Merge branch '4.x-advisories' into 4.x

Author: brandonkelly

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Release Notes for Craft CMS 4
 
+## Unreleased
+
+- Fixed [high-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) authorization bypass vulnerabilities. (GHSA-3w32-23wj-rxg3, GHSA-qh45-9g5p-m2v4)
+
 ## 4.17.13.1 - 2026-04-14
 
 - Fixed an issue that prevented Craft from being installed. ([#18700](https://github.com/craftcms/cms/issues/18700))

src/controllers/AssetsController.php

@@ -422,8 +422,14 @@ public function actionReplaceFile(): Response
             throw new NotFoundHttpException('Asset not found.');
         }
 
-        $this->requireVolumePermissionByAsset('replaceFiles', $assetToReplace ?: $sourceAsset);
-        $this->requirePeerVolumePermissionByAsset('replacePeerFiles', $assetToReplace ?: $sourceAsset);
+        if ($assetToReplace) {
+            $this->requireVolumePermissionByAsset('replaceFiles', $assetToReplace);
+            $this->requirePeerVolumePermissionByAsset('replacePeerFiles', $assetToReplace);
+        }
+        if ($sourceAsset) {
+            $this->requireVolumePermissionByAsset('replaceFiles', $sourceAsset);
+            $this->requirePeerVolumePermissionByAsset('replacePeerFiles', $sourceAsset);
+        }
 
         // Handle the Element Action
         if ($assetToReplace !== null && $uploadedFile) {
@@ -740,11 +746,17 @@ public function actionMoveFolder(): Response
             throw new BadRequestHttpException('The destination folder does not exist');
         }
 
-        // Check if it's possible to delete objects in the source volume, create folders
-        // in the target volume, and save assets in the target volume.
-        $this->requireVolumePermissionByFolder('deleteAssets', $folderToMove);
-        $this->requireVolumePermissionByFolder('createFolders', $destinationFolder);
+        // Make sure the user has permission to move the source folder
+        // (same permissions checked for `data-movable`)
+        $this->requireVolumePermissionByFolder('savePeerAssets', $folderToMove);
+        $this->requireVolumePermissionByFolder('deletePeerAssets', $folderToMove);
+
+        // Make sure the user has permission to move folders into the target folder
+        // (same permissions checked for `data-can-move-to`)
         $this->requireVolumePermissionByFolder('saveAssets', $destinationFolder);
+        $this->requireVolumePermissionByFolder('deleteAssets', $destinationFolder);
+        $this->requireVolumePermissionByFolder('savePeerAssets', $destinationFolder);
+        $this->requireVolumePermissionByFolder('deletePeerAssets', $destinationFolder);
 
         $targetVolume = $destinationFolder->getVolume();
 

src/elements/Asset.php

@@ -903,9 +903,9 @@ private static function _assembleSourceInfoForFolder(VolumeFolder $folder, ?User
 
         $userSession = Craft::$app->getUser();
         $canUpload = $userSession->checkPermission("saveAssets:$volume->uid");
-        $canMoveTo = $canUpload && $userSession->checkPermission("deleteAssets:$volume->uid");
-        $canMovePeerFilesTo = (
-            $canMoveTo &&
+        $canMoveTo = (
+            $canUpload &&
+            $userSession->checkPermission("deleteAssets:$volume->uid") &&
             $userSession->checkPermission("savePeerAssets:$volume->uid") &&
             $userSession->checkPermission("deletePeerAssets:$volume->uid")
         );
@@ -924,7 +924,6 @@ private static function _assembleSourceInfoForFolder(VolumeFolder $folder, ?User
                 'folder-id' => $folder->id,
                 'can-upload' => $folder->volumeId === null || $canUpload,
                 'can-move-to' => $canMoveTo,
-                'can-move-peer-files-to' => $canMovePeerFilesTo,
                 'fs-type' => $fs::class,
             ],
         ];

src/web/assets/cp/dist/cp.js

@@ -58,7 +58,7 @@ Craft.AssetIndex = Craft.BaseElementIndex.extend(
                 .filter(
                   (source) =>
                     Garnish.hasAttr(source, 'data-folder-id') &&
-                    Garnish.hasAttr(source, 'data-can-move-peer-files-to')
+                    Garnish.hasAttr(source, 'data-can-move-to')
                 )
             );
             if (this.sourcePath.length <= 1) {
@@ -764,10 +764,7 @@ Craft.AssetIndex = Craft.BaseElementIndex.extend(
             },
           });
 
-          if (
-            currentFolder.canMove &&
-            this.getMoveTargetSourceKeys(true).length
-          ) {
+          if (currentFolder.canMove && this.getMoveTargetSourceKeys().length) {
             actions.push({
               label: Craft.t('app', 'Move folder'),
               onSelect: () => {
@@ -895,18 +892,15 @@ Craft.AssetIndex = Craft.BaseElementIndex.extend(
         });
     },
 
-    getMoveTargetSourceKeys: function (peerFiles) {
-      const attr = peerFiles
-        ? 'data-can-move-peer-files-to'
-        : 'data-can-move-to';
+    getMoveTargetSourceKeys: function () {
       return this.$sources
         .toArray()
         .filter((source) => {
           const volumeHandle = $(source).data('volume-handle');
           return (
             volumeHandle &&
             volumeHandle !== 'temp' &&
-            Garnish.hasAttr(source, attr)
+            Garnish.hasAttr(source, 'data-can-to')
           );
         })
         .map((source) => $(source).data('key'));
@@ -922,7 +916,7 @@ Craft.AssetIndex = Craft.BaseElementIndex.extend(
       }
 
       new Craft.VolumeFolderSelectorModal({
-        sources: this.getMoveTargetSourceKeys(true),
+        sources: this.getMoveTargetSourceKeys(),
         showTitle: true,
         modalTitle: Craft.t('app', 'Move to'),
         selectBtnLabel: Craft.t('app', 'Move'),