--- loncom/interface/portfolio.pm 2017/05/19 23:41:28 1.258
+++ loncom/interface/portfolio.pm 2023/12/28 15:57:27 1.267
@@ -1,7 +1,7 @@
# The LearningOnline Network
# portfolio browser
#
-# $Id: portfolio.pm,v 1.258 2017/05/19 23:41:28 raeburn Exp $
+# $Id: portfolio.pm,v 1.267 2023/12/28 15:57:27 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -121,8 +121,8 @@ END
.'<fieldset>'
.'<legend>'.$lt{'upload_label'}.'</legend>'
.$groupitem
- .'<input name="uploaddoc" type="file" class="flUpload" />'
- .'<input type="hidden" id="free_space" value="'.$free_space.'" />'
+ .'<input name="uploaddoc" type="file" class="LC_flUpload" />'
+ .'<input type="hidden" id="LC_free_space" value="'.$free_space.'" />'
.'<input type="hidden" name="currentpath" value="'.$current_path.'" />'
.'<input type="hidden" name="action" value="'.$env{"form.action"}.'" />'
.'<input type="hidden" name="symb" value="'.$env{"form.symb"}.'" />'
@@ -267,13 +267,16 @@ sub display_directory_line {
sub display_directory {
my ($r,$url,$current_path,$is_empty,$dir_list,$group,$can_upload,
- $can_modify,$can_delete,$can_setacl)=@_;
+ $can_modify,$can_delete,$can_setacl,$can_viewacl)=@_;
my $iconpath= $r->dir_config('lonIconsURL') . "/";
my $select_mode;
my $checked_files;
my $port_path = &get_port_path();
my ($uname,$udom) = &get_name_dom($group);
- my $access_admin_text = &mt('View Status');
+ my $access_admin_text;
+ if ($can_viewacl) {
+ $access_admin_text = &mt('View Status');
+ }
if ($can_setacl) {
$access_admin_text = &mt('View/Change Status');
}
@@ -514,7 +517,7 @@ sub display_directory {
}
}
&display_directory_line($r,$select_mode, $filename, $mtime, $size, $css_class, $line,
- \%access_controls, $curr_access,$now, $version_flag, $href_location,
+ \%access_controls, $curr_access, $now, $version_flag, $href_location,
$url, $current_path, $access_admin_text);
if ($show_versions) {
foreach my $dir_line (@{ $versioned{$fullpath} }) {
@@ -887,7 +890,7 @@ sub access_for_renamed {
}
sub display_access {
- my ($r,$url,$group,$can_setacl,$port_path,$action) = @_;
+ my ($r,$url,$group,$can_setacl,$can_viewacl,$port_path,$action) = @_;
my ($uname,$udom) = &get_name_dom($group);
my $file_name = $env{'form.currentpath'}.$env{'form.access'};
$file_name = &prepend_group($file_name);
@@ -897,6 +900,8 @@ sub display_access {
my $aclcount = keys(%access_controls);
my ($header,$info);
if ($action eq 'chgaccess') {
+ my $uhome = &Apache::lonnet::homeserver($uname,$udom);
+ my $prefix = &Apache::lonnet::url_prefix($r,$udom,$uhome,'web');
$header =
'<h2>'
.&mt('Allowing others to retrieve file: [_1]'
@@ -909,13 +914,13 @@ sub display_access {
$info .= '</li><li>'.&mt('Passphrase-protected files do not require log-in, but will require the viewer to enter the passphrase you set.');
$info .= '</li><li>'.&explain_conditionals();
$info .= '</li></ul>'.
