source: trunk/action.php @ 15054

Last change on this file since 15054 was 13523, checked in by rvelices, 13 years ago

fix action.php permissions checking when original is small

  • Property svn:eol-style set to LF
File size: 5.6 KB
RevLine 
[985]1<?php
2// +-----------------------------------------------------------------------+
[8728]3// | Piwigo - a PHP based photo gallery                                    |
[2297]4// +-----------------------------------------------------------------------+
[12922]5// | Copyright(C) 2008-2012 Piwigo Team                  http://piwigo.org |
[2297]6// | Copyright(C) 2003-2008 PhpWebGallery Team    http://phpwebgallery.net |
7// | Copyright(C) 2002-2003 Pierrick LE GALL   http://le-gall.net/pierrick |
8// +-----------------------------------------------------------------------+
9// | This program is free software; you can redistribute it and/or modify  |
10// | it under the terms of the GNU General Public License as published by  |
11// | the Free Software Foundation                                          |
12// |                                                                       |
13// | This program is distributed in the hope that it will be useful, but   |
14// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
15// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
16// | General Public License for more details.                              |
17// |                                                                       |
18// | You should have received a copy of the GNU General Public License     |
19// | along with this program; if not, write to the Free Software           |
20// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
21// | USA.                                                                  |
22// +-----------------------------------------------------------------------+
[985]23
[1560]24define('PHPWG_ROOT_PATH','./');
[13489]25session_cache_limiter('public');
[1560]26include_once(PHPWG_ROOT_PATH.'include/common.inc.php');
27
28// Check Access and exit when user status is not ok
29check_status(ACCESS_GUEST);
30
[1612]31function guess_mime_type($ext)
[985]32{
[1612]33  switch ( strtolower($ext) )
[1560]34  {
[1612]35    case "jpe": case "jpeg":
36    case "jpg": $ctype="image/jpeg"; break;
37    case "png": $ctype="image/png"; break;
38    case "gif": $ctype="image/gif"; break;
39    case "tiff":
40    case "tif": $ctype="image/tiff"; break;
41    case "txt": $ctype="text/plain"; break;
42    case "html":
43    case "htm": $ctype="text/html"; break;
44    case "xml": $ctype="text/xml"; break;
45    case "pdf": $ctype="application/pdf"; break;
46    case "zip": $ctype="application/zip"; break;
47    case "ogg": $ctype="application/ogg"; break;
48    default: $ctype="application/octet-stream";
[1560]49  }
[1612]50  return $ctype;
51}
[985]52
[1612]53function do_error( $code, $str )
54{
[1643]55  set_status_header( $code );
[1612]56  echo $str ;
57  exit();
58}
[985]59
60
[1817]61if (!isset($_GET['id'])
62    or !is_numeric($_GET['id'])
[1612]63    or !isset($_GET['part'])
[12855]64    or !in_array($_GET['part'], array('e','r') ) )
[1612]65{
66  do_error(400, 'Invalid request - id/part');
67}
68
69$query = '
70SELECT * FROM '. IMAGES_TABLE.'
[1817]71  WHERE id='.$_GET['id'].'
[1612]72;';
73
[13489]74$element_info = pwg_db_fetch_assoc(pwg_query($query));
[1612]75if ( empty($element_info) )
76{
77  do_error(404, 'Requested id not found');
78}
[1678]79
80// $filter['visible_categories'] and $filter['visible_images']
[1677]81// are not used because it's not necessary (filter <> restriction)
[1616]82$query='
[1817]83SELECT id
84  FROM '.CATEGORIES_TABLE.'
85    INNER JOIN '.IMAGE_CATEGORY_TABLE.' ON category_id = id
86  WHERE image_id = '.$_GET['id'].'
87'.get_sql_condition_FandF(
[2084]88  array(
89      'forbidden_categories' => 'category_id',
90      'forbidden_images' => 'image_id',
91    ),
[1817]92  '    AND'
93  ).'
[1616]94  LIMIT 1
95;';
[4325]96if ( pwg_db_num_rows(pwg_query($query))<1 )
[1616]97{
98  do_error(401, 'Access denied');
99}
[1612]100
101include_once(PHPWG_ROOT_PATH.'include/functions_picture.inc.php');
102$file='';
103switch ($_GET['part'])
104{
105  case 'e':
[13523]106    if ( !$user['enabled_high'] )
[1616]107    {
[13523]108      $deriv = new DerivativeImage(IMG_XXLARGE, new SrcImage($element_info));
109      if ( !$deriv->same_as_source() )
110      {
111        do_error(401, 'Access denied e');
112      }
[1616]113    }
[12855]114    $file = get_element_path($element_info);
[1612]115    break;
[12855]116  case 'r':
117    $file = original_to_representative( get_element_path($element_info), $element_info['representative_ext'] );
118    break;
[1612]119}
120
121if ( empty($file) )
122{
123  do_error(404, 'Requested file not found');
124}
125
[13489]126if ($_GET['part'] == 'e') {
[1844]127  pwg_log($_GET['id'], 'high');
[1817]128}
[1844]129else if ($_GET['part'] == 'e')
130{
131  pwg_log($_GET['id'], 'other');
132}
[1817]133
[1612]134$http_headers = array();
135
136$ctype = null;
137if (!url_is_remote($file))
138{
139  if ( !@is_readable($file) )
[1560]140  {
[1612]141    do_error(404, "Requested file not found - $file");
[1560]142  }
[1612]143  $http_headers[] = 'Content-Length: '.@filesize($file);
144  if ( function_exists('mime_content_type') )
[1552]145  {
[1612]146    $ctype = mime_content_type($file);
[1552]147  }
[1616]148
149  $gmt_mtime = gmdate('D, d M Y H:i:s', filemtime($file)).' GMT';
150  $http_headers[] = 'Last-Modified: '.$gmt_mtime;
151
152  // following lines would indicate how the client should handle the cache
153  /* $max_age=300;
154  $http_headers[] = 'Expires: '.gmdate('D, d M Y H:i:s', time()+$max_age).' GMT';
155  // HTTP/1.1 only
156  $http_headers[] = 'Cache-Control: private, must-revalidate, max-age='.$max_age;*/
157
158  if ( isset( $_SERVER['HTTP_IF_MODIFIED_SINCE'] ) )
159  {
[1643]160    set_status_header(304);
[1616]161    foreach ($http_headers as $header)
162    {
163      header( $header );
164    }
165    exit();
166  }
[1612]167}
[1616]168
[1612]169if (!isset($ctype))
170{ // give it a guess
171  $ctype = guess_mime_type( get_extension($file) );
172}
[1552]173
[1612]174$http_headers[] = 'Content-Type: '.$ctype;
175
[12855]176if (isset($_GET['download']))
[1612]177{
[4913]178  $http_headers[] = 'Content-Disposition: attachment; filename="'.$element_info['file'].'";';
[1612]179  $http_headers[] = 'Content-Transfer-Encoding: binary';
[985]180}
[1616]181else
182{
183  $http_headers[] = 'Content-Disposition: inline; filename="'
184            .basename($file).'";';
185}
[985]186
[1612]187foreach ($http_headers as $header)
[985]188{
[1612]189  header( $header );
[985]190}
191
[1612]192// Looking at the safe_mode configuration for execution time
193if (ini_get('safe_mode') == 0)
194{
195  @set_time_limit(0);
196}
197
198@readfile($file);
199
200?>
Note: See TracBrowser for help on using the repository browser.