From 49c6bb9f0b4ff2cc8b6a8d45d3160f3581b10026 Mon Sep 17 00:00:00 2001
From: steckbrief <steckbrief@chefmail.de>
Date: Sat, 6 May 2017 14:10:31 +0200
Subject: storage-backend: Add functionality to delete a file via an xmpp
 server; removed possibility to request a delete token and delete the file
 afterwards via xmpp client

---
 storage-backend/index.php                          | 74 ++++++++--------------
 storage-backend/lib/functions.filetransfer.inc.php |  6 +-
 2 files changed, 28 insertions(+), 52 deletions(-)

diff --git a/storage-backend/index.php b/storage-backend/index.php
index 3707963..6bcc5fe 100644
--- a/storage-backend/index.php
+++ b/storage-backend/index.php
@@ -41,11 +41,13 @@
  * 
  * The following return codes are used for deleting a file:
  * 204: Success - No Content
- * 403: If a slot does not exist or a slot is not marked for deletion.
- *   The slot does not exist
- *   The slot does not contain a delete token
- *   The slot's delete token does not match the header field "X-FILETRANSFER-HTTP-DELETE-TOKEN"
- *   The slot's delete token is not valid any more
+ * 403:
+ *   In case the XMPP Server Key is not valid
+ *   The user is not allowed to delete a file (e.g. files can only be deleted by the creator and deletion is requested by someone else)
+ *   There is no slot file for the file
+ *   The filename stored in the slot file differs from the filename of the request
+ * 404: If the file does not exist
+ * 500: If an error occured while deleting
  */
 include_once(__DIR__.'/lib/functions.common.inc.php');
 include_once(__DIR__.'/lib/functions.http.inc.php');
@@ -79,30 +81,6 @@ switch ($method) {
         $slots = readSlots($userJid);
         $result = ['list' => $slots];
         break;
-      case 'delete':
-        // Check if all parameters needed for an delete are present - return 400 (bad request) if a parameter is missing / empty
-        $fileURL = getMandatoryPostParameter('file_url');
-        
-        $slotUUID = getUUIDFromUri($fileURL);
-        $filename = getFilenameFromUri($fileURL);
-        if (!slotExists($slotUUID, $config)) {
-          sendHttpReturnCodeAndJson(403, "The slot does not exist.");
-        }
-        
-        if ($config['delete_only_by_creator']) {
-          $slotParameters = loadSlotParameters($slotUUID, $config);
-          if ($slotParameters['user_jid'] != $userJid) {
-            sendHttpReturnCodeAndJson(403, "Deletion of that file is only allowed by the user created it.");
-          }
-        }
-        
-        // generate delete token, register delete token
-        $deleteToken = generate_uuid();
-        registerDeleteToken($slotUUID, $filename, $deleteToken, $config);
-        
-        // return 200 for success and delete url Json formatted ( ['delete'=>url] )
-        $result = ['deletetoken' => $deleteToken];
-      break;
       case 'upload':
       default:
         // Check if all parameters needed for an upload are present - return 400 (bad request) if a parameter is missing / empty
@@ -178,17 +156,25 @@ switch ($method) {
     $uri = $_SERVER["REQUEST_URI"];
     $slotUUID = getUUIDFromUri($uri);
     $filename = getFilenameFromUri($uri);
-    $deleteToken = $_SERVER["HTTP_X_FILETRANSFER_HTTP_DELETE_TOKEN"];
+    $xmppServerKey = $_SERVER["HTTP_X_XMPP_SERVER_KEY"];
+    $userJid = $_SERVER["HTTP_X_USER_JID"];
+
+    // Check if xmppServerKey is allowed to request slots
+    if (false === checkXmppServerKey($config['valid_xmpp_server_keys'], $xmppServerKey)) {
+      sendHttpReturnCodeAndJson(403, 'Server is not allowed to delete a file');
+    }
+
+    if ($config['delete_only_by_creator']) {
+      $slotParameters = loadSlotParameters($slotUUID, $config);
+      if ($slotParameters['user_jid'] != $userJid) {
+        sendHttpReturnCodeAndJson(403, "Deletion of that file is only allowed by the user created it.");
+      }
+    }
+
     if (!slotExists($slotUUID, $config)) {
       sendHttpReturnCodeAndJson(403, "The slot does not exist.");
     }
     $slotParameters = loadSlotParameters($slotUUID, $config);
-    if ($deleteToken != $slotParameters['delete_token']) {
-      sendHttpReturnCodeAndJson(403, "The delete token is not valid.");
-    }
-    if (time() > $slotParameters['delete_token_valid_till']) {
-      sendHttpReturnCodeAndJson(403, "The delete token is not valid anymore.");
-    }
     if (!checkFilenameParameter($filename, $slotParameters)) {
       sendHttpReturnCodeAndJson(403, "Filename to delete differs from requested slot filename.");
     }
@@ -196,7 +182,7 @@ switch ($method) {
     if (!file_exists($uploadFilePath)) {
       sendHttpReturnCodeAndJson(404, "The file does not exist.");
     }
-    
+
     // Delete file
     if (unlink($uploadFilePath)) {
       // Clean up the server - ignore errors
@@ -245,26 +231,16 @@ function getFilenameFromUri($uri) {
   return substr($uri, $lastSlash);
 }
 
