From 5214d484866cf92357652a39ba85a9cf05cae233 Mon Sep 17 00:00:00 2001
From: Yang Luo
Date: Fri, 12 May 2023 01:00:06 +0800
Subject: [PATCH] Fix authorized issue of UploadResource() API
---
 controllers/resource.go | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/controllers/resource.go b/controllers/resource.go
index a53e6eac..1c7389a6 100644
--- a/controllers/resource.go
+++ b/controllers/resource.go
@@ -236,6 +236,17 @@ func (c *ApiController) UploadResource() {
 user.Avatar = fileUrl
 object.UpdateUser(user.GetId(), user, []string{"avatar"}, false)
 case "termsOfUse":
+ user := object.GetUserNoCheck(util.GetId(owner, username))
+ if user == nil {
+ c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), util.GetId(owner, username)))
+ return
+ }
+
+ if !user.IsAdminUser() {
+ c.ResponseError(c.T("auth:Unauthorized operation"))
+ return
+ }
+
 _, applicationId := util.GetOwnerAndNameFromIdNoCheck(strings.TrimRight(fullFilePath, ".html"))
 applicationObj := object.GetApplication(applicationId)
 applicationObj.TermsOfUse = fileUrl
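Review bot: The new admin check in the `termsOfUse` case is applied to the user looked up from `owner` and `username`, and nothing in the hunk shows that these are the authenticated caller's identity. They are assigned outside the hunk; if they come from request parameters, `IsAdminUser()` is evaluated on a caller-chosen account rather than on the caller, so the lookup should be bound to the session, e.g. `user := object.GetUserNoCheck(c.GetSessionUsername())`. The check also does not tie the admin to the organization of the application derived from `fullFilePath`, so an admin of one organization may be able to overwrite another organization's terms unless a filter elsewhere prevents it. In the context lines that follow, `applicationObj` is dereferenced without a nil check, and `strings.TrimRight(fullFilePath, ".html")` trims a character set rather than the suffix (`strings.TrimSuffix` looks like the intended call). UploadResource's body starts and ends outside the hunk.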