Permalink
Browse files

merged from 14_STABLE -

changes:
* sesskey;
* only editing teachers can use it;
* time modified - used filemtime (consistency with files/index.php, better for Win32);
* directory sizes shown;
* removed unused "torte" action;
* updated breadcrums (active folder not linked and »);
* updated comments;
* some other fixes from files/index.php.

Please test, test, test.
  • Loading branch information...
1 parent 083eccc commit 23eb1cc518d4f769c15f0d8108ce0eba949c6e7d skodak committed Oct 26, 2004
Showing with 50 additions and 64 deletions.
  1. +50 −64 mod/resource/coursefiles.php
View
114 mod/resource/coursefiles.php
@@ -3,8 +3,7 @@
// Manage all uploaded files in a course file area
// This file is a hack to files/index.php that removes
-// the headers and adds some controls so that images
-// can be selected within the Richtext editor.
+// the headers and adds file selection capability
// All the Moodle-specific stuff is in this top section
// Configuration and access control occurs here.
@@ -14,19 +13,23 @@
require("../../config.php");
require("../../files/mimetypes.php");
- require_variable($id);
- optional_variable($file, "");
- optional_variable($wdir, "");
- optional_variable($action, "");
+ global $USER;
+
+ $id = required_param('id', PARAM_INT);
+ $file = optional_param('file', '', PARAM_PATH);
+ $wdir = optional_param('wdir', '', PARAM_PATH);
+ $action = optional_param('action', '', PARAM_ACTION);
+ $name = optional_param('name', '', PARAM_FILE);
+ $oldname = optional_param('oldname', '', PARAM_FILE);
if (! $course = get_record("course", "id", $id) ) {
error("That's an invalid course id");
}
require_login($course->id);
- if (! isteacher($course->id) ) {
- error("Only teachers can edit files");
+ if (! isteacheredit($course->id) ) {
+ error("You need to be a teacher with editing privileges");
}
function html_footer() {
@@ -50,12 +53,12 @@ function html_header($course, $wdir, $formfield=""){
$numdirs = count($dirs);
$link = "";
$navigation = "";
- for ($i=1; $i<$numdirs; $i++) {
+ for ($i=1; $i<$numdirs-1; $i++) {
$navigation .= " -> ";
$link .= "/".urlencode($dirs[$i]);
$navigation .= "<a href=\"".$ME."?id=$course->id&amp;wdir=$link\">".$dirs[$i]."</a>";
}
- $fullnav = "<a href=\"".$ME."?id=$course->id&amp;wdir=/\">$strfiles</a> $navigation";
+ $fullnav = "<a href=\"".$ME."?id=$course->id&amp;wdir=/\">$strfiles</a> $navigation -> ".$dirs[$numdirs-1];
}
print_header();
@@ -70,10 +73,11 @@ function set_value(txt) {
</script>
<?php
+ $fullnav = str_replace('->', '&raquo;', "$course->shortname -> $fullnav");
echo '<table border="0" cellpadding="3" cellspacing="0" width="100%">';
echo '<tr>';
echo '<td bgcolor="'.$THEME->cellheading.'" class="navbar">';
- echo '<font size="2"><b>'."$course->shortname -> $fullnav".'</b></font>';
+ echo '<font size="2"><b>'.$fullnav.'</b></font>';
echo '</td>';
echo '</tr>';
echo '</table>';
@@ -96,32 +100,33 @@ function set_value(txt) {
// End of configuration and access control
- $regexp="\\.\\.";
- if (ereg( $regexp, $file, $regs )| ereg( $regexp, $wdir,$regs )) {
+ if (!$wdir) {
+ $wdir="/";
+ }
+
+ if (($wdir != '/' and detect_munged_arguments($wdir, 0))
+ or ($file != '' and detect_munged_arguments($file, 0))) {
$message = "Error: Directories can not contain \"..\"";
$wdir = "/";
$action = "";
}
- if (!$wdir) {
- $wdir="/";
- }
-
switch ($action) {
case "upload":
html_header($course, $wdir);
require_once($CFG->dirroot.'/lib/uploadlib.php');
- if (!empty($save)) {
+ if (!empty($save) and confirm_sesskey()) {
$um = new upload_manager('userfile',false,false,$course,false,0);
$dir = "$basedir$wdir";
if ($um->process_file_uploads($dir)) {
notify(get_string('uploadedfile'));
}
// um will take care of error reporting.
