ファイル: files.php プロジェクト: nistormihai/Newscoop
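        // Per-file size limit; $PHORUM["max_file_size"] is configured in KB.
        if($PHORUM["max_file_size"]>0 && $_FILES["newfile"]["size"]>$PHORUM["max_file_size"]*1024){
            $error_msg = true;
            $PHORUM["DATA"]["MESSAGE"] = $PHORUM["DATA"]["LANG"]["FileTooLarge"];
        }

        // Extension whitelist ($PHORUM["file_types"] is a ";"-separated list).
        // The filename comes from the client and is untrusted. Previously a
        // name without a "." made strrpos() return FALSE, and FALSE+1 == 1
        // silently turned "the filename minus its first byte" into the
        // extension that was checked. Such a name is now checked as a whole,
        // and both sides are lowercased and compared strictly, matching
        // phorum_api_file_check_write_access() in file_storage.php.
        if(!empty($PHORUM["file_types"])){
            $upload_name = (string) $_FILES["newfile"]["name"];
            $dot_pos = strrpos($upload_name, ".");
            $ext = strtolower($dot_pos === false ? $upload_name : substr($upload_name, $dot_pos+1));
            $allowed_exts = explode(";", strtolower($PHORUM["file_types"]));
            if(!in_array($ext, $allowed_exts, true)){
                $error_msg = true;
                $PHORUM["DATA"]["MESSAGE"] = $PHORUM["DATA"]["LANG"]["FileWrongType"];
            }
        }

        // Per-user storage quota (KB). Note the comparison is ">=" here while
        // file_storage.php uses ">"; kept as-is, the off-by-one is deliberate
        // or harmless either way for a KB-granularity quota.
        if($PHORUM["file_space_quota"]>0 && phorum_db_get_user_filesize_total($PHORUM["user"]["user_id"])+$_FILES["newfile"]["size"]>=$PHORUM["file_space_quota"]*1024){
            $error_msg = true;
            $PHORUM["DATA"]["MESSAGE"] = $PHORUM["DATA"]["LANG"]["FileOverQuota"];
        }

        if(empty($error_msg)){
            $tmp_name = $_FILES["newfile"]["tmp_name"];

            // Only read what PHP itself placed in the upload tmp dir: a
            // partial/failed upload, or a forged tmp_name pointing at an
            // arbitrary server file, must never reach phorum_db_file_save().
            // The generic "UploadNotAllowed" message is reused because no more
            // specific LANG key is available here.
            if($_FILES["newfile"]["error"] !== UPLOAD_ERR_OK || !is_uploaded_file($tmp_name)){
                $error_msg = true;
                $PHORUM["DATA"]["MESSAGE"] = $PHORUM["DATA"]["LANG"]["UploadNotAllowed"];
            } else {
                // Read the whole file; fread() with a 0-byte length is an
                // error in newer PHP, file_get_contents() handles empty files.
                $contents = file_get_contents($tmp_name);
                if($contents === false){
                    $error_msg = true;
                    $PHORUM["DATA"]["MESSAGE"] = $PHORUM["DATA"]["LANG"]["UploadNotAllowed"];
                } else {
                    // Contents are stored base64-encoded, as before.
                    $buffer = base64_encode($contents);
                    $file_id = phorum_db_file_save($PHORUM["user"]["user_id"], $_FILES["newfile"]["name"], $_FILES["newfile"]["size"], $buffer);
                }
            }
        }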
ファイル: file_storage.php プロジェクト: sheldon/dejavu
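/**
 * Check if the active user has permissions to store a personal
 * file or a message attachment.
 *
 * Note that the checks for message attachments aren't all checks that are
 * done by Phorum. The attachment posting script does run some additional
 * checks on the message level (e.g. to see if the maximum cumulative
 * attachment size is not exceeded).
 *
 * @example file_store.php Store a personal file.
 *
 * @param array $file
 *     This is an array, containing information about the
 *     file that will be uploaded. The array should contain at least the
 *     "link" field. That field will be used to handle checking for personal
 *     uploaded files in the control center (PHORUM_LINK_USER) or message
 *     attachments (PHORUM_LINK_MESSAGE). Next to that, interesting file
 *     fields to pass to this function are "filesize" (to check maximum size)
 *     and "filename" (to check allowed file type extensions). A "user_id"
 *     field can either be provided or the user_id of the active Phorum
 *     user will be used; the per-user file quota is checked against that
 *     user_id.
 *
 * @return bool
 *     If access is allowed, then TRUE will be returned. If access is denied,
 *     then FALSE will be returned. The functions {@link phorum_api_strerror()}
 *     and {@link phorum_api_errno()} can be used to retrieve information
 *     about the error which occurred.
 */
function phorum_api_file_check_write_access($file)
{
    $PHORUM = $GLOBALS["PHORUM"];

    // Reset error storage.
    $GLOBALS["PHORUM"]["API"]["errno"] = NULL;
    $GLOBALS["PHORUM"]["API"]["error"] = NULL;

    if (!isset($file["link"])) {
        trigger_error("phorum_api_file_check_write_access(): \$file parameter needs a " . "\"link\" field.", E_USER_ERROR);
    }

    // Fall back to the active user when no explicit user_id was passed.
    if (empty($file["user_id"])) {
        $file["user_id"] = $PHORUM["user"]["user_id"];
    }

    // ---------------------------------------------------------------------
    // Handle write access checks for uploading user files.
    // ---------------------------------------------------------------------
    if ($file["link"] == PHORUM_LINK_USER) {

        // If file uploads are enabled, then access is granted. Access
        // is always granted to administrator users.
        if (!$PHORUM["file_uploads"] && !$PHORUM["user"]["admin"]) {
            return phorum_api_error_set(PHORUM_ERRNO_NOACCESS, $PHORUM["DATA"]["LANG"]["UploadNotAllowed"]);
        }

        // Check if the file doesn't exceed the maximum allowed file size
        // (max_file_size is configured in KB).
        if (isset($file["filesize"]) && $PHORUM["max_file_size"] > 0 && $file["filesize"] > $PHORUM["max_file_size"] * 1024) {
            return phorum_api_error_set(PHORUM_ERRNO_NOACCESS, $PHORUM["DATA"]["LANG"]["FileTooLarge"]);
        }

        // Check if the user won't exceed the file quota when storing the file.
        // The quota is charged to the user the file is stored for
        // ($file["user_id"]), which need not be the active user; previously
        // the active user's total was used regardless of the passed user_id.
        if (isset($file["filesize"]) && $PHORUM["file_space_quota"] > 0) {
            $sz = phorum_db_get_user_filesize_total($file["user_id"]);
            $sz += $file["filesize"];
            if ($sz > $PHORUM["file_space_quota"] * 1024) {
                return phorum_api_error_set(PHORUM_ERRNO_NOACCESS, $PHORUM["DATA"]["LANG"]["FileOverQuota"]);
            }
        }

        // Check if the file type is allowed.
        if (isset($file["filename"]) && isset($PHORUM["file_types"]) && trim($PHORUM["file_types"]) != '') {
            // Determine the file extension for the file. A filename without
            // a "." is checked as a whole, so it cannot slip past the list.
            $pos = strrpos($file["filename"], ".");
            if ($pos !== FALSE) {
                $ext = strtolower(substr($file["filename"], $pos + 1));
            } else {
                $ext = strtolower($file["filename"]);
            }
            // Create an array of allowed file extensions (";"-separated,
            // compared case-insensitively).
            $allowed_exts = explode(";", strtolower($PHORUM["file_types"]));
            // Strict comparison: the extension is untrusted input and loose
            // string comparison treats numeric-looking strings as numbers.
            if (!in_array($ext, $allowed_exts, true)) {
                return phorum_api_error_set(PHORUM_ERRNO_NOACCESS, $PHORUM["DATA"]["LANG"]["FileWrongType"]);
            }
        }

    // ---------------------------------------------------------------------
    // Handle write access checks for uploading message attachments.
    // ---------------------------------------------------------------------
    } elseif ($file["link"] == PHORUM_LINK_EDITOR || $file["link"] == PHORUM_LINK_MESSAGE) {

        // Check if the file doesn't exceed the maximum allowed file size
        // for the active forum.
        if (isset($file["filesize"])) {
            // Find the maximum allowed attachment size. This depends on
            // both the settings for the current forum and the limits
            // that are enforced by the system; the smaller one wins.
            require_once './include/upload_functions.php';
            $max_upload = phorum_get_system_max_upload();
            $max_forum = $PHORUM["max_attachment_size"] * 1024;
            if ($max_forum > 0 && $max_forum < $max_upload) {
                $max_upload = $max_forum;
            }
            // Check if the file doesn't exceed the maximum allowed size.
            if ($max_upload > 0 && $file["filesize"] > $max_upload) {
                return phorum_api_error_set(PHORUM_ERRNO_NOACCESS, str_replace('%size%', phorum_filesize($max_upload), $PHORUM["DATA"]["LANG"]["AttachFileSize"]));
            }
        }

        // Check if the file type is allowed for the active forum.
        if (isset($file["filename"]) && isset($PHORUM["allow_attachment_types"]) && trim($PHORUM["allow_attachment_types"]) != '') {
            // Determine the file extension for the file (same rule as above).
            $pos = strrpos($file["filename"], ".");
            if ($pos !== FALSE) {
                $ext = strtolower(substr($file["filename"], $pos + 1));
            } else {
                $ext = strtolower($file["filename"]);
            }
            // Create an array of allowed file extensions.
            $allowed_exts = explode(";", strtolower($PHORUM["allow_attachment_types"]));
            // Check if the extension for the file is an allowed extension
            // (strict comparison, see above).
            if (!in_array($ext, $allowed_exts, true)) {
                return phorum_api_error_set(PHORUM_ERRNO_NOACCESS, $PHORUM["DATA"]["LANG"]["AttachInvalidType"] . " " . str_replace('%types%', implode(", ", $allowed_exts), $PHORUM["DATA"]["LANG"]["AttachFileTypes"]));
            }
        }
    }

    return TRUE;
}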