chamilo-lms/main/work/download.php

<?php
/* For licensing terms, see /license.txt */

/**
 *	This file is responsible for  passing requested documents to the browser.
 *	Html files are parsed to fix a few problems with URLs,
 *	but this code will hopefully be replaced soon by an Apache URL
 *	rewrite mechanism.
 *
 *	@package chamilo.work
 */

session_cache_limiter('public');
require_once '../inc/global.inc.php';
require_once 'work.lib.php';

$current_course_tool  = TOOL_STUDENTPUBLICATION;

$this_section = SECTION_COURSES;

// IMPORTANT to avoid caching of documents
header('Expires: Wed, 01 Jan 1990 00:00:00 GMT');
header('Cache-Control: public');
header('Pragma: no-cache');

//protection
api_protect_course_script(true);

$id = intval($_GET['id']);

$course_info = api_get_course_info();

if (empty($course_info)) {
    api_not_allowed(true);
}

$tbl_student_publication = Database::get_course_table(TABLE_STUDENT_PUBLICATION);

if (!empty($course_info['real_id'])) {
	$sql = 'SELECT * FROM '.$tbl_student_publication.' WHERE c_id = '.$course_info['real_id'].' AND id = "'.$id.'"';
	$result = Database::query($sql);
    if ($result && Database::num_rows($result)) {
        $row = Database::fetch_array($result, 'ASSOC');
        $full_file_name = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/'.$row['url'];

        $item_info = api_get_item_property_info(api_get_course_int_id(), 'work', $row['id']);

        allowOnlySubscribedUser(api_get_user_id(), $row['parent_id'], $course_info['real_id']);

        if (empty($item_info)) {
            exit;
        }

        /*
        field show_score in table course :  0 => 	New documents are visible for all users
                                            1 =>    New documents are only visible for the teacher(s)
        field visibility in table item_property :   0 => eye closed, invisible for all students
                                                    1 => eye open
        field accepted in table c_student_publication : 0 => eye closed, invisible for all students
                                                        1 => eye open
        (we should have visibility == accepted , otherwise there is an inconsistency in the Database)
        field value in table c_course_setting :     0 => Allow learners to delete their own publications = NO
                                                    1 => Allow learners to delete their own publications = YES

        +------------------+------------------------------+----------------------------+
        |Can download work?|      doc visible for all = 0 |     doc visible for all = 1|
        +------------------+------------------------------+----------------------------+
        |  visibility = 0  | editor only                  | editor only                |
        |                  |                              |                            |
        +------------------+------------------------------+----------------------------+
        |  visibility = 1  | editor                       | editor                     |
        |                  | + owner of the work          | + any student              |
        +------------------+------------------------------+----------------------------+
        (editor = teacher + admin + anybody with right api_is_allowed_to_edit)
        */

        $work_is_visible = ($item_info['visibility'] == 1 && $row['accepted'] == 1);
        $doc_visible_for_all = ($course_info['show_score'] == 1);
        $is_editor = api_is_allowed_to_edit(true,true,true);
        $student_is_owner_of_work = ($row['user_id'] == api_get_user_id());

	    if ($is_editor
	        || (!$doc_visible_for_all && $work_is_visible && $student_is_owner_of_work)
	        || ($doc_visible_for_all && $work_is_visible)) {
		    $title = str_replace(' ', '_', $row['title']);
            event_download($title);
		    if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH).api_get_course_path().'/')) {
		        DocumentManager::file_send_for_download($full_file_name, true, $title);
		    }
	    } else {
            api_not_allowed();
        }
	}
}
exit;
Feature #272 - Some corrections in "Assignments" tool. Code cleaning for "Assignments" and "Dropbox" tools. 15 years ago			`<?php`
			`/* For licensing terms, see /license.txt */`

