fix: access to own user avatar

2025-01-22 10:35:37 +00:00 · 2025-01-06 13:27:37 +01:00 · 2025-01-06 13:27:37 +01:00 · 586337496f
commit 586337496f
parent d1e9214128
1 changed files with 11 additions and 4 deletions
--- a/api/src/user/guards/ability.guard.ts
+++ b/api/src/user/guards/ability.guard.ts
@ -1,5 +1,5 @@
 /*
- * Copyright © 2024 Hexastack. All rights reserved.
+ * Copyright © 2025 Hexastack. All rights reserved.
 *
 * Licensed under the GNU Affero General Public License v3.0 (AGPLv3) with the following additional terms:
 * 1. The name "Hexabot" is a trademark of Hexastack. You may not use this name in derivative works without express written permission.
@ -53,9 +53,16 @@ export class Ability implements CanActivate {

    if (user?.roles?.length) {
      if (
-        ['/auth/logout', '/logout', '/auth/me', '/channel', '/i18n'].includes(
-          _parsedUrl.pathname,
-        )
+        [
+          // Allow access to all routes available for authenticated users
+          '/auth/logout',
+          '/logout',
+          '/auth/me',
+          '/channel',
+          '/i18n',
+          // Allow access to own avatar
+          `/user/${user.id}/profile_pic`,
+        ].includes(_parsedUrl.pathname)
      ) {
        return true;
      }