Added ability to secure images behind auth

[bookstack] / app / Http / Controllers / ImageController.php

diff --git a/app/Http/Controllers/ImageController.php b/app/Http/Controllers/ImageController.php
index 2e5d5f3034180dd3b2d6f40483a664ff677f6f6c..d783507545d421ba63a536eaf5cbfeaaaf51dccd 100644 (file)
--- a/app/Http/Controllers/ImageController.php
+++ b/app/Http/Controllers/ImageController.php
@@ -1,6 +1,8 @@
 <?php namespace BookStack\Http\Controllers;
 
 use BookStack\Exceptions\ImageUploadException;
+use BookStack\Exceptions\NotFoundException;
+use BookStack\Repos\EntityRepo;
 use BookStack\Repos\ImageRepo;
 use Illuminate\Filesystem\Filesystem as File;
 use Illuminate\Http\Request;
@@ -27,6 +29,21 @@ class ImageController extends Controller
         parent::__construct();
     }
 
+    /**
+     * Provide an image file from storage.
+     * @param string $path
+     * @return mixed
+     */
+    public function showImage(string $path)
+    {
+        $path = storage_path('uploads/images/' . $path);
+        if (!file_exists($path)) {
+            abort(404);
+        }
+
+        return response()->file($path);
+    }
+
     /**
      * Get all images for a specific type, Paginated
      * @param string $type
@@ -51,9 +68,9 @@ class ImageController extends Controller
         $this->validate($request, [
             'term' => 'required|string'
         ]);
-        
+
         $searchTerm = $request->get('term');
-        $imgData = $this->imageRepo->searchPaginatedByType($type, $page,24, $searchTerm);
+        $imgData = $this->imageRepo->searchPaginatedByType($type, $page, 24, $searchTerm);
         return response()->json($imgData);
     }
 
@@ -73,6 +90,7 @@ class ImageController extends Controller
      * @param $filter
      * @param int $page
      * @param Request $request
+     * @return \Illuminate\Contracts\Routing\ResponseFactory|\Illuminate\Http\JsonResponse|\Symfony\Component\HttpFoundation\Response
      */
     public function getGalleryFiltered($filter, $page = 0, Request $request)
     {
@@ -99,13 +117,13 @@ class ImageController extends Controller
     {
         $this->checkPermission('image-create-all');
         $this->validate($request, [
-            'file' => 'image|mimes:jpeg,gif,png'
+            'file' => 'is_image'
         ]);
 
         $imageUpload = $request->file('file');
 
         try {
-            $uploadedTo = $request->has('uploaded_to') ? $request->get('uploaded_to') : 0;
+            $uploadedTo = $request->filled('uploaded_to') ? $request->get('uploaded_to') : 0;
             $image = $this->imageRepo->saveNew($imageUpload, $type, $uploadedTo);
         } catch (ImageUploadException $e) {
             return response($e->getMessage(), 500);
@@ -149,27 +167,27 @@ class ImageController extends Controller
 
     /**
      * Deletes an image and all thumbnail/image files
-     * @param PageRepo $pageRepo
+     * @param EntityRepo $entityRepo
      * @param Request $request
      * @param int $id
      * @return \Illuminate\Http\JsonResponse
      */
-    public function destroy(PageRepo $pageRepo, Request $request, $id)
+    public function destroy(EntityRepo $entityRepo, Request $request, $id)
     {
         $image = $this->imageRepo->getById($id);
         $this->checkOwnablePermission('image-delete', $image);
 
         // Check if this image is used on any pages
-        $isForced = ($request->has('force') && ($request->get('force') === 'true') || $request->get('force') === true);
+        $isForced = in_array($request->get('force', ''), [true, 'true']);
         if (!$isForced) {
-            $pageSearch = $pageRepo->searchForImage($image->url);
+            $pageSearch = $entityRepo->searchForImage($image->url);
             if ($pageSearch !== false) {
                 return response()->json($pageSearch, 400);
             }
         }
 
         $this->imageRepo->destroyImage($image);
-        return response()->json('Image Deleted');
+        return response()->json(trans('components.images_deleted'));
     }