Merge branch '1.11.x' of github.com:chamilo/chamilo-lms into 1.11.x

4 years ago · 118af0819f
parent 2fe2fce7b8 2c8c0ad950
commit 118af0819f
16 changed files with 112 additions and 57 deletions
--- a/.htaccess
+++ b/.htaccess
@ -8,6 +8,9 @@

 RewriteEngine on

+# Disables access to myfile.php/something
+AcceptPathInfo Off
+
 # Prevent execution of PHP from directories used for different types of uploads
 RedirectMatch 403 ^/app/(?!courses/proxy)(cache|courses|home|logs|upload|Resources/public/css)/.*\.ph(p[3457]?|t|tml|ar)$
 RedirectMatch 403 ^/main/default_course_document/images/.*\.ph(p[3457]?|t|tml|ar)$
@ -88,4 +91,3 @@ AddType application/font-woff .woff .woff2
  ExpiresActive On
  ExpiresByType application/font-woff "access plus 1 month"
 </IfModule>
-
--- a/index.php
+++ b/index.php
@ -191,10 +191,16 @@ if (api_is_anonymous()) {
 }
 // direct login to course
 if (isset($_GET['firstpage'])) {
-    api_set_firstpage_parameter($_GET['firstpage']);
-    // if we are already logged, go directly to course
-    if (api_user_is_login()) {
-        echo "<script>self.location.href='index.php?firstpage=".Security::remove_XSS($_GET['firstpage'])."'</script>";
+    $firstPage = $_GET['firstpage'];
+    $courseInfo = api_get_course_info($firstPage);
+
+    if (!empty($courseInfo)) {
+        api_set_firstpage_parameter($firstPage);
+
+        // if we are already logged, go directly to course
+        if (api_user_is_login()) {
+            echo "<script>self.location.href='index.php?firstpage=".Security::remove_XSS($firstPage)."'</script>";
+        }
    }
 } else {
    api_delete_firstpage_parameter();
--- a/main/admin/questions.php
+++ b/main/admin/questions.php
@ -19,6 +19,11 @@ Session::erase('objQuestion');
 Session::erase('objAnswer');

 $interbreadcrumb[] = ['url' => 'index.php', 'name' => get_lang('PlatformAdmin')];
+$action = $_REQUEST['action'] ?? '';
+$id = isset($_REQUEST['id']) ? (int) $_REQUEST['id'] : '';
+$description = $_REQUEST['description'] ?? '';
+$title = $_REQUEST['title'] ?? '';
+$page = isset($_GET['page']) && !empty($_GET['page']) ? (int) $_GET['page'] : 1;

 // Prepare lists for form
 // Courses list
@ -81,7 +86,7 @@ $form
        'selected_course',
        [get_lang('Course'), get_lang('CourseInWhichTheQuestionWasInitiallyCreated')],
        $courseSelectionList,
-        ['onchange' => 'mark_course_id_changed(); submit_form(this);', 'id' => 'selected_course']
+        ['id' => 'selected_course']
    )
    ->setSelected($selectedCourse);
 $form
@ -89,7 +94,7 @@ $form
        'question_level',
        get_lang('Difficulty'),
        $levels,
-        ['onchange' => 'submit_form(this);', 'id' => 'question_level']
+        ['id' => 'question_level']
    )
    ->setSelected($questionLevel);
 $form
@ -97,7 +102,7 @@ $form
        'answer_type',
        get_lang('AnswerType'),
        $questionTypesList,
-        ['onchange' => 'submit_form(this);', 'id' => 'answer_type']
+        ['id' => 'answer_type']
    )
    ->setSelected($answerType);

@ -112,13 +117,18 @@ $length = 20;
 $questionCount = 0;
 $start = 0;
 $end = 0;
-
+$pdfContent = '';
+
+$params = [
+    'id' => $id,
+    'title' => Security::remove_XSS($title),
+    'description' => Security::remove_XSS($description),
+    'selected_course' => $selectedCourse,
+    'question_level' => $questionLevel,
+    'answer_type' => $answerType,
+];
 if ($formSent) {
-    $id = isset($_REQUEST['id']) ? (int) $_REQUEST['id'] : '';
-    $description = $_REQUEST['description'] ?? '';
-    $title = $_REQUEST['title'] ?? '';
-    $page = isset($_GET['page']) && !empty($_GET['page']) ? (int) $_GET['page'] : 1;
-
+    $params['form_sent'] = 1;
    $em = Database::getManager();
    $repo = $em->getRepository('ChamiloCourseBundle:CQuizQuestion');
    $criteria = new Criteria();
@ -149,19 +159,14 @@ if ($formSent) {

    $questions = $repo->matching($criteria);

