dolibarr 20.0.2
security.lib.php
Go to the documentation of this file.
1<?php
2/* Copyright (C) 2008-2021 Laurent Destailleur <eldy@users.sourceforge.net>
3 * Copyright (C) 2008-2021 Regis Houssin <regis.houssin@inodbox.com>
4 * Copyright (C) 2020 Ferran Marcet <fmarcet@2byte.es>
5 * Copyright (C) 2024 MDW <mdeweerd@users.noreply.github.com>
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program. If not, see <https://www.gnu.org/licenses/>.
19 * or see https://www.gnu.org/
20 */
21
39function dol_encode($chain, $key = '1')
40{
41 if (is_numeric($key) && $key == '1') { // rule 1 is offset of 17 for char
42 $output_tab = array();
43 $strlength = dol_strlen($chain);
44 for ($i = 0; $i < $strlength; $i++) {
45 $output_tab[$i] = chr(ord(substr($chain, $i, 1)) + 17);
46 }
47 $chain = implode("", $output_tab);
48 } elseif ($key) {
49 $result = '';
50 $strlength = dol_strlen($chain);
51 for ($i = 0; $i < $strlength; $i++) {
52 $keychar = substr($key, ($i % strlen($key)) - 1, 1);
53 $result .= chr(ord(substr($chain, $i, 1)) + (ord($keychar) - 65));
54 }
55 $chain = $result;
56 }
57
58 return base64_encode($chain);
59}
60
70function dol_decode($chain, $key = '1')
71{
72 $chain = base64_decode($chain);
73
74 if (is_numeric($key) && $key == '1') { // rule 1 is offset of 17 for char
75 $output_tab = array();
76 $strlength = dol_strlen($chain);
77 for ($i = 0; $i < $strlength; $i++) {
78 $output_tab[$i] = chr(ord(substr($chain, $i, 1)) - 17);
79 }
80
81 $chain = implode("", $output_tab);
82 } elseif ($key) {
83 $result = '';
84 $strlength = dol_strlen($chain);
85 for ($i = 0; $i < $strlength; $i++) {
86 $keychar = substr($key, ($i % strlen($key)) - 1, 1);
87 $result .= chr(ord(substr($chain, $i, 1)) - (ord($keychar) - 65));
88 }
89 $chain = $result;
90 }
91
92 return $chain;
93}
94
101function dolGetRandomBytes($length)
102{
103 if (function_exists('random_bytes')) { // Available with PHP 7 only.
104 return bin2hex(random_bytes((int) floor($length / 2))); // the bin2hex will double the number of bytes so we take length / 2
105 }
106
107 return bin2hex(openssl_random_pseudo_bytes((int) floor($length / 2))); // the bin2hex will double the number of bytes so we take length / 2. May be very slow on Windows.
108}
109
123function dolEncrypt($chain, $key = '', $ciphering = 'AES-256-CTR', $forceseed = '')
124{
125 global $conf;
126 global $dolibarr_disable_dolcrypt_for_debug;
127
128 if ($chain === '' || is_null($chain)) {
129 return '';
130 }
131
132 $reg = array();
133 if (preg_match('/^dolcrypt:([^:]+):(.+)$/', $chain, $reg)) {
134 // The $chain is already a encrypted string
135 return $chain;
136 }
137
138 if (empty($key)) {
139 $key = $conf->file->instance_unique_id;
140 }
141 if (empty($ciphering)) {
142 $ciphering = 'AES-256-CTR';
143 }
144
145 $newchain = $chain;
146
147 if (function_exists('openssl_encrypt') && empty($dolibarr_disable_dolcrypt_for_debug)) {
148 if (empty($key)) {
149 return $chain;
150 }
151
152 $ivlen = 16;
153 if (function_exists('openssl_cipher_iv_length')) {
154 $ivlen = openssl_cipher_iv_length($ciphering);
155 }
156 if ($ivlen === false || $ivlen < 1 || $ivlen > 32) {
157 $ivlen = 16;
158 }
159 if (empty($forceseed)) {
160 $ivseed = dolGetRandomBytes($ivlen);
161 } else {
162 $ivseed = dol_substr(md5($forceseed), 0, $ivlen, 'ascii', 1);
163 }
164
165 $newchain = openssl_encrypt($chain, $ciphering, $key, 0, $ivseed);
166 return 'dolcrypt:'.$ciphering.':'.$ivseed.':'.$newchain;
