Attempt to obscure resize url's by adding in an md5 checksum.

2012-06-02 23:01:06 -04:00 · 2012-06-02 23:01:06 -04:00 · d90eb9b884
commit d90eb9b884
parent e9bd604a63
2 changed files with 7 additions and 2 deletions
--- a/3.0/modules/fotomotorw/controllers/fotomotorw.php
+++ b/3.0/modules/fotomotorw/controllers/fotomotorw.php
@ -19,7 +19,7 @@
 */
 
 class FotomotorW_Controller extends Controller {
-  public function resize($item_id) {
+  public function resize($str_checksum, $item_id) {
    // Displayed the "resized" version of an image by it's ID number.
    //  This both gives fotomoto access to resizes regardless of permissions
    //  and forces fotomoto to track images by unique id instead of file name
@ -31,6 +31,11 @@ class FotomotorW_Controller extends Controller {
      throw new Kohana_404_Exception();
    }

+    // Make sure checksum matches, if not, throw a 404 error.
+    if ($str_checksum != md5($item->created)) {
+      throw new Kohana_404_Exception();
+    }
+
    // If the resize file doesn't exist for some reason, display a 404 error.
    if (!file_exists($item->resize_path())) {
      throw new Kohana_404_Exception();
--- a/3.0/modules/fotomotorw/views/fotomotorw_block.html.php
+++ b/3.0/modules/fotomotorw/views/fotomotorw_block.html.php
@ -10,6 +10,6 @@
 </center>
 <script>
  function showFotomotoDialog(window_type) {
-    FOTOMOTO.API.showWindow(window_type, "<?= url::abs_site("fotomotorw/resize/{$item->id}"); ?>");
+    FOTOMOTO.API.showWindow(window_type, "<?= url::abs_site("fotomotorw/resize/" . md5($item->created) . "/{$item->id}"); ?>");
  }
 </script>