From fee2841910a599b74ccc70ac10af4b0c924fb2a9 Mon Sep 17 00:00:00 2001
From: Andy Heathershaw
Date: Sun, 10 Sep 2017 15:25:59 +0100
Subject: [PATCH] #2: Added an intermediate step to the quick-post/upload feature that validates the request

---
 .../Controllers/Admin/DefaultController.php | 31 +++++++++++++++++++
 app/Http/Middleware/GlobalConfiguration.php | 11 +++++++
 resources/lang/en/admin.php | 4 +++
 .../base/partials/quick_upload.blade.php | 4 +--
 routes/web.php | 1 +
 5 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/app/Http/Controllers/Admin/DefaultController.php b/app/Http/Controllers/Admin/DefaultController.php
index 16fdd9c..cc6eb8a 100644
--- a/app/Http/Controllers/Admin/DefaultController.php
+++ b/app/Http/Controllers/Admin/DefaultController.php
@@ -9,6 +9,7 @@ use App\Facade\UserConfig;
 use App\Group;
 use App\Helpers\ConfigHelper;
 use App\Helpers\DbHelper;
+use App\Helpers\MiscHelper;
 use App\Http\Controllers\Controller;
 use App\Http\Requests\SaveSettingsRequest;
 use App\Label;
@@ -56,6 +57,36 @@ class DefaultController extends Controller
 ]);
 }
 
+ public function quickUpload(Request $request)
+ {
+ $this->authorizeAccessToAdminPanel('admin:manage-albums');
+
+ $returnUrl = $request->headers->get('referer');
+ if (!MiscHelper::isSafeUrl($returnUrl))
+ {
+ $returnUrl = route('home');
+ }
+
+ // Pre-validate the upload before passing to the Photos controller
+ $files = $request->files->get('photo');
+ if (!is_array($files) || count($files) == 0)
+ {
+ $request->session()->flash('error', trans('admin.quick_upload.no_image_provided'));
+ return redirect($returnUrl);
+ }
+
+ $albumID = $request->get('album_id');
+ if (intval($albumID) == 0)
+ {
+ $request->session()->flash('error', trans('admin.quick_upload.no_album_selected'));
+ return redirect($returnUrl);
+ }
+
+ /** @var PhotoController $photoController */
+ $photoController = app(PhotoController::class);
+ return $photoController->store($request);
+ }
+
 public function saveSettings(SaveSettingsRequest $request)
 {
 $this->authorizeAccessToAdminPanel('admin:configure');
diff --git a/app/Http/Middleware/GlobalConfiguration.php b/app/Http/Middleware/GlobalConfiguration.php
index 869863a..f324a9a 100644
--- a/app/Http/Middleware/GlobalConfiguration.php
+++ b/app/Http/Middleware/GlobalConfiguration.php
@@ -51,6 +51,7 @@ class GlobalConfiguration
 $this->addThemeInfoToView();
 $this->addAlbumsToView();
 $this->addLabelsToView();
+ $this->addFlashMessages();
 }
 
 // Set the default mail configuration as per user's requirements
@@ -68,6 +69,16 @@ class GlobalConfiguration
 View::share('g_albums_upload', $albumsToUpload);
 }
 
+ private function addFlashMessages()
+ {
+ /** @var Request $request */
+ $request = app('request');
+ if ($request->session()->has('error'))
+ {
+ View::share('error', $request->session()->get('error'));
+ }
+ }
+
 private function addLabelsToView()
 {
 $NUMBER_TO_SHOW_IN_NAVBAR = 5;
diff --git a/resources/lang/en/admin.php b/resources/lang/en/admin.php
index 3d39cff..3f912a8 100644
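Review bot: The album check `if (intval($albumID) == 0)` in quickUpload only rejects values that coerce to zero, so a malformed value such as `'5abc'` passes pre-validation and is handed to `PhotoController::store` unchanged; `if (filter_var($albumID, FILTER_VALIDATE_INT) === false || (int) $albumID === 0)` makes the intent explicit, and `count($files) === 0` is the strict form of the file check a few lines above. The redirect target is taken from the Referer header, so protection against sending the user off-site rests entirely on `MiscHelper::isSafeUrl`, which is not in this diff — it has to cope with a missing header (null) and reject absolute URLs to other hosts for this to be safe, so worth confirming. Invoking `$photoController->store($request)` directly also skips whatever route middleware and FormRequest injection the photo store route declares; if `store` is typed to a FormRequest, passing the base `Request` bypasses its rules, and its signature is not visible here. Note too that `$request->files->get('photo')` returns a single `UploadedFile` rather than an array when the form field is named `photo` instead of `photo[]`, in which case the `is_array` guard would reject a valid single upload — the form markup in this patch is not legible.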
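Review bot: addFlashMessages resolves the request from the container with `app('request')` although this middleware's `handle()` (outside the hunk) already receives the current request; threading it through as a parameter, `private function addFlashMessages(Request $request)`, removes the service-locator lookup and keeps the helper unit-testable. `$request->session()` throws when no session store has been attached to the request, so this middleware must be ordered after the session middleware in the kernel — not visible in this diff, but the call runs unconditionally on every request, so the ordering is worth checking. `View::share('error', …)` also publishes the message under a very generic global name; any view that defines its own `$error` will collide with it, and a prefixed name in the style of the `g_albums_upload` share a few lines above would avoid that.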
--- a/resources/lang/en/admin.php
+++ b/resources/lang/en/admin.php
@@ -146,6 +146,10 @@ return [
 'rotate_left' => 'Rotate left',
 'rotate_right' => 'Rotate right'
 ],
+ 'quick_upload' => [
+ 'no_album_selected' => 'Please select an album to upload your photo(s) into.',
+ 'no_image_provided' => 'Please select one or more images to upload.'
+ ],
 'redirects_heading' => 'Redirects',
 'redirects_actions_heading' => 'Actions',
 'redirects_source_url_heading' => 'Source Address',
diff --git a/resources/views/themes/base/partials/quick_upload.blade.php b/resources/views/themes/base/partials/quick_upload.blade.php
index 6e2503e..9039091 100644
--- a/resources/views/themes/base/partials/quick_upload.blade.php
+++ b/resources/views/themes/base/partials/quick_upload.blade.php
@@ -1,4 +1,4 @@
-
+ {{ csrf_field() }}
diff --git a/routes/web.php b/routes/web.php
index f74304c..317d6e2 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -16,6 +16,7 @@ Auth::routes();
 // Administration
 Route::group(['prefix' => 'admin'], function () {
 Route::get('/', 'Admin\DefaultController@index')->name('admin');
+ Route::post('quick-upload', 'Admin\DefaultController@quickUpload')->name('admin.quickUpload');
 Route::post('settings/save', 'Admin\DefaultController@saveSettings')->name('admin.saveSettings');
 Route::post('settings/test-email', 'Admin\DefaultController@testMailSettings')->name('admin.testMailSettings');
 Route::get('settings', 'Admin\DefaultController@settings')->name('admin.settings');
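Review bot: The new `quick-upload` POST route joins a group that, in the lines shown, carries only `'prefix' => 'admin'` and no middleware, so the only access control on the upload path is the `authorizeAccessToAdminPanel` call inside the controller action. If no parent group applies `auth` (not visible here; the group closure also continues past the hunk), declaring it on the group, `Route::group(['prefix' => 'admin', 'middleware' => 'auth'], function () {`, rejects unauthenticated requests before any controller code or file handling runs, which is the safer default for an endpoint that accepts uploads.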