--- loncom/interface/portfolio.pm	2016/08/07 23:14:30	1.254.2.1
+++ loncom/interface/portfolio.pm	2023/01/23 18:09:36	1.254.2.6.2.1
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # portfolio browser
 #
-# $Id: portfolio.pm,v 1.254.2.1 2016/08/07 23:14:30 raeburn Exp $
+# $Id: portfolio.pm,v 1.254.2.6.2.1 2023/01/23 18:09:36 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -112,13 +112,17 @@ sub display_common {
 END
         }
 
+        # Find space available before uploading
+        my $free_space = &free_space($group);
+
         # Upload File
         $r->print('<div class="LC_left_float">'
                  .'<form method="post" enctype="multipart/form-data" action="'.$escuri.'">'
                  .'<fieldset>'
                  .'<legend>'.$lt{'upload_label'}.'</legend>'
                  .$groupitem 
-                 .'<input name="uploaddoc" type="file" />'
+                 .'<input name="uploaddoc" type="file" class="LC_flUpload" />'
+                 .'<input type="hidden" id="LC_free_space" value="'.$free_space.'" />'
                  .'<input type="hidden" name="currentpath" value="'.$current_path.'" />'
                  .'<input type="hidden" name="action" value="'.$env{"form.action"}.'" />'
                  .'<input type="hidden" name="symb" value="'.$env{"form.symb"}.'" />'
@@ -893,6 +897,8 @@ sub display_access {
     my $aclcount = keys(%access_controls);
     my ($header,$info);
     if ($action eq 'chgaccess') {
+        my $uhome = &Apache::lonnet::homeserver($uname,$udom);
+        my $prefix = &Apache::lonnet::url_prefix($r,$udom,$uhome,'web');
         $header =
             '<h2>'
             .&mt('Allowing others to retrieve file: [_1]'
@@ -905,13 +911,13 @@ sub display_access {
         $info .= '</li><li>'.&mt('Passphrase-protected files do not require log-in, but will require the viewer to enter the passphrase you set.');
         $info .= '</li><li>'.&explain_conditionals();
         $info .= '</li></ul>'.
-                  &mt('A listing of files viewable without log-in is available at: ')."<a href=\"/adm/$udom/$uname/aboutme/portfolio\">".&Apache::lonnet::absolute_url($ENV{'SERVER_NAME'})."/adm/$udom/$uname/aboutme/portfolio</a>.<br />";
+                  &mt('A listing of files viewable without log-in is available at: ')."<a href=\"$prefix/adm/$udom/$uname/aboutme/portfolio\">$prefix/adm/$udom/$uname/aboutme/portfolio</a>.<br />";
         if ($group eq '') {
             $info .= &mt("For logged in users a 'Display file listing' link will also appear (when there are viewable files) on your personal information page:");
         } else {
             $info .= &mt("For logged in users a 'Display file listing' link will also appear (when there are viewable files) on the course information page:");
         }
-        $info .= "<br /><a href=\"/adm/$udom/$uname/aboutme\">".&Apache::lonnet::absolute_url($ENV{'SERVER_NAME'})."/adm/$udom/$uname/aboutme</a><br />";
+        $info .= "<br /><a href=\"$prefix/adm/$udom/$uname/aboutme\">$prefix/adm/$udom/$uname/aboutme</a><br />";
         if ($group ne '') {
             $info .= &mt("Users with course editing rights may add a 'Group Portfolio' item using the Course Editor (Collaboration tab), to provide access to viewable group portfolio files.").'<br />';
         }
@@ -1069,7 +1075,7 @@ sub build_access_summary {
                     $r->print(&mt('Users: ').$curr_user_list);
                 } elsif ($scope eq 'ip') {
                     my $curr_ips_list = &sort_ips($content->{'ip'});
-                    $r->print(&mt('IP(s): ').$curr_ips_list);
+                    $r->print(&mt('IP(s):').' '.$curr_ips_list);
                 } else {
                     $r->print('&nbsp;');
                 }
@@ -2545,13 +2551,15 @@ sub coursegrp_portfolio_header {
     }
     &Apache::lonhtmlcommon::add_breadcrumb
         ({href=>"/adm/$cdom/$cnum/$env{'form.group'}/smppg?ref=$env{'form.ref'}",
-          text=>"$ucgpterm: $grp_desc",
-          title=>"Go to group's home page"},
+          text=>&mt('Group').": $grp_desc",
+          title=>&mt("Go to group's home page"),
+          no_mt=>1},
          {href=>"/adm/coursegrp_portfolio?".&group_args(),
           text=>"Group Portfolio",
           title=>"Display group portfolio"});
     my $output = &Apache::lonhtmlcommon::breadcrumbs(
-                         &mt('[_1] portfolio files - [_2]',$gpterm,$grp_desc));
+                         &mt('Group portfolio files - [_1]',$grp_desc),
+                                                     undef,undef,undef,undef,1);
     return $output;
 }
 
