From 73aa01e8e082b9ed1afa3e05f10bac1c835d7380 Mon Sep 17 00:00:00 2001
From: Daniel Supernault
Date: Mon, 3 Apr 2023 18:51:20 -0600
Subject: [PATCH 1/2] Update ApiV1Controller, filter mute/blocks on statuses/context and statuses/replies endpoints
---
 app/Http/Controllers/Api/ApiV1Controller.php | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/app/Http/Controllers/Api/ApiV1Controller.php b/app/Http/Controllers/Api/ApiV1Controller.php
index 9b79ab868..ed6cbef17 100644
--- a/app/Http/Controllers/Api/ApiV1Controller.php
+++ b/app/Http/Controllers/Api/ApiV1Controller.php
@@ -2501,6 +2501,8 @@ class ApiV1Controller extends Controller
 }
 
 if($status['replies_count']) {
+ $filters = UserFilterService::filters($pid);
+
 $descendants = DB::table('statuses')
 ->where('in_reply_to_id', $id)
 ->limit(20)
@@ -2508,8 +2510,8 @@ class ApiV1Controller extends Controller
 ->map(function($sid) {
 return StatusService::getMastodon($sid, false);
 })
- ->filter(function($post) {
- return $post && isset($post['account']);
+ ->filter(function($post) use($filters) {
+ return $post && isset($post['account'], $post['account']['id']) && !in_array($post['account']['id'], $filters);
 })
 ->map(function($status) use($pid) {
 $status['favourited'] = LikeService::liked($pid, $status['id']);
@@ -3358,7 +3360,11 @@ class ApiV1Controller extends Controller
 ->cursorPaginate($limit);
 }
 
- $data = $ids->map(function($post) use($pid) {
+ $filters = UserFilterService::filters($pid);
+ $data = $ids->filter(function($post) use($filters) {
+ return !in_array($post->profile_id, $filters);
+ })
+ ->map(function($post) use($pid) {
 $status = StatusService::get($post->id, false);
 
 if(!$status || !isset($status['id'])) {
From 22da2647c7f28f7e1d6a588f4549c3326aee9356 Mon Sep 17 00:00:00 2001
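Review bot: The mute/block exclusion is applied in PHP after `->limit(20)`, so replies from filtered accounts still occupy the 20 slots and the caller can get fewer than 20 (possibly zero) descendants with no way to fetch the rest. `$filters` is now computed right before the query, so the exclusion belongs in SQL: add `->whereNotIn('profile_id', $filters)` beside the `->where('in_reply_to_id', $id)` line (the builder accepts an empty array there). That also removes the reliance on a loose `in_array` between the serialized `account.id` and whatever type `UserFilterService::filters()` returns, which is not visible here; the closure check in the next hunk can stay as a secondary guard. The rest of the `$descendants` pipeline continues outside this hunk.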
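Review bot: Filtering `$ids` after `->cursorPaginate($limit)` drops muted/blocked authors from a page that has already been sized, so a page can come back short or empty while the cursor still advances, and a client that treats an empty page as the end will stop early. Because `$filters` depends only on `$pid`, compute it before the query and exclude in SQL with `->whereNotIn('profile_id', $filters)` ahead of `->cursorPaginate($limit)`; the builder that produces `$ids`, and its other branch, sit above this hunk and both would need it. If the in-PHP check is kept, `in_array($post->profile_id, $filters)` is a loose comparison between a DB column and a service result whose types are not visible here — cast both to the same type and pass `true` so the match does not depend on PHP's coercion rules. The enclosing method continues past the end of this hunk.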
From: Daniel Supernault
Date: Mon, 3 Apr 2023 19:15:20 -0600
Subject: [PATCH 2/2] Update filesystems, store all files as public by default and add default permissions. Fixes #4273, #4275. Closes #3825
---
 app/Http/Controllers/AdminController.php | 2 +-
 app/Http/Controllers/Api/ApiV1Controller.php | 6 +++---
 app/Http/Controllers/Api/BaseApiController.php | 2 +-
 app/Http/Controllers/AvatarController.php | 2 +-
 app/Http/Controllers/ComposeController.php | 4 ++--
 app/Http/Controllers/DirectMessageController.php | 2 +-
 app/Http/Controllers/Import/Instagram.php | 4 ++--
 app/Http/Controllers/Stories/StoryApiV1Controller.php | 2 +-
 app/Http/Controllers/StoryComposeController.php | 2 +-
 config/filesystems.php | 10 ++++++++++
 10 files changed, 23 insertions(+), 13 deletions(-)
diff --git a/app/Http/Controllers/AdminController.php b/app/Http/Controllers/AdminController.php
index 308290459..4cc8688c5 100644
--- a/app/Http/Controllers/AdminController.php
+++ b/app/Http/Controllers/AdminController.php
@@ -532,7 +532,7 @@ class AdminController extends Controller
 $emoji->save();
 $fileName = $emoji->id . '.' . $request->emoji->extension();
- $request->emoji->storeAs('public/emoji', $fileName);
+ $request->emoji->storePubliclyAs('public/emoji', $fileName);
 $emoji->media_path = 'emoji/' . $fileName;
 $emoji->save();
 Cache::forget('pf:custom_emoji');
diff --git a/app/Http/Controllers/Api/ApiV1Controller.php b/app/Http/Controllers/Api/ApiV1Controller.php
index ed6cbef17..f31869755 100644
--- a/app/Http/Controllers/Api/ApiV1Controller.php
+++ b/app/Http/Controllers/Api/ApiV1Controller.php
@@ -260,7 +260,7 @@ class ApiV1Controller extends Controller
 $file = $request->file('avatar');
 $path = "public/avatars/{$profile->id}";
 $name = strtolower(str_random(6)). '.' . $file->guessExtension();
- $request->file('avatar')->storeAs($path, $name);
+ $request->file('avatar')->storePubliclyAs($path, $name);
 $av->media_path = "{$path}/{$name}";
 $av->save();
 Cache::forget("avatar:{$profile->id}");
@@ -1610,7 +1610,7 @@ class ApiV1Controller extends Controller
 }
 
 $storagePath = MediaPathService::get($user, 2);
- $path = $photo->store($storagePath);
+ $path = $photo->storePublicly($storagePath);
 $hash = \hash_file('sha256', $photo);
 $license = null;
 $mime = $photo->getMimeType();
@@ -1815,7 +1815,7 @@ class ApiV1Controller extends Controller
 }
 
 $storagePath = MediaPathService::get($user, 2);
- $path = $photo->store($storagePath);
+ $path = $photo->storePublicly($storagePath);
 $hash = \hash_file('sha256', $photo);
 $license = null;
 $mime = $photo->getMimeType();
diff --git a/app/Http/Controllers/Api/BaseApiController.php b/app/Http/Controllers/Api/BaseApiController.php
index 83828a9f3..2e1fb5678 100644
--- a/app/Http/Controllers/Api/BaseApiController.php
+++ b/app/Http/Controllers/Api/BaseApiController.php
@@ -112,7 +112,7 @@ class BaseApiController extends Controller
 $name = $path['name'];
 $public = $path['storage'];
 $currentAvatar = storage_path('app/'.$profile->avatar->media_path);
- $loc = $request->file('upload')->storeAs($public, $name);
+ $loc = $request->file('upload')->storePubliclyAs($public, $name);
 $avatar = Avatar::whereProfileId($profile->id)->firstOrFail();
 $opath = $avatar->media_path;
diff --git a/app/Http/Controllers/AvatarController.php b/app/Http/Controllers/AvatarController.php
index ea5f84783..6ee8b610f 100644
--- a/app/Http/Controllers/AvatarController.php
+++ b/app/Http/Controllers/AvatarController.php
@@ -30,7 +30,7 @@ class AvatarController extends Controller
 $dir = $path['root'];
 $name = $path['name'];
 $public = $path['storage'];
- $loc = $request->file('avatar')->storeAs($public, $name);
+ $loc = $request->file('avatar')->storePubliclyAs($public, $name);
 $avatar = Avatar::firstOrNew(['profile_id' => $profile->id]);
 $currentAvatar = $avatar->recentlyCreated ? null : storage_path('app/'.$profile->avatar->media_path);
diff --git a/app/Http/Controllers/ComposeController.php b/app/Http/Controllers/ComposeController.php
index e817c6652..441223679 100644
--- a/app/Http/Controllers/ComposeController.php
+++ b/app/Http/Controllers/ComposeController.php
@@ -123,7 +123,7 @@ class ComposeController extends Controller
 abort_if(in_array($photo->getMimeType(), $mimes) == false, 400, 'Invalid media format');
 $storagePath = MediaPathService::get($user, 2);
- $path = $photo->store($storagePath);
+ $path = $photo->storePublicly($storagePath);
 $hash = \hash_file('sha256', $photo);
 $mime = $photo->getMimeType();
@@ -209,7 +209,7 @@ class ComposeController extends Controller
 $name = last($fragments);
 array_pop($fragments);
 $dir = implode('/', $fragments);
- $path = $photo->storeAs($dir, $name);
+ $path = $photo->storePubliclyAs($dir, $name);
 $res = [
 'url' => $media->url() . '?v=' . time()
 ];
diff --git a/app/Http/Controllers/DirectMessageController.php b/app/Http/Controllers/DirectMessageController.php
index 8c367e726..5346be845 100644
--- a/app/Http/Controllers/DirectMessageController.php
+++ b/app/Http/Controllers/DirectMessageController.php
@@ -602,7 +602,7 @@ class DirectMessageController extends Controller
 }
 
 $storagePath = MediaPathService::get($user, 2) . Str::random(8);
- $path = $photo->store($storagePath);
+ $path = $photo->storePublicly($storagePath);
 $hash = \hash_file('sha256', $photo);
 abort_if(MediaBlocklistService::exists($hash) == true, 451);
diff --git a/app/Http/Controllers/Import/Instagram.php b/app/Http/Controllers/Import/Instagram.php
index 39d1d4d2e..95d290f61 100644
--- a/app/Http/Controllers/Import/Instagram.php
+++ b/app/Http/Controllers/Import/Instagram.php
@@ -93,7 +93,7 @@ trait Instagram
 continue;
 }
 $storagePath = "import/{$job->uuid}";
- $path = $v->store($storagePath);
+ $path = $v->storePublicly($storagePath);
 DB::transaction(function() use ($profile, $job, $path, $original) {
 $data = new ImportData;
 $data->profile_id = $profile->id;
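Review bot: `storePublicly()` requests public visibility from the default disk, and what that means is driver-specific: on the local disk it is only the 0644 file mode, but on an S3-compatible disk it becomes a public-read object ACL, and this path holds direct-message attachments that are private by design. Whether `filesystems.default` can ever be a cloud disk in a deployment is not visible from this hunk; if it can, pin these writes to local storage, e.g. `$path = $photo->storePublicly($storagePath, ['disk' => 'local']);`, so the permission fix cannot turn into a public ACL. The enclosing method starts and ends outside this hunk.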
@@ -141,7 +141,7 @@ trait Instagram
 return abort(500);
 }
 $storagePath = "import/{$job->uuid}";
- $path = $media->store($storagePath);
+ $path = $media->storePublicly($storagePath);
 $job->media_json = $path;
 $job->stage = 3;
 $job->save();
diff --git a/app/Http/Controllers/Stories/StoryApiV1Controller.php b/app/Http/Controllers/Stories/StoryApiV1Controller.php
index 20dbf247d..16d1805b9 100644
--- a/app/Http/Controllers/Stories/StoryApiV1Controller.php
+++ b/app/Http/Controllers/Stories/StoryApiV1Controller.php
@@ -354,7 +354,7 @@ class StoryApiV1Controller extends Controller
 }
 
 $storagePath = MediaPathService::story($user->profile);
- $path = $photo->storeAs($storagePath, Str::random(random_int(2, 12)) . '_' . Str::random(random_int(32, 35)) . '_' . Str::random(random_int(1, 14)) . '.' . $photo->extension());
+ $path = $photo->storePubliclyAs($storagePath, Str::random(random_int(2, 12)) . '_' . Str::random(random_int(32, 35)) . '_' . Str::random(random_int(1, 14)) . '.' . $photo->extension());
 return $path;
 }
 }
diff --git a/app/Http/Controllers/StoryComposeController.php b/app/Http/Controllers/StoryComposeController.php
index 93486a488..f913d859f 100644
--- a/app/Http/Controllers/StoryComposeController.php
+++ b/app/Http/Controllers/StoryComposeController.php
@@ -111,7 +111,7 @@ class StoryComposeController extends Controller
 }
 
 $storagePath = MediaPathService::story($user->profile);
- $path = $photo->storeAs($storagePath, Str::random(random_int(2, 12)) . '_' . Str::random(random_int(32, 35)) . '_' . Str::random(random_int(1, 14)) . '.' . $photo->extension());
+ $path = $photo->storePubliclyAs($storagePath, Str::random(random_int(2, 12)) . '_' . Str::random(random_int(32, 35)) . '_' . Str::random(random_int(1, 14)) . '.' . $photo->extension());
 if(in_array($photo->getMimeType(), ['image/jpeg','image/png'])) {
 $fpath = storage_path('app/' . $path);
 $img = Intervention::make($fpath);
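Review bot: The file written here is the user's exported Instagram data — `$job->media_json = $path` records it for the import job — and nothing in this hunk suggests it is ever served to a browser, so it gains nothing from public visibility. On the local driver `storePublicly()` only yields mode 0644 under `storage/app/import/`, but on an S3-compatible default disk it would mark the export public-read; the companion hunk at line 93 writes the media files the same way. If the default disk can be cloud-backed in some deployments (not visible here), keep these two writes local, e.g. `$path = $media->storePublicly($storagePath, ['disk' => 'local']);`, or leave them on `store()` and rely on the disk-level permission config for readability.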
diff --git a/config/filesystems.php b/config/filesystems.php
index 38feb2173..0d2a27743 100644
--- a/config/filesystems.php
+++ b/config/filesystems.php
@@ -46,6 +46,16 @@ return [
 'local' => [
 'driver' => 'local',
 'root' => storage_path('app'),
+ 'permissions' => [
+ 'file' => [
+ 'public' => 0644,
+ 'private' => 0600,
+ ],
+ 'dir' => [
+ 'public' => 0755,
+ 'private' => 0700,
+ ],
+ ],
 ],
 
 'public' => [
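Review bot: The four modes added here (0644/0600 for files, 0755/0700 for directories) match, as far as I can tell, what Flysystem's local adapter already uses by default, so this block documents the existing mapping rather than changing it; the readable uploads come from the per-call `storePublicly*` switches in the other hunks. To make "public by default" hold at the disk level, add `'visibility' => 'public',` so writes that still go through plain `store()`/`Storage::put()` elsewhere are not left at whatever the process umask produces, and `'directory_visibility' => 'public',` because directories auto-created during a write (the per-profile avatar and media folders in the other hunks) take the disk's directory default, which stays the private 0700 entry of this very block even when the file itself is stored publicly. If PHP-FPM, the queue worker and the web server all run as one user this does not bite; if they do not, a 0700 parent makes a 0644 file unreadable. Both keys go inside the `'local'` array next to `'permissions'`.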