From 49c6bb9f0b4ff2cc8b6a8d45d3160f3581b10026 Mon Sep 17 00:00:00 2001
From: steckbrief
Date: Sat, 6 May 2017 14:10:31 +0200
Subject: storage-backend: Add functionality to delete a file via an xmpp server; removed possibility to request a delete token and delete the file afterwards via xmpp client
---
 storage-backend/index.php | 74 ++++++++--------------
 storage-backend/lib/functions.filetransfer.inc.php | 6 +-
 2 files changed, 28 insertions(+), 52 deletions(-)
diff --git a/storage-backend/index.php b/storage-backend/index.php
index 3707963..6bcc5fe 100644
--- a/storage-backend/index.php
+++ b/storage-backend/index.php
@@ -41,11 +41,13 @@
 *
 * The following return codes are used for deleting a file:
 * 204: Success - No Content
- * 403: If a slot does not exist or a slot is not marked for deletion.
- * The slot does not exist
- * The slot does not contain a delete token
- * The slot's delete token does not match the header field "X-FILETRANSFER-HTTP-DELETE-TOKEN"
- * The slot's delete token is not valid any more
+ * 403:
+ * In case the XMPP Server Key is not valid
+ * The user is not allowed to delete a file (e.g. files can only be deleted by the creator and deletion is requested by someone else)
+ * There is no slot file for the file
+ * The filename stored in the slot file differs from the filename of the request
+ * 404: If the file does not exist
+ * 500: If an error occured while deleting
 */
 include_once(__DIR__.'/lib/functions.common.inc.php');
 include_once(__DIR__.'/lib/functions.http.inc.php');
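Review bot: The rewritten DELETE section of the header comment no longer names the request headers a caller has to send, whereas the removed text named `X-FILETRANSFER-HTTP-DELETE-TOKEN`. The handler changed later in this commit reads `HTTP_X_XMPP_SERVER_KEY` and `HTTP_X_USER_JID`, so I would add a line such as ` * Required headers: X-XMPP-SERVER-KEY (key of the requesting XMPP server), X-USER-JID (JID of the user requesting the deletion)` above the return codes. It is also worth stating there that X-USER-JID is trusted only because the server key was accepted, so the key has to stay confidential to the XMPP server. `occured` should read `occurred`.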
@@ -79,30 +81,6 @@ switch ($method) {
 $slots = readSlots($userJid);
 $result = ['list' => $slots];
 break;
- case 'delete':
- // Check if all parameters needed for an delete are present - return 400 (bad request) if a parameter is missing / empty
- $fileURL = getMandatoryPostParameter('file_url');
-
- $slotUUID = getUUIDFromUri($fileURL);
- $filename = getFilenameFromUri($fileURL);
- if (!slotExists($slotUUID, $config)) {
- sendHttpReturnCodeAndJson(403, "The slot does not exist.");
- }
-
- if ($config['delete_only_by_creator']) {
- $slotParameters = loadSlotParameters($slotUUID, $config);
- if ($slotParameters['user_jid'] != $userJid) {
- sendHttpReturnCodeAndJson(403, "Deletion of that file is only allowed by the user created it.");
- }
- }
-
- // generate delete token, register delete token
- $deleteToken = generate_uuid();
- registerDeleteToken($slotUUID, $filename, $deleteToken, $config);
-
- // return 200 for success and delete url Json formatted ( ['delete'=>url] )
- $result = ['deletetoken' => $deleteToken];
- break;
 case 'upload':
 default:
 // Check if all parameters needed for an upload are present - return 400 (bad request) if a parameter is missing / empty
@@ -178,17 +156,25 @@ switch ($method) {
 $uri = $_SERVER["REQUEST_URI"];
 $slotUUID = getUUIDFromUri($uri);
 $filename = getFilenameFromUri($uri);
- $deleteToken = $_SERVER["HTTP_X_FILETRANSFER_HTTP_DELETE_TOKEN"];
+ $xmppServerKey = $_SERVER["HTTP_X_XMPP_SERVER_KEY"];
+ $userJid = $_SERVER["HTTP_X_USER_JID"];
+
+ // Check if xmppServerKey is allowed to request slots
+ if (false === checkXmppServerKey($config['valid_xmpp_server_keys'], $xmppServerKey)) {
+ sendHttpReturnCodeAndJson(403, 'Server is not allowed to delete a file');
+ }
+
+ if ($config['delete_only_by_creator']) {
+ $slotParameters = loadSlotParameters($slotUUID, $config);
+ if ($slotParameters['user_jid'] != $userJid) {
+ sendHttpReturnCodeAndJson(403, "Deletion of that file is only allowed by the user created it.");
+ }
+ }
+
 if (!slotExists($slotUUID, $config)) {
 sendHttpReturnCodeAndJson(403, "The slot does not exist.");
 }
 $slotParameters = loadSlotParameters($slotUUID, $config);
- if ($deleteToken != $slotParameters['delete_token']) {
- sendHttpReturnCodeAndJson(403, "The delete token is not valid.");
- }
- if (time() > $slotParameters['delete_token_valid_till']) {
- sendHttpReturnCodeAndJson(403, "The delete token is not valid anymore.");
- }
 if (!checkFilenameParameter($filename, $slotParameters)) {
 sendHttpReturnCodeAndJson(403, "Filename to delete differs from requested slot filename.");
 }
@@ -196,7 +182,7 @@ switch ($method) {
 if (!file_exists($uploadFilePath)) {
 sendHttpReturnCodeAndJson(404, "The file does not exist.");
 }
-
+
 // Delete file
 if (unlink($uploadFilePath)) {
 // Clean up the server - ignore errors
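Review bot: In the DELETE branch (@@ -178), the `delete_only_by_creator` check calls `loadSlotParameters()` before `slotExists()` has confirmed the slot file is there, and both headers are read from `$_SERVER` without checking that they were sent. For a request that omits `X-USER-JID` and names an unknown slot, both sides of the loose `!=` are presumably null, so the creator check passes and only the later `slotExists()` call rejects the request; the authorization result then depends on statement order. I would check existence first, load the slot once, reject an empty JID and compare with `!==`. Whether `checkXmppServerKey()` compares keys in constant time is not visible here; if it does not, `hash_equals()` is the fix. The enclosing switch case starts and ends outside the hunk.

```php
$xmppServerKey = isset($_SERVER['HTTP_X_XMPP_SERVER_KEY']) ? $_SERVER['HTTP_X_XMPP_SERVER_KEY'] : '';
$userJid = isset($_SERVER['HTTP_X_USER_JID']) ? $_SERVER['HTTP_X_USER_JID'] : '';

// … unchanged: checkXmppServerKey() rejection with 403 …

// Confirm the slot exists before its parameters are loaded.
if (!slotExists($slotUUID, $config)) {
    sendHttpReturnCodeAndJson(403, "The slot does not exist.");
}
$slotParameters = loadSlotParameters($slotUUID, $config);

// A missing X-USER-JID must never satisfy the creator check.
if ($config['delete_only_by_creator']
    && ($userJid === '' || $slotParameters['user_jid'] !== $userJid)) {
    sendHttpReturnCodeAndJson(403, "Deletion of that file is only allowed by the user created it.");
}
// … unchanged: filename check, file_exists check, unlink …
```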
@@ -245,26 +231,16 @@ function getFilenameFromUri($uri) { return substr($uri, $lastSlash); } -function registerSlot($slotUUID, $filename, $filesize, $contentType, $userJid, $receipientJid, $config) { +function registerSlot($slotUUID, $filename, $filesize, $contentType, $userJid, $recipientJid, $config) { $contents = " \''.$filename.'\', \'filesize\' => \''.$filesize.'\', '; - $contents .= '\'content_type\' => \''.$contentType.'\', \'user_jid\' => \''.$userJid.'\', \'receipient_jid\' => \''.$receipientJid.'\'];'; + $contents .= '\'content_type\' => \''.$contentType.'\', \'user_jid\' => \''.$userJid.'\', \'recipient_jid\' => \''.$recipientJid.'\'];'; $contents .= "\n?>"; if (!file_put_contents(getSlotFilePath($slotUUID, $config), $contents)) { sendHttpReturnCodeAndMessage(500, "Could not create slot registry entry."); } } -function registerDeleteToken($slotUUID, $filename, $deleteToken, $config) { - $slotFilePath = getSlotFilePath($slotUUID, $config); - $contents = file_get_contents($slotFilePath); - $validTo = time() + $config['delete_token_validity']; - $newContents = str_replace("]", ", 'delete_token' => '".$deleteToken."', 'delete_token_valid_till' => '".$validTo."']", $contents); - if (!file_put_contents($slotFilePath, $newContents)) { - sendHttpReturnCodeAndMessage(500, "Could not update slot registry entry."); - } -} - function slotExists($slotUUID, $config) { return file_exists(getSlotFilePath($slotUUID, $config)); } diff --git a/storage-backend/lib/functions.filetransfer.inc.php b/storage-backend/lib/functions.filetransfer.inc.php index 607d30f..440c41a 100644 --- a/storage-backend/lib/functions.filetransfer.inc.php +++ b/storage-backend/lib/functions.filetransfer.inc.php 
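Review bot: `registerSlot()` (@@ -245) still builds the slot file as PHP source by concatenating `$filename`, `$contentType`, `$userJid` and `$recipientJid` into single-quoted literals, and nothing in the function escapes them. If any of these values can contain a single quote or a backslash, and the slot file is later loaded as PHP (not shown here, though the `?>` terminator suggests it), the stored file no longer holds the intended array. Unless every caller already validates these fields, emit each value with `var_export()`, for example `'\'user_jid\' => '.var_export($userJid, true).', '`, or store the parameters as JSON and decode them on load.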
@@ -36,7 +36,7 @@ function readSlots($jid) {
 $slotUUID = $entry;
 $params = loadSlotParameters($slotUUID, $config);
 $senderBareJid = getBareJid($params['user_jid']);
- $recipientBareJid = (array_key_exists('receipient_jid', $params)) ? getBareJid($params['receipient_jid']) : '';
+ $recipientBareJid = (array_key_exists('recipient_jid', $params)) ? getBareJid($params['recipient_jid']) : '';
 if ($senderBareJid == $jid || $recipientBareJid == $jid) {
 $filePath = getUploadFilePath($slotUUID, $config, $params['filename']);
 $file = [];
@@ -52,8 +52,8 @@ function readSlots($jid) {
 $file['fileinfo']['content_type'] = $params['content_type'];
 $file['sender_jid'] = $senderBareJid;
 $file['recipient_jid'] = $recipientBareJid;
- if (null == $file['receipient_jid']) {
- $file['receipient_jid'] = "";
+ if (null == $file['recipient_jid']) {
+ $file['recipient_jid'] = "";
 }
 $slots[] = $file;
 }
-- cgit v1.2.3
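Review bot: Renaming the stored key to `recipient_jid` in the first readSlots hunk (@@ -36) means slot files written before this commit, which carry `receipient_jid`, now yield an empty `$recipientBareJid`, so those files would no longer be listed for their recipient. Unless existing slot files are migrated, a fallback keeps them visible: `$rawRecipient = isset($params['recipient_jid']) ? $params['recipient_jid'] : (isset($params['receipient_jid']) ? $params['receipient_jid'] : '');` followed by `$recipientBareJid = ('' !== $rawRecipient) ? getBareJid($rawRecipient) : '';`. In the second hunk (@@ -52) the guard would state its intent more clearly as `if (null === $file['recipient_jid'])`, assuming `getBareJid()` can return null. The body of readSlots continues outside both hunks.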