CV upload updates

56bba840 · Simon · 281a7493 · 56bba840 · 56bba840 · 56bba840
Commit 56bba840 authored Jun 09, 2019 by Simon
6 changed files
--- a/nginx/redirects/biuro.ee.conf
+++ b/nginx/redirects/biuro.ee.conf
@@ -10,6 +10,14 @@ location ^~ /wp-content/uploads/2019/ {
    }
 }

+location ^~ /wp-content/uploads/additional/ {
+    try_files $uri $uri/ /index.php?$args;
+
+    if ($http_referer !~* .*livas.biuro.ee.*) {
+        return 403;
+    }
+}
+
 # ----------------------------------------------------------------------
 # 301 biuro.ee redirects
 # ----------------------------------------------------------------------

--- a/nginx/redirects/biuro.lt.conf
+++ b/nginx/redirects/biuro.lt.conf
@@ -10,6 +10,14 @@ location ^~ /wp-content/uploads/2019/ {
    }
 }

+location ^~ /wp-content/uploads/additional/ {
+    try_files $uri $uri/ /index.php?$args;
+
+    if ($http_referer !~* .*livas.biuro.lt.*) {
+        return 403;
+    }
+}
+
 # ----------------------------------------------------------------------
 # 301 biuro.lt redirects
 # ----------------------------------------------------------------------

--- a/nginx/redirects/biuro.lv.conf
+++ b/nginx/redirects/biuro.lv.conf
@@ -10,6 +10,14 @@ location ^~ /wp-content/uploads/2019/ {
    }
 }

+location ^~ /wp-content/uploads/additional/ {
+    try_files $uri $uri/ /index.php?$args;
+
+    if ($http_referer !~* .*livas.biuro.lv.*) {
+        return 403;
+    }
+}
+
 # ----------------------------------------------------------------------
 # 301 biuro.lv redirects
 # ----------------------------------------------------------------------

--- a/wp-content/plugins/biuro-contacts/public/class-biuro-contacts-public.php
+++ b/wp-content/plugins/biuro-contacts/public/class-biuro-contacts-public.php
@@ -301,6 +301,23 @@ class Biuro_Contacts_Public {
        return $output;
    } // employees_form()

+    function change_upload_dir( $dir ) {
+        return array(
+            'path'   => $dir['basedir'] . '/additional',
+            'url'    => $dir['baseurl'] . '/additional',
+            'subdir' => '/additional',
+        ) + $dir;
+    }
+
+    function change_upload_filename( $filename ) {
+        $length = 24;
+        $info = pathinfo( $filename );
+        $ext  = empty( $info['extension'] ) ? '' : '.' . $info['extension'];
+        $name = basename( $filename, $ext );
+
+        return substr(str_shuffle(str_repeat($x='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', ceil($length/strlen($x)) )),1,$length) . '-' . $name.$ext;
+    }
+
    public function employees_post() {

        $nonce = $_POST['_wpnonce'];
@@ -331,6 +348,21 @@ class Biuro_Contacts_Public {
                'updated' => current_time('Y-m-d H:i:s')
            ];

+            $allowed_file_types = array('application/pdf', 'application/doc', 'application/docx', 'application/rtf', 'application/txt', 'application/odf', 'application/msword', 'image/jpg', 'image/jpeg', 'image/png');
+            // Check file types
+            foreach( $_FILES as $file ) {
+                // Get the type of the uploaded file. This is returned as "type/extension"
+                $arr_file_type = wp_check_filetype( basename( $file['name'] ) );
+                $uploaded_file_type = $arr_file_type['type'];
+                if( ! in_array( $uploaded_file_type, $allowed_file_types ) ) {
+                    wp_redirect( $referer );
+                    exit;
+                }
+            }
+
+            add_filter( 'upload_dir', array( $this, 'change_upload_dir' ) );
+            add_filter( 'sanitize_file_name', array( $this, 'change_upload_filename' ), 10 );
+
            # upload file
            if($_FILES) {
                # gali nusirody: 'mimes' => array('csv' => 'text/csv')
@@ -346,6 +378,9 @@ class Biuro_Contacts_Public {
                }
            }

