dropbox_submit.php 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287
  1. <?php
  2. /* For licensing terms, see /license.txt */
  3. /*
  4. * PREVENT RESUBMITING
  5. * This part checks if the $dropbox_unid var has the same ID
  6. * as the session var $dropbox_uniqueid that was registered as a session
  7. * var before.
  8. * The resubmit prevention only works with GET requests, because it gives some annoying
  9. * behaviours with POST requests.
  10. */
  11. /**
  12. * FORM SUBMIT
  13. * - VALIDATE POSTED DATA
  14. * - UPLOAD NEW FILE
  15. */
  16. if (isset($_POST['submitWork'])) {
  17. require_once api_get_path(LIBRARY_PATH) . 'fileUpload.lib.php';
  18. $error = false;
  19. $errormsg = '';
  20. /**
  21. * FORM SUBMIT : VALIDATE POSTED DATA
  22. */
  23. // the author or description field is empty
  24. if (!isset($_POST['authors']) || !isset( $_POST['description'])) {
  25. $error = true;
  26. $errormsg = get_lang('BadFormData');
  27. } elseif (!isset( $_POST['recipients']) || count( $_POST['recipients']) <= 0) {
  28. $error = true;
  29. $errormsg = get_lang('NoUserSelected');
  30. } else {
  31. $thisIsAMailing = false;
  32. $thisIsJustUpload = false;
  33. foreach ($_POST['recipients'] as $rec) {
  34. if ($rec == 'mailing') {
  35. $thisIsAMailing = true;
  36. } elseif ($rec == 'upload') {
  37. $thisIsJustUpload = true;
  38. } elseif (strpos($rec, 'user_') === 0 && !isCourseMember(substr($rec, strlen('user_')))) {
  39. echo '401';
  40. die(get_lang('BadFormData').' (code 401)');
  41. } elseif (strpos($rec, 'group_') !== 0 && strpos($rec, 'user_') !== 0) {
  42. echo '402';
  43. die(get_lang('BadFormData').' (code 402)');
  44. }
  45. }
  46. // we are doing a mailing but an additional recipient is selected
  47. if ($thisIsAMailing && ( count($_POST['recipients']) != 1)) {
  48. $error = true;
  49. $errormsg = get_lang('MailingSelectNoOther');
  50. }
  51. // we are doing a just upload but an additional recipient is selected.
  52. elseif ( $thisIsJustUpload && ( count($_POST['recipients']) != 1)) {
  53. $error = true;
  54. $errormsg = get_lang('MailingJustUploadSelectNoOther');
  55. } elseif (empty($_FILES['file']['name'])) {
  56. $error = true;
  57. $errormsg = get_lang('NoFileSpecified');
  58. }
  59. }
  60. //check if $_POST['cb_overwrite'] is true or false
  61. $dropbox_overwrite = false;
  62. if (isset($_POST['cb_overwrite']) && $_POST['cb_overwrite']) {
  63. $dropbox_overwrite = true;
  64. }
  65. /**
  66. * FORM SUBMIT : UPLOAD NEW FILE
  67. */
  68. if (!$error) {
  69. $dropbox_filename = $_FILES['file']['name'];
  70. $dropbox_filesize = $_FILES['file']['size'];
  71. $dropbox_filetype = $_FILES['file']['type'];
  72. $dropbox_filetmpname = $_FILES['file']['tmp_name'];
  73. if ($dropbox_filesize <= 0 || $dropbox_filesize > dropbox_cnf('maxFilesize')) {
  74. $errormsg = get_lang('TooBig'); // TODO: The "too big" message does not fit in the case of uploading zero-sized file.
  75. $error = true;
  76. } elseif (!is_uploaded_file($dropbox_filetmpname)) { // check user fraud : no clean error msg.
