Merge branch 'master' of github.com:chamilo/chamilo-lms

Author: ywarnier

public/documentation/installation_guide.html

@@ -40,7 +40,7 @@ <h2>1. Requirements</h2>
       <li>xml</li>
       <li>zip</li>
       <li>zlib</li>
-      <li>ldap (optional, but mandatory in dev env)</li>
+      <li>ldap</li>
       <li>redis (optional)</li>
       <li>xapian (optional)</li>
   </ul>
@@ -96,7 +96,15 @@ <h3>2.5. Installation wizard</h3>
     <h3>2.6. Sessions and Redis</h3>
     <a id="web-install-sessions" class="anchor"></a>
       In this beta version, there are known issues with sessions not getting updated fast enough, which can be solved (temporarily) by using a Redis server. Check the command line instructions for more about this. This is a temporary situation that we expect to fix before the stable release.
-
+   
+    <h3>2.7. Clean up</h3>h3>
+    <a id="web-cleanup" class="anchor"></a>
+    As recommended by the installer's last page, make sure you change permissions on the config/ dir and the .env file, and you delete the public/main/install/ folder.
+    <pre>
+        sudo chown -R root: config/ .env
+        sudo rm -r public/main/install/
+    </pre>
+    
   <h2>3. Command line installation</h2>
   <a id="cli-install" class="anchor"></a>
 
@@ -106,7 +114,7 @@ <h3>3.1. Software stack</h3>
 <pre>
 sudo -s
 apt update && apt -y upgrade
-apt -y install apache2 libapache2-mod-php8.3 mariadb-client mariadb-server redis-server php8.3-{bcmath,curl,exif,gd,iconv,intl,mbstring,mysql,opcache,soap,xml,zip,redis}
+apt -y install apache2 libapache2-mod-php8.3 mariadb-client mariadb-server redis-server php8.3-{bcmath,curl,exif,gd,iconv,intl,ldap,mbstring,mysql,opcache,soap,xml,zip,redis}
 a2enmod rewrite
 cd /var/www/
 mkdir chamilo
@@ -116,7 +124,7 @@ <h3>3.1. Software stack</h3>
 rm chamilo2.0.0-beta.1.tar.gz
 cd chamilo
 touch .env
-chown -R www-data: var .env
+chown -R www-data: var/ config/ .env
 mysql -u root -e "GRANT ALL PRIVILEGES ON chamilo.* TO chamilo@localhost IDENTIFIED BY '[choose a password here]'";
 mysql -u root -e "FLUSH PRIVILEGES;"
 mysql_secure_installation
@@ -179,7 +187,7 @@ <h3>3.3. Web server</h3>
 systemctl restart apache2</pre>
     <h3>3.4. Files permissions</h3>
     <a id="cli-install-permissions" class="anchor"></a>
-    Make sure the following files and folders are writeable by the web server. Set permissions to 0770 for example:
+    Make sure the following files and folders are writeable by the web server during the installation. Set permissions to 0770 or the owner to www-data, for example:
     <ul>
         <li>var/</li>
         <li>config/</li>
@@ -202,6 +210,14 @@ <h3>3.6. Installation wizard</h3>
     You should now be able to direct your browser to your URL (e.g. <em>[http://my.chamilo.local]</em>).<br>
     Chamilo will pick it up from there and offer the installation wizard to help guide you through the rest of the process.
 
