MDL-33791 Portfolio: Fixed security issue with passing file paths.
[moodle.git] / mod / forum / discuss.php
CommitLineData
1adbd2c3 1<?php
501cdbd8 2
8f685009
SH
3// This file is part of Moodle - http://moodle.org/
4//
5// Moodle is free software: you can redistribute it and/or modify
6// it under the terms of the GNU General Public License as published by
7// the Free Software Foundation, either version 3 of the License, or
8// (at your option) any later version.
9//
10// Moodle is distributed in the hope that it will be useful,
11// but WITHOUT ANY WARRANTY; without even the implied warranty of
12// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13// GNU General Public License for more details.
14//
15// You should have received a copy of the GNU General Public License
16// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
17
18/**
19 * Displays a post, and all the posts below it.
20 * If no post is given, displays all posts in a discussion
21 *
22 * @package mod-forum
23 * @copyright 1999 onwards Martin Dougiamas {@link http://moodle.com}
24 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
25 */
501cdbd8 26
65bcf17b 27 require_once('../../config.php');
65bcf17b 28
83da3d28 29 $d = required_param('d', PARAM_INT); // Discussion ID
30 $parent = optional_param('parent', 0, PARAM_INT); // If set, then display this post and all children.
31 $mode = optional_param('mode', 0, PARAM_INT); // If set, changes the layout of the thread
32 $move = optional_param('move', 0, PARAM_INT); // If set, moves this discussion to another forum
87b0b499 33 $mark = optional_param('mark', '', PARAM_ALPHA); // Used for tracking read posts if user initiated.
83da3d28 34 $postid = optional_param('postid', 0, PARAM_INT); // Used for tracking read posts if user initiated.
501cdbd8 35
a6855934 36 $url = new moodle_url('/mod/forum/discuss.php', array('d'=>$d));
8a876913
SH
37 if ($parent !== 0) {
38 $url->param('parent', $parent);
39 }
8a876913 40 $PAGE->set_url($url);
d3558659 41
01d0aceb
SH
42 $discussion = $DB->get_record('forum_discussions', array('id' => $d), '*', MUST_EXIST);
43 $course = $DB->get_record('course', array('id' => $discussion->course), '*', MUST_EXIST);
44 $forum = $DB->get_record('forum', array('id' => $discussion->forum), '*', MUST_EXIST);
45 $cm = get_coursemodule_from_instance('forum', $forum->id, $course->id, false, MUST_EXIST);
68258534 46
bf553d9e 47 require_course_login($course, true, $cm);
50e07a49 48
4cabf99f 49 // move this down fix for MDL-6926
01d0aceb 50 require_once($CFG->dirroot.'/mod/forum/lib.php');
4cabf99f 51
bf0f06b1 52 $modcontext = context_module::instance($cm->id);
65bcf17b 53 require_capability('mod/forum:viewdiscussion', $modcontext, NULL, true, 'noviewdiscussionspermission', 'forum');
54
9e86f2e7
AD
55 if (!empty($CFG->enablerssfeeds) && !empty($CFG->forum_enablerssfeeds) && $forum->rsstype && $forum->rssarticles) {
56 require_once("$CFG->libdir/rsslib.php");
57
bf0f06b1 58 $rsstitle = format_string($course->shortname, true, array('context' => context_course::instance($course->id))) . ': %fullname%';
43b92251 59 rss_add_http_header($modcontext, 'mod_forum', $forum, $rsstitle);
9e86f2e7
AD
60 }
61
65bcf17b 62 if ($forum->type == 'news') {
49a0ba94 63 if (!($USER->id == $discussion->userid || (($discussion->timestart == 0
64 || $discussion->timestart <= time())
fbc21e82 65 && ($discussion->timeend == 0 || $discussion->timeend > time())))) {
