Sanitize POST and GET in ajax/share
This commit is contained in:
parent
3134a962d9
commit
c0e1b8e7e7
|
@ -21,36 +21,60 @@
|
|||
require_once '../../lib/base.php';
|
||||
|
||||
OC_JSON::checkLoggedIn();
|
||||
if (isset($_POST['action'])) {
|
||||
if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['item'])) {
|
||||
$itemType = OCP\Util::sanitizeHTML($_POST['itemType']);
|
||||
$item = OCP\Util::sanitizeHTML($_POST['item']);
|
||||
switch ($_POST['action']) {
|
||||
case 'share':
|
||||
$return = OCP\Share::share($_POST['itemType'], $_POST['item'], $_POST['shareType'], $_POST['shareWith'], $_POST['permissions']);
|
||||
// TODO May need to return private link
|
||||
($return) ? OC_JSON::success() : OC_JSON::error();
|
||||
error_log($_POST['item']);
|
||||
if (isset($_POST['shareType']) && isset($_POST['shareWith']) && isset($_POST['permissions'])) {
|
||||
$shareType = OCP\Util::sanitizeHTML($_POST['shareType']);
|
||||
$shareWith = OCP\Util::sanitizeHTML($_POST['shareWith']);
|
||||
$permissions = OCP\Util::sanitizeHTML($_POST['permissions']);
|
||||
$return = OCP\Share::share($itemType, $item, $shareType, $shareWith, $permissions);
|
||||
// TODO May need to return private link
|
||||
($return) ? OC_JSON::success() : OC_JSON::error();
|
||||
}
|
||||
break;
|
||||
case 'unshare':
|
||||
$return = OCP\Share::unshare($_POST['itemType'], $_POST['item'], $_POST['shareType'], $_POST['shareWith']);
|
||||
($return) ? OC_JSON::success() : OC_JSON::error();
|
||||
if (isset($_POST['shareType']) && isset($_POST['shareWith'])) {
|
||||
$shareType = OCP\Util::sanitizeHTML($_POST['shareType']);
|
||||
$shareWith = OCP\Util::sanitizeHTML($_POST['shareWith']);
|
||||
$return = OCP\Share::unshare($itemType, $item, $shareType, $shareWith);
|
||||
($return) ? OC_JSON::success() : OC_JSON::error();
|
||||
}
|
||||
break;
|
||||
case 'setTarget':
|
||||
$return = OCP\Share::setTarget($_POST['itemType'], $_POST['item'], $_POST['newTarget']);
|
||||
($return) ? OC_JSON::success() : OC_JSON::error();
|
||||
if (isset($_POST['newTarget'])) {
|
||||
$newTarget = OCP\Util::sanitizeHTML($_POST['newTarget']);
|
||||
$return = OCP\Share::setTarget($itemType, $item, $newTarget);
|
||||
($return) ? OC_JSON::success() : OC_JSON::error();
|
||||
}
|
||||
break;
|
||||
case 'setPermissions':
|
||||
$return = OCP\Share::setPermissions($_POST['itemType'], $_POST['item'], $_POST['shareType'], $_POST['shareWith'], $_POST['permissions']);
|
||||
($return) ? OC_JSON::success() : OC_JSON::error();
|
||||
if (isset($_POST['shareType']) && isset($_POST['shareWith']) && isset($_POST['permissions'])) {
|
||||
$shareType = OCP\Util::sanitizeHTML($_POST['shareType']);
|
||||
$shareWith = OCP\Util::sanitizeHTML($_POST['shareWith']);
|
||||
$permissions = OCP\Util::sanitizeHTML($_POST['permissions']);
|
||||
$return = OCP\Share::setPermissions($itemType, $item, $shareType, $shareWith, $permissions);
|
||||
($return) ? OC_JSON::success() : OC_JSON::error();
|
||||
}
|
||||
break;
|
||||
}
|
||||
} else if (isset($_GET['fetch'])) {
|
||||
} else if (isset($_GET['fetch']) && isset($_GET['itemType'])) {
|
||||
$itemType = OCP\Util::sanitizeHTML($_GET['itemType']);
|
||||
switch ($_GET['fetch']) {
|
||||
case 'getItemsSharedStatuses':
|
||||
$return = OCP\Share::getItemsShared($_GET['itemType'], OCP\Share::FORMAT_STATUSES);
|
||||
$return = OCP\Share::getItemsShared($itemType, OCP\Share::FORMAT_STATUSES);
|
||||
($return) ? OC_JSON::success(array('data' => $return)) : OC_JSON::error();
|
||||
break;
|
||||
case 'getItem':
|
||||
// TODO Check if the item was shared to the current user
|
||||
$return = OCP\Share::getItemShared($_GET['itemType'], $_GET['item']);
|
||||
($return) ? OC_JSON::success(array('data' => $return)) : OC_JSON::error();
|
||||
if (isset($_GET['item'])) {
|
||||
$item = OCP\Util::sanitizeHTML($_GET['item']);
|
||||
$return = OCP\Share::getItemShared($itemType, $item);
|
||||
($return) ? OC_JSON::success(array('data' => $return)) : OC_JSON::error();
|
||||
}
|
||||
break;
|
||||
case 'getShareWith':
|
||||
// TODO Autocomplete for all users, groups, etc.
|
||||
|
|
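Review bot: Running every POST/GET parameter through `OCP\Util::sanitizeHTML` before handing it to `OCP\Share` applies HTML output-encoding at the wrong layer: these values are item identifiers, user/group names and a numeric permission mask used for storage and lookup, so a filename or share target containing `&`, `'`, `"` or `<` will presumably be recorded and looked up under its entity-encoded form rather than the real name (the Share backend is not visible here, so confirm), while the JSON responses from `OC_JSON::success()` need no HTML escaping at all. The robust form is validation by expected type, e.g. `$permissions = (int)$_POST['permissions'];` and `$shareType = (int)$_POST['shareType'];`, with string identifiers passed through unchanged and escaped only where they are rendered into HTML. None of the state-changing `share`/`unshare`/`setTarget`/`setPermissions` actions carries a CSRF/request-token check after `OC_JSON::checkLoggedIn();`; if the framework's token check (e.g. `OC_JSON::callCheck();`) is available it belongs on the POST path. When one of the new inner `isset(...)` guards fails, or the action/fetch value matches no `case`, the script now emits no response at all instead of `OC_JSON::error()`, leaving the AJAX caller with an empty 200; an `else { OC_JSON::error(); }` on each guard and a `default:` in both switches would close that gap. The `// TODO Check if the item was shared to the current user` on the `getItem` branch is still open, so sanitizing `$item` does not replace the missing authorization check there.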