123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218 |
- <?php
- /**
- * This file is used to allow a more secure access to the iLM file contents.
- *
- * ATTENTION: DO NOT USE any 'print' (or 'echo') other then the one that print the iLM file content.
- * Otherwise the iLM will receive this printed message as its file (probably nothing will be shown).
- *
- * How:
- * The principle is to allow a single access to the file content, providing a "token" that is erased on the first use.
- * Every access to the content, by any iLM, must be provided by this vehicle.
- *
- * Why:
- * The iLM must requires the file content by a GET connection. But if the file content is opened,
- * this means that the user (usually the learner) can get access to it by copying the URL directly.
- * In this case, if the iLM is based on "model answer" (like iGeom), the learner can open a local version of iLM
- * with this "model answer" (iGeom provides a special format to exercises to avoid this).
- *
- * Table 'iassign_security': id iassign_statementid userid file timecreated view
- *
- * TODO : the insertion in 'iassign_security' table must be provided by functions inside this code (not in './mod/iassign/locallib.php'
- *
- * @author Patricia Alves Rodrigues
- * @author Leônidas O. Brandão
- * @version v 1.1 2017/11/02: fixed error in '$stringDebugAuxFile = "";' (it was with ".=")
- * @version v 1.0 2010/12/10
- * @package mod_iassign_ilm
- * @since 2012/03/10
- * @by iMatica (<a href="http://www.matematica.br">iMath</a>) - Computer Science Dep. of IME-USP (Brazil)
- *
- * <b>License</b>
- * - http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
- */
- require_once("../../config.php");
- global $DB;
- //Debug: debug iLM security scheme
- //Debug: ATTENTION, this requests the directory './mod/iassign/ilm_debug/' with write permition to www-data !!!!
- $DEBUG = 0; //Debug: help to debug, register data in file 'MOODLE/mod/iassign/ilm_debug/YYYY_mm_dd_m_s_int'
- class ilm_security {
- // Table 'iassign_security' : id iassign_statementid userid file timecreated view
- /// Warning message
- static function warning_message_iassign ($strcode) { // errado no 'locallib.php' sempre com constante 'error_view_without_actiontype'!!!
- return "<div classs='warning' style='display:inline; font-weight: bold; color:#a00'>" . get_string($strcode, 'iassign') . "</div>\n";
- }
- // @calledby here : after print $strFileContent;
- static function remove_records ($userid) { //, $iassign_statementid
- if (!isset($userid) || !isset($iassign_statementid)) {
- // self::warning_message_iassign('???');
- print self::warning_message_iassign('error_security_no_userid'); // 'Internal error: must be informed the user identification. Inform the Administrator.'
- return null;
- }
- if (!isset($iassign_statementid) || $iassign_statementid<1)
- $array_param = array("userid" => $userid); // erase all entries of this user
- else
- $array_param = array("userid" => $userid, "iassign_statementid" => $iassign_statementid);
- $DB->delete_records("iassign_security", $array_param); // erase only for this iAssign activity
- }
- // @calledby locallib.php : class ilm : function view_iLM($iassign_statement_activity_item, $student_answer, $enderecoPOST, $view)
- static function remove_old_iLM_security_entries ($userid) { // substituir 'locallib' de mesmo nome!
- global $DB;
- // This is an additional security: erase eventually old entries in 'iassign_security' table (do not remove '$iassign_statementid' since it is going to be used "now")
- $result = $DB->delete_records_select("iassign_security", "userid=" . $userid . " AND view>1", null);
- }
- // $id_iLM_security = $this->write_iLM_security($iassign_statement_activity_item->id, $content_or_id_from_ilm_security); // insert in 'iassign_security'
- /// Function to give a single access to an iLM content avoi (after used, 'view()', after 'view_iLM(...)', will erase the entry)
- // @calledby locallib.php : class ilm_manager : function preview_ilm($courseid, $iassign_ilm): $id_iLM_security = ilm_security::write_iLM_security($USER->id, $timecreated, -1, $content_or_id_from_ilm_security);
- // ? @calledby locallib.php : class iassign : function view() : ...
