[moodle.git] / pluginfile.php

<?php  // $Id$

    require_once('config.php');
    require_once('lib/filelib.php');

    // disable moodle specific debug messages
    disable_debugging();

    $relativepath = get_file_argument();
    $forcedownload = optional_param('forcedownload', 0, PARAM_BOOL);

    // relative path must start with '/'
    if (!$relativepath) {
        print_error('invalidargorconf');
    } else if ($relativepath{0} != '/') {
        print_error('pathdoesnotstartslash');
    }

    // extract relative path components
    $args = explode('/', ltrim($relativepath, '/'));

    if (count($args) == 0) { // always at least user id
        print_error('invalidarguments');
    }

    $contextid = (int)array_shift($args);
    $filearea = array_shift($args);

    $context = get_context_instance_by_id($contextid);
    $fs = get_file_storage();


    if ($context->contextlevel == CONTEXT_SYSTEM) {
        if ($filearea === 'blog') {

            if (empty($CFG->bloglevel)) {
                print_error('siteblogdisable', 'blog');
            }
            if ($CFG->bloglevel < BLOG_GLOBAL_LEVEL) {
                require_login();
                if (isguestuser()) {
                    print_error('noguest');
                }
                if ($CFG->bloglevel == BLOG_USER_LEVEL) {
                    if ($USER->id != $entry->userid) {
                        send_file_not_found();
                    }
                }
            }
            $entryid = (int)array_shift($args);
            if (!$entry = $DB->get_record('post', array('module'=>'blog', 'id'=>$entryid))) {
                send_file_not_found();
            }
            if ('publishstate' === 'public') {
                if ($CFG->forcelogin) {
                    require_login();
                }

            } else if ('publishstate' === 'site') {
                require_login();
                //ok
            } else if ('publishstate' === 'draft') {
                require_login();
                if ($USER->id != $entry->userid) {
                    send_file_not_found();
                }
            }

            //TODO: implement shared course and shared group access

            $relativepath = '/'.implode('/', $args);
            $fullpath = $context->id.'blog'.$entryid.$relativepath;

            if (!$file = $fs->get_file_by_hash(sha1($fullpath)) or $file->is_directory()) {
                send_file_not_found();
            }

            send_stored_file($file, 10*60, 0, true); // download MUST be forced - security!

        } else {
            send_file_not_found();
        }


    } else if ($context->contextlevel == CONTEXT_USER) {
        send_file_not_found();


    } else if ($context->contextlevel == CONTEXT_COURSECAT) {
        if ($filearea !== 'coursecat_intro') {
            send_file_not_found();
        }

        if ($CFG->forcelogin) {
            // no login necessary - unless login forced everywhere
            require_login();
        }

        $relativepath = '/'.implode('/', $args);
        $fullpath = $context->id.'coursecat_intro0'.$relativepath;

        if (!$file = $fs->get_file_by_hash(sha1($fullpath)) or $file->get_filename() == '.') {
            send_file_not_found();
        }

        session_get_instance()->write_close(); // unlock session during fileserving
        send_stored_file($file, 60*60, 0, $forcedownload);


    } else if ($context->contextlevel == CONTEXT_COURSE) {
        if (!$course = $DB->get_record('course', array('id'=>$context->instanceid))) {
            print_error('invalidcourseid');
        }

        if ($filearea === 'course_backup') {
            require_login($course);
            require_capability('moodle/site:backupdownload', $context);

            $relativepath = '/'.implode('/', $args);
            $fullpath = $context->id.'course_backup0'.$relativepath;

            if (!$file = $fs->get_file_by_hash(sha1($fullpath)) or $file->is_directory()) {
                send_file_not_found();
            }

            session_get_instance()->write_close(); // unlock session during fileserving
            send_stored_file($file, 0, 0, true);

        } else if ($filearea === 'course_intro') {
            if ($CFG->forcelogin) {
                require_login();
            }

            $relativepath = '/'.implode('/', $args);
            $fullpath = $context->id.'course_intro0'.$relativepath;

            if (!$file = $fs->get_file_by_hash(sha1($fullpath)) or $file->is_directory()) {
                send_file_not_found();
            }

            session_get_instance()->write_close(); // unlock session during fileserving
            send_stored_file($file, 60*60, 0, false); // TODO: change timeout?

        } else if ($filearea === 'course_section') {
            if ($CFG->forcelogin) {
                require_login($course);
            } else if ($course->id !== SITEID) {
                require_login($course);
            }

            $sectionid = (int)array_shift($args);

            if ($course->numsections < $sectionid) {
                if (!has_capability('moodle/course:update', $context)) {
                    // disable access to invisible sections if can not edit course
                    // this is going to break some ugly hacks, but is necessary
                    send_file_not_found();
                }
            }

            $relativepath = '/'.implode('/', $args);
            $fullpath = $context->id.'course_section'.$sectionid.$relativepath;

            if (!$file = $fs->get_file_by_hash(sha1($fullpath)) or $file->is_directory()) {
                send_file_not_found();
            }

            session_get_instance()->write_close(); // unlock session during fileserving
            send_stored_file($file, 60*60, 0, false); // TODO: change timeout?

