diff --git a/TODO.md b/TODO.md
index ca0f828..8fd7672 100644
--- a/TODO.md
+++ b/TODO.md
@@ -20,9 +20,8 @@
 - Айди приглашения
 - Роли
 - Новичок
- - Может оценивать посты, но не более n в день
- - Может создавать посты, но не более n в день и только с одобренными тегами
- - Может удалять свои посты
+ - Может оценивать посты
+ - Не может создавать посты
 - Может устанавливать себе аватарку
 - Проверенный
 - Нет лимитов на оценку постов
diff --git a/api/_auth.php b/api/_auth.php
index c56375c..6ecda49 100644
--- a/api/_auth.php
+++ b/api/_auth.php
@@ -23,6 +23,7 @@ function EndSession () {
 session_start();
 $LOGGED_IN = false;
+$THIS_USER = null; // ID of logged in user
 if (session_status() === PHP_SESSION_ACTIVE && isset($_SESSION["userid"])) { // If there are active session
 // Check if user still exist
@@ -35,6 +36,7 @@ if (session_status() === PHP_SESSION_ACTIVE && isset($_SESSION["userid"])) {
 // die("user id used in session does not exist");
 }
 $LOGGED_IN = true;
+ $THIS_USER = $_SESSION["userid"];
 } elseif (session_status() === PHP_SESSION_DISABLED) { // If sessions are disabled
 die("ERROR: please enable sessions in php config");
 }
diff --git a/api/_errors.php b/api/_errors.php
index 5a8bdfe..f90865b 100644
--- a/api/_errors.php
+++ b/api/_errors.php
@@ -13,4 +13,7 @@ $Err_DP_IDNotFound = "dp.idnotfound"; // Resource not found by request
 $Err_DP_AlreadyLoggedIn = "dp.alreadyloggedin"; // User already logged into account
 $Err_DP_RegClosed = "dp.regclosed"; // Registration is closed
 $Err_DP_NotEnoughRole = "dp.notenoughrole"; // Power level is not enough for performing action
+$Err_DP_FileTooLarge = "dp.filetoolarge"; // Size of file in request is too large
+$Err_DP_FileWrongType = "dp.filewrongtype"; // Type of file is invalid
+$Err_DP_ImageWrongRes = "dp.imagewrongres"; // Resolution of image is invalid
 ?>
\ No newline at end of file
diff --git a/api/_utils.php b/api/_utils.php
index ae2847c..9c8019f 100644
--- a/api/_utils.php
+++ b/api/_utils.php
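Review bot: `$THIS_USER = $_SESSION["userid"];` copies the session value without normalizing its type, and the new strict comparison `$id === $THIS_USER` in the User_GetInfoByID hunk of api/user/index.php receives `$id` values that the request handler builds with `intval($_REQUEST["id"])`; if the session stores the id as a string (how it is written is not visible here), the "user himself" branch silently never matches for requests by id, while the same comparison still matches when the handler passes `$THIS_USER` itself. Cast once at the source, `$THIS_USER = (int)$_SESSION["userid"];`, so every consumer compares ints with ints. The declaration comment should state the contract the rest of the code relies on: `// ID of logged in user (int), null when no valid session`.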
@@ -18,4 +18,11 @@ function GenerateRandomString (int $length, string $keyspace = "abcdefghijklmnop
 return implode('', $pieces);
 }
+// Get aspect ratio from width and height
+function GetAspectRatio ($x, $y) {
+ if ($x === $y)
+ return 1;
+ return max($x, $y) / min($x, $y);
+}
+
 ?>
\ No newline at end of file
diff --git a/api/post/create.php b/api/post/create.php
index dfbb1b9..003b00e 100644
--- a/api/post/create.php
+++ b/api/post/create.php
@@ -2,6 +2,7 @@
 require_once("../_auth.php");
 require_once("../_utils.php");
+require_once("../user/index.php");
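Review bot: `GetAspectRatio` divides by `min($x, $y)`, so a zero dimension throws DivisionByZeroError on PHP 8, and the untyped parameters also accept the nulls that `list()` on a failed `getimagesize()` produces in api/post/create.php. Declare the types and make degenerate input fail closed for callers that compare the result against a maximum: `function GetAspectRatio (int $x, int $y): float {` / `if (min($x, $y) <= 0) return INF;` / `return max($x, $y) / min($x, $y);`. The `$x === $y` early return is then redundant, since the division already yields 1.0 for equal positive sides.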
@@ -30,7 +31,31 @@ if (ThisFileIsRequested(__FILE__)) {
 if (!(isset($_POST["tags"]) && isset($_FILES["pic"])))
 ReturnJSONError($Err_RDP_InvalidArgs, "not enough arguments");
- // TODO
+ // TODO: add rate-limiting, instead of this
+ // Check user privs
+ if (User_HasRole($THIS_USER, "newbie"))
+ ReturnJSONError($Err_DP_NotEnoughRole, "newbies cant create posts");
+
+ // Check image properties
+
+ // If size is too large
+ if ($_FILES["pic"]["size"] > $Config["media"]["max_pic_size"])
+ ReturnJSONError($Err_DP_FileTooLarge, "picture is too large");
+
+ $TmpFilePath = $_FILES["pic"]["tmp_name"];
+ $Ext = strtolower(pathinfo($TmpFilePath, PATHINFO_EXTENSION));
+
+ // If file extension is not in list of allowed
+ if (in_array($Ext, $Config["media"]["allowed_exts"]))
+ ReturnJSONError($Err_DP_FileWrongType, "file extension is invalid");
+ // If file mime type is not in list of allowed
+ if (in_array(mime_content_type($TmpFilePath), $Config["media"]["allowed_mimetypes"]))
+ ReturnJSONError($Err_DP_FileWrongType, "file mime type is invalid");
+
+ // Check if resolution is bigger than allowed or have unacceptable aspect ratio
+ list($SzX, $SzY, $Type, $Attr) = getimagesize($TmpFilePath);
+ if ($SzX > $Config["media"]["max_pic_res"]["x"] || $SzY > $Config["media"]["max_pic_res"]["y"] || (GetAspectRatio($SzX, $SzY) > $Config["media"]["max_pic_res"]["ratio"]))
+ ReturnJSONError($Err_DP_ImageWrongRes, "image with that resolution or aspect ratio cant be accepted");
 }
 ?>
\ No newline at end of file
diff --git a/api/post/index.php b/api/post/index.php
index 22cfde8..12bba0f 100644
--- a/api/post/index.php
+++ b/api/post/index.php
@@ -49,7 +49,7 @@ function Post_GetByID ($id) {
 $result["preview_path"] = $d["preview_path"];
 $result["edit_lock"] = $d["edit_lock"];
- Post_AddView($id);
+ Post_AddView($id); // TODO: add rate-limit or completely rework
 return $result;
 }
@@ -67,8 +67,6 @@ if (ThisFileIsRequested(__FILE__)) {
 ReturnJSONError($Err_RDP_InvalidID, "id must be specified");
 }
- // TODO: check permissions
-
 $ResponseData = Post_GetByID($_REQUEST["id"]);
 if ($ResponseData)
 ReturnJSONData($ResponseData);
diff --git a/api/user/index.php b/api/user/index.php
index 5e070dd..a8abb0d 100644
--- a/api/user/index.php
+++ b/api/user/index.php
@@ -54,7 +54,7 @@ function User_IsMod ($id) {
 // Get user information from DB
 function User_GetInfoByID ($id) {
- global $db;
+ global $db, $THIS_USER;
 $result = array();
@@ -73,7 +73,7 @@ function User_GetInfoByID ($id) {
 $result["avatar_path"] = $d["avatar_path"];
 $result["role"] = $d["role"];
 $result["banned"] = $d["banned"];
- if (($id === $_SESSION["userid"]) || User_IsMod($_SESSION["userid"])) { // User himself and mods can see additional info
+ if (($id === $THIS_USER) || User_IsMod($THIS_USER)) { // User himself and mods can see additional info
 $result["email"] = $d["email"];
 $result["invite_id"] = $d["invite_id"];
 }
@@ -94,7 +94,7 @@ if (ThisFileIsRequested(__FILE__)) {
 $UserID = intval($_REQUEST["id"]);
 } else {
 if ($LOGGED_IN)
- $UserID = $_SESSION["userid"];
+ $UserID = $THIS_USER;
 else
 ReturnJSONError($Err_RDP_InvalidID, "id must be specified or valid session must be provided");
 }
diff --git a/config.json b/config.json
index d7d333a..95a370a 100644
--- a/config.json
+++ b/config.json
@@ -17,6 +17,11 @@
 },
 "media": {
 "max_pic_size": 56623104,
+ "max_pic_res": {
+ "x": 8192,
+ "y": 8192,
+ "ratio": 20
+ },
 "allowed_exts": [
 "jpg",
 "jpeg",