/**
  * @param string $name
  * @param Request $request
  * @return Response
  */
 public function classicAction($name, Request $request)
 {
     // get.
     $_GET = $request->query->all();
     // post.
     $_POST = $request->request->all();
     $rootDir = $this->get('kernel')->getRealRootDir();
     //$_REQUEST = $request->request->all();
     $mainPath = $rootDir . 'main/';
     $fileToLoad = $mainPath . $name;
     // Setting legacy values inside the container
     /** @var Connection $dbConnection */
     $dbConnection = $this->container->get('database_connection');
     $em = $this->get('kernel')->getContainer()->get('doctrine.orm.entity_manager');
     $database = new \Database($dbConnection, array());
     $database->setConnection($dbConnection);
     $database->setManager($em);
     Container::$container = $this->container;
     Container::$dataDir = $this->container->get('kernel')->getDataDir();
     Container::$courseDir = $this->container->get('kernel')->getDataDir();
     //Container::$configDir = $this->container->get('kernel')->getConfigDir();
     $this->container->get('twig')->addGlobal('api_get_cidreq', api_get_cidreq());
     //$breadcrumb = $this->container->get('chamilo_core.block.breadcrumb');
     if (is_file($fileToLoad) && \Security::check_abs_path($fileToLoad, $mainPath)) {
         // Files inside /main need this variables to be set
         $is_allowed_in_course = api_is_allowed_in_course();
         $is_courseAdmin = api_is_course_admin();
         $is_platformAdmin = api_is_platform_admin();
         $toolNameFromFile = basename(dirname($fileToLoad));
         $charset = 'UTF-8';
         // Default values
         $_course = api_get_course_info();
         $_user = api_get_user_info();
         $debug = $this->container->get('kernel')->getEnvironment() == 'dev' ? true : false;
         // Loading file
         ob_start();
         require_once $fileToLoad;
         $out = ob_get_contents();
         ob_end_clean();
         // No browser cache when executing an exercise.
         if ($name == 'exercice/exercise_submit.php') {
             $responseHeaders = array('cache-control' => 'no-store, no-cache, must-revalidate');
         }
         $js = isset($htmlHeadXtra) ? $htmlHeadXtra : array();
         // $interbreadcrumb is loaded in the require_once file.
         $interbreadcrumb = isset($interbreadcrumb) ? $interbreadcrumb : null;
         $template = Container::$legacyTemplate;
         $defaultLayout = 'layout_one_col.html.twig';
         if (!empty($template)) {
             $defaultLayout = $template;
         }
         return $this->render('ChamiloCoreBundle::' . $defaultLayout, array('legacy_breadcrumb' => $interbreadcrumb, 'content' => $out, 'js' => $js));
     } else {
         // Found does not exist
         throw new NotFoundHttpException();
     }
 }
Beispiel #2
0
    $archive_path = api_get_path(SYS_ARCHIVE_PATH);
}
$archive_file = isset($_GET['archive']) ? $_GET['archive'] : null;
$archive_file = str_replace(array('..', '/', '\\'), '', $archive_file);
list($extension) = getextension($archive_file);
if (empty($extension) || !file_exists($archive_path . $archive_file)) {
    exit;
}
$extension = strtolower($extension);
$content_type = '';
if (in_array($extension, array('xml', 'csv')) && (api_is_platform_admin(true) || api_is_drh())) {
    $content_type = 'application/force-download';
} elseif ($extension == 'zip' && $_cid && (api_is_platform_admin(true) || $is_courseAdmin)) {
    $content_type = 'application/force-download';
}
if (empty($content_type)) {
    api_not_allowed(true);
}
if (Security::check_abs_path($archive_path . $archive_file, $archive_path)) {
    header('Expires: Wed, 01 Jan 1990 00:00:00 GMT');
    header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
    header('Cache-Control: public');
    header('Pragma: no-cache');
    header('Content-Type: ' . $content_type);
    header('Content-Length: ' . filesize($archive_path . $archive_file));
    header('Content-Disposition: attachment; filename=' . $archive_file);
    readfile($archive_path . $archive_file);
    exit;
} else {
    api_not_allowed(true);
}
Beispiel #3
0
                                                    1 => Allow learners to delete their own publications = YES
        
        +------------------+------------------------------+----------------------------+
        |Can download work?|      doc visible for all = 0 |     doc visible for all = 1|
        +------------------+------------------------------+----------------------------+
        |  visibility = 0  | editor only                  | editor only                |
        |                  |                              |                            |
        +------------------+------------------------------+----------------------------+
        |  visibility = 1  | editor                       | editor                     |
        |                  | + owner of the work          | + any student              |
        +------------------+------------------------------+----------------------------+
        (editor = teacher + admin + anybody with right api_is_allowed_to_edit)
        */
        $work_is_visible = $item_info['visibility'] == 1 && $row['accepted'] == 1;
        $doc_visible_for_all = $course_info['show_score'] == 1;
        $is_editor = api_is_allowed_to_edit(true, true, true);
        $student_is_owner_of_work = user_is_author($row['id'], $row['user_id']);
        if ($is_editor || $student_is_owner_of_work || $doc_visible_for_all && $work_is_visible) {
            $title = str_replace(' ', '_', $row['title']);
            event_download($title);
            if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH) . api_get_course_path() . '/')) {
                DocumentManager::file_send_for_download($full_file_name, true, $title);
            }
        } else {
            api_not_allowed();
        }
    }
} else {
    api_not_allowed();
}
exit;
Beispiel #4
0
 /**
  * @param array $courseInfo
  * @param int $sessionId
  *
  * @return bool
  */
 public static function downloadAllDeletedDocument($courseInfo, $sessionId)
 {
     // Zip library for creation of the zip file.
     require api_get_path(LIBRARY_PATH) . 'pclzip/pclzip.lib.php';
     $files = self::getDeletedDocuments($courseInfo, $sessionId);
     if (empty($files)) {
         return false;
     }
     $coursePath = api_get_path(SYS_COURSE_PATH) . $courseInfo['path'] . '/document';
     // Creating a ZIP file.
