diff --git a/.htaccess b/.htaccess
index d24712d053..1f3d7492f5 100755
--- a/.htaccess
+++ b/.htaccess
@@ -8,6 +8,9 @@
RewriteEngine on
+# Disables access to myfile.php/something
+AcceptPathInfo Off
+
# Prevent execution of PHP from directories used for different types of uploads
RedirectMatch 403 ^/app/(?!courses/proxy)(cache|courses|home|logs|upload|Resources/public/css)/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/main/default_course_document/images/.*\.ph(p[3457]?|t|tml|ar)$
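Review bot: The new `AcceptPathInfo Off` takes effect from `.htaccess` only where the enclosing directory grants `AllowOverride FileInfo` (the same override class the `RewriteEngine` line needs), so deployments that run with `AllowOverride None` and carry these rules in the vhost keep the old behaviour; the directive belongs in the vhost template as well. The comment above it would be clearer stating what it does rather than giving an example path, e.g. `# Reject trailing path-info segments (script.php/extra); complements the RedirectMatch rules below`. Whether the directive has the same effect behind a proxied PHP-FPM handler cannot be seen here and is worth confirming on the target setup.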
@@ -88,4 +91,3 @@ AddType application/font-woff .woff .woff2
ExpiresActive On
ExpiresByType application/font-woff "access plus 1 month"
-
diff --git a/index.php b/index.php
index f08a3a1f1a..0ed26c2a58 100755
--- a/index.php
+++ b/index.php
@@ -191,10 +191,16 @@ if (api_is_anonymous()) {
}
// direct login to course
if (isset($_GET['firstpage'])) {
- api_set_firstpage_parameter($_GET['firstpage']);
- // if we are already logged, go directly to course
- if (api_user_is_login()) {
- echo "";
+ $firstPage = $_GET['firstpage'];
+ $courseInfo = api_get_course_info($firstPage);
+
+ if (!empty($courseInfo)) {
+ api_set_firstpage_parameter($firstPage);
+
+ // if we are already logged, go directly to course
+ if (api_user_is_login()) {
+ echo "";
+ }
}
} else {
api_delete_firstpage_parameter();
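Review bot: When `api_get_course_info($firstPage)` returns empty, nothing clears a previously stored firstpage value: the `else` branch calling `api_delete_firstpage_parameter()` only runs when the parameter is absent, so an unknown `firstpage` leaves stale state from an earlier request in place. Adding `} else { api_delete_firstpage_parameter(); }` to the new `if (!empty($courseInfo))` keeps the two outcomes symmetric. `$_GET['firstpage']` is also passed to the lookup without a type check; `$firstPage = is_string($_GET['firstpage']) ? $_GET['firstpage'] : '';` avoids handing an array value to a function that expects a code.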
diff --git a/main/admin/questions.php b/main/admin/questions.php
index 54a75a2e0a..a4afbd6f1c 100644
--- a/main/admin/questions.php
+++ b/main/admin/questions.php
@@ -19,6 +19,11 @@ Session::erase('objQuestion');
Session::erase('objAnswer');
$interbreadcrumb[] = ['url' => 'index.php', 'name' => get_lang('PlatformAdmin')];
+$action = $_REQUEST['action'] ?? '';
+$id = isset($_REQUEST['id']) ? (int) $_REQUEST['id'] : '';
+$description = $_REQUEST['description'] ?? '';
+$title = $_REQUEST['title'] ?? '';
+$page = isset($_GET['page']) && !empty($_GET['page']) ? (int) $_GET['page'] : 1;
// Prepare lists for form
// Courses list
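Review bot: `$page` on the last added line pairs a redundant `isset(...) && !empty(...)` check with a cast that still admits zero or negative pages; `$page = max(1, (int) ($_GET['page'] ?? 1));` is shorter and always yields a valid page for the paginator. `$id` is typed `int` or `''` depending on the request, which `http_build_query` tolerates but leaves `empty($id)` as the only safe test downstream. `$action` now selects the PDF export path, so a one-line comment listing the values this script handles (`export_pdf`, `delete`) next to its assignment would help the next reader.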
@@ -81,7 +86,7 @@ $form
'selected_course',
[get_lang('Course'), get_lang('CourseInWhichTheQuestionWasInitiallyCreated')],
$courseSelectionList,
- ['onchange' => 'mark_course_id_changed(); submit_form(this);', 'id' => 'selected_course']
+ ['id' => 'selected_course']
)
->setSelected($selectedCourse);
$form
@@ -89,7 +94,7 @@ $form
'question_level',
get_lang('Difficulty'),
$levels,
- ['onchange' => 'submit_form(this);', 'id' => 'question_level']
+ ['id' => 'question_level']
)
->setSelected($questionLevel);
$form
@@ -97,7 +102,7 @@ $form
'answer_type',
get_lang('AnswerType'),
$questionTypesList,
- ['onchange' => 'submit_form(this);', 'id' => 'answer_type']
+ ['id' => 'answer_type']
)
->setSelected($answerType);
@@ -112,13 +117,18 @@ $length = 20;
$questionCount = 0;
$start = 0;
$end = 0;
-
+$pdfContent = '';
+
+$params = [
+ 'id' => $id,
+ 'title' => Security::remove_XSS($title),
+ 'description' => Security::remove_XSS($description),
+ 'selected_course' => $selectedCourse,
+ 'question_level' => $questionLevel,
+ 'answer_type' => $answerType,
+];
if ($formSent) {
- $id = isset($_REQUEST['id']) ? (int) $_REQUEST['id'] : '';
- $description = $_REQUEST['description'] ?? '';
- $title = $_REQUEST['title'] ?? '';
- $page = isset($_GET['page']) && !empty($_GET['page']) ? (int) $_GET['page'] : 1;
-
+ $params['form_sent'] = 1;
$em = Database::getManager();
$repo = $em->getRepository('ChamiloCourseBundle:CQuizQuestion');
$criteria = new Criteria();
@@ -149,19 +159,14 @@ if ($formSent) {
$questions = $repo->matching($criteria);
- if (empty($id)) {
- $id = '';
- }
- $params = [
- 'id' => $id,
- 'title' => Security::remove_XSS($title),
- 'description' => Security::remove_XSS($description),
- 'form_sent' => 1,
- ];
$url = api_get_self().'?'.http_build_query($params);
$form->setDefaults($params);
$questionCount = count($questions);
+ if ('export_pdf' === $action) {
+ $length = $questionCount;
+ }
+
$paginator = new Paginator();
$pagination = $paginator->paginate($questions, $page, $length);
$pagination->setItemNumberPerPage($length);
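Review bot: Setting `$length = $questionCount` for the export means one request renders every matching question (each through `Question::read` and an output buffer in the later hunks) with no upper bound, which on a large question bank turns this admin endpoint into a memory and execution-time exhaustion risk. A documented cap, e.g. `$length = min($questionCount, $maxPdfQuestions);` (placeholder name for the limit), or refusing the export with a message when the count exceeds it, keeps the export bounded. Whether the export is meant to honour the filter only or the whole bank is not stated; a comment on the `if` would settle it.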
@@ -209,6 +214,7 @@ if ($formSent) {
$question->courseCode = $courseCode;
// Creating empty exercise
$exercise = new Exercise($courseId);
+ /* @var Question $questionObject */
$questionObject = Question::read($question->getIid(), $courseInfo);
ob_start();
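Review bot: The added `/* @var Question $questionObject */` is a single-asterisk comment, which PHPStan and Psalm do not read as a docblock; the recognised form is `/** @var Question $questionObject */`. If `Question::read` already declares its return type the annotation is unnecessary, but that signature is outside the hunk.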
@@ -226,9 +232,17 @@ if ($formSent) {
);
$question->questionData = ob_get_contents();
+ if ('export_pdf' === $action) {
+ $pdfContent .= '#'.$question->getIid().'. '.$question->getQuestion().'
';
+ $pdfContent .= '('.$questionTypesList[$question->getType()].') ['.get_lang('Source').': '.$courseCode.']
';
+ $pdfContent .= $question->getDescription().'
';
+ $pdfContent .= $question->questionData;
+ continue;
+ }
+
$deleteUrl = $url.'&'.http_build_query([
'courseId' => $question->getCId(),
- 'questionId' => $question->getId(),
+ 'questionId' => $question->getIid(),
'action' => 'delete',
]);
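Review bot: `$questionTypesList[$question->getType()]` in the export lines emits an undefined-index warning and an empty label for any type missing from the list; `($questionTypesList[$question->getType()] ?? '')` keeps the export running. The iid, type label and `$courseCode` are concatenated into the HTML buffer unescaped and only the aggregated buffer goes through `Security::remove_XSS` in the export case; escaping each plain-text fragment with `htmlspecialchars` here is more precise than filtering the whole string afterwards. The literals that embed a raw line break would read better as `"\n"`. The enclosing loop begins before the hunk.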
@@ -250,7 +264,7 @@ if ($formSent) {
'id_session' => $exercise->sessionId,
'exerciseId' => $exerciseId,
'type' => $question->getType(),
- 'editQuestion' => $question->getId(),
+ 'editQuestion' => $question->getIid(),
]
),
['target' => '_blank']
@@ -309,8 +323,17 @@ if ($formSent) {
$formContent = $form->returnForm();
-$action = $_REQUEST['action'] ?? '';
switch ($action) {
+ case 'export_pdf':
+ $pdfContent = Security::remove_XSS($pdfContent);
+ $pdfParams = [
+ 'filename' => 'questions-export-'.api_get_local_time(),
+ 'pdf_date' => api_get_local_time(),
+ 'orientation' => 'P',
+ ];
+ $pdf = new PDF('A4', $pdfParams['orientation'], $pdfParams);
+ $pdf->html_to_pdf_with_template($pdfContent, false, false, true);
+ exit;
case 'delete':
$questionId = $_REQUEST['questionId'] ?? '';
$courseId = $_REQUEST['courseId'] ?? '';
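Review bot: `case 'export_pdf'` writes a PDF from `$pdfContent`, which is only filled inside `if ($formSent)`, while the export link built in the later `$exportUrl` hunk carries `form_sent=1` only when the current page was itself a submission (`$params['form_sent']` is assigned inside that block); clicking export from a freshly opened page therefore produces an empty PDF, assuming `$formSent` derives from that parameter, which is not visible here. Either add `form_sent` to the export URL unconditionally or refuse the export with a flash message when `$pdfContent === ''`. The download name `'questions-export-'.api_get_local_time()` will contain whatever separators that helper uses, likely spaces and colons that browsers rewrite; a filesystem-safe stamp such as `date('Y-m-d_H-i-s')` is a better choice for `filename`.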
@@ -338,30 +361,21 @@ $actionsLeft = Display::url(
Display::return_icon('back.png', get_lang('PlatformAdmin'), [], ICON_SIZE_MEDIUM),
api_get_path(WEB_CODE_PATH).'admin/index.php'
);
-$actionsRight = '';
-/*
+
+$exportUrl = api_get_path(WEB_CODE_PATH)
+ .'admin/questions.php?action=export_pdf&'
+ .http_build_query($params);
+
$actionsRight = Display::url(
Display::return_icon('pdf.png', get_lang('ExportToPDF'), [], ICON_SIZE_MEDIUM),
- api_get_path(WEB_CODE_PATH).'admin/questions.php?action=exportpdf'
+ $exportUrl
);
-*/
$toolbar = Display::toolbarAction(
'toolbar-admin-questions',
[$actionsLeft, $actionsRight]
);
-$htmlHeadXtra[] = "
-";
-
$tpl = new Template(get_lang('Questions'));
$tpl->assign('form', $formContent);
$tpl->assign('toolbar', $toolbar);
diff --git a/main/admin/settings.lib.php b/main/admin/settings.lib.php
index be97fe29fe..2f2a683327 100755
--- a/main/admin/settings.lib.php
+++ b/main/admin/settings.lib.php
@@ -159,7 +159,7 @@ function handlePluginUpload()
$form = new FormValidator(
'plugin_upload',
'post',
- 'settings.php?category=Plugins#tabs-4'
+ api_get_path(WEB_CODE_PATH).'admin/settings.php?category=Plugins#tabs-4'
);
$form->addElement(
'file',
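Review bot: The plugin-upload form receives the absolute action URL but not the `$form->protect()` call that the stylesheet-upload and settings forms gain in the next two hunks; if `protect()` is the request-token mechanism those hunks suggest, the most sensitive of the three forms — it installs code — is the one left without it. Adding `$form->protect();` after the constructor here keeps the three forms consistent. The remainder of `handlePluginUpload()` lies outside the hunk, so an existing token check there could not be ruled out.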
@@ -397,8 +397,9 @@ function handleStylesheets()
$form = new FormValidator(
'stylesheet_upload',
'post',
- 'settings.php?category=Stylesheets#tabs-3'
+ api_get_path().'admin/settings.php?category=Stylesheets#tabs-3'
);
+ $form->protect();
$form->addElement(
'text',
'name_stylesheet',
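Review bot: The new action URL calls `api_get_path()` with no argument while the other two hunks in this file use `api_get_path(WEB_CODE_PATH)`; unless the helper's default equals `WEB_CODE_PATH`, the stylesheet form will post to a different location than the settings page it belongs to. `api_get_path(WEB_CODE_PATH).'admin/settings.php?category=Stylesheets#tabs-3'` matches the siblings. `handleStylesheets()` continues outside the hunk.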
@@ -1640,8 +1641,9 @@ function generateSettingsForm($settings, $settings_by_access_list)
$form = new FormValidator(
'settings',
'post',
- 'settings.php?category='.Security::remove_XSS($_GET['category'])
+ api_get_path(WEB_CODE_PATH).'admin/settings.php?category='.Security::remove_XSS($_GET['category'])
);
+ $form->protect();
$form->addElement(
'hidden',
@@ -1965,6 +1967,11 @@ function generateSettingsForm($settings, $settings_by_access_list)
}
switch ($row['variable']) {
+ case 'upload_extensions_replace_by':
+ $default_values[$row['variable']] = api_replace_dangerous_char(
+ str_replace('.', '', $default_values[$row['variable']])
+ );
+ break;
case 'pdf_export_watermark_enable':
$url = PDF::get_watermark(null);
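Review bot: The new `upload_extensions_replace_by` case passes `$default_values[$row['variable']]` straight into `str_replace`, which is deprecated for `null` on PHP 8.1+ and warns when the key is absent; `(string) ($default_values[$row['variable']] ?? '')` avoids both. The normalisation is applied only to the displayed default, and the save path is outside this hunk; if the stored value is not normalised the same way, what the admin sees and what is persisted can diverge, which is worth a comment or a matching check on save.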
diff --git a/main/admin/user_edit.php b/main/admin/user_edit.php
index 7c89497ffd..33f99d411a 100755
--- a/main/admin/user_edit.php
+++ b/main/admin/user_edit.php
@@ -421,7 +421,12 @@ if ($form->validate()) {
$phone = $user['phone'];
$username = isset($user['username']) ? $user['username'] : $userInfo['username'];
$status = (int) $user['status'];
- $platform_admin = (int) $user['platform_admin'];
+ $platform_admin = 0;
+ // Only platform admin can change user status to admin.
+ if (api_is_platform_admin()) {
+ $platform_admin = (int) $user['platform_admin'];
+ }
+
$send_mail = (int) $user['send_mail'];
$reset_password = (int) $user['reset_password'];
$hr_dept_id = isset($user['hr_dept_id']) ? intval($user['hr_dept_id']) : null;
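Review bot: Defaulting `$platform_admin` to 0 for non-admin editors means that, if the value is later written without further checks (the save path is outside the hunk), an account that is already a platform admin gets silently demoted when a non-admin edits it, rather than left unchanged. The safer default is the edited user's current flag: `$platform_admin = (int) <current admin flag of the edited user>;` (placeholder for whatever lookup the file already has) followed by the existing `if (api_is_platform_admin())` override. The comment would then read `// Only a platform admin may change the admin flag; everyone else leaves it as is.`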
diff --git a/main/auth/profile.php b/main/auth/profile.php
index 5dc1517934..0fe2f1047c 100755
--- a/main/auth/profile.php
+++ b/main/auth/profile.php
@@ -739,7 +739,7 @@ if ($allowSocialTool) {
$actions .= ''.
Display::return_icon('inbox.png', get_lang('Messages')).'';
}
- $show = isset($_GET['show']) ? '&show='.Security::remove_XSS($_GET['show']) : '';
+ $show = isset($_GET['show']) ? '&show='.(int) $_GET['show'] : '';
if (isset($_GET['type']) && $_GET['type'] === 'extended') {
$actions .= ''.
diff --git a/main/blog/blog.php b/main/blog/blog.php
index 4408a78977..6001306ee2 100755
--- a/main/blog/blog.php
+++ b/main/blog/blog.php
@@ -7,7 +7,7 @@
*/
require_once __DIR__.'/../inc/global.inc.php';
-$blog_id = isset($_GET['blog_id']) ? $_GET['blog_id'] : 0;
+$blog_id = isset($_GET['blog_id']) ? (int) $_GET['blog_id'] : 0;
if (empty($blog_id)) {
api_not_allowed(true);
diff --git a/main/document/create_paint.php b/main/document/create_paint.php
index 040d1900a3..f4ce917f34 100755
--- a/main/document/create_paint.php
+++ b/main/document/create_paint.php
@@ -1,6 +1,9 @@
getAttribute('action');
+ Display::addFlash(Display::return_message(get_lang('NotValidated'), 'warning'));
+ api_location($url);
+
return false;
}
}
diff --git a/main/session/add_users_to_session.php b/main/session/add_users_to_session.php
index ec91091cab..c73b571b0d 100644
--- a/main/session/add_users_to_session.php
+++ b/main/session/add_users_to_session.php
@@ -15,7 +15,7 @@ $xajax->registerFunction('search_users');
$this_section = SECTION_PLATFORM_ADMIN;
$id_session = isset($_GET['id_session']) ? (int) $_GET['id_session'] : 0;
-$addProcess = isset($_GET['add']) ? Security::remove_XSS($_GET['add']) : null;
+$addProcess = isset($_GET['add']) && 'true' === $_GET['add'] ? 'true' : null;
SessionManager::protectSession($id_session);
diff --git a/main/session/session_category_list.php b/main/session/session_category_list.php
index 77308b4cca..80794314f8 100644
--- a/main/session/session_category_list.php
+++ b/main/session/session_category_list.php
@@ -27,15 +27,15 @@ $tbl_session = Database::get_main_table(TABLE_MAIN_SESSION);
$page = isset($_GET['page']) ? (int) $_GET['page'] : null;
$action = isset($_REQUEST['action']) ? Security::remove_XSS($_REQUEST['action']) : null;
-$sort = isset($_GET['sort']) && in_array($_GET['sort'], ['name', 'nbr_session', 'date_start', 'date_end'])
- ? Security::remove_XSS($_GET['sort'])
- : 'name';
+$columns = ['name', 'nbr_session', 'date_start', 'date_end'];
+$sort = isset($_GET['sort']) && in_array($_GET['sort'], $columns) ? Security::remove_XSS($_GET['sort']) : 'name';
$idChecked = isset($_REQUEST['idChecked']) ? Security::remove_XSS($_REQUEST['idChecked']) : null;
-$order = isset($_REQUEST['order']) ? Security::remove_XSS($_REQUEST['order']) : 'ASC';
+$order = $_REQUEST['order'] ?? 'ASC';
+$order = $order === 'ASC' ? 'DESC' : 'ASC';
$keyword = isset($_REQUEST['keyword']) ? Security::remove_XSS($_REQUEST['keyword']) : null;
if ($action === 'delete_on_session' || $action === 'delete_off_session') {
- $delete_session = $action == 'delete_on_session' ? true : false;
+ $delete_session = $action === 'delete_on_session' ? true : false;
SessionManager::delete_session_category($idChecked, $delete_session);
Display::addFlash(Display::return_message(get_lang('SessionCategoryDelete')));
header('Location: '.api_get_self().'?sort='.$sort);
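Review bot: `$order` is now flipped for every request at the top of the file (`ASC` becomes `DESC`, anything else becomes `ASC`), whereas previously the flip happened only in the advanced-search branch removed in the next hunk; if the non-advanced query also reads `$order` (outside the hunk), its direction is inverted relative to the old behaviour and needs checking. Restricting the value to the two literals is the right fix if `$order` is interpolated into the ORDER BY clause, and a clearer single line is `$order = ($_REQUEST['order'] ?? 'ASC') === 'ASC' ? 'DESC' : 'ASC';` with a comment stating that the variable holds the direction the column links should request next. `in_array($_GET['sort'], $columns)` should pass `true` as the strict flag, after which the `Security::remove_XSS` wrapper on an allow-listed value is redundant, and `$action === 'delete_on_session' ? true : false` can simply be `$action === 'delete_on_session'`.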
@@ -91,7 +91,6 @@ if (isset($_GET['search']) && $_GET['search'] === 'advanced') {
$query_rows = "SELECT count(*) as total_rows
FROM $tbl_session_category sc $where ";
- $order = ($order == 'ASC') ? 'DESC' : 'ASC';
$result_rows = Database::query($query_rows);
$recorset = Database::fetch_array($result_rows);
$num = $recorset['total_rows'];