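<?php
/**
 * Serves a file artefact to the browser once the access checks below pass.
 *
 * A file may be served when:
 *  - it (or one of its ancestor folders) is in a view the user can see, or it is
 *    attached to a comment viewable in that view;
 *  - it is in the site's admin public folder;
 *  - it is in the logged-in site menu and the user is logged in;
 *  - $USER->can_view_artefact() allows it;
 *  - it is an image attached to a forum post the user can see.
 * Every failed check throws AccessDeniedException.
 *
 * @package    mahara
 * @subpackage artefact-file
 * @author     Catalyst IT Ltd
 * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL version 3 or later
 * @copyright  For copyright information on Mahara, please see the README file distributed with this software.
 *
 */

define('INTERNAL', 1);
define('PUBLIC', 1);
require(dirname(dirname(dirname(__FILE__))) . '/init.php');
safe_require('artefact', 'file');
require_once('file.php');

$fileid  = param_integer('file');
$viewid  = param_integer('view', null);
$postid  = param_integer('post', null);
$size    = get_imagesize_parameters();
$forcedl = param_boolean('download');

$options = array();
if ($forcedl) {
    $options['forcedownload'] = true;
}
else {
    // Offer a "download" URL that repeats the current request (so view, post,
    // comment and image-size parameters are carried over) with download=1 added.
    // REQUEST_URI is client-supplied: keep only the part from this script onwards,
    // falling back to the whole URI when the script name is not present.
    $requesturi  = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
    $scriptpos   = strpos($requesturi, 'artefact/file/download.php');
    $relativeuri = ($scriptpos === false) ? $requesturi : substr($requesturi, $scriptpos);
    // Use '?' when the request carried no query string, otherwise the URL is malformed.
    $separator   = (strpos($relativeuri, '?') === false) ? '?' : '&';
    // NOTE(review): this URL echoes request data; serve_file() is expected to
    // escape it for the context it is emitted in — confirm.
    $options['downloadurl'] = get_config('wwwroot') . $relativeuri . $separator . 'download=1';
}

if ($viewid && $fileid) {
    $file      = artefact_instance_from_id($fileid);
    $ancestors = $file->get_item_ancestors();

    // The file is acceptable if it is in the view itself, or if one of its
    // ancestors is (e.g. a subdirectory of a folder artefact placed on the view).
    $artefactok = (bool)artefact_in_view($file, $viewid);
    if (!$artefactok && !empty($ancestors)) {
        foreach ($ancestors as $ancestorid) {
            $pathitem = artefact_instance_from_id($ancestorid);
            if (artefact_in_view($pathitem, $viewid)) {
                $artefactok = true;
                break;
            }
        }
    }

    // The user may be trying to download a file that's not in the view, but which has
    // been attached to public feedback on the view. The attachment must belong to
    // the named comment, and that comment must be viewable in this view.
    if ($commentid = param_integer('comment', null)) {
        if (!record_exists('artefact_attachment', 'artefact', $commentid, 'attachment', $fileid)) {
            throw new AccessDeniedException('');
        }
        safe_require('artefact', 'comment');
        $comment = new ArtefactTypeComment($commentid);
        if (!$comment->viewable_in($viewid)) {
            throw new AccessDeniedException('');
        }
    }
    else if (!$artefactok) {
        throw new AccessDeniedException('');
    }

    // Being in the view is not enough; the user must also be allowed to see the view.
    if (!can_view_view($viewid)) {
        throw new AccessDeniedException('');
    }

    if (!($file instanceof ArtefactTypeFile)) {
        throw new NotFoundException();
    }
}
else {
    // We just have a file ID
    $file = artefact_instance_from_id($fileid);
    if (!($file instanceof ArtefactTypeFile)) {
        throw new NotFoundException();
    }

    // If the file is in the public directory (site-owned, directly under the
    // admin public folder), it's fine to serve to anyone.
    $fileispublic = $file->get('institution') == 'mahara';
    $fileispublic = $fileispublic && (bool)get_field('artefact', 'id', 'id', $fileid, 'parent', ArtefactTypeFolder::admin_public_folder_id());

    if (!$fileispublic) {
        // If the file is in the logged in menu and the user is logged in then
        // they can view it
        $fileinloggedinmenu = $file->get('institution') == 'mahara';

        // Unless the 'sitefilesaccess' config is on, only top-level site files
        // (no parent folder) qualify via the menu.
        if (!get_config('sitefilesaccess')) {
            $fileinloggedinmenu = $fileinloggedinmenu && $file->get('parent') == null;
        }

        $fileinloggedinmenu = $fileinloggedinmenu && $USER->is_logged_in();
        $fileinloggedinmenu = $fileinloggedinmenu && record_exists('site_menu', 'file', $fileid, 'public', 0);

        if (!$fileinloggedinmenu) {
            // Alternatively, if you own the file or you are an admin, it should always work
            if (!$USER->can_view_artefact($file)) {

                // Last resort: images sitting in forum posts the user can see
                $visibleinpost = false;
                if ($postid && $file instanceof ArtefactTypeImage) {
                    safe_require('interaction', 'forum');
                    $visibleinpost = PluginInteractionForum::can_see_attached_file($file, $postid);
                }

                if (!$visibleinpost) {
                    throw new AccessDeniedException(get_string('accessdenied', 'error'));
                }
            }
        }
    }
}

// All checks passed: hand the file (possibly a resized image) to serve_file().
$path  = $file->get_path($size);
$title = $file->download_title();

if ($contenttype = $file->override_content_type()) {
    $options['overridecontenttype'] = $contenttype;
}
$options['owner'] = $file->get('owner');
serve_file($path, $title, $file->get('filetype'), $options);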