     $tempZipFile = api_get_path(SYS_ARCHIVE_PATH) . api_get_unique_id() . ".zip";
     $zip = new PclZip($tempZipFile);
     foreach ($files as $file) {
         $zip->add($coursePath . $file['path'], PCLZIP_OPT_REMOVE_PATH, $coursePath);
     }
     if (Security::check_abs_path($tempZipFile, api_get_path(SYS_ARCHIVE_PATH))) {
         DocumentManager::file_send_for_download($tempZipFile, true);
         @unlink($tempZipFile);
         exit;
     }
 }
Beispiel #5
0
                //check if the document is in the database
                if (!DocumentManager::get_document_id($_course, $_REQUEST['file'])) {
                    //file not found!
                    if ($debug > 0) {
                        error_log("404 " . $_REQUEST["file"]);
                    }
                    header("HTTP/1.0 404 Not Found");
                    $error404 = '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">';
                    $error404 .= '<html><head>';
                    $error404 .= '<title>404 Not Found</title>';
                    $error404 .= '</head><body>';
                    $error404 .= '<h1>Not Found</h1>';
                    $error404 .= '<p>The requested URL was not found on this server.</p>';
                    $error404 .= '<hr>';
                    $error404 .= '</body></html>';
                    echo $error404;
                    exit;
                }
                $doc_url = str_replace('../', '', $_REQUEST['file']);
                if ($debug > 0) {
                    error_log($doc_url);
                }
                $full_file_name = $coursePath . $doc_url;
                if (Security::check_abs_path($full_file_name, $coursePath . '/')) {
                    DocumentManager::file_send_for_download($full_file_name, false);
                }
                exit;
            }
        }
    }
}
Beispiel #6
0
if (isset($_SESSION['oLP'])) {
    $obj = $_SESSION['oLP'];
} else {
    api_not_allowed();
}
//If is visible for the current user
if (!learnpath::is_lp_visible_for_student($obj->get_id(), api_get_user_id())) {
    api_not_allowed();
}
$doc_url = isset($_GET['doc_url']) ? $_GET['doc_url'] : null;
// Change the '&' that got rewritten to '///' by mod_rewrite back to '&'
$doc_url = str_replace('///', '&', $doc_url);
// Still a space present? it must be a '+' (that got replaced by mod_rewrite)
$doc_url = str_replace(' ', '+', $doc_url);
$doc_url = str_replace(array('../', '\\..', '\\0', '..\\'), array('', '', '', ''), $doc_url);
//echo $doc_url;
if (strpos($doc_url, '../') or strpos($doc_url, '/..')) {
    $doc_url = '';
}
$sys_course_path = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/scorm';
//var_dump($sys_course_path);
if (is_dir($sys_course_path . $doc_url)) {
    api_not_allowed();
}
if (Security::check_abs_path($sys_course_path . $doc_url, $sys_course_path . '/')) {
    $full_file_name = $sys_course_path . $doc_url;
    // Launch event
    Event::event_download($doc_url);
    DocumentManager::file_send_for_download($full_file_name);
}
exit;
Beispiel #7
0
/**
 * Update settings based on installation profile defined in a JSON file
 * @param string $installationProfile The name of the JSON file in main/install/profiles/ folder
 * @return bool false on failure (no bad consequences anyway, just ignoring profile)
 */
function installProfileSettings($installationProfile = '')
{
    if (empty($installationProfile)) {
        return false;
    }
    $jsonPath = api_get_path(SYS_PATH) . 'main/install/profiles/' . $installationProfile . '.json';
    // Make sure the path to the profile is not hacked
    if (!Security::check_abs_path($jsonPath, api_get_path(SYS_PATH) . 'main/install/profiles/')) {
        return false;
    }
    if (!is_file($jsonPath)) {
        return false;
    }
    if (!is_readable($jsonPath)) {
        return false;
    }
    if (!function_exists('json_decode')) {
        // The php-json extension is not available. Ignore profile.
