lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Work on dol_check_secure_access_document to support write question

Browse Source
This commit is contained in:
Laurent Destailleur 2017-05-19 20:17:33 +02:00
parent ba5fb700ba
commit 06b37d0e82
3 changed files with 36 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
htdocs/core/lib/files.lib.php
View File

@ -1642,9 +1642,11 @@ function dol_most_recent_file($dir,$regexfilter='',$excludefilter=array('(\.meta
* @param string $entity Restrict onto entity
* @param User $fuser User object (forced)
* @param string $refname Ref of object to check permission for external users (autodetect if not provided)
* @param string $more Check permission for 'read' or 'write'
* @return mixed Array with access information : 'accessallowed' & 'sqlprotectagainstexternals' & 'original_file' (as a full path name)
* @see restrictedArea
*/
function dol_check_secure_access_document($modulepart,$original_file,$entity,$fuser='',$refname='')
function dol_check_secure_access_document($modulepart,$original_file,$entity,$fuser='',$refname='',$mode='read')
{
global $user, $conf, $db;
global $dolibarr_main_data_root;
@ -2246,6 +2248,12 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu
// If modulepart=module Allows any module to open a file if file is in directory called DOL_DATA_ROOT/modulepart
else
{
$lire='lire'; $read='read'; $download='download';
if ($mode == 'write')
{
$lire='creer'; $read='write'; $download='upload';
}
if (preg_match('/^specimen/i',$original_file)) $accessallowed=1; // If link to a file called specimen. Test must be done before changing $original_file int full path.
if ($fuser->admin) $accessallowed=1; // If user is admin
@ -2257,7 +2265,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu
dol_print_error('','Error call dol_check_secure_access_document with not supported value for modulepart parameter ('.$modulepart.')');
exit;
}
if ($fuser->rights->{$reg[1]}->lire || $fuser->rights->{$reg[1]}->read || ($fuser->rights->{$reg[1]}->download)) $accessallowed=1;
if ($fuser->rights->{$reg[1]}->{$lire} || $fuser->rights->{$reg[1]}->{$read} || ($fuser->rights->{$reg[1]}->{$download})) $accessallowed=1;
$original_file=$conf->{$reg[1]}->dir_temp.'/'.$fuser->id.'/'.$original_file;
}
else if (preg_match('/^([a-z]+)_temp$/i',$modulepart,$reg))
@ -2267,7 +2275,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu
dol_print_error('','Error call dol_check_secure_access_document with not supported value for modulepart parameter ('.$modulepart.')');
exit;
}
if ($fuser->rights->{$reg[1]}->lire || $fuser->rights->{$reg[1]}->read || ($fuser->rights->{$reg[1]}->download)) $accessallowed=1;
if ($fuser->rights->{$reg[1]}->{$lire} || $fuser->rights->{$reg[1]}->{$read} || ($fuser->rights->{$reg[1]}->{$download})) $accessallowed=1;
$original_file=$conf->{$reg[1]}->dir_temp.'/'.$original_file;
}
else if (preg_match('/^([a-z]+)_user$/i',$modulepart,$reg))
@ -2277,7 +2285,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu
dol_print_error('','Error call dol_check_secure_access_document with not supported value for modulepart parameter ('.$modulepart.')');
exit;
}
if ($fuser->rights->{$reg[1]}->lire || $fuser->rights->{$reg[1]}->read || ($fuser->rights->{$reg[1]}->download)) $accessallowed=1;
if ($fuser->rights->{$reg[1]}->{$lire} || $fuser->rights->{$reg[1]}->{$read} || ($fuser->rights->{$reg[1]}->{$download})) $accessallowed=1;
$original_file=$conf->{$reg[1]}->dir_output.'/'.$fuser->id.'/'.$original_file;
}
else
@ -2297,7 +2305,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu
}
else
{
if ($fuser->rights->$modulepart->lire || $fuser->rights->$modulepart->read) $accessallowed=1;
if ($fuser->rights->$modulepart->{$lire} || $fuser->rights->$modulepart->{$read}) $accessallowed=1;
$original_file=$conf->$modulepart->dir_output.'/'.$original_file;
}
}
@ -2307,7 +2315,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity,$fu
if (! empty($conf->global->$subPermCategoryConstName))
{
$subPermCategory = $conf->global->$subPermCategoryConstName;
if (! empty($subPermCategory) && (($fuser->rights->$modulepart->$subPermCategory->lire) || ($fuser->rights->$modulepart->$subPermCategory->read) || ($fuser->rights->$modulepart->$subPermCategory->download)))
if (! empty($subPermCategory) && (($fuser->rights->$modulepart->$subPermCategory->{$lire}) || ($fuser->rights->$modulepart->$subPermCategory->{$read}) || ($fuser->rights->$modulepart->$subPermCategory->{$download})))
{
$accessallowed=1;
}

1
htdocs/core/lib/security.lib.php
View File

@ -109,6 +109,7 @@ function dol_hash($chain,$type=0)
* @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optional)
* @param Canvas $objcanvas Object canvas
* @return int Always 1, die process if not allowed
* @see dol_check_secure_access_document
*/
function restrictedArea($user, $features, $objectid=0, $tableandshare='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid', $objcanvas=null)
{

21
test/phpunit/FilesLibTest.php
View File

@ -418,4 +418,25 @@ class FilesLibTest extends PHPUnit_Framework_TestCase
$this->assertEquals(1,count($founddirs));
}
/**
* testDolCheckSecureAccessDocument
*
* @return void
*/
public function testDolCheckSecureAccessDocument()
{
global $conf,$user,$langs,$db;
$conf=$this->savconf;
$user=$this->savuser;
$langs=$this->savlangs;
$db=$this->savdb;
//$dummyuser=new User($db);
//$result=restrictedArea($dummyuser,'societe');
//$result=dol_check_secure_access_document($user,'societe');
//$this->assertEquals(1,$result);
}
}