/**
* @param string $name
* @param Request $request
* @return Response
*/
public function classicAction($name, Request $request)
{
// get.
$_GET = $request->query->all();
// post.
$_POST = $request->request->all();
$rootDir = $this->get('kernel')->getRealRootDir();
//$_REQUEST = $request->request->all();
$mainPath = $rootDir . 'main/';
$fileToLoad = $mainPath . $name;
// Setting legacy values inside the container
/** @var Connection $dbConnection */
$dbConnection = $this->container->get('database_connection');
$em = $this->get('kernel')->getContainer()->get('doctrine.orm.entity_manager');
$database = new \Database($dbConnection, array());
$database->setConnection($dbConnection);
$database->setManager($em);
Container::$container = $this->container;
Container::$dataDir = $this->container->get('kernel')->getDataDir();
Container::$courseDir = $this->container->get('kernel')->getDataDir();
//Container::$configDir = $this->container->get('kernel')->getConfigDir();
$this->container->get('twig')->addGlobal('api_get_cidreq', api_get_cidreq());
//$breadcrumb = $this->container->get('chamilo_core.block.breadcrumb');
if (is_file($fileToLoad) && \Security::check_abs_path($fileToLoad, $mainPath)) {
// Files inside /main need this variables to be set
$is_allowed_in_course = api_is_allowed_in_course();
$is_courseAdmin = api_is_course_admin();
$is_platformAdmin = api_is_platform_admin();
$toolNameFromFile = basename(dirname($fileToLoad));
$charset = 'UTF-8';
// Default values
$_course = api_get_course_info();
$_user = api_get_user_info();
$debug = $this->container->get('kernel')->getEnvironment() == 'dev' ? true : false;
// Loading file
ob_start();
require_once $fileToLoad;
$out = ob_get_contents();
ob_end_clean();
// No browser cache when executing an exercise.
if ($name == 'exercice/exercise_submit.php') {
$responseHeaders = array('cache-control' => 'no-store, no-cache, must-revalidate');
}
$js = isset($htmlHeadXtra) ? $htmlHeadXtra : array();
// $interbreadcrumb is loaded in the require_once file.
$interbreadcrumb = isset($interbreadcrumb) ? $interbreadcrumb : null;
$template = Container::$legacyTemplate;
$defaultLayout = 'layout_one_col.html.twig';
if (!empty($template)) {
$defaultLayout = $template;
}
return $this->render('ChamiloCoreBundle::' . $defaultLayout, array('legacy_breadcrumb' => $interbreadcrumb, 'content' => $out, 'js' => $js));
} else {
// Found does not exist
throw new NotFoundHttpException();
}
}
$archive_path = api_get_path(SYS_ARCHIVE_PATH);
}
$archive_file = isset($_GET['archive']) ? $_GET['archive'] : null;
$archive_file = str_replace(array('..', '/', '\\'), '', $archive_file);
list($extension) = getextension($archive_file);
if (empty($extension) || !file_exists($archive_path . $archive_file)) {
exit;
}
$extension = strtolower($extension);
$content_type = '';
if (in_array($extension, array('xml', 'csv')) && (api_is_platform_admin(true) || api_is_drh())) {
$content_type = 'application/force-download';
} elseif ($extension == 'zip' && $_cid && (api_is_platform_admin(true) || $is_courseAdmin)) {
$content_type = 'application/force-download';
}
if (empty($content_type)) {
api_not_allowed(true);
}
if (Security::check_abs_path($archive_path . $archive_file, $archive_path)) {
header('Expires: Wed, 01 Jan 1990 00:00:00 GMT');
header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
header('Cache-Control: public');
header('Pragma: no-cache');
header('Content-Type: ' . $content_type);
header('Content-Length: ' . filesize($archive_path . $archive_file));
header('Content-Disposition: attachment; filename=' . $archive_file);
readfile($archive_path . $archive_file);
exit;
} else {
api_not_allowed(true);
}
1 => Allow learners to delete their own publications = YES
+------------------+------------------------------+----------------------------+
|Can download work?| doc visible for all = 0 | doc visible for all = 1|
+------------------+------------------------------+----------------------------+
| visibility = 0 | editor only | editor only |
| | | |
+------------------+------------------------------+----------------------------+
| visibility = 1 | editor | editor |
| | + owner of the work | + any student |
+------------------+------------------------------+----------------------------+
(editor = teacher + admin + anybody with right api_is_allowed_to_edit)
*/
$work_is_visible = $item_info['visibility'] == 1 && $row['accepted'] == 1;
$doc_visible_for_all = $course_info['show_score'] == 1;
$is_editor = api_is_allowed_to_edit(true, true, true);
$student_is_owner_of_work = user_is_author($row['id'], $row['user_id']);
if ($is_editor || $student_is_owner_of_work || $doc_visible_for_all && $work_is_visible) {
$title = str_replace(' ', '_', $row['title']);
event_download($title);
if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH) . api_get_course_path() . '/')) {
DocumentManager::file_send_for_download($full_file_name, true, $title);
}
} else {
api_not_allowed();
}
}
} else {
api_not_allowed();
}
exit;
/**
* @param array $courseInfo
* @param int $sessionId
*
* @return bool
*/
public static function downloadAllDeletedDocument($courseInfo, $sessionId)
{
// Zip library for creation of the zip file.
require api_get_path(LIBRARY_PATH) . 'pclzip/pclzip.lib.php';
$files = self::getDeletedDocuments($courseInfo, $sessionId);
if (empty($files)) {
return false;
}
$coursePath = api_get_path(SYS_COURSE_PATH) . $courseInfo['path'] . '/document';
// Creating a ZIP file.
