# HG changeset patch
# User Matti Hamalainen
# Date 1416862090 -7200
# Node ID debad9461b00f20f9201a7b82318a4cba6fe8cee
# Parent fc555d954b9907efd54a8729164219ac418fef4f
Add stHandleGenericFileUpload().

diff -r fc555d954b99 -r debad9461b00 msite.inc.php
--- a/msite.inc.php Mon Nov 24 22:43:22 2014 +0200
+++ b/msite.inc.php Mon Nov 24 22:48:10 2014 +0200
@@ -1088,6 +1088,118 @@
 }
+//
+// File upload handling
+//
+function stHandleGenericFileUpload($userID)
+{
+ global $errorSet;
+
+ // Check basics
+ if (!stChkRequestItem("type", $uploadType,
+ array(CHK_TYPE, VT_STR, "Invalid upload type."),
+ array(CHK_ARRAY, VT_STR, array("entry", "preview"), "Invalid upload type.") ||
+ !stChkRequestItem("entry_id", $entryID,
+ array(CHK_TYPE, VT_INT, "Invalid entry ID."))
+ return FALSE;
+
+ // Check entry existence
+ if (($entry = stFetchSQL("SELECT * FROM entries WHERE id=".$entryID)) === false)
+ return stError("Entry ID #".$entryID." does not exist??");
+
+ if (($compo = stFetchSQL("SELECT * FROM compos WHERE id=".$entry["compo_id"])) === false)
+ return stError("Compo ID does not exist??");
+
+ // Check permissions for non-admins
+ if ($userID != 0)
+ {
+ // Check if the user even exists, just in case
+ if (($user = stFetchSQL("SELECT * FROM attendees WHERE id=".$userID) === false)
+ return stError("User ID #".$userID." does not exist??");
+
+ if ($entry["owner_id"] != $userID)
+ return stError("Attempted to upload file to entry not owned by user.");
+ }
+
+ // Check file status data
+ $fileEntry = $uploadType."Upload";
+ $maxFileSize = stGetSetting($uploadType."MaxSize");
+ $fileSize = $_FILES[$fileEntry]["size"];
+ if ($fileSize > $maxFileSize)
+ stError("File size ".$fileSize." exceeds FAPWeb's size of ".$maxFileSize." bytes for ".$uploadType." uploads.");
+
+ if ($fileSize < 128)
+ stError("File size ".$fileSize." is less than 128 bytes. 
This can't be right.");
+
+ switch ($_FILES[$fileEntry]["error"])
+ {
+ case UPLOAD_ERR_INI_SIZE:
+ stError("File size exceeds PHP's max upload size.");
+ break;
+
+ case UPLOAD_ERR_PARTIAL:
+ stError("File only partially uploaded.");
+ break;
+
+ case UPLOAD_ERR_NO_FILE:
+ stError("No file data received!");
+ break;
+
+ case UPLOAD_ERR_NO_TMP_DIR:
+ stError("Internal error: Temporary file directory not available!");
+ break;
+
+ case UPLOAD_ERR_CANT_WRITE:
+ stError("Internal error: PHP could not write the file to disk.");
+ break;
+
+ case UPLOAD_ERR_OK:
+ break;
+
+ default:
+ stError("Unknown PHP file error occured.");
+ break;
+ }
+
+ if ($errorSet)
+ return FALSE;
+
+
+ // Check file properties ..
+ $tmpFilename = $_FILES[$fileEntry]["tmp_name"];
+ if (($fileInfo = stProbeFileInfo($tmpFilename)) === false)
+ return FALSE;
+
+ if ($uploadType == "preview" && !isset($fileInfo["type"]))
+ return stError("Preview file upload is not one of the supported preview file types.");
+
+ // Add file entry
+ if (!stAddFileEntry($_FILES[$fileEntry]["name"], $fileSize, $userID, $uploadType, $entry, $fileID))
+ return FALSE;
+
+ // Set rest of the data ..
+ if (!stSetFileEntryFilename($fileID, $uploadType, $entry, $fileInfo["fext"], $fileInfo["id"], $filename))
+ return FALSE;
+
+ // Set permissions before moving the file
+ if (chmod($tmpFilename, stGetSetting($uploadType."PathPerms")) === false)
+ {
+ error_log("Could not set permissions for uploaded file '".$tmpFilename."'.\n");
+ return stError("Could not set permissions for uploaded file.");
+ }
+
+ // Move file to its destination
+ $fullFile = stMakePath(FALSE, FALSE, array(stGetSetting($uploadType."Path"), $compo["cpath"], $filename);
+ if (@move_uploaded_file($tmpFilename, $fullFile) === false)
+ {
+ error_log("Could not move uploaded file '".$tmpFilename."' to '".$fullFile."'.\n");
+ return stError("Deploying uploaded file failed.");
+ }
+
+ return TRUE;
+}
+
+
 // Get link helper function
 function stGetMainPageLink($id, $name, $show = TRUE)
 {
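Review bot: The "Check basics" condition at the top of stHandleGenericFileUpload is unbalanced — the first `stChkRequestItem` call is never closed before the `||`, so the second call ends up inside its argument list and the file will not parse; the CHK_ARRAY line should read `array(CHK_ARRAY, VT_STR, array("entry", "preview"), "Invalid upload type.")) ||`. The attendee lookup under `if ($userID != 0)` is also missing a closing parenthesis and puts `=== false` inside the assignment, so `$user` would receive a boolean rather than the row; it should mirror the entry lookup above it: `if (($user = stFetchSQL("SELECT * FROM attendees WHERE id=".$userID)) === false)`. Separately, the entries/compos/attendees queries are assembled by string concatenation; `$entryID` is declared VT_INT, but unless `stChkRequestItem` also casts the value (not visible in this hunk), an explicit `intval($entryID)` or the project's parameterised query helper would keep the lookup safe by construction rather than by the validator's behaviour. Finally, `$_FILES[$fileEntry]["size"]` and `["error"]` are read without an `isset()` guard, so a request that omits the file field raises undefined-index notices and falls through to the `default:` branch instead of reporting a missing file.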