fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-01-05 09:41:40 +09:00
Code Issues Projects Releases Packages Wiki Activity

direct_download = 'Y' 파일이라도 다운로드 권한이 없으면 게시자의 본문 삽입 전까지 act=getFileList에서 실경로를 획득할 수 없도록 보완

Browse source
This commit is contained in:
conory 2019-10-10 16:30:57 +09:00
parent 77122a32b2
commit 27af1fd8f6
3 changed files with 128 additions and 101 deletions
Download patch file Download diff file Expand all files Collapse all files

11
modules/file/file.admin.controller.php
View file

@ -214,16 +214,9 @@ class fileAdminController extends file
$config->video_mp4_gif_time = intval(Context::get('video_mp4_gif_time'));
}
// Check download grant
// Set download groups
$download_grant = Context::get('download_grant');
if(!is_array($download_grant))
{
$config->download_grant = explode('|@|',$download_grant);
}
else
{
$config->download_grant = array_values($download_grant);
}
$config->download_grant = is_array($download_grant) ? array_values($download_grant) : array($download_grant);
// Update
$oModuleController = getController('module');

65
modules/file/file.controller.php
View file

@ -186,7 +186,7 @@ class fileController extends file
$oFileModel = getModel('file');
$logged_info = Context::get('logged_info');
$file_info = $oFileModel->getFile($file_srl);
if($file_info->file_srl == $file_srl && $oFileModel->getFileGrant($file_info, $logged_info)->is_deletable)
if($file_info->file_srl == $file_srl && $oFileModel->isDeletable($file_info))
{
$this->deleteFile($file_srl);
}
@ -291,18 +291,12 @@ class fileController extends file
$sid = Context::get('sid');
$logged_info = Context::get('logged_info');
// Get file information from the DB
$columnList = array('file_srl', 'sid', 'isvalid', 'source_filename', 'module_srl', 'uploaded_filename', 'file_size', 'member_srl', 'upload_target_srl', 'upload_target_type');
$file_obj = $oFileModel->getFile($file_srl, $columnList);
$file_obj = $oFileModel->getFile($file_srl);
// If the requested file information is incorrect, an error that file cannot be found appears
if($file_obj->file_srl != $file_srl || $file_obj->sid !== $sid)
{
throw new Rhymix\Framework\Exceptions\TargetNotFound('msg_file_not_found');
}
// Notify that file download is not allowed when standing-by(Only a top-administrator is permitted)
if($logged_info->is_admin != 'Y' && $file_obj->isvalid != 'Y')
{
throw new Rhymix\Framework\Exceptions\NotPermitted('msg_not_permitted_download');
}
// File name
$filename = $file_obj->source_filename;
$file_module_config = $oFileModel->getFileModuleConfig($file_obj->module_srl);
@ -356,52 +350,13 @@ class fileController extends file
throw new Rhymix\Framework\Exceptions\NotPermitted('msg_not_allowed_outlink');
}
}
// Check if a permission for file download is granted
$downloadGrantCount = 0;
if(is_array($file_module_config->download_grant))
// Check if the file is downloadable
if(!$oFileModel->isDownloadable($file_obj))
{
foreach($file_module_config->download_grant AS $value)
if($value) $downloadGrantCount++;
throw new Rhymix\Framework\Exceptions\NotPermitted('msg_not_permitted_download');
}
if(is_array($file_module_config->download_grant) && $downloadGrantCount>0)
{
if(!Context::get('is_logged'))
{
throw new Rhymix\Framework\Exceptions\NotPermitted('msg_not_permitted_download');
}
$logged_info = Context::get('logged_info');
if($logged_info->is_admin != 'Y')
{
$oModuleModel =& getModel('module');
$columnList = array('module_srl', 'site_srl');
$module_info = $oModuleModel->getModuleInfoByModuleSrl($file_obj->module_srl, $columnList);
if(!$oModuleModel->isSiteAdmin($logged_info, $module_info->site_srl))
{
$oMemberModel =& getModel('member');
$member_groups = $oMemberModel->getMemberGroups($logged_info->member_srl, $module_info->site_srl);
$is_permitted = false;
for($i=0;$i<count($file_module_config->download_grant);$i++)
{
$group_srl = $file_module_config->download_grant[$i];
if($member_groups[$group_srl])
{
$is_permitted = true;
break;
}
}
if(!$is_permitted)
{
throw new Rhymix\Framework\Exceptions\NotPermitted('msg_not_permitted_download');
}
}
}
}
// Call a trigger (before)
$output = ModuleHandler::triggerCall('file.downloadFile', 'before', $file_obj);
if(!$output->toBool())
@ -612,11 +567,7 @@ class fileController extends file
$file_info = $output->data;
if(!$file_info) continue;
$file_grant = $oFileModel->getFileGrant($file_info, $logged_info);
if(!$file_grant->is_deletable) continue;
if(!$oFileModel->isDeletable($file_info)) continue;
if($upload_target_srl && $file_srl) $output = $this->deleteFile($file_srl);
}
}

