1.48.04 release

app/controller/admin/log.class.php

@@ -183,7 +183,8 @@ public function add($data=false){
      */
     private function filterIn(){
         $in = $this->in;
-        unset($in['URLrouter'],$in['URLremote'],$in['HTTP_DEBUG_URL'],$in['CSRF_TOKEN'],$in['accessToken'],$in[str_replace(".", "/", ACTION)]);
+        unset($in['URLrouter'],$in['URLremote'],$in['HTTP_DEBUG_URL'],$in['CSRF_TOKEN'],
+			$in['safeToken'],$in['accessToken'],$in[str_replace(".", "/", ACTION)]);
         return $in;
     }
 

app/controller/admin/server.class.php

@@ -9,7 +9,7 @@ function __construct() {
 	}
 
 	// phpinfo
-	public function srvPhpinfo(){
+	public function srvPinfo(){
 		phpinfo();exit;
 	}
 

app/controller/admin/setting.class.php

@@ -180,7 +180,7 @@ private function removeFolder($folder,$children=false){
 	public function server(){
 		$data = Input::getArray(array(
 			'tab'	 => array('default'=>'', 'aliasKey'=>'type'),
-			'action' => array('check'=>'in', 'param'=>array('get', 'phpinfo', 'save', 'task', 'clear'))
+			'action' => array('check'=>'in', 'param'=>array('get', 'pinfo', 'save', 'task', 'clear'))
 		));
 		$function = ($data['type'] ? $data['type'] : 'srv') . ucfirst($data['action']);
 		// srvGet/cacheSave/dbSave/recoverySave

app/controller/explorer/api.class.php

@@ -31,7 +31,9 @@ private function setIdentify(){
 	}
 	public function checkAccessToken(){
 		$config = Model('Plugin')->getConfig('fileView');
-		if(!$config['apiKey']) return;
+		if(!$config || !$config['apiKey']){
+			show_tips('fileView not open ,or apiKey is empty!');
+		}
 
 		$timeTo = isset($this->in['timeTo'])?intval($this->in['timeTo']):'';
 		$token = md5($this->in['path'].$timeTo.$config['apiKey']);

app/controller/explorer/editor.class.php

@@ -83,8 +83,8 @@ private function contentPage($path,$size){
 	private function fileGetZipContentCheck($path){
 		if(!request_url_safe($path)) return;
 		$urlInfo = parse_url_query($path);
-		if(!isset($urlInfo['index']) || !isset($urlInfo['path']) || !isset($urlInfo['accessToken'])) return;
-		if(!Action('user.index')->accessTokenCheck($urlInfo['accessToken'])){return;}
+		if(!isset($urlInfo['index']) || !isset($urlInfo['path']) || !isset($urlInfo['safeToken'])) return;
+		if(!Action('user.index')->safeTokenCheck($urlInfo['safeToken'])){return;}
 
 		$zipFile  = rawurldecode($urlInfo['path']);
 		$indexArr = @json_decode(rawurldecode($urlInfo['index']),true);

app/controller/explorer/fav.class.php

@@ -125,10 +125,12 @@ public function rename() {
 		$data = Input::getArray(array(
 			"name"		=> array("check"=>"require"),
 			"newName"	=> array("check"=>"require"),
+			"path"		=> array("check"=>"require","default"=>false),
 		));
 		$res = $this->model->rename($data['name'],$data['newName']);
 		$msg = !!$res ? LNG('explorer.success') : LNG('explorer.repeatError');
-		show_json($msg,!!$res);
+		$info = $res && $data['path'] ? $data['path']:false;
+		show_json($msg,!!$res,$data['path']);
 	}
 
 	/**

app/controller/explorer/index.class.php

@@ -311,7 +311,10 @@ public function pathAllowCheck($path){
 		if($parse['pathBase']){
 			$path = $parse['param'];
 		}
-		$name = get_path_this($path);
+		$name = trim(get_path_this($path));
+		$name = preg_replace_callback('/./u',function($match){return strlen($match[0]) >= 4 ? '':$match[0];},$name);
+		if(!$name){show_json(LNG('explorer.charNoSupport').'emoji',false);} // 不允许纯emoji表情; 新建后文件名不显示;
+
 		$checkName = str_replace($notAllow,'_',$name);
 		if($name != $checkName){
 		    show_json(LNG('explorer.charNoSupport').implode(',',$notAllow),false);
@@ -325,7 +328,7 @@ public function pathAllowCheck($path){
 	}
 
