Force JSON request for getting paste data

2017-04-11 16:34:13 +02:00
parent ab2e789aee
commit 183ebe518b
8 changed files with 159 additions and 80 deletions
--- a/lib/Model/Paste.php
+++ b/lib/Model/Paste.php
@@ -158,7 +158,7 @@ class Paste extends AbstractModel
     *
     * The token is the hmac of the pastes ID signed with the server salt.
     * The paste can be deleted by calling:
-     * http://example.com/privatebin/?pasteid=<pasteid>&deletetoken=<deletetoken>
+     * https://example.com/privatebin/?pasteid=<pasteid>&deletetoken=<deletetoken>
     *
     * @access public
     * @return string
--- a/lib/PrivateBin.php
+++ b/lib/PrivateBin.php
@@ -147,7 +147,10 @@ class PrivateBin
                );
                break;
            case 'read':
-                $this->_read($this->_request->getParam('pasteid'));
+                // reading paste is disallowed in HTML display
+                if ($this->_request->isJsonApiCall()) {
+                    $this->_read($this->_request->getParam('pasteid'));
+                }
                break;
            case 'jsonld':
                $this->_jsonld($this->_request->getParam('jsonld'));
@@ -328,10 +331,10 @@ class PrivateBin
                // deleted if it has already expired
                $burnafterreading = $paste->isBurnafterreading();
                if (
-                    ($burnafterreading && $deletetoken == 'burnafterreading') ||
-                    Filter::slowEquals($deletetoken, $paste->getDeleteToken())
+                    ($burnafterreading && $deletetoken == 'burnafterreading') || // either we burn-after it has been read //@TODO: not needed anymore now?
+                    Filter::slowEquals($deletetoken, $paste->getDeleteToken()) // or we manually delete it with this secret token
                ) {
-                    // Paste exists and deletion token is valid: Delete the paste.
+                    // Paste exists and deletion token (if required) is valid: Delete the paste.
                    $paste->delete();
                    $this->_status = 'Paste was properly deleted.';
                } else {
@@ -373,6 +376,11 @@ class PrivateBin
                    unset($data->meta->salt);
                }
                $this->_data = json_encode($data);
+
+                // If the paste was meant to be read only once, delete it.
+                if ($paste->isBurnafterreading()) {
+                    $paste->delete();
+                }
            } else {
                $this->_error = self::GENERIC_ERROR;
            }