displaydir($wdir);
+
} else {
$upload_max_filesize = get_max_upload_file_size($CFG->maxbytes);
$filesize = display_size($upload_max_filesize);
@@ -138,6 +143,7 @@ function set_value(txt) {
echo " <input type=\"hidden\" name=\"id\" value=$id />";
echo " <input type=\"hidden\" name=\"wdir\" value=$wdir />";
echo " <input type=\"hidden\" name=\"action\" value=\"upload\" />";
+ echo " <input type=\"hidden\" name=\"sesskey\" value=\"$USER->sesskey\" />";
echo " </td><tr><td width=\"10\">";
echo " <input type=\"submit\" name=\"save\" value=\"$struploadthisfile\" />";
echo "</form>";
@@ -154,7 +160,7 @@ function set_value(txt) {
break;
case "delete":
- if (!empty($confirm)) {
+ if (!empty($confirm) and confirm_sesskey()) {
html_header($course, $wdir);
foreach ($USER->filelist as $file) {
$fullfile = $basedir.$file;
@@ -175,7 +181,7 @@ function set_value(txt) {
print_simple_box_end();
echo "<br />";
notice_yesno (get_string("deletecheckfiles"),
- "".basename($ME)."?id=$id&amp;wdir=$wdir&amp;action=delete&amp;confirm=1",
+ "".basename($ME)."?id=$id&amp;wdir=$wdir&amp;action=delete&amp;confirm=1&amp;sesskey=$USER->sesskey",
"".basename($ME)."?id=$id&amp;wdir=$wdir&amp;action=cancel");
} else {
displaydir($wdir);
@@ -186,7 +192,7 @@ function set_value(txt) {
case "move":
html_header($course, $wdir);
- if ($count = setfilelist($_POST)) {
+ if (($count = setfilelist($_POST)) and confirm_sesskey()) {
$USER->fileop = $action;
$USER->filesource = $wdir;
echo "<p align=\"center\">";
@@ -199,7 +205,7 @@ function set_value(txt) {
case "paste":
html_header($course, $wdir);
- if (isset($USER->fileop) and $USER->fileop == "move") {
+ if (isset($USER->fileop) and ($USER->fileop == "move") and confirm_sesskey()) {
foreach ($USER->filelist as $file) {
$shortfile = basename($file);
$oldfile = $basedir.$file;
@@ -215,10 +221,9 @@ function set_value(txt) {
break;
case "rename":
- if (!empty($name)) {
+ if (!empty($name) and confirm_sesskey()) {
html_header($course, $wdir);
$name = clean_filename($name);
- $oldname = clean_filename($oldname);
if (file_exists($basedir.$wdir."/".$name)) {
echo "Error: $name already exists!";
} else if (!rename($basedir.$wdir."/".$oldname, $basedir.$wdir."/".$name)) {
@@ -239,6 +244,7 @@ function set_value(txt) {
echo " <input type=\"hidden\" name=\"action\" value=\"rename\" />";
echo " <input type=\"hidden\" name=\"oldname\" value=\"$file\" />";
echo " <input type=\"text\" name=\"name\" size=\"35\" value=\"$file\" />";
+ echo " <input type=\"hidden\" name=\"sesskey\" value=\"$USER->sesskey\" />";
echo " <input type=\"submit\" value=\"$strrename\" />";
echo "</form>";
echo "</td><td>";
@@ -254,7 +260,7 @@ function set_value(txt) {
break;
case "mkdir":
- if (!empty($name)) {
+ if (!empty($name) and confirm_sesskey()) {
html_header($course, $wdir);
$name = clean_filename($name);
