nexus/vuefilemanager
2
0
Fork 0
mirror of https://github.com/VueFileManager/vuefilemanager.git synced 2026-04-23 17:50:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

protected sharing update

Browse Source
This commit is contained in:
carodej
2020-04-24 12:50:11 +02:00
parent c4b26d70b5
commit 586f0bba68
22 changed files with 446 additions and 164 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/Http/Controllers/Auth/AuthController.php
+2 -2
View File
@@ -59,7 +59,7 @@ class AuthController extends Controller
$data = json_decode($response->content(), true);
return response('Login Successfull!', 200)->cookie('token', $data['access_token'], 43200);
return response('Login Successfull!', 200)->cookie('access_token', $data['access_token'], 43200);
} else {
return $response;
@@ -118,7 +118,7 @@ class AuthController extends Controller
$token->delete();
});
return response('Logout successfull', 200)->cookie('token', '', -1);
return response('Logout successfull', 200)->cookie('access_token', '', -1);
}
/**
app/Http/Controllers/FileAccessController.php
+92 -57
View File
@@ -2,52 +2,19 @@
namespace App\Http\Controllers;
use App\FileManagerFolder;
use App\Share;
use Illuminate\Support\Arr;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\File;
use Illuminate\Http\Request;
use App\FileManagerFile;
use Illuminate\Support\Str;
use Response;
class FileAccessController extends Controller
{
/**
* Get file
*
* @param $filename
* @return mixed
*/
public function get_file($filename)
{
// Get user id
$user_id = Auth::id();
// Get file record
$file = FileManagerFile::withTrashed()
->where('user_id', $user_id)
->where('basename', $filename)
->firstOrFail();
// Get file path
$path = storage_path() . '/app/file-manager/' . $file->basename;
// Check if file exist
if (!File::exists($path)) abort(404);
$file = File::get($path);
$type = File::mimeType($path);
$size = File::size($path);
// Create response
$response = Response::make($file, 200);
$response->header("Content-Type", $type);
$response->header("Content-Disposition", 'attachment; filename=' . $filename);
$response->header("Content-Length", $size);
$response->header("Accept-Ranges", "bytes");
$response->header("Content-Range", "bytes 0-" . $size . "/" . $size);
return $response;
}
/**
* Get avatar
*
@@ -73,12 +40,13 @@ class FileAccessController extends Controller
}
/**
* Get image thumbnail
* Get file
*
* @param Request $request
* @param $filename
* @return mixed
*/
public function get_thumbnail($filename)
public function get_file(Request $request, $filename)
{
// Get user id
$user_id = Auth::id();
@@ -86,26 +54,57 @@ class FileAccessController extends Controller
// Get file record
$file = FileManagerFile::withTrashed()
->where('user_id', $user_id)
->where('basename', $filename)
->firstOrFail();
// Check user permission
if ( ! $request->user()->tokenCan('master') ) {
$this->check_access($request, $file);
}
// Format pretty filename
$file_pretty_name = $file->name . '.' . $file->mimetype;
// Get file path
$path = storage_path() . '/app/file-manager/' . $file->basename;
// Check if file exist
if (!File::exists($path)) abort(404);
$file = File::get($path);
$type = File::mimeType($path);
$size = File::size($path);
// Create response
$response = Response::make($file, 200);
$response->header("Content-Type", $type);
$response->header("Content-Disposition", 'attachment; filename=' . $file_pretty_name);
$response->header("Content-Length", $size);
$response->header("Accept-Ranges", "bytes");
$response->header("Content-Range", "bytes 0-" . $size . "/" . $size);
return $response;
}
/**
* Get image thumbnail
*
* @param Request $request
* @param $filename
* @return mixed
*/
public function get_thumbnail(Request $request, $filename)
{
// Get file record
$file = FileManagerFile::withTrashed()
->where('user_id', $request->user()->id)
