diff --git a/CHANGELOG.md b/CHANGELOG.md
index f7844c9..babaa20 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,102 @@
# Changelog
+## Changes 10/15/2025 (v1.4.0)
+
+feat(permissions)!: granular ACL (bypassOwnership/canShare/canZip/viewOwnOnly), admin panel v1.4.0 UI, and broad hardening across controllers/models/frontend
+
+### Security / Hardening
+
+- Tightened ownership checks across file ops; introduced centralized permission helper to avoid falsey-permissions bugs.
+- Consistent CSRF verification on mutating endpoints; stricter input validation using `REGEX_*` and `basename()` trims.
+- Safer path handling & metadata reads; reduced noisy error surfaces; consistent HTTP codes (401/403/400/500).
+- Adds defense-in-depth to reduce risk of unauthorized file manipulation.
+
+### Config (`config.php`)
+
+- Add optional defaults for new permissions (all optional):
+ - `DEFAULT_BYPASS_OWNERSHIP` (bool)
+ - `DEFAULT_CAN_SHARE` (bool)
+ - `DEFAULT_CAN_ZIP` (bool)
+ - `DEFAULT_VIEW_OWN_ONLY` (bool)
+- Keep existing behavior unless explicitly enabled (bypassOwnership typically true for admins; configurable per user).
+
+### Controllers
+
+#### `FileController.php`
+
+- New lightweight `loadPerms($username)` helper that **always** returns an array; prevents type errors when permissions are missing.
+- Ownership checks now respect: `isAdmin(...) || perms['bypassOwnership'] || DEFAULT_BYPASS_OWNERSHIP`.
+- Gate sharing/zip operations by `perms['canShare']` / `perms['canZip']`.
+- Implement `viewOwnOnly` filtering in `getFileList()` (supports both map and list shapes).
+- Normalize and validate folder/file input; enforce folder-only scope for writes/moves/copies where applicable.
+- Improve error handling: convert warnings/notices to exceptions within try/catch; consistent JSON error payloads.
+- Add missing `require_once PROJECT_ROOT . '/src/models/UserModel.php'` to fix “Class userModel not found”.
+- Download behavior: inline for images, attachment for others; owner/bypass logic applied.
+
+#### `FolderController.php`
+
+- `createShareFolderLink()` gated by `canShare`; validates duration (cap at 1y), folder names, password optional.
+- (If present) folder share deletion/read endpoints wired to new permission model.
+
+#### `AdminController.php`
+
+- `getConfig()` remains admin-only; returns safe subset. (Non-admins now simply receive 403; client can ignore.)
+
+#### `UserController.php`
+
+- Plumbs new permission fields in get/set endpoints (`folderOnly`, `readOnly`, `disableUpload`, **`bypassOwnership`**, **`canShare`**, **`canZip`**, **`viewOwnOnly`**).
+- Normalizes username keys and defaults to prevent undefined-index errors.
+
+### Models
+
+#### `FileModel.php` / `FolderModel.php`
+
+- Respect caller’s effective permissions (controllers pass-through); stricter input normalization.
+- ZIP creation/extraction guarded via `canZip`; metadata updates consistent; safer temp paths.
+- Improved return shapes and error messages (never return non-array on success paths).
+
+#### `AdminModel.php`
+
+- Reads/writes admin config with new `loginOptions` intact; never exposes sensitive OIDC secrets to the client layer.
+
+#### `UserModel.php`
+
+- Store/load the 4 new flags; helper ensures absent users/fields don’t break caller; returns normalized arrays.
+
+### Frontend
+
+#### `main.js`
+
+- Initialize after CSRF; keep dark-mode persistence, welcome toast, drag-over UX.
+- Leaves `loadAdminConfigFunc()` call in place (non-admins may 403; harmless).
+
+#### `adminPanel.js` (v1.4.0)
+
+- New **User Permissions** UI with collapsible rows per user:
+ - Shows username; clicking expands a checkbox matrix.
+ - Permissions: `folderOnly`, `readOnly`, `disableUpload`, **`bypassOwnership`**, **`canShare`**, **`canZip`**, **`viewOwnOnly`**.
+- **Manage Shared Links** section reads folder & file share metadata; delete buttons per token.
+- Refined modal sizing & dark-mode styling; consistent toasts; unsaved-changes confirmation.
+- Keeps 403 from `/api/admin/getConfig.php` for non-admins (acceptable; no UI break).
+
+### Breaking change
+
+- Non-admin users without `bypassOwnership` can no longer create/rename/move/copy/delete/share/zip files they don’t own.
+- If legacy behavior depended on broad access, set `bypassOwnership` per user or use `DEFAULT_BYPASS_OWNERSHIP=true` in `config.php`.
+
+### Migration
+
+- Add the new flags to existing users in your permissions store (or rely on `config.php` defaults).
+- Verify admin accounts have either `isAdmin` or `bypassOwnership`/`canShare`/`canZip` as desired.
+- Optionally tune `DEFAULT_*` constants for instance-wide defaults.
+
+### Security
+
+- Hardened access controls for file operations based on an external security report.
+ Details are withheld temporarily to protect users; a full advisory will follow after wider adoption of the fix.
+
+---
+
## Changes 10/8/2025 (no new version)
chore: set up CI, add compose, tighten ignores, refresh README
@@ -195,7 +292,7 @@ No behavior change unless SCAN_ON_START=true.
- **Folder strip in file list**
- `loadFileList` now fetches sub-folders in parallel from `/api/folder/getFolderList.php`.
- - Filters to only *direct* children of the current folder, hiding `profile_pics` and `trash`.
+ - Filters to only direct children of the current folder, hiding `profile_pics` and `trash`.
- Injects a new `.folder-strip-container` just below the Files In above (summary + slider).
- Clicking a folder in the strip updates:
- the breadcrumb (via `updateBreadcrumbTitle`)
@@ -243,7 +340,7 @@ No behavior change unless SCAN_ON_START=true.
- Moved previously standalone header buttons into the dropdown menu:
- **User Panel** opens the modal
- - **Admin Panel** only shown when `data.isAdmin` *and* on `demo.filerise.net`
+ - **Admin Panel** only shown when `data.isAdmin` and on `demo.filerise.net`
- **API Docs** calls `openApiModal()`
- **Logout** calls `triggerLogout()`
- Each menu item now has a matching Material icon (e.g. `person`, `admin_panel_settings`, `description`, `logout`).
@@ -364,7 +461,7 @@ No behavior change unless SCAN_ON_START=true.
- Removed the static `AUTH_HEADER` fallback; instead read the adminConfig.json at the end of the file and:
- Overwrote `AUTH_BYPASS` with the `loginOptions.authBypass` setting from disk.
- Defined `AUTH_HEADER` (normalized, e.g. `"X_REMOTE_USER"`) based on `loginOptions.authHeaderName`.
-- Inserted a **proxy-only auto-login** block *before* the usual session/auth checks:
+- Inserted a **proxy-only auto-login** block before the usual session/auth checks:
If `AUTH_BYPASS` is true and the trusted header (`$_SERVER['HTTP_' . AUTH_HEADER]`) is present, bump the session, mark the user authenticated/admin, load their permissions, and skip straight to JSON output.
- Relax filename validation regex to allow broader Unicode and special chars
@@ -406,7 +503,7 @@ No behavior change unless SCAN_ON_START=true.
- In the “not authenticated” branch, only shows the login form if `authBypass` is false.
- No other core fetch/token logic changed; all existing flows remain intact.
-### Security
+### Security old
- **Admin API**: `getConfig.php` now returns only a safe subset of admin settings (omits `clientSecret`) to prevent accidental exposure of sensitive data.
@@ -435,7 +532,7 @@ No behavior change unless SCAN_ON_START=true.
- **Added** `addUserModal`, `removeUserModal` & `renameFileModal` modals to `style="display:none;"`
-### `main.js`
+**`main.js`**
- **Extracted** `initializeApp()` helper to centralize post-auth startup (tag search, file list, drag-and-drop, folder tree, upload, trash/restore, admin config).
- **Updated** DOMContentLoaded `checkAuthentication()` flow to call `initializeApp()` when already authenticated.
diff --git a/SECURITY.md b/SECURITY.md
index 5b748ec..8c66985 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -2,7 +2,12 @@
## Supported Versions
-FileRise is actively maintained. Only supported versions will receive security updates. For details on which versions are currently supported, please see the [Release Notes](https://github.com/error311/FileRise/releases).
+We provide security fixes for the latest minor release line.
+
+| Version | Supported |
+|------------|-----------|
+| v1.4.x | ✅ |
+| < v1.4.0 | ❌ |
## Reporting a Vulnerability
diff --git a/config/config.php b/config/config.php
index 8dfbb58..d58191d 100644
--- a/config/config.php
+++ b/config/config.php
@@ -36,6 +36,13 @@ define('REGEX_USER', '/^[\p{L}\p{N}_\- ]+$/u');
date_default_timezone_set(TIMEZONE);
+if (!defined('DEFAULT_BYPASS_OWNERSHIP')) define('DEFAULT_BYPASS_OWNERSHIP', false);
+if (!defined('DEFAULT_CAN_SHARE')) define('DEFAULT_CAN_SHARE', true);
+if (!defined('DEFAULT_CAN_ZIP')) define('DEFAULT_CAN_ZIP', true);
+if (!defined('DEFAULT_VIEW_OWN_ONLY')) define('DEFAULT_VIEW_OWN_ONLY', false);
+
+
+
// Encryption helpers
function encryptData($data, $encryptionKey)
{
diff --git a/public/js/adminPanel.js b/public/js/adminPanel.js
index 3d06105..226ae04 100644
--- a/public/js/adminPanel.js
+++ b/public/js/adminPanel.js
@@ -3,9 +3,15 @@ import { loadAdminConfigFunc } from './auth.js';
import { showToast, toggleVisibility, attachEnterKeyListener } from './domUtils.js';
import { sendRequest } from './networkUtils.js';
-const version = "v1.3.15";
+const version = "v1.4.0";
const adminTitle = `${t("admin_panel")} ${version}`;
+// Translate with fallback: if t(key) just echos the key, use a readable string.
