move code up one directory
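<?php
/***********************************************************************/
/* ATutor                                                              */
/***********************************************************************/
/* Copyright (c) 2002-2010                                             */
/* Inclusive Design Institute                                          */
/* http://atutor.ca                                                    */
/*                                                                     */
/* This program is free software. You can redistribute it and/or       */
/* modify it under the terms of the GNU General Public License         */
/* as published by the Free Software Foundation.                       */
/***********************************************************************/
// $Id$
/*
 * get_photo.php -- streams one photo-album image (original or thumbnail)
 * to the browser.
 *
 * Request parameters (all read from $_GET):
 *   aid   album id (cast to int)
 *   pid   photo id (cast to int)
 *   ph    per-photo hash; must equal getPhotoFilePath(id, '', created_date)
 *         for the requested photo, otherwise the request is answered 404
 *   size  'o' for the original image, anything else for the thumbnail
 *
 * Every failure path sends "404 Not Found" and exits; the file is only
 * streamed when its resolved path lies inside AT_CONTENT_DIR.
 */
define('AT_INCLUDE_PATH', '../../../include/');
@ob_end_clean();
header("Content-Encoding: none");

$_user_location = 'public';

require(AT_INCLUDE_PATH . 'vitals.inc.php');
require(AT_INCLUDE_PATH . 'lib/mime.inc.php');
include (AT_PA_INCLUDE.'classes/PhotoAlbum.class.php');
include (AT_PA_INCLUDE.'lib.inc.php');

// Read the request parameters defensively: a missing key must not raise a
// notice, and 'ph' has to be a string (an array value can never match the
// hash and would break the comparison below).
$aid = isset($_GET['aid']) ? intval($_GET['aid']) : 0;                        //album id
$pid = isset($_GET['pid']) ? intval($_GET['pid']) : 0;                        //photo id
$ph  = (isset($_GET['ph']) && is_string($_GET['ph'])) ? $_GET['ph'] : '';     //pid hash

//To increase security so users can't freely browse thru the album,
//add a block here to take in an extra $_GET variable that reads the pid_path
//check it against the PhotoFilePath here and see if it matches.
//if not, return a "File not found" image.
//TODO

$pa = new PhotoAlbum($aid);
$album_info = $pa->getAlbumInfo();
$photo_info = $pa->getPhotoInfo($pid);

// An unknown album or photo id must not be turned into a file path built
// from missing fields; answer 404 instead.
// NOTE(review): assumes getAlbumInfo()/getPhotoInfo() return an empty value
// for ids that do not exist -- confirm against PhotoAlbum.class.php.
if (empty($album_info) || empty($photo_info)) {
    header('HTTP/1.1 404 Not Found', TRUE);
    exit;
}

$album_file_path = getAlbumFilePath($album_info['id'], $album_info['created_date']);
if (isset($_GET['size']) && $_GET['size'] === 'o') {
    //if original
    $album_file_path .= DIRECTORY_SEPARATOR;
} else {
    //if thumbnail
    $album_file_path .= '_tn'.DIRECTORY_SEPARATOR;
}
$photo_file_path = getPhotoFilePath($photo_info['id'], $photo_info['name'], $photo_info['created_date']);
$photo_file_hash = getPhotoFilePath($photo_info['id'], '', $photo_info['created_date']);

//if hash doesn't match, then don't load the picture.
//to prevent trial and error on URL for photos.
//This runs before anything that modifies the album, so a guessed pid
//without the matching hash cannot reach deletePhoto() below.
if (function_exists('hash_equals')) {
    $hash_ok = hash_equals((string) $photo_file_hash, $ph);   // constant-time compare (PHP >= 5.6)
} else {
    $hash_ok = ($ph === (string) $photo_file_hash);
}
if (!$hash_ok) {
    header('HTTP/1.1 404 Not Found', TRUE);
    exit;
}

$file = AT_PA_CONTENT_DIR . $album_file_path . $photo_file_path;

//if file does not exist, drop the stale record and quit.
if (!file_exists($file)) {
    //TODO: Clean files silently, cleaned but garbaged link remains on page.
    //Remove node from the DOM tree?
    $pa->deletePhoto($pid);
    header('HTTP/1.1 404 Not Found', TRUE);
    exit;
}

// Map the extension to a MIME type through $mime (defined by mime.inc.php):
// try the extension as written, then lower-cased, else fall back to a
// generic binary type rather than reading an undefined index.
$pathinfo = pathinfo($file);
$ext = isset($pathinfo['extension']) ? $pathinfo['extension'] : '';
if (isset($mime[$ext][0])) {
    $content_type = $mime[$ext][0];
} elseif (isset($mime[strtolower($ext)][0])) {
    $content_type = $mime[strtolower($ext)][0];
} else {
    $content_type = 'application/octet-stream';
}

$real = realpath($file);   // false when the path cannot be resolved

// Serve only when the resolved path is inside AT_CONTENT_DIR, so a stored
// name containing '..' cannot escape it. This is a plain prefix compare: it
// relies on AT_CONTENT_DIR ending in a separator (or no sibling directory
// sharing the same prefix) -- confirm how the constant is defined.
if ($real !== false && file_exists($real) && (substr($real, 0, strlen(AT_CONTENT_DIR)) === AT_CONTENT_DIR)) {

    // Escape '\' and '"' so a stored file name cannot terminate the quoted
    // header value early (header() itself refuses CR/LF).
    $disposition_name = str_replace(array('\\', '"'), array('\\\\', '\\"'), $photo_file_path);
    header('Content-Disposition: filename="'.$disposition_name.'"');

    /**
     * although we can check if mod_xsendfile is installed in apache2
     * we can't actually check if it's enabled. also, we can't check if
     * it's enabled and installed in lighty, so instead we send the
     * header anyway, if it works then the line after it will not
     * execute. if it doesn't work, then the line after it will replace
     * it so that the full server path is not exposed.
     *
     * x-sendfile is supported in apache2 and lighttpd 1.5+ (previously
     * named x-send-file in lighttpd 1.4)
     */
    header('x-Sendfile: '.$real);
    header('x-Sendfile: ', TRUE); // if we get here then it didn't work

    header('Content-Type: '.$content_type);

    @readfile($real);
    exit;
} else {
    header('HTTP/1.1 404 Not Found', TRUE);
    exit;
}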