From 7413b5b90876eaf88362386770ce29c71106623c Mon Sep 17 00:00:00 2001
From: JasonOA888
Date: Wed, 6 May 2026 02:42:59 +0800
Subject: [PATCH] Add authorization check to attachments upload endpoint
The /api/attachments endpoint was missing any authorization check, allowing file uploads to any submitter if the slug is known. This adds the same Submitters::AuthorizedForForm check used by other form endpoints.
---
 app/controllers/api/attachments_controller.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/app/controllers/api/attachments_controller.rb b/app/controllers/api/attachments_controller.rb
index c81aa0f9..cfab8eaa 100644
--- a/app/controllers/api/attachments_controller.rb
+++ b/app/controllers/api/attachments_controller.rb
@@ -10,7 +10,7 @@ module Api
 def create
 submitter = Submitter.find_by!(slug: params[:submitter_slug])
- unless can_upload?(submitter)
+ unless can_upload?(submitter) && authorized_for_form?(submitter)
 Rollbar.error("Can't upload: #{submitter.id}") if defined?(Rollbar)
 return render json: { error: I18n.t('form_has_been_archived') }, status: :unprocessable_content
@@ -46,6 +46,12 @@ module Api
 render json: { error: e.message }, status: :unprocessable_content
 end
+ private
+
+ def authorized_for_form?(submitter)
+ Submitters::AuthorizedForForm.call(submitter, nil, request)
+ end
+
 def can_upload?(submitter)
 !submitter.declined_at? && !submitter.completed_at? &&
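Review bot: Folding `authorized_for_form?(submitter)` into the same `unless` as `can_upload?(submitter)` makes an authorization failure indistinguishable from an archived or completed form: the caller gets 422 with `form_has_been_archived`, and the only log line is the generic `Can't upload: #{submitter.id}` Rollbar error, so a rejected unauthorized upload cannot be told apart from a legitimate late upload when reviewing logs. I would evaluate authorization first with its own exit and leave the archived branch as it was, e.g. `return head :forbidden unless authorized_for_form?(submitter)` directly after the `find_by!`, followed by the original `unless can_upload?(submitter)`; the exact status and body should match whatever the other endpoints using `Submitters::AuthorizedForForm` return on failure, which is not visible here. Checking authorization before the state checks also keeps the authorization decision from depending on short-circuit order if the condition is edited later. `create`'s body continues past the end of this hunk.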