+const tf = (key, fallback) => {
+ const v = t(key);
+ return (v && v !== key) ? v : fallback;
+};
+
// ————— Inject updated styles —————
(function () {
if (document.getElementById('adminPanelStyles')) return;
@@ -493,21 +499,21 @@ export function openAdminPanel() {
}
function handleSave() {
- const dFL = document.getElementById("disableFormLogin").checked;
- const dBA = document.getElementById("disableBasicAuth").checked;
- const dOIDC = document.getElementById("disableOIDCLogin").checked;
- const aBypass= document.getElementById("authBypass").checked;
- const aHeader= document.getElementById("authHeaderName").value.trim() || "X-Remote-User";
- const eWD = document.getElementById("enableWebDAV").checked;
- const sMax = parseInt(document.getElementById("sharedMaxUploadSize").value, 10) || 0;
- const nHT = document.getElementById("headerTitle").value.trim();
- const nOIDC = {
+ const dFL = document.getElementById("disableFormLogin").checked;
+ const dBA = document.getElementById("disableBasicAuth").checked;
+ const dOIDC = document.getElementById("disableOIDCLogin").checked;
+ const aBypass = document.getElementById("authBypass").checked;
+ const aHeader = document.getElementById("authHeaderName").value.trim() || "X-Remote-User";
+ const eWD = document.getElementById("enableWebDAV").checked;
+ const sMax = parseInt(document.getElementById("sharedMaxUploadSize").value, 10) || 0;
+ const nHT = document.getElementById("headerTitle").value.trim();
+ const nOIDC = {
providerUrl: document.getElementById("oidcProviderUrl").value.trim(),
- clientId: document.getElementById("oidcClientId").value.trim(),
- clientSecret:document.getElementById("oidcClientSecret").value.trim(),
+ clientId: document.getElementById("oidcClientId").value.trim(),
+ clientSecret: document.getElementById("oidcClientSecret").value.trim(),
redirectUri: document.getElementById("oidcRedirectUri").value.trim()
};
- const gURL = document.getElementById("globalOtpauthUrl").value.trim();
+ const gURL = document.getElementById("globalOtpauthUrl").value.trim();
if ([dFL, dBA, dOIDC].filter(x => x).length === 3) {
showToast(t("at_least_one_login_method"));
@@ -521,25 +527,25 @@ function handleSave() {
disableFormLogin: dFL,
disableBasicAuth: dBA,
disableOIDCLogin: dOIDC,
- authBypass: aBypass,
- authHeaderName: aHeader
+ authBypass: aBypass,
+ authHeaderName: aHeader
},
- enableWebDAV: eWD,
- sharedMaxUploadSize: sMax,
- globalOtpauthUrl: gURL
+ enableWebDAV: eWD,
+ sharedMaxUploadSize: sMax,
+ globalOtpauthUrl: gURL
}, {
"X-CSRF-Token": window.csrfToken
})
- .then(res => {
- if (res.success) {
- showToast(t("settings_updated_successfully"), "success");
- captureInitialAdminConfig();
- closeAdminPanel();
- loadAdminConfigFunc();
- } else {
- showToast(t("error_updating_settings") + ": " + (res.error || t("unknown_error")), "error");
- }
- }).catch(() => {/*noop*/});
+ .then(res => {
+ if (res.success) {
+ showToast(t("settings_updated_successfully"), "success");
+ captureInitialAdminConfig();
+ closeAdminPanel();
+ loadAdminConfigFunc();
+ } else {
+ showToast(t("error_updating_settings") + ": " + (res.error || t("unknown_error")), "error");
+ }
+ }).catch(() => {/*noop*/ });
}
export async function closeAdminPanel() {
@@ -605,15 +611,16 @@ export function openUserPermissionsModal() {
const rows = userPermissionsModal.querySelectorAll(".user-permission-row");
const permissionsData = [];
rows.forEach(row => {
- const username = row.getAttribute("data-username");
- const folderOnlyCheckbox = row.querySelector("input[data-permission='folderOnly']");
- const readOnlyCheckbox = row.querySelector("input[data-permission='readOnly']");
- const disableUploadCheckbox = row.querySelector("input[data-permission='disableUpload']");
+ const g = k => row.querySelector(`input[data-permission='${k}']`)?.checked ?? false;
permissionsData.push({
- username,
- folderOnly: folderOnlyCheckbox.checked,
- readOnly: readOnlyCheckbox.checked,
- disableUpload: disableUploadCheckbox.checked
+ username: row.getAttribute("data-username"),
+ folderOnly: g("folderOnly"),
+ readOnly: g("readOnly"),
+ disableUpload: g("disableUpload"),
+ bypassOwnership: g("bypassOwnership"),
+ canShare: g("canShare"),
+ canZip: g("canZip"),
+ viewOwnOnly: g("viewOwnOnly"),
});
});
// Send the permissionsData to the server.
@@ -664,38 +671,79 @@ function loadUserPermissionsList() {
folderOnly: false,
readOnly: false,
disableUpload: false,
+ bypassOwnership: false,
+ canShare: false,
+ canZip: false,
+ viewOwnOnly: false,
};
// Normalize the username key to match server storage (e.g., lowercase)
const usernameKey = user.username.toLowerCase();
+
+ const toBool = v => v === true || v === 1 || v === "1";
const userPerm = (permissionsData && typeof permissionsData === "object" && (usernameKey in permissionsData))
? permissionsData[usernameKey]
: defaultPerm;
- // Create a row for the user.
- const row = document.createElement("div");
- row.classList.add("user-permission-row");
- row.setAttribute("data-username", user.username);
- row.style.padding = "10px 0";
- row.innerHTML = `
- ${user.username}
-
-
-
-
-
-
- `;
+
+ // Create a row for the user (collapsed by default)
+const row = document.createElement("div");
+row.classList.add("user-permission-row");
+row.setAttribute("data-username", user.username);
+row.style.padding = "6px 0";
+
+// helper for checkbox checked state
+const checked = key => (userPerm && userPerm[key]) ? "checked" : "";
+
+// header + caret
+row.innerHTML = `
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+`;
+
+// toggle open/closed on click + Enter/Space
+const header = row.querySelector(".user-perm-header");
+const details = row.querySelector(".user-perm-details");
+const caret = row.querySelector(".perm-caret");
+
+function toggleOpen() {
+ const willShow = details.style.display === "none";
+ details.style.display = willShow ? "grid" : "none";
+ header.setAttribute("aria-expanded", willShow ? "true" : "false");
+ caret.style.transform = willShow ? "rotate(0deg)" : "rotate(-90deg)";
+}
+
+header.addEventListener("click", toggleOpen);
+header.addEventListener("keydown", e => {
+ if (e.key === "Enter" || e.key === " ") { e.preventDefault(); toggleOpen(); }
+});
+
+listContainer.appendChild(row);
listContainer.appendChild(row);
});
});
diff --git a/public/js/fileListView.js b/public/js/fileListView.js
index 378358a..3d49079 100644
--- a/public/js/fileListView.js
+++ b/public/js/fileListView.js
@@ -55,6 +55,18 @@ window.advancedSearchEnabled = false;
* --- Helper Functions ---
*/
+// Safely parse JSON; if server returned HTML/text, throw it as a readable error.
+async function safeJson(res) {
+ const text = await res.text();
+ try {
+ return JSON.parse(text);
+ } catch {
+ // Common cases: PHP notice/HTML, "Access forbidden.", etc.
+ const msg = (text || '').toString().trim();
+ throw new Error(msg || `Unexpected ${res.status} ${res.statusText} from ${res.url || 'request'}`);
+ }
+}
+
/**
* Convert a file size string (e.g. "456.9KB", "1.2 MB", "1024") into bytes.
*/
@@ -219,8 +231,14 @@ export async function loadFileList(folderParam) {
try {
// Kick off both in parallel, but we'll render as soon as FILES are ready
- const filesPromise = fetch(`/api/file/getFileList.php?folder=${encodeURIComponent(folder)}&recursive=1&t=${Date.now()}`);
- const foldersPromise = fetch(`/api/folder/getFolderList.php?folder=${encodeURIComponent(folder)}`);
+ const filesPromise = fetch(
+ `/api/file/getFileList.php?folder=${encodeURIComponent(folder)}&recursive=1&t=${Date.now()}`,
+ { credentials: 'include' }
+ );
+ const foldersPromise = fetch(
+ `/api/folder/getFolderList.php?folder=${encodeURIComponent(folder)}`,
+ { credentials: 'include' }
+ );
// ----- FILES FIRST -----
const filesRes = await filesPromise;
@@ -230,7 +248,10 @@ export async function loadFileList(folderParam) {
throw new Error("Unauthorized");
}
- const data = await filesRes.json();
+ const data = await safeJson(filesRes);
+ if (data.error) {
+ throw new Error(typeof data.error === 'string' ? data.error : 'Server returned an error.');
+ }
// If another loadFileList ran after this one, bail before touching the DOM
if (reqId !== __fileListReqSeq) return [];
@@ -403,7 +424,7 @@ export async function loadFileList(folderParam) {
// ----- FOLDERS NEXT (populate strip when ready; doesn't block rows) -----
try {
const foldersRes = await foldersPromise;
- const folderRaw = await foldersRes.json();
+ const folderRaw = await safeJson(foldersRes).catch(() => []); // don't block file render on folder strip issues
if (reqId !== __fileListReqSeq) return data.files;
// --- build ONLY the *direct* children of current folder ---
diff --git a/public/js/main.js b/public/js/main.js
index db14803..e18ef78 100644
--- a/public/js/main.js
+++ b/public/js/main.js
@@ -2,8 +2,6 @@ import { sendRequest } from './networkUtils.js';
import { toggleVisibility, toggleAllCheckboxes, updateFileActionButtons, showToast } from './domUtils.js';
import { initUpload } from './upload.js';
import { initAuth, fetchWithCsrf, checkAuthentication, loadAdminConfigFunc } from './auth.js';
-const _originalFetch = window.fetch;
-window.fetch = fetchWithCsrf;
import { loadFolderTree } from './folderManager.js';
import { setupTrashRestoreDelete } from './trashRestoreDelete.js';
import { initDragAndDrop, loadSidebarOrder, loadHeaderOrder } from './dragAndDrop.js';
@@ -14,14 +12,60 @@ import { initFileActions, renameFile, openDownloadModal, confirmSingleDownload }
import { editFile, saveFile } from './fileEditor.js';
import { t, applyTranslations, setLocale } from './i18n.js';
+/* =========================
+ CSRF HOTFIX UTILITIES
+ ========================= */
+const _nativeFetch = window.fetch; // keep the real fetch
+
+function setCsrfToken(token) {
+ if (!token) return;
+ window.csrfToken = token;
+ localStorage.setItem('csrf', token);
+
+ // meta tag for easy access in other places
+ let meta = document.querySelector('meta[name="csrf-token"]');
+ if (!meta) {
+ meta = document.createElement('meta');
+ meta.name = 'csrf-token';
+ document.head.appendChild(meta);
+ }
+ meta.content = token;
+}
+function getCsrfToken() {
+ return window.csrfToken || localStorage.getItem('csrf') || '';
+}
+
+// Seed CSRF from storage ASAP (before any requests)
+setCsrfToken(getCsrfToken());
+
+// Wrap the existing fetchWithCsrf so we also capture rotated tokens from headers.
+async function fetchWithCsrfAndRefresh(input, init = {}) {
+ const res = await fetchWithCsrf(input, init);
+ try {
+ const rotated = res.headers?.get('X-CSRF-Token');
+ if (rotated) setCsrfToken(rotated);
+ } catch { /* ignore */ }
+ return res;
+}
+
+// Replace global fetch with the wrapped version so *all* callers benefit.
