Add possibility to restrict uploads to mime type, filename and maximu…

…m size usage exampe: $this->addResource(new Kwf_Acl_Resource_MediaUpload('upload_image', 'image/.*', '(jpe?g|png|gif)$', 1024*1024*10)); or (the same): $this->addResource(new Kwf_Acl_Resource_MediaUpload_Image('upload_image', 1024*1024*10)); (10MB is the maximum file size (optional))
koala-framework · Jun 21, 2017 · 3f54d6f · 3f54d6f
1 parent 9e4d72c
commit 3f54d6f
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 0 deletions.
diff --git a/Kwf/Acl/Resource/MediaUpload.php b/Kwf/Acl/Resource/MediaUpload.php
@@ -0,0 +1,28 @@
+<?php
+class Kwf_Acl_Resource_MediaUpload extends Zend_Acl_Resource
+{
+    private $_mimeTypePattern;
+    private $_filenamePattern;
+    private $_maxFilesize;
+
+    public function __construct($resourceId, $mimeTypePattern, $filenamePattern, $maxFilesize = null)
+    {
+        $this->_mimeTypePattern = $mimeTypePattern;
+        $this->_filenamePattern = $filenamePattern;
+        $this->_maxFilesize = $maxFilesize;
+        parent::__construct($resourceId);
+    }
+
+    public function getMimeTypePattern()
+    {
+        return $this->_mimeTypePattern;
+    }
+    public function getFilenamePattern()
+    {
+        return $this->_filenamePattern;
+    }
+    public function getMaxFilesize()
+    {
+        return $this->_maxFilesize;
+    }
+}
diff --git a/Kwf/Acl/Resource/MediaUpload/Image.php b/Kwf/Acl/Resource/MediaUpload/Image.php
@@ -0,0 +1,9 @@
+<?php
+class Kwf_Acl_Resource_MediaUpload_Image extends Kwf_Acl_Resource_MediaUpload
+{
+    public function __construct($resourceId, $maxFilesize = null)
+    {
+        parent::__construct($resourceId, 'image/.*', '(jpe?g|png|gif)$', $maxFilesize);
+    }
+}
+
diff --git a/Kwf/Controller/Action/Media/UploadController.php b/Kwf/Controller/Action/Media/UploadController.php
@@ -13,6 +13,26 @@ protected function _validateSessionToken()
     {
     }
 
+    private function _isUploadAllowed($mimeType, $filename, $filesize)
+    {
+        $acl = Kwf_Acl::getInstance();
+
+        foreach ($acl->getAllResources() as $resource) {
+            if ($resource instanceof Kwf_Acl_Resource_MediaUpload && $acl->isAllowed(Kwf_Registry::get('userModel')->getAuthedUserRole(), $resource)) {
+                if ($resource->getMimeTypePattern() && !preg_match('#'.$resource->getMimeTypePattern().'#', $mimeType)) {
+                    return false;
+                }
+                if ($resource->getFilenamePattern() && !preg_match('#'.$resource->getFilenamePattern().'#', $filename)) {
+                    return false;
+                }
+                if ($resource->getMaxFilesize() && $filesize > $resource->getMaxFilesize()) {
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+
     public function jsonUploadAction()
     {
         Kwf_Util_MemoryLimit::set(1024);
@@ -55,6 +75,9 @@ public function jsonUploadAction()
             $extension = substr(strrchr($file['name'], '.'), 1);
             $uploadedFile['filename'] = $filename;
             $uploadedFile['extension'] = $extension;
+            if (!$this->_isUploadAllowed($file['type'], $file['name'], $file['size'])) {
+                throw new Kwf_Exception_Client(trlKwf("Invalid file"));
+            }
             if ($maxResolution > 0) {
                 $fileData = Kwf_Media_Image::scale($file['tmp_name'], array('width' => $maxResolution, 'height' => $maxResolution, 'cover' => false));
                 Kwf_Uploads_Model::verifyUpload($file);
@@ -84,6 +107,9 @@ public function jsonUploadAction()
             if (isset($_SERVER['HTTP_X_UPLOAD_TYPE'])) {
                 $mimeType = $_SERVER['HTTP_X_UPLOAD_TYPE'];
             }
+            if (!$this->_isUploadAllowed($mimeType, $name, strlen($fileData))) {
+                throw new Kwf_Exception_Client(trlKwf("Invalid file"));
+            }
 
             $tempFile = tempnam('temp', 'upload');
             file_put_contents($tempFile, $fileData);