->where('thumbnail', $filename)
->firstOrFail();
/* if ($request->has('token')) {
// Get sharing record
$shared = Share::where('token', $request->token)->firstOrFail();
// Get all children folders
$foldersIds = FileManagerFolder::with('folders:id,parent_id,unique_id,name')
->where('user_id', $user_id)
->where('parent_id', $shared->item_id)
->get();
// Get all authorized parent folders by shared folder as root of tree
$authorized_parent_folder_ids = Arr::flatten([filter_folders_ids($foldersIds), $shared->item_id]);
// Check user access
if ( ! in_array($file->folder_id, $authorized_parent_folder_ids)) abort(401);
}*/
// Check user permission
if ( ! $request->user()->tokenCan('master') ) {
$this->check_access($request, $file);
}
// Get file path
$path = storage_path() . '/app/file-manager/' . $file->getOriginal('thumbnail');
@@ -122,4 +121,40 @@ class FileAccessController extends Controller
return $response;
}
/**
* Check user file access
*
* @param $request
*/
protected function check_access($request, $file): void
{
// check if shared_token cookie exist
if (! $request->hasCookie('shared_token')) abort('401');
// Get shared token
$shared = Share::where(DB::raw('BINARY `token`'), $request->cookie('shared_token'))
->first();
// Check by parent folder permission
if ($shared->type === 'folder') {
// Get all children folders
$foldersIds = FileManagerFolder::with('folders:id,parent_id,unique_id,name')
->where('user_id', $shared->user_id)
->where('parent_id', $shared->item_id)
->get();
// Get all authorized parent folders by shared folder as root of tree
$accessible_folder_ids = Arr::flatten([filter_folders_ids($foldersIds), $shared->item_id]);
// Check user access
if (!in_array($file->folder_id, $accessible_folder_ids)) abort(403);
}
// Check by single file permission
if ($shared->type === 'file') {
if ($shared->item_id !== $file->unique_id) abort(403);
}
}
}
app/Http/Controllers/FileFunctions/EditController.php
+69 -10
View File
@@ -5,6 +5,7 @@ namespace App\Http\Controllers\FileFunctions;
use App\Share;
use Illuminate\Support\Arr;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;
use Intervention\Image\ImageManagerStatic as Image;
use Illuminate\Support\Facades\Validator;
use Illuminate\Support\Facades\Storage;
@@ -26,6 +27,11 @@ class EditController extends Controller
*/
public function create_folder(Request $request)
{
// Check permission to create folder for authenticated public editor
if ( ! $request->user()->tokenCan('master') ) {
$this->check_access($request, $request->parent_id);
}
// Validate request
$validator = Validator::make($request->all(), [
'parent_id' => 'required|integer',
@@ -45,6 +51,7 @@ class EditController extends Controller
'name' => $request->has('name') ? $request->input('name') : 'New Folder',
'type' => 'folder',
'unique_id' => $this->get_unique_id(),
'user_scope' => $request->user()->token()->scopes[0],
]);
// Return new folder
@@ -79,6 +86,11 @@ class EditController extends Controller
->where('user_id', $user_id)
->firstOrFail();
// Check permission to rename for authenticated public editor
if ( ! $request->user()->tokenCan('master') ) {
$this->check_access($request, $item->unique_id);
}
$item->name = $request->name;
$item->save();
@@ -88,6 +100,11 @@ class EditController extends Controller
->where('user_id', $user_id)
->firstOrFail();
// Check permission to rename for authenticated public editor
if ( ! $request->user()->tokenCan('master') ) {
$this->check_access($request, $item->folder_id);
}
$item->name = $request->name;
$item->save();
}
@@ -127,6 +144,11 @@ class EditController extends Controller
->where('unique_id', $request->unique_id)
->first();
// Check permission to delete for authenticated public editor
if ( ! $request->user()->tokenCan('master') ) {
$this->check_access($request, $folder->unique_id);
}
// Force delete children files
if ($request->force_delete) {
