
PHP Cross Reference of Moodle 1.9.3 [Build 15-Oct-2008]


/question/ -> file.php (source)

   1  <?php
   2        // This script fetches files from the dataroot/questionattempt directory
   3        // It is based on the top-level file.php
   4        //
   5        // On a module-by-module basis (currently only implemented for quiz), it checks
   6        // whether the user has permission to view the file.
   7        //
   8        // Syntax:      question/file.php/attemptid/questionid/filename.ext
   9        // Workaround:  question/file.php?file=/attemptid/questionid/filename.ext
  10  
  11      require_once ('../config.php');
  12      require_once ('../lib/filelib.php');
  13  
  14      // disable moodle specific debug messages
  15      disable_debugging();
  16  
  17      $relativepath = get_file_argument('file.php');
  18      // force download for any student-submitted files to prevent XSS attacks.
  19      $forcedownload = 1;
  20  
  21      // relative path must start with '/', because of backup/restore!!!
  22      if (!$relativepath) {
  23          error('No valid arguments supplied or incorrect server configuration');
  24      } else if ($relativepath{0} != '/') {
  25          error('No valid arguments supplied, path does not start with slash!');
  26      }
  27  
  28      $pathname = $CFG->dataroot.'/questionattempt'.$relativepath;
  29  
  30      // extract relative path components
  31      $args = explode('/', trim($relativepath, '/'));
  32  
  33      // check for the right number of directories in the path
  34      if (count($args) != 3) {
  35          error('Invalid arguments supplied');
  36      }
  37  
  38      // security: require login
  39      require_login();
  40  
  41      // security: do not return directory node!
  42      if (is_dir($pathname)) {
  43          question_attempt_not_found();
  44      }
  45  
  46      $lifetime = 0;  // do not cache because students may reupload files
  47  
  48      // security: check that the user has permission to access this file
  49      $haspermission = false;
  50      if ($attempt = get_record("question_attempts", "id", $args[0])) {
  51          $modfile = $CFG->dirroot .'/mod/'. $attempt->modulename .'/lib.php';
  52          $modcheckfileaccess = $attempt->modulename .'_check_file_access';
  53          if (file_exists($modfile)) {
  54              @require_once($modfile);
  55              if (function_exists($modcheckfileaccess)) {
  56                  $haspermission = $modcheckfileaccess($args[0], $args[1]);
  57              }
  58          }
  59      } else if ($args[0][0] == 0) {
  60          global $USER;
  61          $list = explode('_', $args[0]);
  62          if ($list[1] == $USER->id) {
  63              $haspermission = true;
  64          }
  65      }
  66  
  67      if ($haspermission) {
  68          // check that file exists
  69          if (!file_exists($pathname)) {
  70              question_attempt_not_found();
  71          }
  72  
  73          // send the file
  74          session_write_close(); // unlock session during fileserving
  75          $filename = $args[count($args)-1];
  76          send_file($pathname, $filename, $lifetime, $CFG->filteruploadedfiles, false, $forcedownload);
  77      } else {
  78          question_attempt_not_found();
  79      }
  80  
  81      function question_attempt_not_found() {
  82          global $CFG;
  83          header('HTTP/1.0 404 not found');
  84          print_error('filenotfound', 'error', $CFG->wwwroot); //this is not displayed on IIS??
  85      }
  86  ?>

