ilm_security.php 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219
  1. <?php
  2. /**
  3. * This file is used to allow a more secure access to the iLM file contents.
  4. *
  5. * ATTENTION: DO NOT USE any 'print' (or 'echo') other then the one that print the iLM file content.
  6. * Otherwise the iLM will receive this printed message as its file (probably nothing will be shown).
  7. *
  8. * How:
  9. * The principle is to allow a single access to the file content, providing a "token" that is erased on the first use.
  10. * Every access to the content, by any iLM, must be provided by this vehicle.
  11. *
  12. * Why:
  13. * The iLM must requires the file content by a GET connection. But if the file content is opened,
  14. * this means that the user (usually the learner) can get access to it by copying the URL directly.
  15. * In this case, if the iLM is based on "model answer" (like iGeom), the learner can open a local version of iLM
  16. * with this "model answer" (iGeom provides a special format to exercises to avoid this).
  17. *
  18. * Table 'iassign_security': id iassign_statementid userid file timecreated view
  19. *
  20. * TODO : the insertion in 'iassign_security' table must be provided by functions inside this code (not in './mod/iassign/locallib.php'
  21. *
  22. * @author Patricia Alves Rodrigues
  23. * @author Leônidas O. Brandão
  24. * @version v 1.1 2017/11/02: fixed error in '$stringDebugAuxFile = "";' (it was with ".=")
  25. * @version v 1.0 2010/12/10
  26. * @package mod_iassign_ilm
  27. * @since 2012/03/10
  28. * @by iMatica (<a href="http://www.matematica.br">iMath</a>) - Computer Science Dep. of IME-USP (Brazil)
  29. *
  30. * <b>License</b>
  31. * - http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  32. */
  33. require_once("../../config.php");
  34. global $DB;
  35. //Debug: debug iLM security scheme
  36. //Debug: ATTENTION, this requests the directory './mod/iassign/ilm_debug/' with write permition to www-data !!!!
  37. $DEBUG = 0; //Debug: help to debug, register data in file 'MOODLE/mod/iassign/ilm_debug/YYYY_mm_dd_m_s_int'
  38. class ilm_security {
  39. // Table 'iassign_security' : id iassign_statementid userid file timecreated view
  40. /// Warning message
  41. static function warning_message_iassign ($strcode) { // errado no 'locallib.php' sempre com constante 'error_view_without_actiontype'!!!
  42. return "<div classs='warning' style='display:inline; font-weight: bold; color:#a00'>" . get_string($strcode, 'iassign') . "</div>\n";
  43. }
  44. // @calledby here : after print $strFileContent;
  45. static function remove_records ($userid) { //, $iassign_statementid
  46. if (!isset($userid) || !isset($iassign_statementid)) {
  47. // self::warning_message_iassign('???');
  48. print self::warning_message_iassign('error_security_no_userid'); // 'Internal error: must be informed the user identification. Inform the Administrator.'
  49. return null;
  50. }
  51. if (!isset($iassign_statementid) || $iassign_statementid<1)
  52. $array_param = array("userid" => $userid); // erase all entries of this user
  53. else
  54. $array_param = array("userid" => $userid, "iassign_statementid" => $iassign_statementid);
  55. $DB->delete_records("iassign_security", $array_param); // erase only for this iAssign activity
  56. }
  57. // @calledby locallib.php : class ilm : function view_iLM($iassign_statement_activity_item, $student_answer, $enderecoPOST, $view)
  58. static function remove_old_iLM_security_entries ($userid) { // substituir 'locallib' de mesmo nome!
  59. global $DB;
  60. // This is an additional security: erase eventually old entries in 'iassign_security' table (do not remove '$iassign_statementid' since it is going to be used "now")
  61. $result = $DB->delete_records_select("iassign_security", "userid=" . $userid . " AND view>1", null);
  62. }
  63. // $id_iLM_security = $this->write_iLM_security($iassign_statement_activity_item->id, $content_or_id_from_ilm_security); // insert in 'iassign_security'
  64. /// Function to give a single access to an iLM content avoi (after used, 'view()', after 'view_iLM(...)', will erase the entry)
  65. // @calledby locallib.php : class ilm_manager : function preview_ilm($courseid, $iassign_ilm): $id_iLM_security = ilm_security::write_iLM_security($USER->id, $timecreated, -1, $content_or_id_from_ilm_security);
  66. // ? @calledby locallib.php : class iassign : function view() : ...
