www_editSave needs permission checks to prevent extra assets from being added by unprivileged users. Partial fix for #12068.

docs/changelog/7.x.x.txt

@@ -8,6 +8,7 @@
  - fixed #12061: TimeField form plugin doesn't work with all names.
  - fixed #12055: Thingy pagination breaks after editing data
  - fixed #12066: Thingy CSV export overrides ExportHTML
+ - fixed #12068: www_editSave not strict enough in permission checks
 
 7.10.10
  - fixed #12035: Story Manager - make keywords from Story view work

lib/WebGUI/Asset.pm

@@ -2997,6 +2997,11 @@ sub www_editSave {
 
     ##If this is a new asset (www_add), the parent may be locked.  We should still be able to add a new asset.
     my $isNewAsset = $session->form->process("assetId") eq "new" ? 1 : 0;
+    $session->log->warn("new asset: $isNewAsset");
+    $session->log->warn("canEdit: ". $self->canEdit);
+    $session->log->warn("validToken: ". $session->form->validToken);
+    $session->log->warn("userId: ". $session->user->userId);
+    $session->log->warn("ownerUserId: ". $self->get('ownerUserId'));
     return $session->privilege->locked() if (!$self->canEditIfLocked and !$isNewAsset);
     return $session->privilege->insufficient() unless $self->canEdit && $session->form->validToken;
     if ($self->session->config->get("maximumAssets")) {
@@ -3006,7 +3011,9 @@ sub www_editSave {
     }
     my $object;
     if ($isNewAsset) {
-        $object = $self->addChild({className=>$session->form->process("class","className")});	
+        my $className = $session->form->process("class","className");
+        return $session->privilege->insufficient() if ($isNewAsset && !$className->canAdd($session));
+        $object = $self->addChild({className=> $className});	
         return $self->www_view unless defined $object;
         $object->{_parent} = $self;
         $object->{_properties}{url} = undef;