$query = "SELECT *\n\t\t\t\tFROM {$t_bug_file_table}\n\t\t\t\tWHERE id='{$c_file_id}'"; break; case 'doc': $t_project_file_table = config_get('mantis_project_file_table'); $query = "SELECT *\n\t\t\t\tFROM {$t_project_file_table}\n\t\t\t\tWHERE id='{$c_file_id}'"; break; default: access_denied(); } $result = db_query($query); $row = db_fetch_array($result); extract($row, EXTR_PREFIX_ALL, 'v'); # Check access rights switch ($f_type) { case 'bug': if (!file_can_download_bug_attachments($v_bug_id)) { access_denied(); } break; case 'doc': # Check if project documentation feature is enabled. if (OFF == config_get('enable_project_documentation')) { access_denied(); } access_ensure_project_level(config_get('view_proj_doc_threshold'), $v_project_id); break; } # flush output buffer to protect download @ob_end_clean(); # Make sure that IE can download the attachments under https. header('Pragma: public');
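/**
 * Gets an array of attachments that are visible to the currently logged in user.
 * Each element of the array contains the following:
 * id - The attachment id (used to build download_url).
 * display_name - The attachment display name (i.e. file name dot extension)
 * size - The attachment size in bytes.
 * date_added - The date where the attachment was added.
 * can_download - true: logged in user has access to download the attachment, false: otherwise.
 * diskfile - The name of the file on disk. Typically this is a hash without an extension.
 * download_url - The download URL for the attachment (only set if can_download is true).
 * exists - Applicable for DISK attachments. true: file exists, otherwise false.
 * can_delete - The logged in user can delete the attachments.
 * preview - true: the attachment should be previewable, otherwise false.
 * type - Can be "image", "text" or empty for other types.
 * alt - The alternate text to be associated with the icon.
 * icon - array with icon information, contains 'url' and 'alt' elements.
 *
 * Security note: display_name originates from the uploader and is returned
 * UNESCAPED. Callers that render it (or 'alt') into HTML must escape it for
 * the target context; nothing here does that for them.
 *
 * Attachments the current user may not view at all are omitted, so callers
 * must not assume the result has one entry per stored attachment.
 *
 * @param integer $p_bug_id A bug identifier.
 * @return array
 */
function file_get_visible_attachments($p_bug_id) {
	$t_attachment_rows = bug_get_attachments($p_bug_id);
	$t_attachments = array();

	$t_attachments_count = count($t_attachment_rows);
	if ($t_attachments_count === 0) {
		return $t_attachments;
	}

	# Configuration is loop-invariant; read it once.
	$t_preview_text_ext = config_get('preview_text_extensions');
	$t_preview_image_ext = config_get('preview_image_extensions');
	$t_preview_max_size = config_get('preview_attachments_inline_max_size');
	$t_disk_upload = (config_get('file_upload_method') == DISK);

	# The project is the same for every attachment of this bug; previously it was
	# looked up once per attachment inside the loop.
	$t_project_id = bug_get_field($p_bug_id, 'project_id');

	for ($i = 0; $i < $t_attachments_count; $i++) {
		$t_row = $t_attachment_rows[$i];
		$t_uploader_id = (int) $t_row['user_id'];

		# Attachments the user cannot view are dropped entirely, not merely
		# flagged as non-downloadable.
		if (!file_can_view_bug_attachments($p_bug_id, $t_uploader_id)) {
			continue;
		}

		$t_id = $t_row['id'];
		$t_filesize = $t_row['filesize'];
		$t_diskfile = file_normalize_attachment_path($t_row['diskfile'], $t_project_id);
		$t_display_name = file_get_display_name($t_row['filename']);
		$t_ext = strtolower(pathinfo($t_display_name, PATHINFO_EXTENSION));

		$t_attachment = array();
		$t_attachment['id'] = $t_id;
		$t_attachment['display_name'] = $t_display_name;
		$t_attachment['size'] = $t_filesize;
		$t_attachment['date_added'] = $t_row['date_added'];
		$t_attachment['diskfile'] = $t_diskfile;
		$t_attachment['can_download'] = file_can_download_bug_attachments($p_bug_id, $t_uploader_id);
		$t_attachment['can_delete'] = file_can_delete_bug_attachments($p_bug_id, $t_uploader_id);

		if ($t_attachment['can_download']) {
			$t_attachment['download_url'] = 'file_download.php?file_id=' . $t_id . '&type=bug';
		}

		# Only DISK storage can lose the file out of band; for other storage
		# methods the attachment is reported as present.
		$t_attachment['exists'] = !$t_disk_upload || file_exists($t_diskfile);
		$t_attachment['icon'] = file_get_icon_url($t_display_name);
		$t_attachment['preview'] = false;
		$t_attachment['type'] = '';
		$t_attachment['alt'] = $t_ext;

		# Inline preview is offered only for downloadable, present, non-empty files
		# under the configured size cap, and only for whitelisted extensions.
		$t_previewable = $t_attachment['exists']
			&& $t_attachment['can_download']
			&& $t_filesize != 0
			&& $t_filesize <= $t_preview_max_size;

		if ($t_previewable) {
			if (in_array($t_ext, $t_preview_text_ext, true)) {
				$t_attachment['preview'] = true;
				$t_attachment['type'] = 'text';
			} elseif (in_array($t_ext, $t_preview_image_ext, true)) {
				$t_attachment['preview'] = true;
				$t_attachment['type'] = 'image';
			}
		}

		$t_attachments[] = $t_attachment;
	}

	return $t_attachments;
}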
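/**
 * Prints the attachment list for a bug: icon, file name, size and date, plus
 * the delete link and inline image preview the current user is entitled to.
 *
 * Security note: the file name is supplied by the uploader and is untrusted.
 * It is escaped with string_display_line() before being printed; previously
 * it was printed raw, allowing HTML/script injection via a crafted file name.
 *
 * @param integer $p_bug_id A bug identifier.
 * @return void
 */
function file_list_attachments($p_bug_id) {
	$t_attachment_rows = bug_get_attachments($p_bug_id);
	$num_files = sizeof($t_attachment_rows);
	if ($num_files === 0) {
		return;
	}

	$t_can_download = file_can_download_bug_attachments($p_bug_id);
	$t_can_delete = file_can_delete_bug_attachments($p_bug_id);

	# Loop-invariant configuration.
	$t_preview_max_size = config_get('preview_attachments_inline_max_size');
	$t_upload_method = config_get('file_upload_method');
	$t_date_format = config_get('normal_date_format');
	# Image types that are rendered inline (lower-case extensions).
	$t_image_ext = array('png', 'jpg', 'jpeg', 'gif', 'bmp');

	$image_previewed = false;
	for ($i = 0; $i < $num_files; $i++) {
		$row = $t_attachment_rows[$i];
		# Read the columns explicitly rather than extract()-ing the whole row into locals.
		$v_id = $row['id'];
		$v_filesize = $row['filesize'];
		$v_diskfile = $row['diskfile'];

		# Escape once; the link text, icon lookup and extension check all use the escaped name.
		$t_file_display_name = string_display_line(file_get_display_name($row['filename']));
		$t_filesize = number_format($v_filesize);
		$t_date_added = date($t_date_format, db_unixtimestamp($row['date_added']));

		# An inline image on the previous row needs a line break before this entry.
		if ($image_previewed) {
			$image_previewed = false;
			print '<br />';
		}

		if ($t_can_download) {
			$t_href_start = "<a href=\"file_download.php?file_id={$v_id}&type=bug\">";
			$t_href_end = '</a>';
			$t_href_clicket = " [<a href=\"file_download.php?file_id={$v_id}&type=bug\" target=\"_blank\">^</a>]";
		} else {
			$t_href_start = '';
			$t_href_end = '';
			$t_href_clicket = '';
		}

		print $t_href_start;
		print_file_icon($t_file_display_name);
		# $t_href_end already closes the icon link; the unconditional '</a>' that used
		# to follow it produced a stray closing tag for users who cannot download.
		print $t_href_end . ' ' . $t_href_start . $t_file_display_name . $t_href_end
			. "{$t_href_clicket} ({$t_filesize} bytes) <span class=\"italic\">{$t_date_added}</span>";

		if ($t_can_delete) {
			print " [<a class=\"small\" href=\"bug_file_delete.php?file_id={$v_id}\">" . lang_get('delete_link') . '</a>]';
		}

		if (FTP == $t_upload_method && file_exists($v_diskfile)) {
			print ' (' . lang_get('cached') . ')';
		}

		# Inline preview only for downloadable, non-empty images under the size cap.
		if ($t_can_download
			&& $v_filesize <= $t_preview_max_size
			&& $v_filesize != 0
			&& in_array(strtolower(file_get_extension($t_file_display_name)), $t_image_ext, true)) {
			print "<br /><img src=\"file_download.php?file_id={$v_id}&type=bug\" />";
			$image_previewed = true;
		}

		if ($i != $num_files - 1) {
			print '<br />';
		}
	}
}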
break; default: access_denied(); } $result = db_query_bound($query, array($c_file_id)); $row = db_fetch_array($result); extract($row, EXTR_PREFIX_ALL, 'v'); if ($f_type == 'bug') { $t_project_id = bug_get_field($v_bug_id, 'project_id'); } else { $t_project_id = $v_project_id; } # Check access rights switch ($f_type) { case 'bug': if (!file_can_download_bug_attachments($v_bug_id, (int) $v_user_id)) { access_denied(); } break; case 'doc': # Check if project documentation feature is enabled. if (OFF == config_get('enable_project_documentation')) { access_denied(); } access_ensure_project_level(config_get('view_proj_doc_threshold'), $v_project_id); break; } # throw away output buffer contents (and disable it) to protect download while (@ob_end_clean()) { } if (ini_get('zlib.output_compression') && function_exists('ini_set')) {
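/**
 * Prints the attachment list for a bug: icon, file name, size and date, plus
 * the delete link, inline text preview and inline image preview the current
 * user is entitled to. Attachments whose DISK file is missing are shown struck
 * through with no download link.
 *
 * Untrusted values rendered here and how each is escaped:
 *  - the uploader-supplied file name: string_display_line();
 *  - the attachment title used as the image alt attribute: htmlspecialchars()
 *    with ENT_QUOTES (previously printed raw into the attribute);
 *  - the text attachment body: htmlspecialchars() inside <pre>.
 *
 * @param integer $p_bug_id A bug identifier.
 * @return void
 */
function file_list_attachments($p_bug_id) {
	$t_attachment_rows = bug_get_attachments($p_bug_id);
	$num_files = sizeof($t_attachment_rows);
	if ($num_files === 0) {
		return;
	}

	$t_can_download = file_can_download_bug_attachments($p_bug_id);
	$t_can_delete = file_can_delete_bug_attachments($p_bug_id);

	# Loop-invariant configuration.
	$t_preview_text_ext = config_get('preview_text_extensions');
	$t_preview_image_ext = config_get('preview_image_extensions');
	$t_preview_max_size = config_get('preview_attachments_inline_max_size');
	$t_upload_method = config_get('file_upload_method');
	$t_date_format = config_get('normal_date_format');
	$t_bug_file_table = config_get('mantis_bug_file_table');

	$image_previewed = false;
	# The show/hide helper script is the same for every text attachment; emit it once.
	$t_toggle_script_printed = false;

	for ($i = 0; $i < $num_files; $i++) {
		$row = $t_attachment_rows[$i];
		# Read the columns explicitly rather than extract()-ing the whole row into locals.
		$v_id = $row['id'];
		$v_filesize = $row['filesize'];
		$v_diskfile = $row['diskfile'];

		# Escape once; the link text, icon lookup and extension check all use the escaped name.
		$t_file_display_name = string_display_line(file_get_display_name($row['filename']));
		$t_filesize = number_format($v_filesize);
		$t_date_added = date($t_date_format, db_unixtimestamp($row['date_added']));

		# An inline image on the previous row needs a line break before this entry.
		if ($image_previewed) {
			$image_previewed = false;
			print '<br />';
		}

		if ($t_can_download) {
			$t_href_start = "<a href=\"file_download.php?file_id={$v_id}&type=bug\">";
			$t_href_end = '</a>';
			$t_href_clicket = " [<a href=\"file_download.php?file_id={$v_id}&type=bug\" target=\"_blank\">^</a>]";
		} else {
			$t_href_start = '';
			$t_href_end = '';
			$t_href_clicket = '';
		}

		# Only DISK storage can lose the file out of band; other storage methods
		# are treated as present.
		$t_exists = $t_upload_method != DISK || file_exists($v_diskfile);
		if (!$t_exists) {
			print_file_icon($t_file_display_name);
			print ' <span class="strike">' . $t_file_display_name . '</span> (attachment missing)';
		} else {
			print $t_href_start;
			print_file_icon($t_file_display_name);
			print $t_href_end . ' ' . $t_href_start . $t_file_display_name . $t_href_end
				. "{$t_href_clicket} ({$t_filesize} bytes) <span class=\"italic\">{$t_date_added}</span>";

			if ($t_can_delete) {
				print " [<a class=\"small\" href=\"bug_file_delete.php?file_id={$v_id}\">" . lang_get('delete_link') . '</a>]';
			}

			if (FTP == $t_upload_method && file_exists($v_diskfile)) {
				print ' (' . lang_get('cached') . ')';
			}

			# Inline previews only for downloadable, non-empty files under the size cap.
			$t_can_preview = $t_can_download && $v_filesize <= $t_preview_max_size && $v_filesize != 0;
			$t_ext = strtolower(file_get_extension($t_file_display_name));

			if ($t_can_preview && in_array($t_ext, $t_preview_text_ext, true)) {
				# Integer-prepared id: used both in the DOM ids and in the DB lookup below.
				$c_id = db_prepare_int($v_id);

				# Fetch the text body first so an FTP failure surfaces before any markup is printed.
				# $v_content is always initialised; previously the FTP "cached copy" path discarded
				# the file_get_contents() result and left it undefined.
				$v_content = '';
				switch ($t_upload_method) {
					case DISK:
						# $t_exists already established the file is present for DISK storage.
						if (file_exists($v_diskfile)) {
							$v_content = file_get_contents($v_diskfile);
						}
						break;
					case FTP:
						if (!file_exists($v_diskfile)) {
							# No local cached copy yet: pull it down from the FTP server.
							$ftp = file_ftp_connect();
							file_ftp_get($ftp, $v_diskfile, $v_diskfile);
							file_ftp_disconnect($ftp);
						}
						$v_content = file_get_contents($v_diskfile);
						break;
					default:
						# Content is stored in the database. $c_id has been through
						# db_prepare_int(), so interpolating it cannot inject SQL; a bound
						# query (db_query_bound) would still be the preferred form.
						$query = "SELECT content FROM {$t_bug_file_table} WHERE id='{$c_id}'";
						$result = db_query($query);
						$row_content = db_fetch_array($result);
						if (is_array($row_content)) {
							$v_content = $row_content['content'];
						}
						break;
				}
				if ($v_content === false) {
					$v_content = '';
				}

				if (!$t_toggle_script_printed) {
					echo "<script type=\"text/javascript\" language=\"JavaScript\">\r\n<!--\r\nfunction swap_content( span ) {\r\ndisplayType = ( document.getElementById( span ).style.display == 'none' ) ? '' : 'none';\r\ndocument.getElementById( span ).style.display = displayType;\r\n}\r\n\r\n -->\r\n </script>";
					$t_toggle_script_printed = true;
				}

				# NOTE(review): both toggle links share id='attmlink_N', which is invalid HTML
				# (duplicate ids); harmless for the inline handlers, left as-is.
				print " <span id=\"hideSection_{$c_id}\">[<a class=\"small\" href='#' id='attmlink_" . $c_id . "' onclick='swap_content(\"hideSection_" . $c_id . "\");swap_content(\"showSection_" . $c_id . "\");return false;'>" . lang_get('show_content') . "</a>]</span>";
				print " <span style='display:none' id=\"showSection_{$c_id}\">[<a class=\"small\" href='#' id='attmlink_" . $c_id . "' onclick='swap_content(\"hideSection_" . $c_id . "\");swap_content(\"showSection_" . $c_id . "\");return false;'>" . lang_get('hide_content') . "</a>]";
				print "<pre>";
				# Attachment content is untrusted; escape it for element content.
				echo htmlspecialchars($v_content);
				print "</pre></span>\n";
			}

			if ($t_can_preview && in_array($t_ext, $t_preview_image_ext, true)) {
				$t_preview_style = 'border: 0;';
				$t_max_width = (int) config_get('preview_max_width');
				if ($t_max_width > 0) {
					$t_preview_style .= ' max-width:' . $t_max_width . 'px;';
				}
				$t_max_height = (int) config_get('preview_max_height');
				if ($t_max_height > 0) {
					$t_preview_style .= ' max-height:' . $t_max_height . 'px;';
				}
				$t_preview_style = 'style="' . $t_preview_style . '"';

				# The title is user-supplied and lands inside a double-quoted attribute;
				# escape quotes as well as angle brackets.
				$t_title = htmlspecialchars(file_get_field($v_id, 'title'), ENT_QUOTES);
				print "\n<br />{$t_href_start}<img alt=\"{$t_title}\" {$t_preview_style} src=\"file_download.php?file_id={$v_id}&type=bug\" />{$t_href_end}";
				$image_previewed = true;
			}
		}

		if ($i != $num_files - 1) {
			print "<br />\n";
		}
	}
}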