dolibarr 20.0.0
website.inc.php
Go to the documentation of this file.
1<?php
2/* Copyright (C) 2017-2024 Laurent Destailleur <eldy@users.sourceforge.net>
3 * Copyright (C) 2024 Frédéric France <frederic.france@free.fr>
4 *
5* This program is free software; you can redistribute it and/or modify
6* it under the terms of the GNU General Public License as published by
7* the Free Software Foundation; either version 3 of the License, or
8* (at your option) any later version.
9*
10* This program is distributed in the hope that it will be useful,
11* but WITHOUT ANY WARRANTY; without even the implied warranty of
12* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13* GNU General Public License for more details.
14*
15* You should have received a copy of the GNU General Public License
16* along with this program. If not, see <https://www.gnu.org/licenses/>.
17* or see https://www.gnu.org/
18*/
19
28// Load website class
29include_once DOL_DOCUMENT_ROOT.'/website/class/website.class.php';
30include_once DOL_DOCUMENT_ROOT.'/website/class/websitepage.class.php';
31
32$website = null;
33$websitepage = null;
34$weblangs = null;
35$pagelangs = null;
36
37// Detection browser (copy of code from main.inc.php)
38if (isset($_SERVER["HTTP_USER_AGENT"]) && is_object($conf) && empty($conf->browser->name)) {
39 $tmp = getBrowserInfo($_SERVER["HTTP_USER_AGENT"]);
40 $conf->browser->name = $tmp['browsername'];
41 $conf->browser->os = $tmp['browseros'];
42 $conf->browser->version = $tmp['browserversion'];
43 $conf->browser->layout = $tmp['layout']; // 'classic', 'phone', 'tablet'
44 //var_dump($conf->browser);
45
46 if ($conf->browser->layout == 'phone') {
47 $conf->dol_no_mouse_hover = 1;
48 }
49}
50// Define $website
51if (is_null($website)) {
52 $website = new Website($db);
53 $website->fetch(0, $websitekey);
54}
55// Define $websitepage if we have $websitepagefile defined
56if (empty($pageid) && !empty($websitepagefile)) {
57 $pageid = str_replace(array('.tpl.php', 'page'), array('', ''), basename($websitepagefile));
58 if ($pageid == 'index.php') {
59 $pageid = $website->fk_default_home;
60 }
61}
62if (is_null($websitepage)) {
63 $websitepage = new WebsitePage($db);
64}
65// Define $weblangs
66if (is_null($weblangs)) {
67 $weblangs = new Translate('', $conf);
68}
69if (is_null($pagelangs)) {
70 $pagelangs = new Translate('', $conf);
71}
72if (!empty($pageid) && $pageid > 0) {
73 $websitepage->fetch($pageid);
74
75 // Rule to define weblang of visitor:
76 // 1 - Take parameter lang
77 // 2 - Cookie lang of website (set by a possible js lang selector)
78 // 3 - XX/... found in url page
79 // 4 - auto (so web browser lang)
80 $srclang = GETPOSTISSET('lang') ? GETPOST('lang', 'aZ09') : '';
81 if (empty($srclang)) {
82 $srclang = (empty($_COOKIE['weblangs-shortcode']) ? '' : preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE['weblangs-shortcode']));
83 }
84 if (empty($srclang)) {
85 $reg = array();
86 // With Dolibarr server, url is in parameter pageref
87 if (defined('USEDOLIBARRSERVER') && !empty($_GET['pageref']) && preg_match('/^\/?(\w\w)\//', $_GET['pageref'], $reg) && $reg[1] != 'js') { // We reuse $_GET['pageref'] because $pageref may have been cleaned already from the language code.
