diff --git a/main/document/document.php b/main/document/document.php
index a94e317d5e..e3835bad29 100755
--- a/main/document/document.php
+++ b/main/document/document.php
@@ -179,20 +179,25 @@ $is_certificate_mode = DocumentManager::is_certificate_mode($_GET['curdirpath'])
 //If no actions we proceed to show the document (Hack in order to use document.php?id=X)
 if (isset($document_id)) {
- $document_data = DocumentManager::get_document_data_by_id($document_id, api_get_course_id(), true);
-
+ $document_data = DocumentManager::get_document_data_by_id($document_id, api_get_course_id(), true);
 //If the document is not a folder we show the document
 if ($document_data) {
 $parent_id = $document_data['parent_id'];
- if (!empty($document_data['filetype']) && $document_data['filetype'] == 'file') {
- $visibility = DocumentManager::is_visible_by_id($document_id, $course_info, api_get_session_id(), api_get_user_id());
+ //$visibility = DocumentManager::is_visible_by_id($document_id, $course_info, api_get_session_id(), api_get_user_id());
+ $visibility = DocumentManager::check_visibility_tree($document_id, api_get_course_id(), api_get_session_id(), api_get_user_id());
+
+ if (!empty($document_data['filetype']) && $document_data['filetype'] == 'file') {
 if ($visibility && api_is_allowed_to_session_edit()) {
 $url = api_get_path(WEB_COURSE_PATH).$course_info['path'].'/document'.$document_data['path'].'?'.api_get_cidreq();
 header("Location: $url");
 }
 exit;
+ } else {
+ if (!$visibility) {
+ api_not_allowed();
+ }
 }
 $_GET['curdirpath'] = $document_data['path'];
 }
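Review bot: The new folder branch calls `api_not_allowed()` whenever `check_visibility_tree` returns false with no editor exemption, whereas the download.php and showinframes.php hunks in this same commit keep the `!api_is_allowed_to_edit() && !$is_visible` form; unless `is_visible_by_id` already returns true for editors (not visible here), a teacher opening an invisible folder by id is locked out of the very folder they would need to re-enable. I would align it: `if (!$visibility && !api_is_allowed_to_edit()) { api_not_allowed(); }`. The file branch still ends in a bare `exit;` when the document is not visible, which leaves a blank page where `api_not_allowed()` would explain the refusal. The commented-out `is_visible_by_id` line should be deleted rather than kept next to the live call.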
@@ -370,8 +375,13 @@ if ($is_certificate_mode) {
 }
 // Interbreadcrumb for the current directory root path
+
 if (empty($document_data['parents'])) {
- $interbreadcrumb[] = array('url' => '#', 'name' => $document_data['title']);
+ if (isset($_GET['createdir'])) {
+ $interbreadcrumb[] = array('url' => $document_data['document_url'], 'name' => $document_data['title']);
+ } else {
+ $interbreadcrumb[] = array('url' => '#', 'name' => $document_data['title']);
+ }
 } else {
 foreach($document_data['parents'] as $document_sub_data) {
 if (!isset($_GET['createdir']) && $document_sub_data['id'] == $document_data['id']) {
@@ -851,7 +861,7 @@ if (isset($_GET['curdirpath']) && $_GET['curdirpath'] == '/certificates' && isse
 }
 /* GET ALL DOCUMENT DATA FOR CURDIRPATH */
-if (isset($_GET['keyword']) && !empty($_GET['keyword'])) {
+if (isset($_GET['keyword']) && !empty($_GET['keyword'])) {
 $docs_and_folders = DocumentManager::get_all_document_data($_course, $curdirpath, $to_group_id, null, $is_allowed_to_edit || $group_member_with_upload_rights, true);
 } else {
 $docs_and_folders = DocumentManager::get_all_document_data($_course, $curdirpath, $to_group_id, null, $is_allowed_to_edit || $group_member_with_upload_rights, false);
@@ -863,7 +873,7 @@ if ($folders === false) {
 }
 echo '
';
-if ($is_allowed_to_edit || $group_member_with_upload_rights){
+//if ($is_allowed_to_edit || $group_member_with_upload_rights){
 /* BUILD SEARCH FORM */
 echo '';
 $form = new FormValidator('search_document', 'get', '', '', null, false);
@@ -873,7 +883,7 @@ if ($is_allowed_to_edit || $group_member_with_upload_rights){
 $form->addElement('style_submit_button', 'submit', get_lang('Search'), 'class="search"');
 $form->display();
 echo '';
-}
+//}
 /* GO TO PARENT DIRECTORY */
 if ($curdirpath!= '/' && $curdirpath != $group_properties['directory'] && !$is_certificate_mode) {
@@ -899,7 +909,7 @@ if (isset($docs_and_folders) && is_array($docs_and_folders)) {
 // Create a sortable table with our data
 $sortable_data = array();
- $count = 1;
+ $count = 1;
 foreach ($docs_and_folders as $key => $document_data) {
 $row = array();
 $row['id'] = $document_data['id'];
@@ -1199,5 +1209,6 @@ if (!empty($table_footer)) {
 Display::display_warning_message($table_footer);
 }
+
 // Footer
 Display::display_footer();
diff --git a/main/document/download.php b/main/document/download.php
index 242329f519..68734d7360 100755
--- a/main/document/download.php
+++ b/main/document/download.php
@@ -72,7 +72,9 @@ if (substr($refer_script, 0, 15) == '/fillsurvey.php') {
 if (Security::check_abs_path($sys_course_path.$doc_url, $sys_course_path.'/')) {
 $full_file_name = $sys_course_path.$doc_url;
 // Check visibility of document and paths
- if (!api_is_allowed_to_edit() && !DocumentManager::is_visible($doc_url, $_course, api_get_session_id())) {
+ $is_visible = DocumentManager::check_visibility_tree($document_id, api_get_course_id(), api_get_session_id(), api_get_user_id());
+ //$is_visible = DocumentManager::is_visible($doc_url, $_course, api_get_session_id());
+ if (!api_is_allowed_to_edit() && !$is_visible) {
 Display::display_error_message(get_lang('ProtectedDocument'));//api_not_allowed backbutton won't work.
 exit; // You shouldn't be here anyway.
 }
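Review bot: Commenting out the `$is_allowed_to_edit || $group_member_with_upload_rights` gate makes the search form, and with it the `$_GET['keyword']` branch into `get_all_document_data(..., true)`, reachable by every course member, so the keyword query (outside this diff) must escape the keyword and apply the same per-user visibility filtering as the non-search path, otherwise search becomes a way to enumerate hidden files by name. If opening search to all users is intended, replace the `//if (...) {` and `//}` with a comment that records the decision instead of dead braces, e.g. `// Search is available to every course member; results are filtered per user in get_all_document_data().`.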
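Review bot: The visibility check now keys on `$document_id` while the file actually served is `$sys_course_path.$doc_url`, and `$document_id` is not assigned anywhere in this hunk; if it comes from a request parameter that is independent of `$doc_url`, a non-editor can present the id of a visible document while requesting the path of a hidden one, and `check_abs_path` alone does not stop that. An empty id already fails closed, since `check_visibility_tree` returns false when no row is found, so the fix is to bind the id to the served path rather than trust the caller, e.g. `$document_id = DocumentManager::get_document_id($_course, $doc_url);` immediately before the check. Delete the commented-out `is_visible` call unless it is deliberately kept as a path-based fallback, in which case say so in a comment.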
diff --git a/main/document/showinframes.php b/main/document/showinframes.php
index dda5af5464..2c6c9c3fd5 100755
--- a/main/document/showinframes.php
+++ b/main/document/showinframes.php
@@ -83,7 +83,9 @@ if ($is_allowed_in_course == false) {
 }
 //Check user visibility
-$is_visible = DocumentManager::is_visible_by_id($document_id, $course_info, api_get_session_id(), api_get_user_id());
+//$is_visible = DocumentManager::is_visible_by_id($document_id, $course_info, api_get_session_id(), api_get_user_id());
+$is_visible = DocumentManager::check_visibility_tree($document_id, api_get_course_id(), api_get_session_id(), api_get_user_id());
+
 if (!api_is_allowed_to_edit() && !$is_visible) {
 api_not_allowed(true);
 }
diff --git a/main/document/showinframesmin.php b/main/document/showinframesmin.php
index d9374ebdf5..11f28dd495 100644
--- a/main/document/showinframesmin.php
+++ b/main/document/showinframesmin.php
@@ -69,7 +69,8 @@ if ($is_allowed_in_course == false) {
 }
 //Check user visibility
-$is_visible = DocumentManager::is_visible_by_id($document_id, $course_info, api_get_session_id(), api_get_user_id());
+//$is_visible = DocumentManager::is_visible_by_id($document_id, $course_info, api_get_session_id(), api_get_user_id());
+$is_visible = DocumentManager::check_visibility_tree($document_id, api_get_course_id(), api_get_session_id(), api_get_user_id());
 if (!api_is_allowed_to_edit() && !$is_visible) {
 api_not_allowed(true);
 }
diff --git a/main/inc/lib/document.lib.php b/main/inc/lib/document.lib.php
index b026505436..669ecb5602 100755
--- a/main/inc/lib/document.lib.php
+++ b/main/inc/lib/document.lib.php
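Review bot: Both hunks leave the replaced `is_visible_by_id` call in place as a commented-out line directly above the live `$is_visible = …` assignment, which is easy to misread as active and adds nothing the history does not already hold; delete it and put a why-comment there instead, e.g. `// A document is visible only if it and every parent folder up to the root are visible.`, which is what `check_visibility_tree` walks. Note also that showinframes.php gains a blank line after the assignment and showinframesmin.php does not; keep the two files identical here so future diffs stay clean.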
@@ -476,7 +476,7 @@ return 'application/octet-stream';
 * @param boolean $can_see_invisible
 * @return array with all document data
 */
- public static function get_all_document_data($_course, $path = '/', $to_group_id = 0, $to_user_id = NULL, $can_see_invisible = false, $search =false) {
+ public static function get_all_document_data($_course, $path = '/', $to_group_id = 0, $to_user_id = NULL, $can_see_invisible = false, $search = false) {
 $TABLE_ITEMPROPERTY = Database::get_course_table(TABLE_ITEM_PROPERTY, $_course['dbName']);
 $TABLE_DOCUMENT = Database::get_course_table(TABLE_DOCUMENT, $_course['dbName']);
 $TABLE_COURSE = Database::get_main_table(TABLE_MAIN_COURSE);
@@ -497,7 +497,7 @@ return 'application/octet-stream';
 $to_value = Database::escape_string($to_value);
 //if they can't see invisible files, they can only see files with visibility 1
- $visibility_bit = ' = 1';
+ //$visibility_bit = ' = 1';
 //if they can see invisible files, only deleted files (visibility 2) are filtered out
 //if ($can_see_invisible) {
 $visibility_bit = ' <> 2';
@@ -533,7 +533,7 @@ return 'application/octet-stream';
 AND ".$to_field." = ".$to_value."
 AND last.visibility".$visibility_bit.$condition_session;
 }
-
+
 $result = Database::query($sql);
 $doc_list = array();
@@ -587,7 +587,8 @@ return 'application/octet-stream';
 }
 $temp[$row['id']] = $row;
 }
-
+ //@todo use the DocumentManager::is_visible function
+ //Checking disponibility in a session
 foreach($my_repeat_ids as $id) {
 foreach($doc_list as $row ) {
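Review bot: In the `@@ -497` hunk, commenting out `$visibility_bit = ' = 1';` changes nothing, because the unconditional `$visibility_bit = ' <> 2';` two lines below (its `if ($can_see_invisible)` guard was already commented out) overwrote it anyway; the real issue is that `$can_see_invisible` no longer influences the SQL at all and every non-deleted document is fetched for every caller. If the intent is to rely on the per-row filtering this commit adds later in the method, say so here instead of stacking a second layer of commented-out code: `// Fetch everything not deleted (visibility <> 2); per-user visibility is applied to the result set below.`. If not, restore the conditional: `$visibility_bit = $can_see_invisible ? ' <> 2' : ' = 1';`. `get_all_document_data` continues well past the end of these hunks.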
@@ -623,8 +624,19 @@ return 'application/octet-stream';
 unset($document_data[$row['id']]);
 }
 }
+
+ //Checking parents visibility
+ $final_document_data = array();
+ foreach($document_data as $row) {
+ $is_visible = DocumentManager::check_visibility_tree($row['id'], $_course['code'], $current_session_id, api_get_user_id());
+ if ($is_visible) {
+ $final_document_data[$row['id']]=$row;
+ }
+ }
+ } else {
+ $final_document_data = $document_data;
 }
- return $document_data;
+ return $final_document_data;
 } else {
 //display_error("Error getting document info from database (".Database::error().")!");
 return false;
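Review bot: The new parent-visibility loop is inside a branch whose condition lies outside the hunk, and the new `else` returns `$document_data` unfiltered, so callers that take that branch still receive documents whose parent folder is hidden; if the branch is session-specific, as the preceding `//Checking disponibility in a session` comment suggests, non-session courses get no tree check at all. Move the loop below that `if/else` so both paths are filtered, and drop the `$final_document_data = $document_data;` fallback. The loop is also far more expensive than it needs to be: every row lives in the same `$path`, so the same ancestor chain is re-walked (one `get_document_data_by_id` plus one `is_visible_by_id` per level) for each row, where checking the directory's chain once and then only each row's own visibility would give the same answer. It uses `api_get_user_id()` rather than the method's `$to_user_id` and ignores `$can_see_invisible`, so whether editors still see hidden documents now depends entirely on `is_visible_by_id`, which is not in this diff. The enclosing method starts and ends outside the hunk.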
@@ -1014,29 +1026,51 @@ return 'application/octet-stream';
 $result = Database::query($sql);
 if ($result && Database::num_rows($result) == 1) {
 $row = Database::fetch_array($result,'ASSOC');
- //Public document URL
- $row['url'] = api_get_path(WEB_CODE_PATH).'document/showinframes.php?cidReq='.$course_code.'&id='.$id;
- $row['document_url'] = api_get_path(WEB_CODE_PATH).'document/document.php?cidReq='.$course_code.'&id='.$id;
+
+ //@todo need to clarify the name of the URLs not nice right now
 $url_path = urlencode($row['path']);
- $path = str_replace('%2F', '/',$url_path);
- $row['direct_url'] = $www.$path;
- $row['parent_id'] = self::get_document_id($course_info, dirname($row['path']));
+ $path = str_replace('%2F', '/',$url_path);
+
+ $row['url'] = api_get_path(WEB_CODE_PATH).'document/showinframes.php?cidReq='.$course_code.'&id='.$id;
+ $row['document_url'] = api_get_path(WEB_CODE_PATH).'document/document.php?cidReq='.$course_code.'&id='.$id;
+ $row['direct_url'] = $www.$path;
+
+ if (dirname($row['path']) == '.') {
+ $row['parent_id'] = '0';
+ } else {
+ $row['parent_id'] = self::get_document_id($course_info, dirname($row['path']));
+ }
 $parents = array();
- //Use to generate the breadcrumb
- if ($load_parents) {
+
+ //Use to generate parents (needed for the breadcrumb)
+ //@todo sorry but this for is here because there's not a parent_id in the document table so we parsed the path!!
+
+ $visibility = true;
+
+ if ($load_parents) {
 $dir_array = explode('/', $row['path']);
 $dir_array = array_filter($dir_array);
 $array_len = count($dir_array) +1 ;
- $real_dir = '';
+ $real_dir = '';
- for ($i = 1; $i < $array_len; $i++) {
+ for ($i = 1; $i < $array_len; $i++) {
+ $sub_visibility = true;
 $real_dir .= '/'.$dir_array[$i];
 $parent_id = self::get_document_id($course_info, $real_dir);
 if (!empty($parent_id)) {
- $parents[] = self::get_document_data_by_id($parent_id, $course_code, false);
+ $sub_document_data = self::get_document_data_by_id($parent_id, $course_code, false);
+ //@todo add visibility here
+
+ /*$sub_visibility = self::is_visible_by_id($parent_id, $course_info, api_get_session_id(), api_get_user_id());
+ if ($visibility && $sub_visibility == false) {
+ $visibility = false;
+ }
+ */
+ $parents[] = $sub_document_data;
 }
- }
- }
+ }
+ }
+ //$row['visibility_for_user'] = $visibility;
 $row['parents'] = $parents;
 return $row;
 }
@@ -2841,5 +2875,26 @@ return 'application/octet-stream';
 return $return;
 }
+ public function check_visibility_tree($doc_id, $course_code, $session_id, $user_id) {
+ $document_data = self::get_document_data_by_id($doc_id, $course_code);
+
+ if (!empty($document_data)) {
+ if ($document_data['parent_id'] == false) {
+ $visible = self::is_visible_by_id($doc_id, $course_info, $session_id, $user_id);
+ return $visible;
+ } else {
+ $course_info = api_get_course_info($course_code);
+ $visible = self::is_visible_by_id($doc_id, $course_info, $session_id, $user_id);
+
+ if (!$visible) {
+ return false;
+ } else {
+ return self::check_visibility_tree($document_data['parent_id'], $course_code, $session_id, $user_id);
+ }
+ }
+ } else {
+ return false;
+ }
+ }
 } //end class DocumentManager
\ No newline at end of file
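Review bot: The new root guard `dirname($row['path']) == '.'` never fires for the slash-prefixed paths this method expects (the parent walk below starts at `$i = 1` after `array_filter` and rebuilds them as `'/'.$dir_array[$i]`), because `dirname('/foo')` is `'/'`, not `'.'`; for a top-level document `parent_id` therefore becomes whatever `get_document_id($course_info, '/')` returns, and if that resolves to a real row then `check_visibility_tree` recurses into it, where `dirname('/')` is again `'/'` and the `parent_id == false` stop is never reached. Cover both spellings of the root: `$parent_dir = dirname($row['path']);` / `if ($parent_dir == '.' || $parent_dir == '/' || $parent_dir == '') {`. The `$sub_visibility = true;` local and the block-commented `is_visible_by_id` loop are dead code now that visibility is computed by `check_visibility_tree`; delete them rather than ship them under a `@todo`. `get_document_data_by_id` begins before this hunk.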
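Review bot: In `check_visibility_tree`, the `parent_id == false` branch passes `$course_info` to `is_visible_by_id` before it is assigned (it is only set in the `else` branch), so the root-level check runs with an undefined course and, depending on how `is_visible_by_id` treats that, either denies every top-level document or, worse, grants it. The method is also declared as an instance method (`public function`) but is called statically from every call site in this commit, which is a strict-standards notice on PHP 5 and an Error on PHP 8, and the recursion has no guard should `parent_id` ever lead back to an id already visited (the root handling in `get_document_data_by_id` makes that possible). Hoist the course lookup, make the method `static`, and iterate with a visited set so a cycle or a missing row fails closed; documentation of the contract belongs on the method, not in a `@todo`.

```php
public static function check_visibility_tree($doc_id, $course_code, $session_id, $user_id) {
    // A document is visible only if it and every parent folder up to the root are visible
    // (per is_visible_by_id). Returns false for an unknown id or a cycle in the parent chain.
    $course_info = api_get_course_info($course_code);
    $visited = array();
    while (!empty($doc_id) && !isset($visited[$doc_id])) {
        $visited[$doc_id] = true;
        $document_data = self::get_document_data_by_id($doc_id, $course_code);
        if (empty($document_data)) {
            return false; // unknown id: fail closed
        }
        if (!self::is_visible_by_id($doc_id, $course_info, $session_id, $user_id)) {
            return false;
        }
        if ($document_data['parent_id'] == false) {
            return true; // reached the root with every level visible
        }
        $doc_id = $document_data['parent_id'];
    }
    return false; // empty id or cycle: fail closed
}
```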