Some quick questions to avoid forgetting them:

1) Will them be under the control of FileAPI (or, as they are now, fixed local storage)?

- dataroot/temp - dataroot/lang - dataroot/cache - dataroot/environment - dataroot/filter - dataroot/rss - dataroot/search - dataroot/sessions - dataroot/upgradelogs

Martin Dougiamas 03:20, 28 April 2008 (CDT) : I don't see these as being in the API - I've updated the spec.

2) Assuming we'll have a cool OOP FileAPI...

- a) Will it support different FileAPI classes (to be able to store in other systems) ? - b) Will it support multiple FileAPI classes working together (like the Repo) ?

Martin Dougiamas 03:20, 28 April 2008 (CDT) : Hmm, I suppose it makes sense to switch the backend from local file storage to specify something else (eg database storage) but multiple File storage places doesn't make sense to me, that is the Repository API and the Portfolio API.

3) I've annotated in red some things that have sounded strange in my first look.

Martin Dougiamas 03:20, 28 April 2008 (CDT) : Thanks, all fixed.

4) Are we going to have "directory records" in the implementation, or that is going to be handled exclusively by the "moodlepath" column?

Martin Dougiamas 03:20, 28 April 2008 (CDT) : Good point. I was thinking of moodlepath only but I wonder if directory records might be more efficient. New table, I guess.

5) One general question... are we going to "force" all modules to be "autocontained" ? How are we going to handle resources, for example (with all those css, links, images..). In general how are we going to handle multiple-file packages?

Martin Dougiamas 03:20, 28 April 2008 (CDT) : they'll be a set of files, probably in a "directory" specified by moodlepath of directory record. What problems do you see? Should we retain better knowledge of the original group of files?

That's all for now, ciao4niao :-) Eloy Lafuente (stronk7) 21:27, 5 April 2008 (CDT)

Making Storage 'content addressable'

One opportunity which this API opens up is the possibility of making the actual storage of files 'content addressable' . That is, if two users upload the same image for example, only store this file once on disk. This brings benefits in reducing the amount of storage and improving caching (especially in increasingly common situations the moodle data store served from a NFS directory or other remote storage similar). To do this we could use a hash like sha-1 on the file and store the file on disk named by its hash (rather than some arbitary id). Then when someone uploads the same file as has already been uploaded, the hash matches and we just point the database record to the same file on disk. This technique is increasingly being used by enterprise-style repositories as well as things like git. I can see the major benefits in things like scorm packages other such things which have 100's of small duplicate files stored multiple times per package and course, so sometimes you can have the same image file stored 20 different times across 20 different packages in one course, which is then duplicated for multiple classes etcetc. --Dan Poltawski 07:32, 1 June 2008 (CDT)

Excellent idea, Dan, it's in   Martin Dougiamas 01:43, 20 June 2008 (CDT)

Specific File Attachments?

We have entries for 'moduleinstance', do we need entries to identify files per other attachments? Such as forum posts, wiki attachments, database attachments, assignment submissions? Mike Churchward 16:27, 9 June 2008 (CDT)

I'm not sure if we need to have such links back to the exact forum post 
or glossary entry.  The idea is that the forum posts (say) would reference 
the file->id.  Would it be useful to have back links too ...?   
Martin Dougiamas 22:30, 22  June 2008 (CDT)

Squid

Consider proxy support. --Helen Foster 16:53, 9 June 2008 (CDT)

Expanding on this from the hackfest discussion - since we are hashing for storage anyway, we could serve the sha1 hash as the Etag for every file quite easily. --Dan Poltawski 04:16, 25 June 2008 (CDT)

Agree, although I'd rehash it, to avoid exposing info about internal "filenames" in new storage over the web. Bit paranoid but ... Eloy Lafuente (stronk7) 04:27, 25 June 2008 (CDT)

Batch uploads (zips)

Should we require that file API (optionally) require some form of batch file upload or zip/unzip function? Mike Churchward 17:14, 9 June 2008 (CDT)

Yeah, it definitely needs to handle zipped files nicely ... Martin Dougiamas 22:33, 22  June 2008 (CDT)

Image preview

Would be a great addition to the file manager if possible.

