From b5e66cc4920958159a3491c37da4e144624f0ff6 Mon Sep 17 00:00:00 2001 From: jfefe Date: Mon, 22 Apr 2013 15:00:29 +0200 Subject: [PATCH] Mutualize code for security check when accessing a document by document.php and bywebservice --- htdocs/core/lib/files.lib.php | 358 ++++++++++++++++++++++++++++ htdocs/document.php | 341 +------------------------- htdocs/webservices/server_other.php | 47 +--- 3 files changed, 366 insertions(+), 380 deletions(-) diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index 02d3cc16a76..9aea97696ec 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php @@ -1228,4 +1228,362 @@ function dol_most_recent_file($dir,$regexfilter='',$excludefilter=array('\.meta$ return $tmparray[0]; } +/** + * Security check when accessing to a document (used in document.php and webservices) + * @param string $modulepart module of document + * @param string $original_file relative path with filename + * @return mixed Array with access information : accessallowed & sqlprotectagainstexternals + */ +function dol_check_secure_access_document($modulepart,&$original_file) +{ + global $user, $conf; + + $accessallowed=0; + $sqlprotectagainstexternals=''; + $ret=array(); + + if ($modulepart) + { + // On fait une verification des droits et on definit le repertoire concerne + + // Wrapping for third parties + if ($modulepart == 'company' || $modulepart == 'societe') + { + if ($user->rights->societe->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->societe->multidir_output[$entity].'/'.$original_file; + $sqlprotectagainstexternals = "SELECT rowid as fk_soc FROM ".MAIN_DB_PREFIX."societe WHERE rowid='".$refname."' AND entity IN (".getEntity('societe', 1).")"; + } + + // Wrapping for invoices + else if ($modulepart == 'facture' || $modulepart == 'invoice') + { + if ($user->rights->facture->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->facture->dir_output.'/'.$original_file; + $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."facture WHERE ref='".$refname."' AND entity=".$conf->entity; + } + + else if ($modulepart == 'unpaid') + { + if ($user->rights->facture->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->facture->dir_output.'/unpaid/temp/'.$original_file; + } + + // Wrapping pour les fiches intervention + else if ($modulepart == 'ficheinter') + { + if ($user->rights->ficheinter->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->ficheinter->dir_output.'/'.$original_file; + $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."fichinter WHERE ref='".$refname."' AND entity=".$conf->entity; + } + + // Wrapping pour les deplacements et notes de frais + else if ($modulepart == 'deplacement') + { + if ($user->rights->deplacement->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->deplacement->dir_output.'/'.$original_file; + //$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."fichinter WHERE ref='".$refname."' AND entity=".$conf->entity; + } + + // Wrapping pour les prelevements + else if ($modulepart == 'prelevement') + { + if ($user->rights->prelevement->bons->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->prelevement->dir_output.'/'.$original_file; + } + + // Wrapping pour les propales + else if ($modulepart == 'propal') + { + if ($user->rights->propale->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + + $original_file=$conf->propal->dir_output.'/'.$original_file; + $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."propal WHERE ref='".$refname."' AND entity=".$conf->entity; + } + + // Wrapping pour les commandes + else if ($modulepart == 'commande' || $modulepart == 'order') + { + if ($user->rights->commande->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->commande->dir_output.'/'.$original_file; + $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."commande WHERE ref='".$refname."' AND entity=".$conf->entity; + } + + // Wrapping pour les projets + else if ($modulepart == 'project') + { + if ($user->rights->projet->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->projet->dir_output.'/'.$original_file; + $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."projet WHERE ref='".$refname."' AND entity=".$conf->entity; + } + + // Wrapping pour les commandes fournisseurs + else if ($modulepart == 'commande_fournisseur' || $modulepart == 'order_supplier') + { + if ($user->rights->fournisseur->commande->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->fournisseur->commande->dir_output.'/'.$original_file; + $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."commande_fournisseur WHERE ref='".$refname."' AND entity=".$conf->entity; + } + + // Wrapping pour les factures fournisseurs + else if ($modulepart == 'facture_fournisseur' || $modulepart == 'invoice_supplier') + { + if ($user->rights->fournisseur->facture->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->fournisseur->facture->dir_output.'/'.