TOPIC:

Yes, I got xenith.js to display the 'url' it was using in the ajax call. It showed: website_code/php/templates/get_template_xml.php?file=USER-FILES/762-jhorne-Nottingham/preview.xml&time=1702384192962

The file is valid XML and contains the 'learningObject' being looked for.

What has happened to me before is that the XML contains an invalid character (for example soft-hyphen).
You can use a tool like xmllint to check for that.

Thanks for that. Yes I tried xmllint and it reported no problems with the file.

Without looking further at the ajax call I am wondering if the URL is incorrect in that it doesn't lead with a '/' character. That would probably give a not found error.

Okay, I have found the problem.

xenith.js calls 'get_template_xml.php' with the USER-FILES pathname. No problem with that.
What I hadn't noticed was the very last line of 'get_template_xml.php' which also returns a 'Not found!' message. It is this that is actually being returned.
It is returned because, as mentioned our USER-FILES are held on shared storage - that is USER-FILES is a symlink off to another directory. But 'get_template_xml.php' compares that directory name against the path it is given in xenith.js, and they aren't the same.

The browser log shows (after modifying get_template_xml.php to print the pathnames):

Uncaught Error: Invalid XML: Not found! Realpath is: /mnt/share-1/xerte/USER-FILES/762-jhorne-Nottingham/preview.xml Full unsafe path is: /var/www/html/xerte-3.12/USER-FILES/762-jhorne-Nottingham/preview.xml

I suspect that if I copied my own USER-FILES onto the server local disk rather than using the share, then it would work (no share/symlink involved)

Yes, Xerte does several checks to prevent people from doing path traversal (using ../../ in paths etc) to prevent users from being able to download things like database.php or /etc/passwd

I have patched the 'get_template_xml.php' file to cater for our case. Basically it checks the given pathname to see if '..' is present in it. If it is, then an error is returned, if is not present then the file contents are returned. I can now see my projects, and preview or edit them.

I have attached a diff patch file.