Fixing inline attachments

api/BusinessLogic/Attachments/AttachmentRetriever.php

@@ -30,6 +30,20 @@ class AttachmentRetriever {
         $this->userToTicketChecker = $userToTicketChecker;
     }
 
+    //-- TODO Test
+    function getAttachmentContentsForTrackingId($trackingId, $attachmentId, $userContext, $heskSettings) {
+        $ticket = $this->ticketGateway->getTicketByTrackingId($trackingId, $heskSettings);
+
+        if ($ticket === null) {
+            throw new ApiFriendlyException("Ticket {$trackingId} not found!", "Ticket Not Found", 404);
+        }
+
+        $attachment = $this->attachmentGateway->getAttachmentById($attachmentId, $heskSettings);
+
+        return array('meta' => $attachment,
+            'contents' => $this->fileReader->readFromFile($attachment->savedName, $heskSettings['attach_dir']));
+    }
+
     function getAttachmentContentsForTicket($ticketId, $attachmentId, $userContext, $heskSettings) {
         $ticket = $this->ticketGateway->getTicketById($ticketId, $heskSettings);
 

api/Controllers/Attachments/PublicAttachmentController.php

@@ -0,0 +1,39 @@
+<?php
+
+namespace Controllers\Attachments;
+
+
+use BusinessLogic\Attachments\Attachment;
+use BusinessLogic\Attachments\AttachmentRetriever;
+use BusinessLogic\Exceptions\ApiFriendlyException;
+
+class PublicAttachmentController {
+    static function getRaw($trackingId, $attachmentId) {
+        global $hesk_settings, $applicationContext, $userContext;
+
+        self::verifyAttachmentsAreEnabled($hesk_settings);
+
+        /* @var $attachmentRetriever AttachmentRetriever */
+        $attachmentRetriever = $applicationContext->get[AttachmentRetriever::class];
+
+        $attachment = $attachmentRetriever->getAttachmentContentsForTrackingId($trackingId, $attachmentId, $userContext, $hesk_settings);
+
+        /* @var $metadata Attachment */
+        $metadata = $attachment['meta'];
+
+        // Send the file as an attachment to prevent malicious code from executing
+        header("Pragma: "); # To fix a bug in IE when running https
+        header("Cache-Control: "); # To fix a bug in IE when running https
+        header('Content-Description: File Transfer');
+        header('Content-Type: application/octet-stream');
+        header('Content-Length: ' . $metadata->fileSize);
+        header('Content-Disposition: attachment; filename=' . $metadata->displayName);
+        print $attachment['contents'];
+    }
+
+    private static function verifyAttachmentsAreEnabled($heskSettings) {
+        if (!$heskSettings['attachments']['use']) {
+            throw new ApiFriendlyException('Attachments are disabled on this server', 'Attachments Disabled', 404);
+        }
+    }
+}

api/index.php

@@ -20,6 +20,9 @@ function before() {
 
     if ($internalUse === 'true') {
         buildUserContextFromSession();
+    } elseif (preg_match('/\/v1\/tickets\/.+\/attachments\/\d+/', $_SERVER['PATH_INFO'])) {
+        //-- TODO Clean this up
+        return;
     } else {
         assertApiIsEnabled();
         $token = \BusinessLogic\Helpers::getHeader('X-AUTH-TOKEN');
@@ -168,13 +171,14 @@ Link::before('before');
 
 Link::all(array(
     // Categories
-    '/v1/categories' => \Controllers\Categories\CategoryController::class . '::printAllCategories',
+    '/v1/categories' => [\Controllers\Categories\CategoryController::class . '::printAllCategories'],
     '/v1/categories/{i}' => \Controllers\Categories\CategoryController::class,
     // Tickets
     '/v1/tickets' => \Controllers\Tickets\CustomerTicketController::class,
     // Tickets - Staff
     '/v1/staff/tickets/{i}' => \Controllers\Tickets\StaffTicketController::class,
     // Attachments
+    '/v1/tickets/{a}/attachments/{i}' => \Controllers\Attachments\PublicAttachmentController::class . '::getRaw',
     '/v1/staff/tickets/{i}/attachments' => \Controllers\Attachments\StaffTicketAttachmentsController::class,
     '/v1/staff/tickets/{i}/attachments/{i}' => \Controllers\Attachments\StaffTicketAttachmentsController::class,
     // Statuses

inc/common.inc.php

@@ -262,13 +262,13 @@ function hesk_load_database_functions()
 
 function hesk_load_api_database_functions()
 {
-    require(__DIR__ . '/../api/core/json_error.php');
+    require(__DIR__ . '/../api/Core/json_error.php');
     // Preferrably use the MySQLi functions
     if (function_exists('mysqli_connect')) {
-        require(__DIR__ . '/../api/core/database_mysqli.inc.php');
+        require(__DIR__ . '/../api/Core/database_mysqli.inc.php');
     } // Default to MySQL
     else {
-        require(__DIR__ . '/../api/core/database.inc.php');
+        require(__DIR__ . '/../api/Core/database.inc.php');
     }
 } // END hesk_load_database_functions()