88 $srclang = $reg[1];
89 }
90 // With External server, url is in parameter pageref
91 if (defined('USEEXTERNALSERVER') && !empty($_SERVER['PHP_SELF']) && preg_match('/^\/?(\w\w)\//', $_SERVER['PHP_SELF'], $reg) && $reg[1] != 'js') {
92 $srclang = $reg[1];
93 }
94 }
95 if (empty($srclang)) {
96 $srclang= 'auto';
97 }
98 $weblangs->setDefaultLang($srclang);
99
100 $pagelangs->setDefaultLang($websitepage->lang ? $websitepage->lang : $weblangs->shortlang);
101
102 if (!defined('USEDOLIBARREDITOR') && (in_array($websitepage->type_container, array('menu', 'other')) || empty($websitepage->status) && !defined('USEDOLIBARRSERVER'))) {
103 $weblangs->load("website");
104
105 // Security options
106
107 // X-Content-Type-Options
108 header("X-Content-Type-Options: nosniff");
109
110 // X-Frame-Options
111 if (empty($websitepage->allowed_in_frames) && !getDolGlobalString('WEBSITE_ALLOW_FRAMES_ON_ALL_PAGES')) {
112 header("X-Frame-Options: SAMEORIGIN");
113 }
114
115 //httponly_accessforbidden('<center><br><br>'.$weblangs->trans("YouTryToAccessToAFileThatIsNotAWebsitePage", $websitepage->pageurl, $websitepage->type_container, $websitepage->status).'</center>', 404, 1);
116 http_response_code(404);
117 print '<center><br><br>'.$weblangs->trans("YouTryToAccessToAFileThatIsNotAWebsitePage", $websitepage->pageurl, $websitepage->type_container, $websitepage->status).'</center>';
118 exit;
119 }
120}
121
122if (!defined('USEDOLIBARRSERVER') && !defined('USEDOLIBARREDITOR')) {
123 // Security options
124
125 // X-Content-Type-Options
126 header("X-Content-Type-Options: nosniff");
127
128 // X-Frame-Options
129 if (empty($websitepage->allowed_in_frames) && !getDolGlobalString('WEBSITE_ALLOW_FRAMES_ON_ALL_PAGES')) {
130 header("X-Frame-Options: SAMEORIGIN");
131 }
132
133 // X-XSS-Protection
134 //header("X-XSS-Protection: 1"); // XSS filtering protection of some browsers (note: use of Content-Security-Policy is more efficient). Disabled as deprecated.
135
136 // Content-Security-Policy-Report-Only
137 if (!defined('WEBSITE_MAIN_SECURITY_FORCECSPRO')) {
138 // A default security policy that keep usage of js external component like ckeditor, stripe, google, working
139 // For example: to restrict to only local resources, except for css (cloudflare+google), and js (transifex + google tags) and object/iframe (youtube)
140 // default-src 'self'; style-src: https://cdnjs.cloudflare.com https://fonts.googleapis.com; script-src: https://cdn.transifex.com https://www.googletagmanager.com; object-src https://youtube.com; frame-src https://youtube.com; img-src: *;
141 // For example, to restrict everything to itself except img that can be on other servers:
142 // default-src 'self'; img-src *;
143 // Pre-existing site that uses too much js code to fix but wants to ensure resources are loaded only over https and disable plugins:
144 // default-src https: 'unsafe-inline' 'unsafe-eval'; object-src 'none'
145 //
146 // $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; font-src *; default-src 'self' 'unsafe-inline' 'unsafe-eval' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com;";
147 // $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; font-src *; default-src *; script-src 'self' 'unsafe-inline' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com; style-src 'self' 'unsafe-inline'; connect-src 'self';";
148 $contentsecuritypolicy = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCECSPRO');
149
150 if (!is_object($hookmanager)) {
151 include_once DOL_DOCUMENT_ROOT.'/core/class/hookmanager.class.php';
152 $hookmanager = new HookManager($db);
153 }
154 $hookmanager->initHooks(array("main"));
155
156 $parameters = array('contentsecuritypolicy'=>$contentsecuritypolicy, 'mode'=>'reportonly');
