FIX CWE-269 huntr - download of files of project
This commit is contained in:
parent
4df70dc3f4
commit
a0418fc17d
@ -1774,11 +1774,16 @@ class FormFile
|
||||
continue; // We do not show orphelins files
|
||||
}
|
||||
|
||||
print '<!-- Line list_of_autoecmfiles '.$key.' -->'."\n";
|
||||
print '<!-- Line list_of_autoecmfiles key='.$key.' -->'."\n";
|
||||
print '<tr class="oddeven">';
|
||||
print '<td>';
|
||||
if ($found > 0 && is_object($this->cache_objects[$modulepart.'_'.$id.'_'.$ref])) {
|
||||
print $this->cache_objects[$modulepart.'_'.$id.'_'.$ref]->getNomUrl(1, 'document');
|
||||
$tmpobject = $this->cache_objects[$modulepart.'_'.$id.'_'.$ref];
|
||||
//if (! in_array($tmpobject->element, array('expensereport'))) {
|
||||
print $tmpobject->getNomUrl(1, 'document');
|
||||
//} else {
|
||||
// print $tmpobject->getNomUrl(1);
|
||||
//}
|
||||
} else {
|
||||
print $langs->trans("ObjectDeleted", ($id ? $id : $ref));
|
||||
}
|
||||
|
||||
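Review bot: The new branch leaves commented-out code behind around the `getNomUrl` call (`//if (! in_array($tmpobject->element, array('expensereport'))) {`, `//} else {`, `// print $tmpobject->getNomUrl(1);`, `//}`); now that this same commit gives `ExpenseReport::getNomUrl()` an `$option` argument the conditional is obsolete, so the four comment lines should be deleted rather than kept as history. The `is_object($this->cache_objects[$modulepart.'_'.$id.'_'.$ref])` test on the unchanged line above reads the key without checking it exists, so a missing entry raises an undefined-key notice before the `else` branch prints `ObjectDeleted`; `isset($this->cache_objects[$modulepart.'_'.$id.'_'.$ref]) && is_object(...)` would avoid that. The enclosing loop starts and ends outside the hunk.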
@ -2232,7 +2232,8 @@ function dol_most_recent_file($dir, $regexfilter = '', $excludefilter = array('(
|
||||
}
|
||||
|
||||
/**
|
||||
* Security check when accessing to a document (used by document.php, viewimage.php and webservices)
|
||||
* Security check when accessing to a document (used by document.php, viewimage.php and webservices to get documents).
|
||||
* TODO Replace code that set $accesallowed by a call to restrictedArea()
|
||||
*
|
||||
* @param string $modulepart Module of document ('module', 'module_user_temp', 'module_user' or 'module_temp')
|
||||
* @param string $original_file Relative path with filename, relative to modulepart.
|
||||
@ -2612,12 +2613,26 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
|
||||
// Wrapping pour les projets
|
||||
if ($fuser->rights->projet->{$lire} || preg_match('/^specimen/i', $original_file)) {
|
||||
$accessallowed = 1;
|
||||
// If we known $id of project, call checkUserAccessToObject to check permission on properties and contact of project
|
||||
if ($refname && !preg_match('/^specimen/i', $original_file)) {
|
||||
include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
|
||||
$tmpproject = new Project($db);
|
||||
$tmpproject->fetch('', $refname);
|
||||
$accessallowed = checkUserAccessToObject($user, array('projet'), $tmpproject->id, 'projet&project', '', '', 'rowid', '');
|
||||
}
|
||||
}
|
||||
$original_file = $conf->projet->dir_output.'/'.$original_file;
|
||||
$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."projet WHERE ref='".$db->escape($refname)."' AND entity IN (".getEntity('project').")";
|
||||
} elseif ($modulepart == 'project_task' && !empty($conf->projet->dir_output)) {
|
||||
if ($fuser->rights->projet->{$lire} || preg_match('/^specimen/i', $original_file)) {
|
||||
$accessallowed = 1;
|
||||
// If we known $id of project, call checkUserAccessToObject to check permission on properties and contact of project
|
||||
if ($refname && !preg_match('/^specimen/i', $original_file)) {
|
||||
include_once DOL_DOCUMENT_ROOT.'/projet/class/task.class.php';
|
||||
$tmptask = new Task($db);
|
||||
$tmptask->fetch('', $refname);
|
||||
$accessallowed = checkUserAccessToObject($user, array('projet_task'), $tmptask->id, 'projet&project', '', '', 'rowid', '');
|
||||
}
|
||||
}
|
||||
$original_file = $conf->projet->dir_output.'/'.$original_file;
|
||||
$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."projet WHERE ref='".$db->escape($refname)."' AND entity IN (".getEntity('project').")";
|
||||
|
||||
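Review bot: The two added `checkUserAccessToObject(...)` calls (project and project_task branches) pass the global `$user`, while the permission test on the enclosing `if` lines uses `$fuser`; if the two can differ (the function takes `$fuser` as a parameter, presumably so callers such as web services can check a specific account), the object-level check is made against the wrong user, so both calls should read `$accessallowed = checkUserAccessToObject($fuser, array('projet'), $tmpproject->id, 'projet&project', '', '', 'rowid', '');` and `$accessallowed = checkUserAccessToObject($fuser, array('projet_task'), $tmptask->id, 'projet&project', '', '', 'rowid', '');`. The results of `$tmpproject->fetch('', $refname)` and `$tmptask->fetch('', $refname)` are also not checked: an unknown ref leaves `->id` empty and the check then runs with an empty object id instead of denying outright, so wrap each as `if ($tmpproject->fetch('', $refname) > 0) { $accessallowed = checkUserAccessToObject(...); } else { $accessallowed = 0; }`. Separately, the unchanged `$sqlprotectagainstexternals` line in the project_task branch still queries the `projet` table by the task ref, which looks pre-existing but is worth confirming. The enclosing function starts and ends outside the hunk.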
@ -183,10 +183,11 @@ function dol_verifyHash($chain, $hash, $type = '0')
|
||||
* @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
|
||||
* @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optional)
|
||||
* @param int $isdraft 1=The object with id=$objectid is a draft
|
||||
* @return int Always 1, die process if not allowed
|
||||
* @param int $mode Mode (0=default, 1=return with not die)
|
||||
* @return int If mode = 0 (default): Always 1, die process if not allowed. If mode = 1: Return 0 if access not allowed.
|
||||
* @see dol_check_secure_access_document(), checkUserAccessToObject()
|
||||
*/
|
||||
function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid', $isdraft = 0)
|
||||
function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid', $isdraft = 0, $mode = 0)
|
||||
{
|
||||
global $db, $conf;
|
||||
global $hookmanager;
|
||||
@ -231,7 +232,11 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
|
||||
|
||||
if (isset($hookmanager->resArray['result'])) {
|
||||
if ($hookmanager->resArray['result'] == 0) {
|
||||
accessforbidden(); // Module returns 0, so access forbidden
|
||||
if ($mode) {
|
||||
return 0;
|
||||
} else {
|
||||
accessforbidden(); // Module returns 0, so access forbidden
|
||||
}
|
||||
}
|
||||
}
|
||||
if ($reshook > 0) { // No other test done.
|
||||
@ -346,7 +351,11 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
|
||||
}
|
||||
|
||||
if (!$readok) {
|
||||
accessforbidden();
|
||||
if ($mode) {
|
||||
return 0;
|
||||
} else {
|
||||
accessforbidden();
|
||||
}
|
||||
}
|
||||
//print "Read access is ok";
|
||||
|
||||
@ -435,7 +444,11 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
|
||||
}
|
||||
|
||||
if ($wemustcheckpermissionforcreate && !$createok) {
|
||||
accessforbidden();
|
||||
if ($mode) {
|
||||
return 0;
|
||||
} else {
|
||||
accessforbidden();
|
||||
}
|
||||
}
|
||||
//print "Write access is ok";
|
||||
}
|
||||
@ -448,7 +461,11 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
|
||||
}
|
||||
|
||||
if (!$createuserok) {
|
||||
accessforbidden();
|
||||
if ($mode) {
|
||||
return 0;
|
||||
} else {
|
||||
accessforbidden();
|
||||
}
|
||||
}
|
||||
//print "Create user access is ok";
|
||||
}
|
||||
@ -523,26 +540,34 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
|
||||
}
|
||||
|
||||
if (!$deleteok && !($isdraft && $createok)) {
|
||||
accessforbidden();
|
||||
if ($mode) {
|
||||
return 0;
|
||||
} else {
|
||||
accessforbidden();
|
||||
}
|
||||
}
|
||||
//print "Delete access is ok";
|
||||
}
|
||||
|
||||
// If we have a particular object to check permissions on, we check this object
|
||||
// is linked to a company allowed to $user.
|
||||
// If we have a particular object to check permissions on, we check if $user has permission
|
||||
// for this given object (link to company, is contact for project, ...)
|
||||
if (!empty($objectid) && $objectid > 0) {
|
||||
$ok = checkUserAccessToObject($user, $featuresarray, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select, $parentfortableentity);
|
||||
$params = array('objectid' => $objectid, 'features' => join(',', $featuresarray), 'features2' => $feature2);
|
||||
//print 'checkUserAccessToObject ok='.$ok;
|
||||
return $ok ? 1 : accessforbidden('', 1, 1, 0, $params);
|
||||
if ($mode) {
|
||||
return $ok ? 1 : 0;
|
||||
} else {
|
||||
return $ok ? 1 : accessforbidden('', 1, 1, 0, $params);
|
||||
}
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check access by user to object.
|
||||
* This function is also called by restrictedArea that check before if module is enabled and permissions of user compared to $action.
|
||||
* Check access by user to object is ok.
|
||||
* This function is also called by restrictedArea that check before if module is enabled and if permission of user for $action is ok.
|
||||
*
|
||||
* @param User $user User to check
|
||||
* @param array $featuresarray Features/modules to check. Example: ('user','service','member','project','task',...)
|
||||
@ -555,7 +580,7 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
|
||||
* @return bool True if user has access, False otherwise
|
||||
* @see restrictedArea()
|
||||
*/
|
||||
function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = '', $dbt_select = 'rowid', $parenttableforentity = '')
|
||||
function checkUserAccessToObject($user, array $featuresarray, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = '', $dbt_select = 'rowid', $parenttableforentity = '')
|
||||
{
|
||||
global $db, $conf;
|
||||
|
||||
@ -689,6 +714,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
|
||||
include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
|
||||
$projectstatic = new Project($db);
|
||||
$tmps = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1, 0);
|
||||
|
||||
$tmparray = explode(',', $tmps);
|
||||
if (!in_array($objectid, $tmparray)) {
|
||||
return false;
|
||||
|
||||
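Review bot: The project branch of `checkUserAccessToObject()` compares `$objectid` with the exploded id list using a loose `in_array`; because `explode(',', '')` yields `array('')` and, on PHP 7, `0 == ''` is true, an empty or zero object id combined with a user who has no authorized project can pass the check. Since this commit now routes `dol_check_secure_access_document()` through this function with an id taken from an unchecked `fetch()`, guard the empty id and compare strictly: `$tmparray = array_map('intval', explode(',', $tmps));` and `if (empty($objectid) || !in_array((int) $objectid, $tmparray, true)) {` (this assumes `getProjectsAuthorizedForUser()` returns comma-separated numeric ids, which the existing `explode` already relies on). The new `$mode` parameter of `restrictedArea()` is threaded through every deny path consistently; the docblock could add that with `$mode = 1` the caller is responsible for acting on the `0` return. Both functions start and end outside the hunks shown.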
@ -440,15 +440,13 @@ if (empty($action) || $action == 'file_manager' || preg_match('/refresh/i', $act
|
||||
continue; // If condition to show is ok
|
||||
}
|
||||
|
||||
$var = false;
|
||||
|
||||
print '<li class="directory collapsed">';
|
||||
if (!empty($conf->use_javascript_ajax) && empty($conf->global->MAIN_ECM_DISABLE_JS)) {
|
||||
print '<a class="fmdirlia jqft ecmjqft" href="'.$_SERVER["PHP_SELF"].'?module='.$val['module'].'">';
|
||||
print '<a class="fmdirlia jqft ecmjqft" href="'.$_SERVER["PHP_SELF"].'?module='.urlencode($val['module']).'">';
|
||||
print $val['label'];
|
||||
print '</a>';
|
||||
} else {
|
||||
print '<a class="fmdirlia jqft ecmjqft" href="'.$_SERVER["PHP_SELF"].'?module='.$val['module'].'">';
|
||||
print '<a class="fmdirlia jqft ecmjqft" href="'.$_SERVER["PHP_SELF"].'?module='.urlencode($val['module']).'">';
|
||||
print $val['label'];
|
||||
print '</a>';
|
||||
}
|
||||
@ -456,7 +454,7 @@ if (empty($action) || $action == 'file_manager' || preg_match('/refresh/i', $act
|
||||
print '<div class="ecmjqft">';
|
||||
// Info
|
||||
$htmltooltip = '<b>'.$langs->trans("ECMSection").'</b>: '.$val['label'].'<br>';
|
||||
$htmltooltip = '<b>'.$langs->trans("Type").'</b>: '.$langs->trans("ECMSectionAuto").'<br>';
|
||||
$htmltooltip .= '<b>'.$langs->trans("Type").'</b>: '.$langs->trans("ECMSectionAuto").'<br>';
|
||||
$htmltooltip .= '<b>'.$langs->trans("ECMCreationUser").'</b>: '.$langs->trans("ECMTypeAuto").'<br>';
|
||||
$htmltooltip .= '<b>'.$langs->trans("Description").'</b>: '.$val['desc'];
|
||||
print $form->textwithpicto('', $htmltooltip, 1, 'info');
|
||||
|
||||
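Review bot: After this change both branches of `if (!empty($conf->use_javascript_ajax) && empty($conf->global->MAIN_ECM_DISABLE_JS))` in the first hunk emit exactly the same three `print` statements, so the conditional no longer does anything and can be collapsed to one `print '<a class="fmdirlia jqft ecmjqft" href="'.$_SERVER["PHP_SELF"].'?module='.urlencode($val['module']).'">';` followed by the label and `</a>`. `urlencode()` now protects the query value, but `$val['label']` on the next line is still written into the HTML unescaped; unless the labels are known to be static translated strings, `print dol_escape_htmltag($val['label']);` would keep the anchor text safe as well. The enclosing loop implied by the `continue;` at the top starts before the hunk.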
@ -1645,6 +1645,7 @@ class ExpenseReport extends CommonObject
|
||||
* Return clicable name (with picto eventually)
|
||||
*
|
||||
* @param int $withpicto 0=No picto, 1=Include picto into link, 2=Only picto
|
||||
* @param string $option Where point the link ('', 'document', ..)
|
||||
* @param int $max Max length of shown ref
|
||||
* @param int $short 1=Return just URL
|
||||
* @param string $moretitle Add more text to title tooltip
|
||||
@ -1652,7 +1653,7 @@ class ExpenseReport extends CommonObject
|
||||
* @param int $save_lastsearch_value -1=Auto, 0=No save of lastsearch_values when clicking, 1=Save lastsearch_values whenclicking
|
||||
* @return string String with URL
|
||||
*/
|
||||
public function getNomUrl($withpicto = 0, $max = 0, $short = 0, $moretitle = '', $notooltip = 0, $save_lastsearch_value = -1)
|
||||
public function getNomUrl($withpicto = 0, $option = '', $max = 0, $short = 0, $moretitle = '', $notooltip = 0, $save_lastsearch_value = -1)
|
||||
{
|
||||
global $langs, $conf;
|
||||
|
||||
@ -1684,17 +1685,16 @@ class ExpenseReport extends CommonObject
|
||||
$label .= ' - '.$moretitle;
|
||||
}
|
||||
|
||||
//if ($option != 'nolink')
|
||||
//{
|
||||
// Add param to save lastsearch_values or not
|
||||
if ($option != 'nolink') {
|
||||
// Add param to save lastsearch_values or not
|
||||
$add_save_lastsearch_values = ($save_lastsearch_value == 1 ? 1 : 0);
|
||||
if ($save_lastsearch_value == -1 && preg_match('/list\.php/', $_SERVER["PHP_SELF"])) {
|
||||
$add_save_lastsearch_values = 1;
|
||||
if ($save_lastsearch_value == -1 && preg_match('/list\.php/', $_SERVER["PHP_SELF"])) {
|
||||
$add_save_lastsearch_values = 1;
|
||||
}
|
||||
if ($add_save_lastsearch_values) {
|
||||
$url .= '&save_lastsearch_values=1';
|
||||
}
|
||||
}
|
||||
if ($add_save_lastsearch_values) {
|
||||
$url .= '&save_lastsearch_values=1';
|
||||
}
|
||||
//}
|
||||
|
||||
$ref = $this->ref;
|
||||
if (empty($ref)) {
|
||||
@ -1720,7 +1720,7 @@ class ExpenseReport extends CommonObject
|
||||
$result .= img_object(($notooltip ? '' : $label), $this->picto, ($notooltip ? (($withpicto != 2) ? 'class="paddingright"' : '') : 'class="'.(($withpicto != 2) ? 'paddingright ' : '').'classfortooltip"'), 0, 0, $notooltip ? 0 : 1);
|
||||
}
|
||||
if ($withpicto != 2) {
|
||||
$result .= ($max ?dol_trunc($ref, $max) : $ref);
|
||||
$result .= ($max ? dol_trunc($ref, $max) : $ref);
|
||||
}
|
||||
$result .= $linkend;
|
||||
|
||||
|
||||
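Review bot: Inserting `$option` as the second positional parameter of `getNomUrl()` changes the meaning of every existing positional call: a caller written as `$object->getNomUrl(1, 32)` against the old signature now passes `32` into `$option` and leaves `$max` at `0`, and `getNomUrl(1, 0, 1)` turns `$short` into `$max`. This commit updates the `FormFile` caller, but any other call site of `ExpenseReport::getNomUrl()` with more than one argument needs to be audited; appending `$option` at the end of the list would be less disruptive, or at least the docblock should flag the reordering, e.g. `@param string $option Where point the link ('', 'document', ..). Note: inserted as 2nd parameter, check positional callers`. The leftover `//}` after the new `if ($option != 'nolink') {` block should be removed now that the condition is live. The method starts in the first hunk and ends outside the last one.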
@ -274,7 +274,8 @@ class Task extends CommonObject
|
||||
}
|
||||
$sql .= " WHERE ";
|
||||
if (!empty($ref)) {
|
||||
$sql .= "t.ref = '".$this->db->escape($ref)."'";
|
||||
$sql .= "entity IN (".getEntity('project').")";
|
||||
$sql .= " AND t.ref = '".$this->db->escape($ref)."'";
|
||||
} else {
|
||||
$sql .= "t.rowid = ".((int) $id);
|
||||
}
|
||||
|
||||
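Review bot: The new `entity IN (...)` filter is applied only to the lookup-by-ref branch; the `else` branch that fetches by `t.rowid` still has no entity restriction, so if the filter is meant as a multi-company guard it should sit before the `if` so both branches inherit it, e.g. `$sql .= "t.entity IN (".getEntity('project').")";` followed by `" AND t.ref = '".$this->db->escape($ref)."'"` and `" AND t.rowid = ".((int) $id)`. The column is also left unqualified (`entity` rather than `t.entity`); if the query joins another table that carries an `entity` column (the closing brace just above the `WHERE` hints at a conditional join) the statement becomes ambiguous, so confirm against the SELECT/FROM part and against whether `t` itself has the column, both of which are outside the hunk. The enclosing method starts and ends outside the hunk.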