mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Sanitize POST and GET in ajax/share

This commit is contained in:
Michael Gapczynski 2012-07-10 19:54:03 -04:00
parent 3134a962d9
commit c0e1b8e7e7
1 changed files with 38 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
core/ajax/share.php
View File

@ -21,36 +21,60 @@
require_once '../../lib/base.php';
OC_JSON::checkLoggedIn();
if (isset($_POST['action'])) {
if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['item'])) {
$itemType = OCP\Util::sanitizeHTML($_POST['itemType']);
$item = OCP\Util::sanitizeHTML($_POST['item']);
switch ($_POST['action']) {
case 'share':
$return = OCP\Share::share($_POST['itemType'], $_POST['item'], $_POST['shareType'], $_POST['shareWith'], $_POST['permissions']);
// TODO May need to return private link
($return) ? OC_JSON::success() : OC_JSON::error();
error_log($_POST['item']);
if (isset($_POST['shareType']) && isset($_POST['shareWith']) && isset($_POST['permissions'])) {
$shareType = OCP\Util::sanitizeHTML($_POST['shareType']);
$shareWith = OCP\Util::sanitizeHTML($_POST['shareWith']);
$permissions = OCP\Util::sanitizeHTML($_POST['permissions']);
$return = OCP\Share::share($itemType, $item, $shareType, $shareWith, $permissions);
// TODO May need to return private link
($return) ? OC_JSON::success() : OC_JSON::error();
}
break;
case 'unshare':
$return = OCP\Share::unshare($_POST['itemType'], $_POST['item'], $_POST['shareType'], $_POST['shareWith']);
($return) ? OC_JSON::success() : OC_JSON::error();
if (isset($_POST['shareType']) && isset($_POST['shareWith'])) {
$shareType = OCP\Util::sanitizeHTML($_POST['shareType']);
$shareWith = OCP\Util::sanitizeHTML($_POST['shareWith']);
$return = OCP\Share::unshare($itemType, $item, $shareType, $shareWith);
($return) ? OC_JSON::success() : OC_JSON::error();
}
break;
case 'setTarget':
$return = OCP\Share::setTarget($_POST['itemType'], $_POST['item'], $_POST['newTarget']);
($return) ? OC_JSON::success() : OC_JSON::error();
if (isset($_POST['newTarget'])) {
$newTarget = OCP\Util::sanitizeHTML($_POST['newTarget']);
$return = OCP\Share::setTarget($itemType, $item, $newTarget);
($return) ? OC_JSON::success() : OC_JSON::error();
}
break;
case 'setPermissions':
$return = OCP\Share::setPermissions($_POST['itemType'], $_POST['item'], $_POST['shareType'], $_POST['shareWith'], $_POST['permissions']);
($return) ? OC_JSON::success() : OC_JSON::error();
if (isset($_POST['shareType']) && isset($_POST['shareWith']) && isset($_POST['permissions'])) {
$shareType = OCP\Util::sanitizeHTML($_POST['shareType']);
$shareWith = OCP\Util::sanitizeHTML($_POST['shareWith']);
$permissions = OCP\Util::sanitizeHTML($_POST['permissions']);
$return = OCP\Share::setPermissions($itemType, $item, $shareType, $shareWith, $permissions);
($return) ? OC_JSON::success() : OC_JSON::error();
}
break;
}
} else if (isset($_GET['fetch'])) {
} else if (isset($_GET['fetch']) && isset($_GET['itemType'])) {
$itemType = OCP\Util::sanitizeHTML($_GET['itemType']);
switch ($_GET['fetch']) {
case 'getItemsSharedStatuses':
$return = OCP\Share::getItemsShared($_GET['itemType'], OCP\Share::FORMAT_STATUSES);
$return = OCP\Share::getItemsShared($itemType, OCP\Share::FORMAT_STATUSES);
($return) ? OC_JSON::success(array('data' => $return)) : OC_JSON::error();
break;
case 'getItem':
// TODO Check if the item was shared to the current user
$return = OCP\Share::getItemShared($_GET['itemType'], $_GET['item']);
($return) ? OC_JSON::success(array('data' => $return)) : OC_JSON::error();
if (isset($_GET['item'])) {
$item = OCP\Util::sanitizeHTML($_GET['item']);
$return = OCP\Share::getItemShared($itemType, $item);
($return) ? OC_JSON::success(array('data' => $return)) : OC_JSON::error();
}
break;
case 'getShareWith':
// TODO Autocomplete for all users, groups, etc.