        return false;
    }
    $json = file_get_contents($jsonPath);
    $params = json_decode($json);
    if ($params === false or $params === null) {
        return false;
    }
    $settings = $params->params;
    if (!empty($params->parent)) {
        $res = installProfileSettings($params->parent);
    }
    foreach ($settings as $id => $param) {
        $sql = "UPDATE settings_current\n                SET selected_value = '" . $param->selected_value . "'\n                WHERE variable = '" . $param->variable . "'";
        if (!empty($param->subkey)) {
            $sql .= " AND subkey='" . $param->subkey . "'";
        }
        Database::query($sql);
    }
    return true;
}
Beispiel #8
0
// the number of /.. into the url
while (substr($cwd, -3, 3) == '/..') {
    // go to parent directory
    $cwd = substr($cwd, 0, -3);
    if (strlen($cwd) == 0) {
        $cwd = '/';
    }
    $nParent++;
}
for (; $nParent > 0; $nParent--) {
    $cwd = strrpos($cwd, '/') > -1 ? substr($cwd, 0, strrpos($cwd, '/')) : $cwd;
}
if (strlen($cwd) == 0) {
    $cwd = '/';
}
if (Security::check_abs_path($cwd, api_get_path(SYS_PATH))) {
    die;
}
if ($action == 'list') {
    /*==== List files ====*/
    if ($debug > 0) {
        error_log("sending file list", 0);
    }
    // get files list
    $files = DocumentManager::get_all_document_data($_course, $cwd, 0, NULL, false);
    // adding download link to files
    foreach ($files as $k => $f) {
        if ($f['filetype'] == 'file') {
            //$files[$k]['download'] = api_get_path(WEB_CODE_PATH)."/document/document.php?cidReq=$cidReq&action=download&id=".urlencode($f['path']);
            $files[$k]['download'] = api_get_path(WEB_COURSE_PATH) . $cidReq . "/document" . $f['path'];
        }
 /**
  * @param Application $app
  * @param string $file
  * @return BinaryFileResponse
  */
 public function getJavascript(Application $app, $file)
 {
     $mainPath = $app['paths']['sys_root'] . 'main/inc/lib/javascript/';
     $fileToLoad = $mainPath . $file;
     if (is_file($fileToLoad) && \Security::check_abs_path($fileToLoad, $mainPath)) {
         return $app->sendFile($fileToLoad);
     }
 }
Beispiel #10
0
/**
 * Delete a work-tool directory
 * @param	string	Base "work" directory for this course as /var/www/chamilo/courses/ABCD/work/
 * @param	string	The directory name as the bit after "work/", without trailing slash
 * @return	integer	-1 on error
 */
function del_dir($id)
{
    global $_course;
    $id = intval($id);
    $work_data = get_work_data_by_id($id);
    if (empty($work_data)) {
        return false;
    }
    $base_work_dir = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/work';
    $work_data_url = $base_work_dir . $work_data['url'];
    $check = Security::check_abs_path($work_data_url . '/', $base_work_dir . '/');
    $table = Database::get_course_table(TABLE_STUDENT_PUBLICATION);
    $course_id = api_get_course_int_id();
    if (!empty($work_data['url'])) {
        //Deleting all contents inside the folder
        //@todo replace to parent_id
        $sql = "UPDATE {$table} SET active = 2 WHERE c_id = {$course_id} AND filetype = 'folder'  AND id =  {$id}";
        $res = Database::query($sql);
        $sql = "UPDATE {$table} SET active = 2 WHERE c_id = {$course_id} AND parent_id =  {$id}";
        $res = Database::query($sql);
        if ($check) {
            require_once api_get_path(LIBRARY_PATH) . 'fileManage.lib.php';
            $new_dir = $work_data_url . '_DELETED_' . $id;
            if (api_get_setting('permanently_remove_deleted_files') == 'true') {
                my_delete($work_data_url);
            } else {
                if (file_exists($work_data_url)) {
                    rename($work_data_url, $new_dir);
                }
            }
        }
    }
}
/**
 * Writes the file contents into the given file path.
 * @param    string    Urlencoded path
 * @param    string    The file contents
 * @return   boolean   True on success, false on security error
 */
function WriteFileCont($full_file_path, $content)
{
    // Check if this is not an attack, trying to get into other directories or something like that.
    global $_course;
    if (Security::check_abs_path(dirname($full_file_path) . '/', api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/')) {
        // Check if this is not an attack, trying to upload a php file or something like that.
        if (basename($full_file_path) != Security::filter_filename(basename($full_file_path))) {
            return false;
        }
        if (!($fp = fopen(urldecode($full_file_path), 'w'))) {
            //die('Could not open Quiz input.');
        }
        fwrite($fp, $content);
        fclose($fp);
        return true;
    }
    return false;
}
Beispiel #12
0
        $doc_url = substr($doc_url, 0, $dul);
    }
    //create the path
    $document_explorer = api_get_path(WEB_COURSE_PATH) . api_get_course_path();
    //redirect
    header('Location: ' . $document_explorer);
}
$tbl_forum_attachment = Database::get_course_table(TABLE_FORUM_ATTACHMENT);
$tbl_forum_post = Database::get_course_table(TABLE_FORUM_POST);
$course_id = api_get_course_int_id();
$courseInfo = api_get_course_info_by_id($course_id);
// launch event
Event::event_download($doc_url);
$sql = 'SELECT thread_id, forum_id,filename
        FROM ' . $tbl_forum_post . '  f
        INNER JOIN ' . $tbl_forum_attachment . ' a
        ON a.post_id=f.post_id
        WHERE
            f.c_id = ' . $course_id . ' AND
            a.c_id = ' . $course_id . ' AND
            path LIKE BINARY "' . $doc_url . '"';
$result = Database::query($sql);
$row = Database::fetch_array($result);
$forum_thread_visibility = api_get_item_visibility($courseInfo, TOOL_FORUM_THREAD, $row['thread_id'], api_get_session_id());
$forum_forum_visibility = api_get_item_visibility($courseInfo, TOOL_FORUM, $row['forum_id'], api_get_session_id());
if ($forum_thread_visibility == 1 && $forum_forum_visibility == 1) {
    if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH) . $courseInfo['path'] . '/upload/forum/')) {
        DocumentManager::file_send_for_download($full_file_name, true, $row['filename']);
    }
}
exit;
$objSkill = new Skill();
$skill = $objSkill->get($skillId);
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $params = array('name' => $_POST['name'], 'description' => $_POST['description'], 'criteria' => $_POST['criteria'], 'id' => $skillId);
    if (isset($_FILES['image']) && $_FILES['image']['error'] == 0) {
        $dirPermissions = api_get_permissions_for_new_directories();
        $fileName = sha1($_POST['name']);
        $badgePath = api_get_path(SYS_UPLOAD_PATH) . 'badges/';
        $existsBadgesDirectory = is_dir($badgePath);
        if (!$existsBadgesDirectory) {
            $existsBadgesDirectory = api_create_protected_dir('badges', api_get_path(SYS_UPLOAD_PATH));
        }
        if ($existsBadgesDirectory) {
            if (!empty($skill['icon'])) {
                $iconFileAbsolutePath = $badgePath . $skill['icon'];
                if (Security::check_abs_path($iconFileAbsolutePath, $badgePath)) {
                    unlink($badgePath . $skill['icon']);
                }
            }
            $skillImagePath = sprintf("%s%s.png", $badgePath, $fileName);
            $skillImage = new Image($_FILES['image']['tmp_name']);
            $skillImage->send_image($skillImagePath, -1, 'png');
            $skillThumbPath = sprintf("%s%s-small.png", $badgePath, $fileName);
            $skillImageThumb = new Image($skillImagePath);
            $skillImageThumb->resize(ICON_SIZE_BIG, ICON_SIZE_BIG);
            $skillImageThumb->send_image($skillThumbPath);
            $params['icon'] = sprintf("%s.png", $fileName);
        } else {
            Session::write('errorMessage', get_lang('UplUnableToSaveFile'));
        }
    }
 *	but this code will hopefully be replaced soon by an Apache URL
 *	rewrite mechanism.
