MDL-22414 Fixed the id generation entropy
1 <?php
2 // This script fetches files from the dataroot/questionattempt directory
3 // It is based on the top-level file.php
4 //
5 // On a module-by-module basis (currently only implemented for quiz), it checks
6 // whether the user has permission to view the file.
7 //
8 // Syntax: question/file.php/attemptid/questionid/filename.ext
9 // Workaround: question/file.php?file=/attemptid/questionid/filename.ext
11 // disable moodle specific debug messages and any errors in output
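// Serve one file from dataroot/questionattempt/<attemptid>/<questionid>/<filename>.
//
// Every component of the request path comes from the client, so the script
// only ever builds the path from exactly three components, refuses any
// component that could leave the questionattempt directory, and asks the
// owning module (via <module>_check_file_access) whether the logged-in user
// may see the file before anything is sent.  All failure paths end in
// print_error() or question_attempt_not_found(), both of which do not return.

// disable moodle specific debug messages and any errors in output
define('NO_DEBUG_DISPLAY', true);

require_once('../config.php');
require_once('../lib/filelib.php');

$relativepath = get_file_argument();
// force download for any student-submitted files to prevent XSS attacks.
$forcedownload = 1;

// relative path must start with '/', because of backup/restore!!!
if (!$relativepath) {
    print_error('invalidarguments');
} else if ($relativepath[0] != '/') {
    // Square-bracket offset: the old "{0}" form was removed in PHP 8.
    print_error('pathdoesnotstartslash');
}

// extract relative path components
$args = explode('/', trim($relativepath, '/'));

// check for the right number of directories in the path
if (count($args) != 3) {
    print_error('invalidarguments');
}

// security: no component may be empty, '.', '..' or carry a backslash,
// otherwise $pathname could resolve outside dataroot/questionattempt.
foreach ($args as $component) {
    if (in_array($component, array('', '.', '..'), true) || strpos($component, '\\') !== false) {
        print_error('invalidarguments');
    }
}

$pathname = $CFG->dataroot . '/questionattempt' . $relativepath;

// security: require login
require_login();

// security: do not return directory node!
if (is_dir($pathname)) {
    question_attempt_not_found();
}

$lifetime = 0; // do not cache because students may reupload files

// security: check that the user has permission to access this file
$haspermission = false;
if ($attempt = $DB->get_record("question_attempts", array("id" => $args[0]))) {
    // The module name comes from the database, but it is used to build an
    // include path, so only accept a plain plugin-style identifier.
    $modulename = (string)$attempt->modulename;
    if (preg_match('/^[a-z][a-z0-9_]*$/', $modulename)) {
        $modfile = $CFG->dirroot . '/mod/' . $modulename . '/lib.php';
        $modcheckfileaccess = $modulename . '_check_file_access';
        if (file_exists($modfile)) {
            require_once($modfile);
            if (function_exists($modcheckfileaccess)) {
                $haspermission = $modcheckfileaccess($args[0], $args[1]);
            }
        }
    }
} else if ($args[0][0] === '0') {
    // No stored attempt: presumably a temporary id of the form "0_<userid>",
    // which only its owner may read (TODO confirm against the code that
    // creates these ids).  Strict comparison so that a non-numeric first
    // character cannot satisfy the test the way "== 0" did before PHP 8.
    global $USER;
    $list = explode('_', $args[0]);
    if (isset($list[1]) && ctype_digit($list[1]) && (int)$list[1] === (int)$USER->id) {
        $haspermission = true;
    }
}

if ($haspermission) {
    // check that file exists
    if (!file_exists($pathname)) {
        question_attempt_not_found();
    }

    // send the file
    session_get_instance()->write_close(); // unlock session during fileserving
    $filename = $args[2]; // count($args) is exactly 3 at this point
    send_file($pathname, $filename, $lifetime, $CFG->filteruploadedfiles, false, $forcedownload);
} else {
    question_attempt_not_found();
}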
81 function question_attempt_not_found() {
82 global $CFG;
83 header('HTTP/1.0 404 not found');
84 print_error('filenotfound', 'error', $CFG->wwwroot); //this is not displayed on IIS??