#2: Added an intermediate step to the quick-post/upload feature that validates the request

This commit is contained in:
Andy Heathershaw 2017-09-10 15:25:59 +01:00
parent 544d3c5153
commit fee2841910
5 changed files with 49 additions and 2 deletions


@ -9,6 +9,7 @@ use App\Facade\UserConfig;
use App\Group;
use App\Helpers\ConfigHelper;
use App\Helpers\DbHelper;
use App\Helpers\MiscHelper;
use App\Http\Controllers\Controller;
use App\Http\Requests\SaveSettingsRequest;
use App\Label;
@ -56,6 +57,36 @@ class DefaultController extends Controller
]);
}
public function quickUpload(Request $request)
{
$this->authorizeAccessToAdminPanel('admin:manage-albums');
$returnUrl = $request->headers->get('referer');
if (!MiscHelper::isSafeUrl($returnUrl))
{
$returnUrl = route('home');
}
// Pre-validate the upload before passing to the Photos controller
$files = $request->files->get('photo');
if (!is_array($files) || count($files) == 0)
{
$request->session()->flash('error', trans('admin.quick_upload.no_image_provided'));
return redirect($returnUrl);
}
$albumID = $request->get('album_id');
if (intval($albumID) == 0)
{
$request->session()->flash('error', trans('admin.quick_upload.no_album_selected'));
return redirect($returnUrl);
}
/** @var PhotoController $photoController */
$photoController = app(PhotoController::class);
return $photoController->store($request);
}
public function saveSettings(SaveSettingsRequest $request)
{
$this->authorizeAccessToAdminPanel('admin:configure');
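Review bot: The pre-check `if (!is_array($files) || count($files) == 0)` can pass with no real file attached: when the form posts `photo[]` and the user leaves the input empty, Symfony's FileBag represents the UPLOAD_ERR_NO_FILE entry as `null`, so `$files` is `[null]` and its count is 1 (inferred from the request layer, not visible in this hunk). Filtering down to actual uploads makes the check match the message it flashes: `$files = array_filter((array) $request->files->get('photo', []));` followed by `if ($files === [])`. The album check at `if (intval($albumID) == 0)` uses loose comparison and accepts negative ids; `if ((int) $albumID <= 0)` is stricter, and a comment stating that album existence and upload permission are left to PhotoController::store (presumably the case) would make the split of responsibility explicit. quickUpload fits entirely within the hunk; saveSettings continues outside it.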


@ -51,6 +51,7 @@ class GlobalConfiguration
$this->addThemeInfoToView();
$this->addAlbumsToView();
$this->addLabelsToView();
$this->addFlashMessages();
}
// Set the default mail configuration as per user's requirements
@ -68,6 +69,16 @@ class GlobalConfiguration
View::share('g_albums_upload', $albumsToUpload);
}
private function addFlashMessages()
{
/** @var Request $request */
$request = app('request');
if ($request->session()->has('error'))
{
View::share('error', $request->session()->get('error'));
}
}
private function addLabelsToView()
{
$NUMBER_TO_SHOW_IN_NAVBAR = 5;
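Review bot: `addFlashMessages` calls `$request->session()` unconditionally; in Laravel that accessor throws when no session store is attached to the request (requests that bypass the session middleware), so if GlobalConfiguration also runs for such requests this turns them into a 500 rather than a missing banner. Guarding with `if ($request->hasSession() && $request->session()->has('error'))` preserves the behaviour for ordinary web requests and degrades quietly otherwise. The flash key `'error'` is also a bare string repeated in DefaultController::quickUpload and is exposed to every view as `$error`, which may collide with views that already define that variable; a shared constant for the key and a more specific view name would make the contract explicit. addLabelsToView continues outside the hunk.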


@ -146,6 +146,10 @@ return [
'rotate_left' => 'Rotate left',
'rotate_right' => 'Rotate right'
],
'quick_upload' => [
'no_album_selected' => 'Please select an album to upload your photo(s) into.',
'no_image_provided' => 'Please select one or more images to upload.'
],
'redirects_heading' => 'Redirects',
'redirects_actions_heading' => 'Actions',
'redirects_source_url_heading' => 'Source Address',


@ -1,4 +1,4 @@
<form method="POST" action="{{ route('photos.store') }}" enctype="multipart/form-data">
<form method="POST" action="{{ route('admin.quickUpload') }}" enctype="multipart/form-data">
{{ csrf_field() }}
<input type="hidden" name="queue_token" value="{{ Misc::randomString() }}"/>
<div class="modal" id="quick-upload-modal">
@ -30,7 +30,7 @@
</div>
<div class="modal-footer">
<button type="button" class="btn btn-link" data-dismiss="modal">@lang('forms.cancel_action')</button>
<button type="submit" class="btn btn-success" onclick="this.disabled = true;"><i class="fa fa-upload"></i> @lang('forms.upload_action')</button>
<button type="submit" class="btn btn-success"><i class="fa fa-upload"></i> @lang('forms.upload_action')</button>
</div>
</div>
</div>
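Review bot: Dropping `onclick="this.disabled = true;"` from the submit button means a double-click now posts the form twice with the same `queue_token`, which the old markup prevented. If the guard was removed because disabling a submit button inside its own click handler can cancel the submission in some browsers, the same protection without that side effect is to disable the button from the form's `submit` event instead, e.g. `onsubmit="this.querySelector('button[type=submit]').disabled = true;"` on the `<form>` element. A short template comment on why the guard moved would stop the next reader from reinstating the click handler.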


@ -16,6 +16,7 @@ Auth::routes();
// Administration
Route::group(['prefix' => 'admin'], function () {
Route::get('/', 'Admin\DefaultController@index')->name('admin');
Route::post('quick-upload', 'Admin\DefaultController@quickUpload')->name('admin.quickUpload');
Route::post('settings/save', 'Admin\DefaultController@saveSettings')->name('admin.saveSettings');
Route::post('settings/test-email', 'Admin\DefaultController@testMailSettings')->name('admin.testMailSettings');
Route::get('settings', 'Admin\DefaultController@settings')->name('admin.settings');
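Review bot: The new `quick-upload` route sits in a group that declares only `'prefix' => 'admin'`, so any authentication or admin middleware is either applied elsewhere or absent (not visible here); the only guard shown for this route is the `authorizeAccessToAdminPanel` call inside the controller. Declaring the middleware on the group, or with `->middleware(...)` on this route, keeps the access decision visible where the routes are read and does not depend on every new action remembering to call the helper. If the group is already wrapped by middleware defined outside this hunk, a one-line comment on the group saying so would save the next reader the search.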