 *
 *	@package chamilo.work
 */
//require_once '../inc/global.inc.php';
require_once 'work.lib.php';
// Course protection
api_protect_course_script(true);
$commentId = isset($_GET['comment_id']) ? intval($_GET['comment_id']) : null;
if (empty($commentId)) {
    api_not_allowed(true);
}
$workData = getWorkComment($commentId);
$courseInfo = api_get_course_info();
if (!empty($workData)) {
    if (empty($workData['file_path']) || isset($workData['file_path']) && !file_exists($workData['file_path'])) {
        api_not_allowed(true);
    }
    $work = get_work_data_by_id($workData['work_id']);
    protectWork($courseInfo, $work['parent_id']);
    if (user_is_author($workData['work_id']) || $courseInfo['show_score'] == 0 && $work['active'] == 1 && $work['accepted'] == 1) {
        if (Security::check_abs_path($workData['file_path'], api_get_path(SYS_COURSE_PATH) . api_get_course_path() . '/')) {
            DocumentManager::file_send_for_download($workData['file_path'], true, $workData['file_name_to_show']);
        }
    } else {
        api_not_allowed(true);
    }
} else {
    api_not_allowed(true);
}
Beispiel #15
0
         // the session* didn't work, try it from the course (out of a
         // session context)
         $document_data = DocumentManager::get_document_data_by_id($document_id, api_get_course_id(), false, 0);
     }
     // Check whether the document is in the database
     if (empty($document_data)) {
         api_not_allowed();
     }
     // Launch event
     Event::event_download($document_data['url']);
     // Check visibility of document and paths
     if (!($is_allowed_to_edit || $group_member_with_upload_rights) && !DocumentManager::is_visible_by_id($document_id, $courseInfo, $sessionId, api_get_user_id())) {
         api_not_allowed(true);
     }
     $full_file_name = $base_work_dir . $document_data['path'];
     if (Security::check_abs_path($full_file_name, $base_work_dir . '/')) {
         DocumentManager::file_send_for_download($full_file_name, true);
     }
     exit;
     break;
 case 'downloadfolder':
     if (api_get_setting('students_download_folders') == 'true' || api_is_allowed_to_edit() || api_is_platform_admin()) {
         // Get the document data from the ID
         $document_data = DocumentManager::get_document_data_by_id($document_id, api_get_course_id(), false, $sessionId);
         if ($sessionId != 0 && !$document_data) {
             // If there is a session defined and asking for the
             // document * from the session* didn't work, try it from the
             // course (out of a session context)
             $document_data = DocumentManager::get_document_data_by_id($document_id, api_get_course_id(), false, 0);
         }
         //filter when I am into shared folder, I can download only my shared folder
 /**
  * @param $name
  * @param Request $request
  * @return Response
  */
 public function classicAction($name, Request $request)
 {
     // get.
     $_GET = $request->query->all();
     // post.
     $_POST = $request->request->all();
     $rootDir = $this->get('kernel')->getRealRootDir();
     //$_REQUEST = $request->request->all();
     $mainPath = $rootDir . 'main/';
     $fileToLoad = $mainPath . $name;
     // Legacy inclusions
     Container::setSession($request->getSession());
     $dbConnection = $this->container->get('database_connection');
     $database = new \Database($dbConnection, array());
     Container::$urlGenerator = $this->container->get('router');
     Container::$security = $this->container->get('security.context');
     Container::$translator = $this->container->get('translator');
     Container::$assets = $this->container->get('templating.helper.assets');
     Container::$rootDir = $this->container->get('kernel')->getRealRootDir();
     Container::$logDir = $this->container->get('kernel')->getLogDir();
     Container::$dataDir = $this->container->get('kernel')->getDataDir();
     Container::$tempDir = $this->container->get('kernel')->getCacheDir();
     Container::$courseDir = $this->container->get('kernel')->getDataDir();
     //Container::$configDir = $this->container->get('kernel')->getConfigDir();
     Container::$htmlEditor = $this->container->get('chamilo_core.html_editor');
     Container::$twig = $this->container->get('twig');
     if (is_file($fileToLoad) && \Security::check_abs_path($fileToLoad, $mainPath)) {
         $toolNameFromFile = basename(dirname($fileToLoad));
         $charset = 'UTF-8';
         // Default values
         $_course = api_get_course_info();
         $_user = api_get_user_info();
         /*
                     $text_dir = api_get_text_direction();
                     $is_platformAdmin = api_is_platform_admin();
                     $_cid = api_get_course_id();*/
         $debug = $this->container->get('kernel')->getEnvironment() == 'dev' ? true : false;
         // Loading file
         ob_start();
         require_once $fileToLoad;
         $out = ob_get_contents();
         ob_end_clean();
         // No browser cache when executing an exercise.
         if ($name == 'exercice/exercise_submit.php') {
             $responseHeaders = array('cache-control' => 'no-store, no-cache, must-revalidate');
         }
         $js = isset($htmlHeadXtra) ? $htmlHeadXtra : array();
         // $interbreadcrumb is loaded in the require_once file.
