dolibarr 20.0.0
security.lib.php File Reference

Set of function used for dolibarr security (common function included into filefunc.inc.php) Warning, this file must not depends on other library files, except function.lib.php because it is used at low code level. More...

Go to the source code of this file.

Functions

 dol_encode ($chain, $key='1')
 Encode a string with base 64 algorithm + specific delta change.
 
 dol_decode ($chain, $key='1')
 Decode a base 64 encoded + specific delta change.
 
 dolGetRandomBytes ($length)
 Return a string of random bytes (hexa string) with length = $length for cryptographic purposes.
 
 dolEncrypt ($chain, $key='', $ciphering='AES-256-CTR', $forceseed='')
 Encode a string with a symmetric encryption.
 
 dolDecrypt ($chain, $key='')
 Decode a string with a symmetric encryption.
 
 dol_hash ($chain, $type='0', $nosalt=0)
 Returns a hash (non reversible encryption) of a string.
 
 dol_verifyHash ($chain, $hash, $type='0')
 Compute a hash and compare it to the given one For backward compatibility reasons, if the hash is not in the password_hash format, we will try to match against md5 and sha1md5 If constant MAIN_SECURITY_HASH_ALGO is defined, we use this function as hashing function.
 
 dolGetLdapPasswordHash ($password, $type='md5')
 Returns a specific ldap hash of a password.
 
 restrictedArea (User $user, $features, $object=0, $tableandshare='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid', $isdraft=0, $mode=0)
 Check permissions of a user to show a page and an object.
 
 checkUserAccessToObject ($user, array $featuresarray, $object=0, $tableandshare='', $feature2='', $dbt_keyfield='', $dbt_select='rowid', $parenttableforentity='')
 Check that access by a given user to an object is ok.
 
 httponly_accessforbidden ($message='1', $http_response_code=403, $stringalreadysanitized=0)
 Show a message to say access is forbidden and stop program.
 
 accessforbidden ($message='', $printheader=1, $printfooter=1, $showonlymessage=0, $params=null)
 Show a message to say access is forbidden and stop program.
 
 getMaxFileSizeArray ()
 Return the max allowed for file upload.
 

Detailed Description

Set of function used for dolibarr security (common function included into filefunc.inc.php) Warning, this file must not depends on other library files, except function.lib.php because it is used at low code level.

Definition in file security.lib.php.

Function Documentation

◆ accessforbidden()

accessforbidden ( $message = '',
$printheader = 1,
$printfooter = 1,
$showonlymessage = 0,
$params = null )

Show a message to say access is forbidden and stop program.

This includes HTTP and HTML header and footer (except if $printheader and $printfooter is 0, use this case inside an already started page). Calling this function terminate execution of PHP.

Parameters
string$messageForce error message
int$printheaderShow header before
int$printfooterShow footer after
int$showonlymessageShow only message parameter. Otherwise add more information.
array | null$paramsMore parameters provided to hook
Returns
void
See also
httponly_accessforbidden()

Definition at line 1207 of file security.lib.php.

References $object, llxFooter(), llxHeader(), and llxHeaderVierge().

Referenced by FormCardWebPortal\init(), and restrictedArea().

◆ checkUserAccessToObject()

checkUserAccessToObject ( $user,
array $featuresarray,
$object = 0,
$tableandshare = '',
$feature2 = '',
$dbt_keyfield = '',
$dbt_select = 'rowid',
$parenttableforentity = '' )

Check that access by a given user to an object is ok.

This function is also called by restrictedArea() that check before if module is enabled and if permission of user for $action is ok.

Parameters
User$userUser to check
array$featuresarrayFeatures/modules to check. Example: ('user','service','member','project','task',...)
int | string | Object$objectFull object or object ID or list of object id. For example if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
string$tableandshare'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity for multicompany modume. Param not used if objectid is null (optional).
array | string$feature2Feature to check, second level of permission (optional). Can be or check with 'level1|level2'.
string$dbt_keyfieldField name for socid foreign key if not fk_soc. Not used if objectid is null (optional). Can use '' if NA.
string$dbt_selectField name for select if not rowid. Not used if objectid is null (optional).
string$parenttableforentityParent table for entity. Example 'fk_website@website'
Returns
bool True if user has access, False otherwise
See also
restrictedArea()

Definition at line 852 of file security.lib.php.

References $object, dol_print_error(), dol_syslog(), getDolGlobalInt(), and getDolGlobalString().

Referenced by DolibarrApi\_checkAccessToResource(), dol_check_secure_access_document(), and restrictedArea().

