check file types before saving #2766

cf2/Exception.php

@@ -0,0 +1,56 @@
+<?php
+
+
+namespace calderawp\calderaforms\cf2;
+
+
+class Exception extends \Exception
+{
+    /**
+     * @param array $data
+     * @return \WP_Error
+     */
+    public function toWpError(array $data = [])
+    {
+        return new \WP_Error($this->getCode(), $this->getMessage(), $data);
+    }
+
+    /**
+     * @param array $data
+     * @param array $headers
+     * @return \WP_REST_Response
+     */
+    public function toResponse(array $data = [], array $headers = [])
+    {
+        $data = array_merge($data, ['message' => $this->getMessage()]);
+        return new \WP_REST_Response($data, absint($this->getCode() ? $this->getCode() : 500), $headers);
+    }
+
+    /**
+     * Convert any Exception to this type of Exception
+     *
+     * @param \Exception $exception
+     * @return Exception
+     */
+    public static function formOtherException(\Exception $exception)
+    {
+        return new static(
+            $exception->getMessage(),
+            $exception->getCode(),
+            $exception
+        );
+    }
+
+    /**
+     * Convert a WP_Error object to an Exception
+     * @param \WP_Error $error
+     * @return Exception
+     */
+    public static function fromWpError(\WP_Error $error)
+    {
+        return new static(
+            $error->get_error_message(),
+            $error->get_error_code()
+        );
+    }
+}

cf2/Fields/Handlers/FileFieldHandler.php

@@ -0,0 +1,10 @@
+<?php
+
+
+namespace calderawp\calderaforms\cf2\Fields\Handlers;
+
+
+class FileFieldHandler
+{
+
+}

cf2/Fields/Handlers/FileHandlerContract.php

@@ -0,0 +1,12 @@
+<?php
+
+
+namespace calderawp\calderaforms\cf2\Fields\Handlers;
+
+
+interface FileHandlerContract
+{
+
+
+
+}

cf2/Fields/Handlers/FileUpload.php

@@ -2,6 +2,7 @@
 
 
 namespace calderawp\calderaforms\cf2\Fields\Handlers;
+use calderawp\calderaforms\cf2\Exception;
 use calderawp\calderaforms\cf2\Fields\FieldTypes\FileFieldType;
 use calderawp\calderaforms\cf2\Transients\TransientApiContract;
 
@@ -42,15 +43,6 @@ public function processFiles(array $files,array $hashes  ){
         foreach ($files as  $file) {
             $isPrivate = \Caldera_Forms_Files::is_private($this->field);
 
-
-                $uploadArgs = array(
-                    'private' => true,
-                    'field_id' => $this->field['ID'],
-                    'form_id' => $this->form['ID']
-                );
-
-
-
             $expected = $hashes[$i];
             $actual      = md5_file( $file['tmp_name'] );
 
@@ -66,7 +58,9 @@ public function processFiles(array $files,array $hashes  ){
                     $isPrivate
             );
 
-
+            if( ! $this->isAllowedType( $file ) ){
+                throw new Exception(  __('This file type is not allowed. Please try another.', 'caldera-forms'), 415 );
+            }
             $upload = wp_handle_upload($file, array( 'test_form' => false, 'action' => 'foo' ) );
             $this->uploader->removeFilter();
             if( !empty( $field['config']['media_lib'] ) ){
@@ -83,4 +77,37 @@ public function processFiles(array $files,array $hashes  ){
 
         return $uploads;
     }
+
+    /**
+     * Check if file type if allowed for this field
+     *
+     * @since 1.8.0
+     *
+     * @param $file
+     * @return bool
+     * @throws Exception
+     */
+    public function isAllowedType($file){
+        if( empty( $this->field['config']['allowed'] )){
+            return true;
+        }
+        $filetype = wp_check_filetype( basename( $file['tmp_name'] ), null );
+       return in_array( strtolower( $filetype['ext'] ), $this->getAllowedTypes() );
+    }
+
+    /**
+     * Get allowed file types for file field
+     *
+     * @since 1.8.0
+     *
+     * @return array
+     */
+    public function getAllowedTypes()
+    {
+        $types = ! empty( $this->field['config']['allowed'] ) ? $this->field['config']['allowed'] : [];
+        if( ! is_array( $types ) ){
+            $types = explode(',', $types );
+        }
+        return $types;
+    }
 }

tests/Integration/FileUploadTest.php

@@ -2,6 +2,7 @@
 
 namespace calderawp\calderaforms\Tests\IntegrationFields\Handlers;
 
+use calderawp\calderaforms\cf2\Exception;
 use calderawp\calderaforms\cf2\Fields\Handlers\Cf1FileUploader;
 use calderawp\calderaforms\cf2\Fields\Handlers\FileUpload;
 use calderawp\calderaforms\cf2\Transients\Cf1TransientsApi;
@@ -110,4 +111,186 @@ public function testFilterDirectoryForUpload(){
         $this->assertNotFalse( strpos($uploads[0], 'form-uploads'), $uploads[0]);
 