$tempZipFile = api_get_path(SYS_ARCHIVE_PATH) . api_get_unique_id() . ".zip";
$zip = new PclZip($tempZipFile);
foreach ($files as $file) {
$zip->add($coursePath . $file['path'], PCLZIP_OPT_REMOVE_PATH, $coursePath);
}
if (Security::check_abs_path($tempZipFile, api_get_path(SYS_ARCHIVE_PATH))) {
DocumentManager::file_send_for_download($tempZipFile, true);
@unlink($tempZipFile);
exit;
}
}
//check if the document is in the database
if (!DocumentManager::get_document_id($_course, $_REQUEST['file'])) {
//file not found!
if ($debug > 0) {
error_log("404 " . $_REQUEST["file"]);
}
header("HTTP/1.0 404 Not Found");
$error404 = '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">';
$error404 .= '<html><head>';
$error404 .= '<title>404 Not Found</title>';
$error404 .= '</head><body>';
$error404 .= '<h1>Not Found</h1>';
$error404 .= '<p>The requested URL was not found on this server.</p>';
$error404 .= '<hr>';
$error404 .= '</body></html>';
echo $error404;
exit;
}
$doc_url = str_replace('../', '', $_REQUEST['file']);
if ($debug > 0) {
error_log($doc_url);
}
$full_file_name = $coursePath . $doc_url;
if (Security::check_abs_path($full_file_name, $coursePath . '/')) {
DocumentManager::file_send_for_download($full_file_name, false);
}
exit;
}
}
}
}
if (isset($_SESSION['oLP'])) {
$obj = $_SESSION['oLP'];
} else {
api_not_allowed();
}
//If is visible for the current user
if (!learnpath::is_lp_visible_for_student($obj->get_id(), api_get_user_id())) {
api_not_allowed();
}
$doc_url = isset($_GET['doc_url']) ? $_GET['doc_url'] : null;
// Change the '&' that got rewritten to '///' by mod_rewrite back to '&'
$doc_url = str_replace('///', '&', $doc_url);
// Still a space present? it must be a '+' (that got replaced by mod_rewrite)
$doc_url = str_replace(' ', '+', $doc_url);
$doc_url = str_replace(array('../', '\\..', '\\0', '..\\'), array('', '', '', ''), $doc_url);
//echo $doc_url;
if (strpos($doc_url, '../') or strpos($doc_url, '/..')) {
$doc_url = '';
}
$sys_course_path = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/scorm';
//var_dump($sys_course_path);
if (is_dir($sys_course_path . $doc_url)) {
api_not_allowed();
}
if (Security::check_abs_path($sys_course_path . $doc_url, $sys_course_path . '/')) {
$full_file_name = $sys_course_path . $doc_url;
// Launch event
Event::event_download($doc_url);
DocumentManager::file_send_for_download($full_file_name);
}
exit;
/**
* Update settings based on installation profile defined in a JSON file
* @param string $installationProfile The name of the JSON file in main/install/profiles/ folder
* @return bool false on failure (no bad consequences anyway, just ignoring profile)
*/
function installProfileSettings($installationProfile = '')
{
if (empty($installationProfile)) {
return false;
}
$jsonPath = api_get_path(SYS_PATH) . 'main/install/profiles/' . $installationProfile . '.json';
// Make sure the path to the profile is not hacked
if (!Security::check_abs_path($jsonPath, api_get_path(SYS_PATH) . 'main/install/profiles/')) {
return false;
}
if (!is_file($jsonPath)) {
return false;
}
if (!is_readable($jsonPath)) {
return false;
}
if (!function_exists('json_decode')) {
// The php-json extension is not available. Ignore profile.
