diff --git a/htdocs/core/ajax/ajaxdirpreview.php b/htdocs/core/ajax/ajaxdirpreview.php
index a987f16a8c7..e4bf213c4eb 100644
--- a/htdocs/core/ajax/ajaxdirpreview.php
+++ b/htdocs/core/ajax/ajaxdirpreview.php
@@ -133,14 +133,19 @@ if (preg_match('/\.\./', $upload_dir) || preg_match('/[<>|]/', $upload_dir)) {
 exit;
 }
+if (empty($modulepart)) {
+ $modulepart = $module;
+}
+
 // Check permissions
 if ($modulepart == 'ecm') {
- if (!$user->rights->ecm->read) {
+ if (!$user->hasRight('ecm', 'read')) {
 accessforbidden();
 }
-}
-if ($modulepart == 'medias') {
+} elseif ($modulepart == 'medias' || $modulepart == 'website') {
 // Always allowed
+} else {
+ accessforbidden();
 }
@@ -174,7 +179,7 @@ if (!dol_is_dir($upload_dir)) {
 exit;*/
 }
-print ''."\n";
+print ''."\n";
 //print ''."\n";
 $param = ($sortfield ? '&sortfield='.urlencode($sortfield) : '').($sortorder ? '&sortorder='.urlencode($sortorder) : '');
diff --git a/htdocs/core/ajax/ajaxdirtree.php b/htdocs/core/ajax/ajaxdirtree.php
index c8b42bbf0e8..b3ffbc9232a 100644
--- a/htdocs/core/ajax/ajaxdirtree.php
+++ b/htdocs/core/ajax/ajaxdirtree.php
@@ -84,7 +84,7 @@ $fullpathselecteddir = '';
 if ($modulepart == 'ecm') {
 $fullpathselecteddir = $conf->ecm->dir_output.'/'.($selecteddir != '/' ? $selecteddir : '');
 $fullpathpreopened = $conf->ecm->dir_output.'/'.($preopened != '/' ? $preopened : '');
-} elseif ($modulepart == 'medias') {
+} elseif ($modulepart == 'medias' || $modulepart == 'website') {
 $fullpathselecteddir = $dolibarr_main_data_root.'/medias/'.($selecteddir != '/' ? $selecteddir : '');
 $fullpathpreopened = $dolibarr_main_data_root.'/medias/'.($preopened != '/' ? $preopened : '');
 }
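Review bot: The new fallback `$modulepart = $module;` reads a variable this hunk never sets, and the only assignment to `$module` visible in this commit is the `foreach ($conf->modules as $module)` loop in main.inc.php, whose loop variable keeps the last iterated entry when nothing matched, so the permission branch taken here can depend on which module happens to be enabled last. The same fallback appears in ajaxdirtree.php at the `@@ -99` hunk, where `$fullpathselecteddir` has already been derived from the pre-fallback `$modulepart` in the `@@ -84` hunk, so path resolution and the permission decision can disagree; the fallback belongs above the path computation there and, presumably, above the `$upload_dir` computation here, which lies outside this hunk. The default-deny `} else { accessforbidden(); }` is the right shape and should stay. While here, the comparisons could be strict, `if ($modulepart === 'ecm') {` and `} elseif ($modulepart === 'medias' || $modulepart === 'website') {`.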
@@ -99,15 +99,27 @@ if (preg_match('/\.\./', $fullpathselecteddir) || preg_match('/[<>|]/', $fullpat
 exit;
 }
+if (empty($modulepart)) {
+ $modulepart = $module;
+}
+
 // Check permissions
 if ($modulepart == 'ecm') {
- if (!$user->rights->ecm->read) {
+ if (!$user->hasRight('ecm', 'read')) {
 accessforbidden();
 }
-} elseif ($modulepart == 'medias') {
+} elseif ($modulepart == 'medias' || $modulepart == 'website') {
 // Always allowed
+} else {
+ accessforbidden();
 }
+/*
+ * Actions
+ */
+
+// None
+
 /*
 * View
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index eed0450e49f..b383a6eb7c2 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -270,7 +270,6 @@ if (!empty($_SERVER['DOCUMENT_ROOT']) && substr($_SERVER['DOCUMENT_ROOT'], -6) !
 set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
 }
-
 // Include the conf.php and functions.lib.php and security.lib.php. This defined the constants like DOL_DOCUMENT_ROOT, DOL_DATA_ROOT, DOL_URL_ROOT...
 require_once 'filefunc.inc.php';
@@ -640,11 +639,15 @@ $modulepart = explode("/", $_SERVER["PHP_SELF"]);
 if (is_array($modulepart) && count($modulepart) > 0) {
 foreach ($conf->modules as $module) {
 if (in_array($module, $modulepart)) {
- $conf->modulepart = $module;
+ $modulepart = $module;
 break;
 }
 }
 }
+if (is_array($modulepart)) {
+ $modulepart = '';
+}
+
 /*
 * Phase authentication / login
@@ -3106,7 +3109,7 @@ function main_area($title = '')
 print '';
 print '';
 if ($conf->global->MAIN_SHOW_LOGO && empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER) && !empty($conf->global->MAIN_INFO_SOCIETE_LOGO)) {
- print '';
+ print '';
 }
 print ''."\n";
 print ''.dol_escape_htmltag($conf->global->MAIN_INFO_SOCIETE_NOM).''."\n";
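Review bot: The `foreach ($conf->modules as $module)` loop in the `@@ -640` hunk of main.inc.php leaves `$module` set after it ends — to the matched module, or to the last entry of `$conf->modules` when nothing matched — and the ajaxdirpreview.php and ajaxdirtree.php hunks in this commit fall back on that very variable for their permission branch, so a non-matching lookup hands them an arbitrary enabled module. Since this hunk already normalises `$modulepart` to either the match or `''`, derive it from an explicitly initialised result instead of the leaked loop variable, and make the membership test strict with `in_array($candidatemodule, $modulepart, true)`. Check that nothing else in main.inc.php reads `$module` after this point before renaming the loop variable; `$modulepart` is an array at this point because of the `explode()` shown in the hunk header, which is why the final `is_array()` reset exists.
```php
// … unchanged: $modulepart = explode("/", $_SERVER["PHP_SELF"]); …
$module = '';
if (is_array($modulepart) && count($modulepart) > 0) {
	foreach ($conf->modules as $candidatemodule) {
		if (in_array($candidatemodule, $modulepart, true)) {
			$module = $candidatemodule;
			break;
		}
	}
}
$modulepart = $module;
```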