MDL-13766, fixed mimetype validation.
[moodle.git] / repository / repository_ajax.php
CommitLineData
aa6c1ced 1<?php
5bce5972 2
6f2cd52a
DC
3// This file is part of Moodle - http://moodle.org/
4//
5// Moodle is free software: you can redistribute it and/or modify
6// it under the terms of the GNU General Public License as published by
7// the Free Software Foundation, either version 3 of the License, or
8// (at your option) any later version.
9//
10// Moodle is distributed in the hope that it will be useful,
11// but WITHOUT ANY WARRANTY; without even the implied warranty of
12// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13// GNU General Public License for more details.
14//
15// You should have received a copy of the GNU General Public License
16// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
17
18
19/**
20 * The Web service script that is called from the filepicker front end
21 *
22 * @since 2.0
23 * @package moodlecore
24 * @subpackage repository
25 * @copyright 2009 Dongsheng Cai <dongsheng@moodle.com>
26 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
27 */
455860ce 28
e35194be
DC
29define('AJAX_SCRIPT', true);
30
14469892
DC
31require_once(dirname(dirname(__FILE__)).'/config.php');
32require_once(dirname(dirname(__FILE__)).'/lib/filelib.php');
33require_once(dirname(__FILE__).'/lib.php');
99eaca9d 34
9d4ef80f 35require_login();
cf493e89 36
d0f8585d 37/// Parameters
9d4ef80f 38$action = optional_param('action', '', PARAM_ALPHA);
3e123368 39$repo_id = optional_param('repo_id', 0, PARAM_INT); // Pepository ID
3e123368
DC
40$contextid = optional_param('ctx_id', SYSCONTEXTID, PARAM_INT); // Context ID
41$env = optional_param('env', 'filepicker', PARAM_ALPHA); // Opened in editor or moodleform
1dce6261 42$license = optional_param('license', $CFG->sitedefaultlicense, PARAM_TEXT);
3e123368
DC
43$author = optional_param('author', '', PARAM_TEXT); // File author
44$source = optional_param('source', '', PARAM_RAW); // File to download
45$itemid = optional_param('itemid', 0, PARAM_INT); // Itemid
46$page = optional_param('page', '', PARAM_RAW); // Page
47$maxbytes = optional_param('maxbytes', 0, PARAM_INT); // Maxbytes
48$req_path = optional_param('p', '', PARAM_RAW); // Path
e35194be 49$accepted_types = optional_param('accepted_types', '*', PARAM_RAW);
3e123368
DC
50$saveas_filename = optional_param('title', '', PARAM_FILE); // save as file name
51$saveas_path = optional_param('savepath', '/', PARAM_PATH); // save as file path
9d4ef80f
DC
52$search_text = optional_param('s', '', PARAM_CLEANHTML);
53$linkexternal = optional_param('linkexternal', '', PARAM_ALPHA);
455860ce 54
577aab9b 55/// Headers to make it not cacheable
9d4ef80f
DC
56header('Cache-Control: no-cache, must-revalidate');
57header('Expires: Sat, 26 Jul 1997 05:00:00 GMT');
58
59$err = new stdclass;
0eb58cf4 60
6127179b
DC
61if (!confirm_sesskey()) {
62 $err->error = get_string('invalidsesskey');
63 die(json_encode($err));
64}
65
d0f8585d 66/// Check permissions
9d4ef80f 67if (! (isloggedin() && repository::check_context($contextid)) ) {
e35194be 68 $err->error = get_string('nopermissiontoaccess', 'repository');
9d4ef80f
DC
69 die(json_encode($err));
70}
0eb58cf4 71
3e123368
DC
72$moodle_maxbytes = get_max_upload_file_size();
73// to prevent maxbytes greater than moodle maxbytes setting
74if ($maxbytes == 0 || $maxbytes>=$moodle_maxbytes) {
75 $maxbytes = $moodle_maxbytes;
76}
77
577aab9b 78/// Wait as long as it takes for this script to finish
9d4ef80f 79set_time_limit(0);
577aab9b 80
9d4ef80f
DC
81// Early actions which need to be done before repository instaces initialised
82switch ($action) {
83 // global search
84 case 'gsearch':
85 $params = array();
86 $params['context'] = array(get_context_instance_by_id($contextid), get_system_context());
87 $params['currentcontext'] = get_context_instance_by_id($contextid);
88 $repos = repository::get_instances($params);
89 $list = array();
90 foreach($repos as $repo){