@@ -2598,6 +2606,58 @@ STATE
     return $state;
 }
 
+# Find space available in a user's portfolio (convert to bytes)
+sub free_space {
+    my ($group) = @_;
+    my $disk_quota = &get_quota($group); # Expressed in kB
+    my ($uname,$udom) = &get_name_dom($group);
+    my $portfolio_root = &get_portfolio_root();
+    my $getpropath = 1;
+    my $current_disk_usage = &Apache::lonnet::diskusage($udom, $uname,
+                             $portfolio_root, $getpropath); # Expressed in kB
+    my $free_space = 1024 * ($disk_quota - $current_disk_usage);
+    return $free_space;
+}
+
+sub valid_container {
+    my ($uname,$udom,$group) = @_;
+    my $container_prefix;
+    if ($group ne '') {
+        $container_prefix = "/uploaded/$udom/$uname/groups/$group/portfolio";
+    } else {
+        $container_prefix = "/uploaded/$udom/$uname/portfolio";
+    }
+    if ($env{'form.currentpath'}) {
+        $container_prefix .= $env{'form.currentpath'};
+    } else {
+        $container_prefix .= '/';
+    }
+    if ($env{'form.container'} =~ m{^\Q$container_prefix\E(.+)$}) {
+        my $filename = $1;
+        if ($filename eq &Apache::lonnet::clean_filename($filename)) {
+            return 1;
+        }
+    }
+    return;
+}
+
+sub invalid_parms {
+    my ($r,$url,$currentpath) = @_;
+    my $escpath = &HTML::Entities::encode($currentpath,'&<>"');
+    my $rtnlink = '<a href="'.$url;
+    if ($url =~ /\?/) {
+        $rtnlink .= '&';
+    } else {
+        $rtnlink .= '?';
+    }
+    $rtnlink .= 'currentpath='.$escpath;
+    $rtnlink .= '">'.&mt('Return to directory').'</a>';
+    $r->print('<h3>'.&mt('Action disallowed').'</h3>');
+    $r->print(&mt('Some of the data included with this request were invalid'));
+    $r->print('<br />'.$rtnlink);
+    return;
+}
+
 sub handler {
     # this handles file management
     my $r = shift;
@@ -2685,16 +2745,19 @@ sub handler {
     # Give the LON-CAPA page header
     my $brcrum = [{href=>"/adm/portfolio",text=>"Portfolio Manager"}];
 
+    my $js = '<script type="text/javascript"
+                src="/res/adm/includes/file_upload.js"></script>';
+
     if ($env{"form.mode"} eq 'selectfile'){
-        $r->print(&Apache::loncommon::start_page($title,undef,
+        $r->print(&Apache::loncommon::start_page($title, $js,
 						 {'only_body' => 1}));
     } elsif ($env{'form.action'} eq 'rolepicker') {
-        $r->print(&Apache::loncommon::start_page('New role-based condition',undef,
+        $r->print(&Apache::loncommon::start_page('New role-based condition', $js,
                                                  {'no_nav_bar'  => 1, }));
     } elsif ($caller eq 'coursegrp_portfolio') {
-        $r->print(&Apache::loncommon::start_page($title));
+        $r->print(&Apache::loncommon::start_page($title, $js));
     } else {
-        $r->print(&Apache::loncommon::start_page($title,undef,
+        $r->print(&Apache::loncommon::start_page($title, $js,
                                                  {'bread_crumbs' => $brcrum}));
         if (!&Apache::lonnet::usertools_access($uname,$udom,'portfolio')) {
             $r->print('<h2>'.&mt('No user portfolio available') .'</h2>'.
@@ -2708,8 +2771,9 @@ sub handler {
     }
     $r->rflush();
     # Check if access to portfolio is blocked by one or more blocking events in courses.
+    my $clientip = &Apache::lonnet::get_requestor_ip($r);
     my ($blocked,$blocktext) = 
-        &Apache::loncommon::blocking_status('port',$uname,$udom);
+        &Apache::loncommon::blocking_status('port',$clientip,$uname,$udom);
     if ($blocked) {
         my $evade_block;
         # If portfolio display is in a window popped up from a "Select Portfolio Files"
@@ -2743,6 +2807,21 @@ sub handler {
             $r->print(&Apache::loncommon::end_page());
             return OK;
         }
+    }
+    if (($env{'form.currentpath'}) && ($env{'form.currentpath'} ne '/')) {
+        my $clean_currentpath = '/'.&Apache::loncommon::clean_path($env{'form.currentpath'}).'/';
+        unless ($env{'form.currentpath'} eq $clean_currentpath) {
+            &invalid_parms($r,$url);
+            $r->print(&Apache::loncommon::end_page());
+            return OK;
+        }
+    }
+    if ($env{'form.container'}) {
+        unless (&valid_container($uname,$udom,$group)) {
+            &invalid_parms($r,$url,$env{'form.currentpath'});
+            $r->print(&Apache::loncommon::end_page());
+            return OK;
+        }
     }
     if (($env{'form.storeupl'}) & (!$env{'form.uploaddoc.filename'})){
    	$r->print(