ilm_security.php 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217
  1. <?php
  2. /**
  3. * This file is used to allow a more secure access to the iLM file contents.
  4. *
  5. * ATTENTION: DO NOT USE any 'print' (or 'echo') other then the one that print the iLM file content.
  6. * Otherwise the iLM will receive this printed message as its file (probably nothing will be shown).
  7. *
  8. * How:
  9. * The principle is to allow a single access to the file content, providing a "token" that is erased on the first use.
  10. * Every access to the content, by any iLM, must be provided by this vehicle.
  11. *
  12. * Why:
  13. * The iLM must requires the file content by a GET connection. But if the file content is opened,
  14. * this means that the user (usually the learner) can get access to it by copying the URL directly.
  15. * In this case, if the iLM is based on "model answer" (like iGeom), the learner can open a local version of iLM
  16. * with this "model answer" (iGeom provides a special format to exercises to avoid this).
  17. *
  18. * Table 'iassign_security': id iassign_statementid userid file timecreated view
  19. *
  20. * TODO : the insertion in 'iassign_security' table must be provided by functions inside this code (not in './mod/iassign/locallib.php'
  21. *
  22. * @author Patricia Alves Rodrigues
  23. * @author Leônidas O. Brandão
  24. * @version v 1.0 2010/12/10
  25. * @package mod_iassign_ilm
  26. * @since 2012/03/10
  27. * @by iMatica (<a href="http://www.matematica.br">iMath</a>) - Computer Science Dep. of IME-USP (Brazil)
  28. *
  29. * <b>License</b>
  30. * - http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  31. */
  32. require_once("../../config.php");
  33. global $DB;
  34. //Debug: debug iLM security scheme
  35. //Debug: ATTENTION, this requests the directory './mod/iassign/ilm_debug/' with write permition to www-data !!!!
  36. $DEBUG = 0; //Debug: help to debug, register data in file 'MOODLE/mod/iassign/ilm_debug/YYYY_mm_dd_m_s_int'
  37. class ilm_security {
  38. // Table 'iassign_security' : id iassign_statementid userid file timecreated view
  39. /// Warning message
  40. static function warning_message_iassign ($strcode) { // errado no 'locallib.php' sempre com constante 'error_view_without_actiontype'!!!
  41. return "<div classs='warning' style='display:inline; font-weight: bold; color:#a00'>" . get_string($strcode, 'iassign') . "</div>\n";
  42. }
  43. // @calledby here : after print $strFileContent;
  44. static function remove_records ($userid) { //, $iassign_statementid
  45. if (!isset($userid) || !isset($iassign_statementid)) {
  46. // self::warning_message_iassign('???');
  47. print self::warning_message_iassign('error_security_no_userid'); // 'Internal error: must be informed the user identification. Inform the Administrator.'
  48. return null;
  49. }
  50. if (!isset($iassign_statementid) || $iassign_statementid<1)
  51. $array_param = array("userid" => $userid); // erase all entries of this user
  52. else
  53. $array_param = array("userid" => $userid, "iassign_statementid" => $iassign_statementid);
  54. $DB->delete_records("iassign_security", $array_param); // erase only for this iAssign activity
  55. }
  56. // @calledby locallib.php : class ilm : function view_iLM($iassign_statement_activity_item, $student_answer, $enderecoPOST, $view)
  57. static function remove_old_iLM_security_entries ($userid) { // substituir 'locallib' de mesmo nome!
  58. global $DB;
  59. // This is an additional security: erase eventually old entries in 'iassign_security' table (do not remove '$iassign_statementid' since it is going to be used "now")
  60. $result = $DB->delete_records_select("iassign_security", "userid=" . $userid . " AND view>1", null);
  61. }
  62. // $id_iLM_security = $this->write_iLM_security($iassign_statement_activity_item->id, $content_or_id_from_ilm_security); // insert in 'iassign_security'
  63. /// Function to give a single access to an iLM content avoi (after used, 'view()', after 'view_iLM(...)', will erase the entry)
  64. // @calledby locallib.php : class ilm_manager : function preview_ilm($courseid, $iassign_ilm): $id_iLM_security = ilm_security::write_iLM_security($USER->id, $timecreated, -1, $content_or_id_from_ilm_security);
  65. // ? @calledby locallib.php : class iassign : function view() : ...
