Context Navigation

files_addedit.php

Revision 727, 8.6 KB (checked in by brieb, 2 years ago)
Added more rights look ups to certain pages Fixed several path disclosure errors
Property svn:keywords set to `LastChangedBy LastChangedDate LastChangedRevision`

Line
1	<?php
2	/*
3	$Rev$ \| $LastChangedBy$
4	$LastChangedDate$
5	+-------------------------------------------------------------------------+
6	\| Copyright (c) 2004 - 2010, Kreotek LLC \|
7	\| All rights reserved. \|
8	+-------------------------------------------------------------------------+
9	\| \|
10	\| Redistribution and use in source and binary forms, with or without \|
11	\| modification, are permitted provided that the following conditions are \|
12	\| met: \|
13	\| \|
14	\| - Redistributions of source code must retain the above copyright \|
15	\| notice, this list of conditions and the following disclaimer. \|
16	\| \|
17	\| - Redistributions in binary form must reproduce the above copyright \|
18	\| notice, this list of conditions and the following disclaimer in the \|
19	\| documentation and/or other materials provided with the distribution. \|
20	\| \|
21	\| - Neither the name of Kreotek LLC nor the names of its contributore may \|
22	\| be used to endorse or promote products derived from this software \|
23	\| without specific prior written permission. \|
24	\| \|
25	\| THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \|
26	\| "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT \|
27	\| LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A \|
28	\| PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT \|
29	\| OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, \|
30	\| SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT \|
31	\| LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, \|
32	\| DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \|
33	\| THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT \|
34	\| (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE \|
35	\| OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. \|
36	\| \|
37	+-------------------------------------------------------------------------+
38	*/
39
40	include("../../include/session.php");
41	include("include/tables.php");
42	include("include/fields.php");
43	include("include/files.php");
44
45	if(!isset($_GET["backurl"])){
46	$thetable = new files($db, "tbld:80b4f38d-b957-bced-c0a0-ed08a0db6475");
47
48	$pageTitle="File";
49	} else {
50	include("include/attachments.php");
51
52	$backurl=$_GET["backurl"];
53	if(isset($_GET["refid"]))
54	$backurl.="?refid=".$_GET["refid"];
55
56	$thetable = new attachments($db, "tbld:80b4f38d-b957-bced-c0a0-ed08a0db6475",$backurl);
57
58	$pageTitle="File Attachment";
59	}
60
61	$therecord = $thetable->processAddEditPage();
62
63	if(!hasRights($therecord["roleid"]))
64	goURL("../../noaccess.php");
65
66	if(isset($therecord["phpbmsStatus"]))
67	$statusmessage = $therecord["phpbmsStatus"];
68
69
70	function getAttachments($db,$uuid){
71	$querystatement = "
72	SELECT
73	`tabledefs`.`displayname`,
74	`attachments`.`recordid`,
75	`attachments`.`creationdate`,
76	`tabledefs`.`editfile`
77	FROM
78	`attachments`INNER JOIN `tabledefs` ON `attachments`.`tabledefid`=`tabledefs`.`uuid`
79	WHERE `attachments`.`fileid`='".$uuid."'
80	";
81	$queryresult=$db->query($querystatement);
82
83	return $queryresult;
84	}
85
86	$phpbms->cssIncludes[] = "pages/files.css";
87	$phpbms->jsIncludes[] = "modules/base/javascript/file.js";
88
89	//Form Elements
90	//==============================================================
91	$theform = new phpbmsForm();
92	$theform->enctype = "multipart/form-data";
93
94	if(isset($therecord["id"])){
95	$theinput = new inputField("name",$therecord["name"],NULL,true,NULL,64,128);
96	$theinput->setAttribute("class","important");
97	$theform->addField($theinput);
98	}
99
100	$theinput = new inputField("type", $therecord["type"], "file type", false, null, 25);
101	$theinput->setAttribute("readonly", "readonly");
102	$theinput->setAttribute("class", "uneditable");
103	$theform->addField($theinput);
104
105	$theinput = new inputRolesList($db,"roleid",$therecord["roleid"],"access (role)");
106	$theform->addField($theinput);
107
108	if(isset($_GET["tabledefid"]) && !isset($therecord["id"])){
109
110	$theinput = new inputSmartSearch($db, "fileid", "Pick File", "", "exisiting file", false, 40);
