Several syntax and security issues fixed.

main/document/add_link.php

@@ -9,11 +9,11 @@
  */
  
 // Including the global initialization file
-require_once '../inc/global.inc.php';
+require_once __DIR__.'/../inc/global.inc.php';
  
 // Including additional libraries
-require_once '../inc/lib/document.lib.php';
-require_once '../inc/lib/urlUtils.lib.php';
+require_once __DIR__.'/../inc/lib/document.lib.php';
+require_once __DIR__.'/../inc/lib/urlUtils.lib.php';
 
 $fileLinkEnabled = api_get_configuration_value('enable_add_file_link');
 
@@ -26,6 +26,10 @@ $course_info = api_get_course_info();
 if (empty($course_info)) {
     api_not_allowed(true);
 }
+
+if ($is_certificate_mode) {
+    api_not_allowed(true);
+}
  
 $document_data  = DocumentManager::get_document_data_by_id($_REQUEST['id'], api_get_course_id(), true);
 if (empty($document_data)) {
@@ -34,7 +38,7 @@ if (empty($document_data)) {
 } else {
     if ($document_data['filetype'] == 'folder') {
         $document_id    = $document_data['id'];
-        $path           = $document_data['path']."/";
+        $path           = $document_data['path'].'/';
         $parent_id      = DocumentManager::get_document_id(api_get_course_info(), dirname($path));
     }
 }
@@ -62,18 +66,14 @@ if (api_get_group_id()) {
 } else { // No course admin and no group member...
     api_not_allowed(true);
 }
- 
+
 // Group docs can only be uploaded in the group directory
 if ($to_group_id != 0 && $path == '/') {
     $path = $group_properties['directory'] . "/";
 }
  
 // Breadcrumbs
-if ($is_certificate_mode) {
-    $interbreadcrumb[] = array('url' => '../gradebook/'.$_SESSION['gradebook_dest'], 'name' => get_lang('Gradebook'));
-} else {
-    $interbreadcrumb[] = array('url' => './document.php?id='.$document_id.$req_gid, 'name'=> get_lang('Documents'));
-}
+$interbreadcrumb[] = array('url' => './document.php?id='.$document_id.$req_gid, 'name'=> get_lang('Documents'));
  
 // Interbreadcrumb for the current directory root path
 if (empty($document_data['parents'])) {
@@ -102,11 +102,7 @@ Display::display_header($nameTools, 'Doc');
 // Actions
 echo '<div class="actions">';
 // Link back to the documents overview
-if ($is_certificate_mode) {
-    echo '<a href="document.php?id='.$document_id.'&selectcat=' . $selectcat.'">'.Display::return_icon('back.png', get_lang('BackTo').' '.get_lang('CertificateOverview'), '', ICON_SIZE_MEDIUM).'</a>';
-} else {
-    echo '<a href="document.php?id='.$document_id.'">'.Display::return_icon('back.png', get_lang('BackTo').' '.get_lang('DocumentsOverview'), '', ICON_SIZE_MEDIUM).'</a>';
-}
+echo '<a href="document.php?id='.$document_id.'">'.Display::return_icon('back.png', get_lang('BackTo').' '.get_lang('DocumentsOverview'), '', ICON_SIZE_MEDIUM).'</a>';
 echo '</div>';
  
 // Form to select directory
@@ -115,13 +111,12 @@ $folders = DocumentManager::get_all_document_folders(
     $groupIid,
     $is_allowed_to_edit
 );
-if (!$is_certificate_mode) {
-    echo DocumentManager::build_directory_selector(
-        $folders,
-        $document_id,
-        (isset($group_properties['directory']) ? $group_properties['directory'] : array())
-    );
-}
+
+echo DocumentManager::build_directory_selector(
+    $folders,
+    $document_id,
+    (isset($group_properties['directory']) ? $group_properties['directory'] : array())
+);
  
 $action = api_get_self().'?'.api_get_cidreq().'&id='.$document_id;
  
@@ -142,8 +137,8 @@ $form->addButtonSend(get_lang('AddCloudLink'), 'submitDocument');
  