  66. // ? @calledby locallib.php : view_iLM($iassign_statement_activity_item, $student_answer, $enderecoPOST, $view) : $id_iLM_security=$this->write_iLM_security($iassign_statement_activity_item->id,$content_or_id_from_ilm_security);
  67. // @param int $iassign_statement_activity_itemid Id of iassign statement, when from iLM 'preview' (there is none activity), -1
  68. // @param Object $file File in use in activity
  69. // @return int Return the id of log
  70. static function write_iLM_security ($userid, $timecreated, $iassign_statementid = -1, $content_or_id_from_ilm_security) { // subst. de locallib!
  71. global $DB;
  72. $newentry = new stdClass();
  73. $newentry->iassign_statementid = $iassign_statementid; // when came from iLM previw => there is none activity, use -1
  74. $newentry->userid = $userid;
  75. $newentry->file = $content_or_id_from_ilm_security;
  76. $newentry->timecreated = $timecreated; // who calls will generate: $timecreated = time(); $token == md5($timecreated);
  77. $newentry->view = 1;
  78. $id_iLM_security = $DB->insert_record("iassign_security", $newentry);
  79. if (!$id_iLM_security) {
  80. print_error('error_security', 'iassign'); // ./lib/setuplib.php: moodle_exception thrown
  81. }
  82. //D echo "ilm_security.php: write_iLM_security(...): acabou de inserir em 'iassign_security' (id_iLM_security=$id_iLM_security)<br/>\n";
  83. //D echo "ilm_security.php: write_iLM_security(...): file=" . $content_or_id_from_ilm_security . "<br/>\n";
  84. //D $aux_iassign_security = $DB->get_records('iassign_security', array('id' => $id_iLM_security));
  85. //D foreach ($aux_iassign_security as $item)
  86. //D echo " * iassign_security.id=" . $item->id . ", iassign_statementid=" . $item->iassign_statementid . ', iassign_security.id=' . $id_iLM_security . "<br/>\n"; //", file=" . $item->file . - tem o conteudo do arquivo
  87. return $id_iLM_security;
  88. }
  89. //D $iassign_iLM_security = $DB->get_record("iassign_security", array("iassign_statementid" => $iassign_statementid));
  90. //D if ($iassign_iLM_security) foreach ($iassign_iLM_security as $item) { echo $iassign_iLM_security->id . " ; " . $iassign_iLM_security->iassign_statementid . " ; " . $iassign_iLM_security->userid . " ; " . $iassign_iLM_security->timecreated . " ; " . $iassign_iLM_security->view . " ; " . $iassign_iLM_security->file . "<br/>\n" }
  91. //D else echo "Apagou!<br/>";
  92. } // class ilm_security
  93. $view = optional_param('view', NULL, PARAM_TEXT); //$view = $_GET['view'];
  94. $token = optional_param('token', NULL, PARAM_TEXT); //$token = $_GET['token'];
  95. $id = optional_param('id', NULL, PARAM_TEXT); //$id = $_GET['id']; //id of the table iassign_security
  96. $stringDebugAux = "";
  97. $strFileContent = "";
  98. // Debug
  99. if ($DEBUG) {
  100. $file_name = "ilm_debug/" . date('Y') . "_" . date('m') . "_" . date('d') . "_" . date('H_i') . "_" . $id;
  101. $file_debug = "id=" . $id . "<br/>\nview=" . $view . "<br/>\ntoken=" . $token;
  102. $stringDebugAux = "user.id=" . $USER->id . ", user.name=" . $USER->firstname . " " . $USER->lastname . "\n";
  103. }
  104. if ($view == -1) { //view free
  105. //xx echo "view==-1: DEBUG=$DEBUG<br/>\n"; //DO NOT USE, unless by direct access to debug 'ilm_security.php'...
  106. $fs = get_file_storage();
  107. $file = $fs->get_file_by_id($id);
  108. $strFileContent .= $file->get_content();
  109. $stringDebugAux .= "1: file content:" . $strFileContent;
  110. print $strFileContent;
  111. ilm_security::remove_old_iLM_security_entries($USER->id); // for security reason erase the used entry in 'iassign_security' (and others for this user/activity)
  112. }
  113. else {
  114. // Get data from table 'iassign_security'
  115. $iassign_security = $DB->get_record("iassign_security", array("id" => $id)); // id iassign_statementid userid file timecreated view
  116. //xx echo "<br/>iassign_security="; print_r($iassign_security); echo "<br/>"; //DO NOT USE, unless by direct access to debug 'ilm_security.php'...