12e57b92 66 print_error('invaliddiscussionid', 'forum', "$CFG->wwwroot/mod/forum/view.php?f=$forum->id");
fbc21e82 67 }
68ddf8bc 68 }
69
65bcf17b 70/// move discussion if requested
71 if ($move > 0 and confirm_sesskey()) {
a5f77de6 72 $return = $CFG->wwwroot.'/mod/forum/discuss.php?d='.$discussion->id;
65bcf17b 73
74 require_capability('mod/forum:movediscussions', $modcontext);
1fc49f00 75
65bcf17b 76 if ($forum->type == 'single') {
12e57b92 77 print_error('cannotmovefromsingleforum', 'forum', $return);
83da3d28 78 }
65bcf17b 79
4e445355 80 if (!$forumto = $DB->get_record('forum', array('id' => $move))) {
12e57b92 81 print_error('cannotmovetonotexist', 'forum', $return);
83da3d28 82 }
7c900d5d 83
5fad08b4
CF
84 if ($forumto->type == 'single') {
85 print_error('cannotmovetosingleforum', 'forum', $return);
86 }
87
65bcf17b 88 if (!$cmto = get_coursemodule_from_instance('forum', $forumto->id, $course->id)) {
12e57b92 89 print_error('cannotmovetonotfound', 'forum', $return);
65bcf17b 90 }
91
92 if (!coursemodule_visible_for_user($cmto)) {
12e57b92 93 print_error('cannotmovenotvisible', 'forum', $return);
1fc49f00 94 }
65bcf17b 95
bf0f06b1 96 require_capability('mod/forum:startdiscussion', context_module::instance($cmto->id));
ee8d825f 97
0faf6791 98 if (!forum_move_attachments($discussion, $forum->id, $forumto->id)) {
9146b979 99 echo $OUTPUT->notification("Errors occurred while moving attachment directories - check your file permissions");
65bcf17b 100 }
4e445355 101 $DB->set_field('forum_discussions', 'forum', $forumto->id, array('id' => $discussion->id));
102 $DB->set_field('forum_read', 'forumid', $forumto->id, array('discussionid' => $discussion->id));
65bcf17b 103 add_to_log($course->id, 'forum', 'move discussion', "discuss.php?d=$discussion->id", $discussion->id, $cmto->id);
104
105 require_once($CFG->libdir.'/rsslib.php');
01d0aceb 106 require_once($CFG->dirroot.'/mod/forum/rsslib.php');
65bcf17b 107
a74bea12
AD
108 // Delete the RSS files for the 2 forums to force regeneration of the feeds
109 forum_rss_delete_file($forum);
110 forum_rss_delete_file($forumto);
65bcf17b 111
e4c5abdc 112 redirect($return.'&moved=-1&sesskey='.sesskey());
1fc49f00 113 }
114
02c34fe1 115 add_to_log($course->id, 'forum', 'view discussion', "discuss.php?d=$discussion->id", $discussion->id, $cm->id);
501cdbd8 116
117 unset($SESSION->fromdiscussion);
118
279826e2 119 if ($mode) {
f2d042c4 120 set_user_preference('forum_displaymode', $mode);
279826e2 121 }
501cdbd8 122
acb50c1b 123 $displaymode = get_user_preferences('forum_displaymode', $CFG->forum_displaymode);
501cdbd8 124
e92ea3d8 125 if ($parent) {
65bcf17b 126 // If flat AND parent, then force nested display this time
127 if ($displaymode == FORUM_MODE_FLATOLDEST or $displaymode == FORUM_MODE_FLATNEWEST) {
128 $displaymode = FORUM_MODE_NESTED;
e92ea3d8 129 }
130 } else {
501cdbd8 131 $parent = $discussion->firstpost;
501cdbd8 132 }
133
11b0c469 134 if (! $post = forum_get_post_full($parent)) {
12e57b92 135 print_error("notexists", 'forum', "$CFG->wwwroot/mod/forum/view.php?f=$forum->id");
501cdbd8 136 }
137
c15b86dc 138
65bcf17b 139 if (!forum_user_can_view_post($post, $course, $cm, $forum, $discussion)) {
12e57b92 140 print_error('nopermissiontoview', 'forum', "$CFG->wwwroot/mod/forum/view.php?id=$forum->id");
f37da850 141 }
142
65bcf17b 143 if ($mark == 'read' or $mark == 'unread') {
90f4745c 144 if ($CFG->forum_usermarksread && forum_tp_can_track_forums($forum) && forum_tp_is_tracked($forum)) {
