QT/InvoiceShelf
1
0
Fork 0
mirror of https://github.com/InvoiceShelf/InvoiceShelf.git synced 2026-04-19 03:04:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

Secure expense receipts by wiring Media Library to FileDisk

Browse Source 
Spatie Media Library now uses the default FileDisk (local_private) for
new uploads instead of the public disk. Expense receipts are no longer
directly web-accessible.

- AppServiceProvider configures media-library disk from FileDisk on boot
- Change media-library fallback from 'public' to 'local'
- Expense receipt URL accessor returns authenticated route instead of
  direct file URL
- Add registerMediaCollections() to Expense model
- Prevent deleting FileDisk that contains files or is a system disk
- Add media:secure command to migrate existing receipts to private disk

Fixes #187
This commit is contained in:
Darko Gjorgjijoski
2026-04-07 01:01:59 +02:00
parent 39c9179888
commit 67268ac2b7
5 changed files with 187 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

134
app/Console/Commands/MigrateMediaToPrivateDisk.php Normal file
View File

@@ -0,0 +1,134 @@
<?php
namespace App\Console\Commands;
use App\Models\FileDisk;
use App\Models\Setting;
use Illuminate\Console\Command;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\File;
class MigrateMediaToPrivateDisk extends Command
{
protected $signature = 'media:secure {--dry-run : Show what would be moved without moving}';
protected $description = 'Move sensitive media files (receipts) from the public disk to the private disk';
public function handle(): int
{
$targetDisk = $this->resolveTargetDisk();
if (! $targetDisk) {
$this->error('No target disk found. Set a default FileDisk or configure media_disk_id setting.');
return self::FAILURE;
}
$prefix = env('DYNAMIC_DISK_PREFIX', 'temp_');
$targetDiskName = $prefix.$targetDisk->driver;
$targetDisk->setConfig();
$targetRoot = config('filesystems.disks.'.$targetDiskName.'.root');
if (! $targetRoot) {
$this->error('Could not resolve target disk root path.');
return self::FAILURE;
}
$records = DB::table('media')
->where('disk', 'public')
->where(function ($query) {
$query->where('collection_name', 'receipts');
})
->get();
if ($records->isEmpty()) {
$this->info('No media files to migrate.');
return self::SUCCESS;
}
$this->info('Found '.$records->count().' file(s) to migrate.');
if ($this->option('dry-run')) {
foreach ($records as $record) {
$this->line(" Would move: media/{$record->id}/{$record->file_name}");
}
return self::SUCCESS;
}
$moved = 0;
$skipped = 0;
$publicMediaRoot = public_path('media');
$bar = $this->output->createProgressBar($records->count());
$bar->start();
foreach ($records as $record) {
$relativePath = $record->id.DIRECTORY_SEPARATOR.$record->file_name;
$sourcePath = $publicMediaRoot.DIRECTORY_SEPARATOR.$relativePath;
$destPath = $targetRoot.DIRECTORY_SEPARATOR.$relativePath;
if (! file_exists($sourcePath)) {
$skipped++;
$bar->advance();
continue;
}
$destDir = dirname($destPath);
if (! File::isDirectory($destDir)) {
File::makeDirectory($destDir, 0755, true);
}
File::move($sourcePath, $destPath);
DB::table('media')
->where('id', $record->id)
->update(['disk' => $targetDiskName]);
$moved++;
$bar->advance();
}
$bar->finish();
$this->newLine(2);
$this->info("Done. Moved: {$moved}, Skipped (missing): {$skipped}");
// Clean up empty directories in public/media
$this->cleanEmptyDirectories($publicMediaRoot);
return self::SUCCESS;
}
private function resolveTargetDisk(): ?FileDisk
{
$mediaDiskId = Setting::getSetting('media_disk_id');
if ($mediaDiskId) {
return FileDisk::find($mediaDiskId);
}
return FileDisk::where('set_as_default', true)->first();
}
private function cleanEmptyDirectories(string $path): void
{
if (! File::isDirectory($path)) {
return;
}
$directories = File::directories($path);
foreach ($directories as $dir) {
$this->cleanEmptyDirectories($dir);
if (count(File::allFiles($dir)) === 0 && count(File::directories($dir)) === 0) {
File::deleteDirectory($dir);
}
}
}
}