        } else if ($filearea === 'user_profile') {
            $userid = (int)array_shift($args);
            $usercontext = get_context_instance(CONTEXT_USER, $userid);

            if (!empty($CFG->forceloginforprofiles)) {
                require_login();
                if (isguestuser()) {
                    print_error('noguest');
                }

                if (!isteacherinanycourse()
                    and !isteacherinanycourse($userid)
                    and !has_capability('moodle/user:viewdetails', $usercontext)) {
                    print_error('usernotavailable');
                }
                if (!has_capability('moodle/user:viewdetails', $context) &&
                    !has_capability('moodle/user:viewdetails', $usercontext)) {
                    print_error('cannotviewprofile');
                }
                if (!has_capability('moodle/course:view', $context, $userid, false)) {
                    print_error('notenrolledprofile');
                }
                if (groups_get_course_groupmode($course) == SEPARATEGROUPS and !has_capability('moodle/site:accessallgroups', $context)) {
                    print_error('groupnotamember');
                }
            }

            $relativepath = '/'.implode('/', $args);
            $fullpath = $usercontext->id.'user_profile0'.$relativepath;

            if (!$file = $fs->get_file_by_hash(sha1($fullpath)) or $file->is_directory()) {
                send_file_not_found();
            }

            session_get_instance()->write_close(); // unlock session during fileserving
            send_stored_file($file, 0, 0, true); // must force download - security!

        } else {
            send_file_not_found();
        }

    } else if ($context->contextlevel == CONTEXT_MODULE) {

        if (!$coursecontext = get_context_instance_by_id(get_parent_contextid($context))) {
            send_file_not_found();
        }

        if (!$course = $DB->get_record('course', array('id'=>$coursecontext->instanceid))) {
            send_file_not_found();
        }
        $modinfo = get_fast_modinfo($course);
        if (empty($modinfo->cms[$context->instanceid])) {
            send_file_not_found();
        }

        $cminfo = $modinfo->cms[$context->instanceid];
        $modname = $cminfo->modname;
        $libfile = "$CFG->dirroot/mod/$modname/lib.php";
        if (!file_exists($libfile)) {
            send_file_not_found();
        }

        require_once($libfile);
        if ($filearea === $modname.'_intro') {
            if (!plugin_supports('mod', $modname, FEATURE_MOD_INTRO, true)) {
                send_file_not_found();
            }
            if (!$cminfo->uservisible) {
                send_file_not_found();
            }
            // all users may access it
            $relativepath = '/'.implode('/', $args);
            $fullpath = $context->id.$filearea.'0'.$relativepath;
            
            $fs = get_file_storage();
            if (!$file = $fs->get_file_by_hash(sha1($fullpath)) or $file->is_directory()) {
                send_file_not_found();
            }
            
            $lifetime = isset($CFG->filelifetime) ? $CFG->filelifetime : 86400;
    
            // finally send the file
            send_stored_file($file, $lifetime, 0);
        }

        $filefunction = $modname.'_pluginfile';
        if (function_exists($filefunction)) {
            if ($filefunction($course, $cminfo, $context, $filearea, $args) !== false) {
                die;
            }
        }

    } else if ($context->contextlevel == CONTEXT_BLOCK) {
        //not supported yet
        send_file_not_found();


