dolibarr 19.0.4
website.inc.php
1<?php
2/* Copyright (C) 2017-2019 Laurent Destailleur <eldy@users.sourceforge.net>
3 *
4* This program is free software; you can redistribute it and/or modify
5* it under the terms of the GNU General Public License as published by
6* the Free Software Foundation; either version 3 of the License, or
7* (at your option) any later version.
8*
9* This program is distributed in the hope that it will be useful,
10* but WITHOUT ANY WARRANTY; without even the implied warranty of
11* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12* GNU General Public License for more details.
13*
14* You should have received a copy of the GNU General Public License
15* along with this program. If not, see <https://www.gnu.org/licenses/>.
16* or see https://www.gnu.org/
17*/
18
26// Load website class
27include_once DOL_DOCUMENT_ROOT.'/website/class/website.class.php';
28include_once DOL_DOCUMENT_ROOT.'/website/class/websitepage.class.php';
29
// Reset the four context objects; each one is rebuilt further down in this file.
$website = $websitepage = $weblangs = $pagelangs = null;

// Browser detection (same logic as main.inc.php).
// Only done when a User-Agent header was received, $conf is an object and no browser
// name has been stored yet. The User-Agent is sent by the client, so the values derived
// from it are presentation hints only and must not drive any access decision.
if (isset($_SERVER["HTTP_USER_AGENT"]) && is_object($conf) && empty($conf->browser->name)) {
    $tmp = getBrowserInfo($_SERVER["HTTP_USER_AGENT"]);

    $conf->browser->name    = $tmp['browsername'];
    $conf->browser->os      = $tmp['browseros'];
    $conf->browser->version = $tmp['browserversion'];
    $conf->browser->layout  = $tmp['layout']; // 'classic', 'phone', 'tablet'

    // Phone layout: flag mouse hover as unavailable.
    if ($conf->browser->layout == 'phone') {
        $conf->dol_no_mouse_hover = 1;
    }
}
// $website: load the site identified by $websitekey (set by the including script).
if (!is_object($website)) {
    $website = new Website($db);
    $website->fetch(0, $websitekey);
}

// $pageid: when the caller gave no page id but did give $websitepagefile, derive the id
// from the file's base name by removing '.tpl.php' and every occurrence of 'page'.
// A file named index.php maps to the website's default home page.
// NOTE(review): $websitepagefile is assumed to be set by the including page template,
// not taken from the request - confirm against the callers.
if (empty($pageid) && !empty($websitepagefile)) {
    $pageid = str_replace(['.tpl.php', 'page'], '', basename($websitepagefile));
    if ($pageid == 'index.php') {
        $pageid = $website->fk_default_home;
    }
}

// $websitepage: empty page object, populated later once $pageid is known.
if (!is_object($websitepage)) {
    $websitepage = new WebsitePage($db);
}

// $weblangs / $pagelangs: translation handlers for the site and for the current page.
if (!is_object($weblangs)) {
    $weblangs = new Translate('', $conf);
}
if (!is_object($pagelangs)) {
    $pagelangs = new Translate('', $conf);
}
// Load the requested page, select the languages, and refuse containers that are not
// meant to be served as a page.
if (!empty($pageid) && $pageid > 0) {
    $websitepage->fetch($pageid);

    // Site language, by priority: 'lang' request parameter (through GETPOST's 'aZ09' check),
    // then the 'weblangs-shortcode' cookie, then automatic detection.
    // The cookie is client-controlled: everything outside [a-zA-Z0-9_-] is stripped before use.
    if (GETPOSTISSET('lang')) {
        $weblangs->setDefaultLang(GETPOST('lang', 'aZ09'));
    } elseif (empty($_COOKIE['weblangs-shortcode'])) {
        $weblangs->setDefaultLang('auto');
    } else {
        $weblangs->setDefaultLang(preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE['weblangs-shortcode']));
    }