  67. // ? @calledby locallib.php : view_iLM($iassign_statement_activity_item, $student_answer, $enderecoPOST, $view) : $id_iLM_security=$this->write_iLM_security($iassign_statement_activity_item->id,$content_or_id_from_ilm_security);
  68. // @param int $iassign_statement_activity_itemid Id of iassign statement, when from iLM 'preview' (there is none activity), -1
  69. // @param Object $file File in use in activity
  70. // @return int Return the id of log
  71. static function write_iLM_security ($userid, $timecreated, $iassign_statementid = -1, $content_or_id_from_ilm_security) { // subst. de locallib!
  72. global $DB;
  73. $newentry = new stdClass();
  74. $newentry->iassign_statementid = $iassign_statementid; // when came from iLM previw => there is none activity, use -1
  75. $newentry->userid = $userid;
  76. $newentry->file = $content_or_id_from_ilm_security;
  77. $newentry->timecreated = $timecreated; // who calls will generate: $timecreated = time(); $token == md5($timecreated);
  78. $newentry->view = 1;
  79. $id_iLM_security = $DB->insert_record("iassign_security", $newentry);
  80. if (!$id_iLM_security) {
  81. print_error('error_security', 'iassign'); // ./lib/setuplib.php: moodle_exception thrown
  82. }
  83. //D echo "ilm_security.php: write_iLM_security(...): acabou de inserir em 'iassign_security' (id_iLM_security=$id_iLM_security)<br/>\n";
  84. //D echo "ilm_security.php: write_iLM_security(...): file=" . $content_or_id_from_ilm_security . "<br/>\n";
  85. //D $aux_iassign_security = $DB->get_records('iassign_security', array('id' => $id_iLM_security));
  86. //D foreach ($aux_iassign_security as $item)
  87. //D echo " * iassign_security.id=" . $item->id . ", iassign_statementid=" . $item->iassign_statementid . ', iassign_security.id=' . $id_iLM_security . "<br/>\n"; //", file=" . $item->file . - tem o conteudo do arquivo
  88. return $id_iLM_security;
  89. }
  90. //D $iassign_iLM_security = $DB->get_record("iassign_security", array("iassign_statementid" => $iassign_statementid));
  91. //D if ($iassign_iLM_security) foreach ($iassign_iLM_security as $item) { echo $iassign_iLM_security->id . " ; " . $iassign_iLM_security->iassign_statementid . " ; " . $iassign_iLM_security->userid . " ; " . $iassign_iLM_security->timecreated . " ; " . $iassign_iLM_security->view . " ; " . $iassign_iLM_security->file . "<br/>\n" }
  92. //D else echo "Apagou!<br/>";
  93. } // class ilm_security
  94. $view = optional_param('view', NULL, PARAM_TEXT); //$view = $_GET['view'];
  95. $token = optional_param('token', NULL, PARAM_TEXT); //$token = $_GET['token'];
  96. $id = optional_param('id', NULL, PARAM_TEXT); //$id = $_GET['id']; //id of the table iassign_security
  97. $stringDebugAux = "";
  98. $strFileContent = "";
  99. // Debug
  100. if ($DEBUG) {
  101. $file_name = "ilm_debug/" . date('Y') . "_" . date('m') . "_" . date('d') . "_" . date('H_i') . "_" . $id;
  102. $file_debug = "id=" . $id . "<br/>\nview=" . $view . "<br/>\ntoken=" . $token;
  103. $stringDebugAux = "user.id=" . $USER->id . ", user.name=" . $USER->firstname . " " . $USER->lastname . "\n";
  104. }
  105. if ($view == -1) { //view free
  106. //xx echo "view==-1: DEBUG=$DEBUG<br/>\n"; //DO NOT USE, unless by direct access to debug 'ilm_security.php'...
  107. $fs = get_file_storage();
  108. $file = $fs->get_file_by_id($id);
  109. $strFileContent .= $file->get_content();
  110. $stringDebugAux .= "1: file content:" . $strFileContent;
  111. print $strFileContent;
  112. ilm_security::remove_old_iLM_security_entries($USER->id); // for security reason erase the used entry in 'iassign_security' (and others for this user/activity)
  113. }
  114. else {
  115. // Get data from table 'iassign_security'
  116. $iassign_security = $DB->get_record("iassign_security", array("id" => $id)); // id iassign_statementid userid file timecreated view
  117. //xx echo "<br/>iassign_security="; print_r($iassign_security); echo "<br/>"; //DO NOT USE, unless by direct access to debug 'ilm_security.php'...
