From c396dcdfbbeb2180a13f9b756287619edd837aba Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 22 Feb 2024 00:09:45 +0100
Subject: [PATCH] Fix from #27211

---
 htdocs/core/lib/files.lib.php | 4 ++--
 htdocs/document.php | 7 ++-----
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php
index 7b0ac3e6a78..7152e2778bb 100644
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@@ -2564,7 +2564,7 @@ function dol_most_recent_file($dir, $regexfilter = '', $excludefilter = array('(
  * @param string $original_file Relative path with filename, relative to modulepart.
  * @param string $entity Restrict onto entity (0=no restriction)
  * @param User|null $fuser User object (forced)
- * @param string $refname Ref of object to check permission for external users (autodetect if not provided) or for hierarchy
+ * @param string $refname Ref of object to check permission for external users (autodetect if not provided by taking the dirname of $original_file) or for hierarchy
  * @param string $mode Check permission for 'read' or 'write'
  * @return mixed Array with access information : 'accessallowed' & 'sqlprotectagainstexternals' & 'original_file' (as a full path name)
  * @see restrictedArea()
@@ -2612,7 +2612,7 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 	// Find the subdirectory name as the reference. For example original_file='10/myfile.pdf' -> refname='10'
 	if (empty($refname)) {
 		$refname = basename(dirname($original_file)."/");
-		if ($refname == 'thumbs') {
+		if ($refname == 'thumbs' || $refname == 'temp') {
 			// If we get the thumbs directory, we must go one step higher. For example original_file='10/thumbs/myfile_small.jpg' -> refname='10'
 			$refname = basename(dirname(dirname($original_file))."/");
 		}
diff --git a/htdocs/document.php b/htdocs/document.php
index f1d3c187ce1..82fd61a5874 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
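Review bot: The rewritten `@param` text on the `+` line says the reference is autodetected "by taking the dirname of $original_file", but the code in the following hunk takes `basename(dirname($original_file)."/")`, i.e. the name of the immediate parent directory, and moves one level higher when that directory is `thumbs` or `temp`. A reader relying on the docblock would expect a path, not a directory name, so make it say `@param string $refname Ref of object to check permission for external users (if empty, autodetected as the name of the parent directory of $original_file, skipping a 'thumbs' or 'temp' parent) or for hierarchy`. The docblock belongs to dol_check_secure_access_document, whose signature and body lie outside this hunk.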
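Review bot: The comment directly under the new condition still reads "If we get the thumbs directory", so the `temp` case this hunk adds is undocumented at the one place a reader will look; change it to `// If we get the thumbs or temp directory, we must go one step higher. For example original_file='10/thumbs/myfile_small.jpg' or '10/temp/myfile.pdf' -> refname='10'`. The two loose `==` comparisons can become one strict membership test, `if (in_array($refname, array('thumbs', 'temp'), true)) {`, which also keeps the list of special directories in one place if more are added later. The hop is a single step, so a layout such as `10/temp/thumbs/x.jpg` would yield refname `temp` rather than `10`; whether that layout exists is not visible here, but if it does the step-up needs to loop on a directory variable instead of re-deriving from `$original_file`. When `thumbs` or `temp` is the top-level directory of `$original_file`, `dirname(dirname(...))` is `.` and `$refname` becomes `.`, a value that then feeds the external-user permission logic outside this hunk and is worth confirming is rejected rather than matched. dol_check_secure_access_document's body continues past the end of the hunk.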
@@ -209,16 +209,13 @@
 $original_file = str_replace('../', '/', $original_file);
 $original_file = str_replace('..\\', '/', $original_file);
 
-// Find the subdirectory name as the reference
-$refname = basename(dirname($original_file)."/");
-
 // Security check
 if (empty($modulepart)) {
 	accessforbidden('Bad value for parameter modulepart');
 }
 
 // Check security and set return info with full path of file
-$check_access = dol_check_secure_access_document($modulepart, $original_file, $entity, $user, $refname);
+$check_access = dol_check_secure_access_document($modulepart, $original_file, $entity, $user, '');
 $accessallowed = $check_access['accessallowed'];
 $sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals'];
 $fullpath_original_file = $check_access['original_file']; // $fullpath_original_file is now a full path name
@@ -282,7 +279,7 @@ if (!file_exists($fullpath_original_file_osencoded)) {
 // Hooks
 $hookmanager->initHooks(array('document'));
 $parameters = array('ecmfile' => $ecmfile, 'modulepart' => $modulepart, 'original_file' => $original_file,
-	'entity' => $entity, 'refname' => $refname, 'fullpath_original_file' => $fullpath_original_file,
+	'entity' => $entity, 'fullpath_original_file' => $fullpath_original_file,
 	'filename' => $filename, 'fullpath_original_file_osencoded' => $fullpath_original_file_osencoded);
 $object = new stdClass();
 $reshook = $hookmanager->executeHooks('downloadDocument', $parameters, $object, $action); // Note that $action and $object may have been
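Review bot: With the local `$refname` removed, dol_check_secure_access_document now derives the reference from `$original_file` itself, and the only traversal normalisation visible before that call is the two single-pass `str_replace` lines at the top of the hunk; `str_replace('../', '/', ...)` does not rescan its own output, so an input like `....//x` comes out as `..//x`, which still contains `../`. Unless the library or code outside this hunk rejects any remaining `..` segment, the autodetected reference and the full path derived from it should not rely on those two lines alone — either repeat the replacement until it no longer matches, `while (strpos($original_file, '../') !== false) { $original_file = str_replace('../', '/', $original_file); }` (likewise for `..\\`), or simply refuse any `$original_file` containing `..`. Passing the literal `''` as the fifth argument works, but if `$refname` has a `''` default in the signature (cut off in the other file's hunk header) the argument can be omitted. Also confirm that no later code in document.php outside this hunk still reads `$refname`, since this hunk deletes its only assignment.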
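Review bot: Dropping the `'refname'` key from `$parameters` silently changes the `downloadDocument` hook contract: any external module whose hook reads `$parameters['refname']` now gets an undefined index (null plus a PHP warning) instead of the reference it received before. Because the docblock in files.lib.php lists only `accessallowed`, `sqlprotectagainstexternals` and `original_file` in the returned array, the value autodetected inside dol_check_secure_access_document is not available here to pass on; either extend that return array with the autodetected reference and keep `'refname' => $check_access['refname'],` in the hook parameters, or record the removed key in the hook documentation and changelog so module authors are warned. The enclosing `if (!file_exists(...))` block starts before this hunk.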