diff --git a/ext/approval/main.php b/ext/approval/main.php index f2a97bcf..c26a93d0 100644 --- a/ext/approval/main.php +++ b/ext/approval/main.php @@ -99,9 +99,9 @@ class Approval extends Extension public function onDisplayingImage(DisplayingImageEvent $event) { - global $user, $page, $config; + global $page; - if ($config->get_bool(ApprovalConfig::IMAGES) && $event->image->approved===false && !$user->can(Permissions::APPROVE_IMAGE)) { + if (!$this->check_permissions(($event->image))) { $page->set_mode(PageMode::REDIRECT); $page->set_redirect(make_link("post/list")); } @@ -187,6 +187,26 @@ class Approval extends Extension ); } + private function check_permissions(Image $image): bool + { + global $user, $config; + + if ($config->get_bool(ApprovalConfig::IMAGES) && $image->approved===false && !$user->can(Permissions::APPROVE_IMAGE)) { + return false; + } + return true; + } + + public function onImageDownloading(ImageDownloadingEvent $event) + { + /** + * Deny images upon insufficient permissions. + **/ + if (!$this->check_permissions($event->image)) { + throw new SCoreException("Access denied"); + } + } + public function onImageAdminBlockBuilding(ImageAdminBlockBuildingEvent $event) { global $user, $config; diff --git a/ext/download/events.php b/ext/download/events.php new file mode 100644 index 00000000..431cbe37 --- /dev/null +++ b/ext/download/events.php @@ -0,0 +1,16 @@ +image = $image; + $this->path = $path; + $this->mime = $mime; + } +} diff --git a/ext/download/info.php b/ext/download/info.php new file mode 100644 index 00000000..e1f5228a --- /dev/null +++ b/ext/download/info.php @@ -0,0 +1,14 @@ +"matthew@darkholme.net"]; + public $license = self::LICENSE_WTFPL; + public $description = "System-wide download functions"; + public $core = true; + public $visibility = self::VISIBLE_HIDDEN; +} diff --git a/ext/download/main.php b/ext/download/main.php new file mode 100644 index 00000000..23aa6092 --- /dev/null +++ b/ext/download/main.php 
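Review bot: The redirect condition in onDisplayingImage wraps the argument in a doubled pair of parentheses, `if (!$this->check_permissions(($event->image))) {`, which should read `if (!$this->check_permissions($event->image)) {`; the same slip is in the onDisplayingImage hunk of ext/trash/main.php. The rest of onDisplayingImage continues outside the hunk. The new `private function check_permissions(Image $image): bool` can return its condition directly, `return !($config->get_bool(ApprovalConfig::IMAGES) && $image->approved === false && !$user->can(Permissions::APPROVE_IMAGE));`, with PSR-12 spacing around `===` (the rating and trash copies would benefit from the same form).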
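Review bot: The `/** Deny images upon insufficient permissions. **/` block in the new onImageDownloading sits inside the method body, where no tool picks it up as documentation; move it above the method as a docblock stating the actual rule, `/** Refuse the file download when the image is unapproved and the user lacks APPROVE_IMAGE; throws SCoreException. */`, and do the same for the identical copies added in ext/rating/main.php and ext/trash/main.php. Whether the thrown SCoreException reaches the client as an error page rather than a partial file depends on where it is caught and on the listener order for ImageDownloadingEvent, neither of which is visible in this diff; a `@throws SCoreException` tag on the docblock would at least make the contract explicit.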
@@ -0,0 +1,26 @@ +set_mime($event->mime); + + $page->set_mode(PageMode::FILE); + + $page->set_file($event->path, $event->file_modified); + + $event->stop_processing = true; + } +} diff --git a/ext/image/main.php b/ext/image/main.php index bba0e551..4b98c9de 100644 --- a/ext/image/main.php +++ b/ext/image/main.php @@ -271,10 +271,9 @@ class ImageIO extends Extension private function send_file(int $image_id, string $type) { - global $config; - $image = Image::by_id($image_id); + global $config, $page; - global $page; + $image = Image::by_id($image_id); if (!is_null($image)) { if ($type == "thumb") { $ext = $config->get_string(ImageConfig::THUMB_TYPE); @@ -285,7 +284,6 @@ class ImageIO extends Extension $page->set_type($image->get_mime_type()); $file = $image->get_image_filename(); } - if (!file_exists($file)) { http_response_code(404); die(); @@ -319,6 +317,8 @@ class ImageIO extends Extension } $page->add_http_header('Expires: ' . $expires); } + + send_event(new ImageDownloadingEvent($image, $file, $mime)); } else { $page->set_title("Not Found"); $page->set_heading("Not Found"); diff --git a/ext/random_image/main.php b/ext/random_image/main.php index fee4f418..e65546c5 100644 --- a/ext/random_image/main.php +++ b/ext/random_image/main.php @@ -28,9 +28,9 @@ class RandomImage extends Extension } if ($action === "download") { - $page->set_mode(PageMode::DATA); - $page->set_type($image->get_mime_type()); - $page->set_data(file_get_contents($image->get_image_filename())); + if (!is_null($image)) { + send_event(new ImageDownloadingEvent($image, $image->get_image_filename(), $image->get_mime_type())); + } } elseif ($action === "view") { send_event(new DisplayingImageEvent($image)); } elseif ($action === "widget") { diff --git a/ext/rating/main.php b/ext/rating/main.php index 77a61d1f..40a04654 100644 --- a/ext/rating/main.php +++ b/ext/rating/main.php 
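Review bot: The new handler in ext/download/main.php passes `$event->file_modified` to `$page->set_file(...)`, but the constructor visible in ext/download/events.php assigns only `image`, `path` and `mime`; the start of that file is garbled in this diff, so if `file_modified` is not declared and populated elsewhere the page receives a null modification time. This handler also sets `$event->stop_processing = true`, so the deny checks added in the approval, rating and trash extensions only take effect if their listeners are dispatched before this one; the dispatch priority is outside the diff and worth confirming. A comment on the handler would make that dependency explicit, `// Must run after the permission-checking listeners (approval, rating, trash): it ends event processing.`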
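Review bot: In ext/image/main.php the new `send_event(new ImageDownloadingEvent($image, $file, $mime));` uses `$mime`, which is not assigned on any line shown in these hunks; the full-size branch visible in the second hunk sets the type via `$page->set_type($image->get_mime_type())` and only assigns `$file`. If `$mime` is only set on the thumb branch, the full-size branch passes an undefined variable to the event, so assigning `$mime = $image->get_mime_type();` next to `$file` (or passing `$image->get_mime_type()` directly) would be safer. send_file starts before and ends after the hunks shown here.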
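Review bot: In ext/random_image/main.php the download branch now silently does nothing when `$image` is null, whereas the view branch on the next line still passes a possibly-null image to DisplayingImageEvent; the two branches should agree on how "no image" is handled. What the page emits when no mode is set is outside this diff, but an explicit not-found response for the null case, `http_response_code(404);` or the same "Not Found" handling ImageIO uses, would be clearer than falling through. The enclosing function starts and ends outside the hunk.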
@@ -115,11 +115,32 @@ class Ratings extends Extension } } + private function check_permissions(Image $image): bool + { + global $user; + + $user_view_level = Ratings::get_user_class_privs($user); + if (!in_array($image->rating, $user_view_level)) { + return false; + } + return true; + } + public function onInitUserConfig(InitUserConfigEvent $event) { $event->user_config->set_default_array(RatingsConfig::USER_DEFAULTS, self::get_user_class_privs($event->user)); } + public function onImageDownloading(ImageDownloadingEvent $event) + { + /** + * Deny images upon insufficient permissions. + **/ + if (!$this->check_permissions($event->image)) { + throw new SCoreException("Access denied"); + } + } + public function onUserOptionsBuilding(UserOptionsBuildingEvent $event) { global $user; @@ -159,12 +180,11 @@ class Ratings extends Extension public function onDisplayingImage(DisplayingImageEvent $event) { - global $user, $page; + global $page; /** * Deny images upon insufficient permissions. **/ - $user_view_level = Ratings::get_user_class_privs($user); - if (!in_array($event->image->rating, $user_view_level)) { + if (!$this->check_permissions($event->image)) { $page->set_mode(PageMode::REDIRECT); $page->set_redirect(make_link("post/list")); } diff --git a/ext/trash/main.php b/ext/trash/main.php index afeccb3e..98f68edc 100644 --- a/ext/trash/main.php +++ b/ext/trash/main.php 
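Review bot: The new check_permissions in ext/rating/main.php calls `Ratings::get_user_class_privs($user)` from inside the Ratings class, while the neighbouring onInitUserConfig uses `self::get_user_class_privs(...)`; use `self::` in both for consistency. The moved `in_array($image->rating, $user_view_level)` keeps the loose comparison; if the rating values and the privilege list are both strings, `in_array($image->rating, $user_view_level, true)` avoids the loose-equality surprises, but since the types are not visible here that change should be confirmed against the rating values first. The body can be a single `return in_array(...);` expression.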
@@ -41,11 +41,31 @@ class Trash extends Extension } } + private function check_permissions(Image $image): bool + { + global $user; + + if ($image->trash===true && !$user->can(Permissions::VIEW_TRASH)) { + return false; + } + return true; + } + + public function onImageDownloading(ImageDownloadingEvent $event) + { + /** + * Deny images upon insufficient permissions. + **/ + if (!$this->check_permissions($event->image)) { + throw new SCoreException("Access denied"); + } + } + public function onDisplayingImage(DisplayingImageEvent $event) { - global $user, $page; + global $page; - if ($event->image->trash===true && !$user->can(Permissions::VIEW_TRASH)) { + if (!$this->check_permissions(($event->image))) { $page->set_mode(PageMode::REDIRECT); $page->set_redirect(make_link("post/list")); }