complete secure files
This commit is contained in:
@@ -51,8 +51,9 @@ class MediaConductor extends Conductor
|
||||
|
||||
/** @var \App\Models\User */
|
||||
$user = auth()->user();
|
||||
$fields = arrayRemoveItem($fields, 'security_data');
|
||||
if ($user === null || $user->hasPermission('admin/media') === false) {
|
||||
$fields = arrayRemoveItem($fields, ['security', 'storage']);
|
||||
$fields = arrayRemoveItem($fields, 'storage');
|
||||
}
|
||||
|
||||
return $fields;
|
||||
@@ -68,13 +69,13 @@ class MediaConductor extends Conductor
|
||||
{
|
||||
$user = auth()->user();
|
||||
if ($user === null) {
|
||||
$builder->where('security', '');
|
||||
$builder->where('security_type', '');
|
||||
} else {
|
||||
$builder->where(function ($query) use ($user) {
|
||||
$query->where('security', '')
|
||||
$query->where('security_type', '')
|
||||
->orWhere(function ($subquery) use ($user) {
|
||||
$subquery->where('security', 'LIKE', 'permission:%')
|
||||
->whereIn(DB::raw("SUBSTRING(security, 11)"), $user->permissions);
|
||||
$subquery->where('security_type', 'permission')
|
||||
->whereIn('security_data', $user->permissions);
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
@@ -13,6 +13,7 @@ use Illuminate\Http\Request;
|
||||
use Illuminate\Http\UploadedFile;
|
||||
use Illuminate\Support\Carbon;
|
||||
use Illuminate\Support\Facades\Log;
|
||||
use Illuminate\Support\Facades\Storage;
|
||||
use Laravel\Sanctum\PersonalAccessToken;
|
||||
|
||||
class MediaController extends ApiController
|
||||
@@ -162,15 +163,20 @@ class MediaController extends ApiController
|
||||
$data['storage'] = $request->get('storage', '');
|
||||
}
|
||||
|
||||
if ($request->has('security') === true || $file !== null) {
|
||||
$data['security'] = $request->get('security', '');
|
||||
if ($request->has('security_type') === true || $file !== null) {
|
||||
$data['security']['type'] = $request->get('security_type', '');
|
||||
$data['security']['data'] = $request->get('security_data', '');
|
||||
|
||||
if($data['security']['type'] === '') {
|
||||
$data['security']['data'] = '';
|
||||
}
|
||||
}
|
||||
|
||||
if(array_key_exists('storage', $data) === true &&
|
||||
array_key_exists('security', $data) === true &&
|
||||
(array_key_exists('security', $data) === true && array_key_exists('type', $data['security']) === true) &&
|
||||
array_key_exists('mime_type', $data) === true &&
|
||||
$data['mime_type'] !== "") {
|
||||
$error = Media::verifyStorage($data['mime_type'], $data['security'], $data['storage']);
|
||||
$error = Media::verifyStorage($data['mime_type'], $data['security']['type'], $data['storage']);
|
||||
switch($error) {
|
||||
case Media::STORAGE_VALID:
|
||||
break;
|
||||
@@ -284,47 +290,49 @@ class MediaController extends ApiController
|
||||
*/
|
||||
public function download(Request $request, Media $medium)
|
||||
{
|
||||
$respondJson = in_array('application/json', explode(',', $request->header('Accept', 'application/json')));
|
||||
|
||||
$headers = [];
|
||||
$path = $medium->path();
|
||||
|
||||
/* File exists */
|
||||
if (file_exists($path) === false) {
|
||||
if ($respondJson === false) {
|
||||
return redirect('/not-found');
|
||||
} else {
|
||||
return $this->respondNotFound();
|
||||
}
|
||||
|
||||
/* Check file exists */
|
||||
if(Storage::disk($medium->storage)->exists($medium->name) === true) {
|
||||
return $this->respondNotFound();
|
||||
}
|
||||
|
||||
$updated_at = Carbon::parse(filemtime($path));
|
||||
|
||||
$updated_at = Carbon::parse(Storage::disk($medium->storage)->lastModified($medium->name));
|
||||
|
||||
$headerPragma = 'no-cache';
|
||||
$headerCacheControl = 'max-age=0, must-revalidate';
|
||||
$headerExpires = $updated_at->toRfc2822String();
|
||||
|
||||
if (empty($medium->permission) === true) {
|
||||
if ($request->user() === null && $request->has('token') === true) {
|
||||
$accessToken = PersonalAccessToken::findToken(urldecode($request->input('token')));
|
||||
/* construct user if can */
|
||||
$user = $request->user();
|
||||
if ($user === null && $request->has('token') === true) {
|
||||
$accessToken = PersonalAccessToken::findToken(urldecode($request->input('token')));
|
||||
|
||||
if (
|
||||
$accessToken !== null && (config('sanctum.expiration') === null ||
|
||||
$accessToken->created_at->lte(now()->subMinutes(config('sanctum.expiration'))) === false)
|
||||
) {
|
||||
$user = $accessToken->tokenable;
|
||||
}
|
||||
if (
|
||||
$accessToken !== null && (config('sanctum.expiration') === null ||
|
||||
$accessToken->created_at->lte(now()->subMinutes(config('sanctum.expiration'))) === false)
|
||||
) {
|
||||
$user = $accessToken->tokenable;
|
||||
}
|
||||
if ($request->user() === null || $user->hasPermission($medium->permission) === false) {
|
||||
if ($respondJson === false) {
|
||||
return redirect('/login?redirect=' . $request->path());
|
||||
} else {
|
||||
return $this->respondForbidden();
|
||||
}
