Esempio n. 1
0
 /**
  * Handle S3 request
  *
  * Permission-checking provided by items()
  */
 private function _handleFileRequest($item)
 {
     if (!$this->permissions->canAccess($this->objectLibraryID, 'files')) {
         $this->e403();
     }
     $this->allowMethods(array('HEAD', 'GET', 'POST', 'PATCH'));
     if (!$item->isAttachment()) {
         $this->e400("Item is not an attachment");
     }
     // File info for 4.0 client sync
     //
     // Use of HEAD method was discontinued after 2.0.8/2.1b1 due to
     // compatibility problems with proxies and security software
     if ($this->method == 'GET' && $this->fileMode == 'info') {
         $info = Zotero_Storage::getLocalFileItemInfo($item);
         if (!$info) {
             $this->e404();
         }
         StatsD::increment("storage.info", 1);
         /*
         header("Last-Modified: " . gmdate('r', $info['uploaded']));
         header("Content-Type: " . $info['type']);
         */
         header("Content-Length: " . $info['size']);
         header("ETag: " . $info['hash']);
         header("X-Zotero-Filename: " . $info['filename']);
         header("X-Zotero-Modification-Time: " . $info['mtime']);
         header("X-Zotero-Compressed: " . ($info['zip'] ? 'Yes' : 'No'));
         header_remove("X-Powered-By");
         $this->end();
     } else {
         if ($this->method == 'GET') {
             $info = Zotero_Storage::getLocalFileItemInfo($item);
             if (!$info) {
                 $this->e404();
             }
             // File viewing
             if ($this->fileView) {
                 $url = Zotero_Attachments::getTemporaryURL($item, !empty($_GET['int']));
                 if (!$url) {
                     $this->e500();
                 }
                 StatsD::increment("storage.view", 1);
                 $this->redirect($url);
                 exit;
             }
             // File download
             $url = Zotero_Storage::getDownloadURL($item, 60);
             if (!$url) {
                 $this->e404();
             }
             // Provide some headers to let 5.0 client skip download
             header("Zotero-File-Modification-Time: {$info['mtime']}");
             header("Zotero-File-MD5: {$info['hash']}");
             header("Zotero-File-Size: {$info['size']}");
             header("Zotero-File-Compressed: " . ($info['zip'] ? 'Yes' : 'No'));
             StatsD::increment("storage.download", 1);
             Zotero_Storage::logDownload($item, $this->userID, IPAddress::getIP());
             $this->redirect($url);
             exit;
         } else {
             if ($this->method == 'POST' || $this->method == 'PATCH') {
                 if (!$item->isImportedAttachment()) {
                     $this->e400("Cannot upload file for linked file/URL attachment item");
                 }
                 $libraryID = $item->libraryID;
                 $type = Zotero_Libraries::getType($libraryID);
                 if ($type == 'group') {
                     $groupID = Zotero_Groups::getGroupIDFromLibraryID($libraryID);
                     $group = Zotero_Groups::get($groupID);
                     if (!$group->userCanEditFiles($this->userID)) {
                         $this->e403("You do not have file editing access");
                     }
                 } else {
                     $group = null;
                 }
                 // If not the client, require If-Match or If-None-Match
                 if (!$this->httpAuth) {
                     if (empty($_SERVER['HTTP_IF_MATCH']) && empty($_SERVER['HTTP_IF_NONE_MATCH'])) {
                         $this->e428("If-Match/If-None-Match header not provided");
                     }
                     if (!empty($_SERVER['HTTP_IF_MATCH'])) {
                         if (!preg_match('/^"?([a-f0-9]{32})"?$/', $_SERVER['HTTP_IF_MATCH'], $matches)) {
                             $this->e400("Invalid ETag in If-Match header");
                         }
                         if (!$item->attachmentStorageHash) {
                             $this->e412("ETag set but file does not exist");
                         }
                         if ($item->attachmentStorageHash != $matches[1]) {
                             $this->libraryVersion = $item->version;
                             $this->libraryVersionOnFailure = true;
                             $this->e412("ETag does not match current version of file");
                         }
                     } else {
                         if ($_SERVER['HTTP_IF_NONE_MATCH'] != "*") {
                             $this->e400("Invalid value for If-None-Match header");
                         }
                         if (Zotero_Storage::getLocalFileItemInfo($item)) {
                             $this->libraryVersion = $item->version;
