check message attachment's permission.

Fix dnnsoftware#3644.
zyhfish · Mar 26, 2020 · 8c71d51 · 8c71d51
1 parent a178514
commit 8c71d51
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/DNN Platform/Library/Services/Social/Messaging/MessagingController.cs b/DNN Platform/Library/Services/Social/Messaging/MessagingController.cs
@@ -32,7 +32,9 @@
 using DotNetNuke.Framework;
 using DotNetNuke.Security;
 using DotNetNuke.Entities.Users;
+using DotNetNuke.Security.Permissions;
 using DotNetNuke.Security.Roles;
+using DotNetNuke.Services.FileSystem;
 using DotNetNuke.Services.Social.Messaging.Data;
 using DotNetNuke.Services.Social.Messaging.Exceptions;
 using DotNetNuke.Services.Social.Messaging.Internal;
@@ -209,7 +211,10 @@ public virtual void SendMessage(Message message, IList<RoleInfo> roles, IList<Us
             {
                 foreach (var attachment in fileIDs.Select(fileId => new MessageAttachment { MessageAttachmentID = Null.NullInteger, FileID = fileId, MessageID = message.MessageID }))
                 {
-                    _dataService.SaveMessageAttachment(attachment, UserController.Instance.GetCurrentUserInfo().UserID);
+                    if (CanViewFile(attachment.FileID))
+                    {
+                        _dataService.SaveMessageAttachment(attachment, UserController.Instance.GetCurrentUserInfo().UserID);
+                    }
                 }
             }
 
@@ -290,5 +295,17 @@ internal virtual bool IsAdminOrHost(UserInfo userInfo)
         }
 
         #endregion
+
+        private bool CanViewFile(int fileId)
+        {
+            var file = FileManager.Instance.GetFile(fileId);
+            if (file == null)
+            {
+                return false;
+            }
+
+            var folder = FolderManager.Instance.GetFolder(file.FolderId);
+            return folder != null && FolderPermissionController.Instance.CanViewFolder(folder);
+        }
     }
 }