157 $result = $hookmanager->executeHooks('setContentSecurityPolicy', $parameters); // Note that $action and $object may have been modified by some hooks
158 if ($result > 0) {
159 $contentsecuritypolicy = $hookmanager->resPrint; // Replace CSP
160 } else {
161 $contentsecuritypolicy .= $hookmanager->resPrint; // Concat CSP
162 }
163
164 if (!empty($contentsecuritypolicy)) {
165 header("Content-Security-Policy-Report-Only: ".$contentsecuritypolicy);
166 }
167 }
168
169 // Content-Security-Policy
170 if (!defined('WEBSITE_MAIN_SECURITY_FORCECSP')) {
171 // A default security policy that keep usage of js external component like ckeditor, stripe, google, working
172 // For example: to restrict to only local resources, except for css (cloudflare+google), and js (transifex + google tags) and object/iframe (youtube)
173 // default-src 'self'; style-src: https://cdnjs.cloudflare.com https://fonts.googleapis.com; script-src: https://cdn.transifex.com https://www.googletagmanager.com; object-src https://youtube.com; frame-src https://youtube.com; img-src: *;
174 // For example, to restrict everything to itself except img that can be on other servers:
175 // default-src 'self'; img-src *;
176 // Pre-existing site that uses too much js code to fix but wants to ensure resources are loaded only over https and disable plugins:
177 // default-src https: 'unsafe-inline' 'unsafe-eval'; object-src 'none'
178 //
179 // $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; font-src *; default-src 'self' 'unsafe-inline' 'unsafe-eval' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com;";
180 // $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; font-src *; default-src *; script-src 'self' 'unsafe-inline' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com; style-src 'self' 'unsafe-inline'; connect-src 'self';";
181 $contentsecuritypolicy = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCECSP');
182
183 if (!is_object($hookmanager)) {
184 include_once DOL_DOCUMENT_ROOT.'/core/class/hookmanager.class.php';
185 $hookmanager = new HookManager($db);
186 }
187 $hookmanager->initHooks(array("main"));
188
189 $parameters = array('contentsecuritypolicy'=>$contentsecuritypolicy, 'mode'=>'active');
190 $result = $hookmanager->executeHooks('setContentSecurityPolicy', $parameters); // Note that $action and $object may have been modified by some hooks
191 if ($result > 0) {
192 $contentsecuritypolicy = $hookmanager->resPrint; // Replace CSP
193 } else {
194 $contentsecuritypolicy .= $hookmanager->resPrint; // Concat CSP
195 }
196
197 if (!empty($contentsecuritypolicy)) {
198 header("Content-Security-Policy: ".$contentsecuritypolicy);
199 }
200 }
201
202 // Referrer-Policy
203 if (!defined('WEBSITE_MAIN_SECURITY_FORCERP')) {
204 // The constant WEBSITE_MAIN_SECURITY_FORCERP should never be defined by page, but the variable used just after may be
205
206 // For public web sites, we use the same default value than "strict-origin-when-cross-origin"
207 $referrerpolicy = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCERP', "strict-origin-when-cross-origin");
208
209 header("Referrer-Policy: ".$referrerpolicy);
210 }
211
212 // Strict-Transport-Security
213 if (!defined('WEBSITE_MAIN_SECURITY_FORCESTS')) {
214 // The constant WEBSITE_MAIN_SECURITY_FORCESTS should never be defined by page, but the variable used just after may be
215
216 // Example: "max-age=31536000; includeSubDomains"
217 $sts = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCESTS');
218 if (!empty($sts)) {
219 header("Strict-Transport-Security: ".$sts);
220 }
221 }
222
223 // Permissions-Policy (old name was Feature-Policy)
224 if (!defined('WEBSITE_MAIN_SECURITY_FORCEPP')) {
