Individual photo page now takes notice of private albums and doesn't allow the access to be circumvented

2016-09-09 17:08:35 +01:00 · 2016-09-09 17:08:35 +01:00 · 7a59ac03fd
commit 7a59ac03fd
parent 3ed309ec01
2 changed files with 58 additions and 19 deletions
--- a/app/Http/Controllers/Gallery/PhotoController.php
+++ b/app/Http/Controllers/Gallery/PhotoController.php
@ -4,6 +4,7 @@ namespace App\Http\Controllers\Gallery;

 use App\Album;
 use App\Facade\Theme;
+use App\Helpers\DbHelper;
 use app\Http\Controllers\Admin\AlbumController;
 use App\Http\Controllers\Controller;
 use App\Photo;
@ -14,10 +15,17 @@ class PhotoController extends Controller
 {
    public function download(Request $request, $albumUrlAlias, $photoFilename)
    {
-        $album = PhotoController::loadAlbumByAlias($albumUrlAlias);
+        $album = DbHelper::loadAlbumByUrlAlias($albumUrlAlias);
+        if (is_null($album))
+        {
+            App::abort(404);
+            return null;
+        }
+        $this->authorize('album.view', $album);
+
        $albumSource = $album->getAlbumSource();

-        $thumbnail = $request->get('t', $albumSource->getOriginalsFolder());
+        $thumbnail = $request->get('t');
        $photo = PhotoController::loadPhotoByAlbumAndFilename($album, $photoFilename);

        return response()->file($albumSource->getPathToPhoto($photo, $thumbnail));
@ -25,29 +33,21 @@ class PhotoController extends Controller

    public function show($albumUrlAlias, $photoFilename)
    {
-        $album = PhotoController::loadAlbumByAlias($albumUrlAlias);
-        $photo = PhotoController::loadPhotoByAlbumAndFilename($album, $photoFilename);
-
-        return Theme::render('gallery.photo', [
-            'album' => $album,
-            'photo' => $photo
-        ]);
-    }
-
-    /**
-     * @param $id
-     * @return Album
-     */
-    public static function loadAlbumByAlias($alias)
-    {
-        $album = Album::where('url_alias', $alias)->first();
+        $album = DbHelper::loadAlbumByUrlAlias($albumUrlAlias);
        if (is_null($album))
        {
            App::abort(404);
            return null;
        }

-        return $album;
+        $this->authorize('album.view', $album);
+
+        $photo = PhotoController::loadPhotoByAlbumAndFilename($album, $photoFilename);
+
+        return Theme::render('gallery.photo', [
+            'album' => $album,
+            'photo' => $photo
+        ]);
    }

    /**
--- a/database/migrations/2016_09_09_155655_add_album_privacy_column.php
+++ b/database/migrations/2016_09_09_155655_add_album_privacy_column.php
@ -0,0 +1,39 @@
+<?php
+
+use Illuminate\Support\Facades\Schema;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Database\Migrations\Migration;
+
+class AddAlbumPrivacyColumn extends Migration
+{
+    /**
+     * Run the migrations.
+     *
+     * @return void
+     */
+    public function up()
+    {
+        Schema::table('albums', function (Blueprint $table) {
+            $table->boolean('is_private');
+            $table->unsignedInteger('user_id');
+
+            $table->foreign('user_id')
+                ->references('id')->on('users')
+                ->onDelete('no action');
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     *
+     * @return void
+     */
+    public function down()
+    {
+        Schema::table('albums', function (Blueprint $table) {
+            $table->dropForeign('albums_user_id_foreign');
+            $table->dropColumn('user_id');
+            $table->dropColumn('is_private');
+        });
+    }
+}