From 52646ee9f50980a690c15e4ffb901f1c851b017a Mon Sep 17 00:00:00 2001
From: Saami PERDRIX <142794129+atm-saamiperdrix@users.noreply.github.com>
Date: Thu, 22 Feb 2024 00:10:04 +0100
Subject: [PATCH] =?UTF-8?q?fix=20aper=C3=A7u/dl=20fichier=20quand=20il=20e?= =?UTF-8?q?st=20dans=20{userid}/temp=20(#27211)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 htdocs/core/lib/files.lib.php | 2 +-
 htdocs/document.php | 9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php
index 4195dee8dc1..2fab41a2a03 100644
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@@ -2295,7 +2295,7 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 // Find the subdirectory name as the reference. For example original_file='10/myfile.pdf' -> refname='10'
 if (empty($refname)) {
 $refname = basename(dirname($original_file)."/");
- if ($refname == 'thumbs') {
+ if ($refname == 'thumbs' || $refname == 'temp') {
 // If we get the thumbns directory, we must go one step higher. For example original_file='10/thumbs/myfile_small.jpg' -> refname='10'
 $refname = basename(dirname(dirname($original_file))."/");
 }
diff --git a/htdocs/document.php b/htdocs/document.php
index c13e8f42a73..532b1a53b52 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -207,7 +207,7 @@ $original_file = str_replace('..\\', '/', $original_file);
 
 
 // Find the subdirectory name as the reference
-$refname = basename(dirname($original_file)."/");
+//$refname = basename(dirname($original_file)."/");
 
 // Security check
 if (empty($modulepart)) {
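Review bot: In the files.lib.php hunk, the comment under the widened condition still describes only the thumbs case, so nothing tells the next reader that a `temp` directory is now skipped as well; it could read `// If we get the thumbs or temp directory, we must go one step higher. For example original_file='10/temp/myfile.pdf' -> refname='10'`. The match is on the directory name alone and this branch runs for every `$modulepart` that arrives with an empty `$refname`, so the effect is wider than the `{userid}/temp` case named in the subject line. For a path with a single directory level such as `temp/myfile.pdf`, the second `dirname()` returns `.` and `$refname` becomes `.`; how the rest of dol_check_secure_access_document treats that value is outside the hunk, so it is worth confirming that no permission branch accepts it. The function body starts and ends outside the hunk.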
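Review bot: In the first document.php hunk the `$refname` assignment is commented out rather than deleted, which leaves dead code under a heading comment (`// Find the subdirectory name as the reference`) that no longer describes anything. Removing both lines would make it clear that the reference is now derived inside dol_check_secure_access_document. Any later read of `$refname` in document.php that this patch does not touch would now hit an undefined variable; the two uses visible in the later hunks are replaced with `''`, and the rest of the file is outside the diff.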
@@ -215,11 +215,10 @@ if (empty($modulepart)) {
 }
 
 // Check security and set return info with full path of file
-$check_access = dol_check_secure_access_document($modulepart, $original_file, $entity, $user, $refname);
+$check_access = dol_check_secure_access_document($modulepart, $original_file, $entity, $user, '');
 $accessallowed = $check_access['accessallowed'];
 $sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals'];
 $fullpath_original_file = $check_access['original_file']; // $fullpath_original_file is now a full path name
-//var_dump($fullpath_original_file);exit;
 
 if (!empty($hashp)) {
 $accessallowed = 1; // When using hashp, link is public so we force $accessallowed
@@ -283,7 +282,7 @@ if (!is_object($hookmanager)) {
 }
 $hookmanager->initHooks(array('document'));
 $parameters = array('ecmfile' => $ecmfile, 'modulepart' => $modulepart, 'original_file' => $original_file,
- 'entity' => $entity, 'refname' => $refname, 'fullpath_original_file' => $fullpath_original_file,
+ 'entity' => $entity, 'refname' => '', 'fullpath_original_file' => $fullpath_original_file,
 'filename' => $filename, 'fullpath_original_file_osencoded' => $fullpath_original_file_osencoded);
 $reshook = $hookmanager->executeHooks('downloadDocument', $parameters); // Note that $action and $object may have been
 if ($reshook < 0) {
@@ -293,6 +292,7 @@ if ($reshook < 0) {
 exit;
 }
 
+
 // Permissions are ok and file found, so we return it
 top_httphead($type);
 header('Content-Description: File Transfer');
@@ -300,6 +300,7 @@ if ($encoding) {
 header('Content-Encoding: '.$encoding);
 }
 // Add MIME Content-Disposition from RFC 2183 (inline=automatically displayed, attachment=need user action to open)
+
 if ($attachment) {
 header('Content-Disposition: attachment; filename="'.$filename.'"');
 } else {
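Review bot: The bare `''` passed as the last argument in the `@@ -215` hunk reads like a placeholder, although it is what switches the access check to its own reference lookup (the `if (empty($refname))` branch patched in files.lib.php). A one-line comment above the call would record that, for example `// Pass an empty refname so that dol_check_secure_access_document() derives it from the path (thumbs and temp sub-directories are skipped there)`. The intent deserves to be explicit because `$accessallowed` is taken directly from the result of this call.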
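Review bot: Hooks registered on `downloadDocument` now always receive `'refname' => ''` (hunk `@@ -283`), where they used to get the parent directory name of the requested file. An external module that bases its own allow/deny decision or its audit log on `$parameters['refname']` would silently see an empty reference after this change. If the value is still meant to be part of the hook contract, it would have to be returned by the access check, whose result is only read for `accessallowed`, `sqlprotectagainstexternals` and `original_file` in the `@@ -215` hunk. Otherwise the key's new meaning deserves a comment next to the array, e.g. `// refname is no longer computed here; hooks must derive it from original_file`.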