MDL-33791 Portfolio: Fixed security issue with passing file paths.
[moodle.git] / mod / assignment / type / online / assignment.class.php
1 <?php
2 require_once($CFG->libdir.'/formslib.php');
3 require_once($CFG->libdir . '/portfoliolib.php');
4 require_once($CFG->dirroot . '/mod/assignment/lib.php');
5 require_once($CFG->libdir . '/filelib.php');
7 /**
8  * Extend the base assignment class for assignments where you upload a single file
9  *
10  */
11 class assignment_online extends assignment_base {
13     var $filearea = 'submission';
15     function assignment_online($cmid='staticonly', $assignment=NULL, $cm=NULL, $course=NULL) {
16         parent::assignment_base($cmid, $assignment, $cm, $course);
17         $this->type = 'online';
18     }
20     function view() {
21         global $OUTPUT, $CFG, $USER, $PAGE;
23         $edit  = optional_param('edit', 0, PARAM_BOOL);
24         $saved = optional_param('saved', 0, PARAM_BOOL);
26         $context = context_module::instance($this->cm->id);
27         require_capability('mod/assignment:view', $context);
29         $submission = $this->get_submission($USER->id, false);
31         //Guest can not submit nor edit an assignment (bug: 4604)
32         if (!is_enrolled($this->context, $USER, 'mod/assignment:submit')) {
33             $editable = false;
34         } else {
35             $editable = $this->isopen() && (!$submission || $this->assignment->resubmit || !$submission->timemarked);
36         }
37         $editmode = ($editable and $edit);
39         if ($editmode) {
40             // prepare form and process submitted data
41             $editoroptions = array(
42                 'noclean'  => false,
43                 'maxfiles' => EDITOR_UNLIMITED_FILES,
44                 'maxbytes' => $this->course->maxbytes,
45                 'context'  => $this->context,
46                 'return_types' => FILE_INTERNAL | FILE_EXTERNAL
47             );
49             $data = new stdClass();
50             $data->id         = $this->cm->id;
51             $data->edit       = 1;
52             if ($submission) {
53                 $data->sid        = $submission->id;
54                 $data->text       = $submission->data1;
55                 $data->textformat = $submission->data2;
56             } else {
57                 $data->sid        = NULL;
58                 $data->text       = '';
59                 $data->textformat = NULL;
60             }
62             $data = file_prepare_standard_editor($data, 'text', $editoroptions, $this->context, 'mod_assignment', $this->filearea, $data->sid);
64             $mform = new mod_assignment_online_edit_form(null, array($data, $editoroptions));
66             if ($mform->is_cancelled()) {
67                 redirect($PAGE->url);
68             }
70             if ($data = $mform->get_data()) {
71                 $submission = $this->get_submission($USER->id, true); //create the submission if needed & its id
73                 $data = file_postupdate_standard_editor($data, 'text', $editoroptions, $this->context, 'mod_assignment', $this->filearea, $submission->id);
75                 $submission = $this->update_submission($data);
77                 //TODO fix log actions - needs db upgrade
78                 add_to_log($this->course->id, 'assignment', 'upload', 'view.php?a='.$this->assignment->id, $this->assignment->id, $this->cm->id);
79                 $this->email_teachers($submission);
81                 //redirect to get updated submission date and word count
82                 redirect(new moodle_url($PAGE->url, array('saved'=>1)));
83             }
84         }
86         add_to_log($this->course->id, "assignment", "view", "view.php?id={$this->cm->id}", $this->assignment->id, $this->cm->id);
88 /// print header, etc. and display form if needed
89         if ($editmode) {
90             $this->view_header(get_string('editmysubmission', 'assignment'));
91         } else {
92             $this->view_header();
93         }
95         $this->view_intro();
97         $this->view_dates();
99         if ($saved) {
100             echo $OUTPUT->notification(get_string('submissionsaved', 'assignment'), 'notifysuccess');
101         }
103         if (is_enrolled($this->context, $USER)) {
104             if ($editmode) {
105                 echo $OUTPUT->box_start('generalbox', 'onlineenter');
106                 $mform->display();
107             } else {
108                 echo $OUTPUT->box_start('generalbox boxwidthwide boxaligncenter', 'online');
109                 if ($submission && has_capability('mod/assignment:exportownsubmission', $this->context)) {
110                     echo plagiarism_get_links(array('userid' => $USER->id,
111                         'content' => trim(format_text($submission->data1, $submission->data2, array('context' => $context))),
112                         'cmid' => $this->cm->id,
113                         'course' => $this->course,
114                         'assignment' => $this->assignment));
115                     $text = file_rewrite_pluginfile_urls($submission->data1, 'pluginfile.php', $this->context->id, 'mod_assignment', $this->filearea, $submission->id);
116                     echo format_text($text, $submission->data2, array('overflowdiv'=>true));
117                     if ($CFG->enableportfolios) {
118                         require_once($CFG->libdir . '/portfoliolib.php');
