Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2026-01-06 09:02:59 +01:00
Code Issues Packages Projects Releases Wiki Activity

FIX A non admin user can not download files attached to user.

Browse Source
This commit is contained in:
Laurent Destailleur
2017-04-27 00:53:13 +02:00
parent 113d4d1665
commit 95788c9699
1 changed files with 13 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
htdocs/core/lib/files.lib.php
View File

@@ -1385,7 +1385,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu
$sqlprotectagainstexternals='';
$ret=array();
// find the subdirectory name as the reference
// Find the subdirectory name as the reference. For exemple original_file='10/myfile.pdf' -> refname='10'
if (empty($refname)) $refname=basename(dirname($original_file)."/");
$relative_original_file = $original_file;
@@ -1553,6 +1553,18 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu
$original_file=$conf->fckeditor->dir_output.'/'.$original_file;
}
// Wrapping for users
else if ($modulepart == 'user' && !empty($conf->user->dir_output))
{
$canreaduser=(! empty($fuser->admin) || $fuser->rights->user->user->lire);
if ($user->id == (int) $refname) { $canreaduser=1; } // A user can always read its own card
if ($canreaduser || preg_match('/^specimen/i',$original_file))
{
$accessallowed=1;
}
$original_file=$conf->user->dir_output.'/'.$original_file;
}
// Wrapping for third parties
else if (($modulepart == 'company' || $modulepart == 'societe') && !empty($conf->societe->dir_output))
{