Skodak's rants

The API should be split into several independent parts:

1. File serving API
   1. file.php
   2. pluginfile.php
   3. userfile.php
   4. rssfile.php
2. File storage API
   1. optional access control
   2. optional repo sync
3. File management API
   1. File browsing
   2. File linking (editor integration)
   3. Upload from repository

File serving API

Deals with serving of files - browser requests file, Moodle sends it back. We have three main files. It is important to setup slasharguments on server (file.php/some/thing/xxx.jpg), any content that relies on relative links can not work without it (scorm, uploaded html pages, etc.).

file.php

Serves course files. It would be nice to have some special hardcoded protection of backup files - preventing of backup file downloads/uploads; backups contain a lot of personal info, we could block restoring of backups from other sites too.

Implements basic file access. Ideally only images and files linked from course sections should be there, no XSS protection required - we expect javascript, sw, etc. there, no way to make it "secure". The access control is not critical any more if we move most most of the files into modules

The file name and parameter structure is critical for backwards compatibility.

/file.php/courseid/dir/dir/filename.ext

pluginfile.php

(aka modfile.php) Sends module, block, question files.

• modules decide about access control
• optional XSS protection - student submitted files must not be served with normal headers, we have to force download instead; ideally there should be second wwwroot for serving of untrusted files
• only internal links to selected areas are supported - you can link images in summary area, but not the assignment submissions

Absolute file links need to be rewritten if html editing allowed in module. The links are stored internally as relative links. Before editing or display the internal link representation is converted to absolute links using simple str_replace() @@thipluginlink/summary@@/image.jpg --> /pluginfile.php/assignmentcontextid/summary/image.jpg, it is converted back to internal links before saving.

Can the distinct file areas supported by one plugin be declared somehow in order add some information about them? For example, I think it can be interesting to declare:

• assignment_summary:
  • relpath='summary'
  • userdata=false
  • anotherproperty=anothervalue
• assignment_submission:
  • relpath='submission/@@USERID@@'
  • userdata=false
  • anotherproperty=anothervalue
• and so on...

And then, when the editor "receives" one "assignment_summary" areaname, if knows what to show and so on? Also that info could be useful to know, in backup & restore if some fileareas have to be processed or no (userdata=false). Or also, when reconstructing the links (str_replace() above). And will cause to have a well defined list of fileareas by module, instead of coding them in a free way (prone to errors). Eloy Lafuente (stronk7) 16:35, 28 June 2008 (CDT)

Something like this will be part of file management API, hardcoding this in file storage would make it less flexible imo Petr Skoda (skodak)

/pluginfile.php/contextid/areaname/arbitrary/params/or/dirs/filename.ext

pluginfile.php detects the type of plugin from context table, fetches basic info (like $course or $cm if appropriate) and calls plugin function (or later method) which does the access control and finally sends the file to user. areaname separates files by type and divides the context into several subtrees - for example summary files (images used in module intros), post attachments, etc.

assignment example

/pluginfile.php/assignmentcontextid/summary/someimage.jpg
/pluginfile.php/assignmentcontextid/submission/userid/attachmentname.ext
/pluginfile.php/assignmentcontextid/extra/allsubmissionfiles.zip

Uhm... all those files together? What's going to differentiate the "submission" path in the example above from the "summary" path? Is it supposed that the editor, or the filemanager won't allow , for example to pick-up one file from the "submission" area to be used in the summary of one assignment and only the "summary" area will be showed? That means multiple file managers by context and it's against the clean "one file manager per context" agreed below Eloy Lafuente (stronk7) 21:28, 26 June 2008 (CDT)

Yes Eloy, the different areas (summary, submission) etc. have different uses, different access control. There are two types of file manager - the two pane file manager which lists all contexts+areas user may access, and minimalistic manager in html editor which shows only subset of areas from current plugin (because you can not link anything else).

scorm example

/pluginfile.php/scormcontextid/summary/someimage.jpg
/pluginfile.php/scormcontextid/content/revisionnumber/dir/somescormfile.js

The revision counter is incremented when any file changes in order to prevent caching problems. The lifetime should be adjustable in module settings.

quiz example

pluginfile.php/quizcontextid/summary/niceimage.jpg
pluginfile.php/quizcontextid/report/type/export.ods

questions example

pluginfile.php/SYSCONTEXTID/question/questionid/file.jpg

blog example

Blog entries or notes in general do not have context id (because they live in system context, SYSCONTEXTID bellow is the id of system context). The note attachments are always served with XSS protection on, ideally we should use separate wwwroot for this. Access control can be hardcoded.

/pluginfile.php/SYSCONTEXTID/blog/blogenryid/attachmentname.ext

userfile.php

Personal file storage, intended as an online storage of work in progress like assignments before the submission.

