feat: added cross course security check when batch deleting files

Ishfaq-code · Ishfaq-code · commit bb60cac13a22 · 2026-03-09T14:35:07.000-04:00
diff --git a/assets/js/Services/Api.js b/assets/js/Services/Api.js
@@ -12,7 +12,7 @@ export default class Api {
             reviewFile: '/api/files/{file}/review',
             postFile: '/api/files/{file}/post',
             deleteFile: '/api/files/{file}/delete',
-            batchDelete: 'api/files/delete',
+            batchDelete: '/api/{course}/files/delete',
             updateContent: '/api/{file}/content',
             reportPdf: '/download/courses/{course}/reports/pdf',
             adminCourses: '/api/admin/courses/account/{account}/term/{term}',
@@ -187,6 +187,7 @@ export default class Api {
     batchDelete(urlList) {
         const authToken = this.getAuthToken()
         let url = `${this.apiUrl}${this.endpoints.batchDelete}`
+        url = url.replace('{course}', this.getCourseId())
 
         return fetch(url, {
             method: 'DELETE',
diff --git a/src/Controller/FileItemsController.php b/src/Controller/FileItemsController.php
@@ -4,6 +4,7 @@
 
 use App\Entity\FileItem;
 use App\Entity\ContentItem;
+use App\Entity\Course;
 use App\Response\ApiResponse;
 use App\Services\LmsPostService;
 use App\Services\LmsFetchService;
@@ -200,11 +201,15 @@ public function deleteFile(SessionService $sessionService, FileItem $file, Utili
         return new JsonResponse($apiResponse);
     }
 
-    #[Route('/api/files/delete', methods: ['DELETE'], name: 'delete_files')]
-    public function batchDeleteFiles(Request $request, UtilityService $util, LmsPostService $lmsPost, LmsFetchService $lmsFetch){
+    #[Route('/api/{course}/files/delete', methods: ['DELETE'], name: 'delete_files')]
+    public function batchDeleteFiles(SessionService $sessionService, Course $course, Request $request, UtilityService $util, LmsPostService $lmsPost, LmsFetchService $lmsFetch){
         $apiResponse = new ApiResponse();
         $user = $this->getUser();
         try{
+            if (!$this->userHasCourseAccess($course, $sessionService)) {
+                throw new \Exception("You do not have permission to access this issue.");
+            }
+
             $content= \json_decode($request->getContent(), true);
             $paths = $content['paths'];
             $apiResponse = $lmsPost->batchDeleteFromLms($paths, $user);
