2004-12-14 18:57:51 +00:00
|
|
|
<?php // $Id$
|
|
|
|
|
// This script fetches files from the dataroot directory
|
|
|
|
|
// Syntax: file.php/courseid/dir/dir/dir/filename.ext
|
2005-07-12 08:05:42 +00:00
|
|
|
// file.php/courseid/dir/dir/dir/filename.ext?forcedownload=1 (download instead of inline)
|
2004-12-14 18:57:51 +00:00
|
|
|
// file.php/courseid/dir (returns index.html from dir)
|
|
|
|
|
// Workaround: file.php?file=/courseid/dir/dir/dir/filename.ext
|
2005-02-26 20:43:30 +00:00
|
|
|
// Test: file.php/testslasharguments
|
2004-12-14 18:57:51 +00:00
|
|
|
|
2004-09-29 18:19:39 +00:00
|
|
|
require_once('config.php');
|
2005-03-07 11:34:16 +00:00
|
|
|
require_once('lib/filelib.php');
|
2001-11-22 06:23:56 +00:00
|
|
|
|
2004-04-01 02:32:04 +00:00
|
|
|
if (empty($CFG->filelifetime)) {
|
2004-12-14 18:57:51 +00:00
|
|
|
$lifetime = 86400; // Seconds for files to remain in caches
|
2003-01-12 06:53:25 +00:00
|
|
|
} else {
|
2004-12-14 18:57:51 +00:00
|
|
|
$lifetime = $CFG->filelifetime;
|
2006-09-14 09:08:07 +00:00
|
|
|
}
|
2002-08-26 09:48:00 +00:00
|
|
|
|
2004-12-14 18:57:51 +00:00
|
|
|
$relativepath = get_file_argument('file.php');
|
2005-07-12 08:05:42 +00:00
|
|
|
$forcedownload = optional_param('forcedownload', 0, PARAM_BOOL);
|
2004-12-14 18:57:51 +00:00
|
|
|
|
|
|
|
|
// relative path must start with '/', because of backup/restore!!!
|
|
|
|
|
if (!$relativepath) {
|
|
|
|
|
error('No valid arguments supplied or incorrect server configuration');
|
|
|
|
|
} else if ($relativepath{0} != '/') {
|
|
|
|
|
error('No valid arguments supplied, path does not start with slash!');
|
2001-11-22 06:23:56 +00:00
|
|
|
}
|
|
|
|
|
|
2004-12-14 18:57:51 +00:00
|
|
|
$pathname = $CFG->dataroot.$relativepath;
|
2003-11-27 17:23:36 +00:00
|
|
|
|
2004-12-14 18:57:51 +00:00
|
|
|
// extract relative path components
|
|
|
|
|
$args = explode('/', trim($relativepath, '/'));
|
|
|
|
|
if (count($args) == 0) { // always at least courseid, may search for index.html in course root
|
2004-09-29 18:19:39 +00:00
|
|
|
error('No valid arguments supplied');
|
2002-09-05 11:56:20 +00:00
|
|
|
}
|
|
|
|
|
|
2004-12-14 18:57:51 +00:00
|
|
|
// security: limit access to existing course subdirectories
|
|
|
|
|
// note: course ID must be specified
|
|
|
|
|
// note: the lang field is needed for the course language switching hack in weblib.php
|
|
|
|
|
if (!$course = get_record_sql("SELECT id, lang FROM {$CFG->prefix}course WHERE id='".(int)$args[0]."'")) {
|
|
|
|
|
error('Invalid course ID');
|
2004-03-16 07:20:00 +00:00
|
|
|
}
|
|
|
|
|
|
2004-12-14 18:57:51 +00:00
|
|
|
// security: prevent access to "000" or "1 something" directories
|
|
|
|
|
if ($args[0] != $course->id) {
|
2004-09-29 18:19:39 +00:00
|
|
|
error('Invalid course ID');
|
2004-09-07 14:13:19 +00:00
|
|
|
}
|
2001-11-25 15:48:24 +00:00
|
|
|
|
2004-12-14 18:57:51 +00:00
|
|
|
// security: login to course if necessary
|
|
|
|
|
if ($course->id != SITEID) {
|
|
|
|
|
require_login($course->id);
|
2004-05-28 01:17:37 +00:00
|
|
|
} else if ($CFG->forcelogin) {
|
|
|
|