65bcf17b 145 if ($mark == 'read') {
90f4745c 146 forum_tp_add_read_record($USER->id, $postid);
65bcf17b 147 } else {
148 // unread
149 forum_tp_delete_read_records($USER->id, $postid);
150 }
151 }
152 }
cef1ce6a 153
6f1cc8d6 154 $searchform = forum_search_form($course);
39790bd8 155
01d0aceb
SH
156 $forumnode = $PAGE->navigation->find($cm->id, navigation_node::TYPE_ACTIVITY);
157 if (empty($forumnode)) {
158 $forumnode = $PAGE->navbar;
159 } else {
c89fa3fe 160 $forumnode->make_active();
87a462ea 161 }
01d0aceb 162 $node = $forumnode->add(format_string($discussion->name), new moodle_url('/mod/forum/discuss.php', array('d'=>$discussion->id)));
c89fa3fe 163 $node->display = false;
01d0aceb
SH
164 if ($node && $post->id != $discussion->firstpost) {
165 $node->add(format_string($post->subject), $PAGE->url);
166 }
167
15ca5e5e 168 $PAGE->set_title("$course->shortname: ".format_string($discussion->name));
169 $PAGE->set_heading($course->fullname);
170 $PAGE->set_button($searchform);
171 echo $OUTPUT->header();
c6d691dc 172
9197e147 173/// Check to see if groups are being used in this forum
174/// If so, make sure the current person is allowed to see this discussion
8b79a625 175/// Also, if we know they should be able to reply, then explicitly set $canreply for performance reasons
c6d691dc 176
8e18e1ec
PS
177 $canreply = forum_user_can_post($forum, $discussion, $USER, $cm, $course, $modcontext);
178 if (!$canreply and $forum->type !== 'news') {
179 if (isguestuser() or !isloggedin()) {
180 $canreply = true;
181 }
182 if (!is_enrolled($modcontext) and !is_viewing($modcontext)) {
183 // allow guests and not-logged-in to see the link - they are prompted to log in after clicking the link
184 // normal users with temporary guest access see this link too, they are asked to enrol instead
185 $canreply = enrol_selfenrol_available($course->id);
186 }
9197e147 187 }
188
c6d691dc 189/// Print the controls across the top
c00037cd 190 echo '<div class="discussioncontrols clearfix">';
c6d691dc 191
6708a1f5 192 if (!empty($CFG->enableportfolios) && has_capability('mod/forum:exportdiscussion', $modcontext)) {
24ba58ee 193 require_once($CFG->libdir.'/portfoliolib.php');
0d06b6fd 194 $button = new portfolio_add_button();
37743241 195 $button->set_callback_options('forum_portfolio_caller', array('discussionid' => $discussion->id), 'mod_forum');
f3cc571a
DM
196 $button = $button->to_html(PORTFOLIO_ADD_FULL_FORM, get_string('exportdiscussion', 'mod_forum'));
197 $buttonextraclass = '';
198 if (empty($button)) {
199 // no portfolio plugin available.
200 $button = '&nbsp;';
201 $buttonextraclass = ' noavailable';
202 }
203 echo html_writer::tag('div', $button, array('class' => 'discussioncontrol exporttoportfolio'.$buttonextraclass));
f357d2f8
DM
204 } else {
205 echo html_writer::tag('div', '&nbsp;', array('class'=>'discussioncontrol nullcontrol'));
10ae55f9 206 }
207
f357d2f8
DM
208 // groups selector not needed here
209 echo '<div class="discussioncontrol displaymode">';
210 forum_print_mode_form($discussion->id, $displaymode);
211 echo "</div>";
212
cef1ce6a 213 if ($forum->type != 'single'
214 && has_capability('mod/forum:movediscussions', $modcontext)) {
65bcf17b 215
f357d2f8 216 echo '<div class="discussioncontrol movediscussion">';
cef1ce6a 217 // Popup menu to move discussions to other forums. The discussion in a
218 // single discussion forum can't be moved.
