0byt3m1n1
Path:
/
data
/
applications
/
aps.bak
/
webcalendar
/
1.2.3-0
/
standard
/
htdocs
/
[
Home
]
File: doc.php
<?php /* $Id: doc.php,v 1.20.2.3 2007/11/12 15:40:30 umcesrjones Exp $ * * Description: * Obtain a binary object from the database and send it back to * the browser using the correct mime type. * * Input Parameters: * blid(*) - The unique identifier for this blob * (*) required field */ include_once 'includes/init.php'; include_once 'includes/classes/Doc.class'; $blid = getValue ( 'blid', '-?[0-9]+', true ); $error = $res = ''; $invalidIDStr = translate ( 'Invalid entry id XXX.' ); if ( empty ( $blid ) ) $error = translate ( 'Invalid blob id' ); else { $res = dbi_execute ( Doc::getSQLForDocId ( $blid ) ); if ( ! $res ) $error = db_error (); } if ( empty ( $error ) ) { $row = dbi_fetch_row ( $res ); if ( ! $row ) $error = str_replace ( 'XXX', $blid, $invalidIDStr ); else { $doc =& new Doc ( $row ); $description = $doc->getDescription (); $filedata = $doc->getData (); $filename = $doc->getName (); $id = $doc->getId (); $mimetype = $doc->getMimeType (); $owner = $doc->getLogin (); $size = $doc->getSize (); $type = $doc->getType (); } dbi_free_result ( $res ); } // Make sure this user is allowed to look at this file. // If the blob is associated with an event, then the user must be able // to view the event in order to access this file. // TODO: move all this code (and code in view_entry.php) to a common // function named can_view_event or something similar. $can_view = false; $is_my_event = false; $is_private = $is_confidential = false; $log = getGetValue ( 'log' ); $show_log = ! empty ( $log ); if ( empty ( $id ) ) $can_view = true; // not associated with an event if ( ! empty ( $id ) && empty ( $error ) ) { if ( $is_admin || $is_nonuser_admin || $is_assistant ) $can_view = true; if ( empty ( $id ) || $id <= 0 || ! is_numeric ( $id ) ) $error = str_replace ( 'XXX', $id, $invalidIDStr ); if ( empty ( $error ) ) { // is this user a participant or the creator of the event? $res = dbi_execute ( 'SELECT we.cal_id FROM webcal_entry we, webcal_entry_user weu WHERE we.cal_id = weu.cal_id AND we.cal_id = ? AND ( we.cal_create_by = ? OR weu.cal_login = ? )', array ( $id, $login, $login ) ); if ( $res ) { $row = dbi_fetch_row ( $res ); if ( $row && $row[0] > 0 ) { $can_view = true; $is_my_event = true; } dbi_free_result ( $res ); } if ( ($login != '__public__') && ($PUBLIC_ACCESS_OTHERS == 'Y') ) { $can_view = true; } if ( ! $can_view ) { $check_group = false; // if not a participant in the event, must be allowed to look at // other user's calendar. if ( $login == '__public__' ) { if ( $PUBLIC_ACCESS_OTHERS == 'Y' ) $check_group = true; } else { if ( $ALLOW_VIEW_OTHER == 'Y' ) $check_group = true; } // If $check_group is true now, it means this user can look at the // event only if they are in the same group as some of the people in // the event. // This gets kind of tricky. If there is a participant from a different // group, do we still show it? For now, the answer is no. // This could be configurable somehow, but how many lines of text would // it need in the admin page to describe this scenario? Would confuse // 99.9% of users. // In summary, make sure at least one event participant is in one of // this user's groups. $my_users = get_my_users (); $cnt = count ( $my_users ); if ( is_array ( $my_users ) && $cnt ) { $sql = 'SELECT we.cal_id FROM webcal_entry we, webcal_entry_user weu WHERE we.cal_id = weu.cal_id AND we.cal_id = ? AND weu.cal_login IN ( '; $query_params = array (); $query_params[] = $id; for ( $i = 0; $i < $cnt; $i++ ) { if ( $i > 0 ) { $sql .= ', '; } $sql .= '?'; $query_params[] = $my_users[$i]['cal_login']; } $res = dbi_execute ( $sql . ' )', $query_params ); if ( $res ) { $row = dbi_fetch_row ( $res ); if ( $row && $row[0] > 0 ) $can_view = true; dbi_free_result ( $res ); } } // If we didn't indicate we need to check groups, then this user // can't view this event. if ( ! $check_group && ! access_is_enabled () ) $can_view = false; } } $hide_details = ( $login == '__public__' && ! empty ( $OVERRIDE_PUBLIC ) && $OVERRIDE_PUBLIC == 'Y' ); // If they still cannot view, make sure they are not looking at a nonuser // calendar event where the nonuser is the _only_ participant. if ( empty ( $error ) && ! $can_view && ! empty ( $NONUSER_ENABLED ) && $NONUSER_ENABLED == 'Y' ) { $nonusers = get_nonuser_cals (); $nonuser_lookup = array (); for ( $i = 0, $cnt = count ( $nonusers ); $i < $cnt; $i++ ) { $nonuser_lookup[$nonusers[$i]['cal_login']] = 1; } $res = dbi_execute ( 'SELECT cal_login FROM webcal_entry_user WHERE cal_id = ? AND cal_status in ( \'A\', \'W\' )', array ( $id ) ); $found_nonuser_cal = $found_reg_user = false; if ( $res ) { while ( $row = dbi_fetch_row ( $res ) ) { if ( ! empty ( $nonuser_lookup[$row[0]] ) ) $found_nonuser_cal = true; else $found_reg_user = true; } dbi_free_result ( $res ); } // Does this event contain only nonuser calendars as participants? // If so, then grant access. if ( $found_nonuser_cal && ! $found_reg_user ) $can_view = true; } if ( empty ( $error ) && ! $can_view ) $error = print_not_auth (8); } if ( ! empty ( $error ) ) { print_header (); echo print_error ( $error, true) . print_trailer (); exit; } $disp = ( $type == 'A' ? 'attachment' : 'inline' ); // Print out data now. Header ( 'Content-Length: ' . $size ); Header ( 'Content-Type: ' . $mimetype ); $description = preg_replace ( "/\n\r\t+/", ' ', $description ); Header ( 'Content-Description: ' . $description ); // Don't allow spaces in filenames. //$filename = preg_replace ( "/\n\r\t+/", "_", $filename ); //Header ( "Content-Disposition: $disp; filename=$filename" ); Header ( 'Content-Disposition: filename=' . $filename ); echo $filedata; exit; ?>