From 1163c1e600ec3e4b04e4491cfe41a062d7b5d167 Mon Sep 17 00:00:00 2001
From: jmontoyaa
Date: Fri, 30 Sep 2016 13:16:35 +0200
Subject: [PATCH] WIP: If file_send_for_download fails then fire a api_not_allowed()
---
 main/announcements/download.php | 7 +++++--
 main/blog/download.php | 11 +++++++++--
 main/calendar/download.php | 5 ++++-
 main/document/document.php | 5 ++++-
 main/document/download.php | 5 ++++-
 main/document/download_scorm.php | 5 ++++-
 main/document/downloadfolder.inc.php | 3 +++
 main/dropbox/dropbox_download.php | 5 ++++-
 main/dropbox/dropbox_functions.inc.php | 5 ++++-
 9 files changed, 41 insertions(+), 10 deletions(-)
diff --git a/main/announcements/download.php b/main/announcements/download.php
index bf594cc606..da3c525407 100755
--- a/main/announcements/download.php
+++ b/main/announcements/download.php
@@ -62,14 +62,17 @@ $doc_url = Database::escape_string($doc_url);
 $sql = "SELECT filename FROM $tbl_announcement_attachment WHERE c_id = $course_id AND path LIKE BINARY '$doc_url'";
-$result= Database::query($sql);
+$result = Database::query($sql);
 if (Database::num_rows($result) > 0) {
 $row= Database::fetch_array($result);
 $title = str_replace(' ','_', $row['filename']);
 if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH) . api_get_course_path() . '/upload/announcements/') ) {
- DocumentManager::file_send_for_download($full_file_name, true, $title);
+ $result = DocumentManager::file_send_for_download($full_file_name, true, $title);
+ if ($result === false) {
+ api_not_allowed(true);
+ }
 }
 }
 exit;
diff --git a/main/blog/download.php b/main/blog/download.php
index 76124ac256..c1f33962e3 100755
--- a/main/blog/download.php
+++ b/main/blog/download.php
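Review bot: A path rejected by `Security::check_abs_path()` in main/announcements/download.php still falls through to the bare `exit;`, as does an attachment lookup that returns no row, so the client receives an empty response and, as far as the hunk shows, the rejected request is answered no differently from a no-op. The added check only handles a `false` return from `file_send_for_download()`. I would give the path check an explicit branch, `} else { api_not_allowed(true); }`, so a rejected path is answered the same way as a failed send. The same gap is visible in the blog, calendar, document.php, download.php and download_scorm.php hunks; the surrounding script continues outside each hunk.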
@@ -58,12 +58,19 @@ $sql = 'SELECT filename FROM '.$tbl_blogs_attachment.'
 $result = Database::query($sql);
 if (Database::num_rows($result) > 0) {
 $row = Database::fetch_array($result);
- if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH).api_get_course_path().'/upload/blog/')) {
- DocumentManager::file_send_for_download(
+ if (Security::check_abs_path(
+ $full_file_name,
+ api_get_path(SYS_COURSE_PATH).api_get_course_path().'/upload/blog/')
+ ) {
+ $result = DocumentManager::file_send_for_download(
 $full_file_name,
 true,
 $row['filename']
 );
+
+ if ($result === false) {
+ api_not_allowed(true);
+ }
 }
 }
 exit;
diff --git a/main/calendar/download.php b/main/calendar/download.php
index f16114267e..3b92dd361e 100755
--- a/main/calendar/download.php
+++ b/main/calendar/download.php
@@ -82,7 +82,10 @@ if (Database::num_rows($result)) {
 $full_file_name,
 api_get_path(SYS_COURSE_PATH).$course_info['path'].'/upload/calendar/'
 )) {
- DocumentManager::file_send_for_download($full_file_name, true, $title);
+ $result = DocumentManager::file_send_for_download($full_file_name, true, $title);
+ if ($result === false) {
+ api_not_allowed(true);
+ }
 }
 }
diff --git a/main/document/document.php b/main/document/document.php
index 5f778696f0..6444dada30 100755
--- a/main/document/document.php
+++ b/main/document/document.php
@@ -315,7 +315,10 @@ switch ($action) {
 }
 $full_file_name = $base_work_dir.$document_data['path'];
 if (Security::check_abs_path($full_file_name, $base_work_dir.'/')) {
- DocumentManager::file_send_for_download($full_file_name, true);
+ $result = DocumentManager::file_send_for_download($full_file_name, true);
+ if ($result === false) {
+ api_not_allowed(true);
+ }
 }
 exit;
 break;
diff --git a/main/document/download.php b/main/document/download.php
index e0bdb2a6e0..d1de7c5924 100755
--- a/main/document/download.php
+++ b/main/document/download.php
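Review bot: `$result` in main/blog/download.php already holds the `Database::query()` result and is now overwritten with the return value of `file_send_for_download()`, so one name carries two unrelated values within a few lines. A dedicated name makes the failure check harder to misread, for example `$sent = DocumentManager::file_send_for_download(` followed by `if ($sent === false) {`. The announcements and calendar hunks reuse `$result` the same way.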
@@ -101,6 +101,9 @@ if (Security::check_abs_path($sys_course_path.$doc_url, $sys_course_path.'/')) {
 // Launch event
 Event::event_download($doc_url);
 $download = (!empty($_GET['dl']) ? true : false);
- DocumentManager::file_send_for_download($full_file_name, $download);
+ $result = DocumentManager::file_send_for_download($full_file_name, $download);
+ if ($result === false) {
+ api_not_allowed(true);
+ }
 }
 exit;
diff --git a/main/document/download_scorm.php b/main/document/download_scorm.php
index 7ef5b7da2b..4cbd23cf0e 100755
--- a/main/document/download_scorm.php
+++ b/main/document/download_scorm.php
@@ -55,6 +55,9 @@ if (Security::check_abs_path($sys_course_path.$doc_url, $sys_course_path.'/')) {
 Event::event_download($doc_url);
 $fixLinks = api_get_configuration_value('lp_replace_http_to_https');
- DocumentManager::file_send_for_download($full_file_name, false, '', $fixLinks);
+ $result = DocumentManager::file_send_for_download($full_file_name, false, '', $fixLinks);
+ if ($result === false) {
+ api_not_allowed(true);
+ }
 }
 exit;
diff --git a/main/document/downloadfolder.inc.php b/main/document/downloadfolder.inc.php
index 652eb37ccc..4e582af284 100755
--- a/main/document/downloadfolder.inc.php
+++ b/main/document/downloadfolder.inc.php
@@ -314,6 +314,9 @@ $name = ($path == '/') ? 'documents.zip' : $documentInfo['title'].'.zip';
 if (Security::check_abs_path($tempZipFile, api_get_path(SYS_ARCHIVE_PATH))) {
 $result = DocumentManager::file_send_for_download($tempZipFile, true, $name);
+ if ($result === false) {
+ api_not_allowed(true);
+ }
 @unlink($tempZipFile);
 exit;
 } else {
diff --git a/main/dropbox/dropbox_download.php b/main/dropbox/dropbox_download.php
index 3de0057fb0..460f2015cf 100755
--- a/main/dropbox/dropbox_download.php
+++ b/main/dropbox/dropbox_download.php
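Review bot: `Event::event_download($doc_url);` runs before the send in main/document/download.php, so a request that ends in `api_not_allowed(true)` has presumably already been recorded as a download (the body of the event call is not shown). Now that the failure is detectable, the tracking call could be made only when `$result !== false`, provided `file_send_for_download()` returns after a successful send, or the failure could be recorded separately, so that download logs match what was actually served. The download_scorm.php hunk has the same ordering.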
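Review bot: In main/document/downloadfolder.inc.php the new `api_not_allowed(true)` sits ahead of `@unlink($tempZipFile);`, so if that call ends the request (its body is not shown here) a failed send leaves the generated archive behind under `SYS_ARCHIVE_PATH`. Deleting first keeps the cleanup unconditional: `$result = DocumentManager::file_send_for_download($tempZipFile, true, $name);`, then `@unlink($tempZipFile);`, then `if ($result === false) { api_not_allowed(true); }`. `zip_download()` in main/dropbox/dropbox_functions.inc.php has the same ordering with `$temp_zip_file`.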
@@ -100,7 +100,10 @@ if (!$allowed_to_download) {
 exit;
 }
 $file = $work->title;
- DocumentManager::file_send_for_download($path, true, $file);
+ $result = DocumentManager::file_send_for_download($path, true, $file);
+ if ($result === false) {
+ api_not_allowed(true);
+ }
 exit;
 }
 //@todo clean this file the code below is useless there are 2 exits in previous conditions ... maybe a bad copy/paste/merge?
diff --git a/main/dropbox/dropbox_functions.inc.php b/main/dropbox/dropbox_functions.inc.php
index 6d03d85107..3c5b5ca3d1 100755
--- a/main/dropbox/dropbox_functions.inc.php
+++ b/main/dropbox/dropbox_functions.inc.php
@@ -1189,7 +1189,10 @@ function zip_download($fileList)
 }
 Session::erase('dropbox_files_to_download');
 $name = 'dropbox-'.api_get_utc_datetime().'.zip';
- DocumentManager::file_send_for_download($temp_zip_file, true, $name);
+ $result = DocumentManager::file_send_for_download($temp_zip_file, true, $name);
+ if ($result === false) {
+ api_not_allowed(true);
+ }
 @unlink($temp_zip_file);
 exit;
 }