$original_file; + $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."facture_fourn WHERE facnumber='".$refname."' AND entity=".$conf->entity; + } + + // Wrapping pour les rapport de paiements + else if ($modulepart == 'facture_paiement') + { + if ($user->rights->facture->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + if ($user->societe_id > 0) $original_file=$conf->facture->dir_output.'/payments/private/'.$user->id.'/'.$original_file; + else $original_file=$conf->facture->dir_output.'/payments/'.$original_file; + } + + // Wrapping pour les exports de compta + else if ($modulepart == 'export_compta') + { + if ($user->rights->compta->ventilation->creer || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->compta->dir_output.'/'.$original_file; + } + + // Wrapping pour les expedition + else if ($modulepart == 'expedition') + { + if ($user->rights->expedition->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->expedition->dir_output."/sending/".$original_file; + } + + // Wrapping pour les bons de livraison + else if ($modulepart == 'livraison') + { + if ($user->rights->expedition->livraison->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->expedition->dir_output."/receipt/".$original_file; + } + + // Wrapping pour les actions + else if ($modulepart == 'actions') + { + if ($user->rights->agenda->myactions->read || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->agenda->dir_output.'/'.$original_file; + } + + // Wrapping pour les actions + else if ($modulepart == 'actionsreport') + { + if ($user->rights->agenda->allactions->read || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file = $conf->agenda->dir_temp."/".$original_file; + } + + // Wrapping pour les produits et services + else if ($modulepart == 'produit' || $modulepart == 'service') + { + if (($user->rights->produit->lire || $user->rights->service->lire) || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + if (! empty($conf->product->enabled)) $original_file=$conf->product->multidir_output[$entity].'/'.$original_file; + elseif (! empty($conf->service->enabled)) $original_file=$conf->service->multidir_output[$entity].'/'.$original_file; + } + + // Wrapping pour les contrats + else if ($modulepart == 'contract') + { + if ($user->rights->contrat->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->contrat->dir_output.'/'.$original_file; + } + + // Wrapping pour les dons + else if ($modulepart == 'donation') + { + if ($user->rights->don->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->don->dir_output.'/'.$original_file; + } + + // Wrapping pour les remises de cheques + else if ($modulepart == 'remisecheque') + { + if ($user->rights->banque->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + + $original_file=$conf->banque->dir_output.'/bordereau/'.get_exdir(basename($original_file,".pdf"),2,1).$original_file; + } + + // Wrapping for export module + else if ($modulepart == 'export') + { + // Aucun test necessaire car on force le rep de download sur + // le rep export qui est propre a l'utilisateur + $accessallowed=1; + $original_file=$conf->export->dir_temp.'/'.$user->id.'/'.$original_file; + } + + // Wrapping for import module + else if ($modulepart == 'import') + { + // Aucun test necessaire car on force le rep de download sur + // le rep export qui est propre a l'utilisateur + $accessallowed=1; + $original_file=$conf->import->dir_temp.'/'.$original_file; + } + + // Wrapping pour l'editeur wysiwyg + else if ($modulepart == 'editor') + { + // Aucun test necessaire car on force le rep de download sur + // le rep export qui est propre a l'utilisateur + $accessallowed=1; + $original_file=$conf->fckeditor->dir_output.'/'.$original_file; + } + + // Wrapping pour les backups + else if ($modulepart == 'systemtools') + { + if ($user->admin) + { + $accessallowed=1; + } + $original_file=$conf->admin->dir_output.'/'.$original_file; + } + + // Wrapping for upload file test + else if ($modulepart == 'admin_temp') + { + if ($user->admin) + $accessallowed=1; + $original_file=$conf->admin->dir_temp.'/'.$original_file; + } + + // Wrapping pour BitTorrent + else if ($modulepart == 'bittorrent') + { + $accessallowed=1; + $dir='files'; + if ($type == 'application/x-bittorrent') $dir='torrents'; + $original_file=$conf->bittorrent->dir_output.'/'.$dir.'/'.$original_file; + } + + // Wrapping pour Foundation module + else if ($modulepart == 'member') + { + if ($user->rights->adherent->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->adherent->dir_output.'/'.$original_file; + } + + // Wrapping for Scanner + else if ($modulepart == 'scanner_user_temp') + { + $accessallowed=1; + $original_file=$conf->scanner->dir_temp.'/'.$user->id.'/'.