    } else {
        send_file_not_found();
    }
Commit	Line	Data
172dd12c	1	<?php // $Id$
	2
	3	require_once('config.php');
	4	require_once('lib/filelib.php');
	5
	6	// disable moodle specific debug messages
	7	disable_debugging();
	8
11e7b506	9	$relativepath = get_file_argument();
172dd12c	10	$forcedownload = optional_param('forcedownload', 0, PARAM_BOOL);
	11
	12	// relative path must start with '/'
	13	if (!$relativepath) {
	14	print_error('invalidargorconf');
	15	} else if ($relativepath{0} != '/') {
	16	print_error('pathdoesnotstartslash');
	17	}
	18
	19	// extract relative path components
	20	$args = explode('/', ltrim($relativepath, '/'));
	21
	22	if (count($args) == 0) { // always at least user id
	23	print_error('invalidarguments');
	24	}
	25
	26	$contextid = (int)array_shift($args);
	27	$filearea = array_shift($args);
	28
	29	$context = get_context_instance_by_id($contextid);
	30	$fs = get_file_storage();
	31
	32
	33	if ($context->contextlevel == CONTEXT_SYSTEM) {
	34	if ($filearea === 'blog') {
	35
	36	if (empty($CFG->bloglevel)) {
	37	print_error('siteblogdisable', 'blog');
	38	}
	39	if ($CFG->bloglevel < BLOG_GLOBAL_LEVEL) {
	40	require_login();
	41	if (isguestuser()) {
	42	print_error('noguest');
	43	}
	44	if ($CFG->bloglevel == BLOG_USER_LEVEL) {
	45	if ($USER->id != $entry->userid) {
9e5fa330	46	send_file_not_found();
172dd12c	47	}
	48	}
	49	}
	50	$entryid = (int)array_shift($args);
	51	if (!$entry = $DB->get_record('post', array('module'=>'blog', 'id'=>$entryid))) {
9e5fa330	52	send_file_not_found();
172dd12c	53	}
	54	if ('publishstate' === 'public') {
	55	if ($CFG->forcelogin) {
	56	require_login();
	57	}
	58
	59	} else if ('publishstate' === 'site') {
	60	require_login();
	61	//ok
	62	} else if ('publishstate' === 'draft') {
	63	require_login();
	64	if ($USER->id != $entry->userid) {
9e5fa330	65	send_file_not_found();
172dd12c	66	}
	67	}
	68
	69	//TODO: implement shared course and shared group access
	70
	71	$relativepath = '/'.implode('/', $args);
	72	$fullpath = $context->id.'blog'.$entryid.$relativepath;
	73
	74	if (!$file = $fs->get_file_by_hash(sha1($fullpath)) or $file->is_directory()) {
9e5fa330	75	send_file_not_found();
172dd12c	76	}
172dd12c	77
6c0d09ee	78	send_stored_file($file, 10*60, 0, true); // download MUST be forced - security!
172dd12c	79
172dd12c	80	} else {
9e5fa330	81	send_file_not_found();
172dd12c	82	}
	83
	84
	85	} else if ($context->contextlevel == CONTEXT_USER) {
9e5fa330	86	send_file_not_found();
172dd12c	87
	88
	89	} else if ($context->contextlevel == CONTEXT_COURSECAT) {
106f3b67	90	if ($filearea !== 'coursecat_intro') {
9e5fa330	91	send_file_not_found();
172dd12c	92	}
	93
	94	if ($CFG->forcelogin) {
	95	// no login necessary - unless login forced everywhere
	96	require_login();
	97	}
	98
	99	$relativepath = '/'.implode('/', $args);
106f3b67	100	$fullpath = $context->id.'coursecat_intro0'.$relativepath;
172dd12c	101
172dd12c	102	if (!$file = $fs->get_file_by_hash(sha1($fullpath)) or $file->get_filename() == '.') {
9e5fa330	103	send_file_not_found();
172dd12c	104	}
172dd12c	105
56949c17	106	session_get_instance()->write_close(); // unlock session during fileserving
172dd12c	107	send_stored_file($file, 60*60, 0, $forcedownload);
	108
	109
	110	} else if ($context->contextlevel == CONTEXT_COURSE) {
172dd12c	111	if (!$course = $DB->get_record('course', array('id'=>$context->instanceid))) {
	112	print_error('invalidcourseid');
	113	}
	114
106f3b67	115	if ($filearea === 'course_backup') {
172dd12c	116	require_login($course);
172dd12c	117	require_capability('moodle/site:backupdownload', $context);
106f3b67	118
	119	$relativepath = '/'.implode('/', $args);
	120	$fullpath = $context->id.'course_backup0'.$relativepath;
	121
	122	if (!$file = $fs->get_file_by_hash(sha1($fullpath)) or $file->is_directory()) {
	123	send_file_not_found();
	124	}
	125
56949c17	126	session_get_instance()->write_close(); // unlock session during fileserving
106f3b67	127	send_stored_file($file, 0, 0, true);
	128
	129	} else if ($filearea === 'course_intro') {
172dd12c	130	if ($CFG->forcelogin) {
	131	require_login();
	132	}
172dd12c	133
106f3b67	134	$relativepath = '/'.implode('/', $args);
106f3b67	135	$fullpath = $context->id.'course_intro0'.$relativepath;
172dd12c	136
106f3b67	137	if (!$file = $fs->get_file_by_hash(sha1($fullpath)) or $file->is_directory()) {
	138	send_file_not_found();
	139	}
172dd12c	140