-    if (empty($id)) {
-        $id = '';
-    }
-    $params = [
-        'id' => $id,
-        'title' => Security::remove_XSS($title),
-        'description' => Security::remove_XSS($description),
-        'form_sent' => 1,
-    ];
    $url = api_get_self().'?'.http_build_query($params);
    $form->setDefaults($params);
    $questionCount = count($questions);

+    if ('export_pdf' === $action) {
+        $length = $questionCount;
+    }
+
    $paginator = new Paginator();
    $pagination = $paginator->paginate($questions, $page, $length);
    $pagination->setItemNumberPerPage($length);
@ -209,6 +214,7 @@ if ($formSent) {
            $question->courseCode = $courseCode;
            // Creating empty exercise
            $exercise = new Exercise($courseId);
+            /* @var Question $questionObject */
            $questionObject = Question::read($question->getIid(), $courseInfo);

            ob_start();
@ -226,9 +232,17 @@ if ($formSent) {
            );
            $question->questionData = ob_get_contents();

+            if ('export_pdf' === $action) {
+                $pdfContent .= '<span style="color:#000; font-weight:bold; font-size:x-large;">#'.$question->getIid().'. '.$question->getQuestion().'</span><br />';
+                $pdfContent .= '<span style="color:#444;">('.$questionTypesList[$question->getType()].') ['.get_lang('Source').': '.$courseCode.']</span><br />';
+                $pdfContent .= $question->getDescription().'<br />';
+                $pdfContent .= $question->questionData;
+                continue;
+            }
+
            $deleteUrl = $url.'&'.http_build_query([
                'courseId' => $question->getCId(),
-                'questionId' => $question->getId(),
+                'questionId' => $question->getIid(),
                'action' => 'delete',
            ]);

@ -250,7 +264,7 @@ if ($formSent) {
                                'id_session' => $exercise->sessionId,
                                'exerciseId' => $exerciseId,
                                'type' => $question->getType(),
-                                'editQuestion' => $question->getId(),
+                                'editQuestion' => $question->getIid(),
                            ]
                        ),
                        ['target' => '_blank']
@ -309,8 +323,17 @@ if ($formSent) {

 $formContent = $form->returnForm();

-$action = $_REQUEST['action'] ?? '';
 switch ($action) {
+    case 'export_pdf':
+        $pdfContent = Security::remove_XSS($pdfContent);
+        $pdfParams = [
+            'filename' => 'questions-export-'.api_get_local_time(),
+            'pdf_date' => api_get_local_time(),
+            'orientation' => 'P',
+        ];
+        $pdf = new PDF('A4', $pdfParams['orientation'], $pdfParams);
+        $pdf->html_to_pdf_with_template($pdfContent, false, false, true);
+        exit;
    case 'delete':
        $questionId = $_REQUEST['questionId'] ?? '';
        $courseId = $_REQUEST['courseId'] ?? '';
@ -338,30 +361,21 @@ $actionsLeft = Display::url(
    Display::return_icon('back.png', get_lang('PlatformAdmin'), [], ICON_SIZE_MEDIUM),
    api_get_path(WEB_CODE_PATH).'admin/index.php'
 );
-$actionsRight = '';
-/*
+
+$exportUrl = api_get_path(WEB_CODE_PATH)
+    .'admin/questions.php?action=export_pdf&'
+    .http_build_query($params);
+
 $actionsRight = Display::url(
    Display::return_icon('pdf.png', get_lang('ExportToPDF'), [], ICON_SIZE_MEDIUM),
-    api_get_path(WEB_CODE_PATH).'admin/questions.php?action=exportpdf'
+    $exportUrl
 );
-*/

 $toolbar = Display::toolbarAction(
    'toolbar-admin-questions',
    [$actionsLeft, $actionsRight]
 );

-$htmlHeadXtra[] = "
-<script>
-    function submit_form(obj) {
-        document.question_pool.submit();
-    }
-
-    function mark_course_id_changed() {
-        $('#course_id_changed').val('1');
-    }
-</script>";
-
 $tpl = new Template(get_lang('Questions'));
 $tpl->assign('form', $formContent);
 $tpl->assign('toolbar', $toolbar);
--- a/main/admin/settings.lib.php
+++ b/main/admin/settings.lib.php
@ -159,7 +159,7 @@ function handlePluginUpload()
    $form = new FormValidator(
        'plugin_upload',
        'post',
-        'settings.php?category=Plugins#tabs-4'
+        api_get_path(WEB_CODE_PATH).'admin/settings.php?category=Plugins#tabs-4'
    );
    $form->addElement(
        'file',
@ -397,8 +397,9 @@ function handleStylesheets()
    $form = new FormValidator(
        'stylesheet_upload',
        'post',
-        'settings.php?category=Stylesheets#tabs-3'
+        api_get_path().'admin/settings.php?category=Stylesheets#tabs-3'
    );
+    $form->protect();
    $form->addElement(
        'text',
        'name_stylesheet',
@ -1640,8 +1641,9 @@ function generateSettingsForm($settings, $settings_by_access_list)
    $form = new FormValidator(
        'settings',
        'post',
-        'settings.php?category='.Security::remove_XSS($_GET['category'])
+        api_get_path(WEB_CODE_PATH).'admin/settings.php?category='.Security::remove_XSS($_GET['category'])
    );
+    $form->protect();

