PageRenderTime 47ms CodeModel.GetById 19ms RepoModel.GetById 1ms app.codeStats 0ms

/htdocs/document.php

https://github.com/zeert/dolibarr
PHP | 547 lines | 370 code | 69 blank | 108 comment | 208 complexity | 792ece0341a618ebc2ad2747a9aba338 MD5 | raw file
Possible License(s): LGPL-2.0
  1. <?php
  2. /* Copyright (C) 2004-2007 Rodolphe Quiedeville <rodolphe@quiedeville.org>
  3. * Copyright (C) 2004-2012 Laurent Destailleur <eldy@users.sourceforge.net>
  4. * Copyright (C) 2005 Simon Tosser <simon@kornog-computing.com>
  5. * Copyright (C) 2005-2012 Regis Houssin <regis@dolibarr.fr>
  6. * Copyright (C) 2010 Pierre Morin <pierre.morin@auguria.net>
  7. * Copyright (C) 2010 Juanjo Menent <jmenent@2byte.es>
  8. *
  9. * This program is free software; you can redistribute it and/or modify
  10. * it under the terms of the GNU General Public License as published by
  11. * the Free Software Foundation; either version 2 of the License, or
  12. * (at your option) any later version.
  13. *
  14. * This program is distributed in the hope that it will be useful,
  15. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. * GNU General Public License for more details.
  18. *
  19. * You should have received a copy of the GNU General Public License
  20. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  21. * or see http://www.gnu.org/
  22. */
  23. /**
  24. * \file htdocs/document.php
  25. * \brief Wrapper to download data files
  26. * \remarks Call of this wrapper is made with URL:
  27. * document.php?modulepart=repfichierconcerne&file=pathrelatifdufichier
  28. */
  29. define('NOTOKENRENEWAL',1); // Disables token renewal
  30. // Pour autre que bittorrent, on charge environnement + info issus de logon (comme le user)
  31. if (isset($_GET["modulepart"]) && $_GET["modulepart"] == 'bittorrent' && ! defined("NOLOGIN"))
  32. {
  33. define("NOLOGIN",1);
  34. define("NOCSRFCHECK",1); // We accept to go on this page from external web site.
  35. }
  36. if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1');
  37. if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1');
  38. if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1');
  39. /**
  40. * Wrapper, donc header vierge
  41. *
  42. * @return null
  43. */
  44. function llxHeader() { }
  45. require("./main.inc.php"); // Load $user and permissions
  46. require_once(DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php');
  47. $encoding = '';
  48. $action=GETPOST('action','alpha');
  49. $original_file=GETPOST('file','alpha'); // Do not use urldecode here ($_GET are already decoded by PHP).
  50. $modulepart=GETPOST('modulepart','alpha');
  51. $urlsource=GETPOST('urlsource','alpha');
  52. $entity=GETPOST('entity')?GETPOST('entity','int'):$conf->entity;
  53. // Security check
  54. if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart');
  55. /*
  56. * Action
  57. */
  58. // None
  59. /*
  60. * View
  61. */
  62. // Define mime type
  63. $type = 'application/octet-stream';
  64. if (GETPOST('type','alpha')) $type=GETPOST('type','alpha');
  65. else $type=dol_mimetype($original_file);
  66. //print 'X'.$type.'-'.$original_file;exit;
  67. // Define attachment (attachment=true to force choice popup 'open'/'save as')
  68. $attachment = true;
  69. // Text files
  70. if (preg_match('/\.txt$/i',$original_file)) { $attachment = false; }
  71. if (preg_match('/\.csv$/i',$original_file)) { $attachment = true; }
  72. if (preg_match('/\.tsv$/i',$original_file)) { $attachment = true; }
  73. // Documents MS office
  74. if (preg_match('/\.doc(x)?$/i',$original_file)) { $attachment = true; }
  75. if (preg_match('/\.dot(x)?$/i',$original_file)) { $attachment = true; }
  76. if (preg_match('/\.mdb$/i',$original_file)) { $attachment = true; }
  77. if (preg_match('/\.ppt(x)?$/i',$original_file)) { $attachment = true; }
  78. if (preg_match('/\.xls(x)?$/i',$original_file)) { $attachment = true; }
  79. // Documents Open office
  80. if (preg_match('/\.odp$/i',$original_file)) { $attachment = true; }
  81. if (preg_match('/\.ods$/i',$original_file)) { $attachment = true; }
  82. if (preg_match('/\.odt$/i',$original_file)) { $attachment = true; }
  83. // Misc
