Merge pull request #4497 from Roardom/public-private

(Fix) Store user-uploaded files in private directories

Author: HDVinnie

app/Console/Commands/CleanTorrentFiles.php

@@ -20,6 +20,7 @@
 use App\Models\Torrent;
 use Exception;
 use Illuminate\Console\Command;
+use Illuminate\Support\Facades\Storage;
 use Throwable;
 
 class CleanTorrentFiles extends Command
@@ -47,13 +48,10 @@ final public function handle(): void
     {
         $this->alert('Torrent file cleaning started');
 
-        $directory = public_path('/files/torrents/');
-
-        Torrent::withoutGlobalScopes()->select('file_name')->orderBy('id')->chunk(100, function ($torrents) use ($directory): void {
+        Torrent::withoutGlobalScopes()->select('file_name')->orderBy('id')->chunk(100, function ($torrents): void {
             foreach ($torrents as $torrent) {
-                $filePath = $directory.$torrent->file_name;
-
-                if (file_exists($filePath)) {
+                if (Storage::disk('torrent-files')->exists($torrent->file_name)) {
+                    $filePath = Storage::disk('torrent-files')->path($torrent->file_name);
                     $dict = Bencode::bdecode_file($filePath);
 
                     // Whitelisted keys
@@ -63,7 +61,7 @@ final public function handle(): void
                         'info'       => '',
                     ]);
 
-                    file_put_contents($filePath, Bencode::bencode($dict));
+                    Storage::disk('torrent-files')->put($filePath, Bencode::bencode($dict));
                 }
             }
         });

app/Helpers/TorrentTools.php

@@ -17,6 +17,7 @@
 namespace App\Helpers;
 
 use Illuminate\Http\UploadedFile;
+use Illuminate\Support\Facades\Storage;
 use Illuminate\Support\Stringable;
 
 class TorrentTools
@@ -141,11 +142,12 @@ public static function getNfo(?UploadedFile $inputFile): bool|string|null
         }
 
         $fileName = uniqid('', true).'.nfo';
-        $inputFile->move(getcwd().'/files/tmp/', $fileName);
+        $path = Storage::disk('temporary-nfos')->path('');
+        $inputFile->move($path, $fileName);
 
-        if (file_exists(getcwd().'/files/tmp/'.$fileName)) {
-            $fileContent = file_get_contents(getcwd().'/files/tmp/'.$fileName);
-            unlink(getcwd().'/files/tmp/'.$fileName);
+        if (Storage::disk('temporary-nfos')->exists($fileName)) {
+            $fileContent = Storage::disk('temporary-nfos')->get($fileName);
+            Storage::disk('temporary-nfos')->delete($fileName);
         } else {
             $fileContent = null;
         }

app/Http/Controllers/AuthenticatedImageController.php

@@ -0,0 +1,96 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * NOTICE OF LICENSE.
+ *
+ * UNIT3D Community Edition is open-sourced software licensed under the GNU Affero General Public License v3.0
+ * The details is bundled with this project in the file LICENSE.txt.
+ *
+ * @project    UNIT3D Community Edition
+ *
+ * @author     Roardom <roardom@protonmail.com>
+ * @license    https://www.gnu.org/licenses/agpl-3.0.en.html/ GNU Affero General Public License v3.0
+ */
+
+namespace App\Http\Controllers;
+
+use App\Models\Article;
+use App\Models\Category;
+use App\Models\Playlist;
+use App\Models\Torrent;
+use App\Models\User;
+use Illuminate\Support\Facades\Storage;
+
+class AuthenticatedImageController extends Controller
+{
+    private const array HEADERS = [
+        'Cache-Control' => 'private, max-age=7200',
+    ];
+
+    public function articleImage(Article $article): \Symfony\Component\HttpFoundation\BinaryFileResponse
+    {
+        $path = $article->image === null
+            ? public_path('img/missing-image.png')
+            : Storage::disk('article-images')->path($article->image);
+
+        abort_unless(file_exists($path), 404);
+
+        return response()->file($path, self::HEADERS);
+    }
+
+    public function categoryImage(Category $category): \Symfony\Component\HttpFoundation\BinaryFileResponse
+    {
+        $path = Storage::disk('category-images')->path($category->image);
+
+        abort_unless(file_exists($path), 404);
+
+        return response()->file($path, self::HEADERS);
+    }
+
+    public function playlistImage(Playlist $playlist): \Symfony\Component\HttpFoundation\BinaryFileResponse
+    {
+        $path = Storage::disk('playlist-images')->path($playlist->cover_image);
+
+        abort_unless(file_exists($path), 404);
+
+        return response()->file($path, self::HEADERS);
+    }
+
+    public function torrentBanner(Torrent $torrent): \Symfony\Component\HttpFoundation\BinaryFileResponse
+    {
+        $path = Storage::disk('torrent-banners')->path("torrent-banner_{$torrent->id}");
+
+        abort_unless(file_exists($path), 404);
+
+        return response()->file($path, self::HEADERS);
+    }
+
+    public function torrentCover(Torrent $torrent): \Symfony\Component\HttpFoundation\BinaryFileResponse
+    {
+        $path = Storage::disk('torrent-covers')->path("torrent-cover_{$torrent->id}");
+
+        abort_unless(file_exists($path), 404);
+
+        return response()->file($path, self::HEADERS);
+    }
+
+    public function userAvatar(User $user): \Symfony\Component\HttpFoundation\BinaryFileResponse
+    {
+        $path = Storage::disk('user-avatars')->path($user->image);
+
+        abort_unless(file_exists($path), 404);
+
+        return response()->file($path, self::HEADERS);
+    }
+
+    public function userIcon(User $user): \Symfony\Component\HttpFoundation\BinaryFileResponse
+    {
+        $path = Storage::disk('user-icons')->path($user->icon);
+
+        abort_unless(file_exists($path), 404);
+
+        return response()->file($path, self::HEADERS);
+    }
+}