if (file_exists("$basedir$wdir/$name")) {
@@ -276,6 +282,7 @@ function set_value(txt) {
echo " <input type=\"hidden\" name=\"wdir\" value=$wdir />";
echo " <input type=\"hidden\" name=\"action\" value=\"mkdir\" />";
echo " <input type=\"text\" name=\"name\" size=\"35\" />";
+ echo " <input type=\"hidden\" name=\"sesskey\" value=\"$USER->sesskey\" />";
echo " <input type=\"submit\" value=\"$strcreate\" />";
echo "</form>";
echo "</td><td>";
@@ -292,7 +299,7 @@ function set_value(txt) {
case "edit":
html_header($course, $wdir);
- if (isset($text)) {
+ if (isset($text) and confirm_sesskey()) {
$fileptr = fopen($basedir.$file,"w");
fputs($fileptr, stripslashes($text));
fclose($fileptr);
@@ -324,6 +331,7 @@ function set_value(txt) {
echo " <input type=\"hidden\" name=\"wdir\" value=\"$wdir\" />";
echo " <input type=\"hidden\" name=\"file\" value=\"$file\" />";
echo " <input type=\"hidden\" name=\"action\" value=\"edit\" />";
+ echo " <input type=\"hidden\" name=\"sesskey\" value=\"$USER->sesskey\" />";
print_textarea($usehtmleditor, 25, 80, 680, 400, "text", $contents);
echo "</td></tr><tr><td>";
echo " <input type=\"submit\" value=\"".get_string("savechanges")."\" />";
@@ -347,7 +355,7 @@ function set_value(txt) {
break;
case "zip":
- if (!empty($name)) {
+ if (!empty($name) and confirm_sesskey()) {
html_header($course, $wdir);
$name = clean_filename($name);
@@ -399,7 +407,7 @@ function set_value(txt) {
case "unzip":
html_header($course, $wdir);
- if (!empty($file)) {
+ if (!empty($file) and confirm_sesskey()) {
$strok = get_string("ok");
$strunpacking = get_string("unpacking", "", $file);
@@ -426,7 +434,7 @@ function set_value(txt) {
case "listzip":
html_header($course, $wdir);
- if (!empty($file)) {
+ if (!empty($file) and confirm_sesskey()) {
$strname = get_string("name");
$strsize = get_string("size");
$strmodified = get_string("modified");
@@ -437,8 +445,8 @@ function set_value(txt) {
$file = basename($file);
include_once($CFG->libdir.'/pclzip/pclzip.lib.php');
- $archive = new PclZip("$basedir/$wdir/$file");
- if (!$list = $archive->listContent("$basedir/$wdir")) {
+ $archive = new PclZip(cleardoubleslashes("$basedir/$wdir/$file"));
+ if (!$list = $archive->listContent(cleardoubleslashes("$basedir/$wdir"))) {
notify($archive->errorInfo(true));
} else {
@@ -471,34 +479,6 @@ function set_value(txt) {
html_footer();
break;
- case "torte":
- if($_POST)
- {
- while(list($key, $val) = each($_POST))
- {
- if(ereg("file([0-9]+)", $key, $regs))
- {
- $file = $val;
- }
- }
- if(@filetype($CFG->dataroot ."/". $course->id . $file) == "file")
- {
- if(mimeinfo("icon", $file) == "image.gif")
- {
- $url = $CFG->wwwroot ."/file.php?file=/" .$course->id . $file;
- runjavascript($url);
- }
- else
- {
- print "File is not a image!";
- }
- }
- else
- {
- print "You cannot insert FOLDER into richtext editor!!!";