                             $this->libraryVersionOnFailure = true;
                             $this->e412("If-None-Match: * set but file exists");
                         }
                     }
                 }
                 //
                 // Upload authorization
                 //
                 if (!isset($_POST['update']) && !isset($_REQUEST['upload'])) {
                     $info = new Zotero_StorageFileInfo();
                     // Validate upload metadata
                     if (empty($_REQUEST['md5'])) {
                         $this->e400('MD5 hash not provided');
                     }
                     if (!preg_match('/[abcdefg0-9]{32}/', $_REQUEST['md5'])) {
                         $this->e400('Invalid MD5 hash');
                     }
                     if (!isset($_REQUEST['filename']) || $_REQUEST['filename'] === "") {
                         $this->e400('Filename not provided');
                     }
                     // Multi-file upload
                     //
                     // For ZIP files, the filename and hash of the ZIP file are different from those
                     // of the main file. We use the former for S3, and we store the latter in the
                     // upload log to set the attachment metadata with them on file registration.
                     if (!empty($_REQUEST['zipMD5'])) {
                         if (!preg_match('/[abcdefg0-9]{32}/', $_REQUEST['zipMD5'])) {
                             $this->e400('Invalid ZIP MD5 hash');
                         }
                         if (empty($_REQUEST['zipFilename'])) {
                             $this->e400('ZIP filename not provided');
                         }
                         $info->zip = true;
                         $info->hash = $_REQUEST['zipMD5'];
                         $info->filename = $_REQUEST['zipFilename'];
                         $info->itemFilename = $_REQUEST['filename'];
                         $info->itemHash = $_REQUEST['md5'];
                     } else {
                         if (!empty($_REQUEST['zipFilename'])) {
                             $this->e400('ZIP MD5 hash not provided');
                         } else {
                             $info->zip = !empty($_REQUEST['zip']);
                             $info->filename = $_REQUEST['filename'];
                             $info->hash = $_REQUEST['md5'];
                         }
                     }
                     if (empty($_REQUEST['mtime'])) {
                         $this->e400('File modification time not provided');
                     }
                     $info->mtime = $_REQUEST['mtime'];
                     if (!isset($_REQUEST['filesize'])) {
                         $this->e400('File size not provided');
                     }
                     $info->size = $_REQUEST['filesize'];
                     if (!is_numeric($info->size)) {
                         $this->e400("Invalid file size");
                     }
                     $info->contentType = isset($_REQUEST['contentType']) ? $_REQUEST['contentType'] : null;
                     if (!preg_match("/^[a-zA-Z0-9\\-\\/]+\$/", $info->contentType)) {
                         $info->contentType = null;
                     }
                     $info->charset = isset($_REQUEST['charset']) ? $_REQUEST['charset'] : null;
                     if (!preg_match("/^[a-zA-Z0-9\\-]+\$/", $info->charset)) {
                         $info->charset = null;
                     }
                     $contentTypeHeader = $info->contentType . ($info->contentType && $info->charset ? "; charset=" . $info->charset : "");
                     // Reject file if it would put account over quota
                     if ($group) {
                         $quota = Zotero_Storage::getEffectiveUserQuota($group->ownerUserID);
                         $usage = Zotero_Storage::getUserUsage($group->ownerUserID);
                     } else {
                         $quota = Zotero_Storage::getEffectiveUserQuota($this->objectUserID);
                         $usage = Zotero_Storage::getUserUsage($this->objectUserID);
                     }
                     $total = $usage['total'];
                     $fileSizeMB = round($info->size / 1024 / 1024, 1);
                     if ($total + $fileSizeMB > $quota) {
                         StatsD::increment("storage.upload.quota", 1);
                         $this->e413("File would exceed quota ({$total} + {$fileSizeMB} > {$quota})");
                     }
                     Zotero_DB::query("SET TRANSACTION ISOLATION LEVEL SERIALIZABLE");
                     Zotero_DB::beginTransaction();
                     // See if file exists with this filename
                     $localInfo = Zotero_Storage::getLocalFileInfo($info);
