Merge branch '1.11.x' of github.com:chamilo/chamilo-lms into 1.11.x

4 years ago · 0d7aee9f78
parent b0ec4f21e7 8e0d403208
commit 0d7aee9f78
4 changed files with 33 additions and 5 deletions
--- a/app/cache/.htaccess
+++ b/app/cache/.htaccess
@ -1 +1,8 @@
+order deny,allow
+deny from all
+# pChart generated files should be allowed
+<FilesMatch "^[0-9a-f]+$">
+    order allow,deny
+    allow from all
+</FilesMatch>
 php_flag engine off
--- a/main/admin/archive_cleanup.php
+++ b/main/admin/archive_cleanup.php
@ -46,7 +46,17 @@ if ($form->validate()) {
    }

    $archive_path = api_get_path(SYS_ARCHIVE_PATH);
-    $htaccess = 'php_flag engine off';
+    $htaccess = <<<TEXT
+order deny,allow
+deny from all
+# pChart generated files should be allowed
+<FilesMatch "^[0-9a-f]+$">
+    order allow,deny
+    allow from all
+</FilesMatch>
+php_flag engine off
+TEXT;
+
    $result = rmdirr($archive_path, true, true);
    if (false === $result) {
        Display::addFlash(Display::return_message(get_lang('ArchiveDirCleanupFailed'), 'error'));
--- a/main/inc/lib/online.inc.php
+++ b/main/inc/lib/online.inc.php
@ -76,10 +76,17 @@ function LoginCheck($uid)
 function preventMultipleLogin($userId)
 {
    $table = Database::get_main_table(TABLE_STATISTIC_TRACK_E_ONLINE);
-    $userId = intval($userId);
+    $userId = (int) $userId;
    if (api_get_setting('prevent_multiple_simultaneous_login') === 'true') {
        if (!empty($userId) && !api_is_anonymous()) {
            $isFirstLogin = Session::read('first_user_login');
+            $currentIp = Session::read('current_ip');
+            $differentIp = false;
+            if (!empty($currentIp) && api_get_real_ip() !== $currentIp) {
+                $isFirstLogin = null;
+                $differentIp = true;
+            }
+
            if (empty($isFirstLogin)) {
                $sql = "SELECT login_id FROM $table
                        WHERE login_user_id = $userId
@ -94,7 +101,7 @@ function preventMultipleLogin($userId)
                $userIsReallyOnline = user_is_online($userId);

                // Trying double login.
-                if (!empty($loginData) && $userIsReallyOnline == true) {
+                if ((!empty($loginData) && $userIsReallyOnline) || $differentIp) {
                    session_regenerate_id();
                    Session::destroy();
                    header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=multiple_connection_not_allowed');
@ -102,6 +109,7 @@ function preventMultipleLogin($userId)
                } else {
                    // First time
                    Session::write('first_user_login', 1);
+                    Session::write('current_ip', api_get_real_ip());
                }
            }
        }
--- a/main/webservices/user_info.soap.php
+++ b/main/webservices/user_info.soap.php
@ -1,15 +1,18 @@
 <?php
+
 /* For licensing terms, see /license.txt */
+
 /**
 * This script provides the caller service with user details.
 * It is set to work with the Chamilo module for Drupal:
 * http://drupal.org/project/chamilo.
 *
 * @author Yannick Warnier <yannick.warnier@dokeos.com>
- *
- * @package chamilo.webservices
 */
 require_once __DIR__.'/../inc/global.inc.php';
+
+api_protect_webservices();
+
 // Create the server instance
 $server = new soap_server();
 // Initialize WSDL support