65bcf17b 219 $modinfo = get_fast_modinfo($course);
220 if (isset($modinfo->instances['forum'])) {
65bcf17b 221 $forummenu = array();
5fad08b4
CF
222 // Check forum types and eliminate simple discussions.
223 $forumcheck = $DB->get_records('forum', array('course' => $course->id),'', 'id, type');
65bcf17b 224 foreach ($modinfo->instances['forum'] as $forumcm) {
ee8d825f 225 if (!$forumcm->uservisible || !has_capability('mod/forum:startdiscussion',
bf0f06b1 226 context_module::instance($forumcm->id))) {
65bcf17b 227 continue;
fcc69042 228 }
65bcf17b 229 $section = $forumcm->sectionnum;
71a56e08 230 $sectionname = get_section_name($course, $section);
f1a3e072 231 if (empty($forummenu[$section])) {
7487c856 232 $forummenu[$section] = array($sectionname => array());
f1a3e072 233 }
5fad08b4
CF
234 $forumidcompare = $forumcm->instance != $forum->id;
235 $forumtypecheck = $forumcheck[$forumcm->instance]->type !== 'single';
236 if ($forumidcompare and $forumtypecheck) {
f1a3e072 237 $url = "/mod/forum/discuss.php?d=$discussion->id&move=$forumcm->instance&sesskey=".sesskey();
7487c856 238 $forummenu[$section][$sectionname][$url] = format_string($forumcm->name);
1fc49f00 239 }
240 }
241 if (!empty($forummenu)) {
12a24e00 242 echo '<div class="movediscussionoption">';
15e48a1a
SM
243 $select = new url_select($forummenu, '',
244 array(''=>get_string("movethisdiscussionto", "forum")),
245 'forummenu', get_string('move'));
f1a3e072 246 echo $OUTPUT->render($select);
1fc49f00 247 echo "</div>";
248 }
249 }
12a24e00 250 echo "</div>";
1fc49f00 251 }
12a24e00
RW
252 echo '<div class="clearfloat">&nbsp;</div>';
253 echo "</div>";
1fc49f00 254
a4f495bf 255 if (!empty($forum->blockafter) && !empty($forum->blockperiod)) {
39790bd8 256 $a = new stdClass();
65bcf17b 257 $a->blockafter = $forum->blockafter;
a4f495bf 258 $a->blockperiod = get_string('secondstotime'.$forum->blockperiod);
9146b979 259 echo $OUTPUT->notification(get_string('thisforumisthrottled','forum',$a));
a4f495bf 260 }
261
0468976c 262 if ($forum->type == 'qanda' && !has_capability('mod/forum:viewqandawithoutposting', $modcontext) &&
bbbf2d40 263 !forum_user_has_posted($forum->id,$discussion->id,$USER->id)) {
9146b979 264 echo $OUTPUT->notification(get_string('qandanotify','forum'));
098d27d4 265 }
266
65bcf17b 267 if ($move == -1 and confirm_sesskey()) {
9146b979 268 echo $OUTPUT->notification(get_string('discussionmoved', 'forum', format_string($forum->name,true)));
8de14dc7 269 }
270
65bcf17b 271 $canrate = has_capability('mod/forum:rate', $modcontext);
272 forum_print_discussion($course, $cm, $forum, $discussion, $post, $displaymode, $canreply, $canrate);
c6d691dc 273
396fb912 274 echo $OUTPUT->footer();
65bcf17b 275
501cdbd8 276
1adbd2c3 277