return false;
}
$json = file_get_contents($jsonPath);
$params = json_decode($json);
if ($params === false or $params === null) {
return false;
}
$settings = $params->params;
if (!empty($params->parent)) {
$res = installProfileSettings($params->parent);
}
foreach ($settings as $id => $param) {
$sql = "UPDATE settings_current\n SET selected_value = '" . $param->selected_value . "'\n WHERE variable = '" . $param->variable . "'";
if (!empty($param->subkey)) {
$sql .= " AND subkey='" . $param->subkey . "'";
}
Database::query($sql);
}
return true;
}
// the number of /.. into the url
while (substr($cwd, -3, 3) == '/..') {
// go to parent directory
$cwd = substr($cwd, 0, -3);
if (strlen($cwd) == 0) {
$cwd = '/';
}
$nParent++;
}
for (; $nParent > 0; $nParent--) {
$cwd = strrpos($cwd, '/') > -1 ? substr($cwd, 0, strrpos($cwd, '/')) : $cwd;
}
if (strlen($cwd) == 0) {
$cwd = '/';
}
if (Security::check_abs_path($cwd, api_get_path(SYS_PATH))) {
die;
}
if ($action == 'list') {
/*==== List files ====*/
if ($debug > 0) {
error_log("sending file list", 0);
}
// get files list
$files = DocumentManager::get_all_document_data($_course, $cwd, 0, NULL, false);
// adding download link to files
foreach ($files as $k => $f) {
if ($f['filetype'] == 'file') {
//$files[$k]['download'] = api_get_path(WEB_CODE_PATH)."/document/document.php?cidReq=$cidReq&action=download&id=".urlencode($f['path']);
$files[$k]['download'] = api_get_path(WEB_COURSE_PATH) . $cidReq . "/document" . $f['path'];
}
/**
* @param Application $app
* @param string $file
* @return BinaryFileResponse
*/
public function getJavascript(Application $app, $file)
{
$mainPath = $app['paths']['sys_root'] . 'main/inc/lib/javascript/';
$fileToLoad = $mainPath . $file;
if (is_file($fileToLoad) && \Security::check_abs_path($fileToLoad, $mainPath)) {
return $app->sendFile($fileToLoad);
}
}
/**
* Delete a work-tool directory
* @param string Base "work" directory for this course as /var/www/chamilo/courses/ABCD/work/
* @param string The directory name as the bit after "work/", without trailing slash
* @return integer -1 on error
*/
function del_dir($id)
{
global $_course;
$id = intval($id);
$work_data = get_work_data_by_id($id);
if (empty($work_data)) {
return false;
}
$base_work_dir = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/work';
$work_data_url = $base_work_dir . $work_data['url'];
$check = Security::check_abs_path($work_data_url . '/', $base_work_dir . '/');
$table = Database::get_course_table(TABLE_STUDENT_PUBLICATION);
$course_id = api_get_course_int_id();
if (!empty($work_data['url'])) {
//Deleting all contents inside the folder
//@todo replace to parent_id
$sql = "UPDATE {$table} SET active = 2 WHERE c_id = {$course_id} AND filetype = 'folder' AND id = {$id}";
$res = Database::query($sql);
$sql = "UPDATE {$table} SET active = 2 WHERE c_id = {$course_id} AND parent_id = {$id}";
$res = Database::query($sql);
if ($check) {
require_once api_get_path(LIBRARY_PATH) . 'fileManage.lib.php';
$new_dir = $work_data_url . '_DELETED_' . $id;
if (api_get_setting('permanently_remove_deleted_files') == 'true') {
my_delete($work_data_url);
} else {
if (file_exists($work_data_url)) {
rename($work_data_url, $new_dir);
}
}
}
}
}
/**
* Writes the file contents into the given file path.
* @param string Urlencoded path
* @param string The file contents
* @return boolean True on success, false on security error
*/
function WriteFileCont($full_file_path, $content)
{
// Check if this is not an attack, trying to get into other directories or something like that.
global $_course;
if (Security::check_abs_path(dirname($full_file_path) . '/', api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/')) {
// Check if this is not an attack, trying to upload a php file or something like that.
if (basename($full_file_path) != Security::filter_filename(basename($full_file_path))) {
return false;
}
if (!($fp = fopen(urldecode($full_file_path), 'w'))) {
//die('Could not open Quiz input.');
}
fwrite($fp, $content);
fclose($fp);
return true;
}
return false;
}
$doc_url = substr($doc_url, 0, $dul);
}
//create the path
$document_explorer = api_get_path(WEB_COURSE_PATH) . api_get_course_path();
//redirect
header('Location: ' . $document_explorer);
}
$tbl_forum_attachment = Database::get_course_table(TABLE_FORUM_ATTACHMENT);
$tbl_forum_post = Database::get_course_table(TABLE_FORUM_POST);
$course_id = api_get_course_int_id();
$courseInfo = api_get_course_info_by_id($course_id);
// launch event
Event::event_download($doc_url);
$sql = 'SELECT thread_id, forum_id,filename
FROM ' . $tbl_forum_post . ' f
INNER JOIN ' . $tbl_forum_attachment . ' a
ON a.post_id=f.post_id
WHERE
f.c_id = ' . $course_id . ' AND
a.c_id = ' . $course_id . ' AND
path LIKE BINARY "' . $doc_url . '"';
$result = Database::query($sql);
$row = Database::fetch_array($result);
$forum_thread_visibility = api_get_item_visibility($courseInfo, TOOL_FORUM_THREAD, $row['thread_id'], api_get_session_id());
$forum_forum_visibility = api_get_item_visibility($courseInfo, TOOL_FORUM, $row['forum_id'], api_get_session_id());
if ($forum_thread_visibility == 1 && $forum_forum_visibility == 1) {
if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH) . $courseInfo['path'] . '/upload/forum/')) {
DocumentManager::file_send_for_download($full_file_name, true, $row['filename']);
}
}
exit;
$objSkill = new Skill();
$skill = $objSkill->get($skillId);
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$params = array('name' => $_POST['name'], 'description' => $_POST['description'], 'criteria' => $_POST['criteria'], 'id' => $skillId);
if (isset($_FILES['image']) && $_FILES['image']['error'] == 0) {
$dirPermissions = api_get_permissions_for_new_directories();
$fileName = sha1($_POST['name']);
$badgePath = api_get_path(SYS_UPLOAD_PATH) . 'badges/';
$existsBadgesDirectory = is_dir($badgePath);
if (!$existsBadgesDirectory) {
$existsBadgesDirectory = api_create_protected_dir('badges', api_get_path(SYS_UPLOAD_PATH));
}
if ($existsBadgesDirectory) {
if (!empty($skill['icon'])) {
$iconFileAbsolutePath = $badgePath . $skill['icon'];
if (Security::check_abs_path($iconFileAbsolutePath, $badgePath)) {
unlink($badgePath . $skill['icon']);
}
}
$skillImagePath = sprintf("%s%s.png", $badgePath, $fileName);
$skillImage = new Image($_FILES['image']['tmp_name']);
$skillImage->send_image($skillImagePath, -1, 'png');
$skillThumbPath = sprintf("%s%s-small.png", $badgePath, $fileName);
$skillImageThumb = new Image($skillImagePath);
$skillImageThumb->resize(ICON_SIZE_BIG, ICON_SIZE_BIG);
$skillImageThumb->send_image($skillThumbPath);
$params['icon'] = sprintf("%s.png", $fileName);
} else {
Session::write('errorMessage', get_lang('UplUnableToSaveFile'));
}
}
* but this code will hopefully be replaced soon by an Apache URL
* rewrite mechanism.