    $form->addElement(
        'hidden',
@ -1965,6 +1967,11 @@ function generateSettingsForm($settings, $settings_by_access_list)
        }

        switch ($row['variable']) {
+            case 'upload_extensions_replace_by':
+                $default_values[$row['variable']] = api_replace_dangerous_char(
+                    str_replace('.', '', $default_values[$row['variable']])
+                );
+                break;
            case 'pdf_export_watermark_enable':
                $url = PDF::get_watermark(null);

--- a/main/admin/user_edit.php
+++ b/main/admin/user_edit.php
@ -421,7 +421,12 @@ if ($form->validate()) {
        $phone = $user['phone'];
        $username = isset($user['username']) ? $user['username'] : $userInfo['username'];
        $status = (int) $user['status'];
-        $platform_admin = (int) $user['platform_admin'];
+        $platform_admin = 0;
+        // Only platform admin can change user status to admin.
+        if (api_is_platform_admin()) {
+            $platform_admin = (int) $user['platform_admin'];
+        }
+
        $send_mail = (int) $user['send_mail'];
        $reset_password = (int) $user['reset_password'];
        $hr_dept_id = isset($user['hr_dept_id']) ? intval($user['hr_dept_id']) : null;
--- a/main/auth/profile.php
+++ b/main/auth/profile.php
@ -739,7 +739,7 @@ if ($allowSocialTool) {
            $actions .= '<a href="'.api_get_path(WEB_PATH).'main/messages/inbox.php">'.
                Display::return_icon('inbox.png', get_lang('Messages')).'</a>';
        }
-        $show = isset($_GET['show']) ? '&amp;show='.Security::remove_XSS($_GET['show']) : '';
+        $show = isset($_GET['show']) ? '&show='.(int) $_GET['show'] : '';

        if (isset($_GET['type']) && $_GET['type'] === 'extended') {
            $actions .= '<a href="profile.php?type=reduced'.$show.'">'.
--- a/main/blog/blog.php
+++ b/main/blog/blog.php
@ -7,7 +7,7 @@
 */
 require_once __DIR__.'/../inc/global.inc.php';

-$blog_id = isset($_GET['blog_id']) ? $_GET['blog_id'] : 0;
+$blog_id = isset($_GET['blog_id']) ? (int) $_GET['blog_id'] : 0;

 if (empty($blog_id)) {
    api_not_allowed(true);
--- a/main/document/create_paint.php
+++ b/main/document/create_paint.php
@ -1,6 +1,9 @@
 <?php
+
 /* For licensing terms, see /license.txt */

+exit;
+
 use ChamiloSession as Session;

 /**
--- a/main/document/save_pixlr.php
+++ b/main/document/save_pixlr.php
@ -3,6 +3,8 @@

 use ChamiloSession as Session;

+exit;
+
 /**
 * This file allows creating new svg and png documents with an online editor.
 *
--- a/main/exercise/exercise_show.php
+++ b/main/exercise/exercise_show.php
@ -79,6 +79,7 @@ if (empty($nbrQuestions)) {
 if (empty($questionList)) {
    $questionList = Session::read('questionList');
 }
+/* @var Exercise $objExercise */
 if (empty($objExercise)) {
    $objExercise = Session::read('objExercise');
 }
--- a/main/forum/download.php
+++ b/main/forum/download.php
@ -42,7 +42,7 @@ $sql = 'SELECT thread_id, forum_id,filename
        WHERE
            f.c_id = '.$course_id.' AND
            a.c_id = '.$course_id.' AND
-            path LIKE BINARY "'.$doc_url.'"';
+            path LIKE BINARY "'.Database::escape_string($doc_url).'"';

 $result = Database::query($sql);
 $row = Database::fetch_array($result);
--- a/main/inc/ajax/exercise.ajax.php
+++ b/main/inc/ajax/exercise.ajax.php
@ -167,6 +167,10 @@ switch ($action) {
        $sidx = $_REQUEST['sidx']; //index to filter
        $sord = $_REQUEST['sord']; //asc or desc