|
require_login();
|
2001-11-22 06:23:56 +00:00
|
|
|
}
|
|
|
|
|
|
2004-12-14 18:57:51 +00:00
|
|
|
// security: only editing teachers can access backups
|
2006-09-05 08:50:23 +00:00
|
|
|
if ((!has_capability('moodle/site:backup', get_context_instance(CONTEXT_COURSE, $course->id)))
|
2004-12-14 18:57:51 +00:00
|
|
|
and (count($args) >= 2)
|
|
|
|
|
and (strtolower($args[1]) == 'backupdata')) {
|
2001-11-22 06:23:56 +00:00
|
|
|
|
2004-12-14 18:57:51 +00:00
|
|
|
error('Access not allowed');
|
|
|
|
|
}
|
2001-11-22 06:23:56 +00:00
|
|
|
|
2004-12-14 18:57:51 +00:00
|
|
|
if (is_dir($pathname)) {
|
|
|
|
|
if (file_exists($pathname.'/index.html')) {
|
|
|
|
|
$pathname = rtrim($pathname, '/').'/index.html';
|
|
|
|
|
$args[] = 'index.html';
|
|
|
|
|
} else if (file_exists($pathname.'/index.htm')) {
|
|
|
|
|
$pathname = rtrim($pathname, '/').'/index.htm';
|
|
|
|
|
$args[] = 'index.htm';
|
|
|
|
|
} else if (file_exists($pathname.'/Default.htm')) {
|
|
|
|
|
$pathname = rtrim($pathname, '/').'/Default.htm';
|
|
|
|
|
$args[] = 'Default.htm';
|
|
|
|
|
} else {
|
|
|
|
|
// security: do not return directory node!
|
|
|
|
|
not_found($course->id);
|
|
|
|
|
}
|
|
|
|
|
}
|
2004-03-11 02:14:15 +00:00
|
|
|
|
2005-02-22 23:36:20 +00:00
|
|
|
// security: teachers can view all assignments, students only their own
|
|
|
|
|
if ((count($args) >= 3)
|
|
|
|
|
and (strtolower($args[1]) == 'moddata')
|
|
|
|
|
and (strtolower($args[2]) == 'assignment')) {
|
|
|
|
|
|
|
|
|
|
$lifetime = 0; // do not cache assignments, students may reupload them
|
2006-09-05 08:50:23 +00:00
|
|
|
if ((!has_capability('mod/assignment:grade', get_context_instance(CONTEXT_COURSE, $course->id))) && (count($args) != 6 || $args[4] != $USER->id)) {
|
2005-02-22 23:36:20 +00:00
|
|
|
error('Access not allowed');
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2005-07-12 08:05:42 +00:00
|
|
|
// security: force download of all attachments submitted by students
|
|
|
|
|
if ((count($args) >= 3)
|
|
|
|
|
and (strtolower($args[1]) == 'moddata')
|
|
|
|
|
and ((strtolower($args[2]) == 'forum')
|
|
|
|
|
or (strtolower($args[2]) == 'assignment')
|
2006-07-30 22:44:50 +00:00
|
|
|
or (strtolower($args[2]) == 'data')
|
2005-07-12 08:05:42 +00:00
|
|
|
or (strtolower($args[2]) == 'glossary')
|
|
|
|
|
or (strtolower($args[2]) == 'wiki')
|
|
|
|
|
or (strtolower($args[2]) == 'exercise')
|
|
|
|
|
or (strtolower($args[2]) == 'workshop')
|
|
|
|
|
)) {
|
|
|
|
|
$forcedownload = 1; // force download of all attachments
|
|
|
|
|
}
|
|
|
|
|
|
2005-02-22 23:36:20 +00:00
|
|
|
// security: some protection of hidden resource files
|
|
|
|
|
// warning: it may break backwards compatibility
|
|
|
|
|
if ((!empty($CFG->preventaccesstohiddenfiles))
|
|
|
|
|
and (count($args) >= 2)
|
2006-09-14 06:43:01 +00:00
|
|
|
and (!has_capability('moodle/course:viewhiddenactivities', get_context_instance(CONTEXT_COURSE, $course->id)))) {
|
2005-02-22 23:36:20 +00:00
|
|
|
|
|
|
|
|
$reference = ltrim($relativepath, "/{$args[0]}/");
|
|
|
|
|
|
|
|
|
|
$sql = "SELECT COUNT(r.id) " .
