From aefff423f79d68a5046ce6bc466916b36dc1924e Mon Sep 17 00:00:00 2001
From: beu
Date: Sun, 22 Jun 2025 11:45:02 +0200
Subject: [PATCH] check permission to prevent CustomEvent injection

---
 core/Maps/DirectoryBrowser.php | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/core/Maps/DirectoryBrowser.php b/core/Maps/DirectoryBrowser.php
index 15b83301..1e965ae6 100644
--- a/core/Maps/DirectoryBrowser.php
+++ b/core/Maps/DirectoryBrowser.php
@@ -483,6 +483,11 @@ class DirectoryBrowser implements ManialinkPageAnswerListener {
  * @param Player $player
  */
 public function handleAddFile(array $actionCallback, Player $player) {
+ if (!$this->maniaControl->getAuthenticationManager()->checkPermission($player, MapManager::SETTING_PERMISSION_ADD_MAP)) {
+ $this->maniaControl->getAuthenticationManager()->sendNotAllowed($player);
+ return;
+ }
+
 $actionName = $actionCallback[1][2];
 $fileName = base64_decode(substr($actionName, strlen(self::ACTION_ADD_FILE)));
 $folderPath = $player->getCache($this, self::CACHE_FOLDER_PATH);
@@ -542,6 +547,11 @@ class DirectoryBrowser implements ManialinkPageAnswerListener {
  * @param Player $player
  */
 public function handleEraseFile(array $actionCallback, Player $player) {
+ if (!$this->maniaControl->getAuthenticationManager()->checkPermission($player, MapManager::SETTING_PERMISSION_ERASE_MAP)) {
+ $this->maniaControl->getAuthenticationManager()->sendNotAllowed($player);
+ return;
+ }
+
 $actionName = $actionCallback[1][2];
 $fileName = base64_decode(substr($actionName, strlen(self::ACTION_ERASE_FILE)));
 $folderPath = $player->getCache($this, self::CACHE_FOLDER_PATH);
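Review bot: The new guard restricts who can reach handleAddFile, but the context line right after it still derives `$fileName` from the client-supplied action string with a non-strict `base64_decode` and no check on the decoded value, and that name is presumably combined with `$folderPath` further down, in the part of the body that lies outside this hunk. Unless that later code already normalises it, I would reject anything that is not a plain file name immediately after decoding: `$fileName = base64_decode(substr($actionName, strlen(self::ACTION_ADD_FILE)), true);` followed by `if ($fileName === false || $fileName !== basename($fileName) || $fileName === '.' || $fileName === '..') { return; }`. The same applies to the handleEraseFile hunk below, where the erase target is decoded the same way. As a style point, the guard calls `getAuthenticationManager()` twice; assigning `$authManager = $this->maniaControl->getAuthenticationManager();` once reads better, and since the identical block now appears in three handlers it could be a single private helper that takes the player and the permission setting and returns whether to continue.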
@@ -569,6 +579,11 @@ class DirectoryBrowser implements ManialinkPageAnswerListener {
  * @param Player $player
  */
 public function handleCreateFolder(array $actionCallback, Player $player) {
+ if (!$this->maniaControl->getAuthenticationManager()->checkPermission($player, MapManager::SETTING_PERMISSION_ADD_MAP)) {
+ $this->maniaControl->getAuthenticationManager()->sendNotAllowed($player);
+ return;
+ }
+
 $name = trim($actionCallback[1][3][0]["Value"]);
 var_dump($actionCallback);