91 if ($repo->global_search()) {
e35194be
DC
92 $ret = $repo->search($search_text);
93 array_walk($ret['list'], 'repository_attach_id', $repo->id); // See function below
94 $tmp = array_merge($list, $ret['list']);
95 $list = $tmp;
d0f8585d 96 }
9d4ef80f
DC
97 }
98 $listing = array('list'=>$list);
99 $listing['gsearch'] = true;
9d4ef80f
DC
100 die(json_encode($listing));
101 break;
d0f8585d 102
9d4ef80f
DC
103 // remove the cache files & logout
104 case 'ccache':
105 $cache = new curl_cache;
106 $cache->refresh();
107 $action = 'list';
108 break;
109}
d0f8585d 110
111/// Get repository instance information
9d4ef80f
DC
112$sql = 'SELECT i.name, i.typeid, r.type FROM {repository} r, {repository_instances} i '.
113 'WHERE i.id=? AND i.typeid=r.id';
d0f8585d 114
9d4ef80f 115if (!$repository = $DB->get_record_sql($sql, array($repo_id))) {
e35194be 116 $err->error = get_string('invalidrepositoryid', 'repository');
9d4ef80f
DC
117 die(json_encode($err));
118} else {
119 $type = $repository->type;
120}
121
e35194be
DC
122if (file_exists($CFG->dirroot.'/repository/'.$type.'/lib.php')) {
123 require_once($CFG->dirroot.'/repository/'.$type.'/lib.php');
9d4ef80f 124 $classname = 'repository_' . $type;
e35194be 125 $repo = new $classname($repo_id, $contextid, array('ajax'=>true, 'name'=>$repository->name, 'type'=>$type));
a06878d3 126} else {
e35194be 127 $err->error = get_string('invalidplugin', 'repository', $type);
9d4ef80f 128 die(json_encode($err));
a06878d3 129}
9d4ef80f 130
d0f8585d 131/// These actions all occur on the currently active repository instance
9d4ef80f
DC
132switch ($action) {
133 case 'sign':
134 case 'signin':
135 case 'list':
136 if ($repo->check_login()) {
e35194be
DC
137 $listing = $repo->get_listing($req_path, $page);
138 $listing['repo_id'] = $repo_id;
139 echo json_encode($listing);
d0f8585d 140 break;
9d4ef80f
DC
141 } else {
142 $action = 'login';
143 }
144 case 'login':
e35194be
DC
145 $listing = $repo->print_login();
146 $listing['repo_id'] = $repo_id;
147 echo json_encode($listing);
9d4ef80f
DC
148 break;
149 case 'logout':
150 $logout = $repo->logout();
9d4ef80f
DC
151 $logout['repo_id'] = $repo_id;
152 echo json_encode($logout);
153 break;
154 case 'searchform':
e35194be 155 $search_form['form'] = $repo->print_search();
9d4ef80f
DC
156 echo json_encode($search_form);
157 break;
158 case 'search':
e35194be
DC
159 $search_result = $repo->search($search_text, (int)$page);
160 $search_result['repo_id'] = $repo_id;
161 $search_result['search_result'] = true;
162 echo json_encode($search_result);
9d4ef80f
DC
163 break;
164 case 'download':
e35194be
DC
165 // validate mimetype
166 $mimetypes = array();
2385e6de 167 if ((is_array($accepted_types) and in_array('*', $accepted_types)) or $accepted_types == '*') {
e35194be
DC
168 $mimetypes = '*';
169 } else {
170 foreach ($accepted_types as $type) {
16f61c70 171 $mimetypes[] = mimeinfo('type', $type);
e35194be
DC
172 }
173 if (!in_array(mimeinfo('type', $saveas_filename), $mimetypes)) {
2385e6de 174 throw new moodle_exception('invalidfiletype', 'repository', '', mimeinfo('type', $saveas_filename));
e35194be
DC
175 }
176 }
177
178 // We have two special repoisitory type need to deal with
179 // local and recent plugins don't added new files to moodle, just add new records to database
180 // so we don't check user quota and maxbytes here
181 if (in_array($repo->options['type'], array('local', 'recent', 'user'))) {
182 $fileinfo = $repo->copy_to_area($source, 'draft', $itemid, $saveas_path, $saveas_filename);
183 $info = array();
184 $info['file'] = $fileinfo['title'];
185 $info['id'] = $itemid;
16f61c70 186 $info['url'] = $CFG->httpswwwroot.'/draftfile.php/'.$fileinfo['contextid'].'/user/draft/'.$itemid.'/'.$fileinfo['title'];
e35194be
DC
187 $filesize = $fileinfo['filesize'];
188 if (($maxbytes!==-1) && ($filesize>$maxbytes)) {
189 throw new file_exception('maxbytes');
190 }
191 echo json_encode($info);
192 die; // ends here!!
