projects / civicrm-core.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Block access if no Hash is supplied
[civicrm-core.git] / CRM / Core / Page / File.php
1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | CiviCRM version 5 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2019 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
9 | |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
13 | |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
18 | |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
26 */
27
28 /**
29 *
30 * @package CRM
31 * @copyright CiviCRM LLC (c) 2004-2019
32 * $Id$
33 *
34 */
35 class CRM_Core_Page_File extends CRM_Core_Page {
36
37 /**
38 * Run page.
39 */
40 public function run() {
41 $action = CRM_Utils_Request::retrieve('action', 'String', $this);
42 $download = CRM_Utils_Request::retrieve('download', 'Integer', $this, FALSE, 1);
43 $disposition = $download == 0 ? 'inline' : 'download';
44
45 $eid = CRM_Utils_Request::retrieve('eid', 'Positive', $this, TRUE);
46 $fid = CRM_Utils_Request::retrieve('fid', 'Positive', $this, FALSE);
47 $id = CRM_Utils_Request::retrieve('id', 'Positive', $this, TRUE);
48 $hash = CRM_Utils_Request::retrieve('fcs', 'Alphanumeric', $this);
49 if (!self::validateFileHash($hash, $eid, $fid)) {
50 CRM_Core_Error::statusBounce('URL for file is not valid');
51 }
52
53 list($path, $mimeType) = CRM_Core_BAO_File::path($id, $eid);
54 $mimeType = CRM_Utils_Request::retrieveValue('mime-type', 'String', $mimeType, FALSE);
55
56 if (!$path) {
57 CRM_Core_Error::statusBounce('Could not retrieve the file');
58 }
59
60 $buffer = file_get_contents($path);
61 if (!$buffer) {
62 CRM_Core_Error::statusBounce('The file is either empty or you do not have permission to retrieve the file');
63 }
64
65 if ($action & CRM_Core_Action::DELETE) {
66 if (CRM_Utils_Request::retrieve('confirmed', 'Boolean')) {
67 CRM_Core_BAO_File::deleteFileReferences($id, $eid, $fid);
68 CRM_Core_Session::setStatus(ts('The attached file has been deleted.'), ts('Complete'), 'success');
69
70 $session = CRM_Core_Session::singleton();
71 $toUrl = $session->popUserContext();
72 CRM_Utils_System::redirect($toUrl);
73 }
74 }
75 else {
76 CRM_Utils_System::download(
77 CRM_Utils_File::cleanFileName(basename($path)),
78 $mimeType,
79 $buffer,
80 NULL,
81 TRUE,
82 $disposition
83 );
84 }
85 }
86
87 /**
88 * Validate a file Hash
89 * @param string $hash
90 * @param int $eid Entity Id the file is attached to
91 * @param int $fid File Id
92 * @return bool
93 */
94 public static function validateFileHash($hash, $eid, $fid) {
95 $testHash = CRM_Core_BAO_File::generateFileHash($eid, $fid);
96 if ($testHash == $hash) {
97 return TRUE;
98 }
99 return FALSE;
100 }
101
102 }