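course))) {
    error("Supplied quiz $quiz->name does not belong to a valid course");
}

// NOTE(review): every check below assumes error() stops the request; if it
// can return, execution falls through to the file send. Confirm.
require_login($course->id);

// Access rule. The file is refused unless one of these holds:
//   - the user is a teacher of the course, or
//   - the user has an unfinished attempt on this quiz, or
//   - the quiz allows review, has closed, and the user has an attempt.
// The grouping is spelled out with parentheses: in a mixed `and` / `||`
// expression `||` binds tighter than `and`, so an unparenthesised form is
// easy to break when the condition is edited.
if (!isteacher($course->id)
        && !quiz_get_user_attempt_unfinished($quiz->id, $USER->id)
        && (!($quiz->review && time() > $quiz->timeclose)
            || !quiz_get_user_attempts($quiz->id, $USER->id))) {
    error("Logged-in user is not allowed to view this quiz");
}

///////////////////////////////////////////////////
// The logged-in user has the right to view material on this quiz!
// Now verify the consistency between $quiz, $question, its category and $relativepathname
///////////////////////////////////////////////////

// For now, let's not worry about this.  The following check doesn't
// work for randomly selected questions and it gets complicated
// NOTE(review): with this check disabled, nothing below ties $question to
// $quiz, so the quiz access rule above does not limit which question's
// file is served.
//if (!in_array($question->id, explode(',', $quiz->questions), FALSE)) {
//    error("Specified question is not on the specified quiz");
//}

if (! ($questioncategory = get_record('quiz_categories', 'id', $question->category))) {
    error("Question category is not valid");
}

// For the moment - questions can reference datafiles through image only.
// Compared as strings with !== so that PHP's numeric-string juggling
// (e.g. "1e3" == "1000") cannot make two different paths look equal.
if ((string)$question->image !== (string)$relativefilepath) {
    error("The specified file path is not on the specified question");
}

///////////////////////////////////////////
// The checks above have passed.
// Specified file can now be returned...
//////////////////////////////////////////

// NOTE(review): the only constraint on $relativefilepath visible here is
// that it equals the stored $question->image. Whether ".." segments are
// rejected when the path is parsed, or when the image is saved, is not
// visible in this part of the file - confirm the result stays under the
// course directory.
$pathname = "$CFG->dataroot/$questioncategory->course/$relativefilepath";
// $filename has already been extracted

/////////////////////////////////////////////////////////////////
// The remaining code is identical to the final lines of file.php
// If you ask me - this stuff should be separated into a separate
// function for convenience.
// That function would find itself very comfortable in the
// file mimetypes.php
//////////////////////////////////

$mimetype = mimeinfo("type", $filename);

if (file_exists($pathname)) {
    $lastmodified = filemtime($pathname);

    // The name goes into a quoted header parameter: drop the characters
    // that could end the quoting or start a new header line.
    $headerfilename = str_replace(array('"', '\\', "\r", "\n"), '', $filename);

    header("Last-Modified: " . gmdate("D, d M Y H:i:s", $lastmodified) . " GMT");
    header("Expires: " . gmdate("D, d M Y H:i:s", time() + $lifetime) . " GMT");
    // The directive is spelled max-age (hyphen, no spaces); "max_age = N"
    // is not recognised by caches. "private" keeps shared caches from
    // storing a file that is only served after the login and quiz checks.
    // $lifetime is set earlier in the file (original comment: a day).
    header("Cache-Control: private, max-age=$lifetime");
    header("Pragma: ");
    header("Content-disposition: inline; filename=\"$headerfilename\"");
    header("Content-length: ".filesize($pathname));
    header("Content-type: $mimetype");
    readfile("$pathname");
} else {
    // Report the requested relative path, not $pathname: the full path
    // would show the server's data directory to the user.
    error("Sorry, but the file you are looking for was not found ($relativefilepath)", "course/view.php?id=$courseid");
}

exit;
?>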