aboutsummaryrefslogtreecommitdiffstats
path: root/storage-backend/index.php
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--storage-backend/index.php74
1 files changed, 25 insertions, 49 deletions
diff --git a/storage-backend/index.php b/storage-backend/index.php
index 3707963..6bcc5fe 100644
--- a/storage-backend/index.php
+++ b/storage-backend/index.php
@@ -41,11 +41,13 @@
*
* The following return codes are used for deleting a file:
* 204: Success - No Content
- * 403: If a slot does not exist or a slot is not marked for deletion.
- * The slot does not exist
- * The slot does not contain a delete token
- * The slot's delete token does not match the header field "X-FILETRANSFER-HTTP-DELETE-TOKEN"
- * The slot's delete token is not valid any more
+ * 403:
+ * In case the XMPP Server Key is not valid
+ * The user is not allowed to delete a file (e.g. files can only be deleted by the creator and deletion is requested by someone else)
+ * There is no slot file for the file
+ * The filename stored in the slot file differs from the filename of the request
+ * 404: If the file does not exist
+ * 500: If an error occured while deleting
*/
include_once(__DIR__.'/lib/functions.common.inc.php');
include_once(__DIR__.'/lib/functions.http.inc.php');
@@ -79,30 +81,6 @@ switch ($method) {
$slots = readSlots($userJid);
$result = ['list' => $slots];
break;
- case 'delete':
- // Check if all parameters needed for an delete are present - return 400 (bad request) if a parameter is missing / empty
- $fileURL = getMandatoryPostParameter('file_url');
-
- $slotUUID = getUUIDFromUri($fileURL);
- $filename = getFilenameFromUri($fileURL);
- if (!slotExists($slotUUID, $config)) {
- sendHttpReturnCodeAndJson(403, "The slot does not exist.");
- }
-
- if ($config['delete_only_by_creator']) {
- $slotParameters = loadSlotParameters($slotUUID, $config);
- if ($slotParameters['user_jid'] != $userJid) {
- sendHttpReturnCodeAndJson(403, "Deletion of that file is only allowed by the user created it.");
- }
- }
-
- // generate delete token, register delete token
- $deleteToken = generate_uuid();
- registerDeleteToken($slotUUID, $filename, $deleteToken, $config);
-
- // return 200 for success and delete url Json formatted ( ['delete'=>url] )
- $result = ['deletetoken' => $deleteToken];
- break;
case 'upload':
default:
// Check if all parameters needed for an upload are present - return 400 (bad request) if a parameter is missing / empty
@@ -178,17 +156,25 @@ switch ($method) {
$uri = $_SERVER["REQUEST_URI"];
$slotUUID = getUUIDFromUri($uri);
$filename = getFilenameFromUri($uri);
- $deleteToken = $_SERVER["HTTP_X_FILETRANSFER_HTTP_DELETE_TOKEN"];
+ $xmppServerKey = $_SERVER["HTTP_X_XMPP_SERVER_KEY"];
+ $userJid = $_SERVER["HTTP_X_USER_JID"];
+
+ // Check if xmppServerKey is allowed to request slots
+ if (false === checkXmppServerKey($config['valid_xmpp_server_keys'], $xmppServerKey)) {
+ sendHttpReturnCodeAndJson(403, 'Server is not allowed to delete a file');
+ }
+
+ if ($config['delete_only_by_creator']) {
+ $slotParameters = loadSlotParameters($slotUUID, $config);
+ if ($slotParameters['user_jid'] != $userJid) {
+ sendHttpReturnCodeAndJson(403, "Deletion of that file is only allowed by the user created it.");
+ }
+ }
+
if (!slotExists($slotUUID, $config)) {
sendHttpReturnCodeAndJson(403, "The slot does not exist.");
}
$slotParameters = loadSlotParameters($slotUUID, $config);
- if ($deleteToken != $slotParameters['delete_token']) {
- sendHttpReturnCodeAndJson(403, "The delete token is not valid.");
- }
- if (time() > $slotParameters['delete_token_valid_till']) {
- sendHttpReturnCodeAndJson(403, "The delete token is not valid anymore.");
- }
if (!checkFilenameParameter($filename, $slotParameters)) {
sendHttpReturnCodeAndJson(403, "Filename to delete differs from requested slot filename.");
}
@@ -196,7 +182,7 @@ switch ($method) {
if (!file_exists($uploadFilePath)) {
sendHttpReturnCodeAndJson(404, "The file does not exist.");
}
-
+
// Delete file
if (unlink($uploadFilePath)) {
// Clean up the server - ignore errors
@@ -245,26 +231,16 @@ function getFilenameFromUri($uri) {
return substr($uri, $lastSlash);
}
-function registerSlot($slotUUID, $filename, $filesize, $contentType, $userJid, $receipientJid, $config) {
+function registerSlot($slotUUID, $filename, $filesize, $contentType, $userJid, $recipientJid, $config) {
$contents = "<?php\n/*\n * This is an autogenerated file - do not edit\n */\n\n";
$contents .= 'return [\'filename\' => \''.$filename.'\', \'filesize\' => \''.$filesize.'\', ';
- $contents .= '\'content_type\' => \''.$contentType.'\', \'user_jid\' => \''.$userJid.'\', \'receipient_jid\' => \''.$receipientJid.'\'];';
+ $contents .= '\'content_type\' => \''.$contentType.'\', \'user_jid\' => \''.$userJid.'\', \'recipient_jid\' => \''.$recipientJid.'\'];';
$contents .= "\n?>";
if (!file_put_contents(getSlotFilePath($slotUUID, $config), $contents)) {
sendHttpReturnCodeAndMessage(500, "Could not create slot registry entry.");
}
}
-function registerDeleteToken($slotUUID, $filename, $deleteToken, $config) {
- $slotFilePath = getSlotFilePath($slotUUID, $config);
- $contents = file_get_contents($slotFilePath);
- $validTo = time() + $config['delete_token_validity'];
- $newContents = str_replace("]", ", 'delete_token' => '".$deleteToken."', 'delete_token_valid_till' => '".$validTo."']", $contents);
- if (!file_put_contents($slotFilePath, $newContents)) {
- sendHttpReturnCodeAndMessage(500, "Could not update slot registry entry.");
- }
-}
-
function slotExists($slotUUID, $config) {
return file_exists(getSlotFilePath($slotUUID, $config));
}