fix: any user can read any file without any restrictions

vnmedeiros 2024-07-29 10:20:34 -03:00
parent 0bdd0d18e1
commit 1324d1626d
1 changed files with 19 additions and 0 deletions


@ -373,9 +373,28 @@ class REST_Background_Processes_Controller extends REST_Controller {
'error_message' => __('guid must be specified', 'tainacan' ) 'error_message' => __('guid must be specified', 'tainacan' )
], 400); ], 400);
} }
if (!is_user_logged_in() || !current_user_can('read') ) {
$error_def = [
"code" => "unauthorized",
"message" => "Unauthorized",
"data" => [ "status" => 403 ],
];
return new \WP_REST_Response($error_def, 403, array('content-type' => 'text/html; charset=utf-8'));
}
$guid = $request['guid']; $guid = $request['guid'];
$upload_url = wp_upload_dir(); $upload_url = wp_upload_dir();
$path = $upload_url['basedir'] . '/tainacan/' . $guid; $path = $upload_url['basedir'] . '/tainacan/' . $guid;
$real_file_path = realpath($path);
if (strpos($real_file_path, $path) !== 0) {
$error_def = [
"code" => "unauthorized_file_path",
"message" => "Unauthorized file path",
"data" => [ "status" => 403 ],
];
return new \WP_REST_Response($error_def, 403, array('content-type' => 'application/json; charset=utf-8'));
}
if ( file_exists( $path ) ) { if ( file_exists( $path ) ) {
$finfo = @finfo_open(FILEINFO_MIME_TYPE); $finfo = @finfo_open(FILEINFO_MIME_TYPE);
$mime_type = @finfo_file($finfo, $path); $mime_type = @finfo_file($finfo, $path);