[svn r17211] implemented allow ZIP export of assignments for teacher and tutor (see FS#3229) 16 years ago			`/**`
Feature #272 - Some corrections in "Assignments" tool. Code cleaning for "Assignments" and "Dropbox" tools. 15 years ago			`* This file is responsible for passing requested documents to the browser.`
			`* Html files are parsed to fix a few problems with URLs,`
			`* but this code will hopefully be replaced soon by an Apache URL`
			`* rewrite mechanism.`
			`*`
			`* @package chamilo.work`
			`*/`
[svn r17211] implemented allow ZIP export of assignments for teacher and tutor (see FS#3229) 16 years ago
			`session_cache_limiter('public');`
Adding check_abs_path when using the DocumentManager::file_send_for_download to prevent downloading unwanted files see #2722 14 years ago			`require_once '../inc/global.inc.php';`
Blocking access if user is not subscribed see BT#6615 11 years ago			`require_once 'work.lib.php';`

When hidden course tools we also block the access to the page with a api_not_allowed a new variables is needed: $current_course_tool = TOOL_ATTENDANCE; see BT#4138. Admins have access everywhere 13 years ago			`$current_course_tool = TOOL_STUDENTPUBLICATION;`

Feature #272 - Some corrections in "Assignments" tool. Code cleaning for "Assignments" and "Dropbox" tools. 15 years ago			`$this_section = SECTION_COURSES;`

[svn r17211] implemented allow ZIP export of assignments for teacher and tutor (see FS#3229) 16 years ago			`// IMPORTANT to avoid caching of documents`
			`header('Expires: Wed, 01 Jan 1990 00:00:00 GMT');`
			`header('Cache-Control: public');`
			`header('Pragma: no-cache');`

			`//protection`
			`api_protect_course_script(true);`

Some fixes when deleting/editing a work 13 years ago			`$id = intval($_GET['id']);`
Feature #272 - Some corrections in "Assignments" tool. Code cleaning for "Assignments" and "Dropbox" tools. 15 years ago
Fixing download work file now we check the itemproperty + the student_publication.checked fields 13 years ago			`$course_info = api_get_course_info();`

			`if (empty($course_info)) {`
Blocking access if user is not subscribed see BT#6615 11 years ago			`api_not_allowed(true);`
[svn r17211] implemented allow ZIP export of assignments for teacher and tutor (see FS#3229) 16 years ago			`}`

Fixing course copy with works now using ids 13 years ago			`$tbl_student_publication = Database::get_course_table(TABLE_STUDENT_PUBLICATION);`
[svn r17211] implemented allow ZIP export of assignments for teacher and tutor (see FS#3229) 16 years ago
Blocking access if user is not subscribed see BT#6615 11 years ago			`if (!empty($course_info['real_id'])) {`
Fixing course copy with works now using ids 13 years ago			`$sql = 'SELECT * FROM '.$tbl_student_publication.' WHERE c_id = '.$course_info['real_id'].' AND id = "'.$id.'"';`
Resolving bug that let students see assignments, adding a new rule in courses/.htaccess see BT#3081 13 years ago			`$result = Database::query($sql);`
Blocking access if user is not subscribed see BT#6615 11 years ago			`if ($result && Database::num_rows($result)) {`
			`$row = Database::fetch_array($result, 'ASSOC');`
Should fix bug when teacher decides to share the student assignments see #4528 13 years ago			`$full_file_name = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/'.$row['url'];`
Blocking access if user is not subscribed see BT#6615 11 years ago
			`$item_info = api_get_item_property_info(api_get_course_int_id(), 'work', $row['id']);`

			`allowOnlySubscribedUser(api_get_user_id(), $row['parent_id'], $course_info['real_id']);`

