Home Explore Help
Sign In
iProspective
/
dolibarr
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

FIX Download of files with hashp when files are into user dir

Laurent Destailleur 6 years ago
parent
17b2fd295f
commit
4e940ebaf1
3 changed files with 20 additions and 5 deletions
Split View Show Diff Stats
  1. 3 0
      htdocs/core/lib/files.lib.php
  2. 9 3
      htdocs/document.php
  3. 8 2
      htdocs/viewimage.php

+ 3 - 0
htdocs/core/lib/files.lib.php
View File 

@@ -2119,6 +2119,9 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 
 		if (empty($conf->multicompany->enabled)) $entity=1;
 
 		else $entity=0;
 
 	}
 
+	// Fix modulepart
 
+	if ($modulepart == 'users') $modulepart='user';
 
+
 
 	dol_syslog('modulepart='.$modulepart.' original_file='.$original_file.' entity='.$entity);
 
 	// We define $accessallowed and $sqlprotectagainstexternals
 
 	$accessallowed=0;

+ 9 - 3
htdocs/document.php
View File 

@@ -38,7 +38,7 @@ if (! defined('NOREQUIREHTML'))		define('NOREQUIREHTML','1');
 
 if (! defined('NOREQUIREAJAX'))		define('NOREQUIREAJAX','1');
 
 
 // For direct external download link, we don't need to load/check we are into a login session
 
-if (isset($_GET["hashp"]))
 
+if (isset($_GET["hashp"]) && ! defined("NOLOGIN"))
 
 {
 
 	if (! defined("NOLOGIN"))		define("NOLOGIN",1);
 
 	if (! defined("NOCSRFCHECK"))	define("NOCSRFCHECK",1);	// We accept to go on this page from external web site.
 
@@ -122,8 +122,14 @@ if (! empty($hashp))
 
 	if ($result > 0)
 
 	{
 
 		$tmp = explode('/', $ecmfile->filepath, 2);		// $ecmfile->filepath is relative to document directory
 
-		$moduleparttocheck = $tmp[0];
 
-		if ($modulepart)	// Not required for link using public hashp
 
+		// filepath can be 'users/X' or 'X/propale/PR11111'
 
+		if (is_numeric($tmp[0])) // If first tmp is numeric, it is subdir of company for multicompany, we take next part.
 
+		{
 
+			$tmp = explode('/', $tmp[1], 2);
 
+		}
 
+		$moduleparttocheck = $tmp[0];	// moduleparttocheck is first part of path
 
+
 
+		if ($modulepart)	// Not required, so often not defined, for link using public hashp parameter.
 
 		{
 
 			if ($moduleparttocheck == $modulepart)
 
 			{

+ 8 - 2
htdocs/viewimage.php
View File 

@@ -131,8 +131,14 @@ if (! empty($hashp))
 
 	if ($result > 0)
 
 	{
 
 		$tmp = explode('/', $ecmfile->filepath, 2);		// $ecmfile->filepath is relative to document directory
 
-		$moduleparttocheck = $tmp[0];
 
-		if ($modulepart)	// Not required for link using public hashp
 
+		// filepath can be 'users/X' or 'X/propale/PR11111'
 
+		if (is_numeric($tmp[0])) // If first tmp is numeric, it is subdir of company for multicompany, we take next part.
 
+		{
 
+			$tmp = explode('/', $tmp[1], 2);
 
+		}
 
+		$moduleparttocheck = $tmp[0];	// moduleparttocheck is first part of path
 
+
 
+		if ($modulepart)	// Not required, so often not defined, for link using public hashp parameter.
 
 		{
 
 			if ($moduleparttocheck == $modulepart)
 
 			{