20
app/Http/Controllers/Admin/Settings/DiskController.php
View File

@@ -11,6 +11,7 @@ use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Http\Resources\Json\AnonymousResourceCollection;
use Illuminate\Support\Facades\DB;
class DiskController extends Controller
{
@@ -158,8 +159,23 @@ class DiskController extends Controller
{
$this->authorize('manage file disk');
if ($disk->setAsDefault() && $disk->type === 'SYSTEM') {
return respondJson('not_allowed', 'Not Allowed');
if ($disk->type === 'SYSTEM') {
return respondJson('not_allowed', 'System disks cannot be deleted.');
}
if ($disk->setAsDefault()) {
return respondJson('not_allowed', 'The default disk cannot be deleted.');
}
$prefix = env('DYNAMIC_DISK_PREFIX', 'temp_');
$diskName = $prefix.$disk->driver;
$mediaCount = DB::table('media')
->where('disk', $diskName)
->orWhere('disk', $disk->driver)
->count();
if ($mediaCount > 0) {
return respondJson('disk_has_files', 'Cannot delete this disk — it contains '.$mediaCount.' file(s). Migrate files first.');
}
$disk->delete();

7
app/Models/Expense.php
View File

@@ -42,6 +42,11 @@ class Expense extends Model implements HasMedia
];
}
public function registerMediaCollections(): void
{
$this->addMediaCollection('receipts');
}
public function category(): BelongsTo
{
return $this->belongsTo(ExpenseCategory::class, 'expense_category_id');
@@ -92,7 +97,7 @@ class Expense extends Model implements HasMedia
if ($media) {
return [
'url' => $media->getFullUrl(),
'url' => '/reports/expenses/'.$this->id.'/receipt',
'type' => $media->type,
];
}

28
app/Providers/AppServiceProvider.php
View File

@@ -2,6 +2,8 @@
namespace App\Providers;
use App\Models\FileDisk;
use App\Models\Setting;
use App\Policies\CompanyPolicy;
use App\Policies\CustomerPolicy;
use App\Policies\DashboardPolicy;
@@ -57,6 +59,7 @@ class AppServiceProvider extends ServiceProvider
if (InstallUtils::isDbCreated()) {
$this->addMenus();
$this->configureMediaDisk();
}
Gate::policy(Role::class, RolePolicy::class);
@@ -166,4 +169,29 @@ class AppServiceProvider extends ServiceProvider
{
Broadcast::routes(['middleware' => 'api.auth']);
}
/**
* Configure Spatie Media Library to use the FileDisk system.
*
* Resolves the media disk from the `media_disk_id` setting,
* falling back to the default FileDisk. This ensures media
* uploads go to a private disk by default.
*/
private function configureMediaDisk(): void
{
try {
$mediaDiskId = Setting::getSetting('media_disk_id');
$disk = $mediaDiskId
? FileDisk::find($mediaDiskId)
: FileDisk::where('set_as_default', true)->first();
if ($disk) {
$disk->setConfig();
$prefix = env('DYNAMIC_DISK_PREFIX', 'temp_');
config(['media-library.disk_name' => $prefix.$disk->driver]);
}
} catch (\Exception $e) {
// DB not yet migrated or settings table missing — use config default
}
}
}

2
config/media-library.php
View File

@@ -31,7 +31,7 @@ return [
* The disk on which to store added files and derived images by default. Choose
* one or more of the disks you've configured in config/filesystems.php.
*/
'disk_name' => env('MEDIA_DISK', 'public'),
'disk_name' => env('MEDIA_DISK', 'local'),
/*
* The maximum file size of an item in bytes.