diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/admin/class_list.php dokeosmod/main/admin/class_list.php
--- dokeosorig/main/admin/class_list.php	2007-09-26 20:59:07.000000000 -0500
+++ dokeosmod/main/admin/class_list.php	2008-02-05 01:09:59.000000000 -0500
@@ -59,6 +59,10 @@
 {
 	$tbl_class_user = Database :: get_main_table(TABLE_MAIN_CLASS_USER);
 	$tbl_class = Database :: get_main_table(TABLE_MAIN_CLASS);
+	$from			= Database::escape_string($from);
+	$number_of_items        = Database::escape_string($number_of_items);
+	$column                 = Database::escape_string($column);
+	$direction              = Database::escape_string($direction);
 	$sql = "SELECT 	id AS col0,
 							name AS col1,
 							COUNT(user_id) AS col2,
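Review bot: `Database::escape_string()` on `$from`, `$number_of_items`, `$column` and `$direction` does not protect the positions these values are most likely used in — `ORDER BY` and `LIMIT` clauses are not quoted, so escaping quote characters changes nothing there; the statement continues past the hunk, so the exact usage is inferred. Cast the two numeric values, `$from = intval($from); $number_of_items = intval($number_of_items);`, and restrict `$direction` to `ASC`/`DESC` and `$column` to the known aliases (`col0`, `col1`, `col2`) with an `in_array(..., true)` check. The enclosing function starts before the hunk.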
@@ -84,6 +88,7 @@
 function modify_filter($class_id)
 {
 	global $charset;
+	$class_id = Security::remove_XSS($class_id);
 	$result = '<a href="class_information.php?id='.$class_id.'"><img src="../img/synthese_view.gif" border="0" title="'.get_lang('Info').'" alt="'.get_lang('Info').'"/></a>';
 	$result .= '<a href="class_edit.php?idclass='.$class_id.'"><img src="../img/edit.gif" border="0" title="'.get_lang('Edit').'" alt="'.get_lang('Edit').'"/></a>';
 	$result .= '<a href="class_list.php?action=delete_class&amp;class_id='.$class_id.'" onclick="javascript:if(!confirm('."'".addslashes(htmlentities(get_lang("ConfirmYourChoice"),ENT_QUOTES,$charset))."'".')) return false;"><img src="../img/delete.gif" border="0" title="'.get_lang('Delete').'" alt="'.get_lang('Delete').'"/></a>';
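Review bot: `Security::remove_XSS()` is a content filter, not an encoder, and `$class_id` is an identifier spliced into three `href` values, so the tighter fix is a cast, `$class_id = intval($class_id);`, which leaves nothing for a filter to miss. If class ids can be non-numeric (not visible here), the alternative is `urlencode()` per URL position rather than a single filter pass.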
@@ -150,4 +155,4 @@
 ==============================================================================
 */
 Display :: display_footer();
-?>
\ Pas de fin de ligne Ã  la fin du fichier.
+?>
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/admin/course_category.php dokeosmod/main/admin/course_category.php
--- dokeosorig/main/admin/course_category.php	2007-09-26 21:16:44.000000000 -0500
+++ dokeosmod/main/admin/course_category.php	2008-02-05 01:10:16.000000000 -0500
@@ -50,7 +50,7 @@
 	{
 		deleteNode($_GET['id']);
 
-		header('Location: '.api_get_self().'?category='.$category);
+		header('Location: '.api_get_self().'?category='.Security::remove_XSS($category));
 		exit();
 	}
 	elseif(($action == 'add' || $action == 'edit') && $_POST['formSent'])
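Review bot: `Security::remove_XSS($category)` on the `Location:` header does not URL-encode the value; a category code containing `&`, `#`, `+` or a space still corrupts the query string, and a markup filter is the wrong tool for a URL context. Use `urlencode($category)` here and in the identical redirect at @@ -97,7 +97,7 @@; the value is not rendered as HTML at this point, so no HTML escaping is involved. The enclosing `if`/`elseif` chain starts before the hunk.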
@@ -85,7 +85,7 @@
 	}
 	elseif($action == 'edit')
 	{
-		$categoryCode=$_GET['id'];
+		$categoryCode=Database::escape_string($_GET['id']);
 
 		$result=api_sql_query("SELECT name,auth_course_child FROM $tbl_category WHERE code='$categoryCode'",__FILE__,__LINE__);
 
@@ -97,7 +97,7 @@
 	{
 		moveNodeUp($_GET['id'],$_GET['tree_pos'],$category);
 
-		header('Location: '.api_get_self().'?category='.$category);
+		header('Location: '.api_get_self().'?category='.Security::remove_XSS($category));
 		exit();
 	}
 }
@@ -125,7 +125,7 @@
 	list($parent_id)=mysql_fetch_row($result);
 ?>
 
-<a href="<?php echo api_get_self(); ?>?category=<?php echo urlencode($parent_id); ?>">&lt;&lt; <?php echo get_lang("Back"); if(!empty($parent_id)) echo ' ('.$parent_id.')'; ?></a>
+<a href="<?php echo api_get_self(); ?>?category=<?php echo Security::remove_XSS(($parent_id)); ?>">&lt;&lt; <?php echo get_lang("Back"); if(!empty($parent_id)) echo ' ('.$parent_id.')'; ?></a>
 
 <?php
 }
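Review bot: The `urlencode()` that correctly encoded `$parent_id` for the query string is replaced with `Security::remove_XSS(($parent_id))` (note the doubled parentheses), which neither URL-encodes nor HTML-encodes the value; the same substitution is made for `$category`, `$action` and `$_GET['id']` in the hunks at @@ -134,11 +134,11 @@, @@ -199,10 +199,10 @@ and @@ -220,7 +220,7 @@. Keep `urlencode()` in every `?category=`/`&amp;id=` position — its output is safe inside an attribute — and encode the values echoed as visible text, e.g. `echo ' ('.htmlspecialchars($parent_id, ENT_QUOTES, $charset).')';`, since `$parent_id` still goes out raw at the end of the line. `$charset` is used elsewhere in this file; confirm it is in scope inside this function.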
@@ -134,11 +134,11 @@
 {
 ?>
 
-<a href="<?php echo api_get_self(); ?>?category=<?php echo urlencode($category); ?>">&lt;&lt; <?php echo get_lang("Back"); if(!empty($category)) echo ' ('.$category.')'; ?></a>
+<a href="<?php echo api_get_self(); ?>?category=<?php echo Security::remove_XSS($category); ?>">&lt;&lt; <?php echo get_lang("Back"); if(!empty($category)) echo ' ('.Security::remove_XSS($category).')'; ?></a>
 
-<h3><?php echo ($action == 'add')?get_lang('AddACategory'):get_lang('EditNode'); if(!empty($category)) echo ' '.get_lang('Into').' '.$category; ?></h3>
+<h3><?php echo ($action == 'add')?get_lang('AddACategory'):get_lang('EditNode'); if(!empty($category)) echo ' '.get_lang('Into').' '.Security::remove_XSS($category); ?></h3>
 
-<form method="post" action="<?php echo api_get_self(); ?>?action=<?php echo $action; ?>&category=<?php echo urlencode($category); ?>&amp;id=<?php echo urlencode(stripslashes($_GET['id'])); ?>">
+<form method="post" action="<?php echo api_get_self(); ?>?action=<?php echo Security::remove_XSS($action); ?>&category=<?php echo Security::remove_XSS($category); ?>&amp;id=<?php echo Security::remove_XSS($_GET['id']); ?>">
 <input type="hidden" name="formSent" value="1" />
 <table border="0" cellpadding="5" cellspacing="0">
 
@@ -199,10 +199,10 @@
 ?>
 
   <li>
-	<a href="<?php echo api_get_self(); ?>?category=<?php echo urlencode($enreg['code']); ?>"><img src="../img/folder_document.gif" border="0" title="<?php echo get_lang("OpenNode"); ?>" alt="" align="absbottom" /></a>
-	<a href="<?php echo api_get_self(); ?>?category=<?php echo urlencode($category); ?>&amp;action=edit&amp;id=<?php echo urlencode($enreg['code']); ?>"><img src="../img/edit.gif" border="0" title="<?php echo get_lang("EditNode"); ?>" alt ="" /></a>
-	<a href="<?php echo api_get_self(); ?>?category=<?php echo urlencode($category); ?>&amp;action=delete&amp;id=<?php echo urlencode($enreg['code']); ?>" onclick="javascript:if(!confirm('<?php echo addslashes(htmlentities(get_lang('ConfirmYourChoice'),ENT_QUOTES,$charset)); ?>')) return false;"><img src="../img/delete.gif" border="0" title="<?php echo get_lang("DeleteNode"); ?>" alt="" /></a>
-	<a href="<?php echo api_get_self(); ?>?category=<?php echo urlencode($category); ?>&amp;action=moveUp&amp;id=<?php echo urlencode($enreg['code']); ?>&amp;tree_pos=<?php echo $enreg['tree_pos']; ?>"><img src="../img/up.gif" border="0" title="<?php echo get_lang("UpInSameLevel"); ?>" alt="" /></a>
+	<a href="<?php echo api_get_self(); ?>?category=<?php echo Security::remove_XSS($enreg['code']); ?>"><img src="../img/folder_document.gif" border="0" title="<?php echo get_lang("OpenNode"); ?>" alt="" align="absbottom" /></a>
+	<a href="<?php echo api_get_self(); ?>?category=<?php echo Security::remove_XSS($category); ?>&amp;action=edit&amp;id=<?php echo Security::remove_XSS($enreg['code']); ?>"><img src="../img/edit.gif" border="0" title="<?php echo get_lang("EditNode"); ?>" alt ="" /></a>
+	<a href="<?php echo api_get_self(); ?>?category=<?php echo Security::remove_XSS($category); ?>&amp;action=delete&amp;id=<?php echo Security::remove_XSS($enreg['code']); ?>" onclick="javascript:if(!confirm('<?php echo Security::remove_XSS(get_lang('ConfirmYourChoice'),ENT_QUOTES,$charset); ?>')) return false;"><img src="../img/delete.gif" border="0" title="<?php echo get_lang("DeleteNode"); ?>" alt="" /></a>
+	<a href="<?php echo api_get_self(); ?>?category=<?php echo Security::remove_XSS($category); ?>&amp;action=moveUp&amp;id=<?php echo Security::remove_XSS($enreg['code']); ?>&amp;tree_pos=<?php echo $enreg['tree_pos']; ?>"><img src="../img/up.gif" border="0" title="<?php echo get_lang("UpInSameLevel"); ?>" alt="" /></a>
 	<?php echo $enreg['name']; ?>
 	(<?php echo $enreg['children_count']; ?> <?php echo get_lang("Categories"); ?> - <?php echo $enreg['nbr_courses']; ?> <?php echo get_lang("Courses"); ?>)
   </li>
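Review bot: The delete link's `onclick` now calls `Security::remove_XSS(get_lang('ConfirmYourChoice'),ENT_QUOTES,$charset)` — the two extra arguments look like leftovers from the `htmlentities()` call it replaced and are presumably ignored, and the `addslashes()` that escaped quotes for the JavaScript string literal is gone, so a translation containing an apostrophe now breaks the handler. Restore `addslashes(htmlentities(get_lang('ConfirmYourChoice'),ENT_QUOTES,$charset))`; the language string is not user input, so the filter adds nothing here. `$enreg['name']` on the following line is still echoed without encoding.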
@@ -220,7 +220,7 @@
 
 </ul>
 
-<a href="<?php echo api_get_self(); ?>?category=<?php echo $category; ?>&amp;action=add"><?php echo get_lang("AddACategory"); if(!empty($category)) echo ' '.get_lang('Into').' '.$category; ?></a>
+<a href="<?php echo api_get_self(); ?>?category=<?php echo Security::remove_XSS($category); ?>&amp;action=add"><?php echo get_lang("AddACategory"); if(!empty($category)) echo ' '.get_lang('Into').' '.Security::remove_XSS($category); ?></a>
 
 <?php
 }
@@ -268,6 +268,9 @@
 	global $tbl_category;
 
 	$canHaveCourses=$canHaveCourses?'TRUE':'FALSE';
+	$code=Database::escape_string($code);
+	$name=Database::escape_string($name);
+	$parent_id=Database::escape_string($parent_id);
 
 	$result=api_sql_query("SELECT 1 FROM $tbl_category WHERE code='$code'",__FILE__,__LINE__);
 
@@ -294,6 +297,9 @@
 	global $tbl_category;
 
 	$canHaveCourses=$canHaveCourses?'TRUE':'FALSE';
+	$code=Database::escape_string($code);
+	$name=Database::escape_string($name);
+	$old_code=Database::escape_string($old_code);
 
 	if($code != $old_code)
 	{
@@ -313,6 +319,9 @@
 function moveNodeUp($code,$tree_pos,$parent_id)
 {
 	global $tbl_category;
+	$code=Database::escape_string($code);
+	$tree_pos=Database::escape_string($tree_pos);
+	$parent_id=Database::escape_string($parent_id);
 
 	$result=api_sql_query("SELECT code,tree_pos FROM $tbl_category WHERE parent_id ".(empty($parent_id)?"IS NULL":"='$parent_id'")." AND tree_pos<'$tree_pos' ORDER BY tree_pos DESC LIMIT 0,1",__FILE__,__LINE__);
 
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/admin/session_list.php dokeosmod/main/admin/session_list.php
--- dokeosorig/main/admin/session_list.php	2007-09-26 20:59:07.000000000 -0500
+++ dokeosmod/main/admin/session_list.php	2008-02-05 01:10:25.000000000 -0500
@@ -21,7 +21,7 @@
 {
 	if(is_array($idChecked))
 	{
-		$idChecked=implode(',',$idChecked);
+		$idChecked=Database::escape_string(implode(',',$idChecked));
 	}
 	else
 	{
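Review bot: `Database::escape_string(implode(',',$idChecked))` does not make the list safe if it is interpolated into an unquoted `IN (...)` clause, which is the usual shape for a comma-joined id list; the SQL is outside this hunk, so that is inferred. If these are session ids, cast each element before joining, `$idChecked = implode(',', array_map('intval', $idChecked));`, and apply the same cast on the scalar `else` branch that follows. The enclosing function starts before the hunk.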
@@ -61,12 +61,12 @@
 <?php
 
 if(isset($_GET['action'])){
-	Display::display_normal_message(stripslashes($_GET['message']), false);
+	Display::display_normal_message(Security::remove_XSS($_GET['message']), false);
 }
 
 ?>
 <form method="POST" action="session_list.php">
-		<input type="text" name="keyword" value="<?php echo $_GET['keyword']; ?>"/>
+		<input type="text" name="keyword" value="<?php echo Security::remove_XSS($_GET['keyword']); ?>"/>
 	<input type="submit" value="<?php echo get_lang('Search'); ?>"/>
 	</form>
 <form method="post" action="<?php echo api_get_self(); ?>?action=delete&sort=<?php echo $sort; ?>" onsubmit="javascript:if(!confirm('<?php echo get_lang('ConfirmYourChoice'); ?>')) return false;">
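Review bot: `Security::remove_XSS($_GET['keyword'])` is used where the value lands inside a double-quoted `value="..."` attribute; the correct tool for that context is an encoder, `htmlspecialchars($_GET['keyword'], ENT_QUOTES, $charset)` (assuming `$charset` is in scope as on the other admin pages), which also preserves a search term containing `<` instead of stripping it. `$_GET['message']` is passed to `display_normal_message` with a `false` second argument whose meaning is not visible in the diff; confirm that path still encodes. The `$sort` echoed into the second form's `action` on the last line of the hunk is left unencoded.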
@@ -218,4 +218,4 @@
 <?php
 
 Display::display_footer();
-?>
\ Pas de fin de ligne Ã  la fin du fichier.
+?>
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/auth/inscription.php dokeosmod/main/auth/inscription.php
--- dokeosorig/main/auth/inscription.php	2007-09-17 10:10:42.000000000 -0500
+++ dokeosmod/main/auth/inscription.php	2008-02-05 01:10:44.000000000 -0500
@@ -104,6 +104,14 @@
 	$defaults['language'] = api_get_setting('platformLanguage');
 }
 $defaults['status'] = STUDENT;
+if(!empty($_GET['username']))
+{
+	$defaults['username'] = Security::remove_XSS($_GET['username']);
+}
+if(!empty($_GET['email']))
+{
+	$defaults['email'] = Security::remove_XSS($_GET['email']);
+}
 $form->setDefaults($defaults);
 
 if ($form->validate())
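Review bot: The new `$_GET['username']`/`$_GET['email']` defaults go through `Security::remove_XSS()`, a stripping filter, before `$form->setDefaults()`; if FormValidator HTML-encodes default values when rendering (not visible here) the filter is redundant and can silently alter a legitimate value, and if it does not, a filter is still not an attribute encoder. The more precise check is on the value itself, e.g. an `email` validation rule for the prefilled address, with encoding left to the renderer. Note also that `!empty()` skips a username of `'0'`.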
@@ -255,4 +263,4 @@
 */
 
 Display :: display_footer();
-?>
\ Pas de fin de ligne Ã  la fin du fichier.
+?>
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/auth/profile.php dokeosmod/main/auth/profile.php
--- dokeosorig/main/auth/profile.php	2007-09-26 09:51:18.000000000 -0500
+++ dokeosmod/main/auth/profile.php	2008-02-05 01:10:52.000000000 -0500
@@ -1,5 +1,5 @@
 <?php
-// $Id: profile.php 13283 2007-09-26 14:51:18Z elixir_julian $
+// $Id: profile.php 14069 2007-12-25 22:34:35Z yannoo $
 /*
 ==============================================================================
 	Dokeos - elearning and course management software
@@ -62,9 +62,14 @@
 if (!empty ($_GET['coursePath']))
 {
 	$course_url = api_get_path(WEB_COURSE_PATH).htmlentities(strip_tags($_GET['coursePath'])).'/index.php';
-	$interbreadcrumb[] = array ('url' => $course_url, 'name' => $_GET['courseCode']);
+	$interbreadcrumb[] = array ('url' => $course_url, 'name' => Security::remove_XSS($_GET['courseCode']));
+}
+$warning_msg = '';
+if(!empty($_GET['fe']))
+{
+	$warning_msg .= get_lang('UplUnableToSaveFileFilteredExtension');
+	$_GET['fe'] = null;
 }
-
 /*
 -----------------------------------------------------------
 	Configuration file
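Review bot: The breadcrumb `name` now gets `Security::remove_XSS($_GET['courseCode'])`, but a course code has a constrained format, so validating it (for example against the course that `coursePath` resolves to) is tighter than filtering free text that the header later renders. Assigning `$_GET['fe'] = null;` to "consume" a flag by writing to a superglobal is fragile; a local boolean such as `$filtered_ext_requested = !empty($_GET['fe']);` is clearer and leaves the request untouched. `$warning_msg` is built with `.=` from an empty string although only one message is ever appended in the diff.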
@@ -112,7 +117,7 @@
 /*
  * Initialize the form.
  */
-$form = new FormValidator('profile', 'post', api_get_self()."?{$_SERVER['QUERY_STRING']}", null, array('style' => 'width: 75%; float: '.($text_dir=='rtl'?'right;':'left;')));
+$form = new FormValidator('profile', 'post', api_get_self()."?".str_replace('&fe=1','',$_SERVER['QUERY_STRING']), null, array('style' => 'width: 75%; float: '.($text_dir=='rtl'?'right;':'left;')));
 
 /* Make sure this is the first submit on the form, even though it is hidden!
  * Otherwise, if a user has productions and presses ENTER to submit, he will
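Review bot: `$_SERVER['QUERY_STRING']` is concatenated raw into the form's `action` attribute; the only change is stripping `&fe=1`, so a request whose query string contains `"` or `>` can break out of the attribute (reflected XSS) unless FormValidator encodes the action URL itself, which is not visible here. Encode for the attribute context with the page charset, `api_get_self().'?'.htmlspecialchars(str_replace('&fe=1', '', $_SERVER['QUERY_STRING']), ENT_QUOTES, $charset)`, or better rebuild the query via `parse_str()`/`http_build_query()` with the `fe` key removed, which also handles a query string that starts with `fe=1` rather than `&fe=1`.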
@@ -152,6 +157,16 @@
 	$form->addRule('email', get_lang('ThisFieldIsRequired'), 'required');
 $form->addRule('email', get_lang('EmailWrong'), 'email');
 
+// OPENID URL
+if(api_get_setting('openid_authentication')=='true')
+{
+	$form->addElement('text', 'openid', get_lang('OpenIDURL'), array('size' => 40));
+	if (api_get_setting('profile', 'openid') !== 'true')
+		$form->freeze('openid');
+	$form->applyFilter('openid', 'trim');
+	//if (api_get_setting('registration', 'openid') == 'true')
+	//	$form->addRule('openid', get_lang('ThisFieldIsRequired'), 'required');
+}
 
 //	PHONE
 $form->addElement('text', 'phone', get_lang('phone'), array('size' => 20));
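Review bot: The `openid` field gets only a `trim` filter while the `email` field just above it gets a validation rule; an OpenID identifier is a URL, so a URL validation rule (whichever FormValidator provides) or an explicit scheme check before it is stored would match the surrounding pattern. The commented-out `required` rule should be deleted or turned into a short `// TODO:` naming why it is off; commented-out code is dead weight. The single-statement `if` around `$form->freeze('openid')` should take braces like the rest of the file.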
@@ -198,17 +213,19 @@
 
 	//	MY COMPETENCES
 	$form->add_html_editor('competences', get_lang('MyCompetences'), false);
-	
+
 	//	MY DIPLOMAS
 	$form->add_html_editor('diplomas', get_lang('MyDiplomas'), false);
-	
+
 	//	WHAT I AM ABLE TO TEACH
 	$form->add_html_editor('teach', get_lang('MyTeach'), false);
-	
+
 	//	MY PRODUCTIONS
 	$form->addElement('file', 'production', get_lang('MyProductions'));
-	if ($production_list = build_production_list($_user['user_id']))
-		$form->addElement('static', 'productions', null, $production_list);
+	if ($production_list = UserManager::build_production_list($_user['user_id'],'',true))
+	{
+			$form->addElement('static', 'productions', null, $production_list);
+	}
 
 	//	MY PERSONAL OPEN AREA
 	$form->add_html_editor('openarea', get_lang('MyPersonalOpenArea'), false);
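Review bot: `UserManager::build_production_list($_user['user_id'],'',true)` here and `UserManager::build_production_list($_user['user_id'], true,true)` in the hunk at @@ -520,9 +520,11 @@ pass different types (`''` versus `true`) as the second argument; the method's signature is not in the diff, but the deleted local `build_production_list($user_id, $force = false)` had `$force` in that position, so one of the two calls looks wrong — confirm against the method's parameter list. A comment naming the second and third arguments at each call site, once their meaning is confirmed, would keep the two from drifting again. The `static` element line inside the new braces is indented one level deeper than the file's style.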
@@ -275,7 +292,7 @@
 */
 
 /**
- * Deprecated function. Use UserManager::get_user_picture_path_by_id($user_id,'none') instead 
+ * Deprecated function. Use UserManager::get_user_picture_path_by_id($user_id,'none') instead
  * Get a user's display picture. If the user doesn't have a picture, this
  * function will return an empty string.
  *
@@ -322,7 +339,7 @@
 
 	if (!file_exists($image_repository))
 	{
-		//error_log('Making path '.$image_repository,0);	
+		//error_log('Making path '.$image_repository,0);
 		mkpath($image_repository);
 	}else{
 		//error_log('Path '.$image_repository.' exists',0);
@@ -349,7 +366,7 @@
 	{
 		$picture_filename = (PREFIX_IMAGE_FILENAME_WITH_UID ? $user_id.'_' : '').uniqid('').'.'.$file_extension;
 	}
-	
+
 	$temp = new image($_FILES['picture']['tmp_name']);
 	$picture_infos=getimagesize($_FILES['picture']['tmp_name']);
 	$thumbwidth = IMAGE_THUMBNAIL_WIDTH;
@@ -358,10 +375,10 @@
 		$thumbwidth=100;
 	}
 	$new_height = round(($thumbwidth/$picture_infos[0])*$picture_infos[1]);
-	
+
 	$temp->resize($thumbwidth,$new_height,0);
 	$type=$picture_infos[2];
-   
+
     switch ($type) {
             case 2 : $temp->send_image('JPG',$image_repository.$picture_filename);
             break;
@@ -370,7 +387,7 @@
             case 1 : $temp->send_image('GIF',$image_repository.$picture_filename);
             break;
     }
-    
+
     return $picture_filename;
 
 }
@@ -402,76 +419,6 @@
 */
 
 /**
- * Returns an XHTML formatted list of productions for a user, or FALSE if he
- * doesn't have any.
- *
- * If there has been a request to remove a production, the function will return
- * without building the list unless forced to do so by the optional second
- * parameter. This increases performance by avoiding to read through the
- * productions on the filesystem before the removal request has been carried
- * out because they'll have to be re-read afterwards anyway.
- *
- * @param	$user_id	User id
- * @param	$force	Optional parameter to force building after a removal request
- * @return	A string containing the XHTML code to dipslay the production list, or FALSE
- */
-function build_production_list($user_id, $force = false)
-{
-	if (!$force && $_POST['remove_production'])
-		return true; // postpone reading from the filesystem
-
-	$productions = get_user_productions($user_id);
-
-	if (empty($productions))
-		return false;
-
-	$production_path = UserManager::get_user_picture_path_by_id($user_id,'web',true);
-	$production_dir = $production_path['dir'];
-	$del_image = api_get_path(WEB_CODE_PATH).'img/delete.gif';
-	$del_text = get_lang('Delete');
-
-	$production_list = '<ul id="productions">';
-
-	foreach ($productions as $file)
-	{
-		$production_list .= '<li><a href="'.$production_dir.urlencode($file).'" target="_blank">'.htmlentities($file).'</a>';
-		$production_list .= '<input type="image" name="remove_production['.urlencode($file).']" src="'.$del_image.'" alt="'.$del_text.'" title="'.$del_text.' '.htmlentities($file).'" onclick="return confirmation(\''.htmlentities($file).'\');" /></li>';
-	}
-
-	$production_list .= '</ul>';
-
-	return $production_list;
-}
-
-/**
- * Returns an array with the user's productions.
- *
- * @param	$user_id	User id
- * @return	An array containing the user's productions
- */
-function get_user_productions($user_id)
-{
-	$production_path = UserManager::get_user_picture_path_by_id($user_id,'system',true);
-	$production_repository = $production_path['dir'].$user_id.'/';
-	$productions = array();
-
-	if (is_dir($production_repository))
-	{
-		$handle = opendir($production_repository);
-
-		while ($file = readdir($handle))
-		{
-			if ($file == '.' || $file == '..' || $file == '.htaccess')
-				continue; // skip current/parent directory and .htaccess
-
-			$productions[] = $file;
-		}
-	}
-
-	return $productions; // can be an empty array
-}
-
-/**
  * Upload a submitted user production.
  *
  * @param	$user_id	User id
@@ -488,29 +435,20 @@
 	$filename = replace_dangerous_char($_FILES['production']['name']);
 	$filename = php2phps($filename);
 
-	if (move_uploaded_file($_FILES['production']['tmp_name'], $production_repository.$filename))
-		return $filename;
-
+	if(filter_extension($filename))
+	{
+		if (move_uploaded_file($_FILES['production']['tmp_name'], $production_repository.$filename))
+			return $filename;
+	}
 	return false; // this should be returned if anything went wrong with the upload
 }
 
-/**
- * Remove a user production.
- *
- * @param	$user_id		User id
- * @param	$production	The production to remove
- */
-function remove_user_production($user_id, $production)
-{
-	$production_path = UserManager::get_user_picture_path_by_id($user_id,'system',true);
-	unlink($production_path['dir'].$user_id.'/'.$production);
-}
-
 /*
 ==============================================================================
 		MAIN CODE
 ==============================================================================
 */
+$filtered_extension = false;
 if ($_SESSION['profile_update'])
 {
 	$update_success = ($_SESSION['profile_update'] == 'success');
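Review bot: `upload_user_production()` now returns `false` both when `filter_extension()` rejects the name and when `move_uploaded_file()` fails, and the caller in the hunk at @@ -554,8 +554,16 @@ admits it has to guess which one happened. Make the outcomes distinguishable without changing the return type, e.g. log the move failure, `error_log('upload_user_production: move_uploaded_file failed for '.$production_repository.$filename);`, so that a silent `false` reaching the caller can be read as the filtered case. The function's docblock (outside the hunk) should document `@return string|false` and the extension filtering. The function's signature is before the hunk.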
@@ -520,9 +458,11 @@
 elseif ($_POST['remove_production'])
 {
 	foreach (array_keys($_POST['remove_production']) as $production)
-		remove_user_production($_user['user_id'], urldecode($production));
+	{
+		UserManager::remove_user_production($_user['user_id'], urldecode($production));
+	}
 
-	if ($production_list = build_production_list($_user['user_id'], true))
+	if ($production_list = UserManager::build_production_list($_user['user_id'], true,true))
 		$form->insertElementBefore($form->createElement('static', null, null, $production_list), 'productions');
 
 	$form->removeElement('productions');
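Review bot: `UserManager::remove_user_production($_user['user_id'], urldecode($production))` receives a file name taken from the keys of `$_POST['remove_production']`; the local version this replaces (deleted earlier in this diff) did a bare `unlink()` of `dir/user_id/name`, so unless the moved method rejects `..` and path separators — not visible here — a crafted key can reach outside the user's production directory. Reject anything that is not a plain name before the call, `if ($production !== basename($production)) { continue; }`, or check the name against the user's own production list first. The enclosing `elseif` starts before the hunk.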
@@ -542,7 +482,7 @@
 	{
 		if ($new_picture = upload_user_image($_user['user_id']))
 			$user_data['picture_uri'] = $new_picture;
-		
+
 	}
 	// remove existing picture if asked
 	elseif ($user_data['remove_picture'])
@@ -554,8 +494,16 @@
 
 	// upload production if a new one is provided
 	if ($_FILES['production']['size'])
-		upload_user_production($_user['user_id']);
+	{
+		$res = upload_user_production($_user['user_id']);
+		if(!$res)
+		{
+			//it's a bit excessive to assume the extension is the reason why upload_user_production() returned false, but it's true in most cases
+			$filtered_extension = true;
+		}
+	}
 
+	
 	// remove values that shouldn't go in the database
 	unset($user_data['password1'], $user_data['password2'], $user_data['MAX_FILE_SIZE'],
 		$user_data['remove_picture'], $user_data['apply_change']);
@@ -592,7 +540,7 @@
 	$uidReset = true;
 	include (api_get_path(INCLUDE_PATH).'local.inc.php');
 	$_SESSION['profile_update'] = 'success';
-	header("Location: http://{$_SERVER['HTTP_HOST']}".api_get_self()."?{$_SERVER['QUERY_STRING']}");
+	header("Location: ".api_get_self()."?{$_SERVER['QUERY_STRING']}".($filtered_extension && strstr($_SERVER['QUERY_STRING'],'&fe=1')===false?'&fe=1':''));
 	exit;
 }
 
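Review bot: The `&fe=1` detection on the new `Location:` header, `strstr($_SERVER['QUERY_STRING'],'&fe=1')===false`, misses a query string that begins with `fe=1` and yields `?&fe=1` when the query string is empty, so the flag can be appended twice or the URL gets a stray `&`; the `str_replace('&fe=1','',…)` in the hunk at @@ -112,7 +117,7 @@ has the same edge. Parse and rebuild the query instead, `parse_str($_SERVER['QUERY_STRING'], $q); if ($filtered_extension) { $q['fe'] = 1; } header('Location: '.api_get_self().'?'.http_build_query($q));`. Dropping the `http://{$_SERVER['HTTP_HOST']}` prefix is an improvement, since the absolute URL was derived from a client-supplied header.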
@@ -605,11 +553,15 @@
 
 if ($file_deleted)
 {
-	Display :: display_normal_message(get_lang('FileDeleted'));
+	Display :: display_normal_message(get_lang('FileDeleted'),false);
 }
 elseif ($update_success)
 {
-	Display :: display_normal_message(get_lang('ProfileReg'));
+	Display :: display_normal_message(get_lang('ProfileReg'),false);
+}
+if(!empty($warning_msg))
+{
+	Display :: display_warning_message($warning_msg,false);
 }
 //	USER PICTURE
 $image_path = UserManager::get_user_picture_path_by_id($_user['user_id'],'web');
@@ -630,4 +582,4 @@
 $form->display();
 
 Display :: display_footer();
-?>
\ Pas de fin de ligne Ã  la fin du fichier.
+?>
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/calendar/myagenda.php dokeosmod/main/calendar/myagenda.php
--- dokeosorig/main/calendar/myagenda.php	2007-09-29 00:22:43.000000000 -0500
+++ dokeosmod/main/calendar/myagenda.php	2008-02-05 01:11:13.000000000 -0500
@@ -386,7 +386,7 @@
 		{
 			$agendaday = date("j",strtotime($item['start_date']));
 			$time= date("H:i",strtotime($item['start_date']));
-			$URL = $_configuration['root_web']."main/calendar/agenda.php?cidReq=".urlencode($array_course_info["code"])."&amp;day=$agendaday&amp;month=$month&amp;year=$year#$agendaday"; // RH  //Patrick Cool: to highlight the relevant agenda item
+			$URL = api_get_path(WEB_PATH)."main/calendar/agenda.php?cidReq=".urlencode($array_course_info["code"])."&amp;day=$agendaday&amp;month=$month&amp;year=$year#$agendaday"; // RH  //Patrick Cool: to highlight the relevant agenda item
 			$items[$agendaday][$item['start_time']] .= "<i>".$time."</i> <a href=\"$URL\" title=\"".$array_course_info["name"]."\">".$array_course_info["visual_code"]."</a>  ".$item['title']."<br />";
 		}
 	}
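Review bot: The line building `$items[$agendaday][...]` still interpolates `$array_course_info["name"]` into a `title="..."` attribute and `$item['title']` into the markup without encoding, which the `api_get_path()` swap leaves as-is; if agenda titles are stored as entered (not visible here) that is a stored-XSS path. Wrap both in `htmlspecialchars(..., ENT_QUOTES, $charset)` at the point of output, assuming `$charset` is in scope as elsewhere in this codebase. The enclosing loop and function begin before the hunk.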
@@ -418,8 +418,8 @@
 	$dayone = getdate(mktime(0, 0, 0, $month, 1, $year));
 	//Start the week on monday
 	$startdayofweek = $dayone['wday'] <> 0 ? ($dayone['wday'] - 1) : 6;
-	$backwardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&amp;courseCode=".htmlentities($_GET['courseCode'])."&amp;action=view&amp;view=month&amp;month=". ($month == 1 ? 12 : $month -1)."&amp;year=". ($month == 1 ? $year -1 : $year);
-	$forewardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&amp;courseCode=".htmlentities($_GET['courseCode'])."&amp;action=view&amp;view=month&amp;month=". ($month == 12 ? 1 : $month +1)."&amp;year=". ($month == 12 ? $year +1 : $year);
+	$backwardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&amp;courseCode=".Security::remove_XSS($_GET['courseCode'])."&amp;action=view&amp;view=month&amp;month=". ($month == 1 ? 12 : $month -1)."&amp;year=". ($month == 1 ? $year -1 : $year);
+	$forewardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&amp;courseCode=".Security::remove_XSS($_GET['courseCode'])."&amp;action=view&amp;view=month&amp;month=". ($month == 12 ? 1 : $month +1)."&amp;year=". ($month == 12 ? $year +1 : $year);
 
 	echo "<table id=\"agenda_list\">\n", "<tr class=\"title\">\n", "<td width=\"10%\"><a href=\"", $backwardsURL, "\">«</a></td>\n", "<td width=\"80%\" colspan=\"5\">", $monthName, " ", $year, "</td>\n", "<td width=\"10%\"><a href=\"", $forewardsURL, "\">»</a></td>\n", "</tr>\n";
 
@@ -481,8 +481,8 @@
 	$dayone = getdate(mktime(0, 0, 0, $month, 1, $year));
 	//Start the week on monday
 	$startdayofweek = $dayone['wday'] <> 0 ? ($dayone['wday'] - 1) : 6;
-	$backwardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&amp;courseCode=".$_GET['courseCode']."&amp;month=". ($month == 1 ? 12 : $month -1)."&amp;year=". ($month == 1 ? $year -1 : $year);
-	$forewardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&amp;courseCode=".$_GET['courseCode']."&amp;month=". ($month == 12 ? 1 : $month +1)."&amp;year=". ($month == 12 ? $year +1 : $year);
+	$backwardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&amp;courseCode=".Security::remove_XSS($_GET['courseCode'])."&amp;month=". ($month == 1 ? 12 : $month -1)."&amp;year=". ($month == 1 ? $year -1 : $year);
+	$forewardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&amp;courseCode=".Security::remove_XSS($_GET['courseCode'])."&amp;month=". ($month == 12 ? 1 : $month +1)."&amp;year=". ($month == 12 ? $year +1 : $year);
 
 	echo "<table id=\"smallcalendar\">\n", "<tr class=\"title\">\n", "<td width=\"10%\"><a href=\"", $backwardsURL, "\">«</a></td>\n", "<td width=\"80%\" colspan=\"5\">", $monthName, " ", $year, "</td>\n", "<td width=\"10%\"><a href=\"", $forewardsURL, "\">»</a></td>\n", "</tr>\n";
 
@@ -562,8 +562,8 @@
 	$day_of_the_week = date("w", $today); // Numeric representation of the day of the week	0 (for Sunday) through 6 (for Saturday) of today
 	$timestamp_first_date_of_week = $today - (($day_of_the_week -1) * 24 * 60 * 60); // timestamp of the monday of this week
 	$timestamp_last_date_of_week = $today + ((7 - $day_of_the_week) * 24 * 60 * 60); // timestamp of the sunday of this week
-	$backwardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&amp;courseCode=".$_GET['courseCode']."&amp;action=view&amp;view=week&amp;week=". ($week_number -1);
-	$forewardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&amp;courseCode=".$_GET['courseCode']."&amp;action=view&amp;view=week&amp;week=". ($week_number +1);
+	$backwardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&amp;courseCode=".Security::remove_XSS($_GET['courseCode'])."&amp;action=view&amp;view=week&amp;week=". ($week_number -1);
+	$forewardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&amp;courseCode=".Security::remove_XSS($_GET['courseCode'])."&amp;action=view&amp;view=week&amp;week=". ($week_number +1);
 	echo "<table id=\"agenda_list\">\n";
 	// The title row containing the the week information (week of the year (startdate of week - enddate of week)
 	echo "<tr class=\"title\">\n";
@@ -654,8 +654,8 @@
 	// we are loading all the calendar items of all the courses for today
 	echo "<table id=\"agenda_list\">\n";
 	// the forward and backwards url
-	$backwardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&amp;courseCode=".$_GET['courseCode']."&amp;action=view&amp;view=day&amp;day=".date("j", $previousday)."&amp;month=".date("n", $previousday)."&amp;year=".date("Y", $previousday);
-	$forewardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&amp;courseCode=".$_GET['courseCode']."&amp;action=view&amp;view=day&amp;day=".date("j", $nextday)."&amp;month=".date("n", $nextday)."&amp;year=".date("Y", $nextday);
+	$backwardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&amp;courseCode=".Security::remove_XSS($_GET['courseCode'])."&amp;action=view&amp;view=day&amp;day=".date("j", $previousday)."&amp;month=".date("n", $previousday)."&amp;year=".date("Y", $previousday);
+	$forewardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&amp;courseCode=".Security::remove_XSS($_GET['courseCode'])."&amp;action=view&amp;view=day&amp;day=".date("j", $nextday)."&amp;month=".date("n", $nextday)."&amp;year=".date("Y", $nextday);
 	// The title row containing the day
 	echo "<tr class=\"title\">\n", "<td width=\"10%\"><a href=\"", $backwardsURL, "\">«</a></td>\n", "<td>";
 	echo $DaysLong[$day_of_the_week]." ".date("j", $today)." ".$MonthsLong[date("n", $today) - 1]." ".date("Y", $today);
@@ -1386,4 +1386,4 @@
 	$start_end_array['end']['year'] = $end_year;
 	return $start_end_array;
 }
-?>
\ Pas de fin de ligne Ã  la fin du fichier.
+?>
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/forum/editpost.php dokeosmod/main/forum/editpost.php
--- dokeosorig/main/forum/editpost.php	2007-05-04 05:00:20.000000000 -0500
+++ dokeosmod/main/forum/editpost.php	2008-02-05 01:11:33.000000000 -0500
@@ -117,9 +117,9 @@
 */
 $interbreadcrumb[]=array("url" => "index.php","name" => $nameTools);
 $interbreadcrumb[]=array("url" => "viewforumcategory.php?forumcategory=".$current_forum_category['cat_id'],"name" => prepare4display($current_forum_category['cat_title']));
-$interbreadcrumb[]=array("url" => "viewforum.php?forum=".$_GET['forum'],"name" => prepare4display($current_forum['forum_title']));
-$interbreadcrumb[]=array("url" => "viewthread.php?forum=".$_GET['forum']."&amp;thread=".$_GET['thread'],"name" => prepare4display($current_thread['thread_title']));
-$interbreadcrumb[]=array("url" => "reply.php?forum=".$_GET['forum']."&amp;thread=".$_GET['thread'],"name" => get_lang('EditPost'));
+$interbreadcrumb[]=array("url" => "viewforum.php?forum=".Security::remove_XSS($_GET['forum']),"name" => prepare4display($current_forum['forum_title']));
+$interbreadcrumb[]=array("url" => "viewthread.php?forum=".Security::remove_XSS($_GET['forum'])."&amp;thread=".$_GET['thread'],"name" => prepare4display($current_thread['thread_title']));
+$interbreadcrumb[]=array("url" => "reply.php?forum=".Security::remove_XSS($_GET['forum'])."&amp;thread=".Security::remove_XSS($_GET['thread']),"name" => get_lang('EditPost'));
 
 /*
 -----------------------------------------------------------
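Review bot: The middle breadcrumb (`viewthread.php?forum=...&amp;thread=`) still concatenates `$_GET['thread']` raw while `$_GET['forum']` beside it is filtered, so the change is incomplete on the line it edits. Forum and thread ids are numeric, so cast both once and reuse, `$forum_id = intval($_GET['forum']); $thread_id = intval($_GET['thread']);`, which is tighter than `Security::remove_XSS()` in a URL context.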
@@ -198,7 +198,7 @@
 echo '</table>';
 
 // the form for the reply
-$values=show_edit_post_form($current_post, $current_thread, $_SESSION['formelements']);
+$values=show_edit_post_form($current_post, $current_thread, $current_forum, $_SESSION['formelements']);
 if (!empty($values) and $_POST['SubmitPost'])
 {
 	store_edit_post($values);
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/forum/forumfunction.inc.php dokeosmod/main/forum/forumfunction.inc.php
--- dokeosorig/main/forum/forumfunction.inc.php	2007-09-17 10:02:09.000000000 -0500
+++ dokeosmod/main/forum/forumfunction.inc.php	2008-02-05 01:11:41.000000000 -0500
@@ -95,14 +95,14 @@
 	{
 		if ($_GET['action']=='edit' and isset($_GET['id']) OR $_POST['SubmitForum'] )
 		{
-			$inputvalues=get_forums($_GET['id']); // note: this has to be cleaned first
+			$inputvalues=get_forums(strval(intval($_GET['id']))); // note: this has to be cleaned first
 		}
 		show_add_forum_form($inputvalues);
 	}
 	// Edit a forum category
 	if (($_GET['action']=='edit' AND $_GET['content']=='forumcategory' AND isset($_GET['id'])) OR $_POST['SubmitEditForumCategory'] )
 	{
-		$forum_category=get_forum_categories($_GET['id']); // note: this has to be cleaned first
+		$forum_category=get_forum_categories(strval(intval($_GET['id']))); // note: this has to be cleaned first
 		show_edit_forumcategory_form($forum_category);
 	}
 	// Delete a forum category
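Review bot: The `// note: this has to be cleaned first` comments now sit beside the `strval(intval(...))` that performs the cleaning, so they are stale and will mislead the next reader; replace them with a comment stating what is done, e.g. `// id cast to int: only numeric ids reach the query`. The `and`/`OR` mix in the first condition is unchanged by this hunk, but a pair of parentheses around the `and` pair would make the intended grouping explicit.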
@@ -410,7 +410,7 @@
 		$sql="UPDATE ".$table_categories." SET cat_title='".mysql_real_escape_string($values['forum_category_title'])."', cat_comment='".mysql_real_escape_string($values['forum_category_comment'])."' WHERE cat_id='".mysql_real_escape_string($values['forum_category_id'])."'";
 		api_sql_query($sql);
 		$last_id=mysql_insert_id();
-		api_item_property_update($_course, TOOL_FORUM_CATEGORY, $values['forum_category_id'],"ForumCategoryAdded", $_user['user_id']);
+		api_item_property_update($_course, TOOL_FORUM_CATEGORY, $values['forum_category_id'],"ForumCategoryAdded", api_get_user_id());
 		$return_message=get_lang('ForumCategoryEdited');
 	}
 	else
@@ -418,7 +418,7 @@
 		$sql="INSERT INTO ".$table_categories." (cat_title, cat_comment, cat_order) VALUES ('".mysql_real_escape_string($values['forum_category_title'])."','".mysql_real_escape_string($values['forum_category_comment'])."','".mysql_real_escape_string($new_max)."')";
 		api_sql_query($sql);
 		$last_id=mysql_insert_id();
-		api_item_property_update($_course, TOOL_FORUM_CATEGORY, $last_id,"ForumCategoryAdded", $_user['user_id']);
+		api_item_property_update($_course, TOOL_FORUM_CATEGORY, $last_id,"ForumCategoryAdded", api_get_user_id());
 		$return_message=get_lang('ForumCategoryAdded');
 	}
 
@@ -483,7 +483,7 @@
 						'".mysql_real_escape_string($new_max)."')";
 		api_sql_query($sql, __LINE__,__FILE__);
 		$last_id=mysql_insert_id();
-		api_item_property_update($_course, TOOL_FORUM, $last_id,"ForumCategoryAdded", $_user['user_id']);
+		api_item_property_update($_course, TOOL_FORUM, $last_id,"ForumCategoryAdded", api_get_user_id());
 		$return_message=get_lang('ForumAdded');
 
 	}
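Review bot: The changed line tags a newly inserted forum (`TOOL_FORUM`) with the lastedit type `"ForumCategoryAdded"`, which reads like a copy-paste from the category branch; the return message directly below is `ForumAdded`. Unless the property table deliberately reuses the category label for forums, this should be `"ForumAdded"`. The function begins outside the hunk.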
@@ -526,7 +526,7 @@
 		$return_message=get_lang('ThreadDeleted');
 	}
 
-	api_item_property_update($_course,$tool_constant,$id,"delete"); // note: check if this returns a true and if so => return $return_message, if not => return false;
+	api_item_property_update($_course,$tool_constant,$id,"delete",api_get_user_id()); // note: check if this returns a true and if so => return $return_message, if not => return false;
 
 	return $return_message;
 }
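Review bot: This call reads `$_course`, but no `global $_course;` is visible in the hunk, and the commit had to add exactly that declaration in `change_visibility` further down, which suggests the variable may be undefined here too and an empty course is passed to `api_item_property_update`. Please confirm the function declares it (its start is outside the hunk) or add `global $_course;` at the top. The `// note: check if this returns a true ...` remark is still unresolved; either check the return value or drop the note rather than ship it.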
@@ -552,7 +552,7 @@
 	$sql="DELETE FROM $table_posts WHERE post_id='".mysql_real_escape_string($post_id)."'"; // note: this has to be a recursive function that deletes all of the posts in this block.
 	api_sql_query($sql,__FILE__,__LINE__);
 
-	$last_post_of_thread=check_if_last_post_of_thread($_GET['thread']); // note: clean the $_GET['thread']
+	$last_post_of_thread=check_if_last_post_of_thread(strval(intval($_GET['thread'])));
 
 	if (is_array($last_post_of_thread))
 	{
@@ -561,14 +561,14 @@
 					thread_poster_id='".mysql_real_escape_string($last_post_of_thread['poster_id'])."',
 					thread_last_post='".mysql_real_escape_string($last_post_of_thread['post_id'])."',
 					thread_date='".mysql_real_escape_string($last_post_of_thread['post_date'])."'
-			WHERE thread_id='".mysql_real_escape_string($_GET['thread'])."'";  // note: clean the $_GET['thread']
+			WHERE thread_id='".mysql_real_escape_string($_GET['thread'])."'";
 		api_sql_query($sql,__FILE__,__LINE__);
 		return 'PostDeleted';
 	}
 	if ($last_post_of_thread==false)
 	{
 		// we deleted the very single post of the thread so we need to delete the entry in the thread table also.
-		$sql="DELETE FROM $table_threads WHERE thread_id='".mysql_real_escape_string($_GET['thread'])."'";  // note: clean the $_GET['thread']
+		$sql="DELETE FROM $table_threads WHERE thread_id='".mysql_real_escape_string($_GET['thread'])."'";
 		api_sql_query($sql,__FILE__,__LINE__);
 		return 'PostDeletedSpecial';
 	}
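Review bot: `$_GET['thread']` is cast with `strval(intval(...))` for `check_if_last_post_of_thread` in the previous hunk, but the two SQL statements here still feed the raw `$_GET['thread']` through `mysql_real_escape_string`, so the same value is validated in one place and merely escaped in two others. Cast once near the top of the function, `$thread_id = intval($_GET['thread']);`, and use `$thread_id` in all three places. The function continues beyond the hunk.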
@@ -617,6 +617,7 @@
 */
 function display_visible_invisible_icon($content, $id, $current_visibility_status, $additional_url_parameters='')
 {
+	$id = Security::remove_XSS($id);
 	if ($current_visibility_status=='1')
 	{
 		echo '<a href="'.api_get_self().'?'.api_get_cidreq().'&';
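Review bot: `Security::remove_XSS($id)` is a blacklist filter applied to a value that callers pass as a numeric database id (`cat_id`, `forum_id` in index.php) and that is then concatenated into the href on the following lines; the commit uses `strval(intval($id))` for the same purpose in `display_up_down_icon`. Use the cast here as well, `$id = intval($id);`, which is both stricter and consistent across the three icon helpers. The same applies to `display_lock_unlock_icon`. The function body continues past the hunk.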
@@ -656,6 +657,7 @@
 */
 function display_lock_unlock_icon($content, $id, $current_lock_status, $additional_url_parameters='')
 {
+	$id = Security::remove_XSS($id);
 	if ($current_lock_status=='1')
 	{
 		echo '<a href="'.api_get_self().'?'.api_get_cidreq().'&';
@@ -697,16 +699,20 @@
 */
 function display_up_down_icon($content, $id, $list)
 {
+	$id = strval(intval($id));
 	$total_items=count($list);
-
+	$position = 0;
 	$internal_counter=0;
 
-	foreach ($list as $key=>$listitem)
+	if(is_array($list))
 	{
-		$internal_counter++;
-		if ($id==$key)
+		foreach ($list as $key=>$listitem)
 		{
-			$position=$internal_counter;
+			$internal_counter++;
+			if ($id==$key)
+			{
+				$position=$internal_counter;
+			}
 		}
 	}
 	if ($position>1)
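Review bot: `$total_items=count($list)` still executes before the new `is_array($list)` guard, so a non-array `$list` triggers a warning (a TypeError on PHP 8) on that line before the guard is ever reached. Compute it under the guard, `$total_items = is_array($list) ? count($list) : 0;`. The `if ($id==$key)` comparison is deliberately loose, which is what lets the `strval(intval())` result match integer keys; a one-line comment saying so would stop someone tightening it to `===` later. The function continues past the hunk.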
@@ -742,8 +748,9 @@
 */
 function change_visibility($content, $id, $target_visibility)
 {
+	global $_course;
 	$constants=array('forumcategory'=>TOOL_FORUM_CATEGORY, 'forum'=>TOOL_FORUM, 'thread'=>TOOL_FORUM_THREAD);
-	api_item_property_update($_course,$constants[$content],$id,$target_visibility); // note: check if this returns true or false => returnmessage depends on it.
+	api_item_property_update($_course,$constants[$content],$id,$target_visibility,api_get_user_id()); // note: check if this returns true or false => returnmessage depends on it.
 	if ($target_visibility=='visible')
 	{
 		handle_mail_cue($content, $id);
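Review bot: `$constants[$content]` is looked up without checking that `$content` is one of the three keys, so an unexpected value yields `null` and `api_item_property_update` is called with a null tool for the given `$id`; the surviving `// note: check if this returns true or false` shows the return value is still ignored as well. Add a guard before the call, `if (!isset($constants[$content])) { return false; }` (or whatever failure value callers expect), and cast `$id` to int if it ends up in SQL inside `api_item_property_update`, which is not visible from here. The function continues beyond the hunk.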
@@ -1181,15 +1188,22 @@
 	// finding the last post information (last_post_id, last_poster_id, last_post_date, last_poster_name, last_poster_lastname, last_poster_firstname)
 	if ($id=='')
 	{
-		foreach ($forum_list as $key=>$value)
+		if(is_array($forum_list))
 		{
-			$last_post_info_of_forum=get_last_post_information($key,is_allowed_to_edit());
-			$forum_list[$key]['last_post_id']=$last_post_info_of_forum['last_post_id'];
-			$forum_list[$key]['last_poster_id']=$last_post_info_of_forum['last_poster_id'];
-			$forum_list[$key]['last_post_date']=$last_post_info_of_forum['last_post_date'];
-			$forum_list[$key]['last_poster_name']=$last_post_info_of_forum['last_poster_name'];
-			$forum_list[$key]['last_poster_lastname']=$last_post_info_of_forum['last_poster_lastname'];
-			$forum_list[$key]['last_poster_firstname']=$last_post_info_of_forum['last_poster_firstname'];
+			foreach ($forum_list as $key=>$value)
+			{
+				$last_post_info_of_forum=get_last_post_information($key,is_allowed_to_edit());
+				$forum_list[$key]['last_post_id']=$last_post_info_of_forum['last_post_id'];
+				$forum_list[$key]['last_poster_id']=$last_post_info_of_forum['last_poster_id'];
+				$forum_list[$key]['last_post_date']=$last_post_info_of_forum['last_post_date'];
+				$forum_list[$key]['last_poster_name']=$last_post_info_of_forum['last_poster_name'];
+				$forum_list[$key]['last_poster_lastname']=$last_post_info_of_forum['last_poster_lastname'];
+				$forum_list[$key]['last_poster_firstname']=$last_post_info_of_forum['last_poster_firstname'];
+			}
+		}
+		else
+		{
+			$forum_list = array();
 		}
 	}
 	else
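Review bot: `is_allowed_to_edit()` is called on every iteration of the new loop although its result cannot change between forums; hoist it above the loop, `$can_edit = is_allowed_to_edit();`, and pass `$can_edit`. The normalisation of a non-array `$forum_list` to `array()` is only done on the `$id==''` branch, so the `else` branch (outside the hunk) still receives whatever the query returned; doing the normalisation once before the `if` would cover both. The function starts outside the hunk.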
@@ -1300,7 +1314,6 @@
 				ON post.poster_id= last_poster_users.user_id
 			WHERE thread.forum_id='".mysql_real_escape_string($forum_id)."'
 			ORDER BY thread.thread_sticky DESC, thread.thread_date DESC";
-		
 	if (is_allowed_to_edit())
 	{
 		// important note: 	it might seem a little bit awkward that we have 'thread.locked as locked' in the sql statement
@@ -1555,14 +1568,14 @@
 					'".mysql_real_escape_string($values['thread_sticky'])."')";
 	$result=api_sql_query($sql, __LINE__, __FILE__);
 	$last_thread_id=mysql_insert_id();
-	api_item_property_update($_course, TOOL_FORUM_THREAD, $last_thread_id,"ForumThreadAdded", $_user['user_id']);
+	api_item_property_update($_course, TOOL_FORUM_THREAD, $last_thread_id,"ForumThreadAdded", api_get_user_id());
 	// if the forum properties tell that the posts have to be approved we have to put the whole thread invisible
 	// because otherwise the students will see the thread and not the post in the thread.
 	// we also have to change $visible because the post itself has to be visible in this case (otherwise the teacher would have
 	// to make the thread visible AND the post
 	if ($visible==0)
 	{
-		api_item_property_update($_course, TOOL_FORUM_THREAD, $last_thread_id,"invisible", $_user['user_id']);
+		api_item_property_update($_course, TOOL_FORUM_THREAD, $last_thread_id,"invisible", api_get_user_id());
 		$visible=1;
 	}
 
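Review bot: Replacing `$_user['user_id']` with `api_get_user_id()` changes what is recorded for anonymous posters: the add-post form later in this file allows posting when `allow_anonymous` is set and `$_user['user_id']` is not, and the old code then passed an unset value. Please confirm what `api_get_user_id()` returns in that case and that the item_property row is acceptable with it, and record the reason for the switch on the line, e.g. `// api_get_user_id() instead of $_user: works without a global declaration; anonymous posters presumably yield 0 — confirm`. The function starts outside the hunk.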
@@ -1627,12 +1640,12 @@
 	global $origin;
 
 	// initiate the object
-	$form = new FormValidator('thread', 'post', api_get_self().'?forum='.$_GET['forum'].'&thread='.$_GET['thread'].'&post='.$_GET['post'].'&action='.$_GET['action'].'&origin='.$origin);
+	$form = new FormValidator('thread', 'post', api_get_self().'?forum='.Security::remove_XSS($_GET['forum']).'&thread='.Security::remove_XSS($_GET['thread']).'&post='.Security::remove_XSS($_GET['post']).'&action='.Security::remove_XSS($_GET['action']).'&origin='.$origin);
 	$form->setConstants(array('forum' => '5'));
 
 	// settting the form elements
-	$form->addElement('hidden', 'forum_id', $_GET['forum']);
-	$form->addElement('hidden', 'thread_id', $_GET['thread']);
+	$form->addElement('hidden', 'forum_id', strval(intval($_GET['forum'])));
+	$form->addElement('hidden', 'thread_id', strval(intval($_GET['thread'])));
 
 	// if anonymous posts are allowed we also display a form to allow the user to put his name or username in
 	if ($current_forum['allow_anonymous']==1 AND !isset($_user['user_id']))
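Review bot: The form action URL now passes `forum`, `thread` and `post` through `Security::remove_XSS`, while the hidden fields two lines lower cast the very same values with `strval(intval(...))`; the two can disagree, and the blacklist filter neither yields a valid integer nor URL-encodes. Cast once at the top — `$forum_id = intval($_GET['forum']); $thread_id = intval($_GET['thread']); $post_id = intval($_GET['post']);` — and build both the action URL and the hidden fields from those. `action` is an enumerated string (the values visible in this file are `quote`, `replymessage` and `newthread`), so a whitelist via `in_array(..., true)` is the better check there. The function continues past the hunk.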
@@ -1663,10 +1676,10 @@
 
 	if (!empty($form_values))
 	{
-		$defaults['post_title']=prepare4display($form_values['post_title']);
-		$defaults['post_text']=prepare4display($form_values['post_text']);
-		$defaults['post_notification']=$form_values['post_notification'];
-		$defaults['thread_sticky']=$form_values['thread_sticky'];
+		$defaults['post_title']=prepare4display(Security::remove_XSS($form_values['post_title']));
+		$defaults['post_text']=prepare4display(Security::remove_XSS($form_values['post_text']));
+		$defaults['post_notification']=Security::remove_XSS($form_values['post_notification']);
+		$defaults['thread_sticky']=Security::remove_XSS($form_values['thread_sticky']);
 	}
 
 	// if we are quoting a message we have to retrieve the information of the post we are quoting so that
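Review bot: `Security::remove_XSS` is applied to `post_text` before it is placed back into the editor as a default, which is a lossy rewrite of content the user is still editing rather than output escaping; if the form library escapes defaults this double-processes, and if it does not, a blacklist is the wrong tool. For `post_notification` and `thread_sticky`, which are checkbox values, a cast is simpler and exact: `$defaults['post_notification'] = (int) $form_values['post_notification'];`. Where `$form_values` comes from is not visible in this hunk (the `$_SESSION['formelements']` passed in edit_post.php suggests it is the user's last submission), so please confirm the intent. The function continues outside the hunk.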
@@ -1674,7 +1687,7 @@
 	if (($action=='quote' OR $action=='replymessage') and isset($_GET['post']))
 	{
 		// we also need to put the parent_id of the post in a hidden form when we are quoting or replying to a message (<> reply to a thread !!!)
-		$form->addElement('hidden', 'post_parent_id', $_GET['post']); // note this has to be cleaned first
+		$form->addElement('hidden', 'post_parent_id', strval(intval($_GET['post']))); // note this has to be cleaned first
 
 		// if we are replying or are quoting then we display a default title.
  		$values=get_post_information($_GET['post']); // note: this has to be cleaned first
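Review bot: `$_GET['post']` is cast with `strval(intval(...))` for the hidden field, but the next line still passes the raw value to `get_post_information($_GET['post'])` with the old `// note: this has to be cleaned first` comment left in place, so the cleaning was done for the less sensitive of the two uses. Cast once, `$post_id = intval($_GET['post']);`, and use it for both the hidden element and the lookup. The function continues beyond the hunk.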
@@ -1706,7 +1719,7 @@
 		$form->display();
 		if ($forum_setting['show_thread_iframe_on_reply'] and $action<>'newthread')
 		{
-			echo "<iframe src=\"iframe_thread.php?forum=".$_GET['forum']."&amp;thread=".$_GET['thread']."#".$_GET['post']."\" width=\"80%\"></iframe>";
+			echo "<iframe src=\"iframe_thread.php?forum=".Security::remove_XSS($_GET['forum'])."&amp;thread=".Security::remove_XSS($_GET['thread'])."#".Security::remove_XSS($_GET['post'])."\" width=\"80%\"></iframe>";
 		}
 	}
 }
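Review bot: The iframe `src` is built from `$_GET` ids filtered with `Security::remove_XSS`, which neither guarantees an integer nor URL-encodes; since the same ids are int-cast earlier in this function for the hidden fields, use the cast here too: `echo "<iframe src=\"iframe_thread.php?forum=".intval($_GET['forum'])."&amp;thread=".intval($_GET['thread'])."#".intval($_GET['post'])."\" width=\"80%\"></iframe>";`. The function starts outside the hunk.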
@@ -1760,7 +1773,7 @@
 	update_thread($values['thread_id'], $new_post_id,$post_date);
 
 	// update the forum
-	api_item_property_update($_course, TOOL_FORUM, $values['forum_id'],"NewMessageInForum", $_user['user_id']);
+	api_item_property_update($_course, TOOL_FORUM, $values['forum_id'],"NewMessageInForum", api_get_user_id());
 
 	$message=get_lang('ReplyAdded').'<br />';
 	if ($current_forum['approval_direct_post']=='1' AND !api_is_allowed_to_edit())
@@ -1784,20 +1797,22 @@
 
 /**
 * This function displays the form that is used to edit a post. This can be a new thread or a reply.
-* @param $current_post array that contains all the information about the current post
-* @param $current_thread array that contains all the information about the current thread
-* @return
+* @param array contains all the information about the current post
+* @param array contains all the information about the current thread
+* @param array contains all info about the current forum (to check if attachments are allowed)
+* @param array contains the default values to fill the form
+* @return void
 *
 * @author Patrick Cool <patrick.cool@UGent.be>, Ghent University
 * @version february 2006, dokeos 1.8
 */
-function show_edit_post_form($current_post, $current_thread, $form_values='')
+function show_edit_post_form($current_post, $current_thread, $current_forum, $form_values='')
 {
 	global $forum_setting;
 	global $_user;
 
 	// initiate the object
-	$form = new FormValidator('edit_post', 'post', api_get_self().'?forum='.$_GET['forum'].'&thread='.$_GET['thread'].'&post='.$_GET['post']);
+	$form = new FormValidator('edit_post', 'post', api_get_self().'?forum='.Security::remove_XSS($_GET['forum']).'&thread='.Security::remove_XSS($_GET['thread']).'&post='.Security::remove_XSS($_GET['post']));
 
 	// settting the form elements
 	$form->addElement('hidden', 'post_id', $current_post['post_id']);
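Review bot: The new docblock drops the parameter names (`@param array contains all the information about the current post`), which is not the PHPDoc form (`@param array $current_post ...`) and so documents nothing a reader or tool can bind to the signature; restore the names for all four params, including `@param array $current_forum forum row, used to decide whether attachments are allowed`. The added parameter changes the function's arity (the caller in edit_post.php was updated), yet nothing in the visible part of the body reads `$current_forum` — if the use is further down, fine, otherwise the parameter is dead. The FormValidator URL has the same remove_XSS-versus-intval inconsistency as the add-post form. The function continues past the hunk.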
@@ -1843,10 +1858,10 @@
 
 	if (!empty($form_values))
 	{
-		$defaults['post_title']=$form_values['post_title'];
-		$defaults['post_text']=$form_values['post_text'];
-		$defaults['post_notification']=$form_values['post_notification'];
-		$defaults['thread_sticky']=$form_values['thread_sticky'];
+		$defaults['post_title']=Security::remove_XSS($form_values['post_title']);
+		$defaults['post_text']=Security::remove_XSS($form_values['post_text']);
+		$defaults['post_notification']=Security::remove_XSS($form_values['post_notification']);
+		$defaults['thread_sticky']=Security::remove_XSS($form_values['thread_sticky']);
 	}
 
 	$form->setDefaults($defaults);
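Review bot: The defaults are filtered here without the `prepare4display()` that the same four lines in the add-post form apply, so the two forms now treat identical `$form_values` differently and the difference is undocumented. Add a comment explaining why (or make them agree), and for the two checkbox values prefer a cast, `$defaults['thread_sticky'] = (int) $form_values['thread_sticky'];`. The function continues outside the hunk.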
@@ -1901,8 +1916,8 @@
 	//update_added_resources('forum_post',$values['post_id']);
 
 	$message=get_lang('EditPostStored').'<br />';
-	$message.=get_lang('ReturnTo').' <a href="viewforum.php?'.api_get_cidreq().'&forum='.$_GET['forum'].'">'.get_lang('Forum').'</a><br />';
-	$message.=get_lang('ReturnTo').' <a href="viewthread.php?'.api_get_cidreq().'&forum='.$_GET['forum'].'&amp;thread='.$values['thread_id'].'&amp;post='.$_GET['post'].'">'.get_lang('Message').'</a>';
+	$message.=get_lang('ReturnTo').' <a href="viewforum.php?'.api_get_cidreq().'&forum='.Security::remove_XSS($_GET['forum']).'">'.get_lang('Forum').'</a><br />';
+	$message.=get_lang('ReturnTo').' <a href="viewthread.php?'.api_get_cidreq().'&forum='.Security::remove_XSS($_GET['forum']).'&amp;thread='.$values['thread_id'].'&amp;post='.Security::remove_XSS($_GET['post']).'">'.get_lang('Message').'</a>';
 
 	session_unregister('formelements');
 	session_unregister('origin');
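Review bot: `$values['thread_id']`, which comes from the submitted form, is still concatenated raw into the second href while `$_GET['forum']` and `$_GET['post']` on the same line are filtered; all three ids are numeric, so cast them uniformly, e.g. `'&amp;thread='.intval($values['thread_id']).'&amp;post='.intval($_GET['post'])`. The first `&forum=` in both links should also be `&amp;forum=` since this is HTML output. The function starts outside the hunk.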
@@ -2202,7 +2217,7 @@
 	$current_thread=get_thread_information($thread_id);
 	$current_forum=get_forum_information($current_thread['forum_id']);
 	$current_forum_category=get_forumcategory_information($current_forum['forum_category']);
-	if($current_thread['visibility']=='1' AND $current_forum['visibility']=='1' AND $current_forum_category['visibility']=='1' AND $current_forum['approval_direct_post']=='0')
+	if($current_thread['visibility']=='1' AND $current_forum['visibility']=='1' AND $current_forum_category['visibility']=='1' AND $current_forum['approval_direct_post']!='1')
 	{
 		$send_mails=true;
 	}
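Review bot: Changing `$current_forum['approval_direct_post']=='0'` to `!='1'` widens the condition: mails are now sent whenever the column holds anything other than '1', including NULL or an empty string, where the old code sent nothing. If the purpose is to handle forums whose `approval_direct_post` was never set, say so on the line, e.g. `// only an explicit '1' (approval required) suppresses mailing; unset counts as no approval`; otherwise restore the explicit comparison. The function begins outside the hunk.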
@@ -2371,11 +2386,11 @@
 	global $origin;
 
 	// initiate the object
-	$form = new FormValidator('movepost', 'post', api_get_self().'?forum='.$_GET['forum'].'&thread='.$_GET['thread'].'&action='.$_GET['action'].'&origin='.$origin);
+	$form = new FormValidator('movepost', 'post', api_get_self().'?forum='.Security::remove_XSS($_GET['forum']).'&thread='.Security::remove_XSS($_GET['thread']).'&action='.Security::remove_XSS($_GET['action']).'&origin='.$origin);
 	// the header for the form
 	$form->addElement('header', '', get_lang('MoveThread'));
 	// invisible form: the thread_id
-	$form->addElement('hidden', 'thread_id', $_GET['thread']); // note: this has to be cleaned first
+	$form->addElement('hidden', 'thread_id', strval(intval($_GET['thread']))); // note: this has to be cleaned first
 
 	// the fora
 	$forum_categories=get_forum_categories();
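Review bot: The `// note: this has to be cleaned first` remark is kept on the line that now performs the cleaning, and the action URL one line up still runs the blacklist filter over the same `thread` and `forum` ids that the hidden field casts to int. Cast once, `$thread_id = intval($_GET['thread']);`, drop the stale note, and use the cast in both the URL and the hidden element. The function continues past the hunk.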
@@ -2428,15 +2443,15 @@
 function move_post_form()
 {
 	// initiate the object
-	$form = new FormValidator('movepost', 'post', api_get_self().'?forum='.$_GET['forum'].'&thread='.$_GET['thread'].'&post='.$_GET['post'].'&action='.$_GET['action'].'&post='.$_GET['post']);
+	$form = new FormValidator('movepost', 'post', api_get_self().'?forum='.Security::remove_XSS($_GET['forum']).'&thread='.Security::remove_XSS($_GET['thread']).'&post='.Security::remove_XSS($_GET['post']).'&action='.Security::remove_XSS($_GET['action']).'&post='.Security::remove_XSS($_GET['post']));
 	// the header for the form
 	$form->addElement('header', '', get_lang('MovePost'));
 
 	// invisible form: the post_id
-	$form->addElement('hidden', 'post_id', $_GET['post']); // note: this has to be cleaned first
+	$form->addElement('hidden', 'post_id', strval(intval($_GET['post']))); // note: this has to be cleaned first
 
 	// dropdown list: Threads of this forum
-	$threads=get_threads($_GET['forum']); // note: this has to be cleaned
+	$threads=get_threads(strval(intval($_GET['forum']))); // note: this has to be cleaned
 	//my_print_r($threads);
 	$threads_list[0]=get_lang('ANewThread');
 	foreach ($threads as $key=>$value)
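Review bot: The rebuilt action URL still carries the `post` parameter twice (`...&post=...&action=...&post=...`), so the last occurrence is what PHP sees on submit; delete the trailing `.'&post='.Security::remove_XSS($_GET['post'])`. As elsewhere in the commit, `forum`, `thread` and `post` are numeric and already cast for the hidden field and for `get_threads`, so cast them for the URL as well instead of the blacklist filter, and the two `// note: this has to be cleaned` remarks are now stale. `foreach ($threads as ...)` two lines down has no `is_array` guard although the commit adds one to the analogous loops elsewhere. The function continues beyond the hunk.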
@@ -2568,9 +2583,9 @@
 
 
 /**
-*
-* @param
-* @return
+* Prepares a string or an array of strings for display by stripping slashes
+* @param mixed	String or array of strings
+* @return mixed String or array of strings
 *
 * @author Patrick Cool <patrick.cool@UGent.be>, Ghent University
 * @version february 2006, dokeos 1.8
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/forum/index.php dokeosmod/main/forum/index.php
--- dokeosorig/main/forum/index.php	2007-09-26 21:13:10.000000000 -0500
+++ dokeosmod/main/forum/index.php	2008-02-05 01:11:50.000000000 -0500
@@ -187,200 +187,205 @@
 	Display Forum Categories and the Forums in it
 ------------------------------------------------------------------------------------------------------
 */
-echo "<table class='data_table' width='100%'>\n";
+echo '<table class="data_table" width="100%">'."\n";
 // Step 3: we display the forum_categories first
-foreach ($forum_categories_list as $forum_category_key => $forum_category)
+if(is_array($forum_categories_list))
 {
-	echo "\t<tr>\n\t\t<th style=\"padding-left:5px;\" align=\"left\" colspan=\"5\">";
-	echo '<a href="viewforumcategory.php?'.api_get_cidreq().'&forumcategory='.prepare4display($forum_category['cat_id']).'" '.class_visible_invisible(prepare4display($forum_category['visibility'])).'>'.prepare4display($forum_category['cat_title']).'</a><br />';
-	if ($forum_category['cat_comment']<>'' AND trim($forum_category['cat_comment'])<>'&nbsp;')
+	foreach ($forum_categories_list as $forum_category_key => $forum_category)
 	{
-		echo '<span>'.prepare4display($forum_category['cat_comment']).'</span>';
-	}
-	echo "</th>\n";
-	if (api_is_allowed_to_edit())
-	{
-		echo "\t\t<th>";
-		echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&action=edit&amp;content=forumcategory&amp;id=".prepare4display($forum_category['cat_id'])."\">".icon('../img/edit.gif',get_lang('Edit'))."</a>";
-		echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&action=delete&amp;content=forumcategory&amp;id=".prepare4display($forum_category['cat_id'])."\" onclick=\"javascript:if(!confirm('".addslashes(htmlentities(get_lang("DeleteForumCategory"),ENT_QUOTES,$charset))."')) return false;\">".icon('../img/delete.gif',get_lang('Delete'))."</a>";
-		display_visible_invisible_icon('forumcategory', prepare4display($forum_category['cat_id']), prepare4display($forum_category['visibility']));
-		display_lock_unlock_icon('forumcategory',prepare4display($forum_category['cat_id']), prepare4display($forum_category['locked']));
-		display_up_down_icon('forumcategory',prepare4display($forum_category['cat_id']), $forum_categories_list);
+		echo "\t<tr>\n\t\t<th style=\"padding-left:5px;\" align=\"left\" colspan=\"5\">";
+		echo '<a href="viewforumcategory.php?'.api_get_cidreq().'&forumcategory='.prepare4display($forum_category['cat_id']).'" '.class_visible_invisible(prepare4display($forum_category['visibility'])).'>'.prepare4display($forum_category['cat_title']).'</a><br />';
+		if ($forum_category['cat_comment']<>'' AND trim($forum_category['cat_comment'])<>'&nbsp;')
+		{
+			echo '<span>'.prepare4display($forum_category['cat_comment']).'</span>';
+		}
 		echo "</th>\n";
-	}
-	echo "\t</tr>\n";
-
-	// step 4: the interim headers (for the forum)
-	echo "\t<tr class=\"forum_header\">\n";
-	echo "\t\t<td colspan='2'>".get_lang('Forum')."</td>\n";
-	echo "\t\t<td>".get_lang('Topics')."</td>\n";
-	echo "\t\t<td>".get_lang('Posts')."</td>\n";
-	echo "\t\t<td>".get_lang('LastPosts')."</td>\n";
-	if (api_is_allowed_to_edit())
-	{
-		echo "\t\t<td>".get_lang('Actions')."</td>\n";
-	}
-	echo "\t</tr>\n";
-
-	// the forums in this category
-	$forums_in_category=get_forums_in_category($forum_category['cat_id']);
-
-	// step 5: we display all the forums in this category.
-	$forum_count=0;
-	foreach ($forum_list as $key=>$forum)
-	{
-		// Here we clean the whatnew_post_info array a little bit because to display the icon we
-		// test if $whatsnew_post_info[$forum['forum_id']] is empty or not.
-		foreach ($whatsnew_post_info[$forum['forum_id']] as $key_thread_id => $new_post_array)
+		if (api_is_allowed_to_edit())
 		{
-			if (empty($whatsnew_post_info[$forum['forum_id']][$key_thread_id]))
-			{
-				unset($whatsnew_post_info[$forum['forum_id']][$key_thread_id]);
-				unset($_SESSION['whatsnew_post_info'][$forum['forum_id']][$key_thread_id]);
-			}
+			echo "\t\t<th>";
+			echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&action=edit&amp;content=forumcategory&amp;id=".prepare4display($forum_category['cat_id'])."\">".icon('../img/edit.gif',get_lang('Edit'))."</a>";
+			echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&action=delete&amp;content=forumcategory&amp;id=".prepare4display($forum_category['cat_id'])."\" onclick=\"javascript:if(!confirm('".addslashes(htmlentities(get_lang("DeleteForumCategory"),ENT_QUOTES,$charset))."')) return false;\">".icon('../img/delete.gif',get_lang('Delete'))."</a>";
+			display_visible_invisible_icon('forumcategory', prepare4display($forum_category['cat_id']), prepare4display($forum_category['visibility']));
+			display_lock_unlock_icon('forumcategory',prepare4display($forum_category['cat_id']), prepare4display($forum_category['locked']));
+			display_up_down_icon('forumcategory',prepare4display($forum_category['cat_id']), $forum_categories_list);
+			echo "</th>\n";
 		}
-
-		// note: this can be speeded up if we transform the $forum_list to an array that uses the forum_category as the key.
-		if (prepare4display($forum['forum_category'])==prepare4display($forum_category['cat_id']))
+		echo "\t</tr>\n";
+	
+		// step 4: the interim headers (for the forum)
+		echo "\t<tr class=\"forum_header\">\n";
+		echo "\t\t<td colspan='2'>".get_lang('Forum')."</td>\n";
+		echo "\t\t<td>".get_lang('Topics')."</td>\n";
+		echo "\t\t<td>".get_lang('Posts')."</td>\n";
+		echo "\t\t<td>".get_lang('LastPosts')."</td>\n";
+		if (api_is_allowed_to_edit())
 		{
-			// the forum has to be showed if
-			// 1.v it is a not a group forum (teacher and student)
-			// 2.v it is a group forum and it is public (teacher and student)
-			// 3. it is a group forum and it is private (always for teachers only if the user is member of the forum
-			// if the forum is private and it is a group forum and the user is not a member of the group forum then it cannot be displayed
-			//if (!($forum['forum_group_public_private']=='private' AND !is_null($forum['forum_of_group']) AND !in_array($forum['forum_of_group'], $groups_of_user)))
-			//{
-			$show_forum=false;
-
-			// SHOULD WE SHOW THIS PARTICULAR FORUM
-			// you are teacher => show forum
-
-			if (api_is_allowed_to_edit())
+			echo "\t\t<td>".get_lang('Actions')."</td>\n";
+		}
+		echo "\t</tr>\n";
+	
+		// the forums in this category
+		$forums_in_category=get_forums_in_category($forum_category['cat_id']);
+	
+		// step 5: we display all the forums in this category.
+		$forum_count=0;
+		foreach ($forum_list as $key=>$forum)
+		{
+			// Here we clean the whatnew_post_info array a little bit because to display the icon we
+			// test if $whatsnew_post_info[$forum['forum_id']] is empty or not.
+			if(is_array($whatsnew_post_info[$forum['forum_id']]))
 			{
-				//echo 'teacher';
-				$show_forum=true;
+				foreach ($whatsnew_post_info[$forum['forum_id']] as $key_thread_id => $new_post_array)
+				{
+					if (empty($whatsnew_post_info[$forum['forum_id']][$key_thread_id]))
+					{
+						unset($whatsnew_post_info[$forum['forum_id']][$key_thread_id]);
+						unset($_SESSION['whatsnew_post_info'][$forum['forum_id']][$key_thread_id]);
+					}
+				}
 			}
-			// you are not a teacher
-			else
+			// note: this can be speeded up if we transform the $forum_list to an array that uses the forum_category as the key.
+			if (prepare4display($forum['forum_category'])==prepare4display($forum_category['cat_id']))
 			{
-				//echo 'student';
-				// it is not a group forum => show forum (invisible forums are already left out see get_forums function)
-				if ($forum['forum_of_group']=='0')
+				// the forum has to be showed if
+				// 1.v it is a not a group forum (teacher and student)
+				// 2.v it is a group forum and it is public (teacher and student)
+				// 3. it is a group forum and it is private (always for teachers only if the user is member of the forum
+				// if the forum is private and it is a group forum and the user is not a member of the group forum then it cannot be displayed
+				//if (!($forum['forum_group_public_private']=='private' AND !is_null($forum['forum_of_group']) AND !in_array($forum['forum_of_group'], $groups_of_user)))
+				//{
+				$show_forum=false;
+	
+				// SHOULD WE SHOW THIS PARTICULAR FORUM
+				// you are teacher => show forum
+	
+				if (api_is_allowed_to_edit())
 				{
-					//echo '-gewoon forum';
+					//echo 'teacher';
 					$show_forum=true;
 				}
-				// it is a group forum
+				// you are not a teacher
 				else
 				{
-					//echo '-groepsforum';
-					// it is a group forum but it is public => show
-					if ($forum['forum_group_public_private']=='public')
+					//echo 'student';
+					// it is not a group forum => show forum (invisible forums are already left out see get_forums function)
+					if ($forum['forum_of_group']=='0')
 					{
+						//echo '-gewoon forum';
 						$show_forum=true;
-						//echo '-publiek';
 					}
-					// it is a group forum and it is private
+					// it is a group forum
 					else
 					{
-						//echo '-prive';
-						// it is a group forum and it is private but the user is member of the group
-						if (in_array($forum['forum_of_group'],$groups_of_user))
+						//echo '-groepsforum';
+						// it is a group forum but it is public => show
+						if ($forum['forum_group_public_private']=='public')
 						{
-							//echo '-is lid';
 							$show_forum=true;
+							//echo '-publiek';
 						}
+						// it is a group forum and it is private
 						else
 						{
-							//echo '-is GEEN lid';
-							$show_forum=false;
+							//echo '-prive';
+							// it is a group forum and it is private but the user is member of the group
+							if (in_array($forum['forum_of_group'],$groups_of_user))
+							{
+								//echo '-is lid';
+								$show_forum=true;
+							}
+							else
+							{
+								//echo '-is GEEN lid';
+								$show_forum=false;
+							}
 						}
+	
 					}
-
 				}
-			}
-			//echo '<hr>';
-
-			if ($show_forum)
-			{
-				$form_count++;
-				echo "\t<tr class=\"forum\">\n";
-				echo "\t\t<td width=\"20\">";
-				if ($forum['forum_of_group']!=='0')
+				//echo '<hr>';
+	
+				if ($show_forum)
 				{
-					if (is_array($whatsnew_post_info[$forum['forum_id']]) and !empty($whatsnew_post_info[$forum['forum_id']]))
+					$form_count++;
+					echo "\t<tr class=\"forum\">\n";
+					echo "\t\t<td width=\"20\">";
+					if ($forum['forum_of_group']!=='0')
+					{
+						if (is_array($whatsnew_post_info[$forum['forum_id']]) and !empty($whatsnew_post_info[$forum['forum_id']]))
+						{
+							echo icon('../img/forumgroupnew.gif');
+						}
+						else
+						{
+							echo icon('../img/forumgroup.gif');
+						}
+					}
+					else
+					{
+						if (is_array($whatsnew_post_info[$forum['forum_id']]) and !empty($whatsnew_post_info[$forum['forum_id']]))
+						{
+							echo icon('../img/forum.gif');
+						}
+						else
+						{
+							echo icon('../img/forum.gif');
+						}
+	
+					}
+					echo "</td>\n";
+					if ($forum['forum_of_group']<>'0')
 					{
-						echo icon('../img/forumgroupnew.gif');
+						$group_title=substr($all_groups[$forum['forum_of_group']]['name'],0,30);
+						$forum_title_group_addition=' (<a href="../group/group_space.php?'.api_get_cidreq().'&gidReq='.$all_groups[$forum['forum_of_group']]['id'].'" class="forum_group_link">'.$group_title.'</a>)';
 					}
 					else
 					{
-						echo icon('../img/forumgroup.gif');
+						$forum_title_group_addition='';
 					}
-				}
-				else
-				{
-					if (is_array($whatsnew_post_info[$forum['forum_id']]) and !empty($whatsnew_post_info[$forum['forum_id']]))
+	
+					echo "\t\t<td><a href=\"viewforum.php?".api_get_cidreq()."&forum=".prepare4display($forum['forum_id'])."\" ".class_visible_invisible(prepare4display($forum['visibility'])).">".prepare4display($forum['forum_title']).'</a>'.$forum_title_group_addition.'<br />'.prepare4display($forum['forum_comment'])."</td>\n";
+					//$number_forum_topics_and_posts=get_post_topics_of_forum($forum['forum_id']); // deprecated
+					// the number of topics and posts
+					echo "\t\t<td>".$forum['number_of_threads']."</td>\n";
+					echo "\t\t<td>".$forum['number_of_posts']."</td>\n";
+					// the last post in the forum
+					if ($forum['last_poster_name']<>'')
 					{
-						echo icon('../img/forum.gif');
+						$name=$forum['last_poster_name'];
+						$poster_id=0;
 					}
 					else
 					{
-						echo icon('../img/forum.gif');
+						$name=$forum['last_poster_firstname'].' '.$forum['last_poster_lastname'];
+						$poster_id=$forum['last_poster_id'];
+					}
+					echo "\t\t<td NOWRAP>";
+					if (!empty($forum['last_post_id']))
+					{
+						echo $forum['last_post_date']."<br /> ".get_lang('By').' '.display_user_link($poster_id, $name);
 					}
-
-				}
-				echo "</td>\n";
-				if ($forum['forum_of_group']<>'0')
-				{
-					$group_title=substr($all_groups[$forum['forum_of_group']]['name'],0,30);
-					$forum_title_group_addition=' (<a href="../group/group_space.php?'.api_get_cidreq().'&gidReq='.$all_groups[$forum['forum_of_group']]['id'].'" class="forum_group_link">'.$group_title.'</a>)';
-				}
-				else
-				{
-					$forum_title_group_addition='';
-				}
-
-				echo "\t\t<td><a href=\"viewforum.php?".api_get_cidreq()."&forum=".prepare4display($forum['forum_id'])."\" ".class_visible_invisible(prepare4display($forum['visibility'])).">".prepare4display($forum['forum_title']).'</a>'.$forum_title_group_addition.'<br />'.prepare4display($forum['forum_comment'])."</td>\n";
-				//$number_forum_topics_and_posts=get_post_topics_of_forum($forum['forum_id']); // deprecated
-				// the number of topics and posts
-				echo "\t\t<td>".$forum['number_of_threads']."</td>\n";
-				echo "\t\t<td>".$forum['number_of_posts']."</td>\n";
-				// the last post in the forum
-				if ($forum['last_poster_name']<>'')
-				{
-					$name=$forum['last_poster_name'];
-					$poster_id=0;
-				}
-				else
-				{
-					$name=$forum['last_poster_firstname'].' '.$forum['last_poster_lastname'];
-					$poster_id=$forum['last_poster_id'];
-				}
-				echo "\t\t<td NOWRAP>";
-				if (!empty($forum['last_post_id']))
-				{
-					echo $forum['last_post_date']."<br /> ".get_lang('By').' '.display_user_link($poster_id, $name);
-				}
-				echo "</td>\n";
-
-
-				if (api_is_allowed_to_edit())
-				{
-					echo "\t\t<td NOWRAP align='center'>";
-					echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&action=edit&amp;content=forum&amp;id=".$forum['forum_id']."\">".icon('../img/edit.gif',get_lang('Edit'))."</a>";
-					echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&action=delete&amp;content=forum&amp;id=".$forum['forum_id']."\" onclick=\"javascript:if(!confirm('".addslashes(htmlentities(get_lang("DeleteForum"),ENT_QUOTES,$charset))."')) return false;\">".icon('../img/delete.gif',get_lang('Delete'))."</a>";
-					display_visible_invisible_icon('forum',$forum['forum_id'], $forum['visibility']);
-					display_lock_unlock_icon('forum',$forum['forum_id'], $forum['locked']);
-					display_up_down_icon('forum',$forum['forum_id'], $forums_in_category);
 					echo "</td>\n";
+	
+	
+					if (api_is_allowed_to_edit())
+					{
+						echo "\t\t<td NOWRAP align='center'>";
+						echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&action=edit&amp;content=forum&amp;id=".$forum['forum_id']."\">".icon('../img/edit.gif',get_lang('Edit'))."</a>";
+						echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&action=delete&amp;content=forum&amp;id=".$forum['forum_id']."\" onclick=\"javascript:if(!confirm('".addslashes(htmlentities(get_lang("DeleteForum"),ENT_QUOTES,$charset))."')) return false;\">".icon('../img/delete.gif',get_lang('Delete'))."</a>";
+						display_visible_invisible_icon('forum',$forum['forum_id'], $forum['visibility']);
+						display_lock_unlock_icon('forum',$forum['forum_id'], $forum['locked']);
+						display_up_down_icon('forum',$forum['forum_id'], $forums_in_category);
+						echo "</td>\n";
+					}
+					echo "\t</tr>";
 				}
-				echo "\t</tr>";
 			}
 		}
-	}
-	if (count($forum_list)==0)
-	{
-		echo "\t<tr><td>".get_lang('NoForumInThisCategory')."</td></tr>\n";
+		if (count($forum_list)==0)
+		{
+			echo "\t<tr><td>".get_lang('NoForumInThisCategory')."</td>".(api_is_allowed_to_edit()?'<td colspan="5"></td>':'<td colspan="4"></td>')."</tr>\n";
+		}
 	}
 }
 echo "</table>\n";
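Review bot: Inside the forum row the counter is incremented as `$form_count++` while it was initialised as `$forum_count=0` a few lines earlier, so the typo silently creates a second variable and `$forum_count` stays 0; since the whole block was re-indented, this is the moment to fix it to `$forum_count++;`. The group link concatenates `substr($all_groups[...]['name'],0,30)` and the forum edit/delete hrefs use `$forum['forum_id']` raw, whereas the category block passes the same kind of fields through `prepare4display()`; unless group names are escaped on storage (not visible here) this is unescaped database content in HTML and should at least go through `htmlspecialchars()`. The `if (count($forum_list)==0)` message sits inside the category loop, so it reports the global absence of forums once per category rather than an empty category, which the label `NoForumInThisCategory` overstates.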
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/forum/newthread.php dokeosmod/main/forum/newthread.php
--- dokeosorig/main/forum/newthread.php	2007-05-04 05:00:20.000000000 -0500
+++ dokeosmod/main/forum/newthread.php	2008-02-05 01:12:06.000000000 -0500
@@ -103,7 +103,7 @@
 $origin = '';
 if(isset($_GET['origin']))
 {
-	$origin =  $_GET['origin'];
+	$origin =  Security::remove_XSS($_GET['origin']);
 }
 
 
@@ -127,8 +127,8 @@
 */
 $interbreadcrumb[]=array("url" => "index.php","name" => $nameTools);
 $interbreadcrumb[]=array("url" => "viewforumcategory.php?forumcategory=".$current_forum_category['cat_id'],"name" => $current_forum_category['cat_title']);
-$interbreadcrumb[]=array("url" => "viewforum.php?forum=".$_GET['forum'],"name" => $current_forum['forum_title']);
-$interbreadcrumb[]=array("url" => "newthread.php?forum=".$_GET['forum'],"name" => get_lang('NewTopic'));
+$interbreadcrumb[]=array("url" => "viewforum.php?forum=".Security::remove_XSS($_GET['forum']),"name" => $current_forum['forum_title']);
+$interbreadcrumb[]=array("url" => "newthread.php?forum=".Security::remove_XSS($_GET['forum']),"name" => get_lang('NewTopic'));
 
 /*
 -----------------------------------------------------------
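Review bot: `forum` is a numeric id that was already used to load `$current_forum`, so the right normalisation for the two rewritten breadcrumb URLs is an integer cast, not `Security::remove_XSS`, which is an HTML blacklist filter and still lets through characters such as `&` and `=` that rewrite the query string. The breadcrumb entry just above already takes `cat_id` from the loaded record rather than from the request; doing the same here avoids reading `$_GET` at all, e.g. `"viewforum.php?forum=".(int) $_GET['forum']` or, if `$current_forum` carries a `forum_id` key like the forum rows elsewhere in this patch, `"viewforum.php?forum=".$current_forum['forum_id']`. The lookup that fills `$current_forum` is outside this hunk.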
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/forum/reply.php dokeosmod/main/forum/reply.php
--- dokeosorig/main/forum/reply.php	2007-05-04 05:00:20.000000000 -0500
+++ dokeosmod/main/forum/reply.php	2008-02-05 01:12:13.000000000 -0500
@@ -94,7 +94,7 @@
 $origin = '';
 if(isset($_GET['origin']))
 {
-	$origin =  $_GET['origin'];
+	$origin =  Security::remove_XSS($_GET['origin']);
 	$origin_string = '&origin='.$origin;
 }
 
@@ -130,9 +130,9 @@
 */
 $interbreadcrumb[]=array("url" => "index.php","name" => $nameTools);
 $interbreadcrumb[]=array("url" => "viewforumcategory.php?forumcategory=".$current_forum_category['cat_id'],"name" => $current_forum_category['cat_title']);
-$interbreadcrumb[]=array("url" => "viewforum.php?forum=".$_GET['forum'],"name" => $current_forum['forum_title']);
-$interbreadcrumb[]=array("url" => "viewthread.php?forum=".$_GET['forum']."&amp;thread=".$_GET['thread'],"name" => $current_thread['thread_title']);
-$interbreadcrumb[]=array("url" => "reply.php?forum=".$_GET['forum']."&amp;thread=".$_GET['thread'],"name" => get_lang('Reply'));
+$interbreadcrumb[]=array("url" => "viewforum.php?forum=".Security::remove_XSS($_GET['forum']),"name" => $current_forum['forum_title']);
+$interbreadcrumb[]=array("url" => "viewthread.php?forum=".Security::remove_XSS($_GET['forum'])."&amp;thread=".Security::remove_XSS($_GET['thread']),"name" => $current_thread['thread_title']);
+$interbreadcrumb[]=array("url" => "reply.php?forum=".Security::remove_XSS($_GET['forum'])."&amp;thread=".Security::remove_XSS($_GET['thread']),"name" => get_lang('Reply'));
 
 /*
 -----------------------------------------------------------
@@ -160,7 +160,8 @@
 }
 else
 {
-	Display :: display_header();
+	// the last element of the breadcrumb navigation is already set in interbreadcrumb, so give empty string
+	Display :: display_header('');
 	api_display_tool_title($nameTools);
 }
 //echo '<link href="forumstyles.css" rel="stylesheet" type="text/css" />';
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/forum/viewforumcategory.php dokeosmod/main/forum/viewforumcategory.php
--- dokeosorig/main/forum/viewforumcategory.php	2007-09-26 21:13:10.000000000 -0500
+++ dokeosmod/main/forum/viewforumcategory.php	2008-02-05 01:12:26.000000000 -0500
@@ -83,7 +83,6 @@
 -----------------------------------------------------------
 */
 include('forumconfig.inc.php');
-include('sanity.inc.php');
 include('forumfunction.inc.php');
 
 
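Review bot: The removal of `include('sanity.inc.php');` is the one change in this file that narrows rather than widens input checking, and nothing in the patch explains it or shows a replacement. If that include validated or cast request parameters such as `forumcategory` before they reach the category lookups further down, dropping it leaves only the output-side `Security::remove_XSS` wrappers added later in this file, which do nothing for the database queries. Either keep the include, or add a one-line comment at the include block stating why it is no longer needed, e.g. `// sanity.inc.php dropped: its parameter checks are now done in ...`. What sanity.inc.php contains is not visible here.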
@@ -177,7 +176,7 @@
 if (api_is_allowed_to_edit())
 {
 	//echo '<a href="'.api_get_self().'?forumcategory='.$_GET['forumcategory'].'&amp;action=add&amp;content=forumcategory">'.get_lang('AddForumCategory').'</a> | ';
-	echo '<a href="'.api_get_self().'?'.api_get_cidreq().'&forumcategory='.$_GET['forumcategory'].'&amp;action=add&amp;content=forum">'.Display::return_icon('forum_new.gif').' '.get_lang('AddForum').'</a>';
+	echo '<a href="'.api_get_self().'?'.api_get_cidreq().'&forumcategory='.Security::remove_XSS($_GET['forumcategory']).'&amp;action=add&amp;content=forum">'.Display::return_icon('forum_new.gif').' '.get_lang('AddForum').'</a>';
 }
 
 /*
@@ -193,8 +192,8 @@
 if (api_is_allowed_to_edit())
 {
 	echo "\t\t<th>";
-	echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&forumcategory=".$_GET['forumcategory']."&amp;action=edit&amp;content=forumcategory&amp;id=".$forum_category['cat_id']."\">".icon('../img/edit.gif',get_lang('Edit'))."</a>";
-	echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&forumcategory=".$_GET['forumcategory']."&amp;action=delete&amp;content=forumcategory&amp;amp;id=".$forum_category['cat_id']."\" onclick=\"javascript:if(!confirm('".addslashes(htmlentities(get_lang("DeleteForumCategory"),ENT_QUOTES,$charset))."')) return false;\">".icon('../img/delete.gif',get_lang('Delete'))."</a>";
+	echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&forumcategory=".Security::remove_XSS($_GET['forumcategory'])."&amp;action=edit&amp;content=forumcategory&amp;id=".$forum_category['cat_id']."\">".icon('../img/edit.gif',get_lang('Edit'))."</a>";
+	echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&forumcategory=".Security::remove_XSS($_GET['forumcategory'])."&amp;action=delete&amp;content=forumcategory&amp;amp;id=".$forum_category['cat_id']."\" onclick=\"javascript:if(!confirm('".addslashes(htmlentities(get_lang("DeleteForumCategory"),ENT_QUOTES,$charset))."')) return false;\">".icon('../img/delete.gif',get_lang('Delete'))."</a>";
 	display_visible_invisible_icon('forumcategory', $forum_category['cat_id'], $forum_category['visibility'], array("forumcategory"=>$_GET['forumcategory']));
 	display_lock_unlock_icon('forumcategory',$forum_category['cat_id'], $forum_category['locked'], array("forumcategory"=>$_GET['forumcategory']));
 	display_up_down_icon('forumcategory',$forum_category['cat_id'], $forum_categories_list);
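Review bot: The rewritten category delete link still carries `&amp;amp;id=`, which an HTML parser decodes to a literal `&amp;id=` in the URL, so the server receives a parameter named `amp;id` rather than `id`; the edit link on the line above uses `&amp;id=` correctly and the delete link should match. The commit rewrote this line but kept the double-encoded entity. Changing `&amp;amp;id=` to `&amp;id=` is the fix; whether the delete handler currently tolerates the misnamed parameter is outside this hunk.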
@@ -333,8 +332,8 @@
 			if (api_is_allowed_to_edit())
 			{
 				echo "\t\t<td NOWRAP align='center'>";
-				echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&forumcategory=".$_GET['forumcategory']."&amp;action=edit&amp;content=forum&amp;id=".$forum['forum_id']."\">".icon('../img/edit.gif',get_lang('Edit'))."</a>";
-				echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&forumcategory=".$_GET['forumcategory']."&amp;action=delete&amp;content=forum&amp;id=".$forum['forum_id']."\" onclick=\"javascript:if(!confirm('".addslashes(htmlentities(get_lang("DeleteForum"),ENT_QUOTES,$charset))."')) return false;\">".icon('../img/delete.gif',get_lang('Delete'))."</a>";
+				echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&forumcategory=".Security::remove_XSS($_GET['forumcategory'])."&amp;action=edit&amp;content=forum&amp;id=".$forum['forum_id']."\">".icon('../img/edit.gif',get_lang('Edit'))."</a>";
+				echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&forumcategory=".Security::remove_XSS($_GET['forumcategory'])."&amp;action=delete&amp;content=forum&amp;id=".$forum['forum_id']."\" onclick=\"javascript:if(!confirm('".addslashes(htmlentities(get_lang("DeleteForum"),ENT_QUOTES,$charset))."')) return false;\">".icon('../img/delete.gif',get_lang('Delete'))."</a>";
 				display_visible_invisible_icon('forum',$forum['forum_id'], $forum['visibility'], array("forumcategory"=>$_GET['forumcategory']));
 				display_lock_unlock_icon('forum',$forum['forum_id'], $forum['locked'], array("forumcategory"=>$_GET['forumcategory']));
 				display_up_down_icon('forum',$forum['forum_id'], $forums_in_category);
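Review bot: The two helper calls after the rewritten anchors, `display_visible_invisible_icon(...)` and `display_lock_unlock_icon(...)`, still pass `array("forumcategory"=>$_GET['forumcategory'])` unfiltered, so this hunk filters the same id in two of its four uses (the category-level hunk above has the same gap). Since `forumcategory` is a numeric id, a single `$forumcategory = (int) $_GET['forumcategory'];` near the top of the file, used in place of every `Security::remove_XSS($_GET['forumcategory'])`, would be stronger than a blacklist HTML filter and remove the inconsistency. How the helpers render that array is outside this hunk.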
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/forum/viewforum.php dokeosmod/main/forum/viewforum.php
--- dokeosorig/main/forum/viewforum.php	2007-09-26 21:13:10.000000000 -0500
+++ dokeosmod/main/forum/viewforum.php	2008-02-05 01:12:32.000000000 -0500
@@ -83,7 +83,7 @@
 $origin = '';
 if(isset($_GET['origin']))
 {
-	$origin =  $_GET['origin'];
+	$origin =  Security::remove_XSS($_GET['origin']);
 	$origin_string = '&origin='.$origin;
 }
 
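Review bot: `$origin` is only ever compared against the fixed string `'learnpath'` in this file and is then echoed into `$origin_string` and several hrefs, so a whitelist is the right check rather than the blacklist `Security::remove_XSS`: `$origin = (isset($_GET['origin']) && $_GET['origin'] === 'learnpath') ? 'learnpath' : '';`. That keeps `$origin_string` free of attacker-chosen bytes entirely, whereas remove_XSS still passes characters such as `&` and `=` that can append parameters to every link built from it. If other origin values are legitimate (none are visible here), list them in the whitelist instead.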
@@ -123,13 +123,14 @@
 */
 $interbreadcrumb[]=array("url" => "index.php","name" => $nameTools);
 $interbreadcrumb[]=array("url" => "viewforumcategory.php?forumcategory=".$current_forum_category['cat_id'],"name" => prepare4display($current_forum_category['cat_title']));
-$interbreadcrumb[]=array("url" => "viewforum.php?forum=".$_GET['forum'],"name" => prepare4display($current_forum['forum_title']));
+$interbreadcrumb[]=array("url" => "viewforum.php?forum=".Security::remove_XSS($_GET['forum']),"name" => prepare4display($current_forum['forum_title']));
 if($origin=='learnpath')
 {
 	include(api_get_path(INCLUDE_PATH).'reduced_header.inc.php');
 } else
 {
-	Display :: display_header();
+	// the last element of the breadcrumb navigation is already set in interbreadcrumb, so give empty string
+	Display :: display_header('');
 	api_display_tool_title($nameTools);
 }
 
@@ -196,7 +197,7 @@
 {
 	if ($current_forum['locked'] <> 1 AND $current_forum['locked'] <> 1)
 	{
-	echo '<a href="newthread.php?'.api_get_cidreq().'&forum='.$_GET['forum'].$origin_string.'">'.Display::return_icon('forumthread_new.gif').' '.get_lang('NewTopic').'</a>';
+	echo '<a href="newthread.php?'.api_get_cidreq().'&forum='.Security::remove_XSS($_GET['forum']).$origin_string.'">'.Display::return_icon('forumthread_new.gif').' '.get_lang('NewTopic').'</a>';
 	}
 	else
 	{
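Review bot: The guard around the rewritten new-topic link tests `$current_forum['locked'] <> 1` twice, so the second operand is dead and the condition checks only the forum; given the comment elsewhere in this patch that such links should be hidden when the category, the forum or the thread is locked, the first operand was presumably meant to be `$current_forum_category['locked'] <> 1`. Note that this only hides a link; whatever newthread.php does when requested directly for a locked forum is not visible here and must enforce the rule server-side. The `if` that opens this block starts outside the hunk.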
@@ -248,96 +249,99 @@
 $whatsnew_post_info=$_SESSION['whatsnew_post_info'];
 
 $counter=0;
-foreach ($threads as $row)
+if(is_array($threads))
 {
-	// thread who have no replies yet and the only post is invisible should not be displayed to students.
-	if (api_is_allowed_to_edit() OR  !($row['thread_replies']=='0' AND $row['visible']=='0'))
+	foreach ($threads as $row)
 	{
-		if($counter%2==0)
-		{
-			 $class="row_odd";
-		}
-		else
-		{
-			$class="row_even";
-		}
-		echo "\t<tr class=\"$class\">\n";
-		echo "\t\t<td>";
-		if (is_array($whatsnew_post_info[$_GET['forum']][$row['thread_id']]) and !empty($whatsnew_post_info[$_GET['forum']][$row['thread_id']]))
-		{
-			echo icon('../img/forumthread.gif');
-		}
-		else
-		{
-			echo icon('../img/forumthread.gif');
-		}
-
-		if ($row['thread_sticky']==1)
-		{
-			echo icon('../img/exclamation.gif');
-		}
-		echo "</td>\n";
-		echo "\t\t<td><a href=\"viewthread.php?".api_get_cidreq()."&forum=".$_GET['forum']."&amp;thread=".$row['thread_id'].$origin_string."\" ".class_visible_invisible($row['visibility']).">".prepare4display($row['thread_title'])."</a></td>\n";
-		echo "\t\t<td>".$row['thread_replies']."</td>\n";
-		if ($row['user_id']=='0')
-		{
-			$name=prepare4display($row['thread_poster_name']);
-		}
-		else
-		{
-			$name=$row['firstname'].' '.$row['lastname'];
-		}
-		if($origin != 'learnpath')
-		{
-			echo "\t\t<td>".display_user_link($row['user_id'], $name)."</td>\n";
-		}
-		else
-		{
-			echo "\t\t<td>".$name."</td>\n";
-		}
-		echo "\t\t<td>".$row['thread_views']."</td>\n";
-		if ($row['last_poster_user_id']=='0')
-		{
-			$name=$row['poster_name'];
-		}
-		else
-		{
-			$name=$row['last_poster_firstname'].' '.$row['last_poster_lastname'];
-		}
-		// if the last post is invisible and it is not the teacher who is looking then we have to find the last visible post of the thread
-		if (($row['visible']=='1' OR api_is_allowed_to_edit()) && $origin!='learnpath')
-		{
-			$last_post=$row['thread_date']." ".get_lang('By').' '.display_user_link($row['last_poster_user_id'], $name);
-		}
-		else if($origin!='learnpath')
-		{
-			$last_post_sql="SELECT post.*, user.firstname, user.lastname FROM $table_posts post, $table_users user WHERE post.poster_id=user.user_id AND visible='1' AND thread_id='".$row['thread_id']."' ORDER BY post_id DESC";
-			$last_post_result=api_sql_query($last_post_sql, __LINE__, __FILE__);
-			$last_post_row=mysql_fetch_array($last_post_result);
-			$name=$last_post_row['firstname'].' '.$last_post_row['lastname'];
-			$last_post=$last_post_row['post_date']." ".get_lang('By').' '.display_user_link($last_post_row['poster_id'], $name);
-		}
-		else
-		{
-			$last_post_sql="SELECT post.*, user.firstname, user.lastname FROM $table_posts post, $table_users user WHERE post.poster_id=user.user_id AND visible='1' AND thread_id='".$row['thread_id']."' ORDER BY post_id DESC";
-			$last_post_result=api_sql_query($last_post_sql, __LINE__, __FILE__);
-			$last_post_row=mysql_fetch_array($last_post_result);
-			$name=$last_post_row['firstname'].' '.$last_post_row['lastname'];
-			$last_post=$last_post_row['post_date']." ".get_lang('By').' '.$name;
-		}
-		echo "\t\t<td>".$last_post."</td>\n";
-		if (api_is_allowed_to_edit())
+		// thread who have no replies yet and the only post is invisible should not be displayed to students.
+		if (api_is_allowed_to_edit() OR  !($row['thread_replies']=='0' AND $row['visible']=='0'))
 		{
+			if($counter%2==0)
+			{
+				 $class="row_odd";
+			}
+			else
+			{
+				$class="row_even";
+			}
+			echo "\t<tr class=\"$class\">\n";
 			echo "\t\t<td>";
-			echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&forum=".$_GET['forum']."&amp;action=delete&amp;content=thread&amp;id=".$row['thread_id'].$origin_string."\" onclick=\"javascript:if(!confirm('".addslashes(htmlentities(get_lang("DeleteCompleteThread"),ENT_QUOTES,$charset))."')) return false;\">".icon('../img/delete.gif',get_lang('Delete'))."</a>";
-			display_visible_invisible_icon('thread', $row['thread_id'], $row['visibility'], array("forum"=>$_GET['forum'],'origin'=>$origin));
-			display_lock_unlock_icon('thread',$row['thread_id'], $row['locked'], array("forum"=>$_GET['forum'],'origin'=>$origin));
-			echo "<a href=\"viewforum.php?".api_get_cidreq()."&forum=".$_GET['forum']."&amp;action=move&amp;thread=".$row['thread_id'].$origin_string."\">".icon('../img/deplacer_fichier.gif',get_lang('MoveThread'))."</a>";
+			if (is_array($whatsnew_post_info[$_GET['forum']][$row['thread_id']]) and !empty($whatsnew_post_info[$_GET['forum']][$row['thread_id']]))
+			{
+				echo icon('../img/forumthread.gif');
+			}
+			else
+			{
+				echo icon('../img/forumthread.gif');
+			}
+	
+			if ($row['thread_sticky']==1)
+			{
+				echo icon('../img/exclamation.gif');
+			}
 			echo "</td>\n";
+			echo "\t\t<td><a href=\"viewthread.php?".api_get_cidreq()."&forum=".Security::remove_XSS($_GET['forum'])."&amp;thread=".$row['thread_id'].$origin_string."\" ".class_visible_invisible($row['visibility']).">".prepare4display($row['thread_title'])."</a></td>\n";
+			echo "\t\t<td>".$row['thread_replies']."</td>\n";
+			if ($row['user_id']=='0')
+			{
+				$name=prepare4display($row['thread_poster_name']);
+			}
+			else
+			{
+				$name=$row['firstname'].' '.$row['lastname'];
+			}
+			if($origin != 'learnpath')
+			{
+				echo "\t\t<td>".display_user_link($row['user_id'], $name)."</td>\n";
+			}
+			else
+			{
+				echo "\t\t<td>".$name."</td>\n";
+			}
+			echo "\t\t<td>".$row['thread_views']."</td>\n";
+			if ($row['last_poster_user_id']=='0')
+			{
+				$name=$row['poster_name'];
+			}
+			else
+			{
+				$name=$row['last_poster_firstname'].' '.$row['last_poster_lastname'];
+			}
+			// if the last post is invisible and it is not the teacher who is looking then we have to find the last visible post of the thread
+			if (($row['visible']=='1' OR api_is_allowed_to_edit()) && $origin!='learnpath')
+			{
+				$last_post=$row['thread_date']." ".get_lang('By').' '.display_user_link($row['last_poster_user_id'], $name);
+			}
+			else if($origin!='learnpath')
+			{
+				$last_post_sql="SELECT post.*, user.firstname, user.lastname FROM $table_posts post, $table_users user WHERE post.poster_id=user.user_id AND visible='1' AND thread_id='".$row['thread_id']."' ORDER BY post_id DESC";
+				$last_post_result=api_sql_query($last_post_sql, __LINE__, __FILE__);
+				$last_post_row=mysql_fetch_array($last_post_result);
+				$name=$last_post_row['firstname'].' '.$last_post_row['lastname'];
+				$last_post=$last_post_row['post_date']." ".get_lang('By').' '.display_user_link($last_post_row['poster_id'], $name);
+			}
+			else
+			{
+				$last_post_sql="SELECT post.*, user.firstname, user.lastname FROM $table_posts post, $table_users user WHERE post.poster_id=user.user_id AND visible='1' AND thread_id='".$row['thread_id']."' ORDER BY post_id DESC";
+				$last_post_result=api_sql_query($last_post_sql, __LINE__, __FILE__);
+				$last_post_row=mysql_fetch_array($last_post_result);
+				$name=$last_post_row['firstname'].' '.$last_post_row['lastname'];
+				$last_post=$last_post_row['post_date']." ".get_lang('By').' '.$name;
+			}
+			echo "\t\t<td>".$last_post."</td>\n";
+			if (api_is_allowed_to_edit())
+			{
+				echo "\t\t<td>";
+				echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&forum=".Security::remove_XSS($_GET['forum'])."&amp;action=delete&amp;content=thread&amp;id=".$row['thread_id'].$origin_string."\" onclick=\"javascript:if(!confirm('".addslashes(htmlentities(get_lang("DeleteCompleteThread"),ENT_QUOTES,$charset))."')) return false;\">".icon('../img/delete.gif',get_lang('Delete'))."</a>";
+				display_visible_invisible_icon('thread', $row['thread_id'], $row['visibility'], array("forum"=>$_GET['forum'],'origin'=>$origin));
+				display_lock_unlock_icon('thread',$row['thread_id'], $row['locked'], array("forum"=>$_GET['forum'],'origin'=>$origin));
+				echo "<a href=\"viewforum.php?".api_get_cidreq()."&forum=".Security::remove_XSS($_GET['forum'])."&amp;action=move&amp;thread=".$row['thread_id'].$origin_string."\">".icon('../img/deplacer_fichier.gif',get_lang('MoveThread'))."</a>";
+				echo "</td>\n";
+			}
+			echo "\t</tr>\n";
 		}
-		echo "\t</tr>\n";
+		$counter++;
 	}
-	$counter++;
 }
 
 echo "</table>";
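Review bot: Inside the edit-only cell, the helper calls `display_visible_invisible_icon(...)` and `display_lock_unlock_icon(...)` still pass `"forum"=>$_GET['forum']` raw while the delete and move anchors on either side of them now wrap the same value in `Security::remove_XSS`, and the whatsnew lookup at the top of the row also indexes with the raw value. Because `forum` is a numeric id, one `$forum_id = (int) $_GET['forum'];` before the loop, used in every URL and array in this block, is stronger than a blacklist HTML filter and avoids re-reading `$_GET` a dozen times. Separately, the `if (is_array($whatsnew_post_info[...]) ...)` at the start of the row has identical branches that both echo `icon('../img/forumthread.gif')`, so either a "new posts" icon is missing or the test can be deleted.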
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/forum/viewthread_flat.inc.php dokeosmod/main/forum/viewthread_flat.inc.php
--- dokeosorig/main/forum/viewthread_flat.inc.php	2007-09-26 21:13:10.000000000 -0500
+++ dokeosmod/main/forum/viewthread_flat.inc.php	2008-02-05 01:12:52.000000000 -0500
@@ -97,14 +97,14 @@
 	// The course admin him/herself can do this off course always
 	if (($current_forum['allow_edit']==1 AND $row['user_id']==$_user['user_id']) or api_is_allowed_to_edit())
 	{
-		echo "<a href=\"editpost.php?".api_get_cidreq()."&forum=".$_GET['forum']."&amp;thread=".$_GET['thread']."&amp;post=".$row['post_id']."&origin=".$origin."\">".icon('../img/edit.gif',get_lang('Edit'))."</a>\n";
+		echo "<a href=\"editpost.php?".api_get_cidreq()."&forum=".Security::remove_XSS($_GET['forum'])."&amp;thread=".Security::remove_XSS($_GET['thread'])."&amp;post=".$row['post_id']."&origin=".$origin."\">".icon('../img/edit.gif',get_lang('Edit'))."</a>\n";
 	}
 	if (api_is_allowed_to_edit())
 	{
-		echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&forum=".$_GET['forum']."&amp;thread=".$_GET['thread']."&amp;action=delete&amp;content=post&amp;id=".$row['post_id']."&origin=".$origin."\" onclick=\"javascript:if(!confirm('".addslashes(htmlentities(get_lang("DeletePost"),ENT_QUOTES,$charset))."')) return false;\">".icon('../img/delete.gif',get_lang('Delete'))."</a>\n";
-		display_visible_invisible_icon('post', $row['post_id'], $row['visible'],array('forum'=>$_GET['forum'],'thread'=>$_GET['thread'], 'origin'=>$origin ));
+		echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&forum=".Security::remove_XSS($_GET['forum'])."&amp;thread=".Security::remove_XSS($_GET['thread'])."&amp;action=delete&amp;content=post&amp;id=".$row['post_id']."&origin=".$origin."\" onclick=\"javascript:if(!confirm('".addslashes(htmlentities(get_lang("DeletePost"),ENT_QUOTES,$charset))."')) return false;\">".icon('../img/delete.gif',get_lang('Delete'))."</a>\n";
+		display_visible_invisible_icon('post', $row['post_id'], $row['visible'],array('forum'=>Security::remove_XSS($_GET['forum']),'thread'=>Security::remove_XSS($_GET['thread']), 'origin'=>$origin ));
 		echo "\n";
-		echo "<a href=\"viewthread.php?".api_get_cidreq()."&forum=".$_GET['forum']."&amp;thread=".$_GET['thread']."&amp;action=move&amp;post=".$row['post_id']."&origin=".$origin."\">".icon('../img/deplacer_fichier.gif',get_lang('Edit'))."</a>";
+		echo "<a href=\"viewthread.php?".api_get_cidreq()."&forum=".Security::remove_XSS($_GET['forum'])."&amp;thread=".Security::remove_XSS($_GET['thread'])."&amp;action=move&amp;post=".$row['post_id']."&origin=".$origin."\">".icon('../img/deplacer_fichier.gif',get_lang('Edit'))."</a>";
 	}
 	echo '<br /><br />';
 	//if (($current_forum_category['locked']==0 AND $current_forum['locked']==0 AND $current_thread['locked']==0) OR api_is_allowed_to_edit())
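Review bot: The rewritten delete and move anchors are plain GET links (`action=delete&amp;content=post&amp;id=...`, `action=move&amp;post=...`) guarded only by a client-side `confirm()`, so a teacher who loads any page carrying an `<img src="...viewthread.php?...&action=delete&content=post&id=N">` would delete the post with no prompt at all. The commit only changes how `forum` and `thread` are filtered inside these URLs; it adds no per-request token. Unless the action handler in viewthread.php already checks one (not visible in this patch), append a session-bound token to these hrefs and verify it before acting, or move the destructive actions to POST.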
@@ -112,8 +112,8 @@
 	{
 		if ($_user['user_id'] OR ($current_forum['allow_anonymous']==1 AND !$_user['user_id']))
 		{
-			echo '<a href="reply.php?'.api_get_cidreq().'&forum='.$_GET['forum'].'&amp;thread='.$_GET['thread'].'&amp;post='.$row['post_id'].'&amp;action=replymessage&origin='.$origin.'">'.get_lang('ReplyToMessage').'</a><br />';
-			echo '<a href="reply.php?'.api_get_cidreq().'&forum='.$_GET['forum'].'&amp;thread='.$_GET['thread'].'&amp;post='.$row['post_id'].'&amp;action=quote&origin='.$origin.'">'.get_lang('QuoteMessage').'</a><br /><br />';
+			echo '<a href="reply.php?'.api_get_cidreq().'&forum='.Security::remove_XSS($_GET['forum']).'&amp;thread='.Security::remove_XSS($_GET['thread']).'&amp;post='.$row['post_id'].'&amp;action=replymessage&origin='.$origin.'">'.get_lang('ReplyToMessage').'</a><br />';
+			echo '<a href="reply.php?'.api_get_cidreq().'&forum='.Security::remove_XSS($_GET['forum']).'&amp;thread='.Security::remove_XSS($_GET['thread']).'&amp;post='.$row['post_id'].'&amp;action=quote&origin='.$origin.'">'.get_lang('QuoteMessage').'</a><br /><br />';
 		}
 	}
 	else 
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/forum/viewthread_nested.inc.php dokeosmod/main/forum/viewthread_nested.inc.php
--- dokeosorig/main/forum/viewthread_nested.inc.php	2007-09-26 21:13:10.000000000 -0500
+++ dokeosmod/main/forum/viewthread_nested.inc.php	2008-02-05 01:12:59.000000000 -0500
@@ -95,14 +95,14 @@
 	// The course admin him/herself can do this off course always
 	if (($current_forum['allow_edit']==1 AND $post['user_id']==$_user['user_id']) or api_is_allowed_to_edit())
 	{
-		echo "<a href=\"editpost.php?".api_get_cidreq()."&forum=".$_GET['forum']."&amp;thread=".$_GET['thread']."&amp;post=".$post['post_id']."\">".icon('../img/edit.gif',get_lang('Edit'))."</a>\n";
+		echo "<a href=\"editpost.php?".api_get_cidreq()."&forum=".Security::remove_XSS($_GET['forum'])."&amp;thread=".Security::remove_XSS($_GET['thread'])."&amp;post=".$post['post_id']."\">".icon('../img/edit.gif',get_lang('Edit'))."</a>\n";
 	}
 	if (api_is_allowed_to_edit())
 	{
-		echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&forum=".$_GET['forum']."&amp;thread=".$_GET['thread']."&amp;action=delete&amp;content=post&amp;id=".$post['post_id']."\" onclick=\"javascript:if(!confirm('".addslashes(htmlentities(get_lang("DeletePost"),ENT_QUOTES,$charset))."')) return false;\">".icon('../img/delete.gif',get_lang('Delete'))."</a>\n";
-		display_visible_invisible_icon('post', $post['post_id'], $post['visible'],array('forum'=>$_GET['forum'],'thread'=>$_GET['thread'] ));
+		echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&forum=".Security::remove_XSS($_GET['forum'])."&amp;thread=".Security::remove_XSS($_GET['thread'])."&amp;action=delete&amp;content=post&amp;id=".$post['post_id']."\" onclick=\"javascript:if(!confirm('".addslashes(htmlentities(get_lang("DeletePost"),ENT_QUOTES,$charset))."')) return false;\">".icon('../img/delete.gif',get_lang('Delete'))."</a>\n";
+		display_visible_invisible_icon('post', $post['post_id'], $post['visible'],array('forum'=>Security::remove_XSS($_GET['forum']),'thread'=>Security::remove_XSS($_GET['thread']) ));
 		echo "\n";
-		echo "<a href=\"viewthread.php?".api_get_cidreq()."&forum=".$_GET['forum']."&amp;thread=".$_GET['thread']."&amp;action=move&amp;post=".$post['post_id']."\">".icon('../img/deplacer_fichier.gif',get_lang('Edit'))."</a>";
+		echo "<a href=\"viewthread.php?".api_get_cidreq()."&forum=".Security::remove_XSS($_GET['forum'])."&amp;thread=".Security::remove_XSS($_GET['thread'])."&amp;action=move&amp;post=".$post['post_id']."\">".icon('../img/deplacer_fichier.gif',get_lang('Edit'))."</a>";
 	}
 	echo '<br /><br />';
 	//if (($current_forum_category['locked']==0 AND $current_forum['locked']==0 AND $current_thread['locked']==0) OR api_is_allowed_to_edit())
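Review bot: The rewritten move-post link (`deplacer_fichier.gif`) is titled `get_lang('Edit')`, the same label as the real edit link a few lines above, so the tooltip and alt text misdescribe the action; viewforum.php in this same patch titles the equivalent thread-level icon `get_lang('MoveThread')`. The flat and threaded views rewritten in this patch carry the same wrong label. Use `icon('../img/deplacer_fichier.gif',get_lang('MoveThread'))`, or a post-specific string if the language files have one.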
@@ -110,8 +110,8 @@
 	{
 		if ($_user['user_id'] OR ($current_forum['allow_anonymous']==1 AND !$_user['user_id']))
 		{
-			echo '<a href="reply.php?'.api_get_cidreq().'&forum='.$_GET['forum'].'&amp;thread='.$_GET['thread'].'&amp;post='.$post['post_id'].'&amp;action=replymessage">'.get_lang('ReplyToMessage').'</a><br />';
-			echo '<a href="reply.php?'.api_get_cidreq().'&forum='.$_GET['forum'].'&amp;thread='.$_GET['thread'].'&amp;post='.$post['post_id'].'&amp;action=quote">'.get_lang('QuoteMessage').'</a><br /><br />';
+			echo '<a href="reply.php?'.api_get_cidreq().'&forum='.Security::remove_XSS($_GET['forum']).'&amp;thread='.Security::remove_XSS($_GET['thread']).'&amp;post='.$post['post_id'].'&amp;action=replymessage">'.get_lang('ReplyToMessage').'</a><br />';
+			echo '<a href="reply.php?'.api_get_cidreq().'&forum='.Security::remove_XSS($_GET['forum']).'&amp;thread='.Security::remove_XSS($_GET['thread']).'&amp;post='.$post['post_id'].'&amp;action=quote">'.get_lang('QuoteMessage').'</a><br /><br />';
 		}
 	}
 	else 
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/forum/viewthread.php dokeosmod/main/forum/viewthread.php
--- dokeosorig/main/forum/viewthread.php	2007-05-04 05:00:20.000000000 -0500
+++ dokeosmod/main/forum/viewthread.php	2008-02-05 01:13:09.000000000 -0500
@@ -91,7 +91,7 @@
 $origin = '';
 if(isset($_GET['origin']))
 {
-	$origin =  $_GET['origin'];
+	$origin =  Security::remove_XSS($_GET['origin']);
 }
 
 
@@ -127,12 +127,13 @@
 
 	$interbreadcrumb[]=array("url" => "index.php","name" => $nameTools);
 	$interbreadcrumb[]=array("url" => "viewforumcategory.php?forumcategory=".$current_forum_category['cat_id'],"name" => prepare4display($current_forum_category['cat_title']));
-	$interbreadcrumb[]=array("url" => "viewforum.php?forum=".$_GET['forum'],"name" => prepare4display($current_forum['forum_title']));
+	$interbreadcrumb[]=array("url" => "viewforum.php?forum=".Security::remove_XSS($_GET['forum']),"name" => prepare4display($current_forum['forum_title']));
 	if ($message<>'PostDeletedSpecial')
 	{
-		$interbreadcrumb[]=array("url" => "viewthread.php?forum=".$_GET['forum']."&amp;thread=".$_GET['thread'],"name" => prepare4display($current_thread['thread_title']));
+		$interbreadcrumb[]=array("url" => "viewthread.php?forum=".Security::remove_XSS($_GET['forum'])."&amp;thread=".Security::remove_XSS($_GET['thread']),"name" => prepare4display($current_thread['thread_title']));
 	}
-	Display :: display_header();
+	// the last element of the breadcrumb navigation is already set in interbreadcrumb, so give empty string
+	Display :: display_header('');
 	api_display_tool_title($nameTools);
 
 }
@@ -193,9 +194,11 @@
 	-----------------------------------------------------------
 	*/
 	echo '<div style="float:right;">';
-	echo '<a href="viewthread.php?'.api_get_cidreq().'&forum='.$_GET['forum'].'&amp;thread='.$_GET['thread'].'&amp;view=flat&origin='.$origin.'">'.get_lang('FlatView').'</a> | ';
-	echo '<a href="viewthread.php?'.api_get_cidreq().'&forum='.$_GET['forum'].'&amp;thread='.$_GET['thread'].'&amp;view=threaded&origin='.$origin.'">'.get_lang('ThreadedView').'</a> | ';
-	echo '<a href="viewthread.php?'.api_get_cidreq().'&forum='.$_GET['forum'].'&amp;thread='.$_GET['thread'].'&amp;view=nested&origin='.$origin.'">'.get_lang('NestedView').'</a>';
+	$my_url = '<a href="viewthread.php?'.api_get_cidreq().'&forum='.Security::remove_XSS($_GET['forum']).'&amp;thread='.Security::remove_XSS($_GET['thread']);
+	echo $my_url.'&amp;view=flat&origin='.$origin.'">'.get_lang('FlatView').'</a> | ';
+	echo $my_url.'&amp;view=threaded&origin='.$origin.'">'.get_lang('ThreadedView').'</a> | ';
+	echo $my_url.'&amp;view=nested&origin='.$origin.'">'.get_lang('NestedView').'</a>';
+	$my_url = null;
 	echo '</div>';
 	// the reply to thread link should only appear when the forum_category is not locked AND the forum is not locked AND the thread is not locked.
 	// if one of the three levels is locked then the link should not be displayed
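Review bot: `$my_url` holds an open `<a href="viewthread.php?...` fragment rather than a URL, and the trailing `$my_url = null;` buys nothing for a short string, so the name invites the next reader to echo it as a link. Naming it for what it is, e.g. `$view_link_open = '<a href="viewthread.php?'.api_get_cidreq().'&forum='...;`, and dropping the `= null` line makes the three echoes read correctly. The `&origin=` in those echoes is also the one bare ampersand in an attribute where the rest of the line uses `&amp;`; browsers tolerate it, but it is inconsistent with the surrounding markup.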
@@ -204,7 +207,7 @@
 		// The link should only appear when the user is logged in or when anonymous posts are allowed.
 		if ($_user['user_id'] OR ($current_forum['allow_anonymous']==1 AND !$_user['user_id']))
 		{
-			echo '<a href="reply.php?'.api_get_cidreq().'&forum='.$_GET['forum'].'&amp;thread='.$_GET['thread'].'&amp;action=replythread&origin='.$origin.'">'.get_lang('ReplyToThread').'</a>';
+			echo '<a href="reply.php?'.api_get_cidreq().'&forum='.Security::remove_XSS($_GET['forum']).'&amp;thread='.Security::remove_XSS($_GET['thread']).'&amp;action=replythread&origin='.$origin.'">'.get_lang('ReplyToThread').'</a>';
 		}
 	}
 	// note: this is to prevent that some browsers display the links over the table (FF does it but Opera doesn't)
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/forum/viewthread_threaded.inc.php dokeosmod/main/forum/viewthread_threaded.inc.php
--- dokeosorig/main/forum/viewthread_threaded.inc.php	2007-09-26 21:13:10.000000000 -0500
+++ dokeosmod/main/forum/viewthread_threaded.inc.php	2008-02-05 01:13:17.000000000 -0500
@@ -58,7 +58,7 @@
 
 if ($_GET['post'])
 {
-	$display_post_id=$_GET['post']; // note: this has to be cleaned first
+	$display_post_id=Security::remove_XSS($_GET['post']); // note: this has to be cleaned first
 }
 else 
 {
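Review bot: `$display_post_id` is used as an array index into `$rows[...]` further down this file, so it needs to be an integer, and `Security::remove_XSS` (an HTML blacklist filter) does not make it one; the retained comment `// note: this has to be cleaned first` still applies after this change. Replace the line with `$display_post_id = (int) $_GET['post'];` and drop the stale comment. What the else branch assigns when `post` is absent is outside the hunk.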
@@ -106,14 +106,14 @@
 // The course admin him/herself can do this off course always
 if (($current_forum['allow_edit']==1 AND $rows[$display_post_id]['user_id']==$_user['user_id']) or api_is_allowed_to_edit())
 {
-	echo "<a href=\"editpost.php?".api_get_cidreq()."&forum=".$_GET['forum']."&amp;thread=".$_GET['thread']."&amp;post=".$rows[$display_post_id]['post_id']."\">".icon('../img/edit.gif',get_lang('Edit'))."</a>\n";
+	echo "<a href=\"editpost.php?".api_get_cidreq()."&forum=".Security::remove_XSS($_GET['forum'])."&amp;thread=".Security::remove_XSS($_GET['thread'])."&amp;post=".$rows[$display_post_id]['post_id']."\">".icon('../img/edit.gif',get_lang('Edit'))."</a>\n";
 }
 if (api_is_allowed_to_edit())
 {
-	echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&forum=".$_GET['forum']."&amp;thread=".$_GET['thread']."&amp;action=delete&amp;content=post&amp;id=".$rows[$display_post_id]['post_id']."\" onclick=\"javascript:if(!confirm('".addslashes(htmlentities(get_lang("DeletePost"),ENT_QUOTES,$charset))."')) return false;\">".icon('../img/delete.gif',get_lang('Delete'))."</a>\n";
-	display_visible_invisible_icon('post', $rows[$display_post_id]['post_id'], $rows[$display_post_id]['visible'],array('forum'=>$_GET['forum'],'thread'=>$_GET['thread'], 'post'=>$_GET['post'] ));
+	echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&forum=".Security::remove_XSS($_GET['forum'])."&amp;thread=".Security::remove_XSS($_GET['thread'])."&amp;action=delete&amp;content=post&amp;id=".$rows[$display_post_id]['post_id']."\" onclick=\"javascript:if(!confirm('".addslashes(htmlentities(get_lang("DeletePost"),ENT_QUOTES,$charset))."')) return false;\">".icon('../img/delete.gif',get_lang('Delete'))."</a>\n";
+	display_visible_invisible_icon('post', $rows[$display_post_id]['post_id'], $rows[$display_post_id]['visible'],array('forum'=>Security::remove_XSS($_GET['forum']),'thread'=>Security::remove_XSS($_GET['thread']), 'post'=>Security::remove_XSS($_GET['post']) ));
 	echo "\n";
-	echo "<a href=\"viewthread.php?".api_get_cidreq()."&forum=".$_GET['forum']."&amp;thread=".$_GET['thread']."&amp;action=move&amp;post=".$rows[$display_post_id]['post_id']."\">".icon('../img/deplacer_fichier.gif',get_lang('Edit'))."</a>\n";
+	echo "<a href=\"viewthread.php?".api_get_cidreq()."&forum=".Security::remove_XSS($_GET['forum'])."&amp;thread=".Security::remove_XSS($_GET['thread'])."&amp;action=move&amp;post=".$rows[$display_post_id]['post_id']."\">".icon('../img/deplacer_fichier.gif',get_lang('Edit'))."</a>\n";
 }
 echo '<br /><br />';
 //if (($current_forum_category['locked']==0 AND $current_forum['locked']==0 AND $current_thread['locked']==0) OR api_is_allowed_to_edit())
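Review bot: The visibility-toggle helper call re-reads `$_GET['post']` through `Security::remove_XSS` instead of using `$display_post_id`, which this file already derives from the same parameter with a fallback when `post` is absent; in that fallback case the toggle URL presumably gets an empty `post` value while the rest of the block addresses `$rows[$display_post_id]`. Passing `'post'=>$display_post_id` keeps the two in step and removes one more raw read of the request. The fallback assignment itself is outside this hunk.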
@@ -121,8 +121,8 @@
 {
 	if ($_user['user_id'] OR ($current_forum['allow_anonymous']==1 AND !$_user['user_id']))
 	{
-		echo '<a href="reply.php?'.api_get_cidreq().'&forum='.$_GET['forum'].'&amp;thread='.$_GET['thread'].'&amp;post='.$rows[$display_post_id]['post_id'].'&amp;action=replymessage">'.get_lang('ReplyToMessage').'</a><br />';
-		echo '<a href="reply.php?'.api_get_cidreq().'&forum='.$_GET['forum'].'&amp;thread='.$_GET['thread'].'&amp;post='.$rows[$display_post_id]['post_id'].'&amp;action=quote">'.get_lang('QuoteMessage').'</a><br /><br />';
+		echo '<a href="reply.php?'.api_get_cidreq().'&forum='.Security::remove_XSS($_GET['forum']).'&amp;thread='.Security::remove_XSS($_GET['thread']).'&amp;post='.$rows[$display_post_id]['post_id'].'&amp;action=replymessage">'.get_lang('ReplyToMessage').'</a><br />';
+		echo '<a href="reply.php?'.api_get_cidreq().'&forum='.Security::remove_XSS($_GET['forum']).'&amp;thread='.Security::remove_XSS($_GET['thread']).'&amp;post='.$rows[$display_post_id]['post_id'].'&amp;action=quote">'.get_lang('QuoteMessage').'</a><br /><br />';
 	}
 }
 else 
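Review bot: `Security::remove_XSS()` is an HTML filter, but on the new side (L1795, L1796) the values are placed into a query string, so the transformation a query parameter needs is `urlencode()` or, since `forum` and `thread` are ids, an integer cast: `'&amp;forum='.(int)$_GET['forum'].'&amp;thread='.(int)$_GET['thread']`. The same pattern is in the hunk at L1800–L1808 and in the hunk that starts before this chunk. The `&forum=` separator is also a bare `&` while its neighbours are `&amp;`; inside an HTML attribute all of them should be `&amp;`. The enclosing block starts before the hunk.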
@@ -219,7 +219,7 @@
 		{
 			$class='';
 		}
-		echo "<a href=\"viewthread.php?".api_get_cidreq()."&forum=".$_GET['forum']."&amp;thread=".$_GET['thread']."&amp;post=".$post['post_id']."\" $class>".prepare4display($post['post_title'])."</a></div>\n";
+		echo "<a href=\"viewthread.php?".api_get_cidreq()."&forum=".Security::remove_XSS($_GET['forum'])."&amp;thread=".Security::remove_XSS($_GET['thread'])."&amp;post=".$post['post_id']."\" $class>".prepare4display($post['post_title'])."</a></div>\n";
 	}	
 }
 
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/inc/lib/add_course.lib.inc.php dokeosmod/main/inc/lib/add_course.lib.inc.php
--- dokeosorig/main/inc/lib/add_course.lib.inc.php	2007-09-27 03:07:47.000000000 -0500
+++ dokeosmod/main/inc/lib/add_course.lib.inc.php	2008-02-05 01:13:31.000000000 -0500
@@ -1954,10 +1954,10 @@
 					code = '".Database :: escape_string($courseSysCode) . "',
 					db_name = '".Database :: escape_string($courseDbName) . "',
 					directory = '".Database :: escape_string($courseRepository) . "',
-					course_language = '".$course_language . "',
+					course_language = '".Database::escape_string($course_language) . "',
 					title = '".Database :: escape_string($title) . "',
-					description = '".lang2db($langCourseDescription) . "',
-					category_code = '".$category . "',
+					description = '".lang2db(get_lang('CourseDescription')) . "',
+					category_code = '".Database::escape_string($category) . "',
 					visibility = '".$defaultVisibilityForANewCourse . "',
 					show_score = '',
 					disk_quota = '".api_get_setting('default_document_quotum') . "',
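Review bot: `visibility` and `disk_quota` on L1823 and L1825 are still interpolated raw (`$defaultVisibilityForANewCourse`, `api_get_setting('default_document_quotum')`), so the escaping added in this hunk leaves the statement only partly covered; passing them through `Database::escape_string()` as well, or casting them with `(int)` if they are numeric, would make the INSERT uniformly escaped. The INSERT statement begins before the hunk.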
@@ -1970,16 +1970,16 @@
 
 		api_sql_query($sql, __FILE__, __LINE__);
 
-		$sort = api_max_sort_value('0', $_user['user_id']);
+		$sort = api_max_sort_value('0', api_get_user_id());
 		
 		require_once (api_get_path(LIBRARY_PATH).'course.lib.php');
 		$i_course_sort = CourseManager :: userCourseSort($uidCreator,$courseSysCode);
 		
 		$sql = "INSERT INTO ".$TABLECOURSUSER . " SET
 					course_code = '".addslashes($courseSysCode) . "',
-					user_id = '".$uidCreator . "',
+					user_id = '".Database::escape_string($uidCreator) . "',
 					status = '1',
-					role = '".lang2db('Professor') . "',
+					role = '".lang2db(get_lang('Professor')) . "',
 					tutor_id='1',
 					sort='". ($i_course_sort) . "',
 					user_course_cat='0'";
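Review bot: `course_code` on L1837 still uses `addslashes()` while the other values of the same statement now go through `Database::escape_string()`; `addslashes()` is not aware of the connection charset, so `course_code = '".Database::escape_string($courseSysCode) . "',` would make the escaping consistent. The same `addslashes()` remains at L1849 in the next hunk, and `sort='". ($i_course_sort) . "'` on L1844 is interpolated with neither escaping nor a cast. The enclosing function starts before the hunk.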
@@ -1989,7 +1989,7 @@
 			foreach($teachers as $key){
 				$sql = "INSERT INTO ".$TABLECOURSUSER . " SET
 					course_code = '".addslashes($courseSysCode) . "',
-					user_id = '".$key . "',
+					user_id = '".Database::escape_string($key) . "',
 					status = '1',
 					role = '',
 					tutor_id='0',
@@ -2016,6 +2016,7 @@
 {
 	include (api_get_path(LIBRARY_PATH) . "pclzip/pclzip.lib.php");
 	printVar(dirname($archive), "Zip : ");
+	$uid = api_get_user_id();
 	/*
 	string tempnam ( string dir, string prefix)
 	tempnam() cree un fichier temporaire unique dans le dossier dir. Si le dossier n'existe pas, tempnam() va generer un nom de fichier dans le dossier temporaire du systeme.
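Review bot: `$uid = api_get_user_id();` on L1859 is assigned but nothing in the hunk reads it; if a line further down uses it to build a temp path, an `(int)` cast would make that intent explicit, and if it is unused it should be dropped. A short comment such as `// owner of the course being restored; used below` would tell the reader why it is fetched here. `printVar(dirname($archive), "Zip : ")` on L1858 writes a server-side directory into the response, which looks like leftover debugging output. The enclosing function starts before and ends after the hunk.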
@@ -2034,4 +2035,4 @@
 	rmdir($tmpDirName);
 	return $courseProperties;
 }
-?>
\ Pas de fin de ligne Ã  la fin du fichier.
+?>
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/inc/lib/events.lib.inc.php dokeosmod/main/inc/lib/events.lib.inc.php
--- dokeosorig/main/inc/lib/events.lib.inc.php	2007-08-12 14:21:05.000000000 -0500
+++ dokeosmod/main/inc/lib/events.lib.inc.php	2008-02-05 21:06:01.000000000 -0500
@@ -77,7 +77,7 @@
 	// @getHostByAddr($_SERVER['REMOTE_ADDR']) : will provide host and country information
 	// $_SERVER['HTTP_USER_AGENT'] :  will provide browser and os information
 	// $_SERVER['HTTP_REFERER'] : provide information about refering url
-	$referer = $_SERVER['HTTP_REFERER'];
+	$referer = Database::escape_string($_SERVER['HTTP_REFERER']);
 	// record informations only if user comes from another site
 	//if(!eregi($_configuration['root_web'],$referer))
 	$pos = strpos($referer, $_configuration['root_web']);
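Review bot: escaping `HTTP_REFERER` at L1878 happens before the value is compared with `$_configuration['root_web']` on L1881, so the comparison sees the SQL-escaped form rather than the header; escaping belongs where the query is built, as the hunk at L1882–L1890 already does for `HTTP_USER_AGENT`. The header is also read without an `isset()` guard, so a request with no referer raises a notice: `$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';`. The enclosing function starts before the hunk.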
@@ -96,7 +96,7 @@
 		
 						VALUES
 						('".$remhost."',
-						 '".$_SERVER['HTTP_USER_AGENT']."', '".$referer."', FROM_UNIXTIME($reallyNow) )";
+						 '".Database::escape_string($_SERVER['HTTP_USER_AGENT'])."', '".$referer."', FROM_UNIXTIME($reallyNow) )";
 		$res = api_sql_query($sql,__FILE__,__LINE__);
 		//$mysql_query($sql);
 	}
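Review bot: `$remhost` on L1885 is still interpolated without escaping while the two neighbouring values now are; per the comment above the hunk it appears to come from `getHostByAddr()`, and a reverse-DNS name is data supplied by whoever controls the PTR record, so it should be escaped the same way: `('".Database::escape_string($remhost)."',`. The enclosing statement starts before the hunk.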
@@ -129,7 +129,7 @@
 	
 				 VALUES
 					('".$_user['user_id']."',
-					'".$_SERVER['REMOTE_ADDR']."',
+					'".Database::escape_string($_SERVER['REMOTE_ADDR'])."',
 					FROM_UNIXTIME(".$reallyNow."))";
 	$res = api_sql_query($sql,__FILE__,__LINE__);
 	//$mysql_query($sql);
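Review bot: `$_user['user_id']` on L1894 is the remaining raw value in this INSERT; it is a user id, so `('".(int)$_user['user_id']."',` keeps it numeric and consistent with the escaping added on the next line. The statement begins before the hunk.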
@@ -611,4 +611,4 @@
 	$res = api_sql_query($sql,__FILE__,__LINE__);
 	return true;
 }
-?>
\ Pas de fin de ligne Ã  la fin du fichier.
+?>
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/inc/lib/fileUpload.lib.php dokeosmod/main/inc/lib/fileUpload.lib.php
--- dokeosorig/main/inc/lib/fileUpload.lib.php	2007-09-19 03:21:27.000000000 -0500
+++ dokeosmod/main/inc/lib/fileUpload.lib.php	2008-02-05 01:14:02.000000000 -0500
@@ -106,7 +106,7 @@
 
 function php2phps ($fileName)
 {
-	$fileName = eregi_replace("\.(php.?|phtml)$", ".phps", $fileName);
+	$fileName = preg_replace('/\.(php.?|phtml.?)(\.){0,1}.*$/i', '.phps', $fileName);
 	return $fileName;
 }
 
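Review bot: the new pattern's intent is not stated, and it is wider than the old one: the unescaped `.` in `php.?` accepts any single character after `php` (not only digits), and `.*$` discards everything after the matched extension, so `x.php.txt` and `x.phtml-old.bak` both become `x.phps`. If that is the intended behaviour, a comment above L1915 should say so, e.g. `// neutralise anything a web server might treat as PHP: php, php3/4/5, phtml, and double extensions such as .php.txt`; if only version suffixes are meant, `php\d?` is the narrower form. Either way an input already ending in `.phps` maps to itself, which is harmless.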
@@ -309,131 +309,106 @@
 	$clean_name = replace_dangerous_char($uploaded_file['name']);
 	//no "dangerous" files
 	$clean_name = disable_dangerous_file($clean_name);
-	//echo "<br/>clean name = ".$clean_name;
-	//echo "<br/>upload_path = ".$upload_path;
-	//if the upload path differs from / (= root) it will need a slash at the end
-	if ($upload_path!='/')
-		$upload_path = $upload_path.'/';
-	//echo "<br/>upload_path = ".$upload_path;
-	$file_path = $upload_path.$clean_name;
-	//echo "<br/>file path = ".$file_path;
-	//full path to where we want to store the file with trailing slash
-	$where_to_save = $base_work_dir.$upload_path;
-	//at least if the directory doesn't exist, tell so
-	if(!is_dir($where_to_save)){
-		Display::display_error_message(get_lang('DestDirectoryDoesntExist').' ('.$upload_path.')');
+	if(!filter_extension($clean_name))
+	{
+		Display::display_error_message(get_lang('UplUnableToSaveFileFilteredExtension'));
 		return false;
 	}
-	//echo "<br/>where to save = ".$where_to_save;
-	// full path of the destination
-	$store_path = $where_to_save.$clean_name;
-	//echo "<br/>store path = ".$store_path;
-	//name of the document without the extension (for the title)
-	$document_name = get_document_title($uploaded_file['name']);
-	//size of the uploaded file (in bytes)
-	$file_size = $uploaded_file['size'];
-		//what to do if the target file exists
-		switch ($what_if_file_exists)
-			{
-			//overwrite the file if it exists
-			case 'overwrite':
-
-				//check if the target file exists, so we can give another message
-				if (file_exists($store_path))
-				{
-					$file_exists = true;
-				}
-				else
-				{
-					$file_exists = false;
-				}
-				if (@move_uploaded_file($uploaded_file['tmp_name'], $store_path))
+	else
+	{
+		//extension is good
+		//echo "<br/>clean name = ".$clean_name;
+		//echo "<br/>upload_path = ".$upload_path;
+		//if the upload path differs from / (= root) it will need a slash at the end
+		if ($upload_path!='/')
+			$upload_path = $upload_path.'/';
+		//echo "<br/>upload_path = ".$upload_path;
+		$file_path = $upload_path.$clean_name;
+		//echo "<br/>file path = ".$file_path;
+		//full path to where we want to store the file with trailing slash
+		$where_to_save = $base_work_dir.$upload_path;
+		//at least if the directory doesn't exist, tell so
+		if(!is_dir($where_to_save)){
+			Display::display_error_message(get_lang('DestDirectoryDoesntExist').' ('.$upload_path.')');
+			return false;
+		}
+		//echo "<br/>where to save = ".$where_to_save;
+		// full path of the destination
+		$store_path = $where_to_save.$clean_name;
+		//echo "<br/>store path = ".$store_path;
+		//name of the document without the extension (for the title)
+		$document_name = get_document_title($uploaded_file['name']);
+		//size of the uploaded file (in bytes)
+		$file_size = $uploaded_file['size'];
+			//what to do if the target file exists
+			switch ($what_if_file_exists)
 				{
-					if($file_exists)
+				//overwrite the file if it exists
+				case 'overwrite':
+	
+					//check if the target file exists, so we can give another message
+					if (file_exists($store_path))
 					{
-						//UPDATE DATABASE!
-						$document_id = DocumentManager::get_document_id($_course,$file_path);
-						if ($document_id)
-						{
-							//update filesize
-							update_existing_document($_course,$document_id,$uploaded_file['size']);
-							//update document item_property
-							api_item_property_update($_course,TOOL_DOCUMENT,$document_id,'DocumentUpdated',$user_id,$to_group_id,$to_user_id);
-						}
-						//if the file is in a folder, we need to update all parent folders
-						item_property_update_on_folder($_course,$upload_path,$user_id);
-						//display success message with extra info to user
-						if($output){
-							Display::display_confirmation_message(get_lang('UplUploadSucceeded')."<br/>".$file_path .' '. get_lang('UplFileOverwritten'),false);
-						}
-						return $file_path;
+						$file_exists = true;
 					}
 					else
 					{
-						//put the document data in the database
-						$document_id = add_document($_course,$file_path,'file',$file_size,$document_name);
-						if ($document_id)
+						$file_exists = false;
+					}
+					if (@move_uploaded_file($uploaded_file['tmp_name'], $store_path))
+					{
+						if($file_exists)
 						{
-							//put the document in item_property update
-							api_item_property_update($_course,TOOL_DOCUMENT,$document_id,'DocumentAdded',$user_id,$to_group_id,$to_user_id);
+							//UPDATE DATABASE!
+							$document_id = DocumentManager::get_document_id($_course,$file_path);
+							if ($document_id)
+							{
+								//update filesize
+								update_existing_document($_course,$document_id,$uploaded_file['size']);
+								//update document item_property
+								api_item_property_update($_course,TOOL_DOCUMENT,$document_id,'DocumentUpdated',$user_id,$to_group_id,$to_user_id);
+							}
+							//if the file is in a folder, we need to update all parent folders
+							item_property_update_on_folder($_course,$upload_path,$user_id);
+							//display success message with extra info to user
+							if($output){
+								Display::display_confirmation_message(get_lang('UplUploadSucceeded')."<br/>".$file_path .' '. get_lang('UplFileOverwritten'),false);
+							}
+							return $file_path;
+						}
+						else
+						{
+							//put the document data in the database
+							$document_id = add_document($_course,$file_path,'file',$file_size,$document_name);
+							if ($document_id)
+							{
+								//put the document in item_property update
+								api_item_property_update($_course,TOOL_DOCUMENT,$document_id,'DocumentAdded',$user_id,$to_group_id,$to_user_id);
+							}
+							//if the file is in a folder, we need to update all parent folders
+							item_property_update_on_folder($_course,$upload_path,$user_id);
+							//display success message to user
+							Display::display_confirmation_message(get_lang('UplUploadSucceeded')."<br/>".$file_path,false);
+							return $file_path;
 						}
-						//if the file is in a folder, we need to update all parent folders
-						item_property_update_on_folder($_course,$upload_path,$user_id);
-						//display success message to user
-						Display::display_confirmation_message(get_lang('UplUploadSucceeded')."<br/>".$file_path,false);
-						return $file_path;
 					}
-				}
-				else
-				{
-					Display::display_error_message(get_lang('UplUnableToSaveFile'));
-					return false;
-				}
-				break;
-
-			//rename the file if it exists
-			case 'rename':
-				$new_name = unique_name($where_to_save, $clean_name);
-				$store_path = $where_to_save.$new_name;
-				$new_file_path = $upload_path.$new_name;
-
-				if (@move_uploaded_file($uploaded_file['tmp_name'], $store_path))
-				{
-					//put the document data in the database
-					$document_id = add_document($_course,$new_file_path,'file',$file_size,$document_name);
-					if ($document_id)
+					else
 					{
-						//update document item_property
-						api_item_property_update($_course,TOOL_DOCUMENT,$document_id,'DocumentAdded',$user_id,$to_group_id,$to_user_id);
-					}
-					//if the file is in a folder, we need to update all parent folders
-					item_property_update_on_folder($_course,$upload_path,$user_id);
-					//display success message to user
-					if($output){
-						Display::display_confirmation_message(get_lang('UplUploadSucceeded'). "<br>" .get_lang('UplFileSavedAs') . $new_file_path,false);
+						Display::display_error_message(get_lang('UplUnableToSaveFile'));
+						return false;
 					}
-					return $new_file_path;
-				}
-				else
-				{
-					Display::display_error_message(get_lang('UplUnableToSaveFile'));
-					return false;
-				}
-				break;
-
-			//only save the file if it doesn't exist or warn user if it does exist
-			default:
-				if (file_exists($store_path))
-				{
-					Display::display_error_message($clean_name.' '.get_lang('UplAlreadyExists'));
-				}
-				else
-				{
+					break;
+	
+				//rename the file if it exists
+				case 'rename':
+					$new_name = unique_name($where_to_save, $clean_name);
+					$store_path = $where_to_save.$new_name;
+					$new_file_path = $upload_path.$new_name;
+	
 					if (@move_uploaded_file($uploaded_file['tmp_name'], $store_path))
 					{
-
 						//put the document data in the database
-						$document_id = add_document($_course,$file_path,'file',$file_size,$document_name);
+						$document_id = add_document($_course,$new_file_path,'file',$file_size,$document_name);
 						if ($document_id)
 						{
 							//update document item_property
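Review bot: the `else` at L1965 re-indents the rest of the function although the `if` branch above it returns, which is what turns a one-check change into a 130-line hunk; dropping the `else` keeps the diff to the added `filter_extension()` guard. Two inconsistencies survive on the new side: the new-file path of the `overwrite` case displays its confirmation on L2061 without checking `$output`, unlike the `rename` and `default` cases, and in the `default` case (L2155–L2158, next hunk) the file-exists branch prints an error without `return false`, so the function falls off the end and returns null. `$upload_path` is joined to `$base_work_dir` unchanged on L1977; if the callers do not already canonicalise it, that is worth confirming. The enclosing function starts before this hunk and ends in the next one.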
@@ -443,18 +418,52 @@
 						item_property_update_on_folder($_course,$upload_path,$user_id);
 						//display success message to user
 						if($output){
-							Display::display_confirmation_message(get_lang('UplUploadSucceeded')."<br/>".$file_path,false);
+							Display::display_confirmation_message(get_lang('UplUploadSucceeded'). "<br>" .get_lang('UplFileSavedAs') . $new_file_path,false);
 						}
-						return $file_path;
+						return $new_file_path;
 					}
 					else
 					{
 						Display::display_error_message(get_lang('UplUnableToSaveFile'));
 						return false;
 					}
+					break;
+	
+				//only save the file if it doesn't exist or warn user if it does exist
+				default:
+					if (file_exists($store_path))
+					{
+						Display::display_error_message($clean_name.' '.get_lang('UplAlreadyExists'));
+					}
+					else
+					{
+						if (@move_uploaded_file($uploaded_file['tmp_name'], $store_path))
+						{
+	
+							//put the document data in the database
+							$document_id = add_document($_course,$file_path,'file',$file_size,$document_name);
+							if ($document_id)
+							{
+								//update document item_property
+								api_item_property_update($_course,TOOL_DOCUMENT,$document_id,'DocumentAdded',$user_id,$to_group_id,$to_user_id);
+							}
+							//if the file is in a folder, we need to update all parent folders
+							item_property_update_on_folder($_course,$upload_path,$user_id);
+							//display success message to user
+							if($output){
+								Display::display_confirmation_message(get_lang('UplUploadSucceeded')."<br/>".$file_path,false);
+							}
+							return $file_path;
+						}
+						else
+						{
+							Display::display_error_message(get_lang('UplUnableToSaveFile'));
+							return false;
+						}
+					}
+					break;
 				}
-				break;
-				}
+		}
 	}
 }
 
@@ -1078,7 +1087,7 @@
  * The list of extensions accepted/rejected can be found from 
  * api_get_setting('upload_extensions_exclude') and api_get_setting('upload_extensions_include')
  * @param	string 	filename passed by reference. The filename will be modified if filter rules say so! (you can include path but the filename should look like 'abc.html')
- * @return	int		0 to skip file in zip extraction, 1 to keep file
+ * @return	int		0 to skip file, 1 to keep file
  */
 function filter_extension(&$filename)
 {
@@ -1088,7 +1097,7 @@
 	{
 		$extensions = split(';',strtolower(api_get_setting('upload_extensions_blacklist')));
 		$skip = api_get_setting('upload_extensions_skip');
-		$ext = strrchr($filename, ".");		
+		$ext = strrchr($filename, ".");
 		$ext = substr($ext,1);
 		if(empty($ext)){return 1;}//we're in blacklist mode, so accept empty extensions
 		if(in_array(strtolower($ext),$extensions))
@@ -1889,4 +1898,4 @@
 	$string = strtr ( $string, "ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½", "AAAAAAaaaaaaOOOOOOooooooEEEEeeeeCcIIIIiiiiUUUUuuuuyNn");
 	return $string;
 }
-?>
\ Pas de fin de ligne Ã  la fin du fichier.
+?>
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/inc/lib/online.inc.php dokeosmod/main/inc/lib/online.inc.php
--- dokeosorig/main/inc/lib/online.inc.php	2006-11-26 13:45:33.000000000 -0500
+++ dokeosmod/main/inc/lib/online.inc.php	2008-02-05 01:14:10.000000000 -0500
@@ -128,7 +128,8 @@
 function GetFullUserName($uid)
 {
 	$user_table = Database::get_main_table(TABLE_MAIN_USER);
-	$query = "SELECT `firstname`,`lastname` FROM ".$user_table." WHERE `user_id`='$uid'";
+	$safe_uid = Database::escape_string($uid);
+	$query = "SELECT `firstname`,`lastname` FROM ".$user_table." WHERE `user_id`='$safe_uid'";
 	$result = @api_sql_query($query,__FILE__,__LINE__);
 	if (count($result)>0)
 	{
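Review bot: `$uid` is a user id, so `$safe_uid = (int) $uid;` is both simpler and stricter than string escaping, and the column comparison could then drop its quotes. The `@` on `api_sql_query()` at L2228 suppresses whatever error the query raises, which hides exactly the failures this change is meant to prevent. The function continues past the hunk.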
@@ -247,6 +248,7 @@
 function who_is_online_in_this_course($uid, $valid, $coursecode)
 {				
 	$track_online_table = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_ONLINE);
+	$coursecode = Database::escape_string($coursecode);
 	$query = "SELECT login_user_id,login_date FROM ".$track_online_table ." WHERE course='".$coursecode."' AND DATE_ADD(login_date,INTERVAL $valid MINUTE) >= NOW() ";	
 	$result = api_sql_query($query,__FILE__,__LINE__);							
 	if (count($result)>0)
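Review bot: `$valid` is interpolated unquoted into `INTERVAL $valid MINUTE` on L2236, where `Database::escape_string()` would not help because there are no quotes to escape; cast it instead, next to the new `$coursecode` line: `$valid = (int) $valid;`. The function continues past the hunk.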
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/inc/lib/usermanager.lib.php dokeosmod/main/inc/lib/usermanager.lib.php
--- dokeosorig/main/inc/lib/usermanager.lib.php	2007-09-17 10:04:03.000000000 -0500
+++ dokeosmod/main/inc/lib/usermanager.lib.php	2008-02-05 01:14:16.000000000 -0500
@@ -144,6 +144,8 @@
 		$table_class_user = Database :: get_main_table(TABLE_MAIN_CLASS_USER);
 		$table_course = Database :: get_main_table(TABLE_MAIN_COURSE);
 		$table_admin = Database :: get_main_table(TABLE_MAIN_ADMIN);
+		$table_session_user = Database :: get_main_table(TABLE_MAIN_SESSION_USER);
+		$table_session_course_user = Database :: get_main_table(TABLE_MAIN_SESSION_COURSE_USER);
 
 		// Unsubscribe the user from all groups in all his courses
 		$sql = "SELECT * FROM $table_course c, $table_course_user cu WHERE cu.user_id = '".$user_id."' AND c.code = cu.course_code";
@@ -162,6 +164,14 @@
 		// Unsubscribe user from all courses
 		$sql = "DELETE FROM $table_course_user WHERE user_id = '".$user_id."'";
 		api_sql_query($sql,__FILE__,__LINE__);
+		
+		// Unsubscribe user from all courses in sessions
+		$sql = "DELETE FROM $table_session_course_user WHERE id_user = '".$user_id."'";
+		api_sql_query($sql,__FILE__,__LINE__);
+		
+		// Unsubscribe user from all sessions
+		$sql = "DELETE FROM $table_session_user WHERE id_user = '".$user_id."'";
+		api_sql_query($sql,__FILE__,__LINE__);
 
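Review bot: the two new DELETE statements interpolate `$user_id` directly (L2257, L2261), following the existing pattern on L2250 and L2253; since it is a numeric id, a single `$user_id = (int) $user_id;` at the top of the method would cover every statement in it. The enclosing method starts before the hunk.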
 		// Delete user picture
 		$user_info = api_get_user_info($user_id);
@@ -189,10 +199,28 @@
 		$sql = "DELETE FROM $agenda_table WHERE user = '".$user_id."'";
 		api_sql_query($sql,__FILE__,__LINE__);
 
+		//$gradebook_results_table = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_RESULT);
+		//$sql = 'DELETE FROM '.$gradebook_results_table.' WHERE user_id = '.$user_id;
+		//api_sql_query($sql, __FILE__, __LINE__);
+		
 		return true;
 	}
 
 	/**
+	 * Update user information with new openid
+	 * @param int $user_id
+	 * @param string $openid
+	 * @return boolean true if the user information was updated
+	 */
+	function update_openid($user_id, $openid)
+	{
+		$table_user = Database :: get_main_table(TABLE_MAIN_USER);
+		$sql = "UPDATE $table_user SET
+				openid='".Database::escape_string($openid)."'";
+		$sql .=	" WHERE user_id='$user_id'";
+		return api_sql_query($sql,__FILE__,__LINE__);
+	}
+	/**
 	 * Update user information
 	 * @param int $user_id
 	 * @param string $firstname
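Review bot: `update_openid()` escapes `$openid` but interpolates `$user_id` raw in the WHERE clause on L2288; `$sql .= " WHERE user_id='".(int)$user_id."'";` keeps the method safe regardless of what the caller passes. Its docblock promises `boolean`, but the method returns whatever `api_sql_query()` returns, so one of the two should change. The commented-out gradebook deletion at L2270–L2272 means a deleted user's gradebook rows stay in place; if that is deliberate, a comment saying why belongs there instead of dead code.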
@@ -323,8 +351,8 @@
 		echo "<select name=\"author\">";
 		while ($result = Database::fetch_array($sql_result))
 		{
-			if($sel_teacher==$result[user_id]) $selected ="selected";
-			echo "\n<option value=\"".$result[user_id]."\" $selected>".$result[firstname]."</option>";
+			if($sel_teacher==$result['user_id']) $selected ="selected";
+			echo "\n<option value=\"".$result['user_id']."\" $selected>".$result['firstname']."</option>";
 		}
 		echo "</select>";
 	}
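Review bot: `$selected` is set on L2301 but never reset inside the loop, so once one row matches `$sel_teacher` every following `<option>` is also emitted with `selected`; compute it per iteration instead: `$selected = ($sel_teacher == $result['user_id']) ? 'selected' : '';`. `$result['firstname']` on L2302 is also written into the markup without `htmlspecialchars()`. The enclosing function starts before the hunk.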
@@ -390,5 +418,96 @@
 		}
 		return array('dir'=>$dir,'file'=>$path);
 	}
+
+/*
+-----------------------------------------------------------
+	PRODUCTIONS FUNCTIONS
+-----------------------------------------------------------
+*/
+
+	/**
+	 * Returns an XHTML formatted list of productions for a user, or FALSE if he
+	 * doesn't have any.
+	 *
+	 * If there has been a request to remove a production, the function will return
+	 * without building the list unless forced to do so by the optional second
+	 * parameter. This increases performance by avoiding to read through the
+	 * productions on the filesystem before the removal request has been carried
+	 * out because they'll have to be re-read afterwards anyway.
+	 *
+	 * @param	$user_id	User id
+	 * @param	$force	Optional parameter to force building after a removal request
+	 * @return	A string containing the XHTML code to dipslay the production list, or FALSE
+	 */
+	function build_production_list($user_id, $force = false, $showdelete=false)
+	{
+		if (!$force && $_POST['remove_production'])
+			return true; // postpone reading from the filesystem
+	
+		$productions = UserManager::get_user_productions($user_id);
+	
+		if (empty($productions))
+			return false;
+	
+		$production_path = UserManager::get_user_picture_path_by_id($user_id,'web',true);
+		$production_dir = $production_path['dir'].$user_id.'/';
+		$del_image = api_get_path(WEB_CODE_PATH).'img/delete.gif';
+		$del_text = get_lang('Delete');
+	
+		$production_list = '<ul id="productions">';
+	
+		foreach ($productions as $file)
+		{
+			$production_list .= '<li><a href="'.$production_dir.urlencode($file).'" target="_blank">'.htmlentities($file).'</a>';
+			if ($showdelete)
+			{
+				$production_list .= '<input type="image" name="remove_production['.urlencode($file).']" src="'.$del_image.'" alt="'.$del_text.'" title="'.$del_text.' '.htmlentities($file).'" onclick="return confirmation(\''.htmlentities($file).'\');" /></li>';
+			}
+		}
+	
+		$production_list .= '</ul>';
+	
+		return $production_list;
+	}
+	
+	/**
+	 * Returns an array with the user's productions.
+	 *
+	 * @param	$user_id	User id
+	 * @return	An array containing the user's productions
+	 */
+	function get_user_productions($user_id)
+	{
+		$production_path = UserManager::get_user_picture_path_by_id($user_id,'system',true);
+		$production_repository = $production_path['dir'].$user_id.'/';
+		$productions = array();
+	
+		if (is_dir($production_repository))
+		{
+			$handle = opendir($production_repository);
+	
+			while ($file = readdir($handle))
+			{
+				if ($file == '.' || $file == '..' || $file == '.htaccess')
+					continue; // skip current/parent directory and .htaccess
+	
+				$productions[] = $file;
+			}
+		}
+	
+		return $productions; // can be an empty array
+	}
+	
+	/**
+	 * Remove a user production.
+	 *
+	 * @param	$user_id		User id
+	 * @param	$production	The production to remove
+	 */
+	function remove_user_production($user_id, $production)
+	{
+		$production_path = UserManager::get_user_picture_path_by_id($user_id,'system',true);
+		unlink($production_path['dir'].$user_id.'/'.$production);
+	}
 }
-?>
\ Pas de fin de ligne Ã  la fin du fichier.
+?>
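Review bot: `remove_user_production()` (L2396–L2400) unlinks `$production_path['dir'].$user_id.'/'.$production` without checking that `$production` names a file inside that directory; `build_production_list()` shows the name arriving as a `$_POST['remove_production']` key (L2333, L2353), so the method should refuse anything it would not itself list: `if (!in_array($production, UserManager::get_user_productions($user_id), true)) { return false; }` before the `unlink()`. In `get_user_productions()`, `while ($file = readdir($handle))` on L2378 stops early on a file literally named `0`; use `while (($file = readdir($handle)) !== false)` and add `closedir($handle);` after the loop. `build_production_list()` reads `$_POST['remove_production']` without `isset()`, and its docblock lacks a `@param $showdelete` entry.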
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/mySpace/index.php dokeosmod/main/mySpace/index.php
--- dokeosorig/main/mySpace/index.php	2007-09-27 09:57:38.000000000 -0500
+++ dokeosmod/main/mySpace/index.php	2008-02-05 01:14:55.000000000 -0500
@@ -553,7 +553,7 @@
 if(api_is_platform_admin() && $view=='admin'){
 	
 	$tracking_column = isset($_GET['tracking_list_coaches_column']) ? $_GET['tracking_list_coaches_column'] : 0;
-	$tracking_direction = isset($_GET['tracking_list_coaches_direction']) ? $_GET['tracking_list_coaches_direction'] : 'DESC';
+	$tracking_direction = (isset($_GET['tracking_list_coaches_direction']) && in_array(strtoupper($_GET['tracking_list_coaches_direction']),array('ASC','DESC','ASCENDING','DESCENDING','0','1'))) ? $_GET['tracking_list_coaches_direction'] : 'DESC';
 	//prepare array for column order - when impossible, use lastname
 	$order = array(0=>'firstname',1=>'lastname',2=>'lastname',3=>'login_date',4=>'lastname',5=>'lastname');
 	
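Review bot: the whitelist on L2413 accepts `ASCENDING`, `DESCENDING`, `0` and `1`, none of which MySQL accepts after `ORDER BY`, so those values pass the check and then break the query assembled in the next hunk (L2427); restricting it to `array('ASC','DESC')` and using the upper-cased value is enough. `$tracking_column` on L2411 is still taken raw from the request; the `!empty($order[...])` guard in the next hunk covers it only if the variable name used there is spelled correctly.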
@@ -584,9 +584,12 @@
 	$sqlCoachs = "	SELECT DISTINCT id_coach, user_id, lastname, firstname, MAX(login_date) as login_date 
 					FROM $tbl_user, $tbl_session_course, $tbl_track_login 
 					WHERE id_coach=user_id AND login_user_id=user_id
-					GROUP BY user_id " .
+					GROUP BY user_id " ;
 				//	ORDER BY login_date ".$tracking_direction;
-					"ORDER BY ".$order[$tracking_column]." ".$tracking_direction;
+	if(!empty($order[$trackin_column]))
+	{
+		$sqlCoachs .= 	"ORDER BY ".$order[$tracking_column]." ".$tracking_direction;
+	}
 
 	$result_coaches=api_sql_query($sqlCoachs, __FILE__, __LINE__);
 	$total_no_coachs = mysql_num_rows($result_coaches);
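Review bot: L2425 tests `$order[$trackin_column]`, and `$trackin_column` is an undefined variable (a typo for `$tracking_column`), so `!empty()` is always false and the `ORDER BY` clause is never appended; the coach list silently loses its sorting. Fix: `if(!empty($order[$tracking_column]))`. With that corrected, the guard does confine the column to the keys of `$order`, which is the right shape for an ORDER BY built from request input.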
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/work/work.lib.php dokeosmod/main/work/work.lib.php
--- dokeosorig/main/work/work.lib.php	2007-09-26 21:19:40.000000000 -0500
+++ dokeosmod/main/work/work.lib.php	2008-02-05 01:15:08.000000000 -0500
@@ -41,11 +41,11 @@
 	}
 	if (! $always_show_upload_form )
 	{
-		$display_output .= "<a href=\"".api_get_self()."?".api_get_cidreq()."&curdirpath=".$cur_dir_path."&amp;display_upload_form=true&amp;origin=".$_GET['origin']."\">".Display::return_icon('submit_file.gif')." ". get_lang("UploadADocument") . "</a> ";
+		$display_output .= "<a href=\"".api_get_self()."?".api_get_cidreq()."&curdirpath=".$cur_dir_path."&amp;display_upload_form=true&amp;origin=".Security::remove_XSS($_GET['origin'])."\">".Display::return_icon('submit_file.gif')." ". get_lang("UploadADocument") . "</a> ";
 	}
 	if (! $always_show_tool_options && api_is_allowed_to_edit() )
 	{
-		$display_output .=	"<a href=\"".api_get_self()."?".api_get_cidreq()."&curdirpath=".$cur_dir_path."&amp;display_tool_options=true&amp;origin=".$_GET['origin']."\">".Display::return_icon('acces_tool.gif').' ' . get_lang("EditToolOptions") . "</a> ";
+		$display_output .=	"<a href=\"".api_get_self()."?".api_get_cidreq()."&curdirpath=".$cur_dir_path."&amp;display_tool_options=true&amp;origin=".Security::remove_XSS($_GET['origin'])."\">".Display::return_icon('acces_tool.gif').' ' . get_lang("EditToolOptions") . "</a> ";
 	}
 
 	if ($display_output != "")
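Review bot: `Security::remove_XSS()` is an HTML filter applied here (L2440, L2445) to a value going into a URL query string; `urlencode($_GET['origin'])` is the transformation a query parameter needs, and `$cur_dir_path` in the same attribute is still concatenated raw. The hunk at L2469–L2492 has the same pattern, where `page_nr` and `per_page` are numeric and would be better cast with `(int)`. The enclosing function starts before the hunk.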
@@ -68,7 +68,7 @@
 */
 function display_tool_options($uploadvisibledisabled, $origin,$base_work_dir,$cur_dir_path,$cur_dir_path_url)
 {
-	global $charset;
+	global $charset, $group_properties;
 	$is_allowed_to_edit = api_is_allowed_to_edit();
 	$work_table = Database::get_course_table(TABLE_STUDENT_PUBLICATION);
 
@@ -137,8 +137,8 @@
 				get_lang("Up").'</a>&nbsp;'."\n";
 }
 	echo '<!-- create directory -->' .
-			'<a href="'.api_get_self().'?'.api_get_cidreq().'&amp;curdirpath='.$cur_dir_path.'&amp;createdir=1"><img src="../img/folder_new.gif" border="0"alt ="" /></a>'.
-			'<a href="'.api_get_self().'?'.api_get_cidreq().'&amp;curdirpath='.$cur_dir_path.'&amp;createdir=1">'.get_lang("CreateDir").'</a>&nbsp;'."\n";
+			'<a href="'.api_get_self().'?'.api_get_cidreq().'&amp;curdirpath='.$cur_dir_path.'&amp;createdir=1"><img src="../img/folder_new.gif" border="0"alt ="'.get_lang('CreateDir').'" /></a>'.
+			'<a href="'.api_get_self().'?'.api_get_cidreq().'&amp;curdirpath='.$cur_dir_path.'&amp;createdir=1">'.get_lang('CreateDir').'</a>&nbsp;'."\n";
 
 	echo "</td></tr></table>";
 }
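Review bot: the new `alt` text on L2464 is inserted into the attribute without `htmlspecialchars()`, and `border="0"alt =` still lacks the space between the two attributes, so the markup is malformed: `border="0" alt="'.htmlspecialchars(get_lang('CreateDir'), ENT_QUOTES, $charset).'"`. If this is still inside `display_tool_options()`, `$charset` is in scope via the `global` line at L2454. The enclosing function starts before the hunk.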
@@ -185,19 +185,19 @@
 	$sort_params = array();
 	if( isset($_GET['column']))
 	{
-		$sort_params[] = 'column='.$_GET['column'];
+		$sort_params[] = 'column='.Security::remove_XSS($_GET['column']);
 	}
 	if( isset($_GET['page_nr']))
 	{
-		$sort_params[] = 'page_nr='.$_GET['page_nr'];
+		$sort_params[] = 'page_nr='.Security::remove_XSS($_GET['page_nr']);
 	}
 	if( isset($_GET['per_page']))
 	{
-		$sort_params[] = 'per_page='.$_GET['per_page'];
+		$sort_params[] = 'per_page='.Security::remove_XSS($_GET['per_page']);
 	}
 	if( isset($_GET['direction']))
 	{
-		$sort_params[] = 'direction='.$_GET['direction'];
+		$sort_params[] = 'direction='.Security::remove_XSS($_GET['direction']);
 	}
 	$sort_params = implode('&amp;',$sort_params);
 
@@ -224,14 +224,15 @@
 		if (!empty($_SESSION['toolgroup']))
 		{
 			$group_query = " WHERE post_group_id = '".$_SESSION['toolgroup']."' "; // set to select only messages posted by the user's group
+			$subdirs_query = "AND url NOT LIKE '$sub_course_dir%/%'";
 		}
 		else
 		{
 			$group_query = '';
+			$subdirs_query = "WHERE url NOT LIKE '$sub_course_dir%/%'";
 		}
-		$sql_get_publications_list =	"SELECT * FROM  $work_table $group_query ORDER BY id";
+		$sql_get_publications_list =	"SELECT * FROM  $work_table $group_query $subdirs_query ORDER BY id";
 	}
-	//echo $sql_get_publications_list;
 	$sql_result = api_sql_query($sql_get_publications_list,__FILE__,__LINE__);
 
 	$table_header[] = array(get_lang('Title'),true);
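Review bot: `$sub_course_dir` is interpolated into the `LIKE` pattern on L2497 and L2502 with no escaping, and `LIKE` treats `%` and `_` inside it as wildcards, so a course directory containing `_` matches more rows than intended; escape for SQL and for LIKE once: `$like_dir = addcslashes(Database::escape_string($sub_course_dir), '%_');` and use `$like_dir` in both branches. `$_SESSION['toolgroup']` on L2496 is interpolated raw as well; an `(int)` cast fits a group id. The enclosing block starts before the hunk.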
@@ -252,28 +253,25 @@
 		$mydir = $my_sub_dir.$dir;
 		$action = '';
 		//display info depending on the permissions
-	if( $is_allowed_to_edit)
-	{
-			$row = array();
-			$class = '';
-			$url = implode("/", array_map("rawurlencode", explode("/", $work->url)));
-			$row[] = '<a href="'.api_get_self().'?'.api_get_cidreq().
-				'&curdirpath='.$mydir.'"'.$class.'><img src="../img/folder_document.gif" alt="dir" height="20" width="20" align="absbottom"/>&nbsp;'.$dir.'</a>';
-			$row[] = '';
-			$row[] = '';
-			$row[] = '';
-			if( $is_allowed_to_edit)
-			{
-				//$action .= '<a href="'.api_get_self().'?cidReq='.api_get_course_id().
-				//	'&edit_dir='.$mydir.'"><img src="../img/edit.gif" alt="'.get_lang('Modify').'"></a>';
-				$action .= '<a href="'.api_get_self().'?'.
-					api_get_cidreq().'&delete_dir='.$mydir.'" onclick="javascript:if(!confirm('."'".addslashes(htmlentities(get_lang('ConfirmYourChoice'),ENT_QUOTES,$charset))."'".')) return false;"><img src="../img/delete.gif" alt="'.get_lang('DirDelete').'"></a>';
-				$row[] = $action;
-			}else{
-				$row[] = "";
-	}
-			$table_data[] = $row;
+		$row = array();
+		$class = '';
+		$url = implode("/", array_map("rawurlencode", explode("/", $work->url)));
+		$row[] = '<a href="'.api_get_self().'?'.api_get_cidreq().
+			'&curdirpath='.$mydir.'"'.$class.'><img src="../img/folder_document.gif" alt="dir" height="20" width="20" align="absbottom"/>&nbsp;'.$dir.'</a>';
+		$row[] = '';
+		$row[] = '';
+		$row[] = '';
+		if( $is_allowed_to_edit)
+		{
+			//$action .= '<a href="'.api_get_self().'?cidReq='.api_get_course_id().
+			//	'&edit_dir='.$mydir.'"><img src="../img/edit.gif" alt="'.get_lang('Modify').'"></a>';
+			$action .= '<a href="'.api_get_self().'?'.
+				api_get_cidreq().'&delete_dir='.$mydir.'" onclick="javascript:if(!confirm('."'".addslashes(htmlentities(get_lang('ConfirmYourChoice'),ENT_QUOTES,$charset))."'".')) return false;"><img src="../img/delete.gif" alt="'.get_lang('DirDelete').'"></a>';
+			$row[] = $action;
+		}else{
+			$row[] = "";
 		}
+		$table_data[] = $row;
 	}
 	while( $work = mysql_fetch_object($sql_result))
 	{
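Review bot: `$mydir` and `$dir` are concatenated into the `href` and the link text of the directory row without URL or HTML encoding, while the `$url` built with `rawurlencode` just above is never used in this block; a directory name containing `&`, quotes or `<` breaks the markup. Since the restructuring now appends the row for every viewer rather than only when `$is_allowed_to_edit` holds, the exposure is wider than before. Using `rawurlencode($mydir)` inside the `curdirpath=` and `delete_dir=` parameters and `htmlspecialchars($dir)` for the visible name would fix both links. The loop this sits in starts outside the hunk.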
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/main/work/work.php dokeosmod/main/work/work.php
--- dokeosorig/main/work/work.php	2007-09-19 02:49:58.000000000 -0500
+++ dokeosmod/main/work/work.php	2008-02-05 01:15:15.000000000 -0500
@@ -23,7 +23,7 @@
 * 	@author Patrick Cool <patrick.cool@UGent.be>, Ghent University - ability for course admins to specify wether uploaded documents are visible or invisible by default.
 * 	@author Roan Embrechts, code refactoring and virtual course support
 * 	@author Frederic Vauthier, directories management
-*  	@version $Id: work.php 13078 2007-09-19 07:49:58Z elixir_julian $
+*  	@version $Id: work.php 14070 2007-12-26 00:27:59Z yannoo $
 *
 * 	@todo refactor more code into functions, use quickforms, coding standards, ...
 */
@@ -147,19 +147,19 @@
 $currentUserFirstName       = $_user['firstName'];
 $currentUserLastName        = $_user['lastName'];
 
-$authors = $_POST['authors'];
-$delete = $_REQUEST['delete'];
-$description = $_REQUEST['description'];
+$authors = Database::escape_string($_POST['authors']);
+$delete = Database::escape_string($_REQUEST['delete']);
+$description = Database::escape_string($_REQUEST['description']);
 $display_tool_options = $_REQUEST['display_tool_options'];
 $display_upload_form = $_REQUEST['display_upload_form'];
-$edit = $_REQUEST['edit'];
-$make_invisible = $_REQUEST['make_invisible'];
-$make_visible = $_REQUEST['make_visible'];
-$origin = $_REQUEST['origin'];
-$submitGroupWorkUrl = $_REQUEST['submitGroupWorkUrl'];
-$title = $_REQUEST['title'];
-$uploadvisibledisabled = $_REQUEST['uploadvisibledisabled'];
-$id = (int) $_REQUEST['id'];
+$edit = Database::escape_string($_REQUEST['edit']);
+$make_invisible = Database::escape_string($_REQUEST['make_invisible']);
+$make_visible = Database::escape_string($_REQUEST['make_visible']);
+$origin = Security::remove_XSS($_REQUEST['origin']);
+$submitGroupWorkUrl = Security::remove_XSS($_REQUEST['submitGroupWorkUrl']);
+$title = Database::escape_string($_REQUEST['title']);
+$uploadvisibledisabled = Database::escape_string($_REQUEST['uploadvisibledisabled']);
+$id = strval(intval($_REQUEST['id']));
 
 //directories management
 $sys_course_path = api_get_path(SYS_COURSE_PATH);
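Review bot: `$edit` is now protected only by `Database::escape_string`, but two of its later uses concatenate it unquoted (`ref=".$edit` in the hunks at -587 and -828), where escaping quotes gives no protection against a non-numeric value. Since `$edit` is an id, the `intval` treatment the commit applies to `$id` on the last new line fits it too, `$edit = intval($_REQUEST['edit']);`, and the same likely applies to `$delete`, `$make_visible` and `$make_invisible` if they are ids as well. Escaping request values at the top of the script also means `$title`, `$description` and `$authors` carry SQL escape sequences wherever they are later echoed into HTML or a form; escaping at the query site keeps the two contexts separate.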
@@ -381,7 +381,7 @@
 
 	if ($edit)
 	{
-		$sql    = "SELECT * FROM  ".$work_table."  WHERE id='".mysql_real_escape_string($edit)."'";
+		$sql    = "SELECT * FROM  ".$work_table."  WHERE id='".$edit."'";
 		$result = api_sql_query($sql,__FILE__,__LINE__);
 
 		if ($result)
@@ -587,7 +587,7 @@
 	if ($edit)
 	{
 		//Get the author ID for that document from the item_property table
-		$author_sql = "SELECT * FROM $iprop_table WHERE tool = 'work' AND insert_user_id='$user_id' AND ref=".mysql_real_escape_string($edit);
+		$author_sql = "SELECT * FROM $iprop_table WHERE tool = 'work' AND insert_user_id='$user_id' AND ref=".$edit;
 		$author_qry = api_sql_query($author_sql,__FILE__,__LINE__);
 		if(Database::num_rows($author_qry)==1)
 		{
@@ -631,56 +631,65 @@
 
 		// Transform any .php file in .phps fo security
 		$new_file_name = php2phps($new_file_name);
-
-		if( ! $title )
-		{
-			$title = $_FILES['file']['name'];
-		}
-
-		if ( ! $authors)
-		{
-			$authors = $currentUserFirstName." ".$currentUserLastName;
-		}
-
-		// compose a unique file name to avoid any conflict
-
-		$new_file_name = uniqid('').$new_file_name;
-
-		if (isset($_SESSION['toolgroup']))
-		{
-			$post_group_id = $_SESSION['toolgroup'];
-		}
-		else
+		//filter extension
+	    if(!filter_extension($new_file_name))
+	    {
+	    	Display::display_error_message(get_lang('UplUnableToSaveFileFilteredExtension'));
+	    	$succeed = false;
+	    }
+	    else
 		{
-			$post_group_id = '0';
-		}
-		//if we come from the group tools the groupid will be saved in $work_table
 
-		move_uploaded_file($_FILES['file']['tmp_name'],$updir.$my_cur_dir_path.$new_file_name);
-
-		$url = "work/".$my_cur_dir_path.$new_file_name;
-		$result = api_sql_query("SHOW FIELDS FROM ".$work_table." LIKE 'sent_date'",__FILE__,__LINE__);
-
-		if(!mysql_num_rows($result))
-		{
-			api_sql_query("ALTER TABLE ".$work_table." ADD sent_date DATETIME NOT NULL");
+			if( ! $title )
+			{
+				$title = $new_file_name;
+			}
+	
+			if ( ! $authors)
+			{
+				$authors = $currentUserFirstName." ".$currentUserLastName;
+			}
+	
+			// compose a unique file name to avoid any conflict
+	
+			$new_file_name = uniqid('').$new_file_name;
+	
+			if (isset($_SESSION['toolgroup']))
+			{
+				$post_group_id = $_SESSION['toolgroup'];
+			}
+			else
+			{
+				$post_group_id = '0';
+			}
+			//if we come from the group tools the groupid will be saved in $work_table
+	
+			move_uploaded_file($_FILES['file']['tmp_name'],$updir.$my_cur_dir_path.$new_file_name);
+	
+			$url = "work/".$my_cur_dir_path.$new_file_name;
+			$result = api_sql_query("SHOW FIELDS FROM ".$work_table." LIKE 'sent_date'",__FILE__,__LINE__);
+	
+			if(!mysql_num_rows($result))
+			{
+				api_sql_query("ALTER TABLE ".$work_table." ADD sent_date DATETIME NOT NULL");
+			}
+	
+			$sql_add_publication = "INSERT INTO ".$work_table."
+			               SET url         = '".$url."',
+						       title       = '".$title."',
+			                   description = '".$description."',
+			                   author      = '".$authors."',
+							   active		= '".$active."',
+							   accepted		= '".(!$uploadvisibledisabled)."',
+							   post_group_id = '".$post_group_id."',
+							   sent_date	= NOW()";
+	
+			api_sql_query($sql_add_publication,__FILE__,__LINE__);
+	
+	        $Id = mysql_insert_id();
+	        api_item_property_update($_course,'work',$Id,get_lang('DocumentAdded'),$user_id);
+			$succeed = true;
 		}
-
-		$sql_add_publication = "INSERT INTO ".$work_table."
-		               SET url         = '".$url."',
-					       title       = '".$title."',
-		                   description = '".$description."',
-		                   author      = '".$authors."',
-						   active		= '".$active."',
-						   accepted		= '".(!$uploadvisibledisabled)."',
-						   post_group_id = '".$post_group_id."',
-						   sent_date	= NOW()";
-
-		api_sql_query($sql_add_publication,__FILE__,__LINE__);
-
-        $Id = mysql_insert_id();
-        api_item_property_update($_course,'work',$Id,get_lang('DocumentAdded'),$user_id);
-		$succeed = true;
 	}
 
 	/*
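Review bot: the return value of `move_uploaded_file` on the `$updir.$my_cur_dir_path.$new_file_name` line is ignored, so a failed move (permissions, disk full, missing directory) still leads to the `INSERT`, the item-property update and `$succeed = true`, leaving a database row for a file that does not exist. Wrapping the rest of the branch in `if (!move_uploaded_file(...)) { Display::display_error_message(...); $succeed = false; } else { … }`, mirroring the new `filter_extension` branch, closes that gap. The new lines also mix tab and space indentation (`	    if(!filter_extension`), which reads badly in a tab-indented file. The upload block this belongs to begins outside the hunk.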
@@ -768,16 +777,51 @@
 		// Lets predefine some variables. Be sure to change the from address!
 		$table_course_user = Database::get_main_table(TABLE_MAIN_COURSE_USER);
 		$table_user = Database::get_main_table(TABLE_MAIN_USER);
-		$sql_resp = 'SELECT u.email as myemail FROM '.$table_course_user.' cu, '.$table_user.' u WHERE cu.course_code = '."'".api_get_course_id()."'".' AND cu.status = 1 AND u.user_id = cu.user_id';
-		//echo $sql_resp;
-		$res_resp = api_sql_query($sql_resp,__FILE__,__LINE__);
-		if(Database::num_rows($res_resp)>0){
-			$emailto = '';
+		$table_session = Database::get_main_table(TABLE_MAIN_SESSION);
+		$table_session_course = Database::get_main_table(TABLE_MAIN_SESSION_COURSE);
+		
+		$emailto = array();
+		if(empty($_SESSION['id_session']))
+		{
+			$sql_resp = 'SELECT u.email as myemail FROM '.$table_course_user.' cu, '.$table_user.' u WHERE cu.course_code = '."'".api_get_course_id()."'".' AND cu.status = 1 AND u.user_id = cu.user_id';
+			$res_resp = api_sql_query($sql_resp,__FILE__,__LINE__);
 			while($row_email = Database::fetch_array($res_resp)){
 				if(!empty($row_email['myemail'])){
-					$emailto .= $row_email['myemail'].',';
+					$emailto[$row_email['myemail']] = $row_email['myemail'];
 				}
 			}
+		}
+		else
+		{
+			// coachs of the session
+			$sql_resp ='SELECT user.email as myemail 
+						FROM '.$table_session.' session
+						INNER JOIN '.$table_user.' user
+							ON user.user_id = session.id_coach
+						WHERE session.id = '.intval($_SESSION['id_session']);
+			$res_resp = api_sql_query($sql_resp,__FILE__,__LINE__);
+			while($row_email = Database::fetch_array($res_resp)){
+				if(!empty($row_email['myemail'])){
+					$emailto[$row_email['myemail']] = $row_email['myemail'];
+				}
+			}
+			
+			//coach of the course
+			$sql_resp ='SELECT user.email as myemail 
+						FROM '.$table_session_course.' session_course
+						INNER JOIN '.$table_user.' user
+							ON user.user_id = session_course.id_coach
+						WHERE session_course.id_session = '.intval($_SESSION['id_session']);
+			$res_resp = api_sql_query($sql_resp,__FILE__,__LINE__);
+			while($row_email = Database::fetch_array($res_resp)){
+				if(!empty($row_email['myemail'])){
+					$emailto[$row_email['myemail']] = $row_email['myemail'];
+				}
+			}			
+			
+		}
+		if(count($emailto)>0){
+			$emailto = implode(',' , $emailto);
 			$emailfromaddr = get_setting('emailAdministrator');
 			$emailfromname = get_setting('siteName');
 			$emailsubject  = "[".get_setting('siteName')."] ";
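Review bot: the second session query, commented `coach of the course`, filters `session_course` only on `id_session`, so if `TABLE_MAIN_SESSION_COURSE` holds one row per course of a session, every course coach in the session is notified rather than the coach of this course; adding a restriction on the course column of `session_course` matching `api_get_course_id()` would narrow it. The three fetch loops that fill `$emailto` are identical and could be one small helper taking the SQL. Reusing `$emailto` first as an array and then as the imploded string on the `implode` line makes the variable's type depend on the branch taken; a separate name for the string is clearer.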
@@ -828,7 +872,7 @@
 			if($edit){
 				//Get the author ID for that document from the item_property table
 				$is_author = false;
-				$author_sql = "SELECT * FROM $iprop_table WHERE tool = 'work' AND insert_user_id='$user_id' AND ref=".mysql_real_escape_string($edit);
+				$author_sql = "SELECT * FROM $iprop_table WHERE tool = 'work' AND insert_user_id='$user_id' AND ref=".$edit;
 				$author_qry = api_sql_query($author_sql,__FILE__,__LINE__);
 				if(Database::num_rows($author_qry)==1)
 				{
@@ -839,7 +883,7 @@
 			require_once (api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php');
 			require_once (api_get_path(LIBRARY_PATH).'fileDisplay.lib.php');
 			
-			$form = new FormValidator('form','POST',api_get_self()."?curdirpath=$cur_dir_path&origin=$origin",'','enctype="multipart/form-data"');
+			$form = new FormValidator('form','POST',api_get_self()."?curdirpath=".Security::remove_XSS($cur_dir_path)."&origin=$origin",'','enctype="multipart/form-data"');
 			
 			if(!empty($error_message)) Display::display_error_message($error_message);
 
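Review bot: `Security::remove_XSS` strips markup but does not encode, so `$cur_dir_path` and `$origin` are still placed raw into a URL query that ends up in an HTML attribute; characters such as `&`, `#` or `"` in a directory path change the meaning of the `action` URL (unless FormValidator escapes the attribute itself, which is not visible here). The right treatment for a query value is `urlencode()`, e.g. `api_get_self()."?curdirpath=".urlencode($cur_dir_path)."&origin=".urlencode($origin)`, with `htmlspecialchars()` applied once the string lands in an attribute. The same pattern recurs in the hunks at -911 (the hidden `curdirpath` input, where `htmlspecialchars` applies) and in whoisonline.php at -61, -79 and -248, where the values feed a `Location` header or `cidReq`/`chatid` links; the -248 line additionally sits under `if(0)` and is dead code.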
@@ -911,7 +955,7 @@
 		{
 			//create the form that asks for the directory name
 			$new_folder_text = '<form action="'.api_get_self().'" method="POST">';
-			$new_folder_text .= '<input type="hidden" name="curdirpath" value="'.$cur_dir_path.'"/>';
+			$new_folder_text .= '<input type="hidden" name="curdirpath" value="'.Security::remove_XSS($cur_dir_path).'"/>';
 			$new_folder_text .= get_lang('NewDir') .' ';
 			$new_folder_text .= '<input type="text" name="new_dir"/>';
 			$new_folder_text .= '<input type="submit" name="create_dir" value="'.get_lang('Ok').'"/>';
diff -Naur --exclude='*~' --exclude='*.bak' dokeosorig/whoisonline.php dokeosmod/whoisonline.php
--- dokeosorig/whoisonline.php	2007-09-26 21:20:35.000000000 -0500
+++ dokeosmod/whoisonline.php	2008-02-07 17:39:28.000000000 -0500
@@ -61,7 +61,7 @@
 	$result=api_sql_query($sql,__FILE__,__LINE__);
 
 	//redirect caller to chat
-	header("Location: ".$_configuration['code_append']."chat/chat.php?cidReq=".$_cid."&origin=whoisonline&target=$chatid");
+	header("Location: ".$_configuration['code_append']."chat/chat.php?cidReq=".$_cid."&origin=whoisonline&target=".Security::remove_XSS($chatid));
 	exit();
 }
 
@@ -79,8 +79,8 @@
 		$course_url = '';
 		if(strlen($_GET['cidReq']) > 0)
 		{
-			$extra_params['cidReq'] = $_GET['cidReq'];
-			$course_url = '&amp;cidReq='.$_GET['cidReq'];
+			$extra_params['cidReq'] = Database::escape_string($_GET['cidReq']);
+			$course_url = '&amp;cidReq='.Security::remove_XSS($_GET['cidReq']);
 		}
 		foreach($user_list as $user)
 		{
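Review bot: `Database::escape_string` is applied to `$_GET['cidReq']` on the `$extra_params` line, but `$extra_params` is handed to `Display::display_sortable_table` a few lines down, where it presumably becomes link parameters rather than SQL; SQL escaping in that context only inserts backslashes and gives no URL or HTML protection. If the value is used only for links, `urlencode($_GET['cidReq'])` (or the same validation a course code receives elsewhere in the application) belongs here, and the `Security::remove_XSS` on the following line should follow the same rule. The enclosing block starts outside the hunk.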
@@ -119,7 +119,7 @@
 		{
 			$table_header[] = array(get_lang('SendMessage'),true);
 		}
-		$sorting_options['column'] = (isset ($_GET['column']) ? $_GET['column'] : 2);
+		$sorting_options['column'] = (isset ($_GET['column']) ? (int)$_GET['column'] : 2);
 		Display::display_sortable_table($table_header,$table_data,$sorting_options,array('per_page_default'=>count($table_data)),$extra_params);
 	}
 }
@@ -130,10 +130,11 @@
 function display_individual_user($user_id)
 {
 	global $interbreadcrumb;
+	$safe_user_id = Database::escape_string($user_id);
 
 	// to prevent a hacking attempt: http://www.dokeos.com/forum/viewtopic.php?t=5363
 	$user_table=Database::get_main_table(TABLE_MAIN_USER);
-	$sql = "SELECT * FROM $user_table WHERE user_id='".mysql_real_escape_string($user_id)."'";
+	$sql = "SELECT * FROM $user_table WHERE user_id='".$safe_user_id."'";
 	$result=api_sql_query($sql,__FILE__,__LINE__);
 	if (mysql_num_rows($result)==1)
 	{
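Review bot: `$user_id` is a numeric key (the query compares it to `user_id`, and the caller in the -264 hunk passes `$_GET['id']`), so `intval($user_id)` is a tighter guard than `Database::escape_string`, e.g. `$safe_user_id = intval($user_id);` with the quotes in the query left as they are. The switch from `mysql_real_escape_string` to `Database::escape_string` is otherwise equivalent only if the wrapper calls the same function, which is not visible here. The rest of `display_individual_user` lies outside the hunk.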
@@ -248,7 +249,7 @@
 		{
 			if(0) // if ($_user['user_id'] && $_GET["id"] != $_user['user_id'])
 			{
-				echo '<a href="'.api_get_self().'?chatid='.$_GET['id'].'">'.get_lang('SendChatRequest').'</a>';
+				echo '<a href="'.api_get_self().'?chatid='.Security::remove_XSS($_GET['id']).'">'.get_lang('SendChatRequest').'</a>';
 			}
 		}
 	}
@@ -264,6 +265,11 @@
 			display_individual_user($_GET['id']);
 		}
 	}
+	elseif(isset($_GET['id']))
+	{
+		Display::display_header(get_lang('UsersOnLineList'));
+		api_display_tool_title(get_lang('UsersOnLineList'));
+	}
 }
 else
 {
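Review bot: the new `elseif(isset($_GET['id']))` branch prints the page header and tool title but nothing else, so a request that carries `id` yet fails the preceding condition (which lies outside the hunk) yields a page with no content and no explanation. A `Display::display_warning_message(...)` with a suitable language string after the title would tell the user why nothing is shown. The `if` this extends starts outside the hunk.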
@@ -279,4 +285,4 @@
 ==============================================================================
 */
 Display::display_footer();
-?>
\ Pas de fin de ligne Ã  la fin du fichier.
+?>
