// Manage all uploaded files in a course file area
// This file is a hack to files/index.php that removes
-// the headers and adds some controls so that images
-// can be selected within the Richtext editor.
+// the headers and adds file selection capability
// All the Moodle-specific stuff is in this top section
// Configuration and access control occurs here.
require("../../config.php");
require("../../files/mimetypes.php");
- require_variable($id);
- optional_variable($file, "");
- optional_variable($wdir, "");
- optional_variable($action, "");
+ global $USER;
+
+ $id = required_param('id', PARAM_INT);
+ $file = optional_param('file', '', PARAM_PATH);
+ $wdir = optional_param('wdir', '', PARAM_PATH);
+ $action = optional_param('action', '', PARAM_ACTION);
+ $name = optional_param('name', '', PARAM_FILE);
+ $oldname = optional_param('oldname', '', PARAM_FILE);
if (! $course = get_record("course", "id", $id) ) {
error("That's an invalid course id");
require_login($course->id);
- if (! isteacher($course->id) ) {
- error("Only teachers can edit files");
+ if (! isteacheredit($course->id) ) {
+ error("You need to be a teacher with editing privileges");
}
function html_footer() {
$numdirs = count($dirs);
$link = "";
$navigation = "";
- for ($i=1; $i<$numdirs; $i++) {
+ for ($i=1; $i<$numdirs-1; $i++) {
$navigation .= " -> ";
$link .= "/".urlencode($dirs[$i]);
$navigation .= "<a href=\"".$ME."?id=$course->id&wdir=$link\">".$dirs[$i]."</a>";
}
- $fullnav = "<a href=\"".$ME."?id=$course->id&wdir=/\">$strfiles</a> $navigation";
+ $fullnav = "<a href=\"".$ME."?id=$course->id&wdir=/\">$strfiles</a> $navigation -> ".$dirs[$numdirs-1];
}
print_header();
</script>
<?php
+ $fullnav = str_replace('->', '»', "$course->shortname -> $fullnav");
echo '<table border="0" cellpadding="3" cellspacing="0" width="100%">';
echo '<tr>';
echo '<td bgcolor="'.$THEME->cellheading.'" class="navbar">';
- echo '<font size="2"><b>'."$course->shortname -> $fullnav".'</b></font>';
+ echo '<font size="2"><b>'.$fullnav.'</b></font>';
echo '</td>';
echo '</tr>';
echo '</table>';
// End of configuration and access control
- $regexp="\\.\\.";
- if (ereg( $regexp, $file, $regs )| ereg( $regexp, $wdir,$regs )) {
+ if (!$wdir) {
+ $wdir="/";
+ }
+
+ if (($wdir != '/' and detect_munged_arguments($wdir, 0))
+ or ($file != '' and detect_munged_arguments($file, 0))) {
$message = "Error: Directories can not contain \"..\"";
$wdir = "/";
$action = "";
}
- if (!$wdir) {
- $wdir="/";
- }
-
switch ($action) {
html_header($course, $wdir);
require_once($CFG->dirroot.'/lib/uploadlib.php');
- if (!empty($save)) {
+ if (!empty($save) and confirm_sesskey()) {
$um = new upload_manager('userfile',false,false,$course,false,0);
$dir = "$basedir$wdir";
if ($um->process_file_uploads($dir)) {
}
// um will take care of error reporting.