  117. if ($DEBUG) {
  118. $strAux = "iassign_security = { id=" . $iassign_security->id . ", " . $iassign_security->iassign_statementid . ", | " . $iassign_security->file . " |, " . $iassign_security->view . " }";
  119. $stringDebugAux .= $strAux;
  120. }
  121. if ($iassign_security) {
  122. $fileid = $iassign_security->file;
  123. if ($iassign_security) { //TODO must be 'if ($fileid)'?
  124. $update = new stdClass();
  125. $update->id = $iassign_security->id;
  126. $update->view = $iassign_security->view + 1;
  127. $DB->update_record("iassign_security", $update);
  128. if ($DEBUG) $stringDebugAux .= " view++ = " . $iassign_security->view . "\n";
  129. //????? apos acertos deixar apenas '$update->view == 2' ??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
  130. if ($update->view >= 2 && $token == md5($iassign_security->timecreated)) { //
  131. //Security iLM: remove the entry
  132. // $DB->delete_records("iassign_security", array("id" => $id));
  133. if ($view) {
  134. // If it is view of the exercise, then get it on the Moodle data (usually '/var/moodledata') => file is a number = '*_files.id'
  135. // If it is learner answer get it in data base => file is the iLM file content
  136. // $stringDebugAuxFile = ""; //Debug
  137. $fs = get_file_storage();
  138. $file = $fs->get_file_by_id($fileid);
  139. $strFileContent = $file->get_content();
  140. $stringDebugAuxFile = $file->get_filename() . "/"; //Debug
  141. if ($DEBUG) {
  142. $stringDebugAux .= "view>=2: view=$view: update->view=" . $update->view . "\n" . $token . "=" . md5($iassign_security->timecreated) . "?\n";
  143. }
  144. } // if ($update->view == 2 && $token == md5($iassign_security->timecreated))
  145. else { // not view - get the student content answer
  146. // *_iassign_security : id iassign_statementid userid file timecreated view (where 'file' is longtext utf8_unicode_ci)
  147. // passei para 'blob'
  148. $strFileContent = $iassign_security->file; //ERROR: usa algum filtro, elimina '.', '/' e outros caracteres
  149. //$strFileContent = $contextid; - tb nao funciona!!
  150. if ($DEBUG) {
  151. $stringDebugAux .= "view>=2: else view=$view: update->view=" . $update->view . "\n" . $token . "=" . md5($iassign_security->timecreated) . "?\n";
  152. $stringDebugAux .= " " . $iassign_security->id . ", " . $iassign_security->timecreated . "\n";
  153. }
  154. }
  155. // Here is the print to the iLM request the content
  156. print $strFileContent;
  157. ilm_security::remove_old_iLM_security_entries($USER->id); // for security reason erase the used entry in 'iassign_security' (and others for this user/activity)
  158. } // if ($update->view == 2 && $token == md5($iassign_security->timecreated))
  159. else {
  160. if ($DEBUG) {
  161. $countF = 0;
  162. foreach ($files as $thefile) {
  163. $strFileName = $thefile->get_filename(); //Debug
  164. $stringDebugAux .= " " . ($countF++) . ": " . $strFileName . "\n";
  165. $stringDebugAuxFile .= $strFileName . "/"; //Debug
  166. if ($strFileName != '.') {
  167. $strFileContent = $thefile->get_content();
  168. }
  169. }
  170. $stringDebugAux .= "view<=2: NOT update->view=" . $update->view . "\n" . $token . "=" . md5($iassign_security->timecreated) . "?\nstrFileContent=" . $strFileContent . "\n";
  171. }
  172. }
  173. } // if ($iassign_security)
  174. } // if ($iassign_security)
  175. }
  176. //NAO pode deixar 'echo' aqui, pois o resultado daqui alimentara o iMA! echo "ilm_security.php: file_name=$file_name<br/>";
  177. if ($DEBUG) {
  178. //xxecho "file_name=$file_name"; //DO NOT USE, unless by direct access to debug 'ilm_security.php'...
  179. $fpointer = fopen($file_name, "w");
  180. $file_debug .= "\nAuxiliary information: " . $stringDebugAux . "";
  181. $file_debug .= "\nContent iLM file: |" . $strFileContent . "|";
  182. fwrite($fpointer, "From: ./mod/iassign/ilm_security.php<br/>\n" . $file_debug);
  183. fclose($fpointer);
  184. }