dolibarr  16.0.5
fileserver.php
Go to the documentation of this file.
1 <?php
2 /* Copyright (C) 2018 Destailleur Laurent <eldy@users.sourceforge.net>
3  * Copyright (C) 2019 Regis Houssin <regis.houssin@inodbox.com>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License as published by
7  * the Free Software Foundation; either version 3 of the License, or
8  * (at your option) any later version.
9  *
10  * This program is distributed in the hope that it will be useful,
11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13  * GNU General Public License for more details.
14  *
15  * You should have received a copy of the GNU General Public License
16  * along with this program. If not, see <https://www.gnu.org/licenses/>.
17  *
18  * You can test with the WebDav client cadaver:
19  * cadaver http://myurl/dav/fileserver.php
20  */
21 
28 if (!defined('NOTOKENRENEWAL')) {
29  define('NOTOKENRENEWAL', '1');
30 }
31 if (!defined('NOREQUIREMENU')) {
32  define('NOREQUIREMENU', '1'); // If there is no menu to show
33 }
34 if (!defined('NOREQUIREHTML')) {
35  define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php
36 }
37 if (!defined('NOREQUIREAJAX')) {
38  define('NOREQUIREAJAX', '1');
39 }
40 if (!defined('NOLOGIN')) {
41  define("NOLOGIN", 1); // This means this output page does not require to be logged.
42 }
43 if (!defined('NOCSRFCHECK')) {
44  define("NOCSRFCHECK", 1); // We accept to go on this page from external web site.
45 }
46 
47 require "../main.inc.php";
48 require_once DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php';
49 require_once DOL_DOCUMENT_ROOT.'/core/class/html.formcompany.class.php';
50 require_once DOL_DOCUMENT_ROOT.'/dav/dav.class.php';
51 require_once DOL_DOCUMENT_ROOT.'/dav/dav.lib.php';
52 require_once DOL_DOCUMENT_ROOT.'/includes/sabre/autoload.php';
53 
54 
55 $user = new User($db);
56 if (isset($_SERVER['PHP_AUTH_USER']) && $_SERVER['PHP_AUTH_USER'] != '') {
57  $user->fetch('', $_SERVER['PHP_AUTH_USER']);
58  $user->getrights();
59 }
60 
61 // Load translation files required by the page
62 $langs->loadLangs(array("main", "other"));
63 
64 
65 if (empty($conf->dav->enabled)) {
67 }
68 
69 
70 // Restrict API to some IPs
71 if (!empty($conf->global->DAV_RESTRICT_ON_IP)) {
72  $allowedip = explode(' ', $conf->global->DAV_RESTRICT_ON_IP);
73  $ipremote = getUserRemoteIP();
74  if (!in_array($ipremote, $allowedip)) {
75  dol_syslog('Remote ip is '.$ipremote.', not into list '.$conf->global->DAV_RESTRICT_ON_IP);
76  print 'DAV not allowed from the IP '.$ipremote;
77  header('HTTP/1.1 503 DAV not allowed from your IP '.$ipremote);
78  //print $conf->global->DAV_RESTRICT_ON_IP;
79  exit(0);
80  }
81 }
82 
83 
84 $entity = (GETPOST('entity', 'int') ? GETPOST('entity', 'int') : (!empty($conf->entity) ? $conf->entity : 1));
85 
86 // settings
87 $publicDir = $conf->dav->multidir_output[$entity].'/public';
88 $privateDir = $conf->dav->multidir_output[$entity].'/private';
89 $ecmDir = $conf->ecm->multidir_output[$entity];
90 $tmpDir = $conf->dav->multidir_output[$entity]; // We need root dir, not a dir that can be deleted
91 //var_dump($tmpDir);mkdir($tmpDir);exit;
92 
93 
94 // Authentication callback function
95 $authBackend = new \Sabre\DAV\Auth\Backend\BasicCallBack(function ($username, $password) {
96  global $user;
97  global $conf;
98  global $dolibarr_main_authentication, $dolibarr_auto_user;
99 
100  if (empty($user->login)) {
101  dol_syslog("Failed to authenticate to DAV, login is not provided", LOG_WARNING);
102  return false;
103  }
104  if ($user->socid > 0) {
105  dol_syslog("Failed to authenticate to DAV, use is an external user", LOG_WARNING);
106  return false;
107  }
108  if ($user->login != $username) {
109  dol_syslog("Failed to authenticate to DAV, login does not match the login of loaded user", LOG_WARNING);
110  return false;
111  }
112 
113  // Authentication mode
114  if (empty($dolibarr_main_authentication)) {
115  $dolibarr_main_authentication = 'dolibarr';
116  }
117 
118  // Authentication mode: forceuser
119  if ($dolibarr_main_authentication == 'forceuser') {
120  if (empty($dolibarr_auto_user)) {
121  $dolibarr_auto_user = 'auto';
122  }
123  if ($dolibarr_auto_user != $username) {
124  dol_syslog("Warning: your instance is set to use the automatic forced login '".$dolibarr_auto_user."' that is not the requested login. DAV usage is forbidden in this mode.");
125  return false;
126  }
127  }
128 
129  $authmode = explode(',', $dolibarr_main_authentication);
