implemented UPLOAD_CODE variable

If configured, needs a code as POST/GET variable for every upload. Also adds a input field to the main template
HaschekSolutions · Sep 6, 2023 · 61acb54 · 61acb54
1 parent cccb80d
commit 61acb54
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 27 deletions.
diff --git a/README.md b/README.md
@@ -108,8 +108,8 @@ Read [here](/rtfm/CONFIG.md) what those options do
 - [x] MASTER_DELETE_IP
 - [x] UPLOAD_FORM_LOCATION
 - [x] S3 Backend
+- [x] UPLOAD_CODE
 - [ ] UPLOAD_QUOTA
-- [ ] UPLOAD_CODE
 - [ ] LOW_PROFILE
 - [ ] IMAGE_CHANGE_CODE
 - [ ] MAX_RESIZED_IMAGES

diff --git a/inc/core.php b/inc/core.php
@@ -919,4 +919,12 @@ function executeUploadPermission()
         http_response_code(403);
         exit(json_encode(array('status'=>'err','reason'=> 'Access denied')));
     }
+    else if(defined('UPLOAD_CODE') && UPLOAD_CODE!='')
+    {
+        if(!isset($_REQUEST['uploadcode']) || $_REQUEST['uploadcode']!=UPLOAD_CODE)
+        {
+            http_response_code(403);
+            exit(json_encode(array('status'=>'err','reason'=> 'Incorrect upload code specified - Access denied')));
+        }
+    }
 }
diff --git a/js/pictshare.js b/js/pictshare.js
@@ -1,34 +1,39 @@
 Dropzone.autoDiscover = false;
 
-$(function() {
+$(function () {
     var myDropzone = new Dropzone("#dropzone");
     //console.log(myDropzone.options);
-    if(maxUploadFileSize !== undefined)
+    if (maxUploadFileSize !== undefined)
         myDropzone.options.maxFilesize = maxUploadFileSize;
     myDropzone.options.timeout = 0,
-    myDropzone.on("success", function(file,response) {
-        console.log("raw response: "+response);
-        if(response==null || response =="null")
-            $("#uploadinfo").append("<div class='alert alert-danger' role='alert'><strong>Error uploading "+file.name+"</strong><br/>Reason is unknown :(</div>")
-        else
-        {
-            var o = response;
-            if(o.status=='ok')
-                $("#uploadinfo").append("<div class='alert alert-success' role='alert'><strong>"+file.name+"</strong> uploaded as <a target='_blank' href='/"+o.hash+"'>"+o.hash+"</a><br/>URL: <a target='_blank' href='"+o.url+"'>"+o.url+"</a> <button class='btn btn-xs' onClick='navigator.clipboard.writeText(\""+o.url+"\");'>Copy URL</button></div>")
-            else if(o.status=='err')
-                $("#uploadinfo").append("<div class='alert alert-danger' role='alert'><strong>Error uploading "+file.name+"</strong><br/>Reason: "+o.reason+"</div>")
-            console.log(o)
-        }
-    });
+        myDropzone.on("sending", function(file, xhr, formData) { 
+         formData.append("uploadcode", document.getElementById("uploadcode").value);  
+        });
+        myDropzone.on('error', function(file, response) {
+           alert("Error: "+response.reason);
+        });
+        myDropzone.on("success", function (file, response) {
+            console.log("raw response: " + response);
+            if (response == null || response == "null")
+                $("#uploadinfo").append("<div class='alert alert-danger' role='alert'><strong>Error uploading " + file.name + "</strong><br/>Reason is unknown :(</div>")
+            else {
+                var o = response;
+                if (o.status == 'ok')
+                    $("#uploadinfo").append("<div class='alert alert-success' role='alert'><strong>" + file.name + "</strong> uploaded as <a target='_blank' href='/" + o.hash + "'>" + o.hash + "</a><br/>URL: <a target='_blank' href='" + o.url + "'>" + o.url + "</a> <button class='btn btn-xs' onClick='navigator.clipboard.writeText(\"" + o.url + "\");'>Copy URL</button></div>")
+                else if (o.status == 'err')
+                    $("#uploadinfo").append("<div class='alert alert-danger' role='alert'><strong>Error uploading " + file.name + "</strong><br/>Reason: " + o.reason + "</div>")
+                console.log(o)
+            }
+        });
 
