MDL-28501 mod_folder: make force downloading behavior configuable

mod/folder/backup/moodle2/backup_folder_stepslib.php

@@ -38,7 +38,7 @@ class backup_folder_activity_structure_step extends backup_activity_structure_st
         // Define each element separated
         $folder = new backup_nested_element('folder', array('id'), array(
             'name', 'intro', 'introformat', 'revision',
-            'timemodified', 'display', 'showexpanded'));
+            'timemodified', 'display', 'showexpanded', 'forcedownload'));
 
         // Build the tree
         // (nice mono-tree, lol)

mod/folder/db/access.php

@@ -58,9 +58,9 @@ $capabilities = array(
         )
     ),*/
 
-    // can manage files in the folder
+    // Can manage files in the folder.
     'mod/folder:managefiles' => array(
-        'riskbitmask' => RISK_SPAM,
+        'riskbitmask' => RISK_SPAM | RISK_XSS,
         'captype' => 'write',
         'contextlevel' => CONTEXT_MODULE,
         'archetypes' => array(
@@ -68,4 +68,3 @@ $capabilities = array(
         )
     )
 );
-

mod/folder/db/install.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8" ?>
-<XMLDB PATH="mod/folder/db" VERSION="20130407" COMMENT="XMLDB file for Folder module"
+<XMLDB PATH="mod/folder/db" VERSION="20200213" COMMENT="XMLDB file for Folder module"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="../../../lib/xmldb/xmldb.xsd"
 >
@@ -14,8 +14,9 @@
         <FIELD NAME="revision" TYPE="int" LENGTH="10" NOTNULL="true" DEFAULT="0" SEQUENCE="false" COMMENT="incremented when after each file changes, solves browser caching issues"/>
         <FIELD NAME="timemodified" TYPE="int" LENGTH="10" NOTNULL="true" DEFAULT="0" SEQUENCE="false"/>
         <FIELD NAME="display" TYPE="int" LENGTH="4" NOTNULL="true" DEFAULT="0" SEQUENCE="false" COMMENT="Display type of folder contents - on a separate page or inline"/>
-        <FIELD NAME="showexpanded" TYPE="int" LENGTH="1" NOTNULL="true" UNSIGNED="false" DEFAULT="1" SEQUENCE="false" COMMENT="1 = expanded, 0 = collapsed for sub-folders"/>
-        <FIELD NAME="showdownloadfolder" TYPE="int" LENGTH="1" NOTNULL="true" UNSIGNED="false" DEFAULT="1" SEQUENCE="false" COMMENT="1 = show download folder button"/>
+        <FIELD NAME="showexpanded" TYPE="int" LENGTH="1" NOTNULL="true" DEFAULT="1" SEQUENCE="false" COMMENT="1 = expanded, 0 = collapsed for sub-folders"/>
+        <FIELD NAME="showdownloadfolder" TYPE="int" LENGTH="1" NOTNULL="true" DEFAULT="1" SEQUENCE="false" COMMENT="1 = show download folder button"/>
+        <FIELD NAME="forcedownload" TYPE="int" LENGTH="1" NOTNULL="true" DEFAULT="1" SEQUENCE="false" COMMENT="1 = force download of individual files"/>
       </FIELDS>
       <KEYS>
         <KEY NAME="primary" TYPE="primary" FIELDS="id"/>
@@ -25,4 +26,4 @@
       </INDEXES>
     </TABLE>
   </TABLES>
-</XMLDB>
+</XMLDB>

mod/folder/db/upgrade.php

@@ -45,7 +45,9 @@
 defined('MOODLE_INTERNAL') || die();
 
 function xmldb_folder_upgrade($oldversion) {
-    global $CFG;
+    global $CFG, $DB;
+
+    $dbman = $DB->get_manager(); // Loads ddl manager and xmldb classes.
 