167 } else {
168 return $chain;
169 }
170}
171
182function dolDecrypt($chain, $key = '')
183{
184 global $conf;
185
186 if ($chain === '' || is_null($chain)) {
187 return '';
188 }
189
190 if (empty($key)) {
191 if (!empty($conf->file->dolcrypt_key)) {
192 // If dolcrypt_key is defined, we used it in priority
193 $key = $conf->file->dolcrypt_key;
194 } else {
195 // We fall back on the instance_unique_id
196 $key = !empty($conf->file->instance_unique_id) ? $conf->file->instance_unique_id : "";
197 }
198 }
199
200 //var_dump('key='.$key);
201 $reg = array();
202 if (preg_match('/^dolcrypt:([^:]+):(.+)$/', $chain, $reg)) {
203 // Do not enable this log, except during debug
204 //dol_syslog("We try to decrypt the chain: ".$chain, LOG_DEBUG);
205
206 $ciphering = $reg[1];
207 if (function_exists('openssl_decrypt')) {
208 if (empty($key)) {
209 dol_syslog("Error dolDecrypt decrypt key is empty", LOG_WARNING);
210 return $chain;
211 }
212 $tmpexplode = explode(':', $reg[2]);
213 if (!empty($tmpexplode[1]) && is_string($tmpexplode[0])) {
214 $newchain = openssl_decrypt($tmpexplode[1], $ciphering, $key, 0, $tmpexplode[0]);
215 } else {
216 $newchain = openssl_decrypt((string) $tmpexplode[0], $ciphering, $key, 0, '');
217 }
218 } else {
219 dol_syslog("Error dolDecrypt openssl_decrypt is not available", LOG_ERR);
220 return $chain;
221 }
222 return $newchain;
223 } else {
224 return $chain;
225 }
226}
227
240function dol_hash($chain, $type = '0', $nosalt = 0)
241{
242 // No need to add salt for password_hash
243 if (($type == '0' || $type == 'auto') && getDolGlobalString('MAIN_SECURITY_HASH_ALGO') && getDolGlobalString('MAIN_SECURITY_HASH_ALGO') == 'password_hash' && function_exists('password_hash')) {
244 return password_hash($chain, PASSWORD_DEFAULT);
245 }
246
247 // Salt value
248 if (getDolGlobalString('MAIN_SECURITY_SALT') && $type != '4' && $type !== 'openldap' && empty($nosalt)) {
249 $chain = getDolGlobalString('MAIN_SECURITY_SALT') . $chain;
250 }
251
252 if ($type == '1' || $type == 'sha1') {
253 return sha1($chain);
254 } elseif ($type == '2' || $type == 'sha1md5') {
255 return sha1(md5($chain));
256 } elseif ($type == '3' || $type == 'md5') { // For hashing with no need of security
257 return md5($chain);
258 } elseif ($type == '4' || $type == 'openldap') {
259 return dolGetLdapPasswordHash($chain, getDolGlobalString('LDAP_PASSWORD_HASH_TYPE', 'md5'));
260 } elseif ($type == '5' || $type == 'sha256') {
261 return hash('sha256', $chain);
262 } elseif ($type == '6' || $type == 'password_hash') {
263 return password_hash($chain, PASSWORD_DEFAULT);
264 } elseif (getDolGlobalString('MAIN_SECURITY_HASH_ALGO') == 'sha1') {
265 return sha1($chain);
266 } elseif (getDolGlobalString('MAIN_SECURITY_HASH_ALGO') == 'sha1md5') {
267 return sha1(md5($chain));
268 }
269
270 // No particular encoding defined, use default
271 return md5($chain);
272}
273
286function dol_verifyHash($chain, $hash, $type = '0')
287{
288 if ($type == '0' && getDolGlobalString('MAIN_SECURITY_HASH_ALGO') && getDolGlobalString('MAIN_SECURITY_HASH_ALGO') == 'password_hash' && function_exists('password_verify')) {
289 if (! empty($hash[0]) && $hash[0] == '$') {
290 return password_verify($chain, $hash);
291 } elseif (dol_strlen($hash) == 32) {
292 return dol_verifyHash($chain, $hash, '3'); // md5
293 } elseif (dol_strlen($hash) == 40) {
294 return dol_verifyHash($chain, $hash, '2'); // sha1md5
295 }
296
297 return false;
298 }
