diff --git a/CHANGELOG.md b/CHANGELOG.md
index dbe39531..6f8b3de4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,9 @@
 * Forward a `sid` to GPM when downloading a premium package
 1. [](#bugfix)
 * Escape page title in `pages` field
+ * Fixed unused task RemoveMedia, it cannot be used directly anymore
+ * Tightened checks when removing a media file
+ * Removed unused parameter in file field
 # v1.9.17
 ## 10/07/2020
diff --git a/classes/adminbasecontroller.php b/classes/adminbasecontroller.php
index 74868de9..971f60a3 100644
--- a/classes/adminbasecontroller.php
+++ b/classes/adminbasecontroller.php
@@ -913,11 +913,11 @@ class AdminBaseController
 $uri = $this->grav['uri'];
 $blueprint = base64_decode($uri->param('blueprint'));
 $path = base64_decode($uri->param('path'));
- $filename = basename($this->post['filename'] ?? '');
- $proute = base64_decode($uri->param('proute'));
+ $route = base64_decode($uri->param('proute'));
 $type = $uri->param('type');
 $field = $uri->param('field');
+ $filename = basename($this->post['filename'] ?? '');
 if ($filename === '') {
 $this->admin->json_response = [
 'status' => 'error',
@@ -929,7 +929,7 @@ class AdminBaseController
 // Get Blueprint
 if ($type === 'pages' || strpos($blueprint, 'pages/') === 0) {
- $page = $this->admin->page(true, $proute);
+ $page = $this->admin->page(true, $route);
 if (!$page) {
 $this->admin->json_response = [
 'status' => 'error',
@@ -1039,10 +1039,7 @@ class AdminBaseController
 }
 if (null === $filename) {
- $filename = base64_decode($this->grav['uri']->param('route'));
- if (!$filename) {
- $filename = base64_decode($this->route);
- }
+ throw new \RuntimeException('Admin task RemoveMedia has been disabled.');
 }
 $file = File::instance($filename);
diff --git a/classes/admincontroller.php b/classes/admincontroller.php
index 05b9bfc7..980f6e00 100644
--- a/classes/admincontroller.php
+++ b/classes/admincontroller.php
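Review bot: The new guard in the hunk at -1039 throws a bare `\RuntimeException` when `$filename` is null, while every other failure path visible in this file's hunks (the `'status' => 'error'` blocks at -913 and -929) reports through `$this->admin->json_response` and returns. If this method can still be reached as a dispatched admin task, the exception presumably surfaces as an unhandled server error rather than a JSON error the admin UI can render; if the intent is that it must never be called without a filename, a docblock note on the method such as `Callers must pass an explicit filename; the route-derived fallback has been removed.` would record that for the next maintainer. The enclosing method starts outside the hunk, so its signature and existing documentation are not visible here.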
@@ -1566,6 +1566,8 @@ class AdminController extends AdminBaseController
 /**
 * Determines the file types allowed to be uploaded
 *
+ * Used by pagemedia field.
+ *
 * @return bool True if the action was performed.
 */
 protected function taskListmedia()
@@ -1615,33 +1617,65 @@ class AdminController extends AdminBaseController
 }
 /**
- * @return Media
+ * Get page media.
+ *
+ * @return Media|null
 */
- protected function getMedia()
+ public function getMedia()
 {
- $this->uri = $this->uri ?? $this->grav['uri'];
- $uri = $this->uri->post('uri');
- $order = $this->uri->post('order') ?: null;
-
- if ($uri) {
- /** @var UniformResourceLocator $locator */
- $locator = $this->grav['locator'];
-
- $media_path = $locator->isStream($uri) ? $uri : null;
- } else {
- $page = $this->admin->page(true);
-
- $media_path = $page ? $page->path() : null;
+ if ($this->view !== 'media') {
+ return null;
 }
- if ($order) {
+
+ $this->uri = $this->uri ?? $this->grav['uri'];
+ $this->grav['twig']->twig_vars['current_form_data'] = (array)$this->data;
+
+ $field = (string)$this->uri->post('field', '');
+ $order = $this->uri->post('order') ?: null;
+ if (!is_array($order)) {
 $order = array_map('trim', explode(',', $order));
 }
- return $media_path ? new Media($media_path, $order) : null;
+ $page = $this->admin->page($this->route);
+ if (!$page) {
+ return null;
+ }
+
+ $blueprints = $page->blueprints();
+ $settings = $this->getMediaFieldSettings($blueprints, $field);
+ $path = $settings['destination'] ?? $page->path();
+
+ return $path ? new Media($path, $order) : null;
 }
 /**
- * Handles adding a media file to a page
+ * @param Data\Blueprint|null $blueprint
+ * @param string $field
+ * @return array|null
+ */
+ protected function getMediaFieldSettings(?Data\Blueprint $blueprint, string $field): ?array
+ {
+ $schema = $blueprint ? $blueprint->schema() : null;
+ if (!$schema || $field === '') {
+ return null;
+ }
+
+ $settings = is_object($schema) ?
(array)$schema->getProperty($field) : null;
+ if (null === $settings) {
+ return null;
+ }
+
+ if (empty($settings['destination']) || \in_array($settings['destination'], ['@self', 'self@', '@self@'], true)) {
+ unset($settings['destination']);
+ }
+
+ return $settings + ['accept' => '*', 'limit' => 1000];
+ }
+
+ /**
+ * Handles adding a media file to a page.
+ *
+ * Used by pagemedia field.
 *
 * @return bool True if the action was performed.
 */
@@ -1801,7 +1835,9 @@ class AdminController extends AdminBaseController
 }
 /**
- * Handles deleting a media file from a page
+ * Handles deleting a media file from a page.
+ *
+ * Used by pagemedia field.
 *
 * @return bool True if the action was performed.
 */
@@ -1821,14 +1857,10 @@ class AdminController extends AdminBaseController
 return false;
 }
- $filename = !empty($this->post['filename']) ? $this->post['filename'] : null;
+ $filename = !empty($this->post['filename']) ? basename($this->post['filename']) : null;
 // Handle bad filenames.
- if (!Utils::checkFilename($filename)) {
- $filename = null;
- }
-
- if (!$filename) {
+ if (!$filename || !Utils::checkFilename($filename)) {
 $this->admin->json_response = [
 'status' => 'error',
 'message' => $this->admin::translate('PLUGIN_ADMIN.NO_FILE_FOUND')
diff --git a/themes/grav/templates/forms/fields/file/file.html.twig b/themes/grav/templates/forms/fields/file/file.html.twig
index ccc3953c..d30c4e76 100644
--- a/themes/grav/templates/forms/fields/file/file.html.twig
+++ b/themes/grav/templates/forms/fields/file/file.html.twig
@@ -40,7 +40,6 @@
 {% set remove = global.file_task_remove ? global.file_url_remove : uri.addNonce(
 global.file_url_remove ~
 '/media.json' ~
- '/route' ~ config.system.param_sep ~ base64_encode(global.base_path ~ '/' ~ real_path) ~
 '/task' ~ config.system.param_sep ~ 'removeFileFromBlueprint' ~
 '/proute' ~ config.system.param_sep ~ base64_encode(route) ~
 '/blueprint' ~ config.system.param_sep ~ blueprint ~
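Review bot: In the new `getMedia()` the `if (!is_array($order))` branch calls `explode(',', $order)` when `$order` is null, which is exactly what the preceding `?: null` yields whenever no `order` value is posted; the removed code only exploded inside `if ($order)`. Passing null to `explode()` is deprecated from PHP 8.1 (a TypeError if this file declares strict_types) and otherwise produces `['']`, so `Media` now receives a one-element order list where it previously received null. Restoring the old guard keeps the prior behaviour: `if (!is_array($order)) {` / `$order = $order === null ? null : array_map('trim', explode(',', (string)$order));`. Separately, in `getMediaFieldSettings()` the `if (null === $settings)` check looks unreachable for an unknown field name, since `(array)` of a null `getProperty()` result is `[]` rather than null; that is harmless if falling back to the defaults and `$page->path()` is intended, but a comment such as `// unknown field: fall through to defaults and the page path` would make that explicit.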
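Review bot: In the hunk at -1821, `basename($this->post['filename'])` is applied to the raw posted value, so a non-string value (an array, for instance) raises a TypeError before `Utils::checkFilename()` runs, whereas the old code handed the value straight to `checkFilename`. A type guard keeps that case on the JSON error path like every other bad filename: `$filename = is_string($this->post['filename'] ?? null) && $this->post['filename'] !== '' ? basename($this->post['filename']) : null;`. Running `basename()` before the check is otherwise the right order, since it drops any directory component from the submitted name. The enclosing method starts outside the hunk.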