• read/write own files only for now
• option to share with others later
• personal "websites" will not be supported (security)

/userfile.php/userid/dir/dir/filename.ext

rssfile.php

Replaces rss/file.php wchi is kept only for backwards compatibility. RSS files should not require sessions/cookies, urls should contain some sort of security token/key Internally the files may be stored in database or together with other files. Performance improvements - we should support both Etag (cool) and Last-Modified (more used), when we receive If-None-Match/If-Modified-Since => 304

/rssfile.php/contextid/any/parameters/module/wants/rss.xml
/rssfile.php/SYSCONTEXTID/blog/userid/rss.xml

Again modules and plugins decide what gets sent to user.

Temporary files

Temporary files are usually used during the lifetime of one script only. uses:

• exports
• imports
• zipping/unzipping
• processing by executable files (latex, mimetex)

Ideally these files should never use utf-8 (which is a major problem for zipping at the moment). Proposed new sha1 based file storage is not suitable both for performance and technical reasons.

Legacy file storage and serving

Going to use good-old separate directories in $CFG->dataroot.

file serving and storage:

1. user avatars - user/pix.php
2. group avatars - user/pixgroup.php
3. tex, algebra - filter/tex/* and filter/algebra/*
4. rss cache (?full rss rewrite soon?) - backwards compatibility only rss/file.php

only storage:

1. sessions

File storage API

Modules in general work only with local Moodle files. One of the major reason is performance when accessing external repository files. It will be possible to use repositories instead of file uploading and also to keep local files synced with external repository.

File contents are stored in moodledata/filepool indexed using SHA1 hashes instead of file names; file names, relative paths and other metadata will be stored in file(_xxx) database tables. This should be fully abstracted so that modules do not actually know where the files are located. When storing files the content is sent as string or file handle, when reading content it is returned as file handle.

files table

This table contains one entry for every file. Enough information is kept here so that the file can be fully identified and retrieved again if necessary.

note: plural used because file is a reserved word

Field	Type	Default	Info
id	int(10)		autoincrementing
sha1hash	varchar(40)		The sha1 hash of content.
contextid	int(10)		The context id defined in context table - identifies the instance of plugin owning the file.
filearea	varchar(50)		Like "submissions", "intro" and "content" (images and swf linked from summaries), etc.; "blogs" and "userfiles" are special case that live at the system context.
itemid	int(10)		Some plugin specific item id (eg. forum post, blog entry or assignment submission or user id for user files)
filepath	text		relative path to file from module content root, useful in Scorm and Resource mod - most of the mods do not need this
filename	varchar(255)		The full Unicode name of this file (case sensitive)
filesize	int(10)		size of file - bytes
mimetype	varchar(100)	NULL	type of file
userid	int(10)	NULL	Optional - general user id field - meaning depending on plugin
timecreated	int(10)		The time this file was created
timemodified	int(10)		The last time the file was modified

index on "contextid, instanceid, filearea" and "sha1hash"

Plugin type is not specified because it is derived from contextid, items like blog that do not have own context will use own filearea usually from systemcontextid.

files_cleanup table

This table contains candidates for deletion from the file pool.

Field	Type	Default	Info
id	int(10)		autoincrementing
sha1hash	varchar(40)

files_metadata table

This table contains extra metadata about files. Repositories could provide this, or it could be manually edited in the local copy.

Field	Type	Default	Info
id	int(10)		autoincrementing
fileid	int(10)		Id of file.
name	varchar(255)		The name of extra metadata
value	text		Value

files_acl table

This table describes optional ACL for file. This is not required in majority of cases, modules usually hardcode the file access logic, course files should not be used much any more.

Field	Type	Default	Info
id	int(10)		autoincrementing
fileid	int(10)		The file we are defining access for
contextid	int(10)		The context where this file is being published
capability	text		The capability that is required to see this file.

acl notes

• this is missing some concept similar to user/group/others, for example in case of user files typical user can not assign permissions or view them - this becomes useless there
• it is more important to synchronise the availability of file link and the file itself - having link pointing to inaccessible file or file which is accessible when not wanted are both problems
• browser/proxy caching works against us here - "secret" files should not be cached

files_sync table

This table contains information how to synchronise data with repositories. Data would be synchronised from cron.php or on demand from file manager. The sync would be one way only (repository-->local file).

Field	Type	Default	Info
id	int(10)		autoincrementing
fileid	int(10)		Id of file.
repositoryid	int(10)		The repository instance this is associated with, see Repository_API
updates	int(10)		Specifies the update schedule (0 = none, 1 = on demand, other = some period in seconds)
repositorypath	text		The full path to the original file on the repository
timeimportfirst	int(10)		The first time this file was imported into Moodle
timeimportlast	int(10)		The most recent time that this file was imported into Moodle

File content storage

Originally the file storage hierarchy contained a lot of metadata including userids, entry ids, filenames, etc. The file content will now be stored separately from file metadata. It must supports utf8 on all platforms.