◆ dol_decode()

dol_decode ( $chain,
$key = '1' )

Decode a base 64 encoded + specific delta change.

This function is called by filefunc.inc.php at each page call.

Parameters
string$chainstring to decode
string$keyrule to use for delta ('0', '1' or 'myownkey')
Returns
string decoded string
See also
dol_encode()

Definition at line 70 of file security.lib.php.

References dol_strlen().

Referenced by encodedecode_dbpassconf(), and print_paybox_redirect().

◆ dol_encode()

dol_encode ( $chain,
$key = '1' )

Encode a string with base 64 algorithm + specific delta change.

Parameters
string$chainstring to encode
string$keyrule to use for delta ('0', '1' or 'myownkey')
Returns
string encoded string
See also
dol_decode()

Definition at line 39 of file security.lib.php.

References dol_strlen().

Referenced by encodedecode_dbpassconf().

◆ dol_hash()

dol_hash ( $chain,
$type = '0',
$nosalt = 0 )

Returns a hash (non reversible encryption) of a string.

If constant MAIN_SECURITY_HASH_ALGO is defined, we use this function as hashing function (recommended value is 'password_hash') If constant MAIN_SECURITY_SALT is defined, we use it as a salt (used only if hashing algorithm is something else than 'password_hash').

Parameters
string$chainString to hash
string$typeType of hash ('0':auto will use MAIN_SECURITY_HASH_ALGO else md5, '1':sha1, '2':sha1+md5, '3':md5, '4': for OpenLdap, '5':sha256, '6':password_hash). Use 'md5' if hash is not needed for security purpose. For security need, prefer 'auto'.
int$nosaltDo not include any salt
Returns
string Hash of string
See also
getRandomPassword(), dol_verifyHash()

Definition at line 240 of file security.lib.php.

References dolGetLdapPasswordHash(), and getDolGlobalString().

Referenced by Adherent\_load_ldap_info(), User\_load_ldap_info(), MailmanSpip\add_to_spip(), MailingTargets\addTargetsToDatabase(), ActionComm\build_exportfile(), BlockedLog\checkSignature(), BlockedLog\create(), EcmFiles\create(), CommonObject\createCommon(), dol_check_secure_access_document(), dol_verifyHash(), ConferenceOrBooth\fetch(), CMailFile\findHtmlImages(), Context\generateNewToken(), User\getOnlineVirtualCardUrl(), BlockedLog\getSignature(), Login\index(), CommonObject\insertExtraFields(), RssParser\parser(), User\send_password(), DataPolicy\sendMailDataPolicyAdherent(), DataPolicy\sendMailDataPolicyCompany(), DataPolicy\sendMailDataPolicyContact(), SMTPs\setAttachment(), SMTPs\setBodyContent(), SMTPs\setImageInline(), Adherent\setPassword(), User\setPassword(), Form\showphoto(), EcmFiles\update(), CommonObject\updateExtraField(), pdf_eagle\write_file(), pdf_espadon\write_file(), pdf_rouget\write_file(), pdf_squille\write_file(), modPhpbarcode\writeBarCode(), and modTcpdfbarcode\writeBarCode().

◆ dol_verifyHash()

dol_verifyHash ( $chain,
$hash,
$type = '0' )

Compute a hash and compare it to the given one For backward compatibility reasons, if the hash is not in the password_hash format, we will try to match against md5 and sha1md5 If constant MAIN_SECURITY_HASH_ALGO is defined, we use this function as hashing function.

If constant MAIN_SECURITY_SALT is defined, we use it as a salt.

Parameters
string$chainString to hash (not hashed string)
string$hashhash to compare
string$typeType of hash ('0':auto, '1':sha1, '2':sha1+md5, '3':md5, '4': for OpenLdap, '5':sha256). Use '3' here, if hash is not needed for security purpose, for security need, prefer '0'.
Returns
bool True if the computed hash is the same as the given one
See also
dol_hash()

Definition at line 286 of file security.lib.php.

References dol_hash(), dol_strlen(), dol_verifyHash(), and getDolGlobalString().

Referenced by check_user_password_dolibarr(), check_user_password_googleoauth(), dol_verifyHash(), Context\getThirdPartyAccountFromLogin(), and User\update().

◆ dolDecrypt()

dolDecrypt ( $chain,
$key = '' )

Decode a string with a symmetric encryption.

Used to decrypt sensitive data saved into database. Note: If a backup is restored onto another instance with a different $conf->file->instance_unique_id, then decoded value will differ.