- // ? @calledby locallib.php : view_iLM($iassign_statement_activity_item, $student_answer, $enderecoPOST, $view) : $id_iLM_security=$this->write_iLM_security($iassign_statement_activity_item->id,$content_or_id_from_ilm_security);
- // @param int $iassign_statement_activity_itemid Id of iassign statement, when from iLM 'preview' (there is none activity), -1
- // @param Object $file File in use in activity
- // @return int Return the id of log
- static function write_iLM_security ($userid, $timecreated, $iassign_statementid = -1, $content_or_id_from_ilm_security) { // subst. de locallib!
- global $DB;
- $newentry = new stdClass();
- $newentry->iassign_statementid = $iassign_statementid; // when came from iLM previw => there is none activity, use -1
- $newentry->userid = $userid;
- $newentry->file = $content_or_id_from_ilm_security;
- $newentry->timecreated = $timecreated; // who calls will generate: $timecreated = time(); $token == md5($timecreated);
- $newentry->view = 1;
- $id_iLM_security = $DB->insert_record("iassign_security", $newentry);
- if (!$id_iLM_security) {
- print_error('error_security', 'iassign'); // ./lib/setuplib.php: moodle_exception thrown
- }
- //D echo "ilm_security.php: write_iLM_security(...): acabou de inserir em 'iassign_security' (id_iLM_security=$id_iLM_security)<br/>\n";
- //D echo "ilm_security.php: write_iLM_security(...): file=" . $content_or_id_from_ilm_security . "<br/>\n";
- //D $aux_iassign_security = $DB->get_records('iassign_security', array('id' => $id_iLM_security));
- //D foreach ($aux_iassign_security as $item)
- //D echo " * iassign_security.id=" . $item->id . ", iassign_statementid=" . $item->iassign_statementid . ', iassign_security.id=' . $id_iLM_security . "<br/>\n"; //", file=" . $item->file . - tem o conteudo do arquivo
- return $id_iLM_security;
- }
- //D $iassign_iLM_security = $DB->get_record("iassign_security", array("iassign_statementid" => $iassign_statementid));
- //D if ($iassign_iLM_security) foreach ($iassign_iLM_security as $item) { echo $iassign_iLM_security->id . " ; " . $iassign_iLM_security->iassign_statementid . " ; " . $iassign_iLM_security->userid . " ; " . $iassign_iLM_security->timecreated . " ; " . $iassign_iLM_security->view . " ; " . $iassign_iLM_security->file . "<br/>\n" }
- //D else echo "Apagou!<br/>";
- } // class ilm_security
- $view = optional_param('view', NULL, PARAM_TEXT); //$view = $_GET['view'];
- $token = optional_param('token', NULL, PARAM_TEXT); //$token = $_GET['token'];
- $id = optional_param('id', NULL, PARAM_TEXT); //$id = $_GET['id']; //id of the table iassign_security
- $stringDebugAux = "";
- $strFileContent = "";
- // Debug
- if ($DEBUG) {
- $file_name = "ilm_debug/" . date('Y') . "_" . date('m') . "_" . date('d') . "_" . date('H_i') . "_" . $id;
- $file_debug = "id=" . $id . "<br/>\nview=" . $view . "<br/>\ntoken=" . $token;
- $stringDebugAux = "user.id=" . $USER->id . ", user.name=" . $USER->firstname . " " . $USER->lastname . "\n";
- }
- if ($view == -1) { //view free
- //xx echo "view==-1: DEBUG=$DEBUG<br/>\n"; //DO NOT USE, unless by direct access to debug 'ilm_security.php'...
- $fs = get_file_storage();
- $file = $fs->get_file_by_id($id);
- $strFileContent .= $file->get_content();
- $stringDebugAux .= "1: file content:" . $strFileContent;
- print $strFileContent;
- ilm_security::remove_old_iLM_security_entries($USER->id); // for security reason erase the used entry in 'iassign_security' (and others for this user/activity)
- }
- else {
- // Get data from table 'iassign_security'
- $iassign_security = $DB->get_record("iassign_security", array("id" => $id)); // id iassign_statementid userid file timecreated view
- //xx echo "<br/>iassign_security="; print_r($iassign_security); echo "<br/>"; //DO NOT USE, unless by direct access to debug 'ilm_security.php'...
