2011-01-23 03:33:00 +01:00
|
|
|
<?php
|
|
|
|
|
|
|
|
/*
|
2012-01-10 23:48:55 +01:00
|
|
|
* Copyright 2012 Facebook, Inc.
|
2011-01-23 03:33:00 +01:00
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
|
|
|
|
|
|
|
class PhabricatorFileViewController extends PhabricatorFileController {
|
|
|
|
|
|
|
|
private $phid;
|
|
|
|
private $view;
|
|
|
|
|
|
|
|
public function willProcessRequest(array $data) {
|
|
|
|
$this->phid = $data['phid'];
|
|
|
|
$this->view = $data['view'];
|
|
|
|
}
|
|
|
|
|
|
|
|
public function processRequest() {
|
|
|
|
|
Use phabricator_ time functions in more places
Summary:
Replace some more date() calls with locale-aware calls.
Also, at least on my system, the DateTimeZone / DateTime stuff didn't actually
work and always rendered in UTC. Fixed that.
Test Plan:
Viewed daemon console, differential revisions, files, and maniphest timestamps
in multiple timezones.
Reviewed By: toulouse
Reviewers: toulouse, fratrik, jungejason, aran, tuomaspelkonen
CC: aran, toulouse
Differential Revision: 530
2011-06-26 18:22:52 +02:00
|
|
|
$request = $this->getRequest();
|
|
|
|
$user = $request->getUser();
|
|
|
|
|
2011-01-23 03:33:00 +01:00
|
|
|
$file = id(new PhabricatorFile())->loadOneWhere(
|
|
|
|
'phid = %s',
|
|
|
|
$this->phid);
|
|
|
|
if (!$file) {
|
|
|
|
return new Aphront404Response();
|
|
|
|
}
|
2011-02-22 18:22:57 +01:00
|
|
|
|
2011-01-23 03:33:00 +01:00
|
|
|
switch ($this->view) {
|
|
|
|
case 'download':
|
|
|
|
case 'view':
|
|
|
|
$data = $file->loadFileData();
|
|
|
|
$response = new AphrontFileResponse();
|
|
|
|
$response->setContent($data);
|
2011-04-11 11:24:39 +02:00
|
|
|
$response->setCacheDurationInSeconds(60 * 60 * 24 * 30);
|
2011-02-22 18:22:57 +01:00
|
|
|
|
2011-02-22 18:19:14 +01:00
|
|
|
if ($this->view == 'view') {
|
|
|
|
if (!$file->isViewableInBrowser()) {
|
|
|
|
return new Aphront400Response();
|
|
|
|
}
|
|
|
|
$download = false;
|
|
|
|
} else {
|
|
|
|
$download = true;
|
|
|
|
}
|
2011-02-22 18:22:57 +01:00
|
|
|
|
2011-08-02 06:01:37 +02:00
|
|
|
if ($download) {
|
|
|
|
if (!$request->isFormPost()) {
|
|
|
|
// Require a POST to download files to hinder attacks where you
|
|
|
|
// <applet src="http://phabricator.example.com/file/..." /> on some
|
|
|
|
// other domain.
|
|
|
|
return id(new AphrontRedirectResponse())
|
|
|
|
->setURI($file->getInfoURI());
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-02-22 18:19:14 +01:00
|
|
|
if ($download) {
|
|
|
|
$mime_type = $file->getMimeType();
|
|
|
|
} else {
|
|
|
|
$mime_type = $file->getViewableMimeType();
|
|
|
|
}
|
|
|
|
|
Provide a setting which forces all file views to be served from an alternate
domain
Summary:
See D758, D759.
- Provide a strongly recommended setting which permits configuration of an
alternate domain.
- Lock cookies down better: set them on the exact domain, and use SSL-only if
the configuration is HTTPS.
- Prevent Phabriator from setting cookies on other domains.
This assumes D759 will land, it is not effective without that change.
Test Plan:
- Attempted to login from a different domain and was rejected.
- Logged out, logged back in normally.
- Put install in setup mode and verified it revealed a warning.
- Configured an alterate domain.
- Tried to view an image with an old URI, got a 400.
- Went to /files/ and verified links rendered to the alternate domain.
- Viewed an alternate domain file.
- Tried to view an alternate domain file without the secret key, got a 404.
