4 files changed, 30 insertions, 58 deletions
diff --git a/main/app/sprinkles/admin/routes/posts.php b/main/app/sprinkles/admin/routes/posts.php
index ebc2cda..918af24 100644
--- a/main/app/sprinkles/admin/routes/posts.php
+++ b/main/app/sprinkles/admin/routes/posts.php
@@ -10,6 +10,8 @@
 * Routes for posting.
 */
+$app->get('/image/{PostID}', 'UserFrosting\Sprinkle\Admin\Controller\PostController:postImage')->add('authGuard');
+
 $app->group('/api/posts', function () {
 $this->post('/image', 'UserFrosting\Sprinkle\Admin\Controller\PostController:postImage');
-})->add('authGuard');
+})->add('authGuard');
\ No newline at end of file
diff --git a/main/app/sprinkles/admin/src/Controller/PostController.php b/main/app/sprinkles/admin/src/Controller/PostController.php
index a3015f7..9f63b50 100644
--- a/main/app/sprinkles/admin/src/Controller/PostController.php
+++ b/main/app/sprinkles/admin/src/Controller/PostController.php
@@ -8,6 +8,7 @@ namespace UserFrosting\Sprinkle\Admin\Controller;
+use function GuzzleHttp\Psr7\str;
 use UserFrosting\Fortress\RequestDataTransformer;
 use UserFrosting\Fortress\RequestSchema;
 use UserFrosting\Fortress\ServerSideValidator;
@@ -25,15 +26,24 @@ use Slim\Http\UploadedFile;
 */
 class PostController extends SimpleController
 {
- public function postImage($request, $response, $args) {
+ public function showImage($request, $response, $args) {
+
+ $authorizer = $this->ci->authorizer;
+ $currentUser = $this->ci->currentUser;
+ if (!$authorizer->checkAccess($currentUser, 'view_image')) {
+ throw new ForbiddenException();
+ }
+
+ $postID = $args['PostID'];
+ }
+
+ public function postImage(Request $request, Response $response) {
 function moveUploadedFile($directory, UploadedFile $uploadedFile) {
 $extension = pathinfo($uploadedFile->getClientFilename(), PATHINFO_EXTENSION);
 $basename = bin2hex(random_bytes(8)); // see http://php.net/manual/en/function.random-bytes.php
 $filename = sprintf('%s.%0.8s', $basename, $extension);
- $uploadedFile->moveTo($directory . DIRECTORY_SEPARATOR . $filename); - return $filename; }
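Review bot: The new `GET /image/{PostID}` route points at `PostController:postImage`, which is the upload handler, while the controller change in this same commit introduces `showImage` as the method that reads `$args['PostID']`; `postImage` no longer even accepts `$args`, so a GET to this route would run the upload code path. The target should be `$app->get('/image/{PostID}', 'UserFrosting\Sprinkle\Admin\Controller\PostController:showImage')->add('authGuard');`. If image routes are meant to stay under the `/api/posts` group, declaring it inside the group with `$this->get('/image/{PostID}', ...)` keeps the group's `authGuard` applying uniformly.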
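Review bot: `showImage` reads `$args['PostID']` into `$postID` and then ends without returning anything, so Slim receives `null` instead of a `Response`; until the lookup is implemented it should at least `return $response->withStatus(404);`, and when `$postID` is later used to locate a file it needs to be validated as an identifier (for example with `ctype_digit`) rather than concatenated into the uploads path. `postImage` now type-hints `Request` and `Response`, but the import hunk above only adds `use function GuzzleHttp\Psr7\str;`, which nothing in the visible code calls; unless `Slim\Http\Request` and `Slim\Http\Response` are already imported further up, those are the two `use` lines that are actually needed and the Guzzle one can go. The nested `function moveUploadedFile` that postImage keeps is declared anew on every call, so a second call within the same request fails with a redeclaration error; with the method-level copy deleted in the next hunk, a `private function` on the controller would be the safer home. postImage's body continues in the next hunk.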
@@ -43,46 +53,20 @@ class PostController extends SimpleController
 throw new ForbiddenException();
 }
- $directory = $_SERVER['DOCUMENT_ROOT'] . '/beam/social/main/uploads/';
+ $directory = __DIR__ . '/../../../../../uploads'; // It's ugly but it is flexible..
 $uploadedFiles = $request->getUploadedFiles();
- $uploadedFile = $uploadedFiles['example1'];
- if ($uploadedFile->getError() === UPLOAD_ERR_OK) {
+ $uploadedFile = $uploadedFiles['image'];
+
+ if (!strpos($uploadedFile->getClientMediaType(), "mage")) {
+ return $response->withStatus(415);
+ } else if ($uploadedFile->getError() === 1) {
+ return $response->withStatus(406);
+ } else if ($uploadedFile->getSize() > 10485760) {
+ return $response->withStatus(413);
+ } else {
 $filename = moveUploadedFile($directory, $uploadedFile);
 $response->write('uploaded ' . $filename . '<br/>');
 }
-
- foreach ($uploadedFiles['example2'] as $uploadedFile) {
- if ($uploadedFile->getError() === UPLOAD_ERR_OK) {
- $filename = moveUploadedFile($directory, $uploadedFile);
- $response->write('uploaded ' . $filename . '<br/>');
- }
- }
-
- foreach ($uploadedFiles['example3'] as $uploadedFile) {
- if ($uploadedFile->getError() === UPLOAD_ERR_OK) {
- $filename = moveUploadedFile($directory, $uploadedFile);
- $response->write('uploaded ' . $filename . '<br/>');
- }
- }
- }
-
- /**
- * Moves the uploaded file to the upload directory and assigns it a unique name
- * to avoid overwriting an existing uploaded file.
- *
- * @param string $directory directory to which the file is moved
- * @param UploadedFile $uploaded file uploaded file to move
- * @return string filename of moved file
- */
- function moveUploadedFile($directory, UploadedFile $uploadedFile)
- {
- $extension = pathinfo($uploadedFile->getClientFilename(), PATHINFO_EXTENSION);
- $basename = bin2hex(random_bytes(8)); // see http://php.net/manual/en/function.random-bytes.php
- $filename = sprintf('%s.%0.8s', $basename, $extension);
-
- $uploadedFile->moveTo($directory . 
DIRECTORY_SEPARATOR . $filename);
-
- return $filename;
 }
 protected function getUserFromParams($params) {
diff --git a/main/app/sprinkles/core/src/ServicesProvider/ServicesProvider.php b/main/app/sprinkles/core/src/ServicesProvider/ServicesProvider.php
index 3f562a9..c67b886 100644
--- a/main/app/sprinkles/core/src/ServicesProvider/ServicesProvider.php
+++ b/main/app/sprinkles/core/src/ServicesProvider/ServicesProvider.php
@@ -235,9 +235,6 @@ class ServicesProvider
 // Hacky fix to prevent sessions from being hit too much: ignore CSRF middleware for requests for raw assets ;-)
 // See https://github.com/laravel/framework/issues/8172#issuecomment-99112012 for more information on why it's bad to hit Laravel sessions multiple times in rapid succession.
 $csrfBlacklist = $config['csrf.blacklist'];
- $csrfBlacklist['^/api/posts/image'] = [
- 'POST'
- ];
 $csrfBlacklist['^/' . $config['assets.raw.path']] = [
 'GET'
 ];
diff --git a/main/app/sprinkles/core/templates/pages/test.html.twig b/main/app/sprinkles/core/templates/pages/test.html.twig
index 8df9b89..796ee72 100644
--- a/main/app/sprinkles/core/templates/pages/test.html.twig
+++ b/main/app/sprinkles/core/templates/pages/test.html.twig
@@ -1,19 +1,8 @@
-<form method="post" enctype="multipart/form-data" action="{{site.uri.public}}/api/posts/image">
+<form method="post" action="{{ site.uri.public }}/api/posts/image">
 {% include "forms/csrf.html.twig" %}
 <p>
- <label>Add file (single): </label><br/>
- <input type="file" name="example1"/>
- </p>
- <p>
- <label>Add files (up to 2): </label><br/>
- <input type="file" name="example2[]"/><br/>
- <input type="file" name="example2[]"/>
- </p>
- <p>
- <label>Add files (multiple): </label><br/>
- <input type="file" name="example3[]" multiple="multiple"/>
- </p>
- <p>
- <input type="submit"/>
+ <label>Upload file:</label><br/>
+ <input formenctype="multipart/form-data" type="file" name="image"/>
 </p>
+ <input formenctype="multipart/form-data" type="submit"/>
 </form>
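Review bot: The new type check `if (!strpos($uploadedFile->getClientMediaType(), "mage"))` trusts the client's Content-Type header, and `moveUploadedFile` still takes the stored extension from `getClientFilename()`, so neither reflects the file's actual content; with `$directory` now resolving to `main/uploads` (the old path put it under `DOCUMENT_ROOT`, so this directory is presumably web-served) a non-image upload can be written with an executable extension. The error check `getError() === 1` matches only `UPLOAD_ERR_INI_SIZE`, so partial or missing uploads still reach `moveTo`, and it runs after the media-type test even though `getClientMediaType()` is null on a failed upload; `$uploadedFiles['image']` is also indexed without `isset`, so a POST without that field fatals. The rewrite below checks the upload error first, detects the type from the bytes with `getimagesize()` on the temporary file, and takes the extension from a fixed allowlist, which means `moveUploadedFile` should accept `$extension` as a third parameter instead of reading the client filename. Serving files back only through the `showImage` route, with a Content-Type the controller sets itself, rather than directly out of `uploads` would remove the remaining exposure; the enclosing postImage starts in the previous hunk.
```php
        $uploadedFile = $uploadedFiles['image'] ?? null;
        if ($uploadedFile === null || $uploadedFile->getError() !== UPLOAD_ERR_OK) {
            return $response->withStatus(406);
        }
        if ($uploadedFile->getSize() > 10485760) {
            return $response->withStatus(413);
        }
        // Decide the type from the bytes, not from the client's Content-Type or filename;
        // the allowlisted extension is what keeps the stored file non-executable.
        $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
        $info = getimagesize($uploadedFile->getStream()->getMetadata('uri'));
        if ($info === false || !isset($allowed[$info['mime']])) {
            return $response->withStatus(415);
        }
        $filename = moveUploadedFile($directory, $uploadedFile, $allowed[$info['mime']]);
        // … unchanged: $response->write(...) and the closing brace of postImage …
```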
\ No newline at end of file |
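Review bot: `formenctype` is only honoured on submit buttons, so on the new `<input formenctype="multipart/form-data" type="file" name="image"/>` line it is ignored, and removing `enctype` from the `<form>` means multipart encoding now depends on the form being submitted through that one button. The form attribute is the reliable place for it: `<form method="post" enctype="multipart/form-data" action="{{ site.uri.public }}/api/posts/image">`, after which both `formenctype` attributes can be dropped.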