/**
* Handle S3 request
*
* Permission-checking provided by items()
*/
private function _handleFileRequest($item)
{
if (!$this->permissions->canAccess($this->objectLibraryID, 'files')) {
$this->e403();
}
$this->allowMethods(array('HEAD', 'GET', 'POST', 'PATCH'));
if (!$item->isAttachment()) {
$this->e400("Item is not an attachment");
}
// File info for 4.0 client sync
//
// Use of HEAD method was discontinued after 2.0.8/2.1b1 due to
// compatibility problems with proxies and security software
if ($this->method == 'GET' && $this->fileMode == 'info') {
$info = Zotero_Storage::getLocalFileItemInfo($item);
if (!$info) {
$this->e404();
}
StatsD::increment("storage.info", 1);
/*
header("Last-Modified: " . gmdate('r', $info['uploaded']));
header("Content-Type: " . $info['type']);
*/
header("Content-Length: " . $info['size']);
header("ETag: " . $info['hash']);
header("X-Zotero-Filename: " . $info['filename']);
header("X-Zotero-Modification-Time: " . $info['mtime']);
header("X-Zotero-Compressed: " . ($info['zip'] ? 'Yes' : 'No'));
header_remove("X-Powered-By");
$this->end();
} else {
if ($this->method == 'GET') {
$info = Zotero_Storage::getLocalFileItemInfo($item);
if (!$info) {
$this->e404();
}
// File viewing
if ($this->fileView) {
$url = Zotero_Attachments::getTemporaryURL($item, !empty($_GET['int']));
if (!$url) {
$this->e500();
}
StatsD::increment("storage.view", 1);
$this->redirect($url);
exit;
}
// File download
$url = Zotero_Storage::getDownloadURL($item, 60);
if (!$url) {
$this->e404();
}
// Provide some headers to let 5.0 client skip download
header("Zotero-File-Modification-Time: {$info['mtime']}");
header("Zotero-File-MD5: {$info['hash']}");
header("Zotero-File-Size: {$info['size']}");
header("Zotero-File-Compressed: " . ($info['zip'] ? 'Yes' : 'No'));
StatsD::increment("storage.download", 1);
Zotero_Storage::logDownload($item, $this->userID, IPAddress::getIP());
$this->redirect($url);
exit;
} else {
if ($this->method == 'POST' || $this->method == 'PATCH') {
if (!$item->isImportedAttachment()) {
$this->e400("Cannot upload file for linked file/URL attachment item");
}
$libraryID = $item->libraryID;
$type = Zotero_Libraries::getType($libraryID);
if ($type == 'group') {
$groupID = Zotero_Groups::getGroupIDFromLibraryID($libraryID);
$group = Zotero_Groups::get($groupID);
if (!$group->userCanEditFiles($this->userID)) {
$this->e403("You do not have file editing access");
}
} else {
$group = null;
}
// If not the client, require If-Match or If-None-Match
if (!$this->httpAuth) {
if (empty($_SERVER['HTTP_IF_MATCH']) && empty($_SERVER['HTTP_IF_NONE_MATCH'])) {
$this->e428("If-Match/If-None-Match header not provided");
}
if (!empty($_SERVER['HTTP_IF_MATCH'])) {
if (!preg_match('/^"?([a-f0-9]{32})"?$/', $_SERVER['HTTP_IF_MATCH'], $matches)) {
$this->e400("Invalid ETag in If-Match header");
}
if (!$item->attachmentStorageHash) {
$this->e412("ETag set but file does not exist");
}
if ($item->attachmentStorageHash != $matches[1]) {
$this->libraryVersion = $item->version;
$this->libraryVersionOnFailure = true;
$this->e412("ETag does not match current version of file");
}
} else {
if ($_SERVER['HTTP_IF_NONE_MATCH'] != "*") {
$this->e400("Invalid value for If-None-Match header");
}
if (Zotero_Storage::getLocalFileItemInfo($item)) {
$this->libraryVersion = $item->version;
$this->libraryVersionOnFailure = true;
$this->e412("If-None-Match: * set but file exists");
}
}
}
//
// Upload authorization
//
if (!isset($_POST['update']) && !isset($_REQUEST['upload'])) {
$info = new Zotero_StorageFileInfo();
// Validate upload metadata
if (empty($_REQUEST['md5'])) {
$this->e400('MD5 hash not provided');
}
if (!preg_match('/[abcdefg0-9]{32}/', $_REQUEST['md5'])) {
$this->e400('Invalid MD5 hash');
}
if (!isset($_REQUEST['filename']) || $_REQUEST['filename'] === "") {
$this->e400('Filename not provided');
}
// Multi-file upload
//
// For ZIP files, the filename and hash of the ZIP file are different from those
// of the main file. We use the former for S3, and we store the latter in the
// upload log to set the attachment metadata with them on file registration.