+        if (!in_array($sidx, ['firstname', 'lastname', 'start_date'])) {
+            $sidx = 1;
+        }
+
        if (!in_array($sord, ['asc', 'desc'])) {
            $sord = 'desc';
        }
--- a/main/inc/lib/fileUpload.lib.php
+++ b/main/inc/lib/fileUpload.lib.php
@ -1342,7 +1342,7 @@ function filter_extension(&$filename)
            if ($skip == 'true') {
                return 0;
            } else {
-                $new_ext = api_get_setting('upload_extensions_replace_by');
+                $new_ext = getReplacedByExtension();
                $filename = str_replace('.'.$ext, '.'.$new_ext, $filename);

                return 1;
@ -1362,7 +1362,7 @@ function filter_extension(&$filename)
            if ($skip == 'true') {
                return 0;
            } else {
-                $new_ext = api_get_setting('upload_extensions_replace_by');
+                $new_ext = getReplacedByExtension();
                $filename = str_replace('.'.$ext, '.'.$new_ext, $filename);

                return 1;
@ -1373,6 +1373,13 @@ function filter_extension(&$filename)
    }
 }

+function getReplacedByExtension()
+{
+    $extension = api_get_setting('upload_extensions_replace_by');
+
+    return 'REPLACED_'.api_replace_dangerous_char(str_replace('.', '', $extension));
+}
+
 /**
 * Adds a new document to the database.
 *
--- a/main/inc/lib/pear/HTML/QuickForm.php
+++ b/main/inc/lib/pear/HTML/QuickForm.php
@ -1430,6 +1430,11 @@ class HTML_QuickForm extends HTML_Common
            $check = Security::check_token('form', $this);
            Security::clear_token();
            if (false === $check) {
+                // Redirect to the same URL + show token not validated message.
+                $url = $this->getAttribute('action');
+                Display::addFlash(Display::return_message(get_lang('NotValidated'), 'warning'));
+                api_location($url);
+
                return false;
            }
        }
--- a/main/session/add_users_to_session.php
+++ b/main/session/add_users_to_session.php
@ -15,7 +15,7 @@ $xajax->registerFunction('search_users');
 $this_section = SECTION_PLATFORM_ADMIN;

 $id_session = isset($_GET['id_session']) ? (int) $_GET['id_session'] : 0;
-$addProcess = isset($_GET['add']) ? Security::remove_XSS($_GET['add']) : null;
+$addProcess = isset($_GET['add']) && 'true' === $_GET['add'] ? 'true' : null;

 SessionManager::protectSession($id_session);

--- a/main/session/session_category_list.php
+++ b/main/session/session_category_list.php
@ -27,15 +27,15 @@ $tbl_session = Database::get_main_table(TABLE_MAIN_SESSION);

 $page = isset($_GET['page']) ? (int) $_GET['page'] : null;
 $action = isset($_REQUEST['action']) ? Security::remove_XSS($_REQUEST['action']) : null;
-$sort = isset($_GET['sort']) && in_array($_GET['sort'], ['name', 'nbr_session', 'date_start', 'date_end'])
-    ? Security::remove_XSS($_GET['sort'])
-    : 'name';
+$columns = ['name', 'nbr_session', 'date_start', 'date_end'];
+$sort = isset($_GET['sort']) && in_array($_GET['sort'], $columns) ? Security::remove_XSS($_GET['sort']) : 'name';
 $idChecked = isset($_REQUEST['idChecked']) ? Security::remove_XSS($_REQUEST['idChecked']) : null;
-$order = isset($_REQUEST['order']) ? Security::remove_XSS($_REQUEST['order']) : 'ASC';
+$order = $_REQUEST['order'] ?? 'ASC';
+$order = $order === 'ASC' ? 'DESC' : 'ASC';
 $keyword = isset($_REQUEST['keyword']) ? Security::remove_XSS($_REQUEST['keyword']) : null;

 if ($action === 'delete_on_session' || $action === 'delete_off_session') {
-    $delete_session = $action == 'delete_on_session' ? true : false;
+    $delete_session = $action === 'delete_on_session' ? true : false;
    SessionManager::delete_session_category($idChecked, $delete_session);
    Display::addFlash(Display::return_message(get_lang('SessionCategoryDelete')));
    header('Location: '.api_get_self().'?sort='.$sort);
@ -91,7 +91,6 @@ if (isset($_GET['search']) && $_GET['search'] === 'advanced') {

    $query_rows = "SELECT count(*) as total_rows
                  FROM $tbl_session_category sc $where ";
-    $order = ($order == 'ASC') ? 'DESC' : 'ASC';
    $result_rows = Database::query($query_rows);
    $recorset = Database::fetch_array($result_rows);
    $num = $recorset['total_rows'];