Maxim Dolgolyov
53e996e2e0
/api/files/:id/download требует Bearer-заголовок, поэтому <img>, переход по
ссылке и «Скачать» для сохранённых картинок ломались (битое изображение,
клик не открывал). Теперь личные картинки складываются в uploads/materials и
отдаются статикой (как flashcards): POST /api/files/personal возвращает
{ url:'/uploads/materials/<file>' }. board-clip, material-save, textbook-clip
и рисовалка в my-materials сохраняют этот публичный url.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
100 lines
5.5 KiB
JavaScript
100 lines
5.5 KiB
JavaScript
const router = require('express').Router();
|
|
const multer = require('multer');
|
|
const path = require('path');
|
|
const { v4: uuidv4 } = require('crypto').randomUUID ? { v4: () => require('crypto').randomBytes(16).toString('hex') } : {};
|
|
const { authMiddleware, requireRole, requirePermission } = require('../middleware/auth');
|
|
const ctrl = require('../controllers/fileController');
|
|
const { fixUtf8Name } = require('../utils/fixUtf8');
|
|
|
|
/* ── multer config ─────────────────────────────────────────────────────── */
|
|
const UPLOADS_DIR = path.join(__dirname, '../../uploads');
|
|
const ALLOWED = ['application/pdf','image/png','image/jpeg','image/gif','image/webp',
|
|
'application/msword',
|
|
'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
|
|
'application/vnd.ms-powerpoint',
|
|
'application/vnd.openxmlformats-officedocument.presentationml.presentation',
|
|
'application/vnd.ms-excel',
|
|
'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
|
|
'text/plain'];
|
|
|
|
const storage = multer.diskStorage({
|
|
destination: UPLOADS_DIR,
|
|
filename: (_req, file, cb) => {
|
|
const ext = path.extname(file.originalname);
|
|
const name = require('crypto').randomBytes(16).toString('hex') + ext;
|
|
cb(null, name);
|
|
},
|
|
});
|
|
|
|
const SAFE_EXTS = new Set(['.pdf','.png','.jpg','.jpeg','.gif','.webp','.doc','.docx','.ppt','.pptx','.xls','.xlsx','.txt']);
|
|
|
|
const upload = multer({
|
|
storage,
|
|
limits: { fileSize: 50 * 1024 * 1024 }, // 50 MB
|
|
fileFilter: (_req, file, cb) => {
|
|
if (!ALLOWED.includes(file.mimetype)) return cb(null, false);
|
|
// Reject double extensions (.php.jpg, .exe.pdf, etc.)
|
|
const name = file.originalname;
|
|
const parts = name.split('.');
|
|
if (parts.length > 2) {
|
|
const inner = '.' + parts[parts.length - 2].toLowerCase();
|
|
if (['.php','.exe','.sh','.bat','.cmd','.ps1','.js','.html','.htm'].includes(inner)) return cb(null, false);
|
|
}
|
|
// Verify file extension is allowed
|
|
const ext = path.extname(name).toLowerCase();
|
|
if (ext && !SAFE_EXTS.has(ext)) return cb(null, false);
|
|
cb(null, true);
|
|
},
|
|
});
|
|
|
|
/* Personal image upload (Мои материалы): image-only, no library permission.
|
|
* Stored in uploads/materials and served statically (public) so the saved
|
|
* <img>/open/download URL works without an auth header — these are personal
|
|
* study clips (board crops, drawings, textbook regions), not gated files. */
|
|
const MATERIALS_DIR = path.join(UPLOADS_DIR, 'materials');
|
|
try { require('fs').mkdirSync(MATERIALS_DIR, { recursive: true }); } catch (e) { /* exists */ }
|
|
const IMG_MIME = ['image/png','image/jpeg','image/gif','image/webp'];
|
|
const IMG_EXT = new Set(['.png','.jpg','.jpeg','.gif','.webp']);
|
|
const materialStorage = multer.diskStorage({
|
|
destination: MATERIALS_DIR,
|
|
filename: (_req, file, cb) => {
|
|
const ext = path.extname(file.originalname || '') || '.png';
|
|
cb(null, require('crypto').randomBytes(16).toString('hex') + ext);
|
|
},
|
|
});
|
|
const imageUpload = multer({
|
|
storage: materialStorage,
|
|
limits: { fileSize: 20 * 1024 * 1024 }, // 20 MB
|
|
fileFilter: (_req, file, cb) => {
|
|
const ext = path.extname(file.originalname || '').toLowerCase();
|
|
cb(null, IMG_MIME.includes(file.mimetype) && (IMG_EXT.has(ext) || ext === ''));
|
|
},
|
|
});
|
|
|
|
/* ── routes ─────────────────────────────────────────────────────────────── */
|
|
router.use(authMiddleware);
|
|
|
|
router.get('/', ctrl.listFiles);
|
|
router.post('/', requireRole('teacher','admin'), requirePermission('library.upload'), upload.single('file'), fixUtf8Name, ctrl.uploadFile);
|
|
// Personal materials upload — any authenticated user (covered by router-level authMiddleware)
|
|
router.post('/personal', imageUpload.single('file'), ctrl.uploadPersonalFile);
|
|
|
|
/* ── folder routes (must be before /:id to avoid conflicts) ── */
|
|
router.get('/folders', ctrl.listFolders);
|
|
router.post('/folders', requireRole('teacher','admin'), requirePermission('library.folders'), ctrl.createFolder);
|
|
router.put('/folders/:id',requireRole('teacher','admin'), requirePermission('library.folders'), ctrl.renameFolder);
|
|
router.delete('/folders/:id', requireRole('teacher','admin'), requirePermission('library.folders'), ctrl.deleteFolder);
|
|
router.get('/folders/:id/access', requireRole('teacher','admin'), requirePermission('library.folders'), ctrl.getFolderAccess);
|
|
router.delete('/folders/:id/access', requireRole('teacher','admin'), requirePermission('library.folders'), ctrl.clearFolderAccess);
|
|
router.post('/folders/:id/assign', requireRole('teacher','admin'), requirePermission('library.folders'), ctrl.assignFolder);
|
|
router.delete('/folders/:id/assign/:type/:targetId', requireRole('teacher','admin'), requirePermission('library.folders'), ctrl.unassignFolder);
|
|
|
|
router.patch('/:id/move', requireRole('teacher','admin'), ctrl.moveFile);
|
|
router.get('/:id/download', ctrl.downloadFile);
|
|
router.delete('/:id', requireRole('teacher','admin'), ctrl.deleteFile);
|
|
router.get('/:id/access', requireRole('teacher','admin'), ctrl.getFileAccess);
|
|
router.post('/:id/assign', requireRole('teacher','admin'), ctrl.assignFile);
|
|
router.delete('/:id/assign/:type/:targetId', requireRole('teacher','admin'), ctrl.unassignFile);
|
|
|
|
module.exports = router;
|