@@ -170,6 +192,11 @@ class EditController extends Controller
->where('unique_id', $request->unique_id)
->first();
// Check permission to delete for authenticated public editor
if ( ! $request->user()->tokenCan('master') ) {
$this->check_access($request, $file->folder_id);
}
if ($request->force_delete) {
// Delete file
@@ -196,9 +223,13 @@ class EditController extends Controller
*/
public function upload_item(Request $request)
{
// Check permission to upload for authenticated public editor
if ( ! $request->user()->tokenCan('master') ) {
$this->check_access($request, $request->parent_id);
}
// Check if user can upload
if (config('vuefilemanager.limit_storage_by_capacity') && user_storage_percentage() >= 100) {
abort(423, 'You exceed your storage limit!');
}
@@ -248,15 +279,16 @@ class EditController extends Controller
// Store file
$new_file = FileManagerFile::create([
'user_id' => Auth::id(),
'name' => pathinfo($file->getClientOriginalName())['filename'],
'basename' => $filename,
'folder_id' => $folder_id,
'mimetype' => $file->getClientOriginalExtension(),
'filesize' => $filesize,
'type' => $filetype,
'thumbnail' => $thumbnail,
'unique_id' => $this->get_unique_id(),
'user_id' => Auth::id(),
'name' => pathinfo($file->getClientOriginalName())['filename'],
'basename' => $filename,
'folder_id' => $folder_id,
'mimetype' => $file->getClientOriginalExtension(),
'filesize' => $filesize,
'type' => $filetype,
'thumbnail' => $thumbnail,
'unique_id' => $this->get_unique_id(),
'user_scope' => $request->user()->token()->scopes[0],
]);
return $new_file;
@@ -327,4 +359,31 @@ class EditController extends Controller
return $unique_id;
}
/**
* Check if user has access to requested folder
*
* @param $request
*/
protected function check_access($request, $parent_id): void
{
// check if shared_token cookie exist
if (! $request->hasCookie('shared_token')) abort('401');
// Get shared token
$shared = Share::where(DB::raw('BINARY `token`'), $request->cookie('shared_token'))
->firstOrFail();
// Get all children folders
$foldersIds = FileManagerFolder::with('folders:id,parent_id,unique_id,name')
->where('user_id', $shared->user_id)
->where('parent_id', $shared->item_id)
->get();
// Get all authorized parent folders by shared folder as root of tree
$accessible_folder_ids = Arr::flatten([filter_folders_ids($foldersIds), $shared->item_id]);
// Check user access
if (!in_array($parent_id, $accessible_folder_ids)) abort(403);
}
}
app/Http/Controllers/FileFunctions/ShareController.php
+2 -1
View File
@@ -5,6 +5,7 @@ namespace App\Http\Controllers\FileFunctions;
use Illuminate\Contracts\Routing\ResponseFactory;
use App\Http\Controllers\Controller;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;
use Illuminate\Http\Request;
use Illuminate\Support\Arr;
@@ -28,7 +29,7 @@ class ShareController extends Controller
// Generate unique token
$token = Str::random(16);
} while (Share::where('token', $token)->exists());
} while (Share::where(DB::raw('BINARY `token`'), $token)->exists());
// Create shared options
$options = [
app/Http/Controllers/Sharing/FileSharingController.php
+43 -25
View File
@@ -3,6 +3,9 @@
namespace App\Http\Controllers\Sharing;
use App\Http\Controllers\Controller;
use Illuminate\Contracts\View\Factory;
use Illuminate\Support\Facades\Cookie;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Collection;
use Illuminate\Http\Request;
@@ -14,16 +17,42 @@ use App\Share;
class FileSharingController extends Controller
{
/**
* Show page index and delete access_token & shared_token cookie
*
* @return Factory|\Illuminate\View\View
*/
public function index($token)
{
// Get shared token
$shared = Share::where(DB::raw('BINARY `token`'), $token)
->firstOrFail(['token', 'item_id', 'type', 'permission', 'protected']);
// Delete old access_token if exist
Cookie::queue('access_token', '', -1);
// Set cookies