+            remove_filter( 'sanitize_file_name', array( $this, 'change_upload_filename' ), 10 );
+            remove_filter( 'upload_dir', array( $this, 'change_upload_dir' ) );
+
            $data['referer'] = ($_SESSION['referer'] !== null) ? $_SESSION['referer'] : null;

            static::update_row_in_db($data, $_SESSION['employees--id'], ['%s', '%d', '%s', '%d', '%s', '%s', '%s', ]);
@@ -696,6 +731,21 @@ class Biuro_Contacts_Public {

                unset($_SESSION['position--step']);

+                $allowed_file_types = array('application/pdf', 'application/doc', 'application/docx', 'application/rtf', 'application/txt', 'application/odf', 'application/msword', 'image/jpg', 'image/jpeg', 'image/png');
+                // Check file types
+                foreach( $_FILES as $file ) {
+                    // Get the type of the uploaded file. This is returned as "type/extension"
+                    $arr_file_type = wp_check_filetype( basename( $file['name'] ) );
+                    $uploaded_file_type = $arr_file_type['type'];
+                    if( ! in_array( $uploaded_file_type, $allowed_file_types ) ) {
+                        wp_redirect( $referer );
+                        exit;
+                    }
+                }
+
+                add_filter( 'upload_dir', array( $this, 'change_upload_dir' ) );
+                add_filter( 'sanitize_file_name', array( $this, 'change_upload_filename' ), 10 );
+
                # upload file
                if($_FILES) {
                    # gali nusirody: 'mimes' => array('csv' => 'text/csv')
@@ -712,6 +762,9 @@ class Biuro_Contacts_Public {
                    }
                }

+                remove_filter( 'sanitize_file_name', array( $this, 'change_upload_filename' ), 10 );
+                remove_filter( 'upload_dir', array( $this, 'change_upload_dir' ) );
+
                $data['referer'] = ($_SESSION['referer'] !== null) ? $_SESSION['referer'] : null;

                $insert_id = static::insert_row_to_db($data, array( '%s', '%s', '%s', '%s', '%s', '%s', '%d', '%s', '%d', '%d', '%s', '%s' ));

--- a/wp-content/plugins/biuro-contacts/public/partials/biuro-contacts-public--employees--step-2.php
+++ b/wp-content/plugins/biuro-contacts/public/partials/biuro-contacts-public--employees--step-2.php
@@ -36,7 +36,7 @@ if ( ! defined( 'WPINC' ) ) die;
    <div class="c-form--row">
        <label class="c-form--label" for="form-cv"><?php _e('CV', 'biuro-contacts'); ?></label>
        <div class="c-form--input-wrap">
-            <input type="file" class="c-form--input" id="form-cv" name="cv" value="">
+            <input type="file" class="c-form--input" id="form-cv" name="cv" value="" accept="application/pdf, application/doc, application/docx, application/rtf, application/txt, application/odf, application/msword, image/jpg, image/jpeg, image/png">
        </div>
    </div><!-- .c-form--row -->


--- a/wp-content/plugins/biuro-contacts/public/partials/biuro-contacts-public--position--step-2.php
+++ b/wp-content/plugins/biuro-contacts/public/partials/biuro-contacts-public--position--step-2.php
@@ -113,7 +113,7 @@ if ( ! defined( 'WPINC' ) ) die;
    <div class="c-form--row">
        <label class="c-form--label" for="form-cv"><?php _e('CV', 'biuro-contacts'); ?></label>
        <div class="c-form--input-wrap">
-            <input type="file" class="c-form--input" id="form-cv" name="cv" value="">
+            <input type="file" class="c-form--input" id="form-cv" name="cv" value="" accept="application/pdf, application/doc, application/docx, application/rtf, application/txt, application/odf, application/msword, image/jpg, image/jpeg, image/png">
        </div>
    </div><!-- .c-form--row -->