From 586337496faf9828e571c7c163f0d8e2f1c14ea1 Mon Sep 17 00:00:00 2001
From: Mohamed Marrouchi
Date: Mon, 6 Jan 2025 13:27:37 +0100
Subject: [PATCH] fix: access to own user avatar

---
 api/src/user/guards/ability.guard.ts | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/api/src/user/guards/ability.guard.ts b/api/src/user/guards/ability.guard.ts
index 60e5dc13..095ed904 100644
--- a/api/src/user/guards/ability.guard.ts
+++ b/api/src/user/guards/ability.guard.ts
@@ -1,5 +1,5 @@
 /*
- * Copyright © 2024 Hexastack. All rights reserved.
+ * Copyright © 2025 Hexastack. All rights reserved.
 *
 * Licensed under the GNU Affero General Public License v3.0 (AGPLv3) with the following additional terms:
 * 1. The name "Hexabot" is a trademark of Hexastack. You may not use this name in derivative works without express written permission.
@@ -53,9 +53,16 @@ export class Ability implements CanActivate {
 
 if (user?.roles?.length) {
 if (
- ['/auth/logout', '/logout', '/auth/me', '/channel', '/i18n'].includes(
- _parsedUrl.pathname,
- )
+ [
+ // Allow access to all routes available for authenticated users
+ '/auth/logout',
+ '/logout',
+ '/auth/me',
+ '/channel',
+ '/i18n',
+ // Allow access to own avatar
+ `/user/${user.id}/profile_pic`,
+ ].includes(_parsedUrl.pathname)
 ) {
 return true;
 }
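Review bot: The new `/user/${user.id}/profile_pic` entry in the second hunk is matched on pathname alone, so the early `return true` applies to every HTTP method on that path, not only to reading the avatar. If a write or delete route exists under the same path, or is added later, it would skip the role and permission evaluation that presumably follows this block; neither is visible in the hunk. Consider scoping the exemption to reads with a separate condition such as ``method === 'GET' && _parsedUrl.pathname === `/user/${user.id}/profile_pic` ``, assuming the request method is available in this guard. The exact-string comparison fails closed on trailing slashes or a route prefix, which is the safe direction. The enclosing method starts and ends outside the hunk.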