Главная Обзор Помощь
Регистрация Вход
aj
/
chamilo-lms2
1
0
Ответвить 0
Файлы Задачи 0 Запросы на слияние 0 Вики
Дерево: a860d6adfc
Ветки Метки
chamilo-lms2
/
main
/
messages
/
download.php

download.php 3.0 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105 
  1. <?php
    2. 

  2. /* For licensing terms, see /license.txt */
    3. 

  3. 

  4. /**
    5. 

  5. *	This file is responsible for  passing requested file attachments from messages
    6. 

  6. *	Html files are parsed to fix a few problems with URLs,
    7. 

  7. *	but this code will hopefully be replaced soon by an Apache URL
    8. 

  8. *	rewrite mechanism.
    9. 

  9. *
    10. 

  10. *	@package chamilo.messages
    11. 

  11. */
    12. 

  12. 

  13. session_cache_limiter('public');
    14. 

  14. 

  15. require_once __DIR__.'/../inc/global.inc.php';
    16. 

  16. 

  17. // IMPORTANT to avoid caching of documents
    18. 

  18. header('Expires: Wed, 01 Jan 1990 00:00:00 GMT');
    19. 

  19. header('Cache-Control: public');
    20. 

  20. header('Pragma: no-cache');
    21. 

  21. 

  22. $file_url = $_GET['file'];
    23. 

  23. //change the '&' that got rewritten to '///' by mod_rewrite back to '&'
    24. 

  24. $file_url = str_replace('///', '&', $file_url);
    25. 

  25. //still a space present? it must be a '+' (that got replaced by mod_rewrite)
    26. 

  26. $file_url = str_replace(' ', '+', $file_url);
    27. 

  27. $file_url = str_replace('/..', '', $file_url); //echo $doc_url;
    28. 

  28. 

  29. $tbl_messsage = Database::get_main_table(TABLE_MESSAGE);
    30. 

  30. $tbl_messsage_attachment = Database::get_main_table(TABLE_MESSAGE_ATTACHMENT);
    31. 

  31. 

  32. $file_url = Database::escape_string($file_url);
    33. 

  33. $sql = "SELECT filename, message_id
    34. 

  34.         FROM $tbl_messsage_attachment
    35. 

  35. 		WHERE path LIKE BINARY '$file_url'";
    36. 

  36. 

  37. $result = Database::query($sql);
    38. 

  38. $row = Database::fetch_array($result, 'ASSOC');
    39. 

  39. $title = str_replace(' ', '_', $row['filename']);
    40. 

  40. $message_id = $row['message_id'];
    41. 

  41. 

  42. // allow download only for user sender and user receiver
    43. 

  43. $sql = "SELECT user_sender_id, user_receiver_id, group_id
    44. 

  44. 		FROM $tbl_messsage WHERE id = '$message_id'";
    45. 

  45. $rs = Database::query($sql);
    46. 

  46. $row_users = Database::fetch_array($rs, 'ASSOC');
    47. 

  47. $current_uid = api_get_user_id();
    48. 

  48. 

  49. // get message user id for inbox/outbox
    50. 

  50. $message_uid = '';
    51. 

  51. $message_type = array('inbox', 'outbox');
    52. 

  52. if (in_array($_GET['type'], $message_type)) {
    53. 

  53. 	if ($_GET['type'] == 'inbox') {
    54. 

  54. 		$message_uid = $row_users['user_receiver_id'];
    55. 

  55. 	} else {
    56. 

  56. 		$message_uid = $row_users['user_sender_id'];
    57. 

  57. 	}
    58. 

  58. }
    59. 

  59. 

  60. // allow to the correct user for download this file
    61. 

  61. $not_allowed_to_edit = false;
    62. 

  62. $userGroup = new UserGroup();
    63. 

  63. 

  64. if (!empty($row_users['group_id'])) {
    65. 

  65. 	$users_group = $userGroup->get_all_users_by_group($row_users['group_id']);
    66. 

  66. 	if (!in_array($current_uid, array_keys($users_group))) {
    67. 

  67. 		$not_allowed_to_edit = true;
    68. 

  68. 	}
    69. 

  69. } else {
    70. 

  70. 	if ($current_uid != $message_uid) {
    71. 

  71. 		$not_allowed_to_edit = true;
    72. 

  72. 	}
    73. 

  73. }
    74. 

  74. 

  75. if ($not_allowed_to_edit) {
    76. 

  76. 	api_not_allowed(true);
    77. 

  77. 	exit;
    78. 

  78. }
    79. 

  79. 

  80. // set the path directory file
    81. 

  81. if (!empty($row_users['group_id'])) {
    82. 

  82.     $path_user_info = $userGroup->get_group_picture_path_by_id(
    83. 

  83.         $row_users['group_id'],
    84. 

  84.         'system',
    85. 

  85.         true
    86. 

  86.     );
    87. 

  87. } else {
    88. 

  88. 	$path_user_info['dir'] = UserManager::getUserPathById($message_uid, 'system');
    89. 

  89. }
    90. 

  90. 

  91. $full_file_name = $path_user_info['dir'].'message_attachments/'.$file_url;
    92. 

  92. 

  93. if (Security::check_abs_path($full_file_name, $path_user_info['dir'].'message_attachments/')) {
    94. 

  94.     // launch event
    95. 

  95.     Event::event_download($file_url);
    96. 

  96.     $result = DocumentManager::file_send_for_download(
    97. 

  97.         $full_file_name,
    98. 

  98.         true,
    99. 

  99.         $title
    100. 

  100.     );
    101. 

  101.     if ($result === false) {
    102. 

  102.         api_not_allowed(true);
    103. 

  103.     }
    104. 

  104. }
    105. 

  105. exit;
    106.