示例#1
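/**
 * Checks an uploaded file against the constraints configured for it.
 *
 * Every constraint is optional and is skipped when absent or empty. The first
 * check that fails answers the request through final_response() with the
 * matching status code (415, 413 or 406).
 *
 * NOTE(review): no check is followed by a return, so this presumably relies on
 * final_response() ending the request -- confirm.
 *
 * NOTE(review): the 'validator' entry names a file to include and a callback
 * to run. It must only ever come from server-side configuration, never from
 * request data -- verify against the code that builds $constraints.
 *
 * @param array $constraints may hold 'mime_types', 'extensions', 'max_size'
 *                           and 'validator' (two-element list: include path,
 *                           callback)
 * @param object $file the uploaded file; must provide mime_type_matches(),
 *                     get_filename() and get_size()
 * @return void
 */
function check_constraints($constraints, $file) {
	if (!empty($constraints['mime_types'])) {
		if (!$file->mime_type_matches($constraints['mime_types'])) {
			final_response(415, "File is not of an allowed type.");
		}
	}
	if (!empty($constraints['extensions'])) {
		// pathinfo() yields '' for a name without a dot, so a file called
		// just "jpg" no longer counts as having the extension "jpg".
		$extension = strtolower(pathinfo($file->get_filename(), PATHINFO_EXTENSION));
		// Strict comparison: with loose matching, a non-string entry in the
		// allow-list (for example 0 on older PHP) would accept any extension.
		if (!in_array($extension, $constraints['extensions'], true)) {
			final_response(415, "File is not of an allowed type.");
		}
	}
	if (!empty($constraints['max_size'])) {
		if ($file->get_size() > (int) $constraints['max_size']) {
			final_response(413, "File is unacceptably large.");
		}
	}
	if (!empty($constraints['validator'])) {
		// The include path gets its own variable. Reusing $file here would
		// overwrite the upload, and the callback would then be handed the
		// path string instead of the file it is meant to validate.
		list($validator_include, $callback) = $constraints['validator'];
		reason_include_once($validator_include);
		if (!call_user_func($callback, $file)) {
			final_response(406, "Invalid or unacceptable file uploaded.");
		}
	}
}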
示例#2
    $reason_session->start($_REQUEST['reason_sid']);
} else {
    $reason_session->start();
}
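// upload_sid arrives from the client. Only a plain string is accepted, so an
// array value (upload_sid[]=...) is treated as missing instead of reaching the
// session lookup or the error text below.
$upload_sid = (isset($_REQUEST['upload_sid']) && is_string($_REQUEST['upload_sid']))
    ? $_REQUEST['upload_sid']
    : null;
$session = _get_async_upload_session($upload_sid);
if (!$session) {
    if (empty($upload_sid)) {
        final_response(400, "Upload session (upload_sid) not provided.");
    } else {
        // NOTE(review): the client-supplied ID is echoed back in this message.
        // Confirm that final_response() sends it as plain text or escapes it
        // for the response's content type.
        final_response(400, "No upload session with ID " . $upload_sid);
    }
}
// Permission check: the request goes no further unless can_upload() accepts
// this upload session.
// NOTE(review): this presumably relies on final_response() ending the request;
// otherwise can_upload() would also run with a missing session -- confirm.
if (!can_upload($session)) {
    final_response(403, "Permission denied.");
}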
function can_upload($session)
{
    if ($session['authenticator']) {
        $auth = $session['authenticator'];
        $reason_session =& get_reason_session();
        $username = $reason_session->get("username");
        if (isset($_REQUEST['user_id']) && !empty($_REQUEST['user_id'])) {
            $username = $reason_session->get('username');
            $param_cleanup_rules = array('user_id' => array('function' => 'turn_into_int', 'extra_args' => array('zero_to_null' => 'true')));
            $cleanRequest = array_merge($_REQUEST, carl_clean_vars($_REQUEST, $param_cleanup_rules));
            $nametag = $cleanRequest['user_id'];
            $id = get_user_id($username);
            if (reason_user_has_privs($id, 'pose_as_other_user')) {
                $user = new Entity($nametag);
示例#3
/**
 * Handles removing files that were uploaded asynchronously.
 *
 * @package reason
 * @subpackage scripts
 * @since Reason 4.0 beta 8
 * @author Eric Naeseth <*****@*****.**>
 */
require 'common.inc.php';
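// Both fields come from the client and are used as array keys below, so
// anything other than a plain string (for example name[]=...) is rejected
// before it can be used as an offset.
if (empty($_POST['name']) || !isset($_POST['index'])
    || !is_string($_POST['name']) || !is_string($_POST['index'])) {
    final_response(400, "Invalid file removal request.");
}
$name = $_POST['name'];
// $session, $upload_sid and $reason_session are not defined in this script;
// presumably common.inc.php sets them up and has already run its permission
// check by this point -- confirm.
if (empty($session['files'][$name])) {
    final_response(404, "No files have been uploaded with that name.");
}
$index = $_POST['index'];
if (empty($session['files'][$name][$index])) {
    final_response(404, "No file has been uploaded with that index.");
}
$info = $session['files'][$name][$index];
// The paths deleted here are read from the stored upload session entry; the
// request only selects which entry, it never supplies a path. Deletion is
// best-effort: a file that is already gone must not fail the request, hence
// the suppressed unlink() errors.
foreach (array('path', 'original_path') as $path_key) {
    if (!empty($info[$path_key])) {
        @unlink($info[$path_key]);
    }
}
// Drop the entry and write the session back so the removed file cannot be
// referenced again.
unset($session['files'][$name][$index]);
$reason_session->set(_async_upload_session_key($upload_sid), $session);
final_response(200, "File removed.");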