From be90bafe7e33ff25844f89d98d683055de02442d Mon Sep 17 00:00:00 2001
From: Alex Rothberg
Date: Fri, 13 Dec 2024 02:25:00 -0500
Subject: [PATCH 1/9] Fix Asset exists check for files within folders when drag and dropping. (#725)
* Fix Asset exists check for files within folders when drag and droppping.
* fix path formation
* change code flow for reading dir for request.
* use default arg
---
 public/js/pimcore/asset/tree.js | 3 ++-
 src/Controller/Admin/Asset/AssetController.php | 14 +++++++++++++-
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/public/js/pimcore/asset/tree.js b/public/js/pimcore/asset/tree.js
index 8e9b289c4..15370b72e 100644
--- a/public/js/pimcore/asset/tree.js
+++ b/public/js/pimcore/asset/tree.js
@@ -277,7 +277,8 @@
 url: Routing.generate('pimcore_admin_asset_exists'),
 params: {
 parentId: parentNode.id,
- filename: file.name
+ filename: file.name,
+ dir: path
 },
 async: false,
 success: function (response) {
diff --git a/src/Controller/Admin/Asset/AssetController.php b/src/Controller/Admin/Asset/AssetController.php
index cf0434167..29ad5e91f 100644
--- a/src/Controller/Admin/Asset/AssetController.php
+++ b/src/Controller/Admin/Asset/AssetController.php
@@ -401,8 +401,20 @@ public function existsAction(Request $request): JsonResponse
 {
 $parentAsset = \Pimcore\Model\Asset::getById((int)$request->get('parentId'));
 
+ $dir = $request->get('dir', '');
+ if ($dir){
+ // this is for uploading folders with Drag&Drop
+ // param "dir" contains the relative path of the file
+ if (strpos($dir, '..') !== false) {
+ throw new \Exception('not allowed');
+ }
+ $dir = '/' . trim($dir, '/ ');
+ }
+
+ $assetPath = $parentAsset->getRealFullPath() . $dir . '/' . $request->get('filename');
+
 return new JsonResponse([
- 'exists' => Asset\Service::pathExists($parentAsset->getRealFullPath().'/'.$request->get('filename')),
+ 'exists' => Asset\Service::pathExists($assetPath),
 ]);
 }
 
From 50e6d2b3be78fe2b0c56515e854d6e0f4e13ae8b Mon Sep 17 00:00:00 2001
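Review bot: `$dir = $request->get('dir', '')` is used without a type check, and Symfony's `Request::get()` hands back the raw query value, so a `dir[]=…` parameter arrives as an array and `strpos()`/`trim()` fail with a TypeError instead of the intended rejection; guard it before anything else with `if (!is_string($dir) || str_contains($dir, '..')) { throw new \Exception('not allowed'); }`. `if ($dir)` also treats a sub-folder literally named `0` as absent, so `$dir !== ''` is the safer test. A bare `\Exception` surfaces as a 500 for what is client-side bad input; Symfony's `BadRequestHttpException` keeps the rejection distinguishable as a 400 in logs and monitoring. `$parentAsset` from `Asset::getById()` is still dereferenced unchecked on the new `$assetPath` line — pre-existing, but this hunk is where a null guard now belongs. existsAction is complete within the hunk.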
From: mattamon
Date: Fri, 13 Dec 2024 07:25:32 +0000
Subject: [PATCH 2/9] Apply php-cs-fixer changes
---
 src/Controller/Admin/Asset/AssetController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Controller/Admin/Asset/AssetController.php b/src/Controller/Admin/Asset/AssetController.php
index 29ad5e91f..ac0fc8244 100644
--- a/src/Controller/Admin/Asset/AssetController.php
+++ b/src/Controller/Admin/Asset/AssetController.php
@@ -402,7 +402,7 @@ public function existsAction(Request $request): JsonResponse
 $parentAsset = \Pimcore\Model\Asset::getById((int)$request->get('parentId'));
 
 $dir = $request->get('dir', '');
- if ($dir){
+ if ($dir) {
 // this is for uploading folders with Drag&Drop
 // param "dir" contains the relative path of the file
 if (strpos($dir, '..') !== false) {
From bd0130ea315d5f25a0da9c7bd1382228dbcd7593 Mon Sep 17 00:00:00 2001
From: mattamon
Date: Mon, 16 Dec 2024 12:12:06 +0100
Subject: [PATCH 3/9] Fix faulty slash in condition
---
 src/Helper/GridHelperService.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/Helper/GridHelperService.php b/src/Helper/GridHelperService.php
index 45ae42b87..51ad8d82e 100644
--- a/src/Helper/GridHelperService.php
+++ b/src/Helper/GridHelperService.php
@@ -935,7 +935,7 @@ private function optimizedConcatLike(string $fullpath): string
 return '(
 (`path` = "' . $path . '/" AND `key` = "' . $leaf . '")
 OR
- `path` LIKE "' . $fullpath . '/%"
+ `path` LIKE "' . $fullpath . '%"
 )';
 }
 
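Review bot: Dropping the slash from the LIKE pattern (`$fullpath . '%'` instead of `$fullpath . '/%'`) makes an allowance for `/foo` also match `/foobar` and everything below it, because the stored path no longer has to continue with a separator; in the permission SQL built by getPermittedPathsByUser this widens what a user may list, and patch 8 later in this series puts `/%` back together with a root special case, so this hunk should not be applied on its own. Separately, `$path`, `$leaf` and `$fullpath` are concatenated into the statement inside double quotes with no quoting and without escaping the LIKE wildcards `%` and `_`, so a path containing a quote or a wildcard alters the predicate instead of being matched literally. Quote them through the connection (`$db->quote(...)`, as getFilterCondition in this file already does) and escape `%`/`_` before forming the pattern; the same applies to the NOT LIKE variant in patch 5 (`@@ -954`) and the rewrites in patch 6 (`@@ -926`, `@@ -943`). optimizedConcatLike begins outside this hunk.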
@@ -999,11 +999,11 @@ protected function getPermittedPathsByUser(string $type, User $user): string
 // the result would be like `(((path1 OR path2) AND (not_path3 AND not_path4)))`
 $forbiddenAndAllowedSql = '(';
 
- if ($allowedPathSql || $forbiddenPathSql) {
+ if (!empty($allowedPathSql) || !empty($forbiddenPathSql)) {
 $forbiddenAndAllowedSql .= '(';
 $forbiddenAndAllowedSql .= $allowedPathSql ? '( ' . implode(' OR ', $allowedPathSql) . ' )' : '';
 
- if ($forbiddenPathSql) {
+ if (!empty($forbiddenPathSql)) {
 //if $allowedPathSql "implosion" is present, we need `AND` in between
 $forbiddenAndAllowedSql .= $allowedPathSql ? ' AND ' : '';
 $forbiddenAndAllowedSql .= implode(' AND ', $forbiddenPathSql);
From 0b7366ea5516dfd3db077d24168e5a48066cb069 Mon Sep 17 00:00:00 2001
From: Sebastian Blank
Date: Mon, 16 Dec 2024 19:07:53 +0100
Subject: [PATCH 4/9] Fix: Video Element not working (#785)
* Fix: Video Element not working
* data.allowedTypes is already correct from PHP class
---
 public/js/pimcore/document/editables/video.js | 1 -
 1 file changed, 1 deletion(-)
diff --git a/public/js/pimcore/document/editables/video.js b/public/js/pimcore/document/editables/video.js
index 0153d9ae3..a7074d889 100644
--- a/public/js/pimcore/document/editables/video.js
+++ b/public/js/pimcore/document/editables/video.js
@@ -20,7 +20,6 @@ pimcore.document.editables.video = Class.create(pimcore.document.editable, {
 initialize: function($super, id, name, config, data, inherited) {
 $super(id, name, config, data, inherited);
 
- data.allowedTypes = config.allowedTypes;
 this.data = data;
 },
 
From 3d0fca204f3918e65eebd253caae766738cffc99 Mon Sep 17 00:00:00 2001
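Review bot: `!empty($allowedPathSql) || !empty($forbiddenPathSql)` is equivalent to the truthiness test it replaces for an initialised array (both are false for `[]`), so the only behavioural difference is that an unset variable no longer emits a warning; if that is the case being fixed, initialising `$allowedPathSql = [];` and `$forbiddenPathSql = [];` before the loops that fill them is the clearer fix — those loops are outside this hunk, so I cannot tell whether that already happens. Two lines later `$allowedPathSql ? '( ' . implode(' OR ', $allowedPathSql) . ' )' : ''` and the `' AND '` ternary still rely on plain truthiness, which leaves the hunk inconsistent with itself. getPermittedPathsByUser starts and ends outside the hunk.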
From: Christian Fasching
Date: Tue, 17 Dec 2024 14:32:25 +0100
Subject: [PATCH 5/9] [Bug] Fixed permission checks in certain constellations (#798)
* fixed permission checks in certain constellations
* fixed style
* fixed permission checks in certain constellations
---
 src/Helper/GridHelperService.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/Helper/GridHelperService.php b/src/Helper/GridHelperService.php
index 51ad8d82e..ddc46c7e4 100644
--- a/src/Helper/GridHelperService.php
+++ b/src/Helper/GridHelperService.php
@@ -954,7 +954,7 @@ private function optimizedConcatNotLike(string $fullpath, bool $onlyChildren = f
 }
 
 return '(
- (`path` != "' . $path . '/" AND `key` != "' . $leaf . '")
+ NOT (`path` = "' . $path . '/" AND `key` = "' . $leaf . '")
 AND
 `path` NOT LIKE "' . $fullpath . '/%"
 )';
@@ -989,7 +989,9 @@ protected function getPermittedPathsByUser(string $type, User $user): string
 //if any allowed child is found, the current folder can be listed but its content is still blocked
 $onlyChildren = true;
 }
- $forbiddenPathSql[] = $this->optimizedConcatNotLike($forbiddenPath, $onlyChildren) . $exceptions;
+ $forbiddenPathSql[] =
+ '(' . $this->optimizedConcatNotLike($forbiddenPath, $onlyChildren) . $exceptions . ')'
+ ;
 }
 foreach ($elementPaths['allowed'] as $allowedPaths) {
 $allowedPathSql[] = $this->optimizedConcatLike($allowedPaths);
From 10815c50be0bd9d53da888c09cc17f802c637934 Mon Sep 17 00:00:00 2001
From: Lisa Lamplmair
Date: Tue, 17 Dec 2024 14:47:07 +0100
Subject: [PATCH 6/9] [BUG] fix permission check in GridHelperService for wrong query column if type is asset (#793)
* [BUG] fix permission check in GridHelperService for wrong query column if type is asset
* add fixes for slashes and empty checks
* revert /
---------
Co-authored-by: Christian Fasching
Co-authored-by: robertSt7
---
 src/Helper/GridHelperService.php | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/src/Helper/GridHelperService.php b/src/Helper/GridHelperService.php
index ddc46c7e4..3709913e6 100644
--- a/src/Helper/GridHelperService.php
+++ b/src/Helper/GridHelperService.php
@@ -315,8 +315,8 @@ public function getFilterCondition(string $filterJson, ClassDefinition $class, ?
 $fieldConditions = [];
 foreach ($filter['value'] as $filterValue) {
 $brickCondition = '(' . $brickField->getFilterCondition($filterValue, $operator,
- ['brickPrefix' => $brickPrefix]
- ) . ' AND ' . $brickType . '.fieldname = ' . $db->quote($brickFilterField) . ')';
+ ['brickPrefix' => $brickPrefix]
+ ) . ' AND ' . $brickType . '.fieldname = ' . $db->quote($brickFilterField) . ')';
 $fieldConditions[] = $brickCondition;
 }
 
@@ -325,7 +325,7 @@ public function getFilterCondition(string $filterJson, ClassDefinition $class, ?
 }
 } else {
 $brickCondition = '(' . $brickField->getFilterCondition($filter['value'], $operator,
- ['brickPrefix' => $brickPrefix]) . ' AND ' . $brickType . '.fieldname = ' . $db->quote($brickFilterField) . ')';
+ ['brickPrefix' => $brickPrefix]) . ' AND ' . $brickType . '.fieldname = ' . $db->quote($brickFilterField) . ')';
 $conditionPartsFilters[] = $brickCondition;
 }
 } elseif ($field instanceof ClassDefinition\Data\UrlSlug) {
@@ -926,14 +926,15 @@ public function createXlsxExportFile(FilesystemOperator $storage, string $fileHa
 /**
 * A more performant alternative to "CONCAT(`path`,`key`) LIKE $fullpath"
 */
- private function optimizedConcatLike(string $fullpath): string
+ private function optimizedConcatLike(string $fullpath, string $type = 'object'): string
 {
 $pathParts = explode('/', $fullpath);
 $leaf = array_pop($pathParts);
 $path = implode('/', $pathParts);
+ $queryColumn = $type === 'asset' ? '`filename`' : '`key`';
 
 return '(
- (`path` = "' . $path . '/" AND `key` = "' . $leaf . '")
+ (`path` = "' . $path . '/" AND ' . $queryColumn . ' = "' . $leaf . '")
 OR
 `path` LIKE "' . $fullpath . '%"
 )';
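Review bot: The new `$queryColumn` ternary maps every value other than `'asset'` — including a misspelt or unexpected `$type` — to the `key` column, so a wrong type silently produces a permission predicate against the wrong column instead of an error; a `match ($type)` with explicit cases for `'asset'` and the other known types and no default fails loudly on anything else (that documents use `key` is inferred from the previous default — confirm against the schema). The identical expression is duplicated in optimizedConcatNotLike (`@@ -943`, next hunk), so a small private helper such as `keyColumnFor(string $type): string` would keep both in step. The docblock above the signature should also describe the new parameter, e.g. `@param string $type element type ('object', 'document' or 'asset'); selects the column that holds the leaf name`.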
@@ -943,18 +944,23 @@ private function optimizedConcatLike(string $fullpath): string
 * A more performant alternative to "CONCAT(`path`,`key`) NOT LIKE $fullpath"
 * Set $onlyChildren to true when you want to exclude the folder/element itself
 */
- private function optimizedConcatNotLike(string $fullpath, bool $onlyChildren = false): string
+ private function optimizedConcatNotLike(
+ string $fullpath,
+ bool $onlyChildren = false,
+ string $type = 'object'
+ ): string
 {
 $pathParts = explode('/', $fullpath);
 $leaf = array_pop($pathParts);
 $path = implode('/', $pathParts);
+ $queryColumn = $type === 'asset' ? '`filename`' : '`key`';
 
 if ($onlyChildren) {
 return '`path` NOT LIKE "' . $fullpath . '/%"';
 }
 
 return '(
- NOT (`path` = "' . $path . '/" AND `key` = "' . $leaf . '")
+ NOT (`path` = "' . $path . '/" AND ' . $queryColumn . ' = "' . $leaf . '")
 AND
 `path` NOT LIKE "' . $fullpath . '/%"
 )';
@@ -983,18 +989,18 @@ protected function getPermittedPathsByUser(string $type, User $user): string
 if ($exceptionsConcat !== '') {
 $exceptionsConcat.= ' OR ';
 }
- $exceptionsConcat.= $this->optimizedConcatLike($path);
+ $exceptionsConcat.= $this->optimizedConcatLike($path, $type);
 }
 $exceptions = ' OR (' . $exceptionsConcat . ')';
 //if any allowed child is found, the current folder can be listed but its content is still blocked
 $onlyChildren = true;
 }
 $forbiddenPathSql[] =
- '(' . $this->optimizedConcatNotLike($forbiddenPath, $onlyChildren) . $exceptions . ')'
+ '(' . $this->optimizedConcatNotLike($forbiddenPath, $onlyChildren, $type) . $exceptions . ')'
 ;
 }
 foreach ($elementPaths['allowed'] as $allowedPaths) {
- $allowedPathSql[] = $this->optimizedConcatLike($allowedPaths);
+ $allowedPathSql[] = $this->optimizedConcatLike($allowedPaths, $type);
 }
 
 // this is to avoid query error when implode is empty.
From 2626a8562dc7aa72ef6fe8a3016a02e80598dd9c Mon Sep 17 00:00:00 2001
From: robertSt7
Date: Tue, 17 Dec 2024 13:47:34 +0000
Subject: [PATCH 7/9] Apply php-cs-fixer changes
---
 src/Helper/GridHelperService.php | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/src/Helper/GridHelperService.php b/src/Helper/GridHelperService.php
index 3709913e6..2f5cc959d 100644
--- a/src/Helper/GridHelperService.php
+++ b/src/Helper/GridHelperService.php
@@ -315,8 +315,8 @@ public function getFilterCondition(string $filterJson, ClassDefinition $class, ?
 $fieldConditions = [];
 foreach ($filter['value'] as $filterValue) {
 $brickCondition = '(' . $brickField->getFilterCondition($filterValue, $operator,
- ['brickPrefix' => $brickPrefix]
- ) . ' AND ' . $brickType . '.fieldname = ' . $db->quote($brickFilterField) . ')';
+ ['brickPrefix' => $brickPrefix]
+ ) . ' AND ' . $brickType . '.fieldname = ' . $db->quote($brickFilterField) . ')';
 $fieldConditions[] = $brickCondition;
 }
 
@@ -325,7 +325,7 @@ public function getFilterCondition(string $filterJson, ClassDefinition $class, ?
 }
 } else {
 $brickCondition = '(' . $brickField->getFilterCondition($filter['value'], $operator,
- ['brickPrefix' => $brickPrefix]) . ' AND ' . $brickType . '.fieldname = ' . $db->quote($brickFilterField) . ')';
+ ['brickPrefix' => $brickPrefix]) . ' AND ' . $brickType . '.fieldname = ' . $db->quote($brickFilterField) . ')';
 $conditionPartsFilters[] = $brickCondition;
 }
 } elseif ($field instanceof ClassDefinition\Data\UrlSlug) {
@@ -948,8 +948,7 @@ private function optimizedConcatNotLike(
 string $fullpath,
 bool $onlyChildren = false,
 string $type = 'object'
- ): string
- {
+ ): string {
 $pathParts = explode('/', $fullpath);
 $leaf = array_pop($pathParts);
 $path = implode('/', $pathParts);
From 0e3a8e14cb2399e348f4ab88e7147d37b76bbdd6 Mon Sep 17 00:00:00 2001
From: Christian Fasching
Date: Tue, 17 Dec 2024 14:47:58 +0100
Subject: [PATCH 8/9] optimize permission concat (#799)
---
 src/Helper/GridHelperService.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/Helper/GridHelperService.php b/src/Helper/GridHelperService.php
index 2f5cc959d..8b6beffb6 100644
--- a/src/Helper/GridHelperService.php
+++ b/src/Helper/GridHelperService.php
@@ -928,6 +928,11 @@ public function createXlsxExportFile(FilesystemOperator $storage, string $fileHa
 */
 private function optimizedConcatLike(string $fullpath, string $type = 'object'): string
 {
+ //special case for the root folder
+ if($fullpath === '/') {
+ return '`path` LIKE "/%"';
+ }
+
 $pathParts = explode('/', $fullpath);
 $leaf = array_pop($pathParts);
 $path = implode('/', $pathParts);
@@ -936,7 +941,7 @@ private function optimizedConcatLike(string $fullpath, string $type = 'object'):
 return '(
 (`path` = "' . $path . '/" AND ' . $queryColumn . ' = "' . $leaf . '")
 OR
- `path` LIKE "' . $fullpath . '%"
+ `path` LIKE "' . $fullpath . '/%"
 )';
 }
 
From 38bc0b2e9ce5896a6942a9e6f40e2e4ba6df52d0 Mon Sep 17 00:00:00 2001
From: robertSt7
Date: Tue, 17 Dec 2024 13:48:25 +0000
Subject: [PATCH 9/9] Apply php-cs-fixer changes
---
 src/Helper/GridHelperService.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Helper/GridHelperService.php b/src/Helper/GridHelperService.php
index 8b6beffb6..9bab4b4d0 100644
--- a/src/Helper/GridHelperService.php
+++ b/src/Helper/GridHelperService.php
@@ -929,7 +929,7 @@ public function createXlsxExportFile(FilesystemOperator $storage, string $fileHa
 private function optimizedConcatLike(string $fullpath, string $type = 'object'): string
 {
 //special case for the root folder
- if($fullpath === '/') {
+ if ($fullpath === '/') {
 return '`path` LIKE "/%"';
 }
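Review bot: The root special case is added only to optimizedConcatLike; its counterpart optimizedConcatNotLike (patch 6, `@@ -943`) still derives `$path = ''` and `$leaf = ''` from `$fullpath === '/'` and emits a NOT LIKE against the pattern `//%`, which no well-formed stored path matches, so a forbidden root entry — if the workspace configuration can produce one — would exclude only the root row and leave every descendant visible. Mirror the guard there by returning, for `$fullpath === '/'`, a NOT LIKE on the pattern `/%` (false for every stored path, so only the OR'ed exception paths survive), and in both places replace `//special case for the root folder` with a comment that says why: `// root: explode() yields an empty path and leaf, which would produce a "//" pattern`. Restoring `/%` in the second hunk (`@@ -936`) also means a `$fullpath` that already ends in a slash would produce `//%`; if callers can pass one, `$fullpath = rtrim($fullpath, '/');` after the root check covers it.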