Jingga/oms-Media
1
0
Fork 0
mirror of https://github.com/Karaka-Management/oms-Media.git synced 2026-02-15 08:48:42 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix billing process

Browse Source
This commit is contained in:
Dennis Eichhorn 2023-04-08 04:36:26 +02:00
parent 31b0f25567
commit 3fedeacbb6
3 changed files with 39 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
.github/user_bug_report.md vendored
View File

@ -8,9 +8,11 @@ assignees: ''
--- ---
# Bug Description # Bug Description
A clear and concise description of what the bug is. A clear and concise description of what the bug is.
# How to Reproduce # How to Reproduce
Steps to reproduce the behavior: Steps to reproduce the behavior:
1. Go to '...' 1. Go to '...'
@ -19,16 +21,20 @@ Steps to reproduce the behavior:
4. See error 4. See error
# Expected Behavior # Expected Behavior
A clear and concise description of what you expected to happen. A clear and concise description of what you expected to happen.
# Screenshots # Screenshots
If applicable, add screenshots to help explain your problem. If applicable, add screenshots to help explain your problem.
# System Information # System Information
- System: [e.g. PC or iPhone11, ...]
- OS: [e.g. iOS] - System: [e.g. PC or iPhone11, ...]
- Browser [e.g. chrome, safari] - OS: [e.g. iOS]
- KarakaVersion [e.g. 22] - Browser [e.g. chrome, safari]
- KarakaVersion [e.g. 22]
# Additional Information # Additional Information
Add any other context about the problem here. Add any other context about the problem here.

