chamilo-lms/main/lp/download.php

<?php
/* For licensing terms, see /license.txt */

use ChamiloSession as Session;

/**
 * This file is responsible for  passing requested documents to the browser.
 *
 * @package chamilo.document
 */
session_cache_limiter('none');
require_once __DIR__.'/../inc/global.inc.php';
$this_section = SECTION_COURSES;

// Protection
api_protect_course_script();
$_course = api_get_course_info();

if (!isset($_course)) {
    api_not_allowed(true);
}

$doc_url = $_GET['doc_url'];
// Change the '&' that got rewritten to '///' by mod_rewrite back to '&'
$doc_url = str_replace('///', '&', $doc_url);
// Still a space present? it must be a '+' (that got replaced by mod_rewrite)
$doc_url = str_replace(' ', '+', $doc_url);

$doc_url = str_replace(['../', '\\..', '\\0', '..\\'], ['', '', '', ''], $doc_url); //echo $doc_url;

if (strpos($doc_url, '../') || strpos($doc_url, '/..')) {
    $doc_url = '';
}
$sys_course_path = api_get_path(SYS_COURSE_PATH).$_course['path'].'/scorm';
$user_id = api_get_user_id();
/** @var learnpath $lp */
$lp = Session::read('oLP');
if ($lp) {
    $lp_id = $lp->get_id();
    $lp_item_id = $lp->current;
    $lp_item_info = new learnpathItem($lp_item_id);
    if (!empty($lp_item_info)) {
        $visible = learnpath::is_lp_visible_for_student($lp_id, $user_id);

        if ($visible) {
            Event::event_download($doc_url);
            if (Security::check_abs_path($sys_course_path.$doc_url, $sys_course_path.'/')) {
                $full_file_name = $sys_course_path.$doc_url;
                DocumentManager::file_send_for_download($full_file_name);
                exit;
            }
        }
        //}
    }
}

echo Display::return_message(get_lang('ProtectedDocument'), 'error');
//api_not_allowed backbutton won't work.
exit;
Trying to fix the LP scorm import/export still doesn't work for all cases (working on it) see #4706 14 years ago			`<?php`
			`/* For licensing terms, see /license.txt */`
Remove $_SESSION + format code 8 years ago
			`use ChamiloSession as Session;`

Trying to fix the LP scorm import/export still doesn't work for all cases (working on it) see #4706 14 years ago			`/**`
Remove $_SESSION + format code 8 years ago			`* This file is responsible for passing requested documents to the browser.`
Applied fixes from FlintCI 8 years ago			`*`
Remove $_SESSION + format code 8 years ago			`* @package chamilo.document`
Trying to fix the LP scorm import/export still doesn't work for all cases (working on it) see #4706 14 years ago			`*/`
Minor - format code. 11 years ago			`session_cache_limiter('none');`
Use __DIR__ when calling global.inc.php This is needed for an easy migration to chamilo v2 9 years ago			`require_once __DIR__.'/../inc/global.inc.php';`
Trying to fix the LP scorm import/export still doesn't work for all cases (working on it) see #4706 14 years ago			`$this_section = SECTION_COURSES;`

			`// Protection`
			`api_protect_course_script();`
Improve function is_lp_visible_for_student see BT#15881 6 years ago			`$_course = api_get_course_info();`
Trying to fix the LP scorm import/export still doesn't work for all cases (working on it) see #4706 14 years ago
			`if (!isset($_course)) {`
			`api_not_allowed(true);`
			`}`

			`$doc_url = $_GET['doc_url'];`
			`// Change the '&' that got rewritten to '///' by mod_rewrite back to '&'`
			`$doc_url = str_replace('///', '&', $doc_url);`
			`// Still a space present? it must be a '+' (that got replaced by mod_rewrite)`
			`$doc_url = str_replace(' ', '+', $doc_url);`

Applied fixes from FlintCI 8 years ago			`$doc_url = str_replace(['../', '\\..', '\\0', '..\\'], ['', '', '', ''], $doc_url); //echo $doc_url;`
Trying to fix the LP scorm import/export still doesn't work for all cases (working on it) see #4706 14 years ago
Scrutinizer Auto-Fixes This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com 9 years ago			`if (strpos($doc_url, '../') \|\| strpos($doc_url, '/..')) {`
Minor - format code. 11 years ago			`$doc_url = '';`
Trying to fix the LP scorm import/export still doesn't work for all cases (working on it) see #4706 14 years ago			`}`
			`$sys_course_path = api_get_path(SYS_COURSE_PATH).$_course['path'].'/scorm';`
			`$user_id = api_get_user_id();`
Remove $_SESSION + format code 8 years ago			`/** @var learnpath $lp */`
			`$lp = Session::read('oLP');`
			`if ($lp) {`
			`$lp_id = $lp->get_id();`
			`$lp_item_id = $lp->current;`
Trying to fix the LP scorm import/export still doesn't work for all cases (working on it) see #4706 14 years ago			`$lp_item_info = new learnpathItem($lp_item_id);`
			`if (!empty($lp_item_info)) {`
Minor - Adding static into some classes to avoid PHP warnings 13 years ago			`$visible = learnpath::is_lp_visible_for_student($lp_id, $user_id);`
Minor - format code. 11 years ago
Trying to fix the LP scorm import/export still doesn't work for all cases (working on it) see #4706 14 years ago			`if ($visible) {`
Adding Event and ExerciseLib classes. 11 years ago			`Event::event_download($doc_url);`
Trying to fix the LP scorm import/export still doesn't work for all cases (working on it) see #4706 14 years ago			`if (Security::check_abs_path($sys_course_path.$doc_url, $sys_course_path.'/')) {`
			`$full_file_name = $sys_course_path.$doc_url;`
			`DocumentManager::file_send_for_download($full_file_name);`
			`exit;`
			`}`
			`}`
Minor - format code. 11 years ago			`//}`
			`}`
Trying to fix the LP scorm import/export still doesn't work for all cases (working on it) see #4706 14 years ago			`}`

Minor - Replace deprecated display_x_message() by return_message(..., 'x') 9 years ago			`echo Display::return_message(get_lang('ProtectedDocument'), 'error');`
Minor - format code 9 years ago			`//api_not_allowed backbutton won't work.`
Minor - format code. 11 years ago			`exit;`