- }
- }
- break;
case "cancel";
clearfilelist();
@@ -555,7 +535,10 @@ function setfilelist($VARS) {
foreach ($VARS as $key => $val) {
if (substr($key,0,4) == "file") {
$count++;
- $USER->filelist[] = rawurldecode($val);
+ $val = rawurldecode($val);
+ if (!detect_munged_arguments($val, 0)) {
+ $USER->filelist[] = $val;
+ }
}
}
return $count;
@@ -667,7 +650,8 @@ function displaydir ($wdir) {
$filename = $fullpath."/".$dir;
$fileurl = rawurlencode($wdir."/".$dir);
$filesafe = rawurlencode($dir);
- $filedate = userdate(filectime($filename), "%d %b %Y, %I:%M %p");
+ $filesize = display_size(get_directory_size("$fullpath/$dir"));
+ $filedate = userdate(filemtime($filename), "%d %b %Y, %I:%M %p");
echo "<tr>";
@@ -692,7 +676,7 @@ function displaydir ($wdir) {
$fileurl = "$wdir/$file";
$filesafe = rawurlencode($file);
$fileurlsafe = rawurlencode($fileurl);
- $filedate = userdate(filectime($filename), "%d %b %Y, %I:%M %p");
+ $filedate = userdate(filemtime($filename), "%d %b %Y, %I:%M %p");
if (substr($fileurl,0,1) == '/') {
$selectfile = substr($fileurl,1);
@@ -726,8 +710,8 @@ function displaydir ($wdir) {
if ($icon == "text.gif" || $icon == "html.gif") {
$edittext .= "<a href=\"".basename($ME)."?id=$id&amp;wdir=$wdir&amp;file=$fileurl&amp;action=edit\">$stredit</a>";
} else if ($icon == "zip.gif") {
- $edittext .= "<a href=\"".basename($ME)."?id=$id&amp;wdir=$wdir&amp;file=$fileurl&amp;action=unzip\">$strunzip</a>&nbsp;";
- $edittext .= "<a href=\"".basename($ME)."?id=$id&amp;wdir=$wdir&amp;file=$fileurl&amp;action=listzip\">$strlist</a> ";
+ $edittext .= "<a href=\"".basename($ME)."?id=$id&amp;wdir=$wdir&amp;file=$fileurl&amp;action=unzip&amp;sesskey=$USER->sesskey\">$strunzip</a>&nbsp;";
+ $edittext .= "<a href=\"".basename($ME)."?id=$id&amp;wdir=$wdir&amp;file=$fileurl&amp;action=listzip&amp;sesskey=$USER->sesskey\">$strlist</a> ";
}
print_cell("right", "$edittext <a href=\"".basename($ME)."?id=$id&amp;wdir=$wdir&amp;file=$filesafe&amp;action=rename\">$strrename</a>");
@@ -746,6 +730,7 @@ function displaydir ($wdir) {
echo "<tr><td>";
echo "<input type=\"hidden\" name=\"id\" value=\"$id\" />";
echo "<input type=\"hidden\" name=\"wdir\" value=\"$wdir\" /> ";
+ echo "<input type=\"hidden\" name=\"sesskey\" value=\"$USER->sesskey\" />";
$options = array (
"move" => "$strmovetoanotherfolder",
"delete" => "$strdeletecompletely",
@@ -762,6 +747,7 @@ function displaydir ($wdir) {
echo " <input type=\"hidden\" name=\"id\" value=$id />";
echo " <input type=\"hidden\" name=\"wdir\" value=\"$wdir\" />";
echo " <input type=\"hidden\" name=\"action\" value=\"paste\" />";
+ echo " <input type=\"hidden\" name=\"sesskey\" value=\"$USER->sesskey\" />";
echo " <input type=\"submit\" value=\"$strmovefilestohere\" />";
echo "</form>";
}

0 comments on commit 23eb1cc

Please sign in to comment.