namespace BookStack\Uploads;
+use BookStack\Entities\Models\Book;
+use BookStack\Entities\Models\Bookshelf;
+use BookStack\Entities\Models\Page;
use BookStack\Exceptions\ImageUploadException;
use ErrorException;
use Exception;
+use GuzzleHttp\Psr7\Utils;
use Illuminate\Contracts\Cache\Repository as Cache;
-use Illuminate\Contracts\Filesystem\Factory as FileSystem;
use Illuminate\Contracts\Filesystem\FileNotFoundException;
-use Illuminate\Contracts\Filesystem\Filesystem as FileSystemInstance;
use Illuminate\Contracts\Filesystem\Filesystem as Storage;
+use Illuminate\Filesystem\FilesystemAdapter;
+use Illuminate\Filesystem\FilesystemManager;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Str;
use Intervention\Image\Exception\NotSupportedException;
+use Intervention\Image\Image as InterventionImage;
use Intervention\Image\ImageManager;
use League\Flysystem\Util;
use Psr\SimpleCache\InvalidArgumentException;
class ImageService
{
- protected $imageTool;
- protected $cache;
+ protected ImageManager $imageTool;
+ protected Cache $cache;
protected $storageUrl;
- protected $image;
- protected $fileSystem;
+ protected FilesystemManager $fileSystem;
protected static $supportedExtensions = ['jpg', 'jpeg', 'png', 'gif', 'webp'];
- /**
- * ImageService constructor.
- */
- public function __construct(Image $image, ImageManager $imageTool, FileSystem $fileSystem, Cache $cache)
+ public function __construct(ImageManager $imageTool, FilesystemManager $fileSystem, Cache $cache)
{
- $this->image = $image;
$this->imageTool = $imageTool;
$this->fileSystem = $fileSystem;
$this->cache = $cache;
/**
* Get the storage that will be used for storing images.
*/
- protected function getStorageDisk(string $imageType = ''): FileSystemInstance
+ protected function getStorageDisk(string $imageType = ''): Storage
{
return $this->fileSystem->disk($this->getStorageDiskName($imageType));
}
* Check if local secure image storage (Fetched behind authentication)
* is currently active in the instance.
*/
- protected function usingSecureImages(): bool
+ protected function usingSecureImages(string $imageType = 'gallery'): bool
+ {
+ return $this->getStorageDiskName($imageType) === 'local_secure_images';
+ }
+
+ /**
+ * Check if "local secure restricted" (Fetched behind auth, with permissions enforced)
+ * is currently active in the instance.
+ */
+ protected function usingSecureRestrictedImages()
{
- return $this->getStorageDiskName('gallery') === 'local_secure_images';
+ return config('filesystems.images') === 'local_secure_restricted';
}
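Review bot: `usingSecureRestrictedImages()` is declared without a return type, while `usingSecureImages()` directly above it has `: bool`; declare it as `protected function usingSecureRestrictedImages(): bool`. It also reads `config('filesystems.images')` directly rather than going through `getStorageDiskName()`. That looks deliberate, because the renaming block later in this diff maps both `local_secure` and `local_secure_restricted` to `local_secure_images`, so the distinction survives only in the raw config value. Since this method gates the new permission checks, say so in the docblock, e.g. `Reads the raw config value because the disk name is identical for local_secure and local_secure_restricted.`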
/**
{
$path = Util::normalizePath(str_replace('uploads/images/', '', $path));
- if ($this->getStorageDiskName($imageType) === 'local_secure_images') {
+ if ($this->usingSecureImages($imageType)) {
return $path;
}
$storageType = 'local';
}
- if ($storageType === 'local_secure') {
+ // Rename local_secure options to get our image specific storage driver which
+ // is scoped to the relevant image directories.
+ if ($storageType === 'local_secure' || $storageType === 'local_secure_restricted') {
$storageType = 'local_secure_images';
}
$imageDetails['updated_by'] = $userId;
}
- $image = $this->image->newInstance();
- $image->forceFill($imageDetails)->save();
+ $image = (new Image())->forceFill($imageDetails);
+ $image->save();
return $image;
}
return strtolower(pathinfo($image->path, PATHINFO_EXTENSION)) === 'gif';
}
+ /**
+ * Check if the given image and image data is apng.
+ */
+ protected function isApngData(Image $image, string &$imageData): bool
+ {
+ $isPng = strtolower(pathinfo($image->path, PATHINFO_EXTENSION)) === 'png';
+ if (!$isPng) {
+ return false;
+ }
+
+ $initialHeader = substr($imageData, 0, strpos($imageData, 'IDAT'));
+
+ return strpos($initialHeader, 'acTL') !== false;
+ }
+
/**
* Get the thumbnail for an image.
* If $keepRatio is true only the width will be used.
* Checks the cache then storage to avoid creating / accessing the filesystem on every check.
+ *
* @throws Exception
* @throws InvalidArgumentException
*/
public function getThumbnail(Image $image, ?int $width, ?int $height, bool $keepRatio = false): string
{
+ // Do not resize GIF images where we're not cropping
if ($keepRatio && $this->isGif($image)) {
return $this->getPublicUrl($image->path);
}
$imagePath = $image->path;
$thumbFilePath = dirname($imagePath) . $thumbDirName . basename($imagePath);
- if ($this->cache->has('images-' . $image->id . '-' . $thumbFilePath) && $this->cache->get('images-' . $thumbFilePath)) {
- return $this->getPublicUrl($thumbFilePath);
+ $thumbCacheKey = 'images::' . $image->id . '::' . $thumbFilePath;
+
+ // Return path if in cache
+ $cachedThumbPath = $this->cache->get($thumbCacheKey);
+ if ($cachedThumbPath) {
+ return $this->getPublicUrl($cachedThumbPath);
}
+ // If thumbnail has already been generated, serve that and cache path
$storage = $this->getStorageDisk($image->type);
if ($storage->exists($this->adjustPathForStorageDisk($thumbFilePath, $image->type))) {
+ $this->cache->put($thumbCacheKey, $thumbFilePath, 60 * 60 * 72);
+
return $this->getPublicUrl($thumbFilePath);
}
- $thumbData = $this->resizeImage($storage->get($this->adjustPathForStorageDisk($imagePath, $image->type)), $width, $height, $keepRatio);
+ $imageData = $storage->get($this->adjustPathForStorageDisk($imagePath, $image->type));
+
+ // Do not resize apng images where we're not cropping
+ if ($keepRatio && $this->isApngData($image, $imageData)) {
+ $this->cache->put($thumbCacheKey, $image->path, 60 * 60 * 72);
+
+ return $this->getPublicUrl($image->path);
+ }
+ // If not in cache and thumbnail does not exist, generate thumb and cache path
+ $thumbData = $this->resizeImage($imageData, $width, $height, $keepRatio);
$this->saveImageDataInPublicSpace($storage, $this->adjustPathForStorageDisk($thumbFilePath, $image->type), $thumbData);
- $this->cache->put('images-' . $image->id . '-' . $thumbFilePath, $thumbFilePath, 60 * 60 * 72);
+ $this->cache->put($thumbCacheKey, $thumbFilePath, 60 * 60 * 72);
return $this->getPublicUrl($thumbFilePath);
}
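Review bot: In `isApngData()`, `strpos($imageData, 'IDAT')` returns `false` when the marker is absent, and the code relies on `substr()` coercing that to a zero length; if the file declares strict types, that call would raise a TypeError instead. Make the case explicit with `$idatPos = strpos($imageData, 'IDAT');` followed by `if ($idatPos === false) { return false; }`. The `&$imageData` reference is never written through, so a plain `string $imageData` parameter would state the contract more accurately; copy-on-write already avoids duplicating the buffer. Detection is also keyed on the `.png` extension of `$image->path`, so the docblock should mention that animated PNG data stored under another extension is not detected.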
{
try {
$thumb = $this->imageTool->make($imageData);
- } catch (ErrorException | NotSupportedException $e) {
+ } catch (ErrorException|NotSupportedException $e) {
throw new ImageUploadException(trans('errors.cannot_create_thumbs'));
}
+ $this->orientImageToOriginalExif($thumb, $imageData);
+
if ($keepRatio) {
$thumb->resize($width, $height, function ($constraint) {
$constraint->aspectRatio();
return $thumbData;
}
+ /**
+ * Orientate the given intervention image based upon the given original image data.
+ * Intervention does have an `orientate` method but the exif data it needs is lost before it
+ * can be used (At least when created using binary string data) so we need to do some
+ * implementation on our side to use the original image data.
+ * Bulk of logic taken from: https://github.com/Intervention/image/blob/b734a4988b2148e7d10364b0609978a88d277536/src/Intervention/Image/Commands/OrientateCommand.php
+ * Copyright (c) Oliver Vogel, MIT License.
+ */
+ protected function orientImageToOriginalExif(InterventionImage $image, string $originalData): void
+ {
+ if (!extension_loaded('exif')) {
+ return;
+ }
+
+ $stream = Utils::streamFor($originalData)->detach();
+ $exif = @exif_read_data($stream);
+ $orientation = $exif ? ($exif['Orientation'] ?? null) : null;
+
+ switch ($orientation) {
+ case 2:
+ $image->flip();
+ break;
+ case 3:
+ $image->rotate(180);
+ break;
+ case 4:
+ $image->rotate(180)->flip();
+ break;
+ case 5:
+ $image->rotate(270)->flip();
+ break;
+ case 6:
+ $image->rotate(270);
+ break;
+ case 7:
+ $image->rotate(90)->flip();
+ break;
+ case 8:
+ $image->rotate(90);
+ break;
+ }
+ }
+
/**
* Get the raw data content from an image.
*
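Review bot: The `@` on `exif_read_data()` in `orientImageToOriginalExif()` carries no explanation of what it silences, and the bytes being parsed come from a user upload. Add a why-comment such as `// exif_read_data() emits warnings for formats without EXIF support and for malformed headers; orientation is best-effort, so failures are ignored`. `$exif['Orientation']` is used as read and matched by `switch` with loose comparison, so narrowing it first (for example `is_numeric($orientation) ? (int) $orientation : null`) would make the accepted values explicit. The resource returned by `detach()` is released only implicitly when the method returns; an `fclose($stream)` after the read would make that visible.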
/**
* Check whether a folder is empty.
*/
- protected function isFolderEmpty(FileSystemInstance $storage, string $path): bool
+ protected function isFolderEmpty(Storage $storage, string $path): bool
{
$files = $storage->files($path);
$folders = $storage->directories($path);
$types = ['gallery', 'drawio'];
$deletedPaths = [];
- $this->image->newQuery()->whereIn('type', $types)
+ Image::query()->whereIn('type', $types)
->chunk(1000, function ($images) use ($checkRevisions, &$deletedPaths, $dryRun) {
foreach ($images as $image) {
$searchQuery = '%' . basename($image->path) . '%';
}
$storagePath = $this->adjustPathForStorageDisk($storagePath);
+
+ // Apply access control when local_secure_restricted images are active
+ if ($this->usingSecureRestrictedImages()) {
+ if (!$this->checkUserHasAccessToRelationOfImageAtPath($storagePath)) {
+ return null;
+ }
+ }
+
$storage = $this->getStorageDisk();
$imageData = null;
if ($storage->exists($storagePath)) {
}
/**
- * Check if the given path exists in the local secure image system.
- * Returns false if local_secure is not in use.
+ * Check if the given path exists and is accessible in the local secure image system.
+ * Returns false if local_secure is not in use, if the file does not exist, if the
+ * file is likely not a valid image, or if permission does not allow access.
*/
- public function pathExistsInLocalSecure(string $imagePath): bool
+ public function pathAccessibleInLocalSecure(string $imagePath): bool
{
+ /** @var FilesystemAdapter $disk */
$disk = $this->getStorageDisk('gallery');
+ if ($this->usingSecureRestrictedImages() && !$this->checkUserHasAccessToRelationOfImageAtPath($imagePath)) {
+ return false;
+ }
+
// Check local_secure is active
return $this->usingSecureImages()
+ && $disk instanceof FilesystemAdapter
// Check the image file exists
&& $disk->exists($imagePath)
// Check the file is likely an image file
&& strpos($disk->getMimetype($imagePath), 'image/') === 0;
}
+ /**
+ * Check that the current user has access to the relation
+ * of the image at the given path.
+ */
+ protected function checkUserHasAccessToRelationOfImageAtPath(string $path): bool
+ {
+ if (strpos($path, '/uploads/images/') === 0) {
+ $path = substr($path, 15);
+ }
+
+ // Strip thumbnail element from path if existing
+ $originalPathSplit = array_filter(explode('/', $path), function(string $part) {
+ $resizedDir = (strpos($part, 'thumbs-') === 0 || strpos($part, 'scaled-') === 0);
+ $missingExtension = strpos($part, '.') === false;
+ return !($resizedDir && $missingExtension);
+ });
+
+ // Build a database-format image path and search for the image entry
+ $fullPath = '/uploads/images/' . ltrim(implode('/', $originalPathSplit), '/');
+ $image = Image::query()->where('path', '=', $fullPath)->first();
+
+ if (is_null($image)) {
+ return false;
+ }
+
+ $imageType = $image->type;
+
+ // Allow user or system (logo) images
+ // (No specific relation control but may still have access controlled by auth)
+ if ($imageType === 'user' || $imageType === 'system') {
+ return true;
+ }
+
+ if ($imageType === 'gallery' || $imageType === 'drawio') {
+ return Page::visible()->where('id', '=', $image->uploaded_to)->exists();
+ }
+
+ if ($imageType === 'cover_book') {
+ return Book::visible()->where('id', '=', $image->uploaded_to)->exists();
+ }
+
+ if ($imageType === 'cover_bookshelf') {
+ return Bookshelf::visible()->where('id', '=', $image->uploaded_to)->exists();
+ }
+
+ return false;
+ }
+
/**
* For the given path, if existing, provide a response that will stream the image contents.
*/
public function streamImageFromStorageResponse(string $imageType, string $path): StreamedResponse
{
$disk = $this->getStorageDisk($imageType);
+
return $disk->response($path);
}
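Review bot: `checkUserHasAccessToRelationOfImageAtPath()` decides permission on a path it rewrites (prefix removed, every `thumbs-`/`scaled-` segment without a dot dropped), while `pathAccessibleInLocalSecure()` then hands the original `$imagePath` to `$disk->exists()` and `getMimetype()`. Nothing visible in this hunk guarantees that both refer to the same file. Normalise the path once before either use (the class already calls `Util::normalizePath()` for storage paths), refuse paths containing `.` or `..` segments, and treat only the directory directly above the file name as a thumbnail directory. The offset in `substr($path, 15)` is one short of the 16-character `/uploads/images/` prefix and works only because of the later `ltrim`; `substr($path, strlen('/uploads/images/'))` would be clearer. Whether the caller already normalises the path cannot be seen from here.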