/**
 * Makes sure a resource sub-directory exists under the repository, creating it when missing.
 *
 * The last character of $repository_path is dropped before $resource_directory is
 * appended (the repository path is expected to end with a separator and the resource
 * directory to start with one). When a directory is created while inside a course,
 * it is also registered in the course's document table with a 'FolderCreated' property.
 *
 * @param string $repository_path          Filesystem path of the repository root.
 * @param string $resource_directory       Sub-directory path relative to the repository root.
 * @param string $resource_directory_name  Title used when registering the folder in the course.
 * @return bool  true when the directory exists or was created, false when mkdir() failed.
 */
function check_and_create_resource_directory($repository_path, $resource_directory, $resource_directory_name)
{
    global $permissions_for_new_directories;

    $root = substr($repository_path, 0, strlen($repository_path) - 1);
    $full_path = $root . $resource_directory . '/';

    // Already there: nothing to create.
    if (is_dir($full_path)) {
        return true;
    }

    // mkdir() warnings are silenced on purpose; failure is reported through the return value.
    if (!@mkdir($full_path, $permissions_for_new_directories)) {
        return false;
    }

    // Inside a course the new folder also has to be known to the course's document table.
    if (api_is_in_course()) {
        global $_course, $_user, $group_properties, $to_group_id;
        $group_directory = empty($group_properties['directory']) ? '' : $group_properties['directory'];
        $doc_id = add_document($_course, $group_directory . $resource_directory, 'folder', 0, $resource_directory_name);
        api_item_property_update($_course, TOOL_DOCUMENT, $doc_id, 'FolderCreated', $_user['user_id'], $to_group_id);
    }

    return true;
}
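/**
 * Creates a server-side folder, creating any missing parent folders first.
 *
 * Parents are created by recursion; $lastFolder is the child path whose creation
 * requested the current call and stops the recursion when the topmost folder cannot
 * be created (otherwise GetParentFolder() would keep returning the same path).
 * Inside a course the newly created folder is also registered in the course's
 * document table with a 'FolderCreated' property.
 *
 * Warnings are silenced while the folder is created (the connector answers with XML,
 * so stray output would corrupt the response) and the message of a failed mkdir() is
 * returned instead. The previous implementation relied on track_errors/$php_errormsg,
 * which no longer exist in PHP 8 and made every failure look like a success; the
 * mkdir() return value and error_get_last() are used instead.
 *
 * @param string      $folderPath  Absolute server path of the folder to create.
 * @param string|null $lastFolder  Child path that requested this call (recursion guard).
 * @return string  '' on success or when the folder already exists, otherwise an error message.
 */
function CreateServerFolder($folderPath, $lastFolder = null)
{
    global $Config;

    $sParent = GetParentFolder($folderPath);

    // Ensure the folder path has no double-slashes, or mkdir may fail on certain platforms.
    while (strpos($folderPath, '//') !== false) {
        $folderPath = str_replace('//', '/', $folderPath);
    }

    // Check if the parent exists, or create it.
    if (!empty($sParent) && !file_exists($sParent)) {
        // Prevents an infinite loop when the root folder cannot be created.
        if (!is_null($lastFolder) && $lastFolder === $sParent) {
            return "Can't create {$folderPath} directory";
        }
        $sErrorMsg = CreateServerFolder($sParent, $folderPath);
        if ($sErrorMsg !== '') {
            return $sErrorMsg;
        }
    }

    if (file_exists($folderPath)) {
        return '';
    }

    // Silence warnings for the duration of the creation; the previous level is restored
    // below (ini_restore() would reset to the php.ini value, not to the runtime setting).
    $previousErrorLevel = error_reporting(0);
    $sErrorMsg = '';
    $errorBefore = error_get_last();

    if (isset($Config['ChmodOnFolderCreate']) && !$Config['ChmodOnFolderCreate']) {
        $created = mkdir($folderPath);
    } else {
        // Default to 0777 unless the configuration asks for a specific mode.
        // NOTE: 0777 is world-writable; the effective mode is still reduced by the process umask.
        $permissions = 0777;
        if (isset($Config['ChmodOnFolderCreate'])) {
            $permissions = $Config['ChmodOnFolderCreate'];
        }
        $created = mkdir($folderPath, $permissions);
    }

    if (!$created) {
        // Only report an error that was raised by this mkdir() call, not a stale one.
        $errorAfter = error_get_last();
        $sErrorMsg = ($errorAfter !== null && $errorAfter !== $errorBefore)
            ? $errorAfter['message']
            : "Can't create {$folderPath} directory";
    } elseif (api_is_in_course()) {
        // While we are in a course: register the newly created folder in the course's database.
        global $_course, $_user;
        $to_group_id = 0;
        if (api_is_in_group()) {
            global $group_properties;
            $to_group_id = $group_properties['id'];
        }
        // Path relative to the course document tool, as it is stored in the document table.
        $folder_path = preg_replace("/^.*" . TOOL_DOCUMENT . "/", "", $folderPath);
        $folder_name = explode('/', $folder_path);
        $folder_name = $folder_name[count($folder_name) - 1];
        $doc_id = add_document($_course, $folder_path, 'folder', 0, $folder_name);
        api_item_property_update($_course, TOOL_DOCUMENT, $doc_id, 'FolderCreated', $_user['user_id'], $to_group_id);
    }

    error_reporting($previousErrorLevel);

    return $sErrorMsg;
}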
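/**
 * Handles a file upload for the editor connector.
 *
 * The uploaded file is expected in $_FILES['NewFile']. Its name is passed through
 * SanitizeFileName() (no further path validation happens here), the extension is
 * checked with IsAllowedExt() for $resourceType and, when configured, the content is
 * checked for image validity (SecureImageUploads) and for embedded HTML (HtmlExtensions).
 * A check result of -1 is treated as "undecided" and repeated on the stored file,
 * which is deleted again when it turns out to be invalid. An existing file with the
 * same name is never overwritten: a "(n)" suffix is appended instead. Inside a course
 * the stored file is also registered in the course's document table.
 *
 * Every rejected upload (missing file, disallowed extension, invalid image, HTML
 * content) is reported with error number '202'; '0' means success.
 * This function always terminates the script after sending the upload result.
 *
 * @param string $resourceType   Resource type requested by the editor (e.g. 'Images', 'File').
 * @param string $currentFolder  Virtual folder, relative to the resource type root.
 * @param string $sCommand       Connector command name, forwarded to the path helpers.
 * @return void
 */
function FileUpload($resourceType, $currentFolder, $sCommand)
{
    if (!isset($_FILES)) {
        global $_FILES;
    }

    $sErrorNumber = '0';
    $sFileName = '';

    if (isset($_FILES['NewFile']) && !is_null($_FILES['NewFile']['tmp_name'])) {
        global $Config;
        $oFile = $_FILES['NewFile'];

        // Map the virtual path to the local server path.
        $sServerDir = ServerMapFolder($resourceType, $currentFolder, $sCommand);

        // Get the uploaded file name.
        $sFileName = SanitizeFileName($oFile['name'], $oFile['type']);
        $sOriginalFileName = $sFileName;

        // Get the extension. Note: for a name without a dot strrpos() returns false,
        // so the "extension" becomes the name from its second character on.
        $sExtension = strtolower(substr($sFileName, strrpos($sFileName, '.') + 1));

        // Content checks on the temporary file; -1 results are re-checked after the move.
        if (isset($Config['SecureImageUploads'])) {
            if (($isImageValid = IsImageValid($oFile['tmp_name'], $sExtension)) === false) {
                $sErrorNumber = '202';
            }
        }
        if (isset($Config['HtmlExtensions'])) {
            if (!IsHtmlExtension($sExtension, $Config['HtmlExtensions']) && ($detectHtml = DetectHtml($oFile['tmp_name'])) === true) {
                $sErrorNumber = '202';
            }
        }

        // Check if it is an allowed extension.
        if (!$sErrorNumber && IsAllowedExt($sExtension, $resourceType)) {
            $iCounter = 0;
            while (true) {
                $sFilePath = $sServerDir . $sFileName;
                if (is_file($sFilePath)) {
                    // Never overwrite: try the next "name(n).ext" candidate.
                    $iCounter++;
                    $sFileName = RemoveExtension($sOriginalFileName) . '(' . $iCounter . ').' . $sExtension;
                    $sErrorNumber = '0'; // Renamed files are still reported as successful uploads.
                } else {
                    move_uploaded_file($oFile['tmp_name'], $sFilePath);
                    if (is_file($sFilePath)) {
                        if (isset($Config['ChmodOnUpload']) && !$Config['ChmodOnUpload']) {
                            break;
                        }
                        // NOTE: the 0777 default leaves the stored file world-writable and
                        // executable; a tighter ChmodOnUpload is advisable.
                        $permissions = 0777;
                        if (isset($Config['ChmodOnUpload']) && $Config['ChmodOnUpload']) {
                            $permissions = $Config['ChmodOnUpload'];
                        }
                        chmod($sFilePath, $permissions);
                    }
                    break;
                }
            }

            if (file_exists($sFilePath)) {
                // Earlier checks were undecided (-1): repeat them on the stored file.
                if (isset($isImageValid) && $isImageValid === -1 && IsImageValid($sFilePath, $sExtension) === false) {
                    @unlink($sFilePath);
                    $sErrorNumber = '202';
                } elseif (isset($detectHtml) && $detectHtml === -1 && DetectHtml($sFilePath) === true) {
                    @unlink($sFilePath);
                    $sErrorNumber = '202';
                }
            }
        } else {
            $sErrorNumber = '202';
        }
    } else {
        $sErrorNumber = '202';
    }

    if ($sErrorNumber === '0') {
        // While we are in a course: register the newly uploaded file in the course's database.
        if (api_is_in_course()) {
            global $_course, $_user;
            $repository_path = api_get_path(REL_COURSE_PATH) . api_get_course_path() . '/document/';
            $to_group_id = 0;
            if (api_is_in_group()) {
                global $group_properties;
                $to_group_id = $group_properties['id'];
            }
            if (file_exists($sFilePath)) {
                $file_path = substr($sFilePath, strpos($sFilePath, $repository_path) + strlen($repository_path) - 1);
                $path = explode('/', $file_path);
                $file_name = $path[count($path) - 1];
                $path[count($path) - 1] = '';
                // Bug fix: the previous code used '+', which is numeric addition in PHP and
                // never produced a path. The folder path is rooted with exactly one slash.
                $folder_path = '/' . ltrim(implode('/', $path), '/');
                $file_size = @filesize($sFilePath);
                $doc_id = add_document($_course, $file_path, 'file', $file_size, $file_name);
                api_item_property_update($_course, TOOL_DOCUMENT, $doc_id, 'DocumentAdded', $_user['user_id'], $to_group_id);
                item_property_update_on_folder($_course, $folder_path, $_user['user_id']);
            }
        }
    }

    $sFileUrl = CombinePaths(GetResourceTypePath($resourceType, $sCommand), $currentFolder);
    $sFileUrl = CombinePaths($sFileUrl, $sFileName);
    SendUploadResults($sErrorNumber, $sFileUrl, $sFileName);
    exit;
}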
It can be protected via .htaccess on Apache or directory permissions on IIS; check your web server documentation for further information on directory protection. If this directory needs to be publicly accessible, remove scripting capabilities for this directory (i.e. disable PHP, Perl, CGI). We only want to store assets in this directory and its subdirectories. */ $language_file = array('document'); require_once '../../../../../../inc/global.inc.php'; api_block_anonymous_users(); // Disabling access for anonymous users. api_block_anonymous_users(); // Initialization of the repositories. require_once api_get_path(LIBRARY_PATH) . 'fckeditor/repository.php'; $userId = api_get_user_id(); // Choosing the repository to be used. if (api_is_in_course()) { if (!api_is_in_group()) { // 1. We are inside a course and not in a group. if (api_is_allowed_to_edit()) { // 1.1. Teacher $IMConfig['base_dir'] = api_get_path(SYS_COURSE_PATH) . api_get_course_path() . '/document/'; $IMConfig['base_url'] = api_get_path(WEB_COURSE_PATH) . api_get_course_path() . '/document/'; } else { // 1.2. Student $sessionId = api_get_session_id(); if ($sessionId == 0) { $IMConfig['base_dir'] = api_get_path(SYS_COURSE_PATH) . api_get_course_path() . '/document/shared_folder/sf_user_' . $userId . '/'; $IMConfig['base_url'] = api_get_path(WEB_COURSE_PATH) . api_get_course_path() . '/document/shared_folder/sf_user_' . $userId . '/'; } else { $IMConfig['base_dir'] = api_get_path(SYS_COURSE_PATH) . api_get_course_path() . '/document/shared_folder_session_' . $sessionId . '/sf_user_' . $userId . '/'; $IMConfig['base_url'] = api_get_path(WEB_COURSE_PATH) . api_get_course_path() . '/document/shared_folder_session_' . $sessionId . '/sf_user_' . $userId . '/';
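/**
 * Returns the default configuration of the document repository used by the editor.
 *
 * Anonymous users get an empty configuration. Otherwise the "create document"
 * directories (web and relative) and the base href are chosen by context:
 *  1. inside a course, not in a group: teacher (course document root) or student
 *     (personal shared folder, per session when a session is active);
 *  2. inside a course and a group: the group's document directory;
 *  3. platform administration section: the platform default document directory;
 *  4. everywhere else: the user's own "my_files" directory.
 * Finally the browser and quick-upload URLs of the chosen file manager (advanced AJAX
 * file manager or the classic connector) are filled in.
 *
 * The method is declared as returning by reference; PHP requires a variable (not a
 * literal) to be returned in that case, which is why $config is initialised up front.
 *
 * @return array
 */
private function &get_repository_configuration()
{
    $config = array();

    // Disabling access for anonymous users.
    if (api_is_anonymous()) {
        return $config;
    }

    // Preliminary calculations for assembling required paths.
    $base_path = $this->BasePath;
    $script_name = substr($_SERVER['PHP_SELF'], strlen(api_get_path(REL_PATH)));
    $script_path = explode('/', $script_name);
    $script_path[count($script_path) - 1] = '';
    // Number of '../' steps from the running script; one more is used inside a course.
    // Clamped at 0 because str_repeat() rejects a negative count.
    $levels_up = api_is_in_course() ? count($script_path) - 1 : count($script_path) - 2;
    $relative_path_prefix = str_repeat('../', max(0, $levels_up));
    $script_path = api_get_path(WEB_PATH) . implode('/', $script_path);

    $use_advanced_filemanager = api_get_setting('advanced_filemanager') === 'true';
    // Let javascripts "know" which file manager has been chosen.
    $config['AdvancedFileManager'] = $use_advanced_filemanager;

    if (api_is_in_course()) {
        $course_path = api_get_course_path();
        if (!api_is_in_group()) {
            // 1. We are inside a course and not in a group.
            if (api_is_allowed_to_edit()) {
                // 1.1. Teacher (tutor and coach are not authorized to change anything in the "content creation" tools)
                $document_dir = '/document/';
            } else {
                // 1.2. Student: personal shared folder, per session when one is active.
                $current_session_id = api_get_session_id();
                if ($current_session_id == 0) {
                    $document_dir = '/document/shared_folder/sf_user_' . api_get_user_id() . '/';
                } else {
                    $document_dir = '/document/shared_folder_session_' . $current_session_id . '/sf_user_' . api_get_user_id() . '/';
                }
            }
        } else {
            // 2. Inside a course and inside a group.
            global $group_properties;
            $document_dir = '/document' . $group_properties['directory'] . '/';
        }
        $config['CreateDocumentWebDir'] = api_get_path(WEB_COURSE_PATH) . $course_path . $document_dir;
        $config['CreateDocumentDir'] = $relative_path_prefix . 'courses/' . $course_path . $document_dir;
        $config['BaseHref'] = $script_path;
    } else {
        if (api_is_platform_admin() && isset($_SESSION['this_section']) && $_SESSION['this_section'] === 'platform_admin') {
            // 3. Platform administration activities.
            $platform_document_dir = api_get_path(WEB_PATH) . 'home/default_platform_document/';
            $config['CreateDocumentWebDir'] = $platform_document_dir;
            // Unlike the other contexts, an absolute web path is used here. A side-effect is in use here.
            $config['CreateDocumentDir'] = $platform_document_dir;
            $config['BaseHref'] = $platform_document_dir;
        } else {
            // 4. The user is outside courses.
            $my_path = UserManager::get_user_picture_path_by_id(api_get_user_id(), 'system');
            $config['CreateDocumentWebDir'] = $my_path['dir'] . 'my_files/';
            $my_path = UserManager::get_user_picture_path_by_id(api_get_user_id(), 'rel');
            $config['CreateDocumentDir'] = $my_path['dir'] . 'my_files/';
            $config['BaseHref'] = $script_path;
        }
    }

    // URLs for opening the file browser for different resource types (file types).
    // Config key => connector "Type" parameter.
    $browser_types = array(
        'ImageBrowserURL' => 'Images',    // for images
        'FlashBrowserURL' => 'Flash',     // for flash
        'MP3BrowserURL' => 'MP3',         // for audio files (mp3)
        'VideoBrowserURL' => 'Video',     // for video
        'MediaBrowserURL' => 'Video/flv', // for video (flv)
        'LinkBrowserURL' => 'File',       // for links (any resource type)
    );
    if ($use_advanced_filemanager) {
        // Double slashes within the following URL for the advanced file manager are put intentionally. Please, keep them.
        $advanced_url = $base_path . '/editor/plugins/ajaxfilemanager/ajaxfilemanager.php';
        foreach (array_keys($browser_types) as $key) {
            $config[$key] = $advanced_url;
        }
    } else {
        $connector_url = $base_path . 'editor/filemanager/connectors/php/connector.php';
        foreach ($browser_types as $key => $type) {
            $config[$key] = $base_path . 'editor/filemanager/browser/default/browser.html?Type=' . $type . '&Connector=' . $connector_url;
        }
    }

    // URLs for making quick uploads for different resource types (file types).
    // These URLs are used by the dialogs' quick upload tabs.
    $upload_types = array(
        'ImageUploadURL' => 'Images',
        'FlashUploadURL' => 'Flash',
        'MP3UploadURL' => 'MP3',
        'VideoUploadURL' => 'Video',
        'MediaUploadURL' => 'Video/flv',
        'LinkUploadURL' => 'File',
    );
    foreach ($upload_types as $key => $type) {
        $config[$key] = $base_path . 'editor/filemanager/connectors/php/upload.php?Type=' . $type;
    }

    return $config;
}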