+window.fetch = fetchWithCsrfAndRefresh;
+
+/* =========================
+ APP INIT
+ ========================= */
+
export function initializeApp() {
const saved = parseInt(localStorage.getItem('rowHeight') || '48', 10);
document.documentElement.style.setProperty('--file-row-height', saved + 'px');
+
window.currentFolder = "root";
- initTagSearch();
- loadFileList(window.currentFolder);
const stored = localStorage.getItem('showFoldersInList');
window.showFoldersInList = stored === null ? true : stored === 'true';
+
+ initTagSearch();
+ loadFileList(window.currentFolder);
+
const fileListArea = document.getElementById('fileListContainer');
const uploadArea = document.getElementById('uploadDropArea');
if (fileListArea && uploadArea) {
@@ -35,7 +79,6 @@ export function initializeApp() {
fileListArea.addEventListener('drop', e => {
e.preventDefault();
fileListArea.classList.remove('drop-hover');
- // re-dispatch the same drop into the real upload card
uploadArea.dispatchEvent(new DragEvent('drop', {
dataTransfer: e.dataTransfer,
bubbles: true,
@@ -63,27 +106,36 @@ export function initializeApp() {
}
}
+/**
+ * Bootstrap/refresh CSRF from the server.
+ * Uses the *native* fetch to avoid any wrapper loops and to work even if we don't
+ * yet have a token. Also accepts a rotated token from the response header.
+ */
export function loadCsrfToken() {
- return fetchWithCsrf('/api/auth/token.php', { method: 'GET' })
- .then(res => {
- if (!res.ok) throw new Error(`Token fetch failed with status ${res.status}`);
- return res.json();
- })
- .then(({ csrf_token, share_url }) => {
- window.csrfToken = csrf_token;
+ return _nativeFetch('/api/auth/token.php', { method: 'GET', credentials: 'include' })
+ .then(async res => {
+ // header-based rotation
+ const hdr = res.headers.get('X-CSRF-Token');
+ if (hdr) setCsrfToken(hdr);
- // update CSRF meta
- let meta = document.querySelector('meta[name="csrf-token"]') ||
- Object.assign(document.head.appendChild(document.createElement('meta')), { name: 'csrf-token' });
- meta.content = csrf_token;
+ // body (if provided)
+ let body = {};
+ try { body = await res.json(); } catch { /* token endpoint may return empty */ }
- // force share_url to match wherever we're browsing
+ const token = body.csrf_token || getCsrfToken();
+ setCsrfToken(token);
+
+ // share-url meta should reflect the actual origin
const actualShare = window.location.origin;
- let shareMeta = document.querySelector('meta[name="share-url"]') ||
- Object.assign(document.head.appendChild(document.createElement('meta')), { name: 'share-url' });
+ let shareMeta = document.querySelector('meta[name="share-url"]');
+ if (!shareMeta) {
+ shareMeta = document.createElement('meta');
+ shareMeta.name = 'share-url';
+ document.head.appendChild(shareMeta);
+ }
shareMeta.content = actualShare;
- return { csrf_token, share_url: actualShare };
+ return { csrf_token: token, share_url: actualShare };
});
}
@@ -95,16 +147,15 @@ if (params.get('logout') === '1') {
}
export function triggerLogout() {
- fetch("/api/auth/logout.php", {
+ _nativeFetch("/api/auth/logout.php", {
method: "POST",
credentials: "include",
- headers: { "X-CSRF-Token": window.csrfToken }
+ headers: { "X-CSRF-Token": getCsrfToken() }
})
.then(() => window.location.reload(true))
.catch(() => { });
}
-
// Expose functions for inline handlers.
window.sendRequest = sendRequest;
window.toggleVisibility = toggleVisibility;
@@ -119,105 +170,79 @@ window.openDownloadModal = openDownloadModal;
window.currentFolder = "root";
document.addEventListener("DOMContentLoaded", function () {
+ loadAdminConfigFunc();
- loadAdminConfigFunc(); // Then fetch the latest config and update.
- // Retrieve the saved language from localStorage; default to "en"
+ // i18n
const savedLanguage = localStorage.getItem("language") || "en";
- // Set the locale based on the saved language
setLocale(savedLanguage);
- // Apply the translations to update the UI
applyTranslations();
- // First, load the CSRF token (with retry).
- loadCsrfToken().then(() => {
- // Once CSRF token is loaded, initialize authentication.
- initAuth();
- // Continue with initializations that rely on a valid CSRF token:
- checkAuthentication().then(authenticated => {
- if (authenticated) {
- const overlay = document.getElementById('loadingOverlay');
- if (overlay) overlay.remove();
- initializeApp();
- }
- });
+ // 1) Get/refresh CSRF first
+ loadCsrfToken()
+ .then(() => {
+ // 2) Auth boot
+ initAuth();
- // Other DOM initialization that can happen after CSRF is ready.
- const newPasswordInput = document.getElementById("newPassword");
- if (newPasswordInput) {
- newPasswordInput.addEventListener("input", function () {
- console.log("newPassword input event:", this.value);
+ // 3) If authenticated, start app
+ checkAuthentication().then(authenticated => {
+ if (authenticated) {
+ const overlay = document.getElementById('loadingOverlay');
+ if (overlay) overlay.remove();
+ initializeApp();
+ }
});
- } else {
- console.error("newPassword input not found!");
- }
- // --- Dark Mode Persistence ---
- const darkModeToggle = document.getElementById("darkModeToggle");
- const darkModeIcon = document.getElementById("darkModeIcon");
+ // --- Dark Mode Persistence ---
+ const darkModeToggle = document.getElementById("darkModeToggle");
+ const darkModeIcon = document.getElementById("darkModeIcon");
- if (darkModeToggle && darkModeIcon) {
- // 1) Load stored preference (or null)
- let stored = localStorage.getItem("darkMode");
- const hasStored = stored !== null;
+ if (darkModeToggle && darkModeIcon) {
+ let stored = localStorage.getItem("darkMode");
+ const hasStored = stored !== null;
- // 2) Determine initial mode
- const isDark = hasStored
- ? (stored === "true")
- : (window.matchMedia && window.matchMedia("(prefers-color-scheme: dark)").matches);
+ const isDark = hasStored
+ ? (stored === "true")
+ : (window.matchMedia && window.matchMedia("(prefers-color-scheme: dark)").matches);
- document.body.classList.toggle("dark-mode", isDark);
- darkModeToggle.classList.toggle("active", isDark);
+ document.body.classList.toggle("dark-mode", isDark);
+ darkModeToggle.classList.toggle("active", isDark);
- // 3) Helper to update icon & aria-label
- function updateIcon() {
- const dark = document.body.classList.contains("dark-mode");
- darkModeIcon.textContent = dark ? "light_mode" : "dark_mode";
- darkModeToggle.setAttribute(
- "aria-label",
- dark ? t("light_mode") : t("dark_mode")
- );
- darkModeToggle.setAttribute(
- "title",
- dark
- ? t("switch_to_light_mode")
- : t("switch_to_dark_mode")
- );
- }
-
- updateIcon();
-
- // 4) Click handler: always override and store preference
- darkModeToggle.addEventListener("click", () => {
- const nowDark = document.body.classList.toggle("dark-mode");
- localStorage.setItem("darkMode", nowDark ? "true" : "false");
+ function updateIcon() {
+ const dark = document.body.classList.contains("dark-mode");
+ darkModeIcon.textContent = dark ? "light_mode" : "dark_mode";
+ darkModeToggle.setAttribute("aria-label", dark ? t("light_mode") : t("dark_mode"));
+ darkModeToggle.setAttribute("title", dark ? t("switch_to_light_mode") : t("switch_to_dark_mode"));
+ }
updateIcon();
- });
- // 5) OS‐level change: only if no stored pref at load
- if (!hasStored && window.matchMedia) {
- window
- .matchMedia("(prefers-color-scheme: dark)")
- .addEventListener("change", e => {
+ darkModeToggle.addEventListener("click", () => {
+ const nowDark = document.body.classList.toggle("dark-mode");
+ localStorage.setItem("darkMode", nowDark ? "true" : "false");
+ updateIcon();
+ });
+
+ if (!hasStored && window.matchMedia) {
+ window.matchMedia("(prefers-color-scheme: dark)").addEventListener("change", e => {
document.body.classList.toggle("dark-mode", e.matches);
updateIcon();
});
+ }
}
- }
- // --- End Dark Mode Persistence ---
+ // --- End Dark Mode Persistence ---
- const message = sessionStorage.getItem("welcomeMessage");
- if (message) {
- showToast(message);
- sessionStorage.removeItem("welcomeMessage");
- }
- }).catch(error => {
- console.error("Initialization halted due to CSRF token load failure.", error);
- });
+ const message = sessionStorage.getItem("welcomeMessage");
+ if (message) {
+ showToast(message);
+ sessionStorage.removeItem("welcomeMessage");
+ }
+ })
+ .catch(error => {
+ console.error("Initialization halted due to CSRF token load failure.", error);
+ });
// --- Auto-scroll During Drag ---
- const SCROLL_THRESHOLD = 50; // pixels from edge to start scrolling
- const SCROLL_SPEED = 20; // pixels to scroll per event
-
+ const SCROLL_THRESHOLD = 50;
+ const SCROLL_SPEED = 20;
document.addEventListener("dragover", function (e) {
if (e.clientY < SCROLL_THRESHOLD) {
window.scrollBy(0, -SCROLL_SPEED);
diff --git a/src/controllers/AdminController.php b/src/controllers/AdminController.php
index 855ad1d..759afbd 100644
--- a/src/controllers/AdminController.php
+++ b/src/controllers/AdminController.php
@@ -53,6 +53,17 @@ class AdminController
public function getConfig(): void
{
header('Content-Type: application/json');
+
+ // Require authenticated admin to read config (prevents information disclosure)
+ if (
+ empty($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true ||
+ empty($_SESSION['isAdmin'])
+ ) {
+ http_response_code(403);
+ echo json_encode(['error' => 'Unauthorized access.']);
+ exit;
+ }
+
$config = AdminModel::getConfig();
if (isset($config['error'])) {
http_response_code(500);
@@ -62,14 +73,14 @@ class AdminController
// Build a safe subset for the front-end
$safe = [
- 'header_title' => $config['header_title'],
- 'loginOptions' => $config['loginOptions'],
- 'globalOtpauthUrl' => $config['globalOtpauthUrl'],
- 'enableWebDAV' => $config['enableWebDAV'],
- 'sharedMaxUploadSize' => $config['sharedMaxUploadSize'],
+ 'header_title' => $config['header_title'] ?? '',
+ 'loginOptions' => $config['loginOptions'] ?? [],
+ 'globalOtpauthUrl' => $config['globalOtpauthUrl'] ?? '',
+ 'enableWebDAV' => $config['enableWebDAV'] ?? false,
+ 'sharedMaxUploadSize' => $config['sharedMaxUploadSize'] ?? 0,
'oidc' => [
- 'providerUrl' => $config['oidc']['providerUrl'],
- 'redirectUri' => $config['oidc']['redirectUri'],
+ 'providerUrl' => $config['oidc']['providerUrl'] ?? '',
+ 'redirectUri' => $config['oidc']['redirectUri'] ?? '',
// clientSecret and clientId never exposed here
],
];
@@ -137,106 +148,186 @@ class AdminController
* @return void Outputs a JSON response indicating success or failure.
