re-arrange oekaki bits for better permissions

2012-06-26 19:47:40 +01:00 · 2012-06-26 19:47:40 +01:00 · 80673b73ec
commit 80673b73ec
parent 756de7b023
1 changed files with 33 additions and 33 deletions
--- a/ext/oekaki/main.php
+++ b/ext/oekaki/main.php
@ -10,40 +10,9 @@ class Oekaki extends Extension {
 		global $user, $page;

 		if($event->page_matches("oekaki")) {
-			if($event->get_arg(0) == "create" and $user->can("create_image")){
+			if($user->can("create_image")) {
+				if($event->get_arg(0) == "create") {
 					$this->theme->display_page();
-			}else{
-				$this->theme->display_permission_denied();
-			}
-			if($event->get_arg(0) == "upload") {
-				// FIXME: this allows anyone to upload anything to /data ...
-				// hardcoding the ext to .png should stop the obvious exploit,
-				// but more checking may be wise
-				if(isset($_FILES["picture"])) {
-					header('Content-type: text/plain');
-
-					$file = $_FILES['picture']['name'];
-					$ext = (strpos($file, '.') === FALSE) ? '' : substr($file, strrpos($file, '.'));
-					$uploadname = $_SERVER['REMOTE_ADDR'] . "." . time();
-					$uploadfile = data_path('oekaki_unclaimed/'.$uploadname);
-
-					log_info("oekaki", "Uploading file [$uploadname]");
-
-					$success = TRUE;
-					if (isset($_FILES["chibifile"]))
-						$success = $success && move_uploaded_file($_FILES['chibifile']['tmp_name'], $uploadfile . ".chi");
-
-					// hardcode the ext, so nobody can upload "foo.php"
-					$success = $success && move_uploaded_file($_FILES['picture']['tmp_name'], $uploadfile . ".png"); # $ext);
-					if ($success) {
-						echo "CHIBIOK\n";
-					} else {
-						echo "CHIBIERROR\n";
-					}
-				}
-				else {
-					echo "CHIBIERROR No Data\n";
-				}
 				}
 				if($event->get_arg(0) == "claim") {
 					// FIXME: move .chi to data/oekaki/$ha/$hash mirroring images and thumbs
@ -75,6 +44,37 @@ class Oekaki extends Extension {
 					}
 				}
 			}
+			if($event->get_arg(0) == "upload") {
+				// FIXME: this allows anyone to upload anything to /data ...
+				// hardcoding the ext to .png should stop the obvious exploit,
+				// but more checking may be wise
+				if(isset($_FILES["picture"])) {
+					header('Content-type: text/plain');
+
+					$file = $_FILES['picture']['name'];
+					$ext = (strpos($file, '.') === FALSE) ? '' : substr($file, strrpos($file, '.'));
+					$uploadname = $_SERVER['REMOTE_ADDR'] . "." . time();
+					$uploadfile = data_path('oekaki_unclaimed/'.$uploadname);
+
+					log_info("oekaki", "Uploading file [$uploadname]");
+
+					$success = TRUE;
+					if (isset($_FILES["chibifile"]))
+						$success = $success && move_uploaded_file($_FILES['chibifile']['tmp_name'], $uploadfile . ".chi");
+
+					// hardcode the ext, so nobody can upload "foo.php"
+					$success = $success && move_uploaded_file($_FILES['picture']['tmp_name'], $uploadfile . ".png"); # $ext);
+					if ($success) {
+						echo "CHIBIOK\n";
+					} else {
+						echo "CHIBIERROR\n";
+					}
+				}
+				else {
+					echo "CHIBIERROR No Data\n";
+				}
+			}
+		}
 	}

 	// FIXME: "edit this image" button on existing images?