mirror of
synced 2025-02-20 16:46:16 +00:00
GET routes are not protected against CSRF. This commit changes the needed URLs to POST and replace simple links with forms. Thanks @fdb-hiroshima for noticing it!
117 lines
4.1 KiB
117 lines
4.1 KiB
use guid_create::GUID;
use multipart::server::{Multipart, save::{SavedData, SaveResult}};
use rocket::{Data, http::ContentType, response::{NamedFile, Redirect}};
use rocket_contrib::Template;
use serde_json;
use std::{fs, path::{Path, PathBuf}};
use plume_models::{db_conn::DbConn, medias::*, users::User};
fn list(user: User, conn: DbConn) -> Template {
let medias = Media::for_user(&*conn, user.id);
Template::render("medias/index", json!({
"account": user.to_json(&*conn),
"medias": medias.into_iter().map(|m| m.to_json(&*conn)).collect::<Vec<serde_json::Value>>()
fn new(user: User, conn: DbConn) -> Template {
Template::render("medias/new", json!({
"account": user.to_json(&*conn),
"form": {},
"errors": {}
#[post("/medias/new", data = "<data>")]
fn upload(user: User, data: Data, ct: &ContentType, conn: DbConn) -> Redirect {
if ct.is_form_data() {
let (_, boundary) = ct.params().find(|&(k, _)| k == "boundary").expect("No boundary");
match Multipart::with_body(data.open(), boundary).save().temp() {
SaveResult::Full(entries) => {
let fields = entries.fields;
let filename = fields.get(&"file".to_string()).unwrap().into_iter().next().unwrap().headers
.unwrap_or("x.png".to_string()); // PNG by default
let ext = filename.rsplitn(2, ".")
let dest = format!("media/{}.{}", GUID::rand().to_string(), ext);
if let SavedData::Bytes(ref bytes) = fields[&"file".to_string()][0].data {
fs::write(&dest, bytes).expect("Couldn't save upload");
} else {
if let SavedData::File(ref path, _) = fields[&"file".to_string()][0].data {
fs::copy(path, &dest).expect("Couldn't copy temp upload");
} else {
println!("not file");
return Redirect::to(uri!(new));
let has_cw = read(&fields[&"cw".to_string()][0].data).len() > 0;
let media = Media::insert(&*conn, NewMedia {
file_path: dest,
alt_text: read(&fields[&"alt".to_string()][0].data),
is_remote: false,
remote_url: None,
sensitive: has_cw,
content_warning: if has_cw {
} else {
owner_id: user.id
Redirect::to(uri!(details: id = media.id))
SaveResult::Partial(_, _) | SaveResult::Error(_) => {
println!("partial err");
} else {
println!("not form data");
fn read(data: &SavedData) -> String {
if let SavedData::Text(s) = data {
} else {
panic!("Field is not a string")
fn details(id: i32, user: User, conn: DbConn) -> Template {
let media = Media::get(&*conn, id);
Template::render("medias/details", json!({
"account": user.to_json(&*conn),
"media": media.map(|m| m.to_json(&*conn))
fn delete(id: i32, _user: User, conn: DbConn) -> Redirect {
let media = Media::get(&*conn, id).expect("Media to delete not found");
fn set_avatar(id: i32, user: User, conn: DbConn) -> Redirect {
let media = Media::get(&*conn, id).expect("Media to delete not found");
user.set_avatar(&*conn, media.id);
Redirect::to(uri!(details: id = id))
#[get("/static/media/<file..>", rank = 1)]
fn static_files(file: PathBuf) -> Option<NamedFile> {