|
||||
}
|
||||
} else {
|
||||
}
|
||||
|
||||
if ($medium->security_type === '') {
|
||||
/* no security */
|
||||
$headerPragma = 'public';
|
||||
$headerExpires = $updated_at->addMonth()->toRfc2822String();
|
||||
} else if (strcasecmp('password', $medium->security_type) === 0) {
|
||||
/* password */
|
||||
if(
|
||||
($user === null || $user->hasPermission('admin/media') === false) &&
|
||||
($request->has('password') === false || $request->get('password') !== $medium->security_data)) {
|
||||
return $this->respondForbidden();
|
||||
}
|
||||
} else if (strcasecmp('permission', $medium->security_type) === 0) {
|
||||
/* permission */
|
||||
if(
|
||||
$user === null || ($user->hasPermission('admin/media') === false && $user->hasPermission($medium->security_data) === false)) {
|
||||
return $this->respondForbidden();
|
||||
}
|
||||
}//end if
|
||||
|
||||
// deepcode ignore InsecureHash: Browsers expect Etag to be a md5 hash
|
||||
@@ -333,7 +341,7 @@ class MediaController extends ApiController
|
||||
|
||||
$headers = [
|
||||
'Cache-Control' => $headerCacheControl,
|
||||
'Content-Disposition' => sprintf('inline; filename="%s"', basename($path)),
|
||||
'Content-Disposition' => sprintf('inline; filename="%s"', basename($medium->name)),
|
||||
'Etag' => $headerEtag,
|
||||
'Expires' => $headerExpires,
|
||||
'Last-Modified' => $headerLastModified,
|
||||
@@ -352,7 +360,18 @@ class MediaController extends ApiController
|
||||
return response()->make('', 304, $headers);
|
||||
}
|
||||
|
||||
return response()->file($path, $headers);
|
||||
$headers['Content-Type'] = Storage::disk($medium->storage)->mimeType($medium->name);
|
||||
$headers['Content-Length'] = Storage::disk($medium->storage)->size($medium->name);
|
||||
$headers['Content-Disposition'] = 'inline; filename="' . basename($medium->name) . '"';
|
||||
|
||||
$stream = Storage::disk($medium->storage)->readStream($medium->name);
|
||||
return response()->stream(
|
||||
function () use ($stream) {
|
||||
fclose($stream);
|
||||
},
|
||||
200,
|
||||
$headers
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -86,13 +86,14 @@ class MediaWorkerJob implements ShouldQueue
|
||||
}//end if
|
||||
|
||||
// get security
|
||||
$security = '';
|
||||
$security = [];
|
||||
if ($media === null) {
|
||||
if (array_key_exists('security', $data) === true) {
|
||||
$security = $data['security'];
|
||||
}
|
||||
} else {
|
||||
$security = $media->security;
|
||||
$security['type'] = $media->security_type;
|
||||
$security['data'] = $media->security_data;
|
||||
}
|
||||
|
||||
// get storage
|
||||
@@ -106,7 +107,7 @@ class MediaWorkerJob implements ShouldQueue
|
||||
}
|
||||
|
||||
if ($storage === '') {
|
||||
if(strlen($security) === 0) {
|
||||
if(count($security) === 0 || $security['type'] === '') {
|
||||
if (strpos($data['mime_type'], 'image/') === 0) {
|
||||
$storage = 'local';
|
||||
} else {
|
||||
@@ -145,7 +146,8 @@ class MediaWorkerJob implements ShouldQueue
|
||||
'name' => $data['name'],
|
||||
'mime_type' => $data['mime_type'],
|
||||
'size' => $data['size'],
|
||||
'security' => $data['security'],
|
||||
'security_type' => $data['security']['type'],
|
||||
'security_data' => $data['security']['data'],
|
||||
'storage' => $storage,
|
||||
]);
|
||||
}//end if
|
||||
@@ -296,8 +298,9 @@ class MediaWorkerJob implements ShouldQueue
|
||||
}
|
||||
|
||||
// Relocate file (if requested)
|
||||
if (array_key_exists('security', $data) === true) {
|
||||
$media->security = $data['security'];
|
||||
if (array_key_exists('security', $data) === true && array_key_exists('type', $data['security']) === true) {
|
||||
$media->security_type = $data['security']['type'];
|
||||
$media->security_data = $data['security']['data'];
|
||||
}
|
||||
|
||||
if (array_key_exists('storage', $data) === true) {
|
||||
|
||||
@@ -51,7 +51,8 @@ class Media extends Model
|
||||
'title',
|
||||
'user_id',
|
||||
'mime_type',
|
||||
'security',
|
||||
'security_type',
|
||||
'security_data',
|
||||
'storage',
|
||||
'description',
|
||||
'name',
|
||||
@@ -77,7 +78,8 @@ class Media extends Model
|
||||
'variants' => '[]',
|
||||
'description' => '',
|
||||
'dimensions' => '',
|
||||
'security' => '',
|
||||
'security_type' => '',
|
||||
'security_data' => '',
|
||||
'thumbnail' => '',
|
||||
];
|
||||
|
||||
@@ -335,11 +337,12 @@ class Media extends Model
|
||||
*/
|
||||
public function getUrlAttribute(): string
|
||||
{
|
||||
if (isset($this->attributes['name']) === true) {
|
||||
return self::getUrlPath() . $this->name;
|
||||
}
|
||||
$url = self::getUrlPath();
|
||||
|
||||
return '';
|
||||
$url = str_replace('{id}', $this->id, $url);
|
||||
$url = str_replace('{name}', $this->name, $url);
|
||||
|
||||
return $url;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -377,49 +380,6 @@ class Media extends Model
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Download the file from the storage to the user.
