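/**
 * Loads a legacy "main/" PHP page inside the Symfony controller and wraps its
 * output in the configured legacy layout.
 *
 * The requested file is resolved below <root>/main/ and must both exist and
 * pass \Security::check_abs_path() before it is included; otherwise a 404 is
 * raised. The request's query/body parameters are copied into $_GET/$_POST
 * because the included legacy code reads the superglobals directly.
 *
 * @param string  $name    Path of the legacy page, relative to main/ (e.g. "exercice/exercise_submit.php")
 * @param Request $request
 *
 * @return Response
 *
 * @throws NotFoundHttpException when the file does not exist or lies outside main/
 */
public function classicAction($name, Request $request)
{
    // The legacy pages read the superglobals directly.
    $_GET = $request->query->all();
    $_POST = $request->request->all();

    $kernel = $this->get('kernel');
    $rootDir = $kernel->getRealRootDir();
    $mainPath = $rootDir . 'main/';
    $fileToLoad = $mainPath . $name;

    // Setting legacy values inside the container
    /** @var Connection $dbConnection */
    $dbConnection = $this->container->get('database_connection');
    $em = $kernel->getContainer()->get('doctrine.orm.entity_manager');
    $database = new \Database($dbConnection, array());
    $database->setConnection($dbConnection);
    $database->setManager($em);

    Container::$container = $this->container;
    Container::$dataDir = $kernel->getDataDir();
    Container::$courseDir = $kernel->getDataDir();

    $this->container->get('twig')->addGlobal('api_get_cidreq', api_get_cidreq());

    // Both conditions are required: the file must exist and must resolve inside main/.
    if (!is_file($fileToLoad) || !\Security::check_abs_path($fileToLoad, $mainPath)) {
        throw new NotFoundHttpException();
    }

    // Files inside /main need these variables to be set
    $is_allowed_in_course = api_is_allowed_in_course();
    $is_courseAdmin = api_is_course_admin();
    $is_platformAdmin = api_is_platform_admin();
    $toolNameFromFile = basename(dirname($fileToLoad));
    $charset = 'UTF-8';

    // Default values
    $_course = api_get_course_info();
    $_user = api_get_user_info();
    $debug = $kernel->getEnvironment() === 'dev';

    // Loading file: capture everything the legacy page prints.
    ob_start();
    require_once $fileToLoad;
    $out = ob_get_clean();

    // No browser cache when executing an exercise.
    $responseHeaders = array();
    if ($name == 'exercice/exercise_submit.php') {
        $responseHeaders = array('cache-control' => 'no-store, no-cache, must-revalidate');
    }

    $js = isset($htmlHeadXtra) ? $htmlHeadXtra : array();
    // $interbreadcrumb is loaded in the require_once file.
    $interbreadcrumb = isset($interbreadcrumb) ? $interbreadcrumb : null;

    $template = Container::$legacyTemplate;
    $defaultLayout = 'layout_one_col.html.twig';
    if (!empty($template)) {
        $defaultLayout = $template;
    }

    $response = $this->render(
        'ChamiloCoreBundle::' . $defaultLayout,
        array('legacy_breadcrumb' => $interbreadcrumb, 'content' => $out, 'js' => $js)
    );
    // The no-cache headers used to be computed but never attached to the response.
    foreach ($responseHeaders as $header => $value) {
        $response->headers->set($header, $value);
    }

    return $response;
}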
$archive_path = api_get_path(SYS_ARCHIVE_PATH); } $archive_file = isset($_GET['archive']) ? $_GET['archive'] : null; $archive_file = str_replace(array('..', '/', '\\'), '', $archive_file); list($extension) = getextension($archive_file); if (empty($extension) || !file_exists($archive_path . $archive_file)) { exit; } $extension = strtolower($extension); $content_type = ''; if (in_array($extension, array('xml', 'csv')) && (api_is_platform_admin(true) || api_is_drh())) { $content_type = 'application/force-download'; } elseif ($extension == 'zip' && $_cid && (api_is_platform_admin(true) || $is_courseAdmin)) { $content_type = 'application/force-download'; } if (empty($content_type)) { api_not_allowed(true); } if (Security::check_abs_path($archive_path . $archive_file, $archive_path)) { header('Expires: Wed, 01 Jan 1990 00:00:00 GMT'); header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT'); header('Cache-Control: public'); header('Pragma: no-cache'); header('Content-Type: ' . $content_type); header('Content-Length: ' . filesize($archive_path . $archive_file)); header('Content-Disposition: attachment; filename=' . $archive_file); readfile($archive_path . $archive_file); exit; } else { api_not_allowed(true); }
1 => Allow learners to delete their own publications = YES +------------------+------------------------------+----------------------------+ |Can download work?| doc visible for all = 0 | doc visible for all = 1| +------------------+------------------------------+----------------------------+ | visibility = 0 | editor only | editor only | | | | | +------------------+------------------------------+----------------------------+ | visibility = 1 | editor | editor | | | + owner of the work | + any student | +------------------+------------------------------+----------------------------+ (editor = teacher + admin + anybody with right api_is_allowed_to_edit) */ $work_is_visible = $item_info['visibility'] == 1 && $row['accepted'] == 1; $doc_visible_for_all = $course_info['show_score'] == 1; $is_editor = api_is_allowed_to_edit(true, true, true); $student_is_owner_of_work = user_is_author($row['id'], $row['user_id']); if ($is_editor || $student_is_owner_of_work || $doc_visible_for_all && $work_is_visible) { $title = str_replace(' ', '_', $row['title']); event_download($title); if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH) . api_get_course_path() . '/')) { DocumentManager::file_send_for_download($full_file_name, true, $title); } } else { api_not_allowed(); } } } else { api_not_allowed(); } exit;
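/**
 * Zips every deleted document of a course/session and streams the archive
 * to the browser.
 *
 * The zip is built under SYS_ARCHIVE_PATH; it is sent (and the script exits)
 * only when its path passes Security::check_abs_path(). The temporary archive
 * is removed in both the sent and the not-sent case.
 *
 * @param array $courseInfo Course info array; 'path' locates the course documents
 * @param int   $sessionId
 *
 * @return bool false when there is nothing to download or the archive was not sent
 */
public static function downloadAllDeletedDocument($courseInfo, $sessionId)
{
    // Zip library for creation of the zip file (require_once, as the work tool does,
    // so a second call in the same request cannot redeclare the library).
    require_once api_get_path(LIBRARY_PATH) . 'pclzip/pclzip.lib.php';

    $files = self::getDeletedDocuments($courseInfo, $sessionId);
    if (empty($files)) {
        return false;
    }

    $coursePath = api_get_path(SYS_COURSE_PATH) . $courseInfo['path'] . '/document';
    $archivePath = api_get_path(SYS_ARCHIVE_PATH);

    // Creating a ZIP file.
    $tempZipFile = $archivePath . api_get_unique_id() . '.zip';
    $zip = new PclZip($tempZipFile);
    foreach ($files as $file) {
        $zip->add($coursePath . $file['path'], PCLZIP_OPT_REMOVE_PATH, $coursePath);
    }

    if (Security::check_abs_path($tempZipFile, $archivePath)) {
        DocumentManager::file_send_for_download($tempZipFile, true);
        if (is_file($tempZipFile)) {
            unlink($tempZipFile);
        }
        exit;
    }

    // Not sent: do not leave the archive behind.
    if (is_file($tempZipFile)) {
        unlink($tempZipFile);
    }

    return false;
}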
//check if the document is in the database if (!DocumentManager::get_document_id($_course, $_REQUEST['file'])) { //file not found! if ($debug > 0) { error_log("404 " . $_REQUEST["file"]); } header("HTTP/1.0 404 Not Found"); $error404 = '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">'; $error404 .= '<html><head>'; $error404 .= '<title>404 Not Found</title>'; $error404 .= '</head><body>'; $error404 .= '<h1>Not Found</h1>'; $error404 .= '<p>The requested URL was not found on this server.</p>'; $error404 .= '<hr>'; $error404 .= '</body></html>'; echo $error404; exit; } $doc_url = str_replace('../', '', $_REQUEST['file']); if ($debug > 0) { error_log($doc_url); } $full_file_name = $coursePath . $doc_url; if (Security::check_abs_path($full_file_name, $coursePath . '/')) { DocumentManager::file_send_for_download($full_file_name, false); } exit; } } } }
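// The learning-path object is stored in the session by the LP tool.
if (isset($_SESSION['oLP'])) {
    $obj = $_SESSION['oLP'];
} else {
    api_not_allowed();
}

// If it is visible for the current user
if (!learnpath::is_lp_visible_for_student($obj->get_id(), api_get_user_id())) {
    api_not_allowed();
}

$doc_url = isset($_GET['doc_url']) ? $_GET['doc_url'] : null;
// Change the '&' that got rewritten to '///' by mod_rewrite back to '&'
$doc_url = str_replace('///', '&', $doc_url);
// Still a space present? it must be a '+' (that got replaced by mod_rewrite)
$doc_url = str_replace(' ', '+', $doc_url);
$doc_url = str_replace(array('../', '\\..', '\\0', '..\\'), array('', '', '', ''), $doc_url);

// Any remaining parent-directory reference empties the path. strpos() returns 0
// for a match at offset 0, which is falsy, so the result must be compared with false.
if (strpos($doc_url, '../') !== false || strpos($doc_url, '/..') !== false) {
    $doc_url = '';
}

$sys_course_path = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/scorm';

if (is_dir($sys_course_path . $doc_url)) {
    api_not_allowed();
}

// check_abs_path() is the final guard: the file must resolve inside the scorm directory.
if (Security::check_abs_path($sys_course_path . $doc_url, $sys_course_path . '/')) {
    $full_file_name = $sys_course_path . $doc_url;
    // Launch event
    Event::event_download($doc_url);
    DocumentManager::file_send_for_download($full_file_name);
}
exit;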
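/**
 * Update settings based on installation profile defined in a JSON file
 *
 * The profile is looked up as main/install/profiles/<name>.json and the
 * resolved path must pass Security::check_abs_path() so a crafted name cannot
 * reach a file outside that folder. A "parent" profile, when named, is applied
 * first so the child's values override it.
 *
 * @param string $installationProfile The name of the JSON file in main/install/profiles/ folder
 *
 * @return bool false on failure (no bad consequences anyway, just ignoring profile)
 */
function installProfileSettings($installationProfile = '')
{
    if (empty($installationProfile)) {
        return false;
    }

    $profilesDir = api_get_path(SYS_PATH) . 'main/install/profiles/';
    $jsonPath = $profilesDir . $installationProfile . '.json';

    // Make sure the path to the profile is not hacked
    if (!Security::check_abs_path($jsonPath, $profilesDir)) {
        return false;
    }
    if (!is_file($jsonPath) || !is_readable($jsonPath)) {
        return false;
    }
    if (!function_exists('json_decode')) {
        // The php-json extension is not available. Ignore profile.
        return false;
    }

    $json = file_get_contents($jsonPath);
    $params = json_decode($json);
    if (!is_object($params)) {
        // Invalid JSON, or a document that is not an object (json_decode() then yields
        // null, a scalar or an array) - nothing usable below.
        return false;
    }

    if (!empty($params->parent)) {
        installProfileSettings($params->parent);
    }

    $settings = isset($params->params) ? $params->params : array();
    foreach ($settings as $id => $param) {
        // The values come from a local file, but they are still quoted into SQL: escape them.
        $sql = "UPDATE settings_current
                SET selected_value = '" . Database::escape_string($param->selected_value) . "'
                WHERE variable = '" . Database::escape_string($param->variable) . "'";
        if (!empty($param->subkey)) {
            $sql .= " AND subkey='" . Database::escape_string($param->subkey) . "'";
        }
        Database::query($sql);
    }

    return true;
}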
// the number of /.. into the url while (substr($cwd, -3, 3) == '/..') { // go to parent directory $cwd = substr($cwd, 0, -3); if (strlen($cwd) == 0) { $cwd = '/'; } $nParent++; } for (; $nParent > 0; $nParent--) { $cwd = strrpos($cwd, '/') > -1 ? substr($cwd, 0, strrpos($cwd, '/')) : $cwd; } if (strlen($cwd) == 0) { $cwd = '/'; } if (Security::check_abs_path($cwd, api_get_path(SYS_PATH))) { die; } if ($action == 'list') { /*==== List files ====*/ if ($debug > 0) { error_log("sending file list", 0); } // get files list $files = DocumentManager::get_all_document_data($_course, $cwd, 0, NULL, false); // adding download link to files foreach ($files as $k => $f) { if ($f['filetype'] == 'file') { //$files[$k]['download'] = api_get_path(WEB_CODE_PATH)."/document/document.php?cidReq=$cidReq&action=download&id=".urlencode($f['path']); $files[$k]['download'] = api_get_path(WEB_COURSE_PATH) . $cidReq . "/document" . $f['path']; }
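/**
 * Serves a file from main/inc/lib/javascript/.
 *
 * The requested name is resolved below that directory and the result must
 * exist and pass \Security::check_abs_path() before it is sent.
 *
 * @param Application $app
 * @param string      $file File name relative to main/inc/lib/javascript/
 *
 * @return BinaryFileResponse
 *
 * @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException when the file
 *         is missing or lies outside the javascript directory (the method used to
 *         fall off the end and return null in that case)
 */
public function getJavascript(Application $app, $file)
{
    $mainPath = $app['paths']['sys_root'] . 'main/inc/lib/javascript/';
    $fileToLoad = $mainPath . $file;

    if (is_file($fileToLoad) && \Security::check_abs_path($fileToLoad, $mainPath)) {
        return $app->sendFile($fileToLoad);
    }

    throw new \Symfony\Component\HttpKernel\Exception\NotFoundHttpException();
}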
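/**
 * Delete a work-tool directory: flags the folder row and its children as
 * deleted (active = 2), then removes or renames the directory on disk.
 *
 * The on-disk directory is only touched when its path passes
 * Security::check_abs_path() against the course "work" directory. It is
 * then either removed permanently (setting permanently_remove_deleted_files)
 * or renamed to <dir>_DELETED_<id>.
 *
 * @param int $id Id of the work folder row in the student publication table
 *
 * @return bool|null false when no work data exists for $id, null otherwise
 */
function del_dir($id)
{
    global $_course;

    $id = intval($id);
    $work_data = get_work_data_by_id($id);
    if (empty($work_data)) {
        return false;
    }

    if (empty($work_data['url'])) {
        return;
    }

    $base_work_dir = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/work';
    $work_data_url = $base_work_dir . $work_data['url'];
    // Both sides keep a trailing slash, as before; this guards the rename/delete below.
    $check = Security::check_abs_path($work_data_url . '/', $base_work_dir . '/');

    $table = Database::get_course_table(TABLE_STUDENT_PUBLICATION);
    $course_id = api_get_course_int_id();

    // Deleting all contents inside the folder
    //@todo replace to parent_id
    $sql = "UPDATE {$table} SET active = 2
            WHERE c_id = {$course_id} AND filetype = 'folder' AND id = {$id}";
    Database::query($sql);
    $sql = "UPDATE {$table} SET active = 2
            WHERE c_id = {$course_id} AND parent_id = {$id}";
    Database::query($sql);

    if (!$check) {
        return;
    }

    require_once api_get_path(LIBRARY_PATH) . 'fileManage.lib.php';
    $new_dir = $work_data_url . '_DELETED_' . $id;
    if (api_get_setting('permanently_remove_deleted_files') == 'true') {
        my_delete($work_data_url);
    } elseif (file_exists($work_data_url)) {
        rename($work_data_url, $new_dir);
    }
}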
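/**
 * Writes the file contents into the given file path.
 *
 * The path is URL-decoded first and every check runs on the decoded path, so
 * the path that is validated is exactly the one that is opened (the previous
 * version checked the encoded form but opened the decoded one). The target
 * directory must lie inside the current course directory and the file name
 * must come back unchanged from Security::filter_filename().
 *
 * @param string $full_file_path Urlencoded path
 * @param string $content        The file contents
 *
 * @return bool True on success, false on security error or when the file cannot be opened
 */
function WriteFileCont($full_file_path, $content)
{
    global $_course;

    $target = urldecode($full_file_path);
    $courseDir = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/';

    // Check if this is not an attack, trying to get into other directories or something like that.
    if (!Security::check_abs_path(dirname($target) . '/', $courseDir)) {
        return false;
    }

    // Check if this is not an attack, trying to upload a php file or something like that.
    if (basename($target) != Security::filter_filename(basename($target))) {
        return false;
    }

    $fp = fopen($target, 'w');
    if ($fp === false) {
        // Previously an unopenable file fell through to fwrite() on a non-resource.
        return false;
    }
    fwrite($fp, $content);
    fclose($fp);

    return true;
}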
$doc_url = substr($doc_url, 0, $dul); } //create the path $document_explorer = api_get_path(WEB_COURSE_PATH) . api_get_course_path(); //redirect header('Location: ' . $document_explorer); } $tbl_forum_attachment = Database::get_course_table(TABLE_FORUM_ATTACHMENT); $tbl_forum_post = Database::get_course_table(TABLE_FORUM_POST); $course_id = api_get_course_int_id(); $courseInfo = api_get_course_info_by_id($course_id); // launch event Event::event_download($doc_url); $sql = 'SELECT thread_id, forum_id,filename FROM ' . $tbl_forum_post . ' f INNER JOIN ' . $tbl_forum_attachment . ' a ON a.post_id=f.post_id WHERE f.c_id = ' . $course_id . ' AND a.c_id = ' . $course_id . ' AND path LIKE BINARY "' . $doc_url . '"'; $result = Database::query($sql); $row = Database::fetch_array($result); $forum_thread_visibility = api_get_item_visibility($courseInfo, TOOL_FORUM_THREAD, $row['thread_id'], api_get_session_id()); $forum_forum_visibility = api_get_item_visibility($courseInfo, TOOL_FORUM, $row['forum_id'], api_get_session_id()); if ($forum_thread_visibility == 1 && $forum_forum_visibility == 1) { if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH) . $courseInfo['path'] . '/upload/forum/')) { DocumentManager::file_send_for_download($full_file_name, true, $row['filename']); } } exit;
$objSkill = new Skill(); $skill = $objSkill->get($skillId); if ($_SERVER['REQUEST_METHOD'] === 'POST') { $params = array('name' => $_POST['name'], 'description' => $_POST['description'], 'criteria' => $_POST['criteria'], 'id' => $skillId); if (isset($_FILES['image']) && $_FILES['image']['error'] == 0) { $dirPermissions = api_get_permissions_for_new_directories(); $fileName = sha1($_POST['name']); $badgePath = api_get_path(SYS_UPLOAD_PATH) . 'badges/'; $existsBadgesDirectory = is_dir($badgePath); if (!$existsBadgesDirectory) { $existsBadgesDirectory = api_create_protected_dir('badges', api_get_path(SYS_UPLOAD_PATH)); } if ($existsBadgesDirectory) { if (!empty($skill['icon'])) { $iconFileAbsolutePath = $badgePath . $skill['icon']; if (Security::check_abs_path($iconFileAbsolutePath, $badgePath)) { unlink($badgePath . $skill['icon']); } } $skillImagePath = sprintf("%s%s.png", $badgePath, $fileName); $skillImage = new Image($_FILES['image']['tmp_name']); $skillImage->send_image($skillImagePath, -1, 'png'); $skillThumbPath = sprintf("%s%s-small.png", $badgePath, $fileName); $skillImageThumb = new Image($skillImagePath); $skillImageThumb->resize(ICON_SIZE_BIG, ICON_SIZE_BIG); $skillImageThumb->send_image($skillThumbPath); $params['icon'] = sprintf("%s.png", $fileName); } else { Session::write('errorMessage', get_lang('UplUnableToSaveFile')); } }
* but this code will hopefully be replaced soon by an Apache URL * rewrite mechanism. * * @package chamilo.work */ //require_once '../inc/global.inc.php'; require_once 'work.lib.php'; // Course protection api_protect_course_script(true); $commentId = isset($_GET['comment_id']) ? intval($_GET['comment_id']) : null; if (empty($commentId)) { api_not_allowed(true); } $workData = getWorkComment($commentId); $courseInfo = api_get_course_info(); if (!empty($workData)) { if (empty($workData['file_path']) || isset($workData['file_path']) && !file_exists($workData['file_path'])) { api_not_allowed(true); } $work = get_work_data_by_id($workData['work_id']); protectWork($courseInfo, $work['parent_id']); if (user_is_author($workData['work_id']) || $courseInfo['show_score'] == 0 && $work['active'] == 1 && $work['accepted'] == 1) { if (Security::check_abs_path($workData['file_path'], api_get_path(SYS_COURSE_PATH) . api_get_course_path() . '/')) { DocumentManager::file_send_for_download($workData['file_path'], true, $workData['file_name_to_show']); } } else { api_not_allowed(true); } } else { api_not_allowed(true); }
// the session* didn't work, try it from the course (out of a // session context) $document_data = DocumentManager::get_document_data_by_id($document_id, api_get_course_id(), false, 0); } // Check whether the document is in the database if (empty($document_data)) { api_not_allowed(); } // Launch event Event::event_download($document_data['url']); // Check visibility of document and paths if (!($is_allowed_to_edit || $group_member_with_upload_rights) && !DocumentManager::is_visible_by_id($document_id, $courseInfo, $sessionId, api_get_user_id())) { api_not_allowed(true); } $full_file_name = $base_work_dir . $document_data['path']; if (Security::check_abs_path($full_file_name, $base_work_dir . '/')) { DocumentManager::file_send_for_download($full_file_name, true); } exit; break; case 'downloadfolder': if (api_get_setting('students_download_folders') == 'true' || api_is_allowed_to_edit() || api_is_platform_admin()) { // Get the document data from the ID $document_data = DocumentManager::get_document_data_by_id($document_id, api_get_course_id(), false, $sessionId); if ($sessionId != 0 && !$document_data) { // If there is a session defined and asking for the // document * from the session* didn't work, try it from the // course (out of a session context) $document_data = DocumentManager::get_document_data_by_id($document_id, api_get_course_id(), false, 0); } //filter when I am into shared folder, I can download only my shared folder
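/**
 * Loads a legacy "main/" PHP page inside the Symfony controller and wraps its
 * output in the legacy index template.
 *
 * The requested file is resolved below <root>/main/ and must both exist and
 * pass \Security::check_abs_path() before it is included; otherwise a 404 is
 * raised. Query/body parameters are copied into $_GET/$_POST because the
 * legacy code reads the superglobals directly.
 *
 * @param string  $name    Path of the legacy page, relative to main/
 * @param Request $request
 *
 * @return Response
 *
 * @throws NotFoundHttpException when the file does not exist or lies outside main/
 */
public function classicAction($name, Request $request)
{
    // The legacy pages read the superglobals directly.
    $_GET = $request->query->all();
    $_POST = $request->request->all();

    $kernel = $this->container->get('kernel');
    $rootDir = $kernel->getRealRootDir();
    $mainPath = $rootDir . 'main/';
    $fileToLoad = $mainPath . $name;

    // Legacy inclusions
    Container::setSession($request->getSession());
    $dbConnection = $this->container->get('database_connection');
    $database = new \Database($dbConnection, array());
    Container::$urlGenerator = $this->container->get('router');
    Container::$security = $this->container->get('security.context');
    Container::$translator = $this->container->get('translator');
    Container::$assets = $this->container->get('templating.helper.assets');
    Container::$rootDir = $kernel->getRealRootDir();
    Container::$logDir = $kernel->getLogDir();
    Container::$dataDir = $kernel->getDataDir();
    Container::$tempDir = $kernel->getCacheDir();
    Container::$courseDir = $kernel->getDataDir();
    Container::$htmlEditor = $this->container->get('chamilo_core.html_editor');
    Container::$twig = $this->container->get('twig');

    // Both conditions are required: the file must exist and must resolve inside main/.
    if (!is_file($fileToLoad) || !\Security::check_abs_path($fileToLoad, $mainPath)) {
        throw new NotFoundHttpException();
    }

    $toolNameFromFile = basename(dirname($fileToLoad));
    $charset = 'UTF-8';

    // Default values
    $_course = api_get_course_info();
    $_user = api_get_user_info();
    $debug = $kernel->getEnvironment() === 'dev';

    // Loading file: capture everything the legacy page prints.
    ob_start();
    require_once $fileToLoad;
    $out = ob_get_clean();

    // No browser cache when executing an exercise.
    $responseHeaders = array();
    if ($name == 'exercice/exercise_submit.php') {
        $responseHeaders = array('cache-control' => 'no-store, no-cache, must-revalidate');
    }

    $js = isset($htmlHeadXtra) ? $htmlHeadXtra : array();
    // $interbreadcrumb is loaded in the require_once file.
    $interbreadcrumb = isset($interbreadcrumb) ? $interbreadcrumb : null;

    $response = $this->render(
        'ChamiloCoreBundle:Legacy:index.html.twig',
        array('content' => $out, 'js' => $js)
    );
    // The no-cache headers used to be computed but never attached to the response.
    foreach ($responseHeaders as $header => $value) {
        $response->headers->set($header, $value);
    }

    return $response;
}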
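/**
 * Delete the attachments from the DB and the file according to the post's id or attach id (optional)
 *
 * The file is only unlinked when its stored path resolves inside the course
 * forum upload directory (Security::check_abs_path()).
 *
 * @param int  $post_id   Post whose attachment is deleted (used when $id_attach is empty)
 * @param int  $id_attach Id of a single attachment to delete instead
 * @param bool $display   to show or not result message
 *
 * @return int number of rows deleted from the attachment table (0 when the query failed)
 *
 * @author Julio Montoya Dokeos
 * @version october 2014, chamilo 1.9.8
 */
function delete_attachment($post_id, $id_attach = 0, $display = true)
{
    $_course = api_get_course_info();
    $forum_table_attachment = Database::get_course_table(TABLE_FORUM_ATTACHMENT);
    $course_id = api_get_course_int_id();

    $cond = !empty($id_attach)
        ? " iid = " . (int) $id_attach
        : " post_id = " . (int) $post_id;

    $sql = "SELECT path FROM {$forum_table_attachment} WHERE c_id = {$course_id} AND {$cond}";
    $res = Database::query($sql);
    $row = Database::fetch_array($res);

    $course_dir = $_course['path'] . '/upload/forum';
    $sys_course_path = api_get_path(SYS_COURSE_PATH);
    $updir = $sys_course_path . $course_dir;
    $my_path = isset($row['path']) ? $row['path'] : null;

    // Without a stored path there is no file to remove (the bare directory must not be unlinked).
    if ($my_path !== null && $my_path !== '') {
        $file = $updir . '/' . $my_path;
        if (Security::check_abs_path($file, $updir) && is_file($file)) {
            unlink($file);
        }
    }

    // Delete from forum_attachment table.
    $sql = "DELETE FROM {$forum_table_attachment} WHERE c_id = {$course_id} AND {$cond} ";
    $result = Database::query($sql);
    $affectedRows = $result !== false ? Database::affected_rows($result) : 0;

    // Update item_property.
    api_item_property_update($_course, TOOL_FORUM_ATTACH, $id_attach, 'ForumAttachmentDelete', api_get_user_id());

    if (!empty($result) && !empty($id_attach) && $display) {
        $message = get_lang('AttachmentFileDeleteSuccess');
        Display::display_confirmation_message($message);
    }

    return $affectedRows;
}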
} // allow to the correct user for download this file $not_allowed_to_edit = false; $userGroup = new UserGroup(); if (!empty($row_users['group_id'])) { $users_group = $userGroup->get_all_users_by_group($row_users['group_id']); if (!in_array($current_uid, array_keys($users_group))) { $not_allowed_to_edit = true; } } else { if ($current_uid != $message_uid) { $not_allowed_to_edit = true; } } if ($not_allowed_to_edit) { api_not_allowed(); exit; } // set the path directory file if (!empty($row_users['group_id'])) { $path_user_info = $userGroup->get_group_picture_path_by_id($row_users['group_id'], 'system', true); } else { $path_user_info['dir'] = UserManager::getUserPathById($message_uid, 'system'); } $full_file_name = $path_user_info['dir'] . 'message_attachments/' . $file_url; if (Security::check_abs_path($full_file_name, $path_user_info['dir'] . 'message_attachments/')) { // launch event Event::event_download($file_url); DocumentManager::file_send_for_download($full_file_name, TRUE, $title); } exit;
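$language_file = array('courses', 'index', 'admin');

$user_id = api_get_user_id();

if (!isset($_GET['file']) || !isset($_GET['title']) || !isset($_GET['ticket_id'])) {
    api_not_allowed();
}

// Non-admins may only fetch attachments of tickets they requested themselves.
if (!api_is_platform_admin()) {
    // Cast before use: the id is interpolated unquoted into the SQL below.
    $ticket_id = intval($_GET['ticket_id']);
    $table_support_messages = Database::get_main_table(TABLE_SUPPORT_MESSAGE);
    $table_support_tickets = Database::get_main_table(TABLE_SUPPORT_TICKET);
    $table_support_message_attachments = Database::get_main_table(TABLE_SUPPORT_MESSAGE_ATTACHMENTS);
    $sql = "SELECT DISTINCT ticket.request_user
            FROM {$table_support_tickets} ticket, {$table_support_messages} message, {$table_support_message_attachments} attch
            WHERE ticket.ticket_id = message.ticket_id
                AND attch.message_id = message.message_id
                AND ticket.ticket_id = {$ticket_id}";
    $rs = Database::query($sql);
    $row_users = Database::fetch_array($rs, 'ASSOC');
    $user_request_id = isset($row_users['request_user']) ? $row_users['request_user'] : null;
    if (intval($user_request_id) != $user_id) {
        api_not_allowed();
    }
}

$file_url = $_GET['file'];
// Undo the mod_rewrite substitutions ('///' for '&', ' ' for '+').
$file_url = str_replace('///', '&', $file_url);
$file_url = str_replace(' ', '+', $file_url);
$file_url = str_replace('/..', '', $file_url);
$file_url = Database::escape_string($file_url);
$title = $_GET['title'];

$path_attachment = api_get_path(SYS_PATH);
$path_message_attach = $path_attachment . 'tck_messageattch/';
$full_file_name = $path_message_attach . $file_url;

// check_abs_path() is the guard that keeps the download inside tck_messageattch/.
if (Security::check_abs_path($full_file_name, $path_message_attach)) {
    DocumentManager::file_send_for_download($full_file_name, TRUE, $title);
}
exit;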
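$full_file_name = api_get_path(SYS_COURSE_PATH) . $course_info['path'] . '/upload/calendar/' . $doc_url;

// if the rewrite rule asks for a directory, we redirect to the document explorer
if (is_dir($full_file_name)) {
    // mod_rewrite can change /some/path/ to /some/path// in some cases, so clean them all off (René).
    // rtrim() strips the same trailing slashes the old character loop did, without
    // reading an undefined string offset once the url is empty.
    $doc_url = rtrim($doc_url, '/');
    // create the path
    $document_explorer = api_get_path(WEB_COURSE_PATH) . $course_info['path']; // home course path
    // redirect
    header('Location: ' . $document_explorer);
    exit;
}

$tbl_agenda_attachment = Database::get_course_table(TABLE_AGENDA_ATTACHMENT);

// launch event
event_download($doc_url);

$sql = 'SELECT filename FROM ' . $tbl_agenda_attachment . '
        WHERE c_id = ' . $course_id . ' AND path LIKE BINARY "' . Database::escape_string($doc_url) . '"';
$result = Database::query($sql);
if (Database::num_rows($result)) {
    $row = Database::fetch_array($result);
    $title = str_replace(' ', '_', $row['filename']);
    // The file is only streamed when it resolves inside the course calendar upload directory.
    if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH) . $course_info['path'] . '/upload/calendar/')) {
        DocumentManager::file_send_for_download($full_file_name, TRUE, $title);
    }
}
api_not_allowed();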
$allowed_to_download = true; } /* ERROR IF NOT ALLOWED TO DOWNLOAD */ if (!$allowed_to_download) { Display::display_header($nameTools, 'Dropbox'); Display::display_error_message(get_lang('YouAreNotAllowedToDownloadThisFile')); Display::display_footer(); exit; } else { /* DOWNLOAD THE FILE */ // the user is allowed to download the file $_SESSION['_seen'][$_course['id']][TOOL_DROPBOX][] = intval($_GET['id']); $work = new Dropbox_Work($_GET['id']); $path = dropbox_cnf('sysPath') . '/' . $work->filename; //path to file as stored on server if (!Security::check_abs_path($path, dropbox_cnf('sysPath') . '/')) { exit; } $file = $work->title; $mimetype = DocumentManager::file_get_mime_type(true); $fileinfo = pathinfo($file); $extension = $fileinfo['extension']; if (!empty($extension) && isset($mimetype[$extension]) && $_GET['action'] != 'download') { // give hint to browser about filetype header('Content-type: ' . $mimetype[$extension] . "\n"); } else { //no information about filetype: force a download dialog window in browser header("Content-type: application/octet-stream\n"); } header('Content-Disposition: attachment; filename=' . $file); /**
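/**
 * Downloads all user files per user
 *
 * Builds a zip of every file the user submitted in the course's work tool and
 * streams it; the archive is only sent when its path passes
 * Security::check_abs_path() against SYS_ARCHIVE_PATH. The script exits after
 * sending (or when there is nothing to send); the temporary archive is removed
 * in both cases.
 *
 * @param int   $userId
 * @param array $courseInfo
 *
 * @return bool false when the user or the course does not exist
 */
function downloadAllFilesPerUser($userId, $courseInfo)
{
    $userInfo = api_get_user_info($userId);
    if (empty($userInfo) || empty($courseInfo)) {
        return false;
    }

    require_once api_get_path(LIBRARY_PATH).'pclzip/pclzip.lib.php';

    $archivePath = api_get_path(SYS_ARCHIVE_PATH);
    $tempZipFile = $archivePath.api_get_unique_id().'.zip';
    $coursePath = api_get_path(SYS_COURSE_PATH).$courseInfo['path'].'/work/';
    $zip = new PclZip($tempZipFile);

    $workPerUser = getWorkPerUser($userId);
    if (!empty($workPerUser)) {
        $files = array();
        foreach ($workPerUser as $work) {
            $work = $work['work'];
            foreach ($work->user_results as $userResult) {
                if (empty($userResult['url']) || empty($userResult['contains_file'])) {
                    continue;
                }
                $data = getFileContents($userResult['id'], $courseInfo);
                if (!empty($data) && isset($data['path'])) {
                    $files[basename($data['path'])] = array(
                        'title' => $data['title'],
                        'path' => $data['path']
                    );
                }
            }
        }

        if (!empty($files)) {
            // Presumably consumed by preAddAllWorkStudentCallback() (not shown here) to rename entries.
            Session::write('files', $files);
            foreach ($files as $data) {
                $zip->add(
                    $data['path'],
                    PCLZIP_OPT_REMOVE_PATH,
                    $coursePath,
                    PCLZIP_CB_PRE_ADD,
                    'preAddAllWorkStudentCallback'
                );
            }
        }

        // Start download of created file
        $name = basename(replace_dangerous_char($userInfo['complete_name'])).'.zip';
        // $name already ends in ".zip"; the old call logged "<name>.zip.zip (folder)".
        event_download($name.' (folder)');
        if (Security::check_abs_path($tempZipFile, $archivePath)) {
            DocumentManager::file_send_for_download($tempZipFile, true, $name);
            if (is_file($tempZipFile)) {
                unlink($tempZipFile);
            }
            exit;
        }
    }

    // Nothing was sent: do not leave a temporary archive behind.
    if (is_file($tempZipFile)) {
        unlink($tempZipFile);
    }
    exit;
}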
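/**
 * Delete all the attachments of a blog (optionally restricted to one post
 * and/or one comment) from the DB and from disk.
 *
 * Every stored path is resolved below the course "upload/blog" directory and
 * is only unlinked when it passes Security::check_abs_path().
 *
 * @param int      $blog_id    the blog's id
 * @param int|null $post_id    the post's id
 * @param int|null $comment_id the comment's id
 *
 * @return void
 *
 * @author Julio Montoya Dokeos
 * @version avril 2008, dokeos 1.8.5
 */
function delete_all_blog_attachment($blog_id, $post_id = null, $comment_id = null)
{
    $_course = api_get_course_info();
    $blog_table_attachment = Database::get_course_table(TABLE_BLOGS_ATTACHMENT);
    $blog_id = intval($blog_id);
    $comment_id = intval($comment_id);
    $post_id = intval($post_id);
    $course_id = api_get_course_int_id();

    // Optional filters, each ANDed onto the fixed c_id/blog_id condition. The old
    // code only emitted the AND before comment_id when a post_id was also given,
    // which produced invalid SQL for a comment-only call.
    $where = '';
    if (!empty($post_id)) {
        $where .= ' AND post_id ="' . $post_id . '" ';
    }
    if (!empty($comment_id)) {
        $where .= ' AND comment_id ="' . $comment_id . '" ';
    }

    // delete all files in directory
    $courseDir = $_course['path'] . '/upload/blog';
    $sys_course_path = api_get_path(SYS_COURSE_PATH);
    $updir = $sys_course_path . $courseDir;

    $sql = 'SELECT path FROM ' . $blog_table_attachment . '
            WHERE c_id = ' . $course_id . ' AND blog_id ="' . $blog_id . '" ' . $where;
    $result = Database::query($sql);
    while ($row = Database::fetch_row($result)) {
        $file = $updir . '/' . $row[0];
        if (Security::check_abs_path($file, $updir) && is_file($file)) {
            unlink($file);
        }
    }

    $sql = 'DELETE FROM ' . $blog_table_attachment . '
            WHERE c_id = ' . $course_id . ' AND blog_id ="' . $blog_id . '" ' . $where;
    Database::query($sql);
}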
} $full_file_name = api_get_path(SYS_COURSE_PATH) . api_get_course_path() . '/upload/announcements/' . $doc_url; //if the rewrite rule asks for a directory, we redirect to the document explorer if (is_dir($full_file_name)) { //remove last slash if present //$doc_url = ($doc_url{strlen($doc_url)-1}=='/')?substr($doc_url,0,strlen($doc_url)-1):$doc_url; //mod_rewrite can change /some/path/ to /some/path// in some cases, so clean them all off (René) while ($doc_url[$dul = strlen($doc_url) - 1] == '/') { $doc_url = substr($doc_url, 0, $dul); } //create the path $document_explorer = api_get_path(WEB_COURSE_PATH) . api_get_course_path(); // home course path //redirect header('Location: ' . $document_explorer); } $tbl_announcement_attachment = Database::get_course_table(TABLE_ANNOUNCEMENT_ATTACHMENT); // launch event Event::event_download($doc_url); $course_id = api_get_course_int_id(); $doc_url = Database::escape_string($doc_url); $sql = "SELECT filename FROM {$tbl_announcement_attachment}\n \t \tWHERE c_id = {$course_id} AND path LIKE BINARY '{$doc_url}'"; $result = Database::query($sql); if (Database::num_rows($result) > 0) { $row = Database::fetch_array($result); $title = str_replace(' ', '_', $row['filename']); if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH) . api_get_course_path() . '/upload/announcements/')) { DocumentManager::file_send_for_download($full_file_name, true, $title); } } exit;
if (api_is_multiple_url_enabled()) { $accessUrlId = api_get_current_access_url_id(); if ($accessUrlId == -1) { die; } $urlInfo = api_get_access_url($accessUrlId); $url = api_remove_trailing_slash(preg_replace('/https?:\\/\\//i', '', $urlInfo['url'])); $cleanUrl = str_replace('/', '-', $url); $newUrlDir = api_get_path(SYS_APP_PATH) . "home/{$cleanUrl}/admin/"; } else { $newUrlDir = api_get_path(SYS_APP_PATH) . "home/admin/"; } if (!file_exists($newUrlDir)) { die; } if (!Security::check_abs_path("{$newUrlDir}{$blockName}_extra.html", $newUrlDir)) { die; } if (!file_exists("{$newUrlDir}{$blockName}_extra.html")) { die; } echo file_get_contents("{$newUrlDir}{$blockName}_extra.html"); break; } /** * Displays either the text for the registration or the message that the installation is (not) up to date * * @return string html code * @author Patrick Cool <*****@*****.**>, Ghent University * @version august 2006 * @todo have a 6 monthly re-registration
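/**
 * Removes a tool's custom icon (and its greyed "_na" variant) from disk and
 * clears the custom_icon column.
 *
 * Each file is unlinked only when it is a regular file and passes
 * Security::check_abs_path() against the custom icon directory.
 *
 * @param int $id Tool id
 */
public static function deleteIcon($id)
{
    $table = Database::get_course_table(TABLE_TOOL_LIST);
    $tool = self::getTool($id);
    if (!$tool || empty($tool['custom_icon'])) {
        return;
    }

    $iconDir = self::getCustomSysIconPath();
    $file = $iconDir . $tool['custom_icon'];
    $fileInfo = pathinfo($file);
    // pathinfo() omits 'extension' when the name has none.
    $extension = isset($fileInfo['extension']) ? $fileInfo['extension'] : '';
    $fileGray = $iconDir . $fileInfo['filename'] . '_na.' . $extension;

    foreach (array($file, $fileGray) as $path) {
        if (is_file($path) && Security::check_abs_path($path, $iconDir)) {
            unlink($path);
        }
    }

    $params = ['custom_icon' => ''];
    Database::update($table, $params, [' iid = ?' => [$id]]);
}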
//Convert texts in html files if ($not_deleted_file['contains_file'] == 0) { $filename = trim($filename) . ".html"; $work_temp = api_get_path(SYS_ARCHIVE_PATH) . api_get_unique_id() . '_' . $filename; file_put_contents($work_temp, $not_deleted_file['description']); $files[basename($work_temp)] = $filename; $zip_folder->add($work_temp, PCLZIP_OPT_REMOVE_PATH, api_get_path(SYS_ARCHIVE_PATH), PCLZIP_CB_PRE_ADD, 'my_pre_add_callback'); @unlink($work_temp); } } if (!empty($files)) { //logging event_download(basename($work_data['title']) . '.zip (folder)'); //start download of created file $name = basename($work_data['title']) . '.zip'; if (Security::check_abs_path($temp_zip_file, api_get_path(SYS_ARCHIVE_PATH))) { DocumentManager::file_send_for_download($temp_zip_file, true, $name); @unlink($temp_zip_file); exit; } } else { exit; } /* Extra function (only used here) */ function my_pre_add_callback($p_event, &$p_header) { global $files; if (isset($files[basename($p_header['stored_filename'])])) { $p_header['stored_filename'] = $files[basename($p_header['stored_filename'])]; return 1; }
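/**
 * Check whether a filesystem entry may be shown in the file-manager listing.
 *
 * Two gates apply, in order:
 *  1. the resolved path must lie inside the file-manager root
 *     ($PathChamiloAjaxFileManager), as decided by Security::check_abs_path();
 *  2. the entry's base name must pass the configured include/exclude patterns,
 *     interpreted according to CONFIG_SYS_PATTERN_FORMAT:
 *       - 'list': substring match of the name against the (trimmed) pattern
 *                 strings — a "vague" match, so "a" matches any pattern that
 *                 contains the letter a;
 *       - 'csv':  exact membership in the comma-separated include/exclude lists;
 *       - anything else: isValidPattern()/isInvalidPattern() regular-expression
 *                 checks on the full path.
 *
 * Fix versus the previous version: in 'csv' mode the exclude-only branch for
 * directories tested the undefined $excludeFile instead of $excludeDir, so an
 * exclude list with no include list was silently ignored and every directory
 * was listed.
 *
 * @param string $path the path to the document
 * @return boolean true when the entry may be listed; false when it is outside
 *                 the root, does not exist, or is rejected by the patterns
 */
function isListingDocument($path)
{
    global $PathChamiloAjaxFileManager;

    $name = basename($path);
    $realPath = realpath($path);
    $allowedPath = realpath($PathChamiloAjaxFileManager);

    // Fail closed: realpath() yields false for a missing entry or an unset root.
    // A missing entry could never be listed anyway (is_dir/is_file both fail);
    // a missing root must not be handed to the path check as "false".
    if ($realPath === false || $allowedPath === false) {
        return false;
    }
    if (!Security::check_abs_path($realPath, $allowedPath)) {
        return false;
    }

    if (CONFIG_SYS_PATTERN_FORMAT == 'list') {
        if (is_dir($path)) {
            return isListingDocumentListMatch($name, CONFIG_SYS_INC_DIR_PATTERN, CONFIG_SYS_EXC_DIR_PATTERN);
        }
        if (is_file($path)) {
            return isListingDocumentListMatch($name, CONFIG_SYS_INC_FILE_PATTERN, CONFIG_SYS_EXC_FILE_PATTERN);
        }
        return false;
    }

    if (CONFIG_SYS_PATTERN_FORMAT == 'csv') {
        if (is_dir($path)) {
            return isListingDocumentCsvMatch($name, CONFIG_SYS_INC_DIR_PATTERN, CONFIG_SYS_EXC_DIR_PATTERN);
        }
        if (is_file($path)) {
            return isListingDocumentCsvMatch($name, CONFIG_SYS_INC_FILE_PATTERN, CONFIG_SYS_EXC_FILE_PATTERN);
        }
        return false;
    }

    // Regular-expression patterns, evaluated against the full path.
    if (is_dir($path)) {
        return isValidPattern(CONFIG_SYS_INC_DIR_PATTERN, $path)
            && !isInvalidPattern(CONFIG_SYS_EXC_DIR_PATTERN, $path);
    }
    if (is_file($path)) {
        return isValidPattern(CONFIG_SYS_INC_FILE_PATTERN, $path)
            && !isInvalidPattern(CONFIG_SYS_EXC_FILE_PATTERN, $path);
    }

    return false;
}

/**
 * 'list' pattern format: the name must occur as a substring of the include
 * pattern (when one is configured) and must not occur in the exclude pattern
 * (when one is configured). An empty/false pattern disables that side.
 *
 * @param string $name base name of the entry
 * @param mixed $includePattern raw CONFIG_SYS_INC_*_PATTERN value
 * @param mixed $excludePattern raw CONFIG_SYS_EXC_*_PATTERN value
 * @return boolean
 */
function isListingDocumentListMatch($name, $includePattern, $excludePattern)
{
    // trimlrm() strips the pattern before the substring test, as in the 'csv' mode
    $included = !$includePattern || strpos(trimlrm($includePattern), $name) !== false;
    $excluded = $excludePattern && strpos(trimlrm($excludePattern), $name) !== false;

    return $included && !$excluded;
}

/**
 * 'csv' pattern format: the name must be an element of the comma-separated
 * include list (when non-empty) and must not be an element of the exclude
 * list (when non-empty). With both lists empty everything is accepted.
 *
 * @param string $name base name of the entry
 * @param mixed $includePattern raw CONFIG_SYS_INC_*_PATTERN value
 * @param mixed $excludePattern raw CONFIG_SYS_EXC_*_PATTERN value
 * @return boolean
 */
function isListingDocumentCsvMatch($name, $includePattern, $excludePattern)
{
    $includeList = trimlrm($includePattern);
    $excludeList = trimlrm($excludePattern);

    // Strict comparison: the name and the list entries are all strings, and a
    // loose match would let numeric-looking names ("1e3" == "1000") slip through.
    if (!empty($includeList) && !in_array($name, explode(',', $includeList), true)) {
        return false;
    }
    if (!empty($excludeList) && in_array($name, explode(',', $excludeList), true)) {
        return false;
    }

    return true;
}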