diff options
author | Mario <mario@mariovavti.com> | 2020-05-06 19:56:47 +0000 |
---|---|---|
committer | Mario <mario@mariovavti.com> | 2020-05-06 19:56:47 +0000 |
commit | ef94072cee64aa465a8fb1b7e11b45591589eba9 (patch) | |
tree | 6ec3600574263981b3224f14ac6d39fff0cdb9d5 | |
parent | ff3ff2478dabc642def14193a01649a384f3a88a (diff) | |
parent | 2757822cd8d23de65b65c59874a6c032d73aba81 (diff) | |
download | volse-hubzilla-ef94072cee64aa465a8fb1b7e11b45591589eba9.tar.gz volse-hubzilla-ef94072cee64aa465a8fb1b7e11b45591589eba9.tar.bz2 volse-hubzilla-ef94072cee64aa465a8fb1b7e11b45591589eba9.zip |
Merge branch 'dev' of https://framagit.org/hubzilla/core into dev
-rw-r--r-- | Zotlabs/Module/Dav.php | 2 | ||||
-rw-r--r-- | Zotlabs/Storage/BasicAuth.php | 11 | ||||
-rw-r--r-- | Zotlabs/Storage/Directory.php | 19 | ||||
-rw-r--r-- | Zotlabs/Storage/File.php | 5 |
4 files changed, 32 insertions, 5 deletions
diff --git a/Zotlabs/Module/Dav.php b/Zotlabs/Module/Dav.php index e8ce6a703..adab25e45 100644 --- a/Zotlabs/Module/Dav.php +++ b/Zotlabs/Module/Dav.php @@ -95,7 +95,7 @@ class Dav extends \Zotlabs\Web\Controller { $auth = new \Zotlabs\Storage\BasicAuth(); - $auth->observer = get_observer_hash(); + // $auth->observer = get_observer_hash(); $auth->setRealm(ucfirst(\Zotlabs\Lib\System::get_platform_name()) . ' ' . 'WebDAV'); diff --git a/Zotlabs/Storage/BasicAuth.php b/Zotlabs/Storage/BasicAuth.php index a5c01fbb7..3a48f5004 100644 --- a/Zotlabs/Storage/BasicAuth.php +++ b/Zotlabs/Storage/BasicAuth.php @@ -2,6 +2,7 @@ namespace Zotlabs\Storage; +use App; use Sabre\DAV; use Sabre\HTTP\RequestInterface; use Sabre\HTTP\ResponseInterface; @@ -128,6 +129,16 @@ class BasicAuth extends DAV\Auth\Backend\AbstractBasic { $this->channel_name = $r['channel_address']; $this->channel_id = $r['channel_id']; $this->channel_hash = $this->observer = $r['channel_hash']; + + if ($this->observer) { + $r = q("select * from xchan where xchan_hash = '%s' limit 1", + dbesc($this->observer) + ); + if ($r) { + App::set_observer(array_shift($r)); + } + } + $_SESSION['uid'] = $r['channel_id']; $_SESSION['account_id'] = $r['channel_account_id']; $_SESSION['authenticated'] = true; diff --git a/Zotlabs/Storage/Directory.php b/Zotlabs/Storage/Directory.php index 8cda75fd1..1231dfa25 100644 --- a/Zotlabs/Storage/Directory.php +++ b/Zotlabs/Storage/Directory.php @@ -281,8 +281,19 @@ class Directory extends DAV\Node implements DAV\ICollection, DAV\IQuota, DAV\IMo $xpath = attach_syspaths($this->auth->owner_id, $hash); - // returns the number of bytes that were written to the file, or FALSE on failure - $size = file_put_contents($f, $data); + + if (is_resource($data)) { + $fp = fopen($f,'wb'); + if ($fp) { + pipe_streams($data,$fp); + fclose($fp); + } + $size = filesize($f); + } + else { + $size = file_put_contents($f, $data); + } + // delete attach entry if file_put_contents() failed if ($size === false) { logger('file_put_contents() failed to ' . $f); @@ -315,7 +326,7 @@ class Directory extends DAV\Node implements DAV\ICollection, DAV\IQuota, DAV\IMo $d = q("UPDATE attach SET filesize = '%s', os_path = '%s', display_path = '%s', is_photo = %d, edited = '%s' WHERE hash = '%s' AND uid = %d", dbesc($size), dbesc($xpath['os_path']), - dbesc($xpath['display_path']), + dbesc($xpath['path']), intval($is_photo), dbesc($edited), dbesc($hash), @@ -364,7 +375,7 @@ class Directory extends DAV\Node implements DAV\ICollection, DAV\IQuota, DAV\IMo $p = photo_upload($c[0], \App::get_observer(), $args); } - \Zotlabs\Daemon\Master::Summon([ 'Thumbnail' , $this->folder_hash ]); + \Zotlabs\Daemon\Master::Summon([ 'Thumbnail' , $hash ]); $sync = attach_export_data($c[0], $hash); diff --git a/Zotlabs/Storage/File.php b/Zotlabs/Storage/File.php index 68edde166..ee96363c4 100644 --- a/Zotlabs/Storage/File.php +++ b/Zotlabs/Storage/File.php @@ -121,6 +121,11 @@ class File extends DAV\Node implements DAV\IFile { logger('put file: ' . basename($this->name), LOGGER_DEBUG); $size = 0; + if ((! $this->auth->owner_id) || (! perm_is_allowed($this->auth->owner_id, $this->auth->observer, 'write_storage'))) { + logger('permission denied for put operation'); + throw new DAV\Exception\Forbidden('Permission denied.'); + } + // @todo only 3 values are needed $c = q("SELECT * FROM channel WHERE channel_id = %d AND channel_removed = 0 LIMIT 1", intval($this->auth->owner_id) |