56949c17	141	session_get_instance()->write_close(); // unlock session during fileserving
3156b8ca	142	send_stored_file($file, 60*60, 0, false); // TODO: change timeout?
	143
	144	} else if ($filearea === 'course_section') {
	145	if ($CFG->forcelogin) {
	146	require_login($course);
	147	} else if ($course->id !== SITEID) {
	148	require_login($course);
	149	}
	150
	151	$sectionid = (int)array_shift($args);
	152
	153	if ($course->numsections < $sectionid) {
	154	if (!has_capability('moodle/course:update', $context)) {
	155	// disable access to invisible sections if can not edit course
	156	// this is going to break some ugly hacks, but is necessary
	157	send_file_not_found();
	158	}
	159	}
	160
	161	$relativepath = '/'.implode('/', $args);
	162	$fullpath = $context->id.'course_section'.$sectionid.$relativepath;
	163
	164	if (!$file = $fs->get_file_by_hash(sha1($fullpath)) or $file->is_directory()) {
	165	send_file_not_found();
	166	}
	167
	168	session_get_instance()->write_close(); // unlock session during fileserving
106f3b67	169	send_stored_file($file, 60*60, 0, false); // TODO: change timeout?
172dd12c	170
106f3b67	171	} else if ($filearea === 'user_profile') {
	172	$userid = (int)array_shift($args);
	173	$usercontext = get_context_instance(CONTEXT_USER, $userid);
	174
	175	if (!empty($CFG->forceloginforprofiles)) {
	176	require_login();
	177	if (isguestuser()) {
	178	print_error('noguest');
	179	}
	180
	181	if (!isteacherinanycourse()
	182	and !isteacherinanycourse($userid)
	183	and !has_capability('moodle/user:viewdetails', $usercontext)) {
	184	print_error('usernotavailable');
	185	}
	186	if (!has_capability('moodle/user:viewdetails', $context) &&
	187	!has_capability('moodle/user:viewdetails', $usercontext)) {
	188	print_error('cannotviewprofile');
	189	}
	190	if (!has_capability('moodle/course:view', $context, $userid, false)) {
	191	print_error('notenrolledprofile');
	192	}
	193	if (groups_get_course_groupmode($course) == SEPARATEGROUPS and !has_capability('moodle/site:accessallgroups', $context)) {
	194	print_error('groupnotamember');
	195	}
	196	}
	197
	198	$relativepath = '/'.implode('/', $args);
	199	$fullpath = $usercontext->id.'user_profile0'.$relativepath;
	200
	201	if (!$file = $fs->get_file_by_hash(sha1($fullpath)) or $file->is_directory()) {
	202	send_file_not_found();
	203	}
	204
56949c17	205	session_get_instance()->write_close(); // unlock session during fileserving
106f3b67	206	send_stored_file($file, 0, 0, true); // must force download - security!
	207
	208	} else {
	209	send_file_not_found();
	210	}
172dd12c	211
172dd12c	212	} else if ($context->contextlevel == CONTEXT_MODULE) {
106f3b67	213
172dd12c	214	if (!$coursecontext = get_context_instance_by_id(get_parent_contextid($context))) {
9e5fa330	215	send_file_not_found();
172dd12c	216	}
	217
	218	if (!$course = $DB->get_record('course', array('id'=>$coursecontext->instanceid))) {
9e5fa330	219	send_file_not_found();
172dd12c	220	}
	221	$modinfo = get_fast_modinfo($course);
	222	if (empty($modinfo->cms[$context->instanceid])) {
9e5fa330	223	send_file_not_found();
172dd12c	224	}
	225
	226	$cminfo = $modinfo->cms[$context->instanceid];
	227	$modname = $cminfo->modname;
	228	$libfile = "$CFG->dirroot/mod/$modname/lib.php";
dc5c2bd9	229	if (!file_exists($libfile)) {
	230	send_file_not_found();
	231	}
	232
	233	require_once($libfile);
	234	if ($filearea === $modname.'_intro') {
	235	if (!plugin_supports('mod', $modname, FEATURE_MOD_INTRO, true)) {
	236	send_file_not_found();
	237	}
	238	if (!$cminfo->uservisible) {
	239	send_file_not_found();
	240	}
	241	// all users may access it
dc5c2bd9	242	$relativepath = '/'.implode('/', $args);
	243	$fullpath = $context->id.$filearea.'0'.$relativepath;
	244
	245	$fs = get_file_storage();
	246	if (!$file = $fs->get_file_by_hash(sha1($fullpath)) or $file->is_directory()) {
	247	send_file_not_found();
	248	}
	249
	250	$lifetime = isset($CFG->filelifetime) ? $CFG->filelifetime : 86400;
	251
	252	// finally send the file
	253	send_stored_file($file, $lifetime, 0);
	254	}
	255
	256	$filefunction = $modname.'_pluginfile';
	257	if (function_exists($filefunction)) {
	258	if ($filefunction($course, $cminfo, $context, $filearea, $args) !== false) {
	259	die;
172dd12c	260	}
172dd12c	261	}
172dd12c	262
	263	} else if ($context->contextlevel == CONTEXT_BLOCK) {
	264	//not supported yet
9e5fa330	265	send_file_not_found();
172dd12c	266
	267
	268	} else {
9e5fa330	269	send_file_not_found();
172dd12c	270	}