Commit 7211a9fb authored by Richard Mansfield's avatar Richard Mansfield
parents 86ebc756 e0a92efd
......@@ -31,6 +31,7 @@ define('SUBMENUITEM', 'adminfiles');
require(dirname(dirname(dirname(__FILE__))) . '/init.php');
safe_require('artefact', 'file');
define('TITLE', get_string('adminfiles', 'admin'));
$copyright = get_field('site_content', 'content', 'name', 'uploadcopyright');
$wwwroot = get_config('wwwroot');
......
......@@ -29,6 +29,7 @@ define('ADMIN', 1);
define('MENUITEM', 'configsite');
define('SUBMENUITEM', 'sitemenu');
require(dirname(dirname(dirname(__FILE__))) . '/init.php');
define('TITLE', get_string('sitemenu', 'admin'));
$strings = array('edit','delete','update','cancel','add','name','unknownerror');
$adminstrings = array('confirmdeletemenuitem', 'deletefailed','deletingmenuitem','savingmenuitem',
......
......@@ -31,6 +31,7 @@ define('SUBMENUITEM', 'siteoptions');
require(dirname(dirname(dirname(__FILE__))) . '/init.php');
require_once('pieforms/pieform.php');
define('TITLE', get_string('siteoptions', 'admin'));
$langoptions = get_languages();
$themeoptions = get_themes();
......
......@@ -30,6 +30,7 @@ define('MENUITEM', 'configsite');
define('SUBMENUITEM', 'sitepages');
require(dirname(dirname(dirname(__FILE__))).'/init.php');
require_once('pieforms/pieform.php');
define('TITLE', get_string('sitepages', 'admin'));
$sitepages = get_records_array('site_content');
$pageoptions = array();
......
......@@ -26,6 +26,7 @@
define('INTERNAL', 1);
require(dirname(dirname(dirname(__FILE__))) . '/init.php');
require_once('file.php');
$uploadnumber = param_integer('uploadnumber');
$createid = param_variable('createid');
......
......@@ -25,14 +25,63 @@
*/
define('INTERNAL', 1);
define('PUBLIC', 1);
require(dirname(dirname(dirname(__FILE__))) . '/init.php');
safe_require('artefact', 'file');
require_once('artefact.php');
require_once('file.php');
$fileid = param_integer('file');
$viewid = param_integer('view', null);
if ($viewid && $fileid) {
if (!artefact_in_view($fileid, $viewid)) {
throw new UserException('Artefact ' . $fileid . ' is not in view ' . $viewid);
}
if (!can_view_view($viewid)) {
throw new AccessDeniedException();
}
$file = artefact_instance_from_id($fileid);
$path = $file->get_path();
$title = $file->get('title');
serve_file($path, $title);
}
// We just have a file ID
$file = artefact_instance_from_id($fileid);
$path = $file->get_path();
log_debug('just a file ID - checking permissions');
// If the file is in the public directory, it's fine to serve
$fileispublic = $file->get('parent') == ArtefactTypeFolder::admin_public_folder_id();
$fileispublic &= $file->get('adminfiles');
$fileispublic &= record_exists('site_menu', 'file', $fileid, 'public', 1);
if (!$fileispublic) {
log_debug('file is NOT in the public menu');
// If the file is in the logged in menu and the user is logged in then
// they can view it
$fileinloggedinmenu = $file->get('adminfiles');
$fileinloggedinmenu &= $file->get('parent') == null;
$fileinloggedinmenu &= record_exists('site_menu', 'file', $fileid, 'public', 0);
$fileinloggedinmenu &= $USER->is_logged_in();
if (!$fileinloggedinmenu) {
log_debug('file is NOT in logged in menu, or user is not logged in');
// Alternatively, if you own the file or you are an admin, it should always work
$fileisavailable = $USER->get('admin') || $file->get('owner') == $USER->get('id');
if (!$fileisavailable) {
log_debug('user does NOT own the file, or they are NOT an admin');
throw new AccessDeniedException();
}
}
}
log_debug('file permissions ok');
$path = $file->get_path();
$title = $file->get('title');
serve_file($path, $title);
serve_file($path, $title, array('lifetime' => 0) /* only for debugging */);
?>
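Review bot: The view branch's `serve_file($path, $title);` inside `if ($viewid && $fileid)` is not followed by `exit;`, so if the new serve_file returns after sending the body the script falls through into the file-ID-only checks and can throw AccessDeniedException after the content has already gone out; add `exit;` directly after that call unless serve_file is guaranteed to terminate the request (its new implementation is in a collapsed file, so that cannot be confirmed here). The final `serve_file($path, $title, array('lifetime' => 0) /* only for debugging */);` commits a debugging leftover that, if the new serve_file honours the option, disables client caching for every download — drop the third argument or gate it on a debug setting before merging. The `$fileispublic &= ...` and `$fileinloggedinmenu &= ...` chains use bitwise `&=` and loose `==` where `&&` and `===` state the intent; in particular `$file->get('parent') == null` is also true for `0` and `''`, which may or may not be what the logged-in-menu rule wants.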
......@@ -42,8 +42,13 @@ var grouplist = new TableRenderer(
'name',
'count',
function(r) {
var deleteLink = BUTTON({'type':'button', 'class': 'button'}, {$enc_delete});
var editLink = BUTTON({'type': 'button', 'class': 'button'}, {$enc_edit});
connect(editLink, 'onclick', function (e) {
e.stop();
window.location.href = 'edit.php?id=' + r.id;
});
var deleteLink = BUTTON({'type':'button', 'class': 'button'}, {$enc_delete});
connect(deleteLink, 'onclick', function (e) {
e.stop();
......@@ -64,13 +69,10 @@ var grouplist = new TableRenderer(
return TD(
null,
FORM(
{'action': 'edit.php?id=' + r.id, 'method': 'post'},
BUTTON({'type': 'submit', 'class': 'button'}, {$enc_edit}),
' ',
deleteLink
)
);
editLink,
' ',
deleteLink
)
}
]
);
......
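Review bot: `window.location.href = 'edit.php?id=' + r.id;` interpolates the row id straight into the URL; if `r.id` is always a server-issued integer this is fine, but otherwise it should be written as `'edit.php?id=' + encodeURIComponent(r.id)` — the removed FORM action had the same construction, so this is pre-existing rather than introduced here. Replacing the POST form with a plain GET navigation for the edit button is reasonable, since the delete button keeps its own handler. The enclosing TableRenderer callback begins before the first hunk and the `connect(deleteLink, ...)` body runs past it.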
......@@ -262,6 +262,14 @@ function handle_activity($activitytype, $data, $cron=false) {
}
$data->message = get_string('onartefact', 'activity')
. ' ' . $ainfo->title . ' ' . get_string('ownedby', 'activity');
/*
this query selects four different cases
1. user is watching the artefact directly
2. user is watching a parent artefact with recurse = on
3. user is watching a view with recurse = on; and:
a. artefact is directly associated with view
b. artefact is a child of an artefact associated with view
*/
$sql = '
SELECT DISTINCT u.*, p.method, ?||wa.view AS url
FROM ' . $prefix . 'usr u
......@@ -282,12 +290,7 @@ SELECT DISTINCT u.*, p.method, ?||wa.view AS url
ON va.artefact = pc.parent
JOIN ' . $prefix . 'usr_watchlist_view wv
ON va.view = wv.view
WHERE pc.artefact = ? AND wv.recurse = 1
UNION SELECT wv.usr AS uid, wv.view AS view
FROM ' . $prefix . 'view_artefact va
JOIN ' . $prefix . 'usr_watchlist_view wv
ON va.view = wv.view
WHERE va.artefact = ?
WHERE (pc.artefact = ? OR va.artefact = ?)AND wv.recurse = 1
) wa ON wa.uid = u.id
WHERE p.activity = ? OR p.activity IS NULL';
$values = array(get_config('wwwroot') . 'view/view.php?artefact='
......
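Review bot: Folding the direct-association case into `WHERE (pc.artefact = ? OR va.artefact = ?)AND wv.recurse = 1` changes what the old second UNION branch matched: that branch joined only view_artefact to usr_watchlist_view with no recurse condition, whereas the merged form requires `wv.recurse = 1` for directly associated artefacts too and, if the join to `pc` (`ON va.artefact = pc.parent`, join keyword above the hunk) is an inner join, only finds them when the artefact also has at least one row in `pc`. The new comment says case 3a is meant to require recurse, so the first effect looks intended, but the join constraint would silently drop watchers of artefacts that have no children; a LEFT JOIN to `pc`, or keeping the separate UNION branch, avoids that and is worth confirming against the join line outside the hunk. Minor: `?)AND` is missing a space. The `$values` array that binds these placeholders continues below the hunk.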
......@@ -678,5 +678,22 @@ class AccessDeniedException extends UserException {
}
}
/**
* Exception - Not found. Throw this if a user is trying to view something
* that doesn't exist
*/
class NotFoundException extends UserException {
public function strings() {
return array_merge(parent::strings(),
array('message' => 'The page you are looking for could not be found',
'title' => 'Not found'));
}
public function render_exception() {
header('HTTP/1.0 404 Not Found', true);
return parent::render_exception();
}
}
?>
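Review bot: `render_exception()` calls `header('HTTP/1.0 404 Not Found', true)` unconditionally; if any output has already been sent, header() only raises a warning and the response still leaves with status 200, so guard it with `if (!headers_sent())` and consider `$_SERVER['SERVER_PROTOCOL']` in place of the hard-coded `HTTP/1.0` so the status line matches the request protocol. The class docblock states the purpose, but neither method is documented; a one-line comment on render_exception such as `// Set a real 404 status so clients and caches do not treat the error page as a 200` would explain why it overrides the parent before delegating.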
......@@ -1348,18 +1348,4 @@ function get_dir_contents($directory) {
return $contents;
}
function serve_file($file, $filename) {
if (!file_exists($file)) {
header('HTTP/1.0 404 Not Found');
exit;
}
// Moodle security stuff went here...
require_once('file.php');
session_write_close(); // unlock session during fileserving
send_file($file, $filename);
}
?>
......@@ -1055,14 +1055,6 @@ table#installer {
.maincontent #filebrowser td a {
font-weight: bold;
}
.maincontent #filebrowser input {
background: url(../images/btn_short_short.gif) no-repeat;
width: 50px;
height: 18px;
padding: 0;
margin: 1px;
border: none;
}
.maincontent #uploader #uploadform table th,
.maincontent #uploader #uploadform table td,
.maincontent #myfiles #createfolderform table th,
......