harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix ability for file storage creators (visitors) to be able to delete their own content

Browse Source
This commit is contained in:
zotlabs 2019-02-19 13:14:19 -08:00
parent 1ea9002fe8
commit 1a77bdd1d0
3 changed files with 42 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
Zotlabs/Module/Filestorage.php
View File

@ -5,6 +5,8 @@ namespace Zotlabs\Module;
* *
*/ */
class Filestorage extends \Zotlabs\Web\Controller { class Filestorage extends \Zotlabs\Web\Controller {
function post() { function post() {
@ -71,14 +73,6 @@ class Filestorage extends \Zotlabs\Web\Controller {
return; return;
} }
// Since we have ACL'd files in the wild, but don't have ACL here yet, we
// need to return for anyone other than the owner, despite the perms check for now.
$is_owner = (((local_channel()) && ($owner == local_channel())) ? true : false);
if(! ($is_owner || is_site_admin())){
info( t('Permission Denied.') . EOL );
return;
}
if(argc() > 3 && argv(3) === 'delete') { if(argc() > 3 && argv(3) === 'delete') {
@ -101,18 +95,31 @@ class Filestorage extends \Zotlabs\Web\Controller {
} }
$file = intval(argv(2)); $file = intval(argv(2));
$r = q("SELECT hash FROM attach WHERE id = %d AND uid = %d LIMIT 1", $r = q("SELECT hash, creator FROM attach WHERE id = %d AND uid = %d LIMIT 1",
dbesc($file), dbesc($file),
intval($owner) intval($owner)
); );
if(! $r) { if(! $r) {
notice( t('File not found.') . EOL);
if($json_return) if($json_return)
json_return_and_die([ 'success' => false ]); json_return_and_die([ 'success' => false ]);
notice( t('File not found.') . EOL);
goaway(z_root() . '/cloud/' . $which); goaway(z_root() . '/cloud/' . $which);
} }
if(local_channel() !== $owner) {
if($r[0]['creator'] && $r[0]['creator'] !== $ob_hash) {
notice( t('Permission denied.') . EOL);
if($json_return)
json_return_and_die([ 'success' => false ]);
goaway(z_root() . '/cloud/' . $which);
}
}
$f = $r[0]; $f = $r[0];
$channel = channelx_by_n($owner); $channel = channelx_by_n($owner);
@ -134,6 +141,19 @@ class Filestorage extends \Zotlabs\Web\Controller {
goaway(dirname($url)); goaway(dirname($url));
} }
// Since we have ACL'd files in the wild, but don't have ACL here yet, we
// need to return for anyone other than the owner, despite the perms check for now.
$is_owner = (((local_channel()) && ($owner == local_channel())) ? true : false);
if(! ($is_owner || is_site_admin())){
info( t('Permission Denied.') . EOL );
return;
}
if(argc() > 3 && argv(3) === 'edit') { if(argc() > 3 && argv(3) === 'edit') {
require_once('include/acl_selectors.php'); require_once('include/acl_selectors.php');
if(! $perms['write_storage']) { if(! $perms['write_storage']) {

