Добавил проверку изображения в апи постов и ещё по мелочи

2023-09-07 23:05:23 +03:00 · 2023-09-07 23:05:23 +03:00 · e487ed79c4
commit e487ed79c4
parent 9a4658f3ea
8 changed files with 49 additions and 10 deletions
--- a/TODO.md
+++ b/TODO.md
@ -20,9 +20,8 @@
 			- Айди приглашения
 		- Роли
 			- Новичок
-				- Может оценивать посты, но не более n в день
+				- Может оценивать посты
-				- Может создавать посты, но не более n в день и только с одобренными тегами
+				- Не может создавать посты
 				- Может удалять свои посты
 				- Может устанавливать себе аватарку
 			- Проверенный
 				- Нет лимитов на оценку постов
--- a/api/_auth.php
+++ b/api/_auth.php
@ -23,6 +23,7 @@ function EndSession () {
 session_start();
 $LOGGED_IN = false;
 $THIS_USER = null; // ID of logged in user
 if (session_status() === PHP_SESSION_ACTIVE && isset($_SESSION["userid"])) { // If there are active session
 	// Check if user still exist
@ -35,6 +36,7 @@ if (session_status() === PHP_SESSION_ACTIVE && isset($_SESSION["userid"])) { //
 		die("user id used in session does not exist");
 	}
 	$LOGGED_IN = true;
 	$THIS_USER = $_SESSION["userid"];
 } elseif (session_status() === PHP_SESSION_DISABLED) { // If sessions are disabled
 	die("ERROR: please enable sessions in php config");
 }
--- a/api/_errors.php
+++ b/api/_errors.php
@ -13,4 +13,7 @@ $Err_DP_IDNotFound      = "dp.idnotfound";      // Resource not found by request
 $Err_DP_AlreadyLoggedIn = "dp.alreadyloggedin"; // User already logged into account
 $Err_DP_RegClosed       = "dp.regclosed";       // Registration is closed
 $Err_DP_NotEnoughRole   = "dp.notenoughrole";   // Power level is not enough for performing action
 $Err_DP_FileTooLarge    = "dp.filetoolarge";    // Size of file in request is too large
 $Err_DP_FileWrongType   = "dp.filewrongtype";   // Type of file is invalid
 $Err_DP_ImageWrongRes   = "dp.imagewrongres";   // Resolution of image is invalid
 ?>
--- a/api/_utils.php
+++ b/api/_utils.php
@ -18,4 +18,11 @@ function GenerateRandomString (int $length, string $keyspace = "abcdefghijklmnop
 	return implode('', $pieces);
 }
 // Get aspect ratio from width and height
 function GetAspectRatio ($x, $y) {
 	if ($x === $y)
 		return 1;
 	return max($x, $y) / min($x, $y);
 }
 ?>
--- a/api/post/create.php
+++ b/api/post/create.php
@ -2,6 +2,7 @@
 require_once("../_auth.php");
 require_once("../_utils.php");
 require_once("../user/index.php");
@ -30,7 +31,31 @@ if (ThisFileIsRequested(__FILE__)) {
 	if (!(isset($_POST["tags"]) && isset($_FILES["pic"])))
 		ReturnJSONError($Err_RDP_InvalidArgs, "not enough arguments");
-	// TODO
+	// TODO: add rate-limiting, instead of this
 	// Check user privs
 	if (User_HasRole($THIS_USER, "newbie"))
 		ReturnJSONError($Err_DP_NotEnoughRole, "newbies cant create posts");
 	// Check image properties
 	// If size is too large
 	if ($_FILES["pic"]["size"] > $Config["media"]["max_pic_size"])
 		ReturnJSONError($Err_DP_FileTooLarge, "picture is too large");
 	$TmpFilePath = $_FILES["pic"]["tmp_name"];
 	$Ext = strtolower(pathinfo($TmpFilePath, PATHINFO_EXTENSION));
 	// If file extension is not in list of allowed
 	if (in_array($Ext, $Config["media"]["allowed_exts"]))
 		ReturnJSONError($Err_DP_FileWrongType, "file extension is invalid");
 	// If file mime type is not in list of allowed
 	if (in_array(mime_content_type($TmpFilePath), $Config["media"]["allowed_mimetypes"]))
 		ReturnJSONError($Err_DP_FileWrongType, "file mime type is invalid");
 	// Check if resolution is bigger than allowed or have unacceptable aspect ratio
 	list($SzX, $SzY, $Type, $Attr) = getimagesize($TmpFilePath);
 	if ($SzX > $Config["media"]["max_pic_res"]["x"] || $SzY > $Config["media"]["max_pic_res"]["y"] || (GetAspectRatio($SzX, $SzY) > $Config["media"]["max_pic_res"]["ratio"]))
 		ReturnJSONError($Err_DP_ImageWrongRes, "image with that resolution or aspect ratio cant be accepted");
 }
 ?>
--- a/api/post/index.php
+++ b/api/post/index.php
@ -49,7 +49,7 @@ function Post_GetByID ($id) {
 	$result["preview_path"]           = $d["preview_path"];
 	$result["edit_lock"]              = $d["edit_lock"];
-	Post_AddView($id);
+	Post_AddView($id); // TODO: add rate-limit or completely rework
 	return $result;
 }
@ -67,8 +67,6 @@ if (ThisFileIsRequested(__FILE__)) {
 		ReturnJSONError($Err_RDP_InvalidID, "id must be specified");
 	}
 	// TODO: check permissions
 	$ResponseData = Post_GetByID($_REQUEST["id"]);
 	if ($ResponseData)
 		ReturnJSONData($ResponseData);
--- a/api/user/index.php
+++ b/api/user/index.php
@ -54,7 +54,7 @@ function User_IsMod ($id) {
 // Get user information from DB
 function User_GetInfoByID ($id) {
-	global $db;
+	global $db, $THIS_USER;
 	$result = array();
@ -73,7 +73,7 @@ function User_GetInfoByID ($id) {
 	$result["avatar_path"]   = $d["avatar_path"];
 	$result["role"]          = $d["role"];
 	$result["banned"]        = $d["banned"];
-	if (($id === $_SESSION["userid"]) || User_IsMod($_SESSION["userid"])) { // User himself and mods can see additional info
+	if (($id === $THIS_USER) || User_IsMod($THIS_USER)) { // User himself and mods can see additional info
 		$result["email"]     = $d["email"];
 		$result["invite_id"] = $d["invite_id"];
 	}
@ -94,7 +94,7 @@ if (ThisFileIsRequested(__FILE__)) {
 		$UserID = intval($_REQUEST["id"]);
 	} else {
 		if ($LOGGED_IN)
-			$UserID = $_SESSION["userid"];
+			$UserID = $THIS_USER;
 		else
 			ReturnJSONError($Err_RDP_InvalidID, "id must be specified or valid session must be provided");
 	}
--- a/config.json
+++ b/config.json
@ -17,6 +17,11 @@
 	},
 	"media": {
 		"max_pic_size": 56623104,
 		"max_pic_res": {
 			"x": 8192,
 			"y": 8192,
 			"ratio": 20
 		},
 		"allowed_exts": [
 			"jpg",
 			"jpeg",