  77. die(get_lang('BadFormData').' (code 403)');
  78. }
  79. if (!$error) {
  80. // Try to add an extension to the file if it hasn't got one
  81. $dropbox_filename = add_ext_on_mime($dropbox_filename, $dropbox_filetype);
  82. // Replace dangerous characters
  83. $dropbox_filename = replace_dangerous_char($dropbox_filename);
  84. // Transform any .php file in .phps fo security
  85. $dropbox_filename = php2phps($dropbox_filename);
  86. if (!filter_extension($dropbox_filename)) {
  87. $error = true;
  88. $errormsg = get_lang('UplUnableToSaveFileFilteredExtension');
  89. } else {
  90. // set title
  91. $dropbox_title = $dropbox_filename;
  92. // set author
  93. if ($_POST['authors'] == '') {
  94. $_POST['authors'] = getUserNameFromId($_user['user_id']);
  95. }
  96. if ($dropbox_overwrite) {
  97. $dropbox_person = new Dropbox_Person($_user['user_id'], $is_courseAdmin, $is_courseTutor);
  98. foreach ($dropbox_person->sentWork as $w) {
  99. if ($w->title == $dropbox_filename) {
  100. if (($w->recipients[0]['id'] > dropbox_cnf('mailingIdBase')) xor $thisIsAMailing) {
  101. $error = true;
  102. $errormsg = get_lang('MailingNonMailingError');
  103. }
  104. if (($w->recipients[0]['id'] == $_user['user_id']) xor $thisIsJustUpload) {
  105. $error = true;
  106. $errormsg = get_lang('MailingJustUploadSelectNoOther');
  107. }
  108. $dropbox_filename = $w->filename;
  109. $found = true;
  110. break;
  111. }
  112. }
  113. } else {
  114. // rename file to login_filename_uniqueId format
  115. $dropbox_filename = getLoginFromId( $_user['user_id']) . '_' . $dropbox_filename . '_'.uniqid('');
  116. }
  117. if (!is_dir(dropbox_cnf('sysPath'))) {
  118. //The dropbox subdir doesn't exist yet so make it and create the .htaccess file
  119. mkdir(dropbox_cnf('sysPath'), api_get_permissions_for_new_directories()) or die(get_lang('ErrorCreatingDir').' (code 404)');
  120. $fp = fopen(dropbox_cnf('sysPath').'/.htaccess', 'w') or die(get_lang('ErrorCreatingDir').' (code 405)');
  121. fwrite($fp, "AuthName AllowLocalAccess
  122. AuthType Basic
  123. order deny,allow
  124. deny from all
  125. php_flag zlib.output_compression off") or die(get_lang('ErrorCreatingDir').' (code 406)');
  126. }
  127. if ($error) {
  128. } elseif ($thisIsAMailing) {
  129. if (preg_match(dropbox_cnf('mailingZipRegexp'), $dropbox_title)) {
  130. $newWorkRecipients = dropbox_cnf('mailingIdBase');
  131. } else {
  132. $error = true;
  133. $errormsg = $dropbox_title . ': ' . get_lang('MailingWrongZipfile');
  134. }
  135. } elseif ($thisIsJustUpload) {
  136. $newWorkRecipients = array();
  137. } else {
  138. // Creating the array that contains all the users who will receive the file
  139. $newWorkRecipients = array();
  140. foreach ($_POST['recipients'] as $rec) {
  141. if (strpos($rec, 'user_') === 0) {
  142. $newWorkRecipients[] = substr($rec, strlen('user_'));
  143. } elseif (strpos($rec, 'group_') === 0) {
  144. $userList = GroupManager::get_subscribed_users(substr($rec, strlen('group_')));
  145. foreach ($userList as $usr) {
  146. if (!in_array($usr['user_id'], $newWorkRecipients) && $usr['user_id'] != $_user['user_id']) {
  147. $newWorkRecipients[] = $usr['user_id'];
  148. }
  149. }
  150. }
  151. }
  152. }
  153. // After uploading the file, create the db entries
  154. if (!$error) {
  155. @move_uploaded_file($dropbox_filetmpname, dropbox_cnf('sysPath') . '/' . $dropbox_filename)
  156. or die(get_lang('UploadError').' (code 407)');
  157. new Dropbox_SentWork($_user['user_id'], $dropbox_title, $_POST['description'], strip_tags($_POST['authors']), $dropbox_filename, $dropbox_filesize, $newWorkRecipients);
  158. }
  159. }
  160. }
  161. } //end if(!$error)
  162. /**