*/
public function updateConfig(): void
-{
- header('Content-Type: application/json');
+ {
+ header('Content-Type: application/json');
- // —– auth & CSRF checks —–
- if (
- !isset($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true ||
- !isset($_SESSION['isAdmin']) || !$_SESSION['isAdmin']
- ) {
- http_response_code(403);
- echo json_encode(['error' => 'Unauthorized access.']);
- exit;
- }
- $headersArr = array_change_key_case(getallheaders(), CASE_LOWER);
- $receivedToken = trim($headersArr['x-csrf-token'] ?? ($_POST['csrfToken'] ?? ''));
- if (!isset($_SESSION['csrf_token']) || $receivedToken !== $_SESSION['csrf_token']) {
- http_response_code(403);
- echo json_encode(['error' => 'Invalid CSRF token.']);
- exit;
- }
-
- // —– fetch payload —–
- $data = json_decode(file_get_contents('php://input'), true);
- if (!is_array($data)) {
- http_response_code(400);
- echo json_encode(['error' => 'Invalid input.']);
- exit;
- }
-
- // —– load existing on-disk config —–
- $existing = AdminModel::getConfig();
-
- // —– start merge with existing as base —–
- $merged = $existing;
-
- // header_title
- if (array_key_exists('header_title', $data)) {
- $merged['header_title'] = trim($data['header_title']);
- }
-
- // loginOptions: inherit existing then override if provided
- $merged['loginOptions'] = $existing['loginOptions'] ?? [
- 'disableFormLogin' => false,
- 'disableBasicAuth' => false,
- 'disableOIDCLogin'=> true,
- 'authBypass' => false,
- 'authHeaderName' => 'X-Remote-User'
- ];
- foreach (['disableFormLogin','disableBasicAuth','disableOIDCLogin','authBypass'] as $flag) {
- if (isset($data['loginOptions'][$flag])) {
- $merged['loginOptions'][$flag] = filter_var(
- $data['loginOptions'][$flag],
- FILTER_VALIDATE_BOOLEAN
- );
+ // —– auth & CSRF checks —–
+ if (
+ !isset($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true ||
+ !isset($_SESSION['isAdmin']) || !$_SESSION['isAdmin']
+ ) {
+ http_response_code(403);
+ echo json_encode(['error' => 'Unauthorized access.']);
+ exit;
}
- }
- if (isset($data['loginOptions']['authHeaderName'])) {
- $hdr = trim($data['loginOptions']['authHeaderName']);
- if ($hdr !== '') {
- $merged['loginOptions']['authHeaderName'] = $hdr;
+ $headersArr = array_change_key_case(getallheaders(), CASE_LOWER);
+ $receivedToken = trim($headersArr['x-csrf-token'] ?? ($_POST['csrfToken'] ?? ''));
+ if (!isset($_SESSION['csrf_token']) || $receivedToken !== $_SESSION['csrf_token']) {
+ http_response_code(403);
+ echo json_encode(['error' => 'Invalid CSRF token.']);
+ exit;
}
- }
- // globalOtpauthUrl
- if (array_key_exists('globalOtpauthUrl', $data)) {
- $merged['globalOtpauthUrl'] = trim($data['globalOtpauthUrl']);
- }
+ // —– fetch payload —–
+ $data = json_decode(file_get_contents('php://input'), true);
+ if (!is_array($data)) {
+ http_response_code(400);
+ echo json_encode(['error' => 'Invalid input.']);
+ exit;
+ }
- // enableWebDAV
- if (array_key_exists('enableWebDAV', $data)) {
- $merged['enableWebDAV'] = filter_var($data['enableWebDAV'], FILTER_VALIDATE_BOOLEAN);
- }
+ // —– load existing on-disk config —–
+ $existing = AdminModel::getConfig();
+ if (isset($existing['error'])) {
+ http_response_code(500);
+ echo json_encode(['error' => $existing['error']]);
+ exit;
+ }
- // sharedMaxUploadSize
- if (array_key_exists('sharedMaxUploadSize', $data)) {
- $sms = filter_var($data['sharedMaxUploadSize'], FILTER_VALIDATE_INT);
- if ($sms !== false) {
+ // —– start merge with existing as base —–
+ // Ensure minimal structure if the file was partially missing.
+ $merged = $existing + [
+ 'header_title' => '',
+ 'loginOptions' => [
+ 'disableFormLogin' => false,
+ 'disableBasicAuth' => false,
+ 'disableOIDCLogin' => true,
+ 'authBypass' => false,
+ 'authHeaderName' => 'X-Remote-User'
+ ],
+ 'globalOtpauthUrl' => '',
+ 'enableWebDAV' => false,
+ 'sharedMaxUploadSize' => 0,
+ 'oidc' => [
+ 'providerUrl' => '',
+ 'clientId' => '',
+ 'clientSecret'=> '',
+ 'redirectUri' => ''
+ ],
+ ];
+
+ // header_title (cap length and strip control chars)
+ if (array_key_exists('header_title', $data)) {
+ $title = trim((string)$data['header_title']);
+ $title = preg_replace('/[\x00-\x1F\x7F]/', '', $title);
+ if (mb_strlen($title) > 100) { // hard cap
+ $title = mb_substr($title, 0, 100);
+ }
+ $merged['header_title'] = $title;
+ }
+
+ // loginOptions: inherit existing then override if provided
+ foreach (['disableFormLogin','disableBasicAuth','disableOIDCLogin','authBypass'] as $flag) {
+ if (isset($data['loginOptions'][$flag])) {
+ $merged['loginOptions'][$flag] = filter_var(
+ $data['loginOptions'][$flag],
+ FILTER_VALIDATE_BOOLEAN
+ );
+ }
+ }
+ if (isset($data['loginOptions']['authHeaderName'])) {
+ $hdr = trim((string)$data['loginOptions']['authHeaderName']);
+ // very restrictive header-name pattern: letters, numbers, dashes
+ if ($hdr !== '' && preg_match('/^[A-Za-z0-9\-]+$/', $hdr)) {
+ $merged['loginOptions']['authHeaderName'] = $hdr;
+ } else {
+ http_response_code(400);
+ echo json_encode(['error' => 'Invalid authHeaderName.']);
+ exit;
+ }
+ }
+
+ // globalOtpauthUrl
+ if (array_key_exists('globalOtpauthUrl', $data)) {
+ $merged['globalOtpauthUrl'] = trim((string)$data['globalOtpauthUrl']);
+ }
+
+ // enableWebDAV
+ if (array_key_exists('enableWebDAV', $data)) {
+ $merged['enableWebDAV'] = filter_var($data['enableWebDAV'], FILTER_VALIDATE_BOOLEAN);
+ }
+
+ // sharedMaxUploadSize
+ if (array_key_exists('sharedMaxUploadSize', $data)) {
+ $sms = filter_var($data['sharedMaxUploadSize'], FILTER_VALIDATE_INT);
+ if ($sms === false || $sms < 0) {
+ http_response_code(400);
+ echo json_encode(['error' => 'sharedMaxUploadSize must be a non-negative integer (bytes).']);
+ exit;
+ }
+ // Clamp to PHP limits to avoid confusing UX
+ $maxPost = self::iniToBytes(ini_get('post_max_size'));
+ $maxFile = self::iniToBytes(ini_get('upload_max_filesize'));
+ $phpCap = min($maxPost ?: PHP_INT_MAX, $maxFile ?: PHP_INT_MAX);
+ if ($phpCap !== PHP_INT_MAX && $sms > $phpCap) {
+ $sms = $phpCap;
+ }
$merged['sharedMaxUploadSize'] = $sms;
}
- }
- // oidc: only overwrite non-empty inputs
- $merged['oidc'] = $existing['oidc'] ?? [
- 'providerUrl'=>'','clientId'=>'','clientSecret'=>'','redirectUri'=>''
- ];
- foreach (['providerUrl','clientId','clientSecret','redirectUri'] as $f) {
- if (!empty($data['oidc'][$f])) {
- $val = trim($data['oidc'][$f]);
- if ($f === 'providerUrl' || $f === 'redirectUri') {
- $val = filter_var($val, FILTER_SANITIZE_URL);
+ // oidc: only overwrite non-empty inputs; validate when enabling OIDC
+ foreach (['providerUrl','clientId','clientSecret','redirectUri'] as $f) {
+ if (!empty($data['oidc'][$f])) {
+ $val = trim((string)$data['oidc'][$f]);
+ if ($f === 'providerUrl' || $f === 'redirectUri') {
+ $val = filter_var($val, FILTER_SANITIZE_URL);
+ }
+ $merged['oidc'][$f] = $val;
}
- $merged['oidc'][$f] = $val;
}
+
+ // If OIDC login is enabled, ensure required fields are present and sane
+ $oidcEnabled = !empty($merged['loginOptions']['disableOIDCLogin']) ? false : true;
+ if ($oidcEnabled) {
+ $prov = $merged['oidc']['providerUrl'] ?? '';
+ $rid = $merged['oidc']['redirectUri'] ?? '';
+ $cid = $merged['oidc']['clientId'] ?? '';
+ // clientSecret may be empty for some PKCE-only flows, but commonly needed for code flow.
+ if ($prov === '' || $rid === '' || $cid === '') {
+ http_response_code(400);
+ echo json_encode(['error' => 'OIDC is enabled but providerUrl, redirectUri, and clientId are required.']);
+ exit;
+ }
+ // Require https except for localhost development
+ $httpsOk = function(string $url): bool {
+ if ($url === '') return false;
+ $parts = parse_url($url);
+ if (!$parts || empty($parts['scheme'])) return false;
+ if ($parts['scheme'] === 'https') return true;
+ if ($parts['scheme'] === 'http' && (isset($parts['host']) && ($parts['host'] === 'localhost' || $parts['host'] === '127.0.0.1'))) {
+ return true;
+ }
+ return false;
+ };
+ if (!$httpsOk($prov) || !$httpsOk($rid)) {
+ http_response_code(400);
+ echo json_encode(['error' => 'providerUrl and redirectUri must be https (or http on localhost)']);
+ exit;
+ }
+ }
+
+ // —– persist merged config —–
+ $result = AdminModel::updateConfig($merged);
+ if (isset($result['error'])) {
+ http_response_code(500);
+ }
+ echo json_encode($result);
+ exit;
}
- // —– persist merged config —–
- $result = AdminModel::updateConfig($merged);
- if (isset($result['error'])) {
- http_response_code(500);
+ /** Convert php.ini shorthand like "128M" to bytes */
+ private static function iniToBytes($val)
+ {
+ if ($val === false || $val === null || $val === '') return 0;
+ $val = trim((string)$val);
+ $last = strtolower($val[strlen($val)-1]);
+ $num = (int)$val;
+ switch ($last) {
+ case 'g': $num *= 1024;
+ case 'm': $num *= 1024;
+ case 'k': $num *= 1024;
+ }
+ return $num;
}
- echo json_encode($result);
- exit;
}
-}
\ No newline at end of file
+?>
\ No newline at end of file
diff --git a/src/controllers/FileController.php b/src/controllers/FileController.php
index 6275396..ef38d00 100644
--- a/src/controllers/FileController.php
+++ b/src/controllers/FileController.php
@@ -3,9 +3,163 @@
require_once __DIR__ . '/../../config/config.php';
require_once PROJECT_ROOT . '/src/models/FileModel.php';
+require_once PROJECT_ROOT . '/src/models/UserModel.php';
+
class FileController
{
+ /* =========================
+ * Permission helpers (fail-closed)
+ * ========================= */
+ private function isAdmin(array $perms): bool {
+ // explicit flags in permissions blob
+ if (!empty($perms['admin']) || !empty($perms['isAdmin'])) return true;
+
+ // session-based flags commonly set at login
+ if (!empty($_SESSION['isAdmin']) && $_SESSION['isAdmin'] === true) return true;
+
+ // sometimes apps store role in session
+ $role = $_SESSION['role'] ?? null;
+ if ($role === 'admin' || $role === '1' || $role === 1) return true;
+
+ // definitive fallback: read users.txt role ("1" means admin)
+ $u = $_SESSION['username'] ?? '';
+ if ($u) {
+ $roleStr = userModel::getUserRole($u);
+ if ($roleStr === '1') return true;
+ }
+ return false;
+ }
+
+ private function isFolderOnly(array $perms): bool {
+ return !empty($perms['folderOnly']) || !empty($perms['userFolderOnly']) || !empty($perms['UserFolderOnly']);
+ }
+
+ private function getMetadataPath(string $folder): string {
+ $folder = trim($folder);
+ if ($folder === '' || strtolower($folder) === 'root') {
+ return META_DIR . 'root_metadata.json';
+ }
+ return META_DIR . str_replace(['/', '\\', ' '], '-', $folder) . '_metadata.json';
+ }
+
+ private function loadFolderMetadata(string $folder): array {
+ $meta = $this->getMetadataPath($folder);
+ if (file_exists($meta)) {
+ $data = json_decode(file_get_contents($meta), true);
+ if (is_array($data)) return $data;
+ }
+ return [];
+ }
+
+ // Always return an array for user permissions.
