parent::getAuth(); // load company!
//return true;
$au = $this->getAuthUser();
- //if (!$au) {
- // die("Access denied");
- // }
+
+ if (!$au) {
+ die("Access denied");
+ }
+
$this->authUser = $au;
return true;
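Review bot: The re-enabled `if (!$au)` block refuses the request with a bare die(), which leaves PHP's default 200 status on what is actually a denial, so clients and access logs record a successful page whose body reads "Access denied". Send an explicit status before stopping, e.g. `header('HTTP/1.0 403 Forbidden'); die("Access denied");`, so proxies, monitoring and the browser treat it as a refusal. The start of getAuth() lies above this hunk, so any earlier early-return paths are not visible here.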
function get($s) // determin what to serve!!!!
{
+ // for testing only.
+ //if (!empty($_GET['_post'])) {
+ // return $this->post();
+ //}
+
$this->as_mimetype = empty($_REQUEST['as']) ? '' : $_REQUEST['as'];
$bits= explode('/', $s);
} else if (!empty($bits[0]) && $bits[0] == 'events') {
- $popts = PEAR::getStaticProperty('Pman','options');
- $ev = DB_DAtaObject::Factory('events');
- if (!$ev->get($bits[1])) {
- die("could not find event id");
- }
- // technically same user only.. -- normally www-data..
- if (function_exists('posix_getpwuid')) {
- $uinfo = posix_getpwuid( posix_getuid () );
- $user = $uinfo['name'];
- } else {
- $user = getenv('USERNAME'); // windows.
- }
- $ff = HTML_FlexyFramework::get();
- $file = $ff->Pman['event_log_dir']. '/'. $user. date('/Y/m/d/',strtotime($ev->event_when)). $ev->id . ".json";
- $filesJ = json_decode(file_get_contents($file));
-
- //print_r($filesJ);
-
- foreach($filesJ->FILES as $k=>$f){
- if ($f->tmp_name != $bits[2]) {
- continue;
- }
-
- $src = $ff->Pman['event_log_dir']. '/'. $user. date('/Y/m/d/', strtotime($ev->event_when)). $f->tmp_name ;
- if (!file_exists($src)) {
- die("file was not saved");
- }
- header ('Content-Type: ' . $f->type);
+ $this->downloadEvent($bits);
- header("Content-Disposition: attachment; filename=\"".basename($f->name)."\";" );
- @ob_clean();
- flush();
- readfile($src);
- exit;
- }
die ("unknown file?");
+
} else {
$id = empty($bits[0]) ? 0 : $bits[0];
$img = DB_DataObjecT::factory('Images');
-
+
if (!$id || !$img->get($id)) {
header('Location: ' . $this->rootURL . '/Pman/templates/images/file-broken.png?reason=' .
urlencode("image has been removed or deleted."));
- print_r($id);exit;
+
+ }
+
+ if(!$this->hasPermission($img)){
+ header('Location: ' . $this->rootURL . '/Pman/templates/images/file-broken.png?reason=' .
+ urlencode("access to this image/file has been denied."));
}
+
$this->serve($img);
exit;
}
+ function hasPermission($img)
+ {
+ return true;
+ }
function post()
{
require_once 'File/Convert.php';
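Review bot: Neither redirect in the reworked else branch stops execution: after the `header('Location: …file-broken.png…')` for a missing image, and after the new hasPermission() denial, control falls through to `$this->serve($img);`, so the file (or whatever serve() emits for an unloaded Images object) is still written into the body of the redirect response, and the old `print_r($id);exit;` that used to stop the first case was removed rather than replaced. Add `exit;` after each of the two `urlencode(...)` redirect calls. The added hasPermission() stub returns true unconditionally, so the denial path cannot currently be reached; mark it `// TODO: implement per-image permission check` so it is not mistaken for an enforced check. The enclosing get() function starts above this hunk.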
if (!file_exists($img->getStoreName())) {
- //print_r($img);exit;
+// print_r($img);exit;
header('Location: ' . $this->rootURL . '/Pman/templates/images/file-broken.png?reason=' .
urlencode("Original file was missing : " . $img->getStoreName()));
}
function validateSize()
{
-
- if ($this->authUser && $this->authUser->company_id && $this->authUser->company()->comptype=='OWNER') {
+ if (($this->authUser && $this->authUser->company_id && $this->authUser->company()->comptype=='OWNER') || $_SERVER['SERVER_ADDR'] == $_SERVER['REMOTE_ADDR']) {
return true;
}
- // DEFAULT allowed - override with $cfg['sizes'];
+ // DEFAULT allowed - override with Pman_Core_Images[sizes] => array();
$sizes = array(
'100',
// this should be configurable...
$ff = HTML_FlexyFramework::get();
+
+
$cfg = isset($ff->Pman_Images) ? $ff->Pman_Images :
(isset($ff->Pman_Core_Images) ? $ff->Pman_Core_Images : array());
if (!in_array($this->size, $sizes)) {
+ print_r($sizes);
die("invalid scale - ".$this->size);
}
}
}
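Review bot: The new `|| $_SERVER['SERVER_ADDR'] == $_SERVER['REMOTE_ADDR']` clause in validateSize() ties the size-whitelist bypass to the transport address rather than to who is asking: if this application is ever fronted by a proxy or load balancer on the same host, REMOTE_ADDR is that proxy's address for every request and the whitelist is disabled for everyone. It also uses loose `==` and reads both keys unguarded, which will warn wherever SERVER_ADDR is not populated (e.g. CLI runs). If this is a local-development shortcut, gate it on an explicit config flag instead, or at minimum tighten it to `|| (isset($_SERVER['SERVER_ADDR'], $_SERVER['REMOTE_ADDR']) && $_SERVER['SERVER_ADDR'] === $_SERVER['REMOTE_ADDR'])`. The added `print_r($sizes);` before the die() looks like leftover debugging output and echoes the whole allowed-size list to the caller; drop it.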
+ function downloadEvent($bits)
+ {
+ $popts = PEAR::getStaticProperty('Pman','options');
+ $ev = DB_DAtaObject::Factory('events');
+ if (!$ev->get($bits[1])) {
+ die("could not find event id");
+ }
+ // technically same user only.. -- normally www-data..
+ if (function_exists('posix_getpwuid')) {
+ $uinfo = posix_getpwuid( posix_getuid () );
+ $user = $uinfo['name'];
+ } else {
+ $user = getenv('USERNAME'); // windows.
+ }
+ $ff = HTML_FlexyFramework::get();
+ $file = $ff->Pman['event_log_dir']. '/'. $user. date('/Y/m/d/',strtotime($ev->event_when)). $ev->id . ".json";
+ $filesJ = json_decode(file_get_contents($file));
+
+ //print_r($filesJ);
+
+ foreach($filesJ->FILES as $k=>$f){
+ if ($f->tmp_name != $bits[2]) {
+ continue;
+ }
+
+ $src = $ff->Pman['event_log_dir']. '/'. $user. date('/Y/m/d/', strtotime($ev->event_when)). $f->tmp_name ;
+ if (!file_exists($src)) {
+ die("file was not saved");
+ }
+ header ('Content-Type: ' . $f->type);
+
+ header("Content-Disposition: attachment; filename=\"".basename($f->name)."\";" );
+ @ob_clean();
+ flush();
+ readfile($src);
+ exit;
+ }
+ }
+
}
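Review bot: downloadEvent() has no authorization beyond the authUser gate in getAuth(): any authenticated user who supplies an event id and a matching tmp_name in the URL receives that event's attachment, whereas the image branch in this same change gained a hasPermission() call. Apply the same kind of check here once `$ev` is loaded, e.g. a hasPermission-style test on `$ev` that dies on failure, so both download paths are governed by one hook. The file read is also unchecked: `file_get_contents($file)` returns false when the per-day JSON is absent and that value goes straight into `json_decode`, so `$filesJ->FILES` is dereferenced on a non-object instead of returning to the caller's `die("unknown file?")`; guard with `if (!$filesJ || empty($filesJ->FILES)) { return; }`. `$popts` is assigned but never used in this method.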