修复部分已知的安全问题
This commit is contained in:
parent
3cbde69311
commit
f390d80e4f
@ -6,10 +6,14 @@ use app\models\CollectionTasks;
|
|||||||
use app\models\CollectionSearch;
|
use app\models\CollectionSearch;
|
||||||
use app\models\CollectionUploaded;
|
use app\models\CollectionUploaded;
|
||||||
use Ramsey\Uuid\Uuid;
|
use Ramsey\Uuid\Uuid;
|
||||||
|
use RuntimeException;
|
||||||
use Yii;
|
use Yii;
|
||||||
|
use yii\filters\AccessControl;
|
||||||
use yii\web\Controller;
|
use yii\web\Controller;
|
||||||
use yii\web\NotFoundHttpException;
|
use yii\web\NotFoundHttpException;
|
||||||
use yii\filters\VerbFilter;
|
use yii\filters\VerbFilter;
|
||||||
|
use yii\web\Request;
|
||||||
|
use yii\web\Response;
|
||||||
use yii\web\ServerErrorHttpException;
|
use yii\web\ServerErrorHttpException;
|
||||||
use yii\web\UploadedFile;
|
use yii\web\UploadedFile;
|
||||||
|
|
||||||
@ -21,16 +25,35 @@ class CollectionController extends Controller
|
|||||||
/**
|
/**
|
||||||
* @inheritDoc
|
* @inheritDoc
|
||||||
*/
|
*/
|
||||||
public function behaviors()
|
public function behaviors(): array
|
||||||
{
|
{
|
||||||
return array_merge(
|
return array_merge(
|
||||||
parent::behaviors(),
|
parent::behaviors(),
|
||||||
[
|
[
|
||||||
|
'access' => [
|
||||||
|
'class' => AccessControl::class,
|
||||||
|
'rules' => [
|
||||||
|
[
|
||||||
|
'allow' => true,
|
||||||
|
'actions' => ['index', 'view', 'create', 'delete'],
|
||||||
|
'roles' => ['user'],
|
||||||
|
],
|
||||||
|
[
|
||||||
|
'allow' => true,
|
||||||
|
'actions' => ['access', 'upload'],
|
||||||
|
'roles' => ['?', '@'], // everyone can access public share
|
||||||
|
]
|
||||||
|
],
|
||||||
|
],
|
||||||
'verbs' => [
|
'verbs' => [
|
||||||
'class' => VerbFilter::className(),
|
'class' => VerbFilter::class,
|
||||||
'actions' => [
|
'actions' => [
|
||||||
|
'index' => ['GET'],
|
||||||
|
'view' => ['GET'],
|
||||||
|
'create' => ['POST'],
|
||||||
'delete' => ['POST'],
|
'delete' => ['POST'],
|
||||||
'upload' => ['POST']
|
'access' => ['GET'],
|
||||||
|
'upload' => ['POST'],
|
||||||
],
|
],
|
||||||
],
|
],
|
||||||
]
|
]
|
||||||
@ -42,15 +65,19 @@ class CollectionController extends Controller
|
|||||||
*
|
*
|
||||||
* @return string
|
* @return string
|
||||||
*/
|
*/
|
||||||
public function actionIndex()
|
public function actionIndex(): string
|
||||||
{
|
{
|
||||||
$searchModel = new CollectionSearch();
|
$searchModel = new CollectionSearch();
|
||||||
$dataProvider = $searchModel->search($this->request->queryParams);
|
if ($this->request instanceof Request) {
|
||||||
$dataProvider->query->andWhere(['!=', 'status', 0]);
|
$dataProvider = $searchModel->search($this->request->queryParams);
|
||||||
return $this->render('index', [
|
$dataProvider->query->andWhere(['!=', 'status', 0]);
|
||||||
'searchModel' => $searchModel,
|
return $this->render('index', [
|
||||||
'dataProvider' => $dataProvider,
|
'searchModel' => $searchModel,
|
||||||
]);
|
'dataProvider' => $dataProvider,
|
||||||
|
]);
|
||||||
|
} else {
|
||||||
|
throw new RuntimeException('Invalid request type');
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -59,7 +86,7 @@ class CollectionController extends Controller
|
|||||||
* @return string
|
* @return string
|
||||||
* @throws NotFoundHttpException if the model cannot be found
|
* @throws NotFoundHttpException if the model cannot be found
|
||||||
*/
|
*/
|
||||||
public function actionView($id)
|
public function actionView(int $id): string
|
||||||
{
|
{
|
||||||
return $this->render('view', [
|
return $this->render('view', [
|
||||||
'model' => $this->findModel($id),
|
'model' => $this->findModel($id),
|
||||||
@ -69,24 +96,22 @@ class CollectionController extends Controller
|
|||||||
/**
|
/**
|
||||||
* Creates a new CollectionTasks model.
