Qual: Uniformize permission code between viewimage.php and document.php

2013-05-16 15:46:54 +02:00 · 2013-05-16 15:46:54 +02:00 · 393ad1447a
commit 393ad1447a
parent ad5a350073
4 changed files with 37 additions and 28 deletions
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@ -1221,7 +1221,7 @@ function dol_uncompress($inputfile,$outputdir)
 * @param 	string	$dir			Directory to scan
 * @param	string	$regexfilter	Regex filter to restrict list. This regex value must be escaped for '/', since this char is used for preg_match function
 * @param	string	$excludefilter  Array of Regex for exclude filter (example: array('\.meta$','^\.')). This regex value must be escaped for '/', since this char is used for preg_match function
- *  @param	int		$nohook			Disable all hooks
+ * @param	int		$nohook			Disable all hooks
 * @return	string					Full path to most recent file
 */
 function dol_most_recent_file($dir,$regexfilter='',$excludefilter=array('\.meta$','^\.'),$nohook=false)
@ -1236,11 +1236,12 @@ function dol_most_recent_file($dir,$regexfilter='',$excludefilter=array('\.meta$
 * @param	string	$modulepart			Module of document
 * @param	string	$original_file		Relative path with filename
 * @param	string	$entity				Restrict onto entity
+ * @param	string	$refname			Ref of object to check permission for external users (autodetect if not provided)
 * @return	mixed						Array with access information : accessallowed & sqlprotectagainstexternals & original_file (as full path name)
 */
-function dol_check_secure_access_document($modulepart,$original_file,$entity)
+function dol_check_secure_access_document($modulepart,$original_file,$entity,$refname='')
 {
-	global $user, $conf;
+	global $user, $conf, $db;

 	if (empty($modulepart)) return 'ErrorBadParameter';
 	if (empty($entity)) $entity=0;
@ -1250,6 +1251,9 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
 	$sqlprotectagainstexternals='';
 	$ret=array();

+	// find the subdirectory name as the reference
+	if (empty($refname)) $refname=basename(dirname($original_file)."/");
+	
 	// Wrapping for some images
 	if ($modulepart == 'companylogo')
 	{
@ -1425,7 +1429,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
 			$accessallowed=1;
 		}
 		$original_file=$conf->societe->multidir_output[$entity].'/'.$original_file;
-		$sqlprotectagainstexternals = "SELECT rowid as fk_soc FROM ".MAIN_DB_PREFIX."societe WHERE rowid='".$refname."' AND entity IN (".getEntity('societe', 1).")";
+		$sqlprotectagainstexternals = "SELECT rowid as fk_soc FROM ".MAIN_DB_PREFIX."societe WHERE rowid='".$db->escape($refname)."' AND entity IN (".getEntity('societe', 1).")";
 	}

 	// Wrapping for invoices
@ -1436,7 +1440,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
 			$accessallowed=1;
 		}
 		$original_file=$conf->facture->dir_output.'/'.$original_file;
-		$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."facture WHERE ref='".$refname."' AND entity=".$conf->entity;
+		$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."facture WHERE ref='".$db->escape($refname)."' AND entity=".$conf->entity;
 	}

 	else if ($modulepart == 'unpaid')
@ -1456,7 +1460,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
 			$accessallowed=1;
 		}
 		$original_file=$conf->ficheinter->dir_output.'/'.$original_file;
-		$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."fichinter WHERE ref='".$refname."' AND entity=".$conf->entity;
+		$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."fichinter WHERE ref='".$db->escape($refname)."' AND entity=".$conf->entity;
 	}

 	// Wrapping pour les deplacements et notes de frais
@ -1467,7 +1471,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
 			$accessallowed=1;
 		}
 		$original_file=$conf->deplacement->dir_output.'/'.$original_file;
-		//$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."fichinter WHERE ref='".$refname."' AND entity=".$conf->entity;
+		//$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."fichinter WHERE ref='".$db->escape($refname)."' AND entity=".$conf->entity;
 	}
 	// Wrapping pour les propales
 	else if ($modulepart == 'propal')
@ -1478,7 +1482,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
 		}

 		$original_file=$conf->propal->dir_output.'/'.$original_file;
-		$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."propal WHERE ref='".$refname."' AND entity=".$conf->entity;
+		$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."propal WHERE ref='".$db->escape($refname)."' AND entity=".$conf->entity;
 	}

 	// Wrapping pour les commandes
@ -1489,7 +1493,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
 			$accessallowed=1;
 		}
 		$original_file=$conf->commande->dir_output.'/'.$original_file;
-		$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."commande WHERE ref='".$refname."' AND entity=".$conf->entity;
+		$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."commande WHERE ref='".$db->escape($refname)."' AND entity=".$conf->entity;
 	}

 	// Wrapping pour les projets
@ -1500,7 +1504,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
 			$accessallowed=1;
 		}
 		$original_file=$conf->projet->dir_output.'/'.$original_file;
-		$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."projet WHERE ref='".$refname."' AND entity=".$conf->entity;
+		$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."projet WHERE ref='".$db->escape($refname)."' AND entity=".$conf->entity;
 	}

 	// Wrapping pour les commandes fournisseurs
@ -1511,7 +1515,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
 			$accessallowed=1;
 		}
 		$original_file=$conf->fournisseur->commande->dir_output.'/'.$original_file;
-		$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."commande_fournisseur WHERE ref='".$refname."' AND entity=".$conf->entity;
+		$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."commande_fournisseur WHERE ref='".$db->escape($refname)."' AND entity=".$conf->entity;
 	}