displaydir($wdir);
+
} else {
$upload_max_filesize = get_max_upload_file_size($CFG->maxbytes);
$filesize = display_size($upload_max_filesize);
echo " <input type=\"hidden\" name=\"id\" value=$id />";
echo " <input type=\"hidden\" name=\"wdir\" value=$wdir />";
echo " <input type=\"hidden\" name=\"action\" value=\"upload\" />";
+ echo " <input type=\"hidden\" name=\"sesskey\" value=\"$USER->sesskey\" />";
echo " </td><tr><td width=\"10\">";
echo " <input type=\"submit\" name=\"save\" value=\"$struploadthisfile\" />";
echo "</form>";
break;
case "delete":
- if (!empty($confirm)) {
+ if (!empty($confirm) and confirm_sesskey()) {
html_header($course, $wdir);
foreach ($USER->filelist as $file) {
$fullfile = $basedir.$file;
print_simple_box_end();
echo "<br />";
notice_yesno (get_string("deletecheckfiles"),
- "".basename($ME)."?id=$id&wdir=$wdir&action=delete&confirm=1",
+ "".basename($ME)."?id=$id&wdir=$wdir&action=delete&confirm=1&sesskey=$USER->sesskey",
"".basename($ME)."?id=$id&wdir=$wdir&action=cancel");
} else {
displaydir($wdir);
case "move":
html_header($course, $wdir);
- if ($count = setfilelist($_POST)) {
+ if (($count = setfilelist($_POST)) and confirm_sesskey()) {
$USER->fileop = $action;
$USER->filesource = $wdir;
echo "<p align=\"center\">";
case "paste":
html_header($course, $wdir);
- if (isset($USER->fileop) and $USER->fileop == "move") {
+ if (isset($USER->fileop) and ($USER->fileop == "move") and confirm_sesskey()) {
foreach ($USER->filelist as $file) {
$shortfile = basename($file);
$oldfile = $basedir.$file;
break;
case "rename":
- if (!empty($name)) {
+ if (!empty($name) and confirm_sesskey()) {
html_header($course, $wdir);
$name = clean_filename($name);
- $oldname = clean_filename($oldname);
if (file_exists($basedir.$wdir."/".$name)) {
echo "Error: $name already exists!";
} else if (!rename($basedir.$wdir."/".$oldname, $basedir.$wdir."/".$name)) {
echo " <input type=\"hidden\" name=\"action\" value=\"rename\" />";
echo " <input type=\"hidden\" name=\"oldname\" value=\"$file\" />";
echo " <input type=\"text\" name=\"name\" size=\"35\" value=\"$file\" />";
+ echo " <input type=\"hidden\" name=\"sesskey\" value=\"$USER->sesskey\" />";
echo " <input type=\"submit\" value=\"$strrename\" />";
echo "</form>";
echo "</td><td>";
break;
case "mkdir":
- if (!empty($name)) {
+ if (!empty($name) and confirm_sesskey()) {
html_header($course, $wdir);
$name = clean_filename($name);
if (file_exists("$basedir$wdir/$name")) {
echo " <input type=\"hidden\" name=\"wdir\" value=$wdir />";
echo " <input type=\"hidden\" name=\"action\" value=\"mkdir\" />";
echo " <input type=\"text\" name=\"name\" size=\"35\" />";
+ echo " <input type=\"hidden\" name=\"sesskey\" value=\"$USER->sesskey\" />";
echo " <input type=\"submit\" value=\"$strcreate\" />";
echo "</form>";
echo "</td><td>";
case "edit":
html_header($course, $wdir);
- if (isset($text)) {
+ if (isset($text) and confirm_sesskey()) {
$fileptr = fopen($basedir.$file,"w");
fputs($fileptr, stripslashes($text));
fclose($fileptr);
echo " <input type=\"hidden\" name=\"wdir\" value=\"$wdir\" />";
echo " <input type=\"hidden\" name=\"file\" value=\"$file\" />";
echo " <input type=\"hidden\" name=\"action\" value=\"edit\" />";
+ echo " <input type=\"hidden\" name=\"sesskey\" value=\"$USER->sesskey\" />";
print_textarea($usehtmleditor, 25, 80, 680, 400, "text", $contents);
echo "</td></tr><tr><td>";
echo " <input type=\"submit\" value=\"".get_string("savechanges")."\" />";
break;
case "zip":
- if (!empty($name)) {
+ if (!empty($name) and confirm_sesskey()) {
html_header($course, $wdir);
$name = clean_filename($name);
case "unzip":
html_header($course, $wdir);
