1<?php 2 3use Xmf\Jwt\TokenReader; 4 5/** 6 * PHP Server-Side Example for Fine Uploader (traditional endpoint handler). 7 * Maintained by Widen Enterprises. 8 * 9 * This example: 10 * - handles chunked and non-chunked requests 11 * - supports the concurrent chunking feature 12 * - assumes all upload requests are multipart encoded 13 * - supports the delete file feature 14 * 15 * Follow these steps to get up and running with Fine Uploader in a PHP environment: 16 * 17 * 1. Setup your client-side code, as documented on http://docs.fineuploader.com. 18 * 19 * 2. Copy this file and handler.php to your server. 20 * 21 * 3. Ensure your php.ini file contains appropriate values for 22 * max_input_time, upload_max_filesize and post_max_size. 23 * 24 * 4. Ensure your "chunks" and "files" folders exist and are writable. 25 * "chunks" is only needed if you have enabled the chunking feature client-side. 26 * 27 * 5. If you have chunking enabled in Fine Uploader, you MUST set a value for the `chunking.success.endpoint` option. 28 * This will be called by Fine Uploader when all chunks for a file have been successfully uploaded, triggering the 29 * PHP server to combine all parts into one file. This is particularly useful for the concurrent chunking feature, 30 * but is now required in all cases if you are making use of this PHP example. 31 * 32 * 33 * @license MIT License (MIT) 34 * @copyright Copyright (c) 2015-present, Widen Enterprises, Inc. 35 * @link https://github.com/FineUploader/php-traditional-server 36 * 37 * The MIT License (MIT) 38 * 39 * Copyright (c) 2015-present, Widen Enterprises, Inc. 40 * 41 * Permission is hereby granted, free of charge, to any person obtaining a copy 42 * of this software and associated documentation files (the "Software"), to deal 43 * in the Software without restriction, including without limitation the rights 44 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 45 * copies of the Software, and to permit persons to whom the Software is 46 * furnished to do so, subject to the following conditions: 47 * 48 * The above copyright notice and this permission notice shall be included in all 49 * copies or substantial portions of the Software. 50 * 51 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 52 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 53 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 54 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 55 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 56 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 57 * SOFTWARE. 58 */ 59 60if (isset($_POST['Authorization'])) { 61 define('PROTECTOR_SKIP_DOS_CHECK', 1); 62} 63include __DIR__ . '/mainfile.php'; 64$xoopsLogger->activated = false; 65 66/** 67 * Get our expected claims from the JSON Web Token. 68 * 69 * This is the list of claims which should be included: 70 * 71 * aud audience (asserted as our php script name) 72 * cat category id the user has chosen and is authorized for 73 * uid user id (asserted as the session specified user) 74 * handler handler class 75 * moddir module directory for handler 76 * 77 * We will assert that aud and uid agree with our expectations (for security) 78 */ 79$assert = array( 80 'aud' => basename(__FILE__), 81 'uid' => $xoopsUser instanceof \XoopsUser ? $xoopsUser->id() : 0, 82); 83$claims = TokenReader::fromRequest('fineuploader', 'Authorization', $assert); 84 85if ($claims === false) { 86 echo json_encode(array('error' => "Invalid request token")); 87 exit; 88} 89 90// Include the base upload handler class 91XoopsLoad::load('fineuploadhandler', 'system'); 92 93$handler = (property_exists($claims, 'handler')) ? $claims->handler : ''; 94$moddir = (property_exists($claims, 'moddir')) ? $claims->moddir : ''; 95 96if ($handler === '' || $moddir === '') { 97 header("HTTP/1.0 400 Bad Request"); 98 exit; 99} 100 101/** 102 * The handler claim can be specified as either: 103 * - a fully qualified and autoloading namespaced name, 104 * - a legacy handler name 105 */ 106$className = $handler; 107if (false === strpos($handler, '\\')) { 108 XoopsLoad::load($handler, $moddir); 109 $className = $moddir . $handler; 110} 111/* @var SystemFineUploadHandler $uploader */ 112$uploader = new $className($claims); 113 114$method = get_request_method(); 115 116if ($method === "POST") { 117 header("Content-Type: text/plain"); 118 119 // Assumes you have a chunking.success.endpoint set to point here with a query parameter of "done". 120 // For example: /myserver/handlers/endpoint.php?done 121 if (isset($_GET["done"])) { 122 $result = $uploader->combineChunks(XOOPS_ROOT_PATH . "/uploads"); 123 } else { // Handle upload requests 124 // Call handleUpload() with the name of the folder, relative to PHP's getcwd() 125 $result = $uploader->handleUpload(XOOPS_ROOT_PATH . "/uploads"); 126 127 // To return a name used for uploaded file you can use the following line. 128 $result["uploadName"] = $uploader->getUploadName(); 129 } 130 131 echo json_encode($result); 132} elseif ($method == "DELETE") { // for delete file requests 133 $result = $uploader->handleDelete("files"); 134 echo json_encode($result); 135} else { 136 header("HTTP/1.0 405 Method Not Allowed"); 137} 138 139/** 140 * This will retrieve the "intended" request method. Normally, this is the 141 * actual method of the request. Sometimes, though, the intended request method 142 * must be hidden in the parameters of the request. For example, when attempting to 143 * delete a file using a POST request. In that case, "DELETE" will be sent along with 144 * the request in a "_method" parameter. 145 * 146 * @return string 147 */ 148function get_request_method() 149{ 150 if (isset($_POST["_method"]) && $_POST["_method"] != null) { 151 return $_POST["_method"]; 152 } 153 return $_SERVER["REQUEST_METHOD"]; 154} 155