adm_program/system/ckeditor_upload_handler.php from Admidio/admidio

adm_program/system/ckeditor_upload_handler.php
Summary

Maintainability

0 mins
Test Coverage

Issues
<?php
/**
 ***********************************************************************************************
 * Handle image uploads from CKEditor
 *
 * @copyright The Admidio Team
 * @see https://www.admidio.org/
 * @license https://www.gnu.org/licenses/gpl-2.0.html GNU General Public License v2.0 only
 *
 * Parameters:
 *
 * id : ID of textarea, that had triggered the upload
 ***********************************************************************************************
 */
use Admidio\Exception;

try {
    require_once(__DIR__ . '/common.php');
    require(__DIR__ . '/login_valid.php');

    $getCKEditorID = admFuncVariableIsValid($_GET, 'id', 'string', array('requireValue' => true));

    // check if a file was really uploaded
    if (!file_exists($_FILES['upload']['tmp_name']) || !is_uploaded_file($_FILES['upload']['tmp_name'])) {
        throw new Exception('SYS_FILE_NOT_EXIST');
    }

    // checks if the server settings for file_upload are set to ON
    if (!PhpIniUtils::isFileUploadEnabled()) {
        throw new Exception('SYS_SERVER_NO_UPLOAD');
    }

    if (!FileSystemUtils::allowedFileExtension($_FILES['upload']['name'])) {
        throw new Exception('SYS_FILE_EXTENSION_INVALID');
    }

    // if necessary create the module folders in adm_my_files
    switch ($getCKEditorID) {
        case 'ann_description':
            $folderName = 'announcements';
            break;
        case 'dat_description':
            $folderName = 'events';
            break;
        case 'lnk_description':
            $folderName = 'weblinks';
            break;
        case 'msg_body':
            $folderName = 'mail';
            break;
        case 'room_description':
            $folderName = 'rooms';
            break;
        case 'usf_description':
            $folderName = 'user_fields';
            break;
        default:
            $folderName = 'plugins';
            break;
    }

    $imagesPath = ADMIDIO_PATH . FOLDER_DATA . '/' . $folderName . '/images';
    FileSystemUtils::createDirectoryIfNotExists($imagesPath);

    // create a filename with a timestamp and 16 chars secure-random string,
    // so we have a scheme for the filenames and the risk of duplicates is negligible.
    // Format: 20180131-123456_0123456789abcdef.jpg
    $fileName = FileSystemUtils::getGeneratedFilename($_FILES['upload']['name']);
    $fileNamePath = $imagesPath . '/' . $fileName;

    move_uploaded_file($_FILES['upload']['tmp_name'], $fileNamePath);

    // check if the file contains a valid image
    if (!getimagesize($fileNamePath)) {
        FileSystemUtils::deleteFileIfExists($fileNamePath);
        throw new Exception('SYS_PHOTO_FORMAT_INVALID');
    }

    echo json_encode(
        array(
            'url' => SecurityUtils::encodeUrl(
                ADMIDIO_URL . '/adm_program/system/show_image.php',
                array(
                    'module' => $folderName,
                    'file' => $fileName
                )
            )
        )
    );
} catch (Throwable $exception) {
    echo json_encode(array('error' => array('message' => $exception->getMessage())));
}