 	public function mkfile(){
-		$this->pathAllowCheck($this->in['path'],true);
+		$this->pathAllowCheck($this->in['path']);
 		$info = IO::info($this->in['path']);
 		if($info && $info['type'] == 'file'){ //父目录为文件;
 			show_json(LNG('explorer.success'),true,IO::pathFather($info['path']));
@@ -841,7 +844,7 @@ public function fileOutBy(){
 		$parse = kodIO::parse($this->in['path']);
 		$allow = array('',kodIO::KOD_IO,kodIO::KOD_USER_DRIVER,kodIO::KOD_SHARE_LINK);
 		if(in_array($parse['type'],$allow)){
-			$distPath = kodIO::pathTrue(get_path_father($parse['path']).'/'.ltrim($add,'/'));
+			$distPath = kodIO::pathTrue($parse['path'].'/../'.$add);
 			$distInfo = IO::info($distPath);
 		}else{//KOD_SOURCE KOD_SHARE_ITEM(source,)
 			$info = IO::info($parse['path']);
@@ -857,13 +860,16 @@ public function fileOutBy(){
 
 			$displayPathArr = explode('/',trim($info['pathDisplay'],'/'));array_shift($displayPathArr);
 			$displayPath = $pathRoot.'/'.implode('/',$displayPathArr);
-			$distPath = kodIO::pathTrue(get_path_father($displayPath).'/'.$add);
+			$distPath = kodIO::pathTrue($displayPath.'/../'.$add);
 			$distInfo = IO::infoFullSimple($distPath);
 		}
 		// pr($distPath,$distInfo,$parse,[$pathRoot,$displayPath,$info,$shareInfo]);exit;
 		if(!$distInfo || $distInfo['type'] != 'file'){
 			return show_json(LNG('common.pathNotExists'),false);
 		}
+		if(isset($this->in['type']) && $this->in['type'] == 'getTruePath'){
+			show_json($distInfo['path'],true);
+		}
 
 		ActionCall('explorer.auth.canView',$distInfo['path']);// 再次判断新路径权限;
 		$this->updateLastOpen($distInfo['path']);

app/controller/explorer/list.class.php

@@ -281,7 +281,7 @@ public function pathCurrent($path,$loadInfo = true){
 		}else if($pathParse['type'] == KodIO::KOD_USER_FILE_TAG){
 			$list = Action('explorer.tag')->tagList();
 			$current = $list[$pathParse['id']];
-			$current['name'] = LNG('common.tag').' - '.$current['name'];
+			$current['name'] = LNG('explorer.userTag.title').' - '.$current['name'];
 		}
 		$current['type'] = 'folder';
 		$current['path'] = $path;

app/controller/explorer/listBlock.class.php

@@ -62,7 +62,7 @@ public function blockItems(){
 			'files'		=> array('name'=>LNG('common.position'),'open'=>true), 
 			'tools'		=> array('name'=>LNG('common.tools'),'open'=>true),
 			'fileType'	=> array('name'=>LNG('common.fileType'),'open'=>false,'children'=>true,'pathDesc'=> LNG('explorer.pathDesc.fileType')),
-			'fileTag'	=> array('name'=>LNG('common.tag'),'open'=>false,'children'=>true,'pathDesc'=> LNG('explorer.pathDesc.tag')),
+			'fileTag'	=> array('name'=>LNG('explorer.userTag.title'),'open'=>false,'children'=>true,'pathDesc'=> LNG('explorer.pathDesc.tag')),
 			'driver'	=> array('name'=>LNG('common.mount').' (admin)','open'=>false,'pathDesc'=> LNG('explorer.pathDesc.mount')),
 		);
 		return $list;
@@ -120,9 +120,10 @@ private function blockFiles(){
 		// 没有所在部门时不显示;
 		if(isset($list['myGroup'])){
 			$selfGroup 	= Session::get("kodUser.groupInfo");
-			$groupArray = array_to_keyvalue($selfGroup,'','groupID');//自己所在的组
-			$group 		= array_remove_value($groupArray,$groupInfo['groupID']);
-			if(!$group){unset($list['myGroup']);}
+			// $groupArray = array_to_keyvalue($selfGroup,'','groupID');//自己所在的组
+			// $group 		= array_remove_value($groupArray,$groupInfo['groupID']);
+			// if(!$group){unset($list['myGroup']);}
+			if(!$selfGroup){unset($list['myGroup']);}
 		}
 
