WebAPP/app/Http/Controllers/Admin/FileController.php

<?php

namespace App\Http\Controllers\Admin;

use App\Http\Controllers\Controller;
use App\Models\ActivityLog;
use App\Models\File;
use App\Models\FileCategory;
use App\Models\Setting;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Str;
use Illuminate\View\View;

class FileController extends Controller
{
    public function index(Request $request): View
    {
        if (!Setting::isFeatureVisibleFor('files', auth()->user())) {
            abort(403);
        }

        $categories = FileCategory::ordered()->withCount('files')->get();
        $activeCategory = $request->query('category');

        $query = File::with(['category', 'uploader'])->latest();

        if ($activeCategory) {
            $query->whereHas('category', fn ($q) => $q->where('slug', $activeCategory));
        }

        $files = $query->paginate(25)->withQueryString();

        return view('admin.files.index', compact('categories', 'files', 'activeCategory'));
    }

    public function create(): View
    {
        if (!Setting::isFeatureVisibleFor('files', auth()->user())) {
            abort(403);
        }

        $categories = FileCategory::active()->ordered()->get();
        return view('admin.files.create', compact('categories'));
    }

    public function store(Request $request): RedirectResponse
    {
        if (!Setting::isFeatureVisibleFor('files', auth()->user())) {
            abort(403);
        }

        $request->validate([
            'file' => ['required', 'file', 'max:10240', 'mimes:pdf,docx,xlsx,jpg,jpeg,png,gif,webp'],
            'file_category_id' => ['required', 'exists:file_categories,id'],
        ]);

        $uploadedFile = $request->file('file');
        $extension = $uploadedFile->guessExtension();
        $storedName = Str::uuid() . '.' . $extension;

        Storage::disk('local')->putFileAs('files', $uploadedFile, $storedName);

        $file = new File([
            'file_category_id' => $request->file_category_id,
            'original_name' => $uploadedFile->getClientOriginalName(),
            'mime_type' => $uploadedFile->getClientMimeType(),
            'size' => $uploadedFile->getSize(),
        ]);
        $file->stored_name = $storedName;
        $file->disk = 'private';
        $file->uploaded_by = auth()->id();
        $file->save();

        ActivityLog::logWithChanges('uploaded', __('admin.log_file_uploaded', ['name' => $file->original_name]), 'File', $file->id, null, ['name' => $file->original_name, 'category' => $file->category->name ?? '']);

        return redirect()->route('admin.files.index')
            ->with('success', __('admin.file_uploaded'));
    }

    public function destroy(File $file): RedirectResponse
    {
        if (!Setting::isFeatureVisibleFor('files', auth()->user())) {
            abort(403);
        }

        // Path-Traversal-Schutz (V15)
        if (str_contains($file->stored_name, '..') || str_contains($file->stored_name, '/')) {
            abort(403);
        }

        ActivityLog::logWithChanges('deleted', __('admin.log_file_deleted', ['name' => $file->original_name]), 'File', $file->id, ['name' => $file->original_name, 'category' => $file->category->name ?? ''], null);

        Storage::disk('local')->delete('files/' . $file->stored_name);
        $file->delete();

        return back()->with('success', __('admin.file_deleted'));
    }
}