         $interbreadcrumb = isset($interbreadcrumb) ? $interbreadcrumb : null;
         //$this->getTemplate()->setBreadcrumb($interbreadcrumb);
         //$breadCrumb = $this->getTemplate()->getBreadCrumbLegacyArray();
         //$menu = $this->parseLegacyBreadCrumb($breadCrumb);
         //$this->getTemplate()->assign('new_breadcrumb', $menu);
         //$this->getTemplate()->parseResources();
         /*if (isset($tpl)) {
               $response = $app['twig']->render($app['default_layout']);
           } else {
               $this->getTemplate()->assign('content', $out);
               $response = $app['twig']->render($app['default_layout']);
           }*/
         return $this->render('ChamiloCoreBundle:Legacy:index.html.twig', array('content' => $out, 'js' => $js));
     } else {
         throw new NotFoundHttpException();
     }
 }
/**
 * Delete the all the attachments from the DB and the file according to the post's id or attach id(optional)
 * @param post id
 * @param int $id_attach
 * @param bool $display to show or not result message
 * @return void
 * @author Julio Montoya Dokeos
 * @version october 2014, chamilo 1.9.8
 */
function delete_attachment($post_id, $id_attach = 0, $display = true)
{
    $_course = api_get_course_info();
    $forum_table_attachment = Database::get_course_table(TABLE_FORUM_ATTACHMENT);
    $course_id = api_get_course_int_id();
    $cond = !empty($id_attach) ? " iid = " . (int) $id_attach . "" : " post_id = " . (int) $post_id . "";
    $sql = "SELECT path FROM {$forum_table_attachment} WHERE c_id = {$course_id} AND {$cond}";
    $res = Database::query($sql);
    $row = Database::fetch_array($res);
    $course_dir = $_course['path'] . '/upload/forum';
    $sys_course_path = api_get_path(SYS_COURSE_PATH);
    $updir = $sys_course_path . $course_dir;
    $my_path = isset($row['path']) ? $row['path'] : null;
    $file = $updir . '/' . $my_path;
    if (Security::check_abs_path($file, $updir)) {
        @unlink($file);
    }
    // Delete from forum_attachment table.
    $sql = "DELETE FROM {$forum_table_attachment} WHERE c_id = {$course_id} AND {$cond} ";
    $result = Database::query($sql);
    if ($result !== false) {
        $affectedRows = Database::affected_rows($result);
    } else {
        $affectedRows = 0;
    }
    // Update item_property.
    api_item_property_update($_course, TOOL_FORUM_ATTACH, $id_attach, 'ForumAttachmentDelete', api_get_user_id());
    if (!empty($result) && !empty($id_attach) && $display) {
        $message = get_lang('AttachmentFileDeleteSuccess');
        Display::display_confirmation_message($message);
    }
    return $affectedRows;
}
Beispiel #18
0
}
// allow to the correct user for download this file
$not_allowed_to_edit = false;
$userGroup = new UserGroup();
if (!empty($row_users['group_id'])) {
    $users_group = $userGroup->get_all_users_by_group($row_users['group_id']);
    if (!in_array($current_uid, array_keys($users_group))) {
        $not_allowed_to_edit = true;
    }
} else {
    if ($current_uid != $message_uid) {
        $not_allowed_to_edit = true;
    }
}
if ($not_allowed_to_edit) {
    api_not_allowed();
    exit;
}
// set the path directory file
if (!empty($row_users['group_id'])) {
    $path_user_info = $userGroup->get_group_picture_path_by_id($row_users['group_id'], 'system', true);
} else {
    $path_user_info['dir'] = UserManager::getUserPathById($message_uid, 'system');
}
$full_file_name = $path_user_info['dir'] . 'message_attachments/' . $file_url;
if (Security::check_abs_path($full_file_name, $path_user_info['dir'] . 'message_attachments/')) {
    // launch event
    Event::event_download($file_url);
    DocumentManager::file_send_for_download($full_file_name, TRUE, $title);
}
exit;
Beispiel #19
0
$language_file = array('courses', 'index', 'admin');
$user_id = api_get_user_id();
if (!isset($_GET['file']) || !isset($_GET['title']) || !isset($_GET['ticket_id'])) {
    api_not_allowed();
}
if (!api_is_platform_admin()) {
    $ticket_id = $_GET['ticket_id'];
    $table_support_messages = Database::get_main_table(TABLE_SUPPORT_MESSAGE);
    $table_support_tickets = Database::get_main_table(TABLE_SUPPORT_TICKET);
    $table_support_message_attachments = Database::get_main_table(TABLE_SUPPORT_MESSAGE_ATTACHMENTS);
    $sql = "SELECT DISTINCT  ticket.request_user FROM  {$table_support_tickets} ticket, {$table_support_messages} message,  {$table_support_message_attachments} attch \n\t\t\tWHERE ticket.ticket_id = message.ticket_id  AND attch.message_id = message.message_id  AND ticket.ticket_id = {$ticket_id}";
    $rs = Database::query($sql);
    $row_users = Database::fetch_array($rs, 'ASSOC');
    $user_request_id = $row_users['request_user'];
    if (intval($user_request_id) != $user_id) {
        api_not_allowed();
    }
}
$file_url = $_GET['file'];
$file_url = str_replace('///', '&', $file_url);
$file_url = str_replace(' ', '+', $file_url);
$file_url = str_replace('/..', '', $file_url);
$file_url = Database::escape_string($file_url);
$title = $_GET['title'];
$path_attachment = api_get_path(SYS_PATH);
$path_message_attach = $path_attachment . 'tck_messageattch/';