 		$explorer = Action('explorer.list');

app/controller/explorer/listGroup.class.php

@@ -114,19 +114,22 @@ private function groupArray($groupArray){
 		$groupArray = array_sort_by($groupArray,'sort');// 排序处理;
 		$groupArray	= array_to_keyvalue($groupArray,'groupID');//自己所在的组
 		$this->_filterDisGroup($groupArray);	// 过滤已禁用部门
-		$group = array_remove_value(array_keys($groupArray),1);
+		// $group = array_remove_value(array_keys($groupArray),1);
+		$group = array_keys($groupArray);
 		if(!$group) return array();
 
 		$groupSource = $this->model->sourceRootGroup($group);
 		$groupSource = array_to_keyvalue($groupSource,'targetID');
 		$result = array();
 		foreach($groupArray as $group){ // 保持部门查询结构的顺序;
 			$groupID = $group['groupID'];
-			if($groupID == '1') continue; // 去除根部门
+			// if($groupID == '1') continue; // 去除根部门
 			if(!isset($groupSource[$groupID])) continue;
 
-			$pathInfo = $groupSource[$groupID];			
+			$groupInfo = Model('Group')->getInfo($groupID);
+			$pathInfo  = $groupSource[$groupID];			
 			$pathInfo['sourceRoot'] = 'groupPath';
+			$pathInfo['hasGroup']   = $groupInfo ? $groupInfo['hasChildren']:0;
 			$pathInfo['pathDisplay']= $pathInfo['groupPathDisplay'];
 			if(!$pathInfo['auth']){
 				$pathInfo['auth'] = Model("SourceAuth")->authDeepCheck($pathInfo['sourceID']);
@@ -138,13 +141,6 @@ private function groupArray($groupArray){
 					continue;// 没有权限;
 				}
 			}
-
-			// 没有子文件夹; 则获取是否有子部门;
-			// if( !$pathInfo['hasFolder'] && !$pathInfo['hasFile'] ){
-			if( !$pathInfo['hasFolder'] ){
-				$groupInfo = Model('Group')->getInfo($groupID);
-				$pathInfo['hasFolder']  = $groupInfo ? $groupInfo['hasChildren']:false;
-			}
 			$result[] = $pathInfo;
 		}
 		// pr($result,$groupSource,$group,$groupArray);exit;

app/controller/explorer/share.class.php

@@ -80,7 +80,7 @@ public function linkOut($path,$token=false){
 			$etag = substr(md5($info['modifyTime'].$info['size']),0,5);
 		}
 		$url = urlApi($apiKey,"path=".rawurlencode($path).'&et='.$etag.'&name=/'.$name);
-		if($token) $url .= '&accessToken='.Action('user.index')->accessToken();
+		if($token) $url .= '&safeToken='.Action('user.index')->safeToken();
 		return $url;
 	}
 
@@ -327,9 +327,8 @@ public function pathInfo(){
 	//输出文件
 	public function fileOut(){
 		$path = rawurldecode($this->in['path']);//允许中文空格等;
-		if(request_url_safe($path)) {
-			header('Location:' . $path);exit;
-		} 
+		if(request_url_safe($path)){header('Location:'.$path);exit;}
+
 		$path = $this->parsePath($path);
 		$isDownload = isset($this->in['download']) && $this->in['download'] == 1;
 		Hook::trigger('explorer.fileOut', $path);
@@ -349,6 +348,18 @@ public function fileDownload(){
 		$this->in['download'] = 1;
 		$this->fileOut();
 	}
+	public function fileOutBy(){
+		$add   = rawurldecode($this->in['add']);
+		$path  = rawurldecode($this->in['path']);
+		if(request_url_safe($path)){header('Location:'.$path);exit;}
+
+		$distPath = kodIO::pathTrue($path.'/../'.$add);
+		$this->in['path'] = rawurlencode($distPath);
+		if(isset($this->in['type']) && $this->in['type'] == 'getTruePath'){
+			show_json($distPath,true);
+		}
+		$this->fileOut();
+	}
 
 	private function call($action){
 		$this->in['path'] = $this->parsePath($this->in['path'],true);
@@ -384,7 +395,7 @@ public function fileGetHash(){
 		$url = $this->in['path'];
 		$urlInfo = parse_url_query($url);
 		if( !isset($urlInfo["explorer/share/unzipListHash"]) && 
-			!isset($urlInfo["accessToken"])){
+			!isset($urlInfo["safeToken"])){
 			show_json(LNG('common.pathNotExists'),false);
 		}
 		$index 	  = json_decode(rawurldecode($urlInfo['index']),true);