  163. * SUBMIT FORM RESULTMESSAGE
  164. */
  165. if (!$error) {
  166. $return_message = get_lang('FileUploadSucces');
  167. } else {
  168. $return_message = $errormsg;
  169. }
  170. }
  171. /**
  172. * DELETE RECEIVED OR SENT FILES - EDIT FEEDBACK
  173. * - DELETE ALL RECEIVED FILES
  174. * - DELETE 1 RECEIVED FILE
  175. * - DELETE ALL SENT FILES
  176. * - DELETE 1 SENT FILE
  177. * - EDIT FEEDBACK
  178. */
  179. if (isset($_GET['deleteReceived']) || isset($_GET['deleteSent'])
  180. || isset( $_GET['showFeedback']) || isset( $_GET['editFeedback'])) {
  181. if ($_GET['mailing']) {
  182. getUserOwningThisMailing($_GET['mailing'], $_user['user_id'], '408');
  183. $dropbox_person = new Dropbox_Person($_GET['mailing'], $is_courseAdmin, $is_courseTutor);
  184. } else {
  185. $dropbox_person = new Dropbox_Person($_user['user_id'], $is_courseAdmin, $is_courseTutor);
  186. }
  187. if (isset($_SESSION['sentOrder'])) {
  188. $dropbox_person->orderSentWork($_SESSION['sentOrder']);
  189. }
  190. if (isset($_SESSION['receivedOrder'])) {
  191. $dropbox_person->orderReceivedWork($_SESSION['receivedOrder']);
  192. }
  193. /*if (!$dropbox_person->isCourseAdmin || ! $dropbox_person->isCourseTutor) {
  194. die(get_lang('GeneralError').' (code 408)');
  195. }*/
  196. $tellUser = get_lang('FileDeleted');
  197. if (isset($_GET['deleteReceived'])) {
  198. if ($_GET['deleteReceived'] == 'all') {
  199. $dropbox_person->deleteAllReceivedWork();
  200. } elseif (is_numeric($_GET['deleteReceived'])) {
  201. $dropbox_person->deleteReceivedWork( $_GET['deleteReceived']);
  202. } else {
  203. die(get_lang('GeneralError').' (code 409)');
  204. }
  205. } elseif (isset( $_GET['deleteSent'])) {
  206. if ($_GET['deleteSent'] == 'all') {
  207. $dropbox_person->deleteAllSentWork( );
  208. } elseif (is_numeric($_GET['deleteSent'])) {
  209. $dropbox_person->deleteSentWork($_GET['deleteSent']);
  210. } else {
  211. die(get_lang('GeneralError').' (code 410)');
  212. }
  213. } elseif (isset($_GET['showFeedback'])) {
  214. $w = new Dropbox_SentWork($id = $_GET['showFeedback']);
  215. if ($w->uploader_id != $_user['user_id']) {
  216. getUserOwningThisMailing($w->uploader_id, $_user['user_id'], '411');
  217. }
  218. foreach ($w -> recipients as $r) {
  219. if (($fb = $r['feedback'])) {
  220. $fbarray[$r['feedback_date'].$r['name']] = $r['name'].' '.get_lang('SentOn', '').' '.$r['feedback_date'].":\n".$fb;
  221. }
  222. }
  223. if ($fbarray) {
  224. krsort($fbarray);
  225. echo '<textarea class="dropbox_feedbacks">',
  226. htmlspecialchars(implode("\n\n", $fbarray), ENT_QUOTES, api_get_system_encoding()), '</textarea>', "\n";
  227. } else {
  228. echo '<textarea class="dropbox_feedbacks">&nbsp;</textarea>', "\n";
  229. }
  230. $tellUser = get_lang('ShowFeedback');
  231. } else { // if ( isset( $_GET['editFeedback'])) {
  232. $id = $_GET['editFeedback'];
  233. $found = false;
  234. foreach ($dropbox_person->receivedWork as $w) {
  235. if ($w->id == $id) {
  236. $found = true;
  237. break;
  238. }
  239. }
  240. if (!$found) die(get_lang('GeneralError').' (code 415)');
  241. echo '<form method="post" action="index.php">', "\n",
  242. '<input type="hidden" name="feedbackid" value="',
  243. $id, '"/>', "\n",
  244. '<textarea name="feedbacktext" class="dropbox_feedbacks">',
  245. htmlspecialchars($w->feedback, ENT_QUOTES, api_get_system_encoding()), '</textarea>', "<br />\n",
  246. '<input type="submit" name="feedbacksubmit" value="', get_lang('Ok', ''), '"/>', "\n",
  247. '</form>', "\n";
  248. $tellUser = get_lang('GiveFeedback');
  249. }
  250. /**
  251. * RESULTMESSAGE FOR DELETE FILE OR EDIT FEEDBACK
  252. */
  253. $return_message = get_lang('BackList');
  254. }