Require users to login to view attachments on private sites

Thank you jeff-themovie for this implementation!
This commit is contained in:
Craig Andrews 2010-01-05 17:47:37 -05:00
parent 7e01bb8d4f
commit 250bcfa8dc
6 changed files with 104 additions and 49 deletions

20
README
View File

@ -710,11 +710,21 @@ private site, but users of the private site may be able to subscribe
to users on a remote site. (Or not... it's not well tested.) The to users on a remote site. (Or not... it's not well tested.) The
"proper behaviour" hasn't been defined here, so handle with care. "proper behaviour" hasn't been defined here, so handle with care.
If fancy URLs is enabled, access to file attachments can also be Access to file attachments can also be restricted to logged-in users only.
restricted to logged-in users only. Uncomment the appropriate rewrite 1. Add a directory outside the web root where your file uploads will be
rule in .htaccess or your server's httpd.conf. (This most likely will stored. Usually a command like this will work:
not work if you are using a virtual server for attachments, so consider
the performance/security tradeoff.) mkdir /var/www/mublog-files
2. Make the file uploads directory writeable by the web server. An
insecure way to do this is:
chmod a+x /var/www/mublog-files
3. Tell StatusNet to use this directory for file uploads. Add a line
like this to your config.php:
$config['attachments']['dir'] = '/var/www/mublog-files';
Upgrading Upgrading
========= =========

View File

@ -1,13 +1,13 @@
<?php <?php
/** /**
* StatusNet, the distributed open-source microblogging tool * StatusNet - the distributed open-source microblogging tool
* Copyright (C) 2009, StatusNet, Inc.
* *
* Returns a given file attachment, allowing private sites to only allow * Return a requested file
* access to file attachments after login.
* *
* PHP version 5 * PHP version 5
* *
* LICENCE: This program is free software: you can redistribute it and/or modify * This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by * it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or * the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version. * (at your option) any later version.
@ -20,28 +20,32 @@
* You should have received a copy of the GNU Affero General Public License * You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>. * along with this program. If not, see <http://www.gnu.org/licenses/>.
* *
* @category Personal * @category PrivateAttachments
* @package StatusNet * @package StatusNet
* @author Jeffery To <jeffery.to@gmail.com> * @author Jeffery To <jeffery.to@gmail.com>
* @copyright 2008-2009 StatusNet, Inc. * @copyright 2009 StatusNet, Inc.
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0
* @link http://status.net/ * @link http://status.net/
*/ */
if (!defined('STATUSNET') && !defined('LACONICA')) { if (!defined('STATUSNET')) {
exit(1); exit(1);
} }
require_once 'MIME/Type.php'; require_once 'MIME/Type.php';
/** /**
* Action for getting a file attachment * An action for returning a requested file
* *
* @category Personal * The StatusNet system will do an implicit user check if the site is
* @package StatusNet * private before allowing this to continue
* @author Jeffery To <jeffery.to@gmail.com> *
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 * @category PrivateAttachments
* @link http://status.net/ * @package StatusNet
* @author Jeffery To <jeffery.to@gmail.com>
* @copyright 2009 StatusNet, Inc.
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0
* @link http://status.net/
*/ */
class GetfileAction extends Action class GetfileAction extends Action
@ -68,7 +72,7 @@ class GetfileAction extends Action
$path = null; $path = null;
if ($filename) { if ($filename) {
$path = common_config('attachments', 'dir') . $filename; $path = File::path($filename);
} }
if (empty($path) or !file_exists($path)) { if (empty($path) or !file_exists($path)) {
@ -103,6 +107,10 @@ class GetfileAction extends Action
function lastModified() function lastModified()
{ {
if (common_config('site', 'use_x_sendfile')) {
return null;
}
return filemtime($this->path); return filemtime($this->path);
} }
@ -114,8 +122,24 @@ class GetfileAction extends Action
* *
* @return string etag http header * @return string etag http header
*/ */
function etag() function etag()
{ {
if (common_config('site', 'use_x_sendfile')) {
return null;
}
$cache = common_memcache();
if($cache) {
$key = common_cache_key('attachments:etag:' . $this->path);
$etag = $cache->get($key);
if($etag === false) {
$etag = crc32(file_get_contents($this->path));
$cache->set($key,$etag);
}
return $etag;
}
$stat = stat($this->path); $stat = stat($this->path);
return '"' . $stat['ino'] . '-' . $stat['size'] . '-' . $stat['mtime'] . '"'; return '"' . $stat['ino'] . '-' . $stat['size'] . '-' . $stat['mtime'] . '"';
} }
@ -133,13 +157,19 @@ class GetfileAction extends Action
// undo headers set by PHP sessions // undo headers set by PHP sessions
$sec = session_cache_expire() * 60; $sec = session_cache_expire() * 60;
header('Expires: ' . date(DATE_RFC1123, time() + $sec)); header('Expires: ' . date(DATE_RFC1123, time() + $sec));
header('Cache-Control: public, max-age=' . $sec); header('Cache-Control: max-age=' . $sec);
header('Pragma: public');
parent::handle($args); parent::handle($args);
$path = $this->path; $path = $this->path;
header('Content-Type: ' . MIME_Type::autoDetect($path)); header('Content-Type: ' . MIME_Type::autoDetect($path));
readfile($path);
if (common_config('site', 'use_x_sendfile')) {
header('X-Sendfile: ' . $path);
} else {
header('Content-Length: ' . filesize($path));
readfile($path);
}
} }
} }

