diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index 4c3be3cc4d1..f9f6efea8d5 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php @@ -1642,9 +1642,11 @@ function dol_most_recent_file($dir,$regexfilter='',$excludefilter=array('(\.meta * @param string $entity Restrict onto entity * @param User $fuser User object (forced) * @param string $refname Ref of object to check permission for external users (autodetect if not provided) + * @param string $more Check permission for 'read' or 'write' * @return mixed Array with access information : 'accessallowed' & 'sqlprotectagainstexternals' & 'original_file' (as a full path name) + * @see restrictedArea */ -function dol_check_secure_access_document($modulepart,$original_file,$entity,$fuser='',$refname='') +function dol_check_secure_access_document($modulepart,$original_file,$entity,$fuser='',$refname='',$mode='read') { global $user, $conf, $db; global $dolibarr_main_data_root; @@ -2246,6 +2248,12 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu // If modulepart=module Allows any module to open a file if file is in directory called DOL_DATA_ROOT/modulepart else { + $lire='lire'; $read='read'; $download='download'; + if ($mode == 'write') + { + $lire='creer'; $read='write'; $download='upload'; + } + if (preg_match('/^specimen/i',$original_file)) $accessallowed=1; // If link to a file called specimen. Test must be done before changing $original_file int full path. if ($fuser->admin) $accessallowed=1; // If user is admin @@ -2257,7 +2265,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu dol_print_error('','Error call dol_check_secure_access_document with not supported value for modulepart parameter ('.$modulepart.')'); exit; } - if ($fuser->rights->{$reg[1]}->lire || $fuser->rights->{$reg[1]}->read || ($fuser->rights->{$reg[1]}->download)) $accessallowed=1; + if ($fuser->rights->{$reg[1]}->{$lire} || $fuser->rights->{$reg[1]}->{$read} || ($fuser->rights->{$reg[1]}->{$download})) $accessallowed=1; $original_file=$conf->{$reg[1]}->dir_temp.'/'.$fuser->id.'/'.$original_file; } else if (preg_match('/^([a-z]+)_temp$/i',$modulepart,$reg)) @@ -2267,7 +2275,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu dol_print_error('','Error call dol_check_secure_access_document with not supported value for modulepart parameter ('.$modulepart.')'); exit; } - if ($fuser->rights->{$reg[1]}->lire || $fuser->rights->{$reg[1]}->read || ($fuser->rights->{$reg[1]}->download)) $accessallowed=1; + if ($fuser->rights->{$reg[1]}->{$lire} || $fuser->rights->{$reg[1]}->{$read} || ($fuser->rights->{$reg[1]}->{$download})) $accessallowed=1; $original_file=$conf->{$reg[1]}->dir_temp.'/'.$original_file; } else if (preg_match('/^([a-z]+)_user$/i',$modulepart,$reg)) @@ -2277,7 +2285,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu dol_print_error('','Error call dol_check_secure_access_document with not supported value for modulepart parameter ('.$modulepart.')'); exit; } - if ($fuser->rights->{$reg[1]}->lire || $fuser->rights->{$reg[1]}->read || ($fuser->rights->{$reg[1]}->download)) $accessallowed=1; + if ($fuser->rights->{$reg[1]}->{$lire} || $fuser->rights->{$reg[1]}->{$read} || ($fuser->rights->{$reg[1]}->{$download})) $accessallowed=1; $original_file=$conf->{$reg[1]}->dir_output.'/'.$fuser->id.'/'.$original_file; } else @@ -2297,7 +2305,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu } else { - if ($fuser->rights->$modulepart->lire || $fuser->rights->$modulepart->read) $accessallowed=1; + if ($fuser->rights->$modulepart->{$lire} || $fuser->rights->$modulepart->{$read}) $accessallowed=1; $original_file=$conf->$modulepart->dir_output.'/'.$original_file; } } @@ -2307,7 +2315,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu if (! empty($conf->global->$subPermCategoryConstName)) { $subPermCategory = $conf->global->$subPermCategoryConstName; - if (! empty($subPermCategory) && (($fuser->rights->$modulepart->$subPermCategory->lire) || ($fuser->rights->$modulepart->$subPermCategory->read) || ($fuser->rights->$modulepart->$subPermCategory->download))) + if (! empty($subPermCategory) && (($fuser->rights->$modulepart->$subPermCategory->{$lire}) || ($fuser->rights->$modulepart->$subPermCategory->{$read}) || ($fuser->rights->$modulepart->$subPermCategory->{$download}))) { $accessallowed=1; } diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index ccc8a68a5d9..6993ad496ea 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php @@ -109,6 +109,7 @@ function dol_hash($chain,$type=0) * @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optional) * @param Canvas $objcanvas Object canvas * @return int Always 1, die process if not allowed + * @see dol_check_secure_access_document */ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid', $objcanvas=null) { diff --git a/test/phpunit/FilesLibTest.php b/test/phpunit/FilesLibTest.php index f9000006b46..ddfcb8ed217 100644 --- a/test/phpunit/FilesLibTest.php +++ b/test/phpunit/FilesLibTest.php @@ -418,4 +418,25 @@ class FilesLibTest extends PHPUnit_Framework_TestCase $this->assertEquals(1,count($founddirs)); } + + /** + * testDolCheckSecureAccessDocument + * + * @return void + */ + public function testDolCheckSecureAccessDocument() + { + global $conf,$user,$langs,$db; + $conf=$this->savconf; + $user=$this->savuser; + $langs=$this->savlangs; + $db=$this->savdb; + + //$dummyuser=new User($db); + //$result=restrictedArea($dummyuser,'societe'); + + //$result=dol_check_secure_access_document($user,'societe'); + //$this->assertEquals(1,$result); + } + }