feat: restored image upload

* only use readonly id when storing image to prevent leaking of the editable id
This commit is contained in:
Florent Chehab 2020-05-12 21:55:43 +02:00
parent 14e1ee5391
commit 2c2c104bbf
No known key found for this signature in database
GPG Key ID: 9A0CE018889EA246
3 changed files with 60 additions and 31 deletions

View File

@ -89,32 +89,37 @@ function startBackendServer(port) {
function progressUploadFormData(formData, callback) {
console.log("Progress new Form Data");
var fields = escapeAllContentStrings(formData.fields);
var files = formData.files;
var whiteboardId = fields["whiteboardId"];
const fields = escapeAllContentStrings(formData.fields);
const wid = fields["whiteboardId"];
if (ReadOnlyBackendService.isReadOnly(wid)) return;
var name = fields["name"] || "";
var date = fields["date"] || +new Date();
var filename = whiteboardId + "_" + date + ".png";
var webdavaccess = fields["webdavaccess"] || false;
const readOnlyWid = ReadOnlyBackendService.getReadOnlyId(wid);
const name = fields["name"] || "";
const date = fields["date"] || +new Date();
const filename = `${readOnlyWid}_${date}.png`;
let webdavaccess = fields["webdavaccess"] || false;
try {
webdavaccess = JSON.parse(webdavaccess);
} catch (e) {
webdavaccess = false;
}
fs.ensureDir("./public/uploads", function (err) {
const savingDir = path.join("./public/uploads", readOnlyWid);
fs.ensureDir(savingDir, function (err) {
if (err) {
console.log("Could not create upload folder!", err);
return;
}
var imagedata = fields["imagedata"];
let imagedata = fields["imagedata"];
if (imagedata && imagedata != "") {
//Save from base64 data
imagedata = imagedata
.replace(/^data:image\/png;base64,/, "")
.replace(/^data:image\/jpeg;base64,/, "");
console.log(filename, "uploaded");
fs.writeFile("./public/uploads/" + filename, imagedata, "base64", function (err) {
const savingPath = path.join(savingDir, filename);
fs.writeFile(savingPath, imagedata, "base64", function (err) {
if (err) {
console.log("error", err);
callback(err);
@ -122,19 +127,16 @@ function startBackendServer(port) {
if (webdavaccess) {
//Save image to webdav
if (enableWebdav) {
saveImageToWebdav(
"./public/uploads/" + filename,
filename,
webdavaccess,
function (err) {
saveImageToWebdav(savingPath, filename, webdavaccess, function (
err
) {
if (err) {
console.log("error", err);
callback(err);
} else {
callback();
}
}
);
});
} else {
callback("Webdav is not enabled on the server!");
}
@ -152,10 +154,10 @@ function startBackendServer(port) {
function saveImageToWebdav(imagepath, filename, webdavaccess, callback) {
if (webdavaccess) {
var webdavserver = webdavaccess["webdavserver"] || "";
var webdavpath = webdavaccess["webdavpath"] || "/";
var webdavusername = webdavaccess["webdavusername"] || "";
var webdavpassword = webdavaccess["webdavpassword"] || "";
const webdavserver = webdavaccess["webdavserver"] || "";
const webdavpath = webdavaccess["webdavpath"] || "/";
const webdavusername = webdavaccess["webdavusername"] || "";
const webdavpassword = webdavaccess["webdavpassword"] || "";
const client = createClient(webdavserver, {
username: webdavusername,
@ -164,7 +166,7 @@ function startBackendServer(port) {
client
.getDirectoryContents(webdavpath)
.then((items) => {
var cloudpath = webdavpath + "" + filename;
const cloudpath = webdavpath + "" + filename;
console.log("webdav saving to:", cloudpath);
fs.createReadStream(imagepath).pipe(client.createWriteStream(cloudpath));
callback();
@ -244,7 +246,9 @@ function startBackendServer(port) {
socket.emit("whiteboardConfig", {
common: config.frontend,
whiteboardSpecific: {
correspondingReadOnlyId: ReadOnlyBackendService.getReadOnlyId(whiteboardId),
correspondingReadOnlyWid: ReadOnlyBackendService.getReadOnlyId(
whiteboardId
),
isReadOnly: ReadOnlyBackendService.isReadOnly(whiteboardId),
},
});

View File

@ -706,7 +706,7 @@ function initWhiteboard() {
);
function uploadImgAndAddToWhiteboard(base64data) {
var date = +new Date();
const date = +new Date();
$.ajax({
type: "POST",
url: document.URL.substr(0, document.URL.lastIndexOf("/")) + "/api/upload",
@ -717,9 +717,11 @@ function initWhiteboard() {
at: accessToken,
},
success: function (msg) {
var filename = whiteboardId + "_" + date + ".png";
const { correspondingReadOnlyWid } = ConfigService;
const filename = `${correspondingReadOnlyWid}_${date}.png`;
const rootUrl = document.URL.substr(0, document.URL.lastIndexOf("/"));
whiteboard.addImgToCanvasByUrl(
document.URL.substr(0, document.URL.lastIndexOf("/")) + "/uploads/" + filename
`${rootUrl}/uploads/${correspondingReadOnlyWid}/${filename}`
); //Add image to canvas
console.log("Image uploaded!");
},

View File

@ -12,6 +12,23 @@ class ConfigService {
return this.#configFromServer;
}
/**
* Associated read-only id for this whiteboad
* @type {string}
*/
#correspondingReadOnlyWid = "";
get correspondingReadOnlyWid() {
return this.#correspondingReadOnlyWid;
}
/**
* @type {boolean}
*/
#isReadOnly = true;
get isReadOnly() {
return this.#isReadOnly;
}
/**
* @type {{displayInfo: boolean, setReadOnly: boolean}}
* @readonly
@ -97,6 +114,12 @@ class ConfigService {
this.#backgroundGridImage = backgroundGridImage;
this.#refreshInfoInterval = 1000 / performance.refreshInfoFreq;
const { whiteboardSpecific } = configFromServer;
const { correspondingReadOnlyWid, isReadOnly } = whiteboardSpecific;
this.#correspondingReadOnlyWid = correspondingReadOnlyWid;
this.#isReadOnly = isReadOnly;
console.log("Whiteboard config from server:", configFromServer, "parsed:", this);
}