} if (isset($_GET["attachment"])) { $attachment = GETPOST("attachment") ? true : false; } if (!empty($conf->global->MAIN_DISABLE_FORCE_SAVEAS)) { $attachment = false; } // Suppression de la chaine de caractere ../ dans $original_file $original_file = str_replace("../", "/", $original_file); // Find the subdirectory name as the reference $refname = basename(dirname($original_file) . "/"); // Security check if (empty($modulepart)) { accessforbidden('Bad value for parameter modulepart'); } $check_access = dol_check_secure_access_document($modulepart, $original_file, $entity, $refname); $accessallowed = $check_access['accessallowed']; $sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals']; $original_file = $check_access['original_file']; // Basic protection (against external users only) if ($user->societe_id > 0) { if ($sqlprotectagainstexternals) { $resql = $db->query($sqlprotectagainstexternals); if ($resql) { $num = $db->num_rows($resql); $i = 0; while ($i < $num) { $obj = $db->fetch_object($resql); if ($user->societe_id != $obj->fk_soc) { $accessallowed = 0; break;
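/**
 * Method to get a document by webservice.
 *
 * The relative path given by the caller is normalised, resolved and authorised
 * through dol_check_secure_access_document(); for external users (societe_id > 0)
 * the result is additionally restricted to documents belonging to their own
 * company. On success the file content is returned base64-encoded.
 *
 * @param array  $authentication Array with credentials/permissions (validated by check_authentication())
 * @param string $modulepart     Module the document belongs to (selects the access rules)
 * @param string $file           Relative path of the document inside that module's directory
 * @param string $refname        Ref of object to check permission for external users (autodetect if not provided)
 * @return array                 array('result' => array('result_code' => ..., 'result_label' => ...)) plus,
 *                               on success, 'document' => array('filename', 'mimetype', 'content', 'length')
 */
function getDocument($authentication, $modulepart, $file, $refname = '')
{
	global $db, $conf;

	// Only the login is logged: the $authentication array also carries the caller's secret.
	$login = (is_array($authentication) && isset($authentication['login'])) ? $authentication['login'] : '';
	dol_syslog("Function: getDocument login=" . $login . " file=" . $file . " modulepart=" . $modulepart);

	// Initialise every variable that is read before being set, so an early failure
	// never returns an undefined response or triggers notices.
	$objectresp = array();
	$error = 0;
	$errorcode = '';
	$errorlabel = '';
	$accessallowed = 0;

	$fuser = check_authentication($authentication, $error, $errorcode, $errorlabel);

	// Check parameters
	if (!$error && (!$file || !$modulepart)) {
		$error++;
		$errorcode = 'BAD_PARAMETERS';
		$errorlabel = "Parameter file and modulepart must be both provided.";
	}

	if (!$error) {
		$fuser->getrights();

		// Start from the caller-supplied relative path (the original code never copied
		// $file into $original_file) and strip "../" sequences. This is only a
		// normalisation: the authoritative traversal check is the ".." rejection
		// below, applied to the resolved path.
		$original_file = str_replace("../", "/", $file);

		// Find the subdirectory name as the reference, unless the caller provided it
		if (empty($refname)) {
			$refname = basename(dirname($original_file) . "/");
		}

		// Security check: resolves the real path and decides whether $fuser may read it
		$check_access = dol_check_secure_access_document($modulepart, $original_file, $conf->entity, $fuser, $refname);
		$accessallowed = $check_access['accessallowed'];
		$sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals'];
		$original_file = $check_access['original_file'];

		// Basic protection (against external users only): every row returned by the
		// ownership query must belong to the caller's company, otherwise deny.
		if ($fuser->societe_id > 0 && $sqlprotectagainstexternals) {
			$resql = $db->query($sqlprotectagainstexternals);
			if ($resql) {
				while ($obj = $db->fetch_object($resql)) {
					if ($fuser->societe_id != $obj->fk_soc) {
						$accessallowed = 0;
						break;
					}
				}
			} else {
				// Fail closed: if ownership cannot be verified, an external user must not get the file.
				dol_syslog("Function: getDocument ownership query failed, denying access for external user");
				$accessallowed = 0;
			}
		}

		// Security: deny if rights are not sufficient
		if (!$accessallowed) {
			$errorcode = 'NOT_PERMITTED';
			$errorlabel = 'Access not allowed';
			$error++;
		}

		// Security: refuse directory traversal and pipe/redirect characters in the resolved path
		if (preg_match('/\\.\\./', $original_file) || preg_match('/[<>|]/', $original_file)) {
			dol_syslog("Refused to deliver file " . $original_file);
			$errorcode = 'REFUSED';
			$errorlabel = '';
			$error++;
		}

		clearstatcache();

		if (!$error) {
			$content_file = false;
			// is_file() rather than file_exists() so a directory is never opened and read
			if (is_file($original_file)) {
				// file_get_contents() replaces fopen()/fread(): no dangling handle, and no
				// ValueError from fread() with a length of 0 on an empty file.
				$content_file = file_get_contents($original_file);
				if ($content_file === false) {
					dol_syslog("Function: getDocument failed to read " . $original_file);
				}
			} else {
				dol_syslog("File doesn't exist " . $original_file);
			}

			if ($content_file !== false) {
				$mimetype = dol_mimetype($original_file);
				dol_syslog("Function: getDocument " . $original_file . " content-type=" . $mimetype);
				$objectret = array(
					'filename' => basename($original_file),
					'mimetype' => $mimetype,
					'content' => base64_encode($content_file),
					// Length of the bytes actually returned, not a second stat of the file
					'length' => strlen($content_file)
				);
				// Create return object
				$objectresp = array('result' => array('result_code' => 'OK', 'result_label' => ''), 'document' => $objectret);
			} else {
				$errorcode = 'NOT_FOUND';
				$errorlabel = '';
				$error++;
			}
		}
	}

	if ($error) {
		$objectresp = array('result' => array('result_code' => $errorcode, 'result_label' => $errorlabel));
	}

	return $objectresp;
}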