*
* @package chamilo.work
*/
//require_once '../inc/global.inc.php';
require_once 'work.lib.php';
// Course protection
api_protect_course_script(true);
$commentId = isset($_GET['comment_id']) ? intval($_GET['comment_id']) : null;
if (empty($commentId)) {
api_not_allowed(true);
}
$workData = getWorkComment($commentId);
$courseInfo = api_get_course_info();
if (!empty($workData)) {
if (empty($workData['file_path']) || isset($workData['file_path']) && !file_exists($workData['file_path'])) {
api_not_allowed(true);
}
$work = get_work_data_by_id($workData['work_id']);
protectWork($courseInfo, $work['parent_id']);
if (user_is_author($workData['work_id']) || $courseInfo['show_score'] == 0 && $work['active'] == 1 && $work['accepted'] == 1) {
if (Security::check_abs_path($workData['file_path'], api_get_path(SYS_COURSE_PATH) . api_get_course_path() . '/')) {
DocumentManager::file_send_for_download($workData['file_path'], true, $workData['file_name_to_show']);
}
} else {
api_not_allowed(true);
}
} else {
api_not_allowed(true);
}
// the session* didn't work, try it from the course (out of a
// session context)
$document_data = DocumentManager::get_document_data_by_id($document_id, api_get_course_id(), false, 0);
}
// Check whether the document is in the database
if (empty($document_data)) {
api_not_allowed();
}
// Launch event
Event::event_download($document_data['url']);
// Check visibility of document and paths
if (!($is_allowed_to_edit || $group_member_with_upload_rights) && !DocumentManager::is_visible_by_id($document_id, $courseInfo, $sessionId, api_get_user_id())) {
api_not_allowed(true);
}
$full_file_name = $base_work_dir . $document_data['path'];
if (Security::check_abs_path($full_file_name, $base_work_dir . '/')) {
DocumentManager::file_send_for_download($full_file_name, true);
}
exit;
break;
case 'downloadfolder':
if (api_get_setting('students_download_folders') == 'true' || api_is_allowed_to_edit() || api_is_platform_admin()) {
// Get the document data from the ID
$document_data = DocumentManager::get_document_data_by_id($document_id, api_get_course_id(), false, $sessionId);
if ($sessionId != 0 && !$document_data) {
// If there is a session defined and asking for the
// document * from the session* didn't work, try it from the
// course (out of a session context)
$document_data = DocumentManager::get_document_data_by_id($document_id, api_get_course_id(), false, 0);
}
//filter when I am into shared folder, I can download only my shared folder
/**
* @param $name
* @param Request $request
* @return Response
*/
public function classicAction($name, Request $request)
{
// get.
$_GET = $request->query->all();
// post.
$_POST = $request->request->all();
$rootDir = $this->get('kernel')->getRealRootDir();
//$_REQUEST = $request->request->all();
$mainPath = $rootDir . 'main/';
$fileToLoad = $mainPath . $name;
// Legacy inclusions
Container::setSession($request->getSession());
$dbConnection = $this->container->get('database_connection');
$database = new \Database($dbConnection, array());
Container::$urlGenerator = $this->container->get('router');
Container::$security = $this->container->get('security.context');
Container::$translator = $this->container->get('translator');
Container::$assets = $this->container->get('templating.helper.assets');
Container::$rootDir = $this->container->get('kernel')->getRealRootDir();
Container::$logDir = $this->container->get('kernel')->getLogDir();
Container::$dataDir = $this->container->get('kernel')->getDataDir();
Container::$tempDir = $this->container->get('kernel')->getCacheDir();
Container::$courseDir = $this->container->get('kernel')->getDataDir();
//Container::$configDir = $this->container->get('kernel')->getConfigDir();
Container::$htmlEditor = $this->container->get('chamilo_core.html_editor');
Container::$twig = $this->container->get('twig');
if (is_file($fileToLoad) && \Security::check_abs_path($fileToLoad, $mainPath)) {
$toolNameFromFile = basename(dirname($fileToLoad));
$charset = 'UTF-8';
// Default values
$_course = api_get_course_info();
$_user = api_get_user_info();
/*
$text_dir = api_get_text_direction();
$is_platformAdmin = api_is_platform_admin();
$_cid = api_get_course_id();*/
$debug = $this->container->get('kernel')->getEnvironment() == 'dev' ? true : false;
// Loading file
ob_start();
require_once $fileToLoad;
$out = ob_get_contents();
ob_end_clean();
// No browser cache when executing an exercise.
if ($name == 'exercice/exercise_submit.php') {
$responseHeaders = array('cache-control' => 'no-store, no-cache, must-revalidate');
}
$js = isset($htmlHeadXtra) ? $htmlHeadXtra : array();
// $interbreadcrumb is loaded in the require_once file.
