download.php 3.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109
  1. <?php
  2. /* For licensing terms, see /license.txt */
  3. /**
  4. * This file is responsible for passing requested file attachments from messages
  5. * Html files are parsed to fix a few problems with URLs,
  6. * but this code will hopefully be replaced soon by an Apache URL
  7. * rewrite mechanism.
  8. *
  9. * @package chamilo.messages
  10. */
  11. session_cache_limiter('public');
  12. require_once __DIR__.'/../inc/global.inc.php';
  13. $file_url = isset($_GET['file']) ? $_GET['file'] : '';
  14. if (empty($file_url)) {
  15. api_not_allowed();
  16. }
  17. // IMPORTANT to avoid caching of documents
  18. header('Expires: Wed, 01 Jan 1990 00:00:00 GMT');
  19. header('Cache-Control: public');
  20. header('Pragma: no-cache');
  21. //change the '&' that got rewritten to '///' by mod_rewrite back to '&'
  22. $file_url = str_replace('///', '&', $file_url);
  23. //still a space present? it must be a '+' (that got replaced by mod_rewrite)
  24. $file_url = str_replace(' ', '+', $file_url);
  25. $file_url = str_replace('/..', '', $file_url); //echo $doc_url;
  26. $tbl_messsage = Database::get_main_table(TABLE_MESSAGE);
  27. $tbl_messsage_attachment = Database::get_main_table(TABLE_MESSAGE_ATTACHMENT);
  28. $file_url = Database::escape_string($file_url);
  29. $sql = "SELECT filename, message_id
  30. FROM $tbl_messsage_attachment
  31. WHERE path LIKE BINARY '$file_url'";
  32. $result = Database::query($sql);
  33. $row = Database::fetch_array($result, 'ASSOC');
  34. $title = str_replace(' ', '_', $row['filename']);
  35. $message_id = $row['message_id'];
  36. // allow download only for user sender and user receiver
  37. $sql = "SELECT user_sender_id, user_receiver_id, group_id
  38. FROM $tbl_messsage WHERE id = '$message_id'";
  39. $rs = Database::query($sql);
  40. $row_users = Database::fetch_array($rs, 'ASSOC');
  41. $current_uid = api_get_user_id();
  42. // get message user id for inbox/outbox
  43. $message_uid = '';
  44. $message_type = ['inbox', 'outbox'];
  45. if (in_array($_GET['type'], $message_type)) {
  46. if ($_GET['type'] == 'inbox') {
  47. $message_uid = $row_users['user_receiver_id'];
  48. } else {
  49. $message_uid = $row_users['user_sender_id'];
  50. }
  51. }
  52. // allow to the correct user for download this file
  53. $not_allowed_to_edit = false;
  54. $userGroup = new UserGroup();
  55. if (!empty($row_users['group_id'])) {
  56. $users_group = $userGroup->get_all_users_by_group($row_users['group_id']);
  57. if (!in_array($current_uid, array_keys($users_group))) {
  58. $not_allowed_to_edit = true;
  59. }
  60. } else {
  61. if ($current_uid != $message_uid) {
  62. $not_allowed_to_edit = true;
  63. }
  64. }
  65. if ($not_allowed_to_edit) {
  66. api_not_allowed(true);
  67. exit;
  68. }
  69. // set the path directory file
  70. if (!empty($row_users['group_id'])) {
  71. $path_user_info = $userGroup->get_group_picture_path_by_id(
  72. $row_users['group_id'],
  73. 'system',
  74. true
  75. );
  76. } else {
  77. $path_user_info['dir'] = UserManager::getUserPathById($message_uid, 'system');
  78. }
  79. $full_file_name = $path_user_info['dir'].'message_attachments/'.$file_url;
  80. if (Security::check_abs_path($full_file_name, $path_user_info['dir'].'message_attachments/')) {
  81. // launch event
  82. Event::event_download($file_url);
  83. $result = DocumentManager::file_send_for_download(
  84. $full_file_name,
  85. true,
  86. $title
  87. );
  88. if ($result === false) {
  89. api_not_allowed(true);
  90. }
  91. }
  92. exit;