 	// Wrapping pour les factures fournisseurs
@ -1522,7 +1526,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
 			$accessallowed=1;
 		}
 		$original_file=$conf->fournisseur->facture->dir_output.'/'.$original_file;
-		$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."facture_fourn WHERE facnumber='".$refname."' AND entity=".$conf->entity;
+		$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."facture_fourn WHERE facnumber='".$db->escape($refname)."' AND entity=".$conf->entity;
 	}

 	// Wrapping pour les rapport de paiements
@ -1755,7 +1759,7 @@ function dol_check_secure_access_document($modulepart,$original_file,$entity)
 		$sqlProtectConstName = strtoupper($modulepart).'_SQLPROTECTAGAINSTEXTERNALS_FOR_DOCUMENTS';
 		if (! empty($conf->global->$sqlProtectConstName))	// If module want to define its own $sqlprotectagainstexternals
 		{
-			// Example: mymodule__SQLPROTECTAGAINSTEXTERNALS_FOR_DOCUMENTS = "SELECT fk_soc FROM ".MAIN_DB_PREFIX.$modulepart." WHERE ref='".$refname."' AND entity=".$conf->entity;
+			// Example: mymodule__SQLPROTECTAGAINSTEXTERNALS_FOR_DOCUMENTS = "SELECT fk_soc FROM ".MAIN_DB_PREFIX.$modulepart." WHERE ref='".$db->escape($refname)."' AND entity=".$conf->entity;
 			eval('$sqlprotectagainstexternals = "'.$conf->global->$sqlProtectConstName.'";');
 		}
 	}
--- a/htdocs/document.php
+++ b/htdocs/document.php
@ -97,7 +97,7 @@ $refname=basename(dirname($original_file)."/");

 // Security check
 if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart');
-$check_access = dol_check_secure_access_document($modulepart,$original_file,$entity);
+$check_access = dol_check_secure_access_document($modulepart,$original_file,$entity,$refname);
 $accessallowed              = $check_access['accessallowed'];
 $sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals'];
 $original_file              = $check_access['original_file'];
--- a/htdocs/viewimage.php
+++ b/htdocs/viewimage.php
@ -57,8 +57,7 @@ $action=GETPOST('action','alpha');
 $original_file=GETPOST("file");
 $modulepart=GETPOST('modulepart','alpha');
 $urlsource=GETPOST("urlsource");
-$entity=GETPOST('entity','int');
-if ($entity == '') $entity=1;    // For backward compatibility
+$entity=GETPOST('entity')?GETPOST('entity','int'):$conf->entity;

 // Security check
 if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart');
@ -98,9 +97,12 @@ else $type=dol_mimetype($original_file);
 // Suppression de la chaine de caractere ../ dans $original_file
 $original_file = str_replace("../","/", $original_file);

+// Find the subdirectory name as the reference
+$refname=basename(dirname($original_file)."/");
+
 // Security check
 if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart');
-$check_access = dol_check_secure_access_document($modulepart,$original_file,$entity);
+$check_access = dol_check_secure_access_document($modulepart,$original_file,$entity,$refname);
 $accessallowed              = $check_access['accessallowed'];
 $sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals'];
 $original_file              = $check_access['original_file'];
--- a/htdocs/webservices/server_other.php
+++ b/htdocs/webservices/server_other.php
@ -173,13 +173,16 @@ function getVersions($authentication)
 }


-/*
+/**
 * Method to get a document by webservice
-* \param 	authentication	array
-* \param 	modulepart		array 	Properties of document
-*
-*/
-function getDocument($authentication, $modulepart, $file)
+ * 
+ * @param 	array	$authentication		Array with permissions
+ * @param 	string	$modulepart		 	Properties of document
+ * @param	string	$file				Relative path
+ * @param	string	$refname			Ref of object to check permission for external users (autodetect if not provided)
+ * @return	void
+ */
+function getDocument($authentication, $modulepart, $file, $refname='')
 {
 	global $db,$conf,$langs,$mysoc;

@ -194,8 +197,8 @@ function getDocument($authentication, $modulepart, $file)
 	// Properties of doc
 	$original_file = $file;
 	$type=dol_mimetype($original_file);
-	$relativefilepath = $ref . "/";
-	$relativepath = $relativefilepath . $ref.'.pdf';
+	//$relativefilepath = $ref . "/";
+	//$relativepath = $relativefilepath . $ref.'.pdf';

 	$accessallowed=0;

@ -218,10 +221,10 @@ function getDocument($authentication, $modulepart, $file)
 		$original_file = str_replace("../","/", $original_file);

 		// find the subdirectory name as the reference
-		$refname=basename(dirname($original_file)."/");
+		if (empty($refname)) $refname=basename(dirname($original_file)."/");

 		// Security check
-		$check_access = dol_check_secure_access_document($modulepart,$original_file,$conf->entity);
+		$check_access = dol_check_secure_access_document($modulepart,$original_file,$conf->entity,$refname);
 		$accessallowed              = $check_access['accessallowed'];
 		$sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals'];
 		$original_file              = $check_access['original_file'];
@ -320,4 +323,4 @@ function getDocument($authentication, $modulepart, $file)
 // Return the results.
 $server->service($HTTP_RAW_POST_DATA);

-?>
+?>