From 9bc6011876de1fcd5a3526e6f0de813363421d32 Mon Sep 17 00:00:00 2001
From: Steven Nguyen
Date: Thu, 31 Aug 2023 20:28:13 -0700
Subject: [PATCH] Fix fileSecurity check
Because of the `getAttributes()` call, `$fileSecurity` was always true which lead to invalid permission check. This resulted in files being deleted when a user had delete permissions on the file even though they didn't on the bucket.
---
 app/controllers/api/storage.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/controllers/api/storage.php b/app/controllers/api/storage.php
index 8cad0aaf8f..60e474a7eb 100644
--- a/app/controllers/api/storage.php
+++ b/app/controllers/api/storage.php
@@ -1316,7 +1316,7 @@ App::put('/v1/storage/buckets/:bucketId/files/:fileId')
 throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND);
 }
- $fileSecurity = $bucket->getAttributes('fileSecurity', false);
+ $fileSecurity = $bucket->getAttribute('fileSecurity', false);
 $validator = new Authorization(Database::PERMISSION_UPDATE);
 $valid = $validator->isValid($bucket->getUpdate());
 if (!$fileSecurity && !$valid) {
@@ -1423,7 +1423,7 @@ App::delete('/v1/storage/buckets/:bucketId/files/:fileId')
 throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND);
 }
- $fileSecurity = $bucket->getAttributes('fileSecurity', false);
+ $fileSecurity = $bucket->getAttribute('fileSecurity', false);
 $validator = new Authorization(Database::PERMISSION_DELETE);
 $valid = $validator->isValid($bucket->getDelete());
 if (!$fileSecurity && !$valid) {
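Review bot: No regression test accompanies this authorization fix, although the `if (!$fileSecurity && !$valid)` guard in both hunks (the PUT and DELETE file routes) is the only bucket-level gate when file security is off; the diffstat shows `storage.php` as the sole changed file, so a test should assert that a caller with file-level update or delete permission but no bucket permission is rejected on a bucket where `fileSecurity` is disabled. The cause was a one-letter method-name slip that returned a truthy value without any error, so the remaining storage routes should be searched for `getAttributes('fileSecurity'`, since only these two call sites are visible here. Assuming the attribute is stored as a boolean, a strict form such as `$fileSecurity = $bucket->getAttribute('fileSecurity', false) === true;` would make the guard fail closed if a non-boolean value is ever returned again. Both route handlers start and end outside their hunks, so the file-level permission check that follows could not be reviewed.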