- &mt('A listing of files viewable without log-in is available at: ')."<a href=\"/adm/$udom/$uname/aboutme/portfolio\">".&Apache::lonnet::absolute_url($ENV{'SERVER_NAME'})."/adm/$udom/$uname/aboutme/portfolio</a>.<br />";
+ &mt('A listing of files viewable without log-in is available at: ')."<a href=\"$prefix/adm/$udom/$uname/aboutme/portfolio\">$prefix/adm/$udom/$uname/aboutme/portfolio</a>.<br />";
if ($group eq '') {
$info .= &mt("For logged in users a 'Display file listing' link will also appear (when there are viewable files) on your personal information page:");
} else {
$info .= &mt("For logged in users a 'Display file listing' link will also appear (when there are viewable files) on the course information page:");
}
- $info .= "<br /><a href=\"/adm/$udom/$uname/aboutme\">".&Apache::lonnet::absolute_url($ENV{'SERVER_NAME'})."/adm/$udom/$uname/aboutme</a><br />";
+ $info .= "<br /><a href=\"$prefix/adm/$udom/$uname/aboutme\">$prefix/adm/$udom/$uname/aboutme</a><br />";
if ($group ne '') {
$info .= &mt("Users with course editing rights may add a 'Group Portfolio' item using the Course Editor (Collaboration tab), to provide access to viewable group portfolio files.").'<br />';
}
@@ -936,13 +941,21 @@ sub display_access {
'cancel' => &mt('Return to directory'),
};
&close_form($r,$url,$button_text);
- } else {
+ } elsif ($can_viewacl) {
$r->print($header);
if ($aclcount) {
$r->print($info);
}
&view_access_settings($r,$url,$access_controls{$file_name},$aclcount);
+ } else {
+ $r->print($header);
+ $r->print(&mt('You do not have sufficient privileges to view access controls').'<br />');
}
+ my %anchor_fields = (
+ 'currentpath' => $env{'form.currentpath'}
+ );
+ $r->print('<br />'.&make_anchor($url, \%anchor_fields, &mt('Return to directory')));
+ return;
}
sub explain_conditionals {
@@ -2513,6 +2526,7 @@ sub missing_priv {
delete => 'delete files',
rename => 'rename files',
setacl => 'set access controls for files',
+ viewacl => 'view access controls for files',
);
my $escpath = &HTML::Entities::encode($env{'form.currentpath'},'&<>"');
my $rtnlink = '<a href="'.$url;
@@ -2549,13 +2563,15 @@ sub coursegrp_portfolio_header {
}
&Apache::lonhtmlcommon::add_breadcrumb
({href=>"/adm/$cdom/$cnum/$env{'form.group'}/smppg?ref=$env{'form.ref'}",
- text=>"$ucgpterm: $grp_desc",
- title=>"Go to group's home page"},
+ text=>&mt('Group').": $grp_desc",
+ title=>&mt("Go to group's home page"),
+ no_mt=>1},
{href=>"/adm/coursegrp_portfolio?".&group_args(),
text=>"Group Portfolio",
title=>"Display group portfolio"});
my $output = &Apache::lonhtmlcommon::breadcrumbs(
- &mt('[_1] portfolio files - [_2]',$gpterm,$grp_desc));
+ &mt('Group portfolio files - [_1]',$grp_desc),
+ undef,undef,undef,undef,1);
return $output;
}
@@ -2615,6 +2631,45 @@ sub free_space {
return $free_space;
}
+sub valid_container {
+ my ($uname,$udom,$group) = @_;
+ my $container_prefix;
+ if ($group ne '') {
+ $container_prefix = "/uploaded/$udom/$uname/groups/$group/portfolio";
+ } else {
+ $container_prefix = "/uploaded/$udom/$uname/portfolio";
+ }
+ if ($env{'form.currentpath'}) {
+ $container_prefix .= $env{'form.currentpath'};
+ } else {
+ $container_prefix .= '/';
+ }
+ if ($env{'form.container'} =~ m{^\Q$container_prefix\E(.+)$}) {
+ my $filename = $1;
+ if ($filename eq &Apache::lonnet::clean_filename($filename)) {
+ return 1;
+ }
+ }
+ return;
+}
+
+sub invalid_parms {
+ my ($r,$url,$currentpath) = @_;
+ my $escpath = &HTML::Entities::encode($currentpath,'&<>"');
+ my $rtnlink = '<a href="'.$url;
+ if ($url =~ /\?/) {