     // Automatically generated Moodle v3.5.0 release upgrade line.
     // Put any upgrade step following this.
@@ -61,6 +63,20 @@ function xmldb_folder_upgrade($oldversion) {
 
     // Automatically generated Moodle v3.9.0 release upgrade line.
     // Put any upgrade step following this.
+    if ($oldversion < 2021052501) {
+
+        // Define field forcedownload to be added to folder.
+        $table = new xmldb_table('folder');
+        $field = new xmldb_field('forcedownload', XMLDB_TYPE_INTEGER, '1', null, XMLDB_NOTNULL, null, '1', 'showdownloadfolder');
+
+        // Conditionally launch add field forcedownload.
+        if (!$dbman->field_exists($table, $field)) {
+            $dbman->add_field($table, $field);
+        }
+
+        // Folder savepoint reached.
+        upgrade_mod_savepoint(true, 2021052501, 'folder');
+    }
 
     return true;
 }

mod/folder/lang/en/folder.php

@@ -1,5 +1,4 @@
 <?php
-
 // This file is part of Moodle - http://moodle.org/
 //
 // Moodle is free software: you can redistribute it and/or modify
@@ -33,6 +32,8 @@ $string['folder:addinstance'] = 'Add a new folder';
 $string['folder:managefiles'] = 'Manage files in folder module';
 $string['folder:view'] = 'View folder content';
 $string['foldercontent'] = 'Files and subfolders';
+$string['forcedownload'] = 'Force download of files';
+$string['forcedownload_help'] = 'Whether certain files, such as images or HTML files, should be displayed in the browser rather than being downloaded. Note that for security reasons, the setting should only be unticked if all users with the capability to manage files in the folder are trusted users.';
 $string['indicator:cognitivedepth'] = 'Folder cognitive';
 $string['indicator:cognitivedepth_help'] = 'This indicator is based on the cognitive depth reached by the student in a Folder resource.';
 $string['indicator:cognitivedepthdef'] = 'Folder cognitive';

mod/folder/lib.php

@@ -283,9 +283,13 @@ function folder_pluginfile($course, $cm, $context, $filearea, $args, $forcedownl
         return false;
     }
 
-    // finally send the file
-    // for folder module, we force download file all the time
-    send_stored_file($file, 0, 0, true, $options);
+    // Set security posture for in-browser display.
+    if (!$forcedownload) {
+        header("Content-Security-Policy: default-src 'none'; img-src 'self'");
+    }
+
+    // Finally send the file.
+    send_stored_file($file, 0, 0, $forcedownload, $options);
 }
 
 /**

mod/folder/mod_form.php

@@ -68,6 +68,12 @@ class mod_folder_mod_form extends moodleform_mod {
         $mform->addElement('advcheckbox', 'showdownloadfolder', get_string('showdownloadfolder', 'folder'));
         $mform->addHelpButton('showdownloadfolder', 'showdownloadfolder', 'mod_folder');
         $mform->setDefault('showdownloadfolder', true);
+
+        // Adding option to enable viewing of individual files.
+        $mform->addElement('advcheckbox', 'forcedownload', get_string('forcedownload', 'folder'));
+        $mform->addHelpButton('forcedownload', 'forcedownload', 'mod_folder');
+        $mform->setDefault('forcedownload', true);
+
         //-------------------------------------------------------
         $this->standard_coursemodule_elements();
 

mod/folder/renderer.php

@@ -146,9 +146,14 @@ class mod_folder_renderer extends plugin_renderer_base {
             }
             $filename = html_writer::tag('span', $image, array('class' => 'fp-icon')).
                     html_writer::tag('span', $filenamedisplay, array('class' => 'fp-filename'));
+            $urlparams = null;
+            if ($tree->folder->forcedownload) {
+                $urlparams = ['forcedownload' => 1];
+            }
             $filename = html_writer::tag('span',
-                    html_writer::link($url->out(false, array('forcedownload' => 1)), $filename),
-                    array('class' => 'fp-filename-icon'));
+                html_writer::link($url->out(false, $urlparams), $filename),
+                ['class' => 'fp-filename-icon']
+            );
             $result .= html_writer::tag('li', $filename);
         }
         $result .= '</ul>';

mod/folder/version.php

@@ -24,7 +24,7 @@
 
 defined('MOODLE_INTERNAL') || die();
 
-$plugin->version   = 2021052500;       // The current module version (Date: YYYYMMDDXX)
+$plugin->version   = 2021052501;       // The current module version (Date: YYYYMMDDXX)
 $plugin->requires  = 2021052500;    // Requires this Moodle version
 $plugin->component = 'mod_folder';     // Full name of the plugin (used for diagnostics)
 $plugin->cron      = 0;