  84. if (preg_match('/\.(html|htm)$/i',$original_file)) { $attachment = false; }
  85. if (preg_match('/\.pdf$/i',$original_file)) { $attachment = true; }
  86. if (preg_match('/\.sql$/i',$original_file)) { $attachment = true; }
  87. // Images
  88. if (preg_match('/\.jpg$/i',$original_file)) { $attachment = true; }
  89. if (preg_match('/\.jpeg$/i',$original_file)) { $attachment = true; }
  90. if (preg_match('/\.png$/i',$original_file)) { $attachment = true; }
  91. if (preg_match('/\.gif$/i',$original_file)) { $attachment = true; }
  92. if (preg_match('/\.bmp$/i',$original_file)) { $attachment = true; }
  93. if (preg_match('/\.tiff$/i',$original_file)) { $attachment = true; }
  94. // Calendar
  95. if (preg_match('/\.vcs$/i',$original_file)) { $attachment = true; }
  96. if (preg_match('/\.ics$/i',$original_file)) { $attachment = true; }
  97. if (GETPOST("attachment")) { $attachment = true; }
  98. if (! empty($conf->global->MAIN_DISABLE_FORCE_SAVEAS)) $attachment=false;
  99. //print "XX".$attachment;exit;
  100. // Suppression de la chaine de caractere ../ dans $original_file
  101. $original_file = str_replace("../","/", $original_file);
  102. // find the subdirectory name as the reference
  103. $refname=basename(dirname($original_file)."/");
  104. // Security check
  105. $accessallowed=0;
  106. $sqlprotectagainstexternals='';
  107. if ($modulepart)
  108. {
  109. // On fait une verification des droits et on definit le repertoire concerne
  110. // Wrapping for third parties
  111. if ($modulepart == 'company' || $modulepart == 'societe')
  112. {
  113. if ($user->rights->societe->lire || preg_match('/^specimen/i',$original_file))
  114. {
  115. $accessallowed=1;
  116. }
  117. $original_file=$conf->societe->multidir_output[$entity].'/'.$original_file;
  118. $sqlprotectagainstexternals = "SELECT rowid as fk_soc FROM ".MAIN_DB_PREFIX."societe WHERE rowid='".$refname."' AND entity IN (".getEntity('societe', 1).")";
  119. }
  120. // Wrapping for invoices
  121. else if ($modulepart == 'facture' || $modulepart == 'invoice')
  122. {
  123. if ($user->rights->facture->lire || preg_match('/^specimen/i',$original_file))
  124. {
  125. $accessallowed=1;
  126. }
  127. $original_file=$conf->facture->dir_output.'/'.$original_file;
  128. $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."facture WHERE ref='".$refname."' AND entity=".$conf->entity;
  129. }
  130. else if ($modulepart == 'unpaid')
  131. {
  132. if ($user->rights->facture->lire || preg_match('/^specimen/i',$original_file))
  133. {
  134. $accessallowed=1;
  135. }
  136. $original_file=$conf->facture->dir_output.'/unpaid/temp/'.$original_file;
  137. }
  138. // Wrapping pour les fiches intervention
  139. else if ($modulepart == 'ficheinter')
  140. {
  141. if ($user->rights->ficheinter->lire || preg_match('/^specimen/i',$original_file))
  142. {
  143. $accessallowed=1;
  144. }
  145. $original_file=$conf->ficheinter->dir_output.'/'.$original_file;
  146. $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."fichinter WHERE ref='".$refname."' AND entity=".$conf->entity;
  147. }
  148. // Wrapping pour les prelevements
  149. else if ($modulepart == 'prelevement')
  150. {
  151. if ($user->rights->prelevement->bons->lire || preg_match('/^specimen/i',$original_file))
  152. {
  153. $accessallowed=1;
  154. }
  155. $original_file=$conf->prelevement->dir_output.'/'.$original_file;
  156. }
  157. // Wrapping pour les propales
  158. else if ($modulepart == 'propal')
  159. {
  160. if ($user->rights->propale->lire || preg_match('/^specimen/i',$original_file))
  161. {
  162. $accessallowed=1;
  163. }
  164. $original_file=$conf->propal->dir_output.'/'.$original_file;
  165. $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."propal WHERE ref='".$refname."' AND entity=".$conf->entity;
  166. }
  167. // Wrapping pour les commandes
  168. else if ($modulepart == 'commande' || $modulepart == 'order')
  169. {
  170. if ($user->rights->commande->lire || preg_match('/^specimen/i',$original_file))
  171. {
  172. $accessallowed=1;
  173. }
  174. $original_file=$conf->commande->dir_output.'/'.$original_file;
  175. $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."commande WHERE ref='".$refname."' AND entity=".$conf->entity;