+ private function loadPerms(string $username): array
+ {
+ try {
+ if (function_exists('loadUserPermissions')) {
+ $p = loadUserPermissions($username);
+ return is_array($p) ? $p : [];
+ }
+ if (class_exists('userModel') && method_exists('userModel', 'getUserPermissions')) {
+ $all = userModel::getUserPermissions();
+ if (is_array($all)) {
+ if (isset($all[$username])) return (array)$all[$username];
+ $lk = strtolower($username);
+ if (isset($all[$lk])) return (array)$all[$lk];
+ }
+ }
+ } catch (\Throwable $e) { /* ignore */ }
+ return [];
+ }
+
+ /** Enforce that (a) folder-only users act only in their subtree, and
+ * (b) non-admins own all files in the provided list (metadata.uploader === $username).
+ * Returns an error string on violation, or null if ok. */
+ private function enforceScopeAndOwnership(string $folder, array $files, string $username, array $userPermissions): ?string {
+ $ignoreOwnership = $this->isAdmin($userPermissions)
+ || ($userPermissions['bypassOwnership'] ?? (defined('DEFAULT_BYPASS_OWNERSHIP') ? DEFAULT_BYPASS_OWNERSHIP : false));
+
+ // Folder-only users must stay in "" subtree
+ if ($this->isFolderOnly($userPermissions) && !$this->isAdmin($userPermissions)) {
+ $folder = trim($folder);
+ if ($folder !== '' && strtolower($folder) !== 'root') {
+ if ($folder !== $username && strpos($folder, $username . '/') !== 0) {
+ return "Forbidden: folder scope violation.";
+ }
+ }
+ }
+
+ if ($ignoreOwnership) return null;
+
+ $metadata = $this->loadFolderMetadata($folder);
+ foreach ($files as $f) {
+ $name = basename((string)$f);
+ if (!isset($metadata[$name]['uploader']) || strcasecmp($metadata[$name]['uploader'], $username) !== 0) {
+ return "Forbidden: you are not the owner of '{$name}'.";
+ }
+ }
+ return null;
+ }
+
+ private function enforceFolderScope(string $folder, string $username, array $userPermissions): ?string {
+ if ($this->isAdmin($userPermissions)) return null;
+ if (!$this->isFolderOnly($userPermissions)) return null;
+
+ $folder = trim($folder);
+ if ($folder !== '' && strtolower($folder) !== 'root') {
+ if ($folder !== $username && strpos($folder, $username . '/') !== 0) {
+ return "Forbidden: folder scope violation.";
+ }
+ }
+ return null;
+ }
+
+ // --- JSON/session/error helpers (non-breaking additions) ---
+private function _jsonStart(): void {
+ if (session_status() !== PHP_SESSION_ACTIVE) session_start();
+ header('Content-Type: application/json; charset=utf-8');
+ // Turn notices/warnings into exceptions so we can return JSON instead of HTML
+ set_error_handler(function ($severity, $message, $file, $line) {
+ if (!(error_reporting() & $severity)) return; // respect @-silence
+ throw new ErrorException($message, 0, $severity, $file, $line);
+ });
+}
+
+private function _jsonEnd(): void {
+ restore_error_handler();
+}
+
+private function _jsonOut(array $payload, int $status = 200): void {
+ http_response_code($status);
+ echo json_encode($payload, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+}
+
+private function _checkCsrf(): bool {
+ $headersArr = function_exists('getallheaders')
+ ? array_change_key_case(getallheaders(), CASE_LOWER)
+ : [];
+ $receivedToken = $headersArr['x-csrf-token'] ?? '';
+ if (!isset($_SESSION['csrf_token']) || $receivedToken !== $_SESSION['csrf_token']) {
+ $this->_jsonOut(['error' => 'Invalid CSRF token'], 403);
+ return false;
+ }
+ return true;
+}
+
+private function _requireAuth(): bool {
+ if (empty($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true) {
+ $this->_jsonOut(['error' => 'Unauthorized'], 401);
+ return false;
+ }
+ return true;
+}
+
+private function _readJsonBody(): array {
+ $raw = file_get_contents('php://input');
+ $data = json_decode($raw, true);
+ return is_array($data) ? $data : [];
+}
+
/**
* @OA\Post(
* path="/api/file/copyFiles.php",
@@ -73,8 +227,8 @@ class FileController
// Check user permissions (assuming loadUserPermissions() is available).
$username = $_SESSION['username'] ?? '';
- $userPermissions = loadUserPermissions($username);
- if (!empty($userPermissions['readOnly'])) {
+ $userPermissions = $this->loadPerms($username);
+ if (!$this->isAdmin($userPermissions) && !empty($userPermissions['readOnly'])) {
echo json_encode(["error" => "Read-only users are not allowed to copy files."]);
exit;
}
@@ -106,6 +260,12 @@ class FileController
exit;
}
+ // Scope + ownership on source; scope on destination
+ $violation = $this->enforceScopeAndOwnership($sourceFolder, $files, $username, $userPermissions);
+ if ($violation) { http_response_code(403); echo json_encode(["error"=>$violation]); return; }
+ $dv = $this->enforceFolderScope($destinationFolder, $username, $userPermissions);
+ if ($dv) { http_response_code(403); echo json_encode(["error"=>$dv]); return; }
+
// Delegate to the model.
$result = FileModel::copyFiles($sourceFolder, $destinationFolder, $files);
echo json_encode($result);
@@ -177,7 +337,7 @@ class FileController
// Load user's permissions.
$username = $_SESSION['username'] ?? '';
- $userPermissions = loadUserPermissions($username);
+ $userPermissions = $this->loadPerms($username);
if ($username && isset($userPermissions['readOnly']) && $userPermissions['readOnly'] === true) {
echo json_encode(["error" => "Read-only users are not allowed to delete files."]);
exit;
@@ -199,6 +359,10 @@ class FileController
}
$folder = trim($folder, "/\\ ");
+ // Scope + ownership
+ $violation = $this->enforceScopeAndOwnership($folder, $data['files'], $username, $userPermissions);
+ if ($violation) { http_response_code(403); echo json_encode(["error"=>$violation]); return; }
+
// Delegate to the FileModel.
$result = FileModel::deleteFiles($folder, $data['files']);
echo json_encode($result);
@@ -271,8 +435,8 @@ class FileController
// Verify that the user is not read-only.
$username = $_SESSION['username'] ?? '';
- $userPermissions = loadUserPermissions($username);
- if (!empty($userPermissions['readOnly'])) {
+ $userPermissions = $this->loadPerms($username);
+ if (!$this->isAdmin($userPermissions) && !empty($userPermissions['readOnly'])) {
echo json_encode(["error" => "Read-only users are not allowed to move files."]);
exit;
}
@@ -303,6 +467,12 @@ class FileController
exit;
}
+ // Scope + ownership on source; scope on destination
+ $violation = $this->enforceScopeAndOwnership($sourceFolder, $data['files'], $username, $userPermissions);
+ if ($violation) { http_response_code(403); echo json_encode(["error"=>$violation]); return; }
+ $dv = $this->enforceFolderScope($destinationFolder, $username, $userPermissions);
+ if ($dv) { http_response_code(403); echo json_encode(["error"=>$dv]); return; }
+
// Delegate to the model.
$result = FileModel::moveFiles($sourceFolder, $destinationFolder, $data['files']);
echo json_encode($result);
@@ -351,64 +521,63 @@ class FileController
* @return void Outputs a JSON response.
*/
public function renameFile()
- {
- header('Content-Type: application/json');
- header("Cache-Control: no-cache, no-store, must-revalidate");
- header("Pragma: no-cache");
- header("Expires: 0");
+{
+ $this->_jsonStart();
+ try {
+ if (!$this->_checkCsrf()) return;
+ if (!$this->_requireAuth()) return;
- // --- CSRF Protection ---
- $headersArr = array_change_key_case(getallheaders(), CASE_LOWER);
- $receivedToken = isset($headersArr['x-csrf-token']) ? trim($headersArr['x-csrf-token']) : '';
- if (!isset($_SESSION['csrf_token']) || $receivedToken !== $_SESSION['csrf_token']) {
- http_response_code(403);
- echo json_encode(["error" => "Invalid CSRF token"]);
- exit;
- }
-
- // Ensure user is authenticated.
- if (!isset($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true) {
- http_response_code(401);
- echo json_encode(["error" => "Unauthorized"]);
- exit;
- }
-
- // Verify user permissions.
$username = $_SESSION['username'] ?? '';
- $userPermissions = loadUserPermissions($username);
- if ($username && isset($userPermissions['readOnly']) && $userPermissions['readOnly'] === true) {
- echo json_encode(["error" => "Read-only users are not allowed to rename files."]);
- exit;
+ $userPermissions = $this->loadPerms($username);
+ if (!$this->isAdmin($userPermissions) && !empty($userPermissions['readOnly'])) {
+ $this->_jsonOut(["error" => "Read-only users are not allowed to rename files."], 403);
+ return;
}
- // Get JSON input.
- $data = json_decode(file_get_contents("php://input"), true);
- if (!$data || !isset($data['folder']) || !isset($data['oldName']) || !isset($data['newName'])) {
- http_response_code(400);
- echo json_encode(["error" => "Invalid input"]);
- exit;
+ $data = $this->_readJsonBody();
+ if (!$data || !isset($data['folder'], $data['oldName'], $data['newName'])) {
+ $this->_jsonOut(["error" => "Invalid input"], 400);
+ return;
}
- $folder = trim($data['folder']) ?: 'root';
- // Validate folder: allow letters, numbers, underscores, dashes, spaces, and forward slashes.