153
modules/file/file.model.php
View file

@ -41,7 +41,7 @@ class fileModel extends file
$oDocumentModel = getModel('document');
$oDocument = $oDocumentModel->getDocument($upload_target_srl);
// Check permissions of comment
// Check permissions of the comment
if(!$oDocument->isExists())
{
$oComment = $oCommentModel->getComment($upload_target_srl);
@ -55,7 +55,7 @@ class fileModel extends file
}
}
// Check permissions of document
// Check permissions of the document
if($oDocument->isExists() && !$oDocument->isAccessible())
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
@ -90,7 +90,7 @@ class fileModel extends file
$obj->direct_download = $file_info->direct_download;
$obj->cover_image = ($file_info->cover_image === 'Y') ? true : false;
$obj->download_url = $file_info->download_url;
if($obj->direct_download === 'Y')
if($obj->direct_download === 'Y' && $this->isDownloadable($file_info))
{
$obj->download_url = $this->getDirectFileUrl($file_info->uploaded_filename);
}
@ -126,7 +126,113 @@ class fileModel extends file
$this->add('upload_status', $this->getUploadStatus($attached_size));
$this->add('left_size', $upload_config->allowed_attach_size * 1024 * 1024 - $attached_size);
}
/**
* Check if the file is downloadable
*
* @param object $file_info
* @param object $member_info
* @return bool
*/
function isDownloadable($file_info, $member_info = null)
{
if(!$member_info)
{
$member_info = $this->user;
}
if($this->isDeletable($file_info, $member_info))
{
return true;
}
// Check the validity
if($file_info->isvalid !== 'Y')
{
return false;
}
// Check download groups
$config = $this->getFileConfig($file_info->module_srl);
if($config->download_groups)
{
if(empty($member_info->member_srl))
{
return false;
}
if(!isset($member_info->group_list))
{
$member_info->group_list = getModel('member')->getMemberGroups($member_info->member_srl);
}
$is_group = false;
foreach($config->download_groups as $group_srl)
{
if(isset($member_info->group_list[$group_srl]))
{
$is_group = true;
break;
}
}
if(!$is_group)
{
return false;
}
}
return true;
}
/**
* Check if the file is deletable
*
* @param object $file_info
* @param object $member_info
* @return bool
*/
function isDeletable($file_info, $member_info = null)
{
if(!$member_info)
{
$member_info = $this->user;
}
if($member_info->is_admin === 'Y' || $member_info->member_srl == $file_info->member_srl)
{
return true;
}
if(isset($_SESSION['__XE_UPLOADING_FILES_INFO__'][$file_info->file_srl]))
{
return true;
}
// Check permissions of the module
$oModuleModel = getModel('module');
$module_info = $oModuleModel->getModuleInfoByModuleSrl($file_info->module_srl);
if(empty($module_info->module_srl))
{
return false;
}
$grant = $oModuleModel->getGrant($module_info, $member_info);
if($grant->manager)
{
return true;
}
// Check permissions of the document
$oDocument = getModel('document')->getDocument($file_info->upload_target_srl);
if($oDocument->isExists() && $oDocument->isGranted())
{
return true;
}
// Check permissions of the comment
$oComment = getModel('comment')->getComment($file_info->upload_target_srl);
if($oComment->isExists() && $oComment->isGranted())
{
return true;
}
return false;
}
/**
* Return number of attachments which belongs to a specific document
*
@ -191,6 +297,7 @@ class fileModel extends file
// Default setting if not exists
$config->allowed_filesize = $config->allowed_filesize ?? '2';
$config->allowed_attach_size = $config->allowed_attach_size ?? '3';
$config->allowed_filetypes = $config->allowed_filetypes ?? '*.*';
$config->allow_outlink = $config->allow_outlink ?? 'Y';
$config->download_grant = $config->download_grant ?? [];
$config->inline_download_format = $config->inline_download_format ?? [];
@ -200,8 +307,7 @@ class fileModel extends file
$config->ffmpeg_command = $config->ffmpeg_command ?? '/usr/bin/ffmpeg';
$config->ffprobe_command = $config->ffprobe_command ?? '/usr/bin/ffprobe';
// Format allowed_filetypes
$config->allowed_filetypes = $config->allowed_filetypes ?? '*.*';
// Set allowed_extensions
if(!isset($config->allowed_extensions))
{
$config->allowed_extensions = [];
@ -214,6 +320,9 @@ class fileModel extends file
}
}
// Set download_groups
$config->download_groups = is_array($config->download_grant) ? array_filter($config->download_grant) : [];
return $config;
}
@ -338,10 +447,7 @@ class fileModel extends file
}
/**
* Return file configuration of the module
*
* @param int $module_srl The sequence of module to get configuration
* @return object
* method for compatibility
*/
function getFileModuleConfig($module_srl)
{
@ -349,34 +455,11 @@ class fileModel extends file
}
/**
* Returns a grant of file
*
* @param object $file_info The file information to get grant
* @param object $member_info The member information to get grant
* @return object Returns a grant of file
* method for compatibility
*/
function getFileGrant($file_info, $member_info)
{
if(!$file_info) return null;
$file_grant = new stdClass;
if($_SESSION['__XE_UPLOADING_FILES_INFO__'][$file_info->file_srl])
{
$file_grant->is_deletable = true;
return $file_grant;
}
$oModuleModel = getModel('module');
$grant = $oModuleModel->getGrant($oModuleModel->getModuleInfoByModuleSrl($file_info->module_srl), $member_info);
$oDocumentModel = getModel('document');
$oDocument = $oDocumentModel->getDocument($file_info->upload_target_srl);
if($oDocument->isExists()) $document_grant = $oDocument->isGranted();
$file_grant->is_deletable = ($document_grant || $member_info->is_admin == 'Y' || $member_info->member_srl == $file_info->member_srl || $grant->manager);
return $file_grant;
return (object)['is_deletable' => $this->isDeletable($file_info, $member_info)];
}
}
/* End of file file.model.php */