soeren/fotospiel-app
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Harden tenant admin auth and photo moderation
Some checks failed
linter / quality (push) Has been cancelled
Details
tests / ci (push) Has been cancelled
Details
tests / ui (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Codex Agent
2026-01-30 14:53:51 +01:00
parent d45cb6a087
commit 916b204688
7 changed files with 220 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
app/Http/Controllers/Api/Tenant/PhotoController.php
View File

@@ -20,6 +20,7 @@ use App\Support\WatermarkConfigResolver;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Http\Resources\Json\AnonymousResourceCollection;
use Illuminate\Http\UploadedFile;
use Illuminate\Support\Arr;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Log;
@@ -115,6 +116,7 @@ class PhotoController extends Controller
$event = Event::where('slug', $eventSlug)
->where('tenant_id', $tenantId)
->firstOrFail();
TenantMemberPermissions::ensureEventPermission($request, $event, 'photos:moderate');
if ($photo->event_id !== $event->id) {
return ApiError::response(
@@ -321,7 +323,7 @@ class PhotoController extends Controller
$disk = $this->eventStorageManager->getHotDiskForEvent($event);
// Generate unique filename
$extension = $file->getClientOriginalExtension();
$extension = $this->resolvePhotoExtension($file);
$filename = Str::uuid().'.'.$extension;
$path = "events/{$eventSlug}/photos/{$filename}";
@@ -563,6 +565,7 @@ class PhotoController extends Controller
$event = Event::where('slug', $eventSlug)
->where('tenant_id', $tenantId)
->firstOrFail();
TenantMemberPermissions::ensureEventPermission($request, $event, 'photos:moderate');
if ($photo->event_id !== $event->id) {
return ApiError::response(
@@ -779,6 +782,7 @@ class PhotoController extends Controller
$event = Event::where('slug', $eventSlug)
->where('tenant_id', $tenantId)
->firstOrFail();
TenantMemberPermissions::ensureEventPermission($request, $event, 'photos:moderate');
$photos = Photo::where('event_id', $event->id)
->where('status', 'pending')
@@ -1043,4 +1047,23 @@ class PhotoController extends Controller
return array_values(array_unique(array_filter($candidates)));
}
private function resolvePhotoExtension(UploadedFile $file): string
{
$extension = strtolower((string) $file->extension());
if (! in_array($extension, ['jpg', 'jpeg', 'png', 'webp'], true)) {
$extension = strtolower((string) $file->getClientOriginalExtension());
}
if (! in_array($extension, ['jpg', 'jpeg', 'png', 'webp'], true)) {
$extension = match ($file->getMimeType()) {
'image/png' => 'png',
'image/webp' => 'webp',
default => 'jpg',
};
}
return $extension === 'jpeg' ? 'jpg' : $extension;
}
}

17
app/Http/Controllers/Auth/AuthenticatedSessionController.php
View File

@@ -157,6 +157,10 @@ class AuthenticatedSessionController extends Controller
return null;
}
if (str_starts_with($candidate, '//')) {
return null;
}
if (str_starts_with($candidate, '/')) {
return $candidate;
}
@@ -170,7 +174,7 @@ class AuthenticatedSessionController extends Controller
$appHost = parse_url($request->getSchemeAndHttpHost(), PHP_URL_HOST);
if ($appHost && ! Str::endsWith($targetHost, $appHost)) {
if (! $appHost || ! $this->isAllowedReturnHost($targetHost, $appHost)) {
return null;
}
@@ -222,7 +226,7 @@ class AuthenticatedSessionController extends Controller
$scheme = $parsed['scheme'] ?? null;
$requestHost = parse_url($request->getSchemeAndHttpHost(), PHP_URL_HOST);
if ($scheme && $host && $requestHost && ! Str::endsWith($host, $requestHost)) {
if ($scheme && $host && $requestHost && ! $this->isAllowedReturnHost($host, $requestHost)) {
return '/event-admin/dashboard';
}
@@ -265,6 +269,15 @@ class AuthenticatedSessionController extends Controller
return $decoded;
}
private function isAllowedReturnHost(string $targetHost, string $appHost): bool
{
if ($targetHost === $appHost) {
return true;
}
return Str::endsWith($targetHost, '.'.$appHost);
}
private function rememberTenantAdminTarget(Request $request, ?string $target): void
{
$user = Auth::user();

19
app/Http/Controllers/TenantAdminFacebookController.php
View File

@@ -100,13 +100,30 @@ class TenantAdminFacebookController extends Controller
return null;
}
if (str_starts_with($decoded, '//')) {
return null;
}
if (str_starts_with($decoded, '/')) {
return $decoded;
}
$targetHost = parse_url($decoded, PHP_URL_HOST);
$appHost = parse_url($request->getSchemeAndHttpHost(), PHP_URL_HOST);
if ($targetHost && $appHost && ! Str::endsWith($targetHost, $appHost)) {
if (! $targetHost || ! $appHost || ! $this->isAllowedReturnHost($targetHost, $appHost)) {
return null;
}
return $decoded;
}
private function isAllowedReturnHost(string $targetHost, string $appHost): bool
{
if ($targetHost === $appHost) {
return true;
}
return Str::endsWith($targetHost, '.'.$appHost);
}
}

19
app/Http/Controllers/TenantAdminGoogleController.php
View File

@@ -100,13 +100,30 @@ class TenantAdminGoogleController extends Controller
return null;
}
if (str_starts_with($decoded, '//')) {
return null;
}
if (str_starts_with($decoded, '/')) {
return $decoded;
}
$targetHost = parse_url($decoded, PHP_URL_HOST);
$appHost = parse_url($request->getSchemeAndHttpHost(), PHP_URL_HOST);
if ($targetHost && $appHost && ! Str::endsWith($targetHost, $appHost)) {
if (! $targetHost || ! $appHost || ! $this->isAllowedReturnHost($targetHost, $appHost)) {
return null;
}
return $decoded;
}
private function isAllowedReturnHost(string $targetHost, string $appHost): bool
{
if ($targetHost === $appHost) {
return true;
}
return Str::endsWith($targetHost, '.'.$appHost);
}
}