image uploader tampering
parent
d8b425bdf6
commit
6d105ffc53
8 changed files with 79 additions and 9 deletions
|
@ -297,6 +297,12 @@ defmodule Philomena.Images do
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def update_uploader(%Image{} = image, attrs) do
|
||||||
|
image
|
||||||
|
|> Image.uploader_changeset(attrs)
|
||||||
|
|> Repo.update()
|
||||||
|
end
|
||||||
|
|
||||||
def hide_image(%Image{} = image, user, attrs) do
|
def hide_image(%Image{} = image, user, attrs) do
|
||||||
Image.hide_changeset(image, attrs, user)
|
Image.hide_changeset(image, attrs, user)
|
||||||
|> internal_hide_image(image)
|
|> internal_hide_image(image)
|
||||||
|
|
|
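Review bot: `update_uploader/2` takes no acting user, unlike `hide_image/3` directly below it, so nothing in this path records who reassigned the upload, while `Image.uploader_changeset/2` overwrites the image's `user_id`, `ip` and `fingerprint` with no trace of the previous values. Since the function is new, consider `def update_uploader(%Image{} = image, user, attrs)` so the caller can be attributed (and logged, if the project has a moderation log — not visible in this hunk), mirroring `hide_image`'s shape. A `@doc` noting that the result is `Repo.update/1`'s `{:ok, image}` or `{:error, changeset}` would also help callers handle the failure branch.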
@ -230,6 +230,21 @@ defmodule Philomena.Images.Image do
|
||||||
|> put_assoc(:source_changes, [])
|
|> put_assoc(:source_changes, [])
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def uploader_changeset(image, attrs) do
|
||||||
|
user_id =
|
||||||
|
if attrs["username"] not in [nil, ""] do
|
||||||
|
Repo.get_by!(User, name: attrs["username"]).id
|
||||||
|
else
|
||||||
|
nil
|
||||||
|
end
|
||||||
|
|
||||||
|
image
|
||||||
|
|> cast(attrs, [:anonymous])
|
||||||
|
|> put_change(:user_id, user_id)
|
||||||
|
|> put_change(:ip, %Postgrex.INET{address: {127, 0, 0, 1}, netmask: 32})
|
||||||
|
|> put_change(:fingerprint, "ffff")
|
||||||
|
end
|
||||||
|
|
||||||
def cache_changeset(image) do
|
def cache_changeset(image) do
|
||||||
changeset = change(image)
|
changeset = change(image)
|
||||||
image = apply_changes(changeset)
|
image = apply_changes(changeset)
|
||||||
|
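Review bot: `Repo.get_by!(User, name: attrs["username"]).id` raises `Ecto.NoResultsError` when the username does not exist, so a mistyped name in the moderator form becomes an exception from the endpoint instead of a changeset error the form could display. Because this function already returns a changeset, look the user up with `Repo.get_by/2` and report a missing user via `add_error/3` on `:username`, leaving the `{:error, changeset}` branch to the caller. The fixed IP `127.0.0.1` and fingerprint `"ffff"` deliberately scrub the previous uploader's data, which is sensible for privacy but irreversible; a comment above the two `put_change` calls should say so. Rewritten function below; `User` and `Repo` are used unqualified in the hunk, so the aliases are assumed to exist outside it.
```elixir
def uploader_changeset(image, attrs) do
  changeset =
    image
    |> cast(attrs, [:anonymous])
    # Reassigning the upload detaches the previous uploader's IP and
    # fingerprint; the old values are not preserved anywhere.
    |> put_change(:ip, %Postgrex.INET{address: {127, 0, 0, 1}, netmask: 32})
    |> put_change(:fingerprint, "ffff")

  case attrs["username"] do
    name when name in [nil, ""] ->
      put_change(changeset, :user_id, nil)

    name ->
      case Repo.get_by(User, name: name) do
        nil -> add_error(changeset, :username, "does not exist")
        %User{id: id} -> put_change(changeset, :user_id, id)
      end
  end
end
```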
|
30
lib/philomena_web/controllers/image/uploader_controller.ex
Normal file
30
lib/philomena_web/controllers/image/uploader_controller.ex
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
defmodule PhilomenaWeb.Image.UploaderController do
|
||||||
|
use PhilomenaWeb, :controller
|
||||||
|
|
||||||
|
alias Philomena.Images.Image
|
||||||
|
alias Philomena.Images
|
||||||
|
alias Philomena.Repo
|
||||||
|
|
||||||
|
plug :verify_authorized
|
||||||
|
plug :load_resource, model: Image, id_name: "image_id", persisted: true
|
||||||
|
|
||||||
|
def update(conn, %{"image" => image_params}) do
|
||||||
|
{:ok, image} = Images.update_uploader(conn.assigns.image, image_params)
|
||||||
|
|
||||||
|
Images.reindex_image(image)
|
||||||
|
|
||||||
|
image = Repo.preload(image, user: [awards: :badge])
|
||||||
|
changeset = Images.change_image(image)
|
||||||
|
|
||||||
|
conn
|
||||||
|
|> put_view(PhilomenaWeb.ImageView)
|
||||||
|
|> render("_uploader.html", layout: false, image: image, changeset: changeset)
|
||||||
|
end
|
||||||
|
|
||||||
|
defp verify_authorized(conn, _opts) do
|
||||||
|
case Canada.Can.can?(conn.assigns.current_user, :show, :ip_address) do
|
||||||
|
true -> conn
|
||||||
|
_false -> PhilomenaWeb.NotAuthorizedPlug.call(conn)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
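Review bot: `verify_authorized` gates a write action — reassigning an image's uploader and wiping its IP and fingerprint — on the read ability `Canada.Can.can?(conn.assigns.current_user, :show, :ip_address)`, so any role allowed to view IP addresses can also rewrite attribution; that is broader than least privilege suggests if the ability is granted beyond moderators (the ability definitions are not in this diff). A dedicated ability for this action, checked here and in the template, would keep the server and UI gates in step. Separately, `{:ok, image} = Images.update_uploader(...)` turns any `{:error, changeset}` into a `MatchError` (a 500) instead of re-rendering the form with errors, so the call needs a `case`; a possible shape is below, keeping the existing success path.
```elixir
def update(conn, %{"image" => image_params}) do
  case Images.update_uploader(conn.assigns.image, image_params) do
    {:ok, image} ->
      Images.reindex_image(image)
      # … unchanged: preload, change_image, render …

    {:error, changeset} ->
      image = Repo.preload(conn.assigns.image, user: [awards: :badge])

      conn
      |> put_status(:unprocessable_entity)
      |> put_view(PhilomenaWeb.ImageView)
      |> render("_uploader.html", layout: false, image: image, changeset: changeset)
  end
end
```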
|
@ -127,6 +127,7 @@ defmodule PhilomenaWeb.Router do
|
||||||
resources "/feature", Image.FeatureController, only: [:create], singleton: true
|
resources "/feature", Image.FeatureController, only: [:create], singleton: true
|
||||||
resources "/file", Image.FileController, only: [:update], singleton: true
|
resources "/file", Image.FileController, only: [:update], singleton: true
|
||||||
resources "/scratchpad", Image.ScratchpadController, only: [:edit, :update], singleton: true
|
resources "/scratchpad", Image.ScratchpadController, only: [:edit, :update], singleton: true
|
||||||
|
resources "/uploader", Image.UploaderController, only: [:update], singleton: true
|
||||||
|
|
||||||
resources "/comment_lock", Image.CommentLockController, only: [:create, :delete], singleton: true
|
resources "/comment_lock", Image.CommentLockController, only: [:create, :delete], singleton: true
|
||||||
resources "/description_lock", Image.DescriptionLockController, only: [:create, :delete], singleton: true
|
resources "/description_lock", Image.DescriptionLockController, only: [:create, :delete], singleton: true
|
||||||
|
|
|
@ -51,14 +51,8 @@
|
||||||
div
|
div
|
||||||
' Uploaded
|
' Uploaded
|
||||||
=> pretty_time(@image.created_at)
|
=> pretty_time(@image.created_at)
|
||||||
span.image_uploader
|
= render PhilomenaWeb.ImageView, "_uploader.html", assigns
|
||||||
' by
|
|
||||||
=> render PhilomenaWeb.UserAttributionView, "_anon_user.html", object: @image, awards: true, conn: @conn
|
|
||||||
= if can?(@conn, :show, :ip_address) do
|
|
||||||
=> link_to_ip(@conn, @image.ip)
|
|
||||||
=> link_to_fingerprint(@conn, @image.fingerprint)
|
|
||||||
a href="#"
|
|
||||||
i.fas.fa-edit
|
|
||||||
span.image-size
|
span.image-size
|
||||||
|
|
|
|
||||||
= @image.image_width
|
= @image.image_width
|
||||||
|
|
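Review bot: `_image_meta.html.slime` now renders `_uploader.html` with the whole `assigns`, and that partial calls `form_for @changeset` whenever `can?(@conn, :show, :ip_address)` holds, so every caller of `_image_meta.html` must now supply `changeset:` or privileged viewers get a `KeyError` on the page. `show.html.slime` is updated in this commit, but if the partial is rendered from anywhere else (not visible here) it needs the same change. Passing an explicit keyword list instead of `assigns`, e.g. `= render PhilomenaWeb.ImageView, "_uploader.html", image: @image, changeset: @changeset, conn: @conn`, makes that dependency visible at the call site.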
21
lib/philomena_web/templates/image/_uploader.html.slime
Normal file
21
lib/philomena_web/templates/image/_uploader.html.slime
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
span.image_uploader
|
||||||
|
' by
|
||||||
|
=> render PhilomenaWeb.UserAttributionView, "_anon_user.html", object: @image, awards: true, conn: @conn
|
||||||
|
|
||||||
|
= if can?(@conn, :show, :ip_address) do
|
||||||
|
=> link_to_ip(@conn, @image.ip)
|
||||||
|
=> link_to_fingerprint(@conn, @image.fingerprint)
|
||||||
|
a#edit-uploader href="#" data-click-hide=".image_uploader" data-click-show="#uploader-form"
|
||||||
|
i.fas.fa-edit
|
||||||
|
|
||||||
|
= if can?(@conn, :show, :ip_address) do
|
||||||
|
= form_for @changeset, Routes.image_uploader_path(@conn, :update, @image), [class: "block__content hidden", id: "uploader-form", data: [remote: "true", method: "put"]], fn f ->
|
||||||
|
=> label f, :username, "Uploader"
|
||||||
|
=> text_input f, :username, value: username(@image.user), class: "input input--short input--small"
|
||||||
|
|
||||||
|
=> label f, :anonymous
|
||||||
|
= checkbox f, :anonymous, class: "checkbox"
|
||||||
|
|
||||||
|
= submit "Save Changes", class: "button button--small", data: [disable_with: raw("Saving…")]
|
||||||
|
|
||||||
|
div Changes IP to '127.0.0.1' and FP to 'ffff'. Empty for anonymous.
|
|
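Review bot: the form in `_uploader.html.slime` has nowhere to surface changeset errors — nothing after `text_input f, :username` renders the field's errors — so a failed update (an invalid `anonymous` value, or an unknown username once that is reported as a changeset error rather than raised) gives the moderator no feedback. Add `= error_tag f, :username` under the username input, assuming the project's `ErrorHelpers` is imported into views as in a stock Phoenix app. The help text `Changes IP to '127.0.0.1' and FP to 'ffff'.` is good to keep, since it tells the moderator the previous values are discarded.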
@ -1,4 +1,4 @@
|
||||||
= render PhilomenaWeb.ImageView, "_image_meta.html", image: @image, watching: @watching, image_galleries: @image_galleries, user_galleries: @user_galleries, conn: @conn
|
= render PhilomenaWeb.ImageView, "_image_meta.html", image: @image, watching: @watching, image_galleries: @image_galleries, user_galleries: @user_galleries, changeset: @image_changeset, conn: @conn
|
||||||
= render PhilomenaWeb.ImageView, "_image_page.html", image: @image, conn: @conn
|
= render PhilomenaWeb.ImageView, "_image_page.html", image: @image, conn: @conn
|
||||||
|
|
||||||
.layout--narrow
|
.layout--narrow
|
||||||
|
|
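Review bot: `show.html.slime` now passes `changeset: @image_changeset` into `_image_meta.html`, but none of the 8 files in this commit is the image controller, so this assumes `@image_changeset` is already assigned by `ImageController.show`; if it is not, privileged viewers hit a `KeyError` when `_uploader.html` reaches `form_for @changeset`. Worth confirming against the controller, or building the changeset where it is used (`changeset: Images.change_image(@image)`) so the template does not depend on an assign set elsewhere.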
|
@ -142,6 +142,9 @@ defmodule PhilomenaWeb.ImageView do
|
||||||
Tag.display_order(tags)
|
Tag.display_order(tags)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def username(%{name: name}), do: name
|
||||||
|
def username(_user), do: nil
|
||||||
|
|
||||||
def scope(conn), do: Philomena.ImageScope.scope(conn)
|
def scope(conn), do: Philomena.ImageScope.scope(conn)
|
||||||
|
|
||||||
def anonymous_by_default?(conn) do
|
def anonymous_by_default?(conn) do
|
||||||
|
|
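Review bot: `username/1` has no documentation although it feeds a moderator-facing form via `username(@image.user)`; a `@doc` such as `Name of the image's uploader for prefilling the uploader form, or nil when the image has no user.` would state the contract. Matching `%{name: name}` accepts any map with a `:name` key; if only `User` structs are expected, `def username(%User{name: name}), do: name` is more assertive — whether `User` is aliased in this view is outside the hunk.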