- if ($DEBUG) {
- $strAux = "iassign_security = { id=" . $iassign_security->id . ", " . $iassign_security->iassign_statementid . ", | " . $iassign_security->file . " |, " . $iassign_security->view . " }";
- $stringDebugAux .= $strAux;
- }
- if ($iassign_security) {
- $fileid = $iassign_security->file;
- if ($iassign_security) { //TODO must be 'if ($fileid)'?
- $update = new stdClass();
- $update->id = $iassign_security->id;
- $update->view = $iassign_security->view + 1;
- $DB->update_record("iassign_security", $update);
- if ($DEBUG) $stringDebugAux .= " view++ = " . $iassign_security->view . "\n";
- //????? apos acertos deixar apenas '$update->view == 2' ??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
- if ($update->view >= 2 && $token == md5($iassign_security->timecreated)) { //
- //Security iLM: remove the entry
- // $DB->delete_records("iassign_security", array("id" => $id));
- if ($view) {
- // If it is view of the exercise, then get it on the Moodle data (usually '/var/moodledata') => file is a number = '*_files.id'
- // If it is learner answer get it in data base => file is the iLM file content
- // $stringDebugAuxFile = ""; //Debug
- $fs = get_file_storage();
- $file = $fs->get_file_by_id($fileid);
- $strFileContent = $file->get_content();
- $stringDebugAuxFile = $file->get_filename() . "/"; //Debug
- if ($DEBUG) {
- $stringDebugAux .= "view>=2: view=$view: update->view=" . $update->view . "\n" . $token . "=" . md5($iassign_security->timecreated) . "?\n";
- }
- } // if ($update->view == 2 && $token == md5($iassign_security->timecreated))
- else { // not view - get the student content answer
-
- // *_iassign_security : id iassign_statementid userid file timecreated view (where 'file' is longtext utf8_unicode_ci)
- // passei para 'blob'
- $strFileContent = $iassign_security->file; //ERROR: usa algum filtro, elimina '.', '/' e outros caracteres
- //$strFileContent = $contextid; - tb nao funciona!!
- if ($DEBUG) {
- $stringDebugAux .= "view>=2: else view=$view: update->view=" . $update->view . "\n" . $token . "=" . md5($iassign_security->timecreated) . "?\n";
- $stringDebugAux .= " " . $iassign_security->id . ", " . $iassign_security->timecreated . "\n";
- }
- }
-
- // Here is the print to the iLM request the content
- print $strFileContent;
- ilm_security::remove_old_iLM_security_entries($USER->id); // for security reason erase the used entry in 'iassign_security' (and others for this user/activity)
- } // if ($update->view == 2 && $token == md5($iassign_security->timecreated))
- else {
- if ($DEBUG) {
- $countF = 0;
- foreach ($files as $thefile) {
- $strFileName = $thefile->get_filename(); //Debug
- $stringDebugAux .= " " . ($countF++) . ": " . $strFileName . "\n";
- $stringDebugAuxFile = $strFileName . "/"; //Debug
- if ($strFileName != '.') {
- $strFileContent = $thefile->get_content();
- }
- }
- $stringDebugAux .= "view<=2: NOT update->view=" . $update->view . "\n" . $token . "=" . md5($iassign_security->timecreated) . "?\nstrFileContent=" . $strFileContent . "\n";
- }
- }
- } // if ($iassign_security)
- } // if ($iassign_security)
- }
- //NAO pode deixar 'echo' aqui, pois o resultado daqui alimentara o iMA! echo "ilm_security.php: file_name=$file_name<br/>";
- if ($DEBUG) {
- //xxecho "file_name=$file_name"; //DO NOT USE, unless by direct access to debug 'ilm_security.php'...
- $fpointer = fopen($file_name, "w");
- $file_debug .= "\nAuxiliary information: " . $stringDebugAux . "";
- $file_debug .= "\nContent iLM file: |" . $strFileContent . "|";
- fwrite($fpointer, "From: ./mod/iassign/ilm_security.php<br/>\n" . $file_debug);
- fclose($fpointer);
- }
|