diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index 2607f4b2c58..337b0fdc460 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php @@ -1803,120 +1803,122 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu // find the subdirectory name as the reference if (empty($refname)) $refname=basename(dirname($original_file)."/"); + $relative_original_file = $original_file; + // Wrapping for some images - if ($modulepart == 'companylogo') + if ($modulepart == 'companylogo' && !empty($conf->mycompany->dir_output)) { $accessallowed=1; $original_file=$conf->mycompany->dir_output.'/logos/'.$original_file; } // Wrapping for users photos - elseif ($modulepart == 'userphoto') + elseif ($modulepart == 'userphoto' && !empty($conf->user->dir_output)) { $accessallowed=1; $original_file=$conf->user->dir_output.'/'.$original_file; } // Wrapping for members photos - elseif ($modulepart == 'memberphoto') + elseif ($modulepart == 'memberphoto' && !empty($conf->adherent->dir_output)) { $accessallowed=1; $original_file=$conf->adherent->dir_output.'/'.$original_file; } // Wrapping pour les apercu factures - elseif ($modulepart == 'apercufacture') + elseif ($modulepart == 'apercufacture' && !empty($conf->facture->dir_output)) { if ($fuser->rights->facture->lire) $accessallowed=1; $original_file=$conf->facture->dir_output.'/'.$original_file; } // Wrapping pour les apercu propal - elseif ($modulepart == 'apercupropal') + elseif ($modulepart == 'apercupropal' && !empty($conf->propal->dir_output)) { if ($fuser->rights->propale->lire) $accessallowed=1; $original_file=$conf->propal->dir_output.'/'.$original_file; } // Wrapping pour les apercu commande - elseif ($modulepart == 'apercucommande') + elseif ($modulepart == 'apercucommande' && !empty($conf->commande->dir_output)) { if ($fuser->rights->commande->lire) $accessallowed=1; $original_file=$conf->commande->dir_output.'/'.$original_file; } // Wrapping pour les apercu intervention - elseif ($modulepart == 'apercufichinter') + elseif ($modulepart == 'apercufichinter' && !empty($conf->ficheinter->dir_output)) { if ($fuser->rights->ficheinter->lire) $accessallowed=1; $original_file=$conf->ficheinter->dir_output.'/'.$original_file; } // Wrapping pour les images des stats propales - elseif ($modulepart == 'propalstats') + elseif ($modulepart == 'propalstats' && !empty($conf->propal->dir_temp)) { if ($fuser->rights->propale->lire) $accessallowed=1; $original_file=$conf->propal->dir_temp.'/'.$original_file; } // Wrapping pour les images des stats commandes - elseif ($modulepart == 'orderstats') + elseif ($modulepart == 'orderstats' && !empty($conf->commande->dir_temp)) { if ($fuser->rights->commande->lire) $accessallowed=1; $original_file=$conf->commande->dir_temp.'/'.$original_file; } - elseif ($modulepart == 'orderstatssupplier') + elseif ($modulepart == 'orderstatssupplier' && !empty($conf->fournisseur->dir_output)) { if ($fuser->rights->fournisseur->commande->lire) $accessallowed=1; $original_file=$conf->fournisseur->dir_output.'/commande/temp/'.$original_file; } // Wrapping pour les images des stats factures - elseif ($modulepart == 'billstats') + elseif ($modulepart == 'billstats' && !empty($conf->facture->dir_temp)) { if ($fuser->rights->facture->lire) $accessallowed=1; $original_file=$conf->facture->dir_temp.'/'.$original_file; } - elseif ($modulepart == 'billstatssupplier') + elseif ($modulepart == 'billstatssupplier' && !empty($conf->fournisseur->dir_output)) { if ($fuser->rights->fournisseur->facture->lire) $accessallowed=1; $original_file=$conf->fournisseur->dir_output.'/facture/temp/'.$original_file; } // Wrapping pour les images des stats expeditions - elseif ($modulepart == 'expeditionstats') + elseif ($modulepart == 'expeditionstats' && !empty($conf->expedition->dir_temp)) { if ($fuser->rights->expedition->lire) $accessallowed=1; $original_file=$conf->expedition->dir_temp.'/'.