PageRenderTime 48ms CodeModel.GetById 23ms RepoModel.GetById 1ms app.codeStats 0ms

/community/www/view_file.php

https://github.com/svn2github/efront-lms
PHP | 135 lines | 98 code | 10 blank | 27 comment | 48 complexity | 596a2b1adb178c95740e8e6c50d9caf4 MD5 | raw file
Possible License(s): BSD-3-Clause, MPL-2.0-no-copyleft-exception, LGPL-3.0 
    

  1. <?php
    2. 

  2. /**
    3. 

    4. 

  4. * View file
    5. 

    6. 

  6. *
    7. 

    8. 

  8. * This file offers the user the ability to view and/or download a file.
    9. 

    10. 

  10. *
    11. 

    12. 

  12. * @package eFront
    13. 

    14. 

  14. * @version 1.0
    15. 

    16. 

  16. */
    17. 

  17. //General initialization and parameters
    18. 

  18. session_cache_limiter('none');
    19. 

  19. session_start();
    20. 

  20. $path = "../libraries/";
    21. 

  21. //Turn output buffering off, since it messes up files
    22. 

  22. define("NO_OUTPUT_BUFFERING", true);
    23. 

  23. /** Configuration file.*/
    24. 

  24. require_once $path."configuration.php";
    25. 

  25. //pr($_SERVER);
    26. 

  26. if (strpos($_SERVER['HTTP_REFERER'], "view_resource.php")){
    27. 

  27.  $bypass_check = true;
    28. 

  28. }
    29. 

  29. try {
    30. 

  30.  if(!$bypass_check) {
    31. 

  31.   $currentUser = EfrontUser :: checkUserAccess();
    32. 

  32.  }
    33. 

  33. } catch (Exception $e) {
    34. 

  34.  //header("HTTP/1.0 500");
    35. 

  35.  //echo EfrontSystem :: printErrorMessage(_RESOURCEREQUESTEDREQUIRESLOGIN);
    36. 

  36.  eF_redirect("index.php?message=".urlencode(_RESOURCEREQUESTEDREQUIRESLOGIN)."&message_type=failure");
    37. 

  37.  exit;
    38. 

  38. }
    39. 

  39. session_write_close();
    40. 

  40. //pr($_SERVER);pr($_GET);exit;
    41. 

  41. try {
    42. 

  42.  if (isset($_GET['server'])) {
    43. 

  43.   $url = $_SERVER['REQUEST_URI'];
    44. 

  44.   if (strpos($url, 'http') !== 0) { //Otherwise, depending on the QUERY_STRING, parse_url() may not work
    45. 

  45.    $url = G_PROTOCOL.'://'.$_SERVER["HTTP_HOST"].$url;
    46. 

  46.   }
    47. 

  47. 

  48.   $urlParts = parse_url($url);
    49. 

  49. 

  50.   $filePath = G_ROOTPATH.'www/'.str_replace(G_SERVERNAME, '', G_PROTOCOL.'://'.$_SERVER['HTTP_HOST'].$urlParts['path']);
    51. 

  51. 

  52.   try {
    53. 

  53.    $file = new EfrontFile(urldecode($filePath));
    54. 

  54.   } catch (Exception $e) {
    55. 

  55.    $file = new EfrontFile($filePath);
    56. 

  56.   }
    57. 

  57.  } else {
    58. 

  58.      $file = new EfrontFile($_GET['file']);
    59. 

  59.  }
    60. 

  60.  if(!$bypass_check) {
    61. 

  61.   if (preg_match("#content/lessons/(\d+)/#", $file['path'], $matches)) { //the file is a content file. Available to any user enrolled to this lesson.
    62. 

  62.    $result = eF_getTableDataFlat("lessons l, users_to_lessons ul", "id, share_folder", "l.archive=0 and l.id=ul.lessons_ID and ul.archive=0 and ul.users_LOGIN='".$currentUser->user['login']."'");
    63. 

  63.    $legalFolders = array_unique(array_merge($result['id'], $result['share_folder']));
    64. 

  64.    if ($currentUser->user['user_type'] != 'administrator' && $matches[1] && !in_array($matches[1], $legalFolders)) {
    65. 

  65.     throw new EfrontFileException(_YOUCANNOTACCESSTHEREQUESTEDRESOURCE, EfrontFileException::UNAUTHORIZED_ACTION);
    66. 

  66.    }
    67. 

  67.   } else if (preg_match("#content/lessons/scorm_uploaded_files/#", $file['path'], $matches)) { //the file is a temporary scorm exported file
    68. 

  68.    //proceed
    69. 

  69.   } else if (preg_match("#".G_UPLOADPATH."(.*)/projects/#", $file['path'], $matches) || preg_match("#".G_UPLOADPATH."(.*)/tests/#", $file['path'], $matches)) { //this is a project or test file. Check whether the current user has access to it
    70. 

