slicker check for upload permissions, included http response code

2025-11-11 18:56:21 +00:00 · 2020-06-23 09:17:49 +02:00
parent e13f4816fb
commit 0250b6a577
5 changed files with 13 additions and 8 deletions
--- a/api/base64.php
+++ b/api/base64.php
@@ -13,8 +13,7 @@ include_once(ROOT . DS . 'inc' . DS. 'core.php');
 loadAllContentControllers();

 // check if client has permission to upload
-if(defined('ALLOWED_SUBNET') && !isIPInRange( getUserIP(), ALLOWED_SUBNET ))
-    exit(json_encode(array('status'=>'err','reason'=> 'Access denied')));
+executeUploadPermission();

 // check write permissions first
 if(!isFolderWritable(ROOT.DS.'data'))
--- a/api/geturl.php
+++ b/api/geturl.php
@@ -13,8 +13,7 @@ include_once(ROOT . DS . 'inc' . DS. 'core.php');
 loadAllContentControllers();

 // check if client has permission to upload
-if(defined('ALLOWED_SUBNET') && !isIPInRange( getUserIP(), ALLOWED_SUBNET ))
-    exit(json_encode(array('status'=>'err','reason'=> 'Access denied')));
+executeUploadPermission();

 // check write permissions first
 if(!isFolderWritable(ROOT.DS.'data'))
--- a/api/pastebin.php
+++ b/api/pastebin.php
@@ -15,8 +15,7 @@ if(!in_array('TextController',$controllers))
    exit(json_encode(array('status'=>'err','reason'=>'Text controller not enabled')));

 // check if client has permission to upload
-if(defined('ALLOWED_SUBNET') && !isIPInRange( getUserIP(), ALLOWED_SUBNET ))
-    exit(json_encode(array('status'=>'err','reason'=> 'Access denied')));
+executeUploadPermission();

 // check write permissions first
 if(!isFolderWritable(ROOT.DS.'data'))
--- a/api/upload.php
+++ b/api/upload.php
@@ -19,8 +19,7 @@ else if(!isFolderWritable(ROOT.DS.'tmp'))
    exit(json_encode(array('status'=>'err','reason'=>'Temp directory not writable')));

 // check if client has permission to upload
-if(defined('ALLOWED_SUBNET') && !isIPInRange( getUserIP(), ALLOWED_SUBNET ))
-    exit(json_encode(array('status'=>'err','reason'=> 'Access denied')));
+executeUploadPermission();

 $hash = sanatizeString(trim($_REQUEST['hash']))?sanatizeString(trim($_REQUEST['hash'])):false;

--- a/inc/core.php
+++ b/inc/core.php
@@ -692,3 +692,12 @@ function isCloudflare() {
    $requestCheck   = _cloudflare_Requests_Check();
    return ($ipCheck && $requestCheck);
 }
+
+function executeUploadPermission()
+{
+    if(defined('ALLOWED_SUBNET') && !isIPInRange( getUserIP(), ALLOWED_SUBNET ))
+    {
+        http_response_code(403);
+        exit(json_encode(array('status'=>'err','reason'=> 'Access denied')));
+    }
+}