1<?php
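/**
 * Admin controller for the "Uploads" tool: lists, downloads and deletes files
 * that customers attached to orders, and accepts new uploads via AJAX.
 *
 * Stored files live under DIR_UPLOAD as "<client name>.<random token>" and
 * are only reachable through the random 'code' stored with the DB record.
 */
class ControllerToolUpload extends Controller {
	/** @var array<string, string> Validation messages; 'warning' is rendered by the list view. */
	private $error = [];

	/**
	 * Entry point: renders the upload list.
	 */
	public function index() {
		$this->load->language('tool/upload');

		$this->document->setTitle($this->language->get('heading_title'));

		$this->load->model('tool/upload');

		$this->getList();
	}

	/**
	 * Deletes the uploads posted as 'selected' (file on disk, then DB record)
	 * and redirects back to the list with the current filter/sort/page state.
	 *
	 * Requires the 'modify' permission on tool/upload; without it the list is
	 * re-rendered with the permission error and nothing is deleted.
	 */
	public function delete() {
		$this->load->language('tool/upload');

		$this->document->setTitle($this->language->get('heading_title'));

		$this->load->model('tool/upload');

		if (isset($this->request->post['selected']) && $this->validateDelete()) {
			foreach ((array)$this->request->post['selected'] as $upload_id) {
				$upload_info = $this->model_tool_upload->getUpload($upload_id);

				// Remove file before deleting DB record.
				if ($upload_info) {
					$file = $this->getUploadPath($upload_info['filename']);

					if (is_file($file)) {
						unlink($file);
					}
				}

				$this->model_tool_upload->deleteUpload($upload_id);
			}

			$this->session->data['success'] = $this->language->get('text_success');

			$this->response->redirect($this->url->link('tool/upload', 'user_token=' . $this->session->data['user_token'] . $this->getListUrl(), true));
		}

		$this->getList();
	}

	/**
	 * Renders the list view: reads filter/sort/page from the query string,
	 * queries the model, and builds breadcrumb, delete, download, column-sort
	 * and pagination links that carry the current list state.
	 */
	protected function getList() {
		$filter_name = isset($this->request->get['filter_name']) ? $this->request->get['filter_name'] : '';
		$filter_date_added = isset($this->request->get['filter_date_added']) ? $this->request->get['filter_date_added'] : '';
		$sort = isset($this->request->get['sort']) ? $this->request->get['sort'] : 'date_added';
		$order = isset($this->request->get['order']) ? $this->request->get['order'] : 'DESC';
		$page = isset($this->request->get['page']) ? (int)$this->request->get['page'] : 1;

		// A page below 1 would turn into a negative 'start' offset for the model.
		if ($page < 1) {
			$page = 1;
		}

		$limit = (int)$this->config->get('config_limit_admin');
		$user_token = $this->session->data['user_token'];

		// Full list state (filters, sort, order, page) for links that return to this page.
		$url = $this->getListUrl();

		$data = [];

		$data['breadcrumbs'] = [];

		$data['breadcrumbs'][] = [
			'text' => $this->language->get('text_home'),
			'href' => $this->url->link('common/dashboard', 'user_token=' . $user_token, true)
		];

		$data['breadcrumbs'][] = [
			'text' => $this->language->get('heading_title'),
			'href' => $this->url->link('tool/upload', 'user_token=' . $user_token . $url, true)
		];

		$data['delete'] = $this->url->link('tool/upload/delete', 'user_token=' . $user_token . $url, true);

		$filter_data = [
			'filter_name'       => $filter_name,
			'filter_date_added' => $filter_date_added,
			'sort'              => $sort,
			'order'             => $order,
			'start'             => ($page - 1) * $limit,
			'limit'             => $limit
		];

		$upload_total = $this->model_tool_upload->getTotalUploads($filter_data);

		$results = $this->model_tool_upload->getUploads($filter_data);

		$data['uploads'] = [];

		foreach ($results as $result) {
			$data['uploads'][] = [
				'upload_id'  => $result['upload_id'],
				'name'       => $result['name'],
				'filename'   => $result['filename'],
				'date_added' => date($this->language->get('date_format_short'), strtotime($result['date_added'])),
				'download'   => $this->url->link('tool/upload/download', 'user_token=' . $user_token . '&code=' . $result['code'] . $url, true)
			];
		}

		$data['user_token'] = $user_token;

		// Errors come either from this request (permission check in delete())
		// or from a previous request (download()) via the session.
		if (isset($this->error['warning'])) {
			$data['error_warning'] = $this->error['warning'];
		} elseif (isset($this->session->data['error'])) {
			$data['error_warning'] = $this->session->data['error'];

			unset($this->session->data['error']);
		} else {
			$data['error_warning'] = '';
		}

		if (isset($this->session->data['success'])) {
			$data['success'] = $this->session->data['success'];

			unset($this->session->data['success']);
		} else {
			$data['success'] = '';
		}

		$data['selected'] = isset($this->request->post['selected']) ? (array)$this->request->post['selected'] : [];

		// Column-header links keep filters and page, set their own sort column
		// and flip the current order.
		$sort_url = $this->getListUrl(['sort', 'order']) . ($order === 'ASC' ? '&order=DESC' : '&order=ASC');

		$data['sort_name'] = $this->url->link('tool/upload', 'user_token=' . $user_token . '&sort=name' . $sort_url, true);
		$data['sort_filename'] = $this->url->link('tool/upload', 'user_token=' . $user_token . '&sort=filename' . $sort_url, true);
		$data['sort_date_added'] = $this->url->link('tool/upload', 'user_token=' . $user_token . '&sort=date_added' . $sort_url, true);

		// Pagination links keep filters, sort and order; Pagination fills in {page}.
		$pagination = new Pagination();
		$pagination->total = $upload_total;
		$pagination->page = $page;
		$pagination->limit = $limit;
		$pagination->url = $this->url->link('tool/upload', 'user_token=' . $user_token . $this->getListUrl(['page']) . '&page={page}', true);

		$data['pagination'] = $pagination->render();

		$start = ($page - 1) * $limit;

		// "Showing X to Y of Z (N pages)": X is 0 when there are no rows, Y is
		// clamped to the total on the last page.
		$data['results'] = sprintf(
			$this->language->get('text_pagination'),
			$upload_total ? $start + 1 : 0,
			($start > ($upload_total - $limit)) ? $upload_total : ($start + $limit),
			$upload_total,
			ceil($upload_total / $limit)
		);

		$data['filter_name'] = $filter_name;
		$data['filter_date_added'] = $filter_date_added;

		$data['sort'] = $sort;
		$data['order'] = $order;

		$data['header'] = $this->load->controller('common/header');
		$data['column_left'] = $this->load->controller('common/column_left');
		$data['footer'] = $this->load->controller('common/footer');

		$this->response->setOutput($this->load->view('tool/upload', $data));
	}

	/**
	 * Builds the '&key=value' query-string suffix carrying the list state
	 * (filter_name, filter_date_added, sort, order, page) from the current
	 * request. filter_name is HTML-entity-decoded first, as the list view
	 * expects; every value is URL-encoded so request values cannot inject
	 * extra parameters or break the generated link.
	 *
	 * @param string[] $exclude Keys to leave out, e.g. ['sort', 'order'] for column links.
	 * @return string Empty string when none of the parameters is present.
	 */
	private function getListUrl(array $exclude = []) {
		$url = '';

		foreach (['filter_name', 'filter_date_added', 'sort', 'order', 'page'] as $key) {
			if (in_array($key, $exclude, true) || !isset($this->request->get[$key])) {
				continue;
			}

			$value = $this->request->get[$key];

			if ($key === 'filter_name') {
				$value = html_entity_decode($value, ENT_QUOTES, 'UTF-8');
			}

			$url .= '&' . $key . '=' . urlencode($value);
		}

		return $url;
	}

	/**
	 * Absolute path of a stored upload. Only the base name of the stored
	 * value is used so a DB record can never resolve outside DIR_UPLOAD.
	 *
	 * @param string $filename Value of the upload record's 'filename' column.
	 * @return string
	 */
	private function getUploadPath($filename) {
		return DIR_UPLOAD . basename($filename);
	}

	/**
	 * Checks that the current user may delete uploads; records the
	 * permission error in $this->error otherwise.
	 *
	 * @return bool true when no error was recorded.
	 */
	protected function validateDelete() {
		if (!$this->user->hasPermission('modify', 'tool/upload')) {
			$this->error['warning'] = $this->language->get('error_permission');
		}

		return !$this->error;
	}

	/**
	 * Sends a stored upload, looked up by its random access 'code', as an
	 * attachment under the client's original name. An unknown code or a
	 * missing/empty file redirects back to the list with an error message
	 * stored in the session.
	 */
	public function download() {
		$this->load->model('tool/upload');

		$this->load->language('tool/upload');

		$code = isset($this->request->get['code']) ? $this->request->get['code'] : 0;

		$upload_info = $this->model_tool_upload->getUploadByCode($code);

		if (!$upload_info) {
			$this->session->data['error'] = $this->language->get('error_upload');

			$this->response->redirect($this->url->link('tool/upload', 'user_token=' . $this->session->data['user_token'] . $this->getListUrl(), true));

			return;
		}

		$file = $this->getUploadPath($upload_info['filename']);

		if (!is_file($file) || filesize($file) <= 0) {
			$this->session->data['error'] = $this->language->get('error_file');

			$this->response->redirect($this->url->link('tool/upload', 'user_token=' . $this->session->data['user_token'] . $this->getListUrl(), true));

			return;
		}

		// 'name' is the client-supplied name recorded at upload time. Quotes,
		// backslashes and control characters would end or split the header
		// value, so they are replaced before it goes into Content-Disposition.
		$mask = preg_replace('/[\x00-\x1F\x7F"\\\\]/', '_', basename($upload_info['name']));

		$this->response->addHeader('Pragma: public');
		$this->response->addHeader('Expires: 0');
		$this->response->addHeader('Content-Description: File Transfer');
		$this->response->addHeader('Content-Type: application/octet-stream');
		$this->response->addHeader('Content-Disposition: attachment; filename="' . ($mask ? $mask : basename($file)) . '"');
		$this->response->addHeader('Content-Transfer-Encoding: binary');

		$this->response->setOutput(file_get_contents($file));
	}

	/**
	 * AJAX upload handler for the file posted as 'file'. Responds with JSON
	 * holding either 'error' or 'code' (the access code used by download())
	 * and 'success'.
	 *
	 * Checks, in order: 'modify' permission; client name length 3..128
	 * characters; extension in config_file_ext_allowed; declared MIME type in
	 * config_file_mime_allowed; no PHP open tag in the content; no PHP upload
	 * error. The file is stored as "<client base name>.<random token>" so it
	 * cannot be guessed or linked to directly.
	 */
	public function upload() {
		$this->load->language('sale/order');

		$json = [];

		// Check user has permission
		if (!$this->user->hasPermission('modify', 'tool/upload')) {
			$json['error'] = $this->language->get('error_permission');
		}

		$filename = '';

		if (!$json) {
			if (!empty($this->request->files['file']['name']) && is_file($this->request->files['file']['tmp_name'])) {
				$upload = $this->request->files['file'];

				// Sanitize the filename. basename() drops any directory part the
				// client may have sent, so the stored path stays inside DIR_UPLOAD.
				$filename = basename(html_entity_decode($upload['name'], ENT_QUOTES, 'UTF-8'));

				if ((utf8_strlen($filename) < 3) || (utf8_strlen($filename) > 128)) {
					$json['error'] = $this->language->get('error_filename');
				}

				// Allowed file extension types. A file without an extension
				// yields '' and is rejected because blank setting lines are dropped.
				$extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));

				if (!in_array($extension, $this->getAllowedList('config_file_ext_allowed'), true)) {
					$json['error'] = $this->language->get('error_filetype');
				}

				// Allowed file mime types. $_FILES 'type' is whatever the client
				// declared, so this only complements the extension and content checks.
				if (!in_array($upload['type'], $this->getAllowedList('config_file_mime_allowed'), true)) {
					$json['error'] = $this->language->get('error_filetype');
				}

				// Check to see if any PHP files are trying to be uploaded
				$content = file_get_contents($upload['tmp_name']);

				if ($content === false) {
					$json['error'] = $this->language->get('error_upload');
				} elseif (preg_match('/\<\?php/i', $content)) {
					$json['error'] = $this->language->get('error_filetype');
				}

				// Return any upload error
				if ((int)$upload['error'] !== UPLOAD_ERR_OK) {
					$json['error'] = $this->language->get('error_upload_' . $upload['error']);
				}
			} else {
				$json['error'] = $this->language->get('error_upload');
			}
		}

		if (!$json) {
			// Hide the uploaded file name so people can not link to it directly.
			$file = $filename . '.' . token(32);

			// Only record the upload once the file is actually in place.
			if (!move_uploaded_file($this->request->files['file']['tmp_name'], DIR_UPLOAD . $file)) {
				$json['error'] = $this->language->get('error_upload');
			} else {
				$this->load->model('tool/upload');

				$json['code'] = $this->model_tool_upload->addUpload($filename, $file);

				$json['success'] = $this->language->get('text_upload');
			}
		}

		$this->response->addHeader('Content-Type: application/json');
		$this->response->setOutput(json_encode($json));
	}

	/**
	 * Reads a newline-separated setting into a list of trimmed, non-empty entries.
	 *
	 * @param string $key Config key, e.g. config_file_ext_allowed or config_file_mime_allowed.
	 * @return string[]
	 */
	private function getAllowedList($key) {
		$setting = preg_replace('~\r?\n~', "\n", (string)$this->config->get($key));

		return array_values(array_filter(array_map('trim', explode("\n", $setting)), 'strlen'));
	}
}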