+ $rtnlink .= '&';
+ } else {
+ $rtnlink .= '?';
+ }
+ $rtnlink .= 'currentpath='.$escpath;
+ $rtnlink .= '">'.&mt('Return to directory').'</a>';
+ $r->print('<h3>'.&mt('Action disallowed').'</h3>');
+ $r->print(&mt('Some of the data included with this request were invalid'));
+ $r->print('<br />'.$rtnlink);
+ return;
+}
+
sub handler {
# this handles file management
my $r = shift;
@@ -2627,7 +2682,7 @@ sub handler {
$url = $1.$2;
$caller = $2;
}
- my ($can_modify,$can_delete,$can_upload,$can_setacl);
+ my ($can_modify,$can_delete,$can_upload,$can_setacl,$can_viewacl);
if ($caller eq 'coursegrp_portfolio') {
# Needs to be in a course
if (! ($env{'request.course.fn'})) {
@@ -2671,6 +2726,7 @@ sub handler {
$can_delete = 1;
$can_upload = 1;
$can_setacl = 1;
+ $can_viewacl = 1;
} else {
if (&Apache::lonnet::allowed('agf',$env{'request.course.id'}.'/'.$group)) {
$can_setacl = 1;
@@ -2684,6 +2740,9 @@ sub handler {
if (&Apache::lonnet::allowed('dgf',$env{'request.course.id'}.'/'.$group)) {
$can_delete = 1;
}
+ if (&Apache::lonnet::allowed('rgf',$env{'request.course.id'}.'/'.$group)) {
+ $can_viewacl = 1;
+ }
}
} else {
($uname,$udom) = &get_name_dom();
@@ -2692,7 +2751,11 @@ sub handler {
$can_modify = 1;
$can_delete = 1;
$can_upload = 1;
- $can_setacl = 1;
+ if (&Apache::lonnet::usertools_access('','','portaccess',
+ undef,'tools')) {
+ $can_viewacl = 1;
+ $can_setacl = 1;
+ }
}
my $port_path = &get_port_path();
@@ -2728,8 +2791,9 @@ sub handler {
}
$r->rflush();
# Check if access to portfolio is blocked by one or more blocking events in courses.
+ my $clientip = &Apache::lonnet::get_requestor_ip($r);
my ($blocked,$blocktext) =
- &Apache::loncommon::blocking_status('port',$uname,$udom);
+ &Apache::loncommon::blocking_status('port',$clientip,$uname,$udom);
if ($blocked) {
my $evade_block;
# If portfolio display is in a window popped up from a "Select Portfolio Files"
@@ -2764,6 +2828,21 @@ sub handler {
return OK;
}
}
+ if (($env{'form.currentpath'}) && ($env{'form.currentpath'} ne '/')) {
+ my $clean_currentpath = '/'.&Apache::loncommon::clean_path($env{'form.currentpath'}).'/';
+ unless ($env{'form.currentpath'} eq $clean_currentpath) {
+ &invalid_parms($r,$url);
+ $r->print(&Apache::loncommon::end_page());
+ return OK;
+ }
+ }
+ if ($env{'form.container'}) {
+ unless (&valid_container($uname,$udom,$group)) {
+ &invalid_parms($r,$url,$env{'form.currentpath'});
+ $r->print(&Apache::loncommon::end_page());
+ return OK;
+ }
+ }
if (($env{'form.storeupl'}) & (!$env{'form.uploaddoc.filename'})){
$r->print(
'<p><span class="LC_warning">'
@@ -2857,10 +2936,14 @@ sub handler {
}
} elsif ($env{'form.access'}) {
$env{'form.selectfile'} = $env{'form.access'};
- if (!defined($env{'form.action'})) {
+ if (!defined($env{'form.action'})) {
$env{'form.action'} = 'chgaccess';
}
- &display_access($r,$url,$group,$can_setacl,$port_path,$env{'form.action'});
+ if (($can_viewacl) || ($can_setacl)) {
+ &display_access($r,$url,$group,$can_setacl,$can_viewacl,$port_path,$env{'form.action'});
+ } else {
+ &missing_priv($r,$url,'viewacl');
+ }
} elsif (($env{'form.action'} eq 'chgaccess') ||
($env{'form.action'} eq 'chgconditions')) {
if ($can_setacl) {
@@ -2934,7 +3017,8 @@ sub handler {
&display_common($r,$url,$current_path,$is_empty,$dirlistref,
$can_upload,$group);
&display_directory($r,$url,$current_path,$is_empty,$dirlistref,$group,
- $can_upload,$can_modify,$can_delete,$can_setacl);
+ $can_upload,$can_modify,$can_delete,$can_setacl,
+ $can_viewacl);
}
$r->print(&Apache::loncommon::end_page());
return OK;