225 // The constant WEBSITE_MAIN_SECURITY_FORCEPP should never be defined by page, but the variable used just after may be
226
227 // Example: "camera: 'none'; microphone: 'none';"
228 $pp = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCEPP');
229 if (!empty($pp)) {
230 header("Permissions-Policy: ".$pp);
231 }
232 }
233}
234
235// A lang was forced, so we change weblangs init
236if (GETPOST('l', 'aZ09')) {
237 $weblangs->setDefaultLang(GETPOST('l', 'aZ09'));
238}
239// A lang was forced, so we check to find if we must make a redirect on translation page
240if ($_SERVER['PHP_SELF'] != DOL_URL_ROOT.'/website/index.php') { // If we browsing page using Dolibarr server or a Native web server
241 //print_r(get_defined_constants(true));exit;
242 if (GETPOST('l', 'aZ09')) {
243 $sql = "SELECT wp.rowid, wp.lang, wp.pageurl, wp.fk_page";
244 $sql .= " FROM ".MAIN_DB_PREFIX."website_page as wp";
245 $sql .= " WHERE wp.fk_website = ".((int) $website->id);
246 $sql .= " AND (wp.fk_page = ".((int) $pageid)." OR wp.rowid = ".((int) $pageid);
247 if (is_object($websitepage) && $websitepage->fk_page > 0) {
248 $sql .= " OR wp.fk_page = ".((int) $websitepage->fk_page)." OR wp.rowid = ".((int) $websitepage->fk_page);
249 }
250 $sql .= ")";
251 $sql .= " AND wp.lang = '".$db->escape(GETPOST('l', 'aZ09'))."'";
252
253 $resql = $db->query($sql);
254 if ($resql) {
255 $obj = $db->fetch_object($resql);
256 if ($obj) {
257 $newpageid = $obj->rowid;
258 if ($newpageid != $pageid) { // To avoid to make a redirect on same page (infinite loop)
259 if (defined('USEDOLIBARRSERVER')) {
260 header("Location: ".DOL_URL_ROOT.'/public/website/index.php?website='.$websitekey.'&pageid='.$newpageid.'&l='.GETPOST('l', 'aZ09'));
261 exit;
262 } else {
263 $newpageref = $obj->pageurl;
264 header("Location: ".(($obj->lang && $obj->lang != $website->lang) ? '/'.$obj->lang.'/' : '/').$newpageref.'.php?l='.GETPOST('l', 'aZ09'));
265 exit;
266 }
267 }
268 }
269 }
270 }
271}
272
273// Show off line message when all website is off
274if (!defined('USEDOLIBARREDITOR') && empty($website->status)) {
275 // Security options
276
277 // X-Content-Type-Options
278 header("X-Content-Type-Options: nosniff");
279
280 // X-Frame-Options
281 if (empty($websitepage->allowed_in_frames) && !getDolGlobalString('WEBSITE_ALLOW_FRAMES_ON_ALL_PAGES')) {
282 header("X-Frame-Options: SAMEORIGIN");
283 }
284
285 $weblangs->load("website");
286
287 //httponly_accessforbidden('<center><br><br>'.$weblangs->trans("SorryWebsiteIsCurrentlyOffLine").'</center>', 503, 1);
288 http_response_code(503);
289 print '<center><br><br>'.$weblangs->trans("SorryWebsiteIsCurrentlyOffLine").'</center>';
290 exit;
291}
292
293
294// Get session info and obfuscate session cookie and other variables
295$prefix = dol_getprefix('');
296$sessionname = 'DOLSESSID_'.$prefix;
297//$savsessionid = $_COOKIE[$sessionname];
298
299$_COOKIE[$sessionname] = 'obfuscatedcookie';
300unset($conf->file->instance_unique_id);
301
302unset($dolibarr_main_instance_unique_id);
303unset($dolibarr_main_db_host);
304unset($dolibarr_main_db_port);
305unset($dolibarr_main_db_name);
306unset($dolibarr_main_db_user);
307unset($dolibarr_main_db_pass);
308unset($$dolibarr_main_db_type);
309unset($dolibarr_main_document_root);
310unset($dolibarr_main_document_root_alt);
Class to manage hooks.
Class to manage translations.
Class Website.
Class Websitepage.
getBrowserInfo($user_agent)
Return information about user browser.
GETPOST($paramname, $check='alphanohtml', $method=0, $filter=null, $options=null, $noreplace=0)
Return value of a param into GET or POST supervariable.
getDolGlobalString($key, $default='')
Return dolibarr global constant string value.