Diffstat (limited to 'mod/file/pages')
| -rw-r--r-- | mod/file/pages/file/download.php | 38 | ||||
| -rw-r--r-- | mod/file/pages/file/edit.php | 1 | ||||
| -rw-r--r-- | mod/file/pages/file/friends.php | 6 | ||||
| -rw-r--r-- | mod/file/pages/file/owner.php | 18 | ||||
| -rw-r--r-- | mod/file/pages/file/search.php | 28 | ||||
| -rw-r--r-- | mod/file/pages/file/upload.php | 1 | ||||
| -rw-r--r-- | mod/file/pages/file/view.php | 15 | ||||
| -rw-r--r-- | mod/file/pages/file/world.php | 10 |
8 files changed, 88 insertions, 29 deletions
diff --git a/mod/file/pages/file/download.php b/mod/file/pages/file/download.php
new file mode 100644
index 000000000..76c1f1272
--- /dev/null
+++ b/mod/file/pages/file/download.php
@@ -0,0 +1,38 @@
+<?php
+/**
+ * Elgg file download.
+ *
+ * @package ElggFile
+ */
+
+// Get the guid
+$file_guid = get_input("guid");
+
+// Get the file
+$file = get_entity($file_guid);
+if (!$file) {
+ register_error(elgg_echo("file:downloadfailed"));
+ forward();
+}
+
+$mime = $file->getMimeType();
+if (!$mime) {
+ $mime = "application/octet-stream";
+}
+
+$filename = $file->originalfilename;
+
+// fix for IE https issue
+header("Pragma: public");
+
+header("Content-type: $mime");
+if (strpos($mime, "image/") !== false || $mime == "application/pdf") {
+ header("Content-Disposition: inline; filename=\"$filename\"");
+} else {
+ header("Content-Disposition: attachment; filename=\"$filename\"");
+}
+
+ob_clean();
+flush();
+readfile($file->getFilenameOnFilestore());
+exit;
diff --git a/mod/file/pages/file/edit.php b/mod/file/pages/file/edit.php
index 66529af0b..b396c6e9b 100644
--- a/mod/file/pages/file/edit.php
+++ b/mod/file/pages/file/edit.php
@@ -35,7 +35,6 @@ $body = elgg_view_layout('content', array(
 'content' => $content,
 'title' => $title,
 'filter' => '',
- 'buttons' => '',
 ));
 echo elgg_view_page($title, $body);
diff --git a/mod/file/pages/file/friends.php b/mod/file/pages/file/friends.php
index 65fc66f62..d55c1e62b 100644
--- a/mod/file/pages/file/friends.php
+++ b/mod/file/pages/file/friends.php
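Review bot: The `if (!$file)` guard after `+$file = get_entity($file_guid);` only rejects a missing entity, while `get_entity()` returns any readable entity for the supplied guid, so a guid of a non-file object reaches `$file->getMimeType()` and `$file->getFilenameOnFilestore()`; the same gap is in view.php's new `if (!$file)` block. The guard should check the subtype too, `if (!$file || !elgg_instanceof($file, 'object', 'file')) {`, using the helper owner.php already calls in this commit. Separately, `strpos($mime, "image/") !== false` matches the substring anywhere rather than as a prefix, and the `inline` disposition applies to every `image/*` type, so a stored `image/svg+xml` upload is rendered by the browser rather than downloaded; `strpos($mime, "image/") === 0` together with `header("X-Content-Type-Options: nosniff");` is the safer combination. `$filename` comes from the uploader via `$file->originalfilename` and is interpolated unescaped into the quoted Content-Disposition value, so `"` and control characters should be stripped from it before the two `header(...)` calls.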
@@ -6,13 +6,17 @@
 */
 $owner = elgg_get_page_owner_entity();
+if (!$owner) {
+ forward('', '404');
+}
 elgg_push_breadcrumb(elgg_echo('file'), "file/all");
 elgg_push_breadcrumb($owner->name, "file/owner/$owner->username");
 elgg_push_breadcrumb(elgg_echo('friends'));
+elgg_register_title_button();
-$title = elgg_echo("file:friends", array($owner->name));
+$title = elgg_echo("file:friends");
 // offset is grabbed in list_user_friends_objects
 $content = list_user_friends_objects($owner->guid, 'file', 10, false);
diff --git a/mod/file/pages/file/owner.php b/mod/file/pages/file/owner.php
index 69ec30425..99cf62714 100644
--- a/mod/file/pages/file/owner.php
+++ b/mod/file/pages/file/owner.php
@@ -9,34 +9,36 @@ group_gatekeeper();
 $owner = elgg_get_page_owner_entity();
+if (!$owner) {
+ forward('', '404');
+}
 elgg_push_breadcrumb(elgg_echo('file'), "file/all");
 elgg_push_breadcrumb($owner->name);
+elgg_register_title_button();
+
 $params = array();
 if ($owner->guid == elgg_get_logged_in_user_guid()) {
 // user looking at own files
- $title = elgg_echo('file:yours');
 $params['filter_context'] = 'mine';
 } else if (elgg_instanceof($owner, 'user')) {
 // someone else's files
- $title = elgg_echo("file:user", array($owner->name));
- // do not show button or select a tab when viewing someone else's posts
+ // do not show select a tab when viewing someone else's posts
 $params['filter_context'] = 'none';
- $params['buttons'] = '';
 } else {
 // group files
- $title = elgg_echo("file:user", array($owner->name));
 $params['filter'] = '';
 }
+$title = elgg_echo("file:user", array($owner->name));
+
 // List files
 $content = elgg_list_entities(array(
- 'types' => 'object',
- 'subtypes' => 'file',
+ 'type' => 'object',
+ 'subtype' => 'file',
 'container_guid' => $owner->guid,
- 'limit' => 10,
 'full_view' => FALSE,
 ));
 if (!$content) {
diff --git a/mod/file/pages/file/search.php b/mod/file/pages/file/search.php
index 77c92f444..d60dfb755 100644
--- a/mod/file/pages/file/search.php
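Review bot: The rewritten comment `+ // do not show select a tab when viewing someone else's posts` in owner.php is ungrammatical now that the button clause is gone; `// do not select a filter tab when viewing someone else's files` describes what the following `$params['filter_context'] = 'none';` does. The removed `$params['buttons'] = ''` used to hide the button on other users' file pages, but `elgg_register_title_button()` is now called unconditionally before the branch, so the title button presumably appears there as well — worth confirming that is intended, or moving the call into the own-files branch. The owner.php hunk ends inside the `if (!$content) {` block, which continues outside the hunk.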
+++ b/mod/file/pages/file/search.php
@@ -6,6 +6,11 @@
 */
 $page_owner_guid = get_input('page_owner', null);
+
+if ($page_owner_guid !== null) {
+ $page_owner_guid = sanitise_int($page_owner_guid);
+}
+
 if ($page_owner_guid) {
 elgg_set_page_owner_guid($page_owner_guid);
 }
@@ -15,10 +20,10 @@ group_gatekeeper();
 // Get input
 $md_type = 'simpletype';
-$tag = get_input('tag');
+// avoid reflected XSS attacks by only allowing alnum characters
+$file_type = preg_replace('[\W]', '', get_input('tag'));
 $listtype = get_input('listtype');
-$friends = get_input('friends', false);
-
+$friends = (bool)get_input('friends', false);
 // breadcrumbs
 elgg_push_breadcrumb(elgg_echo('file'), "file/all");
@@ -32,8 +37,8 @@ if ($owner) {
 if ($friends && $owner) {
 elgg_push_breadcrumb(elgg_echo('friends'), "file/friends/$owner->username");
 }
-if ($tag) {
- elgg_push_breadcrumb(elgg_echo("file:type:$tag"));
+if ($file_type) {
+ elgg_push_breadcrumb(elgg_echo("file:type:$file_type"));
 } else {
 elgg_push_breadcrumb(elgg_echo('all'));
 }
@@ -41,10 +46,10 @@ if ($tag) {
 // title
 if (!$owner) {
 // world files
- $title = elgg_echo('all') . ' ' . elgg_echo("file:type:$tag");
+ $title = elgg_echo('all') . ' ' . elgg_echo("file:type:$file_type");
 } else {
 $friend_string = $friends ? elgg_echo('file:title:friends') : '';
- $type_string = elgg_echo("file:type:$tag");
+ $type_string = elgg_echo("file:type:$file_type");
 $title = elgg_echo('file:list:title', array($owner->name, $friend_string, $type_string));
 }
@@ -69,16 +74,16 @@ if ($listtype == "gallery") {
 }
 $params = array(
- 'types' => 'object',
- 'subtypes' => 'file',
+ 'type' => 'object',
+ 'subtype' => 'file',
 'container_guid' => $page_owner_guid,
 'limit' => $limit,
 'full_view' => false,
 );
-if ($tag) {
+if ($file_type) {
 $params['metadata_name'] = $md_type;
- $params['metadata_value'] = $tag;
+ $params['metadata_value'] = $file_type;
 $content = elgg_list_entities_from_metadata($params);
 } else {
 $content = elgg_list_entities($params);
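Review bot: The filter on `+$file_type = preg_replace('[\W]', '', get_input('tag'));` keeps `_` as well as letters and digits, since `\W` is the complement of `\w`, so the comment above it, `only allowing alnum characters`, overstates what is removed; either reword it to `// only allow word characters (letters, digits, underscore) in the type` or tighten the pattern to `preg_replace('/[^[:alnum:]]/', '', get_input('tag'))`. The `[` and `]` here act as regex delimiters rather than a character class, which is legal PCRE but easy to misread; `'/\W/'` says the same thing plainly. On the rebuilt `$friends` line, `(bool)get_input('friends', false)` is true for any non-empty string other than `'0'`, including `'false'`, which is fine if callers only ever pass `1` but deserves a short comment.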
@@ -86,7 +91,6 @@ if ($tag) {
 $body = elgg_view_layout('content', array(
 'filter' => '',
- 'buttons' => '',
 'content' => $content,
 'title' => $title,
 'sidebar' => $sidebar,
diff --git a/mod/file/pages/file/upload.php b/mod/file/pages/file/upload.php
index d97cc038d..3aa25b6db 100644
--- a/mod/file/pages/file/upload.php
+++ b/mod/file/pages/file/upload.php
@@ -32,7 +32,6 @@ $body = elgg_view_layout('content', array(
 'content' => $content,
 'title' => $title,
 'filter' => '',
- 'buttons' => '',
 ));
 echo elgg_view_page($title, $body);
diff --git a/mod/file/pages/file/view.php b/mod/file/pages/file/view.php
index daa2a400e..6c9566a89 100644
--- a/mod/file/pages/file/view.php
+++ b/mod/file/pages/file/view.php
@@ -6,6 +6,11 @@
 */
 $file = get_entity(get_input('guid'));
+if (!$file) {
+ register_error(elgg_echo('noaccess'));
+ $_SESSION['last_forward_from'] = current_page_url();
+ forward('');
+}
 $owner = elgg_get_page_owner_entity();
@@ -22,14 +27,20 @@ $title = $file->title;
 elgg_push_breadcrumb($title);
-$content = elgg_view_entity($file, true);
+$content = elgg_view_entity($file, array('full_view' => true));
 $content .= elgg_view_comments($file);
+elgg_register_menu_item('title', array(
+ 'name' => 'download',
+ 'text' => elgg_echo('file:download'),
+ 'href' => "file/download/$file->guid",
+ 'link_class' => 'elgg-button elgg-button-action',
+));
+
 $body = elgg_view_layout('content', array(
 'content' => $content,
 'title' => $title,
 'filter' => '',
- 'header' => '',
 ));
 echo elgg_view_page($title, $body);
diff --git a/mod/file/pages/file/world.php b/mod/file/pages/file/world.php
index bfe965084..96c8de785 100644
--- a/mod/file/pages/file/world.php
+++ b/mod/file/pages/file/world.php
@@ -7,16 +7,18 @@
 elgg_push_breadcrumb(elgg_echo('file'));
-$limit = get_input("limit", 10);
+elgg_register_title_button();
 $title = elgg_echo('file:all');
 $content = elgg_list_entities(array(
- 'types' => 'object',
- 'subtypes' => 'file',
- 'limit' => $limit,
+ 'type' => 'object',
+ 'subtype' => 'file',
 'full_view' => FALSE
 ));
+if (!$content) {
+ $content = elgg_echo('file:none');
+}
 $sidebar = file_get_type_cloud();
 $sidebar = elgg_view('file/sidebar'); |
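Review bot: `'full_view' => FALSE` in the rebuilt `elgg_list_entities()` array has no trailing comma and uses uppercase `FALSE`, whereas the equivalent array in search.php in this same commit writes `'full_view' => false,`; `'full_view' => false,` keeps the two files consistent and makes the next added key a one-line change. The two `$sidebar` context lines right after the new `if (!$content)` block assign `$sidebar` twice, so the result of `file_get_type_cloud()` is discarded unless that call is made for a side effect; this predates the commit, but since the block is being edited it is worth either deleting the first assignment or passing its result into the `elgg_view('file/sidebar')` call.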
