From 2fc8833bef771347595773b1e73fa515efb16a28 Mon Sep 17 00:00:00 2001
From: jingquan huang
Date: Thu, 2 May 2019 21:47:09 +0800
Subject: [PATCH] =?UTF-8?q?=E5=9B=BE=E5=83=8F=E4=BF=AE=E6=94=B9=E6=B7=BB?= =?UTF-8?q?=E5=8A=A0=E6=9D=83=E9=99=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/controllers/avatar_controller.rb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/app/controllers/avatar_controller.rb b/app/controllers/avatar_controller.rb
index 3c3c4db0..52971121 100644
--- a/app/controllers/avatar_controller.rb
+++ b/app/controllers/avatar_controller.rb
@@ -7,6 +7,10 @@ class AvatarController < ApplicationController
   include ApplicationHelper
 
   def upload
+    if params[:source_type] == "User" && !(User.current.admin? || User.current.id == params[:source_id].to_i)
+      render_403
+    end
+
     # Make sure that API users get used to set this content type
     # as it won't trigger Rails' automatic parsing of the request body for parameters
     unless request.content_type == 'application/octet-stream'
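Review bot: The new guard does not actually stop the action: `render_403` on the added line is not followed by a return, so unless `render_403` raises (not visible here) the remainder of `upload`, which continues past the end of the hunk, still executes for the non-owner and will then hit a second render, giving a DoubleRenderError only after the upload has already been processed. Make the guard terminal, e.g. `return render_403 if params[:source_type] == "User" && !(User.current.admin? || User.current.id == params[:source_id].to_i)`, or keep the block and put `return` immediately after `render_403`. The check also only covers `source_type == "User"`; whether other source types accepted by this endpoint need an equivalent ownership or permission check cannot be seen in this hunk and is worth confirming. If the app follows the Redmine pattern the `render_403`/`User.current` calls suggest, expressing this as a `before_action` would halt the chain on failure and keep `upload` focused on the upload itself.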