|
dolibarr 18.0.6
|
Set of function used for dolibarr security (common function included into filefunc.inc.php) Warning, this file must not depends on other library files, except function.lib.php because it is used at low code level. More...
Go to the source code of this file.
Functions | |
| dol_encode ($chain, $key='1') | |
| Encode a string with base 64 algorithm + specific delta change. | |
| dol_decode ($chain, $key='1') | |
| Decode a base 64 encoded + specific delta change. | |
| dolGetRandomBytes ($length) | |
| Return a string of random bytes (hexa string) with length = $length fro cryptographic purposes. | |
| dolEncrypt ($chain, $key='', $ciphering='AES-256-CTR', $forceseed='') | |
| Encode a string with a symetric encryption. | |
| dolDecrypt ($chain, $key='') | |
| Decode a string with a symetric encryption. | |
| dol_hash ($chain, $type='0') | |
| Returns a hash (non reversible encryption) of a string. | |
| dol_verifyHash ($chain, $hash, $type='0') | |
| Compute a hash and compare it to the given one For backward compatibility reasons, if the hash is not in the password_hash format, we will try to match against md5 and sha1md5 If constant MAIN_SECURITY_HASH_ALGO is defined, we use this function as hashing function. | |
| dolGetLdapPasswordHash ($password, $type='md5') | |
| Returns a specific ldap hash of a password. | |
| restrictedArea (User $user, $features, $object=0, $tableandshare='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid', $isdraft=0, $mode=0) | |
| Check permissions of a user to show a page and an object. | |
| checkUserAccessToObject ($user, array $featuresarray, $object=0, $tableandshare='', $feature2='', $dbt_keyfield='', $dbt_select='rowid', $parenttableforentity='') | |
| Check that access by a given user to an object is ok. | |
| httponly_accessforbidden ($message=1, $http_response_code=403, $stringalreadysanitized=0) | |
| Show a message to say access is forbidden and stop program. | |
| accessforbidden ($message='', $printheader=1, $printfooter=1, $showonlymessage=0, $params=null) | |
| Show a message to say access is forbidden and stop program. | |
| getMaxFileSizeArray () | |
| Return the max allowed for file upload. | |
Set of function used for dolibarr security (common function included into filefunc.inc.php) Warning, this file must not depends on other library files, except function.lib.php because it is used at low code level.
Definition in file security.lib.php.
| accessforbidden | ( | $message = '', | |
| $printheader = 1, | |||
| $printfooter = 1, | |||
| $showonlymessage = 0, | |||
| $params = null ) |
Show a message to say access is forbidden and stop program.
This includes HTTP and HTML header and footer (except if $printheader and $printfooter is 0, use this case inside an already started page). Calling this function terminate execution of PHP.
| string | $message | Force error message |
| int | $printheader | Show header before |
| int | $printfooter | Show footer after |
| int | $showonlymessage | Show only message parameter. Otherwise add more information. |
| array | null | $params | More parameters provided to hook |
Definition at line 1185 of file security.lib.php.
References llxFooter(), llxHeader(), and llxHeaderVierge().
Referenced by restrictedArea().
| checkUserAccessToObject | ( | $user, | |
| array | $featuresarray, | ||
| $object = 0, | |||
| $tableandshare = '', | |||
| $feature2 = '', | |||
| $dbt_keyfield = '', | |||
| $dbt_select = 'rowid', | |||
| $parenttableforentity = '' ) |
Check that access by a given user to an object is ok.
This function is also called by restrictedArea() that check before if module is enabled and if permission of user for $action is ok.
| User | $user | User to check |
| array | $featuresarray | Features/modules to check. Example: ('user','service','member','project','task',...) |
| int | string | Object | $object | Full object or object ID or list of object id. For example if we want to check a particular record (optional) is linked to a owned thirdparty (optional). |
| string | $tableandshare | 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity for multicompany modume. Param not used if objectid is null (optional). |
| array | string | $feature2 | Feature to check, second level of permission (optional). Can be or check with 'level1|level2'. |
| string | $dbt_keyfield | Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional). Can use '' if NA. |
| string | $dbt_select | Field name for select if not rowid. Not used if objectid is null (optional). |
| string | $parenttableforentity | Parent table for entity. Example 'fk_website@website' |
Definition at line 844 of file security.lib.php.