119                         $button = new portfolio_add_button();
120                         $button->set_callback_options('assignment_portfolio_caller', array('id' => $this->cm->id), 'mod_assignment');
121                         $fs = get_file_storage();
122                         if ($files = $fs->get_area_files($this->context->id, 'mod_assignment', $this->filearea, $submission->id, "timemodified", false)) {
123                             $button->set_formats(PORTFOLIO_FORMAT_RICHHTML);
124                         } else {
125                             $button->set_formats(PORTFOLIO_FORMAT_PLAINHTML);
126                         }
127                         $button->render();
128                     }
129                 } else if ($this->isopen()){    //fix for #4206
130                     echo '<div style="text-align:center">'.get_string('emptysubmission', 'assignment').'</div>';
131                 }
132             }
133             echo $OUTPUT->box_end();
134             if (!$editmode && $editable) {
135                 if (!empty($submission)) {
136                     $submitbutton = "editmysubmission";
137                 } else {
138                     $submitbutton = "addsubmission";
139                 }
140                 echo "<div style='text-align:center'>";
141                 echo $OUTPUT->single_button(new moodle_url('view.php', array('id'=>$this->cm->id, 'edit'=>'1')), get_string($submitbutton, 'assignment'));
142                 echo "</div>";
143             }
145         }
147         $this->view_feedback();
149         $this->view_footer();
150     }
152     /*
153      * Display the assignment dates
154      */
155     function view_dates() {
156         global $USER, $CFG, $OUTPUT;
158         if (!$this->assignment->timeavailable && !$this->assignment->timedue) {
159             return;
160         }
162         echo $OUTPUT->box_start('generalbox boxaligncenter', 'dates');
163         echo '<table>';
164         if ($this->assignment->timeavailable) {
165             echo '<tr><td class="c0">'.get_string('availabledate','assignment').':</td>';
166             echo '    <td class="c1">'.userdate($this->assignment->timeavailable).'</td></tr>';
167         }
168         if ($this->assignment->timedue) {
169             echo '<tr><td class="c0">'.get_string('duedate','assignment').':</td>';
170             echo '    <td class="c1">'.userdate($this->assignment->timedue).'</td></tr>';
171         }
172         $submission = $this->get_submission($USER->id);
173         if ($submission) {
174             echo '<tr><td class="c0">'.get_string('lastedited').':</td>';
175             echo '    <td class="c1">'.userdate($submission->timemodified);
176         /// Decide what to count
177             if ($CFG->assignment_itemstocount == ASSIGNMENT_COUNT_WORDS) {
178                 echo ' ('.get_string('numwords', '', count_words(format_text($submission->data1, $submission->data2))).')</td></tr>';
179             } else if ($CFG->assignment_itemstocount == ASSIGNMENT_COUNT_LETTERS) {
180                 echo ' ('.get_string('numletters', '', count_letters(format_text($submission->data1, $submission->data2))).')</td></tr>';
181             }
182         }
183         echo '</table>';
184         echo $OUTPUT->box_end();
185     }
187     function update_submission($data) {
188         global $CFG, $USER, $DB;
190         $submission = $this->get_submission($USER->id, true);
192         $update = new stdClass();
193         $update->id           = $submission->id;
194         $update->data1        = $data->text;
195         $update->data2        = $data->textformat;
196         $update->timemodified = time();
198         $DB->update_record('assignment_submissions', $update);
200         $submission = $this->get_submission($USER->id);
201         $this->update_grade($submission);
202         $fs = get_file_storage();
203         $files = $fs->get_area_files($this->context->id, 'mod_assignment', 'submission', $submission->id);
204         // Let Moodle know that an assessable content was uploaded (eg for plagiarism detection)
205         $eventdata = new stdClass();
206         $eventdata->modulename   = 'assignment';
207         $eventdata->name         = 'update_submission';
208         $eventdata->cmid         = $this->cm->id;
209         $eventdata->itemid       = $update->id;
210         $eventdata->courseid     = $this->course->id;
211         $eventdata->userid       = $USER->id;
212         $eventdata->content      = trim(format_text($update->data1, $update->data2));
213         if ($files) {
214             $eventdata->pathnamehashes = array_keys($files);
215         }
216         events_trigger('assessable_content_uploaded', $eventdata);
217         return $submission;
218     }
221     function print_student_answer($userid, $return=false){
222         global $OUTPUT;
223         if (!$submission = $this->get_submission($userid)) {
224             return '';
225         }
227         $link = new moodle_url("/mod/assignment/type/online/file.php?id={$this->cm->id}&userid={$submission->userid}");
228         $action = new popup_action('click', $link, 'file'.$userid, array('height' => 450, 'width' => 580));
229         $popup = $OUTPUT->action_link($link, shorten_text(trim(strip_tags(format_text($submission->data1,$submission->data2))), 15), $action, array('title'=>get_string('submission', 'assignment')));
231         $output = '<div class="files">'.
