Issue #3388985 by kim.pepper, Wim Leers: Make CKEditor5ImageController reuse FileUploadHandler

60a38dae · Lee Rowlands · 48a7cf12 · 60a38dae
Verified Commit 60a38dae authored 1 year ago by Lee Rowlands
--- a/core/modules/ckeditor5/src/Controller/CKEditor5ImageController.php
+++ b/core/modules/ckeditor5/src/Controller/CKEditor5ImageController.php
 <?php
-declare(strict_types = 1);
+declare(strict_types=1);
 namespace Drupal\ckeditor5\Controller;
@@ -9,20 +9,21 @@
 use Drupal\Component\Utility\Environment;
 use Drupal\Core\Access\AccessResult;
 use Drupal\Core\Controller\ControllerBase;
-use Drupal\Core\File\Event\FileUploadSanitizeNameEvent;
 use Drupal\Core\File\Exception\FileException;
 use Drupal\Core\File\FileSystemInterface;
 use Drupal\Core\Lock\LockBackendInterface;
 use Drupal\Core\Session\AccountInterface;
 use Drupal\editor\Entity\Editor;
-use Drupal\file\Entity\File;
+use Drupal\file\Upload\FileUploadHandler;
-use Drupal\file\FileInterface;
+use Drupal\file\Upload\FormUploadedFile;
 use Drupal\file\Validation\FileValidatorInterface;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 use Symfony\Component\HttpKernel\Exception\UnprocessableEntityHttpException;
+use Symfony\Component\Lock\Exception\LockAcquiringException;
 use Symfony\Component\Mime\MimeTypeGuesserInterface;
 use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
@@ -35,74 +36,62 @@
 class CKEditor5ImageController extends ControllerBase {
  /**
-   * The file system service.
+   * The default allowed image extensions.
-   *
-   * @var \Drupal\Core\File\FileSystem
-   */
-  protected $fileSystem;
-  /**
-   * The currently authenticated user.
-   *
-   * @var \Drupal\Core\Session\AccountInterface
-   */
-  protected $currentUser;
-  /**
-   * The MIME type guesser.
-   *
-   * @var \Symfony\Component\Mime\MimeTypeGuesserInterface
   */
-  protected $mimeTypeGuesser;
+  const DEFAULT_IMAGE_EXTENSIONS = 'gif png jpg jpeg';
  /**
-   * The lock service.
+   * The file system service.
-   *
-   * @var \Drupal\Core\Lock\LockBackendInterface
   */
-  protected $lock;
+  protected FileSystemInterface $fileSystem;
  /**
-   * The event dispatcher.
+   * The lock.
-   *
-   * @var \Symfony\Contracts\EventDispatcher\EventDispatcherInterface
   */
-  protected $eventDispatcher;
+  protected LockBackendInterface $lock;
  /**
-   * The file validator.
+   * The file upload handler.
-   *
-   * @var \Drupal\file\Validation\FileValidatorInterface
   */
-  protected FileValidatorInterface $fileValidator;
+  protected FileUploadHandler $fileUploadHandler;
  /**
   * Constructs a new CKEditor5ImageController.
   *
-   * @param \Drupal\Core\File\FileSystemInterface $file_system
+   * @param \Drupal\Core\File\FileSystemInterface $fileSystem
-   *   The file system service.
+   *   The file upload handler.
-   * @param \Drupal\Core\Session\AccountInterface $current_user
+   * @param \Drupal\Core\Session\AccountInterface|\Drupal\file\Upload\FileUploadHandler $fileUploadHandler
   *   The currently authenticated user.
-   * @param \Symfony\Component\Mime\MimeTypeGuesserInterface $mime_type_guesser
+   * @param \Symfony\Component\Mime\MimeTypeGuesserInterface|\Drupal\Core\Lock\LockBackendInterface $mime_type_guesser
   *   The MIME type guesser.
-   * @param \Drupal\Core\Lock\LockBackendInterface $lock
+   * @param \Drupal\Core\Lock\LockBackendInterface|null $lock
   *   The lock service.
-   * @param \Symfony\Contracts\EventDispatcher\EventDispatcherInterface $event_dispatcher
+   * @param \Symfony\Contracts\EventDispatcher\EventDispatcherInterface|null $event_dispatcher
   *   The event dispatcher.
   * @param \Drupal\file\Validation\FileValidatorInterface|null $file_validator
   *   The file validator.