  118. if ($DEBUG) {
  119. $strAux = "iassign_security = { id=" . $iassign_security->id . ", " . $iassign_security->iassign_statementid . ", | " . $iassign_security->file . " |, " . $iassign_security->view . " }";
  120. $stringDebugAux .= $strAux;
  121. }
  122. if ($iassign_security) {
  123. $fileid = $iassign_security->file;
  124. if ($iassign_security) { //TODO must be 'if ($fileid)'?
  125. $update = new stdClass();
  126. $update->id = $iassign_security->id;
  127. $update->view = $iassign_security->view + 1;
  128. $DB->update_record("iassign_security", $update);
  129. if ($DEBUG) $stringDebugAux .= " view++ = " . $iassign_security->view . "\n";
  130. //????? apos acertos deixar apenas '$update->view == 2' ??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
  131. if ($update->view >= 2 && $token == md5($iassign_security->timecreated)) { //
  132. //Security iLM: remove the entry
  133. // $DB->delete_records("iassign_security", array("id" => $id));
  134. if ($view) {
  135. // If it is view of the exercise, then get it on the Moodle data (usually '/var/moodledata') => file is a number = '*_files.id'
  136. // If it is learner answer get it in data base => file is the iLM file content
  137. // $stringDebugAuxFile = ""; //Debug
  138. $fs = get_file_storage();
  139. $file = $fs->get_file_by_id($fileid);
  140. $strFileContent = $file->get_content();
  141. $stringDebugAuxFile = $file->get_filename() . "/"; //Debug
  142. if ($DEBUG) {
  143. $stringDebugAux .= "view>=2: view=$view: update->view=" . $update->view . "\n" . $token . "=" . md5($iassign_security->timecreated) . "?\n";
  144. }
  145. } // if ($update->view == 2 && $token == md5($iassign_security->timecreated))
  146. else { // not view - get the student content answer
  147. // *_iassign_security : id iassign_statementid userid file timecreated view (where 'file' is longtext utf8_unicode_ci)
  148. // passei para 'blob'
  149. $strFileContent = $iassign_security->file; //ERROR: usa algum filtro, elimina '.', '/' e outros caracteres
  150. //$strFileContent = $contextid; - tb nao funciona!!
  151. if ($DEBUG) {
  152. $stringDebugAux .= "view>=2: else view=$view: update->view=" . $update->view . "\n" . $token . "=" . md5($iassign_security->timecreated) . "?\n";
  153. $stringDebugAux .= " " . $iassign_security->id . ", " . $iassign_security->timecreated . "\n";
  154. }
  155. }
  156. // Here is the print to the iLM request the content
  157. print $strFileContent;
  158. ilm_security::remove_old_iLM_security_entries($USER->id); // for security reason erase the used entry in 'iassign_security' (and others for this user/activity)
  159. } // if ($update->view == 2 && $token == md5($iassign_security->timecreated))
  160. else {
  161. if ($DEBUG) {
  162. $countF = 0;
  163. foreach ($files as $thefile) {
  164. $strFileName = $thefile->get_filename(); //Debug
  165. $stringDebugAux .= " " . ($countF++) . ": " . $strFileName . "\n";
  166. $stringDebugAuxFile = $strFileName . "/"; //Debug
  167. if ($strFileName != '.') {
  168. $strFileContent = $thefile->get_content();
  169. }
  170. }
  171. $stringDebugAux .= "view<=2: NOT update->view=" . $update->view . "\n" . $token . "=" . md5($iassign_security->timecreated) . "?\nstrFileContent=" . $strFileContent . "\n";
  172. }
  173. }
  174. } // if ($iassign_security)
  175. } // if ($iassign_security)
  176. }
  177. //NAO pode deixar 'echo' aqui, pois o resultado daqui alimentara o iMA! echo "ilm_security.php: file_name=$file_name<br/>";
  178. if ($DEBUG) {
  179. //xxecho "file_name=$file_name"; //DO NOT USE, unless by direct access to debug 'ilm_security.php'...
  180. $fpointer = fopen($file_name, "w");
  181. $file_debug .= "\nAuxiliary information: " . $stringDebugAux . "";
  182. $file_debug .= "\nContent iLM file: |" . $strFileContent . "|";
  183. fwrite($fpointer, "From: ./mod/iassign/ilm_security.php<br/>\n" . $file_debug);
  184. fclose($fpointer);
  185. }