11
Zotlabs/Storage/Browser.php
View File

@ -205,18 +205,22 @@ class Browser extends DAV\Browser\Plugin {
// upload access. system.thumbnail_security should be set to 1 if you want to include these // upload access. system.thumbnail_security should be set to 1 if you want to include these
// types // types
$is_creator = false;
$photo_icon = ''; $photo_icon = '';
$preview_style = intval(get_config('system','thumbnail_security',0)); $preview_style = intval(get_config('system','thumbnail_security',0));
$r = q("select content from attach where hash = '%s' and uid = %d limit 1", $r = q("select content, creator from attach where hash = '%s' and uid = %d limit 1",
dbesc($attachHash), dbesc($attachHash),
intval($owner) intval($owner)
); );
if($r && file_exists(dbunescbin($r[0]['content']) . '.thumb')) { if($r) {
$is_creator = (($r[0]['creator'] === get_observer_hash()) ? true : false);
if(file_exists(dbunescbin($r[0]['content']) . '.thumb')) {
$photo_icon = 'data:image/jpeg;base64,' . base64_encode(file_get_contents(dbunescbin($r[0]['content']) . '.thumb')); $photo_icon = 'data:image/jpeg;base64,' . base64_encode(file_get_contents(dbunescbin($r[0]['content']) . '.thumb'));
// logger('found thumb: ' . $photo_icon); // logger('found thumb: ' . $photo_icon);
} }
}
if(strpos($type,'image/') === 0 && $attachHash) { if(strpos($type,'image/') === 0 && $attachHash) {
$r = q("select resource_id, imgscale from photo where resource_id = '%s' and imgscale in ( %d, %d ) order by imgscale asc limit 1", $r = q("select resource_id, imgscale from photo where resource_id = '%s' and imgscale in ( %d, %d ) order by imgscale asc limit 1",
@ -247,6 +251,7 @@ class Browser extends DAV\Browser\Plugin {
$ft['attachIcon'] = (($size) ? $attachIcon : ''); $ft['attachIcon'] = (($size) ? $attachIcon : '');
// @todo Should this be an item value, not a global one? // @todo Should this be an item value, not a global one?
$ft['is_owner'] = $is_owner; $ft['is_owner'] = $is_owner;
$ft['is_creator'] = $is_creator;
$ft['fullPath'] = $fullPath; $ft['fullPath'] = $fullPath;
$ft['displayName'] = $displayName; $ft['displayName'] = $displayName;
$ft['type'] = $type; $ft['type'] = $type;
@ -256,6 +261,8 @@ class Browser extends DAV\Browser\Plugin {
$ft['iconFromType'] = getIconFromType($type); $ft['iconFromType'] = getIconFromType($type);
$f[] = $ft; $f[] = $ft;
logger('f:' . print_r($ft,true));
} }

2
view/tpl/cloud_directory.tpl
View File

@ -68,7 +68,7 @@
<td class="cloud-index-tool"><a href="#" title="{{$delete}}" onclick="dropItem('{{$item.fileStorageUrl}}/{{$item.attachId}}/delete/json', '#cloud-index-{{$item.attachId}},#cloud-tools-{{$item.attachId}}'); return false;"><i class="fa fa-trash-o drop-icons"></i></a></td> <td class="cloud-index-tool"><a href="#" title="{{$delete}}" onclick="dropItem('{{$item.fileStorageUrl}}/{{$item.attachId}}/delete/json', '#cloud-index-{{$item.attachId}},#cloud-tools-{{$item.attachId}}'); return false;"><i class="fa fa-trash-o drop-icons"></i></a></td>
{{else}} {{else}}
<td></td><td></td><td></td>{{if $is_admin}}<td class="cloud-index-tool"><a href="#" title="{{$admin_delete}}" onclick="dropItem('{{$item.fileStorageUrl}}/{{$item.attachId}}/delete/json', '#cloud-index-{{$item.attachId}},#cloud-tools-{{$item.attachId}}'); return false;"><i class="fa fa-trash-o drop-icons"></i></a>{{else}}<td>{{/if}}</td> <td></td><td></td><td></td>{{if $is_admin || $item.is_creator}}<td class="cloud-index-tool"><a href="#" title="{{if $is_admin}}{{$admin_delete}}{{else}}{{$delete}}{{/if}}" onclick="dropItem('{{$item.fileStorageUrl}}/{{$item.attachId}}/delete/json', '#cloud-index-{{$item.attachId}},#cloud-tools-{{$item.attachId}}'); return false;"><i class="fa fa-trash-o drop-icons"></i></a>{{else}}<td>{{/if}}</td>
{{/if}} {{/if}}
<td>{{*{{$item.type}}*}}</td> <td>{{*{{$item.type}}*}}</td>
<td class="d-none d-md-table-cell">{{$item.sizeFormatted}}</td> <td class="d-none d-md-table-cell">{{$item.sizeFormatted}}</td>