123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358 |
- <?php
- /* For licensing terms, see /license.txt */
- /*
- * PREVENT RESUBMITING
- * This part checks if the $dropbox_unid var has the same ID
- * as the session var $dropbox_uniqueid that was registered as a session
- * var before.
- * The resubmit prevention only works with GET requests, because it gives some annoying
- * behaviours with POST requests.
- */
- /**
- * FORM SUBMIT
- * - VALIDATE POSTED DATA
- * - UPLOAD NEW FILE
- */
- if (isset($_POST['submitWork'])) {
- $error = false;
- $errormsg = '';
- /**
- * FORM SUBMIT : VALIDATE POSTED DATA
- */
- // the author or description field is empty
- if (!isset($_POST['authors']) || !isset($_POST['description'])) {
- $error = true;
- $errormsg = get_lang('BadFormData');
- } elseif (!isset($_POST['recipients']) || count($_POST['recipients']) <= 0) {
- $error = true;
- $errormsg = get_lang('NoUserSelected');
- } else {
- $thisIsAMailing = false;
- $thisIsJustUpload = false;
- foreach ($_POST['recipients'] as $rec) {
- if ($rec == 'mailing') {
- $thisIsAMailing = true;
- } elseif ($rec == 'upload') {
- $thisIsJustUpload = true;
- } elseif (strpos($rec, 'user_') === 0 && !isCourseMember(substr($rec, strlen('user_')))) {
- echo '401';
- die(get_lang('BadFormData').' (code 401)');
- } elseif (strpos($rec, 'group_') !== 0 && strpos($rec, 'user_') !== 0) {
- echo '402';
- die(get_lang('BadFormData').' (code 402)');
- }
- }
- // we are doing a mailing but an additional recipient is selected
- if ($thisIsAMailing && (count($_POST['recipients']) != 1)) {
- $error = true;
- $errormsg = get_lang('MailingSelectNoOther');
- } // we are doing a just upload but an additional recipient is selected.
- elseif ($thisIsJustUpload && (count($_POST['recipients']) != 1)) {
- $error = true;
- $errormsg = get_lang('MailingJustUploadSelectNoOther');
- } elseif (empty($_FILES['file']['name'])) {
- $error = true;
- $errormsg = get_lang('NoFileSpecified');
- }
- }
- //check if $_POST['cb_overwrite'] is true or false
- $dropbox_overwrite = false;
- if (isset($_POST['cb_overwrite']) && $_POST['cb_overwrite']) {
- $dropbox_overwrite = true;
- }
- /**
- * FORM SUBMIT : UPLOAD NEW FILE
- */
- if (!$error) {
- $dropbox_filename = $_FILES['file']['name'];
- $dropbox_filesize = $_FILES['file']['size'];
- $dropbox_filetype = $_FILES['file']['type'];
- $dropbox_filetmpname = $_FILES['file']['tmp_name'];
- if ($dropbox_filesize <= 0 || $dropbox_filesize > dropbox_cnf('maxFilesize')) {
- $errormsg = get_lang(
- 'TooBig'
- ); // TODO: The "too big" message does not fit in the case of uploading zero-sized file.
- $error = true;
- } elseif (!is_uploaded_file($dropbox_filetmpname)) { // check user fraud : no clean error msg.