 $form->addRule('name', get_lang('PleaseEnterCloudLinkName'), 'required', null, 'client');
 $form->addRule('name', get_lang('PleaseEnterCloudLinkName'), 'required', null, 'server');
-$form->addRule('url', get_lang('langGiveURL'), 'required', null, 'client');
-$form->addRule('url', get_lang('langGiveURL'), 'required', null, 'server');
+$form->addRule('url', get_lang('PleaseEnterURL'), 'required', null, 'client');
+$form->addRule('url', get_lang('PleaseEnterURL'), 'required', null, 'server');
 // Well formed url pattern (must have the protocol)
 $urlRegEx = URLUtils::getWellformedUrlRegex();
 $form->addRule('url', get_lang('MalformedUrl'), 'regex', $urlRegEx, 'client');

main/document/document.php

@@ -128,6 +128,7 @@ DocumentManager::create_directory_certificate_in_course($courseInfo);
 $dbl_click_id = 0;
 $selectcat = isset($_GET['selectcat']) ? Security::remove_XSS($_GET['selectcat']) : null;
 $moveTo = isset($_POST['move_to']) ? Security::remove_XSS($_POST['move_to']) : null;
+$moveFile = isset($_POST['move_file']) && is_int($_POST['move_file']) ? $_POST['move_file'] : null;
 
 /* 	Constants and variables */
 $userId = api_get_user_id();
@@ -606,7 +607,7 @@ if (isset($document_id) && empty($action)) {
             $groupIid
         );
 
-        if (!empty($document_data['filetype']) && $document_data['filetype'] == 'file' || $document_data['filetype'] == "link") {
+        if (!empty($document_data['filetype']) && $document_data['filetype'] == 'file' || $document_data['filetype'] == 'link') {
             if ($visibility && api_is_allowed_to_session_edit()) {
                 $url = api_get_path(WEB_COURSE_PATH).
                     $courseInfo['path'].'/document'.$document_data['path'].'?'
@@ -1114,9 +1115,9 @@ if ($isAllowedToEdit || $group_member_with_upload_rights ||
         }
     }
 
-    if (!empty($moveTo) && isset($_POST['move_file'])) {
+    if (!empty($moveTo) && isset($moveFile)) {
         if (!$isAllowedToEdit) {
-            if (DocumentManager::check_readonly($courseInfo, api_get_user_id(), $_POST['move_file'])) {
+            if (DocumentManager::check_readonly($courseInfo, api_get_user_id(), $moveFile)) {
                 api_not_allowed(true);
             }
         }
@@ -1129,7 +1130,7 @@ if ($isAllowedToEdit || $group_member_with_upload_rights ||
 
         // Get the document data from the ID
         $document_to_move = DocumentManager::get_document_data_by_id(
-            $_POST['move_file'],
+            $moveFile,
             api_get_course_id(),
             false,
             $sessionId
@@ -1138,11 +1139,10 @@ if ($isAllowedToEdit || $group_member_with_upload_rights ||
         // Security fix: make sure they can't move files that are not in the document table
         if (!empty($document_to_move)) {
             if ($document_to_move['filetype'] == 'link') {
-                $real_path_target = $base_work_dir.$_POST['move_to'].'/';
-                if (!DocumentManager::cloudLinkExists($_course, $_POST['move_to'], $document_to_move['comment'])) {
-                    $doc_id = $_POST['move_file'];
-            
-                    DocumentManager::updateDBInfoCloudLink($document_to_move['path'], $_POST['move_to'].'/', $doc_id);
+                $real_path_target = $base_work_dir.$moveTo.'/';
+                if (!DocumentManager::cloudLinkExists($_course, $moveTo, $document_to_move['comment'])) {
+                    $doc_id = $moveFile;
+                    DocumentManager::updateDBInfoCloudLink($document_to_move['path'], $moveTo.'/', $doc_id);
             
                     //update database item property
                     api_item_property_update($_course, TOOL_DOCUMENT, $doc_id, 'FileMoved', api_get_user_id(), $to_group_id, null, null, null, $session_id);
@@ -1161,8 +1161,8 @@ if ($isAllowedToEdit || $group_member_with_upload_rights ||
                     );
                 }
                 // Set the current path
-                $curdirpath = $_POST['move_to'];
-                $curdirpathurl = urlencode($_POST['move_to']);
+                $curdirpath = $moveTo;
+                $curdirpathurl = urlencode($moveTo);
             } else {
                 $real_path_target = $base_work_dir.$moveTo.'/'.basename($document_to_move['path']);
                 $fileExist = false;
@@ -1177,7 +1177,7 @@ if ($isAllowedToEdit || $group_member_with_upload_rights ||
                     );
 
                     //update database item property
-                    $doc_id = $_POST['move_file'];
+                    $doc_id = $moveFile;
                     if (is_dir($real_path_target)) {
                         api_item_property_update(
                             $courseInfo,
@@ -1214,8 +1214,8 @@ if ($isAllowedToEdit || $group_member_with_upload_rights ||
                     }
 