app/Http/Controllers/PlaylistController.php

@@ -26,6 +26,7 @@
 use Illuminate\Http\Request;
 use Intervention\Image\Facades\Image;
 use Exception;
+use Illuminate\Support\Facades\Storage;
 
 /**
  * @see \Tests\Todo\Feature\Http\Controllers\PlaylistControllerTest
@@ -69,7 +70,7 @@ public function store(StorePlaylistRequest $request): \Illuminate\Http\RedirectR
 
             $image = $request->file('cover_image');
             $filename = 'playlist-cover_'.uniqid('', true).'.'.$image->getClientOriginalExtension();
-            $path = public_path('/files/img/'.$filename);
+            $path = Storage::disk('playlist-images')->path($filename);
             Image::make($image->getRealPath())->fit(400, 225)->encode('png', 100)->save($path);
         }
 
@@ -153,7 +154,7 @@ public function update(UpdatePlaylistRequest $request, Playlist $playlist): \Ill
             abort_unless($image->getError() === UPLOAD_ERR_OK, 500);
 
             $filename = 'playlist-cover_'.uniqid('', true).'.'.$image->getClientOriginalExtension();
-            $path = public_path('/files/img/'.$filename);
+            $path = Storage::disk('playlist-images')->path($filename);
             Image::make($image->getRealPath())->fit(400, 225)->encode('png', 100)->save($path);
 
             $playlist->update(['cover_image' => $filename] + $request->validated());

app/Http/Controllers/PlaylistZipController.php

@@ -19,6 +19,7 @@
 use App\Helpers\Bencode;
 use App\Models\Playlist;
 use Illuminate\Support\Facades\File;
+use Illuminate\Support\Facades\Storage;
 use ZipArchive;
 
 /**
@@ -41,7 +42,7 @@ public function show(Playlist $playlist): \Illuminate\Http\RedirectResponse|\Sym
         $user = auth()->user();
 
         // Define Dir Folder
-        $path = getcwd().'/files/tmp_zip/';
+        $path = Storage::disk('temporary-zips')->path('');
 
         // Check Directory exists
         if (!File::isDirectory($path)) {
@@ -58,7 +59,7 @@ public function show(Playlist $playlist): \Illuminate\Http\RedirectResponse|\Sym
             $announceUrl = route('announce', ['passkey' => $user->passkey]);
 
             foreach ($playlist->torrents()->get() as $torrent) {
-                $dict = Bencode::bdecode(file_get_contents(getcwd().'/files/torrents/'.$torrent->file_name));
+                $dict = Bencode::bdecode(Storage::disk('torrent-files')->get($torrent->file_name));
 
                 // Set the announce key and add the user passkey
                 $dict['announce'] = $announceUrl;
@@ -80,8 +81,8 @@ public function show(Playlist $playlist): \Illuminate\Http\RedirectResponse|\Sym
             $zipArchive->close();
         }
 
-        if (file_exists($path.$zipFileName)) {
-            return response()->download($path.$zipFileName)->deleteFileAfterSend(true);
+        if (Storage::disk('temporary-zips')->exists($zipFileName)) {
+            return response()->download(Storage::disk('temporary-zips')->path($zipFileName))->deleteFileAfterSend(true);
         }
 
         return redirect()->back()->withErrors(trans('common.something-went-wrong'));

app/Http/Controllers/Staff/ArticleController.php

@@ -22,6 +22,7 @@
 use App\Models\Article;
 use Intervention\Image\Facades\Image;
 use Exception;
+use Illuminate\Support\Facades\Storage;
 
