XoopsModules25x / xhelp

viewFile.php

<?php declare(strict_types=1);

/*
 * You may not change or alter any portion of this comment or credits
 * of supporting developers from this source code or any supporting source code
 * which is considered copyrighted (c) material of the original comment or credit authors.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 */

/**
 * @copyright    {@link https://xoops.org/ XOOPS Project}
 * @license      {@link https://www.gnu.org/licenses/gpl-2.0.html GNU GPL 2 or later}
 * @author       Brian Wahoff <ackbarr@xoops.org>
 * @author       Eric Juden <ericj@epcusa.com>
 * @author       XOOPS Development Team
 */

use Xmf\Request;
use XoopsModules\Xhelp;

require __DIR__ . '/header.php';
require_once \dirname(__DIR__, 2) . '/mainfile.php';

if (!defined('XHELP_CONSTANTS_INCLUDED')) {
    require_once XOOPS_ROOT_PATH . '/modules/xhelp/include/constants.php';
}

//require_once XHELP_BASE_PATH . '/functions.php';

global $xoopsUser, $xoopsDB, $xoopsConfig, $xoopsModuleConfig, $xoopsModule, $xoopsTpl, $xoopsRequestUri;
$helper = Xhelp\Helper::getInstance();

if (!$xoopsUser) {
    redirect_header(XOOPS_URL . '/user.php?xoops_redirect=' . htmlspecialchars($xoopsRequestUri, ENT_QUOTES | ENT_HTML5), 3);
}
$xhelp_id = 0;

if (Request::hasVar('id', 'GET')) {
    $xhelp_id = Request::getInt('id', 0, 'GET');
}

$viewFile = false;

/** @var \XoopsModules\Xhelp\FileHandler $fileHandler */
$fileHandler = $helper->getHandler('File');
/** @var \XoopsModules\Xhelp\TicketHandler $ticketHandler */
$ticketHandler = $helper->getHandler('Ticket');
/** @var \XoopsModules\Xhelp\StaffHandler $staffHandler */
$staffHandler = $helper->getHandler('Staff');
$file         = $fileHandler->get($xhelp_id);
$mimeType     = $file->getVar('mimetype');
$ticket       = $ticketHandler->get($file->getVar('ticketid'));

$filename_full = $file->getVar('filename');
if ($file->getVar('responseid') > 0) {
    $removeText = $file->getVar('ticketid') . '_' . $file->getVar('responseid') . '_';
} else {
    $removeText = $file->getVar('ticketid') . '_';
}
$filename = str_replace($removeText, '', $filename_full);

//Security:
// Only Staff Members, Admins, or ticket Submitter should be able to see file
if (userAllowed($ticket, $xoopsUser)) {

It seems like $ticket can also be of type false; however, parameter $ticket of userAllowed() does only seem to accept XoopsModules\Xhelp\Ticket, maybe add an additional type check?

    $viewFile = true;
} elseif ($staffHandler->isStaff($xoopsUser->getVar('uid'))) {
    $viewFile = true;
} elseif ($xoopsUser->isAdmin($xoopsModule->getVar('mid'))) {
    $viewFile = true;
}

if (!$viewFile) {
    $helper->redirect('index.php', 3, _NOPERM);
}

//Check if the file exists
$fileAbsPath = XHELP_UPLOAD_PATH . '/' . $filename_full;

The constant XHELP_UPLOAD_PATH was not found. Maybe you did not declare it correctly or list all dependencies?

if (!file_exists($fileAbsPath)) {
    $helper->redirect('index.php', 3, _XHELP_NO_FILES_ERROR);
}

header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Cache-Control: private', false);
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($fileAbsPath));

if (isset($mimeType)) {
    header('Content-Type: ' . $mimeType);
} else {
    header('Content-Type: application/octet-stream');
}

// Add Header to set filename
header('Content-Disposition: attachment; filename=' . $filename);

// Open the file
if (isset($mimeType) && false !== mb_strpos($mimeType, 'text/')) {
    $fp = fopen($fileAbsPath, 'rb');
} else {
    $fp = fopen($fileAbsPath, 'rb');
}

// Write file to browser
fpassthru($fp);

/**
 * @param Xhelp\Ticket $ticket
 * @param XoopsUser    $user
 * @return bool
 */
function userAllowed(Xhelp\Ticket $ticket, XoopsUser $user): bool
{
    $emails = $ticket->getEmails(true);
    foreach ($emails as $email) {
        if ($email->getVar('email') == $user->getVar('email')) {
            return true;
        }
    }

    return false;
}