$original_file; + } + + // Generic wrapping + else + { + // For dir temp + $dir_temp=false; + if (preg_match('/\_temp$/i', $modulepart)) { + $modulepart = str_replace('_temp', '', $modulepart); + $dir_temp=true; + } + // Define $accessallowed + if (($user->rights->$modulepart->lire) || ($user->rights->$modulepart->read) || ($user->rights->$modulepart->download)) $accessallowed=1; // No subpermission, we have checked on main permission + elseif (preg_match('/^specimen/i',$original_file)) $accessallowed=1; // If link to a specimen + elseif ($user->admin) $accessallowed=1; // If user is admin + + // For modules who wants to manage different levels of permissions for documents + $subPermCategoryConstName = strtoupper($modulepart).'_SUBPERMCATEGORY_FOR_DOCUMENTS'; + if (! empty($conf->global->$subPermCategoryConstName)) + { + $subPermCategory = $conf->global->$subPermCategoryConstName; + if (! empty($subPermCategory) && (($user->rights->$modulepart->$subPermCategory->lire) || ($user->rights->$modulepart->$subPermCategory->read) || ($user->rights->$modulepart->$subPermCategory->download))) + { + $accessallowed=1; + } + } + + // Define $original_file + $dir = $conf->$modulepart->dir_output; + if ($dir_temp) $dir = $conf->$modulepart->dir_temp; + $original_file = $dir.'/'.$original_file; + + // Define $sqlprotectagainstexternals for modules who want to protect access using a SQL query. + $sqlProtectConstName = strtoupper($modulepart).'_SQLPROTECTAGAINSTEXTERNALS_FOR_DOCUMENTS'; + if (! empty($conf->global->$sqlProtectConstName)) // If module want to define its own $sqlprotectagainstexternals + { + // Example: mymodule__SQLPROTECTAGAINSTEXTERNALS_FOR_DOCUMENTS = "SELECT fk_soc FROM ".MAIN_DB_PREFIX.$modulepart." WHERE ref='".$refname."' AND entity=".$conf->entity; + eval('$sqlprotectagainstexternals = "'.$conf->global->$sqlProtectConstName.'";'); + } + } + + $ret = array( + 'accessallowed' => $accessallowed, + 'sqlprotectagainstexternals'=>$sqlprotectagainstexternals + ); + + } + return $ret; +} ?> diff --git a/htdocs/document.php b/htdocs/document.php index 2a04ba28a74..7e7132db901 100644 --- a/htdocs/document.php +++ b/htdocs/document.php @@ -96,344 +96,9 @@ $refname=basename(dirname($original_file)."/"); // Security check $accessallowed=0; -$sqlprotectagainstexternals=''; -if ($modulepart) -{ - // On fait une verification des droits et on definit le repertoire concerne - - // Wrapping for third parties - if ($modulepart == 'company' || $modulepart == 'societe') - { - if ($user->rights->societe->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->societe->multidir_output[$entity].'/'.$original_file; - $sqlprotectagainstexternals = "SELECT rowid as fk_soc FROM ".MAIN_DB_PREFIX."societe WHERE rowid='".$refname."' AND entity IN (".getEntity('societe', 1).")"; - } - - // Wrapping for invoices - else if ($modulepart == 'facture' || $modulepart == 'invoice') - { - if ($user->rights->facture->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->facture->dir_output.'/'.$original_file; - $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."facture WHERE ref='".$refname."' AND entity=".$conf->entity; - } - - else if ($modulepart == 'unpaid') - { - if ($user->rights->facture->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->facture->dir_output.'/unpaid/temp/'.$original_file; - } - - // Wrapping pour les fiches intervention - else if ($modulepart == 'ficheinter') - { - if ($user->rights->ficheinter->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->ficheinter->dir_output.'/'.$original_file; - $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."fichinter WHERE ref='".$refname."' AND entity=".$conf->entity; - } - - // Wrapping pour les deplacements et notes de frais - else if ($modulepart == 'deplacement') - { - if ($user->rights->deplacement->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->deplacement->dir_output.'/'.$original_file; - //$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."fichinter WHERE ref='".$refname."' AND entity=".$conf->entity; - } - - // Wrapping pour les prelevements - else if ($modulepart == 'prelevement') - { - if ($user->rights->prelevement->bons->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->prelevement->dir_output.'/'.$original_file; - } - - // Wrapping pour les propales - else if ($modulepart == 'propal') - { - if ($user->rights->propale->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - - $original_file=$conf->propal->dir_output.'/'.$original_file; - $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."propal WHERE ref='".$refname."' AND entity=".$conf->entity; - } - - // Wrapping pour les commandes - else if ($modulepart == 'commande' || $modulepart == 'order') - { - if ($user->rights->commande->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->commande->dir_output.'/'.$original_file; - $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."commande WHERE ref='".$refname."' AND entity=".$conf->entity; - } - - // Wrapping pour les projets - else if ($modulepart == 'project') - { - if ($user->rights->projet->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->projet->dir_output.'