feat: make sure user has file_create permission and save policy on source when downloading an image

theboxer · theboxer · commit 1e71d3cfe678 · 2025-04-16T09:54:45.000+02:00
Resolves #41
diff --git a/core/components/modai/src/API/Download/Image.php b/core/components/modai/src/API/Download/Image.php
@@ -20,6 +20,10 @@ public function post(ServerRequestInterface $request): void
             throw APIException::unauthorized();
         }
 
+        if (!$this->modx->hasPermission('file_create')) {
+            throw APIException::unauthorized();
+        }
+
         $data = $request->getParsedBody();
 
         $url = $this->modx->getOption('url', $data);
@@ -79,6 +83,10 @@ public function post(ServerRequestInterface $request): void
             throw new LexiconException('modai.error.source_init failed');
         }
 
+        if (!$source->checkPolicy('create')) {
+            throw APIException::unauthorized();
+        }
+
         $path = Settings::getImageSetting($this->modx, $field, 'path');
         $filePath = $this->createFilePath($path, $resource);
 
