Changeset 996
- Timestamp:
- 04/21/08 12:59:56 (7 months ago)
- Files:
-
- bb-attachments/trunk/bb-attachments.php (modified) (17 diffs)
- bb-attachments/trunk/readme.txt (modified) (2 diffs)
bb-attachments/trunk/bb-attachments.php
r992 r996 6 6 Author: _ck_ 7 7 Author URI: http://bbShowcase.org 8 Version: 0.0. 58 Version: 0.0.6 9 9 10 10 License: CC-GNU-GPL http://creativecommons.org/licenses/GPL/2.0/ … … 13 13 */ 14 14 15 global $bb_attachments; 15 $bb_attachments['role']['see']="read"; // minimum role to see list of attachments = read/participate/moderate/administrate 16 $bb_attachments['role']['download']="participate"; // minimum role to download = read/participate/moderate/administrate 17 $bb_attachments['role']['upload']="moderate"; // minimum role to upload = participate/moderate/administrate (times out with post edit time) 18 $bb_attachments['role']['delete']="moderate"; // minimum role to delete = read/participate/moderate/administrate 19 20 $bb_attachments['allowed']['extensions']['default']=array('gif','jpeg','jpg','pdf','png','txt'); // anyone who can upload can submit these 21 $bb_attachments['allowed']['extensions']['moderate']=array('gif','gz','jpeg','jpg','pdf','png','txt','zip'); // only if they can moderate 22 $bb_attachments['allowed']['extensions']['administrate']=array('bmp','doc','gif','gz','jpeg','jpg','pdf','png','txt','xls','zip'); // only if they can administrate 23 24 $bb_attachments['allowed']['mime_types']['default']=array('text/plain', 'image/jpeg', 'image/jpg', 'image/png', 'image/gif'); // for anyone that can upload 25 $bb_attachments['allowed']['mime_types']['moderate']=array('text/plain', 'image/jpeg', 'image/jpg', 'image/png', 'image/gif', 'application/zip', 'application/x-zip' , 'application/x-gzip'); 26 $bb_attachments['allowed']['mime_types']['administrate']=array('text/plain', 'text/x-c', 'image/jpeg', 'image/jpg', 'image/png', 'image/gif', 'application/zip', 'application/x-zip' , 'application/x-gzip'); 27 28 $bb_attachments['max']['size']['default']=100*1024; // general max for all type/roles, in bytes (ie. 100k) 29 $bb_attachments['max']['size']['jpg'] =150*1024; // size limit override by extension, bytes (ie. 
200k) 30 $bb_attachments['max']['size']['png']=150*1024; // size limit override by extension, bytes (ie. 200k) 31 $bb_attachments['max']['size']['moderate']=200*1024; // size limit override by role, bytes (ie. 250k) - note this overrides ALL extension limits 32 $bb_attachments['max']['size']['administrate']=500*1024; // size limit override by role, bytes (ie. 500k) - note this overrides ALL extension limits 33 34 $bb_attachments['max']['per_post']['default']=6; // how many files can be attached per post 35 $bb_attachments['max']['per_post']['moderate']=10; // override example$bb_attachments['max']['per_post']['administrate']=20; // you don't even need to set for every role, this is just an example 36 $bb_attachments['max']['uploads']['default']=6; // how many files can be uploaded at a time, in case you want to set per_post high 37 $bb_attachments['max']['uploads']['moderate']=10; // and again, this is optional per extra roles 38 39 $bb_attachments['max']['filename']['default']=40; // maximum length of filename before auto-trim 40 $bb_attachments['max']['filename']['administrate']=80; // override 41 42 // stop editing here (advanced user settings below) 16 43 17 44 $bb_attachments['path']=dirname($_SERVER['DOCUMENT_ROOT'])."/bb-attachments/"; // make *NOT* WEB ACCESSABLE for security 18 45 19 $bb_attachments['allowed_extensions']=array('bmp','doc','gif','gz','jpeg','jpg','pdf','png','txt','xls','zip'); 20 21 $bb_attachments['allowed_mime_types']=array('text/plain', 'text/x-c', 'image/jpeg', 'image/jpg', 'image/png', 'image/gif', 'application/zip', 'application/x-zip' , 'application/x-gzip'); 22 23 $bb_attachments['icons']=array('bmp'=>'img','doc'=>'doc','gif'=>'img','gz'=>'zip','jpeg'=>'img','jpg'=>'img','pdf'=>'pdf','png'=>'img','txt'=>'txt','xls'=>'xls','zip'=>'zip'); 24 25 $bb_attachments['max_size_default']=200*1024; // general max for all, in bytes (ie. 
200k) 26 27 $bb_attachments['max_size_overide']=array('jpg'=>200*1024,'png'=>200*1024); // size limit override by extension, bytes (ie. 200k) 28 29 $bb_attachments['role_upload']="moderate"; // minimum role to upload = participate/moderate/administrate (times out with post edit time) 30 31 $bb_attachments['role_download']="participate"; // minimum role to download = read/participate/moderate/administrate 32 33 $bb_attachments['role_see']="read"; // minimum role to see list of attachments = read/participate/moderate/administrate 34 35 $bb_attachments['role_delete']="moderate"; // minimum role to delete = read/participate/moderate/administrate 36 37 $bb_attachments['max_per_post']=10; // how many can be attached per post 38 $bb_attachments['max_uploads']=10; // how many files can be uploaded at a time / per post 39 40 $bb_attachments['icon_url']=bb_get_option('uri').trim(str_replace(BBPATH,'',dirname(__FILE__)),' /\\').'/icons/'; 41 42 $bb_attachments['title']=" <img title='attachments' border='0' align='absmiddle' src='".$bb_attachments['icon_url']."default.gif"."' />"; // text, html or image to show on topic titles if has attachments 43 44 // stop editing here 45 46 $bb_attachments['max_file_size']=2048*1024; // internal php upload limit - only edit if you know what you are doing 46 $bb_attachments['icons']=array('default'=>'default.gif','bmp'=>'img.gif','doc'=>'doc.gif','gif'=>'img.gif','gz'=>'zip.gif','jpeg'=>'img.gif','jpg'=>'img.gif','pdf'=>'pdf.gif','png'=>'img.gif','txt'=>'txt.gif','xls'=>'xls.gif','zip'=>'zip.gif'); 47 $bb_attachments['icons']['url']=bb_get_option('uri').trim(str_replace(BBPATH,'',dirname(__FILE__)),' /\\').'/icons/'; 48 49 $bb_attachments['title']=" <img title='attachments' border='0' align='absmiddle' src='".$bb_attachments['icons']['url'].$bb_attachments['icons']['default']."' />"; // text, html or image to show on topic titles if has attachments 50 51 
$bb_attachments['max']['php_upload_limit']=min(bb_attachments_l2n(ini_get('post_max_size')), bb_attachments_l2n(ini_get('upload_max_filesize'))); // internal php upload limit - only edit if you know what you are doing 47 52 48 53 $bb_attachments['status']=array("ok","deleted","failed","denied extension","denied mime","denied size","denied count","denied duplicate","denied dimensions"); 54 55 // really stop editing! 49 56 50 57 add_action( 'bb_init', 'bb_attachments_init'); … … 53 60 function bb_attachments_init() { 54 61 global $bbdb, $post_id, $bb_post, $topic, $bb_attachments; 62 63 if (isset($_GET['bb_attachments_diagnostic']) && bb_current_user_can('administrate')) {echo "<pre>"; print_r($bb_attachments); echo "</pre>"; exit();} 64 55 65 if (isset($_GET['bbat_delete'])) {bb_attachments_delete();} 66 56 67 if (isset($_GET['bb_attachments'])) { 57 68 if (isset($_GET['bbat'])) { 58 69 bb_attachments_download(); 59 70 } else { 60 if (bb_attachments_location()!='edit.php') { 61 bb_repermalink(); 62 bb_get_header(); 63 bb_attachments(); 64 bb_get_footer(); 65 exit(); 66 } 67 } 68 } 71 if (bb_attachments_location()!='edit.php') { 72 bb_repermalink(); 73 bb_get_header(); 74 bb_attachments(); 75 bb_get_footer(); 76 exit(); 77 } 78 } 79 } 80 69 81 if (is_topic()) { 70 82 add_action( 'bb_topic.php', 'bb_attachments_cache' ); … … 74 86 if ($bb_attachments['title']) {add_filter('topic_title', 'bb_attachments_title',200);} 75 87 } 88 76 89 } 77 90 … … 100 113 101 114 $output=""; 102 if ($post_id && ($bb_attachments['role _see']=="read" || bb_current_user_can($bb_attachments['role_see']))) {115 if ($post_id && ($bb_attachments['role']['see']=="read" || bb_current_user_can($bb_attachments['role']['see']))) { 103 116 104 117 $can_delete=false; $admin=false; $filter=" AND status = 0 "; // speedup checks with flag 105 118 if ((!is_topic() || isset($_GET['bb_attachments'])) && bb_current_user_can('moderate')) {$filter=""; $admin=bb_current_user_can('administrate');} 106 if 
(bb_current_user_can($bb_attachments['role _delete'])) {$can_delete=true;}119 if (bb_current_user_can($bb_attachments['role']['delete'])) {$can_delete=true;} 107 120 108 121 if (!isset($bb_attachments_cache[$post_id])) { … … 117 130 $output.="<li>"; 118 131 $output.="<span".(($attachment->status>0) ? " class='deleted' ": "")."> "; 119 if (isset($bb_attachments['icons'][$attachment->ext])) {$icon=$bb_attachments['icons'][$attachment->ext];} else {$icon= "default";}120 $output.=" <img align='absmiddle' title='".$attachment->ext."' src='".$bb_attachments['icon _url'].$icon.".gif' /> ";132 if (isset($bb_attachments['icons'][$attachment->ext])) {$icon=$bb_attachments['icons'][$attachment->ext];} else {$icon=$bb_attachments['icons']['default'];} 133 $output.=" <img align='absmiddle' title='".$attachment->ext."' src='".$bb_attachments['icons']['url'].$icon."' /> "; 121 134 122 135 if ($attachment->status>0 && empty($filter)) { … … 161 174 $post_id=intval($_GET['bb_attachments']); // only can upload if user is allowed to edit post 162 175 $user_id=bb_get_current_user_info( 'id' ); 163 if (!$user_id || !$post_id || !bb_current_user_can('edit_post',$post_id) || !bb_current_user_can($bb_attachments['role _upload'])) {return;}176 if (!$user_id || !$post_id || !bb_current_user_can('edit_post',$post_id) || !bb_current_user_can($bb_attachments['role']['upload'])) {return;} 164 177 165 178 $user_ip=$GLOBALS["HTTP_SERVER_VARS"]["REMOTE_ADDR"]; … … 171 184 $offset=0; // counter for this pass 172 185 $strip = array(' ','`','"','\'','\\','/','..','__'); // filter for filenames 186 $maxlength=bb_attachments_lookup($bb_attachments['max']['filename']); 173 187 174 188 echo "<h3>".__("Uploads")."</h3><ol>"; // start output … … 182 196 if (intval($_FILES['bb_attachments']['error'][$key])==0) { 183 197 184 $ext = (strrpos($filename, '.')===false) ? "" : strtolower(substr($filename, strrpos($filename, '.')+1)); 198 $ext = (strrpos($filename, '.')===false) ? 
"" : trim(strtolower(substr($filename, strrpos($filename, '.')+1))); 199 200 if (strlen($filename)>$maxlength) {$filename=substr($filename,0,$maxlength-strlen($ext)+1).".".$ext;} // fix filename length 201 185 202 $tmp=$_FILES['bb_attachments']['tmp_name'][$key]; 186 203 $size=filesize($tmp); … … 188 205 $status=0; $id=0; 189 206 190 if ($status==0 && !in_array($ext,$bb_attachments['allowed_extensions'])) {$status=3;} // disallowed extension 191 if ($status==0 && !in_array($mime,$bb_attachments['allowed_mime_types'])) {$status=4;} // disallowed mime 192 if ($status==0) { 193 if (isset($bb_attachments['max_size_override'][$ext])) { 194 if ($size>$bb_attachments['max_size_override'][$ext]) {$status=5;} // disallowed filesize 195 } else { 196 if ($size>$bb_attachments['max_size_default']) {$status=5;} // disallowed filesize 197 } 198 } 199 if ($status==0 && ($count+1)>$bb_attachments['max_per_post']) {$status=6;} // disallowed attachment count 207 if ($status==0 && !in_array($ext,bb_attachments_lookup($bb_attachments['allowed']['extensions']))) {$status=3;} // disallowed extension 208 if ($status==0 && !in_array($mime,bb_attachments_lookup($bb_attachments['allowed']['mime_types']))) {$status=4;} // disallowed mime 209 if ($status==0 && $size>bb_attachments_lookup($bb_attachments['max']['size'],$ext)) {$status=5;} // disallowed size 210 if ($status==0 && ($count+1)>bb_attachments_lookup($bb_attachments['max']['per_post'])) {$status=6;} // disallowed attachment count 200 211 201 212 if ($size>0 && $filename) { // we still save the status code if any but don't copy file until status = 0 … … 248 259 if ($status>0) { 249 260 if ($id>0) {$bbdb->query("UPDATE bb_attachments SET `status` = $status WHERE `id` = $id");} 250 echo "<li><span style='color:red'><strong>$filename ". __('error:')." ".$bb_attachments['status'][$status]."</strong></span></li>";251 } else {echo "<li><span style='color:green'><strong>$filename ". 
__('successful')."</strong></span></li>";}261 echo "<li><span style='color:red'><strong>$filename "." <span class='num'>(".round($size/1024,1)." KB)</span> ".__('error:')." ".$bb_attachments['status'][$status]."</strong></span></li>"; 262 } else {echo "<li><span style='color:green'><strong>$filename "." <span class='num'>(".round($size/1024,1)." KB)</span> ".__('successful')."</strong></span></li>";} 252 263 } // end !$empty 253 264 } // end while … … 261 272 if (!$post_id) {$post_id=intval($_GET['bb_attachments']);} // only can upload if user is allowed to edit post 262 273 $user_id=bb_get_current_user_info( 'id' ); 263 if (!$user_id || !$post_id || !bb_current_user_can('edit_post',$post_id) || !bb_current_user_can($bb_attachments['role_upload'])) {return;} 274 if (!$user_id || !$post_id || !bb_current_user_can('edit_post',$post_id) || !bb_current_user_can($bb_attachments['role']['upload'])) {return;} 275 276 $count=0; $allowed=__('allowed uploads:')." "; $exts=bb_attachments_lookup($bb_attachments['allowed']['extensions']); 277 $tcount=count($exts); foreach ($exts as $ext) { 278 $allowed.=$ext.' <span class="num">('.round(bb_attachments_lookup($bb_attachments['max']['size'],$ext)/1024,1).' 
KB)</span>, '; 279 $count++; if ($count==5 && $tcount>7) {$allowed.="<br />";} 280 } 281 $allowed=rtrim($allowed," ,"); 264 282 265 283 echo '<form class="bb_attachments_upload_form" enctype="multipart/form-data" method="post" action="'.attribute_escape(add_query_arg('bb_attachments',$post_id,remove_query_arg(array('bb_attachments','bbat','bbat_delete')))).'"> 266 <h3>'.__("Upload Files from your Computer").'</h3> 267 <input type="hidden" name="MAX_FILE_SIZE" value="'.$bb_attachments['max _file_size'].'" />284 <h3>'.__("Upload Files from your Computer").'</h3> 285 <input type="hidden" name="MAX_FILE_SIZE" value="'.$bb_attachments['max']['php_upload_limit'].'" /> 268 286 <span id="bb_attachments_file_sample"> 269 287 <input type="file" name="bb_attachments[]" size="50" /><br /> … … 274 292 bb_attachment_input_count=2; 275 293 function bb_attachment_inputs() { 276 bb_attachment_input_count=bb_attachment_input_count+2; if (bb_attachment_input_count<='. $bb_attachments['max_uploads'].') {294 bb_attachment_input_count=bb_attachment_input_count+2; if (bb_attachment_input_count<='.bb_attachments_lookup($bb_attachments['max']['uploads']).') { 277 295 document.getElementById('."'bb_attachments_file_input_'".'+bb_attachment_input_count).innerHTML+=document.getElementById('."'bb_attachments_file_sample'".').innerHTML+"<div id=bb_attachments_file_input_"+(bb_attachment_input_count+2)+"></div>"; 278 296 } 279 297 } 280 298 </script> 299 '.$allowed.'<br /> 281 300 <div style="margin:1em 0 0 0;"> 282 301 <a style="margin-right:12em;" href="'. 
get_post_link( $post_id ).'">'.__("« return to post").'</a> … … 291 310 $filenum=intval($filenum); 292 311 if ($filenum==0 && isset($_GET['bbat'])) {$filenum=intval($_GET['bbat']);} 293 if ($filenum>0 && ($bb_attachments['role _download']=="read" || bb_current_user_can($bb_attachments['role_download']))) {312 if ($filenum>0 && ($bb_attachments['role']['download']=="read" || bb_current_user_can($bb_attachments['role']['download']))) { 294 313 $file=$bbdb->get_results("SELECT * FROM bb_attachments WHERE id = $filenum AND status = 0 LIMIT 1"); 295 314 if (isset($file[0]) && $file[0]->id) { … … 321 340 $filenum=intval($filenum); 322 341 if ($filenum==0 && isset($_GET['bbat_delete'])) {$filenum=intval($_GET['bbat_delete']);} 323 if ($filenum>0 && bb_current_user_can($bb_attachments['role _delete'])) {342 if ($filenum>0 && bb_current_user_can($bb_attachments['role']['delete'])) { 324 343 $file=$bbdb->get_results("SELECT * FROM bb_attachments WHERE id = $filenum AND status = 0 LIMIT 1"); 325 344 if (isset($file[0]) && $file[0]->id) { … … 355 374 global $bb_attachments, $bb_attachments_cache, $bb_post, $bb_current_user; 356 375 $post_id=$bb_post->post_id; 357 if (($bb_current_user->ID ==$bb_post->poster_id || $bb_attachments_cache[$post_id]) && bb_current_user_can($bb_attachments['role _upload']) ) {376 if (($bb_current_user->ID ==$bb_post->poster_id || $bb_attachments_cache[$post_id]) && bb_current_user_can($bb_attachments['role']['upload']) ) { 358 377 echo " <a href='" . attribute_escape(add_query_arg('bb_attachments',$post_id,remove_query_arg(array('bb_attachments','bbat','bbat_delete')))) . "' >" . __('Attachments') ."</a> "; 359 378 } … … 375 394 return bb_find_filename( $file ); 376 395 } 396 397 function bb_attachments_lookup($array,$specific='') { 398 $key='default'; // there is probably a faster/more dynamic way to do role checks??? 
399 if (isset($array['administrate']) && bb_current_user_can('administrate')) {$key='administrate';} 400 else {if (isset($array['moderate']) && bb_current_user_can('moderate')) {$key='moderate';} 401 else {if ($specific && isset($array[$specific])) {$key=$specific;}}} 402 if (isset($array[$key])) {return $array[$key];} else {return '';} 403 } 404 405 function bb_attachments_l2n($v){ 406 $l = substr($v, -1); $ret = substr($v, 0, -1); 407 switch(strtoupper($l)){ case 'P': $ret *= 1024; case 'T': $ret *= 1024; case 'G': $ret *= 1024; case 'M': $ret *= 1024; case 'K': $ret *= 1024; break;} 408 return $ret; 409 } 377 410 378 411 if ( ! function_exists ( 'mime_content_type' ) ) { // most newer PHP doesn't have this, so try shell ? bb-attachments/trunk/readme.txt
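Review bot: The rewritten report lines at 261–262 still interpolate `$filename`, which originates from `$_FILES['bb_attachments']['name']`, directly into HTML, and the `$strip` list on line 185 removes quotes, slashes and backticks but not `<` or `>`, so unless the name is escaped somewhere outside the hunk (the enclosing upload function starts before it) the upload report renders whatever markup the uploader put in the filename. Escape at the output point in both branches, e.g. `<strong>".htmlspecialchars($filename, ENT_QUOTES)." <span class='num'>(...`, consistent with the `attribute_escape()` already used for the form action. Separately, `bb_attachments_l2n` (lines 405–409) unconditionally drops the last character via `substr($v, 0, -1)`, so a unitless ini value such as `post_max_size = 8388608` becomes 838860 and the `MAX_FILE_SIZE` hint built at line 51 is wrong; add `if (!ctype_alpha($l)) {return (int)$v;}` before the switch. The length fix at line 200 keeps `$maxlength-strlen($ext)+1` characters and then appends `'.'.$ext`, overshooting `$maxlength` by two; `-1` gives the intended bound.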
r993 r996 34 34 * mime_content_type function or shell access must exist to verify mime types 35 35 * filesize max might be 2mb because of passthrough/readfile limit (supposedly fixed in newer PHP) 36 * administrators can debug settings (ie. PHP upload limit) by adding to url `?bb_attachments_diagnostic` 36 37 37 38 == License == … … 46 47 47 48 * 0.0.5 first public beta release for review 49 * 0.0.6 advanced restrictions by file type & user role, upload form displays allowed file types 48 50 49 51 == To Do ==