/'.$original_file; - $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."projet WHERE ref='".$refname."' AND entity=".$conf->entity; - } - - // Wrapping pour les commandes fournisseurs - else if ($modulepart == 'commande_fournisseur' || $modulepart == 'order_supplier') - { - if ($user->rights->fournisseur->commande->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->fournisseur->commande->dir_output.'/'.$original_file; - $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."commande_fournisseur WHERE ref='".$refname."' AND entity=".$conf->entity; - } - - // Wrapping pour les factures fournisseurs - else if ($modulepart == 'facture_fournisseur' || $modulepart == 'invoice_supplier') - { - if ($user->rights->fournisseur->facture->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->fournisseur->facture->dir_output.'/'.$original_file; - $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."facture_fourn WHERE facnumber='".$refname."' AND entity=".$conf->entity; - } - - // Wrapping pour les rapport de paiements - else if ($modulepart == 'facture_paiement') - { - if ($user->rights->facture->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - if ($user->societe_id > 0) $original_file=$conf->facture->dir_output.'/payments/private/'.$user->id.'/'.$original_file; - else $original_file=$conf->facture->dir_output.'/payments/'.$original_file; - } - - // Wrapping pour les exports de compta - else if ($modulepart == 'export_compta') - { - if ($user->rights->compta->ventilation->creer || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->compta->dir_output.'/'.$original_file; - } - - // Wrapping pour les expedition - else if ($modulepart == 'expedition') - { - if ($user->rights->expedition->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->expedition->dir_output."/sending/".$original_file; - } - - // Wrapping pour les bons de livraison - else if ($modulepart == 'livraison') - { - if ($user->rights->expedition->livraison->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->expedition->dir_output."/receipt/".$original_file; - } - - // Wrapping pour les actions - else if ($modulepart == 'actions') - { - if ($user->rights->agenda->myactions->read || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->agenda->dir_output.'/'.$original_file; - } - - // Wrapping pour les actions - else if ($modulepart == 'actionsreport') - { - if ($user->rights->agenda->allactions->read || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file = $conf->agenda->dir_temp."/".$original_file; - } - - // Wrapping pour les produits et services - else if ($modulepart == 'produit' || $modulepart == 'service') - { - if (($user->rights->produit->lire || $user->rights->service->lire) || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - if (! empty($conf->product->enabled)) $original_file=$conf->product->multidir_output[$entity].'/'.$original_file; - elseif (! empty($conf->service->enabled)) $original_file=$conf->service->multidir_output[$entity].'/'.$original_file; - } - - // Wrapping pour les contrats - else if ($modulepart == 'contract') - { - if ($user->rights->contrat->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->contrat->dir_output.'/'.$original_file; - } - - // Wrapping pour les dons - else if ($modulepart == 'donation') - { - if ($user->rights->don->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->don->dir_output.'/'.$original_file; - } - - // Wrapping pour les remises de cheques - else if ($modulepart == 'remisecheque') - { - if ($user->rights->banque->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - - $original_file=$conf->banque->dir_output.'/bordereau/'.get_exdir(basename($original_file,".pdf"),2,1).$original_file; - } - - // Wrapping for export module - else if ($modulepart == 'export') - { - // Aucun test necessaire car on force le rep de download sur - // le rep export qui est propre a l'utilisateur - $accessallowed=1; - $original_file=$conf->export->dir_temp.'/'.$user->id.'/'.$original_file; - } - - // Wrapping for import module - else if ($modulepart == 'import') - { - // Aucun test necessaire car on force le rep de download sur - // le rep export qui est propre a l'utilisateur - $accessallowed=1; - $original_file=$conf->import->dir_temp.'/'.$original_file; - } - - // Wrapping pour l'editeur wysiwyg - else if ($modulepart == 'editor') - { - // Aucun test necessaire car on force le rep de download sur - // le rep export qui est propre a l'utilisateur - $accessallowed=1; - $original_file=$conf->fckeditor->dir_output.'/'.$original_file; - } - - // Wrapping pour les backups - else if ($modulepart == 'systemtools') - { - if ($user->admin) - { - $accessallowed=1; - } - $original_file=$conf->admin->dir_output.'/'.$original_file; - } - - // Wrapping for upload file test - else if ($modulepart == 'admin_temp') - { - if ($user->admin) - $accessallowed=1; - $original_file=$conf->admin->dir_temp.'