    // Page language: the page's own language when it has one, else the site language.
    $pagelangs->setDefaultLang($websitepage->lang ?: $weblangs->shortlang);

    // Outside the Dolibarr editor, answer 404 when the container type is 'menu' or 'other',
    // or when the page has an empty status and is not served through the Dolibarr server.
    // (&& binds tighter than ||; the inner parentheses only make that grouping explicit.)
    if (!defined('USEDOLIBARREDITOR')
        && (in_array($websitepage->type_container, ['menu', 'other'])
            || (empty($websitepage->status) && !defined('USEDOLIBARRSERVER')))
    ) {
        $weblangs->load("website");

        // This branch exits before the CSP / Referrer-Policy / HSTS section further down
        // in this file, so only the two headers below accompany the 404 response.
        header("X-Content-Type-Options: nosniff");
        if (empty($websitepage->allowed_in_frames) && !getDolGlobalString('WEBSITE_ALLOW_FRAMES_ON_ALL_PAGES')) {
            header("X-Frame-Options: SAMEORIGIN");
        }

        // NOTE(review): pageurl, type_container and status are substituted into a message that
        // is printed as HTML; confirm that Translate::trans() encodes the substituted values.
        http_response_code(404);
        print '<center><br><br>'.$weblangs->trans("YouTryToAccessToAFileThatIsNotAWebsitePage", $websitepage->pageurl, $websitepage->type_container, $websitepage->status).'</center>';
        exit;
    }
}
95
// HTTP security headers for pages served by a native web server
// (neither USEDOLIBARRSERVER nor USEDOLIBARREDITOR is defined).
if (!defined('USEDOLIBARRSERVER') && !defined('USEDOLIBARREDITOR')) {
    // X-Content-Type-Options: forbid MIME type sniffing.
    header("X-Content-Type-Options: nosniff");

    // X-Frame-Options: same-origin framing only, unless the page or the global option allows frames.
    // The CSP directive frame-ancestors is the current standard for the same control.
    if (empty($websitepage->allowed_in_frames) && !getDolGlobalString('WEBSITE_ALLOW_FRAMES_ON_ALL_PAGES')) {
        header("X-Frame-Options: SAMEORIGIN");
    }

    // X-XSS-Protection is intentionally not sent: the header is deprecated and
    // Content-Security-Policy is the effective control.

    // Content-Security-Policy-Report-Only
    // Violations of this policy are reported by the browser but nothing is blocked.
    // Skipped when the PHP constant WEBSITE_MAIN_SECURITY_FORCECSPRO is defined.
    if (!defined('WEBSITE_MAIN_SECURITY_FORCECSPRO')) {
        // The policy text is the WEBSITE_MAIN_SECURITY_FORCECSPRO setup value. In CSP syntax a directive
        // name is followed by a space (no colon) and directives are separated by ';'. Examples:
        // - Local resources only, except css (cloudflare+google), js (transifex + google tags) and object/iframe (youtube):
        //   default-src 'self'; style-src https://cdnjs.cloudflare.com https://fonts.googleapis.com; script-src https://cdn.transifex.com https://www.googletagmanager.com; object-src https://youtube.com; frame-src https://youtube.com; img-src *;
        // - Everything restricted to the site itself, except images:
        //   default-src 'self'; img-src *;
        // - Legacy site with too much inline js to fix, that only wants https loading and no plugins:
        //   default-src https: 'unsafe-inline' 'unsafe-eval'; object-src 'none'
        //   ('unsafe-inline' and 'unsafe-eval' give up most of the script-injection protection of CSP.)
        // - Permissive samples that keep paypal, stripe and google components working:
        //   frame-ancestors 'self'; img-src * data:; font-src *; default-src 'self' 'unsafe-inline' 'unsafe-eval' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com;
        //   frame-ancestors 'self'; img-src * data:; font-src *; default-src *; script-src 'self' 'unsafe-inline' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com; style-src 'self' 'unsafe-inline'; connect-src 'self';
        $contentsecuritypolicy = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCECSPRO');

        if (!is_object($hookmanager)) {
            include_once DOL_DOCUMENT_ROOT.'/core/class/hookmanager.class.php';
            $hookmanager = new HookManager($db);
        }
        $hookmanager->initHooks(["main"]);