130  $entity = (GETPOST('entity', 'int') ? GETPOST('entity', 'int') : (!empty($conf->entity) ? $conf->entity : 1));
131 
132  if (checkLoginPassEntity($username, $password, $entity, $authmode, 'dav') != $username) {
133  return false;
134  }
135 
136  return true;
137 });
138 
139 $authBackend->setRealm(constant('DOL_APPLICATION_TITLE'));
140 
141 
142 
143 
144 
145 /*
146  * Actions and View
147  */
148 
149 // Create the root node
150 // Setting up the directory tree //
151 $nodes = array();
152 
153 // Enable directories and features according to DAV setup
154 // Public dir
155 if (!empty($conf->global->DAV_ALLOW_PUBLIC_DIR)) {
156  $nodes[] = new \Sabre\DAV\FS\Directory($publicDir);
157 }
158 // Private dir
159 $nodes[] = new \Sabre\DAV\FS\Directory($privateDir);
160 // ECM dir
161 if (!empty($conf->ecm->enabled) && !empty($conf->global->DAV_ALLOW_ECM_DIR)) {
162  $nodes[] = new \Sabre\DAV\FS\Directory($ecmDir);
163 }
164 
165 
166 
167 // Principals Backend
168 //$principalBackend = new \Sabre\DAVACL\PrincipalBackend\Dolibarr($user,$db);
169 // /principals
170 //$nodes[] = new \Sabre\DAVACL\PrincipalCollection($principalBackend);
171 // CardDav & CalDav Backend
172 //$carddavBackend = new \Sabre\CardDAV\Backend\Dolibarr($user,$db,$langs);
173 //$caldavBackend = new \Sabre\CalDAV\Backend\Dolibarr($user,$db,$langs, $cdavLib);
174 // /addressbook
175 //$nodes[] = new \Sabre\CardDAV\AddressBookRoot($principalBackend, $carddavBackend);
176 // /calendars
177 //$nodes[] = new \Sabre\CalDAV\CalendarRoot($principalBackend, $caldavBackend);
178 
179 
180 // The rootnode needs in turn to be passed to the server class
181 $server = new \Sabre\DAV\Server($nodes);
182 
183 // If you want to run the SabreDAV server in a custom location (using mod_rewrite for instance)
184 // You can override the baseUri here.
185 $baseUri = DOL_URL_ROOT.'/dav/fileserver.php/';
186 if (isset($baseUri)) {
187  $server->setBaseUri($baseUri);
188 }
189 
190 // Add authentication function
191 if ((empty($conf->global->DAV_ALLOW_PUBLIC_DIR)
192  || !preg_match('/'.preg_quote(DOL_URL_ROOT.'/dav/fileserver.php/public', '/').'/', $_SERVER["PHP_SELF"]))
193  && !preg_match('/^sabreAction=asset&assetName=[a-zA-Z0-9%\-\/]+\.(png|css|woff|ico|ttf)$/', $_SERVER["QUERY_STRING"]) // URL for Sabre browser resources
194  ) {
195  //var_dump($_SERVER["QUERY_STRING"]);exit;
196  $server->addPlugin(new \Sabre\DAV\Auth\Plugin($authBackend));
197 }
198 // Support for LOCK and UNLOCK
199 $lockBackend = new \Sabre\DAV\Locks\Backend\File($tmpDir.'/.locksdb');
200 $lockPlugin = new \Sabre\DAV\Locks\Plugin($lockBackend);
201 $server->addPlugin($lockPlugin);
202 
203 // Support for html frontend
204 if (empty($conf->global->DAV_DISABLE_BROWSER)) {
205  $browser = new \Sabre\DAV\Browser\Plugin();
206  $server->addPlugin($browser);
207 }
208 
209 // Automatically guess (some) contenttypes, based on extension
210 //$server->addPlugin(new \Sabre\DAV\Browser\GuessContentType());
211 
212 //$server->addPlugin(new \Sabre\CardDAV\Plugin());
213 //$server->addPlugin(new \Sabre\CalDAV\Plugin());
214 //$server->addPlugin(new \Sabre\DAVACL\Plugin());
215 
216 // Temporary file filter
217 /*$tempFF = new \Sabre\DAV\TemporaryFileFilterPlugin($tmpDir);
218 $server->addPlugin($tempFF);
219 */
220 
221 // And off we go!
222 $server->exec();
223 
224 if (is_object($db)) {
225  $db->close();
226 }
GETPOST
GETPOST($paramname, $check='alphanohtml', $method=0, $filter=null, $options=null, $noreplace=0)
Return value of a param into GET or POST supervariable.
Definition: functions.lib.php:484
checkLoginPassEntity
checkLoginPassEntity($usertotest, $passwordtotest, $entitytotest, $authmode, $context='')
Return a login if login/pass was successfull.
Definition: security2.lib.php:57
dol_syslog
dol_syslog($message, $level=LOG_INFO, $ident=0, $suffixinfilename='', $restricttologhandler='', $logcontext=null)
Write log message into outputs.
Definition: functions.lib.php:1603
User
Class to manage Dolibarr users.
Definition: user.class.php:44
accessforbidden
accessforbidden($message='', $printheader=1, $printfooter=1, $showonlymessage=0, $params=null)
Show a message to say access is forbidden and stop program Calling this function terminate execution ...
Definition: security.lib.php:933
getUserRemoteIP
getUserRemoteIP()
Return the IP of remote user.
Definition: functions.lib.php:3515
if
if(!defined( 'CSRFCHECK_WITH_TOKEN'))
Definition: journals_list.php:25