first commit

app/Http/Controllers/Admin/StorageController.php

@@ -0,0 +1,41 @@
+<?php
+
+namespace App\Http\Controllers\Admin;
+
+use App\Http\Controllers\Controller;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Storage;
+use Illuminate\Support\Facades\Response;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+
+class StorageController extends Controller
+{
+    public function serve(Request $request, $file_path)
+    {
+        $allowed_directory = 'uploads';
+        $file_path = str_replace(['../', '..\\'], '', $file_path);
+        $full_path = storage_path("app/{$allowed_directory}/{$file_path}");
+
+        if (is_dir($full_path)) {
+            throw new NotFoundHttpException('檔案不存在');
+        }
+        
+        if (!Storage::disk('local')->exists("{$allowed_directory}/{$file_path}")) {
+            throw new NotFoundHttpException('檔案不存在');
+        }
+        
+        $real_path = realpath($full_path);
+        $allowed_base_path = realpath(storage_path("app/{$allowed_directory}"));
+        if (!$real_path || strpos($real_path, $allowed_base_path) !== 0) {
+            throw new AccessDeniedHttpException('無權訪問該檔案');
+        }
+        $mime_type = mime_content_type($full_path) ?: 'application/octet-stream';
+        return Response::file($full_path, [
+            'Content-Type' => $mime_type,
+            'Content-Disposition' => 'inline; filename="' . basename($file_path) . '"',
+            'X-Frame-Options' => 'SAMEORIGIN', // Allow same-origin framing
+            'Content-Security-Policy' => "frame-ancestors 'self'", // Allow iframe on same domain
+        ]);
+    }
+}