|
||||
*
|
||||
* @param string $variant The variant to download or null if none.
|
||||
* @param boolean $fallback Fallback to the original file if the variant is not found.
|
||||
* @return JsonResponse|StreamedResponse The response.
|
||||
* @throws BindingResolutionException The Exception.
|
||||
*/
|
||||
public function download(string $variant = null, bool $fallback = true)
|
||||
{
|
||||
$path = $this->name;
|
||||
if ($variant !== null) {
|
||||
if (array_key_exists($variant, $this->variant) === true) {
|
||||
$path = $this->variant[$variant];
|
||||
} else {
|
||||
return response()->json(
|
||||
['message' => 'The resource was not found.'],
|
||||
HttpResponseCodes::HTTP_NOT_FOUND
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
$disk = Storage::disk($this->storage);
|
||||
if ($disk->exists($path) === true) {
|
||||
$stream = $disk->readStream($path);
|
||||
$response = response()->stream(
|
||||
function () use ($stream) {
|
||||
fpassthru($stream);
|
||||
},
|
||||
200,
|
||||
[
|
||||
'Content-Type' => $this->mime_type,
|
||||
'Content-Length' => $disk->size($path),
|
||||
'Content-Disposition' => 'attachment; filename="' . basename($path) . '"',
|
||||
]
|
||||
);
|
||||
|
||||
return $response;
|
||||
}
|
||||
|
||||
return response()->json(['message' => 'The resource was not found.'], HttpResponseCodes::HTTP_NOT_FOUND);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the server maximum upload size
|
||||
*
|
||||
@@ -773,7 +733,7 @@ class Media extends Model
|
||||
$newFilename = pathinfo($this->name, PATHINFO_FILENAME) . "-" . uniqid() . "-thumb.webp";
|
||||
$success = false;
|
||||
|
||||
if ($this->security === '') {
|
||||
if ($this->security_type === '') {
|
||||
if (strpos($this->mime_type, 'image/') === 0) {
|
||||
$image = Image::make($filePath);
|
||||
$image->orientate();
|
||||
@@ -897,7 +857,7 @@ class Media extends Model
|
||||
}
|
||||
$this->variants = [];
|
||||
|
||||
if ($this->security === '') {
|
||||
if ($this->security_type === '') {
|
||||
if (strpos($this->mime_type, 'image/') === 0) {
|
||||
// Generate additional image sizes
|
||||
$sizes = Media::getObjectVariants('image');
|
||||
@@ -1025,13 +985,13 @@ class Media extends Model
|
||||
return $this->hasMany(MediaJob::class, 'media_id');
|
||||
}
|
||||
|
||||
public static function verifyStorage($mime_type, $security, &$storage): int {
|
||||
public static function verifyStorage($mime_type, $security_type, &$storage): int {
|
||||
if($mime_type === '') {
|
||||
return Media::STORAGE_MIME_MISSING;
|
||||
}
|
||||
|
||||
if($storage === '') {
|
||||
if($security === '') {
|
||||
if($security_type === '') {
|
||||
if (strpos($mime_type, 'image/') === 0) {
|
||||
$storage = 'local';
|
||||
} else {
|
||||
|
||||
@@ -181,10 +181,10 @@ class MediaJob extends Model
|
||||
$data['mime_type'] = $mime;
|
||||
|
||||
if(array_key_exists('storage', $data) === true &&
|
||||
array_key_exists('security', $data) === true &&
|
||||
array_key_exists('security_type', $data) === true &&
|
||||
array_key_exists('mime_type', $data) === true &&
|
||||
$data['mime_type'] !== "") {
|
||||
$error = Media::verifyStorage($data['mime_type'], $data['security'], $data['storage']);
|
||||
$error = Media::verifyStorage($data['mime_type'], $data['security_type'], $data['storage']);
|
||||
switch($error) {
|
||||
case Media::STORAGE_VALID:
|
||||
break;
|
||||
|
||||
Reference in New Issue
Block a user