Reviewers: andrewjcg, erling, aran, tuomaspelkonen, jungejason, codeblock
CC: aran
Differential Revision: 760
2011-08-02 07:24:00 +02:00
|
|
|
// If an alternate file domain is configured, forbid all views which
|
|
|
|
// don't originate from it.
|
|
|
|
if (!$download) {
|
|
|
|
$alt = PhabricatorEnv::getEnvConfig('security.alternate-file-domain');
|
|
|
|
if ($alt) {
|
|
|
|
$domain = id(new PhutilURI($alt))->getDomain();
|
|
|
|
if ($domain != $request->getHost()) {
|
|
|
|
return new Aphront400Response();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-02-22 18:19:14 +01:00
|
|
|
$response->setMimeType($mime_type);
|
2011-02-22 18:22:57 +01:00
|
|
|
|
2011-02-22 18:19:14 +01:00
|
|
|
if ($download) {
|
2011-01-23 03:33:00 +01:00
|
|
|
$response->setDownload($file->getName());
|
|
|
|
}
|
|
|
|
return $response;
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2011-07-08 06:17:00 +02:00
|
|
|
$author_child = null;
|
|
|
|
if ($file->getAuthorPHID()) {
|
|
|
|
$author = id(new PhabricatorUser())->loadOneWhere(
|
|
|
|
'phid = %s',
|
|
|
|
$file->getAuthorPHID());
|
|
|
|
|
|
|
|
if ($author) {
|
|
|
|
$author_child = id(new AphrontFormStaticControl())
|
|
|
|
->setLabel('Author')
|
|
|
|
->setName('author')
|
|
|
|
->setValue($author->getUserName());
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-01-23 03:33:00 +01:00
|
|
|
$form = new AphrontFormView();
|
2011-02-22 18:22:57 +01:00
|
|
|
|
2012-01-16 22:26:44 +01:00
|
|
|
$submit = new AphrontFormSubmitControl();
|
|
|
|
|
2011-02-22 18:19:14 +01:00
|
|
|
if ($file->isViewableInBrowser()) {
|
Provide a setting which forces all file views to be served from an alternate
domain
Summary:
See D758, D759.
- Provide a strongly recommended setting which permits configuration of an
alternate domain.
- Lock cookies down better: set them on the exact domain, and use SSL-only if
the configuration is HTTPS.
- Prevent Phabriator from setting cookies on other domains.
This assumes D759 will land, it is not effective without that change.
Test Plan:
- Attempted to login from a different domain and was rejected.
- Logged out, logged back in normally.
- Put install in setup mode and verified it revealed a warning.
- Configured an alterate domain.
- Tried to view an image with an old URI, got a 400.
- Went to /files/ and verified links rendered to the alternate domain.
- Viewed an alternate domain file.
- Tried to view an alternate domain file without the secret key, got a 404.
Reviewers: andrewjcg, erling, aran, tuomaspelkonen, jungejason, codeblock
CC: aran
Differential Revision: 760
2011-08-02 07:24:00 +02:00
|
|
|
$form->setAction($file->getViewURI());
|
2012-01-16 22:26:44 +01:00
|
|
|
$submit->setValue('View File');
|
2011-02-22 18:19:14 +01:00
|
|
|
} else {
|
|
|
|
$form->setAction('/file/download/'.$file->getPHID().'/');
|
2012-01-16 22:26:44 +01:00
|
|
|
$submit->setValue('Download File');
|
|
|
|
}
|
|
|
|
|
|
|
|
if (($user->getPHID() == $file->getAuthorPHID()) ||
|
|
|
|
($user->getIsAdmin())) {
|
|
|
|
$submit->addCancelButton(
|
|
|
|
'/file/delete/'.$file->getID().'/',
|
|
|
|
'Delete File');
|
2011-02-22 18:19:14 +01:00
|
|
|
}
|
2011-07-30 01:01:59 +02:00
|
|
|
|
|
|
|
$file_id = 'F'.$file->getID();
|
|
|
|
|
2011-07-08 06:17:00 +02:00
|
|
|
$form->setUser($user);
|
2011-01-23 03:33:00 +01:00
|
|
|
$form
|
|
|
|
->appendChild(
|
|
|
|
id(new AphrontFormStaticControl())
|
|
|
|
->setLabel('Name')
|
|
|
|
->setName('name')
|
|
|
|
->setValue($file->getName()))
|
2011-07-30 01:01:59 +02:00
|
|
|
->appendChild(
|
|
|
|
id(new AphrontFormStaticControl())
|
|
|
|
->setLabel('ID')
|
|
|
|
->setName('id')
|
|
|
|
->setValue($file_id)
|
|
|
|
->setCaption(
|
|
|
|
'Download this file with: <tt>arc download '.
|
|
|
|
phutil_escape_html($file_id).'</tt>'))
|
2011-01-23 03:33:00 +01:00
|
|
|
->appendChild(
|
|
|
|
id(new AphrontFormStaticControl())
|
|
|
|
->setLabel('PHID')
|
|
|
|
->setName('phid')
|
|
|
|
->setValue($file->getPHID()))
|
2011-07-08 06:17:00 +02:00
|
|
|
->appendChild($author_child)
|
2011-01-23 03:33:00 +01:00
|
|
|
->appendChild(
|
|
|
|
id(new AphrontFormStaticControl())
|
|
|
|
->setLabel('Created')
|
|
|
|
->setName('created')
|
Use phabricator_ time functions in more places
Summary:
Replace some more date() calls with locale-aware calls.