|
|
|
|
|
"FROM {$CFG->prefix}resource r, " .
|
|
|
|
|
"{$CFG->prefix}course_modules cm, " .
|
|
|
|
|
"{$CFG->prefix}modules m " .
|
|
|
|
|
"WHERE r.course = '{$course->id}' " .
|
|
|
|
|
"AND m.name = 'resource' " .
|
|
|
|
|
"AND cm.module = m.id " .
|
|
|
|
|
"AND cm.instance = r.id " .
|
|
|
|
|
"AND cm.visible = 0 " .
|
|
|
|
|
"AND r.type = 'file' " .
|
|
|
|
|
"AND r.reference = '{$reference}'";
|
|
|
|
|
if (count_records_sql($sql)) {
|
|
|
|
|
error('Access not allowed');
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2004-12-14 18:57:51 +00:00
|
|
|
// check that file exists
|
|
|
|
|
if (!file_exists($pathname)) {
|
|
|
|
|
not_found($course->id);
|
|
|
|
|
}
|
2004-04-26 03:41:45 +00:00
|
|
|
|
2004-12-14 18:57:51 +00:00
|
|
|
// extra security: keep symbolic links inside dataroot/courseid if required
|
|
|
|
|
/*if (!empty($CFG->checksymlinks)) {
|
|
|
|
|
$realpath = realpath($pathname);
|
|
|
|
|
$realdataroot = realpath($CFG->dataroot.'/'.$course->id);
|
|
|
|
|
if (strpos($realpath, $realdataroot) !== 0) {
|
|
|
|
|
not_found($course->id);
|
2004-03-09 06:28:01 +00:00
|
|
|
}
|
2004-12-14 18:57:51 +00:00
|
|
|
}*/
|
|
|
|
|
|
|
|
|
|
// ========================================
|
|
|
|
|
// finally send the file
|
|
|
|
|
// ========================================
|
2005-05-17 01:00:48 +00:00
|
|
|
session_write_close(); // unlock session during fileserving
|
2004-12-14 18:57:51 +00:00
|
|
|
$filename = $args[count($args)-1];
|
2006-02-21 12:54:24 +00:00
|
|
|
send_file($pathname, $filename, $lifetime, $CFG->filteruploadedfiles, false, $forcedownload);
|
2004-12-14 18:57:51 +00:00
|
|
|
|
|
|
|
|
function not_found($courseid) {
|
|
|
|
|
global $CFG;
|
2004-09-29 18:19:39 +00:00
|
|
|
header('HTTP/1.0 404 not found');
|
2004-12-14 18:57:51 +00:00
|
|
|
error(get_string('filenotfound', 'error'), $CFG->wwwroot.'/course/view.php?id='.$courseid); //this is not displayed on IIS??
|
2001-11-22 06:23:56 +00:00
|
|
|
}
|
2004-12-14 18:57:51 +00:00
|
|
|
?>
|
