Diffstat (limited to 'storage-backend/index.php')
-rw-r--r-- | storage-backend/index.php | 74 |
1 files changed, 25 insertions, 49 deletions
diff --git a/storage-backend/index.php b/storage-backend/index.php index 3707963..6bcc5fe 100644 --- a/storage-backend/index.php +++ b/storage-backend/index.php @@ -41,11 +41,13 @@ * * The following return codes are used for deleting a file: * 204: Success - No Content - * 403: If a slot does not exist or a slot is not marked for deletion. - * The slot does not exist - * The slot does not contain a delete token - * The slot's delete token does not match the header field "X-FILETRANSFER-HTTP-DELETE-TOKEN" - * The slot's delete token is not valid any more + * 403: + * In case the XMPP Server Key is not valid + * The user is not allowed to delete a file (e.g. files can only be deleted by the creator and deletion is requested by someone else) + * There is no slot file for the file + * The filename stored in the slot file differs from the filename of the request + * 404: If the file does not exist + * 500: If an error occured while deleting */ include_once(__DIR__.'/lib/functions.common.inc.php'); include_once(__DIR__.'/lib/functions.http.inc.php'); 
@@ -79,30 +81,6 @@ switch ($method) { $slots = readSlots($userJid); $result = ['list' => $slots]; break; - case 'delete': - // Check if all parameters needed for an delete are present - return 400 (bad request) if a parameter is missing / empty - $fileURL = getMandatoryPostParameter('file_url'); - - $slotUUID = getUUIDFromUri($fileURL); - $filename = getFilenameFromUri($fileURL); - if (!slotExists($slotUUID, $config)) { - sendHttpReturnCodeAndJson(403, "The slot does not exist."); - } - - if ($config['delete_only_by_creator']) { - $slotParameters = loadSlotParameters($slotUUID, $config); - if ($slotParameters['user_jid'] != $userJid) { - sendHttpReturnCodeAndJson(403, "Deletion of that file is only allowed by the user created it."); - } - } - - // generate delete token, register delete token - $deleteToken = generate_uuid(); - registerDeleteToken($slotUUID, $filename, $deleteToken, $config); - - // return 200 for success and delete url Json formatted ( ['delete'=>url] ) - $result = ['deletetoken' => $deleteToken]; - break; case 'upload': default: // Check if all parameters needed for an upload are present - return 400 (bad request) if a parameter is missing / empty 
@@ -178,17 +156,25 @@ switch ($method) { $uri = $_SERVER["REQUEST_URI"]; $slotUUID = getUUIDFromUri($uri); $filename = getFilenameFromUri($uri); - $deleteToken = $_SERVER["HTTP_X_FILETRANSFER_HTTP_DELETE_TOKEN"]; + $xmppServerKey = $_SERVER["HTTP_X_XMPP_SERVER_KEY"]; + $userJid = $_SERVER["HTTP_X_USER_JID"]; + + // Check if xmppServerKey is allowed to request slots + if (false === checkXmppServerKey($config['valid_xmpp_server_keys'], $xmppServerKey)) { + sendHttpReturnCodeAndJson(403, 'Server is not allowed to delete a file'); + } + + if ($config['delete_only_by_creator']) { + $slotParameters = loadSlotParameters($slotUUID, $config); + if ($slotParameters['user_jid'] != $userJid) { + sendHttpReturnCodeAndJson(403, "Deletion of that file is only allowed by the user created it."); + } + } + if (!slotExists($slotUUID, $config)) { sendHttpReturnCodeAndJson(403, "The slot does not exist."); } $slotParameters = loadSlotParameters($slotUUID, $config); - if ($deleteToken != $slotParameters['delete_token']) { - sendHttpReturnCodeAndJson(403, "The delete token is not valid."); - } - if (time() > $slotParameters['delete_token_valid_till']) { - sendHttpReturnCodeAndJson(403, "The delete token is not valid anymore."); - } if (!checkFilenameParameter($filename, $slotParameters)) { sendHttpReturnCodeAndJson(403, "Filename to delete differs from requested slot filename."); } @@ -196,7 +182,7 @@ switch ($method) { if (!file_exists($uploadFilePath)) { sendHttpReturnCodeAndJson(404, "The file does not exist."); } - + // Delete file if (unlink($uploadFilePath)) { // Clean up the server - ignore errors 
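Review bot: In the DELETE branch the creator check calls `loadSlotParameters($slotUUID, $config)` before `slotExists()` has run, so a request for an unknown slot reaches the loader first and the ownership comparison runs on whatever it returns for a missing file (its behaviour is not visible here). Moving the `slotExists()` guard above the `delete_only_by_creator` block fixes the order and makes the second `loadSlotParameters()` call unnecessary. The comparison should be strict (`!==`), since `!=` applies PHP's loose comparison rules to an identity check, and both `$_SERVER` reads should tolerate a missing header instead of raising an undefined-index notice and passing null on. `X-User-Jid` is supplied by the caller, so the creator check is only as strong as the secrecy of the server key. The enclosing `switch` case starts and ends outside this hunk.

```php
$xmppServerKey = isset($_SERVER['HTTP_X_XMPP_SERVER_KEY']) ? $_SERVER['HTTP_X_XMPP_SERVER_KEY'] : '';
$userJid = isset($_SERVER['HTTP_X_USER_JID']) ? $_SERVER['HTTP_X_USER_JID'] : '';

// … unchanged: checkXmppServerKey() guard …

if (!slotExists($slotUUID, $config)) {
    sendHttpReturnCodeAndJson(403, "The slot does not exist.");
}
$slotParameters = loadSlotParameters($slotUUID, $config);
if ($config['delete_only_by_creator'] && $slotParameters['user_jid'] !== $userJid) {
    sendHttpReturnCodeAndJson(403, "Deletion of that file is only allowed by the user created it.");
}

// … unchanged: filename check, file_exists() and unlink() …
```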
@@ -245,26 +231,16 @@ function getFilenameFromUri($uri) { return substr($uri, $lastSlash); } -function registerSlot($slotUUID, $filename, $filesize, $contentType, $userJid, $receipientJid, $config) { +function registerSlot($slotUUID, $filename, $filesize, $contentType, $userJid, $recipientJid, $config) { $contents = "<?php\n/*\n * This is an autogenerated file - do not edit\n */\n\n"; $contents .= 'return [\'filename\' => \''.$filename.'\', \'filesize\' => \''.$filesize.'\', '; - $contents .= '\'content_type\' => \''.$contentType.'\', \'user_jid\' => \''.$userJid.'\', \'receipient_jid\' => \''.$receipientJid.'\'];'; + $contents .= '\'content_type\' => \''.$contentType.'\', \'user_jid\' => \''.$userJid.'\', \'recipient_jid\' => \''.$recipientJid.'\'];'; $contents .= "\n?>"; if (!file_put_contents(getSlotFilePath($slotUUID, $config), $contents)) { sendHttpReturnCodeAndMessage(500, "Could not create slot registry entry."); } } -function registerDeleteToken($slotUUID, $filename, $deleteToken, $config) { - $slotFilePath = getSlotFilePath($slotUUID, $config); - $contents = file_get_contents($slotFilePath); - $validTo = time() + $config['delete_token_validity']; - $newContents = str_replace("]", ", 'delete_token' => '".$deleteToken."', 'delete_token_valid_till' => '".$validTo."']", $contents); - if (!file_put_contents($slotFilePath, $newContents)) { - sendHttpReturnCodeAndMessage(500, "Could not update slot registry entry."); - } -} - function slotExists($slotUUID, $config) { return file_exists(getSlotFilePath($slotUUID, $config)); } |
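Review bot: `registerSlot()` still writes `$filename`, `$contentType`, `$userJid` and `$recipientJid` into a generated PHP file between single quotes without escaping, so a quote or backslash in any of them changes the code of the slot file rather than its data; whether these values are validated before this call is not visible in the hunk. Letting PHP do the quoting removes the problem: `$contents .= 'return '.var_export(['filename' => $filename, 'filesize' => (string) $filesize, 'content_type' => $contentType, 'user_jid' => $userJid, 'recipient_jid' => $recipientJid], true).';';`. Separately, the key rename from `receipient_jid` to `recipient_jid` means slot files written before this commit keep the old key, so any reader of the new key needs a fallback or a migration.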