fix api security issues and update pages issue
This commit is contained in:
@@ -387,7 +387,7 @@ class PrintRequestsPortalService
|
||||
public function storeTeacherUpload(array $data, UploadedFile $file, int $teacherId): PrintRequest
|
||||
{
|
||||
$this->ensureStorageDirectoryExists();
|
||||
$ext = $file->getClientOriginalExtension();
|
||||
$ext = $this->safeExtensionForUpload($file);
|
||||
$stored = Str::uuid()->toString().($ext !== '' ? '.'.$ext : '');
|
||||
$file->move($this->storageDirectory(), $stored);
|
||||
|
||||
@@ -432,7 +432,7 @@ class PrintRequestsPortalService
|
||||
}
|
||||
}
|
||||
}
|
||||
$ext = $newFile->getClientOriginalExtension();
|
||||
$ext = $this->safeExtensionForUpload($newFile);
|
||||
$stored = Str::uuid()->toString().($ext !== '' ? '.'.$ext : '');
|
||||
$newFile->move($this->storageDirectory(), $stored);
|
||||
$update['file_path'] = $stored;
|
||||
@@ -445,6 +445,29 @@ class PrintRequestsPortalService
|
||||
return $request->fresh();
|
||||
}
|
||||
|
||||
private function safeExtensionForUpload(UploadedFile $file): string
|
||||
{
|
||||
$allowed = [
|
||||
'application/pdf' => 'pdf',
|
||||
'image/jpeg' => 'jpg',
|
||||
'image/png' => 'png',
|
||||
'text/plain' => 'txt',
|
||||
'application/msword' => 'doc',
|
||||
'application/vnd.openxmlformats-officedocument.wordprocessingml.document' => 'docx',
|
||||
];
|
||||
|
||||
$mime = strtolower((string) $file->getMimeType());
|
||||
if (! isset($allowed[$mime])) {
|
||||
throw new \InvalidArgumentException('Unsupported upload type.');
|
||||
}
|
||||
|
||||
if ((int) $file->getSize() > 5 * 1024 * 1024) {
|
||||
throw new \InvalidArgumentException('Uploaded file too large. Max 5MB.');
|
||||
}
|
||||
|
||||
return $allowed[$mime];
|
||||
}
|
||||
|
||||
public function applyAdminStatus(PrintRequest $request, string $newStatus, int $adminUserId): PrintRequest
|
||||
{
|
||||
$current = (string) $request->status;
|
||||
|
||||
Reference in New Issue
Block a user