84 lines
1.6 KiB
PHP
84 lines
1.6 KiB
PHP
<?php
|
|
require '_sql.php';
|
|
require '_func.php';
|
|
|
|
/**
|
|
* Eingaben prüfen
|
|
*/
|
|
$fileId = isset($_GET['id']) ? (int)$_GET['id'] : 0;
|
|
$uuid = $_GET['uuid'] ?? null;
|
|
|
|
if ($fileId <= 0 || !$uuid) {
|
|
http_response_code(400);
|
|
exit('Ungültige Anfrage');
|
|
}
|
|
|
|
/**
|
|
* Token validieren
|
|
*/
|
|
$token = $sql->single(
|
|
"SELECT id, identity_id
|
|
FROM access_tokens
|
|
WHERE uuid = ?
|
|
AND (expires_at IS NULL OR expires_at > NOW())",
|
|
"s",
|
|
[$uuid]
|
|
);
|
|
|
|
if (!$token) {
|
|
http_response_code(403);
|
|
exit('Kein Zugriff');
|
|
}
|
|
|
|
/**
|
|
* Datei laden & Berechtigung prüfen
|
|
*/
|
|
$file = $sql->single(
|
|
"SELECT *
|
|
FROM files
|
|
WHERE id = ?
|
|
AND identity_id = ?
|
|
AND (token_id IS NULL OR token_id = ?)",
|
|
"iii",
|
|
[$fileId, $token['identity_id'], $token['id']]
|
|
);
|
|
|
|
if (!$file) {
|
|
http_response_code(404);
|
|
exit('Datei nicht gefunden');
|
|
}
|
|
|
|
/**
|
|
* Dateipfad
|
|
*/
|
|
$basePath = '/var/www/files/';
|
|
$path = realpath($basePath . $file['stored_name']);
|
|
|
|
if (!$path || !str_starts_with($path, $basePath) || !is_file($path)) {
|
|
http_response_code(404);
|
|
exit('Datei fehlt');
|
|
}
|
|
|
|
/**
|
|
* Saubere Ausgabe
|
|
*/
|
|
$filename = $file['filename'];
|
|
$mime = $file['mime_type'] ?: 'application/octet-stream';
|
|
$size = filesize($path);
|
|
|
|
header('Content-Description: File Transfer');
|
|
header('Content-Type: ' . $mime);
|
|
header('Content-Disposition: attachment; filename="' . basename($filename) . '"');
|
|
header('Content-Length: ' . $size);
|
|
header('X-Content-Type-Options: nosniff');
|
|
header('Cache-Control: private, no-store, no-cache, must-revalidate');
|
|
header('Pragma: no-cache');
|
|
header('Expires: 0');
|
|
|
|
while (ob_get_level()) {
|
|
ob_end_clean();
|
|
}
|
|
|
|
readfile($path);
|
|
exit;
|