From 75ad2e82fdb558fb72cdf58429e1f1bb5da0116d Mon Sep 17 00:00:00 2001 From: Eric <1468823+rycks@users.noreply.github.com> Date: Tue, 20 Feb 2024 23:01:16 +0100 Subject: [PATCH 1/4] fix entity if interventions are shared between entities (#28317) --- htdocs/fichinter/class/fichinter.class.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/htdocs/fichinter/class/fichinter.class.php b/htdocs/fichinter/class/fichinter.class.php index 0205fec9e39..3bf1c5d5dfd 100644 --- a/htdocs/fichinter/class/fichinter.class.php +++ b/htdocs/fichinter/class/fichinter.class.php @@ -575,7 +575,8 @@ class Fichinter extends CommonObject $sql .= ", date_valid = '".$this->db->idate($now)."'"; $sql .= ", fk_user_valid = ".((int) $user->id); $sql .= " WHERE rowid = ".((int) $this->id); - $sql .= " AND entity = ".((int) $conf->entity); + $sql .= " AND entity IN (".getEntity('intervention').")"; + $sql .= " AND fk_statut = 0"; dol_syslog(get_class($this)."::setValid", LOG_DEBUG); @@ -603,7 +604,7 @@ class Fichinter extends CommonObject // Now we rename also files into index $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref) + 1).")), filepath = 'ficheinter/".$this->db->escape($this->newref)."'"; - $sql .= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'ficheinter/".$this->db->escape($this->ref)."' and entity = ".$conf->entity; + $sql .= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'ficheinter/".$this->db->escape($this->ref)."' and entity IN (".getEntity('intervention').")"; $resql = $this->db->query($sql); if (!$resql) { $error++; $this->error = $this->db->lasterror(); From 6defdcd0182f6683f8e0cfc9a47f2091821fefe0 Mon Sep 17 00:00:00 2001 
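Review bot: The rewritten `WHERE` line in the `@@ -603,7 +604,7 @@` hunk (the ecm_files rename) still builds its `LIKE` pattern from `$this->db->escape($this->ref)` alone, so a `_` or `%` in the reference keeps its wildcard meaning. The `filepath = ...` equality on the same line limits the effect to the intervention's own directory, but index rows there whose names do not literally start with the old ref could still be rewritten by the `CONCAT`/`SUBSTR` expression. Building the prefix as `$this->db->escape($this->db->escapeforlike($this->ref))."%'"` would make the match literal. The same line is touched again in PATCH 2/4 and carries the same pattern; the enclosing method starts and ends outside the hunk.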
From: Eric <1468823+rycks@users.noreply.github.com>
Date: Wed, 21 Feb 2024 17:06:05 +0100
Subject: [PATCH 2/4] better fix with this->entity thanks to regis (#28331)
* better fix with this->entity thanks to regis
* Update fichinter.class.php
---------
Co-authored-by: Laurent Destailleur
---
 htdocs/fichinter/class/fichinter.class.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/fichinter/class/fichinter.class.php b/htdocs/fichinter/class/fichinter.class.php
index 3bf1c5d5dfd..b7d7cf92a69 100644
--- a/htdocs/fichinter/class/fichinter.class.php
+++ b/htdocs/fichinter/class/fichinter.class.php
@@ -575,7 +575,7 @@ class Fichinter extends CommonObject
 $sql .= ", date_valid = '".$this->db->idate($now)."'";
 $sql .= ", fk_user_valid = ".((int) $user->id);
 $sql .= " WHERE rowid = ".((int) $this->id);
- $sql .= " AND entity IN (".getEntity('intervention').")";
+ $sql .= " AND entity = ".((int) $this->entity);
 $sql .= " AND fk_statut = 0";
@@ -604,7 +604,7 @@ class Fichinter extends CommonObject
 // Now we rename also files into index
 $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref) + 1).")), filepath = 'ficheinter/".$this->db->escape($this->newref)."'";
- $sql .= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'ficheinter/".$this->db->escape($this->ref)."' and entity IN (".getEntity('intervention').")";
+ $sql .= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'ficheinter/".$this->db->escape($this->ref)."' and entity = ".((int) $this->entity);
 $resql = $this->db->query($sql);
 if (!$resql) {
 $error++; $this->error = $this->db->lasterror();
From 52646ee9f50980a690c15e4ffb901f1c851b017a Mon Sep 17 00:00:00 2001
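Review bot: With `entity = ".((int) $this->entity)` in the `@@ -575,7 +575,7 @@` hunk, the clause compares the row with the entity stored on the object itself rather than with anything derived from the current user or `$conf`, so it no longer acts as an entity-scope check on its own. Isolation between entities then rests on whatever loaded the object (presumably `fetch()`, which is outside this diff) having applied the sharing rules; a comment such as `// Entity scope is enforced when the object is loaded; this only pins the UPDATE to that row's entity` would record that dependency. If `$this->entity` is ever unset, the cast gives 0 and the UPDATE matches nothing; unless the code after the hunk checks affected rows, that would look like a successful validation. The second hunk (`@@ -604,7 +604,7 @@`, ecm_files) uses the same expression and has the same dependency.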
From: Saami PERDRIX <142794129+atm-saamiperdrix@users.noreply.github.com>
Date: Thu, 22 Feb 2024 00:10:04 +0100
Subject: [PATCH 3/4] =?UTF-8?q?fix=20aper=C3=A7u/dl=20fichier=20quand=20il?= =?UTF-8?q?=20est=20dans=20{userid}/temp=20(#27211)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 htdocs/core/lib/files.lib.php | 2 +-
 htdocs/document.php | 9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php
index 4195dee8dc1..2fab41a2a03 100644
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@@ -2295,7 +2295,7 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 // Find the subdirectory name as the reference. For example original_file='10/myfile.pdf' -> refname='10'
 if (empty($refname)) {
 $refname = basename(dirname($original_file)."/");
- if ($refname == 'thumbs') {
+ if ($refname == 'thumbs' || $refname == 'temp') {
 // If we get the thumbns directory, we must go one step higher. For example original_file='10/thumbs/myfile_small.jpg' -> refname='10'
 $refname = basename(dirname(dirname($original_file))."/");
 }
diff --git a/htdocs/document.php b/htdocs/document.php
index c13e8f42a73..532b1a53b52 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -207,7 +207,7 @@ $original_file = str_replace('..\\', '/', $original_file);
 // Find the subdirectory name as the reference
-$refname = basename(dirname($original_file)."/");
+//$refname = basename(dirname($original_file)."/");
 // Security check
 if (empty($modulepart)) {
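Review bot: The added `|| $refname == 'temp'` test in the files.lib.php hunk climbs one directory for every path whose parent is `temp`, including a single-level path (constructed example: `temp/myfile.pdf`), where `basename(dirname(dirname($original_file))."/")` evaluates to `.` rather than to a reference. The code that consumes `$refname` is outside the hunk, so confirm that `.` or an unrelated parent directory name cannot satisfy the per-object permission lookup that presumably follows. The comment on the next line still describes only the thumbs case and could read `// If we get the thumbs or temp directory, we must go one step higher. For example original_file='10/temp/myfile.pdf' -> refname='10'`. A strict comparison (`===`) would also fit here, since both operands are strings.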
@@ -215,11 +215,10 @@ if (empty($modulepart)) {
 }
 // Check security and set return info with full path of file
-$check_access = dol_check_secure_access_document($modulepart, $original_file, $entity, $user, $refname);
+$check_access = dol_check_secure_access_document($modulepart, $original_file, $entity, $user, '');
 $accessallowed = $check_access['accessallowed'];
 $sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals'];
 $fullpath_original_file = $check_access['original_file']; // $fullpath_original_file is now a full path name
-//var_dump($fullpath_original_file);exit;
 if (!empty($hashp)) {
 $accessallowed = 1; // When using hashp, link is public so we force $accessallowed
@@ -283,7 +282,7 @@ if (!is_object($hookmanager)) {
 }
 $hookmanager->initHooks(array('document'));
 $parameters = array('ecmfile' => $ecmfile, 'modulepart' => $modulepart, 'original_file' => $original_file,
- 'entity' => $entity, 'refname' => $refname, 'fullpath_original_file' => $fullpath_original_file,
+ 'entity' => $entity, 'refname' => '', 'fullpath_original_file' => $fullpath_original_file,
 'filename' => $filename, 'fullpath_original_file_osencoded' => $fullpath_original_file_osencoded);
 $reshook = $hookmanager->executeHooks('downloadDocument', $parameters); // Note that $action and $object may have been
 if ($reshook < 0) {
@@ -293,6 +292,7 @@ if ($reshook < 0) {
 exit;
 }
+
 // Permissions are ok and file found, so we return it
 top_httphead($type);
 header('Content-Description: File Transfer');
@@ -300,6 +300,7 @@ if ($encoding) {
 header('Content-Encoding: '.$encoding);
 }
 // Add MIME Content-Disposition from RFC 2183 (inline=automatically displayed, attachment=need user action to open)
+
 if ($attachment) {
 header('Content-Disposition: attachment; filename="'.$filename.'"');
 } else {
From f7e8725406653766d05d83b780720e58ab09771d Mon Sep 17 00:00:00 2001
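Review bot: The literal `''` passed as the fifth argument in the `@@ -215,11 +215,10 @@` hunk is load-bearing and has no comment explaining it. Judging by the `if (empty($refname))` branch in the files.lib.php hunk of this patch, an empty value is what makes `dol_check_secure_access_document()` derive the reference itself and apply the thumbs/temp handling. A short comment would keep a later edit from reintroducing a caller-computed value, for example `// Pass an empty refname so the access check derives it from $original_file (handles thumbs/ and temp/ subdirectories)`. Other entry points that still pass their own `$refname` are not visible here and would bypass that branch.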
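Review bot: In the `@@ -283,7 +282,7 @@` hunk the `downloadDocument` hook now receives `'refname' => ''` instead of the directory-derived value, and PATCH 4/4 drops the key altogether. Any external hook that reads `$parameters['refname']` to make its own allow/deny decision would silently see an empty or missing value; whether such hooks exist cannot be told from this diff. If the resolved reference is still useful to hooks, it could be returned in the array that `dol_check_secure_access_document()` already produces and forwarded from there; otherwise the removal deserves a changelog line for module authors.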
From: Laurent Destailleur
Date: Thu, 22 Feb 2024 00:12:33 +0100
Subject: [PATCH 4/4] Clean code
---
 htdocs/document.php | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/htdocs/document.php b/htdocs/document.php
index 532b1a53b52..87b8828a4ad 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -206,9 +206,6 @@ $original_file = str_replace('../', '/', $original_file);
 $original_file = str_replace('..\\', '/', $original_file);
-// Find the subdirectory name as the reference
-//$refname = basename(dirname($original_file)."/");
-
 // Security check
 if (empty($modulepart)) {
 accessforbidden('Bad value for parameter modulepart');
@@ -282,7 +279,7 @@ if (!is_object($hookmanager)) {
 }
 $hookmanager->initHooks(array('document'));
 $parameters = array('ecmfile' => $ecmfile, 'modulepart' => $modulepart, 'original_file' => $original_file,
- 'entity' => $entity, 'refname' => '', 'fullpath_original_file' => $fullpath_original_file,
+ 'entity' => $entity, 'fullpath_original_file' => $fullpath_original_file,
 'filename' => $filename, 'fullpath_original_file_osencoded' => $fullpath_original_file_osencoded);
 $reshook = $hookmanager->executeHooks('downloadDocument', $parameters); // Note that $action and $object may have been
 if ($reshook < 0) {