SECURITY: only allow picking of avatars created by self (#6417)

* SECURITY: only allow picking of avatars created by self

Also adds origin tracking to all uploads including de-duplicated uploads

lib/guardian/user_guardian.rb

@@ -1,6 +1,23 @@
 # mixin for all Guardian methods dealing with user permissions
 module UserGuardian
 
+  def can_pick_avatar?(user_avatar, upload)
+    return false unless self.user
+
+    return true if is_admin?
+
+    # can always pick blank avatar
+    return true if !upload
+
+    return true if user_avatar.contains_upload?(upload.id)
+    return true if upload.user_id == user_avatar.user_id || upload.user_id == user.id
+
+    UserUpload.exists?(
+      upload_id: upload.id,
+      user_id: [upload.user_id, user.id]
+    )
+  end
+
   def can_edit_user?(user)
     is_me?(user) || is_staff?
   end

lib/upload_creator.rb

@@ -74,7 +74,10 @@ class UploadCreator
       end
 
       # return the previous upload if any
-      return @upload unless @upload.nil?
+      if @upload
+        UserUpload.find_or_create_by!(user_id: user_id, upload_id: @upload.id) if user_id
+        return @upload
+      end
 
       fixed_original_filename = nil
       if is_image
@@ -132,6 +135,10 @@ class UploadCreator
         Jobs.enqueue(:create_avatar_thumbnails, upload_id: @upload.id, user_id: user_id)
       end
 
+      if @upload.errors.empty?
+        UserUpload.find_or_create_by!(user_id: user_id, upload_id: @upload.id) if user_id
+      end
+
       @upload
     end
   ensure