From cea35dc5d2a46bb7bbbc5e91f96fe0aa633b13e4 Mon Sep 17 00:00:00 2001
From: Roardom
Date: Sat, 7 Oct 2023 06:03:44 +0000
Subject: [PATCH] fix: validate user permissions when uploading torrents via api
---
 app/Http/Controllers/API/TorrentController.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/app/Http/Controllers/API/TorrentController.php b/app/Http/Controllers/API/TorrentController.php
index aa128cb1c..de1f307cb 100644
--- a/app/Http/Controllers/API/TorrentController.php
+++ b/app/Http/Controllers/API/TorrentController.php
@@ -101,6 +101,9 @@ class TorrentController extends BaseController
 public function store(Request $request): \Illuminate\Http\JsonResponse
 {
 $user = $request->user();
+
+ abort_unless($user->can_upload, 403);
+
 $requestFile = $request->file('torrent');
 if (! $request->hasFile('torrent')) {
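Review bot: The new `abort_unless($user->can_upload, 403);` in `store()` is an inline copy of an authorization rule, and the diffstat shows one changed file, so nothing in this patch pins the behaviour with a test. Since the commit title implies the API path had drifted from the permission check applied elsewhere, a feature test asserting that a user whose `can_upload` is false receives 403 from this endpoint would keep it from regressing, and moving the rule into a shared policy or middleware would give web and API uploads one source of truth. The guard also dereferences `$user` directly; if this route can ever be reached without an authenticated user (the route middleware is not visible here), `$request->user()` returns null and the failure would likely surface as a 500, which `abort_unless($user?->can_upload, 403);` would avoid. The body of `store()` continues outside the hunk.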