+ $folder = trim((string)$data['folder']) ?: 'root';
+ $oldName = basename(trim((string)$data['oldName']));
+ $newName = basename(trim((string)$data['newName']));
+
if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) {
- echo json_encode(["error" => "Invalid folder name"]);
- exit;
+ $this->_jsonOut(["error" => "Invalid folder name"], 400);
+ return;
+ }
+ if ($oldName === '' || !preg_match(REGEX_FILE_NAME, $oldName)) {
+ $this->_jsonOut(["error" => "Invalid old file name."], 400);
+ return;
+ }
+ if ($newName === '' || !preg_match(REGEX_FILE_NAME, $newName)) {
+ $this->_jsonOut(["error" => "Invalid new file name."], 400);
+ return;
}
- $oldName = basename(trim($data['oldName']));
- $newName = basename(trim($data['newName']));
+ // Non-admin must own the original
+ $violation = $this->enforceScopeAndOwnership($folder, [$oldName], $username, $userPermissions);
+ if ($violation) { $this->_jsonOut(["error"=>$violation], 403); return; }
- // Validate file names.
- if (!preg_match(REGEX_FILE_NAME, $oldName) || !preg_match(REGEX_FILE_NAME, $newName)) {
- echo json_encode(["error" => "Invalid file name."]);
- exit;
- }
-
- // Delegate the renaming operation to the model.
$result = FileModel::renameFile($folder, $oldName, $newName);
- echo json_encode($result);
+ if (!is_array($result)) {
+ throw new RuntimeException('FileModel::renameFile returned non-array');
+ }
+ if (isset($result['error'])) {
+ $this->_jsonOut($result, 400);
+ return;
+ }
+ $this->_jsonOut($result);
+
+ } catch (Throwable $e) {
+ error_log('FileController::renameFile error: '.$e->getMessage().' @ '.$e->getFile().':'.$e->getLine());
+ $this->_jsonOut(['error' => 'Internal server error while renaming file.'], 500);
+ } finally {
+ $this->_jsonEnd();
}
+}
/**
* @OA\Post(
@@ -452,63 +621,75 @@ class FileController
* @return void Outputs a JSON response.
*/
public function saveFile()
- {
- header('Content-Type: application/json');
-
- // --- CSRF Protection ---
- $headersArr = array_change_key_case(getallheaders(), CASE_LOWER);
- $receivedToken = $headersArr['x-csrf-token'] ?? '';
- if (!isset($_SESSION['csrf_token']) || $receivedToken !== $_SESSION['csrf_token']) {
- http_response_code(403);
- echo json_encode(["error" => "Invalid CSRF token"]);
- exit;
- }
-
- // --- Authentication Check ---
- if (empty($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true) {
- http_response_code(401);
- echo json_encode(["error" => "Unauthorized"]);
- exit;
- }
+{
+ $this->_jsonStart();
+ try {
+ if (!$this->_checkCsrf()) return;
+ if (!$this->_requireAuth()) return;
$username = $_SESSION['username'] ?? '';
- // --- Read‑only check ---
- $userPermissions = loadUserPermissions($username);
- if ($username && !empty($userPermissions['readOnly'])) {
- echo json_encode(["error" => "Read-only users are not allowed to save files."]);
- exit;
+ $userPermissions = $this->loadPerms($username);
+ if (!$this->isAdmin($userPermissions) && !empty($userPermissions['readOnly'])) {
+ $this->_jsonOut(["error" => "Read-only users are not allowed to save files."], 403);
+ return;
}
- // --- Input parsing ---
- $data = json_decode(file_get_contents("php://input"), true);
+ $data = $this->_readJsonBody();
if (empty($data) || !isset($data["fileName"], $data["content"])) {
- http_response_code(400);
- echo json_encode(["error" => "Invalid request data", "received" => $data]);
- exit;
+ $this->_jsonOut(["error" => "Invalid request data"], 400);
+ return;
}
- $fileName = basename($data["fileName"]);
- $folder = isset($data["folder"]) ? trim($data["folder"]) : "root";
+ $fileName = basename(trim((string)$data["fileName"]));
+ $folder = isset($data["folder"]) ? trim((string)$data["folder"]) : "root";
- // --- Folder validation ---
+ if ($fileName === '' || !preg_match(REGEX_FILE_NAME, $fileName)) {
+ $this->_jsonOut(["error" => "Invalid file name."], 400);
+ return;
+ }
if (strtolower($folder) !== "root" && !preg_match(REGEX_FOLDER_NAME, $folder)) {
- echo json_encode(["error" => "Invalid folder name"]);
- exit;
+ $this->_jsonOut(["error" => "Invalid folder name"], 400);
+ return;
}
- $folder = trim($folder, "/\\ ");
- // --- Delegate to model, passing the uploader ---
- // Make sure FileModel::saveFile signature is:
- // saveFile(string $folder, string $fileName, $content, ?string $uploader = null)
- $result = FileModel::saveFile(
- $folder,
- $fileName,
- $data["content"],
- $username // ← pass the real uploader here
- );
+ // Folder-only users may only write within their scope
+ $dv = $this->enforceFolderScope($folder, $username, $userPermissions);
+ if ($dv) { $this->_jsonOut(["error"=>$dv], 403); return; }
- echo json_encode($result);
+ // If overwriting, enforce ownership for non-admins
+ $baseDir = rtrim(UPLOAD_DIR, '/\\');
+ $dir = (strtolower($folder) === 'root') ? $baseDir : $baseDir . DIRECTORY_SEPARATOR . $folder;
+ $path = $dir . DIRECTORY_SEPARATOR . $fileName;
+ if (is_file($path)) {
+ $violation = $this->enforceScopeAndOwnership($folder, [$fileName], $username, $userPermissions);
+ if ($violation) { $this->_jsonOut(["error"=>$violation], 403); return; }
+ }
+
+ // Server-side guard: block saving executable/server-side script types
+ $deny = ['php','phtml','phar','php3','php4','php5','php7','php8','pht','shtml','cgi','fcgi'];
+ $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
+ if (in_array($ext, $deny, true)) {
+ $this->_jsonOut(['error' => 'Saving this file type is not allowed.'], 400);
+ return;
+ }
+
+ $result = FileModel::saveFile($folder, $fileName, (string)$data["content"], $username);
+ if (!is_array($result)) {
+ throw new RuntimeException('FileModel::saveFile returned non-array');
+ }
+ if (isset($result['error'])) {
+ $this->_jsonOut($result, 400);
+ return;
+ }
+ $this->_jsonOut($result);
+
+ } catch (Throwable $e) {
+ error_log('FileController::saveFile error: '.$e->getMessage().' @ '.$e->getFile().':'.$e->getLine());
+ $this->_jsonOut(['error' => 'Internal server error while saving file.'], 500);
+ } finally {
+ $this->_jsonEnd();
}
+}
/**
* @OA\Get(
@@ -582,6 +763,23 @@ class FileController
exit;
}
+// Ownership enforcement (allow admin OR bypassOwnership)
+$username = $_SESSION['username'] ?? '';
+$userPermissions = $this->loadPerms($username);
+
+$ignoreOwnership = $this->isAdmin($userPermissions)
+ || ($userPermissions['bypassOwnership'] ?? (defined('DEFAULT_BYPASS_OWNERSHIP') ? DEFAULT_BYPASS_OWNERSHIP : false));
+
+if (!$ignoreOwnership) {
+ $meta = $this->loadFolderMetadata($folder);
+ if (!isset($meta[$file]['uploader']) || $meta[$file]['uploader'] !== $username) {
+ http_response_code(403);
+ echo json_encode(["error" => "Forbidden: you are not the owner of this file."]);
+ exit;
+ }
+}
+
+
// Retrieve download info from the model.
$downloadInfo = FileModel::getDownloadInfo($folder, $file);
if (isset($downloadInfo['error'])) {
@@ -676,6 +874,13 @@ class FileController
exit;
}
+ if (!$this->isAdmin($userPermissions) && array_key_exists('canZip', $userPermissions) && !$userPermissions['canZip']) {
+ http_response_code(403);
+ header('Content-Type: application/json');
+ echo json_encode(["error" => "ZIP downloads are not allowed for your account."]);
+ exit;
+ }
+
// Read and decode JSON input.
$data = json_decode(file_get_contents("php://input"), true);
if (!is_array($data) || !isset($data['folder']) || !isset($data['files']) || !is_array($data['files'])) {
@@ -701,6 +906,22 @@ class FileController
}
}
+// Ownership enforcement (allow admin OR bypassOwnership)
+$username = $_SESSION['username'] ?? '';
+$userPermissions = $this->loadPerms($username);
+
+$ignoreOwnership = $this->isAdmin($userPermissions)
+ || ($userPermissions['bypassOwnership'] ?? (defined('DEFAULT_BYPASS_OWNERSHIP') ? DEFAULT_BYPASS_OWNERSHIP : false));
+
+if (!$ignoreOwnership) {
+ $meta = $this->loadFolderMetadata($folder);
+ if (!isset($meta[$file]['uploader']) || $meta[$file]['uploader'] !== $username) {
+ http_response_code(403);
+ echo json_encode(["error" => "Forbidden: you are not the owner of this file."]);
+ exit;
+ }
+}
+
// Create ZIP archive using FileModel.
$result = FileModel::createZipArchive($folder, $files);
if (isset($result['error'])) {
@@ -819,6 +1040,12 @@ class FileController
}
}
+ // Folder-only users can only extract inside their subtree
+ $username = $_SESSION['username'] ?? '';
+ $userPermissions = $this->loadPerms($username);
+ $dv = $this->enforceFolderScope($folder, $username, $userPermissions);
+ if ($dv) { http_response_code(403); echo json_encode(["error"=>$dv]); return; }
+
// Delegate to the model.
$result = FileModel::extractZipArchive($folder, $files);
echo json_encode($result);
@@ -1078,13 +1305,19 @@ class FileController
// Check user permissions.
$username = $_SESSION['username'] ?? '';
- $userPermissions = loadUserPermissions($username);
- if ($username && !empty($userPermissions['readOnly'])) {
+ $userPermissions = $this->loadPerms($username);
+ if (!$this->isAdmin($userPermissions) && !empty($userPermissions['readOnly'])) {
http_response_code(403);
echo json_encode(["error" => "Read-only users are not allowed to create share links."]);
exit;
}
+ if (!$this->isAdmin($userPermissions) && array_key_exists('canShare', $userPermissions) && !$userPermissions['canShare']) {
+ http_response_code(403);
+ echo json_encode(["error" => "You are not allowed to create share links."]);
+ exit;
+ }
+
// Parse POST JSON input.
