WIP: If file_send_for_download fails then fire a api_not_allowed()

9 years ago · 1163c1e600
parent 4910db2632
commit 1163c1e600
9 changed files with 41 additions and 10 deletions
--- a/main/announcements/download.php
+++ b/main/announcements/download.php
@ -62,14 +62,17 @@ $doc_url = Database::escape_string($doc_url);
 $sql = "SELECT filename FROM $tbl_announcement_attachment
  	  	WHERE c_id = $course_id AND path LIKE BINARY '$doc_url'";

-$result= Database::query($sql);
+$result = Database::query($sql);
 if (Database::num_rows($result) > 0) {
    $row= Database::fetch_array($result);
    $title = str_replace(' ','_', $row['filename']);
    if (Security::check_abs_path($full_file_name,
        api_get_path(SYS_COURSE_PATH) . api_get_course_path() . '/upload/announcements/')
    ) {
-        DocumentManager::file_send_for_download($full_file_name, true, $title);
+        $result = DocumentManager::file_send_for_download($full_file_name, true, $title);
+        if ($result === false) {
+            api_not_allowed(true);
+        }
    }
 }
 exit;
--- a/main/blog/download.php
+++ b/main/blog/download.php
@ -58,12 +58,19 @@ $sql = 'SELECT filename FROM '.$tbl_blogs_attachment.'
 $result = Database::query($sql);
 if (Database::num_rows($result) > 0) {
    $row = Database::fetch_array($result);
-    if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH).api_get_course_path().'/upload/blog/')) {
-        DocumentManager::file_send_for_download(
+    if (Security::check_abs_path(
+        $full_file_name,
+        api_get_path(SYS_COURSE_PATH).api_get_course_path().'/upload/blog/')
+    ) {
+        $result = DocumentManager::file_send_for_download(
            $full_file_name,
            true,
            $row['filename']
        );
+
+        if ($result === false) {
+            api_not_allowed(true);
+        }
    }
 }
 exit;
--- a/main/calendar/download.php
+++ b/main/calendar/download.php
@ -82,7 +82,10 @@ if (Database::num_rows($result)) {
        $full_file_name,
        api_get_path(SYS_COURSE_PATH).$course_info['path'].'/upload/calendar/'
    )) {
-        DocumentManager::file_send_for_download($full_file_name, true, $title);
+        $result = DocumentManager::file_send_for_download($full_file_name, true, $title);
+        if ($result === false) {
+            api_not_allowed(true);
+        }
    }
 }

--- a/main/document/document.php
+++ b/main/document/document.php
@ -315,7 +315,10 @@ switch ($action) {
        }
        $full_file_name = $base_work_dir.$document_data['path'];
        if (Security::check_abs_path($full_file_name, $base_work_dir.'/')) {
-            DocumentManager::file_send_for_download($full_file_name, true);
+            $result = DocumentManager::file_send_for_download($full_file_name, true);
+            if ($result === false) {
+                api_not_allowed(true);
+            }
        }
        exit;
        break;
--- a/main/document/download.php
+++ b/main/document/download.php
@ -101,6 +101,9 @@ if (Security::check_abs_path($sys_course_path.$doc_url, $sys_course_path.'/')) {
    // Launch event
    Event::event_download($doc_url);
    $download = (!empty($_GET['dl']) ? true : false);
-    DocumentManager::file_send_for_download($full_file_name, $download);
+    $result = DocumentManager::file_send_for_download($full_file_name, $download);
+    if ($result === false) {
+        api_not_allowed(true);
+    }
 }
 exit;
--- a/main/document/download_scorm.php
+++ b/main/document/download_scorm.php
@ -55,6 +55,9 @@ if (Security::check_abs_path($sys_course_path.$doc_url, $sys_course_path.'/')) {
    Event::event_download($doc_url);

    $fixLinks = api_get_configuration_value('lp_replace_http_to_https');
-    DocumentManager::file_send_for_download($full_file_name, false, '', $fixLinks);
+    $result = DocumentManager::file_send_for_download($full_file_name, false, '', $fixLinks);
+    if ($result === false) {
+        api_not_allowed(true);
+    }
 }
 exit;
--- a/main/document/downloadfolder.inc.php
+++ b/main/document/downloadfolder.inc.php
@ -314,6 +314,9 @@ $name = ($path == '/') ? 'documents.zip' : $documentInfo['title'].'.zip';

 if (Security::check_abs_path($tempZipFile, api_get_path(SYS_ARCHIVE_PATH))) {
    $result = DocumentManager::file_send_for_download($tempZipFile, true, $name);
+    if ($result === false) {
+        api_not_allowed(true);
+    }
    @unlink($tempZipFile);
    exit;
 } else {
--- a/main/dropbox/dropbox_download.php
+++ b/main/dropbox/dropbox_download.php
@ -100,7 +100,10 @@ if (!$allowed_to_download) {
        exit;
    }
    $file = $work->title;
-    DocumentManager::file_send_for_download($path, true, $file);
+    $result = DocumentManager::file_send_for_download($path, true, $file);
+    if ($result === false) {
+        api_not_allowed(true);
+    }
    exit;
 }
 //@todo clean this file the code below is useless there are 2 exits in previous conditions ... maybe a bad copy/paste/merge?
--- a/main/dropbox/dropbox_functions.inc.php
+++ b/main/dropbox/dropbox_functions.inc.php
@ -1189,7 +1189,10 @@ function zip_download($fileList)
    }
    Session::erase('dropbox_files_to_download');
    $name = 'dropbox-'.api_get_utc_datetime().'.zip';
-    DocumentManager::file_send_for_download($temp_zip_file, true, $name);
+    $result = DocumentManager::file_send_for_download($temp_zip_file, true, $name);
+    if ($result === false) {
+        api_not_allowed(true);
+    }
    @unlink($temp_zip_file);
    exit;
 }