FIX #yogosha12266
@@ -51,7 +51,7 @@ if ($result > 0) {
|
|||||||
} elseif ($result < 0) {
|
} elseif ($result < 0) {
|
||||||
dol_print_error('', $object->error, $object->errors);
|
dol_print_error('', $object->error, $object->errors);
|
||||||
} elseif ($result == 0) {
|
} elseif ($result == 0) {
|
||||||
accessforbidden($langs->trans('ErrorRecordNotFound'));
|
accessforbidden('ErrorRecordNotFound');
|
||||||
}
|
}
|
||||||
|
|
||||||
$hookmanager->initHooks(array('globaljournal', $object->nature.'journal'));
|
$hookmanager->initHooks(array('globaljournal', $object->nature.'journal'));
|
||||||
|
|||||||
@@ -35,8 +35,8 @@ if (!$user->admin) {
|
|||||||
|
|
||||||
$action = GETPOST('action', 'aZ09');
|
$action = GETPOST('action', 'aZ09');
|
||||||
|
|
||||||
if (!in_array('clicktodial', $conf->modules)) {
|
if (!isModEnabled('clicktodial')) {
|
||||||
accessforbidden($langs->trans("WarningModuleNotActive", $langs->transnoentitiesnoconv("Module58Name")));
|
accessforbidden($langs->transnoentitiesnoconv("WarningModuleNotActive", $langs->transnoentitiesnoconv("Module58Name")));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
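Review bot: The message handed to accessforbidden() is now built with `$langs->transnoentitiesnoconv()`, i.e. deliberately not HTML-encoded at the call site, which is only safe because accessforbidden() runs its argument through `$langs->trans()` (visible later in this commit) and, as Dolibarr's translator normally does, encodes it on output; that contract is invisible here. A call-site comment such as `// Raw (non-encoded) text: accessforbidden() translates and HTML-encodes it once` would stop a future editor from re-wrapping it in trans() (double encoding) or from pushing request-derived text through the same path. The rest of the admin page is outside the hunk.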
@@ -76,6 +76,8 @@ if (preg_match('/\/api\/index\.php/', $_SERVER["PHP_SELF"])) {
|
|||||||
header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE');
|
header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE');
|
||||||
header('Access-Control-Allow-Headers: Content-Type, Authorization, api_key, DOLAPIKEY');
|
header('Access-Control-Allow-Headers: Content-Type, Authorization, api_key, DOLAPIKEY');
|
||||||
}
|
}
|
||||||
|
header('X-Frame-Options: SAMEORIGIN');
|
||||||
|
|
||||||
|
|
||||||
$res = 0;
|
$res = 0;
|
||||||
if (!$res && file_exists("../main.inc.php")) {
|
if (!$res && file_exists("../main.inc.php")) {
|
||||||
|
|||||||
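Review bot: The new `header('X-Frame-Options: SAMEORIGIN')` sits after the `}` that closes the `/api/index.php` branch, so it applies to every request through this file and is sent before main.inc.php is loaded; if main.inc.php (not visible here) later emits its own X-Frame-Options, PHP's default replace behaviour overwrites this one, so the effective policy is whatever is sent last and that should be confirmed. Since the commit pairs `X-Content-Type-Options: nosniff` with X-Frame-Options on the website error pages, the same pairing fits here: `header('X-Content-Type-Options: nosniff');`. For the API branch specifically, JSON responses have no legitimate framing use, so `DENY` (or a `Content-Security-Policy: frame-ancestors 'none'` directive, which supersedes X-Frame-Options in current browsers) would be the stricter choice inside that branch.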
@@ -563,7 +563,7 @@ if ($type == Categorie::TYPE_PRODUCT) {
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
print_barre_liste($langs->trans("ProductsAndServices"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'products');
|
print_barre_liste($langs->trans("ProductsAndServices"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'products');
|
||||||
accessforbidden($langs->trans("NotEnoughPermissions"), 0, 0);
|
accessforbidden("NotEnoughPermissions", 0, 0);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -643,7 +643,7 @@ if ($type == Categorie::TYPE_CUSTOMER) {
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
print_barre_liste($langs->trans("Customers"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'companies');
|
print_barre_liste($langs->trans("Customers"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'companies');
|
||||||
accessforbidden($langs->trans("NotEnoughPermissions"), 0, 0);
|
accessforbidden("NotEnoughPermissions", 0, 0);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -724,7 +724,7 @@ if ($type == Categorie::TYPE_SUPPLIER) {
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
print_barre_liste($langs->trans("Suppliers"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'companies');
|
print_barre_liste($langs->trans("Suppliers"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'companies');
|
||||||
accessforbidden($langs->trans("NotEnoughPermissions"), 0, 0);
|
accessforbidden("NotEnoughPermissions", 0, 0);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -808,7 +808,7 @@ if ($type == Categorie::TYPE_MEMBER) {
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
print_barre_liste($langs->trans("Member"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'members');
|
print_barre_liste($langs->trans("Member"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'members');
|
||||||
accessforbidden($langs->trans("NotEnoughPermissions"), 0, 0);
|
accessforbidden("NotEnoughPermissions", 0, 0);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -895,7 +895,7 @@ if ($type == Categorie::TYPE_CONTACT) {
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
print_barre_liste($langs->trans("Contact"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'contact');
|
print_barre_liste($langs->trans("Contact"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'contact');
|
||||||
accessforbidden($langs->trans("NotEnoughPermissions"), 0, 0);
|
accessforbidden("NotEnoughPermissions", 0, 0);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -977,7 +977,7 @@ if ($type == Categorie::TYPE_ACCOUNT) {
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
print_barre_liste($langs->trans("Banque"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'bank');
|
print_barre_liste($langs->trans("Banque"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'bank');
|
||||||
accessforbidden($langs->trans("NotEnoughPermissions"), 0, 0);
|
accessforbidden("NotEnoughPermissions", 0, 0);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1060,7 +1060,7 @@ if ($type == Categorie::TYPE_PROJECT) {
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
print_barre_liste($langs->trans("Project"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'project');
|
print_barre_liste($langs->trans("Project"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'project');
|
||||||
accessforbidden($langs->trans("NotEnoughPermissions"), 0, 0);
|
accessforbidden("NotEnoughPermissions", 0, 0);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1137,7 +1137,7 @@ if ($type == Categorie::TYPE_USER) {
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
print_barre_liste($langs->trans("Users"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'user');
|
print_barre_liste($langs->trans("Users"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'user');
|
||||||
accessforbidden($langs->trans("NotEnoughPermissions"), 0, 0);
|
accessforbidden("NotEnoughPermissions", 0, 0);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1201,7 +1201,7 @@ if ($type == Categorie::TYPE_WAREHOUSE) {
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
print_barre_liste($langs->trans("Warehouse"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'stock');
|
print_barre_liste($langs->trans("Warehouse"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'stock');
|
||||||
accessforbidden($langs->trans("NotEnoughPermissions"), 0, 0);
|
accessforbidden("NotEnoughPermissions", 0, 0);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1280,7 +1280,7 @@ if ($type == Categorie::TYPE_TICKET) {
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
print_barre_liste($langs->trans("Ticket"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'ticket');
|
print_barre_liste($langs->trans("Ticket"), null, $_SERVER["PHP_SELF"], '', '', '', '', '', '', 'ticket');
|
||||||
accessforbidden($langs->trans("NotEnoughPermissions"), 0, 0);
|
accessforbidden("NotEnoughPermissions", 0, 0);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
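Review bot: In every one of these branches the refusal is rendered after `print_barre_liste()` has already written page output, so `accessforbidden("NotEnoughPermissions", 0, 0)` can no longer affect the HTTP status and the response almost certainly goes out as 200 with an inline error; to anything that keys on status codes (monitoring, scanners, access-log review) an unauthorized request to this list is indistinguishable from a successful one. If the inline rendering is intentional, a comment on the first occurrence such as `// Permission denied is shown inline; the HTTP status was already sent with the page header` documents that, otherwise the right-check belongs before any output. The same two-line pattern is repeated once per category type in this file and is a natural candidate for a small helper.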
@@ -27,10 +27,6 @@
|
|||||||
* \brief Page to list actions
|
* \brief Page to list actions
|
||||||
*/
|
*/
|
||||||
|
|
||||||
if (!defined("NOREDIRECTBYMAINTOLOGIN")) {
|
|
||||||
define('NOREDIRECTBYMAINTOLOGIN', 1);
|
|
||||||
}
|
|
||||||
|
|
||||||
require '../../main.inc.php';
|
require '../../main.inc.php';
|
||||||
require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php';
|
require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php';
|
||||||
require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php';
|
require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php';
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
<?php
|
<?php
|
||||||
/*
|
/* Copyright (C) 2015-2022 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||||
|
*
|
||||||
* This program is free software; you can redistribute it and/or modify
|
* This program is free software; you can redistribute it and/or modify
|
||||||
* it under the terms of the GNU General Public License as published by
|
* it under the terms of the GNU General Public License as published by
|
||||||
* the Free Software Foundation; either version 3 of the License, or
|
* the Free Software Foundation; either version 3 of the License, or
|
||||||
@@ -65,13 +66,15 @@ if (!empty($user->socid)) {
|
|||||||
$socid = $user->socid;
|
$socid = $user->socid;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
//$user->rights->societe->lire = 0;$user->rights->fournisseur->lire = 0;
|
||||||
|
//restrictedArea($user, 'societe', $id);
|
||||||
|
|
||||||
if (in_array($field, array('status'))) {
|
if (in_array($field, array('status'))) {
|
||||||
restrictedArea($user, $element, $id);
|
restrictedArea($user, $element, $id);
|
||||||
} elseif ($element == 'product' && in_array($field, array('tosell', 'tobuy', 'tobatch'))) { // Special case for products
|
} elseif ($element == 'product' && in_array($field, array('tosell', 'tobuy', 'tobatch'))) { // Special case for products
|
||||||
restrictedArea($user, 'produit|service', $id, 'product&product', '', '', 'rowid');
|
restrictedArea($user, 'produit|service', $id, 'product&product', '', '', 'rowid');
|
||||||
} else {
|
} else {
|
||||||
accessforbidden("Bad value for combination of parameters element/field.", 0, 0, 1);
|
httponly_accessforbidden("Bad value for combination of parameters element/field.");
|
||||||
exit;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
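Review bot: The fallback for an unsupported element/field combination relies on httponly_accessforbidden()'s default 403, while the analogous malformed-parameter refusals this commit makes in document.php use 400; a bad `$element`/`$field` pair is a client error, not an authorization failure, so `httponly_accessforbidden("Bad value for combination of parameters element/field.", 400);` would be both consistent and more accurate for an AJAX endpoint. The message is a fixed literal that does not echo `$element` or `$field` back, which is the right choice. The parameter parsing for `$element`, `$field` and `$id` is above the hunk.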
@@ -40,6 +40,7 @@ if (!isset($usedbyinclude) || empty($usedbyinclude)) {
|
|||||||
define('NOREQUIREAJAX', '1');
|
define('NOREQUIREAJAX', '1');
|
||||||
}
|
}
|
||||||
if (!defined('NOREDIRECTBYMAINTOLOGIN')) {
|
if (!defined('NOREDIRECTBYMAINTOLOGIN')) {
|
||||||
|
// Disable redirect to main login because the selectsearch must not ask a login
|
||||||
define('NOREDIRECTBYMAINTOLOGIN', '1');
|
define('NOREDIRECTBYMAINTOLOGIN', '1');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -4955,8 +4955,9 @@ function dol_print_error($db = '', $error = '', $errors = null)
|
|||||||
$out .= "<br>\n";
|
$out .= "<br>\n";
|
||||||
}
|
}
|
||||||
|
|
||||||
// Return a http error code if possible
|
// Return a http header with error code if possible
|
||||||
if (!headers_sent()) {
|
if (!headers_sent()) {
|
||||||
|
top_httphead();
|
||||||
http_response_code(500);
|
http_response_code(500);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -329,11 +329,11 @@ function dolGetLdapPasswordHash($password, $type = 'md5')
|
|||||||
* @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
|
* @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
|
||||||
* @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optional)
|
* @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optional)
|
||||||
* @param int $isdraft 1=The object with id=$objectid is a draft
|
* @param int $isdraft 1=The object with id=$objectid is a draft
|
||||||
* @param int $mode Mode (0=default, 1=return with not die)
|
* @param int $mode Mode (0=default, 1=return without dieing)
|
||||||
* @return int If mode = 0 (default): Always 1, die process if not allowed. If mode = 1: Return 0 if access not allowed.
|
* @return int If mode = 0 (default): Always 1, die process if not allowed. If mode = 1: Return 0 if access not allowed.
|
||||||
* @see dol_check_secure_access_document(), checkUserAccessToObject()
|
* @see dol_check_secure_access_document(), checkUserAccessToObject()
|
||||||
*/
|
*/
|
||||||
function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid', $isdraft = 0, $mode = 0)
|
function restrictedArea(User $user, $features, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid', $isdraft = 0, $mode = 0)
|
||||||
{
|
{
|
||||||
global $db, $conf;
|
global $db, $conf;
|
||||||
global $hookmanager;
|
global $hookmanager;
|
||||||
@@ -1024,22 +1024,27 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
|
|||||||
*
|
*
|
||||||
* @param string $message Force error message
|
* @param string $message Force error message
|
||||||
* @param int $http_response_code HTTP response code
|
* @param int $http_response_code HTTP response code
|
||||||
|
* @param int $stringalreadysanitized 1 if string is already sanitized with HTML entities
|
||||||
* @return void
|
* @return void
|
||||||
* @see accessforbidden()
|
* @see accessforbidden()
|
||||||
*/
|
*/
|
||||||
function httponly_accessforbidden($message = 1, $http_response_code = 403)
|
function httponly_accessforbidden($message = 1, $http_response_code = 403, $stringalreadysanitized = 0)
|
||||||
{
|
{
|
||||||
top_httphead('text/html');
|
top_httphead();
|
||||||
http_response_code($http_response_code);
|
http_response_code($http_response_code);
|
||||||
|
|
||||||
|
if ($stringalreadysanitized) {
|
||||||
|
print $message;
|
||||||
|
} else {
|
||||||
print htmlentities($message);
|
print htmlentities($message);
|
||||||
|
}
|
||||||
|
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Show a message to say access is forbidden and stop program.
|
* Show a message to say access is forbidden and stop program.
|
||||||
* This includes HTTP and HTML header and footer.
|
* This includes HTTP and HTML header and footer (except if $printheader and $printfooter is 0, use this case inside an already started page).
|
||||||
* Calling this function terminate execution of PHP.
|
* Calling this function terminate execution of PHP.
|
||||||
*
|
*
|
||||||
* @param string $message Force error message
|
* @param string $message Force error message
|
||||||
@@ -1070,7 +1075,7 @@ function accessforbidden($message = '', $printheader = 1, $printfooter = 1, $sho
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
print '<div class="error">';
|
print '<div class="error">';
|
||||||
if (!$message) {
|
if (empty($message)) {
|
||||||
print $langs->trans("ErrorForbidden");
|
print $langs->trans("ErrorForbidden");
|
||||||
} else {
|
} else {
|
||||||
print $langs->trans($message);
|
print $langs->trans($message);
|
||||||
|
|||||||
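Review bot: The new `$stringalreadysanitized` switch makes `print $message;` emit the argument verbatim, so any caller that sets it owns the HTML-safety of the entire string; in this commit it is used with markup assembled from `$langs->trans()` output and `DOL_URL_ROOT`, which holds only as long as trans() keeps HTML-encoding its result. The parameter doc should state the precondition, e.g. `@param int $stringalreadysanitized 1 if $message is already HTML-encoded; never set for text derived from request parameters`. On the default path `htmlentities($message)` uses PHP-version-dependent defaults — before PHP 8.1 single quotes are left alone, and an invalid UTF-8 sequence makes the call return an empty string, silently dropping the message — so `print htmlentities($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` pins the behaviour. In the restrictedArea() hunk above, the new `User $user` type hint turns a wrong-typed caller into a TypeError (fail-closed, but a fatal rather than an accessforbidden()); its `@param` line for `$user`, above that hunk, should be updated to match. The body of accessforbidden() continues past the hunk.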
@@ -33,10 +33,8 @@ if (empty($conf) || !is_object($conf)) {
|
|||||||
// DDOS protection
|
// DDOS protection
|
||||||
$size = (empty($_SERVER['CONTENT_LENGTH']) ? 0 : (int) $_SERVER['CONTENT_LENGTH']);
|
$size = (empty($_SERVER['CONTENT_LENGTH']) ? 0 : (int) $_SERVER['CONTENT_LENGTH']);
|
||||||
if ($size > 10000) {
|
if ($size > 10000) {
|
||||||
http_response_code(413);
|
|
||||||
$langs->loadLangs(array("errors", "install"));
|
$langs->loadLangs(array("errors", "install"));
|
||||||
accessforbidden('<center>'.$langs->trans("ErrorRequestTooLarge").'.<br><a href="'.DOL_URL_ROOT.'">'.$langs->trans("ClickHereToGoToApp").'</a></center>', 0, 0, 1);
|
httponly_accessforbidden('<center>'.$langs->trans("ErrorRequestTooLarge").'.<br><a href="'.DOL_URL_ROOT.'">'.$langs->trans("ClickHereToGoToApp").'</a></center>', 413, 1);
|
||||||
exit;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
|
require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
|
||||||
|
|||||||
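Review bot: Passing `1` as the third argument makes httponly_accessforbidden() print the `<center>…<a href="…">` message without htmlentities(), which is safe here only because its pieces are `$langs->trans()` output (HTML-encoded by the translator, as far as can be seen) and `DOL_URL_ROOT`; a comment such as `// Message carries markup; its parts are trans() output and DOL_URL_ROOT only, so it is printed unescaped` records that precondition for the next editor. The 10000-byte limit is a bare literal repeated in the other public entry point touched by this commit; a named constant, or one helper doing the size check plus the 413 response, would stop the two copies from drifting. The `empty()` guard on `$_SERVER['CONTENT_LENGTH']` on the line above the change is correct, and the sibling page should get the same one.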
@@ -30,10 +30,8 @@ if (empty($conf) || !is_object($conf)) {
|
|||||||
// DDOS protection
|
// DDOS protection
|
||||||
$size = (int) $_SERVER['CONTENT_LENGTH'];
|
$size = (int) $_SERVER['CONTENT_LENGTH'];
|
||||||
if ($size > 10000) {
|
if ($size > 10000) {
|
||||||
http_response_code(413);
|
|
||||||
$langs->loadLangs(array("errors", "install"));
|
$langs->loadLangs(array("errors", "install"));
|
||||||
accessforbidden('<center>'.$langs->trans("ErrorRequestTooLarge").'<br><a href="'.DOL_URL_ROOT.'">'.$langs->trans("ClickHereToGoToApp").'</a></center>', 0, 0, 1);
|
httponly_accessforbidden('<center>'.$langs->trans("ErrorRequestTooLarge").'<br><a href="'.DOL_URL_ROOT.'">'.$langs->trans("ClickHereToGoToApp").'</a></center>', 413, 1);
|
||||||
exit;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
|
require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
|
||||||
|
|||||||
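Review bot: `$size = (int) $_SERVER['CONTENT_LENGTH'];` just above the change reads the header without the `empty()` guard that the other public page in this same commit uses, so every GET to this unauthenticated entry point (no body, hence no Content-Length) raises an undefined-index notice/warning — log noise at best, a path disclosure if display_errors is on; `$size = (empty($_SERVER['CONTENT_LENGTH']) ? 0 : (int) $_SERVER['CONTENT_LENGTH']);` matches the sibling. As in that file, the `1` argument prints the `<center>…<a href>` message unescaped, acceptable only because its components are trans() output and DOL_URL_ROOT, and that deserves a one-line comment. This check only bounds the declared body size; the web server's request-size limit remains the real control against oversized bodies.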
@@ -75,6 +75,18 @@ if ($pageid > 0) {
|
|||||||
|
|
||||||
if (!defined('USEDOLIBARREDITOR') && (in_array($websitepage->type_container, array('menu', 'other')) || empty($websitepage->status) && !defined('USEDOLIBARRSERVER'))) {
|
if (!defined('USEDOLIBARREDITOR') && (in_array($websitepage->type_container, array('menu', 'other')) || empty($websitepage->status) && !defined('USEDOLIBARRSERVER'))) {
|
||||||
$weblangs->load("website");
|
$weblangs->load("website");
|
||||||
|
|
||||||
|
// Security options
|
||||||
|
|
||||||
|
// X-Content-Type-Options
|
||||||
|
header("X-Content-Type-Options: nosniff");
|
||||||
|
|
||||||
|
// X-Frame-Options
|
||||||
|
if (empty($websitepage->allowed_in_frames) && empty($conf->global->WEBSITE_ALLOW_FRAMES_ON_ALL_PAGES)) {
|
||||||
|
header("X-Frame-Options: SAMEORIGIN");
|
||||||
|
}
|
||||||
|
|
||||||
|
//httponly_accessforbidden('<center><br><br>'.$weblangs->trans("YouTryToAccessToAFileThatIsNotAWebsitePage", $websitepage->pageurl, $websitepage->type_container, $websitepage->status).'</center>', 404, 1);
|
||||||
http_response_code(404);
|
http_response_code(404);
|
||||||
print '<center><br><br>'.$weblangs->trans("YouTryToAccessToAFileThatIsNotAWebsitePage", $websitepage->pageurl, $websitepage->type_container, $websitepage->status).'</center>';
|
print '<center><br><br>'.$weblangs->trans("YouTryToAccessToAFileThatIsNotAWebsitePage", $websitepage->pageurl, $websitepage->type_container, $websitepage->status).'</center>';
|
||||||
exit;
|
exit;
|
||||||
@@ -198,9 +210,21 @@ if ($_SERVER['PHP_SELF'] != DOL_URL_ROOT.'/website/index.php') { // If we browsi
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Show off line message
|
// Show off line message when all website is off
|
||||||
if (!defined('USEDOLIBARREDITOR') && empty($website->status)) {
|
if (!defined('USEDOLIBARREDITOR') && empty($website->status)) {
|
||||||
|
// Security options
|
||||||
|
|
||||||
|
// X-Content-Type-Options
|
||||||
|
header("X-Content-Type-Options: nosniff");
|
||||||
|
|
||||||
|
// X-Frame-Options
|
||||||
|
if (empty($websitepage->allowed_in_frames) && empty($conf->global->WEBSITE_ALLOW_FRAMES_ON_ALL_PAGES)) {
|
||||||
|
header("X-Frame-Options: SAMEORIGIN");
|
||||||
|
}
|
||||||
|
|
||||||
$weblangs->load("website");
|
$weblangs->load("website");
|
||||||
|
|
||||||
|
//httponly_accessforbidden('<center><br><br>'.$weblangs->trans("SorryWebsiteIsCurrentlyOffLine").'</center>', 503, 1);
|
||||||
http_response_code(503);
|
http_response_code(503);
|
||||||
print '<center><br><br>'.$weblangs->trans("SorryWebsiteIsCurrentlyOffLine").'</center>';
|
print '<center><br><br>'.$weblangs->trans("SorryWebsiteIsCurrentlyOffLine").'</center>';
|
||||||
exit;
|
exit;
|
||||||
|
|||||||
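Review bot: In the whole-site-offline branch the `X-Frame-Options` header is still conditioned on `$websitepage->allowed_in_frames`, but no page is being served there — the response is a generic 503 — so the per-page exemption has no meaning, and if `$websitepage` is not loaded in this branch (not visible here) `empty()` on it merely happens to produce the safe result; an unconditional `header("X-Frame-Options: SAMEORIGIN");` in that branch is simpler and cannot be relaxed by a page flag. Both error branches also keep a commented-out `//httponly_accessforbidden(...)` next to the live `http_response_code(...)`; dead alternatives in security code tend to get "restored" later, so either switch to it or delete it. The two identical "Security options" blocks would be better as one small helper so that future additions (e.g. a `Content-Security-Policy: frame-ancestors` directive, which supersedes X-Frame-Options in current browsers) land in both places.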
@@ -104,10 +104,10 @@ $entity = GETPOST('entity', 'int') ?GETPOST('entity', 'int') : $conf->entity;
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if (empty($modulepart) && empty($hashp)) {
|
if (empty($modulepart) && empty($hashp)) {
|
||||||
accessforbidden('Bad link. Bad value for parameter modulepart', 0, 0, 1);
|
httponly_accessforbidden('Bad link. Bad value for parameter modulepart', 400);
|
||||||
}
|
}
|
||||||
if (empty($original_file) && empty($hashp)) {
|
if (empty($original_file) && empty($hashp)) {
|
||||||
accessforbidden('Bad link. Missing identification to find file (original_file or hashp)', 0, 0, 1);
|
httponly_accessforbidden('Bad link. Missing identification to find file (original_file or hashp)', 400);
|
||||||
}
|
}
|
||||||
if ($modulepart == 'fckeditor') {
|
if ($modulepart == 'fckeditor') {
|
||||||
$modulepart = 'medias'; // For backward compatibility
|
$modulepart = 'medias'; // For backward compatibility
|
||||||
@@ -158,7 +158,7 @@ if (!empty($hashp)) {
|
|||||||
$original_file = (($tmp[1] ? $tmp[1].'/' : '').$ecmfile->filename); // this is relative to module dir
|
$original_file = (($tmp[1] ? $tmp[1].'/' : '').$ecmfile->filename); // this is relative to module dir
|
||||||
//var_dump($original_file); exit;
|
//var_dump($original_file); exit;
|
||||||
} else {
|
} else {
|
||||||
accessforbidden('Bad link. File is from another module part.', 0, 0, 1);
|
httponly_accessforbidden('Bad link. File is from another module part.', 403);
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
$modulepart = $moduleparttocheck;
|
$modulepart = $moduleparttocheck;
|
||||||
@@ -171,7 +171,7 @@ if (!empty($hashp)) {
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
$langs->load("errors");
|
$langs->load("errors");
|
||||||
accessforbidden($langs->trans("ErrorFileNotFoundWithSharedLink"), 0, 0, 1);
|
httponly_accessforbidden($langs->trans("ErrorFileNotFoundWithSharedLink"), 403, 1);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
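Review bot: The shared-link failures now answer differently depending on how far the `hashp` lookup got — 403 "File is from another module part." when the hash appears to resolve but `$modulepart` disagrees, and 403 "ErrorFileNotFoundWithSharedLink" when it does not resolve — so a client probing `hashp` values learns whether a hash is valid without supplying the matching modulepart. Unless that distinction is needed for support, returning the same generic message and code on both paths removes the oracle; how much it matters depends on the entropy of `hashp`, which is not visible here. Using 400 for the two missing-parameter cases is the accurate code, and those fixed literals correctly do not set the "already sanitized" flag, while the translated message does so relying on `$langs->trans()` HTML-encoding its output. The hashp resolution logic continues outside the hunks.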
@@ -38,7 +38,6 @@
|
|||||||
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
|
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
|
||||||
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
|
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
|
||||||
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
|
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
|
||||||
//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN', 1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
|
|
||||||
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
|
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
|
||||||
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
|
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
|
||||||
|
|
||||||
|
|||||||
@@ -41,7 +41,6 @@
|
|||||||
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
|
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
|
||||||
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
|
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
|
||||||
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
|
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
|
||||||
//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN', 1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
|
|
||||||
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
|
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
|
||||||
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
|
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
|
||||||
|
|
||||||
|
|||||||
@@ -64,7 +64,9 @@ if (in_array($objecttype, $TAuthorizedObjects)) {
|
|||||||
} elseif ($objecttype == "user") {
|
} elseif ($objecttype == "user") {
|
||||||
$object = new User($db);
|
$object = new User($db);
|
||||||
}
|
}
|
||||||
} else accessforbidden($langs->trans('ErrorBadObjectType'));
|
} else {
|
||||||
|
accessforbidden('ErrorBadObjectType');
|
||||||
|
}
|
||||||
|
|
||||||
$hookmanager->initHooks(array('skilltab', 'globalcard')); // Note that conf->hooks_modules contains array
|
$hookmanager->initHooks(array('skilltab', 'globalcard')); // Note that conf->hooks_modules contains array
|
||||||
|
|
||||||
|
|||||||
@@ -547,12 +547,12 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
|
|||||||
) {
|
) {
|
||||||
// If token is not provided or empty, error (we are in case it is mandatory)
|
// If token is not provided or empty, error (we are in case it is mandatory)
|
||||||
if (!GETPOST('token', 'alpha') || GETPOST('token', 'alpha') == 'notrequired') {
|
if (!GETPOST('token', 'alpha') || GETPOST('token', 'alpha') == 'notrequired') {
|
||||||
|
top_httphead();
|
||||||
if (GETPOST('uploadform', 'int')) {
|
if (GETPOST('uploadform', 'int')) {
|
||||||
dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"]) ? '' : $_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused. File size too large or not provided.");
|
dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"]) ? '' : $_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused. File size too large or not provided.");
|
||||||
$langs->loadLangs(array("errors", "install"));
|
$langs->loadLangs(array("errors", "install"));
|
||||||
print $langs->trans("ErrorFileSizeTooLarge").' ';
|
print $langs->trans("ErrorFileSizeTooLarge").' ';
|
||||||
print $langs->trans("ErrorGoBackAndCorrectParameters");
|
print $langs->trans("ErrorGoBackAndCorrectParameters");
|
||||||
die;
|
|
||||||
} else {
|
} else {
|
||||||
http_response_code(403);
|
http_response_code(403);
|
||||||
if (defined('CSRFCHECK_WITH_TOKEN')) {
|
if (defined('CSRFCHECK_WITH_TOKEN')) {
|
||||||
@@ -567,8 +567,8 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
|
|||||||
}
|
}
|
||||||
print " into setup).\n";
|
print " into setup).\n";
|
||||||
}
|
}
|
||||||
die;
|
|
||||||
}
|
}
|
||||||
|
die;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -851,12 +851,16 @@ if (!defined('NOLOGIN')) {
|
|||||||
// No data to test login, so we show the login page.
|
// No data to test login, so we show the login page.
|
||||||
dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"]) ? '' : $_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." - action=".GETPOST('action', 'aZ09')." - actionlogin=".GETPOST('actionlogin', 'aZ09')." - showing the login form and exit", LOG_INFO);
|
dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"]) ? '' : $_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." - action=".GETPOST('action', 'aZ09')." - actionlogin=".GETPOST('actionlogin', 'aZ09')." - showing the login form and exit", LOG_INFO);
|
||||||
if (defined('NOREDIRECTBYMAINTOLOGIN')) {
|
if (defined('NOREDIRECTBYMAINTOLOGIN')) {
|
||||||
|
// When used with NOREDIRECTBYMAINTOLOGIN set, the http header must already be set when including the main.
|
||||||
|
// See example with selectsearchbox.php. This case is reserverd for the selectesearchbox.php so we can
|
||||||
|
// report a message to ask to login when search ajax component is used after a timeout.
|
||||||
|
//top_httphead();
|
||||||
return 'ERROR_NOT_LOGGED';
|
return 'ERROR_NOT_LOGGED';
|
||||||
} else {
|
} else {
|
||||||
if ($_SERVER["HTTP_USER_AGENT"] == 'securitytest') {
|
if ($_SERVER["HTTP_USER_AGENT"] == 'securitytest') {
|
||||||
http_response_code(401); // It makes easier to understand if session was broken during security tests
|
http_response_code(401); // It makes easier to understand if session was broken during security tests
|
||||||
}
|
}
|
||||||
dol_loginfunction($langs, $conf, (!empty($mysoc) ? $mysoc : ''));
|
dol_loginfunction($langs, $conf, (!empty($mysoc) ? $mysoc : '')); // This include http headers
|
||||||
}
|
}
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
@@ -1242,8 +1246,7 @@ if (!defined('NOLOGIN')) {
|
|||||||
// If not active, we refuse the user
|
// If not active, we refuse the user
|
||||||
$langs->loadLangs(array("errors", "other"));
|
$langs->loadLangs(array("errors", "other"));
|
||||||
dol_syslog("Authentication KO as login is disabled", LOG_NOTICE);
|
dol_syslog("Authentication KO as login is disabled", LOG_NOTICE);
|
||||||
accessforbidden($langs->trans("ErrorLoginDisabled"));
|
accessforbidden("ErrorLoginDisabled");
|
||||||
exit;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Load permissions
|
// Load permissions
|
||||||
|
|||||||
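Review bot: The added comment explains the header expectation for `NOREDIRECTBYMAINTOLOGIN` but not the part that matters for security: `return 'ERROR_NOT_LOGGED';` hands control back to the including script with no authenticated `$user`, so a page that defines the constant and ignores the return value of its `require` of main.inc.php keeps executing unauthenticated — presumably why this commit drops the define from the actions list page. Suggest saying it in the comment, e.g. `// CAUTION: returning here means the including page continues with no logged user; it MUST test the return value of require and stop.`, and, since the case is stated to be reserved for selectsearchbox.php, enforcing that with a check on the including script rather than by convention. `$_SERVER["HTTP_USER_AGENT"]` is also compared without an `isset()`/`!empty()` guard, so requests with no User-Agent raise a notice on the login path; the 401 toggle itself only changes a status code and is harmless. In the CSRF hunk above, the `uploadform` branch prints its error without setting a status while the sibling branch sets 403; `http_response_code(413);` before the message would be accurate there.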
@@ -81,10 +81,10 @@ $idmodule= GETPOST('idmodule', 'alpha');
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if (!isModEnabled('modulebuilder')) {
|
if (!isModEnabled('modulebuilder')) {
|
||||||
accessforbidden();
|
accessforbidden('Module ModuleBuilder not enabled');
|
||||||
}
|
}
|
||||||
if (!$user->admin && empty($conf->global->MODULEBUILDER_FOREVERYONE)) {
|
if (!$user->admin && empty($conf->global->MODULEBUILDER_FOREVERYONE)) {
|
||||||
accessforbidden($langs->trans('ModuleBuilderNotAllowed'));
|
accessforbidden('ModuleBuilderNotAllowed');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
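Review bot: `accessforbidden('Module ModuleBuilder not enabled')` passes an English sentence where accessforbidden() expects a translation key (it calls `$langs->trans($message)` on it), so this message is shown untranslated while the check right below uses the key `ModuleBuilderNotAllowed`; defining a key in the errors lang file and using it here keeps the two refusals consistent. Separately, the `MODULEBUILDER_FOREVERYONE` bypass of `$user->admin` opens a tool that generates source files on the instance (inferred from the module's purpose, not visible here) to non-admin users; a warning comment on that line, e.g. `// WARNING: MODULEBUILDER_FOREVERYONE lets non-admins generate/modify code on this instance`, would make the risk visible to whoever enables it. The rest of the page is outside the hunk.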
@@ -46,12 +46,8 @@ class mailing_mailinglist_mymodule_myobject extends MailingTargets
|
|||||||
*/
|
*/
|
||||||
public function __construct($db)
|
public function __construct($db)
|
||||||
{
|
{
|
||||||
global $conf;
|
|
||||||
|
|
||||||
$this->db = $db;
|
$this->db = $db;
|
||||||
if (is_array($conf->modules)) {
|
$this->enabled = isModEnabled('mymodule');
|
||||||
$this->enabled = in_array('mymodule', $conf->modules) ? 1 : 0;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -38,7 +38,6 @@
|
|||||||
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
|
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
|
||||||
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
|
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
|
||||||
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
|
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
|
||||||
//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN', 1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
|
|
||||||
//if (! defined("MAIN_SECURITY_FORCECSP")) define('MAIN_SECURITY_FORCECSP', 'none'); // Disable all Content Security Policies
|
//if (! defined("MAIN_SECURITY_FORCECSP")) define('MAIN_SECURITY_FORCECSP', 'none'); // Disable all Content Security Policies
|
||||||
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
|
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
|
||||||
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
|
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
|
||||||
|
|||||||
@@ -38,7 +38,6 @@
|
|||||||
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
|
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
|
||||||
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
|
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
|
||||||
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
|
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
|
||||||
//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN', 1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
|
|
||||||
//if (! defined("MAIN_SECURITY_FORCECSP")) define('MAIN_SECURITY_FORCECSP', 'none'); // Disable all Content Security Policies
|
//if (! defined("MAIN_SECURITY_FORCECSP")) define('MAIN_SECURITY_FORCECSP', 'none'); // Disable all Content Security Policies
|
||||||
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
|
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
|
||||||
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
|
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
|
||||||
@@ -248,8 +247,7 @@ llxHeader('', $title, $help_url);
|
|||||||
// Part to create
|
// Part to create
|
||||||
if ($action == 'create') {
|
if ($action == 'create') {
|
||||||
if (empty($permissiontoadd)) {
|
if (empty($permissiontoadd)) {
|
||||||
accessforbidden($langs->trans('NotEnoughPermissions'), 0, 1);
|
accessforbidden('NotEnoughPermissions', 0, 1);
|
||||||
exit;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
print load_fiche_titre($langs->trans("NewObject", $langs->transnoentitiesnoconv("MyObject")), '', 'object_'.$object->picto);
|
print load_fiche_titre($langs->trans("NewObject", $langs->transnoentitiesnoconv("MyObject")), '', 'object_'.$object->picto);
|
||||||
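Review bot: Dropping the `exit;` after `accessforbidden('NotEnoughPermissions', 0, 1)` (L1890–L1893) makes correctness depend on accessforbidden() terminating the request itself; the same assumption underlies every hunk below that replaces a print-plus-exit pair with a single httponly_accessforbidden() call. If that guarantee holds it should be visible at the call site, e.g. `accessforbidden('NotEnoughPermissions', 0, 1); // accessforbidden() never returns`. Note also that the message is now a bare translation key while other call sites in this commit pass an already-translated string (e.g. L2668), so a reader cannot tell from the call which form the function expects.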
|
|||||||
@@ -38,7 +38,6 @@
|
|||||||
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
|
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
|
||||||
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
|
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
|
||||||
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
|
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
|
||||||
//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN', 1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
|
|
||||||
//if (! defined("MAIN_SECURITY_FORCECSP")) define('MAIN_SECURITY_FORCECSP', 'none'); // Disable all Content Security Policies
|
//if (! defined("MAIN_SECURITY_FORCECSP")) define('MAIN_SECURITY_FORCECSP', 'none'); // Disable all Content Security Policies
|
||||||
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
|
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
|
||||||
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
|
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
|
||||||
@@ -143,7 +142,13 @@ if ($enablepermissioncheck) {
|
|||||||
if (!isModEnabled("mymodule")) {
|
if (!isModEnabled("mymodule")) {
|
||||||
accessforbidden();
|
accessforbidden();
|
||||||
}
|
}
|
||||||
if (!$permissiontoread) accessforbidden();
|
if (!$permissiontoread) {
|
||||||
|
accessforbidden();
|
||||||
|
}
|
||||||
|
if (empty($object->id)) {
|
||||||
|
accessforbidden();
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
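Review bot: The new `if (empty($object->id)) { accessforbidden(); }` at L1981–L1989 sits inside the `if ($enablepermissioncheck) {` block named in the hunk header, while the unconditional `else { accessforbidden('', 0, 1); }` that previously caught a missing object is removed in the hunk at L2052–L2093 and the `if ($object->id) {` wrapper goes in the hunk at L2006–L2051. Unless that block closes before L1981 (its closing brace is outside this hunk), a template with permission checks disabled now renders the document tab for an object that was never loaded instead of refusing. Moving the `empty($object->id)` check out of the permission-check block, or keeping the `else` branch, keeps both paths denied.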
@@ -164,10 +169,7 @@ $help_url = '';
|
|||||||
//$help_url='EN:Module_Third_Parties|FR:Module_Tiers|ES:Empresas';
|
//$help_url='EN:Module_Third_Parties|FR:Module_Tiers|ES:Empresas';
|
||||||
llxHeader('', $title, $help_url);
|
llxHeader('', $title, $help_url);
|
||||||
|
|
||||||
if ($object->id) {
|
// Show tabs
|
||||||
/*
|
|
||||||
* Show tabs
|
|
||||||
*/
|
|
||||||
$head = myobjectPrepareHead($object);
|
$head = myobjectPrepareHead($object);
|
||||||
|
|
||||||
print dol_get_fiche_head($head, 'document', $langs->trans("MyObject"), -1, $object->picto);
|
print dol_get_fiche_head($head, 'document', $langs->trans("MyObject"), -1, $object->picto);
|
||||||
@@ -254,9 +256,6 @@ if ($object->id) {
|
|||||||
$relativepathwithnofile = 'myobject/'.dol_sanitizeFileName($object->ref).'/';
|
$relativepathwithnofile = 'myobject/'.dol_sanitizeFileName($object->ref).'/';
|
||||||
|
|
||||||
include DOL_DOCUMENT_ROOT.'/core/tpl/document_actions_post_headers.tpl.php';
|
include DOL_DOCUMENT_ROOT.'/core/tpl/document_actions_post_headers.tpl.php';
|
||||||
} else {
|
|
||||||
accessforbidden('', 0, 1);
|
|
||||||
}
|
|
||||||
|
|
||||||
// End of page
|
// End of page
|
||||||
llxFooter();
|
llxFooter();
|
||||||
|
|||||||
@@ -38,7 +38,6 @@
|
|||||||
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
|
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
|
||||||
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
|
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
|
||||||
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
|
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
|
||||||
//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN', 1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
|
|
||||||
//if (! defined("MAIN_SECURITY_FORCECSP")) define('MAIN_SECURITY_FORCECSP', 'none'); // Disable all Content Security Policies
|
//if (! defined("MAIN_SECURITY_FORCECSP")) define('MAIN_SECURITY_FORCECSP', 'none'); // Disable all Content Security Policies
|
||||||
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
|
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
|
||||||
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
|
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
|
||||||
|
|||||||
@@ -38,7 +38,6 @@
|
|||||||
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
|
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
|
||||||
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
|
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
|
||||||
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
|
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
|
||||||
//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN', 1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
|
|
||||||
//if (! defined("MAIN_SECURITY_FORCECSP")) define('MAIN_SECURITY_FORCECSP', 'none'); // Disable all Content Security Policies
|
//if (! defined("MAIN_SECURITY_FORCECSP")) define('MAIN_SECURITY_FORCECSP', 'none'); // Disable all Content Security Policies
|
||||||
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
|
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
|
||||||
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
|
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
|
||||||
|
|||||||
@@ -39,7 +39,6 @@
|
|||||||
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
|
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
|
||||||
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
|
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
|
||||||
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
|
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
|
||||||
//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN', 1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
|
|
||||||
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
|
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
|
||||||
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
|
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
|
||||||
if (!defined('NOSESSION')) define('NOSESSION', '1'); // On CLI mode, no need to use web sessions
|
if (!defined('NOSESSION')) define('NOSESSION', '1'); // On CLI mode, no need to use web sessions
|
||||||
|
|||||||
@@ -84,7 +84,7 @@ require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php';
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if (empty($conf->agenda->enabled)) {
|
if (empty($conf->agenda->enabled)) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('Module Agenda not enabled');
|
||||||
}
|
}
|
||||||
|
|
||||||
// Not older than
|
// Not older than
|
||||||
|
|||||||
@@ -75,7 +75,7 @@ $langs->loadLangs(array("admin", "cron", "dict"));
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if (empty($conf->cron->enabled)) {
|
if (empty($conf->cron->enabled)) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('Module Cron not enabled');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -51,7 +51,7 @@ $conf->dol_use_jmobile = GETPOST('dol_use_jmobile', 'int');
|
|||||||
// Security check
|
// Security check
|
||||||
global $dolibarr_main_demo;
|
global $dolibarr_main_demo;
|
||||||
if (empty($dolibarr_main_demo)) {
|
if (empty($dolibarr_main_demo)) {
|
||||||
accessforbidden('Parameter dolibarr_main_demo must be defined in conf file with value "default login,default pass" to enable the demo entry page', 0, 0, 1);
|
httponly_accessforbidden('Parameter dolibarr_main_demo must be defined in conf file with value "default login,default pass" to enable the demo entry page');
|
||||||
}
|
}
|
||||||
|
|
||||||
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
|
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
|
||||||
|
|||||||
@@ -60,7 +60,7 @@ require_once DOL_DOCUMENT_ROOT.'/don/class/don.class.php';
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if (empty($conf->don->enabled)) {
|
if (empty($conf->don->enabled)) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('Module Donation not enabled');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -138,7 +138,7 @@ $user->loadDefaultValues();
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if (empty($conf->eventorganization->enabled)) {
|
if (empty($conf->eventorganization->enabled)) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('Module Event organization not enabled');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -77,7 +77,7 @@ if ($securekeyreceived != $securekeytocompare) {
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if (empty($conf->eventorganization->enabled)) {
|
if (empty($conf->eventorganization->enabled)) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('Module Event organization not enabled');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -86,12 +86,11 @@ $langs->loadLangs(array("main", "members", "companies", "install", "other"));
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if (empty($conf->adherent->enabled)) {
|
if (empty($conf->adherent->enabled)) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('Module Membership not enabled');
|
||||||
}
|
}
|
||||||
|
|
||||||
if (empty($conf->global->MEMBER_ENABLE_PUBLIC)) {
|
if (empty($conf->global->MEMBER_ENABLE_PUBLIC)) {
|
||||||
print $langs->trans("Auto subscription form for public visitors has not been enabled");
|
httponly_accessforbidden("Auto subscription form for public visitors has not been enabled");
|
||||||
exit;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
|
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
|
||||||
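Review bot: `httponly_accessforbidden("Auto subscription form for public visitors has not been enabled")` at L2458 drops the `$langs->trans(...)` that the old line wrapped around the same text, so the visitor now gets the untranslated literal; the hunk at L2940–L2996 does the same at L2976, and the opensurvey hunks at L2796–L2938 pass the bare key `'ErrorForbidden'`. Unless httponly_accessforbidden() translates its message itself (L2668 in the onlinesign hunk suggests callers translate before calling), wrap these as `httponly_accessforbidden($langs->trans("Auto subscription form for public visitors has not been enabled"));` and `httponly_accessforbidden($langs->trans('ErrorForbidden'));`.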
|
|||||||
@@ -53,7 +53,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/extrafields.class.php';
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if (empty($conf->adherent->enabled)) {
|
if (empty($conf->adherent->enabled)) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('Module Memebership no enabled');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
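Review bot: The message at L2498, `'Module Memebership no enabled'`, misspells both words; the sibling hunks at L2440 and L2532 use `'Module Membership not enabled'` for the same check. Change it to `httponly_accessforbidden('Module Membership not enabled');` so the three public member pages report the same text.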
|
|||||||
@@ -49,7 +49,7 @@ require '../../main.inc.php';
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if (empty($conf->adherent->enabled)) {
|
if (empty($conf->adherent->enabled)) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('Module Membership not enabled');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -81,13 +81,6 @@ $ref = $REF = GETPOST("ref", 'alpha');
|
|||||||
if (empty($source)) {
|
if (empty($source)) {
|
||||||
$source = 'proposal';
|
$source = 'proposal';
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!$action) {
|
|
||||||
if ($source && !$ref) {
|
|
||||||
print $langs->trans('ErrorBadParameters')." - ref missing";
|
|
||||||
exit;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if (!empty($refusepropal)) {
|
if (!empty($refusepropal)) {
|
||||||
$action = "refusepropal";
|
$action = "refusepropal";
|
||||||
}
|
}
|
||||||
@@ -123,15 +116,12 @@ $urlko = preg_replace('/&$/', '', $urlko); // Remove last &
|
|||||||
$creditor = $mysoc->name;
|
$creditor = $mysoc->name;
|
||||||
|
|
||||||
$type = $source;
|
$type = $source;
|
||||||
if ($source == 'proposal') {
|
|
||||||
require_once DOL_DOCUMENT_ROOT.'/comm/propal/class/propal.class.php';
|
|
||||||
$object = new Propal($db);
|
|
||||||
$result= $object->fetch(0, $ref, '', $entity);
|
|
||||||
} else {
|
|
||||||
accessforbidden('Bad value for source');
|
|
||||||
exit;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
if (!$action) {
|
||||||
|
if ($source && !$ref) {
|
||||||
|
httponly_accessforbidden($langs->trans('ErrorBadParameters')." - ref missing", 400, 1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Check securitykey
|
// Check securitykey
|
||||||
$securekeyseed = '';
|
$securekeyseed = '';
|
||||||
@@ -139,10 +129,16 @@ if ($source == 'proposal') {
|
|||||||
$securekeyseed = getDolGlobalString('PROPOSAL_ONLINE_SIGNATURE_SECURITY_TOKEN');
|
$securekeyseed = getDolGlobalString('PROPOSAL_ONLINE_SIGNATURE_SECURITY_TOKEN');
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!dol_verifyHash($securekeyseed.$type.$ref.(!isModEnabled('multicompany') ? '' : $entity), $SECUREKEY, '0')) {
|
if (!dol_verifyHash($securekeyseed.$type.$ref.(isModEnabled('multicompany') ? $entity : ''), $SECUREKEY, '0')) {
|
||||||
http_response_code(403);
|
httponly_accessforbidden('Bad value for securitykey. Value provided '.dol_escape_htmltag($SECUREKEY).' does not match expected value for ref='.dol_escape_htmltag($ref), 403, 1);
|
||||||
print 'Bad value for securitykey. Value provided '.dol_escape_htmltag($SECUREKEY).' does not match expected value for ref='.dol_escape_htmltag($ref);
|
}
|
||||||
exit(-1);
|
|
||||||
|
if ($source == 'proposal') {
|
||||||
|
require_once DOL_DOCUMENT_ROOT.'/comm/propal/class/propal.class.php';
|
||||||
|
$object = new Propal($db);
|
||||||
|
$result= $object->fetch(0, $ref, '', $entity);
|
||||||
|
} else {
|
||||||
|
httponly_accessforbidden($langs->trans('ErrorBadParameters')." - Bad value for source", 400, 1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
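Review bot: The verification at L2710 hashes `$securekeyseed.$type.$ref.$entity` where `$securekeyseed` starts as `''` (L2687) and is only replaced by `getDolGlobalString('PROPOSAL_ONLINE_SIGNATURE_SECURITY_TOKEN')` (L2695); nothing in the hunk rejects the request when that setting is empty, in which case every component of the hashed string is known to the caller and the check no longer proves anything. A guard before the comparison, `if (empty($securekeyseed)) { httponly_accessforbidden('Online signature security token not configured', 403); }`, closes that gap. The rejection message at L2715 also reflects the supplied `$SECUREKEY` and `$ref` back to the caller (escaped, as before); a generic message with the values written to `dol_syslog()` is the safer default for a public endpoint. Moving the Propal fetch (L2728–L2740) after the key check is right; the `$result` it returns is not checked inside this hunk, so that handling presumably follows outside it.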
|
|||||||
@@ -59,7 +59,7 @@ $canbemodified = ((empty($object->date_fin) || $object->date_fin > dol_now()) &&
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if (empty($conf->opensurvey->enabled)) {
|
if (empty($conf->opensurvey->enabled)) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('Module Survey not enabled');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -74,7 +74,7 @@ $listofvoters = explode(',', $_SESSION["savevoter"]);
|
|||||||
// Add comment
|
// Add comment
|
||||||
if (GETPOST('ajoutcomment', 'alpha')) {
|
if (GETPOST('ajoutcomment', 'alpha')) {
|
||||||
if (!$canbemodified) {
|
if (!$canbemodified) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('ErrorForbidden');
|
||||||
}
|
}
|
||||||
|
|
||||||
$error = 0;
|
$error = 0;
|
||||||
@@ -108,7 +108,7 @@ if (GETPOST('ajoutcomment', 'alpha')) {
|
|||||||
// Add vote
|
// Add vote
|
||||||
if (GETPOST("boutonp") || GETPOST("boutonp.x") || GETPOST("boutonp_x")) { // boutonp for chrome, boutonp_x for firefox
|
if (GETPOST("boutonp") || GETPOST("boutonp.x") || GETPOST("boutonp_x")) { // boutonp for chrome, boutonp_x for firefox
|
||||||
if (!$canbemodified) {
|
if (!$canbemodified) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('ErrorForbidden');
|
||||||
}
|
}
|
||||||
|
|
||||||
//Si le nom est bien entré
|
//Si le nom est bien entré
|
||||||
@@ -214,7 +214,7 @@ if ($testmodifier) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (!$canbemodified) {
|
if (!$canbemodified) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('ErrorForbidden');
|
||||||
}
|
}
|
||||||
|
|
||||||
$idtomodify = GETPOST("idtomodify".$modifier);
|
$idtomodify = GETPOST("idtomodify".$modifier);
|
||||||
@@ -232,7 +232,7 @@ if ($testmodifier) {
|
|||||||
$idcomment = GETPOST('deletecomment', 'int');
|
$idcomment = GETPOST('deletecomment', 'int');
|
||||||
if ($idcomment) {
|
if ($idcomment) {
|
||||||
if (!$canbemodified) {
|
if (!$canbemodified) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('ErrorForbidden');
|
||||||
}
|
}
|
||||||
|
|
||||||
$resql = $object->deleteComment($idcomment);
|
$resql = $object->deleteComment($idcomment);
|
||||||
|
|||||||
@@ -71,12 +71,11 @@ $langs->loadLangs(array("main", "members", "partnership", "companies", "install"
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if (empty($conf->partnership->enabled)) {
|
if (empty($conf->partnership->enabled)) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('Module Partnership not enabled');
|
||||||
}
|
}
|
||||||
|
|
||||||
if (empty($conf->global->PARTNERSHIP_ENABLE_PUBLIC)) {
|
if (empty($conf->global->PARTNERSHIP_ENABLE_PUBLIC)) {
|
||||||
print $langs->trans("Auto subscription form for public visitors has not been enabled");
|
httponly_accessforbidden("Auto subscription form for public visitors has not been enabled");
|
||||||
exit;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
|
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
|
||||||
|
|||||||
@@ -108,7 +108,7 @@ if (!empty($conf->stripe->enabled)) {
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if (empty($validpaymentmethod)) {
|
if (empty($validpaymentmethod)) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('No valid payment mode');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -138,7 +138,7 @@ if (!empty($conf->stripe->enabled)) {
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if (empty($validpaymentmethod)) {
|
if (empty($validpaymentmethod)) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('No valid payment mode');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -84,7 +84,7 @@ if ($resultproject < 0) {
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if (empty($conf->project->enabled)) {
|
if (empty($conf->project->enabled)) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('Module Project not enabled');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -82,7 +82,7 @@ $user->loadDefaultValues();
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if (empty($conf->project->enabled)) {
|
if (empty($conf->project->enabled)) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('Module Project not enabled');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -105,7 +105,7 @@ $arrayofconfboothtype = $cactioncomm->liste_array('', 'id', '', 0, "module='boot
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if (empty($conf->eventorganization->enabled)) {
|
if (empty($conf->eventorganization->enabled)) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('Module Event organization not enabled');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -106,7 +106,7 @@ $arrayofconfboothtype = $cactioncomm->liste_array('', 'id', '', 0, "module='conf
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if (empty($conf->eventorganization->enabled)) {
|
if (empty($conf->eventorganization->enabled)) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('Module Event organization not enabled');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -91,7 +91,7 @@ if ($resultproject < 0) {
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if (empty($conf->eventorganization->enabled)) {
|
if (empty($conf->eventorganization->enabled)) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('Module Event organization not enabled');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -80,7 +80,7 @@ $urlwithroot = DOL_MAIN_URL_ROOT; // This is to use same domain name than curren
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if (empty($conf->recruitment->enabled)) {
|
if (empty($conf->recruitment->enabled)) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('Module Recruitment not enabled');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -77,7 +77,7 @@ $urlwithroot = DOL_MAIN_URL_ROOT; // This is to use same domain name than curren
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if (empty($conf->recruitment->enabled)) {
|
if (empty($conf->recruitment->enabled)) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('Module Recruitment not enabled');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -49,11 +49,6 @@ require_once DOL_DOCUMENT_ROOT.'/includes/stripe/stripe-php/init.php';
|
|||||||
require_once DOL_DOCUMENT_ROOT.'/stripe/class/stripe.class.php';
|
require_once DOL_DOCUMENT_ROOT.'/stripe/class/stripe.class.php';
|
||||||
|
|
||||||
|
|
||||||
if (empty($conf->stripe->enabled)) {
|
|
||||||
accessforbidden('', 0, 0, 1);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
// You can find your endpoint's secret in your webhook settings
|
// You can find your endpoint's secret in your webhook settings
|
||||||
if (isset($_GET['connect'])) {
|
if (isset($_GET['connect'])) {
|
||||||
if (isset($_GET['test'])) {
|
if (isset($_GET['test'])) {
|
||||||
@@ -77,10 +72,12 @@ if (isset($_GET['connect'])) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (empty($conf->stripe->enabled)) {
|
||||||
|
httponly_accessforbidden('Module Stripe not enabled');
|
||||||
|
}
|
||||||
|
|
||||||
if (empty($endpoint_secret)) {
|
if (empty($endpoint_secret)) {
|
||||||
print 'Error: Setup of module Stripe not complete for mode '.$service.'. The WEBHOOK_KEY is not defined.';
|
httponly_accessforbidden('Error: Setup of module Stripe not complete for mode '.dol_escape_htmltag($service).'. The WEBHOOK_KEY is not defined.', 400, 1);
|
||||||
http_response_code(400); // PHP 5.4 or greater
|
|
||||||
exit();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!empty($conf->global->STRIPE_USER_ACCOUNT_FOR_ACTIONS)) {
|
if (!empty($conf->global->STRIPE_USER_ACCOUNT_FOR_ACTIONS)) {
|
||||||
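Review bot: The Stripe-enabled check now runs at L3368–L3376, after the `isset($_GET['connect'])` block whose body lies outside this hunk, so that block executes even when the module is disabled; if it only picks `$service` and `$endpoint_secret` from configuration that is harmless, but a short comment such as `// Module check is done after $service has been selected above` would record that the ordering is intentional. Separately, the 400 responses at L3389 and at L3433 in the next hunk name the specific server-side setting that is missing to an unauthenticated caller; a server misconfiguration is better reported as 500 with the detail kept in `dol_syslog()` and a generic `httponly_accessforbidden('Stripe webhook not configured', 500);` returned. Escaping `$service` with `dol_escape_htmltag()` and passing `1` as the third argument is consistent with L2715.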
@@ -89,9 +86,7 @@ if (!empty($conf->global->STRIPE_USER_ACCOUNT_FOR_ACTIONS)) {
|
|||||||
$user->fetch($conf->global->STRIPE_USER_ACCOUNT_FOR_ACTIONS);
|
$user->fetch($conf->global->STRIPE_USER_ACCOUNT_FOR_ACTIONS);
|
||||||
$user->getrights();
|
$user->getrights();
|
||||||
} else {
|
} else {
|
||||||
print 'Error: Setup of module Stripe not complete for mode '.$service.'. The STRIPE_USER_ACCOUNT_FOR_ACTIONS is not defined.';
|
httponly_accessforbidden('Error: Setup of module Stripe not complete for mode '.dol_escape_htmltag($service).'. The STRIPE_USER_ACCOUNT_FOR_ACTIONS is not defined.', 400, 1);
|
||||||
http_response_code(400); // PHP 5.4 or greater
|
|
||||||
exit();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -113,12 +108,9 @@ try {
|
|||||||
$event = \Stripe\Webhook::constructEvent($payload, $sig_header, $endpoint_secret);
|
$event = \Stripe\Webhook::constructEvent($payload, $sig_header, $endpoint_secret);
|
||||||
} catch (\UnexpectedValueException $e) {
|
} catch (\UnexpectedValueException $e) {
|
||||||
// Invalid payload
|
// Invalid payload
|
||||||
http_response_code(400); // PHP 5.4 or greater
|
httponly_accessforbidden('Invalid payload', 400);
|
||||||
exit();
|
|
||||||
} catch (\Stripe\Error\SignatureVerification $e) {
|
} catch (\Stripe\Error\SignatureVerification $e) {
|
||||||
// Invalid signature
|
httponly_accessforbidden('Invalid signature', 400);
|
||||||
http_response_code(400); // PHP 5.4 or greater
|
|
||||||
exit();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Do something with $event
|
// Do something with $event
|
||||||
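Review bot: The catch at L3482 targets `\Stripe\Error\SignatureVerification`, which is the pre-7.x class name in stripe-php; if the library bundled under includes/stripe/stripe-php (L3304) is a release that throws `\Stripe\Exception\SignatureVerificationException` instead, a forged or stale signature is never caught here and surfaces as an uncaught exception rather than the intended `httponly_accessforbidden('Invalid signature', 400)`. Worth confirming against the vendored version, and catching both names if it is in doubt. The `try` opened on this hunk's header line begins outside it. A 403 would also describe a failed signature check more precisely than 400, matching the securitykey failure at L2715.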
@@ -155,6 +147,7 @@ if (!empty($conf->global->MAIN_APPLICATION_TITLE)) {
|
|||||||
$societeName = $conf->global->MAIN_APPLICATION_TITLE;
|
$societeName = $conf->global->MAIN_APPLICATION_TITLE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
top_httphead();
|
||||||
|
|
||||||
dol_syslog("***** Stripe IPN was called with event->type = ".$event->type);
|
dol_syslog("***** Stripe IPN was called with event->type = ".$event->type);
|
||||||
|
|
||||||
@@ -195,11 +188,10 @@ if ($event->type == 'payout.created') {
|
|||||||
|
|
||||||
$ret = $mailfile->sendfile();
|
$ret = $mailfile->sendfile();
|
||||||
|
|
||||||
http_response_code(200); // PHP 5.4 or greater
|
|
||||||
return 1;
|
return 1;
|
||||||
} else {
|
} else {
|
||||||
$error++;
|
$error++;
|
||||||
http_response_code(500); // PHP 5.4 or greater
|
http_response_code(500);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
} elseif ($event->type == 'payout.paid') {
|
} elseif ($event->type == 'payout.paid') {
|
||||||
@@ -287,7 +279,6 @@ if ($event->type == 'payout.created') {
|
|||||||
|
|
||||||
$ret = $mailfile->sendfile();
|
$ret = $mailfile->sendfile();
|
||||||
|
|
||||||
http_response_code(200);
|
|
||||||
return 1;
|
return 1;
|
||||||
} else {
|
} else {
|
||||||
$error++;
|
$error++;
|
||||||
@@ -396,4 +387,4 @@ if ($event->type == 'payout.created') {
|
|||||||
// This event is deprecated.
|
// This event is deprecated.
|
||||||
}
|
}
|
||||||
|
|
||||||
http_response_code(200);
|
// End of page. Default return HTTP code will be 200
|
||||||
|
|||||||
@@ -91,7 +91,7 @@ if (!empty($conf->global->TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST))
|
|||||||
$extrafields->fetch_name_optionals_label($object->table_element);
|
$extrafields->fetch_name_optionals_label($object->table_element);
|
||||||
|
|
||||||
if (empty($conf->ticket->enabled)) {
|
if (empty($conf->ticket->enabled)) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('Module Ticket not enabled');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -59,7 +59,7 @@ $action = GETPOST('action', 'aZ09');
|
|||||||
$suffix = "";
|
$suffix = "";
|
||||||
|
|
||||||
if (empty($conf->ticket->enabled)) {
|
if (empty($conf->ticket->enabled)) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('Module Ticket not enabled');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -79,7 +79,7 @@ $object = new Ticket($db);
|
|||||||
$hookmanager->initHooks(array('ticketpubliclist', 'globalcard'));
|
$hookmanager->initHooks(array('ticketpubliclist', 'globalcard'));
|
||||||
|
|
||||||
if (empty($conf->ticket->enabled)) {
|
if (empty($conf->ticket->enabled)) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('Module Ticket not enabled');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -73,7 +73,7 @@ if (isset($_SESSION['email_customer'])) {
|
|||||||
$object = new ActionsTicket($db);
|
$object = new ActionsTicket($db);
|
||||||
|
|
||||||
if (empty($conf->ticket->enabled)) {
|
if (empty($conf->ticket->enabled)) {
|
||||||
accessforbidden('', 0, 0, 1);
|
httponly_accessforbidden('Module Ticket not enabled');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -92,7 +92,9 @@ if ($user->socid > 0) {
|
|||||||
}
|
}
|
||||||
$result = restrictedArea($user, 'societe', $object->id, '&societe');
|
$result = restrictedArea($user, 'societe', $object->id, '&societe');
|
||||||
|
|
||||||
$permissiontoadd = $user->rights->societe->creer; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles
|
if (empty($object->id)) {
|
||||||
|
accessforbidden();
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
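Review bot: Line L3805, `$permissiontoadd = $user->rights->societe->creer;`, appears only on the old side of this hunk, so the assignment is removed while the new `if (empty($object->id))` check is added; its own comment says the value is consumed by the included actions_addupdatedelete.inc.php and actions_linkedfiles. Unless the same variable is assigned earlier in the file (outside this hunk), those includes now see an undefined `$permissiontoadd`, which breaks the linked-files actions for users who should have them. The hunk at L3829–L3902 likewise drops `$form = new Form($db);` at L3885; confirm `$form` is not used further down the page.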
@@ -115,17 +117,12 @@ if (!empty($conf->global->MAIN_HTML_TITLE) && preg_match('/thirdpartynameonly/',
|
|||||||
$help_url = 'EN:Module_Third_Parties|FR:Module_Tiers|ES:Empresas';
|
$help_url = 'EN:Module_Third_Parties|FR:Module_Tiers|ES:Empresas';
|
||||||
llxHeader('', $title, $help_url);
|
llxHeader('', $title, $help_url);
|
||||||
|
|
||||||
if ($object->id) {
|
// Show tabs
|
||||||
/*
|
|
||||||
* Show tabs
|
|
||||||
*/
|
|
||||||
if (!empty($conf->notification->enabled)) {
|
if (!empty($conf->notification->enabled)) {
|
||||||
$langs->load("mails");
|
$langs->load("mails");
|
||||||
}
|
}
|
||||||
$head = societe_prepare_head($object);
|
$head = societe_prepare_head($object);
|
||||||
|
|
||||||
$form = new Form($db);
|
|
||||||
|
|
||||||
print dol_get_fiche_head($head, 'document', $langs->trans("ThirdParty"), -1, 'company');
|
print dol_get_fiche_head($head, 'document', $langs->trans("ThirdParty"), -1, 'company');
|
||||||
|
|
||||||
|
|
||||||
@@ -194,9 +191,6 @@ if ($object->id) {
|
|||||||
$permtoedit = $user->rights->societe->creer;
|
$permtoedit = $user->rights->societe->creer;
|
||||||
$param = '&id='.$object->id;
|
$param = '&id='.$object->id;
|
||||||
include DOL_DOCUMENT_ROOT.'/core/tpl/document_actions_post_headers.tpl.php';
|
include DOL_DOCUMENT_ROOT.'/core/tpl/document_actions_post_headers.tpl.php';
|
||||||
} else {
|
|
||||||
accessforbidden('', 0, 0);
|
|
||||||
}
|
|
||||||
|
|
||||||
// End of page
|
// End of page
|
||||||
llxFooter();
|
llxFooter();
|
||||||
|
|||||||
@@ -753,7 +753,7 @@ class User extends CommonObject
|
|||||||
//var_dump($module);
|
//var_dump($module);
|
||||||
//var_dump($this->rights->$rightsPath);
|
//var_dump($this->rights->$rightsPath);
|
||||||
//var_dump($conf->modules);
|
//var_dump($conf->modules);
|
||||||
if (!in_array($module, $conf->modules)) {
|
if (!isModEnabled($module)) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -138,10 +138,10 @@ $entity = GETPOST('entity', 'int') ?GETPOST('entity', 'int') : $conf->entity;
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if (empty($modulepart) && empty($hashp)) {
|
if (empty($modulepart) && empty($hashp)) {
|
||||||
accessforbidden('Bad link. Bad value for parameter modulepart', 0, 0, 1);
|
httponly_accessforbidden('Bad link. Bad value for parameter modulepart', 400);
|
||||||
}
|
}
|
||||||
if (empty($original_file) && empty($hashp) && $modulepart != 'barcode') {
|
if (empty($original_file) && empty($hashp) && $modulepart != 'barcode') {
|
||||||
accessforbidden('Bad link. Missing identification to find file (param file or hashp)', 0, 0, 1);
|
httponly_accessforbidden('Bad link. Missing identification to find file (param file or hashp)', 400);
|
||||||
}
|
}
|
||||||
if ($modulepart == 'fckeditor') {
|
if ($modulepart == 'fckeditor') {
|
||||||
$modulepart = 'medias'; // For backward compatibility
|
$modulepart = 'medias'; // For backward compatibility
|
||||||
@@ -192,7 +192,7 @@ if (!empty($hashp)) {
|
|||||||
$original_file = (($tmp[1] ? $tmp[1].'/' : '').$ecmfile->filename); // this is relative to module dir
|
$original_file = (($tmp[1] ? $tmp[1].'/' : '').$ecmfile->filename); // this is relative to module dir
|
||||||
//var_dump($original_file); exit;
|
//var_dump($original_file); exit;
|
||||||
} else {
|
} else {
|
||||||
accessforbidden('Bad link. File is from another module part.', 0, 0, 1);
|
httponly_accessforbidden('Bad link. File is from another module part.', 403);
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
$modulepart = $moduleparttocheck;
|
$modulepart = $moduleparttocheck;
|
||||||
@@ -200,7 +200,7 @@ if (!empty($hashp)) {
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
$langs->load("errors");
|
$langs->load("errors");
|
||||||
accessforbidden($langs->trans("ErrorFileNotFoundWithSharedLink"), 0, 0, 1);
|
httponly_accessforbidden($langs->trans("ErrorFileNotFoundWithSharedLink"), 403, 1);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -214,11 +214,11 @@ if (GETPOST('type', 'alpha')) {
|
|||||||
|
|
||||||
// Security: This wrapper is for images. We do not allow type/html
|
// Security: This wrapper is for images. We do not allow type/html
|
||||||
if (preg_match('/html/i', $type)) {
|
if (preg_match('/html/i', $type)) {
|
||||||
accessforbidden('Error: Using the image wrapper to output a file with a mime type HTML is not possible.', 0, 0, 1);
|
httponly_accessforbidden('Error: Using the image wrapper to output a file with a mime type HTML is not possible.');
|
||||||
}
|
}
|
||||||
// Security: This wrapper is for images. We do not allow files ending with .noexe
|
// Security: This wrapper is for images. We do not allow files ending with .noexe
|
||||||
if (preg_match('/\.noexe$/i', $original_file)) {
|
if (preg_match('/\.noexe$/i', $original_file)) {
|
||||||
accessforbidden('Error: Using the image wrapper to output a file ending with .noexe is not allowed.', 0, 0, 1);
|
httponly_accessforbidden('Error: Using the image wrapper to output a file ending with .noexe is not allowed.');
|
||||||
}
|
}
|
||||||
|
|
||||||
// Security: Delete string ../ or ..\ into $original_file
|
// Security: Delete string ../ or ..\ into $original_file
|
||||||
@@ -231,12 +231,12 @@ $refname = basename(dirname($original_file)."/");
|
|||||||
|
|
||||||
// Check that file is allowed for view with viewimage.php
|
// Check that file is allowed for view with viewimage.php
|
||||||
if (!empty($original_file) && !dolIsAllowedForPreview($original_file)) {
|
if (!empty($original_file) && !dolIsAllowedForPreview($original_file)) {
|
||||||
accessforbidden('This file is not qualified for preview', 0, 0, 1);
|
httponly_accessforbidden('This file is not qualified for preview', 403);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if (empty($modulepart)) {
|
if (empty($modulepart)) {
|
||||||
accessforbidden('Bad value for parameter modulepart', 0, 0, 1);
|
httponly_accessforbidden('Bad value for parameter modulepart', 400);
|
||||||
}
|
}
|
||||||
|
|
||||||
// When logged in a different entity, medias cannot be accessed because $conf->$module->multidir_output
|
// When logged in a different entity, medias cannot be accessed because $conf->$module->multidir_output
|
||||||
|
|||||||
@@ -191,7 +191,7 @@ llxHeader('', $title, $help_url);
|
|||||||
// Part to create
|
// Part to create
|
||||||
if ($action == 'create') {
|
if ($action == 'create') {
|
||||||
if (empty($permissiontoadd)) {
|
if (empty($permissiontoadd)) {
|
||||||
accessforbidden($langs->trans('NotEnoughPermissions'), 0, 1);
|
accessforbidden('NotEnoughPermissions', 0, 1);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||