From d68b68fb709df89ce367b31f16f18e53696e764e Mon Sep 17 00:00:00 2001
From: Eric Schultz
Date: Wed, 6 Jan 2021 16:08:46 -0600
Subject: [PATCH] DirectUploadsController only accepts confirmed users

---
 .../concerns/controllers/user/authorization.rb | 10 +++++++---
 app/controllers/direct_uploads_controller.rb | 10 +++++++---
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/app/controllers/concerns/controllers/user/authorization.rb b/app/controllers/concerns/controllers/user/authorization.rb
index 8f689105..326066df 100644
--- a/app/controllers/concerns/controllers/user/authorization.rb
+++ b/app/controllers/concerns/controllers/user/authorization.rb
@@ -39,11 +39,15 @@ module Controllers::User::Authorization
     QueryRoles.user_has_role?(current_user.id, role_names, host_id)
   end
 
-  def authenticate_confirmed_user!
+  def authenticate_confirmed_user!(msg=nil, type= :html)
     if !current_user
-      reject_with_sign_in
+      reject_with_sign_in(msg, type)
     elsif !current_user.confirmed? && !current_role?(%i[super_associate super_admin])
-      redirect_to new_user_confirmation_path, flash: { error: 'You need to confirm your account to do that.' }
+      if type == :html
+        redirect_to new_user_confirmation_path, flash: { error: 'You need to confirm your account to do that.' }
+      else
+        render json: {message:msg}, status: :unauthorized
+      end
     end
   end
diff --git a/app/controllers/direct_uploads_controller.rb b/app/controllers/direct_uploads_controller.rb
index 412a50af..a3e3cd8e 100644
--- a/app/controllers/direct_uploads_controller.rb
+++ b/app/controllers/direct_uploads_controller.rb
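Review bot: The JSON branch added under `elsif !current_user.confirmed?` answers an authenticated-but-unconfirmed user with `status: :unauthorized`, which is presumably the same 401 a signed-out JSON client gets from `reject_with_sign_in`, so an API caller cannot tell "sign in" from "confirm your account"; `status: :forbidden` would mirror the HTML branch, which already knows who the user is and only sends them to confirmation. `msg` also defaults to `nil`, so a call such as `authenticate_confirmed_user!(nil, :json)` renders `{"message":null}`; the branch could fall back to the confirmation text: `render json: { message: msg || 'You need to confirm your account to do that.' }, status: :forbidden`. Whether `reject_with_sign_in` accepts the two new arguments cannot be confirmed from this hunk, since its definition lies outside it. As a point of style, the positional `(msg=nil, type= :html)` signature would read more clearly as keyword arguments (`msg: nil, type: :html`), which the call site in direct_uploads_controller.rb could then spell out.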
@@ -1,10 +1,14 @@
 # frozen_string_literal: true
-#
+# License: AGPL-3.0-or-later WITH WTO-AP-3.0-or-later
+# Full license explanation at https://github.com/houdiniproject/houdini/blob/master/LICENSE
 class DirectUploadsController < ActiveStorage::DirectUploadsController
   include Controllers::Nonprofit::Authorization
   skip_before_action :verify_authenticity_token, only: [:create]
-  before_action do
-    authenticate_user!("You must be logged in to use this", :json)
+  before_action :authenticate_user_with_json!
+
+private
+  def authenticate_confirmed_user_with_json!
+    authenticate_confirmed_user!("You must be logged in to use this", :json)
   end
 end
\ No newline at end of file
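Review bot: `before_action :authenticate_user_with_json!` names a method this hunk never defines; the private helper added just below it is `authenticate_confirmed_user_with_json!`. If no `authenticate_user_with_json!` exists in the included concern, every request to this controller fails with NoMethodError; if one does exist, the filter still takes the unconfirmed-user path the commit subject says it closes, because the confirmed check lives only in the helper that nothing calls. The fix is the one line `before_action :authenticate_confirmed_user_with_json!`, and a request spec that posts an upload as an unconfirmed user and expects a non-2xx JSON response would keep the two names from drifting apart again. Minor style: `private` sits at column 0 inside an indented class body, and the file now ends without a trailing newline.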