FIX No use of $_SESSION into master.inc.php

This commit is contained in:
Laurent Destailleur 2020-12-04 23:50:55 +01:00
parent 8455e03a08
commit 613ed8bcfa
4 changed files with 46 additions and 32 deletions


@ -101,8 +101,6 @@ if (!empty($conf->global->MAIN_MOTD))
/*
* Dashboard Dolibarr states (statistics)
* Hidden for external users


@ -250,8 +250,51 @@ if (!defined('NOSESSION'))
session_set_cookie_params(0, '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // Add tag secure and httponly on session cookie (same as setting session.cookie_httponly into php.ini). Must be called before the session_start.
session_name($sessionname);
session_start();
// By default conf->entity is 1, but we change this if we ask another value.
if (session_id() && !empty($_SESSION["dol_entity"])) {
// Entity inside an opened session
$conf->entity = $_SESSION["dol_entity"];
} elseif (!empty($_ENV["dol_entity"])) {
// Entity inside a CLI script
$conf->entity = $_ENV["dol_entity"];
} elseif (GETPOSTISSET("loginfunction") && GETPOST("entity", 'int')) {
// Just after a login page
$conf->entity = GETPOST("entity", 'int');
} elseif (defined('DOLENTITY') && is_numeric(constant('DOLENTITY'))) {
// For public page with MultiCompany module
$conf->entity = constant('DOLENTITY');
}
}
// If software has been locked. Only login $conf->global->MAIN_ONLY_LOGIN_ALLOWED is allowed.
if (!empty($conf->global->MAIN_ONLY_LOGIN_ALLOWED))
{
$ok = 0;
if ((!session_id() || !isset($_SESSION["dol_login"])) && !isset($_POST["username"]) && !empty($_SERVER["GATEWAY_INTERFACE"])) $ok = 1; // We let working pages if not logged and inside a web browser (login form, to allow login by admin)
elseif (isset($_POST["username"]) && $_POST["username"] == $conf->global->MAIN_ONLY_LOGIN_ALLOWED) $ok = 1; // We let working pages that is a login submission (login submit, to allow login by admin)
elseif (defined('NOREQUIREDB')) $ok = 1; // We let working pages that don't need database access (xxx.css.php)
elseif (defined('EVEN_IF_ONLY_LOGIN_ALLOWED')) $ok = 1; // We let working pages that ask to work even if only login enabled (logout.php)
elseif (session_id() && isset($_SESSION["dol_login"]) && $_SESSION["dol_login"] == $conf->global->MAIN_ONLY_LOGIN_ALLOWED) $ok = 1; // We let working if user is allowed admin
if (!$ok)
{
if (session_id() && isset($_SESSION["dol_login"]) && $_SESSION["dol_login"] != $conf->global->MAIN_ONLY_LOGIN_ALLOWED)
{
print 'Sorry, your application is offline.'."\n";
print 'You are logged with user "'.$_SESSION["dol_login"].'" and only administrator user "'.$conf->global->MAIN_ONLY_LOGIN_ALLOWED.'" is allowed to connect for the moment.'."\n";
$nexturl = DOL_URL_ROOT.'/user/logout.php';
print 'Please try later or <a href="'.$nexturl.'">click here to disconnect and change login user</a>...'."\n";
} else {
print 'Sorry, your application is offline. Only administrator user "'.$conf->global->MAIN_ONLY_LOGIN_ALLOWED.'" is allowed to connect for the moment.'."\n";
$nexturl = DOL_URL_ROOT.'/';
print 'Please try later or <a href="'.$nexturl.'">click here to change login user</a>...'."\n";
}
exit;
}
}
// Activate end of page function
register_shutdown_function('dol_shutdown');
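Review bot: The maintenance-mode gate now living in main.inc.php still uses loose comparison on the submitted login, `elseif (isset($_POST["username"]) && $_POST["username"] == $conf->global->MAIN_ONLY_LOGIN_ALLOWED) $ok = 1;`, and the same `==`/`!=` on the two `$_SESSION["dol_login"]` checks below it; PHP's loose rules treat numeric strings specially (`"1e3" == "1000"` is true), so `===`/`!==` would pin the exact-match semantics the comment describes. The "offline" message also prints `$_SESSION["dol_login"]` and the setting value straight into the HTML response before any page chrome; login names are normally admin-set so the exposure looks limited, but the value should still be escaped for the HTML context, e.g. `print 'You are logged with user "'.dol_escape_htmltag($_SESSION["dol_login"]).'" and only administrator user "'.dol_escape_htmltag($conf->global->MAIN_ONLY_LOGIN_ALLOWED).'" is allowed to connect for the moment.'."\n";` (dol_escape_htmltag is the helper this same commit uses in user/card.php). The `if (!defined('NOSESSION'))` block that the hunk header names opens above the hunk and is closed by the `}` just before the MAIN_ONLY_LOGIN_ALLOWED check.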
@ -2586,7 +2629,7 @@ function main_area($title = '')
print '<!-- Begin div class="fiche" -->'."\n".'<div class="fiche">'."\n";
if (!empty($conf->global->MAIN_ONLY_LOGIN_ALLOWED)) print info_admin($langs->trans("WarningYouAreInMaintenanceMode", $conf->global->MAIN_ONLY_LOGIN_ALLOWED));
if (!empty($conf->global->MAIN_ONLY_LOGIN_ALLOWED)) print info_admin($langs->trans("WarningYouAreInMaintenanceMode", $conf->global->MAIN_ONLY_LOGIN_ALLOWED), 0, 0, 1, 'warning maintenancemode');
// Permit to add user company information on each printed document by set SHOW_SOCINFO_ON_PRINT
if (!empty($conf->global->SHOW_SOCINFO_ON_PRINT) && GETPOST('optioncss', 'aZ09') == 'print' && empty(GETPOST('disable_show_socinfo_on_print', 'az09')))


@ -203,32 +203,6 @@ if (empty($conf->global->MAILING_LIMIT_SENDBYCLI))
$conf->global->MAILING_LIMIT_SENDBYCLI = 0;
}
// If software has been locked. Only login $conf->global->MAIN_ONLY_LOGIN_ALLOWED is allowed.
if (!empty($conf->global->MAIN_ONLY_LOGIN_ALLOWED))
{
$ok = 0;
if ((!session_id() || !isset($_SESSION["dol_login"])) && !isset($_POST["username"]) && !empty($_SERVER["GATEWAY_INTERFACE"])) $ok = 1; // We let working pages if not logged and inside a web browser (login form, to allow login by admin)
elseif (isset($_POST["username"]) && $_POST["username"] == $conf->global->MAIN_ONLY_LOGIN_ALLOWED) $ok = 1; // We let working pages that is a login submission (login submit, to allow login by admin)
elseif (defined('NOREQUIREDB')) $ok = 1; // We let working pages that don't need database access (xxx.css.php)
elseif (defined('EVEN_IF_ONLY_LOGIN_ALLOWED')) $ok = 1; // We let working pages that ask to work even if only login enabled (logout.php)
elseif (session_id() && isset($_SESSION["dol_login"]) && $_SESSION["dol_login"] == $conf->global->MAIN_ONLY_LOGIN_ALLOWED) $ok = 1; // We let working if user is allowed admin
if (!$ok)
{
if (session_id() && isset($_SESSION["dol_login"]) && $_SESSION["dol_login"] != $conf->global->MAIN_ONLY_LOGIN_ALLOWED)
{
print 'Sorry, your application is offline.'."\n";
print 'You are logged with user "'.$_SESSION["dol_login"].'" and only administrator user "'.$conf->global->MAIN_ONLY_LOGIN_ALLOWED.'" is allowed to connect for the moment.'."\n";
$nexturl = DOL_URL_ROOT.'/user/logout.php';
print 'Please try later or <a href="'.$nexturl.'">click here to disconnect and change login user</a>...'."\n";
} else {
print 'Sorry, your application is offline. Only administrator user "'.$conf->global->MAIN_ONLY_LOGIN_ALLOWED.'" is allowed to connect for the moment.'."\n";
$nexturl = DOL_URL_ROOT.'/';
print 'Please try later or <a href="'.$nexturl.'">click here to change login user</a>...'."\n";
}
exit;
}
}
// Create object $mysoc (A thirdparty object that contains properties of companies managed by Dolibarr.
if (!defined('NOREQUIREDB') && !defined('NOREQUIRESOC'))
{
@ -245,7 +219,7 @@ if (!defined('NOREQUIREDB') && !defined('NOREQUIRESOC'))
// Set default language (must be after the setValues setting global $conf->global->MAIN_LANG_DEFAULT. Page main.inc.php will overwrite langs->defaultlang with user value later)
if (!defined('NOREQUIRETRAN'))
{
$langcode = (GETPOST('lang', 'aZ09') ?GETPOST('lang', 'aZ09', 1) : (empty($conf->global->MAIN_LANG_DEFAULT) ? 'auto' : $conf->global->MAIN_LANG_DEFAULT));
$langcode = (GETPOST('lang', 'aZ09') ? GETPOST('lang', 'aZ09', 1) : (empty($conf->global->MAIN_LANG_DEFAULT) ? 'auto' : $conf->global->MAIN_LANG_DEFAULT));
if (defined('MAIN_LANG_DEFAULT')) $langcode = constant('MAIN_LANG_DEFAULT');
$langs->setDefaultLang($langcode);
}


@ -1840,8 +1840,7 @@ if ($action == 'create' || $action == 'adduserldap')
if ($caneditfield && (empty($conf->multicompany->enabled) || !$user->entity || ($object->entity == $conf->entity) || ($conf->global->MULTICOMPANY_TRANSVERSE_MODE && $conf->entity == 1)))
{
if (!empty($conf->global->MAIN_ONLY_LOGIN_ALLOWED))
{
if (!empty($conf->global->MAIN_ONLY_LOGIN_ALLOWED)) {
print '<div class="inline-block divButAction"><a class="butActionRefused classfortooltip" href="#" title="'.dol_escape_htmltag($langs->trans("DisabledInMonoUserMode")).'">'.$langs->trans("Modify").'</a></div>';
} else {
print '<div class="inline-block divButAction"><a class="butAction" href="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'&amp;action=edit">'.$langs->trans("Modify").'</a></div>';