 /**
  * @see \Tests\Feature\Http\Controllers\ArticleControllerTest
@@ -60,7 +61,7 @@ public function store(StoreArticleRequest $request): \Illuminate\Http\RedirectRe
             abort_if(\is_array($image), 400);
 
             $filename = 'article-'.uniqid('', true).'.'.$image->getClientOriginalExtension();
-            $path = public_path('/files/img/'.$filename);
+            $path = Storage::disk('article-images')->path($filename);
             Image::make($image->getRealPath())->fit(75, 75)->encode('png', 100)->save($path);
         }
 
@@ -91,7 +92,7 @@ public function update(UpdateArticleRequest $request, Article $article): \Illumi
             abort_if(\is_array($image), 400);
 
             $filename = 'article-'.uniqid('', true).'.'.$image->getClientOriginalExtension();
-            $path = public_path('/files/img/'.$filename);
+            $path = Storage::disk('article-images')->path($filename);
             Image::make($image->getRealPath())->fit(75, 75)->encode('png', 100)->save($path);
         }
 

app/Http/Controllers/Staff/CategoryController.php

@@ -22,6 +22,7 @@
 use App\Models\Category;
 use Intervention\Image\Facades\Image;
 use Exception;
+use Illuminate\Support\Facades\Storage;
 
 /**
  * @see \Tests\Feature\Http\Controllers\CategoryControllerTest
@@ -57,7 +58,7 @@ public function store(StoreCategoryRequest $request): \Illuminate\Http\RedirectR
             abort_if(\is_array($image), 400);
 
             $filename = 'category-'.uniqid('', true).'.'.$image->getClientOriginalExtension();
-            $path = public_path('/files/img/'.$filename);
+            $path = Storage::disk('category-images')->path($filename);
             Image::make($image->getRealPath())->fit(50, 50)->encode('png', 100)->save($path);
         }
 
@@ -95,7 +96,7 @@ public function update(UpdateCategoryRequest $request, Category $category): \Ill
             abort_if(\is_array($image), 400);
 
             $filename = 'category-'.uniqid('', true).'.'.$image->getClientOriginalExtension();
-            $path = public_path('/files/img/'.$filename);
+            $path = Storage::disk('category-images')->path($filename);
             Image::make($image->getRealPath())->fit(50, 50)->encode('png', 100)->save($path);
         }
 

app/Http/Controllers/SubtitleController.php

@@ -97,7 +97,7 @@ public function store(StoreSubtitleRequest $request): \Illuminate\Http\RedirectR
         ] + $request->safe()->except('subtitle_file'));
 
         // Save Subtitle
-        Storage::disk('subtitles')->putFileAs('', $subtitleFile, $filename);
+        Storage::disk('subtitle-files')->putFileAs('', $subtitleFile, $filename);
 
         // Announce To Shoutbox
         if (!$subtitle->anon) {
@@ -165,8 +165,8 @@ public function destroy(Request $request, Subtitle $subtitle): \Illuminate\Http\
 
         abort_unless($user->group->is_modo || $user->id === $subtitle->user_id, 403);
 
-        if (Storage::disk('subtitles')->exists($subtitle->file_name)) {
-            Storage::disk('subtitles')->delete($subtitle->file_name);
+        if (Storage::disk('subtitle-files')->exists($subtitle->file_name)) {
+            Storage::disk('subtitle-files')->delete($subtitle->file_name);
         }
 
         $subtitle->delete();
@@ -194,8 +194,8 @@ public function download(Request $request, Subtitle $subtitle): \Illuminate\Http
         // Increment downloads count
         $subtitle->increment('downloads');
 
-        $headers = ['Content-Type: '.Storage::disk('subtitles')->mimeType($subtitle->file_name)];
+        $headers = ['Content-Type: '.Storage::disk('subtitle-files')->mimeType($subtitle->file_name)];
 
-        return Storage::disk('subtitles')->download($subtitle->file_name, $tempFilename, $headers);
+        return Storage::disk('subtitle-files')->download($subtitle->file_name, $tempFilename, $headers);
     }
 }

app/Http/Controllers/TicketAttachmentController.php

@@ -20,6 +20,7 @@
 use App\Models\Ticket;
 use App\Models\TicketAttachment;
 use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Storage;
 
 class TicketAttachmentController extends Controller
 {
@@ -30,7 +31,7 @@ final public function download(Request $request, Ticket $ticket, TicketAttachmen
     {
         abort_unless($request->user()->group->is_modo || $request->user()->id === $ticket->user_id, 403);
 
