MDL-28501 mod_folder: make force downloading behavior configuable
authorCharles Fulton <fultonc@lafayette.edu>
Fri, 29 Jun 2018 19:42:20 +0000 (15:42 -0400)
committerCharles Fulton <fultonc@lafayette.edu>
Mon, 7 Sep 2020 18:37:33 +0000 (14:37 -0400)
mod/folder/backup/moodle2/backup_folder_stepslib.php
mod/folder/db/access.php
mod/folder/db/install.xml
mod/folder/db/upgrade.php
mod/folder/lang/en/folder.php
mod/folder/lib.php
mod/folder/mod_form.php
mod/folder/renderer.php
mod/folder/version.php

index 0fdd959..950ade3 100644 (file)
@@ -38,7 +38,7 @@ class backup_folder_activity_structure_step extends backup_activity_structure_st
         // Define each element separated
         $folder = new backup_nested_element('folder', array('id'), array(
             'name', 'intro', 'introformat', 'revision',
-            'timemodified', 'display', 'showexpanded'));
+            'timemodified', 'display', 'showexpanded', 'forcedownload'));
 
         // Build the tree
         // (nice mono-tree, lol)
index 3900004..d7fd6ea 100644 (file)
@@ -58,9 +58,9 @@ $capabilities = array(
         )
     ),*/
 
-    // can manage files in the folder
+    // Can manage files in the folder.
     'mod/folder:managefiles' => array(
-        'riskbitmask' => RISK_SPAM,
+        'riskbitmask' => RISK_SPAM | RISK_XSS,
         'captype' => 'write',
         'contextlevel' => CONTEXT_MODULE,
         'archetypes' => array(
@@ -68,4 +68,3 @@ $capabilities = array(
         )
     )
 );
-
index 9fc25e1..11e7bb6 100644 (file)
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8" ?>
-<XMLDB PATH="mod/folder/db" VERSION="20130407" COMMENT="XMLDB file for Folder module"
+<XMLDB PATH="mod/folder/db" VERSION="20200213" COMMENT="XMLDB file for Folder module"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="../../../lib/xmldb/xmldb.xsd"
 >
@@ -14,8 +14,9 @@
         <FIELD NAME="revision" TYPE="int" LENGTH="10" NOTNULL="true" DEFAULT="0" SEQUENCE="false" COMMENT="incremented when after each file changes, solves browser caching issues"/>
         <FIELD NAME="timemodified" TYPE="int" LENGTH="10" NOTNULL="true" DEFAULT="0" SEQUENCE="false"/>
         <FIELD NAME="display" TYPE="int" LENGTH="4" NOTNULL="true" DEFAULT="0" SEQUENCE="false" COMMENT="Display type of folder contents - on a separate page or inline"/>
-        <FIELD NAME="showexpanded" TYPE="int" LENGTH="1" NOTNULL="true" UNSIGNED="false" DEFAULT="1" SEQUENCE="false" COMMENT="1 = expanded, 0 = collapsed for sub-folders"/>
-        <FIELD NAME="showdownloadfolder" TYPE="int" LENGTH="1" NOTNULL="true" UNSIGNED="false" DEFAULT="1" SEQUENCE="false" COMMENT="1 = show download folder button"/>
+        <FIELD NAME="showexpanded" TYPE="int" LENGTH="1" NOTNULL="true" DEFAULT="1" SEQUENCE="false" COMMENT="1 = expanded, 0 = collapsed for sub-folders"/>
+        <FIELD NAME="showdownloadfolder" TYPE="int" LENGTH="1" NOTNULL="true" DEFAULT="1" SEQUENCE="false" COMMENT="1 = show download folder button"/>
+        <FIELD NAME="forcedownload" TYPE="int" LENGTH="1" NOTNULL="true" DEFAULT="1" SEQUENCE="false" COMMENT="1 = force download of individual files"/>
       </FIELDS>
       <KEYS>
         <KEY NAME="primary" TYPE="primary" FIELDS="id"/>
@@ -25,4 +26,4 @@
       </INDEXES>
     </TABLE>
   </TABLES>
-</XMLDB>
+</XMLDB>
\ No newline at end of file
index 6bb16b9..7eaf3d1 100644 (file)
@@ -45,7 +45,9 @@
 defined('MOODLE_INTERNAL') || die();
 
 function xmldb_folder_upgrade($oldversion) {
-    global $CFG;
+    global $CFG, $DB;
+
+    $dbman = $DB->get_manager(); // Loads ddl manager and xmldb classes.
 
     // Automatically generated Moodle v3.5.0 release upgrade line.
     // Put any upgrade step following this.
@@ -61,6 +63,20 @@ function xmldb_folder_upgrade($oldversion) {
 
     // Automatically generated Moodle v3.9.0 release upgrade line.
     // Put any upgrade step following this.
+    if ($oldversion < 2021052501) {
+
+        // Define field forcedownload to be added to folder.
+        $table = new xmldb_table('folder');
+        $field = new xmldb_field('forcedownload', XMLDB_TYPE_INTEGER, '1', null, XMLDB_NOTNULL, null, '1', 'showdownloadfolder');
+
+        // Conditionally launch add field forcedownload.
+        if (!$dbman->field_exists($table, $field)) {
+            $dbman->add_field($table, $field);
+        }
+
+        // Folder savepoint reached.
+        upgrade_mod_savepoint(true, 2021052501, 'folder');
+    }
 
     return true;
 }
index a3fa5d0..59e33ab 100644 (file)
@@ -1,5 +1,4 @@
 <?php
-
 // This file is part of Moodle - http://moodle.org/
 //
 // Moodle is free software: you can redistribute it and/or modify
@@ -33,6 +32,8 @@ $string['folder:addinstance'] = 'Add a new folder';
 $string['folder:managefiles'] = 'Manage files in folder module';
 $string['folder:view'] = 'View folder content';
 $string['foldercontent'] = 'Files and subfolders';
+$string['forcedownload'] = 'Force download of files';
+$string['forcedownload_help'] = 'Whether certain files, such as images or HTML files, should be displayed in the browser rather than being downloaded. Note that for security reasons, the setting should only be unticked if all users with the capability to manage files in the folder are trusted users.';
 $string['indicator:cognitivedepth'] = 'Folder cognitive';
 $string['indicator:cognitivedepth_help'] = 'This indicator is based on the cognitive depth reached by the student in a Folder resource.';
 $string['indicator:cognitivedepthdef'] = 'Folder cognitive';
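Review bot: The first sentence of `forcedownload_help` reads as the inverse of the label. The checkbox is "Force download of files", yet the help says "Whether certain files ... should be displayed in the browser rather than being downloaded". Unticking is the less safe state, so the text should follow the label's polarity, for example `'Whether certain files, such as images or HTML files, should be downloaded rather than displayed in the browser. ...'`. The existing second sentence about only unticking when all file managers are trusted can stay unchanged.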
index 0e36aa9..03e2009 100644 (file)
@@ -283,9 +283,13 @@ function folder_pluginfile($course, $cm, $context, $filearea, $args, $forcedownl
         return false;
     }
 
-    // finally send the file
-    // for folder module, we force download file all the time
-    send_stored_file($file, 0, 0, true, $options);
+    // Set security posture for in-browser display.
+    if (!$forcedownload) {
+        header("Content-Security-Policy: default-src 'none'; img-src 'self'");
+    }
+
+    // Finally send the file.
+    send_stored_file($file, 0, 0, $forcedownload, $options);
 }
 
 /**
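Review bot: The flag passed to `send_stored_file()` and tested before the CSP header is the function's `$forcedownload` argument, not the folder's stored `forcedownload` field. The per-folder setting therefore appears to be applied only where the renderer builds the link, not where the file is served. The function body starts outside the hunk, so it is not visible whether the folder record is loaded here; if it is, the stored setting should win when enabled, e.g. `if (!empty($folder->forcedownload)) { $forcedownload = true; }` placed before the header check (`$folder` is illustrative for that record). A brief comment on why the policy is `default-src 'none'; img-src 'self'`, which allows only same-origin images in inline-displayed content, would also help the next maintainer.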
index ec57d86..85156d2 100644 (file)
@@ -68,6 +68,12 @@ class mod_folder_mod_form extends moodleform_mod {
         $mform->addElement('advcheckbox', 'showdownloadfolder', get_string('showdownloadfolder', 'folder'));
         $mform->addHelpButton('showdownloadfolder', 'showdownloadfolder', 'mod_folder');
         $mform->setDefault('showdownloadfolder', true);
+
+        // Adding option to enable viewing of individual files.
+        $mform->addElement('advcheckbox', 'forcedownload', get_string('forcedownload', 'folder'));
+        $mform->addHelpButton('forcedownload', 'forcedownload', 'mod_folder');
+        $mform->setDefault('forcedownload', true);
+
         //-------------------------------------------------------
         $this->standard_coursemodule_elements();
 
index c48bda9..74732f4 100644 (file)
@@ -146,9 +146,14 @@ class mod_folder_renderer extends plugin_renderer_base {
             }
             $filename = html_writer::tag('span', $image, array('class' => 'fp-icon')).
                     html_writer::tag('span', $filenamedisplay, array('class' => 'fp-filename'));
+            $urlparams = null;
+            if ($tree->folder->forcedownload) {
+                $urlparams = ['forcedownload' => 1];
+            }
             $filename = html_writer::tag('span',
-                    html_writer::link($url->out(false, array('forcedownload' => 1)), $filename),
-                    array('class' => 'fp-filename-icon'));
+                html_writer::link($url->out(false, $urlparams), $filename),
+                ['class' => 'fp-filename-icon']
+            );
             $result .= html_writer::tag('li', $filename);
         }
         $result .= '</ul>';
index 4ed1f15..2b515e3 100644 (file)
@@ -24,7 +24,7 @@
 
 defined('MOODLE_INTERNAL') || die();
 
-$plugin->version   = 2021052500;       // The current module version (Date: YYYYMMDDXX)
+$plugin->version   = 2021052501;       // The current module version (Date: YYYYMMDDXX)
 $plugin->requires  = 2021052500;    // Requires this Moodle version
 $plugin->component = 'mod_folder';     // Full name of the plugin (used for diagnostics)
 $plugin->cron      = 0;