bookstack/app/Uploads/Controllers/AttachmentApiController.php

<?php

namespace BookStack\Uploads\Controllers;

use BookStack\Entities\Models\Page;
use BookStack\Exceptions\FileUploadException;
use BookStack\Http\ApiController;
use BookStack\Uploads\Attachment;
use BookStack\Uploads\AttachmentService;
use Exception;
use Illuminate\Contracts\Filesystem\FileNotFoundException;
use Illuminate\Http\Request;
use Illuminate\Validation\ValidationException;

class AttachmentApiController extends ApiController
{
    public function __construct(
        protected AttachmentService $attachmentService
    ) {
    }

    /**
     * Get a listing of attachments visible to the user.
     * The external property indicates whether the attachment is simple a link.
     * A false value for the external property would indicate a file upload.
     */
    public function list()
    {
        return $this->apiListingResponse(Attachment::visible(), [
            'id', 'name', 'extension', 'uploaded_to', 'external', 'order', 'created_at', 'updated_at', 'created_by', 'updated_by',
        ]);
    }

    /**
     * Create a new attachment in the system.
     * An uploaded_to value must be provided containing an ID of the page
     * that this upload will be related to.
     *
     * If you're uploading a file the POST data should be provided via
     * a multipart/form-data type request instead of JSON.
     *
     * @throws ValidationException
     * @throws FileUploadException
     */
    public function create(Request $request)
    {
        $this->checkPermission('attachment-create-all');
        $requestData = $this->validate($request, $this->rules()['create']);

        $pageId = $request->get('uploaded_to');
        $page = Page::visible()->findOrFail($pageId);
        $this->checkOwnablePermission('page-update', $page);

        if ($request->hasFile('file')) {
            $uploadedFile = $request->file('file');
            $attachment = $this->attachmentService->saveNewUpload($uploadedFile, $page->id);
        } else {
            $attachment = $this->attachmentService->saveNewFromLink(
                $requestData['name'],
                $requestData['link'],
                $page->id
            );
        }

        $this->attachmentService->updateFile($attachment, $requestData);

        return response()->json($attachment);
    }

    /**
     * Get the details & content of a single attachment of the given ID.
     * The attachment link or file content is provided via a 'content' property.
     * For files the content will be base64 encoded.
     *
     * @throws FileNotFoundException
     */
    public function read(string $id)
    {
        /** @var Attachment $attachment */
        $attachment = Attachment::visible()
            ->with(['createdBy', 'updatedBy'])
            ->findOrFail($id);

        $attachment->setAttribute('links', [
            'html'     => $attachment->htmlLink(),
            'markdown' => $attachment->markdownLink(),
        ]);

        // Simply return a JSON response of the attachment for link-based attachments
        if ($attachment->external) {
            $attachment->setAttribute('content', $attachment->path);

            return response()->json($attachment);
        }

        // Build and split our core JSON, at point of content.
        $splitter = 'CONTENT_SPLIT_LOCATION_' . time() . '_' . rand(1, 40000);
        $attachment->setAttribute('content', $splitter);
        $json = $attachment->toJson();
        $jsonParts = explode($splitter, $json);
        // Get a stream for the file data from storage
        $stream = $this->attachmentService->streamAttachmentFromStorage($attachment);

        return response()->stream(function () use ($jsonParts, $stream) {
            // Output the pre-content JSON data
            echo $jsonParts[0];

            // Stream out our attachment data as base64 content
            stream_filter_append($stream, 'convert.base64-encode', STREAM_FILTER_READ);
            fpassthru($stream);
            fclose($stream);

            // Output our post-content JSON data
            echo $jsonParts[1];
        }, 200, ['Content-Type' => 'application/json']);
    }

    /**
     * Update the details of a single attachment.
     * As per the create endpoint, if a file is being provided as the attachment content
     * the request should be formatted as a multipart/form-data request instead of JSON.
     *
     * @throws ValidationException
     * @throws FileUploadException
     */
    public function update(Request $request, string $id)
    {
        $requestData = $this->validate($request, $this->rules()['update']);
        /** @var Attachment $attachment */
        $attachment = Attachment::visible()->findOrFail($id);

        $page = $attachment->page;
        if ($requestData['uploaded_to'] ?? false) {
            $pageId = $request->get('uploaded_to');
            $page = Page::visible()->findOrFail($pageId);
            $attachment->uploaded_to = $requestData['uploaded_to'];
        }

