Fix protection on tpl to avoid direct url call

2017-12-24 15:07:06 +01:00 · 2017-12-24 15:07:06 +01:00 · 768cc19bbc
commit 768cc19bbc
parent 07f1dd7dae
14 changed files with 111 additions and 1 deletions
--- a/htdocs/core/tpl/bloc_comment.tpl.php
+++ b/htdocs/core/tpl/bloc_comment.tpl.php
@ -1,4 +1,12 @@
 <?php
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 // Require
 require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
--- a/htdocs/core/tpl/card_presend.tpl.php
+++ b/htdocs/core/tpl/card_presend.tpl.php
@ -16,7 +16,6 @@
 * or see http://www.gnu.org/
 */

-
 /*
 * Code to ouput content when action is presend
 *
@ -26,6 +25,14 @@
 * $diroutput
 */

+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
+
 if ($action == 'presend')
 {
 	$langs->load("mails");
--- a/htdocs/core/tpl/commonfields_add.tpl.php
+++ b/htdocs/core/tpl/commonfields_add.tpl.php
@ -20,6 +20,14 @@
 * $conf
 * $langs
 */
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 ?>
 <!-- BEGIN PHP TEMPLATE commonfields_add.tpl.php -->
 <?php
--- a/htdocs/core/tpl/commonfields_edit.tpl.php
+++ b/htdocs/core/tpl/commonfields_edit.tpl.php
@ -20,6 +20,14 @@
 * $conf
 * $langs
 */
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 ?>
 <!-- BEGIN PHP TEMPLATE commonfields_edit.tpl.php -->
 <?php
--- a/htdocs/core/tpl/commonfields_view.tpl.php
+++ b/htdocs/core/tpl/commonfields_view.tpl.php
@ -22,6 +22,14 @@
 *
 * $keyforbreak may be defined to key to switch on second column
 */
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 ?>
 <!-- BEGIN PHP TEMPLATE commonfields_view.tpl.php -->
 <?php
--- a/htdocs/core/tpl/extrafields_add.tpl.php
+++ b/htdocs/core/tpl/extrafields_add.tpl.php
@ -24,6 +24,14 @@
 * $parameters
 * $cols
 */
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 ?>
 <!-- BEGIN PHP TEMPLATE extrafields_add.tpl.php -->
 <?php
--- a/htdocs/core/tpl/extrafields_edit.tpl.php
+++ b/htdocs/core/tpl/extrafields_edit.tpl.php
@ -24,6 +24,14 @@
 * $parameters
 * $cols
 */
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 ?>
 <!-- BEGIN PHP TEMPLATE extrafields_edit.tpl.php -->
 <?php
--- a/htdocs/core/tpl/extrafields_list_print_fields.tpl.php
+++ b/htdocs/core/tpl/extrafields_list_print_fields.tpl.php
@ -1,4 +1,12 @@
 <?php
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 // Loop to show all columns of extrafields from $obj, $extrafields and $db
 if (is_array($extrafields->attribute_label) && count($extrafields->attribute_label))
 {
--- a/htdocs/core/tpl/extrafields_list_search_input.tpl.php
+++ b/htdocs/core/tpl/extrafields_list_search_input.tpl.php
@ -1,4 +1,12 @@
 <?php
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 // Loop to show all columns of extrafields for the search title line
 if (is_array($extrafields->attribute_label) && count($extrafields->attribute_label))
 {
--- a/htdocs/core/tpl/extrafields_list_search_param.tpl.php
+++ b/htdocs/core/tpl/extrafields_list_search_param.tpl.php
@ -1,4 +1,12 @@
 <?php
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 // Loop to complete $param for extrafields
 foreach ($search_array_options as $key => $val)
 {
--- a/htdocs/core/tpl/extrafields_list_search_sql.tpl.php
+++ b/htdocs/core/tpl/extrafields_list_search_sql.tpl.php
@ -1,4 +1,12 @@
 <?php
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 // Loop to complete the sql search criterias from extrafields
 foreach ($search_array_options as $key => $val)
 {
--- a/htdocs/core/tpl/extrafields_list_search_title.tpl.php
+++ b/htdocs/core/tpl/extrafields_list_search_title.tpl.php
@ -1,4 +1,12 @@
 <?php
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 // Loop to show all columns of extrafields for the title line
 if (is_array($extrafields->attribute_label) && count($extrafields->attribute_label))
 {
--- a/htdocs/core/tpl/filemanager.tpl.php
+++ b/htdocs/core/tpl/filemanager.tpl.php
@ -17,6 +17,14 @@
 * Output code for the filemanager
 * $module must be defined ('ecm', 'medias', ...)
 */
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 ?>

 <!-- BEGIN PHP TEMPLATE core/tpl/filemanager.tpl.php -->
--- a/htdocs/core/tpl/onlinepaymentlinks.tpl.php
+++ b/htdocs/core/tpl/onlinepaymentlinks.tpl.php
@ -15,6 +15,13 @@
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */

+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 require_once DOL_DOCUMENT_ROOT.'/core/lib/payments.lib.php';

 print '<!-- BEGIN PHP TEMPLATE ONLINEPAYMENTLINKS -->';