app/controller/explorer/tag.class.php

@@ -80,7 +80,7 @@ public function listSource($tags){
 		$result = Model("Source")->listUserTag($tags);
 		$tagInfo= $this->tagsInfo($tags);
 		$tagInfo['pathAddress'] = array(
-			array("name"=> LNG('common.tag'),"path"=>'{block:fileTag}/'),
+			array("name"=> LNG('explorer.userTag.title'),"path"=>'{block:fileTag}/'),
 			array("name"=> $tagInfo['name'],"path"=>$this->in['path']),
 		);
 		$tagInfo['pathDesc'] = LNG('explorer.tag.pathDesc');

app/controller/explorer/userShare.class.php

@@ -537,8 +537,7 @@ private function _getParam($key='shareID'){
 			if($options['shareLinkAllow'] == '0'){
 				show_json(LNG('admin.setting.shareLinkAllowTips'),false);
 			}
-			// 初始化不检测
-			if($data['shareID'] && $options['shareLinkPasswordAllowEmpty'] == '0' && !$data['password']){
+			if($options['shareLinkPasswordAllowEmpty'] == '0' && !$data['password']){
 				show_json(LNG('user.pwdNotNull'),false);
 			}
 			if($options['shareLinkAllowGuest'] == '0'){

app/controller/filter/fileOut.class.php

@@ -0,0 +1,89 @@
+<?php 
+/*
+* @link http://kodcloud.com/
+* @author warlee | e-mail:[email protected]
+* @copyright warlee 2014.(Shanghai)Co.,Ltd
+* @license http://kodcloud.com/tools/license/license.txt
+*/
+
+/**
+ * fileOut数据过滤; fileOutBy 相对路径处理:js-import; css-import.src处理;
+ */
+class filterFileOut extends Controller{
+	function __construct(){
+		parent::__construct();
+	}
+	// 自动绑定处理;
+	public function bind(){
+		$action = strtolower(ACTION);
+		$disableCookie = array(
+			'explorer.index.filedownload',
+			'explorer.index.fileout',
+			'explorer.index.fileoutby',
+			'explorer.share.filedownload',
+			'explorer.share.fileout',
+			'explorer.share.fileoutby',
+		);
+		if(in_array($action,$disableCookie)){Cookie::disable(true);allowCROS();}
+		Hook::bind('PathDriverBase.fileOut.before',array($this,'fileOut'));
+	}
+
+	public function fileOut($file,$fileSize,$filename,$ext){
+		if(!isset($this->in['replaceType']) || !$this->in['replaceType']){return;}
+		if(!$filename || $fileSize >= 10*1024*1024 || !in_array($ext,array('css','js')) ){return;}
+
+		$content = IO::getContent($file);
+		if($ext == 'css' && $this->in['replaceType'] == 'css-import'){$this->cssParse($content);}
+		if($ext == 'js'  && $this->in['replaceType'] == 'script-import'){$this->scriptParse($content);}
+		if($ext == 'js'  && $this->in['replaceType'] == 'script-wasm'){$this->scriptParseWasm($content);}
+	}
+
+	private function cssParse($content){
+		$self = $this;
+		$content = preg_replace_callback("/url\s*\(\s*['\"]*(.*?)['\"]*\s*\)/",function($matchs) use($self){
+			return 'url("'.$self->urlFilter($matchs[1]).'")';
+		},$content);
+		$content = preg_replace_callback("/@import\s+['\"](.*\.css)['\"]/u",function($matchs) use($self){
+			return '@import "'.$self->urlFilter($matchs[1]).'"';
+		},$content);
+		$this->output($content);
+	}
+	private function scriptParse($content){
+		$self = $this;
+		$content = preg_replace_callback("/self\.importScripts\s*\(\s*['\"]*(.*?)['\"]*\s*\)/",function($matchs) use($self){
+			return 'self.importScripts("'.$self->urlFilter($matchs[1]).'")';
+		},$content);
+		$content = preg_replace_callback("/\s+from\s+['\"](.*?\.js)['\"]/",function($matchs) use($self){
+			return ' from "'.$self->urlFilter($matchs[1]).'"';
+		},$content);
+		$content = preg_replace_callback("/import\s+['\"](.*?\.js)['\"]/",function($matchs) use($self){
+			return 'import "'.$self->urlFilter($matchs[1]).'"';
+		},$content);
+		$this->output($content);
+	}
+	private function scriptParseWasm($content){
+		$self = $this;
+		$content = preg_replace_callback("/=\s*\"([\w\.\-\_]+\.wasm)\"/",function($matchs) use($self){
+			return '="'.$self->urlFilter($matchs[1]).'"';
+		},$content);
+		$this->output($content);
+	}
+
+	private function urlFilter($url){
+		if(strpos($url,'?') > 0){$url = substr($url,0,strpos($url,'?'));}
+		if(strpos($url,'#') > 0){$url = substr($url,0,strpos($url,'#'));}
+
+		// 采用相对路径重新计算; 确保多个位置import 最后引用路径一致; 
+		// 路径有变化时js多个地方import同一个文件,但url路径不一致,时会导致重复执行;
+		$addNew = kodIO::pathTrue($this->in['add'].'/../'.$url);
+		$param  = '&safeToken='.$this->in['safeToken'].'&replaceType='.$this->in['replaceType'];
+		$url = APP_HOST.'?'.str_replace('.','/',ACTION);
+		return $url.$param.'&path='.rawurlencode($this->in['path']).'&add='.rawurlencode($addNew);
+	}
+	private function output($content){
+		header('HTTP/1.1 200 OK');
+		header('Content-Encoding: none');
+		header('Content-Length:'.strlen($content));
+		echo $content;exit;
+	}
+}

