Browse Source

FIX Download of files with hashp when files are into user dir

Laurent Destailleur 6 years ago
parent
commit
4e940ebaf1
3 changed files with 20 additions and 5 deletions
  1. 3 0
      htdocs/core/lib/files.lib.php
  2. 9 3
      htdocs/document.php
  3. 8 2
      htdocs/viewimage.php

+ 3 - 0
htdocs/core/lib/files.lib.php

@@ -2119,6 +2119,9 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 		if (empty($conf->multicompany->enabled)) $entity=1;
 		else $entity=0;
 	}
+	// Fix modulepart
+	if ($modulepart == 'users') $modulepart='user';
+
 	dol_syslog('modulepart='.$modulepart.' original_file='.$original_file.' entity='.$entity);
 	// We define $accessallowed and $sqlprotectagainstexternals
 	$accessallowed=0;

+ 9 - 3
htdocs/document.php

@@ -38,7 +38,7 @@ if (! defined('NOREQUIREHTML'))		define('NOREQUIREHTML','1');
 if (! defined('NOREQUIREAJAX'))		define('NOREQUIREAJAX','1');
 
 // For direct external download link, we don't need to load/check we are into a login session
-if (isset($_GET["hashp"]))
+if (isset($_GET["hashp"]) && ! defined("NOLOGIN"))
 {
 	if (! defined("NOLOGIN"))		define("NOLOGIN",1);
 	if (! defined("NOCSRFCHECK"))	define("NOCSRFCHECK",1);	// We accept to go on this page from external web site.
@@ -122,8 +122,14 @@ if (! empty($hashp))
 	if ($result > 0)
 	{
 		$tmp = explode('/', $ecmfile->filepath, 2);		// $ecmfile->filepath is relative to document directory
-		$moduleparttocheck = $tmp[0];
-		if ($modulepart)	// Not required for link using public hashp
+		// filepath can be 'users/X' or 'X/propale/PR11111'
+		if (is_numeric($tmp[0])) // If first tmp is numeric, it is subdir of company for multicompany, we take next part.
+		{
+			$tmp = explode('/', $tmp[1], 2);
+		}
+		$moduleparttocheck = $tmp[0];	// moduleparttocheck is first part of path
+
+		if ($modulepart)	// Not required, so often not defined, for link using public hashp parameter.
 		{
 			if ($moduleparttocheck == $modulepart)
 			{

+ 8 - 2
htdocs/viewimage.php

@@ -131,8 +131,14 @@ if (! empty($hashp))
 	if ($result > 0)
 	{
 		$tmp = explode('/', $ecmfile->filepath, 2);		// $ecmfile->filepath is relative to document directory
-		$moduleparttocheck = $tmp[0];
-		if ($modulepart)	// Not required for link using public hashp
+		// filepath can be 'users/X' or 'X/propale/PR11111'
+		if (is_numeric($tmp[0])) // If first tmp is numeric, it is subdir of company for multicompany, we take next part.
+		{
+			$tmp = explode('/', $tmp[1], 2);
+		}
+		$moduleparttocheck = $tmp[0];	// moduleparttocheck is first part of path
+
+		if ($modulepart)	// Not required, so often not defined, for link using public hashp parameter.
 		{
 			if ($moduleparttocheck == $modulepart)
 			{