File storing:

1. calculate SHA1 hash of content
2. check if file with SHA1 name exists, if not add the file to file pool
3. remove SHA1 from list of deleted files if found there
4. store file in file table, use SHA1 as file pool identifier

File reading:

1. fetch file record from 'file' table - probably using file id or combination of contextid+instanceid
2. fetch content of file

File deleting:

1. delete record from file table, remember file SHA1
2. store the deleted SHA1 in deleted files table, do not remove the physical file yet
3. wait for cron cleanup script to actually delete the file named SHA1 (proper table locking needed to prevent race conditions when adding/deleting files)

File pool details

located in $CFG->dataroot/filepool/, all files can not be stored in one directory due to OS limitations, it uses 3 levels based on first three characters of sha1 hash. It is unlikely that there will be thousands of files with the same first 3 chars in sha1 hash of their content.

This type of storage saves a lot of disk space when storing multiple copies of the same large file. It can also help substantially when synchronising data with external repositories. Another benefit is we can detect inconsistencies in file content.

File read performance is similar to previous code, file write performance will be slower - due to hashing and extra database access.

dataroot 
   /filepool
      /00
      /01
      ...
      /23
        /00
        /01
        ...
        /1e
           /00
           /01
           ...
           /2d
              /231e2dc421be4fcd0172e5afceea3970e2f3d940.jpg
      ...
      /fe
      /ff

File management API

This section describes following:

1. file manager
2. integration with html editor
3. interactions with repos

File manager

Single pane file manager is hard to implement without drag & drop which is notoriously problematic in web based applications. I propose to implement a two pane commander-style file manager. Two pane manager allows you to easily copy/move files between two different contexts (ex: courses).

File manager must not interact directly with filesystem API, instead each module should return traversable tree of files and directories with both real and localised names (localised names are needed for dirs like backupdata).

Originally there was a single file tree for each course. We need to fully separate each module/block from the course files and there might be also independent file areas in modules (ex: module introduction, content files, submissions, post attachments). File area may be defined as a small tree where we can use relative paths. These file areas are hanging from the branches of the context tree (this needs a picture).

Integration with htmleditor

Html editor should be able to browse only relevant files - for example when editing resource introduction only images from into file area of that resource should be available, when editing html resource page only the content area images should be listed.

There are several problem here:

1. when adding new resource its context does not exist yet, we will have to create some table to handle temporary file storage for adding of new stuff, not easy but should be solvable - maybe we could abuse the course context id or store it temporarily in some special user file area
2. we can not use absolute address relinking for pluginfile.php links, instead we can use the absolute links only when editing and before storage convert them to something like @@thispluginfile/intro@@/2112/112/image.jpg before storage. the local links would be converted to full absolute links before display or editing. Not all file areas will support this (ex: linking to assignment submission does not make sense because nobody else may access it anyway). This would allow us to implement image preview in html editor.

Html editor should contain simplified single pane file manager with basic operations only - select file area, browse file area, upload file/copy user file/use repo file, delete. The editor will communicate with modules and core through ajax call to some script specified by module embedding the editor. The callback script would use different logic to construct the tree of files than the File manager, it needs to know only about files that other ppl viewing the resulting html may access.

Interactions with repos

Repositories may serve as a replacement for file uploading. They may be also used to synchronise files between courses. The repo option should be available whenever there is a file upload field, sometimes with extra "keep synchronised" option (this would not make sense for stuff like assignment submissions).

Upgrade, migration and backwards compatibility

It is going to be a pain again like DML/DDL ;-)

Code backwards compatibility

0% backwards compatibility related to file storage. New objects will be mandatory to use. Old $CFG->dataroot/$courseid/ will be empty, $CFG->dataroot/blog/ too, etc.

Content backwards compatibility

Means existing courses should not loose images, flash, etc. Though some new features (like resource sharing - if implemented) may not work with existing data that still uses files from course files area.

There might be a breakage of links due to special characters stripping in uploaded files which will not match the links in uploaded html files any more. This should not be very common I hope.

