public function run($request)
{
$shareTokens = ShareToken::get();
$removeCount = 0;
foreach ($shareTokens as $token) {
if ($token->isExpired()) {
$token->delete();
$removeCount++;
}
}
echo "Removed {$removeCount} expired share tokens.\n";
}
/**
* Upload new media.
*
* @return string standard json envelope
*/
public function upload()
{
$httpObj = new Http();
$attributes = $_REQUEST;
$albums = array();
if (isset($attributes['albums']) && !empty($attributes['albums'])) {
$albums = (array) explode(',', $attributes['albums']);
}
$token = null;
if (isset($attributes['token']) && !empty($attributes['token'])) {
$shareTokenObj = new ShareToken();
$tokenArr = $shareTokenObj->get($attributes['token']);
if (empty($tokenArr) || $tokenArr['type'] != 'upload') {
return $this->forbidden('No permissions with the passed in token', false);
}
$attributes['albums'] = $tokenArr['data'];
$token = $tokenArr['id'];
$attributes['permission'] = '0';
} else {
getAuthentication()->requireAuthentication(array(Permission::create), $albums);
getAuthentication()->requireCrumb();
}
// determine localFile
extract($this->parseMediaFromRequest());
// Get file mimetype by instantiating a photo object
// getMediaType is defined in parent abstract class Media
$photoObj = new Photo();
$mediaType = $photoObj->getMediaType($localFile);
// Invoke type-specific
switch ($mediaType) {
case Media::typePhoto:
return $this->api->invoke("/{$this->apiVersion}/photo/upload.json", EpiRoute::httpPost);
case Media::typeVideo:
return $this->api->invoke("/{$this->apiVersion}/video/upload.json", EpiRoute::httpPost);
}
return $this->error('Unsupported media type', false);
}
/**
* @param SS_HTTPRequest $request
*
* @return string|HTMLText
*/
public function preview(SS_HTTPRequest $request)
{
$key = $request->param('Key');
$token = $request->param('Token');
/**
* @var ShareToken $shareToken
*/
$shareToken = ShareToken::get()->filter('token', $token)->first();
if (!$shareToken) {
return $this->errorPage();
}
$page = Versioned::get_one_by_stage('SiteTree', 'Stage', sprintf('"SiteTree"."ID" = \'%d\'', $shareToken->PageID));
$latest = Versioned::get_latest_version('SiteTree', $shareToken->PageID);
$controller = $this->getControllerFor($page);
if (!$shareToken->isExpired() && $page->generateKey($shareToken->Token) === $key) {
Requirements::css(SHAREDRAFTCONTENT_DIR . '/css/top-bar.css');
// Temporarily un-secure the draft site and switch to draft
$oldSecured = Session::get('unsecuredDraftSite');
$oldMode = Versioned::get_reading_mode();
$restore = function () use($oldSecured, $oldMode) {
Session::set('unsecuredDraftSite', $oldSecured);
Versioned::set_reading_mode($oldMode);
};
// Process page inside an unsecured draft container
try {
Session::set('unsecuredDraftSite', true);
Versioned::reading_stage('Stage');
// Create mock request; Simplify request to single top level reqest
$pageRequest = new SS_HTTPRequest('GET', $page->URLSegment);
$pageRequest->match('$URLSegment//$Action/$ID/$OtherID', true);
$rendered = $controller->handleRequest($pageRequest, $this->model);
// Render draft heading
$data = new ArrayData(array('Page' => $page, 'Latest' => $latest));
$include = (string) $data->renderWith('Includes/TopBar');
} catch (Exception $ex) {
$restore();
throw $ex;
}
$restore();
return str_replace('</body>', $include . '</body>', (string) $rendered->getBody());
} else {
return $this->errorPage();
}
}
/**
* @return ShareToken
*/
protected function getNewShareToken()
{
if (!$this->owner->ShareTokenSalt) {
$this->owner->ShareTokenSalt = $this->getNewToken();
$this->owner->write();
}
$found = null;
$token = null;
$tries = 1;
$limit = 5;
while (!$found && $tries++ < $limit) {
$token = $this->getNewToken();
$found = ShareToken::get()->filter(array("Token" => $token, "PageID" => $this->owner->ID))->first();
}
$config = Config::inst()->forClass('ShareDraftContentSiteTreeExtension');
$validForDays = $config->valid_for_days;
$token = ShareToken::create(array("Token" => $token, "ValidForDays" => $validForDays, "PageID" => $this->owner->ID));
$token->write();
return $token;
}
protected function parseFilters($filterOpts)
{
// If the user is logged in then we can display photos based on group membership
$shareTokenObj = new ShareToken();
$token = null;
$permission = 0;
if ($this->user->isAdmin()) {
$permission = 1;
}
// This section enables in path parameters which are normally GET
$pageSize = $this->config->pagination->photos;
$filters = array('sortBy' => 'dateTaken,desc');
if ($filterOpts !== null) {
$filterOpts = (array) explode('/', $filterOpts);
foreach ($filterOpts as $value) {
$dashPosition = strpos($value, '-');
if (!$dashPosition) {
continue;
}
$parameterKey = substr($value, 0, $dashPosition);
$parameterValue = substr($value, $dashPosition + 1);
switch ($parameterKey) {
case 'pageSize':
$pageSize = intval($parameterValue);
break;
case 'sortBy':
$sortOptions = (array) explode(',', $value);
if (count($sortOptions) != 2 || preg_match('/[^a-zA-Z0-9,]/', $parameterValue)) {
continue;
}
$filters[$parameterKey] = $parameterValue;
break;
case 'token':
$token = $shareTokenObj->get($parameterValue);
break;
default:
$filters[$parameterKey] = $parameterValue;
break;
}
}
}
// merge path parameters with GET parameters. GET parameters override
if (isset($_GET['pageSize']) && intval($_GET['pageSize']) == $_GET['pageSize']) {
$pageSize = intval($_GET['pageSize']);
}
$filters = array_merge($filters, $_GET);
$page = 1;
if (isset($filters['page'])) {
$page = $filters['page'];
}
$protocol = $this->utility->getProtocol(false);
if (isset($filters['protocol'])) {
$protocol = $filters['protocol'];
}
if ($token !== null) {
if ($token !== false) {
switch ($token['type']) {
// if it's a token album then we make sure it's an album page by
// checking $filters['album']. this works because even on a photo
// detail page we might be in an album context
// we don't do this for a single photo because it could lead to
// inadvertently leaking an entire album by passing a album token
// but looking at a random photo (that might not belong to the album.
// in this case the only protection is next/previous but the details
// are leaked
case 'album':
if (isset($filters['album']) && $filters['album'] == $token['data']) {
$permission = 1;
}
// set permission to be pubilc for this request
break;
}
}
}
if ($permission == 0) {
$filters['permission'] = $permission;
}
return array('filters' => $filters, 'token' => $token, 'pageSize' => $pageSize, 'protocol' => $protocol, 'page' => $page);
}