- die(get_lang('BadFormData').' (code 403)');
- }
- if (!$error) {
- // Try to add an extension to the file if it hasn't got one
- $dropbox_filename = FileManager::add_ext_on_mime($dropbox_filename, $dropbox_filetype);
- // Replace dangerous characters
- $dropbox_filename = api_replace_dangerous_char($dropbox_filename);
- // Transform any .php file in .phps fo security
- $dropbox_filename = FileManager::php2phps($dropbox_filename);
- if (!FileManager::filter_extension($dropbox_filename)) {
- $error = true;
- $errormsg = get_lang('UplUnableToSaveFileFilteredExtension');
- } else {
- // set title
- $dropbox_title = $dropbox_filename;
- // set author
- if ($_POST['authors'] == '') {
- $_POST['authors'] = getUserNameFromId($_user['user_id']);
- }
- if ($dropbox_overwrite) {
- $dropbox_person = new Dropbox_Person($_user['user_id'], api_is_course_admin(), $is_courseTutor);
- foreach ($dropbox_person->sentWork as $w) {
- if ($w->title == $dropbox_filename) {
- if (($w->recipients[0]['id'] > dropbox_cnf('mailingIdBase')) xor $thisIsAMailing) {
- $error = true;
- $errormsg = get_lang('MailingNonMailingError');
- }
- if (($w->recipients[0]['id'] == $_user['user_id']) xor $thisIsJustUpload) {
- $error = true;
- $errormsg = get_lang('MailingJustUploadSelectNoOther');
- }
- $dropbox_filename = $w->filename;
- $found = true;
- break;
- }
- }
- } else {
- // rename file to login_filename_uniqueId format
- $dropbox_filename = getLoginFromId($_user['user_id']).'_'.$dropbox_filename.'_'.uniqid('');
- }
- if (!is_dir(dropbox_cnf('sysPath'))) {
- //The dropbox subdir doesn't exist yet so make it and create the .htaccess file
- mkdir(dropbox_cnf('sysPath'), api_get_permissions_for_new_directories()) or die(get_lang(
- 'ErrorCreatingDir'
- ).' (code 404)');
- $fp = fopen(dropbox_cnf('sysPath').'/.htaccess', 'w') or die(get_lang(
- 'ErrorCreatingDir'
- ).' (code 405)');
- fwrite(
- $fp,
- "AuthName AllowLocalAccess
- AuthType Basic
- order deny,allow
- deny from all
- php_flag zlib.output_compression off"
- ) or die(get_lang('ErrorCreatingDir').' (code 406)');
- }
- if ($error) {
- } elseif ($thisIsAMailing) {
- if (preg_match(dropbox_cnf('mailingZipRegexp'), $dropbox_title)) {
- $newWorkRecipients = dropbox_cnf('mailingIdBase');
- } else {
- $error = true;
- $errormsg = $dropbox_title.': '.get_lang('MailingWrongZipfile');
- }
- } elseif ($thisIsJustUpload) {
- $newWorkRecipients = array();
- } else {
- // Creating the array that contains all the users who will receive the file
- $newWorkRecipients = array();
- foreach ($_POST['recipients'] as $rec) {
- if (strpos($rec, 'user_') === 0) {
- $newWorkRecipients[] = substr($rec, strlen('user_'));
- } elseif (strpos($rec, 'group_') === 0) {
- $userList = GroupManager::get_subscribed_users(substr($rec, strlen('group_')));
- foreach ($userList as $usr) {
- if (!in_array(
- $usr['user_id'],
- $newWorkRecipients
- ) && $usr['user_id'] != $_user['user_id']
- ) {
- $newWorkRecipients[] = $usr['user_id'];
- }
- }
- }
- }
- }
- // After uploading the file, create the db entries
- if (!$error) {
- @move_uploaded_file($dropbox_filetmpname, dropbox_cnf('sysPath').'/'.$dropbox_filename)
- or die(get_lang('UploadError').' (code 407)');
- new Dropbox_SentWork($_user['user_id'], $dropbox_title, $_POST['description'], strip_tags(
- $_POST['authors']
- ), $dropbox_filename, $dropbox_filesize, $newWorkRecipients);
- }
- }
- }
- } //end if(!$error)
- /**
- * SUBMIT FORM RESULTMESSAGE
- */
- if (!$error) {
- $return_message = get_lang('FileUploadSucces');
- } else {
- $return_message = $errormsg;
- }
- } // end if ( isset( $_POST['submitWork']))
- function findRecipient($thisFile)
- {
- // string result = error message, array result = [user_id, lastname, firstname, status]
- global $nameParts, $preFix, $preLen, $postFix, $postLen;
- if (preg_match(dropbox_cnf('mailingFileRegexp'), $thisFile, $matches)) {
- $thisName = $matches[1];
- if (api_substr($thisName, 0, $preLen) == $preFix) {
- if ($postLen == 0 || api_substr($thisName, -$postLen) == $postFix) {
- $thisRecip = api_substr($thisName, $preLen, api_strlen($thisName) - $preLen - $postLen);
