file.php

   1 <?php // $Id$
   2       // This script fetches files from the dataroot directory
   3       // Syntax:      file.php/courseid/dir/dir/dir/filename.ext
   4       //              file.php/courseid/dir (returns index.html from dir)
   5       // Workaround:  file.php?file=/courseid/dir/dir/dir/filename.ext
   6       // Test:        file.php/testslasharguments
   7
   8     require_once('config.php');
   9     require_once('lib/filelib.php');
  10
  11     if (empty($CFG->filelifetime)) {
  12         $lifetime = 86400;     // Seconds for files to remain in caches
  13     } else {
  14         $lifetime = $CFG->filelifetime;
  15     }
  16
  17
  18     $relativepath = get_file_argument('file.php');
  19
  20     // relative path must start with '/', because of backup/restore!!!
  21     if (!$relativepath) {
  22         error('No valid arguments supplied or incorrect server configuration');
  23     } else if ($relativepath{0} != '/') {
  24         error('No valid arguments supplied, path does not start with slash!');
  25     }
  26
  27     $pathname = $CFG->dataroot.$relativepath;
  28
  29     // extract relative path components
  30     $args = explode('/', trim($relativepath, '/'));
  31     if (count($args) == 0) { // always at least courseid, may search for index.html in course root
  32         error('No valid arguments supplied');
  33     }
  34
  35     // security: limit access to existing course subdirectories
  36     // note: course ID must be specified
  37     // note: the lang field is needed for the course language switching hack in weblib.php
  38     if (!$course = get_record_sql("SELECT id, lang FROM {$CFG->prefix}course WHERE id='".(int)$args[0]."'")) {
  39         error('Invalid course ID');
  40     }
  41
  42     // security: prevent access to "000" or "1 something" directories
  43     if ($args[0] != $course->id) {
  44         error('Invalid course ID');
  45     }
  46
  47     // security: login to course if necessary
  48     if ($course->id != SITEID) {
  49         require_login($course->id);
  50     } else if ($CFG->forcelogin) {
  51         require_login();
  52     }
  53
  54     // security: only editing teachers can access backups
  55     if ((!isteacheredit($course->id))
  56         and (count($args) >= 2)
  57         and (strtolower($args[1]) == 'backupdata')) {
  58
  59         error('Access not allowed');
  60     }
  61
  62     if (is_dir($pathname)) {
  63         if (file_exists($pathname.'/index.html')) {
  64             $pathname = rtrim($pathname, '/').'/index.html';
  65             $args[] = 'index.html';
  66         } else if (file_exists($pathname.'/index.htm')) {
  67             $pathname = rtrim($pathname, '/').'/index.htm';
  68             $args[] = 'index.htm';
  69         } else if (file_exists($pathname.'/Default.htm')) {
  70             $pathname = rtrim($pathname, '/').'/Default.htm';
  71             $args[] = 'Default.htm';
  72         } else {
  73             // security: do not return directory node!
  74             not_found($course->id);
  75         }
  76     }
  77
  78     // security: teachers can view all assignments, students only their own
  79     if ((count($args) >= 3)
  80         and (strtolower($args[1]) == 'moddata')
  81         and (strtolower($args[2]) == 'assignment')) {
  82
  83         $lifetime = 0;  // do not cache assignments, students may reupload them
  84         if ((!isteacher($course->id)) && (count($args) != 6 || $args[4] != $USER->id)) {
  85            error('Access not allowed');
  86         }
  87     }
  88
  89     // security: some protection of hidden resource files
  90     // warning: it may break backwards compatibility
  91     // TODO: case sensitive in PostgresQL, case insensitive in MySQL (ok?)
  92     // TODO: should we protect directories too?
  93     if ((!empty($CFG->preventaccesstohiddenfiles))
  94         and (count($args) >= 2)
  95         and (!isteacher($course->id))) {
  96
  97         $reference = ltrim($relativepath, "/{$args[0]}/");
  98
  99         $sql = "SELECT COUNT(r.id) " .
 100                  "FROM {$CFG->prefix}resource r, " .
 101                       "{$CFG->prefix}course_modules cm, " .
 102                       "{$CFG->prefix}modules m " .
 103                  "WHERE r.course    = '{$course->id}' " .
 104                    "AND m.name      = 'resource' " .
 105                    "AND cm.module   = m.id " .
 106                    "AND cm.instance = r.id " .
 107                    "AND cm.visible  = 0 " .
 108                    "AND r.type      = 'file' " .
 109                    "AND r.reference = '{$reference}'";
 110         if (count_records_sql($sql)) {
 111            error('Access not allowed');
 112         }
 113     }
 114
 115     // check that file exists
 116     if (!file_exists($pathname)) {
 117         not_found($course->id);
 118     }
 119
 120     // extra security: keep symbolic links inside dataroot/courseid if required
 121     /*if (!empty($CFG->checksymlinks)) {
 122         $realpath = realpath($pathname);
 123         $realdataroot = realpath($CFG->dataroot.'/'.$course->id);
 124         if (strpos($realpath, $realdataroot) !== 0) {
 125             not_found($course->id);
 126         }
 127     }*/
 128
 129     // ========================================
 130     // finally send the file
 131     // ========================================
 132     session_write_close(); // unlock session during fileserving
 133     $filename = $args[count($args)-1];
 134     send_file($pathname, $filename, $lifetime, !empty($CFG->filteruploadedfiles));
 135
 136     function not_found($courseid) {
 137         global $CFG;
 138         header('HTTP/1.0 404 not found');
 139         error(get_string('filenotfound', 'error'), $CFG->wwwroot.'/course/view.php?id='.$courseid); //this is not displayed on IIS??
 140     }
 141 ?>