$input = json_decode(file_get_contents("php://input"), true);
if (!$input) {
@@ -1107,6 +1340,23 @@ class FileController
exit;
}
+ // Non-admins can only share their own files
+// Ownership enforcement (allow admin OR bypassOwnership)
+$username = $_SESSION['username'] ?? '';
+$userPermissions = $this->loadPerms($username);
+
+$ignoreOwnership = $this->isAdmin($userPermissions)
+ || ($userPermissions['bypassOwnership'] ?? (defined('DEFAULT_BYPASS_OWNERSHIP') ? DEFAULT_BYPASS_OWNERSHIP : false));
+
+if (!$ignoreOwnership) {
+ $meta = $this->loadFolderMetadata($folder);
+ if (!isset($meta[$file]['uploader']) || $meta[$file]['uploader'] !== $username) {
+ http_response_code(403);
+ echo json_encode(["error" => "Forbidden: you are not the owner of this file."]);
+ exit;
+ }
+}
+
// Convert the provided value+unit into seconds
switch ($unit) {
case 'seconds':
@@ -1349,7 +1599,7 @@ class FileController
// Delegate deletion to the model.
$result = FileModel::deleteTrashFiles($filesToDelete);
- // Build a human‑friendly success or error message
+ // Build a human-friendly success or error message
if (!empty($result['deleted'])) {
$count = count($result['deleted']);
$msg = "Trash item" . ($count === 1 ? "" : "s") . " deleted: " . implode(", ", $result['deleted']);
@@ -1469,7 +1719,7 @@ class FileController
// Check that the user is not read-only.
$username = $_SESSION['username'] ?? '';
- $userPermissions = loadUserPermissions($username);
+ $userPermissions = $this->loadPerms($username);
if ($username && isset($userPermissions['readOnly']) && $userPermissions['readOnly'] === true) {
echo json_encode(["error" => "Read-only users are not allowed to file tags"]);
exit;
@@ -1502,6 +1752,22 @@ class FileController
exit;
}
+// Ownership enforcement (allow admin OR bypassOwnership)
+$username = $_SESSION['username'] ?? '';
+$userPermissions = $this->loadPerms($username);
+
+$ignoreOwnership = $this->isAdmin($userPermissions)
+ || ($userPermissions['bypassOwnership'] ?? (defined('DEFAULT_BYPASS_OWNERSHIP') ? DEFAULT_BYPASS_OWNERSHIP : false));
+
+if (!$ignoreOwnership) {
+ $meta = $this->loadFolderMetadata($folder);
+ if (!isset($meta[$file]['uploader']) || $meta[$file]['uploader'] !== $username) {
+ http_response_code(403);
+ echo json_encode(["error" => "Forbidden: you are not the owner of this file."]);
+ exit;
+ }
+}
+
// Delegate to the model.
$result = FileModel::saveFileTag($folder, $file, $tags, $deleteGlobal, $tagToDelete);
echo json_encode($result);
@@ -1545,32 +1811,96 @@ class FileController
* @return void Outputs JSON response.
*/
public function getFileList(): void
- {
- header('Content-Type: application/json');
+{
+ if (session_status() !== PHP_SESSION_ACTIVE) {
+ session_start();
+ }
- // Ensure user is authenticated.
- if (!isset($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true) {
+ header('Content-Type: application/json; charset=utf-8');
+
+ set_error_handler(function ($severity, $message, $file, $line) {
+ if (!(error_reporting() & $severity)) return;
+ throw new ErrorException($message, 0, $severity, $file, $line);
+ });
+
+ try {
+ if (empty($_SESSION['username'])) {
http_response_code(401);
- echo json_encode(["error" => "Unauthorized"]);
- exit;
+ echo json_encode(['error' => 'Unauthorized']);
+ return;
}
- // Retrieve the folder from GET; default to "root".
- $folder = isset($_GET['folder']) ? trim($_GET['folder']) : 'root';
+ if (!is_dir(META_DIR)) {
+ @mkdir(META_DIR, 0775, true);
+ }
+
+ $folder = isset($_GET['folder']) ? trim((string)$_GET['folder']) : 'root';
+
if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) {
http_response_code(400);
- echo json_encode(["error" => "Invalid folder name."]);
- exit;
+ echo json_encode(['error' => 'Invalid folder name.']);
+ return;
+ }
+
+ if (!is_dir(UPLOAD_DIR)) {
+ http_response_code(500);
+ echo json_encode(['error' => 'Uploads directory not found.']);
+ return;
}
- // Delegate to the model.
$result = FileModel::getFileList($folder);
+
+ if ($result === false || $result === null) {
+ http_response_code(500);
+ echo json_encode(['error' => 'File model failed.']);
+ return;
+ }
+ if (!is_array($result)) {
+ throw new RuntimeException('FileModel::getFileList returned a non-array.');
+ }
if (isset($result['error'])) {
http_response_code(400);
+ echo json_encode($result);
+ return;
}
- echo json_encode($result);
- exit;
+
+ // --- viewOwnOnly (for non-admins) ---
+ $username = $_SESSION['username'] ?? '';
+ $perms = $this->loadPerms($username);
+ $admin = $this->isAdmin($perms);
+ $ownOnly = !$admin && !empty($perms['viewOwnOnly']);
+
+ if ($ownOnly && isset($result['files'])) {
+ $files = $result['files'];
+ if (is_array($files) && array_keys($files) !== range(0, count($files) - 1)) {
+ // associative: name => meta
+ $filtered = [];
+ foreach ($files as $name => $meta) {
+ if (!isset($meta['uploader']) || strcasecmp((string)$meta['uploader'], $username) === 0) {
+ $filtered[$name] = $meta;
+ }
+ }
+ $result['files'] = $filtered;
+ } elseif (is_array($files)) {
+ // list of objects
+ $result['files'] = array_values(array_filter($files, function ($f) use ($username) {
+ return !isset($f['uploader']) || strcasecmp((string)$f['uploader'], $username) === 0;
+ }));
+ }
+ }
+
+ echo json_encode($result, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+ return;
+
+ } catch (Throwable $e) {
+ error_log('FileController::getFileList error: ' . $e->getMessage() .
+ ' in ' . $e->getFile() . ':' . $e->getLine());
+ http_response_code(500);
+ echo json_encode(['error' => 'Internal server error while listing files.']);
+ } finally {
+ restore_error_handler();
}
+}
/**
* GET /api/file/getShareLinks.php
@@ -1631,26 +1961,44 @@ class FileController
* POST /api/file/createFile.php
*/
public function createFile(): void
- {
+{
+ $this->_jsonStart();
+ try {
+ if (!$this->_requireAuth()) return;
- // Check user permissions (assuming loadUserPermissions() is available).
$username = $_SESSION['username'] ?? '';
- $userPermissions = loadUserPermissions($username);
- if (!empty($userPermissions['readOnly'])) {
- echo json_encode(["error" => "Read-only users are not allowed to create files."]);
- exit;
+ $userPermissions = $this->loadPerms($username);
+ if (!$this->isAdmin($userPermissions) && !empty($userPermissions['readOnly'])) {
+ $this->_jsonOut(["error" => "Read-only users are not allowed to create files."], 403);
+ return;
}
- $body = json_decode(file_get_contents('php://input'), true);
- $folder = $body['folder'] ?? 'root';
- $filename = $body['name'] ?? '';
- $result = FileModel::createFile($folder, $filename, $_SESSION['username'] ?? 'Unknown');
+ $body = $this->_readJsonBody();
+ $folder = isset($body['folder']) ? trim((string)$body['folder']) : 'root';
+ $filename = isset($body['name']) ? basename(trim((string)$body['name'])) : '';
- if (!$result['success']) {
- http_response_code($result['code'] ?? 400);
- echo json_encode(['success'=>false,'error'=>$result['error']]);
- } else {
- echo json_encode(['success'=>true]);
+ if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) {
+ $this->_jsonOut(["error" => "Invalid folder name."], 400); return;
}
+ if ($filename === '' || !preg_match(REGEX_FILE_NAME, $filename)) {
+ $this->_jsonOut(["error" => "Invalid file name."], 400); return;
+ }
+
+ $dv = $this->enforceFolderScope($folder, $username, $userPermissions);
+ if ($dv) { $this->_jsonOut(["error"=>$dv], 403); return; }
+
+ $result = FileModel::createFile($folder, $filename, $username);
+ if (empty($result['success'])) {
+ $this->_jsonOut(['success'=>false,'error'=>$result['error'] ?? 'Failed to create file'], $result['code'] ?? 400);
+ return;
+ }
+ $this->_jsonOut(['success'=>true]);
+
+ } catch (Throwable $e) {
+ error_log('FileController::createFile error: '.$e->getMessage().' @ '.$e->getFile().':'.$e->getLine());
+ $this->_jsonOut(['error' => 'Internal server error while creating file.'], 500);
+ } finally {
+ $this->_jsonEnd();
}
}
+}
\ No newline at end of file
diff --git a/src/controllers/FolderController.php b/src/controllers/FolderController.php
index 9d3f823..65495a6 100644
--- a/src/controllers/FolderController.php
+++ b/src/controllers/FolderController.php
@@ -6,6 +6,94 @@ require_once PROJECT_ROOT . '/src/models/FolderModel.php';
class FolderController
{
+ // ---- Helpers -----------------------------------------------------------
+ private static function getHeadersLower(): array
+ {
+ // getallheaders() may not exist on some SAPIs
+ if (function_exists('getallheaders')) {
+ $h = getallheaders();
+ if (is_array($h)) return array_change_key_case($h, CASE_LOWER);
+ }
+ $headers = [];
+ foreach ($_SERVER as $k => $v) {
+ if (strpos($k, 'HTTP_') === 0) {
+ $name = strtolower(str_replace('_', '-', substr($k, 5)));
+ $headers[$name] = $v;
+ }
+ }
+ return $headers;
+ }
+
+ private static function requireCsrf(): void
+ {
+ $headers = self::getHeadersLower();
+ $received = trim($headers['x-csrf-token'] ?? ($_POST['csrfToken'] ?? ''));
+ if (!isset($_SESSION['csrf_token']) || $received !== $_SESSION['csrf_token']) {
+ http_response_code(403);
+ header('Content-Type: application/json');
+ echo json_encode(['error' => 'Invalid CSRF token']);
+ exit;
+ }
+ }
+
+ private static function requireAuth(): void
+ {
+ if (empty($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true) {
+ http_response_code(401);
+ header('Content-Type: application/json');
+ echo json_encode(['error' => 'Unauthorized']);
+ exit;
+ }
+ }
+
+ private static function requireNotReadOnly(): void
+ {
+ $username = $_SESSION['username'] ?? '';
+ $perms = loadUserPermissions($username);
+ if ($username && !empty($perms['readOnly'])) {
+ http_response_code(403);
+ header('Content-Type: application/json');
+ echo json_encode(['error' => 'Read-only users are not allowed to perform this action.']);
+ exit;
+ }
+ }
+
+ private static function requireAdmin(): void
+ {
+ if (empty($_SESSION['isAdmin'])) {
+ http_response_code(403);
+ header('Content-Type: application/json');
+ echo json_encode(['error' => 'Admin privileges required.']);
+ exit;
+ }
+ }
+
+ private static function formatBytes(int $bytes): string
+ {
+ if ($bytes < 1024) {
+ return $bytes . " B";
+ } elseif ($bytes < 1048576) {
+ return round($bytes / 1024, 2) . " KB";
+ } elseif ($bytes < 1073741824) {
+ return round($bytes / 1048576, 2) . " MB";
+ } else {
+ return round($bytes / 1073741824, 2) . " GB";
+ }
+ }
+
+ private function enforceFolderScope(string $folder, string $username, array $userPermissions): ?string {
+ if ($this->isAdmin($userPermissions) || !empty($userPermissions['bypassFolderScope'])) return null;
+ if (!$this->isFolderOnly($userPermissions)) return null;
+
+ $folder = trim($folder);
+ if ($folder !== '' && strtolower($folder) !== 'root') {
+ if ($folder !== $username && strpos($folder, $username . '/') !== 0) {
+ return "Forbidden: folder scope violation.";
+ }
+ }
+ return null;
+ }
+
/**
* @OA\Post(
* path="/api/folder/createFolder.php",
@@ -41,74 +129,41 @@ class FolderController
* description="Invalid CSRF token or permission denied"
* )
* )
- *
- * Creates a new folder in the upload directory, optionally under a parent folder.