232                   $OUTPUT->pix_icon(file_extension_icon('.htm'), 'html', 'moodle', array('class' => 'icon')).
233                   $popup .
234                   plagiarism_get_links(array('userid' => $userid,
235                       'content' => trim(format_text($submission->data1, $submission->data2)),
236                       'cmid' => $this->cm->id,
237                       'course' => $this->course,
238                       'assignment' => $this->assignment)) .
239                   '</div>';
240                   return $output;
241     }
243     function print_user_files($userid=0, $return=false) {
244         global $OUTPUT, $CFG, $USER;
246         if (!$userid) {
247             if (!isloggedin()) {
248                 return '';
249             }
250             $userid = $USER->id;
251         }
253         if (!$submission = $this->get_submission($userid)) {
254             return '';
255         }
257         $link = new moodle_url("/mod/assignment/type/online/file.php?id={$this->cm->id}&userid={$submission->userid}");
258         $action = new popup_action('click', $link, 'file'.$userid, array('height' => 450, 'width' => 580));
259         $popup = $OUTPUT->action_link($link, get_string('popupinnewwindow','assignment'), $action, array('title'=>get_string('submission', 'assignment')));
261         $output = '<div class="files">'.
262                   $OUTPUT->pix_icon(file_extension_icon('.htm'), 'html', 'moodle', array('height' => 16, 'width' => 16)).
263                   $popup .
264                   '</div>';
266         $wordcount = '<p id="wordcount">'. $popup . '&nbsp;';
267     /// Decide what to count
268         if ($CFG->assignment_itemstocount == ASSIGNMENT_COUNT_WORDS) {
269             $wordcount .= '('.get_string('numwords', '', count_words(format_text($submission->data1, $submission->data2))).')';
270         } else if ($CFG->assignment_itemstocount == ASSIGNMENT_COUNT_LETTERS) {
271             $wordcount .= '('.get_string('numletters', '', count_letters(format_text($submission->data1, $submission->data2))).')';
272         }
273         $wordcount .= '</p>';
275         $text = file_rewrite_pluginfile_urls($submission->data1, 'pluginfile.php', $this->context->id, 'mod_assignment', $this->filearea, $submission->id);
276         return $wordcount . format_text($text, $submission->data2, array('overflowdiv'=>true));
279         }
281     function preprocess_submission(&$submission) {
282         if ($this->assignment->var1 && empty($submission->submissioncomment)) {  // comment inline
283             if ($this->usehtmleditor) {
284                 // Convert to html, clean & copy student data to teacher
285                 $submission->submissioncomment = format_text($submission->data1, $submission->data2);
286                 $submission->format = FORMAT_HTML;
287             } else {
288                 // Copy student data to teacher
289                 $submission->submissioncomment = $submission->data1;
290                 $submission->format = $submission->data2;
291             }
292         }
293     }
295     function setup_elements(&$mform) {
296         global $CFG, $COURSE;
298         $ynoptions = array( 0 => get_string('no'), 1 => get_string('yes'));
300         $mform->addElement('select', 'resubmit', get_string('allowresubmit', 'assignment'), $ynoptions);
301         $mform->addHelpButton('resubmit', 'allowresubmit', 'assignment');
302         $mform->setDefault('resubmit', 0);
304         $mform->addElement('select', 'emailteachers', get_string('emailteachers', 'assignment'), $ynoptions);
305         $mform->addHelpButton('emailteachers', 'emailteachers', 'assignment');
306         $mform->setDefault('emailteachers', 0);
308         $mform->addElement('select', 'var1', get_string('commentinline', 'assignment'), $ynoptions);
309         $mform->addHelpButton('var1', 'commentinline', 'assignment');
310         $mform->setDefault('var1', 0);
312         $coursecontext = context_course::instance($COURSE->id);
313         plagiarism_get_form_elements_module($mform, $coursecontext, 'mod_assignment');
315     }
317     function portfolio_exportable() {
318         return true;
319     }
321     function portfolio_load_data($caller) {
