-
Notifications
You must be signed in to change notification settings - Fork 4
/
file.php
86 lines (71 loc) · 2.9 KB
/
file.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
<?php
// This script fetches files from the dataroot/questionattempt directory
// It is based on the top-level file.php
//
// On a module-by-module basis (currently only implemented for quiz), it checks
// whether the user has permission to view the file.
//
// Syntax: question/file.php/attemptid/questionid/filename.ext
// Workaround: question/file.php?file=/attemptid/questionid/filename.ext
// disable moodle specific debug messages and any errors in output
define('NO_DEBUG_DISPLAY', true);
require_once('../config.php');
require_once('../lib/filelib.php');
$relativepath = get_file_argument();
// force download for any student-submitted files to prevent XSS attacks.
$forcedownload = 1;
// relative path must start with '/', because of backup/restore!!!
if (!$relativepath) {
print_error('invalidarguments');
} else if ($relativepath{0} != '/') {
print_error('pathdoesnotstartslash');
}
$pathname = $CFG->dataroot.'/questionattempt'.$relativepath;
// extract relative path components
$args = explode('/', trim($relativepath, '/'));
// check for the right number of directories in the path
if (count($args) != 3) {
print_error('invalidarguments');
}
// security: require login
require_login();
// security: do not return directory node!
if (is_dir($pathname)) {
question_attempt_not_found();
}
$lifetime = 0; // do not cache because students may reupload files
// security: check that the user has permission to access this file
$haspermission = false;
if ($attempt = $DB->get_record("question_attempts", array("id" => $args[0]))) {
$modfile = $CFG->dirroot .'/mod/'. $attempt->modulename .'/lib.php';
$modcheckfileaccess = $attempt->modulename .'_check_file_access';
if (file_exists($modfile)) {
@require_once($modfile);
if (function_exists($modcheckfileaccess)) {
$haspermission = $modcheckfileaccess($args[0], $args[1]);
}
}
} else if ($args[0][0] == 0) {
global $USER;
$list = explode('_', $args[0]);
if ($list[1] == $USER->id) {
$haspermission = true;
}
}
if ($haspermission) {
// check that file exists
if (!file_exists($pathname)) {
question_attempt_not_found();
}
// send the file
session_get_instance()->write_close(); // unlock session during fileserving
$filename = $args[count($args)-1];
send_file($pathname, $filename, $lifetime, $CFG->filteruploadedfiles, false, $forcedownload);
} else {
question_attempt_not_found();
}
function question_attempt_not_found() {
global $CFG;
header('HTTP/1.0 404 not found');
print_error('filenotfound', 'error', $CFG->wwwroot); //this is not displayed on IIS??
}