Merge pull request #20435 from marc-dll/13.0_FIX_medias_access_multicompany

FIX: permit access to medias when logged in a different entity
2022-03-23 15:37:20 +01:00 · 2022-03-23 15:37:20 +01:00 · c44cfb0885
commit c44cfb0885
parent 6617cbc531 100c48372b
1 changed files with 7 additions and 0 deletions
--- a/htdocs/viewimage.php
+++ b/htdocs/viewimage.php
@ -186,6 +186,13 @@ $refname = basename(dirname($original_file)."/");
 // Security check
 if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart', 0, 0, 1);

+// When logged in a different entity, medias cannot be accessed because $conf->$module->multidir_output
+// is not set on the requested entity, but they are public documents, so reset entity
+if ($modulepart === 'medias' && $entity != $conf->entity) {
+    $conf->entity = $entity;
+    $conf->setValues($db);
+}
+
 $check_access = dol_check_secure_access_document($modulepart, $original_file, $entity, $user, $refname);
 $accessallowed              = $check_access['accessallowed'];
 $sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals'];