  176. }
  177. // Wrapping pour les projets
  178. else if ($modulepart == 'project')
  179. {
  180. if ($user->rights->projet->lire || preg_match('/^specimen/i',$original_file))
  181. {
  182. $accessallowed=1;
  183. }
  184. $original_file=$conf->projet->dir_output.'/'.$original_file;
  185. $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."projet WHERE ref='".$refname."' AND entity=".$conf->entity;
  186. }
  187. // Wrapping pour les commandes fournisseurs
  188. else if ($modulepart == 'commande_fournisseur' || $modulepart == 'order_supplier')
  189. {
  190. if ($user->rights->fournisseur->commande->lire || preg_match('/^specimen/i',$original_file))
  191. {
  192. $accessallowed=1;
  193. }
  194. $original_file=$conf->fournisseur->commande->dir_output.'/'.$original_file;
  195. $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."commande_fournisseur WHERE ref='".$refname."' AND entity=".$conf->entity;
  196. }
  197. // Wrapping pour les factures fournisseurs
  198. else if ($modulepart == 'facture_fournisseur' || $modulepart == 'invoice_supplier')
  199. {
  200. if ($user->rights->fournisseur->facture->lire || preg_match('/^specimen/i',$original_file))
  201. {
  202. $accessallowed=1;
  203. }
  204. $original_file=$conf->fournisseur->facture->dir_output.'/'.$original_file;
  205. $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."facture_fourn WHERE facnumber='".$refname."' AND entity=".$conf->entity;
  206. }
  207. // Wrapping pour les rapport de paiements
  208. else if ($modulepart == 'facture_paiement')
  209. {
  210. if ($user->rights->facture->lire || preg_match('/^specimen/i',$original_file))
  211. {
  212. $accessallowed=1;
  213. }
  214. if ($user->societe_id > 0) $original_file=$conf->facture->dir_output.'/payments/private/'.$user->id.'/'.$original_file;
  215. else $original_file=$conf->facture->dir_output.'/payments/'.$original_file;
  216. }
  217. // Wrapping pour les exports de compta
  218. else if ($modulepart == 'export_compta')
  219. {
  220. if ($user->rights->compta->ventilation->creer || preg_match('/^specimen/i',$original_file))
  221. {
  222. $accessallowed=1;
  223. }
  224. $original_file=$conf->compta->dir_output.'/'.$original_file;
  225. }
  226. // Wrapping pour les expedition
  227. else if ($modulepart == 'expedition')
  228. {
  229. if ($user->rights->expedition->lire || preg_match('/^specimen/i',$original_file))
  230. {
  231. $accessallowed=1;
  232. }
  233. $original_file=$conf->expedition->dir_output."/sending/".$original_file;
  234. }
  235. // Wrapping pour les bons de livraison
  236. else if ($modulepart == 'livraison')
  237. {
  238. if ($user->rights->expedition->livraison->lire || preg_match('/^specimen/i',$original_file))
  239. {
  240. $accessallowed=1;
  241. }
  242. $original_file=$conf->expedition->dir_output."/receipt/".$original_file;
  243. }
  244. // Wrapping pour les actions
  245. else if ($modulepart == 'actions')
  246. {
  247. if ($user->rights->agenda->myactions->read || preg_match('/^specimen/i',$original_file))
  248. {
  249. $accessallowed=1;
  250. }
  251. $original_file=$conf->agenda->dir_output.'/'.$original_file;
  252. }
  253. // Wrapping pour les actions
  254. else if ($modulepart == 'actionsreport')
  255. {
  256. if ($user->rights->agenda->allactions->read || preg_match('/^specimen/i',$original_file))
  257. {
  258. $accessallowed=1;
  259. }
  260. $original_file = $conf->agenda->dir_temp."/".$original_file;
  261. }
  262. // Wrapping pour les produits et services
  263. else if ($modulepart == 'produit' || $modulepart == 'service')
  264. {
  265. if (($user->rights->produit->lire || $user->rights->service->lire) || preg_match('/^specimen/i',$original_file))
  266. {
  267. $accessallowed=1;
  268. }
  269. if ($conf->product->enabled) $original_file=$conf->product->multidir_output[$entity].'/'.$original_file;
  270. elseif ($conf->service->enabled) $original_file=$conf->service->multidir_output[$entity].'/'.$original_file;
  271. }
  272. // Wrapping pour les contrats
  273. else if ($modulepart == 'contract')
  274. {
  275. if ($user->rights->contrat->lire || preg_match('/^specimen/i',$original_file))
  276. {