        $this->checkOwnablePermission('page-view', $page);
        $this->checkOwnablePermission('page-update', $page);
        $this->checkOwnablePermission('attachment-update', $attachment);

        if ($request->hasFile('file')) {
            $uploadedFile = $request->file('file');
            $attachment = $this->attachmentService->saveUpdatedUpload($uploadedFile, $attachment);
        }

        $this->attachmentService->updateFile($attachment, $requestData);

        return response()->json($attachment);
    }

    /**
     * Delete an attachment of the given ID.
     *
     * @throws Exception
     */
    public function delete(string $id)
    {
        /** @var Attachment $attachment */
        $attachment = Attachment::visible()->findOrFail($id);
        $this->checkOwnablePermission('attachment-delete', $attachment);

        $this->attachmentService->deleteFile($attachment);

        return response('', 204);
    }

    protected function rules(): array
    {
        return [
            'create' => [
                'name'        => ['required', 'min:1', 'max:255', 'string'],
                'uploaded_to' => ['required', 'integer', 'exists:pages,id'],
                'file'        => array_merge(['required_without:link'], $this->attachmentService->getFileValidationRules()),
                'link'        => ['required_without:file', 'min:1', 'max:2000', 'safe_url'],
            ],
            'update' => [
                'name'        => ['min:1', 'max:255', 'string'],
                'uploaded_to' => ['integer', 'exists:pages,id'],
                'file'        => $this->attachmentService->getFileValidationRules(),
                'link'        => ['min:1', 'max:2000', 'safe_url'],
            ],
        ];
    }
}
Build out core attachments API controller Related to #2942 2021-10-19 00:46:55 +08:00			`<?php`

Played around with a new app structure 2023-05-18 00:56:55 +08:00			`namespace BookStack\Uploads\Controllers;`
Build out core attachments API controller Related to #2942 2021-10-19 00:46:55 +08:00
			`use BookStack\Entities\Models\Page;`
			`use BookStack\Exceptions\FileUploadException;`
Cleaned up namespacing in routes Also moved home controller and moved controllers up a level in http. 2023-05-19 03:53:39 +08:00			`use BookStack\Http\ApiController;`
Build out core attachments API controller Related to #2942 2021-10-19 00:46:55 +08:00			`use BookStack\Uploads\Attachment;`
			`use BookStack\Uploads\AttachmentService;`
			`use Exception;`
			`use Illuminate\Contracts\Filesystem\FileNotFoundException;`
			`use Illuminate\Http\Request;`
			`use Illuminate\Validation\ValidationException;`

			`class AttachmentApiController extends ApiController`
			`{`
Increased attachment link limit from 192 to 2k Added test to cover. Did attempt a 64k limit, but values over 2k significantly increase chance of other issues since this URL may be used in redirect headers. Would rather catch issues in-app. For #4044 2023-02-20 21:05:23 +08:00			`public function __construct(`
			`protected AttachmentService $attachmentService`
			`) {`
Build out core attachments API controller Related to #2942 2021-10-19 00:46:55 +08:00			`}`

			`/**`
			`* Get a listing of attachments visible to the user.`
			`* The external property indicates whether the attachment is simple a link.`
			`* A false value for the external property would indicate a file upload.`
			`*/`
			`public function list()`
			`{`
			`return $this->apiListingResponse(Attachment::visible(), [`
			`'id', 'name', 'extension', 'uploaded_to', 'external', 'order', 'created_at', 'updated_at', 'created_by', 'updated_by',`
			`]);`
			`}`

			`/**`
			`* Create a new attachment in the system.`
			`* An uploaded_to value must be provided containing an ID of the page`
			`* that this upload will be related to.`
			`*`
Added attachment API examples during manual testing 2021-10-20 17:43:03 +08:00			`* If you're uploading a file the POST data should be provided via`
			`* a multipart/form-data type request instead of JSON.`
			`*`
Build out core attachments API controller Related to #2942 2021-10-19 00:46:55 +08:00			`* @throws ValidationException`
			`* @throws FileUploadException`
			`*/`
			`public function create(Request $request)`
			`{`
			`$this->checkPermission('attachment-create-all');`
Added an env configurable file upload size limit Replaces the old suggestion of setting JS head 'window.uploadLimit' variable. This new env option will be used by back-end validation and front-end libs/logic too. Limits already likely exist within prod environments at a PHP and webserver level but this allows an app-level limit and centralises the option on the BookStack side into the .env Closes #3033 2021-11-15 06:03:22 +08:00			`$requestData = $this->validate($request, $this->rules()['create']);`
Build out core attachments API controller Related to #2942 2021-10-19 00:46:55 +08:00
			`$pageId = $request->get('uploaded_to');`
			`$page = Page::visible()->findOrFail($pageId);`
			`$this->checkOwnablePermission('page-update', $page);`

