From 613ed8bcfa372099c1c33bc216f7fe3d3c1faf14 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 4 Dec 2020 23:50:55 +0100
Subject: [PATCH] FIX No use of $_SESSION into master.inc.php
---
 htdocs/index.php | 2 --
 htdocs/main.inc.php | 45 ++++++++++++++++++++++++++++++++++++++++++-
 htdocs/master.inc.php | 28 +--------------------------
 htdocs/user/card.php | 3 +--
 4 files changed, 46 insertions(+), 32 deletions(-)
diff --git a/htdocs/index.php b/htdocs/index.php
index 33fd93e649e..a4060278c50 100644
--- a/htdocs/index.php
+++ b/htdocs/index.php
@@ -101,8 +101,6 @@ if (!empty($conf->global->MAIN_MOTD))
-
-
 /*
 * Dashboard Dolibarr states (statistics)
 * Hidden for external users
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 90e173ec168..0c54b68734d 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -250,8 +250,51 @@ if (!defined('NOSESSION'))
 session_set_cookie_params(0, '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // Add tag secure and httponly on session cookie (same as setting session.cookie_httponly into php.ini). Must be called before the session_start.
 session_name($sessionname);
 session_start();
+
+ // By default conf->entity is 1, but we change this if we ask another value.
+ if (session_id() && !empty($_SESSION["dol_entity"])) {
+ // Entity inside an opened session
+ $conf->entity = $_SESSION["dol_entity"];
+ } elseif (!empty($_ENV["dol_entity"])) {
+ // Entity inside a CLI script
+ $conf->entity = $_ENV["dol_entity"];
+ } elseif (GETPOSTISSET("loginfunction") && GETPOST("entity", 'int')) {
+ // Just after a login page
+ $conf->entity = GETPOST("entity", 'int');
+ } elseif (defined('DOLENTITY') && is_numeric(constant('DOLENTITY'))) {
+ // For public page with MultiCompany module
+ $conf->entity = constant('DOLENTITY');
+ }
 }
+
+// If software has been locked. Only login $conf->global->MAIN_ONLY_LOGIN_ALLOWED is allowed.
+if (!empty($conf->global->MAIN_ONLY_LOGIN_ALLOWED))
+{
+ $ok = 0;
+ if ((!session_id() || !isset($_SESSION["dol_login"])) && !isset($_POST["username"]) && !empty($_SERVER["GATEWAY_INTERFACE"])) $ok = 1; // We let working pages if not logged and inside a web browser (login form, to allow login by admin)
+ elseif (isset($_POST["username"]) && $_POST["username"] == $conf->global->MAIN_ONLY_LOGIN_ALLOWED) $ok = 1; // We let working pages that is a login submission (login submit, to allow login by admin)
+ elseif (defined('NOREQUIREDB')) $ok = 1; // We let working pages that don't need database access (xxx.css.php)
+ elseif (defined('EVEN_IF_ONLY_LOGIN_ALLOWED')) $ok = 1; // We let working pages that ask to work even if only login enabled (logout.php)
+ elseif (session_id() && isset($_SESSION["dol_login"]) && $_SESSION["dol_login"] == $conf->global->MAIN_ONLY_LOGIN_ALLOWED) $ok = 1; // We let working if user is allowed admin
+ if (!$ok)
+ {
+ if (session_id() && isset($_SESSION["dol_login"]) && $_SESSION["dol_login"] != $conf->global->MAIN_ONLY_LOGIN_ALLOWED)
+ {
+ print 'Sorry, your application is offline.'."\n";
+ print 'You are logged with user "'.$_SESSION["dol_login"].'" and only administrator user "'.$conf->global->MAIN_ONLY_LOGIN_ALLOWED.'" is allowed to connect for the moment.'."\n";
+ $nexturl = DOL_URL_ROOT.'/user/logout.php';
+ print 'Please try later or click here to disconnect and change login user...'."\n";
+ } else {
+ print 'Sorry, your application is offline. Only administrator user "'.$conf->global->MAIN_ONLY_LOGIN_ALLOWED.'" is allowed to connect for the moment.'."\n";
+ $nexturl = DOL_URL_ROOT.'/';
+ print 'Please try later or click here to change login user...'."\n";
+ }
+ exit;
+ }
+}
+
+
 // Activate end of page
 register_shutdown_function('dol_shutdown');
@@ -2586,7 +2629,7 @@ function main_area($title = '')
 print ''."\n".'
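Review bot: The lock-out test that now lives after session_start() compares `$_POST["username"]` (and, two lines later, `$_SESSION["dol_login"]`) against `$conf->global->MAIN_ONLY_LOGIN_ALLOWED` with loose `==`/`!=`; when both operands are strings that look numeric PHP compares them as numbers, so the strict form is the safer gate, e.g. `elseif (isset($_POST["username"]) && $_POST["username"] === $conf->global->MAIN_ONLY_LOGIN_ALLOWED) $ok = 1;` (this assumes the config value is a string, which the hunk does not show). The offline message also prints `$_SESSION["dol_login"]` and the configured login straight into the HTML response; passing them through `htmlspecialchars(..., ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` keeps that output encoded whatever a login name contains. In the new entity selection, the `$_SESSION["dol_entity"]` and `$_ENV["dol_entity"]` branches assign the raw value while the other two branches filter to an integer; an `(int)` cast on those two assignments would make `$conf->entity` type-stable across all four sources. The `if (!defined('NOSESSION'))` block that encloses the entity code starts before this hunk.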
'."\n";
- if (!empty($conf->global->MAIN_ONLY_LOGIN_ALLOWED)) print info_admin($langs->trans("WarningYouAreInMaintenanceMode", $conf->global->MAIN_ONLY_LOGIN_ALLOWED));
+ if (!empty($conf->global->MAIN_ONLY_LOGIN_ALLOWED)) print info_admin($langs->trans("WarningYouAreInMaintenanceMode", $conf->global->MAIN_ONLY_LOGIN_ALLOWED), 0, 0, 1, 'warning maintenancemode');
 // Permit to add user company information on each printed document by set SHOW_SOCINFO_ON_PRINT
 if (!empty($conf->global->SHOW_SOCINFO_ON_PRINT) && GETPOST('optioncss', 'aZ09') == 'print' && empty(GETPOST('disable_show_socinfo_on_print', 'az09')))
diff --git a/htdocs/master.inc.php b/htdocs/master.inc.php
index 5c6f2d9359e..28790c3c5a3 100644
--- a/htdocs/master.inc.php
+++ b/htdocs/master.inc.php
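Review bot: The new positional arguments `0, 0, 1, 'warning maintenancemode'` passed to info_admin on the changed line give a reader no way to tell what the three numeric flags select without opening info_admin, whose signature is outside this hunk. A short trailing comment naming what each flag controls, in the style of the comments already on neighbouring lines, would make the intent readable at the call site; named arguments would do the same if the codebase already targets PHP 8. main_area's body starts and ends outside the hunk.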
@@ -203,32 +203,6 @@ if (empty($conf->global->MAILING_LIMIT_SENDBYCLI))
 $conf->global->MAILING_LIMIT_SENDBYCLI = 0;
 }
-// If software has been locked. Only login $conf->global->MAIN_ONLY_LOGIN_ALLOWED is allowed.
-if (!empty($conf->global->MAIN_ONLY_LOGIN_ALLOWED))
-{
- $ok = 0;
- if ((!session_id() || !isset($_SESSION["dol_login"])) && !isset($_POST["username"]) && !empty($_SERVER["GATEWAY_INTERFACE"])) $ok = 1; // We let working pages if not logged and inside a web browser (login form, to allow login by admin)
- elseif (isset($_POST["username"]) && $_POST["username"] == $conf->global->MAIN_ONLY_LOGIN_ALLOWED) $ok = 1; // We let working pages that is a login submission (login submit, to allow login by admin)
- elseif (defined('NOREQUIREDB')) $ok = 1; // We let working pages that don't need database access (xxx.css.php)
- elseif (defined('EVEN_IF_ONLY_LOGIN_ALLOWED')) $ok = 1; // We let working pages that ask to work even if only login enabled (logout.php)
- elseif (session_id() && isset($_SESSION["dol_login"]) && $_SESSION["dol_login"] == $conf->global->MAIN_ONLY_LOGIN_ALLOWED) $ok = 1; // We let working if user is allowed admin
- if (!$ok)
- {
- if (session_id() && isset($_SESSION["dol_login"]) && $_SESSION["dol_login"] != $conf->global->MAIN_ONLY_LOGIN_ALLOWED)
- {
- print 'Sorry, your application is offline.'."\n";
- print 'You are logged with user "'.$_SESSION["dol_login"].'" and only administrator user "'.$conf->global->MAIN_ONLY_LOGIN_ALLOWED.'" is allowed to connect for the moment.'."\n";
- $nexturl = DOL_URL_ROOT.'/user/logout.php';
- print 'Please try later or click here to disconnect and change login user...'."\n";
- } else {
- print 'Sorry, your application is offline. 
Only administrator user "'.$conf->global->MAIN_ONLY_LOGIN_ALLOWED.'" is allowed to connect for the moment.'."\n";
- $nexturl = DOL_URL_ROOT.'/';
- print 'Please try later or click here to change login user...'."\n";
- }
- exit;
- }
-}
-
 // Create object $mysoc (A thirdparty object that contains properties of companies managed by Dolibarr.
 if (!defined('NOREQUIREDB') && !defined('NOREQUIRESOC')) {
@@ -245,7 +219,7 @@ if (!defined('NOREQUIREDB') && !defined('NOREQUIRESOC'))
 // Set default language (must be after the setValues setting global $conf->global->MAIN_LANG_DEFAULT. Page main.inc.php will overwrite langs->defaultlang with user value later)
 if (!defined('NOREQUIRETRAN')) {
- $langcode = (GETPOST('lang', 'aZ09') ?GETPOST('lang', 'aZ09', 1) : (empty($conf->global->MAIN_LANG_DEFAULT) ? 'auto' : $conf->global->MAIN_LANG_DEFAULT));
+ $langcode = (GETPOST('lang', 'aZ09') ? GETPOST('lang', 'aZ09', 1) : (empty($conf->global->MAIN_LANG_DEFAULT) ? 'auto' : $conf->global->MAIN_LANG_DEFAULT));
 if (defined('MAIN_LANG_DEFAULT')) $langcode = constant('MAIN_LANG_DEFAULT');
 $langs->setDefaultLang($langcode);
 }
diff --git a/htdocs/user/card.php b/htdocs/user/card.php
index ba7cd546d54..8934d8d87ec 100644
--- a/htdocs/user/card.php
+++ b/htdocs/user/card.php
@@ -1840,8 +1840,7 @@ if ($action == 'create' || $action == 'adduserldap')
 if ($caneditfield && (empty($conf->multicompany->enabled) || !$user->entity || ($object->entity == $conf->entity) || ($conf->global->MULTICOMPANY_TRANSVERSE_MODE && $conf->entity == 1))) {
- if (!empty($conf->global->MAIN_ONLY_LOGIN_ALLOWED))
- {
+ if (!empty($conf->global->MAIN_ONLY_LOGIN_ALLOWED)) {
 print '';
 } else {
 print '';