diff --git a/README.md b/README.md
index 49cd7cb..bdbca04 100644
--- a/README.md
+++ b/README.md
@@ -30,9 +30,10 @@ Add a disk config in `config/admin.php`:
 'extensions' => [
 'media-manager' => [
-
+            // Select a local disk that you configured in `config/filesystem.php`
-         'disk' => 'public'
+         'disk' => 'public',
+ 'allowed_ext' => 'jpg,jpeg,png,pdf,doc,docx,zip'
 ],
 ],
diff --git a/src/MediaController.php b/src/MediaController.php
index 47df705..f6b96a3 100644
--- a/src/MediaController.php
+++ b/src/MediaController.php
@@ -33,7 +33,14 @@ public function download(Request $request)
 $manager = new MediaManager($file);
- return $manager->download();
+ try {
+ return $manager->download();
+ } catch (\Exception $e) {
+ return response()->json([
+ 'status' => false,
+ 'message' => $e->getMessage(),
+ ]);
+ }
 }
 public function upload(Request $request)
@@ -69,7 +76,7 @@ public function delete(Request $request)
 }
 } catch (\Exception $e) {
 return response()->json([
- 'status' => true,
+ 'status' => false,
 'message' => $e->getMessage(),
 ]);
 }
@@ -91,7 +98,7 @@ public function move(Request $request)
 }
 } catch (\Exception $e) {
 return response()->json([
- 'status' => true,
+ 'status' => false,
 'message' => $e->getMessage(),
 ]);
 }
@@ -113,7 +120,7 @@ public function newFolder(Request $request)
 }
 } catch (\Exception $e) {
 return response()->json([
- 'status' => true,
+ 'status' => false,
 'message' => $e->getMessage(),
 ]);
 }
diff --git a/src/MediaManager.php b/src/MediaManager.php
index 68710ff..a8357da 100644
--- a/src/MediaManager.php
+++ b/src/MediaManager.php
@@ -26,6 +26,13 @@ class MediaManager extends Extension
 */
 protected $storage;
+ /**
+ * List of allowed extensions.
+ *
+ * @var string
+ */
+ protected $allowed = [];
+ /** + * @var array */
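Review bot: The new catch block in download() returns `$e->getMessage()` verbatim to the client, so whatever the storage layer puts in its exception text — Flysystem's not-found and access errors usually carry the resolved path — is disclosed to anyone who can hit this endpoint, and it goes out with HTTP 200 so callers that only inspect the status code see success. Record the exception server-side and send a fixed message instead, e.g. `report($e);` before the return and `'message' => 'Download failed',` in the payload; a non-2xx status would presumably help API consumers too, though I cannot see how the front end reads this response. Catching `\Exception` is also very broad; if MediaManager::download() throws a specific type for the missing-file case, catch that and let everything else reach the framework handler. download() begins before this hunk, so I cannot see where `$file` comes from.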
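Review bot: The docblock on the new `$allowed` property declares `@var string`, but the property is initialised to `[]` and the constructor fills it with the result of `explode()`, so the annotation contradicts the code and will make analysers flag every `in_array(..., $this->allowed)` call. Change it to `@var string[]` (or `array`). Since the property is consulted with a truthiness test before each check elsewhere in the class, it is worth saying so in the description: `* Allowed file extensions; an empty list disables the extension check.`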
@@ -50,6 +57,10 @@ public function __construct($path = '/')
 {
 $this->path = $path;
+ if (!empty(config('admin.extensions.media-manager.allowed_ext'))) {
+ $this->allowed = explode(',', config('admin.extensions.media-manager.allowed_ext'));
+ }
+
 $this->initStorage();
 }
@@ -77,10 +88,10 @@ public function ls()
 $directories = $this->storage->directories($this->path);
 return $this->formatDirectories($directories)
- ->merge($this->formatFiles($files))
- ->sort(function ($item) {
- return $item['name'];
- })->all();
+ ->merge($this->formatFiles($files))
+ ->sort(function ($item) {
+ return $item['name'];
+ })->all();
 }
 /**
@@ -92,7 +103,12 @@ public function ls()
 */
 protected function getFullPath($path)
 {
- return $this->storage->getDriver()->getAdapter()->applyPathPrefix($path);
+ $path = $this->storage->getDriver()->getAdapter()->applyPathPrefix($path);
+ if (strstr($fullPath, '..')) {
+ throw new \Exception('Incorrect path');
+ }
+
+ return $path;
 }
 public function download()
@@ -125,6 +141,11 @@ public function delete($path)
 public function move($new)
 {
+ $ext = pathinfo($new, PATHINFO_EXTENSION);
+ if ($this->allowed && !in_array($ext, $this->allowed)) {
+ throw new \Exception('File extension '.$ext.' is not allowed');
+ }
+
 return $this->storage->move($this->path, $new);
 }
@@ -137,6 +158,10 @@ public function move($new)
 public function upload($files = [])
 {
 foreach ($files as $file) {
+ if ($this->allowed && !in_array($file->getClientOriginalExtension(), $this->allowed)) {
+ throw new \Exception('File extension '.$file->getClientOriginalExtension().' is not allowed');
+ }
+
 $this->storage->putFileAs($this->path, $file, $file->getClientOriginalName());
 }
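Review bot: The allow-list is built with a bare `explode(',', …)` in the constructor, so any whitespace or upper-case in the configured value (`'jpg, png'`, `'JPG'`) yields entries that never equal a real extension, and nothing later lowercases the compared side either. Normalise once here so the comparisons in move() and upload() can be strict: `$this->allowed = array_map('trim', explode(',', strtolower(config('admin.extensions.media-manager.allowed_ext'))));`, reading the config value into a local first rather than calling `config()` twice. Note also that when `allowed_ext` is unset the property stays empty and the extension check is skipped entirely, so with the `public` disk the README recommends, a `.php` upload is accepted by default; a built-in default list would make that fail closed.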
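Review bot: The traversal guard added to getFullPath() tests `$fullPath`, a variable that is never assigned in this method — the prefixed path is stored in `$path` on the line above. Depending on how PHP errors are reported, the check either never fires (an undefined variable is null and `strstr(null, '..')` is false) or, under a handler that turns notices into exceptions, every call fails; in neither case does it block `..`. The line should read `if (strpos($path, '..') !== false) {`, and I would run it on the caller-supplied value before `applyPathPrefix()` so a configured prefix is not what gets rejected. Whether the storage adapter already normalises `..` away depends on the Flysystem version in use, so do not rely on it in place of this check.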
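Review bot: The extension check in move() compares `$ext` case-sensitively with a loose `in_array()`, so `photo.JPG` is refused while the allow-list holds `jpg`; normalise and compare strictly with `$ext = strtolower(pathinfo($new, PATHINFO_EXTENSION));` and `if ($this->allowed && !in_array($ext, $this->allowed, true)) {`. Separately, `$new` is a caller-chosen destination that goes to `$this->storage->move()` without the `..` check getFullPath() applies elsewhere in this class, so a rename into a parent directory is prevented only if the adapter rejects it; I cannot see from this hunk whether the controller validates `$new` first, so a `strpos($new, '..') !== false` guard here would be cheap insurance.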
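Review bot: In upload() both the allow-list check and the stored name are taken from the client-supplied original filename: `getClientOriginalExtension()` is compared case-sensitively with a loose `in_array()`, so `image.JPG` is rejected although `jpg` is allowed, and the file is then written under `getClientOriginalName()` verbatim. Lowercase and compare strictly, `if ($this->allowed && !in_array(strtolower($file->getClientOriginalExtension()), $this->allowed, true)) {`, and consider storing under a name you control (at least `basename()` of the client name, ideally a generated one) rather than the raw client value. Note that the throw happens mid-loop, so files earlier in `$files` are already on disk when the request fails. upload() continues past the end of this hunk.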