From d820ddf499bc4264a5a5ce5b7911935ca5fe46c5 Mon Sep 17 00:00:00 2001 From: Jan Derriks Date: Tue, 23 Dec 2008 11:56:06 +0100 Subject: [PATCH] [svn r17433] FS#2835 - Access to a hidden (visibility=0 somewhere in the path) document should be impossible. --- main/document/document.php | 30 +++++++++++++++--- main/document/download.php | 12 ++++++-- main/inc/lib/document.lib.php | 58 +++++++++++++++++++++-------------- main/inc/lib/main_api.lib.php | 20 ++++++------ 4 files changed, 81 insertions(+), 39 deletions(-) diff --git a/main/document/document.php b/main/document/document.php index 0cd55ffd55..6f9835f816 100644 --- a/main/document/document.php +++ b/main/document/document.php @@ -1,5 +1,4 @@ - function confirmation (name) @@ -207,6 +218,10 @@ if($to_group_id!=0 && $curdirpath=='/') } //----------------------------------------------------------- +// check visibility of the current dir path. Don't show anything if not allowed +if (!(DocumentManager::is_visible($curdirpath, $_course)||$is_allowed_to_edit)){ + api_not_allowed(); +} /* ----------------------------------------------------------- Constants and variables @@ -239,10 +254,17 @@ if (isset($_GET['action']) && $_GET['action']=="download") $error404 .= ''; echo($error404); exit; - } + } // launch event event_download($_GET['id']); - $doc_url=$_GET['id']; + + // check visibility of document and paths + if (!($is_allowed_to_edit || $group_member_with_upload_rights) && + !DocumentManager::is_visible($_GET['id'], $_course)){ + api_not_allowed(); + } + + $doc_url=$_GET['id']; $full_file_name = $base_work_dir.$doc_url; DocumentManager::file_send_for_download($full_file_name,true); exit; diff --git a/main/document/download.php b/main/document/download.php index be28d54700..762aad4bb6 100644 --- a/main/document/download.php +++ b/main/document/download.php @@ -1,4 +1,4 @@ - \ No newline at end of file diff --git a/main/inc/lib/document.lib.php b/main/inc/lib/document.lib.php index 74fa513364..eef31fa57e 100644 
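Review bot: In the `@@ -239,10 +254,17 @@` hunk of document.php the new visibility check is placed after `event_download($_GET['id']);`, so a request that is then refused by `api_not_allowed()` has already been recorded as a completed download. Move the event call below the new `if` block so that only downloads actually handed to `file_send_for_download` are logged; the audit trail otherwise overstates what was served. The bypass conditions also differ between the two new checks: the directory check at line 218 exempts only `$is_allowed_to_edit`, while the download check additionally exempts `$group_member_with_upload_rights`; if that asymmetry is intended, a one-line comment such as `// uploaders may fetch their group's hidden files` would stop a later reader from "fixing" it.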
--- a/main/inc/lib/document.lib.php +++ b/main/inc/lib/document.lib.php @@ -81,7 +81,7 @@ class DocumentManager { global $_course, $maxFilledSpace; $course_code = $_course['sysCode']; - $course_table = Database :: get_main_table(TABLE_MAIN_COURSE); + $course_table = Database::get_main_table(TABLE_MAIN_COURSE); $sql_query = "SELECT `".DISK_QUOTA_FIELD."` FROM $course_table WHERE `code` = '$course_code'"; $sql_result = api_sql_query($sql_query, __FILE__, __LINE__); @@ -374,7 +374,7 @@ class DocumentManager { //no forced download, just let the browser decide what to do according to the mimetype - $content_type = DocumentManager :: file_get_mime_type($filename); + $content_type = DocumentManager::file_get_mime_type($filename); header('Expires: Wed, 01 Jan 1990 00:00:00 GMT'); header('Last-Modified: '.gmdate('D, d M Y H:i:s').' GMT'); // Commented to avoid double caching declaration when playing with IE and HTTPS @@ -448,7 +448,7 @@ class DocumentManager { //no forced download, just let the browser decide what to do according to the mimetype - $content_type = DocumentManager :: file_get_mime_type($filename); + $content_type = DocumentManager::file_get_mime_type($filename); header('Expires: Wed, 01 Jan 1990 00:00:00 GMT'); header('Last-Modified: '.gmdate('D, d M Y H:i:s').' GMT'); header('Cache-Control: no-cache, must-revalidate'); @@ -484,8 +484,8 @@ class DocumentManager */ function get_all_document_data($_course, $path = '/', $to_group_id = 0, $to_user_id = NULL, $can_see_invisible = false) { - $TABLE_ITEMPROPERTY = Database :: get_course_table(TABLE_ITEM_PROPERTY, $_course['dbName']); - $TABLE_DOCUMENT = Database :: get_course_table(TABLE_DOCUMENT, $_course['dbName']); + $TABLE_ITEMPROPERTY = Database::get_course_table(TABLE_ITEM_PROPERTY, $_course['dbName']); + $TABLE_DOCUMENT = Database::get_course_table(TABLE_DOCUMENT, $_course['dbName']); //if to_user_id = NULL -> change query (IS NULL) //$to_user_id = (is_null($to_user_id))?'IS NULL':'= '.$to_user_id; 
@@ -575,8 +575,8 @@ class DocumentManager */ function get_all_document_folders($_course, $to_group_id = '0', $can_see_invisible = false) { - $TABLE_ITEMPROPERTY = Database :: get_course_table(TABLE_ITEM_PROPERTY, $_course['dbName']); - $TABLE_DOCUMENT = Database :: get_course_table(TABLE_DOCUMENT, $_course['dbName']); + $TABLE_ITEMPROPERTY = Database::get_course_table(TABLE_ITEM_PROPERTY, $_course['dbName']); + $TABLE_DOCUMENT = Database::get_course_table(TABLE_DOCUMENT, $_course['dbName']); if(empty($to_group_id)){$to_group_id = '0';} //avoid empty strings in $to_group_id if ($can_see_invisible) { @@ -687,8 +687,8 @@ class DocumentManager $document_id = DocumentManager::get_document_id($_course, $file); } - $TABLE_PROPERTY = Database :: get_course_table(TABLE_ITEM_PROPERTY, $_course['dbName']); - $TABLE_DOCUMENT = Database :: get_course_table(TABLE_DOCUMENT, $_course['dbName']); + $TABLE_PROPERTY = Database::get_course_table(TABLE_ITEM_PROPERTY, $_course['dbName']); + $TABLE_DOCUMENT = Database::get_course_table(TABLE_DOCUMENT, $_course['dbName']); if ($to_delete) { @@ -748,14 +748,7 @@ class DocumentManager { return true; } - } - - - - - - - + } } return false; } @@ -768,11 +761,11 @@ class DocumentManager **/ function is_folder($_course, $document_id) { - $TABLE_DOCUMENT = Database :: get_course_table(TABLE_DOCUMENT, $_course['dbName']); + $TABLE_DOCUMENT = Database::get_course_table(TABLE_DOCUMENT, $_course['dbName']); //if (!empty($document_id)) $resultans = api_sql_query('SELECT filetype FROM '.$TABLE_DOCUMENT.' WHERE id='.$document_id.'', __FILE__, __LINE__); - $result= Database ::fetch_array($resultans,'ASSOC'); + $result= Database::fetch_array($resultans,'ASSOC'); if ($result['filetype']=='folder') { return true; @@ -780,9 +773,7 @@ class DocumentManager else { return false; - } - - + } } /** 
@@ -996,7 +987,28 @@ class DocumentManager api_sql_query($sql); } - + /** + * return true if the documentpath and all parent folders have visibility=1 as item_property + * + * @param string $document_path the relative complete path of the document + * @param array $course the _course array info of the document's course + */ + function is_visible($doc_path, $course){ + $docTable = Database::get_course_table(TABLE_DOCUMENT, $course['dbName']); + $propTable = Database::get_course_table(TABLE_ITEM_PROPERTY, $course['dbName']); + //note the extra / at the end of doc_path to match every path in the + // document table that is part of the document path + $sql = "SELECT path FROM $docTable d, $propTable ip " . + "where d.id=ip.ref AND ip.tool='".TOOL_DOCUMENT."' AND visibility=0 AND ". + "locate(concat(path,'/'),'".$doc_path."/')=1"; + $result = api_sql_query($sql,__FILE__,__LINE__); + if (Database::num_rows($result) > 0){ + $row = Database::fetch_array($result); + //echo "$row[0] not visible"; + return false; + } + return true; // ok, document is visible + } } //end class DocumentManager diff --git a/main/inc/lib/main_api.lib.php b/main/inc/lib/main_api.lib.php index 7d82994611..b1366401ac 100644 --- a/main/inc/lib/main_api.lib.php +++ b/main/inc/lib/main_api.lib.php @@ -1534,7 +1534,7 @@ function api_not_allowed($print_headers = false) { // to the user_portal if (!headers_sent() or $print_headers){Display::display_header('');} echo '
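Review bot: `is_visible` splices `$doc_path` into the `locate(...)` clause of `$sql` unescaped, and the callers added in document.php pass `$curdirpath` and `$_GET['id']`, so a quote character in the request path alters the query instead of being compared as data; run it through `Database::escape_string` before building `$sql`, as the `api_get_item_visibility` hunk of main_api.lib.php in this same patch does for `$tool` and `$id`: `$doc_path = Database::escape_string($doc_path);`. The comparison is also purely textual, whereas `$base_work_dir.$doc_url` in document.php is resolved by the filesystem, so a path that is not in canonical form may be judged against a different string than the one that is opened; whether the existence check earlier in document.php already normalises the path is not visible here. The docblock documents a parameter named `$document_path` while the signature declares `$doc_path`, and `$row` is assigned only for a commented-out echo, so both the docblock name and that assignment should be cleaned up. `visibility=0` is unqualified in a two-table join; writing it as `ip.visibility=0` makes the intent explicit and avoids an ambiguity error if the document table ever gains a column of that name.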
'; - Display :: display_error_message(get_lang('NotAllowedClickBack').'

'.get_lang('BackToPreviousPage').'
',false); + Display::display_error_message(get_lang('NotAllowedClickBack').'

'.get_lang('BackToPreviousPage').'
',false); echo '
'; if ($print_headers){Display::display_footer();} die(); @@ -1543,7 +1543,7 @@ function api_not_allowed($print_headers = false) { if (!empty($user) && !api_is_anonymous()) { if (!headers_sent() or $print_headers) { Display::display_header('');} echo '
'; - Display :: display_error_message(get_lang('NotAllowedClickBack').'

'.get_lang('BackToPreviousPage').'
',false); + Display::display_error_message(get_lang('NotAllowedClickBack').'

'.get_lang('BackToPreviousPage').'
',false); echo '
'; if ($print_headers) {Display::display_footer();} die(); @@ -1557,7 +1557,7 @@ function api_not_allowed($print_headers = false) { $test = $form->return_form(); if(!headers_sent() or $print_headers){Display::display_header('');} echo '
'; - Display :: display_error_message(get_lang('NotAllowed').'

'.get_lang('PleaseLoginAgainFromFormBelow').'
'.$test,false); + Display::display_error_message(get_lang('NotAllowed').'

'.get_lang('PleaseLoginAgainFromFormBelow').'
'.$test,false); echo '
'; $_SESSION['request_uri'] = $_SERVER['REQUEST_URI']; if ($print_headers) {Display::display_footer();} @@ -1567,7 +1567,7 @@ function api_not_allowed($print_headers = false) { if (!empty($user) && !api_is_anonymous()) { if (!headers_sent() or $print_headers) {Display::display_header('');} echo '
'; - Display :: display_error_message(get_lang('NotAllowedClickBack').'

'.get_lang('BackToPreviousPage').'
',false); + Display::display_error_message(get_lang('NotAllowedClickBack').'

'.get_lang('BackToPreviousPage').'
',false); echo '
'; if ($print_headers) {Display::display_footer();} die(); @@ -1575,7 +1575,7 @@ function api_not_allowed($print_headers = false) { //if no course ID was included in the requested URL, redirect to homepage if ($print_headers) {Display::display_header('');} echo '
'; - Display :: display_error_message(get_lang('NotAllowed').'

'.get_lang('PleaseLoginAgainFromHomepage').'
',false); + Display::display_error_message(get_lang('NotAllowed').'

'.get_lang('PleaseLoginAgainFromHomepage').'
',false); echo '
'; if ($print_headers) {Display::display_footer();} die(); @@ -1616,7 +1616,7 @@ function api_get_item_visibility($_course,$tool,$id) { if (!is_array($_course) or count($_course)==0 or empty($tool) or empty($id)) return -1; $tool = Database::escape_string($tool); $id = Database::escape_string($id); - $TABLE_ITEMPROPERTY = Database :: get_course_table(TABLE_ITEM_PROPERTY,$_course['dbName']); + $TABLE_ITEMPROPERTY = Database::get_course_table(TABLE_ITEM_PROPERTY,$_course['dbName']); $sql = "SELECT * FROM $TABLE_ITEMPROPERTY WHERE tool = '$tool' AND ref = $id"; $res = api_sql_query($sql); if($res === false or Database::num_rows($res)==0) return -1; @@ -1655,7 +1655,7 @@ function api_item_property_update($_course, $tool, $item_id, $lastedit_type, $us $time = time(); $time = date("Y-m-d H:i:s", $time); - $TABLE_ITEMPROPERTY = Database :: get_course_table(TABLE_ITEM_PROPERTY,$_course['dbName']); + $TABLE_ITEMPROPERTY = Database::get_course_table(TABLE_ITEM_PROPERTY,$_course['dbName']); if ($to_user_id <= 0) $to_user_id = NULL; //no to_user_id set $start_visible = ($start_visible == 0) ? "0000-00-00 00:00:00" : $start_visible; @@ -1831,7 +1831,7 @@ function api_display_language_form($hide_if_no_choice=false) { * array['folder'] = An array with the corresponding dokeos-folder */ function api_get_languages() { - $tbl_language = Database :: get_main_table(TABLE_MAIN_LANGUAGE); + $tbl_language = Database::get_main_table(TABLE_MAIN_LANGUAGE); $sql = "SELECT * FROM $tbl_language WHERE available='1' ORDER BY original_name ASC"; $result = api_sql_query($sql, __FILE__, __LINE__); while ($row = mysql_fetch_array($result)) { 
@@ -1959,7 +1959,7 @@ function api_send_mail($to, $subject, $message, $additional_headers = null, $add */ function api_max_sort_value($user_course_category, $user_id) { - $tbl_course_user = Database :: get_main_table(TABLE_MAIN_COURSE_USER); + $tbl_course_user = Database::get_main_table(TABLE_MAIN_COURSE_USER); $sql_max = "SELECT max(sort) as max_sort FROM $tbl_course_user WHERE user_id='".$user_id."' AND user_course_cat='".$user_course_category."'"; $result_max = mysql_query($sql_max) or die(mysql_error()); @@ -2053,7 +2053,7 @@ function api_time_to_hms($seconds) { //if seconds = -1, it means we have wrong datas in the db if($seconds==-1) { - return get_lang('Unknown').Display :: return_icon('info2.gif',get_lang('WrongDatasForTimeSpentOnThePlatform')); + return get_lang('Unknown').Display::return_icon('info2.gif',get_lang('WrongDatasForTimeSpentOnThePlatform')); } //How many hours ?