namespace BookStack\Uploads;
+use BookStack\Entities\Models\Book;
+use BookStack\Entities\Models\Bookshelf;
+use BookStack\Entities\Models\Page;
use BookStack\Exceptions\ImageUploadException;
use ErrorException;
use Exception;
class ImageService
{
- protected $imageTool;
- protected $cache;
+ protected ImageManager $imageTool;
+ protected Cache $cache;
protected $storageUrl;
- protected $image;
- protected $fileSystem;
+ protected FilesystemManager $fileSystem;
protected static $supportedExtensions = ['jpg', 'jpeg', 'png', 'gif', 'webp'];
- /**
- * ImageService constructor.
- */
- public function __construct(Image $image, ImageManager $imageTool, FilesystemManager $fileSystem, Cache $cache)
+ public function __construct(ImageManager $imageTool, FilesystemManager $fileSystem, Cache $cache)
{
- $this->image = $image;
$this->imageTool = $imageTool;
$this->fileSystem = $fileSystem;
$this->cache = $cache;
* Check if local secure image storage (Fetched behind authentication)
* is currently active in the instance.
*/
- protected function usingSecureImages(): bool
+ protected function usingSecureImages(string $imageType = 'gallery'): bool
+ {
+ return $this->getStorageDiskName($imageType) === 'local_secure_images';
+ }
+
+ /**
+ * Check if "local secure restricted" (Fetched behind auth, with permissions enforced)
+ * is currently active in the instance.
+ */
+ protected function usingSecureRestrictedImages()
{
- return $this->getStorageDiskName('gallery') === 'local_secure_images';
+ return config('filesystems.images') === 'local_secure_restricted';
}
/**
{
$path = Util::normalizePath(str_replace('uploads/images/', '', $path));
- if ($this->getStorageDiskName($imageType) === 'local_secure_images') {
+ if ($this->usingSecureImages($imageType)) {
return $path;
}
protected function getStorageDiskName(string $imageType): string
{
$storageType = config('filesystems.images');
+ $localSecureInUse = ($storageType === 'local_secure' || $storageType === 'local_secure_restricted');
// Ensure system images (App logo) are uploaded to a public space
- if ($imageType === 'system' && $storageType === 'local_secure') {
- $storageType = 'local';
+ if ($imageType === 'system' && $localSecureInUse) {
+ return 'local';
}
- if ($storageType === 'local_secure') {
- $storageType = 'local_secure_images';
+ // Rename local_secure options to get our image specific storage driver which
+ // is scoped to the relevant image directories.
+ if ($localSecureInUse) {
+ return 'local_secure_images';
}
return $storageType;
$imageDetails['updated_by'] = $userId;
}
- $image = $this->image->newInstance();
- $image->forceFill($imageDetails)->save();
+ $image = (new Image())->forceFill($imageDetails);
+ $image->save();
return $image;
}
{
try {
$thumb = $this->imageTool->make($imageData);
- } catch (ErrorException|NotSupportedException $e) {
+ } catch (ErrorException | NotSupportedException $e) {
throw new ImageUploadException(trans('errors.cannot_create_thumbs'));
}
$types = ['gallery', 'drawio'];
$deletedPaths = [];
- $this->image->newQuery()->whereIn('type', $types)
+ Image::query()->whereIn('type', $types)
->chunk(1000, function ($images) use ($checkRevisions, &$deletedPaths, $dryRun) {
foreach ($images as $image) {
$searchQuery = '%' . basename($image->path) . '%';
}
$storagePath = $this->adjustPathForStorageDisk($storagePath);
+
+ // Apply access control when local_secure_restricted images are active
+ if ($this->usingSecureRestrictedImages()) {
+ if (!$this->checkUserHasAccessToRelationOfImageAtPath($storagePath)) {
+ return null;
+ }
+ }
+
$storage = $this->getStorageDisk();
$imageData = null;
if ($storage->exists($storagePath)) {
}
/**
- * Check if the given path exists in the local secure image system.
- * Returns false if local_secure is not in use.
+ * Check if the given path exists and is accessible in the local secure image system.
+ * Returns false if local_secure is not in use, if the file does not exist, if the
+ * file is likely not a valid image, or if permission does not allow access.
*/
- public function pathExistsInLocalSecure(string $imagePath): bool
+ public function pathAccessibleInLocalSecure(string $imagePath): bool
{
/** @var FilesystemAdapter $disk */
$disk = $this->getStorageDisk('gallery');
+ if ($this->usingSecureRestrictedImages() && !$this->checkUserHasAccessToRelationOfImageAtPath($imagePath)) {
+ return false;
+ }
+
// Check local_secure is active
return $this->usingSecureImages()
&& $disk instanceof FilesystemAdapter
&& strpos($disk->getMimetype($imagePath), 'image/') === 0;
}
+ /**
+ * Check that the current user has access to the relation
+ * of the image at the given path.
+ */
+ protected function checkUserHasAccessToRelationOfImageAtPath(string $path): bool
+ {
+ if (strpos($path, '/uploads/images/') === 0) {
+ $path = substr($path, 15);
+ }
+
+ // Strip thumbnail element from path if existing
+ $originalPathSplit = array_filter(explode('/', $path), function (string $part) {
+ $resizedDir = (strpos($part, 'thumbs-') === 0 || strpos($part, 'scaled-') === 0);
+ $missingExtension = strpos($part, '.') === false;
+
+ return !($resizedDir && $missingExtension);
+ });
+
+ // Build a database-format image path and search for the image entry
+ $fullPath = '/uploads/images/' . ltrim(implode('/', $originalPathSplit), '/');
+ $image = Image::query()->where('path', '=', $fullPath)->first();
+
+ if (is_null($image)) {
+ return false;
+ }
+
+ $imageType = $image->type;
+
+ // Allow user or system (logo) images
+ // (No specific relation control but may still have access controlled by auth)
+ if ($imageType === 'user' || $imageType === 'system') {
+ return true;
+ }
+
+ if ($imageType === 'gallery' || $imageType === 'drawio') {
+ return Page::visible()->where('id', '=', $image->uploaded_to)->exists();
+ }
+
+ if ($imageType === 'cover_book') {
+ return Book::visible()->where('id', '=', $image->uploaded_to)->exists();
+ }
+
+ if ($imageType === 'cover_bookshelf') {
+ return Bookshelf::visible()->where('id', '=', $image->uploaded_to)->exists();
+ }
+
+ return false;
+ }
+
/**
* For the given path, if existing, provide a response that will stream the image contents.
*/
projects / bookstack / blobdiff