-        return response()->download(getcwd().'/files/attachments/attachments/'.$attachment->file_name)->deleteFileAfterSend(false);
+        return response()->download(Storage::disk('attachment-files')->path($attachment->file_name))->deleteFileAfterSend(false);
     }
 
     /**

app/Http/Controllers/TorrentController.php

@@ -47,6 +47,7 @@
 use MarcReichel\IGDBLaravel\Models\PlatformLogo;
 use Exception;
 use Illuminate\Support\Facades\Notification;
+use Illuminate\Support\Facades\Storage;
 use ReflectionException;
 use JsonException;
 
@@ -232,7 +233,7 @@ public function update(UpdateTorrentRequest $request, int $id): \Illuminate\Http
             abort_if(\is_array($image_cover), 400);
 
             $filename_cover = 'torrent-cover_'.$torrent->id.'.jpg';
-            $path_cover = public_path('/files/img/'.$filename_cover);
+            $path_cover = Storage::disk('torrent-covers')->path($filename_cover);
             Image::make($image_cover->getRealPath())->fit(400, 600)->encode('jpg', 90)->save($path_cover);
         }
 
@@ -243,7 +244,7 @@ public function update(UpdateTorrentRequest $request, int $id): \Illuminate\Http
             abort_if(\is_array($image_cover), 400);
 
             $filename_cover = 'torrent-banner_'.$torrent->id.'.jpg';
-            $path_cover = public_path('/files/img/'.$filename_cover);
+            $path_cover = Storage::disk('torrent-banners')->path($filename_cover);
             Image::make($image_cover->getRealPath())->fit(960, 540)->encode('jpg', 90)->save($path_cover);
         }
 
@@ -395,7 +396,7 @@ public function store(StoreTorrentRequest $request): \Illuminate\Http\RedirectRe
         $meta = Bencode::get_meta($decodedTorrent);
 
         $fileName = uniqid('', true).'.torrent'; // Generate a unique name
-        file_put_contents(getcwd().'/files/torrents/'.$fileName, Bencode::bencode($decodedTorrent));
+        Storage::disk('torrent-files')->put($fileName, Bencode::bencode($decodedTorrent));
 
         $torrent = Torrent::create([
             'mediainfo'    => TorrentTools::anonymizeMediainfo($request->filled('mediainfo') ? $request->string('mediainfo') : null),
@@ -435,7 +436,7 @@ public function store(StoreTorrentRequest $request): \Illuminate\Http\RedirectRe
             abort_if(\is_array($image_cover), 400);
 
             $filename_cover = 'torrent-cover_'.$torrent->id.'.jpg';
-            $path_cover = public_path('/files/img/'.$filename_cover);
+            $path_cover = Storage::disk('torrent-covers')->path($filename_cover);
             Image::make($image_cover->getRealPath())->fit(400, 600)->encode('jpg', 90)->save($path_cover);
         }
 
@@ -446,7 +447,7 @@ public function store(StoreTorrentRequest $request): \Illuminate\Http\RedirectRe
             abort_if(\is_array($image_cover), 400);
 
             $filename_cover = 'torrent-banner_'.$torrent->id.'.jpg';
-            $path_cover = public_path('/files/img/'.$filename_cover);
+            $path_cover = Storage::disk('torrent-banners')->path($filename_cover);
             Image::make($image_cover->getRealPath())->fit(960, 540)->encode('jpg', 90)->save($path_cover);
         }
 

app/Http/Controllers/TorrentDownloadController.php

@@ -22,6 +22,7 @@
 use App\Models\TorrentDownload;
 use App\Models\User;
 use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Storage;
 
 class TorrentDownloadController extends Controller
 {
@@ -68,7 +69,7 @@ public function store(Request $request, int $id, ?string $rsskey = null): \Illum
         }
 
         // The torrent file exist ?
-        if (!file_exists(getcwd().'/files/torrents/'.$torrent->file_name)) {
+        if (!Storage::disk('torrents')->exists($torrent->file_name)) {
             return to_route('torrents.show', ['id' => $torrent->id])
                 ->withErrors('Torrent File Not Found! Please Report This Torrent!');
         }
@@ -85,7 +86,7 @@ public function store(Request $request, int $id, ?string $rsskey = null): \Illum
 
         return response()->streamDownload(
             function () use ($id, $user, $torrent): void {
-                $dict = Bencode::bdecode(file_get_contents(getcwd().'/files/torrents/'.$torrent->file_name));
+                $dict = Bencode::bdecode(Storage::disk('torrents')->get($torrent->file_name));
 
                 // Set the announce key and add the user passkey
                 $dict['announce'] = route('announce', ['passkey' => $user->passkey]);