<?php
require_once('../../../config.php');
require_once(FOLDER_RELATIVE_COMMON . 'authorization.php');
require_once(FOLDER_RELATIVE_COMMON . 'database.php');
require_once(FOLDER_RELATIVE_COMMON . 'html.php');
$exitearly = true;
$errors = '';
// Routing keys come from the query string; a missing key reads as ''.
$stage = '';
$request = '';
if (isset($_GET['stage'])) {
    $stage = $_GET['stage'];
}
if (isset($_GET['request'])) {
    $request = $_GET['request'];
}
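if ($request == 'xml') {
    header('Content-Type: text/xml');
    // Element-content escaping: titles originate from user-chosen upload names
    // and the id reaches the session from the query string, so no value is
    // concatenated into the document raw.
    $xml_text = function ($value) {
        return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    };
    $record = function ($key, $value) use ($xml_text) {
        return ' <record><key>' . $key . '</key><value>' . $xml_text($value) . '</value></record>' . "\n";
    };
    $session_id = isset($_SESSION['id']) ? $_SESSION['id'] : '';
    $xml = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' . "\n";
    $xml .= '<root>' . "\n";
    if ($stage == 'add') {
        // The 'add' form only needs to know which folder it is adding into.
        $xml .= ' <controls_input>' . "\n";
        $xml .= $record('request', 'add');
        $xml .= $record('stage', $stage);
        $xml .= $record('parent_id', $session_id);
        $xml .= $record('file_or_folder', 'file');
        $xml .= ' </controls_input>' . "\n";
    } else if ($stage == 'edit') {
        $file_id = $session_id;
        $sql = 'SELECT title, path, parent_id, is_file FROM Files WHERE id = ?';
        $row = databaseGetRow($sql, array($file_id));
        // An unknown id yields empty controls instead of notices on a missing row
        // (presumably databaseGetRow returns something falsy then; verify in database.php).
        if (!$row) {
            $row = array('title' => '', 'parent_id' => '', 'is_file' => '');
        }
        // is_file is 'N' for folders; anything else is treated as a file.
        $file_or_folder = ($row['is_file'] == 'N') ? 'folder' : 'file';
        $xml .= ' <controls_input>' . "\n";
        $xml .= $record('request', 'edit');
        $xml .= $record('stage', $stage);
        $xml .= $record('file_id', $file_id);
        $xml .= $record('file_title', $row['title']);
        $xml .= $record('parent_id', $row['parent_id']);
        $xml .= $record('file_or_folder', $file_or_folder);
        $xml .= ' </controls_input>' . "\n";
    }
    $xml .= '</root>' . "\n";
    echo $xml;
    exit;
}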
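// Lower-cased extension of an upload name, '' when the name has no dot.
// Replaces ereg_replace(), which no longer exists in PHP 7+ and, for a name
// without a dot, returned the whole name as the "extension".
$extension_of = function ($name) {
    return strtolower(pathinfo((string) $name, PATHINFO_EXTENSION));
};
// The extension is the only client-controlled part of the stored file name and
// decides how the web server treats the file, so it is restricted to plain
// alphanumerics and server-side script extensions are refused.
$extension_is_safe = function ($extension) {
    if ($extension === '') {
        return true;
    }
    if (!preg_match('/^[a-z0-9]+$/', $extension)) {
        return false;
    }
    if (strpos($extension, 'php') !== false) {
        return false;
    }
    return !in_array($extension, array('phtml', 'phar'), true);
};
// Error text is echoed to the browser as HTML, so anything taken from the
// request or the database is escaped before it is interpolated.
$html = function ($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
};
// Form field accessor; a missing field reads as '' instead of raising a notice.
$post = function ($key) {
    return isset($_POST[$key]) ? $_POST[$key] : '';
};
if ($request == 'add') {
    if ($stage == 'add') {
        $file_or_folder = $post('file_or_folder');
        // Grab the parent path (needed for files and folders).
        $parent_id = $post('parent_id');
        $parent_path = databaseGetValue('SELECT path FROM Files WHERE id = ?', array($parent_id));
        if ($file_or_folder == 'folder') {
            $title = stripslashes($post('folder_title'));
            $path = $parent_path . cleanFolderName($title);
            // Create the folder in the filesystem before recording it.
            if (mkdir($path, 0774)) {
                $sql = 'INSERT INTO Files (id, parent_id, is_file, title, path) VALUES ( ?, ?, ?, ?, ? )';
                databaseExecuteReturnId($sql, array(0, $parent_id, 'N', $title, $path), 'files_id_seq');
            } else {
                $errors .= 'Failed creating new directory.' . "\n";
            }
        }
        if ($file_or_folder == 'file') {
            $counter = 0;
            $upload_errors = isset($_FILES['userfile']['error']) ? (array) $_FILES['userfile']['error'] : array();
            // Loop thru each file and move it from the temp dir to the upload dir.
            foreach ($upload_errors as $key => $error) {
                $counter++;
                $title = isset($_FILES['userfile']['name'][$key]) ? $_FILES['userfile']['name'][$key] : '';
                $shown_title = $html($title);
                switch ($error) {
                    case UPLOAD_ERR_OK:
                        $tempname = $_FILES['userfile']['tmp_name'][$key];
                        $extension = $extension_of($title);
                        if (!$extension_is_safe($extension)) {
                            $errors .= "File '$shown_title' has an extension that is unsafe to upload.\n";
                            break;
                        }
                        // The stored name is generated server-side; only the vetted extension is kept.
                        $filename = date('Y-m-d-His') . "-$counter" . ($extension === '' ? '' : ".$extension");
                        $path = $parent_path . $filename;
                        // Move first and record second, so a failed move leaves no row pointing at nothing.
                        if (!move_uploaded_file($tempname, $path)) {
                            $errors .= "Unable to upload file $shown_title; reason unknown.<br />\n";
                            break;
                        }
                        if (!chmod($path, 01774)) {
                            $errors .= "Unable to change permissions on uploaded file.<br />\n";
                        }
                        $sql = 'INSERT INTO Files (parent_id, is_file, title, path) VALUES ( ?, ?, ?, ? )';
                        databaseExecute($sql, array($parent_id, 'Y', $title, $path));
                        break;
                    case UPLOAD_ERR_INI_SIZE:
                        $errors .= "File '$shown_title' size exceeds upload max (set on the server).\n";
                        break;
                    case UPLOAD_ERR_FORM_SIZE:
                        $errors .= "File '$shown_title' size exceeds upload max (set on form).\n";
                        break;
                    case UPLOAD_ERR_PARTIAL:
                        $errors .= "File '$shown_title' was only partially uploaded. Please retry.\n";
                        break;
                    case UPLOAD_ERR_NO_TMP_DIR:
                        $errors .= "No temporary directory, unable to upload '$shown_title'.\n";
                        break;
                    case UPLOAD_ERR_NO_FILE:
                        // No file attempted to upload -> not an error!
                        break;
                    default:
                        // UPLOAD_ERR_CANT_WRITE, UPLOAD_ERR_EXTENSION or an unknown code.
                        $errors .= "File '$shown_title' could not be uploaded (error code $error).\n";
                        break;
                }
            }
        }
    } else {
        // Send user to the 'add' form.
        $_SESSION['id'] = isset($_GET['id']) ? $_GET['id'] : '';
        $stage = 'add';
        $exitearly = false;
    }
} else if ($request == 'edit') {
    if ($stage == 'edit') {
        $file_or_folder = $post('file_or_folder');
        if ($file_or_folder == 'folder') {
            // Grab the original path.
            $file_id = $post('file_id');
            $row = databaseGetRow('SELECT title, path FROM Files WHERE id = ?', array($file_id));
            if (!$row) {
                $errors .= "Unknown folder id " . $html($file_id) . ".<br />\n";
            } else {
                $orig_title = $row['title'];
                $orig_folder = cleanFolderName($orig_title);
                $orig_path = $row['path'];
                // Figure out the new path: only the last component changes.
                $new_title = stripslashes($post('folder_title'));
                $new_folder = cleanFolderName($new_title);
                $new_path = substr($orig_path, 0, strlen($orig_path) - strlen($orig_folder)) . $new_folder;
                if (is_dir($new_path) && $orig_path !== $new_path) {
                    // Don't move if folder already exists and we're not just altering case on the title.
                    $errors .= "The destination folder path (" . $html($new_path) . ") already exists.<br />\n";
                    $exitearly = true;
                } elseif (!rename($orig_path, $new_path)) {
                    // The database is only touched once the filesystem move succeeded.
                    $errors .= "Unable to rename folder " . $html($orig_title) . ".<br />\n";
                } else {
                    // Store the new path to the database.
                    $sql = 'UPDATE Files SET title = ?, path = ? WHERE id = ?';
                    databaseExecute($sql, array($new_title, $new_path, $file_id));
                    // Recursively update the paths on all children. LIKE treats '%' and '_'
                    // in the old path as wildcards, so the prefix is re-checked here.
                    $sql = "SELECT * FROM Files WHERE id <> ? AND path LIKE ?";
                    $rows = databaseGetRows($sql, array($file_id, $orig_path . '%'));
                    foreach ($rows as $child) {
                        if (strpos($child['path'], $orig_path) !== 0) {
                            continue;
                        }
                        $updated_path = $new_path . substr($child['path'], strlen($orig_path));
                        databaseExecute('UPDATE Files SET path = ? WHERE id = ?', array($updated_path, $child['id']));
                    }
                }
            }
        }
        if ($file_or_folder == 'file') {
            // Grab the original file's info.
            $file_id = $post('file_id');
            $sql = 'SELECT title, path from Files where id = ?';
            $row = databaseGetRow($sql, array($file_id));
            $orig_title = $row ? $row['title'] : '';
            $orig_path = $row ? $row['path'] : '';
            // Grab info about the incoming file.
            $temp_title = isset($_FILES['userfile']['name'][0]) ? $_FILES['userfile']['name'][0] : '';
            $temp_name = isset($_FILES['userfile']['tmp_name'][0]) ? $_FILES['userfile']['tmp_name'][0] : '';
            // The replacement is written over the original path, so it must keep the
            // original's extension and that extension must still pass the upload rules.
            $extension_orig = $extension_of($orig_title);
            $extension_temp = $extension_of($temp_title);
            if (!$row) {
                $errors .= "Unknown file id " . $html($file_id) . ".<br />\n";
            } elseif ($extension_orig !== $extension_temp || !$extension_is_safe($extension_temp)) {
                $errors .= "The filename or type of file you attempted to upload does not match the original.<br />\n";
                $errors .= "id of " . $html($file_id) . ", files: " . $html($orig_title) . " vs. " . $html($temp_title);
            } elseif (!move_uploaded_file($temp_name, $orig_path)) {
                $errors .= "Unable to upload file " . $html($temp_title) . "; reason unknown.<br />\n";
            } elseif (!chmod($orig_path, 01774)) {
                $errors .= "Unable to change permissions on uploaded file.<br />\n";
            }
        }
    } else {
        // Send user to the 'edit' form.
        $_SESSION['id'] = isset($_GET['id']) ? $_GET['id'] : '';
        $stage = 'edit';
        $exitearly = false;
    }
} else if ($request == 'delete') {
    // NOTE(review): this is a state change driven by a GET parameter; moving it to a
    // POST with a request token would need form changes outside this file.
    $file_id = isset($_GET['id']) ? $_GET['id'] : '';
    if ($file_id !== '') {
        // Grab the path.
        $sql = 'SELECT path, is_file FROM Files WHERE id = ?';
        $row = databaseGetRow($sql, array($file_id));
        $result = false;
        if ($row) {
            $path = $row['path'];
            // Delete the file (or folder) from the filesystem; the existence checks
            // replace the former @-suppression of unlink() warnings.
            if ($row['is_file'] === 'Y') {
                $result = is_file($path) && unlink($path);
            } else {
                $result = is_dir($path) && rmdir($path);
            }
        }
        // Remove the record only after the filesystem delete succeeded.
        if ($result) {
            $sql = 'DELETE FROM Files WHERE id = ?';
            databaseExecute($sql, array($file_id));
        } else {
            // Appended, not assigned, so earlier messages are not discarded.
            $errors .= "Unable to delete file or folder; reason unknown.";
        }
    }
}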
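if ($exitearly) {
    // TODO: find a neat way to out the error messages to the user.
    if ($errors !== '') {
        // $errors is emitted as HTML, so any request-derived text must already
        // be escaped at the point where it was appended.
        echo $errors;
        exit;
    }
    header('Location: admin_files_list.php');
    exit;
}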
// Show the files list form.
require_once(FOLDER_RELATIVE_COMMON . 'builder-admin.php');
// Pieces handed to the admin page builder. $stage is 'add' or 'edit' here:
// the routing above sets it alongside clearing $exitearly.
$title = 'Files';
$content = 'admin_files.html';
$header = '<script type="text/javascript" src="admin_files.js"></script>' . "\n";
$onload = sprintf(
    "jaxFormSetCallBack(initializePage); jaxFormRegister('admin_files.php?request=xml&stage=%s');",
    $stage
);
echo buildAdminPage($header, $onload, $title, $content);
?>