  70.    if ($matches[1] == $_SESSION['s_login']) {
    71. 

  71.     //continue if a user is trying to view his/her own file
    72. 

  72.    } else if ($_SESSION['s_lesson_user_type'] != 'professor' || !$_SESSION['s_lessons_ID']) {
    73. 

  73.     throw new EfrontFileException(_YOUCANNOTACCESSTHEREQUESTEDRESOURCE, EfrontFileException::UNAUTHORIZED_ACTION);
    74. 

  74.    } else if (!eF_checkParameter($matches[1], 'login')) {
    75. 

  75.     throw new EfrontFileException(_YOUCANNOTACCESSTHEREQUESTEDRESOURCE, EfrontFileException::UNAUTHORIZED_ACTION);
    76. 

  76.    } else {
    77. 

  77.     $professorLessons = eF_getTableDataFlat("lessons l, users_to_lessons ul", "id", "l.archive=0 and l.id=ul.lessons_ID and ul.archive=0 and ul.users_LOGIN='".$currentUser->user['login']."'");
    78. 

  78.     $userLessons = eF_getTableDataFlat("lessons l, users_to_lessons ul", "id", "l.archive=0 and l.id=ul.lessons_ID and ul.archive=0 and ul.users_LOGIN='".$matches[1]."'");
    79. 

  79.     if (!in_array($_SESSION['s_lessons_ID'], array_intersect($professorLessons['id'], $userLessons['id']))) {
    80. 

  80.      throw new EfrontFileException(_YOUCANNOTACCESSTHEREQUESTEDRESOURCE, EfrontFileException::UNAUTHORIZED_ACTION);
    81. 

  81.     }
    82. 

  82.    }
    83. 

  83.   } else if (preg_match("#".G_UPLOADPATH."(.*)/avatars/#", $file['path'], $matches) || mb_strpos($file['path'], G_SYSTEMAVATARSPATH) !== false ) {
    84. 

  84.      //proceed
    85. 

  85.   } else if ( mb_strpos($file['path'], G_UPLOADPATH) !== false && mb_strpos($file['path'], G_UPLOADPATH.$currentUser->user['login']) === false) {
    86. 

  86.    throw new EfrontFileException(_YOUCANNOTACCESSTHEREQUESTEDRESOURCE, EfrontFileException::UNAUTHORIZED_ACTION);
    87. 

  87.   }
    88. 

  88.  }
    89. 

  89.   if (strpos($file['path'], G_ROOTPATH.'libraries') !== false && strpos($file['path'], G_ROOTPATH.'libraries/language') === false && $file['mime_type'] != "application/inc") {
    90. 

  90.   throw new EfrontFileException(_ILLEGALPATH.': '.$file['path'], EfrontFileException :: ILLEGAL_PATH);
    91. 

  91.  }
    92. 

  92. 

  93.     if (isset($_GET['action']) && $_GET['action'] == 'download') {
    94. 

  94.      $file -> sendFile(true);
    95. 

  95.     } else {
    96. 

  96.   cacheHeaders(lastModificationTime(filemtime($file['path'])));
    97. 

  97. 

  98.      $file -> sendFile(false);
    99. 

  99.     }
    100. 

  100. } catch (EfrontFileException $e) {
    101. 

  101.  if ($e->getCode() == EfrontFileException::FILE_NOT_EXIST) {
    102. 

  102.   header("HTTP/1.0 404");
    103. 

  103.  }
    104. 

  104.     echo EfrontSystem :: printErrorMessage($e -> getMessage());
    105. 

  105. }
    106. 

  106. 

  107. 

  108. function cacheHeaders($lastModifiedDate) {
    109. 

  109.  if ($lastModifiedDate) {
    110. 

  110.   if (isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) && strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE']) >= $lastModifiedDate) {
    111. 

  111.    if (php_sapi_name()=='CGI') {
    112. 

  112.     Header("Status: 304 Not Modified");
    113. 

  113.    } else {
    114. 

  114.     Header("HTTP/1.0 304 Not Modified");
    115. 

  115.    }
    116. 

  116.    exit;
    117. 

  117.   } else {
    118. 

  118.    $gmtDate = gmdate("D, d M Y H:i:s \G\M\T",$lastModifiedDate);
    119. 

  119.    header('Last-Modified: '.$gmtDate);
    120. 

  120.   }
    121. 

  121.  }
    122. 

  122. }
    123. 

  123. 

  124. // This function uses a static variable to track the most recent
    125. 

  125. // last modification time
    126. 

  126. function lastModificationTime($time=0) {
    127. 

  127.  static $last_mod ;
    128. 

  128.  if (!isset($last_mod) || $time > $last_mod) {
    129. 

  129.   $last_mod = $time ;
    130. 

  130.  }
    131. 

  131.  return $last_mod ;
    132. 

  132. }
    133. 

  133. 

  134. 

  135. ?>
    136. 

  136.