Commit b7922b7b authored by pwolanin's avatar pwolanin

Fix for SA-CONTRIB-2016-008 by pwolanin, reviewed by quicksketch and drewish

parent 0ce48b4c
......@@ -338,7 +338,8 @@ function filefield_widget_process($element, $edit, &$form_state, $form) {
// does a reference check in addition to our basic status check.
if (isset($edit['fid'])) {
$removed_file = field_file_load($edit['fid']);
if ($removed_file['status'] == 0) {
// Users are only allowed to remove their own files.
if ($removed_file['status'] == 0 && $GLOBALS['user']->uid == $removed_file['uid']) {
field_file_delete($removed_file);
}
}
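Review bot: The ownership test in the new `if` compares uids with loose `==`, so it cannot tell one anonymous visitor from another: every anonymous request has uid 0, and a temporary file uploaded anonymously would presumably be stored with uid 0 as well. If anonymous uploads are possible for this widget, the condition should also require an authenticated owner, or bind the file to the uploader's session, for example `if ($removed_file['status'] == 0 && $GLOBALS['user']->uid && $GLOBALS['user']->uid == $removed_file['uid']) {`. The same loose comparison also passes when `field_file_load()` hands back a record with no `status` or `uid` key (null == 0), so a `!empty($removed_file['fid'])` guard before `field_file_delete()` is worth adding; what the loader returns for an unknown fid is not visible here. The body of filefield_widget_process starts before this hunk and continues after it.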
......