+    <h3>3.7. Clean up</h3>h3>
+    <a id="cli-cleanup" class="anchor"></a>
+    As recommended by the installer's last page, make sure you change permissions on the config/ dir and the .env file, and you delete the public/main/install/ folder.
+    <pre>
+        sudo chown -R root: config/ .env
+        sudo rm -r public/main/install/
+    </pre>
+
   <h2>4. Command line upgrade from 1.11.*</h2>
   <a id="cli-upgrade" class="anchor"></a>
     <h3>4.1. Database</h3>
@@ -263,7 +279,7 @@ <h4>6.2.1. WampServer</h4>
         <a href="https://www.wampserver.com/">Download</a> and install WampServer (accept default options if in doubt).<br>
         Restart WampServer to make these changes effective.<br>
         Open http://localhost/ in your browser. If the WampServer welcome screen with server configuration info appears, it means WampServer is working.<br>
-        Click on the WampServer icon in your status bar and go to PHP -&gt; Extensions. Make sure all the following extensions are enabled: php_curl, php_gd, php_intl, php_mbstring, php_mysqli, php_soap, php_xml, php_zip<br>
+        Click on the WampServer icon in your status bar and go to PHP -&gt; Extensions. Make sure all the following extensions are enabled: php_curl, php_gd, php_intl, php_ldap, php_mbstring, php_mysqli, php_soap, php_xml, php_zip<br>
         Edit C:\wamp64\bin\php\php8.3\php.ini, locate ";extension=sodium" and remove the ";" from the beginning of the line.<br>
         Also, update the "memory_limit" setting from "128M" to "2048M" and a few other settings as shown below.<br>
 <pre>

src/CoreBundle/Controller/Api/DownloadSelectedDocumentsAction.php

@@ -77,6 +77,10 @@ function () use ($documents, $zipName): void {
                     $this->addNodeToZip($zip, $node);
                 }
 
+                if (0 === count($zip->files)) {
+                    $zip->addFile('.empty', '');
+                }
+
                 $zip->finish();
             },
             Response::HTTP_CREATED

src/CoreBundle/Helpers/PageHelper.php

@@ -12,16 +12,34 @@
 use Chamilo\CoreBundle\Entity\User;
 use Chamilo\CoreBundle\Repository\PageCategoryRepository;
 use Chamilo\CoreBundle\Repository\PageRepository;
+use Chamilo\CoreBundle\Repository\SysAnnouncementRepository;
+use Symfony\Component\Security\Core\User\UserInterface;
 
 class PageHelper
 {
     protected PageRepository $pageRepository;
     protected PageCategoryRepository $pageCategoryRepository;
 
-    public function __construct(PageRepository $pageRepository, PageCategoryRepository $pageCategoryRepository)
-    {
+    /**
+     * Repository used to read system announcements (platform news).
+     */
+    protected SysAnnouncementRepository $sysAnnouncementRepository;
+
+    /**
+     * Helper used to retrieve the current AccessUrl.
+     */
+    protected AccessUrlHelper $accessUrlHelper;
+
+    public function __construct(
+        PageRepository $pageRepository,
+        PageCategoryRepository $pageCategoryRepository,
+        SysAnnouncementRepository $sysAnnouncementRepository,
+        AccessUrlHelper $accessUrlHelper
+    ) {
         $this->pageRepository = $pageRepository;
         $this->pageCategoryRepository = $pageCategoryRepository;
+        $this->sysAnnouncementRepository = $sysAnnouncementRepository;
+        $this->accessUrlHelper = $accessUrlHelper;
     }
 
     public function createDefaultPages(User $user, AccessUrl $url, string $locale): bool
@@ -99,8 +117,7 @@ public function createDefaultPages(User $user, AccessUrl $url, string $locale):
 
         $this->pageCategoryRepository->update($footerPrivateCategory);
 
