impl. todos or move to Project.md

CONTRIBUTING.md

@@ -12,14 +12,7 @@ If you have a good idea for improvement feel free to create a new issue with all
 
 ### Issues
 
-Feel free to grab any open issue implement it and create a new pull request. Most issues can be found in the code and have the following structure:
-
-```php
-/**
- * @todo Orange-Management/Orange-Management#ISSUE_NUMBER [d:difficulty]
- *  Description for the issue
- */
-```
+Feel free to grab any open issue implement it and create a new pull request. Most issues can be found in the `Project.md` file in the `Docs` repository.
 
 The issue information can be used to provide additional information such as priority, difficulty and type. For your first issue try to find a issue marked `[d:first]` or `[d:beginner]`.
 

Controller/ApiController.php

@@ -84,8 +84,6 @@ final class ApiController extends Controller
         $ids = [];
         foreach ($uploads as $file) {
             $ids[] = $file->getId();
-
-            // @todo: maybe improve, this could potentially be done immediately in the createDBEntry, especially if tags replace the type? But probably we need type and tags (both are slightly different e.g. tags are public, types are for modules e.g. itemmanagement item image)
             // add tags
             if (!empty($tags = $request->getDataJson('tags'))) {
                 foreach ($tags as $tag) {
@@ -366,7 +364,8 @@ final class ApiController extends Controller
         // @todo: implement a security check to ensure the user is allowed to write to the file. Right now you could overwrite ANY file with a malicious $path
         if ($id === 0
             && $media instanceof NullMedia
-            && \is_file(__DIR__ . '/../Files' . ($path = \urldecode($request->getData('path'))))
+            && \is_file($fullPath = __DIR__ . '/../Files' . ($path = \urldecode($request->getData('path'))))
+            && \stripos(FileUtils::absolute(__DIR__ . '/../Files/'), FileUtils::absolute($fullPath)) === 0
         ) {
             $name = \explode('.', \basename($path));
 
@@ -635,6 +634,8 @@ final class ApiController extends Controller
         $view = new View($this->app->l11nManager, $request, $response);
         $view->setData('media', $media);
 
+        $response->endAllOutputBuffering(); // for large files
+
         if (($type = $request->getData('type')) === null) {
             $view->setTemplate('/Modules/Media/Theme/Api/render');
         } elseif ($type === 'html') {

Models/UploadFile.php

@@ -159,7 +159,6 @@ class UploadFile
 
             if (!$this->preserveFileName || \is_file($path . '/' . $result[$key]['filename'])) {
                 try {
-                    // @todo: split filename to tmp_name and extension for this function call!
                     $result[$key]['filename'] = $this->createFileName($path, $f['tmp_name'], $extension);
                 } catch (\Exception $e) {
                     $result[$key]['filename'] = $f['name'];

Theme/Api/render.tpl.php

@@ -12,13 +12,8 @@
  */
 declare(strict_types=1);
 
-// @todo: is this chunked/streamed output or bulk output
-// if it is streamed it is not working because of ob_* in the actual response rendering
-
 $media = $this->getData('media');
 
-$t = ($media->isAbsolute ? '' : __DIR__ . '/../../../../') . $media->getPath();
-
 $fp = \fopen(($media->isAbsolute ? '' : __DIR__ . '/../../../../') . $media->getPath(), 'r');
 \fpassthru($fp);
 \fclose($fp);

tests/Controller/test/path/created.md

@@ -0,0 +1 @@
+file content