restrictAccess(Auth::isManager())
->setPageTitle(WT_I18N::translate('Upload media files'));
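$action = WT_Filter::post('action');
if ($action === 'upload') {
    // Up to five media files may be uploaded per request, each with an optional
    // thumbnail.  The form fields are mediafile1..5, thumbnail1..5, folder1..5 and
    // filename1..5.  Any validation failure stops the whole loop with "break"
    // (the original behaviour), so files after the failing one are not processed.
    for ($i = 1; $i < 6; $i++) {
        $mediaField = 'mediafile' . $i;
        $thumbField = 'thumbnail' . $i;
        if (empty($_FILES[$mediaField]['name']) && empty($_FILES[$thumbField]['name'])) {
            continue;
        }

        // Validate the media folder: normalise separators, strip surrounding
        // slashes, and treat "." as "no sub-folder".  The result is either ''
        // or a relative path with a trailing '/'.
        $folder     = WT_Filter::post('folder' . $i);
        $folderName = trim(str_replace('\\', '/', $folder), '/');
        if ($folderName === '.') {
            $folderName = '';
        }
        // Strict comparison so that a sub-folder literally named "0" is not
        // silently discarded (a bare truthiness test would treat it as empty).
        if ($folderName !== '') {
            $folderName .= '/';
            // Not allowed to use “../” — it would escape the media directory.
            // The leading '/' makes a folder name that *starts* with "../" match too.
            if (strpos('/' . $folderName, '/../') !== false) {
                WT_FlashMessages::addMessage('Folder names are not allowed to include “../”');
                break;
            }
        }

        // Make sure the media folder exists
        if (!is_dir(WT_DATA_DIR . $MEDIA_DIRECTORY)) {
            if (WT_File::mkdir(WT_DATA_DIR . $MEDIA_DIRECTORY)) {
                WT_FlashMessages::addMessage(WT_I18N::translate('The folder %s was created.', '' . WT_DATA_DIR . $MEDIA_DIRECTORY . ''));
            } else {
                WT_FlashMessages::addMessage(WT_I18N::translate('The folder %s does not exist, and it could not be created.', '' . WT_DATA_DIR . $MEDIA_DIRECTORY . ''));
                break;
            }
        }

        // Managers can create new media paths (subfolders). Users must use existing folders.
        if ($folderName !== '' && !is_dir(WT_DATA_DIR . $MEDIA_DIRECTORY . $folderName)) {
            if (WT_USER_GEDCOM_ADMIN) {
                if (WT_File::mkdir(WT_DATA_DIR . $MEDIA_DIRECTORY . $folderName)) {
                    WT_FlashMessages::addMessage(WT_I18N::translate('The folder %s was created.', '' . WT_DATA_DIR . $MEDIA_DIRECTORY . $folderName . ''));
                } else {
                    WT_FlashMessages::addMessage(WT_I18N::translate('The folder %s does not exist, and it could not be created.', '' . WT_DATA_DIR . $MEDIA_DIRECTORY . $folderName . ''));
                    break;
                }
            } else {
                // Regular users should not have seen this option - so no need for an error message.
                break;
            }
        }

        // The media folder exists. Now create a thumbnail folder to match it.
        if (!is_dir(WT_DATA_DIR . $MEDIA_DIRECTORY . 'thumbs/' . $folderName)) {
            if (!WT_File::mkdir(WT_DATA_DIR . $MEDIA_DIRECTORY . 'thumbs/' . $folderName)) {
                WT_FlashMessages::addMessage(WT_I18N::translate('The folder %s does not exist, and it could not be created.', '' . WT_DATA_DIR . $MEDIA_DIRECTORY . 'thumbs/' . $folderName . ''));
                break;
            }
        }

        // A thumbnail file with no main image?
        if (!empty($_FILES[$thumbField]['name']) && empty($_FILES[$mediaField]['name'])) {
            // Assume the user used the wrong field, and treat this as a main image
            $_FILES[$mediaField] = $_FILES[$thumbField];
            unset($_FILES[$thumbField]);
        }

        // Thumbnail files must contain images.  $_FILES[...]['type'] is supplied
        // by the browser and can say anything, so the uploaded bytes are inspected
        // with getimagesize() instead.  $thumbExtension is '' when there is no
        // thumbnail, otherwise the extension derived from the detected image type.
        $thumbExtension = '';
        if (!empty($_FILES[$thumbField]['name'])) {
            $thumbTmpName = $_FILES[$thumbField]['tmp_name'];
            $imageInfo    = is_uploaded_file($thumbTmpName) ? getimagesize($thumbTmpName) : false;
            if ($imageInfo === false || !preg_match('/^image\/(png|gif|jpeg)$/', $imageInfo['mime'], $match)) {
                WT_FlashMessages::addMessage(WT_I18N::translate('Thumbnail files must contain images.'));
                break;
            }
            $thumbExtension = $match[1];
        }

        // User-specified filename?  Otherwise use the name of the uploaded file.
        $filename = WT_Filter::post('filename' . $i);
        if (!$filename && !empty($_FILES[$mediaField]['name'])) {
            $filename = $_FILES[$mediaField]['name'];
        }

        // Validate the media path and filename.  This is a block-list of
        // extensions the web server might execute; it cannot be exhaustive, so
        // the media directory should also be served without script execution.
        if (preg_match('/([\/\\\\<>])/', $filename, $match)) {
            // Local media files cannot contain certain special characters
            WT_FlashMessages::addMessage(WT_I18N::translate('Filenames are not allowed to contain the character “%s”.', $match[1]));
            $filename = '';
            break;
        } elseif (preg_match('/(\.(php\d?|phtml|phar|phps|htaccess|pl|cgi|bash|sh|bat|exe|com|htm|html|shtml))$/i', $filename, $match)) {
            // Do not allow obvious script files.
            WT_FlashMessages::addMessage(WT_I18N::translate('Filenames are not allowed to have the extension “%s”.', $match[1]));
            $filename = '';
            break;
        } elseif (!$filename) {
            WT_FlashMessages::addMessage(WT_I18N::translate('No media file was provided.'));
            break;
        } else {
            $fileName = $filename;
        }

        // Now copy the file to the correct location.
        if (!empty($_FILES[$mediaField]['name'])) {
            $serverFileName = WT_DATA_DIR . $MEDIA_DIRECTORY . $folderName . $fileName;
            if (file_exists($serverFileName)) {
                WT_FlashMessages::addMessage(WT_I18N::translate('The file %s already exists. Use another filename.', $folderName . $fileName));
                $filename = '';
                break;
            }
            // move_uploaded_file() refuses anything that is not a genuine upload.
            if (move_uploaded_file($_FILES[$mediaField]['tmp_name'], $serverFileName)) {
                WT_FlashMessages::addMessage(WT_I18N::translate('The file %s was uploaded.', '' . $serverFileName . ''));
                Log::addMediaLog('Media file ' . $serverFileName . ' uploaded');
            } else {
                WT_FlashMessages::addMessage(
                    WT_I18N::translate('There was an error uploading your file.') .
                    '
' .
                    file_upload_error_text($_FILES[$mediaField]['error'])
                );
                $filename = '';
                break;
            }

            // Now copy the (optional) thumbnail, already validated above.
            if ($thumbExtension !== '') {
                // Give the thumbnail the main file's name with the detected image
                // extension; case-insensitive so ".JPG" is replaced too.
                $thumbFile      = preg_replace('/\.[a-z0-9]{3,5}$/i', '.' . $thumbExtension, $fileName);
                $serverFileName = WT_DATA_DIR . $MEDIA_DIRECTORY . 'thumbs/' . $folderName . $thumbFile;
                if (move_uploaded_file($_FILES[$thumbField]['tmp_name'], $serverFileName)) {
                    WT_FlashMessages::addMessage(WT_I18N::translate('The file %s was uploaded.', '' . $serverFileName . ''));
                    Log::addMediaLog('Thumbnail file ' . $serverFileName . ' uploaded');
                } else {
                    // Report a failed thumbnail copy the same way as a failed main copy.
                    WT_FlashMessages::addMessage(
                        WT_I18N::translate('There was an error uploading your file.') .
                        '
' .
                        file_upload_error_text($_FILES[$thumbField]['error'])
                    );
                }
            }
        }
    }
}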
$controller->pageHeader();
$mediaFolders = WT_Query_Media::folderListAll();
// Determine the file size limit to show on the form.
// TODO: do we need to check post_max_size size too?
$filesize = ini_get('upload_max_filesize');
if (!$filesize) {
    // ini_get() gives false for an unknown option and '' for an unset one.
    $filesize = '2M';
}
echo '