|
* Creates a new CollectionTasks model.
|
||||||
* If creation is successful, the browser will be redirected to the 'view' page.
|
* If creation is successful, the browser will be redirected to the 'view' page.
|
||||||
* @return string|\yii\web\Response
|
* @return string|Response
|
||||||
*/
|
*/
|
||||||
public function actionCreate()
|
public function actionCreate(): Response|string
|
||||||
{
|
{
|
||||||
$model = new CollectionTasks();
|
$model = new CollectionTasks();
|
||||||
$model->scenario = 'create'; // 设置场景
|
$model->scenario = 'create'; // 设置场景
|
||||||
|
|
||||||
if ($this->request->isPost) {
|
if ($this->request instanceof Request && $this->request->isPost) {
|
||||||
if ($model->load($this->request->post())) {
|
if ($model->load($this->request->post())) {
|
||||||
$model->user_id = Yii::$app->user->id; // 手动设置user_id字段的值
|
$model->user_id = Yii::$app->user->id; // 手动设置user_id字段的值
|
||||||
if ($model->save()) {
|
if ($model->save()) {
|
||||||
return $this->redirect(['view', 'id' => $model->id]);
|
return $this->redirect(['view', 'id' => $model->id]);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
$model->loadDefaultValues();
|
|
||||||
}
|
}
|
||||||
|
//不允许get,所以无视下面这个return
|
||||||
return $this->render('create', [
|
return $this->render('create', [
|
||||||
'model' => $model,
|
'model' => $model,
|
||||||
]);
|
]);
|
||||||
@ -96,10 +121,10 @@ class CollectionController extends Controller
|
|||||||
* Deletes an existing CollectionTasks model.
|
* Deletes an existing CollectionTasks model.
|
||||||
* If deletion is successful, the browser will be redirected to the 'index' page.
|
* If deletion is successful, the browser will be redirected to the 'index' page.
