
Debug the security page

Laurent Destailleur 4 年之前
38d88ced0b

+ 1 - 1
htdocs/admin/security_file.php

@@ -153,7 +153,7 @@ if (ini_get('safe_mode') && !empty($conf->global->MAIN_ANTIVIRUS_COMMAND))
 		dol_syslog("safe_mode is on, basedir is ".$basedir.", safe_mode_exec_dir is ".ini_get('safe_mode_exec_dir'), LOG_WARNING);
 	}
 }
-print '<input type="text" name="MAIN_ANTIVIRUS_COMMAND" class="minwidth500imp" value="'.(!empty($conf->global->MAIN_ANTIVIRUS_COMMAND) ?dol_escape_htmltag($conf->global->MAIN_ANTIVIRUS_COMMAND) : '').'">';
+print '<input type="text" '.(defined('MAIN_ANTIVIRUS_COMMAND') ? 'disabled' : '').' name="MAIN_ANTIVIRUS_COMMAND" class="minwidth500imp" value="'.(!empty($conf->global->MAIN_ANTIVIRUS_COMMAND) ?dol_escape_htmltag($conf->global->MAIN_ANTIVIRUS_COMMAND) : '').'">';
 if (defined('MAIN_ANTIVIRUS_COMMAND')) {
 	print '<br><span class="opacitymedium">'.$langs->trans("ValueIsForcedBySystem").'</span>';
 }
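Review bot: The `disabled` attribute added to the input is a browser-side hint only; it does not stop a request that carries `MAIN_ANTIVIRUS_COMMAND` from reaching the save code, so the handler that stores this setting (outside this hunk) must itself ignore or reject the field when `defined('MAIN_ANTIVIRUS_COMMAND')` is true, otherwise the "forced by system" message on the next lines is not actually enforced. I cannot see that handler here, so please confirm it has that guard. Minor readability nit: the ternary leaves a double space in the tag when the constant is not defined; `'<input type="text"'.(defined('MAIN_ANTIVIRUS_COMMAND') ? ' disabled' : '').' name="MAIN_ANTIVIRUS_COMMAND" …'` avoids it. The enclosing `if (ini_get('safe_mode') …)` block begins outside the hunk.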

+ 3 - 2
htdocs/admin/system/about.php

@@ -83,6 +83,7 @@ print '<li>';
 print '<a target="_blank" href="https://www.dolibarr.org/" rel="external">'.$langs->trans("OfficialWebSite").'</a>';
 print '</li>';
 // Show local site
+/*
 if (preg_match('/^fr_/i', $langs->getDefaultLang()))
 {
 	print '<li>';
@@ -112,7 +113,7 @@ if (preg_match('/^de_/i', $langs->getDefaultLang()))
 	print '<li>';
 	print '<a target="_blank" href="https://www.dolibarr.de/" rel="external">'.$langs->trans("OfficialWebSiteLocal", $langs->transnoentitiesnoconv("Germany")).'</a>';
 	print '</li>';
-}
+}*/
 print '<li>';
 print '<a target="_blank" href="https://wiki.dolibarr.org/" rel="external">'.$langs->trans("OfficialWiki").'</a>';
 print '</li>';
@@ -168,7 +169,7 @@ print $langs->trans("OtherResources").':';
 print '<ul>';
 
 $url = 'https://saas.dolibarr.org'; $title = $langs->trans("OfficialWebHostingService");
-if (preg_match('/^fr_/i', $langs->getDefaultLang())) $url = 'https://wiki.dolibarr.org/index.php/Solutions_de_Cloud';
+if (preg_match('/^fr_/i', $langs->getDefaultLang())) $url = 'https://wiki.dolibarr.org/index.php/Solutions_Cloud_pour_Dolibarr_ERP_CRM';
 if (preg_match('/^es_/i', $langs->getDefaultLang())) $url = 'https://wiki.dolibarr.org/index.php/Soluciones_en_la_Nube';
 print '<li>';
 print '<a target="_blank" href="'.$url.'" rel="external">'.$title.'</a>';
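Review bot: The local-site list is disabled by wrapping it in a `/* … */` comment (opening with `+/*` before the `fr_` check, closing with `+}*/` after the `de_` block) instead of being deleted; commented-out code goes stale and the history already keeps it, so removing the block outright is cleaner. If it is meant to return later, a single comment stating why it is off, e.g. `// Local site links disabled pending review of the list (see <issue placeholder>)`, carries more information than the dead code.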

+ 3 - 3
htdocs/admin/system/perf.php

@@ -62,7 +62,7 @@ print "<br><strong>Web server</strong> - ".$langs->trans("Version").": ".$_SERVE
 print '<br>';
 print '<strong>'.$langs->trans("XDebug").'</strong>: ';
 $test = !function_exists('xdebug_is_enabled');
-if ($test) print img_picto('', 'tick.png').' '.$langs->trans("NotInstalled");
+if ($test) print img_picto('', 'tick.png').' '.$langs->trans("NotInstalled").' - '.$langs->trans("NotSlowedDownByThis");
 else {
 	print img_picto('', 'warning').' '.$langs->trans("ModuleActivated", $langs->transnoentities("XDebug"));
 	print ' - '.$langs->trans("MoreInformation").' <a href="'.DOL_URL_ROOT.'/admin/system/xdebug.php">XDebug admin page</a>';
@@ -73,7 +73,7 @@ print '<br>';
 print '<br>';
 print '<strong>'.$langs->trans("Syslog").'</strong>: ';
 $test = empty($conf->syslog->enabled);
-if ($test) print img_picto('', 'tick.png').' '.$langs->trans("NotInstalled");
+if ($test) print img_picto('', 'tick.png').' '.$langs->trans("NotInstalled").' - '.$langs->trans("NotSlowedDownByThis");
 else {
 	print img_picto('', 'warning').' '.$langs->trans("ModuleActivated", $langs->transnoentities("Syslog"));
 	//print ' '.$langs->trans("MoreInformation").' <a href="'.DOL_URL_ROOT.'/admin/system/xdebug.php'.'">XDebug admin page</a>';
@@ -84,7 +84,7 @@ print '<br>';
 print '<br>';
 print '<strong>'.$langs->trans("DebugBar").'</strong>: ';
 $test = empty($conf->debugbar->enabled);
-if ($test) print img_picto('', 'tick.png').' '.$langs->trans("NotInstalled");
+if ($test) print img_picto('', 'tick.png').' '.$langs->trans("NotInstalled").' - '.$langs->trans("NotSlowedDownByThis");
 else {
 	print img_picto('', 'warning').' '.$langs->trans("ModuleActivated", $langs->transnoentities("DebugBar"));
 	//print ' '.$langs->trans("MoreInformation").' <a href="'.DOL_URL_ROOT.'/admin/system/xdebug.php'.'">XDebug admin page</a>';
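Review bot: The new "NotSlowedDownByThis" suffix is printed whenever `xdebug_is_enabled` does not exist, but that function was removed in Xdebug 3, so a server running Xdebug 3 will show "Not installed - Not slowed down by this" while the extension is loaded. Replacing the test line above the changed one with `$test = !extension_loaded('xdebug');` keeps the message accurate; the same test appears in the Modules hunk of security.php (`$test = !function_exists('xdebug_is_enabled');`), where a false "no risk of leak" verdict on a security page matters more, and should get the same change. Style: the braceless one-line `if ($test) print …;` followed by a braced `else {` is easy to misread; braces on both branches would match the rest of the block.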

+ 26 - 11
htdocs/admin/system/security.php

@@ -66,32 +66,40 @@ print "<strong>PHP safe_mode</strong> = ".(ini_get('safe_mode') ? ini_get('safe_
 print "<strong>PHP open_basedir</strong> = ".(ini_get('open_basedir') ? ini_get('open_basedir') : yn(0))."<br>\n";
 print '<br>';
 
+print '<br>';
 print load_fiche_titre($langs->trans("ConfigFile"), '', '');
 
 print '<strong>'.$langs->trans("dolibarr_main_prod").'</strong>: '.$dolibarr_main_prod;
+if (empty($dolibarr_main_prod)) {
+	print img_picto('', 'warning').' &nbsp;  '.$langs->trans("IfYouAreOnAProductionSetThis");
+}
 // dolibarr_main_prod
 
+print '<br>';
 
 print '<br>';
 print '<br>';
+print load_fiche_titre($langs->trans("Permissions"), '', '');
 
-print load_fiche_titre($langs->trans("PermissionsOnFiles"), '', '');
-
-print '<strong>'.$langs->trans("PermissionOnFileInWebRoot").'</strong>: ';
-// TODO
+print '<strong>'.$langs->trans("PermissionsOnFilesInWebRoot").'</strong>: ';
+// TODO Check permission are read only except for custom dir
 print 'TODO';
-
-
 print '<br>';
+
+print '<strong>'.$langs->trans("PermissionsOnFile", 'conf.php').'</strong>: ';
+// TODO Check permission on file conf.php (read only for the web user)
+print 'TODO';
 print '<br>';
 
+print '<br>';
 
+print '<br>';
 print load_fiche_titre($langs->trans("Modules"), '', '');
 
 // XDebug
 print '<strong>'.$langs->trans("XDebug").'</strong>: ';
 $test = !function_exists('xdebug_is_enabled');
-if ($test) print img_picto('', 'tick.png').' '.$langs->trans("NotInstalled");
+if ($test) print img_picto('', 'tick.png').' '.$langs->trans("NotInstalled").' - '.$langs->trans("NotRiskOfLeakWithThis");
 else {
 	print img_picto('', 'warning').' '.$langs->trans("ModuleActivatedMayExposeInformation", $langs->transnoentities("XDebug"));
 	print ' - '.$langs->trans("MoreInformation").' <a href="'.DOL_URL_ROOT.'/admin/system/xdebug.php">XDebug admin page</a>';
@@ -102,7 +110,7 @@ print '<br>';
 print '<br>';
 print '<strong>'.$langs->trans("Syslog").'</strong>: ';
 $test = empty($conf->syslog->enabled);
-if ($test) print img_picto('', 'tick.png').' '.$langs->trans("NotInstalled");
+if ($test) print img_picto('', 'tick.png').' '.$langs->trans("NotInstalled").' - '.$langs->trans("NotRiskOfLeakWithThis");
 else {
 	print img_picto('', 'warning').' '.$langs->trans("ModuleActivatedMayExposeInformation", $langs->transnoentities("Syslog"));
 	//print ' '.$langs->trans("MoreInformation").' <a href="'.DOL_URL_ROOT.'/admin/system/xdebug.php'.'">XDebug admin page</a>';
@@ -113,14 +121,15 @@ print '<br>';
 print '<br>';
 print '<strong>'.$langs->trans("DebugBar").'</strong>: ';
 $test = empty($conf->debugbar->enabled);
-if ($test) print img_picto('', 'tick.png').' '.$langs->trans("NotInstalled");
+if ($test) print img_picto('', 'tick.png').' '.$langs->trans("NotInstalled").' - '.$langs->trans("NotRiskOfLeakWithThis");
 else {
 	print img_picto('', 'error').' '.$langs->trans("ModuleActivatedDoNotUseInProduction", $langs->transnoentities("DebugBar"));
 	//print ' '.$langs->trans("MoreInformation").' <a href="'.DOL_URL_ROOT.'/admin/system/xdebug.php'.'">XDebug admin page</a>';
 }
 print '<br>';
-print '<br>';
 
+print '<br>';
+print '<br>';
 print load_fiche_titre($langs->trans("SecuritySetup"), '', '');
 
 //print '<strong>'.$langs->trans("PasswordEncryption").'</strong>: ';
@@ -130,7 +139,13 @@ print '<br>';
 // TODO
 
 print '<strong>'.$langs->trans("AntivirusEnabledOnUpload").'</strong>: ';
-// TODO
+print yn($conf->global->MAIN_ANTIVIRUS_COMMAND ? 1 : 0);
+if (!empty($conf->global->MAIN_ANTIVIRUS_COMMAND)) {
+	print ' &nbsp; - '.$conf->global->MAIN_ANTIVIRUS_COMMAND;
+	if (defined('MAIN_ANTIVIRUS_COMMAND')) {
+		print ' - <span class="opacitymedium">'.$langs->trans("ValueIsForcedBySystem").'</span>';
+	}
+}
 print '<br>';
 
 print '<br>';
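Review bot: In the AntivirusEnabledOnUpload hunk the configured command is written into the page raw, `print ' &nbsp; - '.$conf->global->MAIN_ANTIVIRUS_COMMAND;`, whereas security_file.php in this same commit passes the same value through `dol_escape_htmltag()`; this page should do likewise: `print ' &nbsp; - '.dol_escape_htmltag($conf->global->MAIN_ANTIVIRUS_COMMAND);`. The line just before it, `print yn($conf->global->MAIN_ANTIVIRUS_COMMAND ? 1 : 0);`, reads the property without the `!empty()` guard used two lines later and will emit an undefined-property notice/warning when the setting was never defined; `print yn(!empty($conf->global->MAIN_ANTIVIRUS_COMMAND) ? 1 : 0);` is consistent with the following check. Under the new Permissions title both `// TODO` items still print the literal string `'TODO'` to the admin page; a comment naming the intended check and a tracking reference (`// TODO(<issue placeholder>): verify web root is read-only except custom dir`) would make it clear these are deliberately unfinished rather than forgotten.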

+ 4 - 2
htdocs/core/menus/standard/eldy.lib.php

@@ -763,9 +763,11 @@ function print_left_eldy_menu($db, $menu_array_before, $menu_array_after, &$tabM
 				$newmenu->add('/admin/system/os.php?mainmenu=home&amp;leftmenu=admintools', $langs->trans('InfoOS'), 1);
 				$newmenu->add('/admin/system/web.php?mainmenu=home&amp;leftmenu=admintools', $langs->trans('InfoWebServer'), 1);
 				$newmenu->add('/admin/system/phpinfo.php?mainmenu=home&amp;leftmenu=admintools', $langs->trans('InfoPHP'), 1);
-				//if (function_exists('xdebug_is_enabled')) $newmenu->add('/admin/system/xdebug.php', $langs->trans('XDebug'),1);
 				$newmenu->add('/admin/system/database.php?mainmenu=home&amp;leftmenu=admintools', $langs->trans('InfoDatabase'), 1);
-				//$newmenu->add("/admin/system/perf.php?mainmenu=home&amp;leftmenu=admintools", $langs->trans("InfoPerf"),1);
+				if (!empty($conf->global->MAIN_FEATURES_LEVEL)) {
+					$newmenu->add("/admin/system/perf.php?mainmenu=home&amp;leftmenu=admintools", $langs->trans("InfoPerf"),1);
+					$newmenu->add("/admin/system/security.php?mainmenu=home&amp;leftmenu=admintools", $langs->trans("InfoSecurity"),1);
+				}
 				$newmenu->add("/admin/tools/dolibarr_export.php?mainmenu=home&amp;leftmenu=admintools", $langs->trans("Backup"), 1);
 				$newmenu->add("/admin/tools/dolibarr_import.php?mainmenu=home&amp;leftmenu=admintools", $langs->trans("Restore"), 1);
 				$newmenu->add("/admin/tools/update.php?mainmenu=home&amp;leftmenu=admintools", $langs->trans("MenuUpgrade"), 1);
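Review bot: The new gate reads `$conf->global->MAIN_FEATURES_LEVEL`, but `print_left_eldy_menu` starts outside this hunk and `$conf` is not among its visible parameters, so this only works if the function declares `global $conf`; please confirm. Style: the two added `$newmenu->add("…", $langs->trans("InfoPerf"),1)` lines use double-quoted paths and no space before the trailing `1`, while the neighbouring entries use single quotes and `, 1)`; matching them keeps the block uniform. Hiding the menu entries behind the feature level does not restrict the perf and security pages themselves, which remain reachable by URL, so any access control those pages need has to live in the pages, not in this menu.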

+ 11 - 1
htdocs/langs/en_US/admin.lang

@@ -37,6 +37,8 @@ UnlockNewSessions=Remove connection lock
 YourSession=Your session
 Sessions=Users Sessions
 WebUserGroup=Web server user/group
+PermissionsOnFilesInWebRoot=Permissions on files in web root directory
+PermissionsOnFile=Permissions on file %s
 NoSessionFound=Your PHP configuration seems to not allow listing of active sessions. The directory used to save sessions (<b>%s</b>) may be protected (for example by OS permissions or by PHP directive open_basedir).
 DBStoringCharset=Database charset to store data
 DBSortingCharset=Database charset to sort data
@@ -1179,6 +1181,7 @@ InfoWebServer=About Web Server
 InfoDatabase=About Database
 InfoPHP=About PHP
 InfoPerf=About Performances
+InfoSecurity=About Security
 BrowserName=Browser name
 BrowserOS=Browser OS
 ListOfSecurityEvents=List of Dolibarr security events
@@ -1558,7 +1561,9 @@ LDAPDescValues=Example values are designed for <b>OpenLDAP</b> with following lo
 ForANonAnonymousAccess=For an authenticated access (for a write access for example)
 PerfDolibarr=Performance setup/optimizing report
 YouMayFindPerfAdviceHere=This page provides some checks or advice related to performance.
-NotInstalled=Not installed, so your server is not slowed down by this.
+NotInstalled=Not installed.
+NotSlowedDownByThis=Not slowed down by this.
+NotRiskOfLeakWithThis=Not risk of leak with this.
 ApplicativeCache=Applicative cache
 MemcachedNotAvailable=No applicative cache found. You can enhance performance by installing a cache server Memcached and a module able to use this cache server.<br>More information here <a href="http://wiki.dolibarr.org/index.php/Module_MemCached_EN">http://wiki.dolibarr.org/index.php/Module_MemCached_EN</a>.<br>Note that a lot of web hosting provider does not provide such cache server.
 MemcachedModuleAvailableButNotSetup=Module memcached for applicative cache found but setup of module is not complete.
@@ -2032,6 +2037,8 @@ UseDebugBar=Use the debug bar
 DEBUGBAR_LOGS_LINES_NUMBER=Number of last log lines to keep in console
 WarningValueHigherSlowsDramaticalyOutput=Warning, higher values slows dramaticaly output
 ModuleActivated=Module %s is activated and slows the interface
+IfYouAreOnAProductionSetThis=If you are on a production environment, you should set this property.
+AntivirusEnabledOnUpload=Antivirus enabled on uploaded files
 EXPORTS_SHARE_MODELS=Export models are share with everybody
 ExportSetup=Setup of module Export
 ImportSetup=Setup of module Import
@@ -2069,3 +2076,6 @@ MailToSendEventPush=Event reminder email
 SwitchThisForABetterSecurity=Switching this value to %s is recommended for more security
 DictionaryProductNature= Nature of product
 CountryIfSpecificToOneCountry=Country (if specific to a given country)
+YouMayFindSecurityAdviceHere=You may find security advisory here
+ModuleActivatedMayExposeInformation=This module may expose sensitive data. If you don't need it, disable it.
+ModuleActivatedDoNotUseInProduction=A module designed for the development has been enabled. Do not enable it on a production environment.