Members cannot delete their own files #393

@nxmndr

Bug Report

Current Behavior
Admins can delete their own files and other members', but members cannot delete their own. A file deleted by an admin also remains in the media manager view until the page is reloaded.

Steps to Reproduce

  1. Go to /admin#/extension/fof-upload as an admin and give the Member role permissions to Upload, View and Delete files.
  2. Go to /u/<me>/uploads as a Member.
  3. A delete button has appeared near each file. Clicking on said button results in a 403 error.
See call stack
POST https://forum.test/api/fof/upload/delete/988f0772-e3ab-4ba5-9a83-9205c2f45d6d
Flarum\User\Exception\PermissionDeniedException in /home/vagrant/nxmndr/forum/vendor/flarum/core/src/User/User.php:611
Stack trace:
#0 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/User/User.php(638): Flarum\User\User->assertPermission()
#1 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/User/User.php(648): Flarum\User\User->assertCan()
#2 /home/vagrant/nxmndr/forum/vendor/fof/upload/src/Commands/DeleteFileHandler.php(51): Flarum\User\User->assertAdmin()
#3 /home/vagrant/nxmndr/forum/vendor/illuminate/bus/Dispatcher.php(122): FoF\Upload\Commands\DeleteFileHandler->handle()
#4 /home/vagrant/nxmndr/forum/vendor/illuminate/pipeline/Pipeline.php(128): Illuminate\Bus\Dispatcher->Illuminate\Bus\{closure}()
#5 /home/vagrant/nxmndr/forum/vendor/illuminate/pipeline/Pipeline.php(103): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#6 /home/vagrant/nxmndr/forum/vendor/illuminate/bus/Dispatcher.php(132): Illuminate\Pipeline\Pipeline->then()
#7 /home/vagrant/nxmndr/forum/vendor/illuminate/bus/Dispatcher.php(78): Illuminate\Bus\Dispatcher->dispatchNow()
#8 /home/vagrant/nxmndr/forum/vendor/fof/upload/src/Api/Controllers/DeleteFileController.php(38): Illuminate\Bus\Dispatcher->dispatch()
#9 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Api/Controller/AbstractDeleteController.php(24): FoF\Upload\Api\Controllers\DeleteFileController->delete()
#10 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/RouteHandlerFactory.php(41): Flarum\Api\Controller\AbstractDeleteController->handle()
#11 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/ExecuteRoute.php(27): Flarum\Http\RouteHandlerFactory->Flarum\Http\{closure}()
#12 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\ExecuteRoute->process()
#13 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Api/Middleware/ThrottleApi.php(33): Laminas\Stratigility\Next->handle()
#14 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Api\Middleware\ThrottleApi->process()
#15 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/CheckCsrfToken.php(44): Laminas\Stratigility\Next->handle()
#16 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\CheckCsrfToken->process()
#17 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/ResolveRoute.php(69): Laminas\Stratigility\Next->handle()
#18 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\ResolveRoute->process()
#19 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/SetLocale.php(51): Laminas\Stratigility\Next->handle()
#20 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\SetLocale->process()
#21 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/AuthenticateWithHeader.php(58): Laminas\Stratigility\Next->handle()
#22 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\AuthenticateWithHeader->process()
#23 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/AuthenticateWithSession.php(31): Laminas\Stratigility\Next->handle()
#24 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\AuthenticateWithSession->process()
#25 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/RememberFromCookie.php(52): Laminas\Stratigility\Next->handle()
#26 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\RememberFromCookie->process()
#27 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/StartSession.php(61): Laminas\Stratigility\Next->handle()
#28 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\StartSession->process()
#29 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Api/Middleware/FakeHttpMethods.php(29): Laminas\Stratigility\Next->handle()
#30 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Api\Middleware\FakeHttpMethods->process()
#31 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/ParseJsonBody.php(28): Laminas\Stratigility\Next->handle()
#32 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\ParseJsonBody->process()
#33 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/HandleErrors.php(57): Laminas\Stratigility\Next->handle()
#34 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\HandleErrors->process()
#35 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/InjectActorReference.php(25): Laminas\Stratigility\Next->handle()
#36 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\InjectActorReference->process()
#37 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/MiddlewarePipe.php(75): Laminas\Stratigility\Next->handle()
#38 /home/vagrant/nxmndr/forum/vendor/middlewares/request-handler/src/RequestHandler.php(84): Laminas\Stratigility\MiddlewarePipe->process()
#39 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Middlewares\RequestHandler->process()
#40 /home/vagrant/nxmndr/forum/vendor/middlewares/base-path-router/src/BasePathRouter.php(99): Laminas\Stratigility\Next->handle()
#41 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Middlewares\BasePathRouter->process()
#42 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Middleware/OriginalMessages.php(36): Laminas\Stratigility\Next->handle()
#43 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Laminas\Stratigility\Middleware\OriginalMessages->process()
#44 /home/vagrant/nxmndr/forum/vendor/middlewares/base-path/src/BasePath.php(73): Laminas\Stratigility\Next->handle()
#45 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Middlewares\BasePath->process()
#46 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Middleware/ProcessIp.php(24): Laminas\Stratigility\Next->handle()
#47 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/Next.php(49): Flarum\Http\Middleware\ProcessIp->process()
#48 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/MiddlewarePipe.php(75): Laminas\Stratigility\Next->handle()
#49 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-stratigility/src/MiddlewarePipe.php(64): Laminas\Stratigility\MiddlewarePipe->process()
#50 /home/vagrant/nxmndr/forum/vendor/laminas/laminas-httphandlerrunner/src/RequestHandlerRunner.php(73): Laminas\Stratigility\MiddlewarePipe->handle()
#51 /home/vagrant/nxmndr/forum/vendor/flarum/core/src/Http/Server.php(45): Laminas\HttpHandlerRunner\RequestHandlerRunner->run()
#52 /home/vagrant/nxmndr/forum/public/index.php(26): Flarum\Http\Server->listen()
#53 {main}

Expected Behavior
Having the Delete permission as a member should allow deleting one's own files.

They should also disappear from the view without requiring page reload.

Environment

  • Flarum version: 1.8.5
  • Extension version: 1.5.4
  • Website URL: localhost
  • Webserver: tested on apache 2.4 and nginx 1.18
  • Hosting environment: Linux and MacOS respectively
  • PHP version: 8.2.12 and 8.2.10
  • Browser: Firefox 121 & Safari 14.1
Output of "php flarum info"
Flarum core: 1.8.5
PHP version: 8.2.10
MySQL version: 11.1.2-MariaDB-1:11.1.2+maria~ubu2004
Loaded extensions: Core, date, libxml, openssl, pcre, zlib, filter, hash, json, pcntl, random, Reflection, SPL, session, standard, sodium, mysqlnd, PDO, xml, bcmath, bz2, calendar, ctype, curl, dba, dom, enchant, mbstring, FFI, fileinfo, ftp, gd, gettext, gmp, iconv, igbinary, imagick, imap, intl, ldap, exif, msgpack, mysqli, odbc, pdo_dblib, PDO_Firebird, pdo_mysql, PDO_ODBC, pdo_pgsql, pdo_sqlite, pgsql, Phar, posix, pspell, readline, redis, shmop, SimpleXML, snmp, soap, sockets, sqlite3, sysvmsg, sysvsem, sysvshm, tidy, tokenizer, xmlreader, xmlrpc, xmlwriter, xsl, zip, memcached, Zend OPcache, xdebug
+-------------------------------------------+---------+--------+
| Flarum Extensions                         |         |        |
+-------------------------------------------+---------+--------+
| ID                                        | Version | Commit |
+-------------------------------------------+---------+--------+
| flarum-flags                              | v1.8.0  |        |
| flarum-tags                               | v1.8.0  |        |
| flarum-approval                           | v1.8.1  |        |
| flarum-mentions                           | v1.8.3  |        |
| flarum-subscriptions                      | v1.8.0  |        |
| fof-follow-tags                           | 1.2.2   |        |
| flarum-markdown                           | v1.8.0  |        |
| fof-upload                                | 1.5.4   |        |
| fof-best-answer                           | 1.4.1   |        |
| flarum-suspend                            | v1.8.1  |        |
| flarum-sticky                             | v1.8.0  |        |
| flarum-statistics                         | v1.8.0  |        |
| flarum-lock                               | v1.8.0  |        |
| flarum-likes                              | v1.8.0  |        |
| flarum-lang-english                       | v1.8.0  |        |
| flarum-emoji                              | v1.8.0  |        |
| flarum-bbcode                             | v1.8.0  |        |
| datlechin-discussion-count                | v0.1.0  |        |
| clarkwinkelmann-advanced-search-highlight | 1.0.2   |        |
| askvortsov-rich-text                      | v2.1.7  |        |
| askvortsov-markdown-tables                | v1.2.1  |        |
+-------------------------------------------+---------+--------+
Base URL: https://forum.test
Installation path: /home/vagrant/nxmndr/forum
Queue driver: sync
Session driver: file
Scheduler status: Never run
Mail driver: smtp
Debug mode: ON

Possible solution(s)
I believe there should be additional View and Delete permissions for other users' files.

Best
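
Frames #0 to #2 of the trace show `DeleteFileHandler` stopping at `assertAdmin()`, so the Delete permission granted to the Member role is never consulted. The sketch below is an added example, not code from fof/upload or Flarum: it separates "delete own" from "delete others'" along the lines the report proposes, and every class and permission name in it is hypothetical.

```php
<?php
declare(strict_types=1);
// Added illustration: class and permission names are hypothetical,
// not taken from fof/upload or Flarum core.
final class Actor
{
    /** @param string[] $permissions */
    public function __construct(
        public readonly int $id,
        public readonly bool $isAdmin = false,
        public readonly array $permissions = [],
    ) {}
    public function has(string $permission): bool
    {
        return $this->isAdmin || in_array($permission, $this->permissions, true);
    }
}

final class DeletePolicy
{
    public const DELETE_OWN = 'upload.deleteOwn';       // hypothetical
    public const DELETE_OTHERS = 'upload.deleteOthers'; // hypothetical
    /** $ownerId is the stored uploader id; null if that account is gone. */
    public static function canDelete(Actor $actor, ?int $ownerId): bool
    {
        if ($actor->has(self::DELETE_OTHERS)) {
            return true;
        }
        // Ownership comes from the server-side file record, never from the request.
        return $ownerId !== null
            && $ownerId === $actor->id
            && $actor->has(self::DELETE_OWN);
    }
}

// Constructed actors and owner ids for the decision matrix.
$admin  = new Actor(1, isAdmin: true);
$member = new Actor(2, permissions: [DeletePolicy::DELETE_OWN]);
$reader = new Actor(3);
$cases = [
    "admin, another user's file"  => [$admin, 2],
    'member, own file'            => [$member, 2],
    "member, another user's file" => [$member, 3],
    'member, orphaned file'       => [$member, null],
    'no permission, own file'     => [$reader, 3],
];
foreach ($cases as $label => [$actor, $ownerId]) {
    printf("%-28s %s\n", $label, DeletePolicy::canDelete($actor, $ownerId) ? 'allow' : 'deny (403)');
}
```

The same decision should also drive whether the delete button is rendered, so the UI does not offer an action the API will refuse.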