|
||||||
* @param int $id ID
|
* @param int $id ID
|
||||||
* @return \yii\web\Response
|
* @return Response
|
||||||
* @throws NotFoundHttpException if the model cannot be found
|
* @throws NotFoundHttpException if the model cannot be found
|
||||||
*/
|
*/
|
||||||
public function actionDelete($id)
|
public function actionDelete(int $id): Response
|
||||||
{
|
{
|
||||||
// 获取模型
|
// 获取模型
|
||||||
$model = $this->findModel($id);
|
$model = $this->findModel($id);
|
||||||
@ -124,13 +149,15 @@ class CollectionController extends Controller
|
|||||||
* @return CollectionTasks the loaded model
|
* @return CollectionTasks the loaded model
|
||||||
* @throws NotFoundHttpException if the model cannot be found
|
* @throws NotFoundHttpException if the model cannot be found
|
||||||
*/
|
*/
|
||||||
protected function findModel($id)
|
protected function findModel(int $id, bool $is_public = false): CollectionTasks
|
||||||
{
|
{
|
||||||
if (($model = CollectionTasks::findOne(['id' => $id])) !== null) {
|
// Not Allow to access other user's collection manage page
|
||||||
|
// public collection can be accessed by anyone
|
||||||
|
if (($model = CollectionTasks::findOne(['id' => $id])) !== null && ($is_public || $model->user_id === Yii::$app->user->id)) {
|
||||||
return $model;
|
return $model;
|
||||||
}
|
}
|
||||||
|
|
||||||
throw new NotFoundHttpException('The requested page does not exist.');
|
throw new NotFoundHttpException('没有权限访问这个页面或请求的页面不存在');
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -141,13 +168,13 @@ class CollectionController extends Controller
|
|||||||
* @return string
|
* @return string
|
||||||
* @throws NotFoundHttpException
|
* @throws NotFoundHttpException
|
||||||
*/
|
*/
|
||||||
public function actionAccess($id = null, $secret = null)
|
public function actionAccess($id = null, $secret = null): string
|
||||||
{
|
{
|
||||||
$receive_secret = Yii::$app->request->get('CollectionTasks')['secret'] ?? null;
|
$receive_secret = Yii::$app->request->get('CollectionTasks')['secret'] ?? null;
|
||||||
if (!is_null($receive_secret)) {
|
if (!is_null($receive_secret)) {
|
||||||
$secret = $receive_secret;
|
$secret = $receive_secret;
|
||||||
}
|
}
|
||||||
$model = CollectionTasks::findOne(['id' => $id]);
|
$model = $this->findModel($id, true);
|
||||||
if ($model === null | $model->status === 0) {
|
if ($model === null | $model->status === 0) {
|
||||||
throw new NotFoundHttpException('请求的文件收集任务已失效或不存在');
|
throw new NotFoundHttpException('请求的文件收集任务已失效或不存在');
|
||||||
} elseif (!is_dir(Yii::getAlias(Yii::$app->params['dataDirectory']) . '/' . $model->user_id . '/' . $model->folder_path)) {
|
} elseif (!is_dir(Yii::getAlias(Yii::$app->params['dataDirectory']) . '/' . $model->user_id . '/' . $model->folder_path)) {
|
||||||
@ -157,7 +184,7 @@ class CollectionController extends Controller
|
|||||||
'model' => new CollectionTasks(),
|
'model' => new CollectionTasks(),
|
||||||
]);
|
]);
|
||||||
} elseif ($model->secret !== $secret) {
|
} elseif ($model->secret !== $secret) {
|
||||||
Yii::$app->session->setFlash('error', '拒绝访问,凭证不正确');
|
Yii::$app->session->setFlash('error', '访问凭证不正确');
|
||||||
return $this->render('_gateway', [
|
return $this->render('_gateway', [
|
||||||
'model' => new CollectionTasks(),
|
'model' => new CollectionTasks(),
|
||||||
]);
|
]);
|
||||||
@ -178,7 +205,7 @@ class CollectionController extends Controller
|
|||||||
* @throws NotFoundHttpException
|
* @throws NotFoundHttpException
|
||||||
* @throws ServerErrorHttpException
|
* @throws ServerErrorHttpException
|
||||||
*/
|
*/
|
||||||
