Merge branch 'advisory-fix-1' into develop

# Conflicts:
#	CHANGELOG.md
Andy Miller
2020-11-30 16:00:52 -07:00
4 changed files with 64 additions and 33 deletions


@@ -10,6 +10,9 @@
* Forward a `sid` to GPM when downloading a premium package * Forward a `sid` to GPM when downloading a premium package
1. [](#bugfix) 1. [](#bugfix)
* Escape page title in `pages` field * Escape page title in `pages` field
* Fixed unused task RemoveMedia, it cannot be used directly anymore
* Tightened checks when removing a media file
* Removed unused parameter in file field
# v1.9.17 # v1.9.17
## 10/07/2020 ## 10/07/2020


@@ -913,11 +913,11 @@ class AdminBaseController
$uri = $this->grav['uri']; $uri = $this->grav['uri'];
$blueprint = base64_decode($uri->param('blueprint')); $blueprint = base64_decode($uri->param('blueprint'));
$path = base64_decode($uri->param('path')); $path = base64_decode($uri->param('path'));
$filename = basename($this->post['filename'] ?? ''); $route = base64_decode($uri->param('proute'));
$proute = base64_decode($uri->param('proute'));
$type = $uri->param('type'); $type = $uri->param('type');
$field = $uri->param('field'); $field = $uri->param('field');
$filename = basename($this->post['filename'] ?? '');
if ($filename === '') { if ($filename === '') {
$this->admin->json_response = [ $this->admin->json_response = [
'status' => 'error', 'status' => 'error',
@@ -929,7 +929,7 @@ class AdminBaseController
// Get Blueprint // Get Blueprint
if ($type === 'pages' || strpos($blueprint, 'pages/') === 0) { if ($type === 'pages' || strpos($blueprint, 'pages/') === 0) {
$page = $this->admin->page(true, $proute); $page = $this->admin->page(true, $route);
if (!$page) { if (!$page) {
$this->admin->json_response = [ $this->admin->json_response = [
'status' => 'error', 'status' => 'error',
@@ -1039,10 +1039,7 @@ class AdminBaseController
} }
if (null === $filename) { if (null === $filename) {
$filename = base64_decode($this->grav['uri']->param('route')); throw new \RuntimeException('Admin task RemoveMedia has been disabled.');
if (!$filename) {
$filename = base64_decode($this->route);
}
} }
$file = File::instance($filename); $file = File::instance($filename);
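Review bot: The new guard only fires when `$filename` is exactly null, so an empty string still reaches `File::instance($filename)` on the last line of the hunk; if a caller can hand in `''` (the `basename($this->post['filename'] ?? '')` pattern earlier in this file produces exactly that), the check should be `if ($filename === null || $filename === '') {`. Throwing a bare `\RuntimeException` is also out of step with the rest of this class, which reports failures through `$this->admin->json_response = ['status' => 'error', ...]`; whether this exception surfaces as a JSON error or as an error page with a trace depends on an error handler that is not visible here. The enclosing method begins before this hunk, so where a non-null `$filename` originates cannot be confirmed from the diff.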


@@ -1566,6 +1566,8 @@ class AdminController extends AdminBaseController
/** /**
* Determines the file types allowed to be uploaded * Determines the file types allowed to be uploaded
* *
* Used by pagemedia field.
*
* @return bool True if the action was performed. * @return bool True if the action was performed.
*/ */
protected function taskListmedia() protected function taskListmedia()
@@ -1615,33 +1617,65 @@ class AdminController extends AdminBaseController
} }
/** /**
* @return Media * Get page media.
*
* @return Media|null
*/ */
protected function getMedia() public function getMedia()
{ {
$this->uri = $this->uri ?? $this->grav['uri']; if ($this->view !== 'media') {
$uri = $this->uri->post('uri'); return null;
$order = $this->uri->post('order') ?: null;
if ($uri) {
/** @var UniformResourceLocator $locator */
$locator = $this->grav['locator'];
$media_path = $locator->isStream($uri) ? $uri : null;
} else {
$page = $this->admin->page(true);
$media_path = $page ? $page->path() : null;
} }
if ($order) {
$this->uri = $this->uri ?? $this->grav['uri'];
$this->grav['twig']->twig_vars['current_form_data'] = (array)$this->data;
$field = (string)$this->uri->post('field', '');
$order = $this->uri->post('order') ?: null;
if (!is_array($order)) {
$order = array_map('trim', explode(',', $order)); $order = array_map('trim', explode(',', $order));
} }
return $media_path ? new Media($media_path, $order) : null; $page = $this->admin->page($this->route);
if (!$page) {
return null;
}
$blueprints = $page->blueprints();
$settings = $this->getMediaFieldSettings($blueprints, $field);
$path = $settings['destination'] ?? $page->path();
return $path ? new Media($path, $order) : null;
} }
/** /**
* Handles adding a media file to a page * @param Data\Blueprint|null $blueprint
* @param string $field
* @return array|null
*/
protected function getMediaFieldSettings(?Data\Blueprint $blueprint, string $field): ?array
{
$schema = $blueprint ? $blueprint->schema() : null;
if (!$schema || $field === '') {
return null;
}
$settings = is_object($schema) ? (array)$schema->getProperty($field) : null;
if (null === $settings) {
return null;
}
if (empty($settings['destination']) || \in_array($settings['destination'], ['@self', 'self@', '@self@'], true)) {
unset($settings['destination']);
}
return $settings + ['accept' => '*', 'limit' => 1000];
}
/**
* Handles adding a media file to a page.
*
* Used by pagemedia field.
* *
* @return bool True if the action was performed. * @return bool True if the action was performed.
*/ */
@@ -1801,7 +1835,9 @@ class AdminController extends AdminBaseController
} }
/** /**
* Handles deleting a media file from a page * Handles deleting a media file from a page.
*
* Used by pagemedia field.
* *
* @return bool True if the action was performed. * @return bool True if the action was performed.
*/ */
@@ -1821,14 +1857,10 @@ class AdminController extends AdminBaseController
return false; return false;
} }
$filename = !empty($this->post['filename']) ? $this->post['filename'] : null; $filename = !empty($this->post['filename']) ? basename($this->post['filename']) : null;
// Handle bad filenames. // Handle bad filenames.
if (!Utils::checkFilename($filename)) { if (!$filename || !Utils::checkFilename($filename)) {
$filename = null;
}
if (!$filename) {
$this->admin->json_response = [ $this->admin->json_response = [
'status' => 'error', 'status' => 'error',
'message' => $this->admin::translate('PLUGIN_ADMIN.NO_FILE_FOUND') 'message' => $this->admin::translate('PLUGIN_ADMIN.NO_FILE_FOUND')
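Review bot: In the rewritten `getMedia()`, the `order` handling no longer tolerates a missing value: `$order = $this->uri->post('order') ?: null;` is followed by `if (!is_array($order))`, so when nothing is posted `explode(',', null)` runs (deprecated on PHP 8.1+) and yields `['']`, and `new Media($path, $order)` receives a one-element array where the old code passed null. The condition should be `if ($order !== null && !is_array($order)) {`. Separately, in `getMediaFieldSettings()` the cast in `(array)$schema->getProperty($field)` turns a null return into `[]`, so the `null === $settings` branch can never be taken; if `getProperty()` returns null for an unknown field, that field silently gets the default `['accept' => '*', 'limit' => 1000]` instead of null, and the cast should happen after the null check: `$settings = is_object($schema) ? $schema->getProperty($field) : null; if (null === $settings) { return null; } $settings = (array)$settings;`.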


@@ -40,7 +40,6 @@
{% set remove = global.file_task_remove ? global.file_url_remove : uri.addNonce( {% set remove = global.file_task_remove ? global.file_url_remove : uri.addNonce(
global.file_url_remove ~ global.file_url_remove ~
'/media.json' ~ '/media.json' ~
'/route' ~ config.system.param_sep ~ base64_encode(global.base_path ~ '/' ~ real_path) ~
'/task' ~ config.system.param_sep ~ 'removeFileFromBlueprint' ~ '/task' ~ config.system.param_sep ~ 'removeFileFromBlueprint' ~
'/proute' ~ config.system.param_sep ~ base64_encode(route) ~ '/proute' ~ config.system.param_sep ~ base64_encode(route) ~
'/blueprint' ~ config.system.param_sep ~ blueprint ~ '/blueprint' ~ config.system.param_sep ~ blueprint ~