| 1: | <?php |
| 2: | |
| 3: | use Xmf\Jwt\TokenReader; |
| 4: | |
| 5: | /** |
| 6: | * PHP Server-Side Example for Fine Uploader (traditional endpoint handler). |
| 7: | * Maintained by Widen Enterprises. |
| 8: | * |
| 9: | * This example: |
| 10: | * - handles chunked and non-chunked requests |
| 11: | * - supports the concurrent chunking feature |
| 12: | * - assumes all upload requests are multipart encoded |
| 13: | * - supports the delete file feature |
| 14: | * |
| 15: | * Follow these steps to get up and running with Fine Uploader in a PHP environment: |
| 16: | * |
| 17: | * 1. Set up your client-side code, as documented on http://docs.fineuploader.com. |
| 18: | * |
| 19: | * 2. Copy this file and handler.php to your server. |
| 20: | * |
| 21: | * 3. Ensure your php.ini file contains appropriate values for |
| 22: | * max_input_time, upload_max_filesize and post_max_size. |
| 23: | * |
| 24: | * 4. Ensure your "chunks" and "files" folders exist and are writable. |
| 25: | * "chunks" is only needed if you have enabled the chunking feature client-side. |
| 26: | * |
| 27: | * 5. If you have chunking enabled in Fine Uploader, you MUST set a value for the `chunking.success.endpoint` option. |
| 28: | * This will be called by Fine Uploader when all chunks for a file have been successfully uploaded, triggering the |
| 29: | * PHP server to combine all parts into one file. This is particularly useful for the concurrent chunking feature, |
| 30: | * but is now required in all cases if you are making use of this PHP example. |
| 31: | * |
| 32: | * |
| 33: | * @license MIT License (MIT) |
| 34: | * @copyright Copyright (c) 2015-present, Widen Enterprises, Inc. |
| 35: | * @link https://github.com/FineUploader/php-traditional-server |
| 36: | * |
| 37: | * The MIT License (MIT) |
| 38: | * |
| 39: | * Copyright (c) 2015-present, Widen Enterprises, Inc. |
| 40: | * |
| 41: | * Permission is hereby granted, free of charge, to any person obtaining a copy |
| 42: | * of this software and associated documentation files (the "Software"), to deal |
| 43: | * in the Software without restriction, including without limitation the rights |
| 44: | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
| 45: | * copies of the Software, and to permit persons to whom the Software is |
| 46: | * furnished to do so, subject to the following conditions: |
| 47: | * |
| 48: | * The above copyright notice and this permission notice shall be included in all |
| 49: | * copies or substantial portions of the Software. |
| 50: | * |
| 51: | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
| 52: | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
| 53: | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
| 54: | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
| 55: | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
| 56: | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
| 57: | * SOFTWARE. |
| 58: | */ |
| 59: | |
// The constant has to be defined before mainfile.php is included, so this check must stay first.
// NOTE(review): the name suggests it tells the Protector module to skip its DoS check - confirm.
// The condition only tests that an 'Authorization' POST field is present. The token is not
// verified until TokenReader::fromRequest() runs further down, so the exemption is granted to
// any POST carrying that field, not only to requests with a valid token.
if (isset($_POST['Authorization'])) {
    define('PROTECTOR_SKIP_DOS_CHECK', 1);
}
// Bootstrap. $xoopsUser, $xoopsLogger, XoopsLoad and XOOPS_ROOT_PATH used below are expected
// to be provided by this include - TODO confirm.
include __DIR__ . '/mainfile.php';
// Switch the logger off for this request; presumably so that no logger output is appended to
// the JSON responses emitted below - confirm.
$xoopsLogger->activated = false;
| 65: | |
/**
 * Get our expected claims from the JSON Web Token.
 *
 * This is the list of claims which should be included:
 *
 *  aud      audience (asserted as our php script name)
 *  cat      category id the user has chosen and is authorized for
 *  uid      user id (asserted as the session specified user)
 *  handler  handler class
 *  moddir   module directory for handler
 *
 * We will assert that aud and uid agree with our expectations (for security)
 */
$assert = array(
    // Ties the token to this script's own file name.
    'aud' => basename(__FILE__),
    // Ties the token to the current session user; 0 is asserted when no XoopsUser is logged in.
    'uid' => $xoopsUser instanceof \XoopsUser ? $xoopsUser->id() : 0,
);
// Presumably 'fineuploader' names the signing key and 'Authorization' the request field that
// carries the token - confirm against Xmf\Jwt\TokenReader::fromRequest().
$claims = TokenReader::fromRequest('fineuploader', 'Authorization', $assert);

// A false result is the only rejection path in this script: every upload, combine and delete
// operation below relies on this exit having stopped requests without an acceptable token.
// No status header is sent here, so the JSON error goes out with the default response status.
if ($claims === false) {
    echo json_encode(array('error' => "Invalid request token"));
    exit;
}
| 89: | |
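// Include the base upload handler class
XoopsLoad::load('fineuploadhandler', 'system');

// Both values are read from the claims object returned by the token reader.
$handler = (property_exists($claims, 'handler')) ? $claims->handler : '';
$moddir = (property_exists($claims, 'moddir')) ? $claims->moddir : '';

// Reject missing, empty and non-string claims alike. A decoded token claim is not guaranteed
// to be a string, and the values are used below as a class name and a module directory.
if (!is_string($handler) || !is_string($moddir) || $handler === '' || $moddir === '') {
    header("HTTP/1.0 400 Bad Request");
    exit;
}

/**
 * The handler claim can be specified as either:
 * - a fully qualified and autoloading namespaced name,
 * - a legacy handler name
 *
 * A legacy name (no namespace separator) is loaded through XoopsLoad and the
 * class name is formed by prefixing the module directory.
 */
$className = $handler;
if (false === strpos($handler, '\\')) {
    XoopsLoad::load($handler, $moddir);
    $className = $moddir . $handler;
}

// Defence in depth: the class name is derived from request-supplied (token) data, so only
// instantiate it when it resolves to the base upload handler or one of its subclasses.
// This is the type this script already documents for $uploader. is_a() with allow_string
// also returns false when the class cannot be loaded, which turns a fatal "class not found"
// into a clean 400 response.
if (!is_a($className, 'SystemFineUploadHandler', true)) {
    header("HTTP/1.0 400 Bad Request");
    exit;
}
/** @var SystemFineUploadHandler $uploader */
$uploader = new $className($claims);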
| 113: | |
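// Dispatch on the intended request method (see get_request_method() for the "_method" override).
$method = get_request_method();

if ($method === "POST") {
    // JSON is deliberately served as text/plain so a browser never renders the body as HTML.
    header("Content-Type: text/plain");

    // Assumes you have a chunking.success.endpoint set to point here with a query parameter of "done".
    // For example: /myserver/handlers/endpoint.php?done
    if (isset($_GET["done"])) {
        $result = $uploader->combineChunks(XOOPS_ROOT_PATH . "/uploads");
    } else { // Handle upload requests
        // The upload folder is passed as an absolute path below XOOPS_ROOT_PATH.
        $result = $uploader->handleUpload(XOOPS_ROOT_PATH . "/uploads");

        // Report the name used for the uploaded file back to the client.
        $result["uploadName"] = $uploader->getUploadName();
    }

    echo json_encode($result);
} elseif ($method === "DELETE") { // for delete file requests
    // Same content type as the POST branch, so the delete response is not sent with the
    // default content type. The comparison is strict, matching the POST check above.
    header("Content-Type: text/plain");

    // NOTE(review): uploads are written below XOOPS_ROOT_PATH . "/uploads", but deletes are
    // pointed at the relative folder "files". Confirm which directory handleDelete() is meant
    // to operate on, and that it confines deletion to that directory.
    $result = $uploader->handleDelete("files");
    echo json_encode($result);
} else {
    header("HTTP/1.0 405 Method Not Allowed");
}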
| 138: | |
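/**
 * This will retrieve the "intended" request method. Normally, this is the
 * actual method of the request. Sometimes, though, the intended request method
 * must be hidden in the parameters of the request. For example, when attempting to
 * delete a file using a POST request. In that case, "DELETE" will be sent along with
 * the request in a "_method" parameter.
 *
 * The "_method" override is honoured only when it is a non-empty string. PHP turns
 * a parameter sent as "_method[]" into an array, which is ignored here so that the
 * function always returns a string, as documented.
 *
 * The returned value is request-controlled and is not normalised or restricted to a
 * known set of methods; callers must compare it strictly against the methods they support.
 *
 * @return string
 */
function get_request_method()
{
    if (isset($_POST["_method"]) && is_string($_POST["_method"]) && $_POST["_method"] !== '') {
        return $_POST["_method"];
    }
    return $_SERVER["REQUEST_METHOD"];
}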
| 155: |