public function actionUpload()
|
public function actionUpload(): Response
|
||||||
{
|
{
|
||||||
$request = Yii::$app->request;
|
$request = Yii::$app->request;
|
||||||
|
|
||||||
@ -189,7 +216,7 @@ class CollectionController extends Controller
|
|||||||
// 获取发送POST请求的用户的IP地址
|
// 获取发送POST请求的用户的IP地址
|
||||||
$uploaderIp = $request->userIP;
|
$uploaderIp = $request->userIP;
|
||||||
|
|
||||||
$task = CollectionTasks::findOne($taskId);
|
$task = $this->findModel($taskId, true); //CollectionTasks::findOne($taskId);
|
||||||
$userId = $task->user_id;
|
$userId = $task->user_id;
|
||||||
$folderPath = $task->folder_path;
|
$folderPath = $task->folder_path;
|
||||||
|
|
||||||
|
@ -17,13 +17,13 @@ class CollectionUploadedController extends Controller
|
|||||||
/**
|
/**
|
||||||
* @inheritDoc
|
* @inheritDoc
|
||||||
*/
|
*/
|
||||||
public function behaviors()
|
public function behaviors(): array
|
||||||
{
|
{
|
||||||
return array_merge(
|
return array_merge(
|
||||||
parent::behaviors(),
|
parent::behaviors(),
|
||||||
[
|
[
|
||||||
'verbs' => [
|
'verbs' => [
|
||||||
'class' => VerbFilter::className(),
|
'class' => VerbFilter::class,
|
||||||
'actions' => [
|
'actions' => [
|
||||||
],
|
],
|
||||||
],
|
],
|
||||||
@ -39,7 +39,7 @@ class CollectionUploadedController extends Controller
|
|||||||
* @return CollectionUploaded the loaded model
|
* @return CollectionUploaded the loaded model
|
||||||
* @throws NotFoundHttpException if the model cannot be found
|
* @throws NotFoundHttpException if the model cannot be found
|
||||||
*/
|
*/
|
||||||
protected function findModel($id)
|
protected function findModel(int $id): CollectionUploaded
|
||||||
{
|
{
|
||||||
if (($model = CollectionUploaded::findOne(['id' => $id])) !== null) {
|
if (($model = CollectionUploaded::findOne(['id' => $id])) !== null) {
|
||||||
return $model;
|
return $model;
|
||||||
|
@ -16,6 +16,7 @@ use wapmorgan\UnifiedArchive\Exceptions\UnsupportedOperationException;
|
|||||||
use wapmorgan\UnifiedArchive\UnifiedArchive;
|
use wapmorgan\UnifiedArchive\UnifiedArchive;
|
||||||
use Yii;
|
use Yii;
|
||||||
use yii\bootstrap5\ActiveForm;
|
use yii\bootstrap5\ActiveForm;
|
||||||
|
use yii\filters\AccessControl;
|
||||||
use yii\filters\VerbFilter;
|
use yii\filters\VerbFilter;
|
||||||
use yii\helpers\ArrayHelper;
|
use yii\helpers\ArrayHelper;
|
||||||
use yii\web\Controller;
|
use yii\web\Controller;
|
||||||
@ -33,6 +34,16 @@ class HomeController extends Controller
|
|||||||
return array_merge(
|
return array_merge(
|
||||||
parent::behaviors(),
|
parent::behaviors(),
|
||||||
[
|
[
|
||||||
|
'access' => [
|
||||||
|
'class' => AccessControl::class,
|
||||||
|
'rules' => [
|
||||||
|
[
|
||||||
|
'allow' => true,
|
||||||
|
'actions' => ['index', 'download', 'preview', 'rename', 'delete', 'upload', 'new-folder', 'download-folder', 'multi-ff-zip-dl', 'zip', 'unzip', 'paste'],
|
||||||
|
'roles' => ['user'],
|
||||||
|
],
|
||||||
|
],
|
||||||
|
],
|
||||||
'verbs' => [
|
'verbs' => [
|
||||||
'class' => VerbFilter::class,
|
'class' => VerbFilter::class,
|
||||||
'actions' => [
|
'actions' => [
|
||||||
@ -64,12 +75,12 @@ class HomeController extends Controller
|
|||||||
*/
|
*/
|
||||||
public function actionIndex($directory = null): Response|string
|
public function actionIndex($directory = null): Response|string
|
||||||
{
|
{
|
||||||
if (Yii::$app->user->isGuest) {
|
// if (Yii::$app->user->isGuest) {
|
||||||
Yii::$app->session->setFlash('error','请先登录');
|
// Yii::$app->session->setFlash('error','请先登录');
|
||||||
return $this->redirect(Yii::$app->user->loginUrl);
|
