From 7057c5819e87c68fcd1e30745918f50d36e61a3a Mon Sep 17 00:00:00 2001
From: Yuriy Bakhtin
Date: Mon, 17 Nov 2025 17:00:53 +0300
Subject: [PATCH 1/3] Update download and upload actions
---
 controllers/EditController.php | 18 +++++++++---------
 controllers/ZipController.php | 6 ++++++
 docs/CHANGELOG.md | 4 ++++
 module.json | 2 +-
 4 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/controllers/EditController.php b/controllers/EditController.php
index 826e4158..299cc623 100644
--- a/controllers/EditController.php
+++ b/controllers/EditController.php
@@ -34,24 +34,24 @@ public function actionFolder($id = null)
 {
 $folder = FileSystemItem::getItemById($id);

- if ($folder && !$folder->content->canEdit()) {
- throw new HttpException(403);
- }
-
- if ($folder && $folder->content->container->id !== $this->contentContainer->id) {
- throw new HttpException(404);
- }
-
 $post = Yii::$app->request->post();

 // create new folder if no folder was found or folder is not editable.
- if (!$folder || !($folder instanceof Folder) || !$folder->isEditableFolder()) {
+ if (!($folder instanceof Folder) || !$folder->isEditableFolder()) {
 $this->getCurrentFolder()->resolveConflictsBeforeCreate($post['Folder']['title'] ?? null);
 $folder = $this->getCurrentFolder()->newFolder();
 $folder->content->container = $this->contentContainer;
 $folder->hidden = $this->module->getContentHiddenDefault($this->contentContainer);
 }

+ if (!($folder instanceof Folder) || $folder->content->container->id !== $this->contentContainer->id) {
+ throw new HttpException(404);
+ }
+
+ if (!$folder->content->canEdit()) {
+ throw new HttpException(403);
+ }
+
 if ($folder->load($post) && $folder->save()) {
 $this->view->saved();
 return $this->htmlRedirect($folder->createUrl('/cfiles/browse/index'));
diff --git a/controllers/ZipController.php b/controllers/ZipController.php
index a6c811cf..d7a64a06 100644
--- a/controllers/ZipController.php
+++ b/controllers/ZipController.php
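Review bot: In the controllers/EditController.php hunk the create branch of actionFolder() now does its work before any authorisation: `resolveConflictsBeforeCreate($post['Folder']['title'] ?? null)` and `newFolder()` run on the current folder with a request-supplied title, and the 404 and 403 checks only follow. The helper's body is not in the hunk, so if it renames or otherwise changes stored items, a caller who is then refused with 403 has already triggered that. I would test write access on the container before the branch, e.g. `if (!$this->contentContainer->permissionManager->can(WriteAccess::class)) { throw new HttpException(403); }` (the same call canEdit() makes in models/FileSystemItem.php), or confirm that this controller's access rules already require it. The body of actionFolder() continues past the end of the hunk.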
@@ -11,7 +11,9 @@
 use humhub\modules\cfiles\actions\UploadZipAction;
 use humhub\modules\cfiles\libs\ZIPCreator;
 use humhub\modules\cfiles\models\FileSystemItem;
+use humhub\modules\cfiles\permissions\WriteAccess;
 use Yii;
+use yii\web\BadRequestHttpException;

 /**
 * ZipController
@@ -27,6 +29,7 @@ protected function getAccessRules()
 {
 return [
 ['checkZipSupport'],
+ ['permission' => [WriteAccess::class], 'actions' => ['upload']],
 ];
 }

@@ -69,6 +72,9 @@ public function actionDownload()
 }
 // Otherwise fallback to current folder when no items are selected
 if ($items === []) {
+ if (!Yii::$app->request->get('fid')) {
+ throw new BadRequestHttpException('Wrong request without folder id!');
+ }
 $items[] = $this->getCurrentFolder();
 }

diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 54197e17..04a6cb4d 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -1,6 +1,10 @@
 Changelog
 =========

+0.16.11 - Unreleased
+-------------------------
+- Enh #264: Update download and upload actions
+
 0.16.10 - August 1, 2025
 -------------------------
 Warning: This release contains two [security fixes](https://github.com/humhub/cfiles/security/advisories), and an update is strongly recommended.
diff --git a/module.json b/module.json
index fff42090..15a34f8d 100644
--- a/module.json
+++ b/module.json
@@ -9,7 +9,7 @@
 "organisation",
 "sharing"
 ],
- "version": "0.16.10",
+ "version": "0.16.11",
 "humhub": {
 "minVersion": "1.14"
 },

From 121777b816ff37b3dbac1eff9455a7ee14d39c67 Mon Sep 17 00:00:00 2001
From: Yuriy Bakhtin
Date: Tue, 18 Nov 2025 09:05:43 +0300
Subject: [PATCH 2/3] Update download and upload actions
---
 models/FileSystemItem.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/models/FileSystemItem.php b/models/FileSystemItem.php
index 828f9123..f2db4cc2 100644
--- a/models/FileSystemItem.php
+++ b/models/FileSystemItem.php
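Review bot: `use yii\web\BadRequestHttpException;`, added in the import hunk of controllers/ZipController.php, is left without a visible use once patch 3/3 removes the `throw new BadRequestHttpException(...)` from actionDownload(). Unless the class is referenced elsewhere in the file, the import should be dropped in the same series.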
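Review bot: The rule added in getAccessRules() guards only `upload`, so in this controller `download` is still covered by nothing but `checkZipSupport`. After patch 3/3 an empty selection falls back to `getCurrentFolder()` again, so read authorisation for the archived items has to come from code outside this hunk (presumably the base controller or the item models); that is worth confirming with a test in which a user without read access requests the archive. The rule also depends on the action id being exactly `upload`, which is registered outside the hunk. Once the download side is verified I would add a comment above the rule such as `// upload changes container content and needs WriteAccess; download is authorised per item`.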
@@ -334,11 +334,11 @@ public function canEdit(): bool
 return true;
 }

- if (Yii::$app->user->isGuest || $this->isNewRecord) {
+ if (Yii::$app->user->isGuest) {
 return false;
 }

- return $this->content->created_by === Yii::$app->user->id &&
+ return ($this->isNewRecord || $this->content->created_by === Yii::$app->user->id) &&
 $this->content->container->permissionManager->can(WriteAccess::class);
 }

From 1c3fabf4a688b78a2685647bebf32d42c1ef9b93 Mon Sep 17 00:00:00 2001
From: Yuriy Bakhtin
Date: Fri, 21 Nov 2025 09:56:46 +0300
Subject: [PATCH 3/3] Revert restriction of downloading a root folder
---
 controllers/ZipController.php | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/controllers/ZipController.php b/controllers/ZipController.php
index d7a64a06..4bad5989 100644
--- a/controllers/ZipController.php
+++ b/controllers/ZipController.php
@@ -72,9 +72,6 @@ public function actionDownload()
 }
 // Otherwise fallback to current folder when no items are selected
 if ($items === []) {
- if (!Yii::$app->request->get('fid')) {
- throw new BadRequestHttpException('Wrong request without folder id!');
- }
 $items[] = $this->getCurrentFolder();
 }
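Review bot: In the models/FileSystemItem.php hunk, an unsaved item now reaches `$this->content->container->permissionManager->can(WriteAccess::class)` because of the added `$this->isNewRecord ||`, and nothing in the hunk guarantees that `content->container` is set by then. EditController::actionFolder() in patch 1/3 assigns the container right after newFolder(), but if the relation can be null, any other caller asking canEdit() on a fresh record would fail with an error instead of getting `false`. I would guard it with `$container = $this->content->container;` and `return $container !== null && ($this->isNewRecord || $this->content->created_by === Yii::$app->user->id) && $container->permissionManager->can(WriteAccess::class);`. The method's docblock should also state that a new record is editable by any logged-in user with WriteAccess on the container. canEdit() starts before the hunk, so the earlier `return true` branch is not reviewed here.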