$original_file; } // Wrapping pour les images des stats expeditions - elseif ($modulepart == 'tripsexpensesstats') + elseif ($modulepart == 'tripsexpensesstats' && !empty($conf->deplacement->dir_temp)) { if ($fuser->rights->deplacement->lire) $accessallowed=1; $original_file=$conf->deplacement->dir_temp.'/'.$original_file; } // Wrapping pour les images des stats expeditions - elseif ($modulepart == 'memberstats') + elseif ($modulepart == 'memberstats' && !empty($conf->adherent->dir_temp)) { if ($fuser->rights->adherent->lire) $accessallowed=1; $original_file=$conf->adherent->dir_temp.'/'.$original_file; } // Wrapping pour les images des stats produits - elseif (preg_match('/^productstats_/i',$modulepart)) + elseif (preg_match('/^productstats_/i',$modulepart) && !empty($conf->product->dir_temp)) { if ($fuser->rights->produit->lire || $fuser->rights->service->lire) $accessallowed=1; $original_file=(!empty($conf->product->multidir_temp[$entity])?$conf->product->multidir_temp[$entity]:$conf->service->multidir_temp[$entity]).'/'.$original_file; } // Wrapping for products or services - elseif ($modulepart == 'tax') + elseif ($modulepart == 'tax' && !empty($conf->tax->dir_output)) { if ($fuser->rights->tax->charges->lire) $accessallowed=1; $original_file=$conf->tax->dir_output.'/'.$original_file; } // Wrapping for products or services - elseif ($modulepart == 'actions') + elseif ($modulepart == 'actions' && !empty($conf->agenda->dir_output)) { if ($fuser->rights->agenda->myactions->read) $accessallowed=1; $original_file=$conf->agenda->dir_output.'/'.$original_file; } // Wrapping for categories - elseif ($modulepart == 'category') + elseif ($modulepart == 'category' && !empty($conf->categorie->dir_output)) { if ($fuser->rights->categorie->lire) $accessallowed=1; $original_file=$conf->categorie->multidir_output[$entity].'/'.$original_file; } // Wrapping pour les prelevements - elseif ($modulepart == 'prelevement') + elseif ($modulepart == 'prelevement' && !empty($conf->prelevement->dir_output)) { if ($fuser->rights->prelevement->bons->lire || preg_match('/^specimen/i',$original_file)) { @@ -1925,19 +1927,19 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu $original_file=$conf->prelevement->dir_output.'/'.$original_file; } // Wrapping pour les graph energie - elseif ($modulepart == 'graph_stock') + elseif ($modulepart == 'graph_stock' && !empty($conf->stock->dir_temp)) { $accessallowed=1; $original_file=$conf->stock->dir_temp.'/'.$original_file; } // Wrapping pour les graph fournisseurs - elseif ($modulepart == 'graph_fourn') + elseif ($modulepart == 'graph_fourn' && !empty($conf->fournisseur->dir_temp)) { $accessallowed=1; $original_file=$conf->fournisseur->dir_temp.'/'.$original_file; } // Wrapping pour les graph des produits - elseif ($modulepart == 'graph_product') + elseif ($modulepart == 'graph_product' && !empty($conf->product->dir_temp)) { $accessallowed=1; $original_file=$conf->product->multidir_temp[$entity].'/'.$original_file; @@ -1946,32 +1948,31 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu elseif ($modulepart == 'barcode') { $accessallowed=1; - // If viewimage is called for barcode, we try to output an image on the fly, - // with not build of file on disk. + // If viewimage is called for barcode, we try to output an image on the fly, with no build of file on disk. //$original_file=$conf->barcode->dir_temp.'/'.$original_file; $original_file=''; } // Wrapping pour les icones de background des mailings - elseif ($modulepart == 'iconmailing') + elseif ($modulepart == 'iconmailing' && !empty($conf->mailing->dir_temp)) { $accessallowed=1; $original_file=$conf->mailing->dir_temp.'/'.$original_file; } - // Wrapping pour les icones de background des mailings - elseif ($modulepart == 'scanner_user_temp') + // Wrapping pour le scanner + elseif ($modulepart == 'scanner_user_temp' && !empty($conf->scanner->dir_temp)) { $accessallowed=1; $original_file=$conf->scanner->dir_temp.'/'.$fuser->id.'/'.