X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/27ac1225024fabb8497bb25a57d837ff61806c5d..refs/pull/3918/head:/app/Uploads/ImageService.php
diff --git a/app/Uploads/ImageService.php b/app/Uploads/ImageService.php
index a82fecdd7..55c327e7a 100644
--- a/app/Uploads/ImageService.php
+++ b/app/Uploads/ImageService.php
@@ -88,16 +88,17 @@ class ImageService
     protected function getStorageDiskName(string $imageType): string
     {
         $storageType = config('filesystems.images');
+        $localSecureInUse = ($storageType === 'local_secure' || $storageType === 'local_secure_restricted');
 
         // Ensure system images (App logo) are uploaded to a public space
-        if ($imageType === 'system' && $storageType === 'local_secure') {
-            $storageType = 'local';
+        if ($imageType === 'system' && $localSecureInUse) {
+            return 'local';
         }
 
         // Rename local_secure options to get our image specific storage driver which
         // is scoped to the relevant image directories.
-        if ($storageType === 'local_secure' || $storageType === 'local_secure_restricted') {
-            $storageType = 'local_secure_images';
+        if ($localSecureInUse) {
+            return 'local_secure_images';
         }
 
         return $storageType;
@@ -315,7 +316,7 @@ class ImageService
     {
         try {
             $thumb = $this->imageTool->make($imageData);
-        } catch (ErrorException|NotSupportedException $e) {
+        } catch (ErrorException | NotSupportedException $e) {
             throw new ImageUploadException(trans('errors.cannot_create_thumbs'));
         }
 
@@ -501,6 +502,14 @@ class ImageService
         }
 
         $storagePath = $this->adjustPathForStorageDisk($storagePath);
+
+        // Apply access control when local_secure_restricted images are active
+        if ($this->usingSecureRestrictedImages()) {
+            if (!$this->checkUserHasAccessToRelationOfImageAtPath($storagePath)) {
+                return null;
+            }
+        }
+
         $storage = $this->getStorageDisk();
         $imageData = null;
         if ($storage->exists($storagePath)) {
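Review bot: The early return for `system` images now applies to `local_secure_restricted` as well as `local_secure`, which is a behaviour change the comment above it does not mention; I'd make that explicit, e.g. `// Ensure system images (App logo) are uploaded to a public space, for both local_secure variants`. `$localSecureInUse` also re-encodes which `filesystems.images` values count as secure storage, while the third hunk of this change gates reads through `usingSecureRestrictedImages()`; a single helper next to that method answering "is any local_secure variant active" would keep the two definitions from drifting apart as new disk names are added. The rest of getStorageDiskName is within the hunk, so no other callers of the removed `$storageType` reassignments remain.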
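Review bot: The new access check in the third hunk sits before `$storage->exists()`, which is the right order, but a denied request and a missing image both come back as `null` and nothing in the hunk records that this is deliberate; I'd extend the comment to `// Apply access control when local_secure_restricted images are active; an unauthorised request returns null exactly like a missing image, so callers cannot probe for existence`. The nested `if`s collapse into one guard: `if ($this->usingSecureRestrictedImages() && !$this->checkUserHasAccessToRelationOfImageAtPath($storagePath)) { return null; }`. The decision is keyed on the string produced by `adjustPathForStorageDisk()`, so it presumably relies on that call yielding a canonical path; worth confirming against the fourth hunk, which strips a `/uploads/images/` prefix from the same value. The enclosing method starts and ends outside the hunk, so I cannot see whether its docblock documents `null` for the denied case.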
@@ -548,10 +557,15 @@ class ImageService
      */
     protected function checkUserHasAccessToRelationOfImageAtPath(string $path): bool
     {
+        if (strpos($path, '/uploads/images/') === 0) {
+            $path = substr($path, 15);
+        }
+
         // Strip thumbnail element from path if existing
-        $originalPathSplit = array_filter(explode('/', $path), function(string $part) {
+        $originalPathSplit = array_filter(explode('/', $path), function (string $part) {
             $resizedDir = (strpos($part, 'thumbs-') === 0 || strpos($part, 'scaled-') === 0);
             $missingExtension = strpos($part, '.') === false;
+
             return !($resizedDir && $missingExtension);
         });