Migration of content

• resources - move files to new resource content file area; can be done automatically for pdf, image resources; definitely not accurate for uploaded web pages
• questions - image file moved to new are, image tag appended to questions
• moddata files - the easiest part, just move to new storage
• coursefiles - there might be a lot of outdated files :-( :-(
• rss feeds links in readers - will be broken, the new security related code would break it anyway

Moving files to files table and file pool

The migration process must be interruptable because it might take a very long time. The files would be moved from old location, the restarting would be straightforward. Proposed stages:

1. migration of moddata files - assisted by modules (we need correct area names) or automatic for legacy code (the sorting will be done later when upgrade code available)
2. migration of blog attachments
3. migration of course files - finish marked by some $CFG->files_migrated=true;
4. modules may decide to migrate data from coursefiles to pluginfiles - this may bot be always automatic, such as in case of Resource mod :-(

Backup/restore changes

File handling in backups needs to be fully rewritten - list of files in xml + pool of sha1 named files with contents. This solves the utf-8 trouble here, yay!!

Quotas

File size will be stored in files table, we can use simple queries to find out how much space is used, however this may not be accurate because the sha1 hash based storage eliminates duplicate files.

• total course files - find out all contexts used in course, query files table with contextid IN ($listofcontexts)
• module files - find module context and calculate space per file area
• user files quota - inside the personal area only, counting all attachments in all mods might take a while

We could also divide the file size by number of instances that are using it, this might be considered more accurate in some scenarios.

Other

• antivirus scanning + upload manager rewrite/integration with forms lib
• zip compression and extraction

Major problems

List of hard to solve prolbems

unicode zip support

Unicode chars in zip files uploaded by teachers - unfortunately there is no 100% solution that will work for anybody because most zip programs do not support unicode, it is usually garbage in/garbage out which works in some cases only

Latest WinZIP 11.2 and Total Commander seem to support some very limited form of utf-8 encodings of file names. I managed to create a zip file in Windows (Czech locale) and extract them in linux with native PHP zip functions, the only step I needed to add was conversion cp852(DOS charset for Czech locale) -> UTF-8. The native windows zipping did not work for me though, because it does some different borking of charsets.

In any case it seems likely that native PHP support in PHP 5.2.x should be better than current pclzip or infozip binary.

empty directories

Hmm, thinking a bit more about Justin's comment I realised there is no support for empty directories in this proposal. This will require either new table or some hack in files table - maybe we could add files with "." as name and just skip them when iterating directory content.

file overriding

Concept of file overriding does not exist anymore here, the path+filename do not need to be unique - id columns in files table the main identifier of file. We could emulate this or make unique index. Hmmm, we can not make index because sloppy mssql does not allow indexes larger than 900 bytes :-(

Some little comments to be considered (to avoid forgetting them)

• each context will have its own "file manager"
• separate "file manager context" files (FMF) and "internal context" (ICF) files (current modedit files, submissions, attachements...)
• /pluginfile.php/SYSCONTEXTID/{blog|question} and so... will have own FMF too? Or only ICF ?
• rssfile.php: I'd support both Etag (cool) and Last-Modified (more used), when we receive If-None-Match/If-Modified-Since => 304
• Way to migrate
• Way to copy between contexts
• Links = -1 for them
• Deletion strategy (locks, quarantine status...)
• include support for quotas per user, per course, etc
• upgrade process should be interruptable (like the unicode upgrade) so it can be stopped/restarted any time

Justin's thinking out loud

I'm actually working on implementing this along with extending an existing Alfresco integration to work together with the whole File / Repository system and I wanted to get some of my comments and thoughts in here for feedback. Go easy on me. =)

So far I've only got one that I'd like to solicit some feedback on (BTW, if this would be better suited to a forum discussion, let me know):

Not storing the full filepath with each entry in the file table

• For browsing a directory structure, determining things like child directories or a parent directory given a filepath requires a lot of extraneous coding in PHP. I think it might be better served to create a new file_directory table, storing only a directory name, and reference to a parent directory record. The benefits here are that we're storing a lot of duplicate text field values in the file table and browsing through the file picker for local files doesn't require a lot of PHP overhead to calculate links to parent / child directories.
• Given that file permissions are no longer calculated using structured file paths, using the complete, full, path to a given file would most likely never be needed.

• The repositorypath field in the repository_sync table still makes sense, though.

• The file_directory table:

Field	Type	Default	Info
id	int(10)		autoincrementing
parent	int(10)		ID of directory that this record is a child of.
directoryname	varchar(255)		The actual name of this directory.

skodak: filepath is stored in files table - its root is the corresponding filearea, the file manager will use the context tree to find all plugins/courses and ask them to return the list of areas with all those small branches inside it