if (!empty($_REQUEST['zipMD5'])) {
if (!preg_match('/[abcdefg0-9]{32}/', $_REQUEST['zipMD5'])) {
$this->e400('Invalid ZIP MD5 hash');
}
if (empty($_REQUEST['zipFilename'])) {
$this->e400('ZIP filename not provided');
}
$info->zip = true;
$info->hash = $_REQUEST['zipMD5'];
$info->filename = $_REQUEST['zipFilename'];
$info->itemFilename = $_REQUEST['filename'];
$info->itemHash = $_REQUEST['md5'];
} else {
if (!empty($_REQUEST['zipFilename'])) {
$this->e400('ZIP MD5 hash not provided');
} else {
$info->zip = !empty($_REQUEST['zip']);
$info->filename = $_REQUEST['filename'];
$info->hash = $_REQUEST['md5'];
}
}
if (empty($_REQUEST['mtime'])) {
$this->e400('File modification time not provided');
}
$info->mtime = $_REQUEST['mtime'];
if (!isset($_REQUEST['filesize'])) {
$this->e400('File size not provided');
}
$info->size = $_REQUEST['filesize'];
if (!is_numeric($info->size)) {
$this->e400("Invalid file size");
}
$info->contentType = isset($_REQUEST['contentType']) ? $_REQUEST['contentType'] : null;
if (!preg_match("/^[a-zA-Z0-9\\-\\/]+\$/", $info->contentType)) {
$info->contentType = null;
}
$info->charset = isset($_REQUEST['charset']) ? $_REQUEST['charset'] : null;
if (!preg_match("/^[a-zA-Z0-9\\-]+\$/", $info->charset)) {
$info->charset = null;
}
$contentTypeHeader = $info->contentType . ($info->contentType && $info->charset ? "; charset=" . $info->charset : "");
// Reject file if it would put account over quota
if ($group) {
$quota = Zotero_Storage::getEffectiveUserQuota($group->ownerUserID);
$usage = Zotero_Storage::getUserUsage($group->ownerUserID);
} else {
$quota = Zotero_Storage::getEffectiveUserQuota($this->objectUserID);
$usage = Zotero_Storage::getUserUsage($this->objectUserID);
}
$total = $usage['total'];
$fileSizeMB = round($info->size / 1024 / 1024, 1);
if ($total + $fileSizeMB > $quota) {
StatsD::increment("storage.upload.quota", 1);
$this->e413("File would exceed quota ({$total} + {$fileSizeMB} > {$quota})");
}
Zotero_DB::query("SET TRANSACTION ISOLATION LEVEL SERIALIZABLE");
Zotero_DB::beginTransaction();
// See if file exists with this filename
$localInfo = Zotero_Storage::getLocalFileInfo($info);
if ($localInfo) {
$storageFileID = $localInfo['storageFileID'];
// Verify file size
if ($localInfo['size'] != $info->size) {
throw new Exception("Specified file size incorrect for existing file " . $info->hash . "/" . $info->filename . " ({$localInfo['size']} != {$info->size})");
}
} else {
$oldStorageFileID = Zotero_Storage::getFileByHash($info->hash, $info->zip);
if ($oldStorageFileID) {
// Verify file size
$localInfo = Zotero_Storage::getFileInfoByID($oldStorageFileID);
if ($localInfo['size'] != $info->size) {
throw new Exception("Specified file size incorrect for duplicated file " . $info->hash . "/" . $info->filename . " ({$localInfo['size']} != {$info->size})");
}
// Create new file on S3 with new name
$storageFileID = Zotero_Storage::duplicateFile($oldStorageFileID, $info->filename, $info->zip, $contentTypeHeader);
}
}
// If we already have a file, add/update storageFileItems row and stop
if (!empty($storageFileID)) {
Zotero_Storage::updateFileItemInfo($item, $storageFileID, $info, $this->httpAuth);
Zotero_DB::commit();
StatsD::increment("storage.upload.existing", 1);
if ($this->httpAuth) {
$this->queryParams['format'] = null;
header('Content-Type: application/xml');
echo "<exists/>";
} else {
$this->queryParams['format'] = null;
header('Content-Type: application/json');
$this->libraryVersion = $item->version;
echo json_encode(array('exists' => 1));
}
$this->end();
}
Zotero_DB::commit();
// Add request to upload queue
$uploadKey = Zotero_Storage::queueUpload($this->userID, $info);
// User over queue limit
if (!$uploadKey) {
header('Retry-After: ' . Zotero_Storage::$uploadQueueTimeout);
if ($this->httpAuth) {
$this->e413("Too many queued uploads");
} else {
$this->e429("Too many queued uploads");
}
}
StatsD::increment("storage.upload.new", 1);
// Output XML for client requests (which use HTTP Auth)
