X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/b94b945fb03e21a1997cfe6e50148967586cb26d..refs/pull/3416/head:/app/Http/Controllers/Controller.php diff --git a/app/Http/Controllers/Controller.php b/app/Http/Controllers/Controller.php index b9576f2fe..c00ac938b 100644 --- a/app/Http/Controllers/Controller.php +++ b/app/Http/Controllers/Controller.php @@ -2,24 +2,22 @@ namespace BookStack\Http\Controllers; -use BookStack\Ownable; +use BookStack\Exceptions\NotifyException; +use BookStack\Facades\Activity; +use BookStack\Interfaces\Loggable; +use BookStack\Model; +use BookStack\Util\WebSafeMimeSniffer; use Illuminate\Foundation\Bus\DispatchesJobs; use Illuminate\Foundation\Validation\ValidatesRequests; -use Illuminate\Http\Exceptions\HttpResponseException; -use Illuminate\Http\Request; +use Illuminate\Http\JsonResponse; +use Illuminate\Http\Response; use Illuminate\Routing\Controller as BaseController; +use Symfony\Component\HttpFoundation\StreamedResponse; abstract class Controller extends BaseController { - use DispatchesJobs, ValidatesRequests; - - /** - * Controller constructor. - */ - public function __construct() - { - // - } + use DispatchesJobs; + use ValidatesRequests; /** * Check if the current user is signed in. @@ -42,9 +40,8 @@ abstract class Controller extends BaseController /** * Adds the page title into the view. - * @param $title */ - public function setPageTitle($title) + public function setPageTitle(string $title) { view()->share('pageTitle', $title); } @@ -52,149 +49,174 @@ abstract class Controller extends BaseController /** * On a permission error redirect to home and display. * the error as a notification. + * + * @return never */ protected function showPermissionError() { - if (request()->wantsJson()) { - $response = response()->json(['error' => trans('errors.permissionJson')], 403); - } else { - $response = redirect('/'); - $this->showErrorNotification(trans('errors.permission')); - } + $message = request()->wantsJson() ? trans('errors.permissionJson') : trans('errors.permission'); - throw new HttpResponseException($response); + throw new NotifyException($message, '/', 403); } /** - * Checks for a permission. - * @param string $permissionName - * @return bool|\Illuminate\Http\RedirectResponse + * Checks that the current user has the given permission otherwise throw an exception. */ - protected function checkPermission($permissionName) + protected function checkPermission(string $permission): void { - if (!user() || !user()->can($permissionName)) { + if (!user() || !user()->can($permission)) { $this->showPermissionError(); } - return true; } /** - * Check the current user's permissions against an ownable item. - * @param $permission - * @param Ownable $ownable - * @return bool + * Check the current user's permissions against an ownable item otherwise throw an exception. */ - protected function checkOwnablePermission($permission, Ownable $ownable) + protected function checkOwnablePermission(string $permission, Model $ownable): void { - if (userCan($permission, $ownable)) { - return true; + if (!userCan($permission, $ownable)) { + $this->showPermissionError(); } - return $this->showPermissionError(); } /** - * Check if a user has a permission or bypass if the callback is true. - * @param $permissionName - * @param $callback - * @return bool + * Check if a user has a permission or bypass the permission + * check if the given callback resolves true. */ - protected function checkPermissionOr($permissionName, $callback) + protected function checkPermissionOr(string $permission, callable $callback): void { - $callbackResult = $callback(); - if ($callbackResult === false) { - $this->checkPermission($permissionName); + if ($callback() !== true) { + $this->checkPermission($permission); } - return true; } /** * Check if the current user has a permission or bypass if the provided user * id matches the current user. - * @param string $permissionName - * @param int $userId - * @return bool */ - protected function checkPermissionOrCurrentUser(string $permissionName, int $userId) + protected function checkPermissionOrCurrentUser(string $permission, int $userId): void { - return $this->checkPermissionOr($permissionName, function () use ($userId) { + $this->checkPermissionOr($permission, function () use ($userId) { return $userId === user()->id; }); } /** * Send back a json error message. - * @param string $messageText - * @param int $statusCode - * @return mixed */ - protected function jsonError($messageText = "", $statusCode = 500) + protected function jsonError(string $messageText = '', int $statusCode = 500): JsonResponse { return response()->json(['message' => $messageText, 'status' => 'error'], $statusCode); } /** - * Create the response for when a request fails validation. - * @param \Illuminate\Http\Request $request - * @param array $errors - * @return \Symfony\Component\HttpFoundation\Response + * Create a response that forces a download in the browser. + */ + protected function downloadResponse(string $content, string $fileName): Response + { + return response()->make($content, 200, [ + 'Content-Type' => 'application/octet-stream', + 'Content-Disposition' => 'attachment; filename="' . str_replace('"', '', $fileName) . '"', + 'X-Content-Type-Options' => 'nosniff', + ]); + } + + /** + * Create a response that forces a download, from a given stream of content. */ - protected function buildFailedValidationResponse(Request $request, array $errors) + protected function streamedDownloadResponse($stream, string $fileName): StreamedResponse { - if ($request->expectsJson()) { - return response()->json(['validation' => $errors], 422); - } + return response()->stream(function () use ($stream) { + // End & flush the output buffer otherwise we still seem to use memory. + // Ignore in testing since output buffers are used to gather a response. + if (!app()->runningUnitTests()) { + ob_end_clean(); + } - return redirect()->to($this->getRedirectUrl()) - ->withInput($request->input()) - ->withErrors($errors, $this->errorBag()); + fpassthru($stream); + fclose($stream); + }, 200, [ + 'Content-Type' => 'application/octet-stream', + 'Content-Disposition' => 'attachment; filename="' . str_replace('"', '', $fileName) . '"', + 'X-Content-Type-Options' => 'nosniff', + ]); } /** - * Create a response that forces a download in the browser. - * @param string $content - * @param string $fileName - * @return \Illuminate\Http\Response + * Create a file download response that provides the file with a content-type + * correct for the file, in a way so the browser can show the content in browser. */ - protected function downloadResponse(string $content, string $fileName) + protected function inlineDownloadResponse(string $content, string $fileName): Response { + $mime = (new WebSafeMimeSniffer())->sniff($content); + return response()->make($content, 200, [ - 'Content-Type' => 'application/octet-stream', - 'Content-Disposition' => 'attachment; filename="' . $fileName . '"' + 'Content-Type' => $mime, + 'Content-Disposition' => 'inline; filename="' . str_replace('"', '', $fileName) . '"', + 'X-Content-Type-Options' => 'nosniff', + ]); + } + + /** + * Create a file download response that provides the file with a content-type + * correct for the file, in a way so the browser can show the content in browser, + * for a given content stream. + */ + protected function streamedInlineDownloadResponse($stream, string $fileName): StreamedResponse + { + $sniffContent = fread($stream, 1000); + $mime = (new WebSafeMimeSniffer())->sniff($sniffContent); + + return response()->stream(function () use ($sniffContent, $stream) { + echo $sniffContent; + fpassthru($stream); + fclose($stream); + }, 200, [ + 'Content-Type' => $mime, + 'Content-Disposition' => 'inline; filename="' . str_replace('"', '', $fileName) . '"', + 'X-Content-Type-Options' => 'nosniff', ]); } /** * Show a positive, successful notification to the user on next view load. - * @param string $message */ - protected function showSuccessNotification(string $message) + protected function showSuccessNotification(string $message): void { session()->flash('success', $message); } /** * Show a warning notification to the user on next view load. - * @param string $message */ - protected function showWarningNotification(string $message) + protected function showWarningNotification(string $message): void { session()->flash('warning', $message); } /** * Show an error notification to the user on next view load. - * @param string $message */ - protected function showErrorNotification(string $message) + protected function showErrorNotification(string $message): void { session()->flash('error', $message); } + /** + * Log an activity in the system. + * + * @param string|Loggable $detail + */ + protected function logActivity(string $type, $detail = ''): void + { + Activity::add($type, $detail); + } + /** * Get the validation rules for image files. */ - protected function getImageValidationRules(): string + protected function getImageValidationRules(): array { - return 'image_extension|no_double_extension|mimes:jpeg,png,gif,bmp,webp,tiff'; + return ['image_extension', 'mimes:jpeg,png,gif,webp', 'max:' . (config('app.upload_limit') * 1000)]; } }