Jan 29 '24 15:01
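Frame #2 of the stack trace above shows DeleteFileHandler calling assertAdmin(), which is why a member holding the Delete permission still gets a 403. As an added example (not fof/upload's code; the classes, permission names and sample data are hypothetical stand-ins), an ownership-aware check along the lines of the proposed solution could look like this:

```php
<?php
// Added illustration; stand-in types, not Flarum or fof/upload classes.
declare(strict_types=1);

final class Actor
{
    /** @param string[] $permissions */
    public function __construct(
        public readonly int $id,
        public readonly bool $isAdmin = false,
        public readonly array $permissions = [],
    ) {}

    public function has(string $permission): bool
    {
        // Admins implicitly hold every permission.
        return $this->isAdmin || in_array($permission, $this->permissions, true);
    }
}

final class UploadedFile
{
    public function __construct(public readonly string $uuid, public readonly ?int $ownerId) {}
}

// Hypothetical permission names: one for the actor's own files, one for anyone's.
const DELETE_OWN = 'upload.deleteOwn';
const DELETE_ANY = 'upload.deleteAny';

function canDelete(Actor $actor, UploadedFile $file): bool
{
    if ($actor->has(DELETE_ANY)) {
        return true; // admins and anyone delegated to manage other users' files
    }
    // Ownership comes from the stored owner id, never from a request field.
    // A file without an owner (null) is never treated as the actor's own.
    return $file->ownerId !== null
        && $file->ownerId === $actor->id
        && $actor->has(DELETE_OWN);
}

// Constructed sample data covering the cases from the report.
$admin  = new Actor(1, isAdmin: true);
$member = new Actor(2, permissions: [DELETE_OWN]);
$guest  = new Actor(3);
$mine   = new UploadedFile('constructed-uuid-a', 2);
$theirs = new UploadedFile('constructed-uuid-b', 1);
$orphan = new UploadedFile('constructed-uuid-c', null);

foreach ([[$admin, $theirs], [$member, $mine], [$member, $theirs], [$member, $orphan], [$guest, $mine]] as [$a, $f]) {
    printf("actor %d -> %s: %s\n", $a->id, $f->uuid, canDelete($a, $f) ? 'allow' : '403');
}
```

Using the same decision to tell the client whether to render the delete button keeps the UI from offering an action the server will refuse, as happens in step 3 of the report.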

Hi @nxmndr thanks for the bug report! Are you able to reproduce the permission issue when only fof/upload is enabled (besides the Flarum 1st party extensions)?

Regarding the page reload being required; in this sense it's not really a bug, but a feature which would have to be implemented. A web socket connection would be required for this to work, which could optionally be supported (for example with blomstra/realtime). Currently, this isn't a very high priority, but PRs are always welcome!

DavideIadeluca • Feb 29 '24 19:02

I can reproduce it indeed =)

I re-enabled it too.

A websocket? I don't mean the user seeing changes made by admin instantly, I mean the admin not seeing the result of the deletion they made themselves, as in click => nothing happens on the screen. I'm still new to Flarum but I think calling GET /api/fof/uploads once POST /api/fof/upload/delete is done would be enough (might even include it in the POST result).

(edited for clarity)

nxmndr • Mar 25 '24 13:03