Feature #2044 saving files in current directory, implement groups, security and cleaning

main/document/create_drawing.php

@@ -19,10 +19,10 @@ require_once '../inc/global.inc.php';
 
 $_SESSION['whereami'] = 'document/draw';
 $this_section = SECTION_COURSES;
-require_once api_get_path(LIBRARY_PATH).'document.lib.php';
+
 require_once api_get_path(SYS_CODE_PATH).'document/document.inc.php';
 require_once api_get_path(LIBRARY_PATH).'groupmanager.lib.php';
-require_once api_get_path(LIBRARY_PATH).'usermanager.lib.php';
+
 $nameTools = get_lang('Draw');
 
 api_protect_course_script();
@@ -57,6 +57,18 @@ if ($dir[strlen($dir) - 1] != '/') {
 	$dir .= '/';
 }
 
+$is_allowed_to_edit = api_is_allowed_to_edit(null, true);
+
+
+$filepath = api_get_path(SYS_COURSE_PATH).$_course['path'].'/document'.$dir;
+
+if (!is_dir($filepath)) {
+	$filepath = api_get_path(SYS_COURSE_PATH).$_course['path'].'/document/';
+	$dir = '/';
+}
+
+
+$to_group_id = 0;
 
 if (isset ($_SESSION['_gid']) && $_SESSION['_gid'] != '') {
 		$req_gid = '&gidReq='.$_SESSION['_gid'];
@@ -71,14 +83,60 @@ if (isset ($_SESSION['_gid']) && $_SESSION['_gid'] != '') {
 	}
 	$interbreadcrumb[] = array ("url" => "./document.php?curdirpath=".urlencode($_GET['dir']).$req_gid, "name" => get_lang('Documents'));
 
+if (!$is_allowed_in_course) {
+	api_not_allowed(true);
+}
+if (!($is_allowed_to_edit || $_SESSION['group_member_with_upload_rights'])) {
+	api_not_allowed(true);
+}
+/*	Header */
+event_access_tool(TOOL_DOCUMENT);
+$display_dir = $dir;
+if (isset ($group)) {
+	$display_dir = explode('/', $dir);
+	unset ($display_dir[0]);
+	unset ($display_dir[1]);
+	$display_dir = implode('/', $display_dir);
+}
+
+// Interbreadcrumb for the current directory root path
+	// Copied from document.php
+	$dir_array = explode('/', $dir);
+	$array_len = count($dir_array);
+	if (!$is_certificate_mode) {
+		if ($array_len > 1) {
+			if (empty($_SESSION['_gid'])) {
+				$url_dir = 'document.php?&curdirpath=/';
+				$interbreadcrumb[] = array('url' => $url_dir, 'name' => get_lang('HomeDirectory'));
+			}
+		}
+	}
+	$dir_acum = '';
+	for ($i = 0; $i < $array_len; $i++) {
+		$url_dir = 'document.php?&curdirpath='.$dir_acum.$dir_array[$i];
+		//Max char 80
+		$url_to_who = cut($dir_array[$i],80);
+		if ($is_certificate_mode) {
+			$interbreadcrumb[] = array('url' => $url_dir.'&selectcat='.Security::remove_XSS($_GET['selectcat']), 'name' => $url_to_who);
+		} else {
+			$interbreadcrumb[] = array('url' => $url_dir, 'name' => $url_to_who);
+		}
+		$dir_acum .= $dir_array[$i].'/';
+	}
+	
+//path for svg-edit save
+$_SESSION['draw_dir']=Security::remove_XSS($_GET['dir']);
+if($_SESSION['draw_dir']=='/'){
+	$_SESSION['draw_dir']='';
+}
 
-////////////////////////
+//
 Display :: display_header($nameTools, 'Doc');
 echo '<div class="actions">';
 		echo '<a href="document.php?curdirpath='.Security::remove_XSS($_GET['dir']).'">'.Display::return_icon('back.png',get_lang('Back').' '.get_lang('To').' '.get_lang('DocumentsOverview')).get_lang('BackTo').' '.get_lang('DocumentsOverview').'</a>';
 echo '</div>';
 
-echo '<iframe style=\'height: 500px; width: 100%;\' scrolling=\'no\' frameborder=\'0\' src=\''.api_get_path(WEB_LIBRARY_PATH).'svg-edit/svg-editor.php \'>';
+echo '<iframe style=\'height: 500px; width: 100%;\' scrolling=\'no\' frameborder=\'0\' src=\''.api_get_path(WEB_LIBRARY_PATH).'svg-edit/svg-editor.php\'>';
 echo '</iframe>';
 
 Display :: display_footer();

main/inc/lib/svg-edit/extensions/filesave.php

@@ -11,18 +11,38 @@
  * @author Juan Carlos Raña Trabado
  * @since 25/september/2010
 */
+//Chamilo load libraries
+require_once '../../../../inc/global.inc.php';
+require_once api_get_path(LIBRARY_PATH).'fileUpload.lib.php';
 
