From 5da97e99f4ee7507cb2f4f91177c021229b6010e Mon Sep 17 00:00:00 2001 From: Maggie Date: Tue, 29 Apr 2014 15:06:08 -0400 Subject: [PATCH] CRM-14499: Update FourFour upgrade script and changes image urls to improve security but allow access --- CRM/Contact/BAO/Contact.php | 3 +- CRM/Contact/Page/ImageFile.php | 61 ++++++++++++++++++++++++ CRM/Core/xml/Menu/Contact.xml | 6 +++ CRM/Upgrade/Incremental/php/FourFour.php | 57 ++++++++++++++++++++++ CRM/Utils/System.php | 1 + 5 files changed, 127 insertions(+), 1 deletion(-) create mode 100644 CRM/Contact/Page/ImageFile.php diff --git a/CRM/Contact/BAO/Contact.php b/CRM/Contact/BAO/Contact.php index 3d54cde959..73666cdc6d 100644 --- a/CRM/Contact/BAO/Contact.php +++ b/CRM/Contact/BAO/Contact.php @@ -943,7 +943,8 @@ WHERE id={$id}; "; ); if (in_array($params[$imageIndex]['type'], $mimeType)) { - $params[$imageIndex] = CRM_Contact_BAO_Contact::getRelativePath($params[$imageIndex]['name']); + $photo = basename($params[$imageIndex]['name']); + $params[$imageIndex] = CRM_Utils_System::url('civicrm/contact/imagefile', 'photo='.$photo, TRUE); return TRUE; } else { diff --git a/CRM/Contact/Page/ImageFile.php b/CRM/Contact/Page/ImageFile.php new file mode 100644 index 0000000000..f0aa6f9915 --- /dev/null +++ b/CRM/Contact/Page/ImageFile.php @@ -0,0 +1,61 @@ + array($currentURL, 'String')); + $dao = CRM_Core_DAO::executeQuery($sql, $params); + while ($dao->fetch()){ + $cid=$dao->id; + } + if ($cid){ + $config = CRM_Core_Config::singleton(); + $buffer = file_get_contents($config->customFileUploadDir . $_GET['photo']); + $mimeType = 'image/' .pathinfo($_GET['photo'], PATHINFO_EXTENSION); + CRM_Utils_System::download($_GET['photo'], $mimeType, $buffer, + NULL, + TRUE, + 'inline' + ); + } + else{ + echo 'image url not in database'; + } + CRM_Utils_System::civiExit(); + } +} + + diff --git a/CRM/Core/xml/Menu/Contact.xml b/CRM/Core/xml/Menu/Contact.xml index ce54ca8d42..17141ffd85 100644 --- a/CRM/Core/xml/Menu/Contact.xml 
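Review bot: The photo file name is concatenated into the query string as `'photo='.$photo` without URL-encoding, so a name containing `&`, `+`, `%` or `#` produces a URL that does not round-trip to the same `photo` value on the serving side; the `basename()` is good, but the line should read `$params[$imageIndex] = CRM_Utils_System::url('civicrm/contact/imagefile', 'photo=' . urlencode($photo), TRUE);` (unless `CRM_Utils_System::url` is known to encode its query argument, which is not visible here). Note also that the URL is stored with the absolute flag set, and the new `ImageFile` page appears to look that exact string up in `civicrm_contact.image_url`, so a later change of scheme or host would presumably break every stored image link — worth a comment on this line. The enclosing function starts and ends outside the hunk.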
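Review bot: `run()` passes the raw `$_GET['photo']` into `file_get_contents($config->customFileUploadDir . $_GET['photo'])` and into the response `Content-Type`, while the writer side in Contact.php reduces the name with `basename()`; since the menu entry makes this page reachable anonymously, the only thing between a `photo=../..` request and the filesystem is the lookup of the reconstructed URL in `civicrm_contact.image_url`, and the start of `run()` where `$currentURL` is built is not visible in this view. Apply `basename()` on the read side as well, derive the mime type from an extension allowlist instead of `'image/' . pathinfo($_GET['photo'], PATHINFO_EXTENSION)` (which lets the request pick the type), initialise `$cid` before the loop (it is undefined when the query returns no rows), and check `file_get_contents` for `FALSE` before handing the buffer to `download()`.
```php
// … unchanged: lookup of $currentURL in civicrm_contact.image_url …
$cid = NULL;
while ($dao->fetch()) {
  $cid = $dao->id;
}
// Reduce the request to a bare file name so it cannot leave customFileUploadDir,
// and map the extension through an allowlist rather than trusting the input.
$photo = basename($_GET['photo']);
$ext = strtolower(pathinfo($photo, PATHINFO_EXTENSION));
$allowedTypes = array('jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif');
if ($cid && $photo !== '' && isset($allowedTypes[$ext])) {
  $config = CRM_Core_Config::singleton();
  $buffer = file_get_contents($config->customFileUploadDir . $photo);
  if ($buffer === FALSE) {
    echo 'image file not found';
  }
  else {
    CRM_Utils_System::download($photo, $allowedTypes[$ext], $buffer, NULL, TRUE, 'inline');
  }
}
else {
  echo 'image url not in database';
}
CRM_Utils_System::civiExit();
```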
+++ b/CRM/Core/xml/Menu/Contact.xml @@ -42,6 +42,12 @@ CRM_Contact_BAO_Contact::processImage access uploaded files + + civicrm/contact/imagefile + Get Image File + CRM_Contact_Page_ImageFile + *always allow* + civicrm/contact/search/basic Find Contacts diff --git a/CRM/Upgrade/Incremental/php/FourFour.php b/CRM/Upgrade/Incremental/php/FourFour.php index f01e297af3..b5d8b58ba7 100644 --- a/CRM/Upgrade/Incremental/php/FourFour.php +++ b/CRM/Upgrade/Incremental/php/FourFour.php @@ -95,6 +95,9 @@ WHERE ceft.entity_table = 'civicrm_contribution' AND cft.payment_instrument_id I $postUpgradeMessage .= '
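Review bot: `*always allow*` opens `civicrm/contact/imagefile` to anonymous visitors, so the entire access decision moves into `CRM_Contact_Page_ImageFile`, which in this commit only checks that the requested URL exists in `civicrm_contact.image_url`, not that the requester is allowed to view that contact. If that trade-off is intended (presumably so photos render on pages that anonymous users can see), record it in the menu entry so a later reader does not tighten or loosen it by accident, e.g. `<!-- anonymous on purpose: ImageFile.php serves only file names found in civicrm_contact.image_url; contact-level ACLs are not applied here -->`. Confidentiality of photos then rests on uploaded file names not being guessable, which this change does not establish.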

' . ts('Your database contains %1 financial transaction records with no payment instrument (Paid By is empty). If you use the Accounting Batches feature this may result in unbalanced transactions. If you do not use this feature, you can ignore the condition (although you will be required to select a Paid By value for new transactions). You can review steps to correct transactions with missing payment instruments on the wiki.', array(1 => $dao->N, 2 => 'http://wiki.civicrm.org/confluence/display/CRMDOC/Fixing+Transactions+Missing+a+Payment+Instrument+-+4.4.3+Upgrades')) . ''; } } + if ($rev == '4.4.6'){ + $postUpgradeMessage .= '

'. ts('Your contact image urls have been upgraded. If your contact image urls did not follow the standard format for image Urls they have not been upgraded. Please check the log to see image urls that were not upgraded.'); + } } function upgrade_4_4_alpha1($rev) { 
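Review bot: The post-upgrade message tells the administrator to "check the log" without saying what to look for; the batch task records the skipped rows under the `imageUrlsNotUpgraded` key, so name it, e.g. `ts('... Please check the log for the "imageUrlsNotUpgraded" entry to see the image urls that were not upgraded.')`. `$rev == '4.4.6'` is a literal string match and reads better as `===`. The enclosing function starts and ends outside this hunk.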
@@ -304,6 +307,60 @@ ALTER TABLE civicrm_dashboard return TRUE; } + function upgrade_4_4_6($rev){ + $minId = CRM_Core_DAO::singleValueQuery('SELECT coalesce(min(id),0) FROM civicrm_contact'); + $maxId = CRM_Core_DAO::singleValueQuery('SELECT coalesce(max(id),0) FROM civicrm_contact'); + for ($startId = $minId; $startId <= $maxId; $startId += self::BATCH_SIZE) { + $endId = $startId + self::BATCH_SIZE - 1; + $title = ts('Upgrade image_urls (%1 => %2)', array(1 => $startId, 2 => $endId)); + $this->addTask($title, 'upgradeImageUrls', $startId, $endId); + } + } + + static function upgradeImageUrls(CRM_Queue_TaskContext $ctx, $startId, $endId){ + $sql = "CREATE INDEX index_image_url ON civicrm_contact (image_url);"; + $dao = CRM_Core_DAO::executeQuery($sql); + $sql = " +SELECT id, image_url +FROM civicrm_contact +WHERE 1 +AND id BETWEEN %1 AND %2 +"; + $params = array( + 1 => array($startId, 'Integer'), + 2 => array($endId, 'Integer'), + ); + $dao = CRM_Core_DAO::executeQuery($sql, $params, TRUE, NULL, FALSE, FALSE); + $failures = array(); + while ($dao->fetch()){ + $imageURL = $dao->image_url; + $baseurl = CIVICRM_UF_BASEURL; + $baselen = strlen($baseurl); + if (substr($imageURL, 0, $baselen)==$baseurl){ + $photo = basename($dao->image_url); + $config = CRM_Core_Config::singleton(); + $fullpath = $config->customFileUploadDir.$photo; + if (file_exists($fullpath)){ + $newimageurl = CRM_Utils_System::url('civicrm/contact/imagefile', 'photo='.$photo, TRUE); + $sql = 'UPDATE civicrm_contact SET image_url=%1 WHERE id=%2'; + $params = array( + 1 => array($newimageurl, 'String'), + 2 => array($dao->id, 'Integer'), + ); + $updatedao = CRM_Core_DAO::executeQuery($sql, $params); + } + else{ + $failures[$dao->id] = $dao->image_url; + } + } + else{ + $failures[$dao->id] = $dao->image_url; + } + } + CRM_Core_Error::debug_var('imageUrlsNotUpgraded', $failures); + return TRUE; + } + /** * Update activity contacts CRM-12274 * 
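Review bot: `upgradeImageUrls` executes `CREATE INDEX index_image_url ON civicrm_contact (image_url)` in every batch task, so the second batch (any site with more than `BATCH_SIZE` contacts) fails with MySQL's duplicate key name error; the index belongs in `upgrade_4_4_6`, run once before the batches are queued, and ideally guarded by a check that it does not already exist so a re-run of the upgrade does not fail the same way. The batch SELECT has no filter on `image_url`, so every contact without a photo falls through `substr($imageURL, 0, $baselen)==$baseurl` into `$failures` and is logged as "not upgraded", burying the rows the administrator actually needs to see. The rewritten URL is built with `'photo='.$photo` unencoded, so `urlencode($photo)` is needed for names containing `&`, `+` or `%`, and `$dao` from the index statement and `$updatedao` are assigned but never used.
```php
  function upgrade_4_4_6($rev){
    // Create the lookup index once, before the batches are queued: running
    // CREATE INDEX inside every batch task fails on the second batch.
    CRM_Core_DAO::executeQuery('CREATE INDEX index_image_url ON civicrm_contact (image_url)');
    // … unchanged: min/max id lookup and per-batch addTask calls …
  }

  static function upgradeImageUrls(CRM_Queue_TaskContext $ctx, $startId, $endId){
    // Only rows that carry an image URL; otherwise every contact without a
    // photo is reported as a failed upgrade.
    $sql = "
SELECT id, image_url
FROM civicrm_contact
WHERE image_url IS NOT NULL AND image_url <> ''
AND id BETWEEN %1 AND %2
";
    // … unchanged: parameter binding and batch loop …
          $newimageurl = CRM_Utils_System::url('civicrm/contact/imagefile', 'photo=' . urlencode($photo), TRUE);
    // … unchanged: UPDATE statement, failure collection, debug_var …
  }
```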
diff --git a/CRM/Utils/System.php b/CRM/Utils/System.php index 5e46870e43..b3d9de6755 100644 --- a/CRM/Utils/System.php +++ b/CRM/Utils/System.php @@ -1596,3 +1596,4 @@ class CRM_Utils_System { } } + -- 2.25.1