plugins/SpecialUpdownload.php
author Dan
Sun, 04 May 2008 21:57:48 -0400
changeset 541 acb7e23b6ffa
parent 536 218a627eb53e
child 564 a1c450a911a6
permissions -rw-r--r--
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modified ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.

<?php
/**!info**
{
  "Plugin Name"  : "plugin_specialupdownload_title",
  "Plugin URI"   : "http://enanocms.org/",
  "Description"  : "plugin_specialupdownload_desc",
  "Author"       : "Dan Fuhry",
  "Version"      : "1.1.3",
  "Author URI"   : "http://enanocms.org/"
}
**!*/

/*
 * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between
 * Version 1.1.4 (Caoineag alpha 4)
 * Copyright (C) 2006-2008 Dan Fuhry
 * SpecialUpdownload.php - handles uploading and downloading of user-uploaded files - possibly the most rigorously security-enforcing script in all of Enano, although sessions.php comes in a close second
 *
 * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
 */
 
global $db, $session, $paths, $template, $plugins; // Common objects

// Register Special:UploadFile and Special:DownloadFile once the session is up.
// The hook body is handed to the plugin manager as PHP source text (a string),
// which is why the quotes inside it are escaped; both pages are registered as
// protected, with comments off, so the page records themselves cannot be
// edited or deleted through the normal page interface.
$plugins->attachHook('session_started', '
  global $paths;
    $paths->add_page(Array(
      \'name\'=>\'specialpage_upload_file\',
      \'urlname\'=>\'UploadFile\',
      \'namespace\'=>\'Special\',
      \'special\'=>0,\'visible\'=>1,\'comments_on\'=>0,\'protected\'=>1,\'delvotes\'=>0,\'delvote_ips\'=>\'\',
      ));
    
    $paths->add_page(Array(
      \'name\'=>\'specialpage_download_file\',
      \'urlname\'=>\'DownloadFile\',
      \'namespace\'=>\'Special\',
      \'special\'=>0,\'visible\'=>1,\'comments_on\'=>0,\'protected\'=>1,\'delvotes\'=>0,\'delvote_ips\'=>\'\',
      ));
    ');

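/**
 * Special:UploadFile - shows the upload form and, on POST, validates and
 * stores the uploaded file.
 *
 * Every value used below comes from the request ($_POST, $_FILES, the URL
 * parameter), so each one is checked before it becomes a file name, an SQL
 * value or a page name. Points worth knowing:
 *  - the allowed-extension check runs on the final (possibly renamed) file
 *    name as well as on the browser-supplied one, so the "rename" field
 *    cannot carry a banned extension onto disk;
 *  - the extension written to disk and to the database is the validated,
 *    lower-case one; the rest of the on-disk name is a hash;
 *  - replacing an existing file requires the upload_new_version permission
 *    on the POST path too, not only when the form is rendered;
 *  - the URL parameter echoed back into the form is HTML-escaped.
 *
 * Terminates the request through die_friendly() on every outcome of a POST.
 */
function page_Special_UploadFile()
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;
  global $mime_types;
  
  if ( getConfig('enable_uploads') != '1' )
  {
    die_friendly($lang->get('etc_access_denied_short'), '<p>' . $lang->get('upload_err_disabled_site') . '</p>');
  }
  if ( !$session->get_permissions('upload_files') )
  {
    die_friendly($lang->get('etc_access_denied_short'), '<p>' . $lang->get('upload_err_disabled_acl') . '</p>');
  }
  
  if ( isset($_POST['doit']) )
  {
    updownload_handle_upload();
  }
  else
  {
    updownload_show_form();
  }
}

/**
 * Return the lower-case extension of $filename (the text after the last
 * dot), or '' when the name has no dot at all.
 */
function updownload_get_extension($filename)
{
  $pos = strrpos($filename, '.');
  if ( $pos === false )
  {
    return '';
  }
  return strtolower(substr($filename, $pos + 1));
}

/**
 * True when $ext is present and enabled in the table returned by
 * fetch_allowed_extensions() (extension => bool). An empty extension is
 * never allowed.
 */
function updownload_extension_allowed($ext, $types)
{
  return ( $ext !== '' && isset($types[$ext]) && $types[$ext] );
}

/**
 * Reject file names that carry path separators, wiki/URL metacharacters,
 * a NUL byte, or that consist of whitespace only.
 */
function updownload_filename_is_clean($filename)
{
  static $bad_chars = array(':', '\\', '/', '<', '>', '|', '*', '?', '"', '#', '+', "\0");
  if ( $filename === '' || preg_match('/^([ ]+)$/is', $filename) )
  {
    return false;
  }
  foreach ( $bad_chars as $ch )
  {
    if ( strpos($filename, $ch) !== false )
    {
      return false;
    }
  }
  return true;
}

/**
 * Process a submitted upload form (the $_POST['doit'] branch of
 * page_Special_UploadFile). Always ends in die_friendly().
 */
function updownload_handle_upload()
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;
  global $mime_types;
  
  $file = ( isset($_FILES['data']) && is_array($_FILES['data']) ) ? $_FILES['data'] : false;
  if ( !is_array($file) )
  {
    die_friendly($lang->get('upload_err_title'), '<p>' . $lang->get('upload_err_cant_get_file_meta') . '</p>');
  }
  // PHP reports partial or failed uploads through the error slot; a size
  // check alone does not catch all of them
  if ( isset($file['error']) && $file['error'] != UPLOAD_ERR_OK )
  {
    die_friendly($lang->get('upload_err_title'), '<p>' . $lang->get('upload_err_cant_get_file_meta') . '</p>');
  }
  $max_size = (int)getConfig('max_file_size');
  if ( $file['size'] == 0 || $file['size'] > $max_size )
  {
    die_friendly($lang->get('upload_err_title'), '<p>' . $lang->get('upload_err_too_big_or_small') . '</p>');
  }
  
  // Extension policy, pass 1: the browser-supplied name
  $types = fetch_allowed_extensions();
  $ext = updownload_get_extension($file['name']);
  if ( !updownload_extension_allowed($ext, $types) )
  {
    die_friendly($lang->get('upload_err_title'), '<p>' . $lang->get('upload_err_banned_ext', array('ext' => htmlspecialchars($ext))) . '</p>');
  }
  
  // The "rename" field may supply a different name, including a different
  // extension, so the final name gets the same checks
  $filename = ( isset($_POST['rename']) && $_POST['rename'] != '' ) ? $_POST['rename'] : $file['name'];
  if ( !updownload_filename_is_clean($filename) )
  {
    die_friendly($lang->get('upload_err_title'), '<p>' . $lang->get('upload_err_banned_chars') . '</p>');
  }
  // Extension policy, pass 2: the name that is actually stored
  $ext = updownload_get_extension($filename);
  if ( !updownload_extension_allowed($ext, $types) )
  {
    die_friendly($lang->get('upload_err_title'), '<p>' . $lang->get('upload_err_banned_ext', array('ext' => htmlspecialchars($ext))) . '</p>');
  }
  // MIME type comes from the server-side table keyed by the validated extension
  $type = isset($mime_types[$ext]) ? $mime_types[$ext] : 'application/octet-stream';
  
  $is_update = isset($_POST['update']);
  // The form only offers the replace mode to users with upload_new_version;
  // the POST path has to enforce the same permission
  if ( $is_update && !$session->get_permissions('upload_new_version') )
  {
    die_friendly($lang->get('etc_access_denied_short'), '<p>' . $lang->get('upload_err_replace_denied') . '</p>');
  }
  
  $page_key = $paths->nslist['File'] . $filename;
  $page_exists = isset($paths->pages[$page_key]);
  if ( $page_exists && !$is_update )
  {
    $upload_link = makeUrlNS('Special', 'UploadFile/' . $filename);
    die_friendly($lang->get('upload_err_title'), '<p>' . $lang->get('upload_err_already_exists', array('upload_link' => $upload_link)) . '</p>');
  }
  else if ( $is_update && ( !$page_exists || $paths->pages[$page_key]['protected'] == 1 ) )
  {
    die_friendly($lang->get('upload_err_title'), '<p>' . $lang->get('upload_err_replace_protected') . '</p>');
  }
  
  $utime = time();
  
  $filename = $db->escape($filename);
  // file_extension is stored with its leading dot: DownloadFile appends it
  // directly to the file key when it rebuilds the on-disk path
  $ext_dot = '.' . $ext;
  $flen = filesize($file['tmp_name']);
  
  $comments_raw = isset($_POST['comments']) ? $_POST['comments'] : '';
  $comments = $is_update ? $db->escape($comments_raw) : $db->escape(RenderMan::preprocess_text($comments_raw, false, false));
  $chartag = sha1(microtime());
  $urln = str_replace(' ', '_', $filename);
  
  // On-disk name = hash of (name, content); nothing user-supplied reaches the
  // path except the validated extension
  $key = md5($filename . '_' . md5_file($file['tmp_name']));
  $targetname = ENANO_ROOT . '/files/' . $key . $ext_dot;
  
  if ( !@move_uploaded_file($file['tmp_name'], $targetname) )
  {
    die_friendly($lang->get('upload_err_title'), '<p>' . $lang->get('upload_err_move_failed') . '</p>');
  }
  
  // SQL values: $filename/$comments are $db->escape()d, $urln derives from
  // the escaped name, $utime/$flen are integers, $type/$ext_dot/$key come
  // from server-side tables and hashes
  if ( getConfig('file_history') != '1' )
  {
    if ( !$db->sql_query('DELETE FROM  ' . table_prefix . 'files WHERE filename=\'' . $filename . '\' LIMIT 1;') )
    {
      $db->_die('The old file data could not be deleted.');
    }
  }
  $sql = 'INSERT INTO ' . table_prefix . 'files(time_id,page_id,filename,size,mimetype,file_extension,file_key) VALUES(' . $utime . ', \'' . $urln . '\', \'' . $filename . '\', ' . $flen . ', \'' . $db->escape($type) . '\', \'' . $ext_dot . '\', \'' . $key . '\')';
  if ( !$db->sql_query($sql) )
  {
    $db->_die('The file data entry could not be inserted.');
  }
  
  $date_string = enano_date('d M Y h:i a');
  if ( !$is_update )
  {
    if ( !$db->sql_query('INSERT INTO ' . table_prefix . 'logs(time_id,date_string,log_type,action,author,page_id,namespace) VALUES(' . $utime . ', \'' . $date_string . '\', \'page\', \'create\', \'' . $session->username . '\', \'' . $filename . '\', \'File\');') )
    {
      $db->_die('The page log could not be updated.');
    }
    if ( !$db->sql_query('INSERT INTO ' . table_prefix . 'pages(name,urlname,namespace,protected,delvotes,delvote_ips) VALUES(\'' . $filename . '\', \'' . $urln . '\', \'File\', 0, 0, \'\')') )
    {
      $db->_die('The page listing entry could not be inserted.');
    }
    if ( !$db->sql_query('INSERT INTO ' . table_prefix . 'page_text(page_id,namespace,page_text,char_tag) VALUES(\'' . $urln . '\', \'File\', \'' . $comments . '\', \'' . $chartag . '\')') )
    {
      $db->_die('The page text entry could not be inserted.');
    }
  }
  else
  {
    if ( !$db->sql_query('INSERT INTO ' . table_prefix . 'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES(' . $utime . ', \'' . $date_string . '\', \'page\', \'reupload\', \'' . $session->username . '\', \'' . $filename . '\', \'File\', \'' . $comments . '\');') )
    {
      $db->_die('The page log could not be updated.');
    }
  }
  die_friendly($lang->get('upload_success_title'), '<p>' . $lang->get('upload_success_body', array('file_link' => makeUrlNS('File', $filename))) . '</p>');
}

/**
 * Render the upload form (GET branch of page_Special_UploadFile). The
 * optional URL parameter names an existing file to replace; it is
 * user-controlled and is HTML-escaped before being written back into the
 * page.
 */
function updownload_show_form()
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;
  
  $fn = $paths->getParam(0);
  // checked before any output so die_friendly() renders a clean page
  if ( $fn && !$session->get_permissions('upload_new_version') )
  {
    die_friendly($lang->get('etc_access_denied_short'), '<p>' . $lang->get('upload_err_replace_denied') . '</p>');
  }
  $fn_html = $fn ? htmlspecialchars($fn) : '';
  
  // Max file size, formatted for display
  $fs = (int)getConfig('max_file_size');
  if ( $fs >= 1048576 )
  {
    $unitized = round($fs / 1048576, 1) . ' ' . $lang->get('etc_unit_megabytes_short');
  }
  else if ( $fs >= 1024 )
  {
    $unitized = round($fs / 1024, 1) . ' ' . $lang->get('etc_unit_kilobytes_short');
  }
  else
  {
    // no language string for a plain byte count is available here, so fall
    // back to the raw number instead of leaving the placeholder empty
    $unitized = $fs . ' bytes';
  }
  
  $template->header();
  ?>
  <p><?php echo $lang->get('upload_intro'); ?></p>
  <p><?php echo $lang->get('upload_max_filesize', array('size' => $unitized)); ?></p>
  <form action="<?php echo makeUrl($paths->page); ?>" method="post" enctype="multipart/form-data">
    <table border="0" cellspacing="1" cellpadding="4">
      <tr><td><?php echo $lang->get('upload_field_file'); ?></td><td><input name="data" type="file" size="40" /></td></tr>
      <tr><td><?php echo $lang->get('upload_field_renameto'); ?></td><td><input name="rename" type="text" size="40"<?php if ( $fn ) echo ' value="' . $fn_html . '" readonly="readonly"'; ?> /></td></tr>
      <?php
      if ( !$fn )
      {
        echo '<tr><td>' . $lang->get('upload_field_comments') . '</td><td><textarea name="comments" rows="20" cols="60"></textarea></td></tr>';
      }
      else
      {
        echo '<tr><td>' . $lang->get('upload_field_reason') . '</td><td><input name="comments" size="50" /></td></tr>';
      }
      ?>
      <tr><td colspan="2" style="text-align: center">
        <?php
        if ( $fn )
        {
          echo '<input type="hidden" name="update" value="true" />';
        }
        ?>
        <input type="submit" name="doit" value="<?php echo $lang->get('upload_btn_upload'); ?>" />
      </td></tr>
    </table>
  </form>
  <?php
  $template->footer();
}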

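/**
 * Special:DownloadFile - streams a stored upload to the client, optionally
 * as a scaled preview of an image, after the File-namespace ACL check.
 *
 * URL parameters: [0] the file name (raw-url-encoded); [1] an optional
 * time_id selecting one revision (digits only, otherwise ignored).
 * GET flags: preview (+ width/height), download.
 *
 * The on-disk path of the stored file is built only from database values
 * (file key, time_id, extension). The request file name is reused for the
 * preview cache / temp file name, so separators are stripped from it first.
 * A temp file created for a non-cached preview is removed after sending;
 * the scaled copy is always written to a path distinct from the original.
 */
function page_Special_DownloadFile()
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;
  global $do_gzip;
  
  $filename_raw = rawurldecode($paths->getParam(0));
  $timeid = $paths->getParam(1);
  // only a pure digit string may select a revision, and it is cast so the
  // SQL fragment never carries anything but an integer
  $tid = ( $timeid && preg_match('#^([0-9]+)$#', (string)$timeid) ) ? ' AND time_id=' . intval($timeid) : '';
  
  $filename = $db->escape($filename_raw);
  $q = $db->sql_query('SELECT page_id,size,mimetype,time_id,file_extension,file_key FROM ' . table_prefix . 'files WHERE filename=\'' . $filename . '\'' . $tid . ' ORDER BY time_id DESC;');
  if ( !$q )
  {
    $db->_die('The file data could not be selected.');
  }
  if ( $db->numrows() < 1 )
  {
    header('HTTP/1.1 404 Not Found');
    die_friendly($lang->get('upload_err_not_found_title'), '<p>' . $lang->get('upload_err_not_found_body', array('filename' => htmlspecialchars($filename))) . '</p>');
  }
  $row = $db->fetchrow();
  $db->free_result();
  
  // ACL check against the File: page that owns this upload
  $perms = $session->fetch_page_acl($row['page_id'], 'File');
  if ( !$perms->get_permissions('read') )
  {
    die_friendly($lang->get('etc_access_denied_short'), '<p>' . $lang->get('etc_access_denied') . '</p>');
  }
  
  // Locate the stored file: current layout first, then the older
  // key_timeid layout
  $fname = ENANO_ROOT . '/files/' . $row['file_key'] . $row['file_extension'];
  if ( !file_exists($fname) )
  {
    $fname = ENANO_ROOT . '/files/' . $row['file_key'] . '_' . $row['time_id'] . $row['file_extension'];
  }
  if ( !file_exists($fname) )
  {
    // $fname is not echoed: it holds the absolute server path
    header('HTTP/1.1 404 Not Found');
    die_friendly($lang->get('upload_err_not_found_title'), '<p>' . $lang->get('upload_err_not_found_body', array('filename' => htmlspecialchars($filename))) . '</p>');
  }
  
  // name component for cache/temp files: request-supplied, so no separators
  $safe_name = str_replace(array('/', '\\', "\0"), '_', $filename_raw);
  $tempname = false;
  
  if ( isset($_GET['preview']) && substr($row['mimetype'], 0, 6) == 'image/' )
  {
    // requested dimensions; zero or negative values are not meaningful to a scaler
    $width  = isset($_GET['width'])  ? max(1, intval($_GET['width']))  : 320;
    $height = isset($_GET['height']) ? max(1, intval($_GET['height'])) : 320;
    $cache_filename = ENANO_ROOT . "/cache/{$safe_name}-{$row['time_id']}-{$width}x{$height}{$row['file_extension']}";
    if ( file_exists($cache_filename) )
    {
      $fname = $cache_filename;
    }
    else
    {
      $orig_fname = $fname;
      $target = false;
      if ( getConfig('cache_thumbs') == '1' )
      {
        if ( is_writeable(dirname($cache_filename)) )
        {
          $target = $cache_filename;
        }
      }
      else
      {
        // Not caching: scale into a temp file, removed once it has been sent.
        // tempnam() falls back to the system default directory if needed.
        $tempname = tempnam(sys_get_temp_dir(), $safe_name);
        if ( $tempname && is_writeable($tempname) )
        {
          $target = $tempname;
        }
      }
      // The scaled copy must go to its own path; the previous code passed the
      // original path as the destination in the non-cached case, handing
      // scale_image() the stored file as both source and target.
      if ( $target !== false && $target !== $orig_fname && scale_image($orig_fname, $target, $width, $height) )
      {
        $fname = $target;
      }
      else
      {
        $fname = $orig_fname;
      }
    }
  }
  
  $handle = @fopen($fname, 'rb');
  if ( !$handle )
  {
    die('Can\'t open output file for reading');
  }
  
  $len = filesize($fname);
  header('Content-type: ' . $row['mimetype']);
  // keep browsers from sniffing a different type out of user-uploaded bytes
  header('X-Content-Type-Options: nosniff');
  if ( isset($_GET['download']) )
  {
    // RFC 2183 form is "attachment; filename=..."; quotes are dropped so the
    // name cannot terminate the quoted parameter early
    header('Content-disposition: attachment; filename="' . str_replace('"', '', $filename_raw) . '"');
  }
  header('Content-length: ' . $len);
  header('Last-Modified: ' . enano_date('r', $row['time_id']));
  
  // stream in chunks to keep memory use bounded
  while ( !feof($handle) )
  {
    echo fread($handle, 512000);
  }
  fclose($handle);
  
  if ( $tempname )
  {
    @unlink($tempname);
  }
  
  gzip_output();
  
  exit;
}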

?>