diff --git a/htdocs/accountancy/journal/variousjournal.php b/htdocs/accountancy/journal/variousjournal.php
index d737925f2c3..9c944aa7470 100644
--- a/htdocs/accountancy/journal/variousjournal.php
+++ b/htdocs/accountancy/journal/variousjournal.php
@@ -51,7 +51,7 @@ if ($result > 0) {
} elseif ($result < 0) {
dol_print_error('', $object->error, $object->errors);
} elseif ($result == 0) {
- accessforbidden($langs->trans('ErrorRecordNotFound'));
+ accessforbidden('ErrorRecordNotFound');
}
$hookmanager->initHooks(array('globaljournal', $object->nature.'journal'));
diff --git a/htdocs/admin/clicktodial.php b/htdocs/admin/clicktodial.php
index 8b8f2c6c921..72b7be134bb 100644
--- a/htdocs/admin/clicktodial.php
+++ b/htdocs/admin/clicktodial.php
@@ -35,8 +35,8 @@ if (!$user->admin) {
$action = GETPOST('action', 'aZ09');
-if (!in_array('clicktodial', $conf->modules)) {
- accessforbidden($langs->trans("WarningModuleNotActive", $langs->transnoentitiesnoconv("Module58Name")));
+if (!isModEnabled('clicktodial')) {
+ accessforbidden($langs->transnoentitiesnoconv("WarningModuleNotActive", $langs->transnoentitiesnoconv("Module58Name")));
}
diff --git a/htdocs/api/index.php b/htdocs/api/index.php
index 8543e284533..4c0d36fdcfe 100644
--- a/htdocs/api/index.php
+++ b/htdocs/api/index.php
@@ -76,6 +76,8 @@ if (preg_match('/\/api\/index\.php/', $_SERVER["PHP_SELF"])) {
header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE');
header('Access-Control-Allow-Headers: Content-Type, Authorization, api_key, DOLAPIKEY');
}
+header('X-Frame-Options: SAMEORIGIN');
+
$res = 0;
if (!$res && file_exists("../main.inc.php")) {
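Review bot: The new unconditional `header('X-Frame-Options: SAMEORIGIN');` is emitted before main.inc.php is loaded, so unlike the website.inc.php hunks in this same commit it cannot be governed by configuration, and the companion `X-Content-Type-Options: nosniff` those hunks add is absent here. For an endpoint that returns JSON to browser callers, nosniff is the more relevant of the two; suggest `header('X-Content-Type-Options: nosniff');` next to it. Whether a later `top_httphead()` call re-sends or overrides these headers is not visible in this hunk.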
diff --git a/htdocs/categories/viewcat.php b/htdocs/categories/viewcat.php
index 0e5da0735ce..97c6d118842 100644
--- a/htdocs/categories/viewcat.php
+++ b/htdocs/categories/viewcat.php
@@ -563,7 +563,7 @@ if ($type == Categorie::TYPE_PRODUCT) {
}
} else {
print_barre_liste($langs->trans("ProductsAndServices"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'products');
- accessforbidden($langs->trans("NotEnoughPermissions"), 0, 0);
+ accessforbidden("NotEnoughPermissions", 0, 0);
}
}
@@ -643,7 +643,7 @@ if ($type == Categorie::TYPE_CUSTOMER) {
}
} else {
print_barre_liste($langs->trans("Customers"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'companies');
- accessforbidden($langs->trans("NotEnoughPermissions"), 0, 0);
+ accessforbidden("NotEnoughPermissions", 0, 0);
}
}
@@ -724,7 +724,7 @@ if ($type == Categorie::TYPE_SUPPLIER) {
}
} else {
print_barre_liste($langs->trans("Suppliers"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'companies');
- accessforbidden($langs->trans("NotEnoughPermissions"), 0, 0);
+ accessforbidden("NotEnoughPermissions", 0, 0);
}
}
@@ -808,7 +808,7 @@ if ($type == Categorie::TYPE_MEMBER) {
}
} else {
print_barre_liste($langs->trans("Member"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'members');
- accessforbidden($langs->trans("NotEnoughPermissions"), 0, 0);
+ accessforbidden("NotEnoughPermissions", 0, 0);
}
}
@@ -895,7 +895,7 @@ if ($type == Categorie::TYPE_CONTACT) {
}
} else {
print_barre_liste($langs->trans("Contact"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'contact');
- accessforbidden($langs->trans("NotEnoughPermissions"), 0, 0);
+ accessforbidden("NotEnoughPermissions", 0, 0);
}
}
@@ -977,7 +977,7 @@ if ($type == Categorie::TYPE_ACCOUNT) {
}
} else {
print_barre_liste($langs->trans("Banque"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'bank');
- accessforbidden($langs->trans("NotEnoughPermissions"), 0, 0);
+ accessforbidden("NotEnoughPermissions", 0, 0);
}
}
@@ -1060,7 +1060,7 @@ if ($type == Categorie::TYPE_PROJECT) {
}
} else {
print_barre_liste($langs->trans("Project"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'project');
- accessforbidden($langs->trans("NotEnoughPermissions"), 0, 0);
+ accessforbidden("NotEnoughPermissions", 0, 0);
}
}
@@ -1137,7 +1137,7 @@ if ($type == Categorie::TYPE_USER) {
}
} else {
print_barre_liste($langs->trans("Users"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'user');
- accessforbidden($langs->trans("NotEnoughPermissions"), 0, 0);
+ accessforbidden("NotEnoughPermissions", 0, 0);
}
}
@@ -1201,7 +1201,7 @@ if ($type == Categorie::TYPE_WAREHOUSE) {
}
} else {
print_barre_liste($langs->trans("Warehouse"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'stock');
- accessforbidden($langs->trans("NotEnoughPermissions"), 0, 0);
+ accessforbidden("NotEnoughPermissions", 0, 0);
}
}
@@ -1280,7 +1280,7 @@ if ($type == Categorie::TYPE_TICKET) {
}
} else {
print_barre_liste($langs->trans("Ticket"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'ticket');
- accessforbidden($langs->trans("NotEnoughPermissions"), 0, 0);
+ accessforbidden("NotEnoughPermissions", 0, 0);
}
}
diff --git a/htdocs/comm/action/list.php b/htdocs/comm/action/list.php
index b42bf003333..767c91b8abd 100644
--- a/htdocs/comm/action/list.php
+++ b/htdocs/comm/action/list.php
@@ -27,10 +27,6 @@
* \brief Page to list actions
*/
-if (!defined("NOREDIRECTBYMAINTOLOGIN")) {
- define('NOREDIRECTBYMAINTOLOGIN', 1);
-}
-
require '../../main.inc.php';
require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php';
require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php';
diff --git a/htdocs/core/ajax/objectonoff.php b/htdocs/core/ajax/objectonoff.php
index ffd05c4747e..5042dadb9b3 100644
--- a/htdocs/core/ajax/objectonoff.php
+++ b/htdocs/core/ajax/objectonoff.php
@@ -1,5 +1,6 @@
+ *
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
@@ -65,13 +66,15 @@ if (!empty($user->socid)) {
$socid = $user->socid;
}
+//$user->rights->societe->lire = 0;$user->rights->fournisseur->lire = 0;
+//restrictedArea($user, 'societe', $id);
+
if (in_array($field, array('status'))) {
restrictedArea($user, $element, $id);
} elseif ($element == 'product' && in_array($field, array('tosell', 'tobuy', 'tobatch'))) { // Special case for products
restrictedArea($user, 'produit|service', $id, 'product&product', '', '', 'rowid');
} else {
- accessforbidden("Bad value for combination of parameters element/field.", 0, 0, 1);
- exit;
+ httponly_accessforbidden("Bad value for combination of parameters element/field.");
}
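Review bot: The two commented-out lines added directly above the permission check (`//$user->rights->societe->lire = 0;...` and `//restrictedArea($user, 'societe', $id);`) read as leftover debugging and should be dropped rather than committed beside a security check. Separately, the new `httponly_accessforbidden(...)` call falls back to 403 for what the message itself calls a bad parameter combination, while document.php in this commit answers the equivalent case with 400; `httponly_accessforbidden("Bad value for combination of parameters element/field.", 400);` would keep the two consistent.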
diff --git a/htdocs/core/ajax/selectsearchbox.php b/htdocs/core/ajax/selectsearchbox.php
index b643351dc73..19f7523fd21 100644
--- a/htdocs/core/ajax/selectsearchbox.php
+++ b/htdocs/core/ajax/selectsearchbox.php
@@ -40,6 +40,7 @@ if (!isset($usedbyinclude) || empty($usedbyinclude)) {
define('NOREQUIREAJAX', '1');
}
if (!defined('NOREDIRECTBYMAINTOLOGIN')) {
+ // Disable redirect to main login because the selectsearch must not ask a login
define('NOREDIRECTBYMAINTOLOGIN', '1');
}
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 7391785312f..a18e3a761a9 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -4955,8 +4955,9 @@ function dol_print_error($db = '', $error = '', $errors = null)
$out .= "
\n";
}
- // Return a http error code if possible
+ // Return a http header with error code if possible
if (!headers_sent()) {
+ top_httphead();
http_response_code(500);
}
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 1efcbaacf78..ce6f9b38320 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -329,11 +329,11 @@ function dolGetLdapPasswordHash($password, $type = 'md5')
* @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
* @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optional)
* @param int $isdraft 1=The object with id=$objectid is a draft
- * @param int $mode Mode (0=default, 1=return with not die)
+ * @param int $mode Mode (0=default, 1=return without dieing)
* @return int If mode = 0 (default): Always 1, die process if not allowed. If mode = 1: Return 0 if access not allowed.
* @see dol_check_secure_access_document(), checkUserAccessToObject()
*/
-function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid', $isdraft = 0, $mode = 0)
+function restrictedArea(User $user, $features, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid', $isdraft = 0, $mode = 0)
{
global $db, $conf;
global $hookmanager;
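Review bot: The new `User $user` type declaration makes a call that passes anything but a User (for example an unset `$user` in a page that defined NOLOGIN) fail with a TypeError instead of running the checks; that is fail-closed and fine, but worth stating on the `@param` line for `$user`, which lies outside this hunk. The rewritten mode comment should read `Mode (0=default, 1=return without dying)`. The function body continues past the end of the hunk.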
@@ -1022,24 +1022,29 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
* This includes only HTTP header.
* Calling this function terminate execution of PHP.
*
- * @param string $message Force error message
- * @param int $http_response_code HTTP response code
+ * @param string $message Force error message
+ * @param int $http_response_code HTTP response code
+ * @param int $stringalreadysanitized 1 if string is already sanitized with HTML entities
* @return void
* @see accessforbidden()
*/
-function httponly_accessforbidden($message = 1, $http_response_code = 403)
+function httponly_accessforbidden($message = 1, $http_response_code = 403, $stringalreadysanitized = 0)
{
- top_httphead('text/html');
+ top_httphead();
http_response_code($http_response_code);
- print htmlentities($message);
+ if ($stringalreadysanitized) {
+ print $message;
+ } else {
+ print htmlentities($message);
+ }
exit(1);
}
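Review bot: With `$stringalreadysanitized` set, httponly_accessforbidden prints `$message` verbatim, so the function becomes an HTML sink whose safety rests entirely on the caller; the callers in this commit pass `$langs->trans()` output, but the docblock should make that contract explicit, e.g. `@param int $stringalreadysanitized 1 if string is already sanitized with HTML entities (caller is responsible; the message is printed unescaped)`. The description above still says "This includes only HTTP header", which no longer holds once raw HTML can be emitted. The content type now comes from the default of `top_httphead()` rather than the explicit 'text/html'; that is fine only if the default is still HTML, which this hunk does not show.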
/**
* Show a message to say access is forbidden and stop program.
- * This includes HTTP and HTML header and footer.
+ * This includes HTTP and HTML header and footer (except if $printheader and $printfooter is 0, use this case inside an already started page).
* Calling this function terminate execution of PHP.
*
* @param string $message Force error message
@@ -1070,7 +1075,7 @@ function accessforbidden($message = '', $printheader = 1, $printfooter = 1, $sho
}
}
print '
';
- if (!$message) {
+ if (empty($message)) {
print $langs->trans("ErrorForbidden");
} else {
print $langs->trans($message);
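Review bot: accessforbidden now receives either a translation key ('NotEnoughPermissions', 'ErrorLoginDisabled') or free text ('Module ModuleBuilder not enabled') from the call sites changed in this commit, and both go through `$langs->trans($message)`; the `@param string $message` docblock line (outside this hunk) should say the value is treated as a translation key that falls back to the literal text, so callers stop pre-translating. The `empty($message)` check also treats the string '0' as no message, which matches the previous `!$message` behaviour and is harmless here.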
diff --git a/htdocs/core/tpl/login.tpl.php b/htdocs/core/tpl/login.tpl.php
index b07bb66b46c..f179ea9ed36 100644
--- a/htdocs/core/tpl/login.tpl.php
+++ b/htdocs/core/tpl/login.tpl.php
@@ -33,10 +33,8 @@ if (empty($conf) || !is_object($conf)) {
// DDOS protection
$size = (empty($_SERVER['CONTENT_LENGTH']) ? 0 : (int) $_SERVER['CONTENT_LENGTH']);
if ($size > 10000) {
- http_response_code(413);
$langs->loadLangs(array("errors", "install"));
- accessforbidden('
'.$langs->trans("ErrorRequestTooLarge").'.
'.$langs->trans("ClickHereToGoToApp").'', 0, 0, 1);
- exit;
+ httponly_accessforbidden('
'.$langs->trans("ErrorRequestTooLarge").'.
'.$langs->trans("ClickHereToGoToApp").'', 413, 1);
}
require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
diff --git a/htdocs/core/tpl/passwordforgotten.tpl.php b/htdocs/core/tpl/passwordforgotten.tpl.php
index 6d52cfff267..9aaba5745bb 100644
--- a/htdocs/core/tpl/passwordforgotten.tpl.php
+++ b/htdocs/core/tpl/passwordforgotten.tpl.php
@@ -30,10 +30,8 @@ if (empty($conf) || !is_object($conf)) {
// DDOS protection
$size = (int) $_SERVER['CONTENT_LENGTH'];
if ($size > 10000) {
- http_response_code(413);
$langs->loadLangs(array("errors", "install"));
- accessforbidden('
'.$langs->trans("ErrorRequestTooLarge").'
'.$langs->trans("ClickHereToGoToApp").'', 0, 0, 1);
- exit;
+ httponly_accessforbidden('
'.$langs->trans("ErrorRequestTooLarge").'
'.$langs->trans("ClickHereToGoToApp").'', 413, 1);
}
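Review bot: The context line `$size = (int) $_SERVER['CONTENT_LENGTH'];` above the new call still reads the key without the `empty()` guard that login.tpl.php uses in this same commit, so a GET with no Content-Length raises an undefined-index notice before the size check runs; `$size = (empty($_SERVER['CONTENT_LENGTH']) ? 0 : (int) $_SERVER['CONTENT_LENGTH']);` keeps the two templates identical. The message passed with the already-sanitized flag wraps two `$langs->trans()` results in markup, so it relies on trans() output being entity-encoded, which is not visible here.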
require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
diff --git a/htdocs/core/website.inc.php b/htdocs/core/website.inc.php
index 3bbfe225bee..2bdc9080b78 100644
--- a/htdocs/core/website.inc.php
+++ b/htdocs/core/website.inc.php
@@ -75,6 +75,18 @@ if ($pageid > 0) {
if (!defined('USEDOLIBARREDITOR') && (in_array($websitepage->type_container, array('menu', 'other')) || empty($websitepage->status) && !defined('USEDOLIBARRSERVER'))) {
$weblangs->load("website");
+
+ // Security options
+
+ // X-Content-Type-Options
+ header("X-Content-Type-Options: nosniff");
+
+ // X-Frame-Options
+ if (empty($websitepage->allowed_in_frames) && empty($conf->global->WEBSITE_ALLOW_FRAMES_ON_ALL_PAGES)) {
+ header("X-Frame-Options: SAMEORIGIN");
+ }
+
+ //httponly_accessforbidden('
'.$weblangs->trans("YouTryToAccessToAFileThatIsNotAWebsitePage", $websitepage->pageurl, $websitepage->type_container, $websitepage->status).'', 404, 1);
http_response_code(404);
print '
'.$weblangs->trans("YouTryToAccessToAFileThatIsNotAWebsitePage", $websitepage->pageurl, $websitepage->type_container, $websitepage->status).'';
exit;
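Review bot: The commented-out `//httponly_accessforbidden(...)` line added just before the 404 response is dead code and should be removed; the same leftover appears in the second hunk of this file before the 503. The security-header block (nosniff plus the conditional X-Frame-Options) is also copied verbatim into that second hunk, so a single snippet executed before both branches, or a small local helper, would keep the two from drifting. The 404 text interpolates `$websitepage->pageurl` and other page fields through `$weblangs->trans()`; whether trans() escapes its parameters cannot be told from this hunk and should be confirmed, since the string is emitted as the response body.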
@@ -198,9 +210,21 @@ if ($_SERVER['PHP_SELF'] != DOL_URL_ROOT.'/website/index.php') { // If we browsi
}
}
-// Show off line message
+// Show off line message when all website is off
if (!defined('USEDOLIBARREDITOR') && empty($website->status)) {
+ // Security options
+
+ // X-Content-Type-Options
+ header("X-Content-Type-Options: nosniff");
+
+ // X-Frame-Options
+ if (empty($websitepage->allowed_in_frames) && empty($conf->global->WEBSITE_ALLOW_FRAMES_ON_ALL_PAGES)) {
+ header("X-Frame-Options: SAMEORIGIN");
+ }
+
$weblangs->load("website");
+
+ //httponly_accessforbidden('
'.$weblangs->trans("SorryWebsiteIsCurrentlyOffLine").'', 503, 1);
http_response_code(503);
print '
'.$weblangs->trans("SorryWebsiteIsCurrentlyOffLine").'';
exit;
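Review bot: In the website-off branch the new X-Frame-Options condition reads `$websitepage->allowed_in_frames`, but the branch is guarded only by `empty($website->status)`, so whether `$websitepage` has been fetched at this point cannot be told from the hunk; if it has not, `empty()` silently yields true and the header is always sent, which is the safe direction but makes the per-page flag meaningless here. Consider keying this check on the site-wide `WEBSITE_ALLOW_FRAMES_ON_ALL_PAGES` option alone, or adding a comment explaining why a single page's flag governs the whole-site offline message.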
diff --git a/htdocs/document.php b/htdocs/document.php
index 65e5cce7e5f..4f6652fafda 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -104,10 +104,10 @@ $entity = GETPOST('entity', 'int') ?GETPOST('entity', 'int') : $conf->entity;
// Security check
if (empty($modulepart) && empty($hashp)) {
- accessforbidden('Bad link. Bad value for parameter modulepart', 0, 0, 1);
+ httponly_accessforbidden('Bad link. Bad value for parameter modulepart', 400);
}
if (empty($original_file) && empty($hashp)) {
- accessforbidden('Bad link. Missing identification to find file (original_file or hashp)', 0, 0, 1);
+ httponly_accessforbidden('Bad link. Missing identification to find file (original_file or hashp)', 400);
}
if ($modulepart == 'fckeditor') {
$modulepart = 'medias'; // For backward compatibility
@@ -158,7 +158,7 @@ if (!empty($hashp)) {
$original_file = (($tmp[1] ? $tmp[1].'/' : '').$ecmfile->filename); // this is relative to module dir
//var_dump($original_file); exit;
} else {
- accessforbidden('Bad link. File is from another module part.', 0, 0, 1);
+ httponly_accessforbidden('Bad link. File is from another module part.', 403);
}
} else {
$modulepart = $moduleparttocheck;
@@ -171,7 +171,7 @@ if (!empty($hashp)) {
}
} else {
$langs->load("errors");
- accessforbidden($langs->trans("ErrorFileNotFoundWithSharedLink"), 0, 0, 1);
+ httponly_accessforbidden($langs->trans("ErrorFileNotFoundWithSharedLink"), 403, 1);
}
}
diff --git a/htdocs/eventorganization/conferenceorboothattendee_note.php b/htdocs/eventorganization/conferenceorboothattendee_note.php
index b6e343e4496..adc4a1683b8 100644
--- a/htdocs/eventorganization/conferenceorboothattendee_note.php
+++ b/htdocs/eventorganization/conferenceorboothattendee_note.php
@@ -38,7 +38,6 @@
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
-//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN', 1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
diff --git a/htdocs/hrm/position.php b/htdocs/hrm/position.php
index 2659321e5fc..24ce9ec3b51 100644
--- a/htdocs/hrm/position.php
+++ b/htdocs/hrm/position.php
@@ -41,7 +41,6 @@
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
-//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN', 1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
diff --git a/htdocs/hrm/skill_tab.php b/htdocs/hrm/skill_tab.php
index c48a7c405c6..393e20ba3c4 100644
--- a/htdocs/hrm/skill_tab.php
+++ b/htdocs/hrm/skill_tab.php
@@ -64,7 +64,9 @@ if (in_array($objecttype, $TAuthorizedObjects)) {
} elseif ($objecttype == "user") {
$object = new User($db);
}
-} else accessforbidden($langs->trans('ErrorBadObjectType'));
+} else {
+ accessforbidden('ErrorBadObjectType');
+}
$hookmanager->initHooks(array('skilltab', 'globalcard')); // Note that conf->hooks_modules contains array
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 06ff00e474f..6d89923f20e 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -547,12 +547,12 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
) {
// If token is not provided or empty, error (we are in case it is mandatory)
if (!GETPOST('token', 'alpha') || GETPOST('token', 'alpha') == 'notrequired') {
+ top_httphead();
if (GETPOST('uploadform', 'int')) {
dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"]) ? '' : $_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused. File size too large or not provided.");
$langs->loadLangs(array("errors", "install"));
print $langs->trans("ErrorFileSizeTooLarge").' ';
print $langs->trans("ErrorGoBackAndCorrectParameters");
- die;
} else {
http_response_code(403);
if (defined('CSRFCHECK_WITH_TOKEN')) {
@@ -567,8 +567,8 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
}
print " into setup).\n";
}
- die;
}
+ die;
}
}
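Review bot: After the restructuring the `uploadform` branch still sends no error status: `top_httphead()` is now called first, the size error text is printed, and the shared `die` follows, so a refused upload is answered with HTTP 200 while the other branch gets 403. Since the log line says the file was too large or not provided, `http_response_code(413);` at the start of that branch would match the status login.tpl.php now uses for the same condition. The enclosing `if` starts before the hunk.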
@@ -851,12 +851,16 @@ if (!defined('NOLOGIN')) {
// No data to test login, so we show the login page.
dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"]) ? '' : $_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." - action=".GETPOST('action', 'aZ09')." - actionlogin=".GETPOST('actionlogin', 'aZ09')." - showing the login form and exit", LOG_INFO);
if (defined('NOREDIRECTBYMAINTOLOGIN')) {
+ // When used with NOREDIRECTBYMAINTOLOGIN set, the http header must already be set when including the main.
+ // See example with selectsearchbox.php. This case is reserverd for the selectesearchbox.php so we can
+ // report a message to ask to login when search ajax component is used after a timeout.
+ //top_httphead();
return 'ERROR_NOT_LOGGED';
} else {
if ($_SERVER["HTTP_USER_AGENT"] == 'securitytest') {
http_response_code(401); // It makes easier to understand if session was broken during security tests
}
- dol_loginfunction($langs, $conf, (!empty($mysoc) ? $mysoc : ''));
+ dol_loginfunction($langs, $conf, (!empty($mysoc) ? $mysoc : '')); // This include http headers
}
exit;
}
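Review bot: The new comment explains when NOREDIRECTBYMAINTOLOGIN is used but not the consequence that matters to callers: `return 'ERROR_NOT_LOGGED'` hands control back to the including script, which keeps executing with no authenticated `$user` unless it checks the return value of `require`, and comm/action/list.php (fixed in this commit by dropping the define) did not. Suggest adding `// The including script MUST check the return value of require and stop; otherwise it continues without an authenticated user.` and removing the commented-out `//top_httphead();`. The added text also has typos ("reserverd", "selectesearchbox").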
@@ -1242,8 +1246,7 @@ if (!defined('NOLOGIN')) {
// If not active, we refuse the user
$langs->loadLangs(array("errors", "other"));
dol_syslog("Authentication KO as login is disabled", LOG_NOTICE);
- accessforbidden($langs->trans("ErrorLoginDisabled"));
- exit;
+ accessforbidden("ErrorLoginDisabled");
}
// Load permissions
diff --git a/htdocs/modulebuilder/index.php b/htdocs/modulebuilder/index.php
index 7e086887a37..688f8235174 100644
--- a/htdocs/modulebuilder/index.php
+++ b/htdocs/modulebuilder/index.php
@@ -81,10 +81,10 @@ $idmodule= GETPOST('idmodule', 'alpha');
// Security check
if (!isModEnabled('modulebuilder')) {
- accessforbidden();
+ accessforbidden('Module ModuleBuilder not enabled');
}
if (!$user->admin && empty($conf->global->MODULEBUILDER_FOREVERYONE)) {
- accessforbidden($langs->trans('ModuleBuilderNotAllowed'));
+ accessforbidden('ModuleBuilderNotAllowed');
}
diff --git a/htdocs/modulebuilder/template/core/modules/mailings/mailinglist_mymodule_myobject.modules.php b/htdocs/modulebuilder/template/core/modules/mailings/mailinglist_mymodule_myobject.modules.php
index 290048785fd..280f62dc2c1 100644
--- a/htdocs/modulebuilder/template/core/modules/mailings/mailinglist_mymodule_myobject.modules.php
+++ b/htdocs/modulebuilder/template/core/modules/mailings/mailinglist_mymodule_myobject.modules.php
@@ -46,12 +46,8 @@ class mailing_mailinglist_mymodule_myobject extends MailingTargets
*/
public function __construct($db)
{
- global $conf;
-
$this->db = $db;
- if (is_array($conf->modules)) {
- $this->enabled = in_array('mymodule', $conf->modules) ? 1 : 0;
- }
+ $this->enabled = isModEnabled('mymodule');
}
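Review bot: `$this->enabled = isModEnabled('mymodule');` stores a bool where the replaced code stored 1/0 and only assigned when `$conf->modules` was an array, so any consumer comparing `enabled` with `=== 1` or rendering it as a number now sees a different value. If the property is declared or documented as int in MailingTargets (not visible here), `$this->enabled = isModEnabled('mymodule') ? 1 : 0;` preserves the old shape while keeping the new check.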
diff --git a/htdocs/modulebuilder/template/myobject_agenda.php b/htdocs/modulebuilder/template/myobject_agenda.php
index 6cc99f4f34d..0a397dceaa6 100644
--- a/htdocs/modulebuilder/template/myobject_agenda.php
+++ b/htdocs/modulebuilder/template/myobject_agenda.php
@@ -38,7 +38,6 @@
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
-//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN', 1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
//if (! defined("MAIN_SECURITY_FORCECSP")) define('MAIN_SECURITY_FORCECSP', 'none'); // Disable all Content Security Policies
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
diff --git a/htdocs/modulebuilder/template/myobject_card.php b/htdocs/modulebuilder/template/myobject_card.php
index 7ecce8c745f..aa2680ea568 100644
--- a/htdocs/modulebuilder/template/myobject_card.php
+++ b/htdocs/modulebuilder/template/myobject_card.php
@@ -38,7 +38,6 @@
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
-//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN', 1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
//if (! defined("MAIN_SECURITY_FORCECSP")) define('MAIN_SECURITY_FORCECSP', 'none'); // Disable all Content Security Policies
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
@@ -248,8 +247,7 @@ llxHeader('', $title, $help_url);
// Part to create
if ($action == 'create') {
if (empty($permissiontoadd)) {
- accessforbidden($langs->trans('NotEnoughPermissions'), 0, 1);
- exit;
+ accessforbidden('NotEnoughPermissions', 0, 1);
}
print load_fiche_titre($langs->trans("NewObject", $langs->transnoentitiesnoconv("MyObject")), '', 'object_'.$object->picto);
diff --git a/htdocs/modulebuilder/template/myobject_document.php b/htdocs/modulebuilder/template/myobject_document.php
index d06eb61ba0e..4a4b68391bc 100644
--- a/htdocs/modulebuilder/template/myobject_document.php
+++ b/htdocs/modulebuilder/template/myobject_document.php
@@ -38,7 +38,6 @@
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
-//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN', 1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
//if (! defined("MAIN_SECURITY_FORCECSP")) define('MAIN_SECURITY_FORCECSP', 'none'); // Disable all Content Security Policies
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
@@ -143,7 +142,13 @@ if ($enablepermissioncheck) {
if (!isModEnabled("mymodule")) {
accessforbidden();
}
-if (!$permissiontoread) accessforbidden();
+if (!$permissiontoread) {
+ accessforbidden();
+}
+if (empty($object->id)) {
+ accessforbidden();
+}
+
/*
@@ -164,100 +169,94 @@ $help_url = '';
//$help_url='EN:Module_Third_Parties|FR:Module_Tiers|ES:Empresas';
llxHeader('', $title, $help_url);
-if ($object->id) {
- /*
- * Show tabs
- */
- $head = myobjectPrepareHead($object);
+// Show tabs
+$head = myobjectPrepareHead($object);
- print dol_get_fiche_head($head, 'document', $langs->trans("MyObject"), -1, $object->picto);
+print dol_get_fiche_head($head, 'document', $langs->trans("MyObject"), -1, $object->picto);
- // Build file list
- $filearray = dol_dir_list($upload_dir, "files", 0, '', '(\.meta|_preview.*\.png)$', $sortfield, (strtolower($sortorder) == 'desc' ?SORT_DESC:SORT_ASC), 1);
- $totalsize = 0;
- foreach ($filearray as $key => $file) {
- $totalsize += $file['size'];
- }
-
- // Object card
- // ------------------------------------------------------------
- $linkback = '
'.$langs->trans("BackToList").'';
-
- $morehtmlref = '
';
- /*
- // Ref customer
- $morehtmlref.=$form->editfieldkey("RefCustomer", 'ref_client', $object->ref_client, $object, 0, 'string', '', 0, 1);
- $morehtmlref.=$form->editfieldval("RefCustomer", 'ref_client', $object->ref_client, $object, 0, 'string', '', null, null, '', 1);
- // Thirdparty
- $morehtmlref.='
'.$langs->trans('ThirdParty') . ' : ' . (is_object($object->thirdparty) ? $object->thirdparty->getNomUrl(1) : '');
- // Project
- if (!empty($conf->project->enabled))
- {
- $langs->load("projects");
- $morehtmlref.='
'.$langs->trans('Project') . ' ';
- if ($permissiontoadd)
- {
- if ($action != 'classify')
- //$morehtmlref.='
' . img_edit($langs->transnoentitiesnoconv('SetProject')) . ' : ';
- $morehtmlref.=' : ';
- if ($action == 'classify') {
- //$morehtmlref.=$form->form_project($_SERVER['PHP_SELF'] . '?id=' . $object->id, $object->socid, $object->fk_project, 'projectid', 0, 0, 1, 1);
- $morehtmlref.='
';
- } else {
- $morehtmlref.=$form->form_project($_SERVER['PHP_SELF'] . '?id=' . $object->id, $object->socid, $object->fk_project, 'none', 0, 0, 0, 1);
- }
- } else {
- if (!empty($object->fk_project)) {
- $proj = new Project($db);
- $proj->fetch($object->fk_project);
- $morehtmlref .= ': '.$proj->getNomUrl();
- } else {
- $morehtmlref .= '';
- }
- }
- }*/
- $morehtmlref .= '
';
-
- dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
-
- print '
';
-
- print '
';
- print '
';
-
- // Number of files
- print '| '.$langs->trans("NbOfAttachedFiles").' | '.count($filearray).' |
';
-
- // Total size
- print '| '.$langs->trans("TotalSizeOfAttachedFiles").' | '.$totalsize.' '.$langs->trans("bytes").' |
';
-
- print '
';
-
- print '
';
-
- print dol_get_fiche_end();
-
- $modulepart = 'mymodule';
- //$permissiontoadd = $user->rights->mymodule->myobject->write;
- $permissiontoadd = 1;
- //$permtoedit = $user->rights->mymodule->myobject->write;
- $permtoedit = 1;
- $param = '&id='.$object->id;
-
- //$relativepathwithnofile='myobject/' . dol_sanitizeFileName($object->id).'/';
- $relativepathwithnofile = 'myobject/'.dol_sanitizeFileName($object->ref).'/';
-
- include DOL_DOCUMENT_ROOT.'/core/tpl/document_actions_post_headers.tpl.php';
-} else {
- accessforbidden('', 0, 1);
+// Build file list
+$filearray = dol_dir_list($upload_dir, "files", 0, '', '(\.meta|_preview.*\.png)$', $sortfield, (strtolower($sortorder) == 'desc' ?SORT_DESC:SORT_ASC), 1);
+$totalsize = 0;
+foreach ($filearray as $key => $file) {
+ $totalsize += $file['size'];
}
+// Object card
+// ------------------------------------------------------------
+$linkback = '
'.$langs->trans("BackToList").'';
+
+$morehtmlref = '
';
+/*
+ // Ref customer
+ $morehtmlref.=$form->editfieldkey("RefCustomer", 'ref_client', $object->ref_client, $object, 0, 'string', '', 0, 1);
+ $morehtmlref.=$form->editfieldval("RefCustomer", 'ref_client', $object->ref_client, $object, 0, 'string', '', null, null, '', 1);
+ // Thirdparty
+ $morehtmlref.='
'.$langs->trans('ThirdParty') . ' : ' . (is_object($object->thirdparty) ? $object->thirdparty->getNomUrl(1) : '');
+ // Project
+ if (!empty($conf->project->enabled))
+ {
+ $langs->load("projects");
+ $morehtmlref.='
'.$langs->trans('Project') . ' ';
+ if ($permissiontoadd)
+ {
+ if ($action != 'classify')
+ //$morehtmlref.='
' . img_edit($langs->transnoentitiesnoconv('SetProject')) . ' : ';
+ $morehtmlref.=' : ';
+ if ($action == 'classify') {
+ //$morehtmlref.=$form->form_project($_SERVER['PHP_SELF'] . '?id=' . $object->id, $object->socid, $object->fk_project, 'projectid', 0, 0, 1, 1);
+ $morehtmlref.='
';
+ } else {
+ $morehtmlref.=$form->form_project($_SERVER['PHP_SELF'] . '?id=' . $object->id, $object->socid, $object->fk_project, 'none', 0, 0, 0, 1);
+ }
+ } else {
+ if (!empty($object->fk_project)) {
+ $proj = new Project($db);
+ $proj->fetch($object->fk_project);
+ $morehtmlref .= ': '.$proj->getNomUrl();
+ } else {
+ $morehtmlref .= '';
+ }
+ }
+ }*/
+$morehtmlref .= '
';
+
+dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
+
+print '
';
+
+print '
';
+print '
';
+
+// Number of files
+print '| '.$langs->trans("NbOfAttachedFiles").' | '.count($filearray).' |
';
+
+// Total size
+print '| '.$langs->trans("TotalSizeOfAttachedFiles").' | '.$totalsize.' '.$langs->trans("bytes").' |
';
+
+print '
';
+
+print '
';
+
+print dol_get_fiche_end();
+
+$modulepart = 'mymodule';
+//$permissiontoadd = $user->rights->mymodule->myobject->write;
+$permissiontoadd = 1;
+//$permtoedit = $user->rights->mymodule->myobject->write;
+$permtoedit = 1;
+$param = '&id='.$object->id;
+
+//$relativepathwithnofile='myobject/' . dol_sanitizeFileName($object->id).'/';
+$relativepathwithnofile = 'myobject/'.dol_sanitizeFileName($object->ref).'/';
+
+include DOL_DOCUMENT_ROOT.'/core/tpl/document_actions_post_headers.tpl.php';
+
// End of page
llxFooter();
$db->close();
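Review bot: The de-indented block still hard-codes `$permissiontoadd = 1;` and `$permtoedit = 1;` immediately before including document_actions_post_headers.tpl.php, overwriting any `$permissiontoadd` computed under `$enablepermissioncheck` earlier in the file (that section is outside this hunk); in a module generated from this template, a user who can only read the object can then upload and delete its documents. The commented lines directly above already show the intended values, so `$permissiontoadd = $user->rights->mymodule->myobject->write;` and `$permtoedit = $user->rights->mymodule->myobject->write;` (or reuse of the earlier variable) would close the gap. Most of this hunk is a pure re-indentation of unchanged code.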
diff --git a/htdocs/modulebuilder/template/myobject_list.php b/htdocs/modulebuilder/template/myobject_list.php
index 987b58f2369..789a5d2312d 100644
--- a/htdocs/modulebuilder/template/myobject_list.php
+++ b/htdocs/modulebuilder/template/myobject_list.php
@@ -38,7 +38,6 @@
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
-//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN', 1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
//if (! defined("MAIN_SECURITY_FORCECSP")) define('MAIN_SECURITY_FORCECSP', 'none'); // Disable all Content Security Policies
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
diff --git a/htdocs/modulebuilder/template/myobject_note.php b/htdocs/modulebuilder/template/myobject_note.php
index 6b03ddbf8c6..e97d131551a 100644
--- a/htdocs/modulebuilder/template/myobject_note.php
+++ b/htdocs/modulebuilder/template/myobject_note.php
@@ -38,7 +38,6 @@
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
-//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN', 1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
//if (! defined("MAIN_SECURITY_FORCECSP")) define('MAIN_SECURITY_FORCECSP', 'none'); // Disable all Content Security Policies
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
diff --git a/htdocs/modulebuilder/template/scripts/mymodule.php b/htdocs/modulebuilder/template/scripts/mymodule.php
index 860c3a54bec..2d9b3aac79c 100644
--- a/htdocs/modulebuilder/template/scripts/mymodule.php
+++ b/htdocs/modulebuilder/template/scripts/mymodule.php
@@ -39,7 +39,6 @@
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
-//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN', 1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
if (!defined('NOSESSION')) define('NOSESSION', '1'); // On CLI mode, no need to use web sessions
diff --git a/htdocs/public/agenda/agendaexport.php b/htdocs/public/agenda/agendaexport.php
index a0e7ea817a7..fa134da668c 100644
--- a/htdocs/public/agenda/agendaexport.php
+++ b/htdocs/public/agenda/agendaexport.php
@@ -84,7 +84,7 @@ require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php';
// Security check
if (empty($conf->agenda->enabled)) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('Module Agenda not enabled');
}
// Not older than
diff --git a/htdocs/public/cron/cron_run_jobs_by_url.php b/htdocs/public/cron/cron_run_jobs_by_url.php
index fa81b8d8bd7..497c68954db 100644
--- a/htdocs/public/cron/cron_run_jobs_by_url.php
+++ b/htdocs/public/cron/cron_run_jobs_by_url.php
@@ -75,7 +75,7 @@ $langs->loadLangs(array("admin", "cron", "dict"));
// Security check
if (empty($conf->cron->enabled)) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('Module Cron not enabled');
}
diff --git a/htdocs/public/demo/index.php b/htdocs/public/demo/index.php
index 49bde1a2b9b..892eb45870d 100644
--- a/htdocs/public/demo/index.php
+++ b/htdocs/public/demo/index.php
@@ -51,7 +51,7 @@ $conf->dol_use_jmobile = GETPOST('dol_use_jmobile', 'int');
// Security check
global $dolibarr_main_demo;
if (empty($dolibarr_main_demo)) {
- accessforbidden('Parameter dolibarr_main_demo must be defined in conf file with value "default login,default pass" to enable the demo entry page', 0, 0, 1);
+ httponly_accessforbidden('Parameter dolibarr_main_demo must be defined in conf file with value "default login,default pass" to enable the demo entry page');
}
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
diff --git a/htdocs/public/donations/donateurs_code.php b/htdocs/public/donations/donateurs_code.php
index 87db3ee4133..51f7ef7234b 100644
--- a/htdocs/public/donations/donateurs_code.php
+++ b/htdocs/public/donations/donateurs_code.php
@@ -60,7 +60,7 @@ require_once DOL_DOCUMENT_ROOT.'/don/class/don.class.php';
// Security check
if (empty($conf->don->enabled)) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('Module Donation not enabled');
}
diff --git a/htdocs/public/eventorganization/attendee_new.php b/htdocs/public/eventorganization/attendee_new.php
index 8bb85022b2e..b3eb731ab19 100644
--- a/htdocs/public/eventorganization/attendee_new.php
+++ b/htdocs/public/eventorganization/attendee_new.php
@@ -138,7 +138,7 @@ $user->loadDefaultValues();
// Security check
if (empty($conf->eventorganization->enabled)) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('Module Event organization not enabled');
}
diff --git a/htdocs/public/eventorganization/subscriptionok.php b/htdocs/public/eventorganization/subscriptionok.php
index 8acf3daba78..248c281a284 100644
--- a/htdocs/public/eventorganization/subscriptionok.php
+++ b/htdocs/public/eventorganization/subscriptionok.php
@@ -77,7 +77,7 @@ if ($securekeyreceived != $securekeytocompare) {
// Security check
if (empty($conf->eventorganization->enabled)) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('Module Event organization not enabled');
}
diff --git a/htdocs/public/members/new.php b/htdocs/public/members/new.php
index 2a69b4b0ef0..0a1ebc0600e 100644
--- a/htdocs/public/members/new.php
+++ b/htdocs/public/members/new.php
@@ -86,12 +86,11 @@ $langs->loadLangs(array("main", "members", "companies", "install", "other"));
// Security check
if (empty($conf->adherent->enabled)) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('Module Membership not enabled');
}
if (empty($conf->global->MEMBER_ENABLE_PUBLIC)) {
- print $langs->trans("Auto subscription form for public visitors has not been enabled");
- exit;
+ httponly_accessforbidden("Auto subscription form for public visitors has not been enabled");
}
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
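Review bot: The second `httponly_accessforbidden("Auto subscription form for public visitors has not been enabled");` passes the sentence that the removed lines ran through `$langs->trans(...)`, so the translation lookup is lost unless the helper translates its first argument itself, which is not visible here. If it does not, `httponly_accessforbidden($langs->trans("Auto subscription form for public visitors has not been enabled"));` keeps the previous behaviour for localized installations. The hunk for `public/partnership/new.php` later in this commit makes the identical change and would need the same treatment.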
diff --git a/htdocs/public/members/public_card.php b/htdocs/public/members/public_card.php
index d58b6448edb..067e6ed94ea 100644
--- a/htdocs/public/members/public_card.php
+++ b/htdocs/public/members/public_card.php
@@ -53,7 +53,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/extrafields.class.php';
// Security check
if (empty($conf->adherent->enabled)) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('Module Memebership no enabled');
}
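Review bot: The message on the `+` line is misspelled, `'Module Memebership no enabled'`, while the same check in `public/members/new.php` and `public/members/public_list.php` in this commit uses `'Module Membership not enabled'`. This string is what the visitor sees on the refusal page and what ends up in logs, so align it: `httponly_accessforbidden('Module Membership not enabled');`.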
diff --git a/htdocs/public/members/public_list.php b/htdocs/public/members/public_list.php
index 178af5fce11..24cdcf5c001 100644
--- a/htdocs/public/members/public_list.php
+++ b/htdocs/public/members/public_list.php
@@ -49,7 +49,7 @@ require '../../main.inc.php';
// Security check
if (empty($conf->adherent->enabled)) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('Module Membership not enabled');
}
diff --git a/htdocs/public/onlinesign/newonlinesign.php b/htdocs/public/onlinesign/newonlinesign.php
index 65c2faf7918..411a37d6284 100644
--- a/htdocs/public/onlinesign/newonlinesign.php
+++ b/htdocs/public/onlinesign/newonlinesign.php
@@ -81,13 +81,6 @@ $ref = $REF = GETPOST("ref", 'alpha');
if (empty($source)) {
$source = 'proposal';
}
-
-if (!$action) {
- if ($source && !$ref) {
- print $langs->trans('ErrorBadParameters')." - ref missing";
- exit;
- }
-}
if (!empty($refusepropal)) {
$action = "refusepropal";
}
@@ -123,15 +116,12 @@ $urlko = preg_replace('/&$/', '', $urlko); // Remove last &
$creditor = $mysoc->name;
$type = $source;
-if ($source == 'proposal') {
- require_once DOL_DOCUMENT_ROOT.'/comm/propal/class/propal.class.php';
- $object = new Propal($db);
- $result= $object->fetch(0, $ref, '', $entity);
-} else {
- accessforbidden('Bad value for source');
- exit;
-}
+if (!$action) {
+ if ($source && !$ref) {
+ httponly_accessforbidden($langs->trans('ErrorBadParameters')." - ref missing", 400, 1);
+ }
+}
// Check securitykey
$securekeyseed = '';
@@ -139,10 +129,16 @@ if ($source == 'proposal') {
$securekeyseed = getDolGlobalString('PROPOSAL_ONLINE_SIGNATURE_SECURITY_TOKEN');
}
-if (!dol_verifyHash($securekeyseed.$type.$ref.(!isModEnabled('multicompany') ? '' : $entity), $SECUREKEY, '0')) {
- http_response_code(403);
- print 'Bad value for securitykey. Value provided '.dol_escape_htmltag($SECUREKEY).' does not match expected value for ref='.dol_escape_htmltag($ref);
- exit(-1);
+if (!dol_verifyHash($securekeyseed.$type.$ref.(isModEnabled('multicompany') ? $entity : ''), $SECUREKEY, '0')) {
+ httponly_accessforbidden('Bad value for securitykey. Value provided '.dol_escape_htmltag($SECUREKEY).' does not match expected value for ref='.dol_escape_htmltag($ref), 403, 1);
+}
+
+if ($source == 'proposal') {
+ require_once DOL_DOCUMENT_ROOT.'/comm/propal/class/propal.class.php';
+ $object = new Propal($db);
+ $result= $object->fetch(0, $ref, '', $entity);
+} else {
+ httponly_accessforbidden($langs->trans('ErrorBadParameters')." - Bad value for source", 400, 1);
}
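Review bot: The `dol_verifyHash` check now runs before the `$source` allowlist in the `if ($source == 'proposal') ... else` block, so for an unknown source it executes with the `$securekeyseed` left by the earlier `if ($source == 'proposal')` branch shown in the hunk context, i.e. the empty string. No bypass results because the `else` branch still rejects the request, but an unsupported source is answered with the 403 "Bad value for securitykey" text instead of the 400 "Bad value for source", and the hash is compared against a seed that was never configured for that source. Rejecting an unsupported `$source` ahead of the `dol_verifyHash` call keeps the hash check meaningful, while the `Propal` fetch can stay after it as the commit intends. Separately, `$result` from `$object->fetch(0, $ref, '', $entity)` is not tested inside this hunk; if the code that follows (outside the hunk) does not check it, a refusal on `$result <= 0` belongs right after the fetch.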
diff --git a/htdocs/public/opensurvey/studs.php b/htdocs/public/opensurvey/studs.php
index 4853eec496e..3450393b7b7 100644
--- a/htdocs/public/opensurvey/studs.php
+++ b/htdocs/public/opensurvey/studs.php
@@ -59,7 +59,7 @@ $canbemodified = ((empty($object->date_fin) || $object->date_fin > dol_now()) &&
// Security check
if (empty($conf->opensurvey->enabled)) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('Module Survey not enabled');
}
@@ -74,7 +74,7 @@ $listofvoters = explode(',', $_SESSION["savevoter"]);
// Add comment
if (GETPOST('ajoutcomment', 'alpha')) {
if (!$canbemodified) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('ErrorForbidden');
}
$error = 0;
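Review bot: `httponly_accessforbidden('ErrorForbidden')` on the `+` line passes what looks like a translation key, whereas the other call sites in this commit pass plain sentences (`'Module Survey not enabled'` in the previous hunk of this file). Unless `httponly_accessforbidden` translates its first argument, which cannot be seen here, the voter gets the raw key `ErrorForbidden` in the response body. The same call appears in the three following hunks of this file (the add-vote, modify and delete-comment branches); either pass `$langs->trans('ErrorForbidden')` or a literal sentence at all four so they read uniformly. The enclosing `if (GETPOST('ajoutcomment', 'alpha'))` block continues past the hunk.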
@@ -108,7 +108,7 @@ if (GETPOST('ajoutcomment', 'alpha')) {
// Add vote
if (GETPOST("boutonp") || GETPOST("boutonp.x") || GETPOST("boutonp_x")) { // boutonp for chrome, boutonp_x for firefox
if (!$canbemodified) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('ErrorForbidden');
}
//Si le nom est bien entré
@@ -214,7 +214,7 @@ if ($testmodifier) {
}
if (!$canbemodified) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('ErrorForbidden');
}
$idtomodify = GETPOST("idtomodify".$modifier);
@@ -232,7 +232,7 @@ if ($testmodifier) {
$idcomment = GETPOST('deletecomment', 'int');
if ($idcomment) {
if (!$canbemodified) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('ErrorForbidden');
}
$resql = $object->deleteComment($idcomment);
diff --git a/htdocs/public/partnership/new.php b/htdocs/public/partnership/new.php
index a50892c9e08..f2706bf0bc9 100644
--- a/htdocs/public/partnership/new.php
+++ b/htdocs/public/partnership/new.php
@@ -71,12 +71,11 @@ $langs->loadLangs(array("main", "members", "partnership", "companies", "install"
// Security check
if (empty($conf->partnership->enabled)) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('Module Partnership not enabled');
}
if (empty($conf->global->PARTNERSHIP_ENABLE_PUBLIC)) {
- print $langs->trans("Auto subscription form for public visitors has not been enabled");
- exit;
+ httponly_accessforbidden("Auto subscription form for public visitors has not been enabled");
}
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
diff --git a/htdocs/public/payment/paymentko.php b/htdocs/public/payment/paymentko.php
index 606bed0c490..67ad99d46f3 100644
--- a/htdocs/public/payment/paymentko.php
+++ b/htdocs/public/payment/paymentko.php
@@ -108,7 +108,7 @@ if (!empty($conf->stripe->enabled)) {
// Security check
if (empty($validpaymentmethod)) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('No valid payment mode');
}
diff --git a/htdocs/public/payment/paymentok.php b/htdocs/public/payment/paymentok.php
index 209e931a75b..fee0e801964 100644
--- a/htdocs/public/payment/paymentok.php
+++ b/htdocs/public/payment/paymentok.php
@@ -138,7 +138,7 @@ if (!empty($conf->stripe->enabled)) {
// Security check
if (empty($validpaymentmethod)) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('No valid payment mode');
}
diff --git a/htdocs/public/project/index.php b/htdocs/public/project/index.php
index e5dfeb59a8e..6c8746152c4 100644
--- a/htdocs/public/project/index.php
+++ b/htdocs/public/project/index.php
@@ -84,7 +84,7 @@ if ($resultproject < 0) {
// Security check
if (empty($conf->project->enabled)) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('Module Project not enabled');
}
diff --git a/htdocs/public/project/new.php b/htdocs/public/project/new.php
index d984b3346d8..3241b6004ca 100644
--- a/htdocs/public/project/new.php
+++ b/htdocs/public/project/new.php
@@ -82,7 +82,7 @@ $user->loadDefaultValues();
// Security check
if (empty($conf->project->enabled)) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('Module Project not enabled');
}
diff --git a/htdocs/public/project/suggestbooth.php b/htdocs/public/project/suggestbooth.php
index 52193e4fcd4..0c11c82e13b 100644
--- a/htdocs/public/project/suggestbooth.php
+++ b/htdocs/public/project/suggestbooth.php
@@ -105,7 +105,7 @@ $arrayofconfboothtype = $cactioncomm->liste_array('', 'id', '', 0, "module='boot
// Security check
if (empty($conf->eventorganization->enabled)) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('Module Event organization not enabled');
}
diff --git a/htdocs/public/project/suggestconference.php b/htdocs/public/project/suggestconference.php
index 05cc8e61a82..cfe5bb67fec 100644
--- a/htdocs/public/project/suggestconference.php
+++ b/htdocs/public/project/suggestconference.php
@@ -106,7 +106,7 @@ $arrayofconfboothtype = $cactioncomm->liste_array('', 'id', '', 0, "module='conf
// Security check
if (empty($conf->eventorganization->enabled)) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('Module Event organization not enabled');
}
diff --git a/htdocs/public/project/viewandvote.php b/htdocs/public/project/viewandvote.php
index 805eb8cfdd1..1c8d1208d1f 100644
--- a/htdocs/public/project/viewandvote.php
+++ b/htdocs/public/project/viewandvote.php
@@ -91,7 +91,7 @@ if ($resultproject < 0) {
// Security check
if (empty($conf->eventorganization->enabled)) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('Module Event organization not enabled');
}
diff --git a/htdocs/public/recruitment/index.php b/htdocs/public/recruitment/index.php
index 32585c94bb4..5ad954af906 100644
--- a/htdocs/public/recruitment/index.php
+++ b/htdocs/public/recruitment/index.php
@@ -80,7 +80,7 @@ $urlwithroot = DOL_MAIN_URL_ROOT; // This is to use same domain name than curren
// Security check
if (empty($conf->recruitment->enabled)) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('Module Recruitment not enabled');
}
diff --git a/htdocs/public/recruitment/view.php b/htdocs/public/recruitment/view.php
index 2eaa51ac2fe..0875f33ebdd 100644
--- a/htdocs/public/recruitment/view.php
+++ b/htdocs/public/recruitment/view.php
@@ -77,7 +77,7 @@ $urlwithroot = DOL_MAIN_URL_ROOT; // This is to use same domain name than curren
// Security check
if (empty($conf->recruitment->enabled)) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('Module Recruitment not enabled');
}
diff --git a/htdocs/public/stripe/ipn.php b/htdocs/public/stripe/ipn.php
index 29e22c72de7..f1571557d83 100644
--- a/htdocs/public/stripe/ipn.php
+++ b/htdocs/public/stripe/ipn.php
@@ -49,11 +49,6 @@ require_once DOL_DOCUMENT_ROOT.'/includes/stripe/stripe-php/init.php';
require_once DOL_DOCUMENT_ROOT.'/stripe/class/stripe.class.php';
-if (empty($conf->stripe->enabled)) {
- accessforbidden('', 0, 0, 1);
-}
-
-
// You can find your endpoint's secret in your webhook settings
if (isset($_GET['connect'])) {
if (isset($_GET['test'])) {
@@ -77,10 +72,12 @@ if (isset($_GET['connect'])) {
}
}
+if (empty($conf->stripe->enabled)) {
+ httponly_accessforbidden('Module Stripe not enabled');
+}
+
if (empty($endpoint_secret)) {
- print 'Error: Setup of module Stripe not complete for mode '.$service.'. The WEBHOOK_KEY is not defined.';
- http_response_code(400); // PHP 5.4 or greater
- exit();
+ httponly_accessforbidden('Error: Setup of module Stripe not complete for mode '.dol_escape_htmltag($service).'. The WEBHOOK_KEY is not defined.', 400, 1);
}
if (!empty($conf->global->STRIPE_USER_ACCOUNT_FOR_ACTIONS)) {
@@ -89,9 +86,7 @@ if (!empty($conf->global->STRIPE_USER_ACCOUNT_FOR_ACTIONS)) {
$user->fetch($conf->global->STRIPE_USER_ACCOUNT_FOR_ACTIONS);
$user->getrights();
} else {
- print 'Error: Setup of module Stripe not complete for mode '.$service.'. The STRIPE_USER_ACCOUNT_FOR_ACTIONS is not defined.';
- http_response_code(400); // PHP 5.4 or greater
- exit();
+ httponly_accessforbidden('Error: Setup of module Stripe not complete for mode '.dol_escape_htmltag($service).'. The STRIPE_USER_ACCOUNT_FOR_ACTIONS is not defined.', 400, 1);
}
@@ -113,12 +108,9 @@ try {
$event = \Stripe\Webhook::constructEvent($payload, $sig_header, $endpoint_secret);
} catch (\UnexpectedValueException $e) {
// Invalid payload
- http_response_code(400); // PHP 5.4 or greater
- exit();
+ httponly_accessforbidden('Invalid payload', 400);
} catch (\Stripe\Error\SignatureVerification $e) {
- // Invalid signature
- http_response_code(400); // PHP 5.4 or greater
- exit();
+ httponly_accessforbidden('Invalid signature', 400);
}
// Do something with $event
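Review bot: The new 400 responses in the two `catch` blocks only take effect if the caught types match what the bundled stripe-php actually throws; the context line `catch (\Stripe\Error\SignatureVerification $e)` names the pre-v7 class, while releases from v7 on throw `\Stripe\Exception\SignatureVerificationException`. If the library under `includes/stripe/stripe-php` is v7 or later, a webhook with a bad signature is not caught here and surfaces as an uncaught exception instead of the intended `httponly_accessforbidden('Invalid signature', 400)`. That catch line predates this commit, but since the commit's purpose is to make the failure path well-defined, the class name should be confirmed against the vendored library version. The opening of the `try` and the handling of `$event` are outside the hunk.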
@@ -155,6 +147,7 @@ if (!empty($conf->global->MAIN_APPLICATION_TITLE)) {
$societeName = $conf->global->MAIN_APPLICATION_TITLE;
}
+top_httphead();
dol_syslog("***** Stripe IPN was called with event->type = ".$event->type);
@@ -195,11 +188,10 @@ if ($event->type == 'payout.created') {
$ret = $mailfile->sendfile();
- http_response_code(200); // PHP 5.4 or greater
return 1;
} else {
$error++;
- http_response_code(500); // PHP 5.4 or greater
+ http_response_code(500);
return -1;
}
} elseif ($event->type == 'payout.paid') {
@@ -287,7 +279,6 @@ if ($event->type == 'payout.created') {
$ret = $mailfile->sendfile();
- http_response_code(200);
return 1;
} else {
$error++;
@@ -396,4 +387,4 @@ if ($event->type == 'payout.created') {
// This event is deprecated.
}
-http_response_code(200);
+// End of page. Default return HTTP code will be 200
diff --git a/htdocs/public/ticket/create_ticket.php b/htdocs/public/ticket/create_ticket.php
index 7ebbdb05af3..59f12a64482 100644
--- a/htdocs/public/ticket/create_ticket.php
+++ b/htdocs/public/ticket/create_ticket.php
@@ -91,7 +91,7 @@ if (!empty($conf->global->TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST))
$extrafields->fetch_name_optionals_label($object->table_element);
if (empty($conf->ticket->enabled)) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('Module Ticket not enabled');
}
diff --git a/htdocs/public/ticket/index.php b/htdocs/public/ticket/index.php
index 6332f063541..ae9b281900e 100644
--- a/htdocs/public/ticket/index.php
+++ b/htdocs/public/ticket/index.php
@@ -59,7 +59,7 @@ $action = GETPOST('action', 'aZ09');
$suffix = "";
if (empty($conf->ticket->enabled)) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('Module Ticket not enabled');
}
diff --git a/htdocs/public/ticket/list.php b/htdocs/public/ticket/list.php
index 7af60f50e83..5730ac424df 100644
--- a/htdocs/public/ticket/list.php
+++ b/htdocs/public/ticket/list.php
@@ -79,7 +79,7 @@ $object = new Ticket($db);
$hookmanager->initHooks(array('ticketpubliclist', 'globalcard'));
if (empty($conf->ticket->enabled)) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('Module Ticket not enabled');
}
diff --git a/htdocs/public/ticket/view.php b/htdocs/public/ticket/view.php
index de76e2f9904..d46944ebd82 100644
--- a/htdocs/public/ticket/view.php
+++ b/htdocs/public/ticket/view.php
@@ -73,7 +73,7 @@ if (isset($_SESSION['email_customer'])) {
$object = new ActionsTicket($db);
if (empty($conf->ticket->enabled)) {
- accessforbidden('', 0, 0, 1);
+ httponly_accessforbidden('Module Ticket not enabled');
}
diff --git a/htdocs/societe/document.php b/htdocs/societe/document.php
index 92c7efb63d9..fccb1ae3044 100644
--- a/htdocs/societe/document.php
+++ b/htdocs/societe/document.php
@@ -92,7 +92,9 @@ if ($user->socid > 0) {
}
$result = restrictedArea($user, 'societe', $object->id, '&societe');
-$permissiontoadd = $user->rights->societe->creer; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles
+if (empty($object->id)) {
+ accessforbidden();
+}
/*
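Review bot: The removed line `$permissiontoadd = $user->rights->societe->creer;` was, per its own comment, consumed by the `actions_addupdatedelete.inc.php` and `actions_linkedfiles` includes, and the replacement only reinstates `$permissiontoadd` in the display section further down, after `llxHeader`. If those action includes run between this point and the display section, as the deleted comment suggests, they now see an undefined (falsy) `$permissiontoadd`, so file upload and delete actions on the third-party document tab would be refused even for users holding `societe->creer`, with an undefined-variable warning on top. Keeping the assignment next to the new guard, `$permissiontoadd = $user->rights->societe->creer;` immediately after `if (empty($object->id)) { accessforbidden(); }`, restores that contract; the action includes are outside the hunk, so this should be verified against that section. The bare `accessforbidden();` is also the only call in this change without a reason string, where the other sites pass one.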
@@ -115,88 +117,80 @@ if (!empty($conf->global->MAIN_HTML_TITLE) && preg_match('/thirdpartynameonly/',
$help_url = 'EN:Module_Third_Parties|FR:Module_Tiers|ES:Empresas';
llxHeader('', $title, $help_url);
-if ($object->id) {
- /*
- * Show tabs
- */
- if (!empty($conf->notification->enabled)) {
- $langs->load("mails");
- }
- $head = societe_prepare_head($object);
-
- $form = new Form($db);
-
- print dol_get_fiche_head($head, 'document', $langs->trans("ThirdParty"), -1, 'company');
-
-
- // Build file list
- $filearray = dol_dir_list($upload_dir, "files", 0, '', '(\.meta|_preview.*\.png)$', $sortfield, (strtolower($sortorder) == 'desc' ?SORT_DESC:SORT_ASC), 1);
- $totalsize = 0;
- foreach ($filearray as $key => $file) {
- $totalsize += $file['size'];
- }
-
- $linkback = '
'.$langs->trans("BackToList").'';
-
- dol_banner_tab($object, 'socid', $linkback, ($user->socid ? 0 : 1), 'rowid', 'nom');
-
- print '
';
-
- print '
';
- print '
';
-
- // Type Prospect/Customer/Supplier
- print '| '.$langs->trans('NatureOfThirdParty').' | ';
- print $object->getTypeUrl(1);
- print ' |
';
-
- // Prefix
- if (!empty($conf->global->SOCIETE_USEPREFIX)) { // Old not used prefix field
- print '| '.$langs->trans('Prefix').' | '.$object->prefix_comm.' |
';
- }
-
- if ($object->client) {
- print '| ';
- print $langs->trans('CustomerCode').' | ';
- print showValueWithClipboardCPButton(dol_escape_htmltag($object->code_client));
- $tmpcheck = $object->check_codeclient();
- if ($tmpcheck != 0 && $tmpcheck != -5) {
- print ' ('.$langs->trans("WrongCustomerCode").')';
- }
- print ' |
';
- }
-
- if ($object->fournisseur) {
- print '| ';
- print $langs->trans('SupplierCode').' | ';
- print showValueWithClipboardCPButton(dol_escape_htmltag($object->code_fournisseur));
- $tmpcheck = $object->check_codefournisseur();
- if ($tmpcheck != 0 && $tmpcheck != -5) {
- print ' ('.$langs->trans("WrongSupplierCode").')';
- }
- print ' |
';
- }
-
- // Number of files
- print '| '.$langs->trans("NbOfAttachedFiles").' | '.count($filearray).' |
';
-
- // Total size
- print '| '.$langs->trans("TotalSizeOfAttachedFiles").' | '.dol_print_size($totalsize, 1, 1).' |
';
-
- print '
';
-
- print '
';
-
- print dol_get_fiche_end();
-
- $modulepart = 'societe';
- $permissiontoadd = $user->rights->societe->creer;
- $permtoedit = $user->rights->societe->creer;
- $param = '&id='.$object->id;
- include DOL_DOCUMENT_ROOT.'/core/tpl/document_actions_post_headers.tpl.php';
-} else {
- accessforbidden('', 0, 0);
+// Show tabs
+if (!empty($conf->notification->enabled)) {
+ $langs->load("mails");
}
+$head = societe_prepare_head($object);
+
+print dol_get_fiche_head($head, 'document', $langs->trans("ThirdParty"), -1, 'company');
+
+
+// Build file list
+$filearray = dol_dir_list($upload_dir, "files", 0, '', '(\.meta|_preview.*\.png)$', $sortfield, (strtolower($sortorder) == 'desc' ?SORT_DESC:SORT_ASC), 1);
+$totalsize = 0;
+foreach ($filearray as $key => $file) {
+ $totalsize += $file['size'];
+}
+
+$linkback = '
'.$langs->trans("BackToList").'';
+
+dol_banner_tab($object, 'socid', $linkback, ($user->socid ? 0 : 1), 'rowid', 'nom');
+
+print '
';
+
+print '
';
+print '
';
+
+// Type Prospect/Customer/Supplier
+print '| '.$langs->trans('NatureOfThirdParty').' | ';
+print $object->getTypeUrl(1);
+print ' |
';
+
+// Prefix
+if (!empty($conf->global->SOCIETE_USEPREFIX)) { // Old not used prefix field
+ print '| '.$langs->trans('Prefix').' | '.$object->prefix_comm.' |
';
+}
+
+if ($object->client) {
+ print '| ';
+ print $langs->trans('CustomerCode').' | ';
+ print showValueWithClipboardCPButton(dol_escape_htmltag($object->code_client));
+ $tmpcheck = $object->check_codeclient();
+ if ($tmpcheck != 0 && $tmpcheck != -5) {
+ print ' ('.$langs->trans("WrongCustomerCode").')';
+ }
+ print ' |
';
+}
+
+if ($object->fournisseur) {
+ print '| ';
+ print $langs->trans('SupplierCode').' | ';
+ print showValueWithClipboardCPButton(dol_escape_htmltag($object->code_fournisseur));
+ $tmpcheck = $object->check_codefournisseur();
+ if ($tmpcheck != 0 && $tmpcheck != -5) {
+ print ' ('.$langs->trans("WrongSupplierCode").')';
+ }
+ print ' |
';
+}
+
+// Number of files
+print '| '.$langs->trans("NbOfAttachedFiles").' | '.count($filearray).' |
';
+
+// Total size
+print '| '.$langs->trans("TotalSizeOfAttachedFiles").' | '.dol_print_size($totalsize, 1, 1).' |
';
+
+print '
';
+
+print '
';
+
+print dol_get_fiche_end();
+
+$modulepart = 'societe';
+$permissiontoadd = $user->rights->societe->creer;
+$permtoedit = $user->rights->societe->creer;
+$param = '&id='.$object->id;
+include DOL_DOCUMENT_ROOT.'/core/tpl/document_actions_post_headers.tpl.php';
// End of page
llxFooter();
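Review bot: The rewritten display section drops `$form = new Form($db);` (old line `- $form = new Form($db);`) although nothing else in the hunk changes; if `core/tpl/document_actions_post_headers.tpl.php`, included at the end of the section, or a hook run by `llxFooter()` expects a `$form` instance, this de-indentation quietly becomes a regression. The template's inputs are not visible here, so either confirm it does not read `$form` or keep that one line. Apart from that, the hunk is a pure de-indentation after the `if ($object->id)` wrapper was replaced by the early `accessforbidden()` guard; the file-list loop, the size display and the `$permissiontoadd`/`$permtoedit` assignments are unchanged.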
diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php
index 12b2a52742d..cb61ab6c1b1 100644
--- a/htdocs/user/class/user.class.php
+++ b/htdocs/user/class/user.class.php
@@ -753,7 +753,7 @@ class User extends CommonObject
//var_dump($module);
//var_dump($this->rights->$rightsPath);
//var_dump($conf->modules);
- if (!in_array($module, $conf->modules)) {
+ if (!isModEnabled($module)) {
return 0;
}
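Review bot: `isModEnabled($module)` on the `+` line replaces a membership test on `$conf->modules` inside a rights lookup that returns 0 when the module is off, and the two are equivalent only if `isModEnabled` resolves every `$module` value reaching this line the same way the modules list did. A module whose `$conf->modules` entry differs from the key `isModEnabled` looks up (legacy aliases) would flip the outcome of this permission check, so a test across the rights paths of such modules is worth adding with this change. The enclosing method starts outside the hunk, so where `$module` comes from is not visible here.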
diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php
index f297fed62b4..3b1d60e0e90 100644
--- a/htdocs/viewimage.php
+++ b/htdocs/viewimage.php
@@ -138,10 +138,10 @@ $entity = GETPOST('entity', 'int') ?GETPOST('entity', 'int') : $conf->entity;
// Security check
if (empty($modulepart) && empty($hashp)) {
- accessforbidden('Bad link. Bad value for parameter modulepart', 0, 0, 1);
+ httponly_accessforbidden('Bad link. Bad value for parameter modulepart', 400);
}
if (empty($original_file) && empty($hashp) && $modulepart != 'barcode') {
- accessforbidden('Bad link. Missing identification to find file (param file or hashp)', 0, 0, 1);
+ httponly_accessforbidden('Bad link. Missing identification to find file (param file or hashp)', 400);
}
if ($modulepart == 'fckeditor') {
$modulepart = 'medias'; // For backward compatibility
@@ -192,7 +192,7 @@ if (!empty($hashp)) {
$original_file = (($tmp[1] ? $tmp[1].'/' : '').$ecmfile->filename); // this is relative to module dir
//var_dump($original_file); exit;
} else {
- accessforbidden('Bad link. File is from another module part.', 0, 0, 1);
+ httponly_accessforbidden('Bad link. File is from another module part.', 403);
}
} else {
$modulepart = $moduleparttocheck;
@@ -200,7 +200,7 @@ if (!empty($hashp)) {
}
} else {
$langs->load("errors");
- accessforbidden($langs->trans("ErrorFileNotFoundWithSharedLink"), 0, 0, 1);
+ httponly_accessforbidden($langs->trans("ErrorFileNotFoundWithSharedLink"), 403, 1);
}
}
@@ -214,11 +214,11 @@ if (GETPOST('type', 'alpha')) {
// Security: This wrapper is for images. We do not allow type/html
if (preg_match('/html/i', $type)) {
- accessforbidden('Error: Using the image wrapper to output a file with a mime type HTML is not possible.', 0, 0, 1);
+ httponly_accessforbidden('Error: Using the image wrapper to output a file with a mime type HTML is not possible.');
}
// Security: This wrapper is for images. We do not allow files ending with .noexe
if (preg_match('/\.noexe$/i', $original_file)) {
- accessforbidden('Error: Using the image wrapper to output a file ending with .noexe is not allowed.', 0, 0, 1);
+ httponly_accessforbidden('Error: Using the image wrapper to output a file ending with .noexe is not allowed.');
}
// Security: Delete string ../ or ..\ into $original_file
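Review bot: The two refusals in this hunk (`... mime type HTML is not possible.` and `... ending with .noexe is not allowed.`) call `httponly_accessforbidden` without a status code, while the sibling hunks of this file pass `400` for bad parameters and `403` for disallowed files. Both are policy refusals of an otherwise well-formed request, so `403` matches the `'This file is not qualified for preview'` case below: `httponly_accessforbidden('Error: Using the image wrapper to output a file with a mime type HTML is not possible.', 403);` and likewise for the `.noexe` line. Whatever the helper's default is, an explicit code keeps this wrapper's error responses uniform for log analysis and WAF rules.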
@@ -231,12 +231,12 @@ $refname = basename(dirname($original_file)."/");
// Check that file is allowed for view with viewimage.php
if (!empty($original_file) && !dolIsAllowedForPreview($original_file)) {
- accessforbidden('This file is not qualified for preview', 0, 0, 1);
+ httponly_accessforbidden('This file is not qualified for preview', 403);
}
// Security check
if (empty($modulepart)) {
- accessforbidden('Bad value for parameter modulepart', 0, 0, 1);
+ httponly_accessforbidden('Bad value for parameter modulepart', 400);
}
// When logged in a different entity, medias cannot be accessed because $conf->$module->multidir_output
diff --git a/htdocs/webhook/target_card.php b/htdocs/webhook/target_card.php
index 2b79fd3fced..a2251d7d4a9 100644
--- a/htdocs/webhook/target_card.php
+++ b/htdocs/webhook/target_card.php
@@ -191,7 +191,7 @@ llxHeader('', $title, $help_url);
// Part to create
if ($action == 'create') {
if (empty($permissiontoadd)) {
- accessforbidden($langs->trans('NotEnoughPermissions'), 0, 1);
+ accessforbidden('NotEnoughPermissions', 0, 1);
exit;
}
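Review bot: The `exit;` after `accessforbidden('NotEnoughPermissions', 0, 1);` is redundant if `accessforbidden` terminates the request, which every other call site in this change relies on (none of them is followed by `exit`). Either drop the `exit;` here or, if the helper can return under some argument combination, the guards elsewhere in the commit need it as well; the point is that the two conventions should not coexist. The enclosing `if ($action == 'create')` block continues past the hunk.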