   */
-  public function __construct(FileSystemInterface $file_system, AccountInterface $current_user, MimeTypeGuesserInterface $mime_type_guesser, LockBackendInterface $lock, EventDispatcherInterface $event_dispatcher, FileValidatorInterface $file_validator = NULL) {
+  public function __construct(FileSystemInterface $fileSystem, AccountInterface | FileUploadHandler $fileUploadHandler, MimeTypeGuesserInterface | LockBackendInterface $mime_type_guesser, LockBackendInterface $lock = NULL, EventDispatcherInterface $event_dispatcher = NULL, FileValidatorInterface $file_validator = NULL) {
-    $this->fileSystem = $file_system;
+    $this->fileSystem = $fileSystem;
-    $this->currentUser = $current_user;
+    if ($fileUploadHandler instanceof AccountInterface) {
-    $this->mimeTypeGuesser = $mime_type_guesser;
+      @trigger_error('Calling ' . __METHOD__ . '() with the $current_user argument is deprecated in drupal:10.3.0 and is removed from drupal:11.0.0. See https://www.drupal.org/node/3388990', E_USER_DEPRECATED);
-    $this->lock = $lock;
+      $fileUploadHandler = \Drupal::service('file.upload_handler');
-    $this->eventDispatcher = $event_dispatcher;
+    }
-    if (!$file_validator) {
+    $this->fileUploadHandler = $fileUploadHandler;
-      @trigger_error('Calling ' . __METHOD__ . '() without the $file_validator argument is deprecated in drupal:10.2.0 and is required in drupal:11.0.0. See https://www.drupal.org/node/3363700', E_USER_DEPRECATED);
+    if ($mime_type_guesser instanceof MimeTypeGuesserInterface) {
-      $file_validator = \Drupal::service('file.validator');
+      @trigger_error('Calling ' . __METHOD__ . '() with the $mime_type_guesser argument is deprecated in drupal:10.3.0 and is replaced with $lock from drupal:11.0.0. See https://www.drupal.org/node/3388990', E_USER_DEPRECATED);
+      $mime_type_guesser = \Drupal::service('lock');
+    }
+    $this->lock = $mime_type_guesser;
+    if ($lock) {
+      @trigger_error('Calling ' . __METHOD__ . '() with the $lock argument in position 4 is deprecated in drupal:10.3.0 and is removed from drupal:11.0.0. See https://www.drupal.org/node/3388990', E_USER_DEPRECATED);
+    }
+    if ($event_dispatcher) {
+      @trigger_error('Calling ' . __METHOD__ . '() with the $event_dispatcher argument is deprecated in drupal:10.3.0 and is removed from drupal:11.0.0. See https://www.drupal.org/node/3388990', E_USER_DEPRECATED);
+    }
+    if ($file_validator) {
+      @trigger_error('Calling ' . __METHOD__ . '() with the $file_validator argument is deprecated in drupal:10.3.0 and is removed from drupal:11.0.0. See https://www.drupal.org/node/3388990', E_USER_DEPRECATED);
    }
-    $this->fileValidator = $file_validator;
  }
  /**
@@ -111,11 +100,8 @@ public function __construct(FileSystemInterface $file_system, AccountInterface $
  public static function create(ContainerInterface $container) {
    return new static(
      $container->get('file_system'),
-      $container->get('current_user'),
+      $container->get('file.upload_handler'),
-      $container->get('file.mime_type.guesser'),
+      $container->get('lock')
-      $container->get('lock'),
-      $container->get('event_dispatcher'),
-      $container->get('file.validator')
    );
  }
@@ -132,52 +118,26 @@ public static function create(ContainerInterface $container) {
   *   Thrown when file system errors occur.
   * @throws \Symfony\Component\HttpKernel\Exception\UnprocessableEntityHttpException
   *   Thrown when validation errors occur.
-   * @throws \Drupal\Core\Entity\EntityStorageException
-   *   Thrown when file entity could not be saved.
   */
-  public function upload(Request $request) {
+  public function upload(Request $request): Response {
    // Getting the UploadedFile directly from the request.
+    /** @var \Symfony\Component\HttpFoundation\File\UploadedFile $upload */
    $upload = $request->files->get('upload');
    $filename = $upload->getClientOriginalName();
+    /** @var \Drupal\editor\EditorInterface $editor */
    $editor = $request->attributes->get('editor');
-    $image_upload = $editor->getImageUploadSettings();
+    $settings = $editor->getImageUploadSettings();
-    $destination = $image_upload['scheme'] . '://' . $image_upload['directory'];
+    $destination = $settings['scheme'] . '://' . $settings['directory'];
    // Check the destination file path is writable.
    if (!$this->fileSystem->prepareDirectory($destination, FileSystemInterface::CREATE_DIRECTORY)) {
      throw new HttpException(500, 'Destination file path is not writable');
    }
-    $max_filesize = min(Bytes::toNumber($image_upload['max_size']), Environment::getUploadMaxSize());
+    $validators = $this->getImageUploadValidators($settings);
-    if (!empty($image_upload['max_dimensions']['width']) || !empty($image_upload['max_dimensions']['height'])) {
-      $max_dimensions = $image_upload['max_dimensions']['width'] . 'x' . $image_upload['max_dimensions']['height'];
-    }
-    else {
-      $max_dimensions = 0;
-    }
-    $allowed_extensions = 'gif png jpg jpeg';
-    $validators = [
-      'FileExtension' => [
-        'extensions' => $allowed_extensions,
-      ],
-      'FileSizeLimit' => [
-        'fileLimit' => $max_filesize,
-      ],
-      'FileImageDimensions' => [
-        'maxDimensions' => $max_dimensions,
-      ],
-    ];
-    $prepared_filename = $this->prepareFilename($filename, $allowed_extensions);
-    // Create the file.