$interbreadcrumb = isset($interbreadcrumb) ? $interbreadcrumb : null;
//$this->getTemplate()->setBreadcrumb($interbreadcrumb);
//$breadCrumb = $this->getTemplate()->getBreadCrumbLegacyArray();
//$menu = $this->parseLegacyBreadCrumb($breadCrumb);
//$this->getTemplate()->assign('new_breadcrumb', $menu);
//$this->getTemplate()->parseResources();
/*if (isset($tpl)) {
$response = $app['twig']->render($app['default_layout']);
} else {
$this->getTemplate()->assign('content', $out);
$response = $app['twig']->render($app['default_layout']);
}*/
return $this->render('ChamiloCoreBundle:Legacy:index.html.twig', array('content' => $out, 'js' => $js));
} else {
throw new NotFoundHttpException();
}
}
/**
* Delete the all the attachments from the DB and the file according to the post's id or attach id(optional)
* @param post id
* @param int $id_attach
* @param bool $display to show or not result message
* @return void
* @author Julio Montoya Dokeos
* @version october 2014, chamilo 1.9.8
*/
function delete_attachment($post_id, $id_attach = 0, $display = true)
{
$_course = api_get_course_info();
$forum_table_attachment = Database::get_course_table(TABLE_FORUM_ATTACHMENT);
$course_id = api_get_course_int_id();
$cond = !empty($id_attach) ? " iid = " . (int) $id_attach . "" : " post_id = " . (int) $post_id . "";
$sql = "SELECT path FROM {$forum_table_attachment} WHERE c_id = {$course_id} AND {$cond}";
$res = Database::query($sql);
$row = Database::fetch_array($res);
$course_dir = $_course['path'] . '/upload/forum';
$sys_course_path = api_get_path(SYS_COURSE_PATH);
$updir = $sys_course_path . $course_dir;
$my_path = isset($row['path']) ? $row['path'] : null;
$file = $updir . '/' . $my_path;
if (Security::check_abs_path($file, $updir)) {
@unlink($file);
}
// Delete from forum_attachment table.
$sql = "DELETE FROM {$forum_table_attachment} WHERE c_id = {$course_id} AND {$cond} ";
$result = Database::query($sql);
if ($result !== false) {
$affectedRows = Database::affected_rows($result);
} else {
$affectedRows = 0;
}
// Update item_property.
api_item_property_update($_course, TOOL_FORUM_ATTACH, $id_attach, 'ForumAttachmentDelete', api_get_user_id());
if (!empty($result) && !empty($id_attach) && $display) {
$message = get_lang('AttachmentFileDeleteSuccess');
Display::display_confirmation_message($message);
}
return $affectedRows;
}
}
// allow to the correct user for download this file
$not_allowed_to_edit = false;
$userGroup = new UserGroup();
if (!empty($row_users['group_id'])) {
$users_group = $userGroup->get_all_users_by_group($row_users['group_id']);
if (!in_array($current_uid, array_keys($users_group))) {
$not_allowed_to_edit = true;
}
} else {
if ($current_uid != $message_uid) {
$not_allowed_to_edit = true;
}
}
if ($not_allowed_to_edit) {
api_not_allowed();
exit;
}
// set the path directory file
if (!empty($row_users['group_id'])) {
$path_user_info = $userGroup->get_group_picture_path_by_id($row_users['group_id'], 'system', true);
} else {
$path_user_info['dir'] = UserManager::getUserPathById($message_uid, 'system');
}
$full_file_name = $path_user_info['dir'] . 'message_attachments/' . $file_url;
if (Security::check_abs_path($full_file_name, $path_user_info['dir'] . 'message_attachments/')) {
// launch event
Event::event_download($file_url);
DocumentManager::file_send_for_download($full_file_name, TRUE, $title);
}
exit;
$language_file = array('courses', 'index', 'admin');
$user_id = api_get_user_id();
if (!isset($_GET['file']) || !isset($_GET['title']) || !isset($_GET['ticket_id'])) {
api_not_allowed();
}
if (!api_is_platform_admin()) {
$ticket_id = $_GET['ticket_id'];
$table_support_messages = Database::get_main_table(TABLE_SUPPORT_MESSAGE);
$table_support_tickets = Database::get_main_table(TABLE_SUPPORT_TICKET);
$table_support_message_attachments = Database::get_main_table(TABLE_SUPPORT_MESSAGE_ATTACHMENTS);
$sql = "SELECT DISTINCT ticket.request_user FROM {$table_support_tickets} ticket, {$table_support_messages} message, {$table_support_message_attachments} attch \n\t\t\tWHERE ticket.ticket_id = message.ticket_id AND attch.message_id = message.message_id AND ticket.ticket_id = {$ticket_id}";
$rs = Database::query($sql);
$row_users = Database::fetch_array($rs, 'ASSOC');
$user_request_id = $row_users['request_user'];
if (intval($user_request_id) != $user_id) {
api_not_allowed();
}
}
$file_url = $_GET['file'];
$file_url = str_replace('///', '&', $file_url);
$file_url = str_replace(' ', '+', $file_url);
$file_url = str_replace('/..', '', $file_url);