if ($shared->protected) {
// Set shared token
Cookie::queue('shared_token', $token, 43200);
}
// Return page index
return view("index");
}
/**
* Get shared record
*
* @param Request $request
* @return mixed
*/
public function index($token)
public function show($token)
{
// Get sharing record
return Share::where('token', $token)
return Share::where(DB::raw('BINARY `token`'), $token)
->firstOrFail(['token', 'item_id', 'type', 'permission', 'protected']);
}
@@ -39,7 +68,7 @@ class FileSharingController extends Controller
// TODO: validacia
// Get sharing record
$shared = Share::where('token', $token)->firstOrFail();
$shared = Share::where(DB::raw('BINARY `token`'), $token)->firstOrFail();
// Check password
if (!Hash::check($request->password, $shared->password)) {
@@ -54,12 +83,12 @@ class FileSharingController extends Controller
$scope = !is_null($shared->permission) ? $shared->permission : 'visitor';
// Generate token for visitor/editor
$token = $user->createToken('token', [$scope])->accessToken;
$token = $user->createToken('access_token', [$scope])->accessToken;
// Return authorize token with shared options
return response(Arr::except($shared, ['password', 'user_id', 'updated_at', 'created_at']), 200)
->cookie('shared_token', $shared->token, 43200)
->cookie('token', $token, 43200);
->cookie('access_token', $token, 43200);
}
/**
@@ -72,14 +101,11 @@ class FileSharingController extends Controller
public function browse_private(Request $request, $unique_id)
{
// Check if token exist
if (!$request->has('token'))
if (! $request->hasCookie('shared_token') )
abort(404, "Sorry, you don't request any content");
// Get sharing record
$shared = Share::where('token', $request->token)->firstOrFail();
// Check directory authentication
$this->check_authenticated_access($request);
$shared = Share::where('token', $request->cookie('shared_token'))->firstOrFail();
// Check if user can get directory
$this->check_folder_access($unique_id, $shared);
@@ -104,15 +130,10 @@ class FileSharingController extends Controller
* @param $unique_id
* @return Collection
*/
public function browse_public(Request $request, $unique_id)
public function browse_public($token, $unique_id)
{
// Check if token exist
if (!$request->has('token'))
abort(404, "Sorry, you don't request any content");
// Get sharing record
$shared = Share::where('token', $request->token)->firstOrFail();
$shared = Share::where(DB::raw('BINARY `token`'), $token)->firstOrFail();
// Abort if folder is protected
if ($shared->protected) {
@@ -154,7 +175,7 @@ class FileSharingController extends Controller
public function file_public($token)
{
// Get sharing record
$shared = Share::where('token', $token)->firstOrFail();
$shared = Share::where(DB::raw('BINARY `token`'), $token)->firstOrFail();
// Abort if file is protected
if ($shared->protected) {
@@ -173,13 +194,10 @@ class FileSharingController extends Controller
* @param $token
* @return mixed
*/
public function file_private(Request $request, $token)
public function file_private(Request $request)
{
// Get sharing record
$shared = Share::where('token', $token)->firstOrFail();
// Check file authentication
$this->check_authenticated_access($request);
$shared = Share::where('token', $request->cookie('shared_token'))->firstOrFail();
// Return record
return FileManagerFile::where('user_id', $shared->user_id)
@@ -202,10 +220,10 @@ class FileSharingController extends Controller
->get();
// Get all authorized parent folders by shared folder as root of tree
$authorized_parent_folder_ids = Arr::flatten([filter_folders_ids($foldersIds), $shared->item_id]);
$accessible_folder_ids = Arr::flatten([filter_folders_ids($foldersIds), $shared->item_id]);
// Check user access
if (!in_array($unique_id, $authorized_parent_folder_ids)) abort(401);
if (!in_array($unique_id, $accessible_folder_ids)) abort(401);
}
/**