Parameters
string$chainstring to decode
string$keyIf '', we use $conf->file->instance_unique_id
Returns
string encoded string
Since
v17
See also
dolEncrypt(), dol_hash()

Definition at line 182 of file security.lib.php.

References dol_syslog().

Referenced by DolibarrApiAccess\__isAllowed(), EmailCollector\create(), dolibarr_get_const(), encodedecode_dbpassconf(), EmailCollector\fetch(), User\fetch(), CommonObject\fetch_optionals(), Conf\setValues(), and EmailCollector\update().

◆ dolEncrypt()

dolEncrypt ( $chain,
$key = '',
$ciphering = 'AES-256-CTR',
$forceseed = '' )

Encode a string with a symmetric encryption.

Used to encrypt sensitive data into database. Note: If a backup is restored onto another instance with a different $conf->file->instance_unique_id, then decoded value will differ. This function is called for example by dol_set_const() when saving a sensible data into database configuration table llx_const.

Parameters
string$chainString to encode
string$keyIf '', we use $conf->file->instance_unique_id (so $dolibarr_main_instance_unique_id in conf.php)
string$cipheringDefault ciphering algorithm
string$forceseedTo force the seed
Returns
string encoded string
Since
v17
See also
dolDecrypt(), dol_hash()

Definition at line 123 of file security.lib.php.

References dol_substr(), and dolGetRandomBytes().

Referenced by DolibarrApiAccess\__isAllowed(), EmailCollector\create(), dolibarr_set_const(), Login\index(), CommonObject\insertExtraFields(), EmailCollector\update(), User\update(), and CommonObject\updateExtraField().

◆ dolGetLdapPasswordHash()

dolGetLdapPasswordHash ( $password,
$type = 'md5' )

Returns a specific ldap hash of a password.

Parameters
string$passwordPassword to hash
string$typeType of hash
Returns
string Hash of password

Definition at line 310 of file security.lib.php.

Referenced by Adherent\_load_ldap_info(), User\_load_ldap_info(), and dol_hash().

◆ dolGetRandomBytes()

dolGetRandomBytes ( $length)

Return a string of random bytes (hexa string) with length = $length for cryptographic purposes.

Parameters
int$lengthLength of random string
Returns
string Random string

Definition at line 101 of file security.lib.php.

Referenced by dolEncrypt().

◆ getMaxFileSizeArray()

◆ httponly_accessforbidden()

httponly_accessforbidden ( $message = '1',
$http_response_code = 403,
$stringalreadysanitized = 0 )

Show a message to say access is forbidden and stop program.

This includes only HTTP header. Calling this function terminate execution of PHP.

Parameters
string$messageForce error message
int$http_response_codeHTTP response code
int$stringalreadysanitized1 if string is already sanitized with HTML entities
Returns
void
See also
accessforbidden()

Definition at line 1180 of file security.lib.php.

References top_httphead().

Referenced by DocumentController\init().

◆ restrictedArea()

restrictedArea ( User $user,
$features,
$object = 0,
$tableandshare = '',
$feature2 = '',
$dbt_keyfield = 'fk_soc',
$dbt_select = 'rowid',
$isdraft = 0,
$mode = 0 )

Check permissions of a user to show a page and an object.

Check read permission. If GETPOST('action','aZ09') defined, we also check write and delete permission. This method check permission on module then call checkUserAccessToObject() for permission on object (according to entity and socid of user).

Parameters
User$userUser to check
string$featuresFeatures to check (it must be module name or $object->element. Can be a 'or' check with 'levela|levelb'. Examples: 'societe', 'contact', 'produit&service', 'produit|service', ...) This is used to check permission $user->rights->features->...
int | string | Object$objectObject or Object ID or list of Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
string$tableandshare'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity for multicompany module. Param not used if objectid is null (optional).
string$feature2Feature to check, second level of permission (optional). Can be a 'or' check with 'sublevela|sublevelb'. This is used to check permission $user->rights->features->feature2...
string$dbt_keyfieldField name for socid foreign key if not fk_soc. Not used if objectid is null (optional). Can use '' if NA.
string$dbt_selectField rowid name, for select into tableandshare if not "rowid". Not used if objectid is null (optional)
int$isdraft1=The object with id=$objectid is a draft
int$modeMode (0=default, 1=return without dying)
Returns
int If mode = 0 (default): Always 1, die process if not allowed. If mode = 1: Return 0 if access not allowed.
See also
dol_check_secure_access_document(), checkUserAccessToObject()

Definition at line 368 of file security.lib.php.

References $object, accessforbidden(), checkUserAccessToObject(), getDolGlobalString(), and GETPOST().