/'.$original_file; - } - - // Wrapping pour BitTorrent - else if ($modulepart == 'bittorrent') - { - $accessallowed=1; - $dir='files'; - if ($type == 'application/x-bittorrent') $dir='torrents'; - $original_file=$conf->bittorrent->dir_output.'/'.$dir.'/'.$original_file; - } - - // Wrapping pour Foundation module - else if ($modulepart == 'member') - { - if ($user->rights->adherent->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->adherent->dir_output.'/'.$original_file; - } - - // Wrapping for Scanner - else if ($modulepart == 'scanner_user_temp') - { - $accessallowed=1; - $original_file=$conf->scanner->dir_temp.'/'.$user->id.'/'.$original_file; - } - - // Generic wrapping - else - { - // For dir temp - $dir_temp=false; - if (preg_match('/\_temp$/i', $modulepart)) { - $modulepart = str_replace('_temp', '', $modulepart); - $dir_temp=true; - } - // Define $accessallowed - if (($user->rights->$modulepart->lire) || ($user->rights->$modulepart->read) || ($user->rights->$modulepart->download)) $accessallowed=1; // No subpermission, we have checked on main permission - elseif (preg_match('/^specimen/i',$original_file)) $accessallowed=1; // If link to a specimen - elseif ($user->admin) $accessallowed=1; // If user is admin - - // For modules who wants to manage different levels of permissions for documents - $subPermCategoryConstName = strtoupper($modulepart).'_SUBPERMCATEGORY_FOR_DOCUMENTS'; - if (! empty($conf->global->$subPermCategoryConstName)) - { - $subPermCategory = $conf->global->$subPermCategoryConstName; - if (! empty($subPermCategory) && (($user->rights->$modulepart->$subPermCategory->lire) || ($user->rights->$modulepart->$subPermCategory->read) || ($user->rights->$modulepart->$subPermCategory->download))) - { - $accessallowed=1; - } - } - - // Define $original_file - $dir = $conf->$modulepart->dir_output; - if ($dir_temp) $dir = $conf->$modulepart->dir_temp; - $original_file = $dir.'/'.$original_file; - - // Define $sqlprotectagainstexternals for modules who want to protect access using a SQL query. - $sqlProtectConstName = strtoupper($modulepart).'_SQLPROTECTAGAINSTEXTERNALS_FOR_DOCUMENTS'; - if (! empty($conf->global->$sqlProtectConstName)) // If module want to define its own $sqlprotectagainstexternals - { - // Example: mymodule__SQLPROTECTAGAINSTEXTERNALS_FOR_DOCUMENTS = "SELECT fk_soc FROM ".MAIN_DB_PREFIX.$modulepart." WHERE ref='".$refname."' AND entity=".$conf->entity; - eval('$sqlprotectagainstexternals = "'.$conf->global->$sqlProtectConstName.'";'); - } - } -} - +$check_access = dol_check_secure_access_document($modulepart,$original_file); +$accessallowed=$check_access['accessallowed']; +$sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals']; // Basic protection (against external users only) if ($user->societe_id > 0) diff --git a/htdocs/webservices/server_other.php b/htdocs/webservices/server_other.php index 3578796838b..23c22807002 100644 --- a/htdocs/webservices/server_other.php +++ b/htdocs/webservices/server_other.php @@ -220,48 +220,11 @@ function getDocument($authentication, $modulepart, $file) // find the subdirectory name as the reference $refname=basename(dirname($original_file)."/"); - // Wrapping for invoices - if ($modulepart == 'facture') - { - if ($fuser->rights->facture->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file = $conf->facture->dir_output.'/'.$original_file; - $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."facture WHERE ref='".$refname."' AND entity=".$conf->entity; - } - // Wrapping pour les propales - else if ($modulepart == 'propal') - { - if ($fuser->rights->propal->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file = $conf->propal->dir_output.'/'.$original_file; - $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."propal WHERE ref='".$refname."' AND entity=".$conf->entity; - } - - // Wrapping pour les commandes - else if ($modulepart == 'commande') - { - if ($fuser->rights->commande->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->commande->dir_output.'/'.$original_file; - $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."commande WHERE ref='".$refname."' AND entity=".$conf->entity; - } - // Wrapping pour generic module - else - { - if ($fuser->rights->$modulepart->read || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->$modulepart->dir_output.'/'.$original_file; - // TODO - //$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."registration WHERE ref='".$refname."' AND entity=".$conf->entity; - } + // Security check + $accessallowed=0; + $check_access = dol_check_secure_access_document($modulepart,$original_file); + $accessallowed=$check_access['accessallowed']; + $sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals']; // Basic protection (against external users only) if ($fuser->societe_id > 0)