<?php
-header('Content-Type: text/plain');
-header('Access-Control-Allow-Origin: http://yxnggys.cluster020.hosting.ovh.net');
-if (!isset($_POST['token']) || !$_POST['token']) {
- exit;
+
+// Valid referring domains for cross-origin requests
+$whitelist = [
+ 'www.ccv-montpellier.fr', // Also used as default fallback
+ 'yxnggys.cluster020.hosting.ovh.net',
+ 'ccv.test',
+];
+
+// Base destination path for uploads
+$destination_root = realpath(__DIR__ . '/../patients/');
+
+//=========================================
+
+// Check if referrer is in the whitelist and set CORS header accordingly
+if (isset($_SERVER['HTTP_ORIGIN'])) {
+
+ foreach ($whitelist as $domain) {
+ if (strpos($_SERVER['HTTP_ORIGIN'], $domain) !== false) {
+ $origin = $_SERVER['HTTP_ORIGIN'];
+ break;
+ }
+ }
+
+ // URL of site that will be calling
+ $allowed_origin = $origin ?? "https://{$whitelist[0]}";
+
+ header("Access-Control-Allow-Origin: $allowed_origin");
}
-$root=realpath(__DIR__ . '/../patients/');
-$dir = $root.'/' . $_POST['token'] . '/';
-// Create dir if not exits
-if (!file_exists($dir)) {
- mkdir($dir, 0777, true);
+// Token must be set!
+if (!isset($_POST['token']) || empty($_POST['token'])) {
+ exit;
}
+// Final destination for uploads
+$destination = $destination_root . '/' . $_POST['token'] . '/';
+
+if (!file_exists($destination)) {
+ mkdir($destination, 0777, true);
+}
-// Copy all files received in the directory
+// Handle uploads
+$successful_uploads = [];
+// All successful uploads are copied into the current patient directory
foreach ($_FILES['files']['name'] as $index => $name) {
if ($_FILES['files']['error'][$index]) {
continue;
}
- move_uploaded_file($_FILES['files']['tmp_name'][$index], $dir . $name);
-}
\ No newline at end of file
+ move_uploaded_file($_FILES['files']['tmp_name'][$index], $destination . $name);
+
+ $successful_uploads[] = $name;
+}
+
+$result = [
+ 'successful_uploads' => count($successful_uploads),
+ 'uploads' => $successful_uploads,
+];
+
+header('Content-Type: application/json');
+echo json_encode($result);
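Review bot: `$_POST['token']` on L44 and the client-supplied `$name` on L60 are concatenated into the filesystem path without any validation, so nothing confines the write to `$destination_root`; restrict the token to a fixed character class before building the path and use `basename($name)` for the file component. The origin check on L23 uses `strpos`, a substring match, so the comparison does not actually restrict the reflected `Access-Control-Allow-Origin` to the listed hosts — compare the parsed host exactly, `in_array(parse_url($_SERVER['HTTP_ORIGIN'], PHP_URL_HOST), $whitelist, true)`. The return value of `move_uploaded_file` is ignored, so a failed move is still appended to `$successful_uploads` and reported as a success in the JSON result. The `foreach` on L53 also assumes `$_FILES['files']['name']` exists; a request with no files emits a warning there, which `$_FILES['files']['name'] ?? []` avoids.
```php
// Check if referrer is in the whitelist and set CORS header accordingly
if (isset($_SERVER['HTTP_ORIGIN'])) {
    $origin_host = parse_url($_SERVER['HTTP_ORIGIN'], PHP_URL_HOST);
    if (in_array($origin_host, $whitelist, true)) {
        $origin = $_SERVER['HTTP_ORIGIN'];
    }
    // … unchanged: $allowed_origin fallback and header() …
}
// Token must be set and must be a single safe path component
if (!isset($_POST['token']) || !preg_match('/\A[A-Za-z0-9_-]+\z/', $_POST['token'])) {
    exit;
}
// … unchanged: $destination and mkdir …
foreach ($_FILES['files']['name'] ?? [] as $index => $name) {
    if ($_FILES['files']['error'][$index]) {
        continue;
    }
    $safe_name = basename($name);
    if (move_uploaded_file($_FILES['files']['tmp_name'][$index], $destination . $safe_name)) {
        $successful_uploads[] = $safe_name;
    }
}
// … unchanged: $result and JSON output …
```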