-require_once '../../../../inc/global.inc.php';//hack for chamilo
-require_once api_get_path(LIBRARY_PATH).'course.lib.php';
-require_once api_get_path(LIBRARY_PATH).'groupmanager.lib.php';
-require_once api_get_path(LIBRARY_PATH).'security.lib.php';
-require_once api_get_path(LIBRARY_PATH).'document.lib.php';
-
+//Add security from Chamilo
 api_protect_course_script();
 api_block_anonymous_users();
 
+//Adding Chamilo style because Display :: display_error_message() dont run well.
+?>
+<style type="text/css">
+<!--
+.error-message {
+	position: relative;
+	margin-top: 10px;
+	margin-bottom: 10px;
+	border-width: 1px;
+	border-style: solid;
+	-moz-border-radius: 10px;
+	padding: 6px;
+	border: 1px solid #FF0000;
+	color: #440000;
+	background-color: #FFD1D1;
+	min-height: 30px;
+}
+-->
+</style>
+<?php
+
 if(!isset($_POST['output_svg']) && !isset($_POST['output_png'])) {
-	die('post fail');
+	echo '<div class="error-message">'. get_lang('lang_no_access_here').'</div>';// from Chamilo
+	die();
 }
 
 $file = '';
@@ -51,49 +71,62 @@ if($suffix == 'svg') {
 
 /////hack for Chamilo
 
+//get SVG-Edit values
 $filename=$file;//from svg-edit
 $extension=$suffix;// from svg-edit
 $content=$contents;//from svg-edit
- 
-//a bit title security  
+
+$title = Database::escape_string(str_replace('_',' ',$filename));
+
+//get Chamilo variables 
+$current_session_id = api_get_session_id();
+$groupId=$_SESSION['_gid'];
+$relativeUrlPath=$_SESSION['draw_dir'];// for main documents and for groups (groupmanager only returns the root directory of the group) // alias $groupPath
+$dirBaseDocuments = api_get_path(SYS_COURSE_PATH).$_course['path'].'/document/';
+$saveDir=$dirBaseDocuments.$_SESSION['draw_dir']; // saveDir alias exporDir
+
+//a bit title security
+
 $filename = addslashes(trim($filename));
 $filename = Security::remove_XSS($filename);
-$filename = replace_dangerous_char($filename);
-$filename = disable_dangerous_file($filename); 
- 
-$current_session_id = api_get_session_id();
-//TODO:implement groups
-if (0 != $groupId)
+$filename = replace_dangerous_char($filename, 'strict');
+$filename = disable_dangerous_file($filename);
+
+//a bit mime security
+$finfo = new finfo(FILEINFO_MIME);
+$current_mime=$finfo->buffer($contents);
+$mime_png='image/png';//image/png; charset=binary 
+$mime_svg='application/xml';//application/xml; charset=us-ascii
+if(strpos($current_mime, $mime_png)===false && $extension=='png')
 {
-	$groupPart = '_group' . $groupId; // and add groupId to put the same document title in different groups
-	$group_properties  = GroupManager :: get_group_properties($groupId);
-	$groupPath = $group_properties['directory'];
+	die('File extension does not match its content');
+}elseif(strpos($current_mime, $mime_svg)===false && $extension=='svg')
+{
+	die('File extension does not match its content');
 }
-else
+//check path
+if(!isset($_SESSION['draw_dir']))
 {
-	$groupPart = '';
-	$groupPath ='';
+	die('Error');
 }
 
-$exportDir = api_get_path(SYS_COURSE_PATH).$_course['path'].'/document/';
-$groupId=0;
-if(file_exists($exportDir . '/' .$filename.$i.'.'.$extension))
-{   
+//checks if the file exists, then rename the new
+if(file_exists($saveDir.'/'.$filename.$i.'.'.$extension)){
 	$i = 1;
-	while ( file_exists($exportDir . '/' .$filename.'_'.$i.'.'.$extension) ) $i++; //prevent duplicates
-	$drawFileName = $filename . '_' . $i . '.'.$extension;
-}
-else
-{
-	$drawFileName = $filename.'.'.$extension;;	
+	while (file_exists($saveDir.'/'.$filename.'_'.$i.'.'.$extension)) $i++; //prevent duplicates
+	$drawFileName = $filename.'_'.$i.'.'.$extension;
+	$title=$title.' '.$i.'.'.$extension;
+}else{
+	$drawFileName = $filename.'.'.$extension;
+	$title = $title.'.'.$extension;
 }
-$documentPath = $exportDir . '/' . $drawFileName;
+$documentPath = $saveDir.'/'.$drawFileName;
 
 //add new document to disk
 file_put_contents( $documentPath, $contents );	
 
 //add new document to database
-$doc_id = add_document($_course, $groupPath.'/'.$drawFileName, 'file', filesize($documentPath), $drawFileName);
+$doc_id = add_document($_course, $relativeUrlPath.'/'.$drawFileName, 'file', filesize($documentPath), $title);
 api_item_property_update($_course, TOOL_DOCUMENT, $doc_id, 'DocumentAdded', $_user['user_id'], $groupId,null, null,$current_session_id);
 api_item_property_update($_course, TOOL_DOCUMENT, $doc_id, 'invisible', $_user['user_id'], $groupId,null, null,$current_session_id);