FriendsOfFlarum / upload

The file upload extension with insane intelligence for your Flarum forum.
https://discuss.flarum.org/d/4154
MIT License

Members cannot delete their own files #393

Open nxmndr opened 5 months ago

nxmndr commented 5 months ago

Bug Report

Current Behavior

Admins can delete their files and other members', but members cannot delete their own. A file deleted by an admin also remains in the media manager view until the page is reloaded.

Steps to Reproduce

  1. Go to /admin#/extension/fof-upload as an admin and give the Member role permissions to Upload, View and Delete files.
  2. Go to /u/<me>/uploads as a Member.
  3. A delete button has appeared near each file. Clicking on said button results in a 403 error.

See call stack

```
POST https://forum.test/api/fof/upload/delete/988f0772-e3ab-4ba5-9a83-9205c2f45d6d
Flarum\User\Exception\PermissionDeniedException in /home/vagrant/nxmndr/forum/vendor/flarum/core/src/User/User.php:611
Stack trace:
#0 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/User/User.php(638): Flarum\User\User->assertPermission()
#1 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/User/User.php(648): Flarum\User\User->assertCan()
#2 /home/vagrant/nxmndr/forum/vendor/fof/upload/src/Commands/DeleteFileHandler.php(51): Flarum\User\User->assertAdmin()
#3 /home/vagrant/nxmndr/forum/vendor/illuminate/bus/Dispatcher.php(122): FoF\Upload\Commands\DeleteFileHandler->handle()
#4 /home/vagrant/nxmndr/forum/vendor/illuminate/pipeline/Pipeline.php(128): Illuminate\Bus\Dispatcher->Illuminate\Bus\{closure}()
#5 /home/vagrant/nxmndr/forum/vendor/illuminate/pipeline/Pipeline.php(103): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#6 /home/vagrant/nxmndr/forum/vendor/illuminate/bus/Dispatcher.php(132): Illuminate\Pipeline\Pipeline->then()
#7 /home/vagrant/nxmndr/forum/vendor/illuminate/bus/Dispatcher.php(78): Illuminate\Bus\Dispatcher->dispatchNow()
#8 /home/vagrant/nxmndr/forum/vendor/fof/upload/src/Api/Controllers/DeleteFileController.php(38): Illuminate\Bus\Dispatcher->dispatch()
#9 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Api/Controller/AbstractDeleteController.php(24): FoF\Upload\Api\Controllers\DeleteFileController->delete()
#10 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/RouteHandlerFactory.php(41): Flarum\Api\Controller\AbstractDeleteController->handle()
#11 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/ExecuteRoute.php(27): Flarum\Http\RouteHandlerFactory->Flarum\Http\{closure}()
#12 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\ExecuteRoute->process()
#13 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Api/Middleware/ThrottleApi.php(33): Laminas\Stratigility\Next->handle()
#14 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Api\Middleware\ThrottleApi->process()
#15 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/CheckCsrfToken.php(44): Laminas\Stratigility\Next->handle()
#16 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\CheckCsrfToken->process()
#17 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/ResolveRoute.php(69): Laminas\Stratigility\Next->handle()
#18 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\ResolveRoute->process()
#19 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/SetLocale.php(51): Laminas\Stratigility\Next->handle()
#20 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\SetLocale->process()
#21 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/AuthenticateWithHeader.php(58): Laminas\Stratigility\Next->handle()
#22 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\AuthenticateWithHeader->process()
#23 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/AuthenticateWithSession.php(31): Laminas\Stratigility\Next->handle()
#24 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\AuthenticateWithSession->process()
#25 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/RememberFromCookie.php(52): Laminas\Stratigility\Next->handle()
#26 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\RememberFromCookie->process()
#27 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/StartSession.php(61): Laminas\Stratigility\Next->handle()
#28 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\StartSession->process()
#29 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Api/Middleware/FakeHttpMethods.php(29): Laminas\Stratigility\Next->handle()
#30 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Api\Middleware\FakeHttpMethods->process()
#31 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/ParseJsonBody.php(28): Laminas\Stratigility\Next->handle()
#32 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\ParseJsonBody->process()
#33 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/HandleErrors.php(57): Laminas\Stratigility\Next->handle()
#34 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\HandleErrors->process()
#35 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/InjectActorReference.php(25): Laminas\Stratigility\Next->handle()
#36 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\InjectActorReference->process()
#37 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/MiddlewarePipe.php(75): Laminas\Stratigility\Next->handle()
#38 /home/vagrant/nxmndr/forum/vendor/middlewares/request-handler/src/RequestHandler.php(84): Laminas\Stratigility\MiddlewarePipe->process()
#39 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Middlewares\RequestHandler->process()
#40 /home/vagrant/nxmndr/forum/vendor/middlewares/base-path-router/src/BasePathRouter.php(99): Laminas\Stratigility\Next->handle()
#41 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Middlewares\BasePathRouter->process()
#42 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Middleware/OriginalMessages.php(36): Laminas\Stratigility\Next->handle()
#43 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Laminas\Stratigility\Middleware\OriginalMessages->process()
#44 /home/vagrant/nxmndr/forum/vendor/middlewares/base-path/src/BasePath.php(73): Laminas\Stratigility\Next->handle()
#45 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Middlewares\BasePath->process()
#46 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/ProcessIp.php(24): Laminas\Stratigility\Next->handle()
#47 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\ProcessIp->process()
#48 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/MiddlewarePipe.php(75): Laminas\Stratigility\Next->handle()
#49 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/MiddlewarePipe.php(64): Laminas\Stratigility\MiddlewarePipe->process()
#50 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-httphandlerrunner/src/RequestHandlerRunner.php(73): Laminas\Stratigility\MiddlewarePipe->handle()
#51 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Server.php(45): Laminas\HttpHandlerRunner\RequestHandlerRunner->run()
#52 /home/vagrant/nxmndr/forum/public/index.php(26): Flarum\Http\Server->listen()
#53 {main}
```

Expected Behavior

Having the Delete permission as a member should allow deleting one's own files.

They should also disappear from the view without requiring page reload.

Environment

Output of "php flarum info"

```
Flarum core: 1.8.5
PHP version: 8.2.10
MySQL version: 11.1.2-MariaDB-1:11.1.2+maria~ubu2004
Loaded extensions: Core, date, libxml, openssl, pcre, zlib, filter, hash, json, pcntl, random, Reflection, SPL, session, standard, sodium, mysqlnd, PDO, xml, bcmath, bz2, calendar, ctype, curl, dba, dom, enchant, mbstring, FFI, fileinfo, ftp, gd, gettext, gmp, iconv, igbinary, imagick, imap, intl, ldap, exif, msgpack, mysqli, odbc, pdo_dblib, PDO_Firebird, pdo_mysql, PDO_ODBC, pdo_pgsql, pdo_sqlite, pgsql, Phar, posix, pspell, readline, redis, shmop, SimpleXML, snmp, soap, sockets, sqlite3, sysvmsg, sysvsem, sysvshm, tidy, tokenizer, xmlreader, xmlrpc, xmlwriter, xsl, zip, memcached, Zend OPcache, xdebug
+-------------------------------------------+---------+--------+
| Flarum Extensions                         |         |        |
+-------------------------------------------+---------+--------+
| ID                                        | Version | Commit |
+-------------------------------------------+---------+--------+
| flarum-flags                              | v1.8.0  |        |
| flarum-tags                               | v1.8.0  |        |
| flarum-approval                           | v1.8.1  |        |
| flarum-mentions                           | v1.8.3  |        |
| flarum-subscriptions                      | v1.8.0  |        |
| fof-follow-tags                           | 1.2.2   |        |
| flarum-markdown                           | v1.8.0  |        |
| fof-upload                                | 1.5.4   |        |
| fof-best-answer                           | 1.4.1   |        |
| flarum-suspend                            | v1.8.1  |        |
| flarum-sticky                             | v1.8.0  |        |
| flarum-statistics                         | v1.8.0  |        |
| flarum-lock                               | v1.8.0  |        |
| flarum-likes                              | v1.8.0  |        |
| flarum-lang-english                       | v1.8.0  |        |
| flarum-emoji                              | v1.8.0  |        |
| flarum-bbcode                             | v1.8.0  |        |
| datlechin-discussion-count                | v0.1.0  |        |
| clarkwinkelmann-advanced-search-highlight | 1.0.2   |        |
| askvortsov-rich-text                      | v2.1.7  |        |
| askvortsov-markdown-tables                | v1.2.1  |        |
+-------------------------------------------+---------+--------+
Base URL: https://forum.test
Installation path: /home/vagrant/nxmndr/forum
Queue driver: sync
Session driver: file
Scheduler status: Never run
Mail driver: smtp
Debug mode: ON
```

Possible solution(s)

I believe there should be additional View and Delete permissions for other users' files.

Best
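
The ownership-aware check the report asks for, as an added example (not FoF Upload's or Flarum's own code): one policy function makes the server-side delete decision and also produces the flag that controls whether the delete button is shown, so the UI and the API cannot disagree the way the 403 above shows. The `Actor` class, the permission keys and `fileAttributes()` are hypothetical names.

```php
<?php
declare(strict_types=1);

// Hypothetical permission keys for illustration, not the extension's real ones.
const PERM_DELETE_OWN    = 'files.deleteOwn';
const PERM_DELETE_OTHERS = 'files.deleteOthers';

final class Actor
{
    /** @param string[] $permissions */
    public function __construct(
        public readonly ?int $id,              // null means guest
        public readonly bool $isAdmin = false,
        public readonly array $permissions = [],
    ) {}

    public function can(string $permission): bool
    {
        return $this->isAdmin || in_array($permission, $this->permissions, true);
    }
}

/** Single server-side decision: may $actor delete a file uploaded by $ownerId? */
function canDeleteFile(Actor $actor, ?int $ownerId): bool
{
    if ($actor->id === null) {
        return false;                          // guests never delete
    }
    if ($ownerId === $actor->id && $actor->can(PERM_DELETE_OWN)) {
        return true;                           // own file, member-level permission
    }
    return $actor->can(PERM_DELETE_OTHERS);    // other users' or ownerless files
}

/** The flag the client uses to show the button comes from the same policy. */
function fileAttributes(Actor $actor, string $uuid, ?int $ownerId): array
{
    return ['uuid' => $uuid, 'canDelete' => canDeleteFile($actor, $ownerId)];
}

// Constructed sample data: member 2 holds only the "own files" permission.
$member = new Actor(2, permissions: [PERM_DELETE_OWN]);
$admin  = new Actor(1, isAdmin: true);
foreach ([[$member, 2], [$member, 3], [$member, null], [$admin, 3], [new Actor(null), 2]] as [$who, $owner]) {
    $attrs = fileAttributes($who, 'constructed-uuid', $owner);
    printf("actor=%s owner=%s canDelete=%s\n", $who->id ?? 'guest', $owner ?? 'none', $attrs['canDelete'] ? 'yes' : 'no');
}
```

With this split, the member is allowed only for the file they uploaded, the admin for every file, and the guest for none.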

DavideIadeluca commented 4 months ago

Hi @nxmndr thanks for the bug report! Are you able to reproduce the permission issue when only fof/upload is enabled (besides the Flarum 1st party extensions)?

Regarding the page reload being required; in this sense it's not really a bug, but a feature which would have to be implemented. A web socket connection would be required for this to work, which could optionally be supported (for example with blomstra/realtime). Currently, this isn't a very high priority, but PRs are always welcome!

nxmndr commented 3 months ago

I can reproduce it indeed =)

I re-enabled it too.

A websocket? I don't mean the user seeing changes made by admin instantly, I mean the admin not seeing the result of the deletion they made themselves as in click => nothing happens on the screen. I'm still new to Flarum but I think calling GET /api/fof/uploads once POST /api/fof/upload/delete is done would be enough (might even include it in the POST result).

(edited for clarity)