diff --git a/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/web/UploadAction.java b/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/web/UploadAction.java
index db24b5b..1208fb2 100644
--- a/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/web/UploadAction.java
+++ b/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/web/UploadAction.java
@@ -33,12 +33,14 @@
 import org.apache.velocity.VelocityContext;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.xwiki.configuration.ConfigurationSource;
 import com.xpn.xwiki.XWikiContext;
 import com.xpn.xwiki.XWikiException;
 import com.xpn.xwiki.doc.XWikiAttachment;
 import com.xpn.xwiki.doc.XWikiDocument;
 import com.xpn.xwiki.plugin.fileupload.FileUploadPlugin;
+import com.xpn.xwiki.user.api.XWikiRightService;
 /**
  * Action that handles uploading document attachments. It saves all the uploaded files whose fieldname start with
@@ -57,6 +59,18 @@
     /** The prefix of the corresponding filename input field name. */
     private static final String FILENAME_FIELD_NAME = "filename";
+    /**
+     * The configuration parameter (xwiki.properties) that holds the list of file types (media types) the users are
+     * allowed to store.
+     */
+    public static final String WHITELIST_PROPERTY = "attachment.store.whitelist";
+
+    /**
+     * The configuration parameter (xwiki.properties) that holds the list of file types (media types) the users are not
+     * allowed to store.
+     */
+    public static final String BLACKLIST_PROPERTY = "attachment.store.blacklist";
+
     @Override
     public boolean action(XWikiContext context) throws XWikiException
     {
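Review bot: The Javadoc on WHITELIST_PROPERTY and BLACKLIST_PROPERTY does not say what happens when both properties are configured; the lookup this commit adds further down consults the whitelist first and never reads the blacklist in that case, and neither list is applied to users holding programming rights. Both facts are part of the contract an administrator editing xwiki.properties needs, so they belong on the constants, e.g. `* If both properties are set, only the whitelist is consulted. The restriction does not apply to users with programming rights.` It would also help to state how the list is written in the properties file, which the constant name alone does not convey.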
@@ -107,6 +121,8 @@ public boolean action(XWikiContext context) throws XWikiException
         for (Entry file : fileNames.entrySet()) {
             try {
+                String mediaType = fileupload.getFile(file.getValue(), context).getContentType();
+                checkIfMediaTypeIsAllowed(mediaType, context);
                 uploadAttachment(file.getValue(), file.getKey(), fileupload, doc, context);
             } catch (Exception ex) {
                 LOGGER.warn("Saving uploaded file failed", ex);
@@ -258,6 +274,49 @@ protected String getFileName(String fieldName, FileUploadPlugin fileupload, XWik
         return filename;
     }
+    /**
+     * Checks if the current user is allowed to store files of the specified media type.
+     *
+     * @param mediaType the media type of the file the current user has uploaded
+     * @param context the XWiki context
+     * @throws XWikiException if the current user is not allowed to store files of the specified media type
+     */
+    private void checkIfMediaTypeIsAllowed(String mediaType, XWikiContext context) throws XWikiException
+    {
+        // Determine whether the current user has Programming Rights or not.
+        boolean hasPR = false;
+        try {
+            XWikiRightService rightsService = context.getWiki().getRightService();
+            hasPR = rightsService.hasAccessLevel("programming", context.getUser(), "XWiki.XWikiPreferences", context);
+        } catch (Exception e) {
+            // Ignore.
+        }
+
+        if (!hasPR && !isAllowedMediaType(mediaType)) {
+            String message = "You are not allowed to store files of type: " + mediaType;
+            throw new XWikiException(XWikiException.MODULE_XWIKI_APP,
+                XWikiException.ERROR_XWIKI_APP_UPLOAD_FILE_EXCEPTION, message);
+        }
+    }
+
+    /**
+     * @param mediaType an attachment media type
+     * @return {@code true} if the given media type can be stored, {@code false} otherwise
+     */
+    private boolean isAllowedMediaType(String mediaType)
+    {
+        ConfigurationSource configuration = Utils.getComponent(ConfigurationSource.class, "xwikiproperties");
+        if (configuration.containsKey(WHITELIST_PROPERTY)) {
+            List whiteList = configuration.getProperty(WHITELIST_PROPERTY);
+            return whiteList.contains(mediaType);
+        } else if (configuration.containsKey(BLACKLIST_PROPERTY)) {
+            List blackList = configuration.getProperty(BLACKLIST_PROPERTY);
+            return !blackList.contains(mediaType);
+        } else {
+            return true;
+        }
+    }
+
     @Override
     public String render(XWikiContext context) throws XWikiException
     {
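Review bot: checkIfMediaTypeIsAllowed enforces the configured lists against whatever mediaType string it is handed, and the only caller added by this commit (previous hunk) passes the uploaded part's getContentType(), a value the uploading client declares rather than one derived from the file, so the lists can only be relied on as a policy for well-behaved clients until the type is determined server-side. That limitation belongs in the Javadoc, e.g. `* Note that the media type is the one declared in the upload request, not detected from the file content.` The lookup in isAllowedMediaType is an exact `contains`, so a declared type carrying parameters (`text/html; charset=UTF-8`) or different casing will not match a plain `text/html` entry on either list; normalizing the value (drop anything after the first `;`, trim, lower-case with Locale.ROOT) before the lookup would make both lists behave as an administrator expects. The empty `catch (Exception e) { // Ignore. }` around the rights lookup fails closed because hasPR stays false, which is the right default, but it also hides a broken rights service; `LOGGER.debug("Failed to check programming rights for [{}]", context.getUser(), e);` keeps that visible without changing behaviour.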