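/**
 * Persist edited "userdata" properties for an uploaded file.
 *
 * Access gates, in order: the current user needs the `manage_options`
 * capability, the safe file code must resolve to a path, and
 * wfu_current_user_owes_file() must allow the action. A file without a
 * database record is ignored as well.
 *
 * When the form was submitted with `submit=Update` and a
 * `wfu_filedetails_userdata_<propkey>` field exists for every property of the
 * record, each current userdata row is closed (date_to = now) and a new row
 * holding the posted value is inserted; the modification is then logged with
 * wfu_log_action().
 *
 * NOTE(review): no nonce is verified inside this function; the caller is
 * expected to have done that before invoking it -- confirm.
 *
 * @param string $file_code Safe file code as produced by the plugin (not a filesystem path).
 * @return true|null true once all access checks passed (whether or not an
 *                   update was actually performed); bare return (null) when
 *                   the user is not allowed, the code does not resolve, the
 *                   file is not owned, or the file has no record.
 */
function wfu_edit_filedetails($file_code) {
    global $wpdb;
    $table_name2 = $wpdb->prefix . "wfu_userdata";
    $user = wp_get_current_user();
    $is_admin = current_user_can('manage_options');
    //check if user is allowed to view file details
    if (!$is_admin) {
        return;
    }
    $file_code = wfu_sanitize_code($file_code);
    $dec_file = wfu_get_filepath_from_safe($file_code);
    if ($dec_file === false) {
        return;
    }
    $dec_file = wfu_path_rel2abs(wfu_flatten_path($dec_file));
    //check if user is allowed to perform this action
    if (!wfu_current_user_owes_file($dec_file)) {
        return;
    }
    //get file data from database with user data
    $filedata = wfu_get_file_rec($dec_file, true);
    if (empty($filedata)) {
        return;
    }
    if (isset($_POST['submit']) && $_POST['submit'] === "Update") {
        //check for errors: every property of the record must have a matching
        //scalar form field; arrays (field[]=...) are rejected
        $is_error = false;
        $new_values = array();
        foreach ($filedata->userdata as $userdata) {
            $field = 'wfu_filedetails_userdata_' . $userdata->propkey;
            if (!isset($_POST[$field]) || !is_string($_POST[$field])) {
                $is_error = true;
                break;
            }
            //WordPress slashes request superglobals while $wpdb->insert() expects
            //raw values, so strip the slashes before storing
            $new_values[$userdata->propkey] = wp_unslash($_POST[$field]);
        }
        if (!$is_error) {
            $now_date = date('Y-m-d H:i:s');
            $userdata_count = 0;
            foreach ($filedata->userdata as $userdata) {
                $userdata_count++;
                //make existing userdata record obsolete
                $wpdb->update(
                    $table_name2,
                    array('date_to' => $now_date),
                    array('uploadid' => $userdata->uploadid, 'propkey' => $userdata->propkey),
                    array('%s'),
                    array('%s', '%s')
                );
                //insert new userdata record carrying the posted value
                $wpdb->insert(
                    $table_name2,
                    array(
                        'uploadid' => $userdata->uploadid,
                        'property' => $userdata->property,
                        'propkey' => $userdata->propkey,
                        'propvalue' => $new_values[$userdata->propkey],
                        'date_from' => $now_date,
                        'date_to' => 0,
                    ),
                    array('%s', '%s', '%d', '%s', '%s', '%s')
                );
            }
            //only log when at least one property was rewritten
            if ($userdata_count > 0) {
                wfu_log_action('modify:' . $now_date, $dec_file, $user->ID, '', 0, 0, '', null);
            }
        }
    }
    return true;
}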
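/**
 * AJAX handler that prepares a monitored download of an uploaded file.
 *
 * Gate order: `file` and `nonce` must both be present (POST takes precedence
 * over GET), the nonce must verify against the 'wfu_download_file_invoker'
 * action, the user needs `manage_options`, the safe code must resolve to a
 * path, and wfu_current_user_owes_file() must allow it. Every failure ends
 * the request with an empty die().
 *
 * On success a random download id is generated and three session entries
 * are written: a status ('starting') and two tickets that expire 30 seconds
 * after creation, one for the downloader script and one for the monitor
 * script. The response is
 * `wfu_ajax_action_download_file_invoker:wfu_download_id;<id>:<iframe>`,
 * the iframe pointing at WFU_DOWNLOADER_URL with the file code and ticket id.
 *
 * @return void Never returns normally; always terminates through die().
 */
function wfu_ajax_action_download_file_invoker() {
    $file_code = isset($_POST['file']) ? $_POST['file'] : (isset($_GET['file']) ? $_GET['file'] : '');
    $nonce = isset($_POST['nonce']) ? $_POST['nonce'] : (isset($_GET['nonce']) ? $_GET['nonce'] : '');
    //request parameters can arrive as arrays (e.g. file[]=x); only non-empty
    //scalar strings are usable
    if (!is_string($file_code) || !is_string($nonce) || $file_code === '' || $nonce === '') {
        die;
    }
    //security check to avoid CSRF attacks
    if (!wp_verify_nonce($nonce, 'wfu_download_file_invoker')) {
        die;
    }
    //check if user is allowed to download files
    if (!current_user_can('manage_options')) {
        die;
    }
    $file_code = wfu_sanitize_code($file_code);
    $filepath = wfu_get_filepath_from_safe($file_code);
    if ($filepath === false) {
        die;
    }
    $filepath = wfu_path_rel2abs(wfu_flatten_path($filepath));
    //check if user is allowed to perform this action on this file
    if (!wfu_current_user_owes_file($filepath)) {
        die;
    }
    //generate download unique id to monitor this download
    // NOTE(review): the tickets below are only as unguessable as
    // wfu_create_random_string(); confirm it draws from a CSPRNG.
    $download_id = wfu_create_random_string(16);
    //store download status of this download
    // assumes a PHP session is already active (session_start() elsewhere) -- TODO confirm
    $_SESSION['wfu_download_status_' . $download_id] = 'starting';
    //both tickets expire 30sec after creation
    $ticket_expiry = time() + 30;
    //download ticket: security measure for the downloader script, which runs
    //outside the Wordpress environment
    $_SESSION['wfu_download_ticket_' . $download_id] = $ticket_expiry;
    //monitor ticket: security measure for the monitor script that will check
    //download status
    $_SESSION['wfu_download_monitor_ticket_' . $download_id] = $ticket_expiry;
    //this routine returns a dynamically created iframe element, that will call the actual download script;
    //the actual download script runs outside Wordpress environment in order to ensure that no php warnings
    //or echo from other plugins is generated, that could scramble the downloaded file;
    //a ticket, similar to nonces, is passed to the download script to check that it is not a CSRF attack;
    //moreover, the ticket is destroyed by the time it is consumed by the download script, so it cannot be used again.
    //The file code originates from the request, so it is URL-encoded before being embedded in the
    //src attribute; this is a no-op for plain alphanumeric codes and keeps the query string and
    //attribute intact regardless of what wfu_sanitize_code() lets through.
    $response = '<iframe src="' . WFU_DOWNLOADER_URL . '?file=' . rawurlencode($file_code)
        . '&ticket=' . rawurlencode($download_id) . '" style="display: none;"></iframe>';
    die('wfu_ajax_action_download_file_invoker:wfu_download_id;' . $download_id . ':' . $response);
}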
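/**
 * AJAX handler that prepares a monitored download of an uploaded file or of
 * an on-the-fly export of the uploaded-files data.
 *
 * Gate order: `file` and `nonce` must both be present (POST takes precedence
 * over GET), the nonce must verify against the 'wfu_download_file_invoker'
 * action and the user needs `manage_options`. A code of "exportdata" makes the
 * handler create the export file with wfu_export_uploaded_files() and derive a
 * fresh safe code for it; any other code must resolve to a path, is passed
 * through the `wfu_browser_check_file_action` filter when the request comes
 * from the front-end browser (`browser` POST field), and must pass
 * wfu_current_user_owes_file(). Every failure ends the request with die(),
 * empty except for a filter veto which is reported as
 * `wfu_ajax_action_download_file_invoker:not_allowed:<message>`.
 *
 * On success a random download id is generated and three session entries
 * are written: a status ('starting') and two tickets that expire 30 seconds
 * after creation, one for the downloader script and one for the monitor
 * script. The response is
 * `wfu_ajax_action_download_file_invoker:wfu_download_id;<id>:<iframe>`,
 * the iframe pointing at WFU_DOWNLOADER_URL with the file code and ticket id.
 *
 * @return void Never returns normally; always terminates through die().
 */
function wfu_ajax_action_download_file_invoker() {
    $file_code = isset($_POST['file']) ? $_POST['file'] : (isset($_GET['file']) ? $_GET['file'] : '');
    $nonce = isset($_POST['nonce']) ? $_POST['nonce'] : (isset($_GET['nonce']) ? $_GET['nonce'] : '');
    //request parameters can arrive as arrays (e.g. file[]=x); only non-empty
    //scalar strings are usable
    if (!is_string($file_code) || !is_string($nonce) || $file_code === '' || $nonce === '') {
        die;
    }
    //security check to avoid CSRF attacks
    if (!wp_verify_nonce($nonce, 'wfu_download_file_invoker')) {
        die;
    }
    //check if user is allowed to download files
    if (!current_user_can('manage_options')) {
        die;
    }
    $file_code = wfu_sanitize_code($file_code);
    //if file_code is exportdata, then export of data has been requested and
    //we need to create a file with export data and recreate file_code
    //(the manage_options capability was already enforced above)
    if ($file_code === "exportdata") {
        $filepath = wfu_export_uploaded_files(null);
        if ($filepath === false) {
            die;
        }
        $file_code = "exportdata" . wfu_safe_store_filepath($filepath);
    } else {
        $filepath = wfu_get_filepath_from_safe($file_code);
        if ($filepath === false) {
            die;
        }
        $filepath = wfu_path_rel2abs(wfu_flatten_path($filepath));
        //for front-end browser apply wfu_browser_check_file_action filter to
        //allow or restrict the download
        if (isset($_POST['browser'])) {
            $changable_data = array("error_message" => "");
            $filerec = wfu_get_file_rec($filepath, true);
            //a file without a database record yields no userdata and no upload user
            $userdata = array();
            if (!empty($filerec)) {
                foreach ($filerec->userdata as $data) {
                    //the value column is propvalue (see the wfu_userdata inserts);
                    //the original referenced a bare constant here
                    $userdata[] = array("label" => $data->property, "value" => $data->propvalue);
                }
            }
            $additional_data = array(
                "file_action" => "download",
                "filepath" => $filepath,
                "uploaduser" => empty($filerec) ? null : $filerec->uploaduserid,
                "userdata" => $userdata,
            );
            $changable_data = apply_filters("wfu_browser_check_file_action", $changable_data, $additional_data);
            //a non-empty error_message from the filter vetoes the download
            $error_message = isset($changable_data["error_message"]) ? (string)$changable_data["error_message"] : '';
            if ($error_message !== '') {
                die('wfu_ajax_action_download_file_invoker:not_allowed:' . $error_message);
            }
        }
        //for both front-end and back-end browser check if user is allowed to
        //perform this action on this file
        if (!wfu_current_user_owes_file($filepath)) {
            die;
        }
    }
    //generate download unique id to monitor this download
    // NOTE(review): the tickets below are only as unguessable as
    // wfu_create_random_string(); confirm it draws from a CSPRNG.
    $download_id = wfu_create_random_string(16);
    //store download status of this download
    // assumes a PHP session is already active (session_start() elsewhere) -- TODO confirm
    $_SESSION['wfu_download_status_' . $download_id] = 'starting';
    //both tickets expire 30sec after creation
    $ticket_expiry = time() + 30;
    //download ticket: security measure for the downloader script, which runs
    //outside the Wordpress environment
    $_SESSION['wfu_download_ticket_' . $download_id] = $ticket_expiry;
    //monitor ticket: security measure for the monitor script that will check
    //download status
    $_SESSION['wfu_download_monitor_ticket_' . $download_id] = $ticket_expiry;
    //this routine returns a dynamically created iframe element, that will call the actual download script;
    //the actual download script runs outside Wordpress environment in order to ensure that no php warnings
    //or echo from other plugins is generated, that could scramble the downloaded file;
    //a ticket, similar to nonces, is passed to the download script to check that it is not a CSRF attack;
    //moreover, the ticket is destroyed by the time it is consumed by the download script, so it cannot be used again.
    //The file code originates from the request (or from wfu_safe_store_filepath()), so it is URL-encoded
    //before being embedded in the src attribute; this is a no-op for plain alphanumeric codes and keeps
    //the query string and attribute intact regardless of what wfu_sanitize_code() lets through.
    $response = '<iframe src="' . WFU_DOWNLOADER_URL . '?file=' . rawurlencode($file_code)
        . '&ticket=' . rawurlencode($download_id) . '" style="display: none;"></iframe>';
    die('wfu_ajax_action_download_file_invoker:wfu_download_id;' . $download_id . ':' . $response);
}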