-        // Categories for extra content in admin blocks
-
+        // Categories for extra content in admin blocks.
         foreach (self::getCategoriesForAdminBlocks() as $nameBlock) {
             $usersAdminBlock = (new PageCategory())
                 ->setTitle($nameBlock)
@@ -142,4 +159,68 @@ public static function getCategoriesForAdminBlocks(): array
             'block-admin-chamilo',
         ];
     }
+
+    /**
+     * Checks if a document file URL is effectively exposed through a visible system announcement.
+     *
+     * This centralizes the logic used by different parts of the platform (e.g. voters, controllers)
+     * to decide if a file coming from personal files can be considered "public" because it is
+     * embedded inside a system announcement that is visible to the current user.
+     *
+     * @param string               $pathInfo   Full request path (e.g. /r/document/files/{uuid}/view)
+     * @param string|null          $identifier File identifier extracted from the URL (usually a UUID)
+     * @param UserInterface|null   $user       Current user, or null to behave as anonymous
+     * @param string               $locale     Current locale used to fetch announcements
+     */
+    public function isFilePathExposedByVisibleAnnouncement(
+        string $pathInfo,
+        ?string $identifier,
+        ?UserInterface $user,
+        string $locale
+    ): bool {
+        // Only relax security for the document file viewer route.
+        if ('' === $pathInfo || !str_contains($pathInfo, '/r/document/files/')) {
+            return false;
+        }
+
+        // Normalize user: if no authenticated user is provided, behave as anonymous.
+        if (null === $user) {
+            $anon = new User();
+            $anon->setRoles(['ROLE_ANONYMOUS']);
+            $user = $anon;
+        }
+
+        $accessUrl = $this->accessUrlHelper->getCurrent();
+
+        // Fetch announcements that are visible for the given user, URL and locale.
+        $announcements = $this->sysAnnouncementRepository->getAnnouncements(
+            $user,
+            $accessUrl,
+            $locale
+        );
+
+        foreach ($announcements as $item) {
+            $content = '';
+
+            if (\is_array($item)) {
+                $content = (string) ($item['content'] ?? '');
+            } elseif (\is_object($item) && method_exists($item, 'getContent')) {
+                $content = (string) $item->getContent();
+            }
+
+            if ('' === $content) {
+                continue;
+            }
+
+            // Check if the announcement HTML contains the viewer path or the identifier.
+            if (
+                str_contains($content, $pathInfo)
+                || ($identifier && str_contains($content, $identifier))
+            ) {
+                return true;
+            }
+        }
+
+        return false;
+    }
 }

src/CoreBundle/Helpers/ResourceAclHelper.php

@@ -0,0 +1,101 @@
+<?php
+
+/* For licensing terms, see /license.txt */
+
+declare(strict_types=1);
+
+namespace Chamilo\CoreBundle\Helpers;
+
+use Chamilo\CoreBundle\Entity\ResourceLink;
+use Chamilo\CoreBundle\Security\Authorization\Voter\ResourceNodeVoter;
+use Laminas\Permissions\Acl\Acl;
+use Laminas\Permissions\Acl\Resource\GenericResource;
+use Laminas\Permissions\Acl\Role\GenericRole;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Acl\Permission\MaskBuilder;
+use Symfony\Component\Security\Core\Authentication\Token\NullToken;
+use Symfony\Component\Security\Core\User\UserInterface;
+
+readonly class ResourceAclHelper
+{
+    public function __construct(
+        private Security $security,
+    ) { }
+
+    public function isAllowed(
+        string $attribute,
+        ResourceLink $resourceLink,
+        iterable $rights,
+        bool $allowAnonsToView,
+    ): bool {
+        // Creating roles
+        $anon = new GenericRole('IS_AUTHENTICATED_ANONYMOUSLY');
+        $userRole = new GenericRole('ROLE_USER');
+        $student = new GenericRole('ROLE_STUDENT');
+        $teacher = new GenericRole('ROLE_TEACHER');
+        $studentBoss = new GenericRole('ROLE_STUDENT_BOSS');
+
+        $currentStudent = new GenericRole(ResourceNodeVoter::ROLE_CURRENT_COURSE_STUDENT);
+        $currentTeacher = new GenericRole(ResourceNodeVoter::ROLE_CURRENT_COURSE_TEACHER);
+
+        $currentStudentGroup = new GenericRole(ResourceNodeVoter::ROLE_CURRENT_COURSE_GROUP_STUDENT);
+        $currentTeacherGroup = new GenericRole(ResourceNodeVoter::ROLE_CURRENT_COURSE_GROUP_TEACHER);
+
+        $currentStudentSession = new GenericRole(ResourceNodeVoter::ROLE_CURRENT_COURSE_SESSION_STUDENT);
+        $currentTeacherSession = new GenericRole(ResourceNodeVoter::ROLE_CURRENT_COURSE_SESSION_TEACHER);
+
+        // Setting Simple ACL.
+        $acl = (new Acl())
+            ->addRole($anon)
+            ->addRole($userRole)
+            ->addRole($student)
+            ->addRole($teacher)
+            ->addRole($studentBoss)
+
+            ->addRole($currentStudent)
+            ->addRole($currentTeacher, ResourceNodeVoter::ROLE_CURRENT_COURSE_STUDENT)
+
+            ->addRole($currentStudentSession)
+            ->addRole($currentTeacherSession, ResourceNodeVoter::ROLE_CURRENT_COURSE_SESSION_STUDENT)
+
+            ->addRole($currentStudentGroup)
+            ->addRole($currentTeacherGroup, ResourceNodeVoter::ROLE_CURRENT_COURSE_GROUP_STUDENT)
+        ;
+
+        // Add a security resource.
+        $acl->addResource(new GenericResource((string) $resourceLink->getId()));
+
+        // Check all the right this link has.
+        // Set rights from the ResourceRight.
+        foreach ($rights as $right) {
+            $acl->allow($right->getRole(), null, (string) $right->getMask());
+        }
+
+        // Anons can see.
+        if ($allowAnonsToView) {
+            $acl->allow($anon, null, (string) ResourceNodeVoter::getReaderMask());
+        }
+
+        // Asked mask
+        $mask = new MaskBuilder();
+        $mask->add($attribute);
+
+        $askedMask = (string) $mask->get();
+
+        if ($this->security->getToken() instanceof NullToken) {
+            return (bool) $acl->isAllowed('IS_AUTHENTICATED_ANONYMOUSLY', $resourceLink->getId(), $askedMask);
+        }
+
+        $user = $this->security->getUser();
+
+        $roles = $user instanceof UserInterface ? $user->getRoles() : [];
+
+        foreach ($roles as $role) {
+            if ($acl->isAllowed($role, $resourceLink->getId(), $askedMask)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+}

