Improve in how to show file attachment in record detail and how to ac…

…cess them.
slims · Apr 3, 2017 · 2f2b1af · 2f2b1af
1 parent 21bcda4
commit 2f2b1af
Show file tree

Hide file tree

Showing 5 changed files with 81 additions and 27 deletions.
diff --git a/lib/contents/error.inc.php b/lib/contents/error.inc.php
@@ -0,0 +1,50 @@
+<?php
+/**
+ *
+ * Librarian login page
+ * Copyright (C) 2007,2008  Arie Nugraha ([email protected]), Hendro Wicaksono ([email protected])
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ */
+
+// be sure that this file not accessed directly
+if (!defined('INDEX_AUTH')) {
+    die("can not access this file directly");
+} elseif (INDEX_AUTH != 1) { 
+    die("can not access this file directly");
+}
+
+
+$errmsg = NULL;
+if (isset($_GET['errnum'])) {
+    if ($_GET['errnum'] === '601') {
+        $errmsg = '<div class="alert alert-danger" role="alert">You have no authorization to download this file.</div>';
+    } else {
+        $errnum = FALSE;
+    }
+} else {
+    $errnum = FALSE;
+}
+
+#die('disini>');
+
+
+if ((!$errnum) AND (!is_null($errmsg))) {
+    echo $errmsg;
+} else {
+    header("location:index.php");
+}
+
diff --git a/lib/contents/fstream-pdf.inc.php b/lib/contents/fstream-pdf.inc.php
@@ -1,6 +1,6 @@
 <?php
-/**
- * Copyright (C) 2014  Arie Nugraha ([email protected]), Hendro Wicaksono ([email protected])
+/**
+ * Copyright (C) 2014  Arie Nugraha ([email protected]), Hendro Wicaksono ([email protected])
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -24,7 +24,7 @@
 } elseif (INDEX_AUTH != 1) { 
     die("can not access this file directly");
 }
-
+
 if ($sysconf['allow_pdf_download']) {
   // do nothing
 }
@@ -44,29 +44,28 @@
 if ($file_q->num_rows > 0) {
     $file_loc = REPOBS.str_ireplace('/', DS, $file_d['file_dir']).DS.$file_d['file_name'];
     if (file_exists($file_loc)) {
-
         if ($file_d['access_limit']) {
             if (utility::isMemberLogin()) {
                 $allowed_mem_types = @unserialize($file_d['access_limit']);
                 if (!in_array($_SESSION['m_member_type_id'], $allowed_mem_types)) {
-                    header("location:index.php");
+                    header("location:index.php?p=error&errnum=601");
                     continue;
                 }
             } else {
-                header("location:index.php");
+                $referto = SWB.'index.php?p=member&destination=index.php?p=fstream-pdf&fid='.$fileID.'&bid='.$biblioID;
+                header("location:$referto");
                 continue;
             }
         }
-
         header("Content-Description: File Transfer");
         header('Content-Disposition: attachment; filename="'.basename($file_loc).'"');
         header('Content-Type: '.$file_d['mime_type']);
         readfile($file_loc);
-        exit();
+        exit();
     } else {
       die('<div class="errorBox">File Not Found!</div>');
     }
-} else {
+} else {
   die('<div class="errorBox">File Not Found!</div>');
 }
-exit();
+exit();
diff --git a/lib/contents/fstream.inc.php b/lib/contents/fstream.inc.php
@@ -40,7 +40,7 @@
 $file_d = $file_q->fetch_assoc();
 
 if ($file_q->num_rows > 0) {
-  $file_loc_url = SWB.'/index.php?p=fstream-pdf&fid='.$fileID.'&bid='.$biblioID;
+  $file_loc_url = SWB.'index.php?p=fstream-pdf&fid='.$fileID.'&bid='.$biblioID;
   $file_loc = REPOBS.( $file_d['file_dir']?$file_d['file_dir'].'/':'' ).$file_d['file_name'];
   if (file_exists($file_loc)) {
     // check access limit
@@ -50,11 +50,12 @@
         if (!in_array($_SESSION['m_member_type_id'], $allowed_mem_types)) {
           # Access to file restricted
           # Member logged in but doesnt have privilege to download
-          header("location:index.php");
+          header("location:index.php?p=error&errnum=601");
           exit();
         }
       } else {
-        header("location:index.php");
+        $referto = SWB.'index.php?p=member&destination=index.php?p=fstream&fid='.$fileID.'&bid='.$biblioID;
+        header("location:$referto");
         exit();
         }
       }

diff --git a/lib/contents/member.inc.php b/lib/contents/member.inc.php
@@ -45,6 +45,18 @@
 define('PASSWD_NOT_MATCH', -2);
 define('CANT_UPDATE_PASSWD', -3);
 
+if (isset($_GET['destination'])) {
+    $destination = $_GET['destination'];
+    if (isset($_GET['fid'])) {
+        $destination .= '&fid='.$_GET['fid'];
+    }
+    if (isset($_GET['bid'])) {
+        $destination .= '&bid='.$_GET['bid'];
+    }
+} else {
+    $destination = FALSE;
+}
+
 // if member is logged out
 if (isset($_GET['logout']) && $_GET['logout'] == '1') {
     // write log
@@ -98,7 +110,11 @@
         if ($logon->valid($dbs)) {
             // write log
             utility::writeLogs($dbs, 'member', $username, 'Login', 'Login success for member '.$username.' from address '.$_SERVER['REMOTE_ADDR']);
-            header('Location: index.php?p=member');
+            if ($destination) {
+                header("location:$destination");
+            } else {
+                header('Location: index.php?p=member');
+            }
             exit();
         } else {
             $_member_sql = sprintf('SELECT member_name FROM member
@@ -233,7 +249,7 @@ function procChangePasswordNew($str_user, $str_curr_pass, $str_new_pass, $str_co
     <?php } ?>
     <!-- Captcha preloaded javascript - end -->
     <div class="loginInfo">
-    <form action="index.php?p=member" method="post">
+    <form action="index.php?p=member&destination=<?php echo $destination; ?>" method="post">
     <div class="fieldLabel"><?php echo __('Member ID'); ?></div>
         <div class="login_input"><input type="text" name="memberID" /></div>
     <div class="fieldLabel marginTop"><?php echo __('Password'); ?></div>

diff --git a/lib/detail.inc.php b/lib/detail.inc.php
@@ -126,18 +126,6 @@ public function getAttachments() {
           return false;
         }
         foreach ($this->record_detail['attachments'] as $attachment_d) {
-          // check member type privileges
-          if ($attachment_d['access_limit']) {
-            if (utility::isMemberLogin()) {
-              $allowed_mem_types = @unserialize($attachment_d['access_limit']);
-              if (!in_array($_SESSION['m_member_type_id'], $allowed_mem_types)) {
-                continue;
-              }
-            } else {
-              continue;
-            }
-          }
-          #if (preg_match('@(video|audio|image)/.+@i', $attachment_d['mime_type'])) {
           if ($attachment_d['mime_type'] == 'application/pdf') {
             $_output .= '<li class="attachment-pdf" style="list-style-image: url(images/labels/ebooks.png)" itemscope itemtype="http://schema.org/MediaObject"><a itemprop="name" property="name" class="openPopUp" title="'.$attachment_d['file_title'].'" href="./index.php?p=fstream&fid='.$attachment_d['file_id'].'&bid='.$attachment_d['biblio_id'].'" width="780" height="520">'.$attachment_d['file_title'].'</a>';
             $_output .= '<div class="attachment-desc" itemprop="description" property="description">'.$attachment_d['file_desc'].'</div>';