Fix: Use entity

023b6f2e · Laurent Destailleur · 86ea79c8 · 023b6f2e · 023b6f2e · 023b6f2e
Commit 023b6f2e authored 11 years ago by Laurent Destailleur
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@@ -1233,13 +1233,15 @@ function dol_most_recent_file($dir,$regexfilter='',$excludefilter=array('\.meta$
 *
 * @param	string	$modulepart			Module of document
 * @param	string	$original_file		Relative path with filename
+ * @param	string	$entity				Restrict onto entity
 * @return	mixed						Array with access information : accessallowed & sqlprotectagainstexternals & original_file (as full path name)
 */
-function dol_check_secure_access_document($modulepart,$original_file)
+function dol_check_secure_access_document($modulepart,$original_file,$entity)
 {
 	global $user, $conf;
 	if (empty($modulepart)) return 'ErrorBadParameter';
+	if (empty($entity)) $entity=0;
 	// We define $accessallowed and $sqlprotectagainstexternals
 	$accessallowed=0;

--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -96,7 +96,7 @@ $refname=basename(dirname($original_file)."/");
 // Security check
 if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart');
-$check_access = dol_check_secure_access_document($modulepart,$original_file);
+$check_access = dol_check_secure_access_document($modulepart,$original_file,$entity);
 $accessallowed              = $check_access['accessallowed'];
 $sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals'];
 $original_file              = $check_access['original_file'];

--- a/htdocs/viewimage.php
+++ b/htdocs/viewimage.php
@@ -100,7 +100,7 @@ $original_file = str_replace("../","/", $original_file);
 // Security check
 if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart');
-$check_access = dol_check_secure_access_document($modulepart,$original_file);
+$check_access = dol_check_secure_access_document($modulepart,$original_file,$entity);
 $accessallowed              = $check_access['accessallowed'];
 $sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals'];
 $original_file              = $check_access['original_file'];

--- a/htdocs/webservices/server_other.php
+++ b/htdocs/webservices/server_other.php
@@ -192,7 +192,7 @@ function getDocument($authentication, $modulepart, $file)
 	$error=0;
 	// Properties of doc
-	$original_file = $file;	
+	$original_file = $file;
 	$type=dol_mimetype($original_file);
 	$relativefilepath = $ref . "/";
 	$relativepath = $relativefilepath . $ref.'.pdf';
@@ -221,10 +221,10 @@ function getDocument($authentication, $modulepart, $file)
 		$refname=basename(dirname($original_file)."/");
 		// Security check
-		$accessallowed=0;
+		$check_access = dol_check_secure_access_document($modulepart,$original_file,$conf->entity);
-		$check_access = dol_check_secure_access_document($modulepart,$original_file);
+		$accessallowed              = $check_access['accessallowed'];
-		$accessallowed=$check_access['accessallowed'];
 		$sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals'];
+		$original_file              = $check_access['original_file'];
 		// Basic protection (against external users only)
 		if ($fuser->societe_id > 0)
@@ -277,27 +277,27 @@ function getDocument($authentication, $modulepart, $file)
 			if(file_exists($original_file))
 			{
 				dol_syslog("Function: getDocument $original_file $filename content-type=$type");
 				$file=$fileparams['fullname'];
 				$filename = basename($file);
 				$f = fopen($original_file,'r');
 				$content_file = fread($f,filesize($original_file));
 				$objectret = array(
 					'filename' => basename($original_file),
 					'mimetype' => dol_mimetype($original_file),
 					'content' => base64_encode($content_file),
 					'length' => filesize($original_file)
 				);
 				// Create return object
 				$objectresp = array(
 					'result'=>array('result_code'=>'OK', 'result_label'=>''),
 					'document'=>$objectret
 				);
 			}
-			else 
+			else
 			{
 				dol_syslog("File doesn't exist ".$original_file);
 				$errorcode='NOT_FOUND';