bludit/bl-kernel/ajax/profile-picture-upload.php

64 lines
2.0 KiB
PHP
Raw Normal View History

2018-07-30 23:43:12 +02:00
<?php defined('BLUDIT') or die('Bludit CMS.');
header('Content-Type: application/json');
2018-10-29 18:21:42 +01:00
// $_POST
// ----------------------------------------------------------------------------
// (string) $_POST['username']
$username = empty($_POST['username']) ? false : $_POST['username'];
// ----------------------------------------------------------------------------
if ($username===false) {
2019-01-31 20:07:59 +01:00
ajaxResponse(1, 'Error in username.');
2018-10-29 18:21:42 +01:00
}
if ( ($login->role()!='admin') && ($login->username()!=$username) ) {
ajaxResponse(1, 'Error in username.');
}
2018-07-30 23:43:12 +02:00
if (!isset($_FILES['profilePictureInputFile'])) {
2019-01-31 20:07:59 +01:00
ajaxResponse(1, 'Error trying to upload the profile picture.');
2018-07-30 23:43:12 +02:00
}
// Check path traversal
if (Text::stringContains($username, DS, false)) {
$message = 'Path traversal detected.';
2019-03-10 18:27:24 +01:00
Log::set($message, LOG_TYPE_ERROR);
ajaxResponse(1, $message);
}
// Check file extension
$fileExtension = Filesystem::extension($_FILES['profilePictureInputFile']['name']);
$fileExtension = Text::lowercase($fileExtension);
if (!in_array($fileExtension, $GLOBALS['ALLOWED_IMG_EXTENSION']) ) {
$message = $L->g('File type is not supported. Allowed types:').' '.implode(', ',$GLOBALS['ALLOWED_IMG_EXTENSION']);
2019-03-10 18:27:24 +01:00
Log::set($message, LOG_TYPE_ERROR);
ajaxResponse(1, $message);
}
2019-05-29 19:28:11 +02:00
// Tmp filename
$tmpFilename = $username.'.'.$fileExtension;
2019-06-06 19:26:35 +02:00
// Final filename
$filename = $username.'.png';
2018-07-30 23:43:12 +02:00
// Move from temporary directory to uploads folder
rename($_FILES['profilePictureInputFile']['tmp_name'], PATH_TMP.$tmpFilename);
// Resize and convert to png
$image = new Image();
$image->setImage(PATH_TMP.$tmpFilename, PROFILE_IMG_WIDTH, PROFILE_IMG_HEIGHT, 'crop');
$image->saveImage(PATH_UPLOADS_PROFILES.$filename, PROFILE_IMG_QUALITY, false, true);
// Delete temporary file
Filesystem::rmfile(PATH_TMP.$tmpFilename);
2018-07-30 23:43:12 +02:00
// Permissions
chmod(PATH_UPLOADS_PROFILES.$filename, 0644);
2019-01-31 20:07:59 +01:00
ajaxResponse(0, 'Image uploaded.', array(
2018-07-30 23:43:12 +02:00
'filename'=>$filename,
'absoluteURL'=>DOMAIN_UPLOADS_PROFILES.$filename,
'absolutePath'=>PATH_UPLOADS_PROFILES.$filename
2019-01-31 20:07:59 +01:00
));
2018-07-30 23:43:12 +02:00
?>