PHP Classes

File: htdocs/ajaxfineupload.php

Recommend this page to a friend!
  Classes of Michael Beck   Xoops 2.5   htdocs/ajaxfineupload.php   Download  
File: htdocs/ajaxfineupload.php
Role: Example script
Content type: text/plain
Description: Example script
Class: Xoops 2.5
Modular content management publication system
Author: By
Last change: Minor fixes
Minor fixes
Fineuploader review

Reviewing fineuploader support for security and operational issues
resulted in the following changes:

- allow fully qualified namespaced autoloading handler name
- require handler to be specified (removed default)
- require allowedMimeTypes property to be set in handlers
- disallow direct use of system fineuploadhandler class (now abstract)
Date: 5 years ago
Size: 5,781 bytes
 

Contents

Class file image Download
<?php

use Xmf\Jwt\TokenReader;

/**
 * PHP Server-Side Example for Fine Uploader (traditional endpoint handler).
 * Maintained by Widen Enterprises.
 *
 * This example:
 * - handles chunked and non-chunked requests
 * - supports the concurrent chunking feature
 * - assumes all upload requests are multipart encoded
 * - supports the delete file feature
 *
 * Follow these steps to get up and running with Fine Uploader in a PHP environment:
 *
 * 1. Setup your client-side code, as documented on http://docs.fineuploader.com.
 *
 * 2. Copy this file and handler.php to your server.
 *
 * 3. Ensure your php.ini file contains appropriate values for
 * max_input_time, upload_max_filesize and post_max_size.
 *
 * 4. Ensure your "chunks" and "files" folders exist and are writable.
 * "chunks" is only needed if you have enabled the chunking feature client-side.
 *
 * 5. If you have chunking enabled in Fine Uploader, you MUST set a value for the `chunking.success.endpoint` option.
 * This will be called by Fine Uploader when all chunks for a file have been successfully uploaded, triggering the
 * PHP server to combine all parts into one file. This is particularly useful for the concurrent chunking feature,
 * but is now required in all cases if you are making use of this PHP example.
 *
 *
 * @license MIT License (MIT)
 * @copyright Copyright (c) 2015-present, Widen Enterprises, Inc.
 * @link https://github.com/FineUploader/php-traditional-server
 *
 * The MIT License (MIT)
 *
 * Copyright (c) 2015-present, Widen Enterprises, Inc.
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in all
 * copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */

if (isset($_POST['Authorization'])) {
   
define('PROTECTOR_SKIP_DOS_CHECK', 1);
}
include
__DIR__ . '/mainfile.php';
$xoopsLogger->activated = false;

/**
 * Get our expected claims from the JSON Web Token.
 *
 * This is the list of claims which should be included:
 *
 * aud audience (asserted as our php script name)
 * cat category id the user has chosen and is authorized for
 * uid user id (asserted as the session specified user)
 * handler handler class
 * moddir module directory for handler
 *
 * We will assert that aud and uid agree with our expectations (for security)
 */
$assert = array(
   
'aud' => basename(__FILE__),
   
'uid' => $xoopsUser instanceof \XoopsUser ? $xoopsUser->id() : 0,
);
$claims = TokenReader::fromRequest('fineuploader', 'Authorization', $assert);

if (
$claims === false) {
    echo
json_encode(array('error' => "Invalid request token"));
    exit;
}

// Include the base upload handler class
XoopsLoad::load('fineuploadhandler', 'system');

$handler = (property_exists($claims, 'handler')) ? $claims->handler : '';
$moddir = (property_exists($claims, 'moddir')) ? $claims->moddir : '';

if (
$handler === '' || $moddir === '') {
   
header("HTTP/1.0 400 Bad Request");
    exit;
}

/**
 * The handler claim can be specified as either:
 * - a fully qualified and autoloading namespaced name,
 * - a legacy handler name
 */
$className = $handler;
if (
false === strpos($handler, '\\')) {
   
XoopsLoad::load($handler, $moddir);
   
$className = $moddir . $handler;
}
/* @var SystemFineUploadHandler $uploader */
$uploader = new $className($claims);

$method = get_request_method();

if (
$method === "POST") {
   
header("Content-Type: text/plain");

   
// Assumes you have a chunking.success.endpoint set to point here with a query parameter of "done".
    // For example: /myserver/handlers/endpoint.php?done
   
if (isset($_GET["done"])) {
       
$result = $uploader->combineChunks(XOOPS_ROOT_PATH . "/uploads");
    } else {
// Handle upload requests
        // Call handleUpload() with the name of the folder, relative to PHP's getcwd()
       
$result = $uploader->handleUpload(XOOPS_ROOT_PATH . "/uploads");

       
// To return a name used for uploaded file you can use the following line.
       
$result["uploadName"] = $uploader->getUploadName();
    }

    echo
json_encode($result);
} elseif (
$method == "DELETE") { // for delete file requests
   
$result = $uploader->handleDelete("files");
    echo
json_encode($result);
} else {
   
header("HTTP/1.0 405 Method Not Allowed");
}

/**
 * This will retrieve the "intended" request method. Normally, this is the
 * actual method of the request. Sometimes, though, the intended request method
 * must be hidden in the parameters of the request. For example, when attempting to
 * delete a file using a POST request. In that case, "DELETE" will be sent along with
 * the request in a "_method" parameter.
 *
 * @return string
 */
function get_request_method()
{
    if (isset(
$_POST["_method"]) && $_POST["_method"] != null) {
        return
$_POST["_method"];
    }
    return
$_SERVER["REQUEST_METHOD"];
}