                     // Set the current path
-                    $curdirpath = $_POST['move_to'];
-                    $curdirpathurl = urlencode($_POST['move_to']);
+                    $curdirpath = $moveTo;
+                    $curdirpathurl = urlencode($moveTo);
                 } else {
                     if ($fileExist) {
                         if (is_dir($real_path_target)) {

main/document/edit_document.php

@@ -28,7 +28,7 @@ use ChamiloSession as Session;
  */
 
 require_once __DIR__.'/../inc/global.inc.php';
-require_once '../inc/lib/urlUtils.lib.php';
+require_once __DIR__.'/../inc/lib/urlUtils.lib.php';
 
 $groupRights = Session::read('group_member_with_upload_rights');
 
@@ -469,8 +469,8 @@ if ($owner_id == api_get_user_id() ||
     if ($file_type == 'link') {
         $form->addRule('title', get_lang('PleaseEnterCloudLinkName'), 'required', null, 'client');
         $form->addRule('title', get_lang('PleaseEnterCloudLinkName'), 'required', null, 'server');
-        $form->addRule('comment', get_lang('langGiveURL'), 'required', null, 'client');
-        $form->addRule('comment', get_lang('langGiveURL'), 'required', null, 'server');
+        $form->addRule('comment', get_lang('PleaseEnterURL'), 'required', null, 'client');
+        $form->addRule('comment', get_lang('PleaseEnterURL'), 'required', null, 'server');
         // Well formed url pattern (must have the protocol)
         $urlRegEx = URLUtils::getWellformedUrlRegex();
         $form->addRule('comment', get_lang('MalformedUrl'), 'regex', $urlRegEx, 'client');

main/inc/lib/document.lib.php

@@ -5673,7 +5673,7 @@ class DocumentManager
             $basename = substr(strrchr($basename, '.'), 1);
         } elseif ($type == 'link') {
             $icon = 'clouddoc.png';
-            $basename = 'Cloud link';
+            $basename = get_lang('CloudFileLink');
         } else {
             if ($path == '/shared_folder') {
                 $icon = 'folder_users.png';
@@ -6757,7 +6757,7 @@ class DocumentManager
             return false;
         }
  
-        $document_id = $id;
+        $document_id = intval($id);
  
         $file_deleted_from_db = false;
  
@@ -6781,13 +6781,12 @@ class DocumentManager
      * @param array $_course
      * @param string $path
      * @param string $url
-     * @return int id of link / false if no link found
-     * @deprecated
+     * @return int link's id / false if no link found
      */
     public static function getCloudLinkId($_course, $path, $url)
     {
         $TABLE_DOCUMENT = Database::get_course_table(TABLE_DOCUMENT);
-        $course_id = $_course['real_id'];
+        $course_id = int_val($_course['real_id']);
         $path = Database::escape_string($path);
 
         if (substr($path, -1) != '/') {

main/install/data.sql

@@ -1960,12 +1960,4 @@ VALUES
 INSERT INTO settings_current (variable, type, category, selected_value, title, comment, scope, subkeytext, access_url_changeable)
 VALUES ('allow_download_documents_by_api_key', 'radio', 'WebServices', 'false', 'AllowDownloadDocumentsByApiKeyTitle', 'AllowDownloadDocumentsByApiKeyComment', '', NULL, 1);
 INSERT INTO settings_options (variable, value, display_text) VALUES ('allow_download_documents_by_api_key', 'true', 'Yes');
-INSERT INTO settings_options (variable, value, display_text) VALUES ('allow_download_documents_by_api_key', 'false', 'No');
-
--- Cloud File Links
-INSERT INTO `settings_options` (`variable`, `value`, `display_text`) VALUES
-('enable_add_file_link', 'true', 'Yes'),
-('enable_add_file_link', 'false', 'No');
-
-INSERT INTO `settings_current` (`variable`, `subkey`, `type`, `category`, `selected_value`, `title`, `comment`, `scope`, `subkeytext`, `access_url`, `access_url_changeable`, `access_url_locked`) VALUES
-('enable_add_file_link', NULL, 'radio', 'Tools', 'false', 'enable_add_file_link_title', 'enable_add_file_link_comment', NULL, NULL, 1, 0, 0);
+INSERT INTO settings_options (variable, value, display_text) VALUES ('allow_download_documents_by_api_key', 'false', 'No');

main/lang/english/trad4all.inc.php

@@ -8069,6 +8069,7 @@ $Diagram = "Diagram";
 $CareerXDoesntHaveADiagram = "Career %s doesn't have a diagram.";
 
