Commit
0ec4b3bc
authored
12 years ago
by
Laurent Destailleur
Merge branch '3.4' of
https://github.com/Dolibarr/dolibarr.git
into 3.4
parents
285ea8da
f89860e0
Showing
2 changed files
htdocs/core/lib/files.lib.php
+58
-55
58 additions, 55 deletions
htdocs/core/lib/files.lib.php
htdocs/webservices/server_other.php
+1
-1
1 addition, 1 deletion
htdocs/webservices/server_other.php
with
59 additions
and
56 deletions
htdocs/core/lib/files.lib.php
+
58
−
55
...
@@ -1235,13 +1235,16 @@ function dol_most_recent_file($dir,$regexfilter='',$excludefilter=array('\.meta$
...
@@ -1235,13 +1235,16 @@ function dol_most_recent_file($dir,$regexfilter='',$excludefilter=array('\.meta$
*
*
* @param string $modulepart Module of document
* @param string $modulepart Module of document
* @param string $original_file Relative path with filename
* @param string $original_file Relative path with filename
* @param User $fuser User object (forced)
* @param string $entity Restrict onto entity
* @param string $entity Restrict onto entity
* @return mixed Array with access information : accessallowed & sqlprotectagainstexternals & original_file (as full path name)
* @return mixed Array with access information : accessallowed & sqlprotectagainstexternals & original_file (as full path name)
*/
*/
function
dol_check_secure_access_document
(
$modulepart
,
$original_file
,
$entity
)
function
dol_check_secure_access_document
(
$modulepart
,
$original_file
,
$entity
,
$fuser
=
''
)
{
{
global
$user
,
$conf
;
global
$user
,
$conf
;
if
(
!
is_object
(
$fuser
))
$fuser
=
$user
;
if
(
empty
(
$modulepart
))
return
'ErrorBadParameter'
;
if
(
empty
(
$modulepart
))
return
'ErrorBadParameter'
;
if
(
empty
(
$entity
))
$entity
=
0
;
if
(
empty
(
$entity
))
$entity
=
0
;
dol_syslog
(
'$modulepart='
.
$modulepart
.
' $original_file= '
.
$original_file
);
dol_syslog
(
'$modulepart='
.
$modulepart
.
' $original_file= '
.
$original_file
);
...
@@ -1271,101 +1274,101 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1271,101 +1274,101 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Wrapping pour les apercu factures
// Wrapping pour les apercu factures
elseif
(
$modulepart
==
'apercufacture'
)
elseif
(
$modulepart
==
'apercufacture'
)
{
{
if
(
$user
->
rights
->
facture
->
lire
)
$accessallowed
=
1
;
if
(
$
f
user
->
rights
->
facture
->
lire
)
$accessallowed
=
1
;
$original_file
=
$conf
->
facture
->
dir_output
.
'/'
.
$original_file
;
$original_file
=
$conf
->
facture
->
dir_output
.
'/'
.
$original_file
;
}
}
// Wrapping pour les apercu propal
// Wrapping pour les apercu propal
elseif
(
$modulepart
==
'apercupropal'
)
elseif
(
$modulepart
==
'apercupropal'
)
{
{
if
(
$user
->
rights
->
propale
->
lire
)
$accessallowed
=
1
;
if
(
$
f
user
->
rights
->
propale
->
lire
)
$accessallowed
=
1
;
$original_file
=
$conf
->
propal
->
dir_output
.
'/'
.
$original_file
;
$original_file
=
$conf
->
propal
->
dir_output
.
'/'
.
$original_file
;
}
}
// Wrapping pour les apercu commande
// Wrapping pour les apercu commande
elseif
(
$modulepart
==
'apercucommande'
)
elseif
(
$modulepart
==
'apercucommande'
)
{
{
if
(
$user
->
rights
->
commande
->
lire
)
$accessallowed
=
1
;
if
(
$
f
user
->
rights
->
commande
->
lire
)
$accessallowed
=
1
;
$original_file
=
$conf
->
commande
->
dir_output
.
'/'
.
$original_file
;
$original_file
=
$conf
->
commande
->
dir_output
.
'/'
.
$original_file
;
}
}
// Wrapping pour les apercu intervention
// Wrapping pour les apercu intervention
elseif
(
$modulepart
==
'apercufichinter'
)
elseif
(
$modulepart
==
'apercufichinter'
)
{
{
if
(
$user
->
rights
->
ficheinter
->
lire
)
$accessallowed
=
1
;
if
(
$
f
user
->
rights
->
ficheinter
->
lire
)
$accessallowed
=
1
;
$original_file
=
$conf
->
ficheinter
->
dir_output
.
'/'
.
$original_file
;
$original_file
=
$conf
->
ficheinter
->
dir_output
.
'/'
.
$original_file
;
}
}
// Wrapping pour les images des stats propales
// Wrapping pour les images des stats propales
elseif
(
$modulepart
==
'propalstats'
)
elseif
(
$modulepart
==
'propalstats'
)
{
{
if
(
$user
->
rights
->
propale
->
lire
)
$accessallowed
=
1
;
if
(
$
f
user
->
rights
->
propale
->
lire
)
$accessallowed
=
1
;
$original_file
=
$conf
->
propal
->
dir_temp
.
'/'
.
$original_file
;
$original_file
=
$conf
->
propal
->
dir_temp
.
'/'
.
$original_file
;
}
}
// Wrapping pour les images des stats commandes
// Wrapping pour les images des stats commandes
elseif
(
$modulepart
==
'orderstats'
)
elseif
(
$modulepart
==
'orderstats'
)
{
{
if
(
$user
->
rights
->
commande
->
lire
)
$accessallowed
=
1
;
if
(
$
f
user
->
rights
->
commande
->
lire
)
$accessallowed
=
1
;
$original_file
=
$conf
->
commande
->
dir_temp
.
'/'
.
$original_file
;
$original_file
=
$conf
->
commande
->
dir_temp
.
'/'
.
$original_file
;
}
}
elseif
(
$modulepart
==
'orderstatssupplier'
)
elseif
(
$modulepart
==
'orderstatssupplier'
)
{
{
if
(
$user
->
rights
->
fournisseur
->
commande
->
lire
)
$accessallowed
=
1
;
if
(
$
f
user
->
rights
->
fournisseur
->
commande
->
lire
)
$accessallowed
=
1
;
$original_file
=
$conf
->
fournisseur
->
dir_output
.
'/commande/temp/'
.
$original_file
;
$original_file
=
$conf
->
fournisseur
->
dir_output
.
'/commande/temp/'
.
$original_file
;
}
}
// Wrapping pour les images des stats factures
// Wrapping pour les images des stats factures
elseif
(
$modulepart
==
'billstats'
)
elseif
(
$modulepart
==
'billstats'
)
{
{
if
(
$user
->
rights
->
facture
->
lire
)
$accessallowed
=
1
;
if
(
$
f
user
->
rights
->
facture
->
lire
)
$accessallowed
=
1
;
$original_file
=
$conf
->
facture
->
dir_temp
.
'/'
.
$original_file
;
$original_file
=
$conf
->
facture
->
dir_temp
.
'/'
.
$original_file
;
}
}
elseif
(
$modulepart
==
'billstatssupplier'
)
elseif
(
$modulepart
==
'billstatssupplier'
)
{
{
if
(
$user
->
rights
->
fournisseur
->
facture
->
lire
)
$accessallowed
=
1
;
if
(
$
f
user
->
rights
->
fournisseur
->
facture
->
lire
)
$accessallowed
=
1
;
$original_file
=
$conf
->
fournisseur
->
dir_output
.
'/facture/temp/'
.
$original_file
;
$original_file
=
$conf
->
fournisseur
->
dir_output
.
'/facture/temp/'
.
$original_file
;
}
}
// Wrapping pour les images des stats expeditions
// Wrapping pour les images des stats expeditions
elseif
(
$modulepart
==
'expeditionstats'
)
elseif
(
$modulepart
==
'expeditionstats'
)
{
{
if
(
$user
->
rights
->
expedition
->
lire
)
$accessallowed
=
1
;
if
(
$
f
user
->
rights
->
expedition
->
lire
)
$accessallowed
=
1
;
$original_file
=
$conf
->
expedition
->
dir_temp
.
'/'
.
$original_file
;
$original_file
=
$conf
->
expedition
->
dir_temp
.
'/'
.
$original_file
;
}
}
// Wrapping pour les images des stats expeditions
// Wrapping pour les images des stats expeditions
elseif
(
$modulepart
==
'tripsexpensesstats'
)
elseif
(
$modulepart
==
'tripsexpensesstats'
)
{
{
if
(
$user
->
rights
->
deplacement
->
lire
)
$accessallowed
=
1
;
if
(
$
f
user
->
rights
->
deplacement
->
lire
)
$accessallowed
=
1
;
$original_file
=
$conf
->
deplacement
->
dir_temp
.
'/'
.
$original_file
;
$original_file
=
$conf
->
deplacement
->
dir_temp
.
'/'
.
$original_file
;
}
}
// Wrapping pour les images des stats expeditions
// Wrapping pour les images des stats expeditions
elseif
(
$modulepart
==
'memberstats'
)
elseif
(
$modulepart
==
'memberstats'
)
{
{
if
(
$user
->
rights
->
adherent
->
lire
)
$accessallowed
=
1
;
if
(
$
f
user
->
rights
->
adherent
->
lire
)
$accessallowed
=
1
;
$original_file
=
$conf
->
adherent
->
dir_temp
.
'/'
.
$original_file
;
$original_file
=
$conf
->
adherent
->
dir_temp
.
'/'
.
$original_file
;
}
}
// Wrapping pour les images des stats produits
// Wrapping pour les images des stats produits
elseif
(
preg_match
(
'/^productstats_/i'
,
$modulepart
))
elseif
(
preg_match
(
'/^productstats_/i'
,
$modulepart
))
{
{
if
(
$user
->
rights
->
produit
->
lire
||
$user
->
rights
->
service
->
lire
)
$accessallowed
=
1
;
if
(
$
f
user
->
rights
->
produit
->
lire
||
$
f
user
->
rights
->
service
->
lire
)
$accessallowed
=
1
;
$original_file
=
(
!
empty
(
$conf
->
product
->
multidir_temp
[
$entity
])
?
$conf
->
product
->
multidir_temp
[
$entity
]
:
$conf
->
service
->
multidir_temp
[
$entity
])
.
'/'
.
$original_file
;
$original_file
=
(
!
empty
(
$conf
->
product
->
multidir_temp
[
$entity
])
?
$conf
->
product
->
multidir_temp
[
$entity
]
:
$conf
->
service
->
multidir_temp
[
$entity
])
.
'/'
.
$original_file
;
}
}
// Wrapping for products or services
// Wrapping for products or services
elseif
(
$modulepart
==
'tax'
)
elseif
(
$modulepart
==
'tax'
)
{
{
if
(
$user
->
rights
->
tax
->
charges
->
lire
)
$accessallowed
=
1
;
if
(
$
f
user
->
rights
->
tax
->
charges
->
lire
)
$accessallowed
=
1
;
$original_file
=
$conf
->
tax
->
dir_output
.
'/'
.
$original_file
;
$original_file
=
$conf
->
tax
->
dir_output
.
'/'
.
$original_file
;
}
}
// Wrapping for products or services
// Wrapping for products or services
elseif
(
$modulepart
==
'actions'
)
elseif
(
$modulepart
==
'actions'
)
{
{
if
(
$user
->
rights
->
agenda
->
myactions
->
read
)
$accessallowed
=
1
;
if
(
$
f
user
->
rights
->
agenda
->
myactions
->
read
)
$accessallowed
=
1
;
$original_file
=
$conf
->
agenda
->
dir_output
.
'/'
.
$original_file
;
$original_file
=
$conf
->
agenda
->
dir_output
.
'/'
.
$original_file
;
}
}
// Wrapping for categories
// Wrapping for categories
elseif
(
$modulepart
==
'category'
)
elseif
(
$modulepart
==
'category'
)
{
{
if
(
$user
->
rights
->
categorie
->
lire
)
$accessallowed
=
1
;
if
(
$
f
user
->
rights
->
categorie
->
lire
)
$accessallowed
=
1
;
$original_file
=
$conf
->
categorie
->
multidir_output
[
$entity
]
.
'/'
.
$original_file
;
$original_file
=
$conf
->
categorie
->
multidir_output
[
$entity
]
.
'/'
.
$original_file
;
}
}
// Wrapping pour les prelevements
// Wrapping pour les prelevements
elseif
(
$modulepart
==
'prelevement'
)
elseif
(
$modulepart
==
'prelevement'
)
{
{
if
(
$user
->
rights
->
prelevement
->
bons
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
if
(
$
f
user
->
rights
->
prelevement
->
bons
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
...
@@ -1408,7 +1411,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1408,7 +1411,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
elseif
(
$modulepart
==
'scanner_user_temp'
)
elseif
(
$modulepart
==
'scanner_user_temp'
)
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
$original_file
=
$conf
->
scanner
->
dir_temp
.
'/'
.
$user
->
id
.
'/'
.
$original_file
;
$original_file
=
$conf
->
scanner
->
dir_temp
.
'/'
.
$
f
user
->
id
.
'/'
.
$original_file
;
}
}
// Wrapping pour les images fckeditor
// Wrapping pour les images fckeditor
elseif
(
$modulepart
==
'fckeditor'
)
elseif
(
$modulepart
==
'fckeditor'
)
...
@@ -1420,7 +1423,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1420,7 +1423,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Wrapping for third parties
// Wrapping for third parties
else
if
(
$modulepart
==
'company'
||
$modulepart
==
'societe'
)
else
if
(
$modulepart
==
'company'
||
$modulepart
==
'societe'
)
{
{
if
(
$user
->
rights
->
societe
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
if
(
$
f
user
->
rights
->
societe
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
...
@@ -1431,7 +1434,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1431,7 +1434,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Wrapping for invoices
// Wrapping for invoices
else
if
(
$modulepart
==
'facture'
||
$modulepart
==
'invoice'
)
else
if
(
$modulepart
==
'facture'
||
$modulepart
==
'invoice'
)
{
{
if
(
$user
->
rights
->
facture
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
if
(
$
f
user
->
rights
->
facture
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
...
@@ -1441,7 +1444,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1441,7 +1444,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
else
if
(
$modulepart
==
'unpaid'
)
else
if
(
$modulepart
==
'unpaid'
)
{
{
if
(
$user
->
rights
->
facture
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
if
(
$
f
user
->
rights
->
facture
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
...
@@ -1451,7 +1454,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1451,7 +1454,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Wrapping pour les fiches intervention
// Wrapping pour les fiches intervention
else
if
(
$modulepart
==
'ficheinter'
)
else
if
(
$modulepart
==
'ficheinter'
)
{
{
if
(
$user
->
rights
->
ficheinter
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
if
(
$
f
user
->
rights
->
ficheinter
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
...
@@ -1462,7 +1465,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1462,7 +1465,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Wrapping pour les deplacements et notes de frais
// Wrapping pour les deplacements et notes de frais
else
if
(
$modulepart
==
'deplacement'
)
else
if
(
$modulepart
==
'deplacement'
)
{
{
if
(
$user
->
rights
->
deplacement
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
if
(
$
f
user
->
rights
->
deplacement
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
...
@@ -1472,7 +1475,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1472,7 +1475,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Wrapping pour les propales
// Wrapping pour les propales
else
if
(
$modulepart
==
'propal'
)
else
if
(
$modulepart
==
'propal'
)
{
{
if
(
$user
->
rights
->
propale
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
if
(
$
f
user
->
rights
->
propale
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
...
@@ -1484,7 +1487,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1484,7 +1487,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Wrapping pour les commandes
// Wrapping pour les commandes
else
if
(
$modulepart
==
'commande'
||
$modulepart
==
'order'
)
else
if
(
$modulepart
==
'commande'
||
$modulepart
==
'order'
)
{
{
if
(
$user
->
rights
->
commande
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
if
(
$
f
user
->
rights
->
commande
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
...
@@ -1495,7 +1498,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1495,7 +1498,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Wrapping pour les projets
// Wrapping pour les projets
else
if
(
$modulepart
==
'project'
)
else
if
(
$modulepart
==
'project'
)
{
{
if
(
$user
->
rights
->
projet
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
if
(
$
f
user
->
rights
->
projet
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
...
@@ -1506,7 +1509,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1506,7 +1509,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Wrapping pour les commandes fournisseurs
// Wrapping pour les commandes fournisseurs
else
if
(
$modulepart
==
'commande_fournisseur'
||
$modulepart
==
'order_supplier'
)
else
if
(
$modulepart
==
'commande_fournisseur'
||
$modulepart
==
'order_supplier'
)
{
{
if
(
$user
->
rights
->
fournisseur
->
commande
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
if
(
$
f
user
->
rights
->
fournisseur
->
commande
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
...
@@ -1517,7 +1520,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1517,7 +1520,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Wrapping pour les factures fournisseurs
// Wrapping pour les factures fournisseurs
else
if
(
$modulepart
==
'facture_fournisseur'
||
$modulepart
==
'invoice_supplier'
)
else
if
(
$modulepart
==
'facture_fournisseur'
||
$modulepart
==
'invoice_supplier'
)
{
{
if
(
$user
->
rights
->
fournisseur
->
facture
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
if
(
$
f
user
->
rights
->
fournisseur
->
facture
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
...
@@ -1528,18 +1531,18 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1528,18 +1531,18 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Wrapping pour les rapport de paiements
// Wrapping pour les rapport de paiements
else
if
(
$modulepart
==
'facture_paiement'
)
else
if
(
$modulepart
==
'facture_paiement'
)
{
{
if
(
$user
->
rights
->
facture
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
if
(
$
f
user
->
rights
->
facture
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
if
(
$user
->
societe_id
>
0
)
$original_file
=
$conf
->
facture
->
dir_output
.
'/payments/private/'
.
$user
->
id
.
'/'
.
$original_file
;
if
(
$
f
user
->
societe_id
>
0
)
$original_file
=
$conf
->
facture
->
dir_output
.
'/payments/private/'
.
$
f
user
->
id
.
'/'
.
$original_file
;
else
$original_file
=
$conf
->
facture
->
dir_output
.
'/payments/'
.
$original_file
;
else
$original_file
=
$conf
->
facture
->
dir_output
.
'/payments/'
.
$original_file
;
}
}
// Wrapping pour les exports de compta
// Wrapping pour les exports de compta
else
if
(
$modulepart
==
'export_compta'
)
else
if
(
$modulepart
==
'export_compta'
)
{
{
if
(
$user
->
rights
->
compta
->
ventilation
->
creer
||
preg_match
(
'/^specimen/i'
,
$original_file
))
if
(
$
f
user
->
rights
->
compta
->
ventilation
->
creer
||
preg_match
(
'/^specimen/i'
,
$original_file
))
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
...
@@ -1549,7 +1552,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1549,7 +1552,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Wrapping pour les expedition
// Wrapping pour les expedition
else
if
(
$modulepart
==
'expedition'
)
else
if
(
$modulepart
==
'expedition'
)
{
{
if
(
$user
->
rights
->
expedition
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
if
(
$
f
user
->
rights
->
expedition
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
...
@@ -1559,7 +1562,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1559,7 +1562,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Wrapping pour les bons de livraison
// Wrapping pour les bons de livraison
else
if
(
$modulepart
==
'livraison'
)
else
if
(
$modulepart
==
'livraison'
)
{
{
if
(
$user
->
rights
->
expedition
->
livraison
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
if
(
$
f
user
->
rights
->
expedition
->
livraison
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
...
@@ -1569,7 +1572,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1569,7 +1572,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Wrapping pour les actions
// Wrapping pour les actions
else
if
(
$modulepart
==
'actions'
)
else
if
(
$modulepart
==
'actions'
)
{
{
if
(
$user
->
rights
->
agenda
->
myactions
->
read
||
preg_match
(
'/^specimen/i'
,
$original_file
))
if
(
$
f
user
->
rights
->
agenda
->
myactions
->
read
||
preg_match
(
'/^specimen/i'
,
$original_file
))
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
...
@@ -1579,7 +1582,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1579,7 +1582,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Wrapping pour les actions
// Wrapping pour les actions
else
if
(
$modulepart
==
'actionsreport'
)
else
if
(
$modulepart
==
'actionsreport'
)
{
{
if
(
$user
->
rights
->
agenda
->
allactions
->
read
||
preg_match
(
'/^specimen/i'
,
$original_file
))
if
(
$
f
user
->
rights
->
agenda
->
allactions
->
read
||
preg_match
(
'/^specimen/i'
,
$original_file
))
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
...
@@ -1589,7 +1592,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1589,7 +1592,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Wrapping pour les produits et services
// Wrapping pour les produits et services
else
if
(
$modulepart
==
'product'
||
$modulepart
==
'produit'
||
$modulepart
==
'service'
)
else
if
(
$modulepart
==
'product'
||
$modulepart
==
'produit'
||
$modulepart
==
'service'
)
{
{
if
((
$user
->
rights
->
produit
->
lire
||
$user
->
rights
->
service
->
lire
)
||
preg_match
(
'/^specimen/i'
,
$original_file
))
if
((
$
f
user
->
rights
->
produit
->
lire
||
$
f
user
->
rights
->
service
->
lire
)
||
preg_match
(
'/^specimen/i'
,
$original_file
))
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
...
@@ -1600,7 +1603,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1600,7 +1603,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Wrapping pour les contrats
// Wrapping pour les contrats
else
if
(
$modulepart
==
'contract'
)
else
if
(
$modulepart
==
'contract'
)
{
{
if
(
$user
->
rights
->
contrat
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
if
(
$
f
user
->
rights
->
contrat
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
...
@@ -1610,7 +1613,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1610,7 +1613,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Wrapping pour les dons
// Wrapping pour les dons
else
if
(
$modulepart
==
'donation'
)
else
if
(
$modulepart
==
'donation'
)
{
{
if
(
$user
->
rights
->
don
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
if
(
$
f
user
->
rights
->
don
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
...
@@ -1620,7 +1623,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1620,7 +1623,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Wrapping pour les remises de cheques
// Wrapping pour les remises de cheques
else
if
(
$modulepart
==
'remisecheque'
)
else
if
(
$modulepart
==
'remisecheque'
)
{
{
if
(
$user
->
rights
->
banque
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
if
(
$
f
user
->
rights
->
banque
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
...
@@ -1634,7 +1637,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1634,7 +1637,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Aucun test necessaire car on force le rep de download sur
// Aucun test necessaire car on force le rep de download sur
// le rep export qui est propre a l'utilisateur
// le rep export qui est propre a l'utilisateur
$accessallowed
=
1
;
$accessallowed
=
1
;
$original_file
=
$conf
->
export
->
dir_temp
.
'/'
.
$user
->
id
.
'/'
.
$original_file
;
$original_file
=
$conf
->
export
->
dir_temp
.
'/'
.
$
f
user
->
id
.
'/'
.
$original_file
;
}
}
// Wrapping for import module
// Wrapping for import module
...
@@ -1658,7 +1661,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1658,7 +1661,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Wrapping pour les backups
// Wrapping pour les backups
else
if
(
$modulepart
==
'systemtools'
)
else
if
(
$modulepart
==
'systemtools'
)
{
{
if
(
$user
->
admin
)
if
(
$
f
user
->
admin
)
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
...
@@ -1668,7 +1671,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1668,7 +1671,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Wrapping for upload file test
// Wrapping for upload file test
else
if
(
$modulepart
==
'admin_temp'
)
else
if
(
$modulepart
==
'admin_temp'
)
{
{
if
(
$user
->
admin
)
if
(
$
f
user
->
admin
)
$accessallowed
=
1
;
$accessallowed
=
1
;
$original_file
=
$conf
->
admin
->
dir_temp
.
'/'
.
$original_file
;
$original_file
=
$conf
->
admin
->
dir_temp
.
'/'
.
$original_file
;
}
}
...
@@ -1685,7 +1688,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1685,7 +1688,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Wrapping pour Foundation module
// Wrapping pour Foundation module
else
if
(
$modulepart
==
'member'
)
else
if
(
$modulepart
==
'member'
)
{
{
if
(
$user
->
rights
->
adherent
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
if
(
$
f
user
->
rights
->
adherent
->
lire
||
preg_match
(
'/^specimen/i'
,
$original_file
))
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
...
@@ -1696,7 +1699,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1696,7 +1699,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
else
if
(
$modulepart
==
'scanner_user_temp'
)
else
if
(
$modulepart
==
'scanner_user_temp'
)
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
$original_file
=
$conf
->
scanner
->
dir_temp
.
'/'
.
$user
->
id
.
'/'
.
$original_file
;
$original_file
=
$conf
->
scanner
->
dir_temp
.
'/'
.
$
f
user
->
id
.
'/'
.
$original_file
;
}
}
// GENERIC Wrapping
// GENERIC Wrapping
...
@@ -1709,18 +1712,18 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1709,18 +1712,18 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
// Define $accessallowed
// Define $accessallowed
if
(
preg_match
(
'/^([a-z]+)_user_temp$/i'
,
$modulepart
,
$reg
))
if
(
preg_match
(
'/^([a-z]+)_user_temp$/i'
,
$modulepart
,
$reg
))
{
{
if
(
$user
->
rights
->
$reg
[
1
]
->
lire
||
$user
->
rights
->
$reg
[
1
]
->
read
||
(
$user
->
rights
->
$reg
[
1
]
->
download
))
$accessallowed
=
1
;
if
(
$
f
user
->
rights
->
$reg
[
1
]
->
lire
||
$
f
user
->
rights
->
$reg
[
1
]
->
read
||
(
$
f
user
->
rights
->
$reg
[
1
]
->
download
))
$accessallowed
=
1
;
$original_file
=
$conf
->
$reg
[
1
]
->
dir_temp
.
'/'
.
$user
->
id
.
'/'
.
$original_file
;
$original_file
=
$conf
->
$reg
[
1
]
->
dir_temp
.
'/'
.
$
f
user
->
id
.
'/'
.
$original_file
;
}
}
else
if
(
preg_match
(
'/^([a-z]+)_temp$/i'
,
$modulepart
,
$reg
))
else
if
(
preg_match
(
'/^([a-z]+)_temp$/i'
,
$modulepart
,
$reg
))
{
{
if
(
$user
->
rights
->
$reg
[
1
]
->
lire
||
$user
->
rights
->
$reg
[
1
]
->
read
||
(
$user
->
rights
->
$reg
[
1
]
->
download
))
$accessallowed
=
1
;
if
(
$
f
user
->
rights
->
$reg
[
1
]
->
lire
||
$
f
user
->
rights
->
$reg
[
1
]
->
read
||
(
$
f
user
->
rights
->
$reg
[
1
]
->
download
))
$accessallowed
=
1
;
$original_file
=
$conf
->
$reg
[
1
]
->
dir_temp
.
'/'
.
$original_file
;
$original_file
=
$conf
->
$reg
[
1
]
->
dir_temp
.
'/'
.
$original_file
;
}
}
else
if
(
preg_match
(
'/^([a-z]+)_user$/i'
,
$modulepart
,
$reg
))
else
if
(
preg_match
(
'/^([a-z]+)_user$/i'
,
$modulepart
,
$reg
))
{
{
if
(
$user
->
rights
->
$reg
[
1
]
->
lire
||
$user
->
rights
->
$reg
[
1
]
->
read
||
(
$user
->
rights
->
$reg
[
1
]
->
download
))
$accessallowed
=
1
;
if
(
$
f
user
->
rights
->
$reg
[
1
]
->
lire
||
$
f
user
->
rights
->
$reg
[
1
]
->
read
||
(
$
f
user
->
rights
->
$reg
[
1
]
->
download
))
$accessallowed
=
1
;
$original_file
=
$conf
->
$reg
[
1
]
->
dir_output
.
'/'
.
$user
->
id
.
'/'
.
$original_file
;
$original_file
=
$conf
->
$reg
[
1
]
->
dir_output
.
'/'
.
$
f
user
->
id
.
'/'
.
$original_file
;
}
}
else
else
{
{
...
@@ -1728,24 +1731,24 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
...
@@ -1728,24 +1731,24 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
$subperm
=
GETPOST
(
'subperm'
);
$subperm
=
GETPOST
(
'subperm'
);
if
(
$perm
||
$subperm
)
if
(
$perm
||
$subperm
)
{
{
if
((
$perm
&&
!
$subperm
&&
$user
->
rights
->
$modulepart
->
$perm
)
||
(
$perm
&&
$subperm
&&
$user
->
rights
->
$modulepart
->
$perm
->
$subperm
))
$accessallowed
=
1
;
if
((
$perm
&&
!
$subperm
&&
$
f
user
->
rights
->
$modulepart
->
$perm
)
||
(
$perm
&&
$subperm
&&
$
f
user
->
rights
->
$modulepart
->
$perm
->
$subperm
))
$accessallowed
=
1
;
$original_file
=
$conf
->
$modulepart
->
dir_output
.
'/'
.
$original_file
;
$original_file
=
$conf
->
$modulepart
->
dir_output
.
'/'
.
$original_file
;
}
}
else
else
{
{
if
(
$user
->
rights
->
$modulepart
->
lire
||
$user
->
rights
->
$modulepart
->
read
)
$accessallowed
=
1
;
if
(
$
f
user
->
rights
->
$modulepart
->
lire
||
$
f
user
->
rights
->
$modulepart
->
read
)
$accessallowed
=
1
;
$original_file
=
$conf
->
$modulepart
->
dir_output
.
'/'
.
$original_file
;
$original_file
=
$conf
->
$modulepart
->
dir_output
.
'/'
.
$original_file
;
}
}
}
}
if
(
preg_match
(
'/^specimen/i'
,
$original_file
))
$accessallowed
=
1
;
// If link to a specimen
if
(
preg_match
(
'/^specimen/i'
,
$original_file
))
$accessallowed
=
1
;
// If link to a specimen
if
(
$user
->
admin
)
$accessallowed
=
1
;
// If user is admin
if
(
$
f
user
->
admin
)
$accessallowed
=
1
;
// If user is admin
// For modules who wants to manage different levels of permissions for documents
// For modules who wants to manage different levels of permissions for documents
$subPermCategoryConstName
=
strtoupper
(
$modulepart
)
.
'_SUBPERMCATEGORY_FOR_DOCUMENTS'
;
$subPermCategoryConstName
=
strtoupper
(
$modulepart
)
.
'_SUBPERMCATEGORY_FOR_DOCUMENTS'
;
if
(
!
empty
(
$conf
->
global
->
$subPermCategoryConstName
))
if
(
!
empty
(
$conf
->
global
->
$subPermCategoryConstName
))
{
{
$subPermCategory
=
$conf
->
global
->
$subPermCategoryConstName
;
$subPermCategory
=
$conf
->
global
->
$subPermCategoryConstName
;
if
(
!
empty
(
$subPermCategory
)
&&
((
$user
->
rights
->
$modulepart
->
$subPermCategory
->
lire
)
||
(
$user
->
rights
->
$modulepart
->
$subPermCategory
->
read
)
||
(
$user
->
rights
->
$modulepart
->
$subPermCategory
->
download
)))
if
(
!
empty
(
$subPermCategory
)
&&
((
$
f
user
->
rights
->
$modulepart
->
$subPermCategory
->
lire
)
||
(
$
f
user
->
rights
->
$modulepart
->
$subPermCategory
->
read
)
||
(
$
f
user
->
rights
->
$modulepart
->
$subPermCategory
->
download
)))
{
{
$accessallowed
=
1
;
$accessallowed
=
1
;
}
}
...
...
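Review bot: The fallback `if (!is_object($fuser)) $fuser = $user;` added in the first hunk turns every malformed argument (the `''` default, `false` from a failed lookup, an unset variable) into an access check against the global session user, so a caller bug degrades silently to "whoever is logged in" instead of failing. The docblock declares `@param User $fuser` while the default is the string `''`; `$fuser = null` is the conventional way to express an optional object and makes the fallback visible to static analysis. I would document the fallback right above that line: `// No forced user given: decide with the session user. Webservice/CLI callers must pass their own authenticated User, otherwise the check runs against the web session.` Only the hunks shown were converted to `$fuser`; the stretches between them (for example the import-module branch between the export hunk and the backups hunk) are not visible here, so any `$user->rights` or `$user->id` left there would still evaluate the session user and is worth a grep before merging. dol_check_secure_access_document starts in the first hunk and its body ends outside the visible hunks.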
htdocs/webservices/server_other.php
+
1
−
1
...
@@ -221,7 +221,7 @@ function getDocument($authentication, $modulepart, $file)
...
@@ -221,7 +221,7 @@ function getDocument($authentication, $modulepart, $file)
$refname
=
basename
(
dirname
(
$original_file
)
.
"/"
);
$refname
=
basename
(
dirname
(
$original_file
)
.
"/"
);
// Security check
// Security check
$check_access
=
dol_check_secure_access_document
(
$modulepart
,
$original_file
,
$conf
->
entity
);
$check_access
=
dol_check_secure_access_document
(
$modulepart
,
$original_file
,
$conf
->
entity
,
$fuser
);
$accessallowed
=
$check_access
[
'accessallowed'
];
$accessallowed
=
$check_access
[
'accessallowed'
];
$sqlprotectagainstexternals
=
$check_access
[
'sqlprotectagainstexternals'
];
$sqlprotectagainstexternals
=
$check_access
[
'sqlprotectagainstexternals'
];
$original_file
=
$check_access
[
'original_file'
];
$original_file
=
$check_access
[
'original_file'
];
...
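Review bot: The call now forwards `$fuser`, but the hunk does not show where `$fuser` is assigned in getDocument, and the callee substitutes the global `$user` whenever it receives a non-object, so a path on which `$fuser` is unset or `false` would not fail but would decide document access with the web-session user. Since this is the webservice entry point, that is presumably the authenticated user produced by the authentication step earlier in the function — worth confirming there is no path that reaches this line without it. An explicit guard before the call, `if (!is_object($fuser)) /* return the function's usual error result */`, would make that failure loud rather than silent. getDocument's body continues outside the hunk on both sides.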
...