--- loncom/interface/portfolio.pm 2016/08/07 23:14:30 1.254.2.1 +++ loncom/interface/portfolio.pm 2017/11/01 02:50:05 1.254.2.2.2.1 @@ -1,7 +1,7 @@ # The LearningOnline Network # portfolio browser # -# $Id: portfolio.pm,v 1.254.2.1 2016/08/07 23:14:30 raeburn Exp $ +# $Id: portfolio.pm,v 1.254.2.2.2.1 2017/11/01 02:50:05 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -1069,7 +1069,7 @@ sub build_access_summary { $r->print(&mt('Users: ').$curr_user_list); } elsif ($scope eq 'ip') { my $curr_ips_list = &sort_ips($content->{'ip'}); - $r->print(&mt('IP(s): ').$curr_ips_list); + $r->print(&mt('IP(s):').' '.$curr_ips_list); } else { $r->print(' '); } @@ -2598,6 +2598,45 @@ STATE return $state; } +sub valid_container { + my ($uname,$udom,$group) = @_; + my $container_prefix; + if ($group ne '') { + $container_prefix = "/uploaded/$udom/$uname/groups/$group/portfolio"; + } else { + $container_prefix = "/uploaded/$udom/$uname/portfolio"; + } + if ($env{'form.currentpath'}) { + $container_prefix .= $env{'form.currentpath'}; + } else { + $container_prefix .= '/'; + } + if ($env{'form.container'} =~ m{^\Q$container_prefix\E(.+)$}) { + my $filename = $1; + if ($filename eq &Apache::lonnet::clean_filename($filename)) { + return 1; + } + } + return; +} + +sub invalid_parms { + my ($r,$url,$currentpath) = @_; + my $escpath = &HTML::Entities::encode($currentpath,'&<>"'); + my $rtnlink = ''.&mt('Return to directory').''; + $r->print('

'.&mt('Action disallowed').'

'); + $r->print(&mt('Some of the data included with this request were invalid')); + $r->print('
'.$rtnlink); + return; +} + sub handler { # this handles file management my $r = shift; @@ -2743,6 +2782,21 @@ sub handler { $r->print(&Apache::loncommon::end_page()); return OK; } + } + if (($env{'form.currentpath'}) && ($env{'form.currentpath'} ne '/')) { + my $clean_currentpath = '/'.&Apache::loncommon::clean_path($env{'form.currentpath'}).'/'; + unless ($env{'form.currentpath'} eq $clean_currentpath) { + &invalid_parms($r,$url); + $r->print(&Apache::loncommon::end_page()); + return OK; + } + } + if ($env{'form.container'}) { + unless (&valid_container($uname,$udom,$group)) { + &invalid_parms($r,$url,$env{'form.currentpath'}); + $r->print(&Apache::loncommon::end_page()); + return OK; + } } if (($env{'form.storeupl'}) & (!$env{'form.uploaddoc.filename'})){ $r->print(
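Review bot: In `valid_container` the match on `form.container` is anchored with `^` and `$`, and `$` also matches just before a trailing newline, so a value ending in a newline can pass the check while the stored field still carries it. Anchoring with `m{\A\Q$container_prefix\E(.+)\z}` makes the accepted string exactly what was tested. The prefix is built from `$env{'form.currentpath'}`, which is request data as well, so the function is only sound when the caller has already normalised that field. A comment above the sub such as `# Caller must have validated form.currentpath before calling this.` would record that dependency.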
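Review bot: Both new rejection branches in `handler` print the "Action disallowed" page and return without writing anything to the server log, so repeated requests with malformed `form.currentpath` or `form.container` values leave no trace for whoever monitors the host. A log line before each `&invalid_parms(...)` call, for example `&Apache::lonnet::logthis("portfolio: rejected path parameters for $uname:$udom");`, would make them visible; keep the raw parameter out of the message or sanitise it first. `handler` begins and continues outside this hunk, so it is worth confirming that nothing earlier in it reads either field before these checks run.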