[svn r18072] FS#2867 - FCKEditor, simple file manager, image manager: Restricting users to browse only their own folders under "shared_folder" while they use the online editor. This restriction is important for teachers, because they are able to access the "shared_folder" starting from the document repository root.

main/inc/lib/fckeditor/editor/filemanager/browser/default/connectors/php/commands.php

@@ -35,16 +35,21 @@ function GetFolders( $resourceType, $currentFolder )
 	$oCurrentFolder = opendir( $sServerDir ) ;
 
 	$in_group = api_is_in_group();
+	$in_shared_folder = $currentFolder == '/shared_folder/';
+	$user_id = api_get_user_id();
 
 	while ( $sFile = readdir( $oCurrentFolder ) )
 	{
 		if ( $sFile != '.' && $sFile != '..'
 			&& strpos( $sFile, '_DELETED_' ) === false
 			&& ( $in_group || ( !$in_group && strpos( $sFile, '_groupdocs' ) === false ) )
+			&& (!$in_shared_folder || ($in_shared_folder && $sFile == $user_id))
 			&& $sFile != '.thumbs'
 			&& $sFile != '.svn'
 			&& is_dir( $sServerDir . $sFile ) )
+		{
 			$aFolders[] = '<Folder name="' . ConvertToXmlAttribute( $sFile ) . '" />' ;
+		}
 	}
 
 	closedir( $oCurrentFolder ) ;
@@ -72,16 +77,20 @@ function GetFoldersAndFiles( $resourceType, $currentFolder )
 	$oCurrentFolder = opendir( $sServerDir ) ;
 
 	$in_group = api_is_in_group();
+	$in_shared_folder = $currentFolder == '/shared_folder/';
+	$user_id = api_get_user_id();
 
 	while ( $sFile = readdir( $oCurrentFolder ) )
 	{
+		$is_dir = @is_dir( $sServerDir . $sFile );
 		if ( $sFile != '.' && $sFile != '..'
 			&& strpos( $sFile, '_DELETED_' ) === false
 			&& ( $in_group || ( !$in_group && strpos( $sFile, '_groupdocs' ) === false ) )
+			&& (!$in_shared_folder || ($in_shared_folder && (!$is_dir || ($is_dir && $sFile == $user_id))))
 			&& $sFile != '.thumbs'
 			&& $sFile != '.svn' )
 		{
-			if ( is_dir( $sServerDir . $sFile ) )
+			if ( $is_dir )
 				$aFolders[] = '<Folder name="' . ConvertToXmlAttribute( $sFile ) . '" />' ;
 			else
 			{

main/inc/lib/fckeditor/editor/plugins/ImageManager/Classes/ImageManager.php

@@ -115,6 +115,8 @@ class ImageManager
 			$group_directory = $group_directory[count($group_directory) - 1];
 		}
 
+		$user_id = api_get_user_id();
+
 		while (false !== ($entry = $d->read())) 
 		{
 			//If it is a directory, and it doesn't start with
@@ -133,6 +135,17 @@ class ImageManager
 					continue;
 				}
 
+				if (strpos($fullpath, '/shared_folder/') !== false)
+				{
+					if (!preg_match('/.*\/shared_folder\/$/', $fullpath))
+					{
+						if (strpos($fullpath, '/shared_folder/'.$user_id.'/') === false)
+						{
+							continue;
+						}
+					}
+				}
+
 				$dirs[$relative] = $fullpath;
 				$dirs = array_merge($dirs, $this->_dirs($fullpath, $relative));
 			}
@@ -169,6 +182,7 @@ class ImageManager
 		$d = @dir($fullpath);
 		
 		$in_group = api_is_in_group();
+		$user_id = api_get_user_id();
 
 		while (false !== ($entry = $d->read())) 
 		{
@@ -176,8 +190,24 @@ class ImageManager
 				&& !strpos($entry, '_DELETED_')
 				&& ($in_group || (!$in_group && strpos($entry, '_groupdocs') === false)))
 			{
-				if(is_dir($fullpath.$entry)
-					&& $this->isThumbDir($entry) == false)
+				$is_dir = is_dir($fullpath.$entry);
+
+				if ($is_dir)
+				{
+					$dir_entry = Files::fixPath($fullpath.$entry);
+					if (strpos($dir_entry, '/shared_folder/') !== false)
+					{
+						if (!preg_match('/.*\/shared_folder\/$/', $dir_entry))
+						{
+							if (strpos($dir_entry, '/shared_folder/'.$user_id.'/') === false)
+							{
+								continue;
+							}
+						}
+					}
+				}
+
+				if($is_dir && $this->isThumbDir($entry) == false)
 				{
 					$relative = Files::fixPath($path.$entry);
 					$full = Files::fixPath($fullpath.$entry);