$full_file_name = $path_message_attach . $file_url;
if (Security::check_abs_path($full_file_name, $path_message_attach)) {
    DocumentManager::file_send_for_download($full_file_name, TRUE, $title);
}
exit;
Beispiel #20
0
//echo $doc_url;
$full_file_name = api_get_path(SYS_COURSE_PATH) . $course_info['path'] . '/upload/calendar/' . $doc_url;
//if the rewrite rule asks for a directory, we redirect to the document explorer
if (is_dir($full_file_name)) {
    //remove last slash if present
    //$doc_url = ($doc_url{strlen($doc_url)-1}=='/')?substr($doc_url,0,strlen($doc_url)-1):$doc_url;
    //mod_rewrite can change /some/path/ to /some/path// in some cases, so clean them all off (René)
    while ($doc_url[$dul = strlen($doc_url) - 1] == '/') {
        $doc_url = substr($doc_url, 0, $dul);
    }
    //create the path
    $document_explorer = api_get_path(WEB_COURSE_PATH) . $course_info['path'];
    // home course path
    //redirect
    header('Location: ' . $document_explorer);
    exit;
}
$tbl_agenda_attachment = Database::get_course_table(TABLE_AGENDA_ATTACHMENT);
// launch event
event_download($doc_url);
$sql = 'SELECT filename FROM ' . $tbl_agenda_attachment . '
  	  WHERE c_id = ' . $course_id . ' AND path LIKE BINARY "' . Database::escape_string($doc_url) . '"';
$result = Database::query($sql);
if (Database::num_rows($result)) {
    $row = Database::fetch_array($result);
    $title = str_replace(' ', '_', $row['filename']);
    if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH) . $course_info['path'] . '/upload/calendar/')) {
        DocumentManager::file_send_for_download($full_file_name, TRUE, $title);
    }
}
api_not_allowed();
Beispiel #21
0
    $allowed_to_download = true;
}
/*		ERROR IF NOT ALLOWED TO DOWNLOAD */
if (!$allowed_to_download) {
    Display::display_header($nameTools, 'Dropbox');
    Display::display_error_message(get_lang('YouAreNotAllowedToDownloadThisFile'));
    Display::display_footer();
    exit;
} else {
    /*      DOWNLOAD THE FILE */
    // the user is allowed to download the file
    $_SESSION['_seen'][$_course['id']][TOOL_DROPBOX][] = intval($_GET['id']);
    $work = new Dropbox_Work($_GET['id']);
    $path = dropbox_cnf('sysPath') . '/' . $work->filename;
    //path to file as stored on server
    if (!Security::check_abs_path($path, dropbox_cnf('sysPath') . '/')) {
        exit;
    }
    $file = $work->title;
    $mimetype = DocumentManager::file_get_mime_type(true);
    $fileinfo = pathinfo($file);
    $extension = $fileinfo['extension'];
    if (!empty($extension) && isset($mimetype[$extension]) && $_GET['action'] != 'download') {
        // give hint to browser about filetype
        header('Content-type: ' . $mimetype[$extension] . "\n");
    } else {
        //no information about filetype: force a download dialog window in browser
        header("Content-type: application/octet-stream\n");
    }
    header('Content-Disposition: attachment; filename=' . $file);
    /**
Beispiel #22
0
/**
 * Downloads all user files per user
 * @param int $userId
 * @param array $courseInfo
 * @return bool
 */
function downloadAllFilesPerUser($userId, $courseInfo)
{
    $userInfo = api_get_user_info($userId);

    if (empty($userInfo) || empty($courseInfo)) {
        return false;
    }

    require_once api_get_path(LIBRARY_PATH).'pclzip/pclzip.lib.php';
    $tempZipFile = api_get_path(SYS_ARCHIVE_PATH).api_get_unique_id().".zip";
    $coursePath = api_get_path(SYS_COURSE_PATH).$courseInfo['path'].'/work/';

    $zip  = new PclZip($tempZipFile);

    $workPerUser = getWorkPerUser($userId);

    if (!empty($workPerUser)) {
        $files = array();
        foreach ($workPerUser as $work) {
            $work = $work['work'];
            foreach ($work->user_results as $userResult) {
                if (empty($userResult['url']) || empty($userResult['contains_file'])) {
                    continue;
                }
                $data = getFileContents($userResult['id'], $courseInfo);
                if (!empty($data) && isset($data['path'])) {
                    $files[basename($data['path'])] = array(
                        'title' => $data['title'],
                        'path' => $data['path']
                    );
                }
            }
        }

        if (!empty($files)) {
            Session::write('files', $files);
            foreach ($files as $data) {
                $zip->add(
                    $data['path'],
                    PCLZIP_OPT_REMOVE_PATH,
                    $coursePath,
                    PCLZIP_CB_PRE_ADD,
                    'preAddAllWorkStudentCallback'
                );
            }
        }

        // Start download of created file
        $name = basename(replace_dangerous_char($userInfo['complete_name'])).'.zip';
        event_download($name.'.zip (folder)');
        if (Security::check_abs_path($tempZipFile, api_get_path(SYS_ARCHIVE_PATH))) {
            DocumentManager::file_send_for_download($tempZipFile, true, $name);
            @unlink($tempZipFile);
            exit;
        }
    }
    exit;
}
Beispiel #23
0
/**
 * Delete the all the attachments according the parameters.