// return $this->redirect(Yii::$app->user->loginUrl);
|
||||||
} else if (!Yii::$app->user->can('accessHome')){
|
// } else if (!Yii::$app->user->can('accessHome')){
|
||||||
throw new NotFoundHttpException('当前用户组不允许访问此页面');
|
// throw new NotFoundHttpException('当前用户组不允许访问此页面');
|
||||||
}
|
// }
|
||||||
$rootDataDirectory = Yii::getAlias(Yii::$app->params['dataDirectory']) . '/' . Yii::$app->user->id;
|
$rootDataDirectory = Yii::getAlias(Yii::$app->params['dataDirectory']) . '/' . Yii::$app->user->id;
|
||||||
|
|
||||||
if ($directory === '.' || $directory == null) {
|
if ($directory === '.' || $directory == null) {
|
||||||
@ -335,7 +346,7 @@ class HomeController extends Controller
|
|||||||
*
|
*
|
||||||
* @return int|Response
|
* @return int|Response
|
||||||
*/
|
*/
|
||||||
public function actionUpload()
|
public function actionUpload(): Response|int
|
||||||
{
|
{
|
||||||
$model = new UploadForm();
|
$model = new UploadForm();
|
||||||
$model->targetDir = Yii::$app->request->post('targetDir', '.');
|
$model->targetDir = Yii::$app->request->post('targetDir', '.');
|
||||||
|
@ -4,12 +4,18 @@ namespace app\controllers;
|
|||||||
|
|
||||||
use app\models\Share;
|
use app\models\Share;
|
||||||
use app\models\ShareSearch;
|
use app\models\ShareSearch;
|
||||||
|
use RecursiveDirectoryIterator;
|
||||||
|
use RecursiveIteratorIterator;
|
||||||
|
use RuntimeException;
|
||||||
use Yii;
|
use Yii;
|
||||||
|
use yii\filters\AccessControl;
|
||||||
use yii\web\Controller;
|
use yii\web\Controller;
|
||||||
use yii\web\ForbiddenHttpException;
|
use yii\web\ForbiddenHttpException;
|
||||||
use yii\web\NotFoundHttpException;
|
use yii\web\NotFoundHttpException;
|
||||||
use yii\filters\VerbFilter;
|
use yii\filters\VerbFilter;
|
||||||
|
use yii\web\Request;
|
||||||
use yii\web\Response;
|
use yii\web\Response;
|
||||||
|
use ZipArchive;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* ShareController implements the CRUD actions for Share model.
|
* ShareController implements the CRUD actions for Share model.
|
||||||
@ -19,15 +25,36 @@ class ShareController extends Controller
|
|||||||
/**
|
/**
|
||||||
* @inheritDoc
|
* @inheritDoc
|
||||||
*/
|
*/
|
||||||
public function behaviors()
|
public function behaviors(): array
|
||||||
{
|
{
|
||||||
return array_merge(
|
return array_merge(
|
||||||
parent::behaviors(),
|
parent::behaviors(),
|
||||||
[
|
[
|
||||||
|
'access' => [
|
||||||
|
'class' => AccessControl::class,
|
||||||
|
'rules' => [
|
||||||
|
[
|
||||||
|
'allow' => true,
|
||||||
|
'actions' => ['index', 'view', 'create', 'update', 'delete'],
|
||||||
|
'roles' => ['user'],
|
||||||
|
],
|
||||||
|
[
|
||||||
|
'allow' => true,
|
||||||
|
'actions' => ['access', 'download'],
|
||||||
|
'roles' => ['?', '@'], // everyone can access public share
|
||||||
|
]
|
||||||
|
],
|
||||||
|
],
|
||||||
'verbs' => [
|
'verbs' => [
|
||||||
'class' => VerbFilter::className(),
|
'class' => VerbFilter::class,
|
||||||
'actions' => [
|
'actions' => [
|
||||||
|
'index' => ['GET'],
|
||||||
|
'view' => ['GET'],
|
||||||
|
'create' => ['POST'],
|
||||||
|
'update' => ['GET', 'POST'],
|
||||||
'delete' => ['POST'],
|
'delete' => ['POST'],
|
||||||
|
'access' => ['GET', 'POST'],
|
||||||
|
'download' => ['GET'],
|
||||||
],
|
],
|
||||||
],
|
],
|
||||||
]
|
]
|
||||||
@ -39,16 +66,19 @@ class ShareController extends Controller
|
|||||||
*
|
*
|
||||||
* @return string
|
* @return string
|
||||||
*/
|
*/
|
||||||
public function actionIndex()
|
public function actionIndex(): string
|
||||||
{
|
{
|
||||||
$searchModel = new ShareSearch();