- if (!empty($file)) {
+ if (!empty($file) and confirm_sesskey()) {
$strok = get_string("ok");
$strunpacking = get_string("unpacking", "", $file);
case "listzip":
html_header($course, $wdir);
- if (!empty($file)) {
+ if (!empty($file) and confirm_sesskey()) {
$strname = get_string("name");
$strsize = get_string("size");
$strmodified = get_string("modified");
$file = basename($file);
include_once($CFG->libdir.'/pclzip/pclzip.lib.php');
- $archive = new PclZip("$basedir/$wdir/$file");
- if (!$list = $archive->listContent("$basedir/$wdir")) {
+ $archive = new PclZip(cleardoubleslashes("$basedir/$wdir/$file"));
+ if (!$list = $archive->listContent(cleardoubleslashes("$basedir/$wdir"))) {
notify($archive->errorInfo(true));
} else {
html_footer();
break;
- case "torte":
- if($_POST)
- {
- while(list($key, $val) = each($_POST))
- {
- if(ereg("file([0-9]+)", $key, $regs))
- {
- $file = $val;
- }
- }
- if(@filetype($CFG->dataroot ."/". $course->id . $file) == "file")
- {
- if(mimeinfo("icon", $file) == "image.gif")
- {
- $url = $CFG->wwwroot ."/file.php?file=/" .$course->id . $file;
- runjavascript($url);
- }
- else
- {
- print "File is not a image!";
- }
- }
- else
- {
- print "You cannot insert FOLDER into richtext editor!!!";
- }
- }
- break;
case "cancel";
clearfilelist();
foreach ($VARS as $key => $val) {
if (substr($key,0,4) == "file") {
$count++;
- $USER->filelist[] = rawurldecode($val);
+ $val = rawurldecode($val);
+ if (!detect_munged_arguments($val, 0)) {
+ $USER->filelist[] = $val;
+ }
}
}
return $count;
$filename = $fullpath."/".$dir;
$fileurl = rawurlencode($wdir."/".$dir);
$filesafe = rawurlencode($dir);
- $filedate = userdate(filectime($filename), "%d %b %Y, %I:%M %p");
+ $filesize = display_size(get_directory_size("$fullpath/$dir"));
+ $filedate = userdate(filemtime($filename), "%d %b %Y, %I:%M %p");
echo "<tr>";
$fileurl = "$wdir/$file";
$filesafe = rawurlencode($file);
$fileurlsafe = rawurlencode($fileurl);
- $filedate = userdate(filectime($filename), "%d %b %Y, %I:%M %p");
+ $filedate = userdate(filemtime($filename), "%d %b %Y, %I:%M %p");
if (substr($fileurl,0,1) == '/') {
$selectfile = substr($fileurl,1);
if ($icon == "text.gif" || $icon == "html.gif") {
$edittext .= "<a href=\"".basename($ME)."?id=$id&wdir=$wdir&file=$fileurl&action=edit\">$stredit</a>";
} else if ($icon == "zip.gif") {
- $edittext .= "<a href=\"".basename($ME)."?id=$id&wdir=$wdir&file=$fileurl&action=unzip\">$strunzip</a> ";
- $edittext .= "<a href=\"".basename($ME)."?id=$id&wdir=$wdir&file=$fileurl&action=listzip\">$strlist</a> ";
+ $edittext .= "<a href=\"".basename($ME)."?id=$id&wdir=$wdir&file=$fileurl&action=unzip&sesskey=$USER->sesskey\">$strunzip</a> ";
+ $edittext .= "<a href=\"".basename($ME)."?id=$id&wdir=$wdir&file=$fileurl&action=listzip&sesskey=$USER->sesskey\">$strlist</a> ";
}
print_cell("right", "$edittext <a href=\"".basename($ME)."?id=$id&wdir=$wdir&file=$filesafe&action=rename\">$strrename</a>");
echo "<tr><td>";
echo "<input type=\"hidden\" name=\"id\" value=\"$id\" />";
echo "<input type=\"hidden\" name=\"wdir\" value=\"$wdir\" /> ";
+ echo "<input type=\"hidden\" name=\"sesskey\" value=\"$USER->sesskey\" />";
$options = array (
"move" => "$strmovetoanotherfolder",
"delete" => "$strdeletecompletely",
echo " <input type=\"hidden\" name=\"id\" value=$id />";
echo " <input type=\"hidden\" name=\"wdir\" value=\"$wdir\" />";
echo " <input type=\"hidden\" name=\"action\" value=\"paste\" />";
+ echo " <input type=\"hidden\" name=\"sesskey\" value=\"$USER->sesskey\" />";
echo " <input type=\"submit\" value=\"$strmovefilestohere\" />";
echo "</form>";
}
projects / moodle.git / commitdiff