Fix url for barcode of profile should use securekey.

Laurent Destailleur
2025-06-02 00:10:36 +02:00
parent 5771b6bd1f
commit a151e3d7b5
2 changed files with 31 additions and 5 deletions


@@ -307,6 +307,7 @@ if (getDolGlobalString('USER_IMAGE_PUBLIC_INTERFACE')) {
print '</div>';
}
// url for the download .vcf file link
$urlforqrcode = $object->getOnlineVirtualCardUrl('vcard');
$socialnetworksdict = getArrayOfSocialNetworks();
@@ -319,10 +320,17 @@ if ($showbarcode) {
$filename = $v->buildVCardString($object, $company, $langs, '', $outdir);
$encodedsecurekey = dol_hash($conf->file->instance_unique_id.'uservirtualcard'.$object->id.'-'.$object->login, 'md5');
if (isModEnabled('multicompany')) {
$entity_qr = '&entity='.((int) $conf->entity);
} else {
$entity_qr = '';
}
print '<br>';
print '<div class="floatleft inline-block valignmiddle paddingleft paddingright">';
//print '<!-- filename = '.dol_escape_htmltag($filename).' -->';
print '<img style="max-width: 100%" src="'.$dolibarr_main_url_root.'/viewimage.php?modulepart=barcode&entity='.((int) $conf->entity).'&generator=tcpdfbarcode&encoding=QRCODE&code='.urlencode(basename($filename)).'">';
print '<img style="max-width: 100%" src="'.$dolibarr_main_url_root.'/viewimage.php?modulepart=barcode'.$entity_qr.'&generator=tcpdfbarcode&encoding=QRCODE&code='.urlencode(basename($filename)).'&securekey='.$encodedsecurekey.'">';
print '</div>';
print '<br>';
}
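Review bot: The `$encodedsecurekey = dol_hash(...'uservirtualcard'.$object->id.'-'.$object->login, 'md5');` line in the `$showbarcode` block writes out by hand the same formula that the viewimage.php side of this commit recomputes, so the two copies can drift apart silently, and the barcode would then presumably encode `badvalueforsecurekey` instead of the card. A small shared helper would tie them together, or at least a comment on this line such as `// Must stay identical to the securekey recomputed in viewimage.php for modulepart=barcode`. The key is concatenated into the `src` attribute as-is, which is harmless for a hex digest, but passing it through `urlencode()` as is done for `basename($filename)` would keep the URL building uniform. The `if ($showbarcode)` block starts outside the hunk.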


@@ -353,14 +353,32 @@ if ($modulepart == 'barcode') {
$reg = array();
if (preg_match('/^virtualcard_([^_]+)_(\d+)\.vcf$/', $code, $reg)) {
$vcffile = '';
if ($reg[1] == 'user') {
$id = 0;
$login = '';
if ($reg[1] == 'user' && (int) $reg[2] > 0) {
$vcffile = $conf->user->dir_temp.'/'.$code;
} elseif ($reg[1] == 'contact') {
$id = (int) $reg[2];
$tmpuser = new User($db);
$tmpuser->fetch($id);
$login = $tmpuser->login;
} elseif ($reg[1] == 'contact' && (int) $reg[2] > 0) {
$vcffile = $conf->contact->dir_temp.'/'.$code;
$id = (int) $reg[2];
}
if ($vcffile) {
$code = file_get_contents($vcffile);
$code = '';
if ($vcffile && $id) {
// Case of use of viewimage to get the barcode for user pubic profile,
// we must check the securekey that protet against forging url
if ($reg[1] == 'user' && (int) $reg[2] > 0) {
$encodedsecurekey = dol_hash($conf->file->instance_unique_id.'uservirtualcard'.$id.'-'.$login, 'md5');
if ($encodedsecurekey != GETPOST('securekey')) {
$code = 'badvalueforsecurekey';
}
}
if (empty($code)) {
$code = file_get_contents($vcffile);
}
}
}
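Review bot: The securekey test uses a loose comparison (`if ($encodedsecurekey != GETPOST('securekey'))`), which is not constant-time and lets PHP compare two numeric-looking strings as numbers, so a hex digest should not be checked this way; use `if (!hash_equals($encodedsecurekey, (string) GETPOST('securekey'))) {`. The check is also limited to `$reg[1] == 'user'`, so the `contact` branch still reads its .vcf with no key at all; if contact cards are not meant to be retrievable by id alone, that branch needs an equivalent check. The return value of `$tmpuser->fetch($id)` is not tested, so an unknown id continues with whatever `$tmpuser->login` holds (presumably empty); stopping on a failed fetch would be clearer than relying on the hash mismatch. The comment above the check has two typos (`pubic`, `protet`). The enclosing `if ($modulepart == 'barcode')` block starts outside the hunk.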