From ba766195bed3cc86074d920b5fc816fa75824d2d Mon Sep 17 00:00:00 2001
From: Darin Kotter
Date: Tue, 12 Nov 2024 14:02:35 -0700
Subject: [PATCH] Only allow images that were uploaded by this user be used as avatars

---
 includes/class-simple-local-avatars.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/includes/class-simple-local-avatars.php b/includes/class-simple-local-avatars.php
index 845451a..6eb9f72 100644
--- a/includes/class-simple-local-avatars.php
+++ b/includes/class-simple-local-avatars.php
@@ -1335,6 +1335,11 @@ public function set_avatar_rest( $input, $user ) {
 return new \WP_Error( 'invalid_media_id', esc_html__( 'Media ID did not match a valid attachment.', 'simple-local-avatars' ) );
 }
 
+ // Ensure this attachment is associated with this user.
+ if ( (int) $attachment->post_author !== (int) $user->ID ) {
+ return new \WP_Error( 'invalid_media_id', esc_html__( 'This attachment was not uploaded by this user.', 'simple-local-avatars' ) );
+ }
+
 $this->assign_new_user_avatar( (int) $input['media_id'], $user->ID );
 }
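Review bot: The new ownership check at `if ( (int) $attachment->post_author !== (int) $user->ID )` ties the attachment to the target user only, so an administrator who uploads an image and then sets it as another user's avatar through this endpoint is now rejected, because the attachment's `post_author` is the admin, not `$user`. If that workflow is meant to keep working, accepting attachments owned by either the target user or the authenticated requester preserves the fix without the regression: `$uploader = (int) $attachment->post_author;` followed by `if ( $uploader !== (int) $user->ID && $uploader !== get_current_user_id() ) {` — on the assumption that the route's permission callback, which is not in this hunk, has already established that the requester may edit `$user`. A smaller point: the new message differs from the 'Media ID did not match a valid attachment.' one directly above while reusing the same `invalid_media_id` code, so a caller can tell an ID that does not exist from one that belongs to someone else; reusing the first message for both closes that oracle if it matters here. `set_avatar_rest` begins before this hunk, so whether the attachment has already been confirmed to be an image (for example via `wp_attachment_is_image()`) cannot be seen from here.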