Craft CMS Vulnerable to Unauthorized Deletion of Destination Folders During Forced Moves
We have identified an authorization issue in Craft CMS where a forced folder move can delete a conflicting destination folder without destination delete permission.
Description
Craft CMS’s craft\\controllers\\AssetsController::actionMoveFolder() supports moving an asset folder into a destination parent folder. If a folder with the same name already exists at the destination, the action can be called with force=true to overwrite the destination.
The permission checks for this action allow:
deleteAssets:for the folder being movedcreateFolders:for the destination parent foldersaveAssets:for the destination parent folder
The action does not require deleteAssets on the destination volume or destination conflict folder. When force=true and a name conflict exists, the code deletes the destination folder to resolve the conflict.
$this->requireVolumePermissionByFolder('deleteAssets', $folderToMove);
$this->requireVolumePermissionByFolder('createFolders', $destinationFolder);
$this->requireVolumePermissionByFolder('saveAssets', $destinationFolder);*src/controllers/AssetsController.php:L751-L753*
Indexed destination conflicts are deleted via the Assets service:
$assets->deleteFoldersByIds($existingFolder->id);*src/controllers/AssetsController.php:L798-L798*
Unindexed destination conflicts are deleted directly in the volume filesystem:
$targetVolume->deleteDirectory(rtrim($destinationFolder->path, '/') . '/' . $folderToMove->name);*src/controllers/AssetsController.php:L815*
Impact
A user who cannot delete assets in a destination volume can still delete a destination folder and its contents by triggering a forced move into a conflicting name. This can cause asset loss, broken references in entries and fields that point to deleted assets, and operational disruption.