From 11096a54539045081a758a1fdfec76320a09e013 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 28 Aug 2021 00:53:13 +0200
Subject: [PATCH] Add hook checkSecureAccess. It replaces mymodule_SUBPERMCATEGORY_FOR_DOCUMENTS and mymodule_SQLPROTECTAGAINSTEXTERNALS_FOR_DOCUMENTS
---
 htdocs/core/lib/files.lib.php | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php
index 330e260a327..ba4b115e830 100644
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@@ -2269,8 +2269,9 @@ function dol_most_recent_file($dir, $regexfilter = '', $excludefilter = array('(
 */
 function dol_check_secure_access_document($modulepart, $original_file, $entity, $fuser = '', $refname = '', $mode = 'read')
 {
- global $conf, $db, $user;
+ global $conf, $db, $user, $hookmanager;
 global $dolibarr_main_data_root, $dolibarr_main_document_root_alt;
+ global $object;
 if (!is_object($fuser)) {
 $fuser = $user;
@@ -2927,6 +2928,25 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 }
 }
+ $parameters = array(
+ 'modulepart' => $modulepart,
+ 'original_file' => $original_file,
+ 'entity' => $entity,
+ 'fuser' => $fuser,
+ 'refname' => '',
+ 'mode' => $mode
+ );
+ $reshook = $hookmanager->executeHooks('checkSecureAccess', $parameters, $object);
+ if ($reshook > 0) {
+ if (!empty($hookmanager->resArray['accessallowed'])) {
+ $accessallowed = $hookmanager->resArray['accessallowed'];
+ }
+ if (!empty($hookmanager->resArray['sqlprotectagainstexternals'])) {
+ $sqlprotectagainstexternals = $hookmanager->resArray['sqlprotectagainstexternals'];
+ }
+ }
+
+ /*
 // For modules who wants to manage different levels of permissions for documents
 $subPermCategoryConstName = strtoupper($modulepart).'_SUBPERMCATEGORY_FOR_DOCUMENTS';
 if (!empty($conf->global->$subPermCategoryConstName)) {
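Review bot: The added `global $object;` line makes an access-control hook depend on whatever the calling page happened to leave in `$object`, and nothing visible in this hunk ties that variable to `$original_file` or `$refname`. It may be unset, or it may be a different record from the one whose document is being requested, so a hook that decides from `$object` could authorise against the wrong object. I would add a comment on that line, for example `// $object is set by the calling page and may be unset or unrelated to $original_file; hooks must not base the access decision on it`. The body of dol_check_secure_access_document continues outside this hunk.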
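Review bot: The hook parameters pass `'refname' => ''` rather than the function's `$refname` argument, so a `checkSecureAccess` implementation cannot tell which object the file belongs to, even though the constant it replaces was documented with a query on `$db->escape($refname)`. This looks like it should be `'refname' => $refname,`. The two `!empty()` guards also let a hook only raise `$accessallowed` or add a filter, never force `$accessallowed` back to 0, so a module cannot use it to deny a file that an earlier branch allowed. Testing `array_key_exists('accessallowed', $hookmanager->resArray)` instead would carry a deny through. `$hookmanager` is dereferenced without an `is_object()` check, and the function starts and ends outside this hunk, so whether it is always initialised here cannot be confirmed from the diff.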
@@ -2939,9 +2959,11 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 // Define $sqlprotectagainstexternals for modules who want to protect access using a SQL query.
 $sqlProtectConstName = strtoupper($modulepart).'_SQLPROTECTAGAINSTEXTERNALS_FOR_DOCUMENTS';
 if (!empty($conf->global->$sqlProtectConstName)) { // If module want to define its own $sqlprotectagainstexternals
- // Example: mymodule__SQLPROTECTAGAINSTEXTERNALS_FOR_DOCUMENTS = "SELECT fk_soc FROM ".MAIN_DB_PREFIX.$modulepart." WHERE ref='".$db->escape($refname)."' AND entity=".$conf->entity;
+ // Example: mymodule_SQLPROTECTAGAINSTEXTERNALS_FOR_DOCUMENTS = "SELECT fk_soc FROM ".MAIN_DB_PREFIX.$modulepart." WHERE ref='".$db->escape($refname)."' AND entity=".$conf->entity;
+ // TODO Replace this with a hook
 eval('$sqlprotectagainstexternals = "'.$conf->global->$sqlProtectConstName.'";');
 }
+ */
 }
 $ret = array(
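Review bot: Closing the `/* ... */` here disables the `_SUBPERMCATEGORY_FOR_DOCUMENTS` and `_SQLPROTECTAGAINSTEXTERNALS_FOR_DOCUMENTS` handling silently. That drops the `eval()` of a stored configuration string, but an installation that still has one of these constants set loses that restriction on upgrade with no message. For the SQL constant this presumably means external users are no longer filtered on that module's documents until a hook is written. A warning emitted outside the comment block when a constant is still set would surface this, for example `if (!empty($conf->global->{strtoupper($modulepart).'_SQLPROTECTAGAINSTEXTERNALS_FOR_DOCUMENTS'})) { dol_syslog('..._FOR_DOCUMENTS constants are ignored, use hook checkSecureAccess', LOG_WARNING); }`. The added `// TODO Replace this with a hook` sits in dead code and describes what this commit already does, so the block would be better deleted than commented out. The comment opens in the previous hunk and the function extends beyond both.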