ATutor

Learning Management Tools









Protecting files that link to unreleased content


  • 2011-10-14 14:25:00

    Protecting files that link to unreleased content

    Here's the situation I'm hoping to solve. Let's say I have content items called "Unit 1 Test", "Unit 2 Test", etc. In these content pages, there is a link to a .pdf of the actual test (unit_1_test.pdf).

    Now, if Unit 2 Test isn't open yet, the savvy student could simply go to the Unit 1 Test content page, click the link for the .pdf and replace "unit_1_test.pdf" with "unit_2_test.pdf" to get access to the test before it's meant to be available.

    So, I thought about doing something like this in the get.php file...

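    [php]
    // The Referer header is optional; avoid an undefined-index notice when it is absent.
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

    if ($referer == 'http://ATutor.mydomain.com/go.php/' . $_SESSION['course_id'] . '/content.php/cid/***')
    {
        // do all the rest of the stuff in get.php....
    }
    [/php]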

    The goal is to say that if you didn't come from a content page, then we're not going to let you in.

    Of course one problem is the *** which I don't know how to deal with. I'm trying to have the *** say "any content page", but I'm not sure how to do that.


    So, thoughts on my plan overall or perhaps a better way to approach this problem?

    Thanks!

  • 2011-10-14 14:57:15

    Re:

    try
    [php]
    // True when no "cid" argument was sent with the request (or it is empty).
    if (empty($_GET['cid'])) {
        // do something
    }
    [/php]

  • 2011-10-14 16:38:11

    Re:

    Thanks for the tip Greg. Do you see any adverse effects in other areas from doing it this way?

    Essentially, is get.php involved in anything else other than retrieving files in the content dir.? Would this affect File Storage, Profile pics., etc.?

    Thanks.

  • 2011-10-14 19:43:15

    Re:

    Well, I tried putting your code at the top of get.php and it didn't work.

    I actually put an else with it that, if triggered, would echo "fail" and it said fail under all conditions.

    Any other ideas?

  • 2011-10-17 17:03:53

    Re:

    No other ideas at the moment. I'm sure it can be done.

    If Cindy is monitoring, perhaps she can offer a suggestion.

  • 2011-10-18 12:35:04

    Re:

    Directly modifying get.php to include the check on "cid" raises a warning for me: it would likely affect other ATutor functionality where get.php is used to fetch file content.

    A relatively safe and proper fix is to reinforce the verification in get.php along with the parent caller in this special case, that is, the pre-test or post-test.

    One solution off the top of my head is to send in extra GET arguments to tell get.php,

    1. the request is from a test
    2. if the request is from a test, check the sent-along parameter to verify the permission. The parameter could be a token that's generated for the student once he/she satisfies the criteria of viewing pdf or other information that makes sense.
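
One way to implement the token idea from the reply above, as an added example that is not part of the thread and not ATutor code. The function names, the secret, and the member and file values are assumptions made for illustration; it assumes PHP 5.6+ for `hash_equals`, and that the member id comes from the server-side session, never from the request.

```php
<?php
// Added example, not ATutor code. All names here are hypothetical.
// The secret stays on the server and is never sent to the browser.
const TOKEN_SECRET = 'constructed-demo-secret-change-me';

// Called by the content page, only after it has checked that the unit
// is released to this member. Binds the token to member, file and expiry.
function issue_file_token($memberId, $file, $expires, $secret = TOKEN_SECRET)
{
    $payload = $memberId . "\n" . $file . "\n" . $expires;
    return $expires . '.' . hash_hmac('sha256', $payload, $secret);
}

// Called at the top of the file-serving script for protected files.
// $memberId must come from the session, $file and $token from the request.
function verify_file_token($token, $memberId, $file, $now, $secret = TOKEN_SECRET)
{
    $parts = explode('.', (string) $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;                           // malformed or missing token
    }
    $expires = (int) $parts[0];
    if ($expires < $now) {
        return false;                           // link is too old
    }
    $payload  = $memberId . "\n" . $file . "\n" . $expires;
    $expected = hash_hmac('sha256', $payload, $secret);
    return hash_equals($expected, $parts[1]);   // constant-time compare
}

// Constructed demo: member 42 has been cleared for unit 1 only.
$now   = 1318600000;
$token = issue_file_token(42, 'unit_1_test.pdf', $now + 900);

$cases = array(
    'intended file'     => array($token, 42, 'unit_1_test.pdf', $now),
    'file name swapped' => array($token, 42, 'unit_2_test.pdf', $now),
    'other member'      => array($token, 43, 'unit_1_test.pdf', $now),
    'after expiry'      => array($token, 42, 'unit_1_test.pdf', $now + 901),
    'no token'          => array('',     42, 'unit_2_test.pdf', $now),
);
foreach ($cases as $label => $args) {
    $ok = call_user_func_array('verify_file_token', $args);
    echo str_pad($label, 20), $ok ? "allow\n" : "deny\n";
}
```

Unlike a Referer comparison, the decision here rests on a value the browser cannot compute, so editing the file name in the URL invalidates the token.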

  • 2011-10-18 22:19:59

    Re:

    Cindy,

    I'm sure your suggestion is good, I just don't understand it or know how to implement it. I'm very much a novice at PHP.

    Greg: Do you think this is a feature that ATutor would put into a future release?

    Thanks.

  • 2011-10-20 09:20:17

    Re: "Protecting" files that link to unreleased content

    This seems like it would be a good feature to add. You can add it to the tracker and we'll see what we could do about getting this into a future version.

    http://atutor.ca/atutor/mantis

    It might get added faster though if you're able to find a programmer to make the adjustments, then submit them through GitHub. We have a lot of other priorities right now, so it will likely be a while before we can get to it.

    https://github.com/atutor/ATutor

  • 2011-10-20 09:59:32

    Re:

    Ok. I couldn't log in to Mantis, so I posted it as a Feature Request.

    Thanks.

  • 2011-11-04 22:44:20

    Re: loading graphics

    My content page fails to take graphics or images but only text. How do I resolve this? I need help pls...
    Am running ATutor 2.0.2 on Windows XP Professional. PHP version is 5.2