From ef16c941c590d61ad576e51a0651f7646b8d995b Mon Sep 17 00:00:00 2001
From: Rob Swindell <rob@synchro.net>
Date: Sat, 15 Aug 2020 17:31:31 -0700
Subject: [PATCH] Don't allow downloads form non-accessible directories.

Double-check that the user has access to both the directory and the containing
library before allowing a file to be downloaded.
---
 web/root/api/files.ssjs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/web/root/api/files.ssjs b/web/root/api/files.ssjs
index f128ffbaea..00f08a3b73 100644
--- a/web/root/api/files.ssjs
+++ b/web/root/api/files.ssjs
@@ -16,6 +16,8 @@ if ((http_request.method === 'GET' || http_request.method === 'POST') &&
 		case 'download-file':
 			if (typeof http_request.query.dir !== 'undefined' &&
 				typeof file_area.dir[http_request.query.dir[0]] !== 'undefined'	&&
+                file_area.dir[http_request.query.dir[0]].lib_index >= 0 &&
+                file_area.dir[http_request.query.dir[0]].index >= 0 &&
 				file_area.dir[http_request.query.dir[0]].can_download &&
 				typeof http_request.query.file !== 'undefined'
 			) {
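Review bot: The added `lib_index >= 0` and `index >= 0` tests carry their access meaning only in the commit message; nothing in the code says that a negative index marks a directory or library the current user cannot reach, so add a comment above the two new lines such as `// lib_index/index are -1 when the current user has no access to the library/directory`. As a side effect the numeric comparisons also reject a query `dir` value that names an inherited property of `file_area.dir` (for example `constructor`), which the existing `typeof ... !== 'undefined'` test alone lets through, because `undefined >= 0` is false; stating that in the same comment keeps the guard from being simplified away later. The two new lines are indented with spaces while the rest of the condition uses tabs. The `if` this condition belongs to continues past the hunk, and `file_area.dir[http_request.query.dir[0]]` is now evaluated five times, so hoisting it into a local at the top of the case (keeping the preceding `typeof http_request.query.dir` guard) would shorten the chain.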
-- 
GitLab