
changes:

* sesskey;
* only editing teachers can use it;
* time modified - used filemtime (consistency with files/index.php, better for Win32);
* directory sizes shown;
* removed unused "torte" action;
* updated breadcrumbs (active folder not linked and »);
* updated comments;
* some other fixes from files/index.php.

Please test, test, test.
commit 5dcda7b86f57804b292e1a4043c70794bdf184bd 1 parent 1a8b956
skodak authored

Showing 1 changed file with 51 additions and 66 deletions. Show diff stats Hide diff stats

  1. +51 66 mod/resource/coursefiles.php
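--- a/mod/resource/coursefiles.php
+++ b/mod/resource/coursefiles.php
@@ -3,8 +3,7 @@
 // Manage all uploaded files in a course file area
 
 // This file is a hack to files/index.php that removes
-// the headers and adds some controls so that images
-// can be selected within the Richtext editor.
+// the headers and adds file selection capability
 
 // All the Moodle-specific stuff is in this top section
 // Configuration and access control occurs here.
@@ -14,10 +13,14 @@
 require("../../config.php");
 require("../../files/mimetypes.php");
 
-require_variable($id);
-optional_variable($file, "");
-optional_variable($wdir, "");
-optional_variable($action, "");
+global $USER;
+
+$id = required_param('id', PARAM_INT);
+$file = optional_param('file', '', PARAM_PATH);
+$wdir = optional_param('wdir', '', PARAM_PATH);
+$action = optional_param('action', '', PARAM_ACTION);
+$name = optional_param('name', '', PARAM_FILE);
+$oldname = optional_param('oldname', '', PARAM_FILE);
 
 if (! $course = get_record("course", "id", $id) ) {
 error("That's an invalid course id");
@@ -25,8 +28,8 @@
 
 require_login($course->id);
 
-if (! isteacher($course->id) ) {
-error("Only teachers can edit files");
+if (! isteacheredit($course->id) ) {
+error("You need to be a teacher with editing privileges");
 }
 
 function html_footer() {
@@ -54,12 +57,12 @@ function html_header($course, $wdir, $formfield=""){
 $numdirs = count($dirs);
 $link = "";
 $navigation = "";
-for ($i=1; $i<$numdirs; $i++) {
+for ($i=1; $i<$numdirs-1; $i++) {
 $navigation .= " -> ";
 $link .= "/".urlencode($dirs[$i]);
 $navigation .= "<a href=\"".$ME."?id=$course->id&wdir=$link\">".$dirs[$i]."</a>";
 }
-$fullnav = "<a href=\"".$ME."?id=$course->id&wdir=/\">$strfiles</a> $navigation";
+$fullnav = "<a href=\"".$ME."?id=$course->id&wdir=/\">$strfiles</a> $navigation -> ".$dirs[$numdirs-1];
 }
 
 print_header();
@@ -74,10 +77,11 @@ function set_value(txt) {
 </script>
 <?php
 
+$fullnav = str_replace('->', '&raquo;', "$course->shortname -> $fullnav");
 echo '<table border="0" cellpadding="3" cellspacing="0" width="100%">';
 echo '<tr>';
 echo '<td bgcolor="'.$THEME->cellheading.'" class="navbar">';
-echo '<font size="2"><b>'."$course->shortname -> $fullnav".'</b></font>';
+echo '<font size="2"><b>'.$fullnav.'</b></font>';
 echo '</td>';
 echo '</tr>';
 echo '</table>';
@@ -100,17 +104,17 @@ function set_value(txt) {
 // End of configuration and access control
 
 
-$regexp="\\.\\.";
-if (ereg( $regexp, $file, $regs )| ereg( $regexp, $wdir,$regs )) {
+if (!$wdir) {
+$wdir="/";
+}
+
+if (($wdir != '/' and detect_munged_arguments($wdir, 0))
+or ($file != '' and detect_munged_arguments($file, 0))) {
 $message = "Error: Directories can not contain \"..\"";
 $wdir = "/";
 $action = "";
 }
 
-if (!$wdir) {
-$wdir="/";
-}
-
 
 switch ($action) {
 
@@ -122,7 +126,7 @@ function set_value(txt) {
 } else {
 $save = false;
 }
-if (!empty($save)) {
+if (!empty($save) and confirm_sesskey()) {
 if (!is_uploaded_file($userfile['tmp_name']) or $userfile['size'] == 0) {
 notify(get_string("uploadnofilefound"));
 } else {
@@ -158,6 +162,7 @@ function set_value(txt) {
 echo " <INPUT TYPE=hidden NAME=id VALUE=$id>";
 echo " <INPUT TYPE=hidden NAME=wdir VALUE=$wdir>";
 echo " <INPUT TYPE=hidden NAME=action VALUE=upload>";
+echo " <input type=\"hidden\" name=\"sesskey\" value=\"$USER->sesskey\" />";
 echo " <INPUT NAME=\"userfile\" TYPE=\"file\" size=\"60\">";
 echo " </TD><TR><TD WIDTH=10>";
 echo " <INPUT TYPE=submit NAME=save VALUE=\"$struploadthisfile\">";
@@ -175,7 +180,7 @@ function set_value(txt) {
 break;
 
 case "delete":
-if (!empty($confirm)) {
+if (!empty($confirm) and confirm_sesskey()) {
 html_header($course, $wdir);
 foreach ($USER->filelist as $file) {
 $fullfile = $basedir.$file;
@@ -196,7 +201,7 @@ function set_value(txt) {
 print_simple_box_end();
 echo "<br />";
 notice_yesno (get_string("deletecheckfiles"),
-"".basename($ME)."?id=$id&wdir=$wdir&action=delete&confirm=1",
+"".basename($ME)."?id=$id&amp;wdir=$wdir&amp;action=delete&amp;confirm=1&amp;sesskey=$USER->sesskey",
 "".basename($ME)."?id=$id&wdir=$wdir&action=cancel");
 } else {
 displaydir($wdir);
@@ -207,7 +212,7 @@ function set_value(txt) {
 
 case "move":
 html_header($course, $wdir);
-if ($count = setfilelist($_POST)) {
+if (($count = setfilelist($_POST)) and confirm_sesskey()) {
 $USER->fileop = $action;
 $USER->filesource = $wdir;
 echo "<p align=center>";
@@ -220,7 +225,7 @@ function set_value(txt) {
 
 case "paste":
 html_header($course, $wdir);
-if (isset($USER->fileop) and $USER->fileop == "move") {
+if (isset($USER->fileop) and ($USER->fileop == "move") and confirm_sesskey()) {
 foreach ($USER->filelist as $file) {
 $shortfile = basename($file);
 $oldfile = $basedir.$file;
@@ -236,10 +241,9 @@ function set_value(txt) {
 break;
 
 case "rename":
-if (!empty($name)) {
+if (!empty($name) and confirm_sesskey()) {
 html_header($course, $wdir);
 $name = clean_filename($name);
-$oldname = clean_filename($oldname);
 if (file_exists($basedir.$wdir."/".$name)) {
 echo "Error: $name already exists!";
 } else if (!rename($basedir.$wdir."/".$oldname, $basedir.$wdir."/".$name)) {
@@ -260,6 +264,7 @@ function set_value(txt) {
 echo " <INPUT TYPE=hidden NAME=action VALUE=rename>";
 echo " <INPUT TYPE=hidden NAME=oldname VALUE=\"$file\">";
 echo " <INPUT TYPE=text NAME=name SIZE=35 VALUE=\"$file\">";
+echo " <input type=\"hidden\" name=\"sesskey\" value=\"$USER->sesskey\" />";
 echo " <INPUT TYPE=submit VALUE=\"$strrename\">";
 echo "</FORM>";
 echo "</TD><TD>";
@@ -275,7 +280,7 @@ function set_value(txt) {
 break;
 
 case "mkdir":
-if (!empty($name)) {
+if (!empty($name) and confirm_sesskey()) {
 html_header($course, $wdir);
 $name = clean_filename($name);
 if (file_exists("$basedir$wdir/$name")) {
@@ -297,6 +302,7 @@ function set_value(txt) {
 echo " <INPUT TYPE=hidden NAME=wdir VALUE=$wdir>";
 echo " <INPUT TYPE=hidden NAME=action VALUE=mkdir>";
 echo " <INPUT TYPE=text NAME=name SIZE=35>";
+echo " <input type=\"hidden\" name=\"sesskey\" value=\"$USER->sesskey\" />";
 echo " <INPUT TYPE=submit VALUE=\"$strcreate\">";
 echo "</FORM>";
 echo "</TD><TD>";
@@ -313,7 +319,7 @@ function set_value(txt) {
 
 case "edit":
 html_header($course, $wdir);
-if (isset($text)) {
+if (isset($text) and confirm_sesskey()) {
 $fileptr = fopen($basedir.$file,"w");
 fputs($fileptr, stripslashes($text));
 fclose($fileptr);
@@ -345,6 +351,7 @@ function set_value(txt) {
 echo " <INPUT TYPE=hidden NAME=wdir VALUE=\"$wdir\">";
 echo " <INPUT TYPE=hidden NAME=file VALUE=\"$file\">";
 echo " <INPUT TYPE=hidden NAME=action VALUE=edit>";
+echo " <input type=\"hidden\" name=\"sesskey\" value=\"$USER->sesskey\" />";
 print_textarea($usehtmleditor, 25, 80, 680, 400, "text", $contents);
 echo "</TD></TR><TR><TD>";
 echo " <INPUT TYPE=submit VALUE=\"".get_string("savechanges")."\">";
@@ -368,7 +375,7 @@ function set_value(txt) {
 break;
 
 case "zip":
-if (!empty($name)) {
+if (!empty($name) and confirm_sesskey()) {
 html_header($course, $wdir);
 $name = clean_filename($name);
 
@@ -400,6 +407,7 @@ function set_value(txt) {
 echo " <INPUT TYPE=hidden NAME=wdir VALUE=\"$wdir\">";
 echo " <INPUT TYPE=hidden NAME=action VALUE=zip>";
 echo " <INPUT TYPE=text NAME=name SIZE=35 VALUE=\"new.zip\">";
+echo " <input type=\"hidden\" name=\"sesskey\" value=\"$USER->sesskey\" />";
 echo " <INPUT TYPE=submit VALUE=\"".get_string("createziparchive")."\">";
 echo "</FORM>";
 echo "</TD><TD>";
@@ -420,7 +428,7 @@ function set_value(txt) {
 
 case "unzip":
 html_header($course, $wdir);
-if (!empty($file)) {
+if (!empty($file) and confirm_sesskey()) {
 $strok = get_string("ok");
 $strunpacking = get_string("unpacking", "", $file);
 
@@ -447,7 +455,7 @@ function set_value(txt) {
 
 case "listzip":
 html_header($course, $wdir);
-if (!empty($file)) {
+if (!empty($file) and confirm_sesskey()) {
 $strname = get_string("name");
 $strsize = get_string("size");
 $strmodified = get_string("modified");
@@ -458,8 +466,8 @@ function set_value(txt) {
 $file = basename($file);
 
 include_once($CFG->libdir.'/pclzip/pclzip.lib.php');
-$archive = new PclZip("$basedir/$wdir/$file");
-if (!$list = $archive->listContent("$basedir/$wdir")) {
+$archive = new PclZip(cleardoubleslashes("$basedir/$wdir/$file"));
+if (!$list = $archive->listContent(cleardoubleslashes("$basedir/$wdir"))) {
 notify($archive->errorInfo(true));
 
 } else {
@@ -492,34 +500,6 @@ function set_value(txt) {
 html_footer();
 break;
 
-case "torte":
-if($_POST)
-{
-while(list($key, $val) = each($_POST))
-{
-if(ereg("file([0-9]+)", $key, $regs))
-{
-$file = $val;
-}
-}
-if(@filetype($CFG->dataroot ."/". $course->id . $file) == "file")
-{
-if(mimeinfo("icon", $file) == "image.gif")
-{
-$url = $CFG->wwwroot ."/file.php?file=/" .$course->id . $file;
-runjavascript($url);
-}
-else
-{
-print "File is not a image!";
-}
-}
-else
-{
-print "You cannot insert FOLDER into richtext editor!!!";
-}
-}
-break;
 case "cancel";
 clearfilelist();
 
@@ -576,7 +556,10 @@ function setfilelist($VARS) {
 foreach ($VARS as $key => $val) {
 if (substr($key,0,4) == "file") {
 $count++;
-$USER->filelist[] = rawurldecode($val);
+$val = rawurldecode($val);
+if (!detect_munged_arguments($val, 0)) {
+$USER->filelist[] = $val;
+}
 }
 }
 return $count;
@@ -687,13 +670,13 @@ function displaydir ($wdir) {
 $filename = $fullpath."/".$dir;
 $fileurl = rawurlencode($wdir."/".$dir);
 $filesafe = rawurlencode($dir);
-$filedate = userdate(filectime($filename), "%d %b %Y, %I:%M %p");
-
+$filesize = display_size(get_directory_size("$fullpath/$dir"));
+$filedate = userdate(filemtime($filename), "%d %b %Y, %I:%M %p");
 echo "<TR>";
 
 print_cell("center", "<INPUT TYPE=checkbox NAME=\"file$count\" VALUE=\"$fileurl\">");
 print_cell("left", "<A HREF=\"".basename($ME)."?id=$id&wdir=$fileurl\"><IMG SRC=\"$CFG->pixpath/f/folder.gif\" HEIGHT=16 WIDTH=16 BORDER=0 ALT=\"Folder\"></A> <A HREF=\"".basename($ME)."?id=$id&wdir=$fileurl\">".htmlspecialchars($dir)."</A>");
-print_cell("right", "-");
+print_cell("right", "<b>$filesize</b>");
 print_cell("right", $filedate);
 print_cell("right", "<A HREF=\"".basename($ME)."?id=$id&wdir=$wdir&file=$filesafe&action=rename\">$strrename</A>");
 
@@ -713,7 +696,7 @@ function displaydir ($wdir) {
 $fileurl = "$wdir/$file";
 $filesafe = rawurlencode($file);
 $fileurlsafe = rawurlencode($fileurl);
-$filedate = userdate(filectime($filename), "%d %b %Y, %I:%M %p");
+$filedate = userdate(filemtime($filename), "%d %b %Y, %I:%M %p");
 
 if (substr($fileurl,0,1) == '/') {
 $selectfile = substr($fileurl,1);
@@ -747,8 +730,8 @@ function displaydir ($wdir) {
 if ($icon == "text.gif" || $icon == "html.gif") {
 $edittext .= "<a href=\"".basename($ME)."?id=$id&wdir=$wdir&file=$fileurl&action=edit\">$stredit</a>";
 } else if ($icon == "zip.gif") {
-$edittext .= "<a href=\"".basename($ME)."?id=$id&wdir=$wdir&file=$fileurl&action=unzip\">$strunzip</a>&nbsp;";
-$edittext .= "<a href=\"".basename($ME)."?id=$id&wdir=$wdir&file=$fileurl&action=listzip\">$strlist</a> ";
+$edittext .= "<a href=\"".basename($ME)."?id=$id&amp;wdir=$wdir&amp;file=$fileurl&amp;action=unzip&amp;sesskey=$USER->sesskey\">$strunzip</a>&nbsp;";
+$edittext .= "<a href=\"".basename($ME)."?id=$id&amp;wdir=$wdir&amp;file=$fileurl&amp;action=listzip&amp;sesskey=$USER->sesskey\">$strlist</a> ";
 }
 
 print_cell("right", "$edittext <A HREF=\"".basename($ME)."?id=$id&wdir=$wdir&file=$filesafe&action=rename\">$strrename</A>");
@@ -767,6 +750,7 @@ function displaydir ($wdir) {
 echo "<TR><TD>";
 echo "<INPUT TYPE=hidden NAME=id VALUE=\"$id\">";
 echo "<INPUT TYPE=hidden NAME=wdir VALUE=\"$wdir\"> ";
+echo "<input type=\"hidden\" name=\"sesskey\" value=\"$USER->sesskey\" />";
 $options = array (
 "move" => "$strmovetoanotherfolder",
 "delete" => "$strdeletecompletely",
@@ -783,6 +767,7 @@ function displaydir ($wdir) {
 echo " <INPUT TYPE=hidden NAME=id VALUE=$id>";
 echo " <INPUT TYPE=hidden NAME=wdir VALUE=\"$wdir\">";
 echo " <INPUT TYPE=hidden NAME=action VALUE=paste>";
+echo " <input type=\"hidden\" name=\"sesskey\" value=\"$USER->sesskey\" />";
 echo " <INPUT TYPE=submit VALUE=\"$strmovefilestohere\">";
 echo "</FORM>";
 }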
