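// ---------------------------------------------------------------------
// Validate the uploaded file ($_FILES["newfile"]) against the configured
// limits and, if every check passes, store it for the active user.
// The first failing check sets $error_msg and puts the user-facing
// reason in $PHORUM["DATA"]["MESSAGE"]; later checks still run but only
// the last message survives, exactly as before.
// ---------------------------------------------------------------------

// Maximum file size is configured in KB and compared in bytes.
if ($PHORUM["max_file_size"] > 0 &&
    $_FILES["newfile"]["size"] > $PHORUM["max_file_size"] * 1024) {
    $error_msg = true;
    $PHORUM["DATA"]["MESSAGE"] = $PHORUM["DATA"]["LANG"]["FileTooLarge"];
}

// Allowed file types, configured as a ";"-separated list of extensions.
if (!empty($PHORUM["file_types"])) {
    // The extension comes from the client-supplied file name. A name
    // without a dot used to make strrpos() return FALSE, which silently
    // became substr($name, 1); such a name is now used as its own
    // "extension" instead (as phorum_api_file_check_write_access() does).
    $ext_pos = strrpos($_FILES["newfile"]["name"], ".");
    $ext = strtolower($ext_pos !== false
        ? substr($_FILES["newfile"]["name"], $ext_pos + 1)
        : $_FILES["newfile"]["name"]);

    // Lowercase the configured list as well so that the comparison is
    // case-insensitive on both sides.
    $allowed_exts = explode(";", strtolower($PHORUM["file_types"]));
    if (!in_array($ext, $allowed_exts, true)) {
        $error_msg = true;
        $PHORUM["DATA"]["MESSAGE"] = $PHORUM["DATA"]["LANG"]["FileWrongType"];
    }
}

// Per-user storage quota (configured in KB). The database lookup is only
// made when a quota is actually configured.
if ($PHORUM["file_space_quota"] > 0 &&
    phorum_db_get_user_filesize_total($PHORUM["user"]["user_id"]) +
    $_FILES["newfile"]["size"] >= $PHORUM["file_space_quota"] * 1024) {
    $error_msg = true;
    $PHORUM["DATA"]["MESSAGE"] = $PHORUM["DATA"]["LANG"]["FileOverQuota"];
}

if (empty($error_msg)) {
    $tmp_name = $_FILES["newfile"]["tmp_name"];

    // Only ever read the file that PHP itself received through the upload
    // mechanism; refuse any other path that might end up in tmp_name.
    if (!is_uploaded_file($tmp_name)) {
        trigger_error(
            "File store: \$_FILES[\"newfile\"][\"tmp_name\"] is not an " .
            "uploaded file.", E_USER_ERROR
        );
    }

    // Read the whole temporary file. file_get_contents() also copes with
    // an empty upload, where fread($fp, 0) would have raised an error.
    $contents = file_get_contents($tmp_name);
    if ($contents === false) {
        trigger_error(
            "File store: could not read the uploaded file.", E_USER_ERROR
        );
    }
    $buffer = base64_encode($contents);

    // NOTE(review): the client-supplied name is stored as-is, like before;
    // phorum_db_file_save() is expected to escape it — confirm.
    $file_id = phorum_db_file_save(
        $PHORUM["user"]["user_id"],
        $_FILES["newfile"]["name"],
        $_FILES["newfile"]["size"],
        $buffer
    );
}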
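/**
 * Check if the active user has permissions to store a personal
 * file or a message attachment.
 *
 * Note that the checks for message attachments aren't all checks that are
 * done by Phorum. The attachment posting script does run some additional
 * checks on the message level (e.g. to see if the maximum cumulative
 * attachment size is not exceeded).
 *
 * @example file_store.php Store a personal file.
 *
 * @param array $file
 *     This is an array, containing information about the
 *     file that will be uploaded. The array should contain at least the
 *     "link" field. That field will be used to handle checking for personal
 *     uploaded files in the control center (PHORUM_LINK_USER) or message
 *     attachments (PHORUM_LINK_MESSAGE). Next to that, interesting file
 *     fields to pass to this function are "filesize" (to check maximum size)
 *     and "filename" (to check allowed file type extensions). A "user_id"
 *     field can either be provided or the user_id of the active Phorum
 *     user will be used.
 *
 * @return bool
 *     If access is allowed, then TRUE will be returned. If access is denied,
 *     then the return value of {@link phorum_api_error_set()} (FALSE) is
 *     returned. The functions {@link phorum_api_strerror()} and
 *     {@link phorum_api_errno()} can be used to retrieve information
 *     about the error which occurred.
 */
function phorum_api_file_check_write_access($file)
{
    $PHORUM = $GLOBALS["PHORUM"];

    // Reset error storage.
    $GLOBALS["PHORUM"]["API"]["errno"] = NULL;
    $GLOBALS["PHORUM"]["API"]["error"] = NULL;

    if (!isset($file["link"])) {
        trigger_error(
            "phorum_api_file_check_write_access(): \$file parameter needs a " .
            "\"link\" field.", E_USER_ERROR
        );
    }

    if (empty($file["user_id"])) {
        $file["user_id"] = $PHORUM["user"]["user_id"];
    }

    // Determine the lowercased extension once; both branches below use it
    // for their file type check. A name without a dot is treated as its
    // own extension. Only the part after the last dot is inspected, which
    // is fine as long as stored files are served through Phorum's own
    // file handler and not straight from a web root — confirm.
    $ext = NULL;
    if (isset($file["filename"])) {
        $pos = strrpos($file["filename"], ".");
        $ext = strtolower($pos !== FALSE
            ? substr($file["filename"], $pos + 1)
            : $file["filename"]);
    }

    // ---------------------------------------------------------------------
    // Handle write access checks for uploading user files.
    // ---------------------------------------------------------------------

    if ($file["link"] == PHORUM_LINK_USER) {

        // If file uploads are enabled, then access is granted. Access
        // is always granted to administrator users.
        if (!$PHORUM["file_uploads"] && !$PHORUM["user"]["admin"]) {
            return phorum_api_error_set(
                PHORUM_ERRNO_NOACCESS,
                $PHORUM["DATA"]["LANG"]["UploadNotAllowed"]
            );
        }

        // Check if the file doesn't exceed the maximum allowed file size
        // (configured in KB).
        if (isset($file["filesize"]) &&
            $PHORUM["max_file_size"] > 0 &&
            $file["filesize"] > $PHORUM["max_file_size"] * 1024) {
            return phorum_api_error_set(
                PHORUM_ERRNO_NOACCESS,
                $PHORUM["DATA"]["LANG"]["FileTooLarge"]
            );
        }

        // Check if the user won't exceed the file quota when storing the
        // file. The quota belongs to the owner of the file ($file["user_id"],
        // which defaults to the active user above), not necessarily to the
        // active user.
        if (isset($file["filesize"]) && $PHORUM["file_space_quota"] > 0) {
            $sz = phorum_db_get_user_filesize_total($file["user_id"]);
            $sz += $file["filesize"];
            if ($sz > $PHORUM["file_space_quota"] * 1024) {
                return phorum_api_error_set(
                    PHORUM_ERRNO_NOACCESS,
                    $PHORUM["DATA"]["LANG"]["FileOverQuota"]
                );
            }
        }

        // Check if the file type is allowed ("file_types" is a
        // ";"-separated list of extensions).
        if ($ext !== NULL &&
            isset($PHORUM["file_types"]) &&
            trim($PHORUM["file_types"]) != '') {
            $allowed_exts = explode(";", strtolower($PHORUM["file_types"]));
            if (!in_array($ext, $allowed_exts, true)) {
                return phorum_api_error_set(
                    PHORUM_ERRNO_NOACCESS,
                    $PHORUM["DATA"]["LANG"]["FileWrongType"]
                );
            }
        }

    // ---------------------------------------------------------------------
    // Handle write access checks for message attachments.
    // ---------------------------------------------------------------------

    } elseif ($file["link"] == PHORUM_LINK_EDITOR ||
              $file["link"] == PHORUM_LINK_MESSAGE) {

        // Check if the file doesn't exceed the maximum allowed file size
        // for the active forum.
        if (isset($file["filesize"])) {
            // Find the maximum allowed attachment size. This depends on
            // both the settings for the current forum and the limits
            // that are enforced by the system; the stricter one wins.
            require_once './include/upload_functions.php';
            $max_upload = phorum_get_system_max_upload();
            $max_forum = $PHORUM["max_attachment_size"] * 1024;
            if ($max_forum > 0 && $max_forum < $max_upload) {
                $max_upload = $max_forum;
            }

            // Check if the file doesn't exceed the maximum allowed size.
            if ($max_upload > 0 && $file["filesize"] > $max_upload) {
                return phorum_api_error_set(
                    PHORUM_ERRNO_NOACCESS,
                    str_replace(
                        '%size%',
                        phorum_filesize($max_upload),
                        $PHORUM["DATA"]["LANG"]["AttachFileSize"]
                    )
                );
            }
        }

        // Check if the file type is allowed for the active forum
        // ("allow_attachment_types" is a ";"-separated list of extensions).
        if ($ext !== NULL &&
            isset($PHORUM["allow_attachment_types"]) &&
            trim($PHORUM["allow_attachment_types"]) != '') {
            $allowed_exts = explode(
                ";", strtolower($PHORUM["allow_attachment_types"])
            );
            if (!in_array($ext, $allowed_exts, true)) {
                return phorum_api_error_set(
                    PHORUM_ERRNO_NOACCESS,
                    $PHORUM["DATA"]["LANG"]["AttachInvalidType"] . " " .
                    str_replace(
                        '%types%',
                        implode(", ", $allowed_exts),
                        $PHORUM["DATA"]["LANG"]["AttachFileTypes"]
                    )
                );
            }
        }
    }

    return TRUE;
}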