Change insertfile URI to include doc key in it

From
/lool/insertfile
to
/lool/<docUrl>/insertfile

Change-Id: I63864673bc1d92a737a95b484c2f440cb5ce6605
This commit is contained in:
Pranav Kant 2016-09-29 21:12:50 +05:30
parent 12dee85ef8
commit 8c61ee3c94
2 changed files with 17 additions and 2 deletions

View file

@ -14,7 +14,8 @@ L.Map.FileInserter = L.Handler.extend({
this._toInsert = {};
var parser = document.createElement('a');
parser.href = map.options.server;
this._url = map.options.webserver + '/' + map.options.urlPrefix + '/insertfile';
this._url = map.options.webserver + '/' + map.options.urlPrefix +
'/' + encodeURIComponent(map.options.doc) + '/insertfile';
},
addHooks: function () {

View file

@ -472,7 +472,7 @@ private:
return true;
}
else if (tokens.count() >= 3 && tokens[2] == "insertfile")
else if (tokens.count() >= 4 && tokens[3] == "insertfile")
{
Log::info("Insert file request.");
response.set("Access-Control-Allow-Origin", "*");
@ -488,6 +488,20 @@ private:
const std::string formChildid(form.get("childid"));
const std::string formName(form.get("name"));
// Validate the docKey
std::unique_lock<std::mutex> docBrokersLock(docBrokersMutex);
std::string decodedUri;
URI::decode(tokens[2], decodedUri);
const auto docKey = DocumentBroker::getDocKey(DocumentBroker::sanitizeURI(decodedUri));
auto docBrokerIt = docBrokers.find(docKey);
// Maybe just free the client from sending childid in form ?
if (docBrokerIt == docBrokers.end() || docBrokerIt->second->getJailId() != formChildid)
{
throw BadRequestException("DocKey [" + docKey + "] or childid [" + formChildid + "] is invalid.");
}
docBrokersLock.unlock();
// protect against attempts to inject something funny here
if (formChildid.find('/') == std::string::npos && formName.find('/') == std::string::npos)
{