add security and enable
This commit is contained in:
parent
ddf731ea96
commit
098e670008
@ -19,24 +19,28 @@
|
||||
/**
|
||||
* \file htdocs/core/ajax/fileupload.php
|
||||
* \brief File to return Ajax response on file upload
|
||||
*
|
||||
* Option MAIN_USE_JQUERY_FILEUPLOAD must be enabled to have this feature working. Use is NOT secured !
|
||||
*/
|
||||
|
||||
if (!defined('NOTOKENRENEWAL')) {
|
||||
define('NOTOKENRENEWAL', '1');
|
||||
}
|
||||
if (!defined('NOREQUIREMENU')) {
|
||||
define('NOREQUIREMENU', '1'); // If there is no menu to show
|
||||
}
|
||||
if (!defined('NOREQUIREHTML')) {
|
||||
define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php
|
||||
}
|
||||
|
||||
if (!defined('NOREQUIREAJAX')) {
|
||||
define('NOREQUIREAJAX', '1');
|
||||
}
|
||||
if (!defined('NOREQUIRESOC')) {
|
||||
define('NOREQUIRESOC', '1');
|
||||
}
|
||||
/*if (!defined('NOREQUIRETRAN')) {
|
||||
define('NOREQUIRETRAN', '1');
|
||||
}*/
|
||||
|
||||
// Load Dolibarr environment
|
||||
require '../../main.inc.php';
|
||||
require_once DOL_DOCUMENT_ROOT.'/core/class/fileupload.class.php';
|
||||
require_once DOL_DOCUMENT_ROOT.'/core/class/genericobject.class.php';
|
||||
|
||||
error_reporting(E_ALL | E_STRICT);
|
||||
|
||||
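Review bot: The header sentence `Use is NOT secured !` is now misleading, because the entry point below this hunk runs a restrictedArea() permission check before any FileUpload is constructed; replace it with `* Access is checked with restrictedArea() on the element/fk_element received before any upload is handled.` The same sentence survives in the fileupload.class.php header (hunk `@ -19,8 +19,6`) and should be changed there too, since that class no longer gates on MAIN_USE_JQUERY_FILEUPLOAD. The commented-out NOREQUIRETRAN block is dead code and, if it is not needed, is better deleted than kept under comment.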
@ -44,16 +48,56 @@ error_reporting(E_ALL | E_STRICT);
|
||||
//print_r($_GET);
|
||||
//print 'upload_dir='.GETPOST('upload_dir');
|
||||
|
||||
$fk_element = GETPOST('fk_element', 'int');
|
||||
$element = GETPOST('element', 'alpha');
|
||||
$id = GETPOST('fk_element', 'int');
|
||||
$elementupload = GETPOST('element', 'alpha');
|
||||
$element = $elementupload;
|
||||
|
||||
$upload_handler = new FileUpload(null, $fk_element, $element);
|
||||
|
||||
// Feature not enabled. Warning feature not used and not secured so disabled.
|
||||
if (!getDolGlobalInt('MAIN_USE_JQUERY_FILEUPLOAD')) {
|
||||
return;
|
||||
if ($element == "invoice_supplier") {
|
||||
$element = "fournisseur";
|
||||
}
|
||||
|
||||
$object = new GenericObject($db);
|
||||
$tmparray = explode('@', $element);
|
||||
|
||||
if (empty($tmparray[1])) {
|
||||
$subelement = '';
|
||||
|
||||
$object->module = $element;
|
||||
$object->element = $element;
|
||||
$object->table_element = $element;
|
||||
|
||||
// Special case for compatibility
|
||||
if ($object->table_element == 'websitepage') {
|
||||
$object->table_element = 'website_page';
|
||||
}
|
||||
} else {
|
||||
$element = $tmparray[0];
|
||||
$subelement = $tmparray[1];
|
||||
|
||||
$object->module = $element;
|
||||
$object->element = $subelement;
|
||||
$object->table_element = $object->module.'_'.$object->element;
|
||||
}
|
||||
$object->id = $id;
|
||||
|
||||
// Security check
|
||||
if (!empty($user->socid)) {
|
||||
$socid = $user->socid;
|
||||
}
|
||||
|
||||
$module = $object->module;
|
||||
$element = $object->element;
|
||||
$usesublevelpermission = ($module != $element ? $element : '');
|
||||
if ($usesublevelpermission && !isset($user->rights->$module->$element)) { // There is no permission on object defined, we will check permission on module directly
|
||||
$usesublevelpermission = '';
|
||||
}
|
||||
$result = restrictedArea($user, $object->module, $object, $object->table_element, $usesublevelpermission, 'fk_soc', 'rowid', 0, 1);
|
||||
if (!$result) {
|
||||
header('HTTP/1.0 403 Forbidden');
|
||||
exit;
|
||||
}
|
||||
$upload_handler = new FileUpload(null, $id, $elementupload);
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
|
||||
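Review bot: The new gate before `$upload_handler = new FileUpload(null, $id, $elementupload);` relies on restrictedArea(), which as far as I can tell from the project's convention verifies read access on the object, while this endpoint performs writes and, through FileUpload::post() honouring `_method=DELETE` (hunk `@ -536,10 +510,6`), deletions, so a user with read-only rights on the module would still be able to add or remove attachments. Add an explicit write check next to it, e.g. `if (!$result || empty($user->rights->$module->creer)) { header('HTTP/1.0 403 Forbidden'); exit; }`, adapting the right name to the module's convention where it differs. The `$socid = $user->socid;` assignment under `// Security check` is never read afterwards and can be dropped, and the trailing `1` passed to restrictedArea() is presumably the return-instead-of-exit mode that makes the 403 branch reachable, which deserves a one-line comment. Since `$object->table_element` is built from the `element` request parameter and handed to restrictedArea() as the table to query, a whitelist of accepted element names (or a check that the element exists) would be a cheap hardening. With the MAIN_USE_JQUERY_FILEUPLOAD checks removed both here and in fileupload.class.php there is no administrative switch left to disable the endpoint, so consider keeping one behind a conf constant.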
@ -19,8 +19,6 @@
|
||||
/**
|
||||
* \file htdocs/core/class/fileupload.class.php
|
||||
* \brief File to return Ajax response on file upload
|
||||
*
|
||||
* Option MAIN_USE_JQUERY_FILEUPLOAD must be enabled to have feature working. Use is NOT secured !
|
||||
*/
|
||||
|
||||
require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
|
||||
@ -49,11 +47,6 @@ class FileUpload
|
||||
global $object;
|
||||
global $hookmanager;
|
||||
|
||||
// Feature not enabled. Warning feature not used and not secured so disabled.
|
||||
if (!getDolGlobalInt('MAIN_USE_JQUERY_FILEUPLOAD')) {
|
||||
return;
|
||||
}
|
||||
|
||||
$hookmanager->initHooks(array('fileupload'));
|
||||
|
||||
$this->fk_element = $fk_element;
|
||||
@ -266,9 +259,6 @@ class FileUpload
|
||||
*/
|
||||
protected function getFileObject($file_name)
|
||||
{
|
||||
if (!getDolGlobalInt('MAIN_USE_JQUERY_FILEUPLOAD')) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$file_path = $this->options['upload_dir'].$file_name;
|
||||
if (is_file($file_path) && $file_name[0] !== '.') {
|
||||
@ -310,10 +300,6 @@ class FileUpload
|
||||
{
|
||||
global $maxwidthmini, $maxheightmini;
|
||||
|
||||
if (!getDolGlobalInt('MAIN_USE_JQUERY_FILEUPLOAD')) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$file_path = $this->options['upload_dir'].$file_name;
|
||||
$new_file_path = $options['upload_dir'].$file_name;
|
||||
|
||||
@ -345,10 +331,6 @@ class FileUpload
|
||||
*/
|
||||
protected function validate($uploaded_file, $file, $error, $index)
|
||||
{
|
||||
if (!getDolGlobalInt('MAIN_USE_JQUERY_FILEUPLOAD')) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if ($error) {
|
||||
$file->error = $error;
|
||||
return false;
|
||||
@ -464,10 +446,6 @@ class FileUpload
|
||||
*/
|
||||
protected function handleFileUpload($uploaded_file, $name, $size, $type, $error, $index)
|
||||
{
|
||||
if (!getDolGlobalInt('MAIN_USE_JQUERY_FILEUPLOAD')) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$file = new stdClass();
|
||||
$file->name = $this->trimFileName($name, $type, $index);
|
||||
$file->mime = dol_mimetype($file->name, '', 2);
|
||||
@ -514,10 +492,6 @@ class FileUpload
|
||||
*/
|
||||
public function get()
|
||||
{
|
||||
if (!getDolGlobalInt('MAIN_USE_JQUERY_FILEUPLOAD')) {
|
||||
return;
|
||||
}
|
||||
|
||||
$file_name = isset($_REQUEST['file']) ?
|
||||
basename(stripslashes($_REQUEST['file'])) : null;
|
||||
if ($file_name) {
|
||||
@ -536,10 +510,6 @@ class FileUpload
|
||||
*/
|
||||
public function post()
|
||||
{
|
||||
if (!getDolGlobalInt('MAIN_USE_JQUERY_FILEUPLOAD')) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (isset($_REQUEST['_method']) && $_REQUEST['_method'] === 'DELETE') {
|
||||
return $this->delete();
|
||||
}
|
||||
@ -595,10 +565,6 @@ class FileUpload
|
||||
*/
|
||||
public function delete()
|
||||
{
|
||||
if (!getDolGlobalInt('MAIN_USE_JQUERY_FILEUPLOAD')) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$file_name = isset($_REQUEST['file']) ?
|
||||
basename(stripslashes($_REQUEST['file'])) : null;
|
||||
$file_path = $this->options['upload_dir'].$file_name;
|
||||
|
||||
@ -3365,7 +3365,7 @@ function dragAndDropFileUpload($htmlname)
|
||||
fd.append("fk_element","'.dol_escape_json($object->id).'");
|
||||
fd.append("element","'.dol_escape_json($object->element).'");
|
||||
fd.append("token","'.newToken().'");
|
||||
fd.append("action","uploadfile");
|
||||
fd.append("action","linkit");
|
||||
var dataTransfer = e.originalEvent.dataTransfer;
|
||||
if(dataTransfer.files && dataTransfer.files.length){
|
||||
var droppedFiles = e.originalEvent.dataTransfer.files;
|
||||
@ -3383,11 +3383,14 @@ function dragAndDropFileUpload($htmlname)
|
||||
data:fd,
|
||||
success:function(){
|
||||
console.log("Uploaded.",arguments);
|
||||
window.location.href = "'.$_SERVER["PHP_SELF"].'?id='.dol_escape_json($object->id).'&seteventmessages=uploadFileDragDropSuccess:mesgs";
|
||||
window.location.href = "'.$_SERVER["PHP_SELF"].'?id='.dol_escape_json($object->id).'&seteventmessages=UploadFileDragDropSuccess:mesgs";
|
||||
},
|
||||
error:function(){
|
||||
console.log("Error Uploading.",arguments)
|
||||
window.location.href = "'.$_SERVER["PHP_SELF"].'?id='.dol_escape_json($object->id).'&seteventmessages=uploadFileDragDropError:errors";
|
||||
if (arguments[0].status == 403){
|
||||
window.location.href = "'.$_SERVER["PHP_SELF"].'?id='.dol_escape_json($object->id).'&seteventmessages=ErrorUploadPermissionDenied:errors";
|
||||
}
|
||||
window.location.href = "'.$_SERVER["PHP_SELF"].'?id='.dol_escape_json($object->id).'&seteventmessages=ErrorUploadFileDragDropPermissionDenied:errors";
|
||||
},
|
||||
})
|
||||
});
|
||||
|
||||
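Review bot: In the `error:` callback the unconditional `window.location.href = ... ErrorUploadFileDragDropPermissionDenied:errors` after the `if (arguments[0].status == 403)` block overwrites whatever the branch set, so every failure, including size or server errors, is reported as "permission denied" and the 403 branch is effectively dead. Put the generic redirect in an `else` and point it at the existing `ErrorUploadFileDragDrop` key, keeping `ErrorUploadFileDragDropPermissionDenied` for the 403 case. The `ErrorUploadPermissionDenied` key used inside the 403 branch does not appear in the visible language hunk (only `ErrorUploadFileDragDropPermissionDenied` is added), so it would likely render untranslated; use one key consistently.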
@ -2061,7 +2061,7 @@ function dol_get_fiche_head($links = array(), $active = '', $title = '', $notab
|
||||
if (!$notab || $notab == -1 || $notab == -2 || $notab == -3) {
|
||||
$out .= "\n".'<div id="dragDropAreaTabBar" class="tabBar'.($notab == -1 ? '' : ($notab == -2 ? ' tabBarNoTop' : (($notab == -3 ? ' noborderbottom' : '')))).'">'."\n";
|
||||
}
|
||||
if (getDolGlobalString("MAIN_FEATURES_LEVEL") >= 2 && !empty($dragdropfile)) {
|
||||
if (!empty($dragdropfile)) {
|
||||
$out .= dragAndDropFileUpload("dragDropAreaTabBar");
|
||||
}
|
||||
$parameters = array('tabname' => $active, 'out' => $out);
|
||||
|
||||
@ -310,6 +310,8 @@ ErrorFieldExist=The value for <b>%s</b> already exist
|
||||
ErrorEqualModule=Module invalid in <b>%s</b>
|
||||
ErrorFieldValue=Value for <b>%s</b> is incorrect
|
||||
ErrorCoherenceMenu=<b>%s</b> is required when <b>%s</b> is 'left'
|
||||
ErrorUploadFileDragDrop=There was an error while the file(s) upload
|
||||
ErrorUploadFileDragDropPermissionDenied=There was an error while the file(s) upload : Permission denied
|
||||
|
||||
# Warnings
|
||||
WarningParamUploadMaxFileSizeHigherThanPostMaxSize=Your PHP parameter upload_max_filesize (%s) is higher than PHP parameter post_max_size (%s). This is not a consistent setup.
|
||||
|
||||
@ -1230,5 +1230,4 @@ PublicVirtualCardUrl=Virtual business card page URL
|
||||
PublicVirtualCard=Virtual business card
|
||||
TreeView=Tree view
|
||||
DropFileToAddItToObject=Drop a file to add it to this object
|
||||
uploadFileDragDropSuccess=The file(s) have been uploaded successfully
|
||||
uploadFileDragDropError=There was an error while the file(s) upload
|
||||
UploadFileDragDropSuccess=The file(s) have been uploaded successfully
|
||||
|
||||