Merge pull request #317 from 10up/fix/avatar-set-user-check

Additional avatar REST checks
10up · Nov 14, 2024 · 6fa814e · 6fa814e
2 parents 52fa9fa + ba76619
commit 6fa814e
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/includes/class-simple-local-avatars.php b/includes/class-simple-local-avatars.php
@@ -1324,11 +1324,22 @@ public function set_avatar_rest( $input, $user ) {
 			return new \WP_Error( 'invalid_media_id', esc_html__( 'Request did not contain a valid media_id field.', 'simple-local-avatars' ) );
 		}
 
+		$attachment = get_post( (int) $input['media_id'] );
+
 		// Ensure this media_id is a valid attachment.
-		if ( ! wp_get_attachment_url( (int) $input['media_id'] ) ) {
+		if (
+			! $attachment ||
+			'attachment' !== $attachment->post_type ||
+			! wp_attachment_is_image( $attachment )
+		) {
 			return new \WP_Error( 'invalid_media_id', esc_html__( 'Media ID did not match a valid attachment.', 'simple-local-avatars' ) );
 		}
 
+		// Ensure this attachment is associated with this user.
+		if ( (int) $attachment->post_author !== (int) $user->ID ) {
+			return new \WP_Error( 'invalid_media_id', esc_html__( 'This attachment was not uploaded by this user.', 'simple-local-avatars' ) );
+		}
+
 		$this->assign_new_user_avatar( (int) $input['media_id'], $user->ID );
 	}