Tighten image edit privs

Bloke · Bloke · commit a8d66808f1ee · 2026-03-06T09:40:18.000Z
Thanks, lighthousekeeper1212. Fixes #2064.
diff --git a/textpattern/include/txp_image.php b/textpattern/include/txp_image.php
@@ -695,7 +695,11 @@ function image_edit($message = '', $id = '')
     if ($rs) {
         extract($rs);
 
-        if (!has_privs('image.edit') && !has_privs('image.edit.own')) {
+        $can_edit = has_privs('image.edit') || ($author === $txp_user && has_privs('image.edit.own'));
+        $can_delete = has_privs('image.delete') || ($author == $txp_user && has_privs('image.delete.own'));
+        $can_upload = $can_edit && is_dir(IMPATH) && is_writeable(IMPATH);
+
+        if (!$can_edit) {
             require_privs('image.edit');
 
             return;
@@ -750,9 +754,6 @@ function image_edit($message = '', $id = '')
 
         $imageBlock = array();
         $thumbBlock = array();
-        $can_edit = has_privs('image.edit') || ($author === $txp_user && has_privs('image.edit.own'));
-        $can_delete = has_privs('image.delete') || ($author == $txp_user && has_privs('image.delete.own'));
-        $can_upload = $can_edit && is_dir(IMPATH) && is_writeable(IMPATH);
         $imagetypes = get_safe_image_types();
         $delete = ($can_delete)
             ? form(