- if ($thisRecip) {
- return getUser($thisRecip);
- }
- return ' <'.get_lang('MailingFileNoRecip', '').'>';
- } else {
- return ' <'.get_lang('MailingFileNoPostfix', '').$postFix.'>';
- }
- } else {
- return ' <'.get_lang('MailingFileNoPrefix', '').$preFix.'>';
- }
- } else {
- return ' <'.get_lang('MailingFileFunny', '').'>';
- }
- }
- function getUser($thisRecip)
- {
- // string result = error message, array result = [user_id, lastname, firstname]
- global $var, $sel;
- if (isset($students)) {
- unset($students);
- }
- $result = Database::query($sel.$thisRecip."'");
- while (($res = Database::fetch_array($result))) {
- $students[] = $res;
- }
- Database::free_result($result);
- if (count($students) == 1) {
- return ($students[0]);
- } elseif (count($students) > 1) {
- return ' <'.get_lang('MailingFileRecipDup', '').$var."= $thisRecip>";
- } else {
- return ' <'.get_lang('MailingFileRecipNotFound', '').$var."= $thisRecip>";
- }
- }
- /**
- * DELETE RECEIVED OR SENT FILES - EDIT FEEDBACK
- * - DELETE ALL RECEIVED FILES
- * - DELETE 1 RECEIVED FILE
- * - DELETE ALL SENT FILES
- * - DELETE 1 SENT FILE
- * - EDIT FEEDBACK
- */
- if (isset($_GET['deleteReceived']) || isset($_GET['deleteSent'])
- || isset($_GET['showFeedback']) || isset($_GET['editFeedback'])
- ) {
- if ($_GET['mailing']) {
- getUserOwningThisMailing($_GET['mailing'], $_user['user_id'], '408');
- $dropbox_person = new Dropbox_Person($_GET['mailing'], api_is_course_admin(), $is_courseTutor);
- } else {
- $dropbox_person = new Dropbox_Person($_user['user_id'], api_is_course_admin(), $is_courseTutor);
- }
- if (isset($_SESSION['sentOrder'])) {
- $dropbox_person->orderSentWork($_SESSION['sentOrder']);
- }
- if (isset($_SESSION['receivedOrder'])) {
- $dropbox_person->orderReceivedWork($_SESSION['receivedOrder']);
- }
- /*if (!$dropbox_person->isCourseAdmin || ! $dropbox_person->isCourseTutor) {
- die(get_lang('GeneralError').' (code 408)');
- }*/
- $tellUser = get_lang('FileDeleted');
- if (isset($_GET['deleteReceived'])) {
- if ($_GET['deleteReceived'] == 'all') {
- $dropbox_person->deleteAllReceivedWork();
- } elseif (is_numeric($_GET['deleteReceived'])) {
- $dropbox_person->deleteReceivedWork($_GET['deleteReceived']);
- } else {
- die(get_lang('GeneralError').' (code 409)');
- }
- } elseif (isset($_GET['deleteSent'])) {
- if ($_GET['deleteSent'] == 'all') {
- $dropbox_person->deleteAllSentWork();
- } elseif (is_numeric($_GET['deleteSent'])) {
- $dropbox_person->deleteSentWork($_GET['deleteSent']);
- } else {
- die(get_lang('GeneralError').' (code 410)');
- }
- } elseif (isset($_GET['showFeedback'])) {
- $w = new Dropbox_SentWork($id = $_GET['showFeedback']);
- if ($w->uploader_id != $_user['user_id']) {
- getUserOwningThisMailing($w->uploader_id, $_user['user_id'], '411');
- }
- foreach ($w->recipients as $r) {
- if (($fb = $r['feedback'])) {
- $fbarray[$r['feedback_date'].$r['name']] = $r['name'].' '.get_lang(
- 'SentOn',
- ''
- ).' '.$r['feedback_date'].":\n".$fb;
- }
- }
- if ($fbarray) {
- krsort($fbarray);
- echo '<textarea class="dropbox_feedbacks">',
- htmlspecialchars(implode("\n\n", $fbarray), ENT_QUOTES, api_get_system_encoding()), '</textarea>', "\n";
- } else {
- echo '<textarea class="dropbox_feedbacks"> </textarea>', "\n";
- }
- $tellUser = get_lang('ShowFeedback');
- } else { // if ( isset( $_GET['editFeedback'])) {
- $id = $_GET['editFeedback'];
- $found = false;
- foreach ($dropbox_person->receivedWork as $w) {
- if ($w->id == $id) {
- $found = true;
- break;
- }
- }
- if (!$found) {
- die(get_lang('GeneralError').' (code 415)');
- }
- echo '<form method="post" action="index.php">', "\n",
- '<input type="hidden" name="feedbackid" value="',
- $id, '"/>', "\n",
- '<textarea name="feedbacktext" class="dropbox_feedbacks">',
- htmlspecialchars($w->feedback, ENT_QUOTES, api_get_system_encoding()), '</textarea>', "<br />\n",
- '<input type="submit" name="feedbacksubmit" value="', get_lang('Ok', ''), '"/>', "\n",
- '</form>', "\n";
- $tellUser = get_lang('GiveFeedback');
- }
- /**
- * RESULTMESSAGE FOR DELETE FILE OR EDIT FEEDBACK
- */
- $return_message = get_lang('BackList');
- }
|