References dol_print_error(), and dol_syslog().
Referenced by DolibarrApi\_checkAccessToResource(), dol_check_secure_access_document(), and restrictedArea().
| dol_decode | ( | $chain, | |
| $key = '1' ) |
Decode a base 64 encoded + specific delta change.
This function is called by filefunc.inc.php at each page call.
| string | $chain | string to decode |
| string | $key | rule to use for delta ('0', '1' or 'myownkey') |
Definition at line 69 of file security.lib.php.
References dol_strlen().
Referenced by encodedecode_dbpassconf(), and print_paybox_redirect().
| dol_encode | ( | $chain, | |
| $key = '1' ) |
Encode a string with base 64 algorithm + specific delta change.
| string | $chain | string to encode |
| string | $key | rule to use for delta ('0', '1' or 'myownkey') |
Definition at line 38 of file security.lib.php.
References dol_strlen().
Referenced by encodedecode_dbpassconf().
| dol_hash | ( | $chain, | |
| $type = '0' ) |
Returns a hash (non reversible encryption) of a string.
If constant MAIN_SECURITY_HASH_ALGO is defined, we use this function as hashing function (recommanded value is 'password_hash') If constant MAIN_SECURITY_SALT is defined, we use it as a salt (used only if hashing algorightm is something else than 'password_hash').
| string | $chain | String to hash |
| string | $type | Type of hash ('0':auto will use MAIN_SECURITY_HASH_ALGO else md5, '1':sha1, '2':sha1+md5, '3':md5, '4': for OpenLdap, '5':sha256, '6':password_hash). Use '3' here, if hash is not needed for security purpose, for security need, prefer '0'. |
Definition at line 234 of file security.lib.php.
References dolGetLdapPasswordHash(), and getDolGlobalString().
Referenced by MailmanSpip\add_to_spip(), MailingTargets\addTargetsToDatabase(), BlockedLog\checkSignature(), BlockedLog\create(), EcmFiles\create(), dol_check_secure_access_document(), dol_verifyHash(), ConferenceOrBooth\fetch(), CMailFile\findHtmlImages(), User\getOnlineVirtualCardUrl(), BlockedLog\getSignature(), Login\index(), CommonObject\insertExtraFields(), RssParser\parser(), User\send_password(), DataPolicy\sendMailDataPolicyAdherent(), DataPolicy\sendMailDataPolicyCompany(), DataPolicy\sendMailDataPolicyContact(), SMTPs\setAttachment(), SMTPs\setBodyContent(), SMTPs\setImageInline(), Adherent\setPassword(), User\setPassword(), and EcmFiles\update().
| dol_verifyHash | ( | $chain, | |
| $hash, | |||
| $type = '0' ) |
Compute a hash and compare it to the given one For backward compatibility reasons, if the hash is not in the password_hash format, we will try to match against md5 and sha1md5 If constant MAIN_SECURITY_HASH_ALGO is defined, we use this function as hashing function.
If constant MAIN_SECURITY_SALT is defined, we use it as a salt.
| string | $chain | String to hash (not hashed string) |
| string | $hash | hash to compare |
| string | $type | Type of hash ('0':auto, '1':sha1, '2':sha1+md5, '3':md5, '4': for OpenLdap, '5':sha256). Use '3' here, if hash is not needed for security purpose, for security need, prefer '0'. |
Definition at line 282 of file security.lib.php.
References dol_hash(), dol_strlen(), and dol_verifyHash().
Referenced by check_user_password_dolibarr(), check_user_password_googleoauth(), dol_verifyHash(), and User\update().
| dolDecrypt | ( | $chain, | |
| $key = '' ) |
Decode a string with a symetric encryption.
Used to decrypt sensitive data saved into database. Note: If a backup is restored onto another instance with a different $conf->file->instance_unique_id, then decoded value will differ.
| string | $chain | string to decode |
| string | $key | If '', we use $conf->file->instance_unique_id |
Definition at line 181 of file security.lib.php.
References dol_syslog().
Referenced by DolibarrApiAccess\__isAllowed(), EmailCollector\create(), dolibarr_get_const(), encodedecode_dbpassconf(), EmailCollector\fetch(), User\fetch(), Conf\setValues(), and EmailCollector\update().
| dolEncrypt | ( | $chain, | |
| $key = '', | |||
| $ciphering = 'AES-256-CTR', | |||
| $forceseed = '' ) |
Encode a string with a symetric encryption.
