+24
-1
@@ -666,6 +666,14 @@ function handleDocuments($method, $id, $db) {
|
||||
function handleAttachments($method, $id, $db) {
|
||||
$username = $_SESSION['neptune_username'] ?? 'Unknown';
|
||||
$uploadDir = '/var/www/uploads/';
|
||||
$allowedExtensions = ['pdf', 'md', 'txt', 'xlsx', 'csv', 'pptx', 'evidence'];
|
||||
$allowedMimes = [
|
||||
'application/pdf',
|
||||
'text/markdown', 'text/x-markdown', 'text/plain',
|
||||
'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
|
||||
'text/csv', 'application/csv',
|
||||
'application/vnd.openxmlformats-officedocument.presentationml.presentation',
|
||||
];
|
||||
|
||||
switch ($method) {
|
||||
case 'GET':
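Review bot: `$allowedExtensions` and `$allowedMimes` are two unrelated flat lists, so any allowed extension paired with any allowed MIME type passes the checks this commit adds further down — a `.pdf` whose content is `text/plain`, or a `.xlsx` declared as `application/pdf`, is accepted. Keying the MIME list by extension makes the intended pairing explicit and lets the later check consult `$allowedMimesByExt[$ext]` instead of the global list, while `$allowedExtensions = array_keys($allowedMimesByExt);` keeps the existing variable the extension check uses. `'evidence'` has no MIME entry at all, which deserves a comment at the declaration since it is the one extension that is never content-checked. The body of `handleAttachments` continues past this hunk.

```php
$allowedMimesByExt = [
    'pdf'  => ['application/pdf'],
    'md'   => ['text/markdown', 'text/x-markdown', 'text/plain'],
    'txt'  => ['text/plain'],
    'xlsx' => ['application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'],
    'csv'  => ['text/csv', 'application/csv', 'text/plain'],
    'pptx' => ['application/vnd.openxmlformats-officedocument.presentationml.presentation'],
    // Project-specific container with no registered MIME type: content is NOT validated.
    'evidence' => [],
];
$allowedExtensions = array_keys($allowedMimesByExt);
// … unchanged: switch ($method) …
```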
|
||||
@@ -693,7 +701,22 @@ function handleAttachments($method, $id, $db) {
|
||||
return;
|
||||
}
|
||||
$file = $_FILES['file'];
|
||||
$ext = pathinfo($file['name'], PATHINFO_EXTENSION);
|
||||
$ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
|
||||
|
||||
if (!in_array($ext, $allowedExtensions)) {
|
||||
http_response_code(400);
|
||||
echo json_encode(['error' => 'File type not allowed. Allowed: ' . implode(', ', $allowedExtensions)]);
|
||||
return;
|
||||
}
|
||||
|
||||
$mime = $file['type'] ?: '';
|
||||
$mimeAllowed = empty($mime) || in_array($mime, $allowedMimes);
|
||||
if (!$mimeAllowed && $ext !== 'evidence') {
|
||||
http_response_code(400);
|
||||
echo json_encode(['error' => 'Invalid file content']);
|
||||
return;
|
||||
}
|
||||
|
||||
$storedName = uniqid('att_', true) . '.' . $ext;
|
||||
$dest = $uploadDir . $storedName;
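Review bot: The MIME gate starting at `$mime = $file['type'] ?: '';` trusts `$_FILES['file']['type']`, which PHP copies verbatim from the client's multipart `Content-Type` header, so any payload sent with `Content-Type: application/pdf` passes; `empty($mime)` additionally passes an upload that omits the header, and `$ext !== 'evidence'` skips the check for that extension entirely. Derive the type from the bytes on disk instead — `$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']) ?: '';` followed by `if (!in_array($mime, $allowedMimes, true) && $ext !== 'evidence') {` — and drop the `empty($mime)` escape hatch. The `evidence` branch still admits arbitrary content, so a comment should state that `/var/www/uploads/` must never be served with script execution enabled; the `move_uploaded_file` call and any `$file['error'] === UPLOAD_ERR_OK` check are outside this hunk, so I can't confirm the upload error code is validated before `$file['name']` is used. `uniqid('att_', true)` is time-derived rather than random, so if the upload directory is web-reachable `bin2hex(random_bytes(16))` gives stored names that cannot be guessed.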
|
||||
|
||||
|
||||