phorge-phorge/src/applications/files/controller/PhabricatorFileDropUploadController.php

<?php

final class PhabricatorFileDropUploadController
  extends PhabricatorFileController {

  /**
   * @phutil-external-symbol class PhabricatorStartup
   */
  public function processRequest() {
    $request = $this->getRequest();
    $user = $request->getUser();

    // NOTE: Throws if valid CSRF token is not present in the request.
    $request->validateCSRF();

    $data = PhabricatorStartup::getRawInput();
    $name = $request->getStr('name');

    $file = PhabricatorFile::newFromXHRUpload(
      $data,
      array(
        'name' => $request->getStr('name'),
        'authorPHID' => $user->getPHID(),
        'isExplicitUpload' => true,
      ));

    return id(new AphrontAjaxResponse())->setContent(
      array(
        'id'   => $file->getID(),
        'phid' => $file->getPHID(),
        'uri'  => $file->getBestURI(),
      ));
  }

}
Drag-and-drop upload for Maniphest Summary: This needs a bunch of UI polish (critically, it's totally undiscoverable) but it basically works correctly. I'll clean it up in some followups. Test Plan: Uploaded some files via drag-and-drop, made comments, etc. Reviewed By: aran Reviewers: tomo, aran, jungejason, tuomaspelkonen CC: anjali, aran Differential Revision: 332 2011-05-22 20:55:10 +02:00			`<?php`

Add "final" to all Phabricator "Controller" classes Summary: These are all unambiguously unextensible. Issues I hit: - Maniphest Change/Diff controllers, just consolidated them. - Some search controllers incorrectly extend from "Search" but should extend from "SearchBase". This has no runtime effects. - D1836 introduced a closure, which we don't handle correctly (somewhat on purpose; we target PHP 5.2). See T962. Test Plan: Ran "testEverythingImplemented" unit test to identify classes extending from `final` classes. Resolved issues. Reviewers: btrahan Reviewed By: btrahan CC: aran, epriestley Maniphest Tasks: T795 Differential Revision: https://secure.phabricator.com/D1843 2012-03-10 00:46:25 +01:00			`final class PhabricatorFileDropUploadController`
			`extends PhabricatorFileController {`
Drag-and-drop upload for Maniphest Summary: This needs a bunch of UI polish (critically, it's totally undiscoverable) but it basically works correctly. I'll clean it up in some followups. Test Plan: Uploaded some files via drag-and-drop, made comments, etc. Reviewed By: aran Reviewers: tomo, aran, jungejason, tuomaspelkonen CC: anjali, aran Differential Revision: 332 2011-05-22 20:55:10 +02:00
Implement PhutilRequest parser #2 Summary: D6278 kind of got closed and commited, this is the actual direction. Ref T3432 Depends on D6277 Test Plan: Keep using the site Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, mbishopim3 Maniphest Tasks: T3432 Differential Revision: https://secure.phabricator.com/D6283 2013-06-24 17:21:42 +02:00			`/**`
			`* @phutil-external-symbol class PhabricatorStartup`
			`*/`
Drag-and-drop upload for Maniphest Summary: This needs a bunch of UI polish (critically, it's totally undiscoverable) but it basically works correctly. I'll clean it up in some followups. Test Plan: Uploaded some files via drag-and-drop, made comments, etc. Reviewed By: aran Reviewers: tomo, aran, jungejason, tuomaspelkonen CC: anjali, aran Differential Revision: 332 2011-05-22 20:55:10 +02:00			`public function processRequest() {`
			`$request = $this->getRequest();`
Drag-drop file upload. Summary: - have files be uploaded by drag+drop instead of browse. - Files are named by their uploaded filename, the user isn't given a chance to enter a file name. Is this bad? - Store author PHID now with files - Allow an ?author=<username> to limit the /files/ list by author. - If one file is uploaded, the user is taken to its info page. - If several are uploaded, they are taken to a list of their files. Test Plan: - Quickly tested everything and it still worked, I'd recommend some people try this out before it gets committed though. It's a rather huge revision. Reviewers: epriestley, Ttech CC: Differential Revision: 612 2011-07-08 06:17:00 +02:00			`$user = $request->getUser();`
Drag-and-drop upload for Maniphest Summary: This needs a bunch of UI polish (critically, it's totally undiscoverable) but it basically works correctly. I'll clean it up in some followups. Test Plan: Uploaded some files via drag-and-drop, made comments, etc. Reviewed By: aran Reviewers: tomo, aran, jungejason, tuomaspelkonen CC: anjali, aran Differential Revision: 332 2011-05-22 20:55:10 +02:00
Prevent CSRF uploads via /file/dropupload/ Summary: We don't currently validate CSRF tokens on this workflow. This allows an attacker to upload arbitrary files on the user's behalf. Although I believe the tight list of servable mime-types means that's more or less the end of the attack, this is still a vulnerability. In the long term, the right solution is probably to pass CSRF tokens on all Ajax requests in an HTTP header (or just a GET param) or something like that. However, this endpoint is unique and this is the quickest and most direct way to close the hole. Test Plan: - Drop-uploaded files to Files, Maniphest, Phriction and Differential. - Modified CSRF vaidator to use __csrf__.'x' and verified uploads and form submissions don't work. Reviewers: andrewjcg, aran, jungejason, tuomaspelkonen, erling Commenters: andrewjcg, pedram CC: aran, epriestley, andrewjcg, pedram Differential Revision: 758 2011-08-02 05:23:01 +02:00			`// NOTE: Throws if valid CSRF token is not present in the request.`
			`$request->validateCSRF();`

