Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

FIX #yogosha13890

Browse Source
This commit is contained in:
Laurent Destailleur
2022-12-13 18:40:30 +01:00
parent bbeddae5f5
commit b4433ebdf9
3 changed files with 30 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
htdocs/core/ajax/ajaxdirpreview.php
View File

@@ -133,14 +133,19 @@ if (preg_match('/\.\./', $upload_dir) || preg_match('/[<>|]/', $upload_dir)) {
exit;
}
if (empty($modulepart)) {
$modulepart = $module;
}
// Check permissions
if ($modulepart == 'ecm') {
if (!$user->rights->ecm->read) {
if (!$user->hasRight('ecm', 'read')) {
accessforbidden();
}
}
if ($modulepart == 'medias') {
} elseif ($modulepart == 'medias' || $modulepart == 'website') {
// Always allowed
} else {
accessforbidden();
}
@@ -174,7 +179,7 @@ if (!dol_is_dir($upload_dir)) {
exit;*/
}
print '<!-- ajaxdirpreview type='.$type.' -->'."\n";
print '<!-- ajaxdirpreview type='.$type.' module='.$module.' modulepart='.$modulepart.'-->'."\n";
//print '<!-- Page called with mode='.dol_escape_htmltag(isset($mode)?$mode:'').' type='.dol_escape_htmltag($type).' module='.dol_escape_htmltag($module).' url='.dol_escape_htmltag($url).' '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
$param = ($sortfield ? '&sortfield='.urlencode($sortfield) : '').($sortorder ? '&sortorder='.urlencode($sortorder) : '');