View File

@ -182,25 +182,32 @@ class File extends Memcached_DataObject
static function url($filename) static function url($filename)
{ {
$path = common_config('attachments', 'path'); if(common_config('site','private')) {
if ($path[strlen($path)-1] != '/') { return common_local_url('getfile',
$path .= '/'; array('filename' => $filename));
} else {
$path = common_config('attachments', 'path');
if ($path[strlen($path)-1] != '/') {
$path .= '/';
}
if ($path[0] != '/') {
$path = '/'.$path;
}
$server = common_config('attachments', 'server');
if (empty($server)) {
$server = common_config('site', 'server');
}
// XXX: protocol
return 'http://'.$server.$path.$filename;
} }
if ($path[0] != '/') {
$path = '/'.$path;
}
$server = common_config('attachments', 'server');
if (empty($server)) {
$server = common_config('site', 'server');
}
// XXX: protocol
return 'http://'.$server.$path.$filename;
} }
function getEnclosure(){ function getEnclosure(){

View File

@ -41,6 +41,20 @@ $config['site']['path'] = 'statusnet';
// Make the site invisible to non-logged-in users // Make the site invisible to non-logged-in users
// $config['site']['private'] = true; // $config['site']['private'] = true;
// If your web server supports X-Sendfile (Apache with mod_xsendfile,
// lighttpd, nginx), you can enable X-Sendfile support for better
// performance. Presently, only attachment serving when the site is
// in private mode will use X-Sendfile.
// $config['site']['X-Sendfile'] = false;
// You may also need to enable X-Sendfile support for your web server and
// allow it to access files outside of the web root. For Apache with
// mod_xsendfile, you can add these to your .htaccess or server config:
//
// XSendFile on
// XSendFileAllowAbove on
//
// See http://tn123.ath.cx/mod_xsendfile/ for mod_xsendfile.
// If you want logging sent to a file instead of syslog // If you want logging sent to a file instead of syslog
// $config['site']['logfile'] = '/tmp/statusnet.log'; // $config['site']['logfile'] = '/tmp/statusnet.log';
@ -265,6 +279,7 @@ $config['sphinx']['port'] = 3312;
// $config['attachments']['user_quota'] = 50000000; // $config['attachments']['user_quota'] = 50000000;
// $config['attachments']['monthly_quota'] = 15000000; // $config['attachments']['monthly_quota'] = 15000000;
// $config['attachments']['uploads'] = true; // $config['attachments']['uploads'] = true;
// $config['attachments']['path'] = "/file/"; // $config['attachments']['path'] = "/file/"; //ignored if site is private
// $config['attachments']['dir'] = INSTALLDIR . '/file/';
// $config['oohembed']['endpoint'] = 'http://oohembed.com/oohembed/'; // $config['oohembed']['endpoint'] = 'http://oohembed.com/oohembed/';

View File

@ -5,14 +5,6 @@
RewriteBase /mublog/ RewriteBase /mublog/
# If your site is private and want to only allow logged-in users to
# be able to download file attachments, uncomment this rule.
#
# If you have a custom attachment path
# ($config['attachments']['path']), change "file/" to match.
#
#RewriteRule ^file/(.*) getfile/$1
RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) index.php?p=$1 [L,QSA] RewriteRule (.*) index.php?p=$1 [L,QSA]

View File

@ -54,6 +54,7 @@ $default =
'dupelimit' => 60, # default for same person saying the same thing 'dupelimit' => 60, # default for same person saying the same thing
'textlimit' => 140, 'textlimit' => 140,
'indent' => true, 'indent' => true,
'use_x_sendfile' => false,
), ),
'db' => 'db' =>
array('database' => 'YOU HAVE TO SET THIS IN config.php', array('database' => 'YOU HAVE TO SET THIS IN config.php',