54
Controller/ApiController.php
View File

@ -269,7 +269,7 @@ final class ApiController extends Controller
array $fileNames = [], array $fileNames = [],
array $files = [], array $files = [],
int $account = 0, int $account = 0,
string $basePath = '/Modules/Media/Files', string $basePath = '',
string $virtualPath = '', string $virtualPath = '',
string $password = '', string $password = '',
string $encryptionKey = '', string $encryptionKey = '',
@ -286,8 +286,6 @@ final class ApiController extends Controller
$outputDir = ''; $outputDir = '';
$absolute = false; $absolute = false;
// @todo sandatize $basePath, we don't know if it might be relative!
if ($pathSettings === PathSettings::RANDOM_PATH) { if ($pathSettings === PathSettings::RANDOM_PATH) {
$outputDir = self::createMediaPath($basePath); $outputDir = self::createMediaPath($basePath);
} elseif ($pathSettings === PathSettings::FILE_PATH) { } elseif ($pathSettings === PathSettings::FILE_PATH) {
@ -297,6 +295,10 @@ final class ApiController extends Controller
return []; return [];
} }
if (!Guard::isSafePath($outputDir, __DIR__ . '/../../../')) {
return [];
}
$upload = new UploadFile(); $upload = new UploadFile();
$upload->outputDir = $outputDir; $upload->outputDir = $outputDir;
$upload->preserveFileName = empty($fileNames) || \count($fileNames) === \count($files); $upload->preserveFileName = empty($fileNames) || \count($fileNames) === \count($files);
@ -428,11 +430,11 @@ final class ApiController extends Controller
] ]
); );
$app?->moduleManager->get('Admin')->createAccountModelPermission( $app?->moduleManager->get('Admin', 'Api')->createAccountModelPermission(
new AccountPermission( new AccountPermission(
$account, $account,
$app->unitId, $app->unitId,
$app->appName, $app->appId,
self::NAME, self::NAME,
self::NAME, self::NAME,
PermissionCategory::MEDIA, PermissionCategory::MEDIA,
@ -576,19 +578,17 @@ final class ApiController extends Controller
$media->setPath((string) ($request->getData('path') ?? $media->getPath())); $media->setPath((string) ($request->getData('path') ?? $media->getPath()));
$media->setVirtualPath(\urldecode((string) ($request->getData('virtualpath') ?? $media->getVirtualPath()))); $media->setVirtualPath(\urldecode((string) ($request->getData('virtualpath') ?? $media->getVirtualPath())));
// @todo: implement a security check to ensure the user is allowed to write to the file. Right now you could overwrite ANY file with a malicious $path if ($media instanceof NullMedia
if ($id === 0 || !$this->app->accountManager->get($request->header->account)->hasPermission(
&& $media instanceof NullMedia PermissionType::MODIFY,
&& \is_file($fullPath = __DIR__ . '/../Files' . ($path = \urldecode($request->getData('path')))) $this->app->unitId,
&& \stripos(FileUtils::absolute(__DIR__ . '/../Files/'), FileUtils::absolute($fullPath)) === 0 $this->app->appId,
self::NAME,
PermissionCategory::MEDIA,
$request->header->account
)
) { ) {
$name = \explode('.', \basename($path)); return $media;
$media->name = $name[0];
$media->extension = $name[\count($name) - 1] ?? '';
$media->setVirtualPath(\dirname($path));
$media->setPath('/Modules/Media/Files/' . \ltrim($path, '\\/'));
$media->isAbsolute = false;
} }
if ($request->hasData('content')) { if ($request->hasData('content')) {
@ -695,8 +695,8 @@ final class ApiController extends Controller
private function validateReferenceCreate(RequestAbstract $request) : array private function validateReferenceCreate(RequestAbstract $request) : array
{ {
$val = []; $val = [];
if (($val['parent'] = (empty($request->getData('parent')) && empty($request->getData('virtualpath')))) if (($val['parent'] = (!$request->hasData('parent') && !$request->hasData('virtualpath')))
|| ($val['source'] = (empty($request->getData('source')) && empty($request->getData('child')))) || ($val['source'] = (!$request->hasData('source') && !$request->hasData('child')))
) { ) {
return $val; return $val;
} }
@ -779,7 +779,7 @@ final class ApiController extends Controller
private function validateCollectionCreate(RequestAbstract $request) : array private function validateCollectionCreate(RequestAbstract $request) : array
{ {
$val = []; $val = [];
if (($val['name'] = empty($request->getData('name')))) { if (($val['name'] = !$request->hasData('name'))) {
return $val; return $val;
} }
@ -812,7 +812,7 @@ final class ApiController extends Controller
$outputDir = ''; $outputDir = '';
$basePath = __DIR__ . '/../../../Modules/Media/Files'; $basePath = __DIR__ . '/../../../Modules/Media/Files';
if (empty($request->getData('path'))) { if (!$request->hasData('path')) {
$outputDir = self::createMediaPath($basePath); $outputDir = self::createMediaPath($basePath);
} else { } else {
$outputDir = $basePath . '/' . \ltrim($request->getData('path'), '\\/'); $outputDir = $basePath . '/' . \ltrim($request->getData('path'), '\\/');
@ -958,7 +958,7 @@ final class ApiController extends Controller
$outputDir = ''; $outputDir = '';
$basePath = __DIR__ . '/../../../Modules/Media/Files'; $basePath = __DIR__ . '/../../../Modules/Media/Files';
if (empty($request->getData('path'))) { if (!$request->hasData('path')) {
$outputDir = self::createMediaPath($basePath); $outputDir = self::createMediaPath($basePath);
} else { } else {
if (\stripos( if (\stripos(
@ -1053,7 +1053,7 @@ final class ApiController extends Controller
&& !$this->app->accountManager->get($request->header->account)->hasPermission( && !$this->app->accountManager->get($request->header->account)->hasPermission(
PermissionType::READ, PermissionType::READ,
$this->app->unitId, $this->app->unitId,
$this->app->appName, $this->app->appId,
self::NAME, self::NAME,
PermissionCategory::MEDIA, PermissionCategory::MEDIA,
$media->getId() $media->getId()
@ -1247,7 +1247,7 @@ final class ApiController extends Controller
private function validateMediaTypeCreate(RequestAbstract $request) : array private function validateMediaTypeCreate(RequestAbstract $request) : array
{ {
$val = []; $val = [];
if (($val['name'] = empty($request->getData('name'))) if (($val['name'] = !$request->hasData('name'))
) { ) {
return $val; return $val;
} }
@ -1297,7 +1297,7 @@ final class ApiController extends Controller
$type = new MediaType(); $type = new MediaType();
$type->name = $request->getDataString('name') ?? ''; $type->name = $request->getDataString('name') ?? '';
if (!empty($request->getData('title'))) { if ($request->hasData('title')) {
$type->setL11n($request->getDataString('title') ?? '', $request->getData('lang') ?? $request->getLanguage()); $type->setL11n($request->getDataString('title') ?? '', $request->getData('lang') ?? $request->getLanguage());
} }
@ -1316,8 +1316,8 @@ final class ApiController extends Controller
private function validateMediaTypeL11nCreate(RequestAbstract $request) : array private function validateMediaTypeL11nCreate(RequestAbstract $request) : array
{ {
$val = []; $val = [];
if (($val['title'] = empty($request->getData('title'))) if (($val['title'] = !$request->hasData('title'))
|| ($val['type'] = empty($request->getData('type'))) || ($val['type'] = !$request->hasData('type'))
) { ) {
return $val; return $val;
} }

4
Controller/BackendController.php
View File

@ -82,7 +82,7 @@ final class BackendController extends Controller
->hasPermission( ->hasPermission(
PermissionType::READ, PermissionType::READ,
$this->app->unitId, $this->app->unitId,
$this->app->appName, $this->app->appId,
self::NAME, self::NAME,
PermissionCategory::MEDIA, PermissionCategory::MEDIA,
); );
@ -94,7 +94,7 @@ final class BackendController extends Controller
->groups($this->app->accountManager->get($request->header->account)->getGroupIds()) ->groups($this->app->accountManager->get($request->header->account)->getGroupIds())
->account($request->header->account) ->account($request->header->account)
->units([null, $this->app->unitId]) ->units([null, $this->app->unitId])
->apps([null, 'Api', $this->app->appName]) ->apps([null, 'Api', $this->app->appId])
->modules([null, self::NAME]) ->modules([null, self::NAME])
->categories([null, PermissionCategory::MEDIA]) ->categories([null, PermissionCategory::MEDIA])
->permission(PermissionType::READ) ->permission(PermissionType::READ)