|
$searchModel = new ShareSearch();
|
||||||
$dataProvider = $searchModel->search($this->request->queryParams);
|
if ($this->request instanceof Request) {
|
||||||
$dataProvider->query->andWhere(['!=', 'status', 0]);
|
$dataProvider = $searchModel->search($this->request->queryParams);
|
||||||
|
$dataProvider->query->andWhere(['!=', 'status', 0]);
|
||||||
return $this->render('index', [
|
return $this->render('index', [
|
||||||
'searchModel' => $searchModel,
|
'searchModel' => $searchModel,
|
||||||
'dataProvider' => $dataProvider,
|
'dataProvider' => $dataProvider,
|
||||||
]);
|
]);
|
||||||
|
} else {
|
||||||
|
throw new RuntimeException('Invalid request type');
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -57,7 +87,7 @@ class ShareController extends Controller
|
|||||||
* @return string
|
* @return string
|
||||||
* @throws NotFoundHttpException if the model cannot be found
|
* @throws NotFoundHttpException if the model cannot be found
|
||||||
*/
|
*/
|
||||||
public function actionView($share_id)
|
public function actionView(int $share_id): string
|
||||||
{
|
{
|
||||||
return $this->render('view', [
|
return $this->render('view', [
|
||||||
'model' => $this->findModel($share_id),
|
'model' => $this->findModel($share_id),
|
||||||
@ -73,7 +103,7 @@ class ShareController extends Controller
|
|||||||
{
|
{
|
||||||
$model = new Share();
|
$model = new Share();
|
||||||
|
|
||||||
if ($this->request->isPost) {
|
if ($this->request instanceof Request && $this->request->isPost) {
|
||||||
if ($model->load($this->request->post())) {
|
if ($model->load($this->request->post())) {
|
||||||
//对access_code进行检测
|
//对access_code进行检测
|
||||||
if (empty($model->access_code) || !preg_match('/^[a-zA-Z0-9]{4}$/', $model->access_code)) {
|
if (empty($model->access_code) || !preg_match('/^[a-zA-Z0-9]{4}$/', $model->access_code)) {
|
||||||
@ -94,10 +124,8 @@ class ShareController extends Controller
|
|||||||
return $this->redirect(['view', 'share_id' => $model->share_id]);
|
return $this->redirect(['view', 'share_id' => $model->share_id]);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
$model->loadDefaultValues();
|
|
||||||
}
|
}
|
||||||
|
// 看看就好,不给用get的
|
||||||
return $this->render('create', [
|
return $this->render('create', [
|
||||||
'model' => $model,
|
'model' => $model,
|
||||||
]);
|
]);
|
||||||
@ -110,12 +138,12 @@ class ShareController extends Controller
|
|||||||
* @return string|Response
|
* @return string|Response
|
||||||
* @throws NotFoundHttpException if the model cannot be found
|
* @throws NotFoundHttpException if the model cannot be found
|
||||||
*/
|
*/
|
||||||
public function actionUpdate($share_id)
|
public function actionUpdate(int $share_id): Response|string
|
||||||
{
|
{
|
||||||
$model = $this->findModel($share_id);
|
$model = $this->findModel($share_id);
|
||||||
$model->scenario = Share::SCENARIO_UPDATE; // 设置模型为 'update' 场景
|
$model->scenario = Share::SCENARIO_UPDATE; // 设置模型为 'update' 场景
|
||||||
|
|
||||||
if ($this->request->isPost) {
|
if ($this->request instanceof Request && $this->request->isPost) {
|
||||||
$postData = $this->request->post();
|
$postData = $this->request->post();
|
||||||
if (isset($postData['Share']['access_code'])) { // 只加载 'access_code' 字段
|
if (isset($postData['Share']['access_code'])) { // 只加载 'access_code' 字段
|
||||||
$model->access_code = $postData['Share']['access_code'];
|
$model->access_code = $postData['Share']['access_code'];
|
||||||
@ -133,11 +161,12 @@ class ShareController extends Controller
|
|||||||
/**
|
/**
|
||||||
* Deletes an existing Share model.