$original_file; } // Wrapping pour les images fckeditor - elseif ($modulepart == 'fckeditor') + elseif ($modulepart == 'fckeditor' && !empty($conf->fckeditor->dir_output)) { $accessallowed=1; $original_file=$conf->fckeditor->dir_output.'/'.$original_file; } // Wrapping for third parties - else if ($modulepart == 'company' || $modulepart == 'societe') + else if (($modulepart == 'company' || $modulepart == 'societe') && !empty($conf->societe->dir_output)) { if ($fuser->rights->societe->lire || preg_match('/^specimen/i',$original_file)) { @@ -1982,7 +1983,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu } // Wrapping for contact - else if ($modulepart == 'contact') + else if ($modulepart == 'contact' && !empty($conf->societe->dir_output)) { if ($fuser->rights->societe->lire) { @@ -1992,7 +1993,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu } // Wrapping for invoices - else if ($modulepart == 'facture' || $modulepart == 'invoice') + else if (($modulepart == 'facture' || $modulepart == 'invoice') && !empty($conf->facture->dir_output)) { if ($fuser->rights->facture->lire || preg_match('/^specimen/i',$original_file)) { @@ -2001,7 +2002,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu $original_file=$conf->facture->dir_output.'/'.$original_file; $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."facture WHERE ref='".$db->escape($refname)."' AND entity=".$conf->entity; } - else if ($modulepart == 'massfilesarea_facture') + else if ($modulepart == 'massfilesarea_facture' && !empty($conf->facture->dir_output)) { if ($fuser->rights->facture->lire || preg_match('/^specimen/i',$original_file)) { @@ -2010,8 +2011,8 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu $original_file=$conf->facture->dir_output.'/temp/massgeneration/'.$user->id.'/'.$original_file; } - // Wrapping pour les fiches intervention - else if ($modulepart == 'ficheinter') + // Wrapping for interventions + else if (($modulepart == 'fichinter' || $modulepart == 'ficheinter') && !empty($conf->ficheinter->dir_output)) { if ($fuser->rights->ficheinter->lire || preg_match('/^specimen/i',$original_file)) { @@ -2022,7 +2023,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu } // Wrapping pour les deplacements et notes de frais - else if ($modulepart == 'deplacement') + else if ($modulepart == 'deplacement' && !empty($conf->deplacement->dir_output)) { if ($fuser->rights->deplacement->lire || preg_match('/^specimen/i',$original_file)) { @@ -2032,7 +2033,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu //$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."fichinter WHERE ref='".$db->escape($refname)."' AND entity=".$conf->entity; } // Wrapping pour les propales - else if ($modulepart == 'propal') + else if ($modulepart == 'propal' && !empty($conf->propal->dir_output)) { if ($fuser->rights->propale->lire || preg_match('/^specimen/i',$original_file)) { @@ -2044,7 +2045,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu } // Wrapping pour les commandes - else if ($modulepart == 'commande' || $modulepart == 'order') + else if (($modulepart == 'commande' || $modulepart == 'order') && !empty($conf->commande->dir_output)) { if ($fuser->rights->commande->lire || preg_match('/^specimen/i',$original_file)) { @@ -2055,7 +2056,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu } // Wrapping pour les projets - else if ($modulepart == 'project') + else if ($modulepart == 'project' && !empty($conf->projet->dir_output)) { if ($fuser->rights->projet->lire || preg_match('/^specimen/i',$original_file)) { @@ -2064,7 +2065,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu $original_file=$conf->projet->dir_output.'/'.$original_file; $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."projet WHERE ref='".$db->escape($refname)."' AND entity=".$conf->entity; } - else if ($modulepart == 'project_task') + else if ($modulepart == 'project_task' && !empty($conf->projet->dir_output)) { if ($fuser->rights->projet->lire || preg_match('/^specimen/i',$original_file)) { @@ -2073,19 +2074,9 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu $original_file=$conf->projet->dir_output.'