FriendsOfFlarum upload, the intelligent file attachment extension

orschiro post your fof upload settings, it's likely a mimetype/regex issue.

@luceos see below, thanks!

davwheat same issue, sadly.

Failed to load resource: the server responded with a status of 500 ()???

I am currently in the process of migrating an old SMF Forum to Flarum - with fof-upload enabled. Is there a way to upload old SMF-Attachments via API to Flarum in this migration process?

I managed to solve this for User-Avatars (see below) but i am somewhat at a loss to solve this for attachments to a post in Flarum. As Flarum needs fof-upload to upload images to posts, i guessed it had to be done via the plugins upload URL /api/fof/upload. Looking at the network traffic from /api/fof/upload it seems, that the only thing sent with the POST-request is the image itself, but no User-ID, filename or such things. And at least the User-ID might be necessary to populate actor_id in the table fof_upload_files correctly.

Maybe somebody can point me in the right direction...

// Avatar Migration
$avatar = array();
$avatar = $smf->query('SELECT * FROM `smf_attachments` WHERE ID_MEMBER = '.$userId)->fetchAll();
// Buggy Avatar Picture for SMF user with id 739
if (count($avatar) > 0 && $userId != 739) {
    // echo $userId."\n";
    // var_dump($avatar);
    $avatarUrl = smf_url."index.php?action=dlattach;attach=".$avatar[0]['ID_ATTACH'].";type=avatar";

    if (file_put_contents('/tmp/avatarmigration', fopen($avatarUrl, 'r'))) {
        $response = $api->request(
            'POST',
            'users/' . $userId . '/avatar',
            [
                'multipart' => [
                    [
                        'name' => 'avatar',
                        'contents' => fopen('/tmp/avatarmigration', 'r'),
                        'filename' => 'avatar-migrated-from-smf.png'
                    ]
                ]
            ]
        );
        // var_dump(json_decode($response->getBody(), true));
    }
}

I guess i figured it out. This seems to work:

if (file_put_contents('/tmp/attachmentmigration', fopen($attachmentUrl, 'r'))) {
    $response = $api->request(
        'POST',
        'fof/upload',
        [
            'multipart' => [
                [
                    'name' => 'files[]',
                    'filename' => $attachment['filename'],
                    'contents' => fopen('/tmp/attachmentmigration', 'r'),
                ]
            ]
        ]
    );
    $fofUploadResponse = json_decode($response->getBody(), true);
    // print_r($fofUploadResponse);

    // update actor_id / user_id for file-attachment in database
    $fla->query("UPDATE fof_upload_files SET actor_id = ".$post->fla_id." WHERE id = ".$fofUploadResponse['data'][0]['id']);

    // prepare BBCode to attach at end of Post
    $fileAttachmentBBCode = $fileAttachmentBBCode."\n\n".$fofUploadResponse['data'][0]['attributes']['bbcode'];
}

All the migrations I have done in the past were "offline" migrations, where I directly populated the database with new records. You could create the uploaded file in the correct folder than directly insert the new line in the fof_upload_files table.

Using the Flarum REST API is another solution, and your code seems to do the job.

To provide an actor to the REST API you can either create a user access token and pass that token as a header during the request, or when using the internal API Client class like you do, you can use the ->withActor($actor) chain method https://github.com/flarum/core/blob/master/src/Api/Client.php#L61

I don't think FoF Upload has any rate limiting so this method should work fine. It would have been more complicated to use the REST API if there were upload limits per user.

There doesn't seem to be any risk here as long as you trust $post->fla_id, but beware of SQL injections when using ->query() method without SQL bindings. $fofUploadResponse['data'][0]['id'] can be trusted to always be a string if the server isn't compromised. You could build the same request using Laravel's query builder, or by using bindings with the values passed as a second parameter.

Thanks for your feedback. As security should always be a concern, the migration-script will run one (final) time on the CLI and i trust the script and data so far.

I'm also switching servers and the forums subdomain in the process. Therefore to download the attachments from the old server and insert it via API seems to be the "smoother" approach. I am currently testing with a complete dataset (_336k posts with "only" ₅₃₀ attachments) to see if there are some issues or rate limits.

clarkwinkelmann To provide an actor to the REST API you can either create a user access token and pass that token as a header during the request, or when using the internal API Client class like you do, you can use the ->withActor($actor) chain method https://github.com/flarum/core/blob/master/src/Api/Client.php#L61

Thanks for the hint. But i am not sure, if i understand it correctly? What do you mean with "internal API Client"? I use $api = new GuzzleHttp\Client([...]) in my migration-script to connect to the API of Flarum. Adding $response = $api->request(...)->withActor($actor) results in an error. Besides $actor needs to be a User-Object and i only have the ID of the Post-User when looping over the individual posts.

wolfman oops, sorry. I had assumed your code was using Flarum\Api\Client, which is a class available to Flarum extensions to perform requests to REST endpoints without actually making any real HTTP request. If your script is not a Flarum extension, it won't have access to that feature.

Actually, access tokens probably aren't a realistic approach here. But an API Key might be a solution because you can specify which actor you want while using a single global key. Maybe you are already using an API key in the part of your code that's not visible (Guzzle client constructor parameters)? In the Authorization header you can specify the user ID with ;userId=1 at the end when passing an API key.

Unfortunately it's not well documented at the moment. Some info about access tokens and API keys can be found here flarum/docs44 I can give more details if needed.

wolfman Edit: I just checked tha database and api_keys.user_id can be NULL. So i guess there is no need for different API-Keys for each user, which makes this a cleaner approach.

That's exactly it. If you leave the value null in the database, then you are allowed to provide any userId during usage.

Is it possible to add a reverse proxy setting to imgur, changing http://i.imgur.com to http://proxy.xxx.com/proxy/http://i.imgur.com . I would really like to solve this problem, thank you!

cloudclassml there is currently no option for this in the extension. We can consider it. Someone could also submit a PR.

If you don't need to use one of the FoF Upload bbcodes (image preview, file download, etc.) but only use the markdown or [img] bbcode, then this could also be implemented as a separate extension that would replace all imgur links in a post rather than FoF Upload URLs prior to insertion in the post content.

davwheat luceos added myself to FriendsOfFlarum/upload269. Hope that's the correct way!