Check if this is a private attachment

Cyperghost · Cyperghost · commit a3850e84df33 · 2025-01-31T09:47:19.000+01:00
diff --git a/wcfsetup/install/files/lib/system/endpoint/controller/core/attachments/DeleteAttachment.class.php b/wcfsetup/install/files/lib/system/endpoint/controller/core/attachments/DeleteAttachment.class.php
@@ -7,6 +7,7 @@
 use Psr\Http\Message\ServerRequestInterface;
 use wcf\data\attachment\Attachment;
 use wcf\data\attachment\AttachmentAction;
+use wcf\data\object\type\ObjectTypeCache;
 use wcf\http\Helper;
 use wcf\system\endpoint\DeleteRequest;
 use wcf\system\endpoint\IController;
@@ -41,5 +42,9 @@ private function assertAttachmentBeDeleted(Attachment $attachment): void
         if (!WCF::getSession()->getPermission("admin.attachment.canManageAttachment") || !$attachment->canDelete()) {
             throw new PermissionDeniedException();
         }
+
+        if (ObjectTypeCache::getInstance()->getObjectType($attachment->objectTypeID)->private) {
+            throw new PermissionDeniedException();
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@`
`7`	`7`	`use Psr\Http\Message\ServerRequestInterface;`
`8`	`8`	`use wcf\data\attachment\Attachment;`
`9`	`9`	`use wcf\data\attachment\AttachmentAction;`
	`10`	`+use wcf\data\object\type\ObjectTypeCache;`
`10`	`11`	`use wcf\http\Helper;`
`11`	`12`	`use wcf\system\endpoint\DeleteRequest;`
`12`	`13`	`use wcf\system\endpoint\IController;`
`@@ -41,5 +42,9 @@ private function assertAttachmentBeDeleted(Attachment $attachment): void`
`41`	`42`	`if (!WCF::getSession()->getPermission("admin.attachment.canManageAttachment") \|\| !$attachment->canDelete()) {`
`42`	`43`	`throw new PermissionDeniedException();`
`43`	`44`	`}`
	`45`	`+`
	`46`	`+ if (ObjectTypeCache::getInstance()->getObjectType($attachment->objectTypeID)->private) {`
	`47`	`+ throw new PermissionDeniedException();`
	`48`	`+ }`
`44`	`49`	`}`
`45`	`50`	`}`