disallows some mime types for upload

claroline · Feb 1, 2023 · 00983e3 · 00983e3
1 parent 0d80277
commit 00983e3
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 2 deletions.
diff --git a/src/main/core/Controller/APINew/FileController.php b/src/main/core/Controller/APINew/FileController.php
@@ -14,6 +14,7 @@
 use Claroline\AppBundle\API\Crud;
 use Claroline\AppBundle\Controller\AbstractCrudController;
 use Claroline\CoreBundle\Entity\File\PublicFile;
+use Claroline\CoreBundle\Library\Configuration\PlatformConfigurationHandler;
 use Claroline\CoreBundle\Validator\Exception\InvalidDataException;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
@@ -26,6 +27,14 @@
  */
 class FileController extends AbstractCrudController
 {
+    /** @var PlatformConfigurationHandler */
+    private $config;
+
+    public function __construct(PlatformConfigurationHandler $config)
+    {
+        $this->config = $config;
+    }
+
     public function getClass(): string
     {
         return PublicFile::class;
@@ -50,6 +59,10 @@ public function uploadAction(Request $request): JsonResponse
 
         $objects = [];
         foreach ($files as $file) {
+            if (!empty($this->config->getParameter('file_blacklist')) && in_array($file->getMimeType(), $this->config->getParameter('file_blacklist'))) {
+                throw new InvalidDataException('Unauthorized file type.');
+            }
+
             $object = $this->crud->create(PublicFile::class, [], ['file' => $file, Crud::THROW_EXCEPTION]);
             $objects[] = $this->serializer->serialize($object);
         }

diff --git a/src/main/core/Installation/Migrations/pdo_mysql/Version20230129092146.php b/src/main/core/Installation/Migrations/pdo_mysql/Version20230129092146.php
@@ -21,8 +21,8 @@ public function up(Schema $schema): void
 
         // merge organization managers and organization members table
         $this->addSql('
-            INSERT INTO user_organization (user_id, organization_id, is_manager)
-                SELECT a.user_id, a.organization_id, 1 AS is_manager
+            INSERT INTO user_organization (user_id, organization_id, is_manager, is_main)
+                SELECT a.user_id, a.organization_id, 1 AS is_manager, 0 AS is_main
                 FROM claro_user_administrator AS a
                 WHERE NOT EXISTS (
                     SELECT uo.*

diff --git a/src/main/core/Resources/config/services/controller.yml b/src/main/core/Resources/config/services/controller.yml
@@ -130,6 +130,8 @@ services:
     Claroline\CoreBundle\Controller\APINew\FileController:
         parent: Claroline\AppBundle\Controller\AbstractCrudController
         public: true
+        arguments:
+            - '@Claroline\CoreBundle\Library\Configuration\PlatformConfigurationHandler'
 
     Claroline\CoreBundle\Controller\APINew\ObjectLockController:
         arguments: