MDL-28501 mod_folder: make force downloading behavior configuable

moodle · Sep 7, 2020 · a0908df · aulatic · Apr 9, 2022 · a0908df
1 parent 99777d9
commit a0908df
Show file tree

Hide file tree

Showing 9 changed files with 48 additions and 16 deletions.
diff --git a/mod/folder/backup/moodle2/backup_folder_stepslib.php b/mod/folder/backup/moodle2/backup_folder_stepslib.php
@@ -38,7 +38,7 @@ protected function define_structure() {
         // Define each element separated
         $folder = new backup_nested_element('folder', array('id'), array(
             'name', 'intro', 'introformat', 'revision',
-            'timemodified', 'display', 'showexpanded'));
+            'timemodified', 'display', 'showexpanded', 'forcedownload'));
 
         // Build the tree
         // (nice mono-tree, lol)

diff --git a/mod/folder/db/access.php b/mod/folder/db/access.php
@@ -58,14 +58,13 @@
         )
     ),*/
 
-    // can manage files in the folder
+    // Can manage files in the folder.
     'mod/folder:managefiles' => array(
-        'riskbitmask' => RISK_SPAM,
+        'riskbitmask' => RISK_SPAM | RISK_XSS,
         'captype' => 'write',
         'contextlevel' => CONTEXT_MODULE,
         'archetypes' => array(
             'editingteacher' => CAP_ALLOW
         )
     )
 );
-
diff --git a/mod/folder/db/install.xml b/mod/folder/db/install.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8" ?>
-<XMLDB PATH="mod/folder/db" VERSION="20130407" COMMENT="XMLDB file for Folder module"
+<XMLDB PATH="mod/folder/db" VERSION="20200213" COMMENT="XMLDB file for Folder module"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="../../../lib/xmldb/xmldb.xsd"
 >
@@ -14,8 +14,9 @@
         <FIELD NAME="revision" TYPE="int" LENGTH="10" NOTNULL="true" DEFAULT="0" SEQUENCE="false" COMMENT="incremented when after each file changes, solves browser caching issues"/>
         <FIELD NAME="timemodified" TYPE="int" LENGTH="10" NOTNULL="true" DEFAULT="0" SEQUENCE="false"/>
         <FIELD NAME="display" TYPE="int" LENGTH="4" NOTNULL="true" DEFAULT="0" SEQUENCE="false" COMMENT="Display type of folder contents - on a separate page or inline"/>
-        <FIELD NAME="showexpanded" TYPE="int" LENGTH="1" NOTNULL="true" UNSIGNED="false" DEFAULT="1" SEQUENCE="false" COMMENT="1 = expanded, 0 = collapsed for sub-folders"/>
-        <FIELD NAME="showdownloadfolder" TYPE="int" LENGTH="1" NOTNULL="true" UNSIGNED="false" DEFAULT="1" SEQUENCE="false" COMMENT="1 = show download folder button"/>
+        <FIELD NAME="showexpanded" TYPE="int" LENGTH="1" NOTNULL="true" DEFAULT="1" SEQUENCE="false" COMMENT="1 = expanded, 0 = collapsed for sub-folders"/>
+        <FIELD NAME="showdownloadfolder" TYPE="int" LENGTH="1" NOTNULL="true" DEFAULT="1" SEQUENCE="false" COMMENT="1 = show download folder button"/>
+        <FIELD NAME="forcedownload" TYPE="int" LENGTH="1" NOTNULL="true" DEFAULT="1" SEQUENCE="false" COMMENT="1 = force download of individual files"/>
       </FIELDS>
       <KEYS>
         <KEY NAME="primary" TYPE="primary" FIELDS="id"/>
@@ -25,4 +26,4 @@
       </INDEXES>
     </TABLE>
   </TABLES>
-</XMLDB>
+</XMLDB>
diff --git a/mod/folder/db/upgrade.php b/mod/folder/db/upgrade.php
@@ -45,7 +45,9 @@
 defined('MOODLE_INTERNAL') || die();
 
 function xmldb_folder_upgrade($oldversion) {
-    global $CFG;
+    global $CFG, $DB;
+
+    $dbman = $DB->get_manager(); // Loads ddl manager and xmldb classes.
 