Implement PhutilRequest parser #2 Summary: D6278 kind of got closed and commited, this is the actual direction. Ref T3432 Depends on D6277 Test Plan: Keep using the site Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, mbishopim3 Maniphest Tasks: T3432 Differential Revision: https://secure.phabricator.com/D6283 2013-06-24 17:21:42 +02:00			`$data = PhabricatorStartup::getRawInput();`
Drag-and-drop upload for Maniphest Summary: This needs a bunch of UI polish (critically, it's totally undiscoverable) but it basically works correctly. I'll clean it up in some followups. Test Plan: Uploaded some files via drag-and-drop, made comments, etc. Reviewed By: aran Reviewers: tomo, aran, jungejason, tuomaspelkonen CC: anjali, aran Differential Revision: 332 2011-05-22 20:55:10 +02:00			`$name = $request->getStr('name');`

Enforce upload size limits and transport exceptions with appropriate response encoding Summary: - When a user uploads an oversized file, throw an exception. - When an uncaught exception occurs during a Conduit request, return a Conduit response. - When an uncaught exception occurs during a non-workflow Ajax request, return an Ajax response. Test Plan: - Uploaded overlarge files. - Hit an exception page with ?__ajax__=1 and ?__conduit__=1 Reviewers: btrahan, vrana, jungejason Reviewed By: btrahan CC: aran Maniphest Tasks: T875, T788 Differential Revision: https://secure.phabricator.com/D2385 2012-05-07 15:17:00 +02:00			`$file = PhabricatorFile::newFromXHRUpload(`
Drag-and-drop upload for Maniphest Summary: This needs a bunch of UI polish (critically, it's totally undiscoverable) but it basically works correctly. I'll clean it up in some followups. Test Plan: Uploaded some files via drag-and-drop, made comments, etc. Reviewed By: aran Reviewers: tomo, aran, jungejason, tuomaspelkonen CC: anjali, aran Differential Revision: 332 2011-05-22 20:55:10 +02:00			`$data,`
			`array(`
			`'name' => $request->getStr('name'),`
Drag-drop file upload. Summary: - have files be uploaded by drag+drop instead of browse. - Files are named by their uploaded filename, the user isn't given a chance to enter a file name. Is this bad? - Store author PHID now with files - Allow an ?author=<username> to limit the /files/ list by author. - If one file is uploaded, the user is taken to its info page. - If several are uploaded, they are taken to a list of their files. Test Plan: - Quickly tested everything and it still worked, I'd recommend some people try this out before it gets committed though. It's a rather huge revision. Reviewers: epriestley, Ttech CC: Differential Revision: 612 2011-07-08 06:17:00 +02:00			`'authorPHID' => $user->getPHID(),`
File list now shows only files which are explicitly uploaded Summary: Added explicit tags to files which are explicitly uploaded. Fixes T2749 Test Plan: Tested by checking out the files application. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin Maniphest Tasks: T2749 Differential Revision: https://secure.phabricator.com/D5406 2013-03-22 12:59:50 +01:00			`'isExplicitUpload' => true,`
Drag-and-drop upload for Maniphest Summary: This needs a bunch of UI polish (critically, it's totally undiscoverable) but it basically works correctly. I'll clean it up in some followups. Test Plan: Uploaded some files via drag-and-drop, made comments, etc. Reviewed By: aran Reviewers: tomo, aran, jungejason, tuomaspelkonen CC: anjali, aran Differential Revision: 332 2011-05-22 20:55:10 +02:00			`));`