  277. $accessallowed=1;
  278. }
  279. $original_file=$conf->contrat->dir_output.'/'.$original_file;
  280. }
  281. // Wrapping pour les documents generaux
  282. else if ($modulepart == 'ged')
  283. {
  284. if ($user->rights->document->lire)
  285. {
  286. $accessallowed=1;
  287. }
  288. $original_file= $conf->ged->dir_output.'/'.$original_file;
  289. }
  290. // Wrapping pour les dons
  291. else if ($modulepart == 'donation')
  292. {
  293. if ($user->rights->don->lire || preg_match('/^specimen/i',$original_file))
  294. {
  295. $accessallowed=1;
  296. }
  297. $original_file=$conf->don->dir_output.'/'.$original_file;
  298. }
  299. // Wrapping pour les remises de cheques
  300. else if ($modulepart == 'remisecheque')
  301. {
  302. if ($user->rights->banque->lire || preg_match('/^specimen/i',$original_file))
  303. {
  304. $accessallowed=1;
  305. }
  306. $original_file=$conf->banque->dir_output.'/bordereau/'.get_exdir(basename($original_file,".pdf"),2,1).$original_file;
  307. }
  308. // Wrapping for export module
  309. else if ($modulepart == 'export')
  310. {
  311. // Aucun test necessaire car on force le rep de download sur
  312. // le rep export qui est propre a l'utilisateur
  313. $accessallowed=1;
  314. $original_file=$conf->export->dir_temp.'/'.$user->id.'/'.$original_file;
  315. }
  316. // Wrapping for import module
  317. else if ($modulepart == 'import')
  318. {
  319. // Aucun test necessaire car on force le rep de download sur
  320. // le rep export qui est propre a l'utilisateur
  321. $accessallowed=1;
  322. $original_file=$conf->import->dir_temp.'/'.$original_file;
  323. }
  324. // Wrapping pour l'editeur wysiwyg
  325. else if ($modulepart == 'editor')
  326. {
  327. // Aucun test necessaire car on force le rep de download sur
  328. // le rep export qui est propre a l'utilisateur
  329. $accessallowed=1;
  330. $original_file=$conf->fckeditor->dir_output.'/'.$original_file;
  331. }
  332. // Wrapping pour les backups
  333. else if ($modulepart == 'systemtools')
  334. {
  335. if ($user->admin)
  336. {
  337. $accessallowed=1;
  338. }
  339. $original_file=$conf->admin->dir_output.'/'.$original_file;
  340. }
  341. // Wrapping pour BitTorrent
  342. else if ($modulepart == 'bittorrent')
  343. {
  344. $accessallowed=1;
  345. $dir='files';
  346. if ($type == 'application/x-bittorrent') $dir='torrents';
  347. $original_file=$conf->bittorrent->dir_output.'/'.$dir.'/'.$original_file;
  348. }
  349. // Wrapping pour Foundation module
  350. else if ($modulepart == 'member')
  351. {
  352. if ($user->rights->adherent->lire || preg_match('/^specimen/i',$original_file))
  353. {
  354. $accessallowed=1;
  355. }
  356. $original_file=$conf->adherent->dir_output.'/'.$original_file;
  357. }
  358. // Wrapping for Scanner
  359. else if ($modulepart == 'scanner_user_temp')
  360. {
  361. $accessallowed=1;
  362. $original_file=$conf->scanner->dir_temp.'/'.$user->id.'/'.$original_file;
  363. }
  364. // Generic wrapping
  365. else
  366. {
  367. // Define $accessallowed
  368. if (($user->rights->$modulepart->lire) || ($user->rights->$modulepart->read) || ($user->rights->$modulepart->download)) $accessallowed=1; // No subpermission, we have checked on main permission
  369. elseif (preg_match('/^specimen/i',$original_file)) $accessallowed=1; // If link to a specimen
  370. elseif ($user->admin) $accessallowed=1; // If user is admin
  371. // For modules who wants to manage different levels of permissions for documents
  372. $subPermCategoryConstName = strtoupper($modulepart).'_SUBPERMCATEGORY_FOR_DOCUMENTS';
  373. if (! empty($conf->global->$subPermCategoryConstName))
  374. {
  375. $subPermCategory = $conf->global->$subPermCategoryConstName;
  376. if (! empty($subPermCategory) && (($user->rights->$modulepart->$subPermCategory->lire) || ($user->rights->$modulepart->$subPermCategory->read) || ($user->rights->$modulepart->$subPermCategory->download)))
  377. {
  378. $accessallowed=1;
  379. }
  380. }
  381. // Define $original_file
  382. $original_file=$conf->$modulepart->dir_output.'/'.$original_file;
  383. // Define $sqlprotectagainstexternals for modules who want to protect access using a SQL query.
