direct_download = 'Y' 파일이라도 다운로드 권한이 없으면 게시자의 본문 삽입 전까지 act=getFileList에서 실경로를 획득할 수 없도록 보완
This commit is contained in:
parent
77122a32b2
commit
27af1fd8f6
3 changed files with 128 additions and 101 deletions
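--- a/[path not shown: file containing class fileAdminController]
+++ b/[path not shown: file containing class fileAdminController]
@@ -214,16 +214,9 @@ class fileAdminController extends file
 $config->video_mp4_gif_time = intval(Context::get('video_mp4_gif_time'));
 }
 
-// Check download grant
+// Set download groups
 $download_grant = Context::get('download_grant');
-if(!is_array($download_grant))
-{
-$config->download_grant = explode('|@|',$download_grant);
-}
-else
-{
-$config->download_grant = array_values($download_grant);
-}
+$config->download_grant = is_array($download_grant) ? array_values($download_grant) : array($download_grant);
 
 // Update
 $oModuleController = getController('module');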
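Review bot: The new line `$config->download_grant = is_array($download_grant) ? array_values($download_grant) : array($download_grant);` wraps every non-array request value in a one-element array, so a request that omits download_grant persists `[null]`, and a client that still posts the `|@|`-joined string the removed branch used to split persists one string element that no member group can ever match once getFileConfig derives download_groups from it, which would deny downloads to every non-privileged member of that module. If the joined form must stay accepted, `$config->download_grant = is_array($download_grant) ? array_values($download_grant) : ($download_grant ? explode('|@|', $download_grant) : []);` keeps the old input contract and stores nothing for the empty case; if it is deliberately dropped, at least the `: []` fallback avoids the junk element. The enclosing method starts before and ends after this hunk.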
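--- a/[path not shown: file containing class fileController]
+++ b/[path not shown: file containing class fileController]
@@ -186,7 +186,7 @@ class fileController extends file
 $oFileModel = getModel('file');
 $logged_info = Context::get('logged_info');
 $file_info = $oFileModel->getFile($file_srl);
-if($file_info->file_srl == $file_srl && $oFileModel->getFileGrant($file_info, $logged_info)->is_deletable)
+if($file_info->file_srl == $file_srl && $oFileModel->isDeletable($file_info))
 {
 $this->deleteFile($file_srl);
 }
@@ -291,18 +291,12 @@ class fileController extends file
 $sid = Context::get('sid');
 $logged_info = Context::get('logged_info');
 // Get file information from the DB
-$columnList = array('file_srl', 'sid', 'isvalid', 'source_filename', 'module_srl', 'uploaded_filename', 'file_size', 'member_srl', 'upload_target_srl', 'upload_target_type');
-$file_obj = $oFileModel->getFile($file_srl, $columnList);
+$file_obj = $oFileModel->getFile($file_srl);
 // If the requested file information is incorrect, an error that file cannot be found appears
 if($file_obj->file_srl != $file_srl || $file_obj->sid !== $sid)
 {
 throw new Rhymix\Framework\Exceptions\TargetNotFound('msg_file_not_found');
 }
-// Notify that file download is not allowed when standing-by(Only a top-administrator is permitted)
-if($logged_info->is_admin != 'Y' && $file_obj->isvalid != 'Y')
-{
-throw new Rhymix\Framework\Exceptions\NotPermitted('msg_not_permitted_download');
-}
 // File name
 $filename = $file_obj->source_filename;
 $file_module_config = $oFileModel->getFileModuleConfig($file_obj->module_srl);
@@ -356,52 +350,13 @@ class fileController extends file
 throw new Rhymix\Framework\Exceptions\NotPermitted('msg_not_allowed_outlink');
 }
 }
 
-// Check if a permission for file download is granted
-$downloadGrantCount = 0;
-if(is_array($file_module_config->download_grant))
+// Check if the file is downloadable
+if(!$oFileModel->isDownloadable($file_obj))
 {
-foreach($file_module_config->download_grant AS $value)
-if($value) $downloadGrantCount++;
+throw new Rhymix\Framework\Exceptions\NotPermitted('msg_not_permitted_download');
 }
 
-if(is_array($file_module_config->download_grant) && $downloadGrantCount>0)
-{
-if(!Context::get('is_logged'))
-{
-throw new Rhymix\Framework\Exceptions\NotPermitted('msg_not_permitted_download');
-}
-
-$logged_info = Context::get('logged_info');
-if($logged_info->is_admin != 'Y')
-{
-$oModuleModel =& getModel('module');
-$columnList = array('module_srl', 'site_srl');
-$module_info = $oModuleModel->getModuleInfoByModuleSrl($file_obj->module_srl, $columnList);
-
-if(!$oModuleModel->isSiteAdmin($logged_info, $module_info->site_srl))
-{
-$oMemberModel =& getModel('member');
-$member_groups = $oMemberModel->getMemberGroups($logged_info->member_srl, $module_info->site_srl);
-
-$is_permitted = false;
-for($i=0;$i<count($file_module_config->download_grant);$i++)
-{
-$group_srl = $file_module_config->download_grant[$i];
-if($member_groups[$group_srl])
-{
-$is_permitted = true;
-break;
-}
-}
-if(!$is_permitted)
-{
-throw new Rhymix\Framework\Exceptions\NotPermitted('msg_not_permitted_download');
-}
-}
-}
-}
-
 // Call a trigger (before)
 $output = ModuleHandler::triggerCall('file.downloadFile', 'before', $file_obj);
 if(!$output->toBool())
@@ -612,11 +567,7 @@ class fileController extends file
 
 $file_info = $output->data;
 if(!$file_info) continue;
-
-$file_grant = $oFileModel->getFileGrant($file_info, $logged_info);
-
-if(!$file_grant->is_deletable) continue;
-
+if(!$oFileModel->isDeletable($file_info)) continue;
 if($upload_target_srl && $file_srl) $output = $this->deleteFile($file_srl);
 }
 }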
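Review bot: At `if(!$oFileModel->isDownloadable($file_obj))` in the third hunk the member is left to the model's `$this->user` default even though this method already resolved `$logged_info = Context::get('logged_info')` a few lines earlier; passing it, `if(!$oFileModel->isDownloadable($file_obj, $logged_info))`, makes the identity the authorization decision is based on explicit in the controller and lets the check be exercised with a chosen member. Note also that the standby check removed in the second hunk (`is_admin != 'Y' && isvalid != 'Y'`) is now subsumed by isDownloadable, which consults isDeletable first, so the file's owner or a session that uploaded the file can now fetch a file still marked isvalid != 'Y', which previously only administrators could; if that is intended it deserves a comment at the new line, e.g. `// isDownloadable() also lets the owner/uploader fetch files still marked isvalid != 'Y'`. The enclosing method starts and ends outside the hunk.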
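--- a/[dir not shown]/file.model.php
+++ b/[dir not shown]/file.model.php
@@ -41,7 +41,7 @@ class fileModel extends file
 $oDocumentModel = getModel('document');
 $oDocument = $oDocumentModel->getDocument($upload_target_srl);
 
-// Check permissions of comment
+// Check permissions of the comment
 if(!$oDocument->isExists())
 {
 $oComment = $oCommentModel->getComment($upload_target_srl);
@@ -55,7 +55,7 @@ class fileModel extends file
 }
 }
 
-// Check permissions of document
+// Check permissions of the document
 if($oDocument->isExists() && !$oDocument->isAccessible())
 {
 throw new Rhymix\Framework\Exceptions\NotPermitted;
@@ -90,7 +90,7 @@ class fileModel extends file
 $obj->direct_download = $file_info->direct_download;
 $obj->cover_image = ($file_info->cover_image === 'Y') ? true : false;
 $obj->download_url = $file_info->download_url;
-if($obj->direct_download === 'Y')
+if($obj->direct_download === 'Y' && $this->isDownloadable($file_info))
 {
 $obj->download_url = $this->getDirectFileUrl($file_info->uploaded_filename);
 }
@@ -126,7 +126,113 @@ class fileModel extends file
 $this->add('upload_status', $this->getUploadStatus($attached_size));
 $this->add('left_size', $upload_config->allowed_attach_size * 1024 * 1024 - $attached_size);
 }
 
+/**
+* Check if the file is downloadable
+*
+* @param object $file_info
+* @param object $member_info
+* @return bool
+*/
+function isDownloadable($file_info, $member_info = null)
+{
+if(!$member_info)
+{
+$member_info = $this->user;
+}
+if($this->isDeletable($file_info, $member_info))
+{
+return true;
+}
+
+// Check the validity
+if($file_info->isvalid !== 'Y')
+{
+return false;
+}
+
+// Check download groups
+$config = $this->getFileConfig($file_info->module_srl);
+if($config->download_groups)
+{
+if(empty($member_info->member_srl))
+{
+return false;
+}
+if(!isset($member_info->group_list))
+{
+$member_info->group_list = getModel('member')->getMemberGroups($member_info->member_srl);
+}
+$is_group = false;
+foreach($config->download_groups as $group_srl)
+{
+if(isset($member_info->group_list[$group_srl]))
+{
+$is_group = true;
+break;
+}
+}
+if(!$is_group)
+{
+return false;
+}
+}
+
+return true;
+}
+
+/**
+* Check if the file is deletable
+*
+* @param object $file_info
+* @param object $member_info
+* @return bool
+*/
+function isDeletable($file_info, $member_info = null)
+{
+if(!$member_info)
+{
+$member_info = $this->user;
+}
+if($member_info->is_admin === 'Y' || $member_info->member_srl == $file_info->member_srl)
+{
+return true;
+}
+if(isset($_SESSION['__XE_UPLOADING_FILES_INFO__'][$file_info->file_srl]))
+{
+return true;
+}
+
+// Check permissions of the module
+$oModuleModel = getModel('module');
+$module_info = $oModuleModel->getModuleInfoByModuleSrl($file_info->module_srl);
+if(empty($module_info->module_srl))
+{
+return false;
+}
+$grant = $oModuleModel->getGrant($module_info, $member_info);
+if($grant->manager)
+{
+return true;
+}
+
+// Check permissions of the document
+$oDocument = getModel('document')->getDocument($file_info->upload_target_srl);
+if($oDocument->isExists() && $oDocument->isGranted())
+{
+return true;
+}
+
+// Check permissions of the comment
+$oComment = getModel('comment')->getComment($file_info->upload_target_srl);
+if($oComment->isExists() && $oComment->isGranted())
+{
+return true;
+}
+
+return false;
+}
+
 /**
 * Return number of attachments which belongs to a specific document
 *
@@ -191,6 +297,7 @@ class fileModel extends file
 // Default setting if not exists
 $config->allowed_filesize = $config->allowed_filesize ?? '2';
 $config->allowed_attach_size = $config->allowed_attach_size ?? '3';
+$config->allowed_filetypes = $config->allowed_filetypes ?? '*.*';
 $config->allow_outlink = $config->allow_outlink ?? 'Y';
 $config->download_grant = $config->download_grant ?? [];
 $config->inline_download_format = $config->inline_download_format ?? [];
@@ -200,8 +307,7 @@ class fileModel extends file
 $config->ffmpeg_command = $config->ffmpeg_command ?? '/usr/bin/ffmpeg';
 $config->ffprobe_command = $config->ffprobe_command ?? '/usr/bin/ffprobe';
 
-// Format allowed_filetypes
-$config->allowed_filetypes = $config->allowed_filetypes ?? '*.*';
+// Set allowed_extensions
 if(!isset($config->allowed_extensions))
 {
 $config->allowed_extensions = [];
@@ -214,6 +320,9 @@ class fileModel extends file
 }
 }
 
+// Set download_groups
+$config->download_groups = is_array($config->download_grant) ? array_filter($config->download_grant) : [];
+
 return $config;
 }
 
@@ -338,10 +447,7 @@ class fileModel extends file
 }
 
 /**
-* Return file configuration of the module
-*
-* @param int $module_srl The sequence of module to get configuration
-* @return object
+* method for compatibility
 */
 function getFileModuleConfig($module_srl)
 {
@@ -349,34 +455,11 @@ class fileModel extends file
 }
 
 /**
-* Returns a grant of file
-*
-* @param object $file_info The file information to get grant
-* @param object $member_info The member information to get grant
-* @return object Returns a grant of file
+* method for compatibility
 */
 function getFileGrant($file_info, $member_info)
 {
-if(!$file_info) return null;
-
-$file_grant = new stdClass;
-
-if($_SESSION['__XE_UPLOADING_FILES_INFO__'][$file_info->file_srl])
-{
-$file_grant->is_deletable = true;
-return $file_grant;
-}
-
-$oModuleModel = getModel('module');
-$grant = $oModuleModel->getGrant($oModuleModel->getModuleInfoByModuleSrl($file_info->module_srl), $member_info);
-
-$oDocumentModel = getModel('document');
-$oDocument = $oDocumentModel->getDocument($file_info->upload_target_srl);
-if($oDocument->isExists()) $document_grant = $oDocument->isGranted();
-
-$file_grant->is_deletable = ($document_grant || $member_info->is_admin == 'Y' || $member_info->member_srl == $file_info->member_srl || $grant->manager);
-
-return $file_grant;
+return (object)['is_deletable' => $this->isDeletable($file_info, $member_info)];
 }
 }
 /* End of file file.model.php */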
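Review bot: In the new isDeletable, `$member_info->member_srl == $file_info->member_srl` is a loose comparison with no check that the member is actually logged in, and isDownloadable consults isDeletable before its isvalid and download_groups checks; if a guest's member_srl is 0 or empty and files uploaded by guests are stored with member_srl 0 (not visible here, please confirm), every guest would be treated as the owner of every guest-uploaded file, and the standby and group restrictions this commit routes through isDownloadable would not apply to those files. Suggest `if($member_info->is_admin === 'Y' || (!empty($member_info->member_srl) && $member_info->member_srl == $file_info->member_srl))`. The rewritten getFileGrant in the last hunk also drops the old `if(!$file_info) return null;` guard, so a null `$file_info` now reaches `$file_info->member_srl` inside isDeletable; keeping that guard preserves the old contract for callers that relied on it. Both new methods are fully inside the hunk.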