File database, <a href=""> works, but direct URL access in address bar doesn't

I got a really weird and annoying problem:

I have a file database that people can access; depending on the file status (pending, active, deleted) I allow access to it to different people. For example, pending is available only to the owner and admins, active is available to everyone and deleted is not available anymore.

My problem starts here: I did a web page that looks like a file browser, every file uploaded by the current user is displayed there, it's nothing complicated, just a simple HTML list of the different folders and files.

If you click on the file's link it loads the content-type, filename, reads the file and everything is sent to the user perfectly fine. Now if I take the URL of the link leading to the file and copy-paste it in the same window's address bar, the download fails. For example:

http://dev.palliscience.com/dev_mvg/Palli-Sciences/file_explorer/file.php?element_id=8214
Works perfectly fine if it's a link inside of the web site... BUT, if I copy-paste this URL in my address bar, it fails. This is no special site with engines rewriting URLs; it's a simple, normal file-by-file website.

Some other clues:

When I click on the link, IE states the filename, content type and source perfectly fine. When I copy-paste the URL, instead of seeing

magistra_recipes.sql
text/plain
dev.palliscience.com

I see

file.php?element_id=8113
text/plain
dev.palliscience.com

Both URLs are the same but IE reacts differently...

Here is the code of the page... (Line breaks may make the code look strange, don't mind them... there are none in the original file)

/**********************************************************************/
<?php
include("../include/authentification.php");
include('../includes/base.php');
include('../includes/db.php');
include('../includes/log.php');
include('../includes/lib/lib_filedb.php');

if(($sql = sql_connect()) === false){
	exit('Erreur de connection à la base de données. Veuillez réesaayer plus tard merci.');
}
log_pageaccess($sql);

//Block access if not in V2
if(!isset($_SESSION['sess_usev2']) || $_SESSION['sess_usev2'] != true){
	header('Location: ../profile/trans.php');
	sql_disconnect($sql);
	exit();
}

//Catch element_id (anything non-numeric becomes 0, which matches no row)
if(!isset($_GET['element_id']) || !is_numeric($_GET['element_id'])){
	$_GET['element_id'] = 0;
}

//Get the element
$element = mysql_fetch_assoc(sql_query('SELECT * FROM filedb_elements WHERE id = "'.sql_escape($_GET['element_id']).'"', $sql));
if($element === false){
	//No row with this id: stop here instead of comparing an empty row against the status constants
	header('HTTP/1.0 404 Not Found');
	echo 'File not found';
	sql_disconnect($sql);
	exit();
}

//Debug trace of the access decision, buffered and appended to log.txt
ob_start();
/*print_r($element);
echo '<br><br>';
print_r($active_account);
echo '<br><br>';*/
if($element['sys_status'] == FILEDB_STATUS_ACTIVE){
	echo 'public';
	echo 'reading : '.'../filedb/'.$element['id'].substr($element['element_name'], strrpos($element['element_name'], '.'));
}elseif($element['sys_status'] == FILEDB_STATUS_PENDING){
	echo 'pending - ';
	if($active_account->id == $element['sys_owner']){
		echo 'owner access';
		echo 'reading : '.'../filedb/'.$element['id'].substr($element['element_name'], strrpos($element['element_name'], '.'));
	}else{
		echo 'not owner access - ';
		if(($active_account->profile_profileflags & ACCOUNT_ADMIN) == ACCOUNT_ADMIN){
			echo 'admin access - ';
			echo 'reading : '.'../filedb/'.$element['id'].substr($element['element_name'], strrpos($element['element_name'], '.'));
		}else{
			echo 'not admin access';
		}
	}
}

$content = ob_get_contents();
ob_end_clean();
$fp = fopen('../filedb/log.txt', 'a');
//One log entry per request (the trailing line break keeps entries on separate lines)
fwrite($fp, str_replace('<br>', "\r\n", $content)."\r\n");
fclose($fp);

//Check element type and owner
if($element['contenttype'] != 'system/folder'){
	//Check for status: if public, anyone can access it; if pending, allow access only to admins or the owner
	if(($element['sys_status'] == FILEDB_STATUS_ACTIVE) || (($element['sys_status'] == FILEDB_STATUS_PENDING) && (($active_account->id == $element['sys_owner']) || (($active_account->profile_profileflags & ACCOUNT_ADMIN) == ACCOUNT_ADMIN)))){
		//Authorize download: content type stored with the element
		header('Content-type: '.$element['contenttype']);
		//Browser should show the original name rather than file.php?element_id=...
		header('Content-Disposition: inline; filename="'.$element['element_name'].'"');
		//Files are stored as <id><extension> under ../filedb/
		readfile('../filedb/'.$element['id'].substr($element['element_name'], strrpos($element['element_name'], '.')));
	}else{
		//Bad file, can't access it
		header('HTTP/1.0 404 Not Found');
		echo 'File not found 0x55498a3ff22 ('.$element['sys_owner'].' / '.$active_account->id.')';
	}
}else{
	//Bad file, can't access it
	header('HTTP/1.0 404 Not Found');
	echo 'File not found 0x6ef445a22d1';
}

//Disconnect the database
sql_disconnect($sql);
?>
/******************************************************************************/
log.txt:
/******************************************************************************/
pending - not owner access - admin access - reading : ../filedb/8214.doc
pending - not owner access - admin access - reading : ../filedb/8214.doc
pending - owner accessreading : ../filedb/8211.doc
pending - owner accessreading : ../filedb/8211.doc
/******************************************************************************/

--
PHP General Mailing List (http://www.php.net/)
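An added example, not the poster's code: the same access rule written as one function that serves both the log line and the real decision, so the logged reason and the enforced outcome can never disagree; the deleted status, folders and an unknown element_id are all refused explicitly, and the storage path is built only from the numeric id plus a sanitised extension. The constant values, the sample row and the account object are assumptions.

```php
<?php
// Added example, not the poster's code. Status/flag constants are assumed to
// come from lib_filedb.php; the values here are placeholders for running it.
if (!defined('FILEDB_STATUS_ACTIVE'))  define('FILEDB_STATUS_ACTIVE', 1);
if (!defined('FILEDB_STATUS_PENDING')) define('FILEDB_STATUS_PENDING', 2);
if (!defined('ACCOUNT_ADMIN'))         define('ACCOUNT_ADMIN', 0x02);

// One decision used for both the log line and the enforcement, so the two
// cannot drift apart. Returns 'public', 'owner' or 'admin' when the download
// is allowed, false otherwise (deleted status, folder, unknown id).
function filedb_access_reason($element, $account)
{
    if ($element === false || !isset($element['sys_status'])) {
        return false;                                  // no such element_id
    }
    if ($element['contenttype'] === 'system/folder') {
        return false;                                  // folders never download
    }
    switch ((int) $element['sys_status']) {
        case FILEDB_STATUS_ACTIVE:
            return 'public';
        case FILEDB_STATUS_PENDING:
            if ((int) $account->id === (int) $element['sys_owner']) {
                return 'owner';
            }
            if (($account->profile_profileflags & ACCOUNT_ADMIN) === ACCOUNT_ADMIN) {
                return 'admin';
            }
            return false;
        default:                                       // deleted or unknown
            return false;
    }
}

// Storage path from the numeric id plus a sanitised extension only, so nothing
// in element_name can point the readfile() outside ../filedb/.
function filedb_storage_path($element)
{
    $ext = strrchr($element['element_name'], '.');     // ".doc" or false
    $ext = ($ext === false) ? '' : preg_replace('/[^A-Za-z0-9.]/', '', $ext);
    return '../filedb/' . (int) $element['id'] . $ext;
}

// Constructed sample row and account standing in for the DB row and session.
$account = (object) array('id' => 42, 'profile_profileflags' => ACCOUNT_ADMIN);
$element = array('id' => 8214, 'element_name' => 'report.doc', 'sys_owner' => 7,
                 'contenttype' => 'application/msword', 'sys_status' => FILEDB_STATUS_PENDING);
$reason = filedb_access_reason($element, $account);    // 'admin' for this row
echo ($reason === false ? 'refused' : $reason . ' access') . ' : ' . filedb_storage_path($element) . "\n";
```

In the real page the same `$reason` would drive both the `fwrite()` to log.txt and the `header()`/`readfile()` branch, replacing the duplicated condition.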