112 lines
3.1 KiB
Perl
112 lines
3.1 KiB
Perl
package WebGUI::URL::Uploads;
|
|
|
|
=head1 LEGAL
|
|
|
|
-------------------------------------------------------------------
|
|
WebGUI is Copyright 2001-2009 Plain Black Corporation.
|
|
-------------------------------------------------------------------
|
|
Please read the legal notices (docs/legal.txt) and the license
|
|
(docs/license.txt) that came with this distribution before using
|
|
this software.
|
|
-------------------------------------------------------------------
|
|
http://www.plainblack.com info@plainblack.com
|
|
-------------------------------------------------------------------
|
|
|
|
=cut
|
|
|
|
use strict;
|
|
use Apache2::Const -compile => qw(OK DECLINED NOT_FOUND AUTH_REQUIRED FORBIDDEN);
|
|
use WebGUI::Session;
|
|
|
|
=head1 NAME
|
|
|
|
Package WebGUI::URL::Uploads;
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
A URL handler that handles privileges for uploaded files.
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
use WebGUI::URL::Uploads;
|
|
my $status = WebGUI::URL::Uploads::handler($r, $s, $config);
|
|
|
|
=head1 SUBROUTINES
|
|
|
|
These subroutines are available from this package:
|
|
|
|
=cut
|
|
|
|
#-------------------------------------------------------------------
|
|
|
|
=head2 handler ( request, server, config )
|
|
|
|
The Apache request handler for this package.
|
|
|
|
=cut
|
|
|
|
sub handler {
|
|
my ($request, $server, $config) = @_;
|
|
$request->push_handlers(PerlAccessHandler => sub {
|
|
my $path = $request->filename;
|
|
return Apache2::Const::NOT_FOUND
|
|
unless -e $path;
|
|
$path =~ s{[^/]*$}{};
|
|
return Apache2::Const::OK
|
|
unless -e $path . '.wgaccess';
|
|
|
|
open my $FILE, '<' , $path . '.wgaccess';
|
|
my $fileContents = do { local $/; <$FILE> };
|
|
close($FILE);
|
|
my @users;
|
|
my @groups;
|
|
my @assets;
|
|
my $state;
|
|
if ($fileContents =~ /\A(?:\d+|[A-Za-z0-9_-]{22})\n(?:\d+|[A-Za-z0-9_-]{22})\n(?:\d+|[A-Za-z0-9_-]{22})/) {
|
|
my @privs = split("\n", $fileContents);
|
|
push @users, $privs[0];
|
|
push @groups, @privs[1,2];
|
|
}
|
|
else {
|
|
my $privs = JSON->new->decode($fileContents);
|
|
@users = @{ $privs->{users} || [] };
|
|
@groups = @{ $privs->{groups} || [] };
|
|
@assets = @{ $privs->{assets} || [] };
|
|
$state = $privs->{state};
|
|
}
|
|
|
|
return Apache2::Const::FORBIDDEN
|
|
if $state eq "trash";
|
|
|
|
return Apache2::Const::OK
|
|
if grep { $_ eq '1' } @users;
|
|
|
|
return Apache2::Const::OK
|
|
if grep { $_ eq '1' || $_ eq '7' } @groups;
|
|
|
|
my $session = $request->pnotes('wgSession');
|
|
unless (defined $session) {
|
|
$session = WebGUI::Session->open($server->dir_config('WebguiRoot'), $config->getFilename, $request, $server);
|
|
}
|
|
|
|
my $userId = $session->var->get('userId');
|
|
|
|
return Apache2::Const::OK
|
|
if grep { $_ eq $userId } @users;
|
|
|
|
my $user = $session->user;
|
|
|
|
return Apache2::Const::OK
|
|
if grep { $user->isInGroup($_) } @groups;
|
|
|
|
return Apache2::Const::OK
|
|
if grep { WebGUI::Asset->new($session, $_)->canView } @assets;
|
|
|
|
return Apache2::Const::AUTH_REQUIRED;
|
|
} );
|
|
return Apache2::Const::OK;
|
|
}
|
|
|
|
|
|
1;
|
|
|