fix(api): restrict file and package download to the API only
btry authored and ajsb85 committed Jul 27, 2017
1 parent 84be562 commit b2b5bec
Showing 2 changed files with 6 additions and 4 deletions.
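--- a/inc/file.class.php
+++ b/inc/file.class.php
@@ -321,8 +321,9 @@ public function post_addItem() {
 public function post_getFromDB() {
 // Check the user can view this itemtype and can view this item
 if ($this->canView() && $this->canViewItem()) {
-if (isset($_SERVER['HTTP_ACCEPT']) && $_SERVER['HTTP_ACCEPT'] == 'application/octet-stream'
-|| isset($_GET['alt']) && $_GET['alt'] == 'media') {
+if (isAPI()
+&& (isset($_SERVER['HTTP_ACCEPT']) && $_SERVER['HTTP_ACCEPT'] == 'application/octet-stream'
+|| isset($_GET['alt']) && $_GET['alt'] == 'media')) {
 $this->sendFile(); // and terminate script
 }
 }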
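Review bot: The download is still fired from post_getFromDB(), which by its name and the "and terminate script" comment is a load hook that exits the request, so after this change any API call that happens to load a File row — not only a download — will abort and stream the file body whenever the client sends `Accept: application/octet-stream` or `?alt=media`; the added isAPI() gate narrows who can reach it, not when. Consider moving the sendFile() trigger to the explicit API download route, or at minimum restricting it to read requests with `&& $_SERVER['REQUEST_METHOD'] === 'GET'` inside the new condition. The header and query comparisons should be strict as well: `$_SERVER['HTTP_ACCEPT'] === 'application/octet-stream'` and `$_GET['alt'] === 'media'`. isAPI() is not defined in this hunk; presumably it is the framework's global helper and cannot be influenced by request data — worth confirming. The method's closing brace lies outside the hunk.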
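--- a/inc/package.class.php
+++ b/inc/package.class.php
@@ -367,8 +367,9 @@ public function prepareInputForUpdate($input) {
 public function post_getFromDB() {
 // Check the user can view this itemtype and can view this item
 if ($this->canView() && $this->canViewItem()) {
-if (isset($_SERVER['HTTP_ACCEPT']) && $_SERVER['HTTP_ACCEPT'] == 'application/octet-stream'
-|| isset($_GET['alt']) && $_GET['alt'] == 'media') {
+if (isAPI()
+&& (isset($_SERVER['HTTP_ACCEPT']) && $_SERVER['HTTP_ACCEPT'] == 'application/octet-stream'
+|| isset($_GET['alt']) && $_GET['alt'] == 'media')) {
 $this->sendFile(); // and terminate script
 }
 }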
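Review bot: This gate is now a byte-for-byte copy of the one in inc/file.class.php, and the download trigger is an access-control decision, so the two copies will drift the next time one of them is hardened; extract the condition into a single shared helper (for example a static method on a common base class or trait returning bool) and call it from both post_getFromDB() implementations. While doing so, use strict comparisons, `$_SERVER['HTTP_ACCEPT'] === 'application/octet-stream'` and `$_GET['alt'] === 'media'`, since `==` against request strings is a known PHP footgun. A one-line comment above the condition stating why the web UI is excluded, e.g. `// Raw package download is served by the REST API only; the web UI must never stream the binary from a load hook`, would record the intent of this commit for the next reader. The enclosing method continues past the end of the hunk.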

0 comments on commit b2b5bec

Please sign in to comment.