Commit ec7052e1 authored by Henning Leutz's avatar Henning Leutz 🥋

refactor: #955 - upload permissions

parent 6bf2ab8d
......@@ -128,16 +128,22 @@ class Manager
QUIFile::mkdir($this->getUserUploadDir());
$filename = false;
$filesize = 0;
$fileSize = 0;
$fileType = false;
$params = [];
$onfinish = false;
if (isset($_REQUEST['filetype'])) {
$fileType = $_REQUEST['filetype'];
}
if (isset($_REQUEST['filename'])) {
$filename = $_REQUEST['filename'];
}
if (isset($_REQUEST['filesize'])) {
$filesize = (int)$_REQUEST['filesize'];
$fileSize = (int)$_REQUEST['filesize'];
}
if (isset($_REQUEST['fileparams'])) {
......@@ -152,6 +158,47 @@ class Manager
$_REQUEST['extract'] = QUI\Utils\BoolHelper::JSBool($_REQUEST['extract']);
}
// check file count
$configMaxFileCount = Permission::getPermission(
'quiqqer.upload.maxUploadCount'
);
if ($configMaxFileCount) {
$userDir = $this->getUserUploadDir();
$files = File::readDir($userDir);
$count = \count($files) / 2;
if ($count + 1 >= $configMaxFileCount) {
throw new QUI\Permissions\Exception([
'quiqqer/quiqqer',
'exception.upload.count.limit'
]);
}
}
// check mime type
$configAllowedTypes = Permission::getPermission(
'quiqqer.upload.allowedTypes'
);
$configAllowedEndings = Permission::getPermission(
'quiqqer.upload.allowedEndings'
);
if ($this->checkFnMatch($configAllowedTypes, $fileType) === false) {
throw new QUI\Exception([
'quiqqer/quiqqer',
'exception.upload.not.allowed.mimetype'
]);
}
if ($this->checkFnMatch($configAllowedEndings, $filename) === false) {
throw new QUI\Exception([
'quiqqer/quiqqer',
'exception.upload.not.allowed.ending'
]);
}
/**
* no html5 upload
*/
......@@ -164,13 +211,13 @@ class Manager
return '';
}
$uploadid = 0;
$uploadId = 0;
if (isset($_REQUEST['uploadid'])) {
$uploadid = $_REQUEST['uploadid'];
$uploadId = $_REQUEST['uploadid'];
}
$this->flushAction('UploadManager.isFinish("'.$uploadid.'")');
$this->flushAction('UploadManager.isFinish("'.$uploadId.'")');
return '';
}
......@@ -215,8 +262,8 @@ class Manager
$configMaxFileSize = Permission::getPermission('quiqqer.upload.maxFileUploadSize');
if (QUI\Projects\Manager::get()->getConfig('media_maxUploadFileSize')) {
$configMaxFileSize = QUI\Projects\Manager::get()->getConfig('media_maxUploadFileSize');
if ((int)QUI\Projects\Manager::get()->getConfig('media_maxUploadFileSize')) {
$configMaxFileSize = (int)QUI\Projects\Manager::get()->getConfig('media_maxUploadFileSize');
}
......@@ -234,7 +281,7 @@ class Manager
}
// finish? then upload to folder
if ((int)$fileinfo['filesize'] == $filesize) {
if ((int)$fileinfo['filesize'] == $fileSize) {
// extract if the the extract file is set
if (isset($_REQUEST['extract']) && $_REQUEST['extract']) {
$File = $this->extract($tmp_name);
......@@ -285,6 +332,30 @@ class Manager
return '';
}
/**
* @param $values
* @param $str
*
* @return bool
*/
protected function checkFnMatch($values, $str)
{
if (empty($configAllowedTypes)) {
return true;
}
$configAllowedTypes = \explode(',', $configAllowedTypes);
$fileType = $_REQUEST['filetype'];
foreach ($configAllowedTypes as $type) {
if (\fnmatch($type, $fileType)) {
return true;
}
}
return false;
}
/**
* call a function
*
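Review bot: `checkFnMatch` in the last hunk never reads its `$values`/`$str` parameters — it tests the undefined local `$configAllowedTypes`, so `empty()` is always true and the method returns `true` unconditionally, which turns both the `quiqqer.upload.allowedTypes` and `quiqqer.upload.allowedEndings` checks in the second hunk into no-ops. The rewrite below matches the comma-separated patterns against the arguments instead (trimming each pattern so a value like `image/*, application/pdf` still works); note that `$str` is `false` when the request omits `filename`/`filetype`, which then fails to match against a configured allowlist — the safe direction. Even with the fix, both inputs are client-declared (`$_REQUEST['filetype']` and `$_REQUEST['filename']` in the first hunk), so the MIME check only validates a claim the uploader makes; the extension match is the one worth trusting, and it should presumably also cover the name the file is finally stored under, which is outside these hunks. The upload-count limit in the second hunk throws at `$count + 1 >= $configMaxFileCount`, so a limit of N appears to allow only N-1 uploads and the `/ 2` assumes exactly two directory entries per upload — worth either `>` or a comment stating the intent, and the directory listing is racy under concurrent uploads. The `exception.upload.not.allowed.mimetype`/`.ending` keys these throws reference are added to the German locale but seem to have no English counterpart in this commit.

```php
protected function checkFnMatch($values, $str)
{
    // No allowlist configured: nothing to enforce.
    if (empty($values)) {
        return true;
    }

    foreach (\explode(',', $values) as $pattern) {
        $pattern = \trim($pattern);

        if ($pattern !== '' && \fnmatch($pattern, (string)$str)) {
            return true;
        }
    }

    return false;
}
```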
......
......@@ -4261,11 +4261,11 @@ Hinweis: Wenn QUIQQER als GIT Repository installiert ist, existiert keine MD5 Su
<de><![CDATA[Upload]]></de>
</locale>
<locale name="permission.quiqqer.upload.maxUploadCount">
<de><![CDATA[Max. Grösse eines Upload-Vorgangs]]></de>
<de><![CDATA[Upload Dateien Limit pro Nutzer]]></de>
</locale>
<locale name="permission.quiqqer.upload.maxUploadCount.description">
<de><![CDATA[
Legt die maximale Grösse eines Upload-Vorgangs fest.
Legt die maximale Anzahl an Uploads für den Benutzer fest.
Hier zählen alle Dateien die während eines Upload-Vorgangs hochgeladen werden, zusammen.
]]></de>
</locale>
......@@ -4927,6 +4927,15 @@ Du kannst die Benutzerrechteprüfung der Konsole auch mit '--ignore-file-permiss
<locale name="console.systemtool.licence">
<de><![CDATA[Zeigt die QUIQQER Lizenz]]></de>
</locale>
<locale name="exception.upload.count.limit">
<de><![CDATA[Leider darfst keine weiteren Dateien mehr hochladen.]]></de>
</locale>
<locale name="exception.upload.not.allowed.mimetype">
<de><![CDATA[Diese Datei darfst du leider nicht hochladen.]]></de>
</locale>
<locale name="exception.upload.not.allowed.ending">
<de><![CDATA[Diese Datei darfst du leider nicht hochladen.]]></de>
</locale>
</groups>
<groups name="quiqqer/quiqqer" datatype="js">
<locale name="controls.email.select.email_invalid">
......
......@@ -4747,6 +4747,9 @@ Note: If QUIQQER is installed as GIT repository, no MD5 summary file exists.
<locale name="console.systemtool.licence">
<en><![CDATA[Shows the QUIQQER License]]></en>
</locale>
<locale name="exception.upload.count.limit">
<en><![CDATA[Unfortunately you are not allowed to upload any more files.]]></en>
</locale>
</groups>
<groups name="quiqqer/quiqqer" datatype="js"> <!-- Control: controls/email/Select -->
<locale name="controls.email.select.email_invalid">
......
......@@ -10,12 +10,3 @@
{$Site->getAttribute('content')}
</div>
{/if}
{$FormUpload->create()}
<style>
footer {
display: inline-block;
margin-top: 40px;
}
</style>