Revert "SECURITY: User could non-avatar uploads."

Revert "SECURITY: User could non-avatar uploads."

This reverts commit 89581fa301f8a649a4b94ccf25c4dce6423bc0f8.

diff --git a/lib/guardian/user_guardian.rb b/lib/guardian/user_guardian.rb
index 6751159..e6393e1 100644
--- a/lib/guardian/user_guardian.rb
+++ b/lib/guardian/user_guardian.rb
@@ -3,13 +3,19 @@ module UserGuardian
 
   def can_pick_avatar?(user_avatar, upload)
     return false unless self.user
+
     return true if is_admin?
+
     # can always pick blank avatar
     return true if !upload
+
     return true if user_avatar.contains_upload?(upload.id)
     return true if upload.user_id == user_avatar.user_id || upload.user_id == user.id
 
-    UserUpload.exists?(upload_id: upload.id, user_id: user.id)
+    UserUpload.exists?(
+      upload_id: upload.id,
+      user_id: [upload.user_id, user.id]
+    )
   end
 
   def can_edit_user?(user)
diff --git a/spec/components/guardian/user_guardian_spec.rb b/spec/components/guardian/user_guardian_spec.rb
index 41660a1..e599760 100644
--- a/spec/components/guardian/user_guardian_spec.rb
+++ b/spec/components/guardian/user_guardian_spec.rb
@@ -14,8 +14,8 @@ describe UserGuardian do
     Fabricate.build(:admin, id: 3)
   end
 
-  let(:user_avatar) do
-    Fabricate(:user_avatar, user: user)
+  let :user_avatar do
+    UserAvatar.new(user_id: user.id)
   end
 
   let :users_upload do
@@ -54,24 +54,19 @@ describe UserGuardian do
       it "can not set uploads not owned by current user" do
         expect(guardian.can_pick_avatar?(user_avatar, users_upload)).to eq(true)
         expect(guardian.can_pick_avatar?(user_avatar, already_uploaded)).to eq(true)
-
-        UserUpload.create!(
-          upload_id: not_my_upload.id,
-          user_id: not_my_upload.user_id
-        )
-
         expect(guardian.can_pick_avatar?(user_avatar, not_my_upload)).to eq(false)
         expect(guardian.can_pick_avatar?(user_avatar, nil)).to eq(true)
       end
 
       it "can handle uploads that are associated but not directly owned" do
-        UserUpload.create!(
-          upload_id: not_my_upload.id,
-          user_id: user_avatar.user_id
-        )
+        yes_my_upload = not_my_upload
+        UserUpload.create!(upload_id: yes_my_upload.id, user_id: user_avatar.user_id)
+        expect(guardian.can_pick_avatar?(user_avatar, yes_my_upload)).to eq(true)
+
+        UserUpload.destroy_all
 
-        expect(guardian.can_pick_avatar?(user_avatar, not_my_upload))
-          .to eq(true)
+        UserUpload.create!(upload_id: yes_my_upload.id, user_id: yes_my_upload.user_id)
+        expect(guardian.can_pick_avatar?(user_avatar, yes_my_upload)).to eq(true)
       end
     end

GitHub
sha: 899caf35

This commit has been mentioned on Discourse Meta. There might be relevant details there:

https://meta.discourse.org/t/what-is-the-status-of-this-potential-security-related-commit/104777/1