        // Hooks registered on the 'main' context may change the policy: a result > 0 replaces it
        // with the hook output, any other result appends the hook output to it. Every enabled module
        // that implements setContentSecurityPolicy is therefore part of the policy's trust boundary.
        $parameters = ['contentsecuritypolicy' => $contentsecuritypolicy, 'mode' => 'reportonly'];
        $result = $hookmanager->executeHooks('setContentSecurityPolicy', $parameters);
        $contentsecuritypolicy = ($result > 0) ? $hookmanager->resPrint : $contentsecuritypolicy.$hookmanager->resPrint;

        // No header at all when the resulting policy is empty.
        if (!empty($contentsecuritypolicy)) {
            header("Content-Security-Policy-Report-Only: ".$contentsecuritypolicy);
        }
    }

    // Content-Security-Policy
    // Enforced policy. Same construction as the report-only policy above, with the setup value
    // WEBSITE_MAIN_SECURITY_FORCECSP and the hook mode 'active'; the syntax notes and samples above apply.
    // Skipped when the PHP constant WEBSITE_MAIN_SECURITY_FORCECSP is defined.
    if (!defined('WEBSITE_MAIN_SECURITY_FORCECSP')) {
        $contentsecuritypolicy = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCECSP');

        if (!is_object($hookmanager)) {
            include_once DOL_DOCUMENT_ROOT.'/core/class/hookmanager.class.php';
            $hookmanager = new HookManager($db);
        }
        $hookmanager->initHooks(["main"]);

        // result > 0: hook output replaces the policy; otherwise it is appended.
        $parameters = ['contentsecuritypolicy' => $contentsecuritypolicy, 'mode' => 'active'];
        $result = $hookmanager->executeHooks('setContentSecurityPolicy', $parameters);
        $contentsecuritypolicy = ($result > 0) ? $hookmanager->resPrint : $contentsecuritypolicy.$hookmanager->resPrint;

        // No header at all when the resulting policy is empty: without a configured value
        // or a hook, pages are served with no CSP.
        if (!empty($contentsecuritypolicy)) {
            header("Content-Security-Policy: ".$contentsecuritypolicy);
        }
    }

    // Referrer-Policy
    // The constant WEBSITE_MAIN_SECURITY_FORCERP should never be defined by a page, but the
    // setup value of the same name may be. Always sent; public web sites default to
    // "strict-origin-when-cross-origin".
    if (!defined('WEBSITE_MAIN_SECURITY_FORCERP')) {
        $referrerpolicy = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCERP', "strict-origin-when-cross-origin");

        header("Referrer-Policy: ".$referrerpolicy);
    }

    // Strict-Transport-Security
    // The constant WEBSITE_MAIN_SECURITY_FORCESTS should never be defined by a page, but the
    // setup value of the same name may be. Sent only when that value is not empty.
    // Example: "max-age=31536000; includeSubDomains"
    // Browsers honour this header only on responses received over HTTPS.
    if (!defined('WEBSITE_MAIN_SECURITY_FORCESTS')) {
        $sts = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCESTS');
        if (!empty($sts)) {
            header("Strict-Transport-Security: ".$sts);
        }
    }

    // Permissions-Policy (old name was Feature-Policy)
    // The constant WEBSITE_MAIN_SECURITY_FORCEPP should never be defined by a page, but the
    // setup value of the same name may be. Sent only when that value is not empty.
    // Example in Permissions-Policy syntax: "camera=(), microphone=()"
    // (the older Feature-Policy form was "camera 'none'; microphone 'none'").
    if (!defined('WEBSITE_MAIN_SECURITY_FORCEPP')) {
        $pp = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCEPP');
        if (!empty($pp)) {
            header("Permissions-Policy: ".$pp);
        }
    }
}
208
// The request parameter 'l' forces a language: switch the site translations to it.
if (GETPOST('l', 'aZ09')) {
    $weblangs->setDefaultLang(GETPOST('l', 'aZ09'));
}

