
FIX #hunterb812ea22-0c02-46fe-b89f-04519dfb1ebd

Laurent Destailleur
2022-02-22 21:24:34 +01:00
parent c63e2c2981
commit 209ab708d4
4 changed files with 115 additions and 15 deletions


@@ -2348,15 +2348,15 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
$accessallowed = ($user->admin && basename($original_file) == $original_file && preg_match('/^dolibarr.*\.log$/', basename($original_file)));
$original_file = $dolibarr_main_data_root.'/'.$original_file;
} elseif ($modulepart == 'doctemplates' && !empty($dolibarr_main_data_root)) {
// Wrapping for *.log files, like when used with url http://.../document.php?modulepart=logs&file=dolibarr.log
// Wrapping for doctemplates
$accessallowed = $user->admin;
$original_file = $dolibarr_main_data_root.'/doctemplates/'.$original_file;
} elseif ($modulepart == 'doctemplateswebsite' && !empty($dolibarr_main_data_root)) {
// Wrapping for *.zip files, like when used with url http://.../document.php?modulepart=packages&file=module_myfile.zip
// Wrapping for doctemplates of websites
$accessallowed = ($fuser->rights->website->write && preg_match('/\.jpg$/i', basename($original_file)));
$original_file = $dolibarr_main_data_root.'/doctemplates/websites/'.$original_file;
} elseif ($modulepart == 'packages' && !empty($dolibarr_main_data_root)) {
// Wrapping for *.zip files, like when used with url http://.../document.php?modulepart=packages&file=module_myfile.zip
// Wrapping for *.zip package files, like when used with url http://.../document.php?modulepart=packages&file=module_myfile.zip
// Dir for custom dirs
$tmp = explode(',', $dolibarr_main_document_root_alt);
$dirins = $tmp[0];
@@ -2369,11 +2369,17 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
$original_file = $conf->mycompany->dir_output.'/'.$original_file;
} elseif ($modulepart == 'userphoto' && !empty($conf->user->dir_output)) {
// Wrapping for users photos
$accessallowed = 1;
$accessallowed = 0;
if (preg_match('/^\d+\/photos\//', $original_file)) {
$accessallowed = 1;
}
$original_file = $conf->user->dir_output.'/'.$original_file;
} elseif ($modulepart == 'memberphoto' && !empty($conf->adherent->dir_output)) {
// Wrapping for members photos
$accessallowed = 1;
$accessallowed = 0;
if (preg_match('/^\d+\/photos\//', $original_file)) {
$accessallowed = 1;
}
$original_file = $conf->adherent->dir_output.'/'.$original_file;
} elseif ($modulepart == 'apercufacture' && !empty($conf->facture->multidir_output[$entity])) {
// Wrapping pour les apercu factures
@@ -2448,7 +2454,7 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
}
$original_file = $conf->expensereport->dir_output.'/'.$original_file;
} elseif (($modulepart == 'apercuexpensereport') && !empty($conf->expensereport->dir_output)) {
// Wrapping pour les apercu supplier invoice
// Wrapping pour les apercu expense report
if ($fuser->rights->expensereport->{$lire}) {
$accessallowed = 1;
}
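Review bot: The new guard in the `userphoto` and `memberphoto` branches anchors only the start of `$original_file`, so any value beginning with digits followed by `/photos/` is accepted whatever comes after it, including `..` segments. Unless the callers already normalise the path (not visible in these hunks), the condition should also reject parent-directory components, e.g. `if (preg_match('/^\d+\/photos\//', $original_file) && strpos($original_file, '..') === false) {`. The two branches are identical apart from the output directory, so a one-line comment such as `// Only files under <id>/photos/ may be served without a permission check` on each would keep them in sync. The body of `dol_check_secure_access_document` starts and ends outside the hunks shown.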