- *
- * @return void Outputs a JSON response.
*/
public function createFolder(): void
{
header('Content-Type: application/json');
- // Ensure user is authenticated.
- if (!isset($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true) {
- http_response_code(401);
- echo json_encode(["error" => "Unauthorized"]);
- exit;
- }
-
- // Ensure the request method is POST.
+ self::requireAuth();
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
- echo json_encode(['error' => 'Invalid request method.']);
+ http_response_code(405);
+ echo json_encode(['error' => 'Method not allowed.']);
exit;
}
+ self::requireCsrf();
+ self::requireNotReadOnly();
- // CSRF check.
- $headersArr = array_change_key_case(getallheaders(), CASE_LOWER);
- $receivedToken = $headersArr['x-csrf-token'] ?? '';
- if (!isset($_SESSION['csrf_token']) || trim($receivedToken) !== $_SESSION['csrf_token']) {
- http_response_code(403);
- echo json_encode(['error' => 'Invalid CSRF token.']);
- exit;
- }
-
- // Check permissions.
- $username = $_SESSION['username'] ?? '';
- $userPermissions = loadUserPermissions($username);
- if ($username && isset($userPermissions['readOnly']) && $userPermissions['readOnly'] === true) {
- http_response_code(403);
- echo json_encode([
- "success" => false,
- "error" => "Read-only users are not allowed to create folders."
- ]);
- exit;
- }
-
- // Get and decode JSON input.
$input = json_decode(file_get_contents('php://input'), true);
if (!isset($input['folderName'])) {
+ http_response_code(400);
echo json_encode(['error' => 'Folder name not provided.']);
exit;
}
$folderName = trim($input['folderName']);
- $parent = isset($input['parent']) ? trim($input['parent']) : "";
+ $parent = isset($input['parent']) ? trim($input['parent']) : "";
- // Basic sanitation for folderName.
if (!preg_match(REGEX_FOLDER_NAME, $folderName)) {
http_response_code(400);
echo json_encode(['error' => 'Invalid folder name.']);
exit;
}
-
- // Optionally sanitize the parent.
if ($parent && !preg_match(REGEX_FOLDER_NAME, $parent)) {
http_response_code(400);
echo json_encode(['error' => 'Invalid parent folder name.']);
exit;
}
- // Delegate to FolderModel.
$result = FolderModel::createFolder($folderName, $parent);
echo json_encode($result);
exit;
@@ -148,60 +203,39 @@ class FolderController
* description="Invalid CSRF token or permission denied"
* )
* )
- *
- * Deletes a folder if it is empty and not the root folder.
- *
- * @return void Outputs a JSON response.
*/
public function deleteFolder(): void
{
header('Content-Type: application/json');
- // Ensure user is authenticated.
- if (!isset($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true) {
- http_response_code(401);
- echo json_encode(["error" => "Unauthorized"]);
- exit;
- }
-
- // Ensure the request is a POST.
+ self::requireAuth();
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
- echo json_encode(["error" => "Invalid request method."]);
+ http_response_code(405);
+ echo json_encode(["error" => "Method not allowed."]);
exit;
}
+ self::requireCsrf();
+ self::requireNotReadOnly();
- // CSRF Protection.
- $headersArr = array_change_key_case(getallheaders(), CASE_LOWER);
- $receivedToken = isset($headersArr['x-csrf-token']) ? trim($headersArr['x-csrf-token']) : '';
- if (!isset($_SESSION['csrf_token']) || $receivedToken !== $_SESSION['csrf_token']) {
- http_response_code(403);
- echo json_encode(["error" => "Invalid CSRF token."]);
- exit;
- }
-
- // Check user permissions.
- $username = $_SESSION['username'] ?? '';
- $userPermissions = loadUserPermissions($username);
- if ($username && isset($userPermissions['readOnly']) && $userPermissions['readOnly'] === true) {
- echo json_encode(["error" => "Read-only users are not allowed to delete folders."]);
- exit;
- }
-
- // Get and decode JSON input.
$input = json_decode(file_get_contents('php://input'), true);
if (!isset($input['folder'])) {
+ http_response_code(400);
echo json_encode(["error" => "Folder name not provided."]);
exit;
}
$folder = trim($input['folder']);
- // Prevent deletion of the root folder.
if (strtolower($folder) === 'root') {
+ http_response_code(400);
echo json_encode(["error" => "Cannot delete root folder."]);
exit;
}
+ if (!preg_match(REGEX_FOLDER_NAME, $folder)) {
+ http_response_code(400);
+ echo json_encode(["error" => "Invalid folder name."]);
+ exit;
+ }
- // Delegate to the model.
$result = FolderModel::deleteFolder($folder);
echo json_encode($result);
exit;
@@ -242,48 +276,23 @@ class FolderController
* description="Invalid CSRF token or permission denied"
* )
* )
- *
- * Renames a folder by validating inputs and delegating to the model.
- *
- * @return void Outputs a JSON response.
*/
public function renameFolder(): void
{
header('Content-Type: application/json');
- // Ensure user is authenticated.
- if (!isset($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true) {
- http_response_code(401);
- echo json_encode(["error" => "Unauthorized"]);
- exit;
- }
-
- // Ensure the request method is POST.
+ self::requireAuth();
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
- echo json_encode(['error' => 'Invalid request method.']);
+ http_response_code(405);
+ echo json_encode(['error' => 'Method not allowed.']);
exit;
}
+ self::requireCsrf();
+ self::requireNotReadOnly();
- // CSRF Protection.
- $headersArr = array_change_key_case(getallheaders(), CASE_LOWER);
- $receivedToken = isset($headersArr['x-csrf-token']) ? trim($headersArr['x-csrf-token']) : '';
- if (!isset($_SESSION['csrf_token']) || $receivedToken !== $_SESSION['csrf_token']) {
- http_response_code(403);
- echo json_encode(["error" => "Invalid CSRF token."]);
- exit;
- }
-
- // Check that the user is not read-only.
- $username = $_SESSION['username'] ?? '';
- $userPermissions = loadUserPermissions($username);
- if ($username && isset($userPermissions['readOnly']) && $userPermissions['readOnly'] === true) {
- echo json_encode(["error" => "Read-only users are not allowed to rename folders."]);
- exit;
- }
-
- // Get JSON input.
$input = json_decode(file_get_contents('php://input'), true);
if (!isset($input['oldFolder']) || !isset($input['newFolder'])) {
+ http_response_code(400);
echo json_encode(['error' => 'Required folder names not provided.']);
exit;
}
@@ -291,13 +300,12 @@ class FolderController
$oldFolder = trim($input['oldFolder']);
$newFolder = trim($input['newFolder']);
- // Validate folder names.
if (!preg_match(REGEX_FOLDER_NAME, $oldFolder) || !preg_match(REGEX_FOLDER_NAME, $newFolder)) {
+ http_response_code(400);
echo json_encode(['error' => 'Invalid folder name(s).']);
exit;
}
- // Delegate to the model.
$result = FolderModel::renameFolder($oldFolder, $newFolder);
echo json_encode($result);
exit;
@@ -334,21 +342,19 @@ class FolderController
* description="Bad request"
* )
* )
- *
- * Retrieves the folder list and associated metadata.
- *
- * @return void Outputs JSON response.
*/
public function getFolderList(): void
{
header('Content-Type: application/json');
- if (empty($_SESSION['authenticated'])) {
- http_response_code(401);
- echo json_encode(["error" => "Unauthorized"]);
+ self::requireAuth();
+
+ $parent = $_GET['folder'] ?? null;
+ if ($parent !== null && $parent !== '' && $parent !== 'root' && !preg_match(REGEX_FOLDER_NAME, $parent)) {
+ http_response_code(400);
+ echo json_encode(["error" => "Invalid folder name."]);
exit;
}
- $parent = $_GET['folder'] ?? null;
$folderList = FolderModel::getFolderList($parent);
echo json_encode($folderList);
exit;
@@ -400,34 +406,13 @@ class FolderController
* description="Share folder not found"
* )
* )
- *
- * Displays a shared folder with file listings, pagination, and an upload container if allowed.
- *
- * @return void Outputs HTML content.
*/
-
- function formatBytes($bytes)
- {
- if ($bytes < 1024) {
- return $bytes . " B";
- } elseif ($bytes < 1024 * 1024) {
- return round($bytes / 1024, 2) . " KB";
- } elseif ($bytes < 1024 * 1024 * 1024) {
- return round($bytes / (1024 * 1024), 2) . " MB";
- } else {
- return round($bytes / (1024 * 1024 * 1024), 2) . " GB";
- }
- }
-
public function shareFolder(): void
{
- // Retrieve GET parameters.
- $token = filter_input(INPUT_GET, 'token', FILTER_SANITIZE_STRING);
+ $token = filter_input(INPUT_GET, 'token', FILTER_SANITIZE_STRING);
$providedPass = filter_input(INPUT_GET, 'pass', FILTER_SANITIZE_STRING);
- $page = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT);
- if ($page === false || $page < 1) {
- $page = 1;
- }
+ $page = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT);
+ if ($page === false || $page < 1) $page = 1;
if (empty($token)) {
http_response_code(400);
@@ -436,57 +421,24 @@ class FolderController
exit;
}
- // Delegate to the model.
$data = FolderModel::getSharedFolderData($token, $providedPass, $page);
- // If a password is needed, output an HTML form.
if (isset($data['needs_password']) && $data['needs_password'] === true) {
- header("Content-Type: text/html; charset=utf-8");
-?>
+ header("Content-Type: text/html; charset=utf-8"); ?>
-
Enter Password
-
Folder Protected
@@ -499,13 +451,10 @@ class FolderController
-
-
+ header("Content-Type: text/html; charset=utf-8"); ?>
-
Shared Folder: <?php echo htmlspecialchars($folderName, ENT_QUOTES, 'UTF-8'); ?>
-
-
-
This folder is empty.
-
- | Filename |
- Size |
-
+ | Filename | Size |
|---|
-
-
- |
-
-
- ⇩
-
- |
- |
-
-
+
+
+ |
+
+ ⇩
+
+ |
+ |
+
+
-
-
-
-
+
Upload File
- ( max size)
+ ( max size)