From eaa621841f04c1dfcc5ce98edf357d5a0d8cedfa Mon Sep 17 00:00:00 2001
From: Johannes Zellner <johannes@nebulon.de>
Date: Sat, 27 Jun 2015 16:07:25 +0200
Subject: Ensure directories

---
 src/files.js | 43 +++++++++++++++++++++++++------------------
 1 file changed, 25 insertions(+), 18 deletions(-)

(limited to 'src')

diff --git a/src/files.js b/src/files.js
index 55e8978..3812d21 100644
--- a/src/files.js
+++ b/src/files.js
@@ -4,6 +4,7 @@ var fs = require('fs'),
     path = require('path'),
     ejs = require('ejs'),
     rimraf = require('rimraf'),
+    mkdirp = require('mkdirp'),
     HttpError = require('connect-lastmile').HttpError,
     HttpSuccess = require('connect-lastmile').HttpSuccess;
 
@@ -19,28 +20,33 @@ var FILE_BASE = path.resolve(__dirname, '../files');
 function copyFile(source, target, cb) {
     var cbCalled = false;
 
-    var rd = fs.createReadStream(source);
-        rd.on("error", function(err) {
-        done(err);
-    });
+    // ensure directory
+    mkdirp(path.dirname(target), function (error) {
+        if (error) return cb(error);
 
-    var wr = fs.createWriteStream(target);
-        wr.on("error", function(err) {
-        done(err);
-    });
+        var rd = fs.createReadStream(source);
+            rd.on("error", function(err) {
+            done(err);
+        });
 
-    wr.on("close", function(ex) {
-        done();
-    });
+        var wr = fs.createWriteStream(target);
+            wr.on("error", function(err) {
+            done(err);
+        });
 
-    rd.pipe(wr);
+        wr.on("close", function(ex) {
+            done();
+        });
+
+        rd.pipe(wr);
 
-    function done(err) {
-        if (!cbCalled) {
-            cb(err);
-            cbCalled = true;
+        function done(err) {
+            if (!cbCalled) {
+                cb(err);
+                cbCalled = true;
+            }
         }
-    }
+    });
 }
 
 function render(view, options) {
@@ -99,7 +105,8 @@ function put(req, res, next) {
 function del(req, res, next) {
     var filePath = req.params[0];
     var absoluteFilePath = getAbsolutePath(filePath);
-    if (!absoluteFilePath) return next(new HttpError(403, 'Path not allowed'));
+    if (!absoluteFilePath) return next(new HttpError(404, 'Not found'));
+    if (absoluteFilePath.slice(FILE_BASE.length) === '') return next(new HttpError(403, 'Forbidden'));
 
     fs.stat(absoluteFilePath, function (error, result) {
         if (error) return next(new HttpError(404, error));
-- 
cgit v1.2.3