 * @param the blog's id
 * @param the post's id
 * @param the comment's id
 * @author Julio Montoya Dokeos
 * @version avril 2008, dokeos 1.8.5
 */
function delete_all_blog_attachment($blog_id, $post_id = null, $comment_id = null)
{
    $_course = api_get_course_info();
    $blog_table_attachment = Database::get_course_table(TABLE_BLOGS_ATTACHMENT);
    $blog_id = intval($blog_id);
    $comment_id = intval($comment_id);
    $post_id = intval($post_id);
    $course_id = api_get_course_int_id();
    $where = null;
    // delete files in DB
    if (!empty($post_id) && is_numeric($post_id)) {
        $where .= ' AND post_id ="' . $post_id . '" ';
    }
    if (!empty($comment_id) && is_numeric($comment_id)) {
        if (!empty($post_id)) {
            $where .= ' AND ';
        }
        $where .= ' comment_id ="' . $comment_id . '" ';
    }
    // delete all files in directory
    $courseDir = $_course['path'] . '/upload/blog';
    $sys_course_path = api_get_path(SYS_COURSE_PATH);
    $updir = $sys_course_path . $courseDir;
    $sql = 'SELECT path FROM ' . $blog_table_attachment . '
	        WHERE c_id = ' . $course_id . ' AND blog_id ="' . intval($blog_id) . '"  ' . $where;
    $result = Database::query($sql);
    while ($row = Database::fetch_row($result)) {
        $file = $updir . '/' . $row[0];
        if (Security::check_abs_path($file, $updir)) {
            @unlink($file);
        }
    }
    $sql = 'DELETE FROM ' . $blog_table_attachment . ' WHERE c_id = ' . $course_id . ' AND  blog_id ="' . intval($blog_id) . '"  ' . $where;
    Database::query($sql);
}
Beispiel #24
0
}
$full_file_name = api_get_path(SYS_COURSE_PATH) . api_get_course_path() . '/upload/announcements/' . $doc_url;
//if the rewrite rule asks for a directory, we redirect to the document explorer
if (is_dir($full_file_name)) {
    //remove last slash if present
    //$doc_url = ($doc_url{strlen($doc_url)-1}=='/')?substr($doc_url,0,strlen($doc_url)-1):$doc_url;
    //mod_rewrite can change /some/path/ to /some/path// in some cases, so clean them all off (René)
    while ($doc_url[$dul = strlen($doc_url) - 1] == '/') {
        $doc_url = substr($doc_url, 0, $dul);
    }
    //create the path
    $document_explorer = api_get_path(WEB_COURSE_PATH) . api_get_course_path();
    // home course path
    //redirect
    header('Location: ' . $document_explorer);
}
$tbl_announcement_attachment = Database::get_course_table(TABLE_ANNOUNCEMENT_ATTACHMENT);
// launch event
Event::event_download($doc_url);
$course_id = api_get_course_int_id();
$doc_url = Database::escape_string($doc_url);
$sql = "SELECT filename FROM {$tbl_announcement_attachment}\n  \t  \tWHERE c_id = {$course_id} AND path LIKE BINARY '{$doc_url}'";
$result = Database::query($sql);
if (Database::num_rows($result) > 0) {
    $row = Database::fetch_array($result);
    $title = str_replace(' ', '_', $row['filename']);
    if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH) . api_get_course_path() . '/upload/announcements/')) {
        DocumentManager::file_send_for_download($full_file_name, true, $title);
    }
}
exit;
Beispiel #25
0
        if (api_is_multiple_url_enabled()) {
            $accessUrlId = api_get_current_access_url_id();
            if ($accessUrlId == -1) {
                die;
            }
            $urlInfo = api_get_access_url($accessUrlId);
            $url = api_remove_trailing_slash(preg_replace('/https?:\\/\\//i', '', $urlInfo['url']));
            $cleanUrl = str_replace('/', '-', $url);
            $newUrlDir = api_get_path(SYS_APP_PATH) . "home/{$cleanUrl}/admin/";
        } else {
            $newUrlDir = api_get_path(SYS_APP_PATH) . "home/admin/";
        }
        if (!file_exists($newUrlDir)) {
            die;
        }
        if (!Security::check_abs_path("{$newUrlDir}{$blockName}_extra.html", $newUrlDir)) {
            die;
        }
        if (!file_exists("{$newUrlDir}{$blockName}_extra.html")) {
            die;
        }
        echo file_get_contents("{$newUrlDir}{$blockName}_extra.html");
        break;
}
/**
 * Displays either the text for the registration or the message that the installation is (not) up to date
 *
 * @return string html code
 * @author Patrick Cool <*****@*****.**>, Ghent University
 * @version august 2006
 * @todo have a 6 monthly re-registration
Beispiel #26
0
 /**
  * @param int $id
  */
 public static function deleteIcon($id)
 {
     $table = Database::get_course_table(TABLE_TOOL_LIST);
     $tool = self::getTool($id);
     if ($tool && !empty($tool['custom_icon'])) {
         $file = self::getCustomSysIconPath() . $tool['custom_icon'];
         $fileInfo = pathinfo($file);
         $fileGray = $fileInfo['filename'] . '_na.' . $fileInfo['extension'];
         $fileGray = self::getCustomSysIconPath() . $fileGray;
         if (file_exists($file) && is_file($file)) {
             if (Security::check_abs_path($file, self::getCustomSysIconPath())) {
                 unlink($file);
             }
         }
         if (file_exists($fileGray) && is_file($fileGray)) {
             if (Security::check_abs_path($fileGray, self::getCustomSysIconPath())) {
                 unlink($fileGray);
             }
         }
         $params = ['custom_icon' => ''];
         Database::update($table, $params, [' iid = ?' => [$id]]);
     }
 }
    //Convert texts in html files
    if ($not_deleted_file['contains_file'] == 0) {
        $filename = trim($filename) . ".html";
        $work_temp = api_get_path(SYS_ARCHIVE_PATH) . api_get_unique_id() . '_' . $filename;
        file_put_contents($work_temp, $not_deleted_file['description']);
