X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/cc10d1ddfc652f6bcf3bbf61d5ec2e2861394c03..refs/heads/development:/app/Http/Controller.php
diff --git a/app/Http/Controller.php b/app/Http/Controller.php
index 6e81dfd65..7f2134dd8 100644
--- a/app/Http/Controller.php
+++ b/app/Http/Controller.php
@@ -9,6 +9,8 @@ use BookStack\Facades\Activity;
 use Illuminate\Foundation\Bus\DispatchesJobs;
 use Illuminate\Foundation\Validation\ValidatesRequests;
 use Illuminate\Http\JsonResponse;
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Http\Request;
 use Illuminate\Routing\Controller as BaseController;
 
 abstract class Controller extends BaseController
@@ -47,13 +49,13 @@ abstract class Controller extends BaseController
 * On a permission error redirect to home and display.
 * the error as a notification.
 *
- * @return never
+ * @throws NotifyException
 */
- protected function showPermissionError()
+ protected function showPermissionError(string $redirectLocation = '/'): never
 {
 $message = request()->wantsJson() ? trans('errors.permissionJson') : trans('errors.permission');
 
- throw new NotifyException($message, '/', 403);
+ throw new NotifyException($message, $redirectLocation, 403);
 }
 
 /**
@@ -79,10 +81,10 @@ abstract class Controller extends BaseController
 /**
 * Check the current user's permissions against an ownable item otherwise throw an exception.
 */
- protected function checkOwnablePermission(string $permission, Model $ownable): void
+ protected function checkOwnablePermission(string $permission, Model $ownable, string $redirectLocation = '/'): void
 {
 if (!userCan($permission, $ownable)) {
- $this->showPermissionError();
+ $this->showPermissionError($redirectLocation);
 }
 }
 
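Review bot: The docblock above `showPermissionError` still says the redirect goes to home, but the new `$redirectLocation` parameter makes the target caller-controlled and it is passed straight into `NotifyException` with no validation. Suggest replacing the first two docblock lines with `* On a permission error, redirect to $redirectLocation (home by default) and display the error as a notification.` and adding `* @param string $redirectLocation Trusted application path only; it is used as a redirect target without validation.`. That also removes the stray full stop after "display" that currently splits the sentence.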
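Review bot: `checkOwnablePermission` now forwards `$redirectLocation` to `showPermissionError`, yet its docblock does not mention the parameter or that the value becomes the redirect target when the check fails. Suggest adding `* @param string $redirectLocation Where to send the user on failure; pass an application path, never raw request input, as nothing here validates it.` under the existing description line. Whether any caller passes request-derived values is not visible in this diff.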
@@ -150,10 +152,8 @@ abstract class Controller extends BaseController /** * Log an activity in the system. - * - * @param string|Loggable $detail */ - protected function logActivity(string $type, $detail = ''): void + protected function logActivity(string $type, string|Loggable $detail = ''): void { Activity::add($type, $detail); } @@ -163,6 +163,22 @@ abstract class Controller extends BaseController */ protected function getImageValidationRules(): array { - return ['image_extension', 'mimes:jpeg,png,gif,webp', 'max:' . (config('app.upload_limit') * 1000)]; + return ['image_extension', 'mimes:jpeg,png,gif,webp,avif', 'max:' . (config('app.upload_limit') * 1000)]; + } + + /** + * Redirect to the URL provided in the request as a '_return' parameter. + * Will check that the parameter leads to a URL under the root path of the system. + */ + protected function redirectToRequest(Request $request): RedirectResponse + { + $basePath = url('/'); + $returnUrl = $request->input('_return') ?? $basePath; + + if (!str_starts_with($returnUrl, $basePath)) { + return redirect($basePath); + } + + return redirect($returnUrl); } }
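Review bot: The prefix check in `redirectToRequest` does not bound the host: if `url('/')` yields the site root without a trailing slash (Laravel's usual behaviour), a `_return` of `https://example.com.attacker.tld/` or `https://example.com@attacker.tld/` passes `str_starts_with` and becomes an open redirect. Require a path separator after the base and accept the bare base itself: `$basePath = rtrim(url('/'), '/');` and `if ($returnUrl !== $basePath && !str_starts_with($returnUrl, $basePath . '/')) {`. Separately, `$request->input('_return')` can be an array (`_return[]=x`), which makes `str_starts_with` throw a TypeError; reading it as `(string) $request->input('_return', '') ?: $basePath` avoids that. I would also leave a comment on the check stating the intent: `// Require the base followed by '/' so host-extension and userinfo tricks are rejected.`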