From ae78e793dd3d026e376def042d2b88fbec9ecd80 Mon Sep 17 00:00:00 2001
From: Chirag Aggarwal <chiragaggarwal5k@gmail.com>
Date: Wed, 26 Feb 2025 08:52:06 +0000
Subject: [PATCH] chore: added blocking to file preview endpoint

---
 app/config/errors.php             |  5 +++++
 app/controllers/api/storage.php   | 18 ++++++++++--------
 src/Appwrite/Extend/Exception.php |  1 +
 3 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/app/config/errors.php b/app/config/errors.php
index 7c7f6dc9ec..d8a5c798d3 100644
--- a/app/config/errors.php
+++ b/app/config/errors.php
@@ -480,6 +480,11 @@ return [
         'description' => 'The requested file is not publicly readable.',
         'code' => 403,
     ],
+    Exception::STORAGE_FILE_PREVIEW_BLOCKED => [
+        'name' => Exception::STORAGE_FILE_PREVIEW_BLOCKED,
+        'description' => 'File preview is not available on your pricing current tier.',
+        'code' => 403,
+    ],
 
     /** VCS */
     Exception::INSTALLATION_NOT_FOUND => [
diff --git a/app/controllers/api/storage.php b/app/controllers/api/storage.php
index 972232167b..38e74ad2ee 100644
--- a/app/controllers/api/storage.php
+++ b/app/controllers/api/storage.php
@@ -935,15 +935,13 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/preview')
     ->param('rotation', 0, new Range(-360, 360), 'Preview image rotation in degrees. Pass an integer between -360 and 360.', true)
     ->param('background', '', new HexColor(), 'Preview image background color. Only works with transparent images (png). Use a valid HEX color, no # is needed for prefix.', true)
     ->param('output', '', new WhiteList(\array_keys(Config::getParam('storage-outputs')), true), 'Output format type (jpeg, jpg, png, gif and webp).', true)
-    ->inject('request')
     ->inject('response')
-    ->inject('project')
+    ->inject('plan')
     ->inject('dbForProject')
-    ->inject('mode')
     ->inject('deviceForFiles')
     ->inject('deviceForLocal')
     ->inject('queueForStatsUsage')
-    ->action(function (string $bucketId, string $fileId, int $width, int $height, string $gravity, int $quality, int $borderWidth, string $borderColor, int $borderRadius, float $opacity, int $rotation, string $background, string $output, Request $request, Response $response, Document $project, Database $dbForProject, string $mode, Device $deviceForFiles, Device $deviceForLocal, StatsUsage $queueForStatsUsage) {
+    ->action(function (string $bucketId, string $fileId, int $width, int $height, string $gravity, int $quality, int $borderWidth, string $borderColor, int $borderRadius, float $opacity, int $rotation, string $background, string $output, Response $response, array $plan, Database $dbForProject, Device $deviceForFiles, Device $deviceForLocal, StatsUsage $queueForStatsUsage) {
 
         if (!\extension_loaded('imagick')) {
             throw new Exception(Exception::GENERAL_SERVER_ERROR, 'Imagick extension is missing');
@@ -965,6 +963,12 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/preview')
             throw new Exception(Exception::USER_UNAUTHORIZED);
         }
 
+        if (isset($plan['imageTransformations'])) {
+            if ($plan['imageTransformations'] === -1) {
+                throw new Exception(Exception::STORAGE_FILE_PREVIEW_BLOCKED);
+            }
+        }
+
         if ($fileSecurity && !$valid) {
             $file = $dbForProject->getDocument('bucket_' . $bucket->getInternalId(), $fileId);
         } else {
@@ -1073,8 +1077,7 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/preview')
 
         $queueForStatsUsage
             ->addMetric(METRIC_FILES_TRANSFORMATIONS, 1)
-            ->addMetric(str_replace('{bucketInternalId}', $bucket->getInternalId(), METRIC_BUCKET_ID_FILES_TRANSFORMATIONS), 1)
-        ;
+            ->addMetric(str_replace('{bucketInternalId}', $bucket->getInternalId(), METRIC_BUCKET_ID_FILES_TRANSFORMATIONS), 1);
 
         $transformedAt = $file->getAttribute('transformedAt', '');
         if (DateTime::formatTz(DateTime::addSeconds(new \DateTime(), -APP_PROJECT_ACCESS)) > $transformedAt) {
@@ -1085,8 +1088,7 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/preview')
         $response
             ->addHeader('Cache-Control', 'private, max-age=2592000') // 30 days
             ->setContentType($contentType)
-            ->file($data)
-        ;
+            ->file($data);
 
         unset($image);
     });
diff --git a/src/Appwrite/Extend/Exception.php b/src/Appwrite/Extend/Exception.php
index d4f47ca177..7f601018fe 100644
--- a/src/Appwrite/Extend/Exception.php
+++ b/src/Appwrite/Extend/Exception.php
@@ -143,6 +143,7 @@ class Exception extends \Exception
     public const STORAGE_INVALID_RANGE             = 'storage_invalid_range';
     public const STORAGE_INVALID_APPWRITE_ID       = 'storage_invalid_appwrite_id';
     public const STORAGE_FILE_NOT_PUBLIC           = 'storage_file_not_public';
+    public const STORAGE_FILE_PREVIEW_BLOCKED      = 'storage_file_preview_blocked';
 
     /** VCS */
     public const INSTALLATION_NOT_FOUND            = 'installation_not_found';