 // Cloud files in documents strings
+$CloudFileLink = "Cloud file link";
 $enable_add_file_link_title = 'Enable adding cloud files links';
 $enable_add_file_link_comment = 'Tool for adding cloud files\' links from external storage sites (Dropbox, Google Drive...) at Documents.';
 $UrlAlreadyExists = "It already exists one equal URL in this folder.";
@@ -8079,6 +8080,7 @@ $CloudLinkMoved = "Cloud file link moved.";
 $CloudLinkDeleteError = "Error deleting cloud file link.";
 $CloudLinkAdded = "Cloud file link added.";
 $PleaseEnterCloudLinkName = "Please, enter a name for the cloud file link.";
+$PleaseEnterURL = "Please, enter the URL for the cloud file link.";
 $MalformedUrl = "URL field format not valid. Expected format example: http://dropbox.com/sh/loremipsum/loremipsum?dl=0";
 $CloudLinkModified = "Cloud file link modified.";
 $NotValidDomain = "Not valid domain. It must be one of these:";

main/lang/galician/trad4all.inc.php

@@ -7297,8 +7297,9 @@ $StudentPublicationSelectionForGradebookTitle = "Tarefas consideradas para avali
 $StudentPublicationSelectionForGradebookComment = "Na ferramenta de tarefas, os estudantes poden subir máis dun arquivo. No caso de haber máis dun arquivo do mesmo estudante para unha soa tarefa, cal destes debe ser considerado para a nota nas avaluacións? Isto depende da súa metodoloxía. Seleccione 'primeiro' para poñer o acento sobre a atención ao detalle (como entregar a tempo e o traballo finalizado a primeira vez). Use 'último' para poner o acento sobre o traballo colaborativo e a adaptabilidade.";
 
 // Cloud files in documents strings
-$enable_add_file_link_title = 'Permitir engadir enlaces a ficheiros na nube';
-$enable_add_file_link_comment = 'Ferramenta para engadir enlaces a ficheiros situados en sitios de almacenamento externo (Dropbox, Google Drive, etc...) en Documentos.';
+$CloudFileLink = "Enlace a ficheiro na nube";
+$enable_add_file_link_title = "Permitir engadir enlaces a ficheiros na nube";
+$enable_add_file_link_comment = "Ferramenta para engadir enlaces a ficheiros situados en sitios de almacenamento externo (Dropbox, Google Drive, etc...) en Documentos.";
 $UrlAlreadyExists = "Xa existe unha URL igual neste directorio.";
 $ErrorAddLink = "Produciuse un erro engadindo o enlace.";
 $AddCloudLink = "Engadir enlace a un ficheiro na nube";
@@ -7307,6 +7308,7 @@ $CloudLinkMoved = "Enlace a ficheiro na nube movido.";
 $CloudLinkDeleteError = "Erro ao eliminar o enlace ao ficheiro na nube.";
 $CloudLinkAdded = "Enlace a ficheiro na nube engadido.";
 $PleaseEnterCloudLinkName = "Por favor, introduza un nome para o enlace ao ficheiro na nube.";
+$PleaseEnterURL = "Por favor, introduza a URL do ficheiro na nube.";
 $MalformedUrl = "Formato do campo URL non válido. Exemplo do formato esperado: http://dropbox.com/sh/loremipsum/loremipsum?dl=0";
 $CloudLinkModified = "Enlace a ficheiro na nube modificado.";
 $NotValidDomain = "Dominio non válido. Debe ser un dos seguintes:";

main/lang/spanish/trad4all.inc.php

@@ -8083,6 +8083,7 @@ $BestScoreNotInLearningPath = "Mejor nota fuera de lecciones";
 $StudentXHadEnoughSkillsToGetSkillXToAssignClickHereX = "El alumno %s tiene suficiente competencias secundarias para obtener la competencia %s. Para asignar esta competencia, es posible ir aquí : %s";
 
 // Cloud files in documents strings
+$CloudFileLink = "Enlace a fichero en la nube";
 $enable_add_file_link_title = 'Permitir añadir enlaces a ficheros en la nube';
 $enable_add_file_link_comment = 'Herramienta para añadir enlaces a ficheros situados en sitios de almacenamiento externo (Dropbox, Google Drive, etc...) en Documentos.';
 $UrlAlreadyExists = "Ya existe una URL igual en este directorio.";
@@ -8093,6 +8094,7 @@ $CloudLinkMoved = "Enlace a fichero en la nube movido.";
 $CloudLinkDeleteError = "Error al eliminar el enlace al fichero en la nube.";
 $CloudLinkAdded = "Enlace a fichero en la nube añadido.";
 $PleaseEnterCloudLinkName = "Por favor, introduzca un nombre para el enlace al fichero en la nube.";
+$PleaseEnterURL = "Por favor, introduzca la URL del fichero en la nube.";
 $MalformedUrl = "Formato del campo URL no válido. Ejemplo del formato esperado: http://dropbox.com/sh/loremipsum/loremipsum?dl=0";
 $CloudLinkModified = "Enlace a fichero en la nube modificado.";
 $NotValidDomain = "Dominio no válido. Debe de ser uno de los siguientes:";