author | zotlabs <mike@macgirvin.com> | 2020-05-05 20:01:09 -0700 |
---|---|---|
committer | zotlabs <mike@macgirvin.com> | 2020-05-05 20:01:09 -0700 |
commit | 191e01e3ec4930916ea42927629a5e5d74d07a59 (patch) | |
tree | 053bbcc9c213bd2e1da2b4a1c464be771929b2c3 /Zotlabs | |
parent | 8c65e9cb4a30a86208bdda91d7d764a8c6ee6b4c (diff) | |
re-apply after removing from cherry-picked git hash from wrong branch
Diffstat (limited to 'Zotlabs')
-rw-r--r-- | Zotlabs/Module/Dav.php | 2 | ||||
-rw-r--r-- | Zotlabs/Storage/BasicAuth.php | 11 | ||||
-rw-r--r-- | Zotlabs/Storage/Directory.php | 19 | ||||
-rw-r--r-- | Zotlabs/Storage/File.php | 5 |
4 files changed, 32 insertions, 5 deletions
diff --git a/Zotlabs/Module/Dav.php b/Zotlabs/Module/Dav.php
index e8ce6a703..adab25e45 100644
--- a/Zotlabs/Module/Dav.php
+++ b/Zotlabs/Module/Dav.php
@@ -95,7 +95,7 @@ class Dav extends \Zotlabs\Web\Controller {
 $auth = new \Zotlabs\Storage\BasicAuth();
- $auth->observer = get_observer_hash();
+ // $auth->observer = get_observer_hash();
 $auth->setRealm(ucfirst(\Zotlabs\Lib\System::get_platform_name()) . ' ' . 'WebDAV');
diff --git a/Zotlabs/Storage/BasicAuth.php b/Zotlabs/Storage/BasicAuth.php
index a5c01fbb7..3a48f5004 100644
--- a/Zotlabs/Storage/BasicAuth.php
+++ b/Zotlabs/Storage/BasicAuth.php
@@ -2,6 +2,7 @@
 namespace Zotlabs\Storage;
+use App;
 use Sabre\DAV;
 use Sabre\HTTP\RequestInterface;
 use Sabre\HTTP\ResponseInterface;
@@ -128,6 +129,16 @@ class BasicAuth extends DAV\Auth\Backend\AbstractBasic {
 $this->channel_name = $r['channel_address'];
 $this->channel_id = $r['channel_id'];
 $this->channel_hash = $this->observer = $r['channel_hash'];
+
+ if ($this->observer) {
+ $r = q("select * from xchan where xchan_hash = '%s' limit 1",
+ dbesc($this->observer)
+ );
+ if ($r) {
+ App::set_observer(array_shift($r));
+ }
+ }
+
 $_SESSION['uid'] = $r['channel_id'];
 $_SESSION['account_id'] = $r['channel_account_id'];
 $_SESSION['authenticated'] = true;
diff --git a/Zotlabs/Storage/Directory.php b/Zotlabs/Storage/Directory.php
index 8cda75fd1..1231dfa25 100644
--- a/Zotlabs/Storage/Directory.php
+++ b/Zotlabs/Storage/Directory.php
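Review bot: In Zotlabs/Module/Dav.php the assignment is left behind as commented-out code (`// $auth->observer = get_observer_hash();`) with nothing saying why the observer is no longer seeded from the current session. The File.php hunk of this commit passes `$this->auth->observer` to `perm_is_allowed()`, so a reader needs to know where that value now comes from; from the BasicAuth.php hunk it appears to be set only after credentials are validated, but that is inferred rather than visible here. Either delete the line or replace it with an explanatory comment such as `// observer is set by BasicAuth after successful authentication, not taken from the web session`. The enclosing method starts and ends outside the hunk.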
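Review bot: In the third hunk of Zotlabs/Storage/BasicAuth.php (`@@ -128,6 +129,16 @@`) the added xchan lookup reuses `$r`, which still holds the channel row that the following context lines read. Whenever `$this->observer` is non-empty, `$_SESSION['uid'] = $r['channel_id']` and `$_SESSION['account_id'] = $r['channel_account_id']` are then taken from the xchan result (or what is left of it after `array_shift($r)`) instead of the channel, so the session is presumably marked `authenticated` with empty ids; this assumes `q()` returns a list of rows. Use a separate variable for the lookup: `$x = q("select * from xchan where xchan_hash = '%s' limit 1", dbesc($this->observer));` followed by `if ($x) { App::set_observer(array_shift($x)); }`. The enclosing method starts and ends outside the hunk.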
@@ -281,8 +281,19 @@ class Directory extends DAV\Node implements DAV\ICollection, DAV\IQuota, DAV\IMo
 $xpath = attach_syspaths($this->auth->owner_id, $hash);
- // returns the number of bytes that were written to the file, or FALSE on failure
- $size = file_put_contents($f, $data);
+
+ if (is_resource($data)) {
+ $fp = fopen($f,'wb');
+ if ($fp) {
+ pipe_streams($data,$fp);
+ fclose($fp);
+ }
+ $size = filesize($f);
+ }
+ else {
+ $size = file_put_contents($f, $data);
+ }
+
 // delete attach entry if file_put_contents() failed
 if ($size === false) {
 logger('file_put_contents() failed to ' . $f);
@@ -315,7 +326,7 @@ class Directory extends DAV\Node implements DAV\ICollection, DAV\IQuota, DAV\IMo
 $d = q("UPDATE attach SET filesize = '%s', os_path = '%s', display_path = '%s', is_photo = %d, edited = '%s' WHERE hash = '%s' AND uid = %d",
 dbesc($size),
 dbesc($xpath['os_path']),
- dbesc($xpath['display_path']),
+ dbesc($xpath['path']),
 intval($is_photo),
 dbesc($edited),
 dbesc($hash),
@@ -364,7 +375,7 @@ class Directory extends DAV\Node implements DAV\ICollection, DAV\IQuota, DAV\IMo
 $p = photo_upload($c[0], \App::get_observer(), $args);
 }
- \Zotlabs\Daemon\Master::Summon([ 'Thumbnail' , $this->folder_hash ]);
+ \Zotlabs\Daemon\Master::Summon([ 'Thumbnail' , $hash ]);
 $sync = attach_export_data($c[0], $hash);
diff --git a/Zotlabs/Storage/File.php b/Zotlabs/Storage/File.php
index 68edde166..ee96363c4 100644
--- a/Zotlabs/Storage/File.php
+++ b/Zotlabs/Storage/File.php
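Review bot: In the first Directory.php hunk (`@@ -281,8 +281,19 @@`) the stream branch never reports a failed or partial write, because `$size = filesize($f)` runs even when `fopen()` returned false and the result of `pipe_streams()` is ignored. If `$f` already exists, or the copy stops early, `filesize()` returns a number rather than `false`, so the `if ($size === false)` cleanup below is skipped and the attach row records a truncated or stale file. Start the branch with `$size = false;`, move `clearstatcache(true, $f); $size = filesize($f);` inside the `if ($fp)` block, and compare against the count copied if `pipe_streams()` returns one (it is defined outside this diff). The log text `file_put_contents() failed to` is also no longer accurate for the stream path. The enclosing method starts and ends outside the hunk.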
@@ -121,6 +121,11 @@ class File extends DAV\Node implements DAV\IFile {
 logger('put file: ' . basename($this->name), LOGGER_DEBUG);
 $size = 0;
+ if ((! $this->auth->owner_id) || (! perm_is_allowed($this->auth->owner_id, $this->auth->observer, 'write_storage'))) {
+ logger('permission denied for put operation');
+ throw new DAV\Exception\Forbidden('Permission denied.');
+ }
+
 // @todo only 3 values are needed
 $c = q("SELECT * FROM channel WHERE channel_id = %d AND channel_removed = 0 LIMIT 1",
 intval($this->auth->owner_id) |
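Review bot: The denial path added to File.php logs only `'permission denied for put operation'`, which gives whoever reads the log no way to tell which observer was refused on which owner's storage. Including the identities makes rejected writes traceable, for example `logger('permission denied for put operation: owner ' . intval($this->auth->owner_id) . ' observer ' . $this->auth->observer . ' file ' . basename($this->name));`. A short comment above the guard saying that it fails closed when `owner_id` is unset would also help. The body of the method continues outside the hunk, and whether the other mutating methods of this class carry the same `write_storage` check cannot be seen from here.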