From 42ae966ca7bf871cca19dc349aff3a336ca90c56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juan=20Carlos=20Ra=C3=B1a?=
Date: Mon, 28 Jun 2010 21:54:05 +0200
Subject: [PATCH] prevent download for students into main directory and into main shared folder directory. Also, into shared folder, a student only can download his shared folder directory
---
 main/document/document.inc.php | 36 +++++++++++++++++++++++++++++++---
 main/document/document.php | 34 ++++++++++++++++++++++++--------
 2 files changed, 59 insertions(+), 11 deletions(-)
diff --git a/main/document/document.inc.php b/main/document/document.inc.php
index f49e535d8e..e0bbdf0cb1 100755
--- a/main/document/document.inc.php
+++ b/main/document/document.inc.php
@@ -162,7 +162,20 @@ function create_document_link($www, $title, $path, $filetype, $size, $visibility
 if (!$show_as_icon) {
 if ($filetype == 'folder') {
 if (api_is_allowed_to_edit() || api_is_platform_admin() || api_get_setting('students_download_folders') == 'true') {
- $force_download_html = ($size == 0) ? '' : ''.Display::return_icon($forcedownload_icon, get_lang('Download'), array('height'=>'16', 'width' => '16')).'';
+
+ //filter when I am into shared folder, I can show for donwload only my shared folder
+ if(is_shared_folder($_GET['curdirpath']))
+ {
+ $my_preg_folder="/shared_folder\/sf_user_".api_get_user_id()."/";
+ if (preg_match($my_preg_folder, urldecode($forcedownload_link))|| api_is_allowed_to_edit() || api_is_platform_admin())
+ {
+ $force_download_html = ($size == 0) ? '' : ''.Display::return_icon($forcedownload_icon, get_lang('Download'), array('height'=>'16', 'width' => '16')).'';
+ }
+ }
+ elseif(!preg_match('/shared_folder/', urldecode($forcedownload_link)) || api_is_allowed_to_edit() || api_is_platform_admin())
+ {
+ $force_download_html = ($size == 0) ? '' : ''.Display::return_icon($forcedownload_icon, get_lang('Download'), array('height'=>'16', 'width' => '16')).'';
+ }
 }
 } else {
 $force_download_html = ($size==0)?'':''.Display::return_icon($forcedownload_icon, get_lang('Download'), array('height'=>'16', 'width' => '16')).'';
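Review bot: The per-user pattern built at `$my_preg_folder="/shared_folder\/sf_user_".api_get_user_id()."/"` is unanchored and has no terminator after the id, so for user 1 it also matches links to `sf_user_10` or `sf_user_123` and the download icon is shown for other users' folders; terminate the id, e.g. `$my_preg_folder = "/shared_folder\/sf_user_".api_get_user_id()."(?!\d)/";`. Since the gate in document.php uses the exact `is_my_shared_folder()` comparison, the effect as far as the hunk shows is a misleading icon rather than an actual download, but the two checks should agree. `$_GET['curdirpath']` is also read inside the function without `isset()`, which emits a notice whenever the parameter is absent; passing the current directory in as a parameter, or guarding with `isset($_GET['curdirpath']) && is_shared_folder($_GET['curdirpath'])`, avoids that. create_document_link() starts and ends outside the hunk.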
@@ -468,10 +481,27 @@ function create_dir_form() {
 return $new_folder_text;
 }
 
+
+/**
+ * Checks whether the user is in shared folder
+ * @return return bool Return true when user is in shared folder
+ */
+function is_shared_folder($curdirpath) {
+ return Security::remove_XSS($curdirpath) == '/shared_folder';
+}
+
+/**
+ * Checks whether the user is in any user shared folder
+ * @return return bool Return true when user is in any user shared folder
+ */
+function is_any_user_shared_folder($path) {
+ return preg_match('/shared_folder\/sf_user_/', Security::remove_XSS($path));
+}
+
 /**
 * Checks whether the user is in his/her shared folder
- * @return return bool Return true when user is in his shared folder
+ * @return return bool Return true when user is in his user shared folder
 */
 function is_my_shared_folder($user_id, $path) {
 return Security::remove_XSS($path) == '/shared_folder/sf_user_'.$user_id;
-}
+}
\ No newline at end of file
diff --git a/main/document/document.php b/main/document/document.php
index 6f05721ccb..87df85a43d 100755
--- a/main/document/document.php
+++ b/main/document/document.php
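Review bot: `is_any_user_shared_folder()` returns the raw `preg_match()` result (`1`, `0`, or `false` on a PCRE error) while its docblock promises a bool; `return (bool) preg_match('/shared_folder\/sf_user_/', Security::remove_XSS($path));` gives callers the documented type, and `is_shared_folder()` should compare with `===` rather than `==`. Both new helpers, like the existing `is_my_shared_folder()`, pass the path through `Security::remove_XSS()` before an exact string comparison; by its name that is an XSS filter rather than a path canonicaliser, so a value such as `/shared_folder/` with a trailing slash would not be recognised as the shared folder. A docblock line such as `@param string $path Document path relative to the course root, without trailing slash` on each helper would make that exact-match contract explicit; neither new docblock has a `@param` tag at all.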
@@ -275,9 +275,24 @@ if (isset($_GET['action']) && $_GET['action'] == 'download') {
 exit;
 }
 
-// Download of an completed folder
-if (isset($_GET['action']) && $_GET['action'] == 'downloadfolder' && (api_get_setting('students_download_folders') == 'true' || api_is_allowed_to_edit() || api_is_platform_admin())) {
- require 'downloadfolder.inc.php';
+
+// Download a folder
+if (isset($_GET['action']) && $_GET['action'] == 'downloadfolder' && $curdirpath!='/' && (api_get_setting('students_download_folders') == 'true' || api_is_allowed_to_edit() || api_is_platform_admin())) {
+
+ //filter when I am into shared folder, I can donwload only my shared folder
+
+ if(is_any_user_shared_folder($_GET['path']))
+ {
+ if(is_my_shared_folder($_user['user_id'], $_GET['path']) || api_is_allowed_to_edit() || api_is_platform_admin())
+ {
+ require 'downloadfolder.inc.php';
+ }
+ }
+ else
+ {
+ require 'downloadfolder.inc.php';
+ }
+
 }
 
 // Slideshow inititalisation
@@ -772,13 +787,16 @@ if ($is_allowed_to_edit || $group_member_with_upload_rights || is_my_shared_fold
 if (!is_null($docs_and_folders)) {
- // Download zipped folder
+ // Show download zipped folder icon
 global $total_size;
 if (!$is_certificate_mode && $total_size != 0 && (api_get_setting('students_download_folders') == 'true' || api_is_allowed_to_edit() || api_is_platform_admin())) {
-?> - -   -'.Display::display_icon('zip_save.gif', get_lang('Save').' (ZIP)'). get_lang('Save').' (ZIP) '; + } + } }
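Review bot: The root-directory guard added at `$curdirpath!='/'` tests a different request parameter than the one the shared-folder gate inspects (`$_GET['path']`), and the top-level shared folder itself is never rejected: `is_any_user_shared_folder('/shared_folder')` is false, so that request falls into the `else` branch and is served, even though the commit message says downloads of the main shared folder directory are prevented. If downloadfolder.inc.php reads `$_GET['path']` too (it is not in the hunk), a request with `path=/` and some other `curdirpath` is likewise not blocked here, and `$_GET['path']` is dereferenced without `isset()`. I would derive one `$download_path` from the request and check root, `is_shared_folder()` and `is_my_shared_folder()` against that single value, keeping the editor/admin bypass in one place.
```php
// Download a folder
if (isset($_GET['action']) && $_GET['action'] == 'downloadfolder' && (api_get_setting('students_download_folders') == 'true' || api_is_allowed_to_edit() || api_is_platform_admin())) {
    // Gate on the same parameter the download will use, not on $curdirpath
    $download_path = isset($_GET['path']) ? $_GET['path'] : '/';
    $is_privileged = api_is_allowed_to_edit() || api_is_platform_admin();
    // Students may not fetch the top-level shared folder or another user's shared folder
    $student_allowed = !is_shared_folder($download_path)
        && (!is_any_user_shared_folder($download_path) || is_my_shared_folder($_user['user_id'], $download_path));
    if ($download_path != '/' && ($is_privileged || $student_allowed)) {
        require 'downloadfolder.inc.php';
    }
}
```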