/'.$original_file; $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."projet WHERE ref='".$db->escape($refname)."' AND entity=".$conf->entity; } - // Wrapping for interventions - else if ($modulepart == 'fichinter') - { - if ($fuser->rights->ficheinter->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->ficheinter->dir_output.'/'.$original_file; - $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."fichinter WHERE ref='".$db->escape($refname)."' AND entity=".$conf->entity; - } // Wrapping pour les commandes fournisseurs - else if ($modulepart == 'commande_fournisseur' || $modulepart == 'order_supplier') + else if (($modulepart == 'commande_fournisseur' || $modulepart == 'order_supplier') && !empty($conf->fournisseur->commande->dir_output)) { if ($fuser->rights->fournisseur->commande->lire || preg_match('/^specimen/i',$original_file)) { @@ -2096,7 +2087,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu } // Wrapping pour les factures fournisseurs - else if ($modulepart == 'facture_fournisseur' || $modulepart == 'invoice_supplier') + else if (($modulepart == 'facture_fournisseur' || $modulepart == 'invoice_supplier') && !empty($conf->fournisseur->facture->dir_output)) { if ($fuser->rights->fournisseur->facture->lire || preg_match('/^specimen/i',$original_file)) { @@ -2107,7 +2098,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu } // Wrapping pour les rapport de paiements - else if ($modulepart == 'facture_paiement') + else if ($modulepart == 'facture_paiement' && !empty($conf->facture->dir_output)) { if ($fuser->rights->facture->lire || preg_match('/^specimen/i',$original_file)) { @@ -2118,7 +2109,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu } // Wrapping for accounting exports - else if ($modulepart == 'export_compta') + else if ($modulepart == 'export_compta' && !empty($conf->accounting->dir_output)) { if ($fuser->rights->accounting->ventilation->dispatch || preg_match('/^specimen/i',$original_file)) { @@ -2128,7 +2119,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu } // Wrapping pour les expedition - else if ($modulepart == 'expedition') + else if ($modulepart == 'expedition' && !empty($conf->expedition->dir_output)) { if ($fuser->rights->expedition->lire || preg_match('/^specimen/i',$original_file)) { @@ -2138,7 +2129,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu } // Wrapping pour les bons de livraison - else if ($modulepart == 'livraison') + else if ($modulepart == 'livraison' && !empty($conf->livraison->dir_output)) { if ($fuser->rights->expedition->livraison->lire || preg_match('/^specimen/i',$original_file)) { @@ -2148,7 +2139,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu } // Wrapping pour les actions - else if ($modulepart == 'actions') + else if ($modulepart == 'actions' && !empty($conf->agenda->dir_output)) { if ($fuser->rights->agenda->myactions->read || preg_match('/^specimen/i',$original_file)) { @@ -2158,7 +2149,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu } // Wrapping pour les actions - else if ($modulepart == 'actionsreport') + else if ($modulepart == 'actionsreport' && !empty($conf->agenda->dir_temp)) { if ($fuser->rights->agenda->allactions->read || preg_match('/^specimen/i',$original_file)) { @@ -2179,7 +2170,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu } // Wrapping pour les contrats - else if ($modulepart == 'contract') + else if ($modulepart == 'contract' && !empty($conf->contrat->dir_output)) { if ($fuser->rights->contrat->lire || preg_match('/^specimen/i',$original_file)) { @@ -2189,7 +2180,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu } // Wrapping pour les dons - else if ($modulepart == 'donation') + else if ($modulepart == 'donation' && !empty($conf->donation->dir_output)) { if ($fuser->rights->don->lire || preg_match('/^specimen/i',$original_file)) { @@ -2199,7 +2190,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu } // Wrapping pour les remises de cheques - else if ($modulepart == 'remisecheque') + else if ($modulepart == 'remisecheque' && !empty($conf->banque->dir_output)) { if ($fuser->rights->banque->lire || preg_match('/^specimen/i',$original_file)) { @@ -2210,7 +2201,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu } // Wrapping for bank - else if ($modulepart == 'bank') + else if ($modulepart == 'bank' && !empty($conf->bank->dir_output)) { if ($fuser->rights->banque->lire) { @@ -2220,7 +2211,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu } // Wrapping for export module - else if ($modulepart == 'export') + else if ($modulepart == 'export' && !empty($conf->export->dir_temp)) { // Aucun test necessaire car on force le rep de download sur // le rep export qui est propre a l'utilisateur @@ -2229,21 +2220,21 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu } // Wrapping for import module - else if ($modulepart == 'import') + else if ($modulepart == 'import' && !empty($conf->import->dir_temp)) { $accessallowed=1; $original_file=$conf->import->dir_temp.'/'.$original_file; } // Wrapping pour l'editeur wysiwyg - else if ($modulepart == 'editor') + else if ($modulepart == 'editor' && !empty($conf->fckeditor->dir_output)) { $accessallowed=1; $original_file=$conf->fckeditor->dir_output.'/'.$original_file; } // Wrapping for miscellaneous medias files - elseif ($modulepart == 'medias') + elseif ($modulepart == 'medias' && !empty($dolibarr_main_data_root)) { $accessallowed=1; global $dolibarr_main_data_root; @@ -2251,25 +2242,21 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu } // Wrapping for backups - else if ($modulepart == 'systemtools') + else if ($modulepart == 'systemtools' && !empty($conf->admin->dir_output)) { - if ($fuser->admin) - { - $accessallowed=1; - } + if ($fuser->admin) $accessallowed=1; $original_file=$conf->admin->dir_output.'/'.$original_file; } // Wrapping for upload file test - else if ($modulepart == 'admin_temp') + else if ($modulepart == 'admin_temp' && !empty($conf->admin->dir_temp)) { - if ($fuser->admin) - $accessallowed=1; + if ($fuser->admin) $accessallowed=1; $original_file=$conf->admin->dir_temp.'/'.$original_file; } // Wrapping pour BitTorrent - else if ($modulepart == 'bittorrent') + else if ($modulepart == 'bittorrent' && !empty($conf->bittorrent->dir_output)) { $accessallowed=1; $dir='files'; @@ -2278,7 +2265,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu } // Wrapping pour Foundation module - else if ($modulepart == 'member') + else if ($modulepart == 'member' && !empty($conf->adherent->dir_output)) { if ($fuser->rights->adherent->lire || preg_match('/^specimen/i',$original_file)) { @@ -2288,7 +2275,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu } // Wrapping for Scanner - else if ($modulepart == 'scanner_user_temp') + else if ($modulepart == 'scanner_user_temp' && !empty($conf->scanner->dir_temp)) { $accessallowed=1; $original_file=$conf->scanner->dir_temp.'/'.$fuser->id.'/'.$original_file; @@ -2301,6 +2288,9 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu // If modulepart=module Allows any module to open a file if file is in directory called DOL_DATA_ROOT/modulepart else { + if (preg_match('/^specimen/i',$original_file)) $accessallowed=1; // If link to a file called specimen. Test must be done before changing $original_file int full path. + if ($fuser->admin) $accessallowed=1; // If user is admin + // Define $accessallowed if (preg_match('/^([a-z]+)_user_temp$/i',$modulepart,$reg)) { @@ -2353,8 +2343,6 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu $original_file=$conf->$modulepart->dir_output.'/'.$original_file; } } - if (preg_match('/^specimen/i',$original_file)) $accessallowed=1; // If link to a specimen - if ($fuser->admin) $accessallowed=1; // If user is admin // For modules who wants to manage different levels of permissions for documents $subPermCategoryConstName = strtoupper($modulepart).'_SUBPERMCATEGORY_FOR_DOCUMENTS';