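 /**
  * Create a new HTML document inside the course document tool.
  *
  * The target folder comes from $_GET['dir'] or $_POST['dir']; when neither is
  * given the learning-path folder is generated, and when the resulting path is
  * not a directory the document root is used instead. The file name is derived
  * from $_POST['title'] and suffixed with "_n" until it is unique, then the
  * posted content is written out and registered via FileManager::add_document().
  *
  * Still needs some finetuning.
  *
  * @param array $_course Course info array; only $_course['path'] is read here.
  * @return mixed|null Whatever FileManager::add_document() returned (presumably
  *                    the new document id), or null when the file could not be
  *                    written (target name already taken or folder not writable).
  */
 public function create_document($_course)
 {
     $course_id = api_get_course_int_id();
     global $charset;
     $dir = '';
     if (isset($_GET['dir'])) {
         $dir = $_GET['dir'];
     } elseif (isset($_POST['dir'])) {
         $dir = $_POST['dir'];
     }
     // Please, do not modify this dirname formatting.
     // A non-string, empty or ".."-containing folder is reset to the document
     // root, so the request cannot point outside the course document tree.
     if (!is_string($dir) || $dir === '' || strpos($dir, '..') !== false) {
         $dir = '/';
     }
     if (substr($dir, 0, 1) === '.') {
         $dir = substr($dir, 1);
     }
     // substr() is used instead of $dir[0] / $dir[strlen - 1] so an empty
     // string (e.g. after stripping a lone ".") does not raise an offset notice.
     if (substr($dir, 0, 1) !== '/') {
         $dir = '/' . $dir;
     }
     if (substr($dir, -1) !== '/') {
         $dir .= '/';
     }
     $filepath = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document' . $dir;
     if (empty($_POST['dir']) && empty($_GET['dir'])) {
         // No folder requested: generate the learning-path folder instead.
         $result = $this->generate_lp_folder($_course);
         $dir = $result['dir'];
         $filepath = $result['filepath'];
     }
     if (!is_dir($filepath)) {
         // Unknown folder: fall back to the document root.
         $filepath = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document/';
         $dir = '/';
     }
     // stripslashes() before calling api_replace_dangerous_char() because $_POST['title']
     // is already escaped twice when it gets here.
     $posted_title = isset($_POST['title']) ? $_POST['title'] : '';
     $title = api_replace_dangerous_char(stripslashes($posted_title));
     $title = FileManager::disable_dangerous_file($title);
     $filename = $title;
     $content = isset($_POST['content_lp']) ? $_POST['content_lp'] : '';
     // Append "_1", "_2", ... until the name is free in the target folder.
     $tmp_filename = $filename;
     $i = 0;
     while (file_exists($filepath . $tmp_filename . '.html')) {
         $tmp_filename = $filename . '_' . ++$i;
     }
     $filename = $tmp_filename . '.html';
     $content = stripslashes($content);
     $content = str_replace(api_get_path(WEB_COURSE_PATH), api_get_path(REL_PATH) . 'courses/', $content);
     // Change the path of mp3 to absolute.
     // The first regexp deals with ../../../ urls.
     $content = preg_replace("|(flashvars=\"file=)(\\.+/)+|", "\$1" . api_get_path(REL_COURSE_PATH) . $_course['path'] . '/document/', $content);
     // The second regexp deals with audio/ urls.
     $content = preg_replace("|(flashvars=\"file=)([^/]+)/|", "\$1" . api_get_path(REL_COURSE_PATH) . $_course['path'] . '/document/$2/', $content);
     // For flv player: To prevent edition problem with firefox, we have to use a strange tip (don't blame me please).
     $content = str_replace('</body>', '<style type="text/css">body{}</style></body>', $content);
     $full_path = $filepath . $filename;
     if (file_exists($full_path)) {
         // The loop above should have avoided this; never overwrite an existing file.
         return null;
     }
     if (file_put_contents($full_path, $content) === false) {
         // Folder not writable: nothing has been registered in the database.
         return null;
     }
     $file_size = filesize($full_path);
     $save_file_path = $dir . $filename;
     $document_id = FileManager::add_document($_course, $save_file_path, 'file', $file_size, $tmp_filename);
     if ($document_id) {
         api_item_property_update($_course, TOOL_DOCUMENT, $document_id, 'DocumentAdded', api_get_user_id(), null, null, null, null, api_get_session_id());
         $new_comment = isset($_POST['comment']) ? trim($_POST['comment']) : '';
         $new_title = isset($_POST['title']) ? trim($_POST['title']) : '';
         // Compared against '' rather than by truthiness so a title or comment
         // of "0" is stored instead of being silently dropped.
         if ($new_comment !== '' || $new_title !== '') {
             $tbl_doc = Database::get_course_table(TABLE_DOCUMENT);
             $assignments = array();
             if ($new_comment !== '') {
                 $assignments[] = "comment='" . Database::escape_string($new_comment) . "'";
             }
             if ($new_title !== '') {
                 $assignments[] = "title='" . Database::escape_string(htmlspecialchars($new_title, ENT_QUOTES, $charset)) . "'";
             }
             // Ids are cast to int so only the escaped strings reach the query as text.
             $sql_update = "UPDATE " . $tbl_doc . " SET " . implode(', ', $assignments)
                 . " WHERE c_id = " . (int) $course_id . " AND id = " . (int) $document_id;
             Database::query($sql_update);
         }
     }
     return $document_id;
 }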
/**
 * Check whether a document with the chosen filename already exists.
 *
 * Note the inverted contract: the result is true when NO file named
 * "<cleaned name>.html" exists under the global $filepath, and false when
 * one does. The name goes through the same cleaning chain that is applied
 * when the document is created, so both sides agree on the final name.
 *
 * @param string $filename Requested file name (untrimmed, uncleaned)
 * @return bool True when the cleaned name is still free
 */
function document_exists($filename)
{
    global $filepath;
    $clean_name = FileManager::disable_dangerous_file(
        api_replace_dangerous_char(
            Security::remove_XSS(addslashes(trim($filename)))
        )
    );
    $candidate = $filepath . $clean_name . '.html';
    return file_exists($candidate) === false;
}
    $webcamdir = $params['webcamdir'];
    $webcamuserid = $params['webcamuserid'];
} else {
    api_not_allowed();
    die;
}
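// Only the logged-in user may store a snapshot under his/her own id. Both ids
// are cast to int so a non-numeric $webcamuserid compares as 0 and is rejected
// instead of depending on PHP's loose string/number comparison rules.
$current_user_id = (int) api_get_user_id();
if ((int) $webcamuserid !== $current_user_id || $current_user_id === 0) {
    api_not_allowed();
    die;
}
//clean
$webcamname = Security::remove_XSS($webcamname);
$webcamname = Database::escape_string($webcamname);
$webcamname = addslashes(trim($webcamname));
$webcamname = api_replace_dangerous_char($webcamname, 'strict');
$webcamname = FileManager::disable_dangerous_file($webcamname);
$webcamdir = Security::remove_XSS($webcamdir);
// The directory is concatenated below the course document root; a ".."
// component would let the request write outside of it, so it is refused.
if (!is_string($webcamdir) || strpos($webcamdir, '..') !== false) {
    api_not_allowed();
    die;
}
//security extension
// Only the last dot-separated part counts; anything but .jpg is refused.
$name_parts = explode('.', $webcamname);
$ext = strtolower($name_parts[count($name_parts) - 1]);
if ($ext !== 'jpg') {
    die;
}
//Do not use here check Fileinfo method because return: text/plain
$dirBaseDocuments = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document';
$saveDir = $dirBaseDocuments . $webcamdir;
$current_session_id = api_get_session_id();
// The group id is not always present in the session; keep null instead of
// raising an undefined-index notice.
$groupId = isset($_SESSION['_gid']) ? $_SESSION['_gid'] : null;
//avoid duplicates
$webcamname_to_save = $webcamname;
$title_to_save = str_replace('_', ' ', $webcamname);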
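/**
 * Rename a file on disk and update its document database entry accordingly.
 *
 * Takes all its input from parameters. On success it also writes the new name
 * into $GLOBALS['file_name'] and $GLOBALS['doc'], which callers appear to read
 * back (kept for compatibility).
 *
 * @param string      $base_work_dir Absolute path of the course work directory
 * @param string      $source_file   Current file name, relative to $dir
 * @param string      $rename_to     Requested new name; slashes are stripped before use
 * @param string|null $dir           Directory of the file relative to $base_work_dir; null or '' means the root
 * @param mixed       $doc           Unused; kept so existing call sites keep working
 * @return string|null Translated "file modified" message on success, null when
 *                     FileManager::my_rename() refused (name taken or dangerous)
 * @todo check if this function is used
 */
function change_name($base_work_dir, $source_file, $rename_to, $dir, $doc)
{
    $file_name_for_change = $base_work_dir . $dir . $source_file;
    // Avoid renaming to .htaccess / executable files.
    $rename_to = FileManager::disable_dangerous_file($rename_to);
    $rename_to = FileManager::my_rename($file_name_for_change, stripslashes($rename_to));
    if (!$rename_to) {
        // my_rename() reported a conflict ("FileExists"); nothing was changed on disk.
        return null;
    }
    // Build the database path of the renamed file; the root has no $dir prefix.
    if ((string) $dir !== '') {
        $source_file = $dir . $source_file;
        $new_full_file_name = dirname($source_file) . '/' . $rename_to;
    } else {
        $source_file = '/' . $source_file;
        $new_full_file_name = '/' . $rename_to;
    }
    FileManager::update_db_info('update', $source_file, $new_full_file_name);
    // Callers read the new name back through these globals.
    $GLOBALS['file_name'] = $rename_to;
    $GLOBALS['doc'] = $rename_to;
    return get_lang('fileModified');
}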
//Only teacher and all users into their group and any user into his/her shared folder
if ($is_allowed_to_edit || $group_member_with_upload_rights || is_my_shared_folder(api_get_user_id(), $curdirpath, $session_id)) {
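    // Create directory with $_POST data
    $post_dir_name = isset($_POST['dirname']) ? $_POST['dirname'] : '';
    if (isset($_POST['create_dir']) && $post_dir_name !== '') {
        // Needed for directory creation: the bare traversal names are refused
        // outright; everything else is cleaned before it touches the filesystem
        // (api_replace_dangerous_char() / disable_dangerous_file() are assumed
        // to strip path separators — confirm).
        if (in_array($post_dir_name, array('../', '.', '..'), true)) {
            Display::display_error_message(get_lang('CannotCreateDir'));
        } else {
            if (!empty($_POST['dir_id'])) {
                $document_data = DocumentManager::get_document_data_by_id($_POST['dir_id'], api_get_course_id());
                // Unknown id: behave as before (root) without an undefined-index notice.
                $curdirpath = isset($document_data['path']) ? $document_data['path'] : '';
            }
            $added_slash = $curdirpath == '/' ? '' : '/';
            $dir_name = $curdirpath . $added_slash . api_replace_dangerous_char($post_dir_name);
            $dir_name = FileManager::disable_dangerous_file($dir_name);
            $dir_check = $base_work_dir . $dir_name;
            $created_dir = false;
            if (!is_dir($dir_check)) {
                $created_dir = FileManager::create_unexisting_directory($_course, api_get_user_id(), api_get_session_id(), $to_group_id, $to_user_id, $base_work_dir, $dir_name, $post_dir_name);
            }
            if ($created_dir) {
                // The created path derives from user input: escape it for the title attribute.
                Display::display_confirmation_message('<span title="' . htmlspecialchars($created_dir, ENT_QUOTES) . '">' . get_lang('DirCr') . '</span>', false);
                // Uncomment if you want to enter the created dir
                //$curdirpath = $created_dir;
                //$curdirpathurl = urlencode($curdirpath);
            } else {
                // Either the directory already existed or creation failed.
                Display::display_error_message(get_lang('CannotCreateDir'));
            }
        }
    }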
    $wamidir = $params['wamidir'];
    $wamiuserid = $params['wamiuserid'];
} else {
    api_not_allowed();
    die;
}
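// Only the logged-in user may store a recording under his/her own id. Both ids
// are cast to int so a non-numeric $wamiuserid compares as 0 and is rejected
// instead of depending on PHP's loose string/number comparison rules.
$current_user_id = (int) api_get_user_id();
if ((int) $wamiuserid !== $current_user_id || $current_user_id === 0) {
    api_not_allowed();
    die;
}
//clean
$waminame = Security::remove_XSS($waminame);
$waminame = Database::escape_string($waminame);
$waminame = addslashes(trim($waminame));
$waminame = api_replace_dangerous_char($waminame, 'strict');
$waminame = FileManager::disable_dangerous_file($waminame);
$wamidir = Security::remove_XSS($wamidir);
// The directory is concatenated below the course document root; a ".."
// component would let the request write outside of it, so it is refused.
if (!is_string($wamidir) || strpos($wamidir, '..') !== false) {
    api_not_allowed();
    die;
}
//security extension
// Only the last dot-separated part counts; anything but .wav is refused.
$name_parts = explode('.', $waminame);
$ext = strtolower($name_parts[count($name_parts) - 1]);
if ($ext !== 'wav') {
    die;
}
// Read the raw request body only once the name has been validated, so a
// rejected request does not buffer the whole upload for nothing.
$content = file_get_contents('php://input');
//Do not use here check Fileinfo method because return: text/plain
$dirBaseDocuments = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document';
$saveDir = $dirBaseDocuments . $wamidir;
$current_session_id = api_get_session_id();
// The group id is not always present in the session; keep null instead of
// raising an undefined-index notice.
$groupId = isset($_SESSION['_gid']) ? $_SESSION['_gid'] : null;
//avoid duplicates
$waminame_to_save = $waminame;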
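 // Create the audio folder if it does not exist yet.
 $_course = api_get_course_info();
 $filepath = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document/';
 $audio_folder_path = $filepath . 'audio';
 if (!is_dir($audio_folder_path)) {
     // Register the folder in the document tool only when it was really created,
     // so a failed mkdir() does not leave a database entry without a directory.
     if (mkdir($audio_folder_path, api_get_permissions_for_new_directories())) {
         $audio_id = FileManager::add_document($_course, '/audio', 'folder', 0, 'audio');
         api_item_property_update($_course, TOOL_DOCUMENT, $audio_id, 'FolderCreated', api_get_user_id(), null, null, null, null, api_get_session_id());
     }
 }
 // Check if the file already exists in document/audio/
 $file_name = $_FILES[$key]['name'];
 $file_name = stripslashes($file_name);
 // Add extension to files without one (if possible).
 $file_name = FileManager::add_ext_on_mime($file_name, $_FILES[$key]['type']);
 $clean_name = api_replace_dangerous_char($file_name);
 // No "dangerous" files.
 $clean_name = FileManager::disable_dangerous_file($clean_name);
 $check_file_path = $audio_folder_path . '/' . $clean_name;
 // If the file exists we generate a new name.
 if (file_exists($check_file_path)) {
     $filename_components = explode('.', $clean_name);
     // Getting the extension of the file (last dot-separated part).
     $file_extension = array_pop($filename_components);
     // Adding a timestamp to prevent overwriting; the counter below covers
     // several uploads within the same second, where time() alone collides.
     $stem = implode('', $filename_components) . time();
     $clean_name = $stem . '.' . $file_extension;
     $suffix = 0;
     while (file_exists($audio_folder_path . '/' . $clean_name)) {
         $clean_name = $stem . '_' . ++$suffix . '.' . $file_extension;
     }
     // Using the new name in the $_FILES superglobal.
     $_FILES[$key]['name'] = $clean_name;
 }
 // Upload the file in the documents tool
 $file_path = FileManager::handle_uploaded_document($_course, $_FILES[$key], api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document', '/audio', api_get_user_id(), '', '', '', '', false);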
 /**
  * Filters dangerous filenames (*.php[.]?* and .htaccess) and returns them in
  * a non-executable form. Thin wrapper around FileManager::disable_dangerous_file();
  * it covers PHP and htaccess only, so files of other languages' extensions are
  * still passed through unchanged.
  *
  * @param   string  $filename  Unfiltered filename
  * @return  string  Filtered filename
  */
 public static function filter_filename($filename)
 {
     $safe_name = FileManager::disable_dangerous_file($filename);
     return $safe_name;
 }
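/**
 * Upload a submitted user production.
 *
 * Stores the file from $_FILES['production'] under its cleaned name in the
 * user's production directory, which is created on demand.
 *
 * @param    int    $user_id    User id
 * @return   string|false   The filename of the new production, or false when no
 *                          file was submitted, the directory could not be created,
 *                          the extension is not allowed, or the move failed
 */
function upload_user_production($user_id)
{
    // Nothing to do when the form did not carry a production file.
    if (!isset($_FILES['production']['name'], $_FILES['production']['tmp_name'])) {
        return false;
    }
    $image_path = UserManager::get_user_picture_path_by_id($user_id, 'system', true);
    $production_repository = $image_path['dir'] . $user_id . '/';
    if (!file_exists($production_repository)
        && !mkdir($production_repository, api_get_permissions_for_new_directories(), true)
        && !is_dir($production_repository)
    ) {
        // Creation failed (and nobody created it concurrently): the move below could not succeed.
        return false;
    }
    $filename = api_replace_dangerous_char($_FILES['production']['name']);
    $filename = FileManager::disable_dangerous_file($filename);
    if (!FileManager::filter_extension($filename)) {
        return false;
    }
    // move_uploaded_file() only accepts files that arrived through an HTTP upload.
    if (!move_uploaded_file($_FILES['production']['tmp_name'], $production_repository . $filename)) {
        return false;
    }
    return $filename;
}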