// With a forced language, look for the translation of the current page and redirect to it.
// Only done when the page is browsed through the Dolibarr server or a native web server,
// i.e. when the running script is not /website/index.php.
if ($_SERVER['PHP_SELF'] != DOL_URL_ROOT.'/website/index.php' && GETPOST('l', 'aZ09')) {
    // Candidate pages: the current page, its translations, and - when the current page is itself
    // a translation - the source page and its other translations, limited to the forced language.
    // Every id is cast to int and the language goes through $db->escape() before being quoted.
    $sql = "SELECT wp.rowid, wp.lang, wp.pageurl, wp.fk_page"
        ." FROM ".MAIN_DB_PREFIX."website_page as wp"
        ." WHERE wp.fk_website = ".((int) $website->id);
    $sql .= " AND (wp.fk_page = ".((int) $pageid)." OR wp.rowid = ".((int) $pageid);
    if (is_object($websitepage) && $websitepage->fk_page > 0) {
        $sql .= " OR wp.fk_page = ".((int) $websitepage->fk_page)." OR wp.rowid = ".((int) $websitepage->fk_page);
    }
    $sql .= ")";
    $sql .= " AND wp.lang = '".$db->escape(GETPOST('l', 'aZ09'))."'";

    $resql = $db->query($sql);
    if ($resql && ($obj = $db->fetch_object($resql))) {
        $newpageid = $obj->rowid;

        // Redirect only to a different page, otherwise the redirect would loop forever.
        if ($newpageid != $pageid) {
            // NOTE(review): $websitekey and $obj->pageurl are concatenated into the Location value
            // without URL encoding; their allowed characters are not visible here - confirm they are
            // constrained where they are set or stored. 'l' passes through GETPOST's 'aZ09' check.
            if (defined('USEDOLIBARRSERVER')) {
                header("Location: ".DOL_URL_ROOT.'/public/website/index.php?website='.$websitekey.'&pageid='.$newpageid.'&l='.GETPOST('l', 'aZ09'));
                exit;
            }

            // Native web server: pages in a language other than the site's main one live under /<lang>/.
            $newpageref = $obj->pageurl;
            header("Location: ".(($obj->lang && $obj->lang != $website->lang) ? '/'.$obj->lang.'/' : '/').$newpageref.'.php?l='.GETPOST('l', 'aZ09'));
            exit;
        }
    }
}
246
// Whole website off line: outside the Dolibarr editor, a website with an empty status
// gets a 503 response with a short message instead of the page.
if (!defined('USEDOLIBARREDITOR') && empty($website->status)) {
    // Security headers sent by this branch itself.
    header("X-Content-Type-Options: nosniff");
    if (empty($websitepage->allowed_in_frames) && !getDolGlobalString('WEBSITE_ALLOW_FRAMES_ON_ALL_PAGES')) {
        header("X-Frame-Options: SAMEORIGIN");
    }

    $weblangs->load("website");

    // The message is a fixed translation key with no request data in it.
    http_response_code(503);
    echo '<center><br><br>'.$weblangs->trans("SorryWebsiteIsCurrentlyOffLine").'</center>';
    exit;
}
Class to manage hooks.
Class to manage translations.
Class Website.
Class Websitepage.
getBrowserInfo($user_agent)
Return information about user browser.
GETPOST($paramname, $check='alphanohtml', $method=0, $filter=null, $options=null, $noreplace=0)
Return value of a param into GET or POST supervariable.
getDolGlobalString($key, $default='')
Return dolibarr global constant string value.