			`return id(new AphrontAjaxResponse())->setContent(`
			`array(`
Streamline Files interfaces Summary: - There's no way you can figure out the ID of a file right now. Expose that more prominently. - Put the drag-and-drop uploader on the main page so you don't have to click through. - Restore the basic uploader so IE users can theoretically use the suite I guess? Added author info to basic uploader. - Show author information in the table. - Show date information in the table. - Link file names. - Rename table for filter views. - When you upload one file, just jump to it. When you upload multiple files, jump to your uploads and highlight them. - Add an "arc download" hint. Test Plan: Uploaded single files, groups of files, and files via simple uploader. Reviewers: codeblock, jungejason, tuomaspelkonen, aran Commenters: codeblock CC: aran, codeblock, epriestley Differential Revision: 746 2011-07-30 01:01:59 +02:00			`'id' => $file->getID(),`
Drag-and-drop upload for Maniphest Summary: This needs a bunch of UI polish (critically, it's totally undiscoverable) but it basically works correctly. I'll clean it up in some followups. Test Plan: Uploaded some files via drag-and-drop, made comments, etc. Reviewed By: aran Reviewers: tomo, aran, jungejason, tuomaspelkonen CC: anjali, aran Differential Revision: 332 2011-05-22 20:55:10 +02:00			`'phid' => $file->getPHID(),`
Streamline Files interfaces Summary: - There's no way you can figure out the ID of a file right now. Expose that more prominently. - Put the drag-and-drop uploader on the main page so you don't have to click through. - Restore the basic uploader so IE users can theoretically use the suite I guess? Added author info to basic uploader. - Show author information in the table. - Show date information in the table. - Link file names. - Rename table for filter views. - When you upload one file, just jump to it. When you upload multiple files, jump to your uploads and highlight them. - Add an "arc download" hint. Test Plan: Uploaded single files, groups of files, and files via simple uploader. Reviewers: codeblock, jungejason, tuomaspelkonen, aran Commenters: codeblock CC: aran, codeblock, epriestley Differential Revision: 746 2011-07-30 01:01:59 +02:00			`'uri' => $file->getBestURI(),`
Drag-and-drop upload for Maniphest Summary: This needs a bunch of UI polish (critically, it's totally undiscoverable) but it basically works correctly. I'll clean it up in some followups. Test Plan: Uploaded some files via drag-and-drop, made comments, etc. Reviewed By: aran Reviewers: tomo, aran, jungejason, tuomaspelkonen CC: anjali, aran Differential Revision: 332 2011-05-22 20:55:10 +02:00			`));`
			`}`

			`}`