                     if ($localInfo) {
                         $storageFileID = $localInfo['storageFileID'];
                         // Verify file size
                         if ($localInfo['size'] != $info->size) {
                             throw new Exception("Specified file size incorrect for existing file " . $info->hash . "/" . $info->filename . " ({$localInfo['size']} != {$info->size})");
                         }
                     } else {
                         $oldStorageFileID = Zotero_Storage::getFileByHash($info->hash, $info->zip);
                         if ($oldStorageFileID) {
                             // Verify file size
                             $localInfo = Zotero_Storage::getFileInfoByID($oldStorageFileID);
                             if ($localInfo['size'] != $info->size) {
                                 throw new Exception("Specified file size incorrect for duplicated file " . $info->hash . "/" . $info->filename . " ({$localInfo['size']} != {$info->size})");
                             }
                             // Create new file on S3 with new name
                             $storageFileID = Zotero_Storage::duplicateFile($oldStorageFileID, $info->filename, $info->zip, $contentTypeHeader);
                         }
                     }
                     // If we already have a file, add/update storageFileItems row and stop
                     if (!empty($storageFileID)) {
                         Zotero_Storage::updateFileItemInfo($item, $storageFileID, $info, $this->httpAuth);
                         Zotero_DB::commit();
                         StatsD::increment("storage.upload.existing", 1);
                         if ($this->httpAuth) {
                             $this->queryParams['format'] = null;
                             header('Content-Type: application/xml');
                             echo "<exists/>";
                         } else {
                             $this->queryParams['format'] = null;
                             header('Content-Type: application/json');
                             $this->libraryVersion = $item->version;
                             echo json_encode(array('exists' => 1));
                         }
                         $this->end();
                     }
                     Zotero_DB::commit();
                     // Add request to upload queue
                     $uploadKey = Zotero_Storage::queueUpload($this->userID, $info);
                     // User over queue limit
                     if (!$uploadKey) {
                         header('Retry-After: ' . Zotero_Storage::$uploadQueueTimeout);
                         if ($this->httpAuth) {
                             $this->e413("Too many queued uploads");
                         } else {
                             $this->e429("Too many queued uploads");
                         }
                     }
                     StatsD::increment("storage.upload.new", 1);
                     // Output XML for client requests (which use HTTP Auth)
                     if ($this->httpAuth) {
                         $params = Zotero_Storage::generateUploadPOSTParams($item, $info, true);
                         $this->queryParams['format'] = null;
                         header('Content-Type: application/xml');
                         $xml = new SimpleXMLElement('<upload/>');
                         $xml->url = Zotero_Storage::getUploadBaseURL();
                         $xml->key = $uploadKey;
                         foreach ($params as $key => $val) {
                             $xml->params->{$key} = $val;
                         }
                         echo $xml->asXML();
                     } else {
                         if (!empty($_REQUEST['params']) && $_REQUEST['params'] == "1") {
                             $params = array("url" => Zotero_Storage::getUploadBaseURL(), "params" => array());
                             foreach (Zotero_Storage::generateUploadPOSTParams($item, $info) as $key => $val) {
                                 $params['params'][$key] = $val;
                             }
                         } else {
                             $params = Zotero_Storage::getUploadPOSTData($item, $info);
                         }
                         $params['uploadKey'] = $uploadKey;
                         $this->queryParams['format'] = null;
                         header('Content-Type: application/json');
                         echo json_encode($params);
                     }
                     exit;
                 }
                 //
                 // API partial upload and post-upload file registration
                 //
                 if (isset($_REQUEST['upload'])) {
                     $uploadKey = $_REQUEST['upload'];