322         $submission = $this->get_submission();
323         $fs = get_file_storage();
324         if ($files = $fs->get_area_files($this->context->id, 'mod_assignment', $this->filearea, $submission->id, "timemodified", false)) {
325             $caller->set('multifiles', $files);
326         }
327     }
329     function portfolio_get_sha1($caller) {
330         $submission = $this->get_submission();
331         $textsha1 = sha1(format_text($submission->data1, $submission->data2));
332         $filesha1 = '';
333         try {
334             $filesha1 = $caller->get_sha1_file();
335         } catch (portfolio_caller_exception $e) {} // no files
336         return sha1($textsha1 . $filesha1);
337     }
339     function portfolio_prepare_package($exporter, $user) {
340         $submission = $this->get_submission($user->id);
341         $options = portfolio_format_text_options();
342         $html = format_text($submission->data1, $submission->data2, $options);
343         $html = portfolio_rewrite_pluginfile_urls($html, $this->context->id, 'mod_assignment', $this->filearea, $submission->id, $exporter->get('format'));
344         if (in_array($exporter->get('formatclass'), array(PORTFOLIO_FORMAT_PLAINHTML, PORTFOLIO_FORMAT_RICHHTML))) {
345             if ($files = $exporter->get('caller')->get('multifiles')) {
346                 foreach ($files as $f) {
347                     $exporter->copy_existing_file($f);
348                 }
349             }
350             return $exporter->write_new_file($html, 'assignment.html', !empty($files));
351         } else if ($exporter->get('formatclass') == PORTFOLIO_FORMAT_LEAP2A) {
352             $leapwriter = $exporter->get('format')->leap2a_writer();
353             $entry = new portfolio_format_leap2a_entry('assignmentonline' . $this->assignment->id, $this->assignment->name, 'resource', $html);
354             $entry->add_category('web', 'resource_type');
355             $entry->published = $submission->timecreated;
356             $entry->updated = $submission->timemodified;
357             $entry->author = $user;
358             $leapwriter->add_entry($entry);
359             if ($files = $exporter->get('caller')->get('multifiles')) {
360                 $leapwriter->link_files($entry, $files, 'assignmentonline' . $this->assignment->id . 'file');
361                 foreach ($files as $f) {
362                     $exporter->copy_existing_file($f);
363                 }
364             }
365             $exporter->write_new_file($leapwriter->to_xml(), $exporter->get('format')->manifest_name(), true);
366         } else {
367             debugging('invalid format class: ' . $exporter->get('formatclass'));
368         }
369     }
371     function extend_settings_navigation($node) {
372         global $PAGE, $CFG, $USER;
374         // get users submission if there is one
375         $submission = $this->get_submission();
376         if (is_enrolled($PAGE->cm->context, $USER, 'mod/assignment:submit')) {
377             $editable = $this->isopen() && (!$submission || $this->assignment->resubmit || !$submission->timemarked);
378         } else {
379             $editable = false;
380         }
382         // If the user has submitted something add a bit more stuff
383         if ($submission) {
384             // Add a view link to the settings nav
385             $link = new moodle_url('/mod/assignment/view.php', array('id'=>$PAGE->cm->id));
386             $node->add(get_string('viewmysubmission', 'assignment'), $link, navigation_node::TYPE_SETTING);
388             if (!empty($submission->timemodified)) {
389                 $submittednode = $node->add(get_string('submitted', 'assignment') . ' ' . userdate($submission->timemodified));
390                 $submittednode->text = preg_replace('#([^,])\s#', '$1&nbsp;', $submittednode->text);
391                 $submittednode->add_class('note');
392                 if ($submission->timemodified <= $this->assignment->timedue || empty($this->assignment->timedue)) {
393                     $submittednode->add_class('early');
394                 } else {
395                     $submittednode->add_class('late');
396                 }
397             }
398         }
400         if (!$submission || $editable) {