if ($this->httpAuth) {
$params = Zotero_Storage::generateUploadPOSTParams($item, $info, true);
$this->queryParams['format'] = null;
header('Content-Type: application/xml');
$xml = new SimpleXMLElement('<upload/>');
$xml->url = Zotero_Storage::getUploadBaseURL();
$xml->key = $uploadKey;
foreach ($params as $key => $val) {
$xml->params->{$key} = $val;
}
echo $xml->asXML();
} else {
if (!empty($_REQUEST['params']) && $_REQUEST['params'] == "1") {
$params = array("url" => Zotero_Storage::getUploadBaseURL(), "params" => array());
foreach (Zotero_Storage::generateUploadPOSTParams($item, $info) as $key => $val) {
$params['params'][$key] = $val;
}
} else {
$params = Zotero_Storage::getUploadPOSTData($item, $info);
}
$params['uploadKey'] = $uploadKey;
$this->queryParams['format'] = null;
header('Content-Type: application/json');
echo json_encode($params);
}
exit;
}
//
// API partial upload and post-upload file registration
//
if (isset($_REQUEST['upload'])) {
$uploadKey = $_REQUEST['upload'];
if (!$uploadKey) {
$this->e400("Upload key not provided");
}
$info = Zotero_Storage::getUploadInfo($uploadKey);
if (!$info) {
$this->e400("Upload key not found");
}
// Partial upload
if ($this->method == 'PATCH') {
if (empty($_REQUEST['algorithm'])) {
throw new Exception("Algorithm not specified", Z_ERROR_INVALID_INPUT);
}
$storageFileID = Zotero_Storage::patchFile($item, $info, $_REQUEST['algorithm'], $this->body);
} else {
$remoteInfo = Zotero_Storage::getRemoteFileInfo($info);
if (!$remoteInfo) {
error_log("Remote file {$info->hash}/{$info->filename} not found");
$this->e400("Remote file not found");
}
if ($remoteInfo->size != $info->size) {
error_log("Uploaded file size does not match " . "({$remoteInfo->size} != {$info->size}) " . "for file {$info->hash}/{$info->filename}");
}
}
// Set an automatic shared lock in getLocalFileInfo() to prevent
// two simultaneous transactions from adding a file
Zotero_DB::query("SET TRANSACTION ISOLATION LEVEL SERIALIZABLE");
Zotero_DB::beginTransaction();
if (!isset($storageFileID)) {
// Check if file already exists, which can happen if two identical
// files are uploaded simultaneously
$fileInfo = Zotero_Storage::getLocalFileInfo($info);
if ($fileInfo) {
$storageFileID = $fileInfo['storageFileID'];
} else {
$storageFileID = Zotero_Storage::addFile($info);
}
}
Zotero_Storage::updateFileItemInfo($item, $storageFileID, $info);
Zotero_Storage::logUpload($this->userID, $item, $uploadKey, IPAddress::getIP());
Zotero_DB::commit();
header("HTTP/1.1 204 No Content");
header("Last-Modified-Version: " . $item->version);
exit;
}
//
// Client post-upload file registration
//
if (isset($_POST['update'])) {
$this->allowMethods(array('POST'));
if (empty($_POST['mtime'])) {
throw new Exception('File modification time not provided');
}
$uploadKey = $_POST['update'];
$info = Zotero_Storage::getUploadInfo($uploadKey);
if (!$info) {
$this->e400("Upload key not found");
}
$remoteInfo = Zotero_Storage::getRemoteFileInfo($info);
if (!$remoteInfo) {
$this->e400("Remote file not found");
}
if (!isset($info->size)) {
throw new Exception("Size information not available");
}
$info->mtime = $_POST['mtime'];
// Set an automatic shared lock in getLocalFileInfo() to prevent
// two simultaneous transactions from adding a file
Zotero_DB::query("SET TRANSACTION ISOLATION LEVEL SERIALIZABLE");
Zotero_DB::beginTransaction();
// Check if file already exists, which can happen if two identical
// files are uploaded simultaneously
$fileInfo = Zotero_Storage::getLocalFileInfo($info);
if ($fileInfo) {
$storageFileID = $fileInfo['storageFileID'];
} else {
$storageFileID = Zotero_Storage::addFile($info);
}
Zotero_Storage::updateFileItemInfo($item, $storageFileID, $info, true);
Zotero_Storage::logUpload($this->userID, $item, $uploadKey, IPAddress::getIP());
Zotero_DB::commit();
header("HTTP/1.1 204 No Content");
exit;
}
throw new Exception("Invalid request", Z_ERROR_INVALID_INPUT);
}
}
}
exit;
}
