Individual photo page now takes notice of private albums and doesn't allow the access to be circumvented

Andy Heathershaw 2016-09-09 17:08:35 +01:00
parent 3ed309ec01
commit 7a59ac03fd
2 changed files with 58 additions and 19 deletions


@ -4,6 +4,7 @@ namespace App\Http\Controllers\Gallery;
use App\Album; use App\Album;
use App\Facade\Theme; use App\Facade\Theme;
use App\Helpers\DbHelper;
use app\Http\Controllers\Admin\AlbumController; use app\Http\Controllers\Admin\AlbumController;
use App\Http\Controllers\Controller; use App\Http\Controllers\Controller;
use App\Photo; use App\Photo;
@ -14,10 +15,17 @@ class PhotoController extends Controller
{ {
public function download(Request $request, $albumUrlAlias, $photoFilename) public function download(Request $request, $albumUrlAlias, $photoFilename)
{ {
$album = PhotoController::loadAlbumByAlias($albumUrlAlias); $album = DbHelper::loadAlbumByUrlAlias($albumUrlAlias);
if (is_null($album))
{
App::abort(404);
return null;
}
$this->authorize('album.view', $album);
$albumSource = $album->getAlbumSource(); $albumSource = $album->getAlbumSource();
$thumbnail = $request->get('t', $albumSource->getOriginalsFolder()); $thumbnail = $request->get('t');
$photo = PhotoController::loadPhotoByAlbumAndFilename($album, $photoFilename); $photo = PhotoController::loadPhotoByAlbumAndFilename($album, $photoFilename);
return response()->file($albumSource->getPathToPhoto($photo, $thumbnail)); return response()->file($albumSource->getPathToPhoto($photo, $thumbnail));
@ -25,29 +33,21 @@ class PhotoController extends Controller
public function show($albumUrlAlias, $photoFilename) public function show($albumUrlAlias, $photoFilename)
{ {
$album = PhotoController::loadAlbumByAlias($albumUrlAlias); $album = DbHelper::loadAlbumByUrlAlias($albumUrlAlias);
$photo = PhotoController::loadPhotoByAlbumAndFilename($album, $photoFilename);
return Theme::render('gallery.photo', [
'album' => $album,
'photo' => $photo
]);
}
/**
* @param $id
* @return Album
*/
public static function loadAlbumByAlias($alias)
{
$album = Album::where('url_alias', $alias)->first();
if (is_null($album)) if (is_null($album))
{ {
App::abort(404); App::abort(404);
return null; return null;
} }
return $album; $this->authorize('album.view', $album);
$photo = PhotoController::loadPhotoByAlbumAndFilename($album, $photoFilename);
return Theme::render('gallery.photo', [
'album' => $album,
'photo' => $photo
]);
} }
/** /**
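Review bot: In `download()`, the `t` query parameter is read unvalidated (`$thumbnail = $request->get('t');`) and passed to `$albumSource->getPathToPhoto($photo, $thumbnail)`, whose result is served by `response()->file()`, so the new `album.view` check guards the album but not the path component the client supplies. `getPathToPhoto` is not visible here; if it uses `$thumbnail` as a folder name, check the value against the known thumbnail names first, e.g. `if (!is_null($thumbnail) && !in_array($thumbnail, $allowedThumbnailNames, true)) { App::abort(404); }`, where `$allowedThumbnailNames` is a placeholder for the configured list. Separately, `return null;` after `App::abort(404);` in both `download()` and `show()` looks unreachable, since Laravel's abort throws, and could be dropped. The class body continues outside the hunk, so any other actions that load an album or photo may need the same `authorize` call.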


@ -0,0 +1,39 @@
<?php
use Illuminate\Support\Facades\Schema;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Database\Migrations\Migration;
class AddAlbumPrivacyColumn extends Migration
{
/**
* Run the migrations.
*
* @return void
*/
public function up()
{
Schema::table('albums', function (Blueprint $table) {
$table->boolean('is_private');
$table->unsignedInteger('user_id');
$table->foreign('user_id')
->references('id')->on('users')
->onDelete('no action');
});
}
/**
* Reverse the migrations.
*
* @return void
*/
public function down()
{
Schema::table('albums', function (Blueprint $table) {
$table->dropForeign('albums_user_id_foreign');
$table->dropColumn('user_id');
$table->dropColumn('is_private');
});
}
}
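Review bot: In `up()`, `user_id` is added as a non-nullable column with no default and is constrained by a foreign key to `users.id` in the same call, so on a database that already holds albums the existing rows have no valid owner and the constraint will probably fail or leave ownership undefined. `is_private` likewise has no explicit default, so the visibility of existing albums depends on the database's implicit value rather than on a stated choice. I would write `$table->boolean('is_private')->default(false);` and `$table->unsignedInteger('user_id')->nullable();`, then backfill owners before tightening the column. The `album.view` policy is not shown here; if it reads these columns, the chosen defaults decide who can see albums created before the migration, which deserves a comment above the schema change.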