diff --git a/api/BusinessLogic/Attachments/AttachmentRetriever.php b/api/BusinessLogic/Attachments/AttachmentRetriever.php index 59fdcc54..9035df42 100644 --- a/api/BusinessLogic/Attachments/AttachmentRetriever.php +++ b/api/BusinessLogic/Attachments/AttachmentRetriever.php @@ -30,6 +30,20 @@ class AttachmentRetriever { $this->userToTicketChecker = $userToTicketChecker; } + //-- TODO Test + function getAttachmentContentsForTrackingId($trackingId, $attachmentId, $userContext, $heskSettings) { + $ticket = $this->ticketGateway->getTicketByTrackingId($trackingId, $heskSettings); + + if ($ticket === null) { + throw new ApiFriendlyException("Ticket {$trackingId} not found!", "Ticket Not Found", 404); + } + + $attachment = $this->attachmentGateway->getAttachmentById($attachmentId, $heskSettings); + + return array('meta' => $attachment, + 'contents' => $this->fileReader->readFromFile($attachment->savedName, $heskSettings['attach_dir'])); + } + function getAttachmentContentsForTicket($ticketId, $attachmentId, $userContext, $heskSettings) { $ticket = $this->ticketGateway->getTicketById($ticketId, $heskSettings); diff --git a/api/Controllers/Attachments/PublicAttachmentController.php b/api/Controllers/Attachments/PublicAttachmentController.php new file mode 100644 index 00000000..276060fe --- /dev/null +++ b/api/Controllers/Attachments/PublicAttachmentController.php 
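Review bot: getAttachmentContentsForTrackingId looks the attachment up by `$attachmentId` alone and never checks that it belongs to the ticket resolved from the tracking ID, so anyone holding one valid tracking ID can read any attachment on the server by walking IDs; it also dereferences `$attachment->savedName` with no null check. After the getAttachmentById call add `if ($attachment === null || $attachment->ticketId !== $ticket->id) { throw new ApiFriendlyException("Attachment {$attachmentId} not found!", "Attachment Not Found", 404); }` — the `ticketId`/`id` property names are inferred from the gateway calls here, so confirm them against the Attachment and Ticket classes. `$userContext` is accepted but unused, whereas the sibling getAttachmentContentsForTicket (whose body continues past the hunk) takes the same parameter and presumably runs it through userToTicketChecker. The `//-- TODO Test` marker should be resolved before merge.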
@@ -0,0 +1,39 @@ +get[AttachmentRetriever::class]; + + $attachment = $attachmentRetriever->getAttachmentContentsForTrackingId($trackingId, $attachmentId, $userContext, $hesk_settings); + + /* @var $metadata Attachment */ + $metadata = $attachment['meta']; + + // Send the file as an attachment to prevent malicious code from executing + header("Pragma: "); # To fix a bug in IE when running https + header("Cache-Control: "); # To fix a bug in IE when running https + header('Content-Description: File Transfer'); + header('Content-Type: application/octet-stream'); + header('Content-Length: ' . $metadata->fileSize); + header('Content-Disposition: attachment; filename=' . $metadata->displayName); + print $attachment['contents']; + } + + private static function verifyAttachmentsAreEnabled($heskSettings) { + if (!$heskSettings['attachments']['use']) { + throw new ApiFriendlyException('Attachments are disabled on this server', 'Attachments Disabled', 404); + } + } +} \ No newline at end of file diff --git a/api/index.php b/api/index.php index 99061ea3..b0480ef8 100644 --- a/api/index.php +++ b/api/index.php @@ -18,15 +18,10 @@ function handle404() { function before() { global $userContext; + return; + assertApiIsEnabled(); - $path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH); - - if (preg_match('/^.*\/v1-public\/staff\/inline-attachment\/\d+$/', $path)) { - $userContext = \BusinessLogic\Security\UserContext::buildAnonymousUser(); - return; - } - $internalUse = \BusinessLogic\Helpers::getHeader('X-INTERNAL-CALL'); if ($internalUse === 'true') { 
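Review bot: The `Content-Disposition` header in getRaw interpolates `$metadata->displayName` unquoted and unescaped, so a display name containing `;`, `"`, whitespace or non-ASCII characters produces a malformed or attacker-shaped header; emit it as `header('Content-Disposition: attachment; filename="' . str_replace(['"', "\r", "\n"], '', $metadata->displayName) . '"');` or use an RFC 5987 `filename*=UTF-8''...` form. The `application/octet-stream` type only does what the comment above it claims if browsers are told not to sniff, so add `header('X-Content-Type-Options: nosniff');` next to it. verifyAttachmentsAreEnabled is declared but the opening of getRaw is garbled in this chunk, so I cannot confirm it is called before the retriever runs; the class header and the start of getRaw are not legible here.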
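Review bot: The unconditional `return;` added as the first statement of before() skips assertApiIsEnabled() and every check after it, including the X-INTERNAL-CALL handling still visible in the hunk, so the whole API now runs with no pre-request guard and `$userContext` is never populated for any route; this reads as a debugging leftover rather than a deliberate replacement for the removed inline-attachment exemption. Drop the two added lines and instead exempt only the new public route, keeping the `$path = parse_url(...)` line and replacing the removed pattern with `'/^.*\/v1\/tickets\/[^\/]+\/attachments\/\d+$/'` so that only that path gets the anonymous user context. The remainder of before() runs past the end of the hunk, so whatever authentication it performs is what this `return;` disables.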
@@ -185,10 +180,9 @@ Link::all(array( // Tickets - Staff '/v1/staff/tickets/{i}' => \Controllers\Tickets\StaffTicketController::class, // Attachments + '/v1/tickets/{a}/attachments/{i}' => \Controllers\Attachments\PublicAttachmentController::class . '::getRaw', '/v1/staff/tickets/{i}/attachments' => \Controllers\Attachments\StaffTicketAttachmentsController::class, '/v1/staff/tickets/{i}/attachments/{i}' => \Controllers\Attachments\StaffTicketAttachmentsController::class, - '/v1-internal/staff/tickets/{i}/attachments/{i}/inline' => \Controllers\Attachments\StaffTicketAttachmentsController::class . '::buildInline', - '/v1-public/staff/inline-attachment/{i}' => \Controllers\Attachments\StaffTicketAttachmentsController::class . '::viewInline', // Statuses '/v1/statuses' => \Controllers\Statuses\StatusController::class, // Settings
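Review bot: Nothing in this route table restricts the new `'/v1/tickets/{a}/attachments/{i}'` entry, so the tracking ID in the path is the only credential for the file and the handler must tie the attachment to that ticket itself — the placeholders enforce format, not ownership. Confirm that `{a}` actually admits the tracking-ID format the retriever expects (including hyphens, if this project's tracking IDs contain them); the placeholder definitions are not visible from this hunk. A one-line comment above the entry would help the next reader: `// Public: authorised only by knowledge of the ticket tracking ID`.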