|
* Deletes an existing Share model.
|
||||||
* If deletion is successful, the browser will be redirected to the 'index' page.
|
* If deletion is successful, the browser will be redirected to the 'index' page.
|
||||||
|
* 注: 不是真的删除
|
||||||
* @param int $share_id Share ID
|
* @param int $share_id Share ID
|
||||||
* @return Response
|
* @return Response
|
||||||
* @throws NotFoundHttpException if the model cannot be found
|
* @throws NotFoundHttpException if the model cannot be found
|
||||||
*/
|
*/
|
||||||
public function actionDelete($share_id)
|
public function actionDelete(int $share_id): Response
|
||||||
{
|
{
|
||||||
// 获取模型
|
// 获取模型
|
||||||
$model = $this->findModel($share_id);
|
$model = $this->findModel($share_id);
|
||||||
@ -162,24 +191,33 @@ class ShareController extends Controller
|
|||||||
* @return Share the loaded model
|
* @return Share the loaded model
|
||||||
* @throws NotFoundHttpException if the model cannot be found
|
* @throws NotFoundHttpException if the model cannot be found
|
||||||
*/
|
*/
|
||||||
protected function findModel($share_id): Share
|
protected function findModel(int $share_id, bool $is_public = false): Share
|
||||||
{
|
{
|
||||||
if (($model = Share::findOne(['share_id' => $share_id])) !== null) {
|
// Not Allow to access other user's share manage page
|
||||||
|
// public share can be accessed by anyone
|
||||||
|
if (($model = Share::findOne(['share_id' => $share_id])) !== null && ($is_public || $model->sharer_id == Yii::$app->user->id)) {
|
||||||
return $model;
|
return $model;
|
||||||
}
|
}
|
||||||
|
|
||||||
throw new NotFoundHttpException('The requested page does not exist.');
|
throw new NotFoundHttpException('没有权限访问这个页面或请求的页面不存在');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* 分享的公开访问点
|
||||||
|
* @param $share_id
|
||||||
|
* @param $access_code
|
||||||
|
* @return string
|
||||||
|
* @throws NotFoundHttpException
|
||||||
|
*/
|
||||||
public function actionAccess($share_id, $access_code = null): string
|
public function actionAccess($share_id, $access_code = null): string
|
||||||
{
|
{
|
||||||
$model = $this->findModel($share_id);
|
$model = $this->findModel($share_id, true);
|
||||||
//检查文件/文件夹是否存在
|
//检查文件/文件夹是否存在
|
||||||
$abp = Yii::getAlias(Yii::$app->params['dataDirectory']) . '/' . $model->sharer_id . '/' . $model->file_relative_path;
|
$abp = Yii::getAlias(Yii::$app->params['dataDirectory']) . '/' . $model->sharer_id . '/' . $model->file_relative_path;
|
||||||
if (!file_exists($abp) || $model->status == 0) {
|
if (!file_exists($abp) || $model->status == 0) {
|
||||||
throw new NotFoundHttpException('分享失效,文件或文件夹不存在');
|
throw new NotFoundHttpException('分享失效,文件或文件夹不存在');
|
||||||
}
|
}
|
||||||
if ($this->request->isPost) {
|
if ($this->request instanceof Request && $this->request->isPost) {
|
||||||
$access_code = $this->request->post('Share')['access_code'];
|
$access_code = $this->request->post('Share')['access_code'];
|
||||||
if ($access_code === $model->access_code) {
|