src/CoreBundle/Helpers/ResourceFileHelper.php

@@ -6,31 +6,37 @@
 
 namespace Chamilo\CoreBundle\Helpers;
 
+use Chamilo\CoreBundle\Entity\AccessUrl;
 use Chamilo\CoreBundle\Entity\ResourceFile;
 use Chamilo\CoreBundle\Entity\ResourceNode;
 use Chamilo\CoreBundle\Settings\SettingsManager;
 
 class ResourceFileHelper
 {
+    private bool $accessUrlSpecificFiles;
+    private ?AccessUrl $currentAccessUrl;
+
     public function __construct(
-        private readonly SettingsManager $settingsManager,
-        private readonly AccessUrlHelper $accessUrlHelper,
-    ) {}
+        SettingsManager $settingsManager,
+        AccessUrlHelper $accessUrlHelper,
+    ) {
+        $this->accessUrlSpecificFiles = $accessUrlHelper->isMultiple()
+            && 'true' === $settingsManager->getSetting('document.access_url_specific_files');
+
+        $this->currentAccessUrl = $accessUrlHelper->getCurrent();
+    }
 
     public function resolveResourceFileByAccessUrl(ResourceNode $resourceNode): ?ResourceFile
     {
         if (!$resourceNode->hasResourceFile()) {
             return null;
         }
 
-        $accessUrlSpecificFiles = 'true' === $this->settingsManager->getSetting('document.access_url_specific_files', true)
-            && $this->accessUrlHelper->isMultiple();
-
         $resourceFile = null;
         $resourceFiles = $resourceNode->getResourceFiles();
 
-        if ($accessUrlSpecificFiles) {
-            $currentUrl = $this->accessUrlHelper->getCurrent()?->getUrl();
+        if ($this->accessUrlSpecificFiles) {
+            $currentUrl = $this->currentAccessUrl?->getUrl();
 
             foreach ($resourceFiles as $file) {
                 if ($file->getAccessUrl() && $file->getAccessUrl()->getUrl() === $currentUrl) {