From 9f045ed1cace1473cff97f943a69bda34a689e62 Mon Sep 17 00:00:00 2001
From: Christian Haschek
Date: Wed, 1 Mar 2017 18:15:48 +0100
Subject: [PATCH] added MASTER_DELETE_IP to allow individual IPs or netmasks to delete images closes #22
---
 inc/core.php | 15 +++++++++++++++
 inc/example.config.inc.php | 11 +++++++++++
 models/pictsharemodel.php | 30 +++++++++++++++++++++++++++++-
 3 files changed, 55 insertions(+), 1 deletion(-)
diff --git a/inc/core.php b/inc/core.php
index ecdcfcc..b70f06b 100644
--- a/inc/core.php
+++ b/inc/core.php
@@ -394,4 +394,19 @@ function serveFile($filename, $filename_output = false, $mime = 'application/oct
 echo $buffer;
 flush();
 }
+}
+
+function cidr_match($ip, $range)
+{
+ list ($subnet, $bits) = explode('/', $range);
+ $ip = ip2long($ip);
+ $subnet = ip2long($subnet);
+ $mask = -1 << (32 - $bits);
+ $subnet &= $mask; # nb: in case the supplied subnet wasn't correctly aligned
+ return ($ip & $mask) == $subnet;
+}
+
+function isIP($ip)
+{
+ return filter_var($ip, FILTER_VALIDATE_IP);
 }
\ No newline at end of file
diff --git a/inc/example.config.inc.php b/inc/example.config.inc.php
index d3009cf..631c7db 100644
--- a/inc/example.config.inc.php
+++ b/inc/example.config.inc.php
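Review bot: cidr_match() in inc/core.php fails open when either address is not dotted IPv4: ip2long() returns false for an IPv6 client address or a malformed range entry, false acts as 0 in `&`, and `($ip & $mask) == $subnet` then compares 0 with 0. `$bits` is also used unchecked, so an entry with a missing, non-numeric or larger-than-32 prefix length yields a bogus mask or a shift error instead of a clean rejection. I would add a guard before the mask is built, `if ($ip === false || $subnet === false || !ctype_digit((string)$bits) || $bits > 32) return false;`, and compare with `===`. isIP() returns the filtered string rather than a boolean; `return filter_var($ip, FILTER_VALIDATE_IP) !== false;` would make its contract explicit.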
@@ -20,6 +20,17 @@ define('JPEG_COMPRESSION', 90);
 // Will render one last time, if refreshed won't be on the server anymore
 define('MASTER_DELETE_CODE', false);
+//if set, the IP, hostname or every device in the IP range (CIDR naming) will be allowed to delete images
+//by supplying the parameter "delete"
+//use multiple ips/hostnames/ranges: semicolon seperated
+//examples:
+//======
+//ip: define('MASTER_DELETE_IP', '8.8.8.8');
+//hostname: define('MASTER_DELETE_IP', 'home.example.com');
+//ip range: define('MASTER_DELETE_IP', '192.168.0.0/24'); //all IPs from 192.168.0.0 to 192.168.0.255 can delete
+//multiple: define('MASTER_DELETE_IP', '192.168.0.0/24;my.home.net;4.4.2.2');
+define('MASTER_DELETE_IP', false);
+
 //If set, upload form will only be shown on that location
 //eg: define('UPLOAD_FORM_LOCATION', 'secret/upload'); then the upload form will only be visible
 //from http://your.domain/secret/upload
diff --git a/models/pictsharemodel.php b/models/pictsharemodel.php
index c978da2..b5ff29f 100644
--- a/models/pictsharemodel.php
+++ b/models/pictsharemodel.php
@@ -102,9 +102,11 @@ class PictshareModel extends Model
 $data['forcesize'] = true;
 else if(strlen(MASTER_DELETE_CODE)>10 && $el=='delete_'.MASTER_DELETE_CODE)
 $data['delete'] = true;
+ else if($el=='delete' && $this->mayDeleteImages()===true)
+ $data['delete'] = true;
 }
-
+
 if($data['delete'] && $data['hash'])
 {
 $this->deleteImage($data['hash']);
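Review bot: The comment block added to inc/example.config.inc.php leaves out two limits a deployer needs before relying on MASTER_DELETE_IP: range entries are matched with ip2long() in cidr_match() (inc/core.php in this patch), so only IPv4 ranges work, and hostname entries are resolved with gethostbyname() on each request that carries `delete`. The setting also grants deletion without any secret, so every host that appears to come from a listed address (a shared NAT or proxy, for instance) can delete any image. I would add `//note: IPv4 only; hostnames are resolved via DNS on each delete request` and `//note: every client seen with a listed address may delete any image, no code required` above the define.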
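Review bot: The new `delete` branch in models/pictsharemodel.php lets a bare URL segment trigger deletion with the caller's address as the only authorisation, so any request that originates from an allow-listed address is honoured, including one a browser there issues while rendering a third-party page. The enclosing function begins and ends outside the hunk, so I cannot see whether the request method is checked anywhere. If it is not, consider `else if($el=='delete' && $_SERVER['REQUEST_METHOD']==='POST' && $this->mayDeleteImages()===true)`, or at least log each address-authorised delete so it can be audited.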
@@ -120,6 +122,32 @@ class PictshareModel extends Model
 return $data;
 }
+
+ function mayDeleteImages()
+ {
+ if(!defined('MASTER_DELETE_IP') || !MASTER_DELETE_IP) return false;
+ $ip = getUserIP();
+ $parts = explode(';',MASTER_DELETE_IP);
+ foreach($parts as $part)
+ {
+ if(strpos($part,'/')!==false) //it's a CIDR address
+ {
+ if(cidr_match($ip, $part))
+ return true;
+ }
+ else if(isIP($part)) //it's an IP address
+ {
+ if($part==$ip) return true;
+ }
+ else if(gethostbyname($part)==$ip) //must be a hostname
+ {
+ return true;
+ }
+
+ }
+
+ return false;
+ }
 function deleteImage($hash)
 {
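Review bot: mayDeleteImages() can fail open on the hostname branch: entries are not trimmed or checked for emptiness, gethostbyname() is documented to return its argument unchanged when resolution fails, and the loose `==` then treats an empty entry (for example after a trailing semicolon) as equal to a false or empty `$ip`. getUserIP() is not part of this diff; if it can return a non-address value, or derives the address from client-supplied headers such as X-Forwarded-For, this allow-list is only as strong as that function, so that is worth confirming before merging. I would reject a `$ip` that isIP() does not accept, skip empty entries and use strict comparison, as sketched below; the function is fully contained in the hunk.

```php
        $ip = getUserIP();
        if(!isIP($ip)) return false; // fail closed when the client address is missing or malformed
        // … unchanged: explode(';',MASTER_DELETE_IP) and the foreach header …
            $part = trim($part);
            if($part==='') continue; // tolerate "a; b" and a trailing semicolon
            // … unchanged: CIDR branch calling cidr_match($ip, $part), isIP($part) branch header …
                if($part===$ip) return true;
            // … unchanged: closing brace of the isIP($part) branch …
            else if(gethostbyname($part)===$ip) //must be a hostname
            // … unchanged: return true, end of loop, return false …
```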