diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index 02d3cc16a76..9aea97696ec 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php 
@@ -1228,4 +1228,362 @@ function dol_most_recent_file($dir,$regexfilter='',$excludefilter=array('\.meta$ return $tmparray[0]; } +/** + * Security check when accessing to a document (used in document.php and webservices) + * @param string $modulepart module of document + * @param string $original_file relative path with filename + * @return mixed Array with access information : accessallowed & sqlprotectagainstexternals + */ +function dol_check_secure_access_document($modulepart,&$original_file) +{ + global $user, $conf; + + $accessallowed=0; + $sqlprotectagainstexternals=''; + $ret=array(); + + if ($modulepart) + { + // On fait une verification des droits et on definit le repertoire concerne + + // Wrapping for third parties + if ($modulepart == 'company' || $modulepart == 'societe') + { + if ($user->rights->societe->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->societe->multidir_output[$entity].'/'.$original_file; + $sqlprotectagainstexternals = "SELECT rowid as fk_soc FROM ".MAIN_DB_PREFIX."societe WHERE rowid='".$refname."' AND entity IN (".getEntity('societe', 1).")"; + } + + // Wrapping for invoices + else if ($modulepart == 'facture' || $modulepart == 'invoice') + { + if ($user->rights->facture->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->facture->dir_output.'/'.$original_file; + $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."facture WHERE ref='".$refname."' AND entity=".$conf->entity; + } + + else if ($modulepart == 'unpaid') + { + if ($user->rights->facture->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->facture->dir_output.'/unpaid/temp/'.$original_file; + } + + // Wrapping pour les fiches intervention + else if ($modulepart == 'ficheinter') + { + if ($user->rights->ficheinter->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + 
$original_file=$conf->ficheinter->dir_output.'/'.$original_file; + $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."fichinter WHERE ref='".$refname."' AND entity=".$conf->entity; + } + + // Wrapping pour les deplacements et notes de frais + else if ($modulepart == 'deplacement') + { + if ($user->rights->deplacement->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->deplacement->dir_output.'/'.$original_file; + //$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."fichinter WHERE ref='".$refname."' AND entity=".$conf->entity; + } + + // Wrapping pour les prelevements + else if ($modulepart == 'prelevement') + { + if ($user->rights->prelevement->bons->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->prelevement->dir_output.'/'.$original_file; + } + + // Wrapping pour les propales + else if ($modulepart == 'propal') + { + if ($user->rights->propale->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + + $original_file=$conf->propal->dir_output.'/'.$original_file; + $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."propal WHERE ref='".$refname."' AND entity=".$conf->entity; + } + + // Wrapping pour les commandes + else if ($modulepart == 'commande' || $modulepart == 'order') + { + if ($user->rights->commande->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->commande->dir_output.'/'.$original_file; + $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."commande WHERE ref='".$refname."' AND entity=".$conf->entity; + } + + // Wrapping pour les projets + else if ($modulepart == 'project') + { + if ($user->rights->projet->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->projet->dir_output.'/'.$original_file; + 
$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."projet WHERE ref='".$refname."' AND entity=".$conf->entity; + } + + // Wrapping pour les commandes fournisseurs + else if ($modulepart == 'commande_fournisseur' || $modulepart == 'order_supplier') + { + if ($user->rights->fournisseur->commande->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->fournisseur->commande->dir_output.'/'.$original_file; + $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."commande_fournisseur WHERE ref='".$refname."' AND entity=".$conf->entity; + } + + // Wrapping pour les factures fournisseurs + else if ($modulepart == 'facture_fournisseur' || $modulepart == 'invoice_supplier') + { + if ($user->rights->fournisseur->facture->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->fournisseur->facture->dir_output.'/'.$original_file; + $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."facture_fourn WHERE facnumber='".$refname."' AND entity=".$conf->entity; + } + + // Wrapping pour les rapport de paiements + else if ($modulepart == 'facture_paiement') + { + if ($user->rights->facture->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + if ($user->societe_id > 0) $original_file=$conf->facture->dir_output.'/payments/private/'.$user->id.'/'.$original_file; + else $original_file=$conf->facture->dir_output.'/payments/'.$original_file; + } + + // Wrapping pour les exports de compta + else if ($modulepart == 'export_compta') + { + if ($user->rights->compta->ventilation->creer || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->compta->dir_output.'/'.$original_file; + } + + // Wrapping pour les expedition + else if ($modulepart == 'expedition') + { + if ($user->rights->expedition->lire || preg_match('/^specimen/i',$original_file)) + { + 
$accessallowed=1; + } + $original_file=$conf->expedition->dir_output."/sending/".$original_file; + } + + // Wrapping pour les bons de livraison + else if ($modulepart == 'livraison') + { + if ($user->rights->expedition->livraison->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->expedition->dir_output."/receipt/".$original_file; + } + + // Wrapping pour les actions + else if ($modulepart == 'actions') + { + if ($user->rights->agenda->myactions->read || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->agenda->dir_output.'/'.$original_file; + } + + // Wrapping pour les actions + else if ($modulepart == 'actionsreport') + { + if ($user->rights->agenda->allactions->read || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file = $conf->agenda->dir_temp."/".$original_file; + } + + // Wrapping pour les produits et services + else if ($modulepart == 'produit' || $modulepart == 'service') + { + if (($user->rights->produit->lire || $user->rights->service->lire) || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + if (! empty($conf->product->enabled)) $original_file=$conf->product->multidir_output[$entity].'/'.$original_file; + elseif (! 
empty($conf->service->enabled)) $original_file=$conf->service->multidir_output[$entity].'/'.$original_file; + } + + // Wrapping pour les contrats + else if ($modulepart == 'contract') + { + if ($user->rights->contrat->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->contrat->dir_output.'/'.$original_file; + } + + // Wrapping pour les dons + else if ($modulepart == 'donation') + { + if ($user->rights->don->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->don->dir_output.'/'.$original_file; + } + + // Wrapping pour les remises de cheques + else if ($modulepart == 'remisecheque') + { + if ($user->rights->banque->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + + $original_file=$conf->banque->dir_output.'/bordereau/'.get_exdir(basename($original_file,".pdf"),2,1).$original_file; + } + + // Wrapping for export module + else if ($modulepart == 'export') + { + // Aucun test necessaire car on force le rep de download sur + // le rep export qui est propre a l'utilisateur + $accessallowed=1; + $original_file=$conf->export->dir_temp.'/'.$user->id.'/'.$original_file; + } + + // Wrapping for import module + else if ($modulepart == 'import') + { + // Aucun test necessaire car on force le rep de download sur + // le rep export qui est propre a l'utilisateur + $accessallowed=1; + $original_file=$conf->import->dir_temp.'/'.$original_file; + } + + // Wrapping pour l'editeur wysiwyg + else if ($modulepart == 'editor') + { + // Aucun test necessaire car on force le rep de download sur + // le rep export qui est propre a l'utilisateur + $accessallowed=1; + $original_file=$conf->fckeditor->dir_output.'/'.$original_file; + } + + // Wrapping pour les backups + else if ($modulepart == 'systemtools') + { + if ($user->admin) + { + $accessallowed=1; + } + $original_file=$conf->admin->dir_output.'/'.$original_file; + } + + // Wrapping for upload file test 
+ else if ($modulepart == 'admin_temp') + { + if ($user->admin) + $accessallowed=1; + $original_file=$conf->admin->dir_temp.'/'.$original_file; + } + + // Wrapping pour BitTorrent + else if ($modulepart == 'bittorrent') + { + $accessallowed=1; + $dir='files'; + if ($type == 'application/x-bittorrent') $dir='torrents'; + $original_file=$conf->bittorrent->dir_output.'/'.$dir.'/'.$original_file; + } + + // Wrapping pour Foundation module + else if ($modulepart == 'member') + { + if ($user->rights->adherent->lire || preg_match('/^specimen/i',$original_file)) + { + $accessallowed=1; + } + $original_file=$conf->adherent->dir_output.'/'.$original_file; + } + + // Wrapping for Scanner + else if ($modulepart == 'scanner_user_temp') + { + $accessallowed=1; + $original_file=$conf->scanner->dir_temp.'/'.$user->id.'/'.$original_file; + } + + // Generic wrapping + else + { + // For dir temp + $dir_temp=false; + if (preg_match('/\_temp$/i', $modulepart)) { + $modulepart = str_replace('_temp', '', $modulepart); + $dir_temp=true; + } + // Define $accessallowed + if (($user->rights->$modulepart->lire) || ($user->rights->$modulepart->read) || ($user->rights->$modulepart->download)) $accessallowed=1; // No subpermission, we have checked on main permission + elseif (preg_match('/^specimen/i',$original_file)) $accessallowed=1; // If link to a specimen + elseif ($user->admin) $accessallowed=1; // If user is admin + + // For modules who wants to manage different levels of permissions for documents + $subPermCategoryConstName = strtoupper($modulepart).'_SUBPERMCATEGORY_FOR_DOCUMENTS'; + if (! empty($conf->global->$subPermCategoryConstName)) + { + $subPermCategory = $conf->global->$subPermCategoryConstName; + if (! 
empty($subPermCategory) && (($user->rights->$modulepart->$subPermCategory->lire) || ($user->rights->$modulepart->$subPermCategory->read) || ($user->rights->$modulepart->$subPermCategory->download))) + { + $accessallowed=1; + } + } + + // Define $original_file + $dir = $conf->$modulepart->dir_output; + if ($dir_temp) $dir = $conf->$modulepart->dir_temp; + $original_file = $dir.'/'.$original_file; + + // Define $sqlprotectagainstexternals for modules who want to protect access using a SQL query. + $sqlProtectConstName = strtoupper($modulepart).'_SQLPROTECTAGAINSTEXTERNALS_FOR_DOCUMENTS'; + if (! empty($conf->global->$sqlProtectConstName)) // If module want to define its own $sqlprotectagainstexternals + { + // Example: mymodule__SQLPROTECTAGAINSTEXTERNALS_FOR_DOCUMENTS = "SELECT fk_soc FROM ".MAIN_DB_PREFIX.$modulepart." WHERE ref='".$refname."' AND entity=".$conf->entity; + eval('$sqlprotectagainstexternals = "'.$conf->global->$sqlProtectConstName.'";'); + } + } + + $ret = array( + 'accessallowed' => $accessallowed, + 'sqlprotectagainstexternals'=>$sqlprotectagainstexternals + ); + + } + return $ret; +} ?> diff --git a/htdocs/document.php b/htdocs/document.php index 2a04ba28a74..7e7132db901 100644 --- a/htdocs/document.php +++ b/htdocs/document.php 
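Review bot: `dol_check_secure_access_document()` uses `$refname`, `$entity` and `$type` but declares only `global $user, $conf;` and takes none of them as a parameter, so inside this scope all three are undefined: every `$sqlprotectagainstexternals` string is built with `ref=''` (or `rowid=''`), `multidir_output[$entity]` reads an undefined index, and the bittorrent `$type` comparison can never match. The callers revoke access only when that query returns a row whose fk_soc differs from the user's, so a query that matches nothing leaves `accessallowed` at 1 for an external user, which is exactly the case the query exists to block. Pass the values in explicitly, e.g. `function dol_check_secure_access_document($modulepart, &$original_file, $entity, $refname = '', $type = '')`, and update both call sites — the document.php hunk and `getDocument()` in server_other.php each compute `$refname` and then discard it. Carried over rather than introduced here, but now shared with the webservice: `$refname` is concatenated into the SQL unescaped and the generic branch passes a `$conf->global` value to `eval()`; the ref should at least go through the DB layer's escape function (which means adding `$db` to the `global` list), and the `eval()` deserves a follow-up since it executes admin-configurable text.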
@@ -96,344 +96,9 @@ $refname=basename(dirname($original_file)."/"); // Security check $accessallowed=0; -$sqlprotectagainstexternals=''; -if ($modulepart) -{ - // On fait une verification des droits et on definit le repertoire concerne - - // Wrapping for third parties - if ($modulepart == 'company' || $modulepart == 'societe') - { - if ($user->rights->societe->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->societe->multidir_output[$entity].'/'.$original_file; - $sqlprotectagainstexternals = "SELECT rowid as fk_soc FROM ".MAIN_DB_PREFIX."societe WHERE rowid='".$refname."' AND entity IN (".getEntity('societe', 1).")"; - } - - // Wrapping for invoices - else if ($modulepart == 'facture' || $modulepart == 'invoice') - { - if ($user->rights->facture->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->facture->dir_output.'/'.$original_file; - $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."facture WHERE ref='".$refname."' AND entity=".$conf->entity; - } - - else if ($modulepart == 'unpaid') - { - if ($user->rights->facture->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->facture->dir_output.'/unpaid/temp/'.$original_file; - } - - // Wrapping pour les fiches intervention - else if ($modulepart == 'ficheinter') - { - if ($user->rights->ficheinter->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->ficheinter->dir_output.'/'.$original_file; - $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."fichinter WHERE ref='".$refname."' AND entity=".$conf->entity; - } - - // Wrapping pour les deplacements et notes de frais - else if ($modulepart == 'deplacement') - { - if ($user->rights->deplacement->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - 
$original_file=$conf->deplacement->dir_output.'/'.$original_file; - //$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."fichinter WHERE ref='".$refname."' AND entity=".$conf->entity; - } - - // Wrapping pour les prelevements - else if ($modulepart == 'prelevement') - { - if ($user->rights->prelevement->bons->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->prelevement->dir_output.'/'.$original_file; - } - - // Wrapping pour les propales - else if ($modulepart == 'propal') - { - if ($user->rights->propale->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - - $original_file=$conf->propal->dir_output.'/'.$original_file; - $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."propal WHERE ref='".$refname."' AND entity=".$conf->entity; - } - - // Wrapping pour les commandes - else if ($modulepart == 'commande' || $modulepart == 'order') - { - if ($user->rights->commande->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->commande->dir_output.'/'.$original_file; - $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."commande WHERE ref='".$refname."' AND entity=".$conf->entity; - } - - // Wrapping pour les projets - else if ($modulepart == 'project') - { - if ($user->rights->projet->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->projet->dir_output.'/'.$original_file; - $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."projet WHERE ref='".$refname."' AND entity=".$conf->entity; - } - - // Wrapping pour les commandes fournisseurs - else if ($modulepart == 'commande_fournisseur' || $modulepart == 'order_supplier') - { - if ($user->rights->fournisseur->commande->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - 
$original_file=$conf->fournisseur->commande->dir_output.'/'.$original_file; - $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."commande_fournisseur WHERE ref='".$refname."' AND entity=".$conf->entity; - } - - // Wrapping pour les factures fournisseurs - else if ($modulepart == 'facture_fournisseur' || $modulepart == 'invoice_supplier') - { - if ($user->rights->fournisseur->facture->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->fournisseur->facture->dir_output.'/'.$original_file; - $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."facture_fourn WHERE facnumber='".$refname."' AND entity=".$conf->entity; - } - - // Wrapping pour les rapport de paiements - else if ($modulepart == 'facture_paiement') - { - if ($user->rights->facture->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - if ($user->societe_id > 0) $original_file=$conf->facture->dir_output.'/payments/private/'.$user->id.'/'.$original_file; - else $original_file=$conf->facture->dir_output.'/payments/'.$original_file; - } - - // Wrapping pour les exports de compta - else if ($modulepart == 'export_compta') - { - if ($user->rights->compta->ventilation->creer || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->compta->dir_output.'/'.$original_file; - } - - // Wrapping pour les expedition - else if ($modulepart == 'expedition') - { - if ($user->rights->expedition->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->expedition->dir_output."/sending/".$original_file; - } - - // Wrapping pour les bons de livraison - else if ($modulepart == 'livraison') - { - if ($user->rights->expedition->livraison->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->expedition->dir_output."/receipt/".$original_file; - } - - // Wrapping pour les 
actions - else if ($modulepart == 'actions') - { - if ($user->rights->agenda->myactions->read || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->agenda->dir_output.'/'.$original_file; - } - - // Wrapping pour les actions - else if ($modulepart == 'actionsreport') - { - if ($user->rights->agenda->allactions->read || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file = $conf->agenda->dir_temp."/".$original_file; - } - - // Wrapping pour les produits et services - else if ($modulepart == 'produit' || $modulepart == 'service') - { - if (($user->rights->produit->lire || $user->rights->service->lire) || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - if (! empty($conf->product->enabled)) $original_file=$conf->product->multidir_output[$entity].'/'.$original_file; - elseif (! empty($conf->service->enabled)) $original_file=$conf->service->multidir_output[$entity].'/'.$original_file; - } - - // Wrapping pour les contrats - else if ($modulepart == 'contract') - { - if ($user->rights->contrat->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->contrat->dir_output.'/'.$original_file; - } - - // Wrapping pour les dons - else if ($modulepart == 'donation') - { - if ($user->rights->don->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->don->dir_output.'/'.$original_file; - } - - // Wrapping pour les remises de cheques - else if ($modulepart == 'remisecheque') - { - if ($user->rights->banque->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - - $original_file=$conf->banque->dir_output.'/bordereau/'.get_exdir(basename($original_file,".pdf"),2,1).$original_file; - } - - // Wrapping for export module - else if ($modulepart == 'export') - { - // Aucun test necessaire car on force le rep de download sur - // le rep export qui est propre a 
l'utilisateur - $accessallowed=1; - $original_file=$conf->export->dir_temp.'/'.$user->id.'/'.$original_file; - } - - // Wrapping for import module - else if ($modulepart == 'import') - { - // Aucun test necessaire car on force le rep de download sur - // le rep export qui est propre a l'utilisateur - $accessallowed=1; - $original_file=$conf->import->dir_temp.'/'.$original_file; - } - - // Wrapping pour l'editeur wysiwyg - else if ($modulepart == 'editor') - { - // Aucun test necessaire car on force le rep de download sur - // le rep export qui est propre a l'utilisateur - $accessallowed=1; - $original_file=$conf->fckeditor->dir_output.'/'.$original_file; - } - - // Wrapping pour les backups - else if ($modulepart == 'systemtools') - { - if ($user->admin) - { - $accessallowed=1; - } - $original_file=$conf->admin->dir_output.'/'.$original_file; - } - - // Wrapping for upload file test - else if ($modulepart == 'admin_temp') - { - if ($user->admin) - $accessallowed=1; - $original_file=$conf->admin->dir_temp.'/'.$original_file; - } - - // Wrapping pour BitTorrent - else if ($modulepart == 'bittorrent') - { - $accessallowed=1; - $dir='files'; - if ($type == 'application/x-bittorrent') $dir='torrents'; - $original_file=$conf->bittorrent->dir_output.'/'.$dir.'/'.$original_file; - } - - // Wrapping pour Foundation module - else if ($modulepart == 'member') - { - if ($user->rights->adherent->lire || preg_match('/^specimen/i',$original_file)) - { - $accessallowed=1; - } - $original_file=$conf->adherent->dir_output.'/'.$original_file; - } - - // Wrapping for Scanner - else if ($modulepart == 'scanner_user_temp') - { - $accessallowed=1; - $original_file=$conf->scanner->dir_temp.'/'.$user->id.'/'.$original_file; - } - - // Generic wrapping - else - { - // For dir temp - $dir_temp=false; - if (preg_match('/\_temp$/i', $modulepart)) { - $modulepart = str_replace('_temp', '', $modulepart); - $dir_temp=true; - } - // Define $accessallowed - if (($user->rights->$modulepart->lire) || 
($user->rights->$modulepart->read) || ($user->rights->$modulepart->download)) $accessallowed=1; // No subpermission, we have checked on main permission - elseif (preg_match('/^specimen/i',$original_file)) $accessallowed=1; // If link to a specimen - elseif ($user->admin) $accessallowed=1; // If user is admin - - // For modules who wants to manage different levels of permissions for documents - $subPermCategoryConstName = strtoupper($modulepart).'_SUBPERMCATEGORY_FOR_DOCUMENTS'; - if (! empty($conf->global->$subPermCategoryConstName)) - { - $subPermCategory = $conf->global->$subPermCategoryConstName; - if (! empty($subPermCategory) && (($user->rights->$modulepart->$subPermCategory->lire) || ($user->rights->$modulepart->$subPermCategory->read) || ($user->rights->$modulepart->$subPermCategory->download))) - { - $accessallowed=1; - } - } - - // Define $original_file - $dir = $conf->$modulepart->dir_output; - if ($dir_temp) $dir = $conf->$modulepart->dir_temp; - $original_file = $dir.'/'.$original_file; - - // Define $sqlprotectagainstexternals for modules who want to protect access using a SQL query. - $sqlProtectConstName = strtoupper($modulepart).'_SQLPROTECTAGAINSTEXTERNALS_FOR_DOCUMENTS'; - if (! empty($conf->global->$sqlProtectConstName)) // If module want to define its own $sqlprotectagainstexternals - { - // Example: mymodule__SQLPROTECTAGAINSTEXTERNALS_FOR_DOCUMENTS = "SELECT fk_soc FROM ".MAIN_DB_PREFIX.$modulepart." WHERE ref='".$refname."' AND entity=".$conf->entity; - eval('$sqlprotectagainstexternals = "'.$conf->global->$sqlProtectConstName.'";'); - } - } -} - +$check_access = dol_check_secure_access_document($modulepart,$original_file); +$accessallowed=$check_access['accessallowed']; +$sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals']; // Basic protection (against external users only) if ($user->societe_id > 0) 
diff --git a/htdocs/install/mysql/migration/3.2.0-3.3.0.sql b/htdocs/install/mysql/migration/3.2.0-3.3.0.sql
index eaf395a6204..f7054bc4184 100755
--- a/htdocs/install/mysql/migration/3.2.0-3.3.0.sql
+++ b/htdocs/install/mysql/migration/3.2.0-3.3.0.sql
@@ -848,6 +848,8 @@ ALTER TABLE llx_product_price_by_qty ADD CONSTRAINT fk_product_price_by_qty_fk_p
 ALTER TABLE llx_product_price_by_qty ADD remise_percent DOUBLE NOT NULL DEFAULT '0' AFTER price_ttc;
 ALTER TABLE llx_product_price_by_qty ADD remise DOUBLE NOT NULL DEFAULT '0' AFTER remise_percent;
 
+ALTER TABLE llx_product_price_by_qty ADD unitprice DOUBLE (24,8) NOT NULL DEFAULT '0' AFTER qty_min;
+ALTER TABLE llx_product_price_by_qty CHANGE qty_min quantity DOUBLE NULL DEFAULT NULL;
 
 -- Change index name to be compliant with SQL standard, index name must be unique in database schema
 ALTER TABLE llx_c_actioncomm DROP INDEX code;
diff --git a/htdocs/webservices/server_other.php b/htdocs/webservices/server_other.php
index 64bc426d144..23c22807002 100644
--- a/htdocs/webservices/server_other.php
+++ b/htdocs/webservices/server_other.php
@@ -27,7 +27,7 @@ require_once '../master.inc.php';
 require_once NUSOAP_PATH.'/nusoap.php'; // Include SOAP
 require_once DOL_DOCUMENT_ROOT.'/core/lib/ws.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/user/class/user.class.php';
-
+require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
 
 
@@ -82,6 +82,21 @@ $server->wsdl->addComplexType(
 )
 );
 
+// Define WSDL Return object for document
+$server->wsdl->addComplexType(
+ 'document',
+ 'complexType',
+ 'struct',
+ 'all',
+ '',
+ array(
+ 'filename' => array('name'=>'filename','type'=>'xsd:string'),
+ 'mimetype' => array('name'=>'mimetype','type'=>'xsd:string'),
+ 'content' => array('name'=>'content','type'=>'xsd:string'),
+ 'length' => array('name'=>'length','type'=>'xsd:string')
+ )
+);
+
 
 // Define other specific objects
 // None
@@ -107,6 +122,20 @@ $server->register(
 'WS to get Versions'
 );
 
+// Register WSDL
+$server->register(
+ 'getDocument',
+ // Entry values
+ array('authentication'=>'tns:authentication', 'modulepart'=>'xsd:string', 'file'=>'xsd:string' ),
+ // Exit values
+ array('result'=>'tns:result','document'=>'tns:document'),
+ $ns,
+ $ns.'#getDocument',
+ $styledoc,
+ $styleuse,
+ 'WS to get document'
+);
+
 
 // Full methods code
 
@@ -144,6 +173,150 @@ function getVersions($authentication) } +/* + * Method to get a document by webservice +* \param authentication array +* \param modulepart array Properties of document +* +*/ +function getDocument($authentication, $modulepart, $file) +{ + global $db,$conf,$langs,$mysoc; + + dol_syslog("Function: getDocument login=".$authentication['login'].' - modulepart='.$modulepart.' - file='.$file); + + if ($authentication['entity']) $conf->entity=$authentication['entity']; + + $objectresp=array(); + $errorcode='';$errorlabel=''; + $error=0; + + // Properties of doc + $original_file = $file; + $type=dol_mimetype($original_file); + $relativefilepath = $ref . "/"; + $relativepath = $relativefilepath . $ref.'.pdf'; + + $accessallowed=0; + + $fuser=check_authentication($authentication,$error,$errorcode,$errorlabel); + + if ($fuser->societe_id) $socid=$fuser->societe_id; + + // Check parameters + if (! $error && ( ! $file || ! $modulepart ) ) + { + $error++; + $errorcode='BAD_PARAMETERS'; $errorlabel="Parameter file and modulepart must be both provided."; + } + + if (! 
$error) + { + $fuser->getrights(); + + // Suppression de la chaine de caractere ../ dans $original_file + $original_file = str_replace("../","/", $original_file); + + // find the subdirectory name as the reference + $refname=basename(dirname($original_file)."/"); + + // Security check + $accessallowed=0; + $check_access = dol_check_secure_access_document($modulepart,$original_file); + $accessallowed=$check_access['accessallowed']; + $sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals']; + + // Basic protection (against external users only) + if ($fuser->societe_id > 0) + { + if ($sqlprotectagainstexternals) + { + $resql = $db->query($sqlprotectagainstexternals); + if ($resql) + { + $num=$db->num_rows($resql); + $i=0; + while ($i < $num) + { + $obj = $db->fetch_object($resql); + if ($fuser->societe_id != $obj->fk_soc) + { + $accessallowed=0; + break; + } + $i++; + } + } + } + } + + // Security: + // Limite acces si droits non corrects + if (! $accessallowed) + { + $errorcode='NOT_PERMITTED'; + $errorlabel='Access not allowed'; + $error++; + } + + // Security: + // On interdit les remontees de repertoire ainsi que les pipe dans + // les noms de fichiers. 
+ if (preg_match('/\.\./',$original_file) || preg_match('/[<>|]/',$original_file)) + { + dol_syslog("Refused to deliver file ".$original_file); + $errorcode='REFUSED'; + $errorlabel=''; + $error++; + } + + clearstatcache(); + + if(!$error) + { + if(file_exists($original_file)) + { + dol_syslog("Function: getDocument $original_file $filename content-type=$type"); + + $file=$fileparams['fullname']; + $filename = basename($file); + + $f = fopen($original_file,'r'); + $content_file = fread($f,filesize($original_file)); + + $objectret = array( + 'filename' => basename($original_file), + 'mimetype' => dol_mimetype($original_file), + 'content' => base64_encode($content_file), + 'length' => filesize($original_file) + ); + + // Create return object + $objectresp = array( + 'result'=>array('result_code'=>'OK', 'result_label'=>''), + 'document'=>$objectret + ); + } + else + { + dol_syslog("File doesn't exist ".$original_file); + $errorcode='NOT_FOUND'; + $errorlabel=''; + $error++; + } + } + } + + if ($error) + { + $objectresp = array( + 'result'=>array('result_code' => $errorcode, 'result_label' => $errorlabel) + ); + } + + return $objectresp; +} + // Return the results. $server->service($HTTP_RAW_POST_DATA);
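Review bot: `dol_check_secure_access_document()` evaluates permissions against `global $user`, but this method authenticates `$fuser` and calls `$fuser->getrights()` on it while its own `global` list has no `$user`; unless the webservice bootstrap already made `$user` the authenticated caller (not visible here), the access decision is taken for a different account than the one requesting the file, so the call should be preceded by `$user = $fuser;` with `$user` added to the `global` list, or the function should accept the user object. The same call also needs `$refname`, which this method computes and then drops, so the external-user SQL protection below runs with an empty ref (raised in detail on the files.lib.php hunk). The file is read with `$f = fopen($original_file,'r'); $content_file = fread($f,filesize($original_file));`, the handle is never closed, and on PHP 8 `fread()` rejects a length of 0 so an empty file turns into an error instead of an empty document; `$content_file = file_get_contents($original_file);` with an `=== false` check feeding the existing `NOT_FOUND` branch does both jobs in one line. `$relativefilepath = $ref . "/";`, `$relativepath = ...`, `$socid` and `$file=$fileparams['fullname']; $filename = basename($file);` reference names that are never defined in this function (`$ref`, `$fileparams`) and their results are unused, so they should be removed rather than left to emit notices while clobbering the `$file` argument.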