  384. $sqlProtectConstName = strtoupper($modulepart).'_SQLPROTECTAGAINSTEXTERNALS_FOR_DOCUMENTS';
  385. if (! empty($conf->global->$sqlProtectConstName)) // If module want to define its own $sqlprotectagainstexternals
  386. {
  387. // Example: mymodule__SQLPROTECTAGAINSTEXTERNALS_FOR_DOCUMENTS = "SELECT fk_soc FROM ".MAIN_DB_PREFIX.$modulepart." WHERE ref='".$refname."' AND entity=".$conf->entity;
  388. eval('$sqlprotectagainstexternals = "'.$conf->global->$sqlProtectConstName.'";');
  389. }
  390. }
  391. }
  392. // Basic protection (against external users only)
  393. if ($user->societe_id > 0)
  394. {
  395. if ($sqlprotectagainstexternals)
  396. {
  397. $resql = $db->query($sqlprotectagainstexternals);
  398. if ($resql)
  399. {
  400. $num=$db->num_rows($resql);
  401. $i=0;
  402. while ($i < $num)
  403. {
  404. $obj = $db->fetch_object($resql);
  405. if ($user->societe_id != $obj->fk_soc)
  406. {
  407. $accessallowed=0;
  408. break;
  409. }
  410. $i++;
  411. }
  412. }
  413. }
  414. }
  415. // Security:
  416. // Limite acces si droits non corrects
  417. if (! $accessallowed)
  418. {
  419. accessforbidden();
  420. }
  421. // Security:
  422. // On interdit les remontees de repertoire ainsi que les pipe dans
  423. // les noms de fichiers.
  424. if (preg_match('/\.\./',$original_file) || preg_match('/[<>|]/',$original_file))
  425. {
  426. dol_syslog("Refused to deliver file ".$original_file);
  427. $file=basename($original_file); // Do no show plain path of original_file in shown error message
  428. dol_print_error(0,$langs->trans("ErrorFileNameInvalid",$file));
  429. exit;
  430. }
  431. // TODO Remove this. Some part of code still use it.
  432. if ($action == 'remove_file') // Remove a file
  433. {
  434. clearstatcache();
  435. dol_syslog("document.php remove $original_file $urlsource", LOG_DEBUG);
  436. // This test should be useless. We keep it to find bug more easily
  437. $original_file_osencoded=dol_osencode($original_file); // New file name encoded in OS encoding charset
  438. if (! file_exists($original_file_osencoded))
  439. {
  440. $file=basename($original_file); // Do no show plain path of original_file in shown error message
  441. dol_print_error(0,$langs->trans("ErrorFileDoesNotExists",$file));
  442. exit;
  443. }
  444. $ret=dol_delete_file($original_file);
  445. if ($ret) setEventMessage($langs->trans("FileWasRemoved", GETPOST('urlfile')));
  446. else setEventMessage($langs->trans("ErrorFailToDeleteFile", GETPOST('urlfile')), 'errors');
  447. dol_syslog("document.php back to ".urldecode($urlsource), LOG_DEBUG);
  448. header("Location: ".urldecode($urlsource));
  449. return;
  450. }
  451. else // Open and return file
  452. {
  453. clearstatcache();
  454. $filename = basename($original_file);
  455. // Output file on browser
  456. dol_syslog("document.php download $original_file $filename content-type=$type");
  457. $original_file_osencoded=dol_osencode($original_file); // New file name encoded in OS encoding charset
  458. // This test if file exists should be useless. We keep it to find bug more easily
  459. if (! file_exists($original_file_osencoded))
  460. {
  461. dol_print_error(0,$langs->trans("ErrorFileDoesNotExists",$original_file));
  462. exit;
  463. }
  464. // Les drois sont ok et fichier trouve, on l'envoie
  465. header('Content-Description: File Transfer');
  466. if ($encoding) header('Content-Encoding: '.$encoding);
  467. if ($type) header('Content-Type: '.$type.(preg_match('/text/',$type)?'; charset="'.$conf->file->character_set_client:''));
  468. if ($attachment) header('Content-Disposition: attachment; filename="'.$filename.'"');
  469. else header('Content-Disposition: inline; filename="'.$filename.'"');
  470. header('Content-Length: ' . dol_filesize($original_file));
  471. // Ajout directives pour resoudre bug IE
  472. header('Cache-Control: Public, must-revalidate');
  473. header('Pragma: public');
  474. //ob_clean();
  475. //flush();
  476. readfile($original_file_osencoded);
  477. }
  478. ?>