$file_url = Database::escape_string($file_url);
$title = $_GET['title'];
$path_attachment = api_get_path(SYS_PATH);
$path_message_attach = $path_attachment . 'tck_messageattch/';
$full_file_name = $path_message_attach . $file_url;
if (Security::check_abs_path($full_file_name, $path_message_attach)) {
DocumentManager::file_send_for_download($full_file_name, TRUE, $title);
}
exit;
//echo $doc_url;
$full_file_name = api_get_path(SYS_COURSE_PATH) . $course_info['path'] . '/upload/calendar/' . $doc_url;
//if the rewrite rule asks for a directory, we redirect to the document explorer
if (is_dir($full_file_name)) {
//remove last slash if present
//$doc_url = ($doc_url{strlen($doc_url)-1}=='/')?substr($doc_url,0,strlen($doc_url)-1):$doc_url;
//mod_rewrite can change /some/path/ to /some/path// in some cases, so clean them all off (René)
while ($doc_url[$dul = strlen($doc_url) - 1] == '/') {
$doc_url = substr($doc_url, 0, $dul);
}
//create the path
$document_explorer = api_get_path(WEB_COURSE_PATH) . $course_info['path'];
// home course path
//redirect
header('Location: ' . $document_explorer);
exit;
}
$tbl_agenda_attachment = Database::get_course_table(TABLE_AGENDA_ATTACHMENT);
// launch event
event_download($doc_url);
$sql = 'SELECT filename FROM ' . $tbl_agenda_attachment . '
WHERE c_id = ' . $course_id . ' AND path LIKE BINARY "' . Database::escape_string($doc_url) . '"';
$result = Database::query($sql);
if (Database::num_rows($result)) {
$row = Database::fetch_array($result);
$title = str_replace(' ', '_', $row['filename']);
if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH) . $course_info['path'] . '/upload/calendar/')) {
DocumentManager::file_send_for_download($full_file_name, TRUE, $title);
}
}
api_not_allowed();
$allowed_to_download = true;
}
/* ERROR IF NOT ALLOWED TO DOWNLOAD */
if (!$allowed_to_download) {
Display::display_header($nameTools, 'Dropbox');
Display::display_error_message(get_lang('YouAreNotAllowedToDownloadThisFile'));
Display::display_footer();
exit;
} else {
/* DOWNLOAD THE FILE */
// the user is allowed to download the file
$_SESSION['_seen'][$_course['id']][TOOL_DROPBOX][] = intval($_GET['id']);
$work = new Dropbox_Work($_GET['id']);
$path = dropbox_cnf('sysPath') . '/' . $work->filename;
//path to file as stored on server
if (!Security::check_abs_path($path, dropbox_cnf('sysPath') . '/')) {
exit;
}
$file = $work->title;
$mimetype = DocumentManager::file_get_mime_type(true);
$fileinfo = pathinfo($file);
$extension = $fileinfo['extension'];
if (!empty($extension) && isset($mimetype[$extension]) && $_GET['action'] != 'download') {
// give hint to browser about filetype
header('Content-type: ' . $mimetype[$extension] . "\n");
} else {
//no information about filetype: force a download dialog window in browser
header("Content-type: application/octet-stream\n");
}
header('Content-Disposition: attachment; filename=' . $file);
/**
/**
* Downloads all user files per user
* @param int $userId
* @param array $courseInfo
* @return bool
*/
function downloadAllFilesPerUser($userId, $courseInfo)
{
$userInfo = api_get_user_info($userId);
if (empty($userInfo) || empty($courseInfo)) {
return false;
}
require_once api_get_path(LIBRARY_PATH).'pclzip/pclzip.lib.php';
$tempZipFile = api_get_path(SYS_ARCHIVE_PATH).api_get_unique_id().".zip";
$coursePath = api_get_path(SYS_COURSE_PATH).$courseInfo['path'].'/work/';
$zip = new PclZip($tempZipFile);
$workPerUser = getWorkPerUser($userId);
if (!empty($workPerUser)) {
$files = array();
foreach ($workPerUser as $work) {
$work = $work['work'];
foreach ($work->user_results as $userResult) {
if (empty($userResult['url']) || empty($userResult['contains_file'])) {
continue;
}
$data = getFileContents($userResult['id'], $courseInfo);
if (!empty($data) && isset($data['path'])) {
$files[basename($data['path'])] = array(
'title' => $data['title'],
'path' => $data['path']
);
}
}
}
if (!empty($files)) {
Session::write('files', $files);
foreach ($files as $data) {
$zip->add(
$data['path'],
PCLZIP_OPT_REMOVE_PATH,
$coursePath,
PCLZIP_CB_PRE_ADD,
'preAddAllWorkStudentCallback'
);
}
}
// Start download of created file
$name = basename(replace_dangerous_char($userInfo['complete_name'])).'.zip';
event_download($name.'.zip (folder)');
if (Security::check_abs_path($tempZipFile, api_get_path(SYS_ARCHIVE_PATH))) {
DocumentManager::file_send_for_download($tempZipFile, true, $name);
@unlink($tempZipFile);
exit;
}
}
exit;
}
/**
* Delete the all the attachments according the parameters.