                     if (!$uploadKey) {
                         $this->e400("Upload key not provided");
                     }
                     $info = Zotero_Storage::getUploadInfo($uploadKey);
                     if (!$info) {
                         $this->e400("Upload key not found");
                     }
                     // Partial upload
                     if ($this->method == 'PATCH') {
                         if (empty($_REQUEST['algorithm'])) {
                             throw new Exception("Algorithm not specified", Z_ERROR_INVALID_INPUT);
                         }
                         $storageFileID = Zotero_Storage::patchFile($item, $info, $_REQUEST['algorithm'], $this->body);
                     } else {
                         $remoteInfo = Zotero_Storage::getRemoteFileInfo($info);
                         if (!$remoteInfo) {
                             error_log("Remote file {$info->hash}/{$info->filename} not found");
                             $this->e400("Remote file not found");
                         }
                         if ($remoteInfo->size != $info->size) {
                             error_log("Uploaded file size does not match " . "({$remoteInfo->size} != {$info->size}) " . "for file {$info->hash}/{$info->filename}");
                         }
                     }
                     // Set an automatic shared lock in getLocalFileInfo() to prevent
                     // two simultaneous transactions from adding a file
                     Zotero_DB::query("SET TRANSACTION ISOLATION LEVEL SERIALIZABLE");
                     Zotero_DB::beginTransaction();
                     if (!isset($storageFileID)) {
                         // Check if file already exists, which can happen if two identical
                         // files are uploaded simultaneously
                         $fileInfo = Zotero_Storage::getLocalFileInfo($info);
                         if ($fileInfo) {
                             $storageFileID = $fileInfo['storageFileID'];
                         } else {
                             $storageFileID = Zotero_Storage::addFile($info);
                         }
                     }
                     Zotero_Storage::updateFileItemInfo($item, $storageFileID, $info);
                     Zotero_Storage::logUpload($this->userID, $item, $uploadKey, IPAddress::getIP());
                     Zotero_DB::commit();
                     header("HTTP/1.1 204 No Content");
                     header("Last-Modified-Version: " . $item->version);
                     exit;
                 }
                 //
                 // Client post-upload file registration
                 //
                 if (isset($_POST['update'])) {
                     $this->allowMethods(array('POST'));
                     if (empty($_POST['mtime'])) {
                         throw new Exception('File modification time not provided');
                     }
                     $uploadKey = $_POST['update'];
                     $info = Zotero_Storage::getUploadInfo($uploadKey);
                     if (!$info) {
                         $this->e400("Upload key not found");
                     }
                     $remoteInfo = Zotero_Storage::getRemoteFileInfo($info);
                     if (!$remoteInfo) {
                         $this->e400("Remote file not found");
                     }
                     if (!isset($info->size)) {
                         throw new Exception("Size information not available");
                     }
                     $info->mtime = $_POST['mtime'];
                     // Set an automatic shared lock in getLocalFileInfo() to prevent
                     // two simultaneous transactions from adding a file
                     Zotero_DB::query("SET TRANSACTION ISOLATION LEVEL SERIALIZABLE");
                     Zotero_DB::beginTransaction();
                     // Check if file already exists, which can happen if two identical
                     // files are uploaded simultaneously
                     $fileInfo = Zotero_Storage::getLocalFileInfo($info);
                     if ($fileInfo) {
                         $storageFileID = $fileInfo['storageFileID'];
                     } else {
                         $storageFileID = Zotero_Storage::addFile($info);
                     }
                     Zotero_Storage::updateFileItemInfo($item, $storageFileID, $info, true);
                     Zotero_Storage::logUpload($this->userID, $item, $uploadKey, IPAddress::getIP());
                     Zotero_DB::commit();
                     header("HTTP/1.1 204 No Content");
                     exit;
                 }
                 throw new Exception("Invalid request", Z_ERROR_INVALID_INPUT);
             }
         }
     }
     exit;
 }