        $files[basename($work_temp)] = $filename;
        $zip_folder->add($work_temp, PCLZIP_OPT_REMOVE_PATH, api_get_path(SYS_ARCHIVE_PATH), PCLZIP_CB_PRE_ADD, 'my_pre_add_callback');
        @unlink($work_temp);
    }
}
if (!empty($files)) {
    //logging
    event_download(basename($work_data['title']) . '.zip (folder)');
    //start download of created file
    $name = basename($work_data['title']) . '.zip';
    if (Security::check_abs_path($temp_zip_file, api_get_path(SYS_ARCHIVE_PATH))) {
        DocumentManager::file_send_for_download($temp_zip_file, true, $name);
        @unlink($temp_zip_file);
        exit;
    }
} else {
    exit;
}
/*	Extra function (only used here) */
function my_pre_add_callback($p_event, &$p_header)
{
    global $files;
    if (isset($files[basename($p_header['stored_filename'])])) {
        $p_header['stored_filename'] = $files[basename($p_header['stored_filename'])];
        return 1;
    }
/**
 * check if such document is allowed to shown on the list
 *
 * @param string $path the path to the document
 * @return boolean
 */
function isListingDocument($path)
{
    global $PathChamiloAjaxFileManager;
    $file = basename($path);
    $filePath = realpath($path);
    $allowedPath = realpath($PathChamiloAjaxFileManager);
    $check = Security::check_abs_path($filePath, $allowedPath);
    if ($check == false) {
        return false;
    }
    if (CONFIG_SYS_PATTERN_FORMAT == 'list') {
        // comma delimited vague file/folder name
        if (is_dir($path)) {
            $includeDir = trimlrm(CONFIG_SYS_INC_DIR_PATTERN);
            $excludeDir = trimlrm(CONFIG_SYS_EXC_DIR_PATTERN);
            $found_includeDir = strpos($includeDir, $file);
            $found_excludeDir = strpos($excludeDir, $file);
            if ((!CONFIG_SYS_INC_DIR_PATTERN || !($found_includeDir === FALSE)) && (!CONFIG_SYS_EXC_DIR_PATTERN || $found_excludeDir === FALSE)) {
                return true;
            } else {
                return false;
            }
        } elseif (is_file($path)) {
            $includeFile = trimlrm(CONFIG_SYS_INC_FILE_PATTERN);
            $excludeFile = trimlrm(CONFIG_SYS_EXC_FILE_PATTERN);
            $found_includeFile = strpos($includeFile, $file);
            $found_excludeFile = strpos($excludeFile, $file);
            if ((!CONFIG_SYS_INC_FILE_PATTERN || !($found_includeFile === FALSE)) && (!CONFIG_SYS_EXC_FILE_PATTERN || $found_excludeFile === FALSE)) {
                return true;
            } else {
                return false;
            }
        }
    } elseif (CONFIG_SYS_PATTERN_FORMAT == 'csv') {
        //comma delimited file/folder name
        if (is_dir($path)) {
            $includeDir = trimlrm(CONFIG_SYS_INC_DIR_PATTERN);
            $excludeDir = trimlrm(CONFIG_SYS_EXC_DIR_PATTERN);
            if (!empty($includeDir) && !empty($excludeDir)) {
                $validDir = explode(',', $includeDir);
                $invalidDir = explode(",", $excludeDir);
                if (array_search(basename($path), $validDir) !== false && array_search(basename($path), $invalidDir) === false) {
                    return true;
                } else {
                    return false;
                }
            } elseif (!empty($includeDir)) {
                $validDir = explode(',', $includeDir);
                if (array_search(basename($path), $validDir) !== false) {
                    return true;
                } else {
                    return false;
                }
            } elseif (!empty($excludeFile)) {
                $invalidDir = explode(",", $excludeDir);
                if (array_search(basename($path), $invalidDir) === false) {
                    return true;
                } else {
                    return false;
                }
            }
            return true;
        } elseif (is_file($path)) {
            $includeFile = trimlrm(CONFIG_SYS_INC_FILE_PATTERN);
            $excludeFile = trimlrm(CONFIG_SYS_EXC_FILE_PATTERN);
            if (!empty($includeFile) && !empty($excludeFile)) {
                $validFile = explode(',', $includeFile);
                $invalidFile = explode(',', $excludeFile);
                if (array_search(basename($path), $validFile) !== false && array_search(basename($path), $invalidFile) === false) {
                    return true;
                } else {
                    return false;
                }
            } elseif (!empty($includeFile)) {
                $validFile = explode(',', $includeFile);
                if (array_search(basename($path), $validFile) !== false) {
                    return true;
                } else {
                    return false;
                }
            } elseif (!empty($excludeFile)) {
                $invalidFile = explode(',', $excludeFile);
                if (array_search(basename($path), $invalidFile) === false) {
                    return true;
                } else {
                    return false;
                }
            }
            return true;
        }
    } else {
        //regular expression
        if (is_dir($path)) {
            if (isValidPattern(CONFIG_SYS_INC_DIR_PATTERN, $path) && !isInvalidPattern(CONFIG_SYS_EXC_DIR_PATTERN, $path)) {
                return true;
            } else {
                return false;
            }
        } elseif (is_file($path)) {
            if (isValidPattern(CONFIG_SYS_INC_FILE_PATTERN, $path) && !isInvalidPattern(CONFIG_SYS_EXC_FILE_PATTERN, $path)) {
                return true;
            } else {
                return false;
            }
        }
    }
    return false;
}