lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix bad permission

Browse Source
This commit is contained in:
Laurent Destailleur 2021-03-29 13:49:24 +02:00
parent 6bc56b7671
commit e382d49299
3 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
htdocs/core/lib/files.lib.php
View File

@ -2243,6 +2243,7 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
$modulepart = 'user';
}
//print 'dol_check_secure_access_document modulepart='.$modulepart.' original_file='.$original_file.' entity='.$entity;
dol_syslog('dol_check_secure_access_document modulepart='.$modulepart.' original_file='.$original_file.' entity='.$entity);
// We define $accessallowed and $sqlprotectagainstexternals
@ -2727,7 +2728,7 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
} elseif ($modulepart == 'export' && !empty($conf->export->dir_temp)) {
// Wrapping for export module
// Note that a test may not be required because we force the dir of download on the directory of the user that export
$accessallowed = $user->rights->export->run;
$accessallowed = $user->rights->export->lire;
$original_file = $conf->export->dir_temp.'/'.$fuser->id.'/'.$original_file;
} elseif ($modulepart == 'import' && !empty($conf->import->dir_temp)) {
// Wrapping for import module

4
htdocs/core/modules/modExport.class.php
View File

@ -78,14 +78,14 @@ class modExport extends DolibarrModules
$r++;
$this->rights[$r][0] = 1201;
$this->rights[$r][1] = 'Lire les exports';
$this->rights[$r][1] = 'Read exports';
$this->rights[$r][2] = 'r';
$this->rights[$r][3] = 0;
$this->rights[$r][4] = 'lire';
$r++;
$this->rights[$r][0] = 1202;
$this->rights[$r][1] = 'Creer/modifier un export';
$this->rights[$r][1] = 'Creeate/modify export';
$this->rights[$r][2] = 'w';
$this->rights[$r][3] = 0;
$this->rights[$r][4] = 'creer';

1
htdocs/document.php
View File

@ -207,6 +207,7 @@ if (empty($modulepart)) {
// Check security and set return info with full path of file
$check_access = dol_check_secure_access_document($modulepart, $original_file, $entity, $user, $refname);
var_dump($check_access);
$accessallowed = $check_access['accessallowed'];
$sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals'];
$fullpath_original_file = $check_access['original_file']; // $fullpath_original_file is now a full path name