From 6860c0a3ff2352ee4c906c0be615f21495e5b304 Mon Sep 17 00:00:00 2001
From: Matt Baer
Date: Thu, 9 Jan 2020 12:08:06 -0500
Subject: [PATCH] Fix collection logic on import

- Only retrieve a collection from database if an alias is submitted
- Only call GetCollection() once (previously, it was inside the loop)
- Return error if user doesn't own the collection
Ref T609
---
 account_import.go | 30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/account_import.go b/account_import.go
index 87882c6..6a8d807 100644
--- a/account_import.go
+++ b/account_import.go
@@ -56,6 +56,27 @@ func viewImport(app *App, u *User, w http.ResponseWriter, r *http.Request) error
 func handleImport(app *App, u *User, w http.ResponseWriter, r *http.Request) error {
 // limit 10MB per submission
 r.ParseMultipartForm(10 << 20)
+
+ collAlias := r.PostFormValue("collection")
+ coll := &Collection{
+ ID: 0,
+ }
+ var err error
+ if collAlias != "" {
+ coll, err = app.db.GetCollection(collAlias)
+ if err != nil {
+ log.Error("Unable to get collection for import: %s", err)
+ return err
+ }
+ // Only allow uploading to collection if current user is owner
+ if coll.OwnerID != u.ID {
+ err := ErrUnauthorizedGeneral
+ _ = addSessionFlash(app, w, r, err.Message, nil)
+ return err
+ }
+ coll.hostName = app.cfg.App.Host
+ }
+
 files := r.MultipartForm.File["files"]
 var fileErrs []error
 filesSubmitted := len(files)
@@ -105,14 +126,9 @@ func handleImport(app *App, u *User, w http.ResponseWriter, r *http.Request) err
 continue
 }
- post.Collection = r.PostFormValue("collection")
- coll, _ := app.db.GetCollection(post.Collection)
- if coll == nil {
- coll = &Collection{
- ID: 0,
- }
+ if collAlias != "" {
+ post.Collection = collAlias
 }
- coll.hostName = app.cfg.App.Host
 created := post.Created.Format("2006-01-02T15:04:05Z")
 submittedPost := SubmittedPost{
 Title: &post.Title,
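Review bot: The two rejection paths in the new `if collAlias != ""` block are handled inconsistently: a failed `GetCollection` is logged at error level and its raw `err` is returned with no flash, while a non-owner gets `ErrUnauthorizedGeneral` plus a flash. If a nonexistent alias surfaces as an error here (GetCollection is not shown, so this is inferred), a mistyped form value produces error-level log entries and a response that differs from the not-owner case; consider mapping not-found to the same user-facing error and keeping `log.Error` for real database failures. The inner `err := ErrUnauthorizedGeneral` also shadows the `err` declared just above it; `_ = addSessionFlash(app, w, r, ErrUnauthorizedGeneral.Message, nil)` followed by `return ErrUnauthorizedGeneral` avoids the second variable. Separately, the context line `r.ParseMultipartForm(10 << 20)` still discards its error, so `r.MultipartForm.File["files"]` just below the new block can dereference a nil form on a non-multipart request. handleImport's body continues outside the hunk.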
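Review bot: Removing `coll.hostName = app.cfg.App.Host` from the loop means the placeholder `&Collection{ID: 0}` used for an import without an alias no longer gets a host name, because the only remaining assignment sits inside the earlier `if collAlias != ""` block. The old code set it on every iteration, including for the placeholder, so any code later in the loop that reads `coll.hostName` (not visible in this hunk) would now see an empty string. If the placeholder really never needs it, a short comment next to the placeholder saying so would help; otherwise move the assignment after the `if collAlias != ""` block so both cases are covered. The loop body and the rest of handleImport continue outside the hunk.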