-    document.onpaste = function(event){
+    document.onpaste = function (event) {
         var items = (event.clipboardData || event.originalEvent.clipboardData).items;
         for (index in items) {
-          var item = items[index];
-          if (item.kind === 'file') {
-            // adds the file to your dropzone instance
-            myDropzone.addFile(item.getAsFile())
-          }
+            var item = items[index];
+            if (item.kind === 'file') {
+                // adds the file to your dropzone instance
+                myDropzone.addFile(item.getAsFile())
+            }
         }
-      }
-  })
+    }
+})
diff --git a/rtfm/CONFIG.md b/rtfm/CONFIG.md
@@ -19,8 +19,8 @@ In this file you can set the following options. For a simple working example con
 | UPLOAD_FORM_LOCATION    | string  | If set, will only show the upload form if this url is requested. eg if you set it to /secret/upload then you only see the form if you go to http://your.pictshare.server/secret/upload but bare in mind that the uploads [via API](/rtfm/API.md) will still work for anyone|
 | ALLOWED_SUBNET          | IPv4 or IPv6 CIDR | If set, will limit uploads to IPs that match this CIDR |
 | ALWAYS_WEBP | bool | If set to `true`, JPGs will always be served as WebP, if the client supports it (if `image/webp` is in header `HTTP_ACCEPT`) | 
+| UPLOAD_CODE | string  | If set, all uploads require this code via GET or POST variable "uploadcode" to succeed |
 | UPLOAD_QUOTA (NOT IMPLEMENTED)            | int     | Size in MB. If set, will only allow uploads if combined size of uploads on Server is smaller than this value. Does not account for ALT_FOLDER data and resized versions of original uploads won't be added to calculation |
-| UPLOAD_CODE (NOT IMPLEMENTED             | string  | If set, all uploads require this code via GET or POST variable "uploadcode" or upload will fail |
 | MAX_RESIZED_IMAGES (NOT IMPLEMENTED      | string  | If set, limits count of resized images/videos per file on server |
 
 

diff --git a/rtfm/DOCKER.md b/rtfm/DOCKER.md
@@ -54,7 +54,7 @@ Every other variable can be referenced against the [default PictShare configurat
 - MASTER_DELETE_IP (string | ip which can delete any image)
 - ALLOWED_SUBNET (CIDR IP range (can be comma separated) | IP subnets which are allowed to upload files)
 - ALLOW_BLOATING (true/false | can images be bloated to higher resolutions than the originals)
-- UPLOAD_CODE (string | code that has to be supplied to upload an image)
+- UPLOAD_CODE (string | Code that has to be supplied via POST or GET, to upload an image)
 - UPLOAD_FORM_LOCATION (string | absolute path where upload gui will be shown)
 - LOW_PROFILE (string | won't display error messages on failed uploads)
 - IMAGE_CHANGE_CODE (string | code if provided, needs to be added to image to apply filter/rotation/etc)

diff --git a/templates/main.html b/templates/main.html
@@ -58,6 +58,9 @@ <h2>Upload forbidden</h2>
                             <?php 
                                 echo "Max Upload size: ". (int)(ini_get('upload_max_filesize'))."MB / File<br/>";
                                 echo "Allowed file types: ". implode(', ',getAllContentFiletypes());
+
+                                if(defined('UPLOAD_CODE') && UPLOAD_CODE!='')
+                                    echo '<br>Upload Code: <input type="text" id="uploadcode"  />';
                             ?>
                         </p>
                             <form class="dropzone well" id="dropzone" method="post" action="/api/upload.php" enctype="multipart/form-data">