111	$theform->addField($theinput);
112
113	}//end if
114
115	$thetable->getCustomFieldInfo();
116	$theform->prepCustomFields($db, $thetable->customFieldsQueryResult, $therecord);
117	$theform->jsMerge();
118	//==============================================================
119	//End Form Elements
120
121	include("header.php");
122
123	?><div class="bodyline">
124	<?php $theform->startForm($pageTitle)?>
125
126	<fieldset id="fsAttributes">
127	<legend>Attributes</legend>
128	<p id="roleidP"><?php $theform->showField("roleid")?></p>
129
130	<p><?php $theform->showField("type"); ?></p>
131
132	</fieldset>
133
134	<div id="leftSideDiv">
135	<fieldset>
136	<legend>file</legend>
137	<?php if(isset($_GET["tabledefid"])){?>
138	<input id="attachmentid" name="attachmentid" type="hidden" value="<?php echo $therecord["attachmentid"]?>" />
139	<input id="tabledefid" name="tabledefid" type="hidden" value="<?php echo $_GET["tabledefid"]?>" />
140	<input id="recordid" name="recordid" type="hidden" value="<?php echo (integer) $_GET["refid"]?>" />
141	<?php }?>
142
143	<?php if($therecord["id"]) {?>
144	<p>
145	<button type="button" class="Buttons" onclick="document.location='../../servefile.php?i=<?php echo $therecord["id"]?>'">View/Download <?php echo $therecord["name"] ?></button>
146	</p>
147	<p class="big">
148	<?php $theform->showField("name")?><br />
149	<span class="notes">If the file name does <strong>not</strong> include an extension your browser may not be able to download/view the file correctly.</span>
150	</p>
151	<p>
152	<label for="upload">replace file</label><br />
153	<input id="upload" name="upload" type="file" size="64" tabindex="260" />
154	</p>
155	<?php } else {?>
156	<?php if(isset($_GET["tabledefid"])){?>
157	<p><br />
158	<input class="radiochecks" type="radio" name="newexisting" id="newfile" value="new" checked="checked" onclick="switchFile()" /><label for="newfile">new file</label>
159	<input type="radio" class="radiochecks" name="newexisting" id="existingfile" value="existing" onclick="switchFile()" /><label for="existingfile">existing file</label><br />
160	<span class="notes">Choose "existing file" if the file has already been uploaded into phpBMS.</span>
161	</p>
162	<div class="fauxP" id="fileidlabel">
163	<?php $theform->showField("fileid");?>
164	</div>
165	<?php }?>
166	<p id="uploadlabel">
167	<label for="upload">upload new file</label><br />
168	<input id="upload" name="upload" type="file" size="64" tabindex="260" />
169	</p>
170	<?php } ?>
171	<p id="descriptionlabel">
172	<label for="content">description</label><br />
173	<textarea name="description" cols="45" rows="4" id="content"><?php echo htmlQuotes($therecord["description"])?></textarea>
174	</p>
175	</fieldset>
176	<?php
177	if($therecord["id"]) {
178	$attchmentsquery=getAttachments($db,$therecord["uuid"]);
179	if($db->numRows($attchmentsquery)){
180	?>
181	<h2>Record Attachments</h2>
182	<div class="fauxP">
183	<div style="" class="smallQueryTableHolder">
184	<table border="0" cellpadding="0" cellspacing="0" class="smallQueryTable">
185	<tr>
186	<th align="left">table</th>
187	<th align="left" nowrap="nowrap" width="99%">ID</th>
188	<th align="right" nowrap="nowrap">attached</th>
189	<th align="left" nowrap="nowrap"> </th>
190	</tr>
191	<?php
192	while($attachmentrecord=$db->fetchArray($attchmentsquery)){
193	?>
194	<tr>
195	<td nowrap="nowrap"><?php echo $attachmentrecord["displayname"] ?></td>
196	<td><?php echo $attachmentrecord["recordid"] ?></td>
197	<td align="right" nowrap="nowrap"><?php echo formatFromSQLDatetime($attachmentrecord["creationdate"]) ?></td>
198	<td>
199	<button class="graphicButtons buttonEdit" type="button" onclick="document.location='<?php echo APP_PATH.$attachmentrecord["editfile"]."?id=".$attachmentrecord["recordid"] ?>'"><span>edit</span></button>
200	</td>
201	</tr>
202	<?php
203	} ?></table></div></div><?php
204	}
205	}?>
206
207	<?php $theform->showCustomFields($db, $thetable->customFieldsQueryResult) ?>
208
209	</div>
210
211	<?php
212	$theform->showGeneralInfo($phpbms,$therecord);
213	$theform->endForm();
214	?>
215	</div>
216	<?php include("footer.php");?>

Note: See TracBrowser for help on using the browser.

phpBMS

Context Navigation

root/trunk/phpbms/modules/base/files_addedit.php

Download in other formats: