Bootswatch, Summernote, and Captcheck mods for Mods for HESK (mods-for-hesk.com). In use at support.netsyms.com.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

download_attachment.php 5.1KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152
  1. <?php
  2. /**
  3. *
  4. * This file is part of HESK - PHP Help Desk Software.
  5. *
  6. * (c) Copyright Klemen Stirn. All rights reserved.
  7. * https://www.hesk.com
  8. *
  9. * For the full copyright and license agreement information visit
  10. * https://www.hesk.com/eula.php
  11. *
  12. */
  13. define('IN_SCRIPT', 1);
  14. define('HESK_PATH', './');
  15. // Get all the required files and functions
  16. require(HESK_PATH . 'hesk_settings.inc.php');
  17. require(HESK_PATH . 'inc/common.inc.php');
  18. hesk_load_database_functions();
  19. hesk_session_start();
  20. // Are we in maintenance mode? (check customers only)
  21. if (empty($_SESSION['id'])) {
  22. hesk_check_maintenance();
  23. }
  24. // Knowledgebase attachments
  25. if (isset($_GET['kb_att'])) {
  26. // Attachment ID
  27. $att_id = intval(hesk_GET('kb_att')) or hesk_error($hesklang['id_not_valid']);
  28. // Connect to database
  29. hesk_dbConnect();
  30. // Get attachment info
  31. $res = hesk_dbQuery("SELECT * FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "kb_attachments` WHERE `att_id`='{$att_id}' LIMIT 1");
  32. if (hesk_dbNumRows($res) != 1) {
  33. hesk_error($hesklang['id_not_valid'] . ' (att_id)');
  34. }
  35. $file = hesk_dbFetchAssoc($res);
  36. // Is this person allowed access to this attachment?
  37. $res = hesk_dbQuery("SELECT `t1`.`type` as `cat_type`, `t2`.`type` as `art_type`
  38. FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "kb_articles` AS `t2`
  39. JOIN `" . hesk_dbEscape($hesk_settings['db_pfix']) . "kb_categories` AS `t1`
  40. ON `t2`.`catid` = `t1`.`id`
  41. WHERE (`t2`.`attachments` LIKE '{$att_id}#%' OR `t2`.`attachments` LIKE '%,{$att_id}#%' )
  42. LIMIT 1");
  43. // If no attachment found, throw an error
  44. if (hesk_dbNumRows($res) != 1) {
  45. hesk_error($hesklang['id_not_valid'] . ' (no_art)');
  46. }
  47. $row = hesk_dbFetchAssoc($res);
  48. // Private or draft article or category?
  49. if ($row['cat_type'] || $row['art_type']) {
  50. if (empty($_SESSION['id'])) {
  51. // This is a staff-only attachment
  52. hesk_error($hesklang['attpri']);
  53. } elseif ($row['art_type'] == 2) {
  54. // Need permission to manage KB to access draft attachments
  55. require(HESK_PATH . 'inc/admin_functions.inc.php');
  56. hesk_checkPermission('can_man_kb');
  57. }
  58. }
  59. } // Ticket attachments
  60. else {
  61. // Attachmend ID and ticket tracking ID
  62. $att_id = intval(hesk_GET('att_id', 0)) or die($hesklang['id_not_valid']);
  63. $tic_id = hesk_cleanID() or die("$hesklang[int_error]: $hesklang[no_trackID]");
  64. // Connect to database
  65. hesk_dbConnect();
  66. // Get attachment info
  67. $res = hesk_dbQuery("SELECT * FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "attachments` WHERE `att_id`='{$att_id}' LIMIT 1");
  68. if (hesk_dbNumRows($res) != 1) {
  69. hesk_error($hesklang['id_not_valid'] . ' (att_id)');
  70. }
  71. $file = hesk_dbFetchAssoc($res);
  72. // Is ticket ID valid for this attachment?
  73. if ($file['ticket_id'] != $tic_id) {
  74. hesk_error($hesklang['trackID_not_found']);
  75. }
  76. // Verify email address match if needed
  77. if (empty($_SESSION['id'])) {
  78. hesk_verifyEmailMatch($tic_id);
  79. // Only staff may download attachments to notes
  80. if ($file['type']) {
  81. hesk_error($hesklang['perm_deny']);
  82. }
  83. }
  84. // Update the download count
  85. }
  86. // Path of the file on the server
  87. $realpath = $hesk_settings['attach_dir'] . '/' . $file['saved_name'];
  88. if (isset($_GET['kb_att'])) {
  89. $modsForHesk_settings = mfh_getSettings();
  90. $realpath = $modsForHesk_settings['kb_attach_dir'] . '/' . $file['saved_name'];
  91. }
  92. // Perhaps the file has been deleted?
  93. if (!file_exists($realpath)) {
  94. // Let's try the ticket attachment folder. Legacy KB attachments are not automatically migrated.
  95. $realpath = $hesk_settings['attach_dir'] . '/' . $file['saved_name'];
  96. if (!file_exists($realpath)) {
  97. hesk_error($hesklang['attdel']);
  98. }
  99. }
  100. // Update the download count
  101. if (isset($_GET['kb_att'])) {
  102. hesk_dbQuery("UPDATE `" . hesk_dbEscape($hesk_settings['db_pfix']) . "kb_attachments` SET `download_count` = `download_count` + 1 WHERE `att_id` = '{$att_id}'");
  103. } else {
  104. hesk_dbQuery("UPDATE `" . hesk_dbEscape($hesk_settings['db_pfix']) . "attachments` SET `download_count` = `download_count` + 1 WHERE `att_id` = '{$att_id}'");
  105. }
  106. // Send the file as an attachment to prevent malicious code from executing
  107. header("Pragma: "); # To fix a bug in IE when running https
  108. header("Cache-Control: "); # To fix a bug in IE when running https
  109. header('Content-Description: File Transfer');
  110. header('Content-Type: application/octet-stream');
  111. header('Content-Length: ' . $file['size']);
  112. header('Content-Disposition: attachment; filename=' . $file['real_name']);
  113. // For larger files use chunks, smaller ones can be read all at once
  114. $chunksize = 1048576; // = 1024 * 1024 (1 Mb)
  115. if ($file['size'] > $chunksize) {
  116. $handle = fopen($realpath, 'rb');
  117. $buffer = '';
  118. while (!feof($handle)) {
  119. set_time_limit(300);
  120. $buffer = fread($handle, $chunksize);
  121. echo $buffer;
  122. flush();
  123. }
  124. fclose($handle);
  125. } else {
  126. readfile($realpath);
  127. }
  128. exit();