Mirrors/dolibarr
1
0
Fork 0
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-02-20 13:46:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

FIX Download of files with hashp when files are into user dir

Browse Source
This commit is contained in:
Laurent Destailleur 2018-12-17 15:35:20 +01:00
parent 17b2fd295f
commit 4e940ebaf1
3 changed files with 20 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
htdocs/core/lib/files.lib.php
View File

@ -2119,6 +2119,9 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
if (empty($conf->multicompany->enabled)) $entity=1;
else $entity=0;
}
// Fix modulepart
if ($modulepart == 'users') $modulepart='user';
dol_syslog('modulepart='.$modulepart.' original_file='.$original_file.' entity='.$entity);
// We define $accessallowed and $sqlprotectagainstexternals
$accessallowed=0;

12
htdocs/document.php
View File

@ -38,7 +38,7 @@ if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1');
if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1');
// For direct external download link, we don't need to load/check we are into a login session
if (isset($_GET["hashp"]))
if (isset($_GET["hashp"]) && ! defined("NOLOGIN"))
{
if (! defined("NOLOGIN")) define("NOLOGIN",1);
if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",1); // We accept to go on this page from external web site.
@ -122,8 +122,14 @@ if (! empty($hashp))
if ($result > 0)
{
$tmp = explode('/', $ecmfile->filepath, 2); // $ecmfile->filepath is relative to document directory
$moduleparttocheck = $tmp[0];
if ($modulepart) // Not required for link using public hashp
// filepath can be 'users/X' or 'X/propale/PR11111'
if (is_numeric($tmp[0])) // If first tmp is numeric, it is subdir of company for multicompany, we take next part.
{
$tmp = explode('/', $tmp[1], 2);
}
$moduleparttocheck = $tmp[0]; // moduleparttocheck is first part of path
if ($modulepart) // Not required, so often not defined, for link using public hashp parameter.
{
if ($moduleparttocheck == $modulepart)
{

10
htdocs/viewimage.php
View File

@ -131,8 +131,14 @@ if (! empty($hashp))
if ($result > 0)
{
$tmp = explode('/', $ecmfile->filepath, 2); // $ecmfile->filepath is relative to document directory
$moduleparttocheck = $tmp[0];
if ($modulepart) // Not required for link using public hashp
// filepath can be 'users/X' or 'X/propale/PR11111'
if (is_numeric($tmp[0])) // If first tmp is numeric, it is subdir of company for multicompany, we take next part.
{
$tmp = explode('/', $tmp[1], 2);
}
$moduleparttocheck = $tmp[0]; // moduleparttocheck is first part of path
if ($modulepart) // Not required, so often not defined, for link using public hashp parameter.
{
if ($moduleparttocheck == $modulepart)
{