     // Automatically generated Moodle v3.5.0 release upgrade line.
     // Put any upgrade step following this.
@@ -61,6 +63,20 @@ function xmldb_folder_upgrade($oldversion) {
 
     // Automatically generated Moodle v3.9.0 release upgrade line.
     // Put any upgrade step following this.
+    if ($oldversion < 2021052501) {
+
+        // Define field forcedownload to be added to folder.
+        $table = new xmldb_table('folder');
+        $field = new xmldb_field('forcedownload', XMLDB_TYPE_INTEGER, '1', null, XMLDB_NOTNULL, null, '1', 'showdownloadfolder');
+
+        // Conditionally launch add field forcedownload.
+        if (!$dbman->field_exists($table, $field)) {
+            $dbman->add_field($table, $field);
+        }
+
+        // Folder savepoint reached.
+        upgrade_mod_savepoint(true, 2021052501, 'folder');
+    }
 
     return true;
 }
diff --git a/mod/folder/lang/en/folder.php b/mod/folder/lang/en/folder.php
@@ -1,5 +1,4 @@
 <?php
-
 // This file is part of Moodle - http://moodle.org/
 //
 // Moodle is free software: you can redistribute it and/or modify
@@ -33,6 +32,8 @@
 $string['folder:managefiles'] = 'Manage files in folder module';
 $string['folder:view'] = 'View folder content';
 $string['foldercontent'] = 'Files and subfolders';
+$string['forcedownload'] = 'Force download of files';
+$string['forcedownload_help'] = 'Whether certain files, such as images or HTML files, should be displayed in the browser rather than being downloaded. Note that for security reasons, the setting should only be unticked if all users with the capability to manage files in the folder are trusted users.';
 $string['indicator:cognitivedepth'] = 'Folder cognitive';
 $string['indicator:cognitivedepth_help'] = 'This indicator is based on the cognitive depth reached by the student in a Folder resource.';
 $string['indicator:cognitivedepthdef'] = 'Folder cognitive';

diff --git a/mod/folder/lib.php b/mod/folder/lib.php
@@ -283,9 +283,13 @@ function folder_pluginfile($course, $cm, $context, $filearea, $args, $forcedownl
         return false;
     }
 
-    // finally send the file
-    // for folder module, we force download file all the time
-    send_stored_file($file, 0, 0, true, $options);
+    // Set security posture for in-browser display.
+    if (!$forcedownload) {
+        header("Content-Security-Policy: default-src 'none'; img-src 'self'");
+    }
+
+    // Finally send the file.
+    send_stored_file($file, 0, 0, $forcedownload, $options);
 }
 
 /**

diff --git a/mod/folder/mod_form.php b/mod/folder/mod_form.php
@@ -68,6 +68,12 @@ function definition() {
         $mform->addElement('advcheckbox', 'showdownloadfolder', get_string('showdownloadfolder', 'folder'));
         $mform->addHelpButton('showdownloadfolder', 'showdownloadfolder', 'mod_folder');
         $mform->setDefault('showdownloadfolder', true);
+
+        // Adding option to enable viewing of individual files.
+        $mform->addElement('advcheckbox', 'forcedownload', get_string('forcedownload', 'folder'));
+        $mform->addHelpButton('forcedownload', 'forcedownload', 'mod_folder');
+        $mform->setDefault('forcedownload', true);
+
         //-------------------------------------------------------
         $this->standard_coursemodule_elements();
 

diff --git a/mod/folder/renderer.php b/mod/folder/renderer.php
@@ -146,9 +146,14 @@ protected function htmllize_tree($tree, $dir) {
             }
             $filename = html_writer::tag('span', $image, array('class' => 'fp-icon')).
                     html_writer::tag('span', $filenamedisplay, array('class' => 'fp-filename'));
+            $urlparams = null;
+            if ($tree->folder->forcedownload) {
+                $urlparams = ['forcedownload' => 1];
+            }
             $filename = html_writer::tag('span',
-                    html_writer::link($url->out(false, array('forcedownload' => 1)), $filename),
-                    array('class' => 'fp-filename-icon'));
+                html_writer::link($url->out(false, $urlparams), $filename),
+                ['class' => 'fp-filename-icon']
+            );
             $result .= html_writer::tag('li', $filename);
         }
         $result .= '</ul>';

diff --git a/mod/folder/version.php b/mod/folder/version.php
@@ -24,7 +24,7 @@
 
 defined('MOODLE_INTERNAL') || die();
 
-$plugin->version   = 2021052500;       // The current module version (Date: YYYYMMDDXX)
+$plugin->version   = 2021052501;       // The current module version (Date: YYYYMMDDXX)
 $plugin->requires  = 2021052500;    // Requires this Moodle version
 $plugin->component = 'mod_folder';     // Full name of the plugin (used for diagnostics)
 $plugin->cron      = 0;