From 23eb1cc518d4f769c15f0d8108ce0eba949c6e7d Mon Sep 17 00:00:00 2001 From: skodak Date: Tue, 26 Oct 2004 19:25:53 +0000 Subject: [PATCH] merged from 14_STABLE - changes: * sesskey; * only editing teachers can use it; * time modified - used filemtime (consistency with files/index.php, better for Win32); * directory sizes shown; * removed unused "torte" action; * updated breadcrums (active folder not linked and »); * updated comments; * some other fixes from files/index.php. Please test, test, test. --- mod/resource/coursefiles.php | 114 +++++++++++++++-------------------- 1 file changed, 50 insertions(+), 64 deletions(-) diff --git a/mod/resource/coursefiles.php b/mod/resource/coursefiles.php index 78be442c66..9a0696d455 100644 --- a/mod/resource/coursefiles.php +++ b/mod/resource/coursefiles.php @@ -3,8 +3,7 @@ // Manage all uploaded files in a course file area // This file is a hack to files/index.php that removes -// the headers and adds some controls so that images -// can be selected within the Richtext editor. +// the headers and adds file selection capability // All the Moodle-specific stuff is in this top section // Configuration and access control occurs here. @@ -14,10 +13,14 @@ require("../../config.php"); require("../../files/mimetypes.php"); - require_variable($id); - optional_variable($file, ""); - optional_variable($wdir, ""); - optional_variable($action, ""); + global $USER; + + $id = required_param('id', PARAM_INT); + $file = optional_param('file', '', PARAM_PATH); + $wdir = optional_param('wdir', '', PARAM_PATH); + $action = optional_param('action', '', PARAM_ACTION); + $name = optional_param('name', '', PARAM_FILE); + $oldname = optional_param('oldname', '', PARAM_FILE); if (! $course = get_record("course", "id", $id) ) { error("That's an invalid course id"); 
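Review bot: The upload, delete and edit branches still test `$save`, `$confirm` and `$text` (hunks @@ -114, @@ -154 and @@ -292), but none of those three is declared in this parameter block, so they still arrive through register_globals while `$id`, `$file`, `$wdir`, `$action`, `$name` and `$oldname` no longer do. Declaring them next to the others, e.g. `$save = optional_param('save', '', PARAM_RAW); $confirm = optional_param('confirm', 0, PARAM_BOOL); $text = optional_param('text', null, PARAM_RAW);`, keeps the script working once register_globals is off and puts the whole request surface in one visible place (if this tree lacks PARAM_RAW or PARAM_BOOL, substitute the closest type it has). `global $USER;` at file scope is a no-op, because the script body already runs in global scope, and can be dropped.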
@@ -25,8 +28,8 @@ require_login($course->id); - if (! isteacher($course->id) ) { - error("Only teachers can edit files"); + if (! isteacheredit($course->id) ) { + error("You need to be a teacher with editing privileges"); } function html_footer() { @@ -50,12 +53,12 @@ $numdirs = count($dirs); $link = ""; $navigation = ""; - for ($i=1; $i<$numdirs; $i++) { + for ($i=1; $i<$numdirs-1; $i++) { $navigation .= " -> "; $link .= "/".urlencode($dirs[$i]); $navigation .= "id&wdir=$link\">".$dirs[$i].""; } - $fullnav = "id&wdir=/\">$strfiles $navigation"; + $fullnav = "id&wdir=/\">$strfiles $navigation -> ".$dirs[$numdirs-1]; } print_header(); @@ -70,10 +73,11 @@ ', '»', "$course->shortname -> $fullnav"); echo ''; echo ''; echo ''; echo ''; echo '
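Review bot: The new trailing breadcrumb `" -> ".$dirs[$numdirs-1]` writes the current directory name into the page without HTML escaping, and the `$dirs[$i]` in the loop above it has the same shape. Directory names originate inside the course file area, where mkdir runs them through clean_filename(), so the exposure is small, but escaping at the output point, `htmlspecialchars($dirs[$numdirs-1])`, removes the dependence on every writer of that area having filtered consistently. If `$wdir` can carry a trailing slash, the last element of the explode() is the empty string and the line prints a dangling ` -> `; a check on the last element would cover that. The `if` that encloses this block starts outside the hunk.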
'; @@ -96,17 +100,17 @@ // End of configuration and access control - $regexp="\\.\\."; - if (ereg( $regexp, $file, $regs )| ereg( $regexp, $wdir,$regs )) { + if (!$wdir) { + $wdir="/"; + } + + if (($wdir != '/' and detect_munged_arguments($wdir, 0)) + or ($file != '' and detect_munged_arguments($file, 0))) { $message = "Error: Directories can not contain \"..\""; $wdir = "/"; $action = ""; } - if (!$wdir) { - $wdir="/"; - } - switch ($action) { @@ -114,7 +118,7 @@ html_header($course, $wdir); require_once($CFG->dirroot.'/lib/uploadlib.php'); - if (!empty($save)) { + if (!empty($save) and confirm_sesskey()) { $um = new upload_manager('userfile',false,false,$course,false,0); $dir = "$basedir$wdir"; if ($um->process_file_uploads($dir)) { @@ -122,6 +126,7 @@ } // um will take care of error reporting. displaydir($wdir); + } else { $upload_max_filesize = get_max_upload_file_size($CFG->maxbytes); $filesize = display_size($upload_max_filesize); @@ -138,6 +143,7 @@ echo " "; echo " "; echo " "; + echo " sesskey\" />"; echo " "; echo " "; echo ""; @@ -154,7 +160,7 @@ break; case "delete": - if (!empty($confirm)) { + if (!empty($confirm) and confirm_sesskey()) { html_header($course, $wdir); foreach ($USER->filelist as $file) { $fullfile = $basedir.$file; @@ -175,7 +181,7 @@ print_simple_box_end(); echo "
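Review bot: When detect_munged_arguments() rejects `$wdir` or `$file`, the recovery block resets `$wdir` and `$action` but leaves `$file` holding the rejected value, and the message still mentions only directories although `$file` is now checked as well. Adding `$file = "";` beside `$wdir = "/";` makes the recovery state self-contained instead of relying on the blanked `$action` to keep the value out of every later branch, and the message could read `Error: Paths can not contain \"..\"`. Moving the `$wdir` default above the check is correct, since the check explicitly skips `/`.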
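Review bot: A failed `confirm_sesskey()` is indistinguishable from a missing form field here: `if (!empty($save) and confirm_sesskey())` just falls through to rendering the form again, and the same shape is used for delete (@@ -154), move (@@ -186), paste (@@ -199), rename (@@ -215), mkdir (@@ -254), edit (@@ -292), zip (@@ -347), unzip (@@ -399) and listzip (@@ -426). A rejected session key is worth surfacing rather than silently re-rendering, e.g. `if (!empty($save)) { if (!confirm_sesskey()) { error("Invalid session key"); } ... }`, so that a forged or stale request is reported to the user and shows up in the logs instead of looking like a no-op. The `case` label that opens this branch is outside the hunk.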
"; notice_yesno (get_string("deletecheckfiles"), - "".basename($ME)."?id=$id&wdir=$wdir&action=delete&confirm=1", + "".basename($ME)."?id=$id&wdir=$wdir&action=delete&confirm=1&sesskey=$USER->sesskey", "".basename($ME)."?id=$id&wdir=$wdir&action=cancel"); } else { displaydir($wdir); @@ -186,7 +192,7 @@ case "move": html_header($course, $wdir); - if ($count = setfilelist($_POST)) { + if (($count = setfilelist($_POST)) and confirm_sesskey()) { $USER->fileop = $action; $USER->filesource = $wdir; echo "

"; @@ -199,7 +205,7 @@ case "paste": html_header($course, $wdir); - if (isset($USER->fileop) and $USER->fileop == "move") { + if (isset($USER->fileop) and ($USER->fileop == "move") and confirm_sesskey()) { foreach ($USER->filelist as $file) { $shortfile = basename($file); $oldfile = $basedir.$file; @@ -215,10 +221,9 @@ break; case "rename": - if (!empty($name)) { + if (!empty($name) and confirm_sesskey()) { html_header($course, $wdir); $name = clean_filename($name); - $oldname = clean_filename($oldname); if (file_exists($basedir.$wdir."/".$name)) { echo "Error: $name already exists!"; } else if (!rename($basedir.$wdir."/".$oldname, $basedir.$wdir."/".$name)) { @@ -239,6 +244,7 @@ echo " "; echo " "; echo " "; + echo " sesskey\" />"; echo " "; echo ""; echo ""; @@ -254,7 +260,7 @@ break; case "mkdir": - if (!empty($name)) { + if (!empty($name) and confirm_sesskey()) { html_header($course, $wdir); $name = clean_filename($name); if (file_exists("$basedir$wdir/$name")) { @@ -276,6 +282,7 @@ echo " "; echo " "; echo " "; + echo " sesskey\" />"; echo " "; echo ""; echo ""; @@ -292,7 +299,7 @@ case "edit": html_header($course, $wdir); - if (isset($text)) { + if (isset($text) and confirm_sesskey()) { $fileptr = fopen($basedir.$file,"w"); fputs($fileptr, stripslashes($text)); fclose($fileptr); @@ -324,6 +331,7 @@ echo " "; echo " "; echo " "; + echo " sesskey\" />"; print_textarea($usehtmleditor, 25, 80, 680, 400, "text", $contents); echo ""; echo " "; @@ -347,7 +355,7 @@ break; case "zip": - if (!empty($name)) { + if (!empty($name) and confirm_sesskey()) { html_header($course, $wdir); $name = clean_filename($name); @@ -399,7 +407,7 @@ case "unzip": html_header($course, $wdir); - if (!empty($file)) { + if (!empty($file) and confirm_sesskey()) { $strok = get_string("ok"); $strunpacking = get_string("unpacking", "", $file); 
@@ -426,7 +434,7 @@ case "listzip": html_header($course, $wdir); - if (!empty($file)) { + if (!empty($file) and confirm_sesskey()) { $strname = get_string("name"); $strsize = get_string("size"); $strmodified = get_string("modified"); @@ -437,8 +445,8 @@ $file = basename($file); include_once($CFG->libdir.'/pclzip/pclzip.lib.php'); - $archive = new PclZip("$basedir/$wdir/$file"); - if (!$list = $archive->listContent("$basedir/$wdir")) { + $archive = new PclZip(cleardoubleslashes("$basedir/$wdir/$file")); + if (!$list = $archive->listContent(cleardoubleslashes("$basedir/$wdir"))) { notify($archive->errorInfo(true)); } else { @@ -471,34 +479,6 @@ html_footer(); break; - case "torte": - if($_POST) - { - while(list($key, $val) = each($_POST)) - { - if(ereg("file([0-9]+)", $key, $regs)) - { - $file = $val; - } - } - if(@filetype($CFG->dataroot ."/". $course->id . $file) == "file") - { - if(mimeinfo("icon", $file) == "image.gif") - { - $url = $CFG->wwwroot ."/file.php?file=/" .$course->id . $file; - runjavascript($url); - } - else - { - print "File is not a image!"; - } - } - else - { - print "You cannot insert FOLDER into richtext editor!!!"; - } - } - break; case "cancel"; clearfilelist(); @@ -555,7 +535,10 @@ function setfilelist($VARS) { foreach ($VARS as $key => $val) { if (substr($key,0,4) == "file") { $count++; - $USER->filelist[] = rawurldecode($val); + $val = rawurldecode($val); + if (!detect_munged_arguments($val, 0)) { + $USER->filelist[] = $val; + } } } return $count; @@ -667,7 +650,8 @@ function displaydir ($wdir) { $filename = $fullpath."/".$dir; $fileurl = rawurlencode($wdir."/".$dir); $filesafe = rawurlencode($dir); - $filedate = userdate(filectime($filename), "%d %b %Y, %I:%M %p"); + $filesize = display_size(get_directory_size("$fullpath/$dir")); + $filedate = userdate(filemtime($filename), "%d %b %Y, %I:%M %p"); echo ""; 
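Review bot: `$count++` still runs for every `file*` key, including the ones detect_munged_arguments() rejects, so the returned count can be non-zero while nothing was appended to `$USER->filelist`; a caller such as `if (($count = setfilelist($_POST)) and confirm_sesskey())` in the move hunk then enters the action with an empty selection. Incrementing inside the guard keeps the two in step: `if (!detect_munged_arguments($val, 0)) { $USER->filelist[] = $val; $count++; }`. A rejected name is also dropped silently; a `notify()` there would make tampered input visible to the user. The function's opening and the initialisation of `$count` are outside the hunk.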
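Review bot: `get_directory_size("$fullpath/$dir")` rebuilds a path that the line above already holds in `$filename`; passing `$filename` keeps one spelling of the path per row and matches the `filemtime($filename)` call beside it. If get_directory_size() walks the subtree, as its name suggests, every row of the listing now costs a recursive traversal, which is fine for typical course file areas but deserves a comment such as `// directory size is computed by walking the subtree on every listing`. The `displaydir()` loop this sits in starts and ends outside the hunk.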
@@ -692,7 +676,7 @@ function displaydir ($wdir) { $fileurl = "$wdir/$file"; $filesafe = rawurlencode($file); $fileurlsafe = rawurlencode($fileurl); - $filedate = userdate(filectime($filename), "%d %b %Y, %I:%M %p"); + $filedate = userdate(filemtime($filename), "%d %b %Y, %I:%M %p"); if (substr($fileurl,0,1) == '/') { $selectfile = substr($fileurl,1); @@ -726,8 +710,8 @@ function displaydir ($wdir) { if ($icon == "text.gif" || $icon == "html.gif") { $edittext .= "$stredit"; } else if ($icon == "zip.gif") { - $edittext .= "$strunzip "; - $edittext .= "$strlist "; + $edittext .= "sesskey\">$strunzip "; + $edittext .= "sesskey\">$strlist "; } print_cell("right", "$edittext $strrename"); @@ -746,6 +730,7 @@ function displaydir ($wdir) { echo ""; echo ""; echo " "; + echo "sesskey\" />"; $options = array ( "move" => "$strmovetoanotherfolder", "delete" => "$strdeletecompletely", @@ -762,6 +747,7 @@ function displaydir ($wdir) { echo " "; echo " "; echo " "; + echo " sesskey\" />"; echo " "; echo ""; } -- 2.39.5
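Review bot: The unzip and listzip links now carry `$USER->sesskey` in what appears to be a GET URL (the markup is stripped here, so this is inferred from `sesskey\">`), which means the key travels in Referer headers and in proxy and server logs for a state-changing action. listzip only reads the archive, so requiring the key there adds exposure without protecting anything; unzip does modify the file area and would be better served by a small POST form with the hidden `sesskey` field this commit already adds to the other forms. The `if ($icon == ...)` chain is otherwise unchanged, and the enclosing loop lies outside the hunk.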