lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix: Use entity

Browse Source
This commit is contained in:
Laurent Destailleur 2013-04-25 10:22:08 +02:00
parent 86ea79c860
commit 023b6f2e8b
4 changed files with 14 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
htdocs/core/lib/files.lib.php
View File

@ -1233,13 +1233,15 @@ function dol_most_recent_file($dir,$regexfilter='',$excludefilter=array('\.meta$
*
* @param string $modulepart Module of document
* @param string $original_file Relative path with filename
* @param string $entity Restrict onto entity
* @return mixed Array with access information : accessallowed & sqlprotectagainstexternals & original_file (as full path name)
*/
function dol_check_secure_access_document($modulepart,$original_file)
function dol_check_secure_access_document($modulepart,$original_file,$entity)
{
global $user, $conf;
if (empty($modulepart)) return 'ErrorBadParameter';
if (empty($entity)) $entity=0;
// We define $accessallowed and $sqlprotectagainstexternals
$accessallowed=0;

2
htdocs/document.php
View File

@ -96,7 +96,7 @@ $refname=basename(dirname($original_file)."/");
// Security check
if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart');
$check_access = dol_check_secure_access_document($modulepart,$original_file);
$check_access = dol_check_secure_access_document($modulepart,$original_file,$entity);
$accessallowed = $check_access['accessallowed'];
$sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals'];
$original_file = $check_access['original_file'];

2
htdocs/viewimage.php
View File

@ -100,7 +100,7 @@ $original_file = str_replace("../","/", $original_file);
// Security check
if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart');
$check_access = dol_check_secure_access_document($modulepart,$original_file);
$check_access = dol_check_secure_access_document($modulepart,$original_file,$entity);
$accessallowed = $check_access['accessallowed'];
$sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals'];
$original_file = $check_access['original_file'];

18
htdocs/webservices/server_other.php
View File

@ -192,7 +192,7 @@ function getDocument($authentication, $modulepart, $file)
$error=0;
// Properties of doc
$original_file = $file;
$original_file = $file;
$type=dol_mimetype($original_file);
$relativefilepath = $ref . "/";
$relativepath = $relativefilepath . $ref.'.pdf';
@ -221,10 +221,10 @@ function getDocument($authentication, $modulepart, $file)
$refname=basename(dirname($original_file)."/");
// Security check
$accessallowed=0;
$check_access = dol_check_secure_access_document($modulepart,$original_file);
$accessallowed=$check_access['accessallowed'];
$check_access = dol_check_secure_access_document($modulepart,$original_file,$conf->entity);
$accessallowed = $check_access['accessallowed'];
$sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals'];
$original_file = $check_access['original_file'];
// Basic protection (against external users only)
if ($fuser->societe_id > 0)
@ -277,27 +277,27 @@ function getDocument($authentication, $modulepart, $file)
if(file_exists($original_file))
{
dol_syslog("Function: getDocument $original_file $filename content-type=$type");
$file=$fileparams['fullname'];
$filename = basename($file);
$f = fopen($original_file,'r');
$content_file = fread($f,filesize($original_file));
$objectret = array(
'filename' => basename($original_file),
'mimetype' => dol_mimetype($original_file),
'content' => base64_encode($content_file),
'length' => filesize($original_file)
);
// Create return object
$objectresp = array(
'result'=>array('result_code'=>'OK', 'result_label'=>''),
'document'=>$objectret
);
}
else
else
{
dol_syslog("File doesn't exist ".$original_file);
$errorcode='NOT_FOUND';