if ($access_code === $model->access_code) {
|
||||||
// 访问密码正确,显示文件信息和下载按钮
|
// 访问密码正确,显示文件信息和下载按钮
|
||||||
@ -210,14 +248,14 @@ class ShareController extends Controller
|
|||||||
* @throws ForbiddenHttpException
|
* @throws ForbiddenHttpException
|
||||||
* @throws NotFoundHttpException
|
* @throws NotFoundHttpException
|
||||||
*/
|
*/
|
||||||
public function actionDownload($share_id)
|
public function actionDownload($share_id): Response|\yii\console\Response
|
||||||
{
|
{
|
||||||
$access_granted = Yii::$app->session->get('access_granted', []);
|
$access_granted = Yii::$app->session->get('access_granted', []);
|
||||||
if (!isset($access_granted[$share_id]) || !$access_granted[$share_id]) {
|
if (!isset($access_granted[$share_id]) || !$access_granted[$share_id]) {
|
||||||
throw new \yii\web\ForbiddenHttpException('你没有权限下载这个文件');
|
throw new ForbiddenHttpException('你没有权限下载这个文件');
|
||||||
}
|
}
|
||||||
|
|
||||||
$model = $this->findModel($share_id);
|
$model = $this->findModel($share_id, true);
|
||||||
|
|
||||||
$absolutePath = Yii::getAlias(Yii::$app->params['dataDirectory']) . '/' . $model->sharer_id . '/' . $model->file_relative_path;
|
$absolutePath = Yii::getAlias(Yii::$app->params['dataDirectory']) . '/' . $model->sharer_id . '/' . $model->file_relative_path;
|
||||||
if (is_file($absolutePath)) {
|
if (is_file($absolutePath)) {
|
||||||
@ -225,9 +263,9 @@ class ShareController extends Controller
|
|||||||
} else if (is_dir($absolutePath)) {
|
} else if (is_dir($absolutePath)) {
|
||||||
// 如果是文件夹,压缩后发送
|
// 如果是文件夹,压缩后发送
|
||||||
$zipPath = $absolutePath . '.zip';
|
$zipPath = $absolutePath . '.zip';
|
||||||
$zip = new \ZipArchive();
|
$zip = new ZipArchive();
|
||||||
$zip->open($zipPath, \ZipArchive::CREATE | \ZipArchive::OVERWRITE);
|
$zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE);
|
||||||
$files = new \RecursiveIteratorIterator(new \RecursiveDirectoryIterator($absolutePath));
|
$files = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($absolutePath));
|
||||||
foreach ($files as $file) {
|
foreach ($files as $file) {
|
||||||
if (!$file->isDir()) {
|
if (!$file->isDir()) {
|
||||||
$filePath = $file->getRealPath();
|
$filePath = $file->getRealPath();
|
||||||
@ -237,7 +275,7 @@ class ShareController extends Controller
|
|||||||
}
|
}
|
||||||
$zip->close();
|
$zip->close();
|
||||||
return Yii::$app->response->sendFile($zipPath);
|
return Yii::$app->response->sendFile($zipPath);
|
||||||
}else{
|
} else {
|
||||||
throw new NotFoundHttpException('异常,文件不存在');
|
throw new NotFoundHttpException('异常,文件不存在');
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -21,7 +21,7 @@ class CollectionUploaded extends ActiveRecord
|
|||||||
/**
|
/**
|
||||||
* {@inheritdoc}
|
* {@inheritdoc}
|
||||||
*/
|
*/
|
||||||
public static function tableName()
|
public static function tableName(): string
|
||||||
{
|
{
|
||||||
return 'collection_uploaded';
|
return 'collection_uploaded';
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user