MDL-10689:
[moodle-linuxchix.git] / question / file.php
blob841a317bf5c55a9e8446580314bc07c1b5d70cba
1 <?php
2 // This script fetches files from the dataroot/questionattempt directory
3 // It is based on the top-level file.php
4 //
5 // On a module-by-module basis (currently only implemented for quiz), it checks
6 // whether the user has permission to view the file.
7 //
8 // Syntax: question/file.php/attemptid/questionid/filename.ext
9 // Workaround: question/file.php?file=/attemptid/questionid/filename.ext
11 require_once('../config.php');
12 require_once('../lib/filelib.php');
14 // disable moodle specific debug messages
15 disable_debugging();
17 $relativepath = get_file_argument('file.php');
18 // force download for any student-submitted files to prevent XSS attacks.
19 $forcedownload = 1;
21 // relative path must start with '/', because of backup/restore!!!
22 if (!$relativepath) {
23 error('No valid arguments supplied or incorrect server configuration');
24 } else if ($relativepath{0} != '/') {
25 error('No valid arguments supplied, path does not start with slash!');
28 $pathname = $CFG->dataroot.'/questionattempt'.$relativepath;
30 // extract relative path components
31 $args = explode('/', trim($relativepath, '/'));
33 // check for the right number of directories in the path
34 if (count($args) != 3) {
35 error('Invalid arguments supplied');
38 // security: require login
39 require_login();
41 // security: do not return directory node!
42 if (is_dir($pathname)) {
43 question_attempt_not_found();
46 $lifetime = 0; // do not cache because students may reupload files
48 // security: check that the user has permission to access this file
49 $haspermission = false;
50 if ($attempt = get_record("question_attempts", "id", $args[0])) {
51 $modfile = $CFG->dirroot .'/mod/'. $attempt->modulename .'/lib.php';
52 $modcheckfileaccess = $attempt->modulename .'_check_file_access';
53 if (file_exists($modfile)) {
54 @require_once($modfile);
55 if (function_exists($modcheckfileaccess)) {
56 $haspermission = $modcheckfileaccess($args[0], $args[1]);
59 } else if ($args[0][0] == 0) {
60 global $USER;
61 $list = explode('_', $args[0]);
62 if ($list[1] == $USER->id) {
63 $haspermission = true;
67 if ($haspermission) {
68 // check that file exists
69 if (!file_exists($pathname)) {
70 question_attempt_not_found();
73 // send the file
74 session_write_close(); // unlock session during fileserving
75 $filename = $args[count($args)-1];
76 send_file($pathname, $filename, $lifetime, $CFG->filteruploadedfiles, false, $forcedownload);
77 } else {
78 question_attempt_not_found();
81 function question_attempt_not_found() {
82 global $CFG;
83 header('HTTP/1.0 404 not found');
84 error(get_string('filenotfound', 'error'), $CFG->wwwroot); //this is not displayed on IIS??