-function registerSlot($slotUUID, $filename, $filesize, $contentType, $userJid, $receipientJid, $config) {
+function registerSlot($slotUUID, $filename, $filesize, $contentType, $userJid, $recipientJid, $config) {
   $contents = "<?php\n/*\n * This is an autogenerated file - do not edit\n */\n\n";
   $contents .= 'return [\'filename\' => \''.$filename.'\', \'filesize\' => \''.$filesize.'\', ';
-  $contents .= '\'content_type\' => \''.$contentType.'\', \'user_jid\' => \''.$userJid.'\', \'receipient_jid\' => \''.$receipientJid.'\'];';
+  $contents .= '\'content_type\' => \''.$contentType.'\', \'user_jid\' => \''.$userJid.'\', \'recipient_jid\' => \''.$recipientJid.'\'];';
   $contents .= "\n?>";
   if (!file_put_contents(getSlotFilePath($slotUUID, $config), $contents)) {
     sendHttpReturnCodeAndMessage(500, "Could not create slot registry entry.");
   }
 }
 
-function registerDeleteToken($slotUUID, $filename, $deleteToken, $config) {
-  $slotFilePath = getSlotFilePath($slotUUID, $config);
-  $contents = file_get_contents($slotFilePath);
-  $validTo = time() + $config['delete_token_validity'];
-  $newContents = str_replace("]", ", 'delete_token' => '".$deleteToken."', 'delete_token_valid_till' => '".$validTo."']", $contents);
-  if (!file_put_contents($slotFilePath, $newContents)) {
-    sendHttpReturnCodeAndMessage(500, "Could not update slot registry entry.");
-  }
-}
-
 function slotExists($slotUUID, $config) {
   return file_exists(getSlotFilePath($slotUUID, $config));
 }
diff --git a/storage-backend/lib/functions.filetransfer.inc.php b/storage-backend/lib/functions.filetransfer.inc.php
index 607d30f..440c41a 100644
--- a/storage-backend/lib/functions.filetransfer.inc.php
+++ b/storage-backend/lib/functions.filetransfer.inc.php
@@ -36,7 +36,7 @@ function readSlots($jid)  {
                 $slotUUID = $entry;
                 $params = loadSlotParameters($slotUUID, $config);
                 $senderBareJid = getBareJid($params['user_jid']);
-                $recipientBareJid = (array_key_exists('receipient_jid', $params)) ? getBareJid($params['receipient_jid']) : '';
+                $recipientBareJid = (array_key_exists('recipient_jid', $params)) ? getBareJid($params['recipient_jid']) : '';
                 if ($senderBareJid == $jid || $recipientBareJid == $jid) {
                     $filePath = getUploadFilePath($slotUUID, $config, $params['filename']);
                     $file = [];
@@ -52,8 +52,8 @@ function readSlots($jid)  {
                     $file['fileinfo']['content_type'] = $params['content_type'];
                     $file['sender_jid'] = $senderBareJid;
                     $file['recipient_jid'] = $recipientBareJid;
-                    if (null == $file['receipient_jid']) {
-                      $file['receipient_jid'] = "";
+                    if (null == $file['recipient_jid']) {
+                      $file['recipient_jid'] = "";
                     }
                     $slots[] = $file;
                 }
-- 
cgit v1.2.3