Added an env configurable file upload size limit

Replaces the old suggestion of setting JS head 'window.uploadLimit' variable. This new env option will be used by back-end validation and front-end libs/logic too. Limits already likely exist within prod environments at a PHP and webserver level but this allows an app-level limit and centralises the option on the BookStack side into the .env Closes #3033
2025-06-05 09:34:37 +08:00 · 2021-11-14 22:03:22 +00:00
parent f910738a80
commit 85154fff69
10 changed files with 54 additions and 22 deletions
--- a/app/Http/Controllers/Api/ApiController.php
+++ b/app/Http/Controllers/Api/ApiController.php
@ -24,9 +24,14 @@ abstract class ApiController extends Controller

    /**
     * Get the validation rules for this controller.
+     * Defaults to a $rules property but can be a rules() method.
     */
    public function getValdationRules(): array
    {
+        if (method_exists($this, 'rules')) {
+            return $this->rules();
+        }
+
        return $this->rules;
    }
 }
--- a/app/Http/Controllers/Api/AttachmentApiController.php
+++ b/app/Http/Controllers/Api/AttachmentApiController.php
@ -15,21 +15,6 @@ class AttachmentApiController extends ApiController
 {
    protected $attachmentService;

-    protected $rules = [
-        'create' => [
-            'name'        => ['required', 'min:1', 'max:255', 'string'],
-            'uploaded_to' => ['required', 'integer', 'exists:pages,id'],
-            'file'        => ['required_without:link', 'file'],
-            'link'        => ['required_without:file', 'min:1', 'max:255', 'safe_url'],
-        ],
-        'update' => [
-            'name'        => ['min:1', 'max:255', 'string'],
-            'uploaded_to' => ['integer', 'exists:pages,id'],
-            'file'        => ['file'],
-            'link'        => ['min:1', 'max:255', 'safe_url'],
-        ],
-    ];
-
    public function __construct(AttachmentService $attachmentService)
    {
        $this->attachmentService = $attachmentService;
@ -61,7 +46,7 @@ class AttachmentApiController extends ApiController
    public function create(Request $request)
    {
        $this->checkPermission('attachment-create-all');
-        $requestData = $this->validate($request, $this->rules['create']);
+        $requestData = $this->validate($request, $this->rules()['create']);

        $pageId = $request->get('uploaded_to');
        $page = Page::visible()->findOrFail($pageId);
@ -122,7 +107,7 @@ class AttachmentApiController extends ApiController
     */
    public function update(Request $request, string $id)
    {
-        $requestData = $this->validate($request, $this->rules['update']);
+        $requestData = $this->validate($request, $this->rules()['update']);
        /** @var Attachment $attachment */
        $attachment = Attachment::visible()->findOrFail($id);

@ -162,4 +147,22 @@ class AttachmentApiController extends ApiController

        return response('', 204);
    }
+
+    protected function rules(): array
+    {
+        return [
+            'create' => [
+                'name'        => ['required', 'min:1', 'max:255', 'string'],
+                'uploaded_to' => ['required', 'integer', 'exists:pages,id'],
+                'file'        => array_merge(['required_without:link'], $this->attachmentService->getFileValidationRules()),
+                'link'        => ['required_without:file', 'min:1', 'max:255', 'safe_url'],
+            ],
+            'update' => [
+                'name'        => ['min:1', 'max:255', 'string'],
+                'uploaded_to' => ['integer', 'exists:pages,id'],
+                'file'        => $this->attachmentService->getFileValidationRules(),
+                'link'        => ['min:1', 'max:255', 'safe_url'],
+            ],
+        ];
+    }
 }
--- a/app/Http/Controllers/AttachmentController.php
+++ b/app/Http/Controllers/AttachmentController.php
@ -9,6 +9,7 @@ use BookStack\Uploads\Attachment;
 use BookStack\Uploads\AttachmentService;
 use Exception;
 use Illuminate\Contracts\Filesystem\FileNotFoundException;
+use Illuminate\Foundation\Http\Middleware\ValidatePostSize;
 use Illuminate\Http\Request;
 use Illuminate\Support\MessageBag;
 use Illuminate\Validation\ValidationException;
@ -37,7 +38,7 @@ class AttachmentController extends Controller
    {
        $this->validate($request, [
            'uploaded_to' => ['required', 'integer', 'exists:pages,id'],
-            'file'        => ['required', 'file'],
+            'file'        => array_merge(['required'], $this->attachmentService->getFileValidationRules()),
        ]);

        $pageId = $request->get('uploaded_to');
@ -65,7 +66,7 @@ class AttachmentController extends Controller
    public function uploadUpdate(Request $request, $attachmentId)
    {
        $this->validate($request, [
-            'file' => ['required', 'file'],
+            'file' => array_merge(['required'], $this->attachmentService->getFileValidationRules()),
        ]);

        /** @var Attachment $attachment */
--- a/app/Http/Controllers/Controller.php
+++ b/app/Http/Controllers/Controller.php
@ -165,7 +165,7 @@ abstract class Controller extends BaseController
    /**
     * Log an activity in the system.
     *
-     * @param $detail string|Loggable
+     * @param string|Loggable $detail
     */
    protected function logActivity(string $type, $detail = ''): void
    {
@ -177,6 +177,6 @@ abstract class Controller extends BaseController
     */
    protected function getImageValidationRules(): array
    {
-        return ['image_extension', 'mimes:jpeg,png,gif,webp'];
+        return ['image_extension', 'mimes:jpeg,png,gif,webp', 'max:' . (config('app.upload_limit') * 1000)];
    }
 }