* @param the blog's id
* @param the post's id
* @param the comment's id
* @author Julio Montoya Dokeos
* @version avril 2008, dokeos 1.8.5
*/
function delete_all_blog_attachment($blog_id, $post_id = null, $comment_id = null)
{
$_course = api_get_course_info();
$blog_table_attachment = Database::get_course_table(TABLE_BLOGS_ATTACHMENT);
$blog_id = intval($blog_id);
$comment_id = intval($comment_id);
$post_id = intval($post_id);
$course_id = api_get_course_int_id();
$where = null;
// delete files in DB
if (!empty($post_id) && is_numeric($post_id)) {
$where .= ' AND post_id ="' . $post_id . '" ';
}
if (!empty($comment_id) && is_numeric($comment_id)) {
if (!empty($post_id)) {
$where .= ' AND ';
}
$where .= ' comment_id ="' . $comment_id . '" ';
}
// delete all files in directory
$courseDir = $_course['path'] . '/upload/blog';
$sys_course_path = api_get_path(SYS_COURSE_PATH);
$updir = $sys_course_path . $courseDir;
$sql = 'SELECT path FROM ' . $blog_table_attachment . '
WHERE c_id = ' . $course_id . ' AND blog_id ="' . intval($blog_id) . '" ' . $where;
$result = Database::query($sql);
while ($row = Database::fetch_row($result)) {
$file = $updir . '/' . $row[0];
if (Security::check_abs_path($file, $updir)) {
@unlink($file);
}
}
$sql = 'DELETE FROM ' . $blog_table_attachment . ' WHERE c_id = ' . $course_id . ' AND blog_id ="' . intval($blog_id) . '" ' . $where;
Database::query($sql);
}
}
$full_file_name = api_get_path(SYS_COURSE_PATH) . api_get_course_path() . '/upload/announcements/' . $doc_url;
//if the rewrite rule asks for a directory, we redirect to the document explorer
if (is_dir($full_file_name)) {
//remove last slash if present
//$doc_url = ($doc_url{strlen($doc_url)-1}=='/')?substr($doc_url,0,strlen($doc_url)-1):$doc_url;
//mod_rewrite can change /some/path/ to /some/path// in some cases, so clean them all off (René)
while ($doc_url[$dul = strlen($doc_url) - 1] == '/') {
$doc_url = substr($doc_url, 0, $dul);
}
//create the path
$document_explorer = api_get_path(WEB_COURSE_PATH) . api_get_course_path();
// home course path
//redirect
header('Location: ' . $document_explorer);
}
$tbl_announcement_attachment = Database::get_course_table(TABLE_ANNOUNCEMENT_ATTACHMENT);
// launch event
Event::event_download($doc_url);
$course_id = api_get_course_int_id();
$doc_url = Database::escape_string($doc_url);
$sql = "SELECT filename FROM {$tbl_announcement_attachment}\n \t \tWHERE c_id = {$course_id} AND path LIKE BINARY '{$doc_url}'";
$result = Database::query($sql);
if (Database::num_rows($result) > 0) {
$row = Database::fetch_array($result);
$title = str_replace(' ', '_', $row['filename']);
if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH) . api_get_course_path() . '/upload/announcements/')) {
DocumentManager::file_send_for_download($full_file_name, true, $title);
}
}
exit;
if (api_is_multiple_url_enabled()) {
$accessUrlId = api_get_current_access_url_id();
if ($accessUrlId == -1) {
die;
}
$urlInfo = api_get_access_url($accessUrlId);
$url = api_remove_trailing_slash(preg_replace('/https?:\\/\\//i', '', $urlInfo['url']));
$cleanUrl = str_replace('/', '-', $url);
$newUrlDir = api_get_path(SYS_APP_PATH) . "home/{$cleanUrl}/admin/";
} else {
$newUrlDir = api_get_path(SYS_APP_PATH) . "home/admin/";
}
if (!file_exists($newUrlDir)) {
die;
}
if (!Security::check_abs_path("{$newUrlDir}{$blockName}_extra.html", $newUrlDir)) {
die;
}
if (!file_exists("{$newUrlDir}{$blockName}_extra.html")) {
die;
}
echo file_get_contents("{$newUrlDir}{$blockName}_extra.html");
break;
}
/**
* Displays either the text for the registration or the message that the installation is (not) up to date
*
* @return string html code
* @author Patrick Cool <*****@*****.**>, Ghent University
* @version august 2006
* @todo have a 6 monthly re-registration
/**
* @param int $id
*/
public static function deleteIcon($id)
{
$table = Database::get_course_table(TABLE_TOOL_LIST);
$tool = self::getTool($id);
if ($tool && !empty($tool['custom_icon'])) {
$file = self::getCustomSysIconPath() . $tool['custom_icon'];
$fileInfo = pathinfo($file);
$fileGray = $fileInfo['filename'] . '_na.' . $fileInfo['extension'];
$fileGray = self::getCustomSysIconPath() . $fileGray;
if (file_exists($file) && is_file($file)) {
if (Security::check_abs_path($file, self::getCustomSysIconPath())) {
unlink($file);
}
}
if (file_exists($fileGray) && is_file($fileGray)) {
if (Security::check_abs_path($fileGray, self::getCustomSysIconPath())) {
unlink($fileGray);
}
}
$params = ['custom_icon' => ''];