     }
+
+    /**
+     * @since 1.8.0
+     *
+     * @covers \calderawp\calderaforms\cf2\Fields\Handlers\FileUpload::isAllowedType()
+     *
+     * @group now
+     * @group cf2
+     * @group file
+     * @group field
+     * @group cf2_file
+     *
+     * @throws \calderawp\calderaforms\cf2\Exception
+     */
+    public function testAllTypesAllowedWhenNotSpecified()
+    {
+        $formId = 'cf2_file';
+        $fieldId = 'cf2_file_1';
+        $form = \Caldera_Forms_Forms::get_form( $formId );
+        $field = \Caldera_Forms_Field_Util::get_field($fieldId,$form);
+
+        $files = [
+            [
+                'file' => file_get_contents($this->test_file),
+                'name' => 'screenshot.jpeg',
+                'size' => filesize($this->test_file),
+                'tmp_name' => $this->test_file,
+            ]
+        ];
+
+        $handler = new FileUpload(
+            $field,
+            $field,
+            new Cf1FileUploader()
+        );
+
+        $this->assertTrue( $handler->isAllowedType( $files[0] ) );
+
+    }
+
+    /**
+     * @since 1.8.0
+     *
+     * @covers \calderawp\calderaforms\cf2\Fields\Handlers\FileUpload::isAllowedType()
+     *
+     * @group cf2
+     * @group file
+     * @group field
+     * @group cf2_file
+     *
+     * @throws \calderawp\calderaforms\cf2\Exception
+     */
+    public function testTypesAllowedWhenSpecified()
+    {
+        $formId = 'cf2_file';
+        $fieldId = 'cf2_file_2';
+        $form = \Caldera_Forms_Forms::get_form( $formId );
+        $field = \Caldera_Forms_Field_Util::get_field($fieldId,$form);
+        $this->assertFalse(  \Caldera_Forms_Files::is_private($field) );
+
+        $files = [
+            [
+                'file' => file_get_contents($this->test_file),
+                'name' => 'screenshot.png',
+                'size' => filesize($this->test_file),
+                'tmp_name' => $this->test_file,
+            ]
+        ];
+
+        $handler = new FileUpload(
+            $field,
+            $field,
+            new Cf1FileUploader()
+        );
+
+        $this->assertTrue( $handler->isAllowedType( $files[0] ) );
+
+    }
+
+
+    /**
+     * @since 1.8.0
+     *
+     * @covers \calderawp\calderaforms\cf2\Fields\Handlers\FileUpload::getAllowedTypes()
+     *
+     * @group cf2
+     * @group file
+     * @group field
+     * @group cf2_file
+     *
+     */
+    public function testGetAllowedTypes(){
+        $formId = 'cf2_file';
+        $fieldId = 'cf2_file_2';
+        $form = \Caldera_Forms_Forms::get_form( $formId );
+        $field = \Caldera_Forms_Field_Util::get_field($fieldId,$form);
+        $handler = new FileUpload(
+            $field,
+            $field,
+            new Cf1FileUploader()
+        );
+        $this->assertTrue(is_array( $handler->getAllowedTypes() ) );
+        $this->assertTrue( in_array( 'png', $handler->getAllowedTypes() ) );
+        $this->assertTrue( in_array( 'jpg', $handler->getAllowedTypes() ) );
+    }
+
+    /**
+     * @since 1.8.0
+     *
+     * @covers \calderawp\calderaforms\cf2\Fields\Handlers\FileUpload::isAllowedType()
+     *
+     * @group cf2
+     * @group file
+     * @group field
+     * @group cf2_file
+     *
+     * @throws \calderawp\calderaforms\cf2\Exception
+     */
+    public function testTypesNotAllowedWhenNotSpecified()
+    {
+        $formId = 'cf2_file';
+        $fieldId = 'cf2_file_2';
+        $form = \Caldera_Forms_Forms::get_form( $formId );
+        $field = \Caldera_Forms_Field_Util::get_field($fieldId,$form);
+        $this->assertFalse(  \Caldera_Forms_Files::is_private($field) );
+
+        $files = [
+            [
+                'file' => file_get_contents($this->test_file),
+                'name' => 'screenshot.gif',
+                'size' => filesize($this->test_file),
+                'tmp_name' => '/tmp/screenshot.gif',
+            ]
+        ];
+
+        $handler = new FileUpload(
+            $field,
+            $field,
+            new Cf1FileUploader()
+        );
+        $this->assertFalse( $handler->isAllowedType( $files[0] ) );
+
+    }
+
+    /**
+     * @since 1.8.0
+     *
+     * @covers \calderawp\calderaforms\cf2\Fields\Handlers\FileUpload::isAllowedType()
+     * @covers \calderawp\calderaforms\cf2\Fields\Handlers\FileUpload::processFiles()
+     *
+     * @group cf2
+     * @group file
+     * @group field
+     * @group cf2_file
+     *
+     */
+    public function testProcessInvalidTypeThrowsException()
+    {
+        $this->expectException(Exception::class);
+        $formId = 'cf2_file';
+        $fieldId = 'cf2_file_3';
+        $form = \Caldera_Forms_Forms::get_form( $formId );
+        $field = \Caldera_Forms_Field_Util::get_field($fieldId,$form);
+        $this->assertFalse(  \Caldera_Forms_Files::is_private($field) );
+
+        $files = [
+            [
+                'file' => file_get_contents($this->test_file),
+                'name' => 'screenshot.jpeg',
+                'size' => filesize($this->test_file),
+                'tmp_name' => $this->test_file,
+            ]
+        ];
+
+        $handler = new FileUpload(
+            $field,
+            $field,
+            new Cf1FileUploader()
+        );
+        $handler->processFiles($files, [md5_file($this->test_file)]);
+    }
+
 }