-    $file_uri = "{$destination}/{$prepared_filename}";
-    // Using the UploadedFile method instead of streamUploadData.
-    $temp_file_path = $upload->getRealPath();
+    $file_uri = "{$destination}/{$filename}";
    $file_uri = $this->fileSystem->getDestinationFilename($file_uri, FileSystemInterface::EXISTS_RENAME);
    // Lock based on the prepared file URI.
@@ -187,31 +147,23 @@ public function upload(Request $request) {
      throw new HttpException(503, sprintf('File "%s" is already locked for writing.', $file_uri), NULL, ['Retry-After' => 1]);
    }
-    // Begin building file entity.
-    $file = File::create([]);
-    $file->setOwnerId($this->currentUser->id());
-    $file->setFilename($prepared_filename);
-    $file->setMimeType($this->mimeTypeGuesser->guessMimeType($prepared_filename));
-    $file->setFileUri($file_uri);
-    $file->setSize(@filesize($temp_file_path));
-    $violations = $this->validate($file, $validators);
-    if ($violations->count() > 0) {
-      throw new UnprocessableEntityHttpException($violations->__toString());
-    }
    try {
-      $this->fileSystem->move($temp_file_path, $file_uri, FileSystemInterface::EXISTS_ERROR);
+      $uploadedFile = new FormUploadedFile($upload);
+      $uploadResult = $this->fileUploadHandler->handleFileUpload($uploadedFile, $validators, $destination, FileSystemInterface::EXISTS_RENAME, FALSE);
+      if ($uploadResult->hasViolations()) {
+        throw new UnprocessableEntityHttpException((string) $uploadResult->getViolations());
+      }
    }
    catch (FileException $e) {
-      throw new HttpException(500, 'Temporary file could not be moved to file location');
+      throw new HttpException(500, 'File could not be saved');
+    }
+    catch (LockAcquiringException $e) {
+      throw new HttpException(503, sprintf('File "%s" is already locked for writing.', $upload->getClientOriginalName()), NULL, ['Retry-After' => 1]);
    }
-    $file->save();
    $this->lock->release($lock_id);
+    $file = $uploadResult->getFile();
    return new JsonResponse([
      'url' => $file->createFileUrl(),
      'uuid' => $file->uuid(),
@@ -219,6 +171,28 @@ public function upload(Request $request) {
    ], 201);
  }
+  /**
+   * Gets the image upload validators.
+   */
+  protected function getImageUploadValidators(array $settings): array {
+    $max_filesize = min(Bytes::toNumber($settings['max_size']), Environment::getUploadMaxSize());
+    $max_dimensions = 0;
+    if (!empty($settings['max_dimensions']['width']) || !empty($settings['max_dimensions']['height'])) {
+      $max_dimensions = $settings['max_dimensions']['width'] . 'x' . $settings['max_dimensions']['height'];
+    }
+    return [
+      'FileExtension' => [
+        'extensions' => self::DEFAULT_IMAGE_EXTENSIONS,
+      ],
+      'FileSizeLimit' => [
+        'fileLimit' => $max_filesize,
+      ],
+      'FileImageDimensions' => [
+        'maxDimensions' => $max_dimensions,
+      ],
+    ];
+  }
  /**
   * Access check based on whether image upload is enabled or not.
   *
@@ -239,48 +213,6 @@ public function imageUploadEnabledAccess(Editor $editor) {
    return AccessResult::allowed();
  }
-  /**
-   * Validates the file.
-   *
-   * @param \Drupal\file\FileInterface $file
-   *   The file entity to validate.
-   * @param array $validators
-   *   An array of upload validators to pass to the FileValidator.
-   *
-   * @return \Drupal\Core\Entity\EntityConstraintViolationListInterface
-   *   The list of constraint violations, if any.
-   */
-  protected function validate(FileInterface $file, array $validators) {
-    $violations = $file->validate();
-    // Remove violations of inaccessible fields as they cannot stem from our
-    // changes.
-    $violations->filterByFieldAccess();
-    // Validate the file based on the field definition configuration.
-    $violations->addAll($this->fileValidator->validate($file, $validators));
-    return $violations;
-  }
-  /**
-   * Prepares the filename to strip out any malicious extensions.
-   *
-   * @param string $filename
-   *   The file name.
-   * @param string $allowed_extensions
-   *   The allowed extensions.
-   *
-   * @return string
-   *   The prepared/munged filename.
-   */
-  protected function prepareFilename(string $filename, string $allowed_extensions): string {
-    $event = new FileUploadSanitizeNameEvent($filename, $allowed_extensions);
-    $this->eventDispatcher->dispatch($event);
-    return $event->getFilename();
-  }
  /**
   * Generates a lock ID based on the file URI.
   *