app/controller/filter/index.class.php

@@ -17,6 +17,10 @@ class filterIndex extends Controller{
 	function __construct() {
 		parent::__construct();
 	}
+
+	public function bindBefore(){
+		Action("filter.fileOut")->bind();
+	}
 	public function bind(){
 		Action("filter.userRequest")->bind();
 		Action("filter.userCheck")->bind();

app/controller/filter/post.class.php

@@ -49,7 +49,7 @@ public function check(){
 			'explorer.fileview'	=> 'index',
 			'explorer.history'	=> 'fileOut',
 			'explorer.index'	=> 'fileOut,fileDownload,fileOutBy,fileDownloadRemove',
-			'explorer.share'	=> 'file,fileOut,fileDownload,zipDownload,fileDownloadRemove',
+			'explorer.share'	=> 'fileOut,fileDownload,fileOutBy,zipDownload,fileDownloadRemove,file',
 			'admin.setting'		=> 'get,server',
 			'admin.repair'		=> '*',
 
@@ -102,7 +102,7 @@ public function check(){
 
 	// csrfToken检测; 允许UA为APP,PC客户端的情况;
 	private function checkCsrfToken(){
-		if(isset($_REQUEST['accessToken'])) return;
+		if(isset($_REQUEST['accessToken']) || isset($_REQUEST['safeToken'])) return;
 		if(!$this->in['CSRF_TOKEN'] || $this->in['CSRF_TOKEN'] != Cookie::get('CSRF_TOKEN')){
 			$className	= substr(ACTION,0,strrpos(ACTION,'.'));
 			if(!Action($className)){header('HTTP/1.1 404 Not Found');exit;}

app/controller/filter/userGroup.class.php

@@ -92,9 +92,9 @@ private function checkItem($actions){
 		if($allow){$allow = $this->userAuthEditCheck();$err=$allow?$err:1;}
 		if($allow && $check['user']){ $allow = $this->allowChangeUser($this->in[$check['user']]);$err=$allow?$err:2;}
 		if($allow && $check['userRole']){$allow = $this->allowChangeUserRole($this->in[$check['userRole']]);$err=$allow?$err:3;}
-		if($allow && $check['roleAuth']){$allow = $this->roleActionAllow($this->in[$check['roleAuth']]);$err=$allow?$err:4;}
+		if($allow && $check['roleAuth'] && isset($this->in['roleID'])){$allow = $this->roleActionAllow($this->in[$check['roleAuth']]);$err=$allow?$err:4;}
 		if($allow && $check['groupArray']){$allow = $this->allowChangeGroupArray($check);$err=$allow?$err:5;}
-		// pr($err,$allow,$check,$this->in,'GET:',$_REQUEST);exit;
+		// trace_log([$err,$allow,$check,$this->in,'GET:',$_REQUEST]);
 		if($allow) return true;
 		$this->checkError($check);
 	}
@@ -291,7 +291,7 @@ public function allowViewGroup($selfGroup,$groups,$returnAllow=false){
 
 	// 权限修改删除范围处理: 只能操作权限包含内容小于等于自己权限包含内容的类型;  设置用户权限也以此为标准;
 	public function allowChangeUserRole($roleID){
-		if(_get($GLOBALS,'isRoot')) return true;
+		if(_get($GLOBALS,'isRoot') || !$roleID) return true;
 		$authInfo = Model('SystemRole')->listData($roleID);
 		if($authInfo && $authInfo['administrator'] == 1) return false; // 系统管理员不允许非系统管理员获取,设置
 		if(!$this->config["ADMIN_ALLOW_ALL_ACTION"]){return true;} // 启用了三权分立,安全保密员允许获取,或设置用户的角色;