Used to encrypt sensitive data into database. Note: If a backup is restored onto another instance with a different $conf->file->instance_unique_id, then decoded value will differ. This function is called for example by dol_set_const() when saving a sensible data into database configuration table llx_const.
| string | $chain | string to encode |
| string | $key | If '', we use $conf->file->instance_unique_id |
| string | $ciphering | Default ciphering algorithm |
| string | $forceseed | To force the seed |
Definition at line 122 of file security.lib.php.
References dol_substr(), and dolGetRandomBytes().
Referenced by DolibarrApiAccess\__isAllowed(), EmailCollector\create(), dolibarr_set_const(), Login\index(), EmailCollector\update(), and User\update().
| dolGetLdapPasswordHash | ( | $password, | |
| $type = 'md5' ) |
Returns a specific ldap hash of a password.
| string | $password | Password to hash |
| string | $type | Type of hash |
Definition at line 308 of file security.lib.php.
Referenced by dol_hash().
| dolGetRandomBytes | ( | $length | ) |
Return a string of random bytes (hexa string) with length = $length fro cryptographic purposes.
| int | $length | Length of random string |
Definition at line 100 of file security.lib.php.
Referenced by dolEncrypt(), and getNonce().
| getMaxFileSizeArray | ( | ) |
Return the max allowed for file upload.
Analyze among: upload_max_filesize, post_max_size, MAIN_UPLOAD_DOC
Definition at line 1249 of file security.lib.php.
Referenced by FormFile\form_attach_new_file(), mailing_xinputfile\formFilter(), FormMail\get_form(), doc_generic_bom_odt\info(), doc_generic_contract_odt\info(), doc_generic_invoice_odt\info(), doc_generic_member_odt\info(), doc_generic_myobject_odt\info(), doc_generic_odt\info(), doc_generic_order_odt\info(), doc_generic_product_odt\info(), doc_generic_proposal_odt\info(), doc_generic_reception_odt\info(), doc_generic_shipment_odt\info(), doc_generic_stock_odt\info(), doc_generic_ticket_odt\info(), doc_generic_user_odt\info(), and Form\showphoto().
| httponly_accessforbidden | ( | $message = 1, | |
| $http_response_code = 403, | |||
| $stringalreadysanitized = 0 ) |
Show a message to say access is forbidden and stop program.
This includes only HTTP header. Calling this function terminate execution of PHP.
| string | $message | Force error message |
| int | $http_response_code | HTTP response code |
| int | $stringalreadysanitized | 1 if string is already sanitized with HTML entities |
Definition at line 1158 of file security.lib.php.
References top_httphead().
| restrictedArea | ( | User | $user, |
| $features, | |||
| $object = 0, | |||
| $tableandshare = '', | |||
| $feature2 = '', | |||
| $dbt_keyfield = 'fk_soc', | |||
| $dbt_select = 'rowid', | |||
| $isdraft = 0, | |||
| $mode = 0 ) |
Check permissions of a user to show a page and an object.
Check read permission. If GETPOST('action','aZ09') defined, we also check write and delete permission. This method check permission on module then call checkUserAccessToObject() for permission on object (according to entity and socid of user).
| User | $user | User to check |
| string | $features | Features to check (it must be module name or $object->element. Can be a 'or' check with 'levela|levelb'. Examples: 'societe', 'contact', 'produit&service', 'produit|service', ...) This is used to check permission $user->rights->features->... |
| int | string | Object | $object | Object or Object ID or list of Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional). |
| string | $tableandshare | 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity for multicompany module. Param not used if objectid is null (optional). |
| string | $feature2 | Feature to check, second level of permission (optional). Can be a 'or' check with 'sublevela|sublevelb'. This is used to check permission $user->rights->features->feature2... |
| string | $dbt_keyfield | Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional). Can use '' if NA. |
| string | $dbt_select | Field rowid name, for select into tableandshare if not "rowid". Not used if objectid is null (optional) |
| int | $isdraft | 1=The object with id=$objectid is a draft |
| int | $mode | Mode (0=default, 1=return without dieing) |
Definition at line 366 of file security.lib.php.
References accessforbidden(), checkUserAccessToObject(), and GETPOST().