193 } else {
194 $allowexternallink = (int)get_config(null, 'repositoryallowexternallinks');
195 if (!empty($allowexternallink)) {
196 $allowexternallink = true;
197 } else {
198 $allowexternallink = false;
199 }
200 // allow external links in url element all the time
201 $allowexternallink = ($allowexternallink || ($env == 'url'));
202
203 // Use link of the files
204 if ($allowexternallink and $linkexternal === 'yes' and ($repo->supported_returntypes() & FILE_EXTERNAL)) {
205 // use external link
206 $link = $repo->get_link($source);
9d4ef80f 207 $info = array();
e35194be
DC
208 $info['filename'] = $saveas_filename;
209 $info['type'] = 'link';
210 $info['url'] = $link;
acb70a9b 211 echo json_encode($info);
e35194be 212 die;
9d4ef80f 213 } else {
e35194be
DC
214 // Download file to moodle
215 $file = $repo->get_file($source, $saveas_filename);
216 if ($file['path'] === false) {
217 $err->error = get_string('cannotdownload', 'repository');
218 die(json_encode($err));
99d52655 219 }
ea1780ad 220
e35194be
DC
221 // check if exceed maxbytes
222 if (($maxbytes!==-1) && (filesize($file['path']) > $maxbytes)) {
223 throw new file_exception('maxbytes');
224 }
14469892 225
e35194be
DC
226 // check if exceed user quota
227 $userquota = file_get_user_used_space();
228 if (filesize($file['path'])+$userquota>=(int)$CFG->userquota) {
229 throw new file_exception('userquotalimit');
230 }
ea1780ad 231
e35194be
DC
232 $record = new stdclass;
233 $record->filepath = $saveas_path;
234 $record->filename = $saveas_filename;
235 $record->component = 'user';
236 $record->filearea = 'draft';
237 $record->itemid = $itemid;
14469892 238
e35194be
DC
239 if (!empty($file['license'])) {
240 $record->license = $file['license'];
241 } else {
242 $record->license = $license;
243 }
244 if (!empty($file['author'])) {
245 $record->author = $file['author'];
246 } else {
247 $record->author = $author;
248 }
249 $record->source = !empty($file['url']) ? $file['url'] : '';
1dce6261 250
e35194be
DC
251 $info = repository::move_to_filepool($file['path'], $record);
252 if (empty($info)) {
253 $info['e'] = get_string('error', 'moodle');
acb70a9b 254 }
e35194be
DC
255 echo json_encode($info);
256 die;
9d4ef80f 257 }
9d4ef80f
DC
258 }
259 break;
260 case 'upload':
e35194be
DC
261 $result = $repo->upload();
262 echo json_encode($result);
9d4ef80f
DC
263 break;
264}
d0f8585d 265
266/**
267 * Small function to walk an array to attach repository ID
9d4ef80f
DC
268 * @param array $value
269 * @param string $key
270 * @param int $id
d0f8585d 271 */
272function repository_attach_id(&$value, $key, $id){
273 $value['repo_id'] = $id;
0eb58cf4 274}