Also, at least on my system, the DateTimeZone / DateTime stuff didn't actually
work and always rendered in UTC. Fixed that.
Test Plan:
Viewed daemon console, differential revisions, files, and maniphest timestamps
in multiple timezones.
Reviewed By: toulouse
Reviewers: toulouse, fratrik, jungejason, aran, tuomaspelkonen
CC: aran, toulouse
Differential Revision: 530
2011-06-26 18:22:52 +02:00
|
|
|
->setValue(phabricator_datetime($file->getDateCreated(), $user)))
|
2011-01-23 03:33:00 +01:00
|
|
|
->appendChild(
|
|
|
|
id(new AphrontFormStaticControl())
|
|
|
|
->setLabel('Mime Type')
|
|
|
|
->setName('mime')
|
|
|
|
->setValue($file->getMimeType()))
|
|
|
|
->appendChild(
|
|
|
|
id(new AphrontFormStaticControl())
|
|
|
|
->setLabel('Size')
|
|
|
|
->setName('size')
|
|
|
|
->setValue($file->getByteSize().' bytes'))
|
|
|
|
->appendChild(
|
|
|
|
id(new AphrontFormStaticControl())
|
|
|
|
->setLabel('Engine')
|
|
|
|
->setName('storageEngine')
|
|
|
|
->setValue($file->getStorageEngine()))
|
|
|
|
->appendChild(
|
|
|
|
id(new AphrontFormStaticControl())
|
|
|
|
->setLabel('Format')
|
|
|
|
->setName('storageFormat')
|
|
|
|
->setValue($file->getStorageFormat()))
|
|
|
|
->appendChild(
|
|
|
|
id(new AphrontFormStaticControl())
|
|
|
|
->setLabel('Handle')
|
|
|
|
->setName('storageHandle')
|
|
|
|
->setValue($file->getStorageHandle()))
|
|
|
|
->appendChild(
|
2012-01-16 22:26:44 +01:00
|
|
|
id($submit));
|
2011-01-23 03:33:00 +01:00
|
|
|
|
|
|
|
$panel = new AphrontPanelView();
|
|
|
|
$panel->setHeader('File Info - '.$file->getName());
|
|
|
|
|
|
|
|
$panel->appendChild($form);
|
|
|
|
$panel->setWidth(AphrontPanelView::WIDTH_FORM);
|
|
|
|
|
2012-01-16 15:54:08 +01:00
|
|
|
$xform_panel = null;
|
2011-05-22 23:40:51 +02:00
|
|
|
|
|
|
|
$transformations = id(new PhabricatorTransformedFile())->loadAllWhere(
|
|
|
|
'originalPHID = %s',
|
|
|
|
$file->getPHID());
|
2012-01-16 15:54:08 +01:00
|
|
|
if ($transformations) {
|
|
|
|
$transformed_phids = mpull($transformations, 'getTransformedPHID');
|
|
|
|
$transformed_files = id(new PhabricatorFile())->loadAllWhere(
|
|
|
|
'phid in (%Ls)',
|
|
|
|
$transformed_phids);
|
|
|
|
$transformed_map = mpull($transformed_files, null, 'getPHID');
|
|
|
|
|
|
|
|
$rows = array();
|
|
|
|
foreach ($transformations as $transformed) {
|
|
|
|
$phid = $transformed->getTransformedPHID();
|
|
|
|
$rows[] = array(
|
|
|
|
phutil_escape_html($transformed->getTransform()),
|
|
|
|
phutil_render_tag(
|
|
|
|
'a',
|
|
|
|
array(
|
|
|
|
'href' => $transformed_map[$phid]->getBestURI(),
|
|
|
|
),
|
|
|
|
$phid));
|
|
|
|
}
|
2011-05-22 23:40:51 +02:00
|
|
|
|
2012-01-16 15:54:08 +01:00
|
|
|
$table = new AphrontTableView($rows);
|
|
|
|
$table->setHeaders(
|
|
|
|
array(
|
|
|
|
'Transform',
|
|
|
|
'File',
|
|
|
|
));
|
|
|
|
|
|
|
|
$xform_panel = new AphrontPanelView();
|
|
|
|
$xform_panel->appendChild($table);
|
|
|
|
$xform_panel->setWidth(AphrontPanelView::WIDTH_FORM);
|
|
|
|
$xform_panel->setHeader('Transformations');
|
|
|
|
}
|
2011-05-22 23:40:51 +02:00
|
|
|
|
2011-01-23 03:33:00 +01:00
|
|
|
return $this->buildStandardPageResponse(
|
2011-05-22 23:40:51 +02:00
|
|
|
array($panel, $xform_panel),
|
2011-01-23 03:33:00 +01:00
|
|
|
array(
|
|
|
|
'title' => 'File Info - '.$file->getName(),
|
|
|
|
));
|
|
|
|
}
|
|
|
|
}
|