Fixing download work file now we check the itemproperty + the student_publication.checked fields 13 years ago			`if (empty($item_info)) {`
			`exit;`
Fix teacher and admin cannot download an assignment if eye is closed - ref #5947 12 years ago			`}`
Blocking access if user is not subscribed see BT#6615 11 years ago
Fix teacher and admin cannot download an assignment if eye is closed - ref #5947 12 years ago			`/*`
			`field show_score in table course : 0 => New documents are visible for all users`
Blocking access if user is not subscribed see BT#6615 11 years ago			`1 => New documents are only visible for the teacher(s)`
Fix teacher and admin cannot download an assignment if eye is closed - ref #5947 12 years ago			`field visibility in table item_property : 0 => eye closed, invisible for all students`
			`1 => eye open`
			`field accepted in table c_student_publication : 0 => eye closed, invisible for all students`
			`1 => eye open`
			`(we should have visibility == accepted , otherwise there is an inconsistency in the Database)`
			`field value in table c_course_setting : 0 => Allow learners to delete their own publications = NO`
			`1 => Allow learners to delete their own publications = YES`
Blocking access if user is not subscribed see BT#6615 11 years ago
Fix teacher and admin cannot download an assignment if eye is closed - ref #5947 12 years ago			`+------------------+------------------------------+----------------------------+`
			`\|Can download work?\| doc visible for all = 0 \| doc visible for all = 1\|`
			`+------------------+------------------------------+----------------------------+`
			`\| visibility = 0 \| editor only \| editor only \|`
			`\| \| \| \|`
Blocking access if user is not subscribed see BT#6615 11 years ago			`+------------------+------------------------------+----------------------------+`
Fix teacher and admin cannot download an assignment if eye is closed - ref #5947 12 years ago			`\| visibility = 1 \| editor \| editor \|`
			`\| \| + owner of the work \| + any student \|`
Blocking access if user is not subscribed see BT#6615 11 years ago			`+------------------+------------------------------+----------------------------+`
Fix teacher and admin cannot download an assignment if eye is closed - ref #5947 12 years ago			`(editor = teacher + admin + anybody with right api_is_allowed_to_edit)`
			`*/`
Blocking access if user is not subscribed see BT#6615 11 years ago
Fix teacher and admin cannot download an assignment if eye is closed - ref #5947 12 years ago			`$work_is_visible = ($item_info['visibility'] == 1 && $row['accepted'] == 1);`
			`$doc_visible_for_all = ($course_info['show_score'] == 1);`
Replace api_is_allowed_to_edit() with api_is_allowed_to_edit(true, true, true) - ref #5947 12 years ago			`$is_editor = api_is_allowed_to_edit(true,true,true);`
Fix teacher and admin cannot download an assignment if eye is closed - ref #5947 12 years ago			`$student_is_owner_of_work = ($row['user_id'] == api_get_user_id());`
Blocking access if user is not subscribed see BT#6615 11 years ago
Fix teacher and admin cannot download an assignment if eye is closed - ref #5947 12 years ago			`if ($is_editor`
			`\|\| (!$doc_visible_for_all && $work_is_visible && $student_is_owner_of_work)`
			`\|\| ($doc_visible_for_all && $work_is_visible)) {`
Resolving bug that let students see assignments, adding a new rule in courses/.htaccess see BT#3081 13 years ago			`$title = str_replace(' ', '_', $row['title']);`
Fixing course copy with works now using ids 13 years ago			`event_download($title);`
Resolving bug that let students see assignments, adding a new rule in courses/.htaccess see BT#3081 13 years ago			`if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH).api_get_course_path().'/')) {`
			`DocumentManager::file_send_for_download($full_file_name, true, $title);`
			`}`
Some fixes when deleting/editing a work 13 years ago			`} else {`
			`api_not_allowed();`
Blocking access if user is not subscribed see BT#6615 11 years ago			`}`
Resolving bug that let students see assignments, adding a new rule in courses/.htaccess see BT#3081 13 years ago			`}`
Adding check_abs_path when using the DocumentManager::file_send_for_download to prevent downloading unwanted files see #2722 14 years ago			`}`
Blocking access if user is not subscribed see BT#6615 11 years ago			`exit;`