From 1013249a5d6d91085107b10e3a881905a1800ab7 Mon Sep 17 00:00:00 2001 From: Yannick Warnier Date: Thu, 28 Feb 2008 05:59:36 +0100 Subject: [PATCH] [svn r14409] Videoconference: - Removed useless script and updated to match the new tool - Using Dokeos translation files - Using random encryption salt generation - General cleaning --- main/conference/index.php | 11 +- main/conference/liveconf.php | 29 ---- main/webrooms/api.php | 210 +++++++++----------------- main/webrooms/checksession.php | 54 ++++--- main/webrooms/get_translation.lib.php | 17 ++- 5 files changed, 129 insertions(+), 192 deletions(-) delete mode 100755 main/conference/liveconf.php diff --git a/main/conference/index.php b/main/conference/index.php index d1e9d34671..42cb84f248 100755 --- a/main/conference/index.php +++ b/main/conference/index.php @@ -1,3 +1,12 @@ + + + \ No newline at end of file diff --git a/main/conference/liveconf.php b/main/conference/liveconf.php deleted file mode 100755 index 28011a998b..0000000000 --- a/main/conference/liveconf.php +++ /dev/null @@ -1,29 +0,0 @@ - - - - - diff --git a/main/webrooms/api.php b/main/webrooms/api.php index 0a790c24c4..a0b4486862 100644 --- a/main/webrooms/api.php +++ b/main/webrooms/api.php @@ -1,58 +1,17 @@ 0) error_log("setting SID to:".$_REQUEST["sid"]); - session_id($_REQUEST["sid"]); -} +$presentation_extension = array('.ppt', '.odp'); +$image_extension = array ('.png', '.jpg', '.gif', '.jpeg'); if ($debug>0) { 
@@ -69,75 +28,70 @@ if ($debug>0) } -/* -============================================================================== - INCLUDE -============================================================================== -*/ +/*==== INCLUDE ====*/ require_once ('../inc/global.inc.php'); api_block_anonymous_users(); require_once (api_get_path(LIBRARY_PATH)."course.lib.php"); require_once (api_get_path(LIBRARY_PATH)."document.lib.php"); require_once (api_get_path(LIBRARY_PATH)."fileUpload.lib.php"); -/* -============================================================================== - SETTING UP SOME VARIABLES -============================================================================== -*/ -$debug=0; -$action = $_REQUEST["action"]; -$cidReq = $_REQUEST["cidReq"]; +/*==== Variables initialisation ====*/ +$action = $_REQUEST["action"]; //safe as only used in if()'s +$seek = array('/','%2F','..'); +$destroy = array('','',''); +$cidReq = str_replace($seek,$destroy,$_REQUEST["cidReq"]); +$cidReq = Security::remove_XSS($cidReq); $user_id = api_get_user_id(); $coursePath = api_get_path(SYS_COURSE_PATH).$cidReq.'/document'; $_course = CourseManager::get_course_information($cidReq); -// FIXME: this sound very strange !!! but add_document need this to works +// FIXME: add_document needs this to work $_course['dbName'] = $_course['db_name']; // FIXME: check if CourseManager::get_user_in_course_status return != // COURSEMANAGER when the code is not valid -// FIXME: There is no valid course code which contains things like ../ if ($debug>0) error_log($coursePath, 0); +if ($action == "uploadgui") +{ + echo '
+ + + + - -if ($action == "upload") + Choose a file to upload:
+ +
+ '; + die(); +} +else if ($action == "upload") { -/* -============================================================================== - PERMISSION -============================================================================== -*/ + /*==== PERMISSION ====*/ $permissions = CourseManager::get_user_in_course_status($user_id, $cidReq); if ($permissions != COURSEMANAGER) { if ($debug >0) error_log("Upload from videoconf not allowed !!!",0); - die(); // this user is not allowed to add upload documents + die('Not allowed'); // this user is not allowed to add upload documents } -/* -============================================================================== - UPLOAD -============================================================================== -*/ - + /*==== UPLOAD ====*/ $destPath = $coursePath.VIDEOCONF_UPLOAD_PATH; - if (!is_dir($destPath)){ + if (!is_dir($destPath)) + { $result = create_unexisting_directory($_course,$user_id,0,NULL,$coursePath,VIDEOCONF_UPLOAD_PATH); if (!$result) + { if ($debug>0) error_log("Can't create ".$destPath." folder",0); + } } - $newPath = handle_uploaded_document($_course,$_FILES['Filedata'],$coursePath,VIDEOCONF_UPLOAD_PATH,$user_id,0,NULL,'',0,'rename',false); + $newPath = handle_uploaded_document($_course,$_FILES['filedata'],$coursePath,VIDEOCONF_UPLOAD_PATH,$user_id,0,NULL,'',0,'rename',false); // based on ../newscorm/presentation.class.php - $file_name = (strrpos($newPath,'.')>0 ? substr($newPath, 0, strrpos($newPath,'.')) : $newPath); - $file_extension = (strrpos($newPath,'.')>0 ? substr($newPath, strrpos($newPath,'.'),10) : ''); -/* error_log($newPath,0); - error_log($file_name,0); - error_log($file_extension,0); -*/ - if (in_array($file_extension, $PRESENTATION_EXTENSION)) + $file_name = (strrpos($newPath,'.')>0 ? substr($newPath, 0, strrpos($newPath,'.')) : $newPath); + $file_extension = (strrpos($newPath,'.')>0 ? 
substr($newPath, strrpos($newPath,'.'),10) : ''); + if (in_array($file_extension, $presentation_extension)) { if ($debug > 0) error_log("converting $coursePath$newPath", 0); /* creating output folder */ @@ -188,19 +142,20 @@ if ($action == "upload") api_item_property_update($_course, TOOL_DOCUMENT, $did, 'DocumentAdded', $user_id, 0, NULL); } } -} else if ($action == "service") -{/* -============================================================================== - LIST FILES -============================================================================== -*/ + echo ''; +} +else if ($action == "service") +{ + /*==== List files ====*/ if ($debug>0) error_log("sending file list",0); $subaction = $_REQUEST["subaction"]; - $canDelete = (CourseManager::get_user_in_course_status($user_id, $cidReq) == COURSEMANAGER); - if ($subaction == "list") { + $can_delete = (CourseManager::get_user_in_course_status($user_id, $cidReq) == COURSEMANAGER); + if ($subaction == "list") + { // FIXME: check security around $_REQUEST["cwd"] $cwd = $_REQUEST["cwd"]; - + $is_bellow_videoconf_upload_path = Security::check_abs_path($cwd,api_get_path(SYS_PATH)); + /* // treat /.. $nParent = 0; // the number of /.. into the url while (substr($cwd, -3, 3) == "/..") 
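Review bot: The new `$cidReq` handling under `/*==== Variables initialisation ====*/` is a blacklist that still feeds request input straight into `$coursePath = api_get_path(SYS_COURSE_PATH).$cidReq.'/document'`: `str_replace` runs a single pass, `$_REQUEST` values are already URL-decoded so stripping `%2F` does nothing, and `Security::remove_XSS` is an HTML filter rather than a path filter. Since the removed FIXME states that no valid course code contains `../`, an allow-list is both simpler and tighter: `if (!preg_match('/^[A-Za-z0-9_-]+$/', $cidReq)) { die('Invalid course code'); }` before `$coursePath` is built, and `if (empty($_course)) { die('Unknown course'); }` right after `get_course_information()`, so an unknown code cannot reach `handle_uploaded_document()` with an empty `$_course`. The exact character set permitted in course codes is not visible here and should be checked against the course-creation code before fixing the regex.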
@@ -219,77 +174,63 @@ if ($action == "upload") // check if user can delete files. He must be manager and be inside /videoconf $isBellowVideoConfUploadPath = (substr($cwd,0,strlen(VIDEOCONF_UPLOAD_PATH)) == VIDEOCONF_UPLOAD_PATH); $canDelete = ($canDelete && $isBellowVideoConfUploadPath); + */ + $can_delete = ($can_delete && $is_bellow_videoconf_upload_path); // get files list $files = DocumentManager::get_all_document_data($_course, $cwd, 0, NULL, false); printf(""); printf(""); foreach($files as $i) + { if ($i["filetype"] != "folder") + { continue; + } else { - printf('%s%s%s', $i['path'],$i['title'],($canDelete?"true":"false")); + printf('%s%s%s', $i['path'],$i['title'],($can_delete?'true':'false')); } + } printf(""); foreach($files as $i) { $extension = (strrpos($i['path'],'.')>0 ? substr($i['path'], strrpos($i['path'],'.'),10) : ''); - if ($i["filetype"] != "file" || !in_array($extension, $IMAGE_EXTENSION)) + if ($i["filetype"] != "file" || !in_array($extension, $image_extension)) + { continue; + } else { - printf('%s%s%s', $i['path'],$i['title'],($canDelete?"true":"false")); + printf('%s%s%s', $i['path'],$i['title'],($can_delete?'true':'false')); } } printf(""); -// foreach($files as $i) { - // FIXME: Please optimise me !!! -// $extension = (strrpos($i['path'],'.')>0 ? 
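Review bot: The new `$is_bellow_videoconf_upload_path = Security::check_abs_path($cwd, api_get_path(SYS_PATH))` replaces the old prefix test against `VIDEOCONF_UPLOAD_PATH` with a test against the whole system path, so `$can_delete` no longer means "course manager *and* inside /videoconf" even though the variable name still promises that, and the `FIXME: check security around $_REQUEST["cwd"]` comment stays unresolved. What `check_abs_path` does with a relative `$cwd` is not visible here, so I may be missing something, but the two checks are not interchangeable. Keep both and drop the commented-out block instead of leaving it in: `$is_bellow_videoconf_upload_path = (substr($cwd, 0, strlen(VIDEOCONF_UPLOAD_PATH)) == VIDEOCONF_UPLOAD_PATH) && Security::check_abs_path($cwd, api_get_path(SYS_PATH));`. The `if ($subaction == "list")` body continues past the end of this hunk.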
substr($i['path'], strrpos($i['path'],'.'),10) : ''); -// if ($i["filetype"] != "file" || !in_array($extension, $PRESENTATION_EXTENSION)) -// continue; -// else -// { -// printf('%s%s%s', $i['path'], $i['title'],($canDelete?"true":"false")); -// } -// } -// printf("fr1fn1"); - printf(""); printf(""); - } else if ($subaction == "delete") {/* -============================================================================== - PERMISSION -============================================================================== -*/ - $permissions = CourseManager::get_user_in_course_status($user_id, $cidReq); - if ($permissions != COURSEMANAGER) + } + else if ($subaction == "delete") { - if ($debug > 0) error_log("Upload from videoconf not allowed !!!",0); - die(); // this user is not allowed to add upload documents - } - -/* -============================================================================== - DELETE -============================================================================== -*/ - $path = $_REQUEST["path"]; + /*==== PERMISSION ====*/ + $permissions = CourseManager::get_user_in_course_status($user_id, $cidReq); + if ($permissions != COURSEMANAGER) + { + if ($debug > 0) error_log("Upload from videoconf not allowed !!!",0); + die(); // this user is not allowed to add upload documents + } + /*==== DELETE ====*/ + $path = str_replace('../','',$_REQUEST["path"]); if ((substr($path,0,strlen(VIDEOCONF_UPLOAD_PATH)) != VIDEOCONF_UPLOAD_PATH)) { if ($debug >0 ) error_log("Delete from videoconf for "+$path+" NOT ALLOWED",0); die(); } - DocumentManager::delete_document($_course, $path, $coursePath); echo "OK"; // We have to returns something to OpenLaszlo } -} else if ($action == "download") +} +else if ($action == "download") { -/* -============================================================================== - DOWNLOAD -============================================================================== -*/ + /*==== DOWNLOAD ====*/ //check if the document is in the database 
if(!DocumentManager::get_document_id($_course,$_REQUEST['file'])) { @@ -307,11 +248,10 @@ if ($action == "upload") echo($error404); exit; } - $doc_url=$_REQUEST['file']; + $doc_url = str_replace('../','',$_REQUEST['file']); if ($debug >0) error_log($doc_url); $full_file_name = $coursePath.$doc_url; DocumentManager::file_send_for_download($full_file_name,false); exit; } - -?> +?> \ No newline at end of file diff --git a/main/webrooms/checksession.php b/main/webrooms/checksession.php index f0b5a89b87..1dde1f0c18 100644 --- a/main/webrooms/checksession.php +++ b/main/webrooms/checksession.php 
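Review bot: `$path = str_replace('../','',$_REQUEST["path"])` in the delete branch is a single-pass strip and can be bypassed: `/videoconf/..././x` becomes `/videoconf/../x` after the replace, which still satisfies the `VIDEOCONF_UPLOAD_PATH` prefix check and is then handed to `DocumentManager::delete_document()`. Reject traversal rather than rewriting it: `if (strpos($path, '..') !== false || substr($path, 0, strlen(VIDEOCONF_UPLOAD_PATH)) != VIDEOCONF_UPLOAD_PATH) { die(); }`, and ideally compare `realpath($coursePath.$path)` against `realpath($coursePath.VIDEOCONF_UPLOAD_PATH)` so that what is checked is exactly what is deleted. The debug line concatenates with `+` instead of `.` (`"Delete from videoconf for "+$path+" NOT ALLOWED"`), which is numeric addition in PHP; it is only reached with `$debug > 0` but should use `.`.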
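Review bot: In the download branch the existence check `DocumentManager::get_document_id($_course,$_REQUEST['file'])` runs on the raw request value, but the file actually sent is built from the stripped `$doc_url = str_replace('../','',$_REQUEST['file'])`, so the value validated and the value served can differ, and the strip is single-pass (`..././` survives as `../`). Either run `get_document_id()` on `$doc_url` after sanitising, or refuse any value containing `..` up front, reusing the existing 404 path: `if (strpos($_REQUEST['file'], '..') !== false) { echo($error404); exit; }`. Whether a user who is not a member of the course should be able to download its documents at all is decided outside this hunk and is not visible here.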
@@ -1,57 +1,61 @@ 0) error_log('New LP - Included learnpath',0); require_once('../newscorm/learnpathItem.class.php'); +if($debug>0) error_log('New LP - Included learnpathItem',0); require_once('../newscorm/scorm.class.php'); +if($debug>0) error_log('New LP - Included scorm',0); require_once('../newscorm/scormItem.class.php'); +if($debug>0) error_log('New LP - Included scormItem',0); require_once('../newscorm/aicc.class.php'); +if($debug>0) error_log('New LP - Included aicc',0); require_once('../newscorm/aiccItem.class.php'); -require_once('get_translation.lib.php'); +if($debug>0) error_log('New LP - Included aiccItem',0); include("../../main/inc/global.inc.php"); api_block_anonymous_users(); +//$confkey = "0123456789abcdef0123456789abcdef"; +$confkey = api_get_setting('service_visio','visio_pass'); +$challenge = api_generate_password(32); //generate a 32 characters-long challenge key + require_once (api_get_path(LIBRARY_PATH)."course.lib.php"); printf (''); printf(''); printf(''); -if(count($_SESSION['course'])>0) -{ - foreach ($_SESSION['_course'] as $key => $val) - { +foreach ($_SESSION['_course'] as $key => $val) printf('<%s>%s',$key,utf8_encode($val),$key); - } -} printf(''); printf(''); -if(count($_SESSION['_user'])>0) -{ - foreach ($_SESSION['_user'] as $key => $val) - { - if ($key != "auth_source") - { - printf('<%s>%s',$key,utf8_encode($val),$key); - } - } -} +foreach ($_SESSION['_user'] as $key => $val) if ($key != "auth_source") printf('<%s>%s',$key,utf8_encode($val),$key); printf('%s', session_id()); -printf('%s', (CourseManager::get_user_in_course_status($_SESSION['_user']['user_id'], $_SESSION['_course']['sysCode']) == COURSEMANAGER) ? "true" : "false"); +$isadmin =((CourseManager::get_user_in_course_status($_SESSION['_user']['user_id'], $_SESSION['_course']['sysCode']) == COURSEMANAGER)||api_is_platform_admin() ? 
"true" : "false"); +printf('%s', md5($confkey.$challenge)); +printf('%s', $challenge); +printf('%s', $isadmin); +printf('%s',($isadmin=='true' || $_SESSION["roomType"] == "conference")?'true':'false'); +printf('%s',($isadmin=='true' || $_SESSION["roomType"] == "conference")?'true':'false'); printf(''); printf(''); -printf(''.api_get_setting('service_visio','visio_rtmp_host_local').''); -printf(''.api_get_setting('service_visio','visio_is_web_rtmp').''); -printf(''.api_get_setting('service_visio','visio_rtmp_port').''); -printf(''.api_get_setting('service_visio','visio_rtmp_tunnel_port').''); +printf(''.api_get_setting('service_visio','visio_host').''); +printf(''.api_get_setting('service_visio','visio_port').''); printf(''); +$path = preg_replace('/^([^:]*:\/\/)/','',api_get_path(WEB_PATH)); +$path = str_replace('/','_',$path); +printf(''); +printf('%s', $path); +printf('%s', $_SESSION['roomType']); // fixme remove + +printf(''); printf(''); @@ -69,8 +73,8 @@ if(isset($_SESSION['oLP'])) $document_id = $_SESSION['oLP']->current; } -printf(' %s',$student_view); -printf(' %s',$document_id); +printf('%s',$student_view); +printf('%s',$document_id); printf(''); printf(''); printf(get_language_file_as_xml($language_interface)); diff --git a/main/webrooms/get_translation.lib.php b/main/webrooms/get_translation.lib.php index 6eae15ccf4..aa50e1fd19 100644 --- a/main/webrooms/get_translation.lib.php +++ b/main/webrooms/get_translation.lib.php @@ -1,4 +1,5 @@ '.$items[1].''.$string.''."\n"; } }
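Review bot: The new challenge/response hands both `$challenge` and `md5($confkey.$challenge)` to every authenticated user who fetches this XML, so `visio_pass` can be attacked offline from a single response: unkeyed `md5(secret.challenge)` is fast to brute-force and the `api_generate_password(32)` challenge does nothing to protect a weak secret. Use a keyed MAC, `printf('%s', hash_hmac('sha256', $challenge, $confkey));`, treat `visio_pass` as a long random shared secret rather than a human-chosen password, and delete the commented-out `//$confkey = "0123456789abcdef0123456789abcdef";` so it is never copied into production. Whether `api_generate_password()` draws from a cryptographic source is not visible here and is worth confirming, since the commit message presents this as random salt generation. Separately, dropping the `count()` guards means `foreach ($_SESSION['_user'] ...)` now warns when the key is unset, and the loop still serialises every `_user` field except `auth_source` to the client — confirm nothing sensitive such as a password hash lives in that array.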