Allow to view ticket linked files from public interface (#32410)
committed by
GitHub
parent
a605244dea
commit
eaa05a482f
@@ -3641,6 +3641,30 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
|
||||
$accessallowed = 1;
|
||||
}
|
||||
$original_file = $conf->member->dir_output.'/'.$original_file;
|
||||
} elseif ($modulepart == 'ticket' && !empty($conf->ticket->multidir_output[$entity])) {
|
||||
// Wrapping for events
|
||||
if ($fuser->hasRight('ticket', $read)) {
|
||||
$accessallowed = 1;
|
||||
}
|
||||
if (!isset($_SESSION['email_customer'])) {
|
||||
$sqlprotectagainstexternals = '';
|
||||
} else {
|
||||
$email_split = explode('@', $_SESSION['email_customer']);
|
||||
|
||||
$sqlprotectagainstexternals = 'SELECT t.rowid, t.fk_soc FROM '.MAIN_DB_PREFIX.'ticket t';
|
||||
$sqlprotectagainstexternals.= ' LEFT JOIN '.MAIN_DB_PREFIX.'element_contact ec ON ec.element_id = t.rowid';
|
||||
$sqlprotectagainstexternals.= ' LEFT JOIN '.MAIN_DB_PREFIX.'socpeople c ON c.rowid = ec.fk_socpeople';
|
||||
$sqlprotectagainstexternals.= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_type_contact tc ON tc.element = "ticket" AND tc.rowid = ec.fk_c_type_contact';
|
||||
$sqlprotectagainstexternals.= ' WHERE t.ref LIKE "'.$db->sanitize($refname).'"';
|
||||
$sqlprotectagainstexternals.= ' AND (';
|
||||
$sqlprotectagainstexternals.= ' (';
|
||||
$sqlprotectagainstexternals.= ' tc.rowid IS NOT NULL';
|
||||
$sqlprotectagainstexternals.= ' AND c.email = "'.$db->sanitize($email_split[0]).'@'.$db->sanitize($email_split[1]).'"';
|
||||
$sqlprotectagainstexternals.= ' )';
|
||||
$sqlprotectagainstexternals.= ' OR t.origin_email = "'.$db->sanitize($email_split[0]).'@'.$db->sanitize($email_split[1]).'"';
|
||||
$sqlprotectagainstexternals.= ' )';
|
||||
}
|
||||
$original_file = $conf->ticket->multidir_output[$entity].'/'.$original_file;
|
||||
// If modulepart=module_user_temp Allows any module to open a file if file is in directory called DOL_DATA_ROOT/modulepart/temp/iduser
|
||||
// If modulepart=module_temp Allows any module to open a file if file is in directory called DOL_DATA_ROOT/modulepart/temp
|
||||
// If modulepart=module_user Allows any module to open a file if file is in directory called DOL_DATA_ROOT/modulepart/iduser
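Review bot: The ticket branch tests `t.ref LIKE "…"` for what is an equality check on `$refname`, a parameter of this function; `$db->sanitize()` keeps `_`, which is a LIKE single-character wildcard, so a value like `TS2301-000_` (example) would satisfy the check against any ticket sharing that prefix — `$sqlprotectagainstexternals .= ' WHERE t.ref = "'.$db->sanitize($refname).'"';` is tighter. The query also does not constrain the ticket's entity, so if refs are not unique across entities in a multicompany setup the email match can be satisfied by a same-ref ticket in another entity; adding `AND t.entity = '.((int) $entity)` would align the check with the `multidir_output[$entity]` path chosen just below. The comment `// Wrapping for events` is copied from a neighbouring branch and should read `// Wrapping for tickets`, and the `$sqlprotectagainstexternals.=` spacing differs from the `$sql .=` form used elsewhere in this commit. dol_check_secure_access_document begins and ends outside the hunk.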
|
||||
|
||||
@@ -74,6 +74,16 @@ if ((isset($_GET["modulepart"]) && $_GET["modulepart"] == 'medias')) {
|
||||
if (!defined("NOIPCHECK")) {
|
||||
define("NOIPCHECK", 1); // Do not check IP defined into conf $dolibarr_main_restrict_ip
|
||||
}
|
||||
} elseif (isset($_GET["modulepart"]) && $_GET["modulepart"] == 'ticket' && strpos($_SERVER['HTTP_REFERER'], 'public/ticket') !== false) {
|
||||
if (!defined("NOLOGIN")) {
|
||||
define("NOLOGIN", 1);
|
||||
}
|
||||
if (!defined("NOCSRFCHECK")) {
|
||||
define("NOCSRFCHECK", 1); // We accept to go on this page from external web site.
|
||||
}
|
||||
if (!defined("NOIPCHECK")) {
|
||||
define("NOIPCHECK", 1); // Do not check IP defined into conf $dolibarr_main_restrict_ip
|
||||
}
|
||||
}
|
||||
|
||||
/**
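Review bot: `$_SERVER['HTTP_REFERER']` is read without an existence check in the new `elseif`, so a request that carries no Referer header (direct download, strict Referrer-Policy, privacy extensions) raises an undefined-index warning before the comparison; `strpos(($_SERVER['HTTP_REFERER'] ?? ''), 'public/ticket') !== false` keeps the behaviour and fails closed. The Referer is client-supplied, so this condition only decides whether the login, CSRF and IP checks are skipped and cannot be treated as evidence that the request came from the public ticket page; authorization has to rest entirely on the later `$_SESSION['email_customer']` query, and a comment saying so on the `elseif` would keep the next maintainer from reading it as a security check. Defining `NOIPCHECK` here goes beyond what `NOLOGIN` needs: a request whose Referer merely contains `public/ticket` becomes exempt from `dolibarr_main_restrict_ip`, so if the public interface itself is reachable under that restriction the `NOIPCHECK` define could be dropped from this branch. The `if/elseif` chain this extends starts outside the hunk.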
|
||||
@@ -295,6 +305,16 @@ if (!empty($hashp)) {
|
||||
}
|
||||
}
|
||||
}
|
||||
} elseif ($modulepart == 'ticket' && !getDolGlobalString('TICKET_EMAIL_MUST_EXISTS')) {
|
||||
if ($sqlprotectagainstexternals) {
|
||||
$resql = $db->query($sqlprotectagainstexternals);
|
||||
if ($resql) {
|
||||
$num = $db->num_rows($resql);
|
||||
if ($num > 0) {
|
||||
$accessallowed = 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
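Review bot: The guard `!getDolGlobalString('TICKET_EMAIL_MUST_EXISTS')` enables the new public-access path only when the stricter option is off, so deployments that require the visitor's email to exist as a contact get no file access at all while less strict ones do; if that is not the intent the negation looks inverted, and if it is, a comment on the `elseif` explaining why the stricter mode is excluded would help. The branch grants access on `$num > 0` alone, which is correct only because `$sqlprotectagainstexternals` is already filtered by the session email inside dol_check_secure_access_document; a comment such as `// query is already restricted to tickets the session email is a contact of (or originated), so any row means access` would make that dependency explicit. The `if` chain this `elseif` extends starts outside the hunk.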
|
||||
|
||||
|
||||
@@ -344,7 +344,7 @@ class ActionsTicket extends CommonHookActions
|
||||
|
||||
$documents = array();
|
||||
|
||||
$sql = 'SELECT ecm.rowid as id, ecm.src_object_type, ecm.src_object_id';
|
||||
$sql = 'SELECT ecm.rowid as id, ecm.src_object_type, ecm.src_object_id, ecm.agenda_id';
|
||||
$sql .= ', ecm.filepath, ecm.filename, ecm.share';
|
||||
$sql .= ' FROM '.MAIN_DB_PREFIX.'ecm_files ecm';
|
||||
$sql .= " WHERE ecm.filepath = 'agenda/".(int) $arraymsgs['id']."'";
|
||||
@@ -363,7 +363,7 @@ class ActionsTicket extends CommonHookActions
|
||||
$isshared = 0;
|
||||
$footer = '<div class="timeline-documents-container">';
|
||||
foreach ($documents as $doc) {
|
||||
if (!empty($doc->share)) {
|
||||
if (!empty($doc->share) || ($doc->src_object_type == 'ticket')) {
|
||||
$isshared = 1;
|
||||
$footer .= '<span id="document_'.$doc->id.'" class="timeline-documents" ';
|
||||
$footer .= ' data-id="'.$doc->id.'" ';
|
||||
@@ -371,10 +371,23 @@ class ActionsTicket extends CommonHookActions
|
||||
$footer .= ' data-filename="'.dol_escape_htmltag($doc->filename).'" ';
|
||||
$footer .= '>';
|
||||
|
||||
if (empty($doc->agenda_id)) {
|
||||
$dir_ref = $arraymsgs['id'];
|
||||
$modulepart = 'actions';
|
||||
} else {
|
||||
$split_dir = explode('/', $doc->filepath);
|
||||
$modulepart = array_shift($split_dir);
|
||||
$dir_ref = implode('/', $split_dir);
|
||||
}
|
||||
$filePath = DOL_DATA_ROOT.'/'.$doc->filepath.'/'.$doc->filename;
|
||||
$file_relative_path = $dir_ref.'/'.$doc->filename;
|
||||
$mime = dol_mimetype($filePath);
|
||||
$thumb = $arraymsgs['id'].'/thumbs/'.substr($doc->filename, 0, strrpos($doc->filename, '.')).'_mini'.substr($doc->filename, strrpos($doc->filename, '.'));
|
||||
$doclink = DOL_URL_ROOT.'/document.php?hashp='.urlencode($doc->share);
|
||||
$doclink = '';
|
||||
if (!empty($doc->share)) {
|
||||
$doclink = DOL_URL_ROOT.'/document.php?hashp='.urlencode($doc->share);
|
||||
} elseif ($doc->src_object_type == 'ticket') {
|
||||
$doclink = dol_buildpath('document.php', 1).'?modulepart='.$modulepart.'&attachment=0&file='.urlencode($file_relative_path).'&entity='.getEntity('ticket', 0);
|
||||
}
|
||||
|
||||
$mimeAttr = ' mime="'.$mime.'" ';
|
||||
$class = '';
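Review bot: The new public link built with `dol_buildpath('document.php', 1)` interpolates `$modulepart` raw while `$file_relative_path` is url-encoded; in the `else` branch `$modulepart` is the first segment of `ecm.filepath`, so `urlencode($modulepart)` keeps the two consistent, and the `&` separators need the same attribute escaping as the surrounding `data-*` values wherever `$doclink` is placed into the footer markup (outside the hunk). The block now mixes `$filePath` with the new `$file_relative_path` and `$dir_ref`; one naming convention for the added locals would read better. With the condition in the previous hunk also accepting `src_object_type == 'ticket'`, `$isshared = 1` no longer means the document carries a share key; a comment like `// also set for unshared ticket files, which are served via document.php under the public session` on that assignment would avoid misreading it. The enclosing foreach and method continue outside the hunk.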
|
||||
|
||||