401             // If this assignment is editable once submitted add an edit link to the settings nav
402             $link = new moodle_url('/mod/assignment/view.php', array('id'=>$PAGE->cm->id, 'edit'=>1, 'sesskey'=>sesskey()));
403             $node->add(get_string('editmysubmission', 'assignment'), $link, navigation_node::TYPE_SETTING);
404         }
405     }
407     public function send_file($filearea, $args, $forcedownload, array $options=array()) {
408         global $USER;
409         require_capability('mod/assignment:view', $this->context);
411         $fullpath = "/{$this->context->id}/mod_assignment/$filearea/".implode('/', $args);
413         $fs = get_file_storage();
414         if (!$file = $fs->get_file_by_hash(sha1($fullpath)) or $file->is_directory()) {
415             send_file_not_found();
416         }
418         if (($USER->id != $file->get_userid()) && !has_capability('mod/assignment:grade', $this->context)) {
419             send_file_not_found();
420         }
422         session_get_instance()->write_close(); // unlock session during fileserving
424         send_stored_file($file, 60*60, 0, true, $options);
425     }
427     /**
428      * creates a zip of all assignment submissions and sends a zip to the browser
429      */
430     public function download_submissions() {
431         global $CFG, $DB;
433         raise_memory_limit(MEMORY_EXTRA);
435         $submissions = $this->get_submissions('','');
436         if (empty($submissions)) {
437             print_error('errornosubmissions', 'assignment');
438         }
439         $filesforzipping = array();
441         //NOTE: do not create any stuff in temp directories, we now support unicode file names and that would not work, sorry
443         //online assignment can use html
444         $filextn=".html";
446         $groupmode = groups_get_activity_groupmode($this->cm);
447         $groupid = 0;   // All users
448         $groupname = '';
449         if ($groupmode) {
450             $groupid = groups_get_activity_group($this->cm, true);
451             $groupname = groups_get_group_name($groupid).'-';
452         }
453         $filename = str_replace(' ', '_', clean_filename($this->course->shortname.'-'.$this->assignment->name.'-'.$groupname.$this->assignment->id.".zip")); //name of new zip file.
454         foreach ($submissions as $submission) {
455             $a_userid = $submission->userid; //get userid
456             if ((groups_is_member($groupid,$a_userid)or !$groupmode or !$groupid)) {
457                 $a_assignid = $submission->assignment; //get name of this assignment for use in the file names.
458                 $a_user = $DB->get_record("user", array("id"=>$a_userid),'id,username,firstname,lastname'); //get user firstname/lastname
459                 $submissioncontent = "<html><body>". format_text($submission->data1, $submission->data2). "</body></html>";      //fetched from database
460                 //get file name.html
461                 $fileforzipname =  clean_filename(fullname($a_user) . "_" .$a_userid.$filextn);
462                 $filesforzipping[$fileforzipname] = array($submissioncontent);
463             }
464         }      //end of foreach
466         if ($zipfile = assignment_pack_files($filesforzipping)) {
467             send_temp_file($zipfile, $filename); //send file and delete after sending.
468         }
469     }
472 class mod_assignment_online_edit_form extends moodleform {
473     function definition() {
474         $mform = $this->_form;
476         list($data, $editoroptions) = $this->_customdata;
478         // visible elements
479         $mform->addElement('editor', 'text_editor', get_string('submission', 'assignment'), null, $editoroptions);
480         $mform->setType('text_editor', PARAM_RAW); // to be cleaned before display
481         $mform->addRule('text_editor', get_string('required'), 'required', null, 'client');
483         // hidden params
484         $mform->addElement('hidden', 'id');
485         $mform->setType('id', PARAM_INT);
487         $mform->addElement('hidden', 'edit');
488         $mform->setType('edit', PARAM_INT);
490         // buttons
491         $this->add_action_buttons();
493         $this->set_data($data);
494     }