From e654a733b27f0435331dae44b31eff8ed152ebf6 Mon Sep 17 00:00:00 2001
From: Florian Pritz <bluewind@xinu.at>
Date: Sat, 14 Apr 2012 22:15:53 +0200
Subject: Allow to keep and reclaim uploads without being logged in

If a user keeps the browser open until his session expires and then
tries to upload something we now add it to the database, add the ID to
the new session and when someone logs in with that session the ID is
assigned. Until then even if you guess it correctly, you won't be able
to download it.

If the user still manages to let the 2nd session expire because he can't
find his password, the upload will be lost. Shit happens.

Signed-off-by: Florian Pritz <bluewind@xinu.at>
---
 application/controllers/file.php | 26 +++++++++++++++++++++-----
 application/models/file_mod.php  | 29 +++++++++++++++++++++++++++--
 application/models/muser.php     | 12 +++++++++++-
 3 files changed, 59 insertions(+), 8 deletions(-)

diff --git a/application/controllers/file.php b/application/controllers/file.php
index cb10e9e2f..152e6a011 100644
--- a/application/controllers/file.php
+++ b/application/controllers/file.php
@@ -210,8 +210,6 @@ class File extends CI_Controller {
 	// Handle pastes
 	function do_paste()
 	{
-		$this->muser->require_access();
-
 		$content = $this->input->post("content");
 		$filesize = strlen($content);
 		$filename = "stdin";
@@ -243,14 +241,12 @@ class File extends CI_Controller {
 		file_put_contents($file, $content);
 		chmod($file, 0600);
 		$this->file_mod->add_file($hash, $id, $filename);
-		$this->file_mod->show_url($id, $extension);
+		$this->file_mod->show_url($id, false);
 	}
 
 	// Handles uploaded files
 	function do_upload()
 	{
-		$this->muser->require_access();
-
 		$extension = $this->input->post('extension');
 		if(!isset($_FILES['file']) || $_FILES['file']['error'] !== 0) {
 			$this->output->set_status_header(400);
@@ -307,6 +303,26 @@ class File extends CI_Controller {
 		$this->file_mod->show_url($id, $extension);
 	}
 
+	function claim_id()
+	{
+		$this->muser->require_access();
+
+		$last_upload = $this->session->userdata("last_upload");
+		$id = $last_upload["id"];
+
+		$filedata = $this->file_mod->get_filedata($id);
+
+		if ($filedata["owner"] != 0) {
+			show_error("Someone already owns '$id', can't reassign.");
+		}
+
+		$this->file_mod->adopt($id);
+
+		$this->session->unset_userdata("last_upload");
+
+		$this->file_mod->show_url($id, $last_upload["mode"]);
+	}
+
 	/* Functions below this comment can only be run via the CLI
 	 * `php index.php file <function name>`
 	 */
diff --git a/application/models/file_mod.php b/application/models/file_mod.php
index 26d384fa9..e65529971 100644
--- a/application/models/file_mod.php
+++ b/application/models/file_mod.php
@@ -83,8 +83,6 @@ class File_mod extends CI_Model {
 	// TODO: Should only update not insert; see new_id()
 	function add_file($hash, $id, $filename)
 	{
-		$this->muser->require_access();
-
 		$userid = $this->muser->get_userid();
 
 		$mimetype = exec("perl ".FCPATH.'scripts/mimetype '.escapeshellarg($filename).' '.escapeshellarg($this->file($hash)));
@@ -95,10 +93,31 @@ class File_mod extends CI_Model {
 			array($hash, $id, $filename, $userid, time(), $mimetype, $filesize));
 	}
 
+	function adopt($id)
+	{
+		$userid = $this->muser->get_userid();
+
+		$this->db->query("
+			UPDATE files
+			SET user = ?
+			WHERE id = ?
+			", array($userid, $id));
+	}
+
 	function show_url($id, $mode)
 	{
 		$redirect = false;
 
+		if (!$this->muser->logged_in()) {
+			// keep the upload but require the user to login
+			$this->session->set_userdata("last_upload", array(
+				"id" => $id,
+				"mode" => $mode
+			));
+			$this->session->set_flashdata("uri", "file/claim_id");
+			$this->muser->require_access();
+		}
+
 		if ($mode) {
 			$this->data['url'] = site_url($id).'/'.$mode;
 		} else {
@@ -191,6 +210,12 @@ class File_mod extends CI_Model {
 			return;
 		}
 
+		// don't allow unowned files to be downloaded
+		if ($filedata["user"] == 0) {
+			$this->non_existent();
+			return;
+		}
+
 		// MODIFIED SINCE SUPPORT -- START
 		// helps to keep traffic low when reloading
 		$etag = strtolower($filedata["hash"]."-".$filedata["date"]);
diff --git a/application/models/muser.php b/application/models/muser.php
index 532fdeb1a..169182c46 100644
--- a/application/models/muser.php
+++ b/application/models/muser.php
@@ -47,11 +47,19 @@ class Muser extends CI_Model {
 
 	function get_username()
 	{
+		if (!$this->logged_in()) {
+			return "";
+		}
+
 		return $this->session->userdata('username');
 	}
 
 	function get_userid()
 	{
+		if (!$this->logged_in()) {
+			return 0;
+		}
+
 		$query = $this->db->query("
 			SELECT id
 			FROM users
@@ -69,7 +77,9 @@ class Muser extends CI_Model {
 				echo "FileBin requires you to have an account, please go to the homepage for more information.\n";
 				exit();
 			} else {
-				$this->session->set_flashdata("uri", $this->uri->uri_string());
+				if (!$this->session->userdata("flash:new:uri")) {
+					$this->session->set_flashdata("uri", $this->uri->uri_string());
+				}
 				redirect('user/login');
 			}
 		}
-- 
cgit v1.2.3-24-g4f1b