			`if ($request->hasFile('file')) {`
			`$uploadedFile = $request->file('file');`
			`$attachment = $this->attachmentService->saveNewUpload($uploadedFile, $page->id);`
			`} else {`
			`$attachment = $this->attachmentService->saveNewFromLink(`
Applied latest changes from styleCI 2021-10-20 17:49:45 +08:00			`$requestData['name'],`
			`$requestData['link'],`
			`$page->id`
Build out core attachments API controller Related to #2942 2021-10-19 00:46:55 +08:00			`);`
			`}`

			`$this->attachmentService->updateFile($attachment, $requestData);`
Applied latest changes from styleCI 2021-10-20 17:49:45 +08:00
Build out core attachments API controller Related to #2942 2021-10-19 00:46:55 +08:00			`return response()->json($attachment);`
			`}`

			`/**`
			`* Get the details & content of a single attachment of the given ID.`
			`* The attachment link or file content is provided via a 'content' property.`
			`* For files the content will be base64 encoded.`
			`*`
			`* @throws FileNotFoundException`
			`*/`
			`public function read(string $id)`
			`{`
			`/** @var Attachment $attachment */`
Added TestCase for attachments API methods 2021-10-20 07:58:56 +08:00			`$attachment = Attachment::visible()`
			`->with(['createdBy', 'updatedBy'])`
			`->findOrFail($id);`
Build out core attachments API controller Related to #2942 2021-10-19 00:46:55 +08:00
			`$attachment->setAttribute('links', [`
			`'html' => $attachment->htmlLink(),`
			`'markdown' => $attachment->markdownLink(),`
			`]);`

Added streaming support to API attachment read responses Required some special handling due to the content being base64-encoded within a JSON response. 2022-04-03 02:20:59 +08:00			`// Simply return a JSON response of the attachment for link-based attachments`
			`if ($attachment->external) {`
Build out core attachments API controller Related to #2942 2021-10-19 00:46:55 +08:00			`$attachment->setAttribute('content', $attachment->path);`
Updated composer deps, applied latest StyleCI changes 2022-04-25 01:22:40 +08:00
Added streaming support to API attachment read responses Required some special handling due to the content being base64-encoded within a JSON response. 2022-04-03 02:20:59 +08:00			`return response()->json($attachment);`
Build out core attachments API controller Related to #2942 2021-10-19 00:46:55 +08:00			`}`

Added streaming support to API attachment read responses Required some special handling due to the content being base64-encoded within a JSON response. 2022-04-03 02:20:59 +08:00			`// Build and split our core JSON, at point of content.`
			`$splitter = 'CONTENT_SPLIT_LOCATION_' . time() . '_' . rand(1, 40000);`
			`$attachment->setAttribute('content', $splitter);`
			`$json = $attachment->toJson();`
			`$jsonParts = explode($splitter, $json);`
			`// Get a stream for the file data from storage`
			`$stream = $this->attachmentService->streamAttachmentFromStorage($attachment);`

			`return response()->stream(function () use ($jsonParts, $stream) {`
			`// Output the pre-content JSON data`
			`echo $jsonParts[0];`

			`// Stream out our attachment data as base64 content`
			`stream_filter_append($stream, 'convert.base64-encode', STREAM_FILTER_READ);`
			`fpassthru($stream);`
			`fclose($stream);`

			`// Output our post-content JSON data`
			`echo $jsonParts[1];`
			`}, 200, ['Content-Type' => 'application/json']);`
Build out core attachments API controller Related to #2942 2021-10-19 00:46:55 +08:00			`}`

			`/**`
			`* Update the details of a single attachment.`
Added attachment API examples during manual testing 2021-10-20 17:43:03 +08:00			`* As per the create endpoint, if a file is being provided as the attachment content`
			`* the request should be formatted as a multipart/form-data request instead of JSON.`
Build out core attachments API controller Related to #2942 2021-10-19 00:46:55 +08:00			`*`
			`* @throws ValidationException`
			`* @throws FileUploadException`
			`*/`
			`public function update(Request $request, string $id)`
			`{`
Added an env configurable file upload size limit Replaces the old suggestion of setting JS head 'window.uploadLimit' variable. This new env option will be used by back-end validation and front-end libs/logic too. Limits already likely exist within prod environments at a PHP and webserver level but this allows an app-level limit and centralises the option on the BookStack side into the .env Closes #3033 2021-11-15 06:03:22 +08:00			`$requestData = $this->validate($request, $this->rules()['update']);`
Build out core attachments API controller Related to #2942 2021-10-19 00:46:55 +08:00			`/** @var Attachment $attachment */`
			`$attachment = Attachment::visible()->findOrFail($id);`

			`$page = $attachment->page;`
			`if ($requestData['uploaded_to'] ?? false) {`
			`$pageId = $request->get('uploaded_to');`
			`$page = Page::visible()->findOrFail($pageId);`
			`$attachment->uploaded_to = $requestData['uploaded_to'];`
			`}`

			`$this->checkOwnablePermission('page-view', $page);`
			`$this->checkOwnablePermission('page-update', $page);`
			`$this->checkOwnablePermission('attachment-update', $attachment);`

			`if ($request->hasFile('file')) {`
			`$uploadedFile = $request->file('file');`
Added TestCase for attachments API methods 2021-10-20 07:58:56 +08:00			`$attachment = $this->attachmentService->saveUpdatedUpload($uploadedFile, $attachment);`
Build out core attachments API controller Related to #2942 2021-10-19 00:46:55 +08:00			`}`

			`$this->attachmentService->updateFile($attachment, $requestData);`
Applied latest changes from styleCI 2021-10-20 17:49:45 +08:00
Build out core attachments API controller Related to #2942 2021-10-19 00:46:55 +08:00			`return response()->json($attachment);`
			`}`

			`/**`
			`* Delete an attachment of the given ID.`
			`*`
			`* @throws Exception`
			`*/`
			`public function delete(string $id)`
			`{`
			`/** @var Attachment $attachment */`
			`$attachment = Attachment::visible()->findOrFail($id);`
			`$this->checkOwnablePermission('attachment-delete', $attachment);`

			`$this->attachmentService->deleteFile($attachment);`

			`return response('', 204);`
			`}`
Added an env configurable file upload size limit Replaces the old suggestion of setting JS head 'window.uploadLimit' variable. This new env option will be used by back-end validation and front-end libs/logic too. Limits already likely exist within prod environments at a PHP and webserver level but this allows an app-level limit and centralises the option on the BookStack side into the .env Closes #3033 2021-11-15 06:03:22 +08:00
			`protected function rules(): array`
			`{`
			`return [`
			`'create' => [`
			`'name' => ['required', 'min:1', 'max:255', 'string'],`
			`'uploaded_to' => ['required', 'integer', 'exists:pages,id'],`
			`'file' => array_merge(['required_without:link'], $this->attachmentService->getFileValidationRules()),`
Increased attachment link limit from 192 to 2k Added test to cover. Did attempt a 64k limit, but values over 2k significantly increase chance of other issues since this URL may be used in redirect headers. Would rather catch issues in-app. For #4044 2023-02-20 21:05:23 +08:00			`'link' => ['required_without:file', 'min:1', 'max:2000', 'safe_url'],`
Added an env configurable file upload size limit Replaces the old suggestion of setting JS head 'window.uploadLimit' variable. This new env option will be used by back-end validation and front-end libs/logic too. Limits already likely exist within prod environments at a PHP and webserver level but this allows an app-level limit and centralises the option on the BookStack side into the .env Closes #3033 2021-11-15 06:03:22 +08:00			`],`
			`'update' => [`
			`'name' => ['min:1', 'max:255', 'string'],`
			`'uploaded_to' => ['integer', 'exists:pages,id'],`
			`'file' => $this->attachmentService->getFileValidationRules(),`
Increased attachment link limit from 192 to 2k Added test to cover. Did attempt a 64k limit, but values over 2k significantly increase chance of other issues since this URL may be used in redirect headers. Would rather catch issues in-app. For #4044 2023-02-20 21:05:23 +08:00			`'link' => ['min:1', 'max:2000', 'safe_url'],`
Added an env configurable file upload size limit Replaces the old suggestion of setting JS head 'window.uploadLimit' variable. This new env option will be used by back-end validation and front-end libs/logic too. Limits already likely exist within prod environments at a PHP and webserver level but this allows an app-level limit and centralises the option on the BookStack side into the .env Closes #3033 2021-11-15 06:03:22 +08:00			`],`
			`];`
			`}`
Build out core attachments API controller Related to #2942 2021-10-19 00:46:55 +08:00			`}`