
/htdocs/viewimage.php

https://bitbucket.org/speedealing/speedealing
  1<?php
  2/* Copyright (C) 2004-2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
  3 * Copyright (C) 2005-2012 Laurent Destailleur  <eldy@users.sourceforge.net>
  4 * Copyright (C) 2005-2012 Regis Houssin        <regis.houssin@capnetworks.com>
  5 *
  6 * This program is free software; you can redistribute it and/or modify
  7 * it under the terms of the GNU General Public License as published by
  8 * the Free Software Foundation; either version 3 of the License, or
  9 * (at your option) any later version.
 10 *
 11 * This program is distributed in the hope that it will be useful,
 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 14 * GNU General Public License for more details.
 15 *
 16 * You should have received a copy of the GNU General Public License
 17 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 18 * or see http://www.gnu.org/
 19 */
 20
/**
 *		\file       htdocs/viewimage.php
 *		\brief      Wrapper to show images into Speedealing screens
 *      \remarks    Call to wrapper is '<img src="'.DOL_URL_ROOT.'/viewimage.php?modulepart=diroffile&file=relativepathoffile&cache=0">'
 */
 26
 27//if (! defined('NOREQUIREUSER'))   define('NOREQUIREUSER','1');	// Not disabled cause need to load personalized language
 28//if (! defined('NOREQUIREDB'))   define('NOREQUIREDB','1');		// Not disabled cause need to load personalized language
 29if (! defined('NOREQUIRESOC'))    define('NOREQUIRESOC','1');
 30if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1');
 31if (! defined('NOCSRFCHECK'))     define('NOCSRFCHECK','1');
 32if (! defined('NOTOKENRENEWAL'))  define('NOTOKENRENEWAL','1');
 33if (! defined('NOREQUIREMENU'))  define('NOREQUIREMENU','1');
 34if (! defined('NOREQUIREHTML'))  define('NOREQUIREHTML','1');
 35if (! defined('NOREQUIREAJAX'))  define('NOREQUIREAJAX','1');
 36// Pour autre que companylogo, on charge environnement + info issus de logon comme le user
 37if ((isset($_GET["modulepart"]) && $_GET["modulepart"] == 'companylogo') && ! defined("NOLOGIN")) define("NOLOGIN",'1');
 38
 39
 40/**
 41 * Wrapper, donc header vierge
 42 *
 43 * @return  null
 44 */
 45function llxHeader() { }
 46
 47require 'main.inc.php';
 48require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
 49
 50
 51$action=GETPOST('action','alpha');
 52$original_file=GETPOST("file");
 53$modulepart=GETPOST('modulepart','alpha');
 54$urlsource=GETPOST("urlsource");
 55$entity=GETPOST('entity','int');
 56if ($entity == '') $entity=1;    // For backward compatibility
 57
 58// Security check
 59if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart');
 60
 61
 62
 63/*
 64 * Actions
 65 */
 66
 67// None
 68
 69
 70
 71/*
 72 * View
 73 */
 74
 75if (GETPOST("cache"))
 76{
 77    // Important: Following code is to avoid page request by browser and PHP CPU at
 78    // each Speedealing page access.
 79    if (empty($dolibarr_nocache))
 80    {
 81        header('Cache-Control: max-age=3600, public, must-revalidate');
 82        header('Pragma: cache');       // This is to avoid having Pragma: no-cache
 83    }
 84    else header('Cache-Control: no-cache');
 85    //print $dolibarr_nocache; exit;
 86}
 87
 88// Define mime type
 89$type = 'application/octet-stream';
 90if (! empty($_GET["type"])) $type=$_GET["type"];
 91else $type=dol_mimetype($original_file);
 92
 93// Suppression de la chaine de caractere ../ dans $original_file
 94$original_file = str_replace("../","/", $original_file);
 95
 96// Security checks
 97if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart');
 98$accessallowed=0;
 99if ($modulepart)
100{
101    // Check permissions and define directory
102
103    // Wrapping for company logo
104    if ($modulepart == 'companylogo')
105    {
106        $accessallowed=1;
107        $original_file=$conf->mycompany->dir_output.'/logos/'.$original_file;
108    }
109    // Wrapping for users photos
110    elseif ($modulepart == 'userphoto')
111    {
112        $accessallowed=1;
113        $original_file=$conf->user->dir_output.'/'.$original_file;
114    }
115    // Wrapping for members photos
116    elseif ($modulepart == 'memberphoto')
117    {
118        $accessallowed=1;
119        $original_file=$conf->adherent->dir_output.'/'.$original_file;
120    }
121    // Wrapping for members photos
122    elseif ($modulepart == 'member')
123    {
124        $accessallowed=1;
125        $original_file=$conf->adherent->dir_output.'/'.$original_file;
126    }
127    // Wrapping pour les images des societes
128    elseif ($modulepart == 'societe')
129    {
130        $accessallowed=1;
131        $original_file=$conf->societe->multidir_output[$entity].'/'.$original_file;
132    }
133    // Wrapping pour les apercu factures
134    elseif ($modulepart == 'apercufacture')
135    {
136        if ($user->rights->facture->lire) $accessallowed=1;
137        $original_file=$conf->facture->dir_output.'/'.$original_file;
138    }
139    // Wrapping pour les apercu propal
140    elseif ($modulepart == 'apercupropal')
141    {
142        if ($user->rights->propale->lire) $accessallowed=1;
143        $original_file=$conf->propal->dir_output.'/'.$original_file;
144    }
145    // Wrapping pour les apercu commande
146    elseif ($modulepart == 'apercucommande')
147    {
148        if ($user->rights->commande->lire) $accessallowed=1;
149        $original_file=$conf->commande->dir_output.'/'.$original_file;
150    }
151    // Wrapping pour les apercu intervention
152    elseif ($modulepart == 'apercufichinter')
153    {
154        if ($user->rights->ficheinter->lire) $accessallowed=1;
155        $original_file=$conf->ficheinter->dir_output.'/'.$original_file;
156    }
157    // Wrapping pour les images des stats propales
158    elseif ($modulepart == 'propalstats')
159    {
160        if ($user->rights->propale->lire) $accessallowed=1;
161        $original_file=$conf->propal->dir_temp.'/'.$original_file;
162    }
163    // Wrapping pour les images des stats commandes
164    elseif ($modulepart == 'orderstats')
165    {
166        if ($user->rights->commande->lire) $accessallowed=1;
167        $original_file=$conf->commande->dir_temp.'/'.$original_file;
168    }
169    elseif ($modulepart == 'orderstatssupplier')
170    {
171        if ($user->rights->fournisseur->commande->lire) $accessallowed=1;
172        $original_file=$conf->fournisseur->dir_output.'/commande/temp/'.$original_file;
173    }
174    // Wrapping pour les images des stats factures
175    elseif ($modulepart == 'billstats')
176    {
177        if ($user->rights->facture->lire) $accessallowed=1;
178        $original_file=$conf->facture->dir_temp.'/'.$original_file;
179    }
180    elseif ($modulepart == 'billstatssupplier')
181    {
182        if ($user->rights->fournisseur->facture->lire) $accessallowed=1;
183        $original_file=$conf->fournisseur->dir_output.'/facture/temp/'.$original_file;
184    }
185    // Wrapping pour les images des stats expeditions
186    elseif ($modulepart == 'expeditionstats')
187    {
188        if ($user->rights->expedition->lire) $accessallowed=1;
189        $original_file=$conf->expedition->dir_temp.'/'.$original_file;
190    }
191    // Wrapping pour les images des stats expeditions
192    elseif ($modulepart == 'tripsexpensesstats')
193    {
194        if ($user->rights->deplacement->lire) $accessallowed=1;
195        $original_file=$conf->deplacement->dir_temp.'/'.$original_file;
196    }
197    // Wrapping pour les images des stats expeditions
198    elseif ($modulepart == 'memberstats')
199    {
200        if ($user->rights->adherent->lire) $accessallowed=1;
201        $original_file=$conf->adherent->dir_temp.'/'.$original_file;
202    }
203    // Wrapping pour les images des stats produits
204    elseif (preg_match('/^productstats_/i',$modulepart))
205    {
206        if ($user->rights->produit->lire || $user->rights->service->lire) $accessallowed=1;
207        $original_file=(!empty($conf->product->multidir_temp[$entity])?$conf->product->multidir_temp[$entity]:$conf->service->multidir_temp[$entity]).'/'.$original_file;
208    }
209    // Wrapping for products or services
210    elseif ($modulepart == 'product')
211    {
212        if ($user->rights->produit->lire || $user->rights->service->lire) $accessallowed=1;
213        $original_file=(! empty($conf->product->multidir_output[$entity])?$conf->product->multidir_output[$entity]:$conf->service->multidir_output[$entity]).'/'.$original_file;
214    }
215    // Wrapping for products or services
216    elseif ($modulepart == 'tax')
217    {
218        if ($user->rights->tax->charges->lire) $accessallowed=1;
219        $original_file=$conf->tax->dir_output.'/'.$original_file;
220    }
221    // Wrapping for products or services
222    elseif ($modulepart == 'actions')
223    {
224        if ($user->rights->agenda->myactions->read) $accessallowed=1;
225        $original_file=$conf->agenda->dir_output.'/'.$original_file;
226    }
227    // Wrapping for categories
228    elseif ($modulepart == 'category')
229    {
230        if ($user->rights->categorie->lire) $accessallowed=1;
231        $original_file=$conf->categorie->multidir_output[$entity].'/'.$original_file;
232    }
233    // Wrapping pour les prelevements
234    elseif ($modulepart == 'prelevement')
235    {
236        if ($user->rights->prelevement->bons->lire) $accessallowed=1;
237        $original_file=$conf->prelevement->dir_output.'/receipts/'.$original_file;
238    }
239    // Wrapping pour les graph energie
240    elseif ($modulepart == 'graph_stock')
241    {
242        $accessallowed=1;
243        $original_file=$conf->stock->dir_temp.'/'.$original_file;
244    }
245    // Wrapping pour les graph fournisseurs
246    elseif ($modulepart == 'graph_fourn')
247    {
248        $accessallowed=1;
249        $original_file=$conf->fournisseur->dir_temp.'/'.$original_file;
250    }
251    // Wrapping pour les graph des produits
252    elseif ($modulepart == 'graph_product')
253    {
254        $accessallowed=1;
255        $original_file=$conf->product->multidir_temp[$entity].'/'.$original_file;
256    }
257    // Wrapping pour les code barre
258    elseif ($modulepart == 'barcode')
259    {
260        $accessallowed=1;
261        // If viewimage is called for barcode, we try to output an image on the fly,
262        // with not build of file on disk.
263        //$original_file=$conf->barcode->dir_temp.'/'.$original_file;
264        $original_file='';
265    }
266    // Wrapping pour les icones de background des mailings
267    elseif ($modulepart == 'iconmailing')
268    {
269        $accessallowed=1;
270        $original_file=$conf->mailing->dir_temp.'/'.$original_file;
271    }
272    // Wrapping pour les icones de background des mailings
273    elseif ($modulepart == 'scanner_user_temp')
274    {
275        $accessallowed=1;
276        $original_file=$conf->scanner->dir_temp.'/'.$user->id.'/'.$original_file;
277    }
278    // Wrapping pour les images fckeditor
279    elseif ($modulepart == 'fckeditor')
280    {
281        $accessallowed=1;
282        $original_file=$conf->fckeditor->dir_output.'/'.$original_file;
283    }
284
285    // GENERIC Wrapping
286    // If modulepart=module_user_temp	Allows any module to open a file if file is in directory called DOL_DATA_ROOT/modulepart/temp/iduser
287    // If modulepart=module_temp		Allows any module to open a file if file is in directory called DOL_DATA_ROOT/modulepart/temp
288    // If modulepart=module_user		Allows any module to open a file if file is in directory called DOL_DATA_ROOT/modulepart/iduser
289    // If modulepart=module				Allows any module to open a file if file is in directory called DOL_DATA_ROOT/modulepart
290    else
291    {
292        if (preg_match('/^([a-z]+)_user_temp$/i',$modulepart,$reg))
293        {
294            if ($user->rights->$reg[1]->lire || $user->rights->$reg[1]->read) $accessallowed=1;
295            $original_file=$conf->$reg[1]->dir_temp.'/'.$user->id.'/'.$original_file;
296        }
297        else if (preg_match('/^([a-z]+)_temp$/i',$modulepart,$reg))
298        {
299            if ($user->rights->$reg[1]->lire || $user->rights->$reg[1]->read) $accessallowed=1;
300            $original_file=$conf->$reg[1]->dir_temp.'/'.$original_file;
301        }
302        else if (preg_match('/^([a-z]+)_user$/i',$modulepart,$reg))
303        {
304            if ($user->rights->$reg[1]->lire || $user->rights->$reg[1]->read) $accessallowed=1;
305            $original_file=$conf->$reg[1]->dir_output.'/'.$user->id.'/'.$original_file;
306        }
307        else
308        {
309            $perm=GETPOST('perm');
310            $subperm=GETPOST('subperm');
311            if ($perm || $subperm)
312            {
313                if (($perm && ! $subperm && $user->rights->$modulepart->$perm) || ($perm && $subperm && $user->rights->$modulepart->$perm->$subperm)) $accessallowed=1;
314                $original_file=$conf->$modulepart->dir_output.'/'.$original_file;
315            }
316            else
317            {
318                if ($user->rights->$modulepart->lire || $user->rights->$modulepart->read) $accessallowed=1;
319                $original_file=$conf->$modulepart->dir_output.'/'.$original_file;
320            }
321        }
322    }
323}
324
325// Security:
326// Limit access if permissions are wrong
327if (! $accessallowed)
328{
329    accessforbidden();
330}
331
// Security:
// Refuse directory climbing ("..") as well as redirection/pipe characters in the
// resolved file path.
$refused = preg_match('/\.\.|[<>|]/', $original_file);
if ($refused)
{
    dol_syslog("Refused to deliver file ".$original_file, LOG_WARNING);
    // Do no show plain path in shown error message
    dol_print_error(0,'Error: File '.$_GET["file"].' does not exists');
    exit;
}
341
342
343
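if ($modulepart == 'barcode')
{
    $generator=GETPOST("generator","alpha");
    $code=GETPOST("code");
    $encoding=GETPOST("encoding","alpha");
    $readable=GETPOST("readable")?GETPOST("readable","alpha"):"Y";

    if (empty($generator) || empty($encoding))
    {
        dol_print_error(0,'Error, parameter "generator" or "encoding" not defined');
        exit;
    }
    // The generator name becomes part of an include path and of a class name: keep it
    // to a plain identifier so it can only select a file inside the barcode directories.
    if (! preg_match('/^[A-Za-z0-9_]+$/', $generator))
    {
        dol_print_error(0,'Error, bad value for parameter "generator"');
        exit;
    }

    // Directories that may provide a barcode generator (core first, then external modules)
    $extradirs=empty($conf->modules_parts['barcode'])?array():$conf->modules_parts['barcode'];
    $dirbarcode=array_merge(array("/core/modules/barcode/"),$extradirs);

    $result=0;

    foreach($dirbarcode as $reldir)
    {
        $dir=dol_buildpath($reldir,0);
        $newdir=dol_osencode($dir);

        // Check if directory exists (we do not use dol_is_dir to avoid loading files.lib.php)
        if (! is_dir($newdir)) continue;

        $result=@include_once $newdir.$generator.'.modules.php';
        if ($result) break;
    }

    // Load barcode class
    $classname = "mod".ucfirst($generator);
    if (! class_exists($classname))
    {
        // No generator file was found, or it does not define the expected class:
        // report it instead of dying with a fatal error on "new".
        dol_print_error(0,'Error, barcode generator "'.$generator.'" not found');
        exit;
    }
    $module = new $classname($db);
    if ($module->encodingIsSupported($encoding))
    {
        $result=$module->buildBarCode($code,$encoding,$readable);
    }
}
else					// Open and return file
{
    clearstatcache();

    // Output files on browser
    dol_syslog("viewimage.php return file $original_file content-type=$type");

    // This test is to avoid error images when image is not available (for example thumbs).
    if (! dol_is_file($original_file))
    {
        $original_file=DOL_DOCUMENT_ROOT.'/theme/common/nophoto.jpg';
        // The placeholder is a JPEG whatever type was requested for the missing file
        $type=dol_mimetype($original_file);
    }

    // Rights are ok and file was found.
    // A double quote would end the filename token of the header early; it is not needed to name the file.
    $filename=str_replace('"','',basename($original_file));
    header('Content-Disposition: inline; filename="'.$filename.'"');
    header('Content-type: '.($type ? $type : 'image/png'));
    // The declared type is authoritative: the browser must not sniff another one out
    // of the file content (a stored file could otherwise be interpreted as a script/page).
    header('X-Content-Type-Options: nosniff');

    $original_file_osencoded=dol_osencode($original_file);
    readfile($original_file_osencoded);
}


if (is_object($db)) $db->close();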
416?>