Database::update($table, $params, [' iid = ?' => [$id]]);
}
}
//Convert texts in html files
if ($not_deleted_file['contains_file'] == 0) {
$filename = trim($filename) . ".html";
$work_temp = api_get_path(SYS_ARCHIVE_PATH) . api_get_unique_id() . '_' . $filename;
file_put_contents($work_temp, $not_deleted_file['description']);
$files[basename($work_temp)] = $filename;
$zip_folder->add($work_temp, PCLZIP_OPT_REMOVE_PATH, api_get_path(SYS_ARCHIVE_PATH), PCLZIP_CB_PRE_ADD, 'my_pre_add_callback');
@unlink($work_temp);
}
}
if (!empty($files)) {
//logging
event_download(basename($work_data['title']) . '.zip (folder)');
//start download of created file
$name = basename($work_data['title']) . '.zip';
if (Security::check_abs_path($temp_zip_file, api_get_path(SYS_ARCHIVE_PATH))) {
DocumentManager::file_send_for_download($temp_zip_file, true, $name);
@unlink($temp_zip_file);
exit;
}
} else {
exit;
}
/* Extra function (only used here) */
function my_pre_add_callback($p_event, &$p_header)
{
global $files;
if (isset($files[basename($p_header['stored_filename'])])) {
$p_header['stored_filename'] = $files[basename($p_header['stored_filename'])];
return 1;
}
/**
* check if such document is allowed to shown on the list
*
* @param string $path the path to the document
* @return boolean
*/
function isListingDocument($path)
{
global $PathChamiloAjaxFileManager;
$file = basename($path);
$filePath = realpath($path);
$allowedPath = realpath($PathChamiloAjaxFileManager);
$check = Security::check_abs_path($filePath, $allowedPath);
if ($check == false) {
return false;
}
if (CONFIG_SYS_PATTERN_FORMAT == 'list') {
// comma delimited vague file/folder name
if (is_dir($path)) {
$includeDir = trimlrm(CONFIG_SYS_INC_DIR_PATTERN);
$excludeDir = trimlrm(CONFIG_SYS_EXC_DIR_PATTERN);
$found_includeDir = strpos($includeDir, $file);
$found_excludeDir = strpos($excludeDir, $file);
if ((!CONFIG_SYS_INC_DIR_PATTERN || !($found_includeDir === FALSE)) && (!CONFIG_SYS_EXC_DIR_PATTERN || $found_excludeDir === FALSE)) {
return true;
} else {
return false;
}
} elseif (is_file($path)) {
$includeFile = trimlrm(CONFIG_SYS_INC_FILE_PATTERN);
$excludeFile = trimlrm(CONFIG_SYS_EXC_FILE_PATTERN);
$found_includeFile = strpos($includeFile, $file);
$found_excludeFile = strpos($excludeFile, $file);
if ((!CONFIG_SYS_INC_FILE_PATTERN || !($found_includeFile === FALSE)) && (!CONFIG_SYS_EXC_FILE_PATTERN || $found_excludeFile === FALSE)) {
return true;
} else {
return false;
}
}
} elseif (CONFIG_SYS_PATTERN_FORMAT == 'csv') {
//comma delimited file/folder name
if (is_dir($path)) {
$includeDir = trimlrm(CONFIG_SYS_INC_DIR_PATTERN);
$excludeDir = trimlrm(CONFIG_SYS_EXC_DIR_PATTERN);
if (!empty($includeDir) && !empty($excludeDir)) {
$validDir = explode(',', $includeDir);
$invalidDir = explode(",", $excludeDir);
if (array_search(basename($path), $validDir) !== false && array_search(basename($path), $invalidDir) === false) {
return true;
} else {
return false;
}
} elseif (!empty($includeDir)) {
$validDir = explode(',', $includeDir);
if (array_search(basename($path), $validDir) !== false) {
return true;
} else {
return false;
}
} elseif (!empty($excludeFile)) {
$invalidDir = explode(",", $excludeDir);
if (array_search(basename($path), $invalidDir) === false) {
return true;
} else {
return false;
}
}
return true;
} elseif (is_file($path)) {
$includeFile = trimlrm(CONFIG_SYS_INC_FILE_PATTERN);
$excludeFile = trimlrm(CONFIG_SYS_EXC_FILE_PATTERN);
if (!empty($includeFile) && !empty($excludeFile)) {
$validFile = explode(',', $includeFile);
$invalidFile = explode(',', $excludeFile);
if (array_search(basename($path), $validFile) !== false && array_search(basename($path), $invalidFile) === false) {
return true;
} else {
return false;
}
} elseif (!empty($includeFile)) {
$validFile = explode(',', $includeFile);
if (array_search(basename($path), $validFile) !== false) {
return true;
} else {
return false;
}
} elseif (!empty($excludeFile)) {
$invalidFile = explode(',', $excludeFile);
if (array_search(basename($path), $invalidFile) === false) {
return true;
} else {
return false;
}
}
return true;
}
} else {
//regular expression
if (is_dir($path)) {
if (isValidPattern(CONFIG_SYS_INC_DIR_PATTERN, $path) && !isInvalidPattern(CONFIG_SYS_EXC_DIR_PATTERN, $path)) {
return true;
} else {
return false;
}
} elseif (is_file($path)) {
if (isValidPattern(CONFIG_SYS_INC_FILE_PATTERN, $path) && !isInvalidPattern(CONFIG_SYS_EXC_FILE_PATTERN, $path)) {
return true;
} else {
return false;
}
}
}
return false;
}