299
300 return dol_hash($chain, $type) == $hash;
301}
302
310function dolGetLdapPasswordHash($password, $type = 'md5')
311{
312 if (empty($type)) {
313 $type = 'md5';
314 }
315
316 $salt = substr(sha1((string) time()), 0, 8);
317
318 if ($type === 'md5') {
319 return '{MD5}' . base64_encode(hash("md5", $password, true)); //For OpenLdap with md5 (based on an unencrypted password in base)
320 } elseif ($type === 'md5frommd5') {
321 return '{MD5}' . base64_encode(hex2bin($password)); // Create OpenLDAP MD5 password from Dolibarr MD5 password
322 } elseif ($type === 'smd5') {
323 return "{SMD5}" . base64_encode(hash("md5", $password . $salt, true) . $salt);
324 } elseif ($type === 'sha') {
325 return '{SHA}' . base64_encode(hash("sha1", $password, true));
326 } elseif ($type === 'ssha') {
327 return "{SSHA}" . base64_encode(hash("sha1", $password . $salt, true) . $salt);
328 } elseif ($type === 'sha256') {
329 return "{SHA256}" . base64_encode(hash("sha256", $password, true));
330 } elseif ($type === 'ssha256') {
331 return "{SSHA256}" . base64_encode(hash("sha256", $password . $salt, true) . $salt);
332 } elseif ($type === 'sha384') {
333 return "{SHA384}" . base64_encode(hash("sha384", $password, true));
334 } elseif ($type === 'ssha384') {
335 return "{SSHA384}" . base64_encode(hash("sha384", $password . $salt, true) . $salt);
336 } elseif ($type === 'sha512') {
337 return "{SHA512}" . base64_encode(hash("sha512", $password, true));
338 } elseif ($type === 'ssha512') {
339 return "{SSHA512}" . base64_encode(hash("sha512", $password . $salt, true) . $salt);
340 } elseif ($type === 'crypt') {
341 return '{CRYPT}' . crypt($password, $salt);
342 } elseif ($type === 'clear') {
343 return '{CLEAR}' . $password; // Just for test, plain text password is not secured !
344 }
345 return "";
346}
347
368function restrictedArea(User $user, $features, $object = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid', $isdraft = 0, $mode = 0)
369{
370 global $hookmanager;
371
372 // Define $objectid
373 if (is_object($object)) {
374 $objectid = $object->id;
375 } else {
376 $objectid = $object; // $objectid can be X or 'X,Y,Z'
377 }
378 if ($objectid == "-1") {
379 $objectid = 0;
380 }
381 if ($objectid) {
382 $objectid = preg_replace('/[^0-9\.\,]/', '', (string) $objectid); // For the case value is coming from a non sanitized user input
383 }
384
385 //dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename, $feature2, $dbt_socfield, $dbt_select, $isdraft");
386 /*print "user_id=".$user->id.", features=".$features.", feature2=".$feature2.", objectid=".$objectid;
387 print ", dbtablename=".$tableandshare.", dbt_socfield=".$dbt_keyfield.", dbt_select=".$dbt_select;
388 print ", perm: user->hasRight(".$features.($feature2 ? ",".$feature2 : "").", lire) = ".($feature2 ? $user->hasRight($features, $feature2, 'lire') : $user->hasRight($features, 'lire'))."<br>";
389 */
390
391 $parentfortableentity = '';
392
393 // Fix syntax of $features param to support non standard module names.
394 $originalfeatures = $features;
395 if ($features == 'agenda') {
396 $tableandshare = 'actioncomm&societe';
397 $feature2 = 'myactions|allactions';
398 $dbt_select = 'id';
399 }
400 if ($features == 'bank') {
401 $features = 'banque';
402 }
403 if ($features == 'facturerec') {
404 $features = 'facture';
405 }
406 if ($features == 'supplier_invoicerec') {
407 $features = 'fournisseur';
408 $feature2 = 'facture';
409 }
410 if ($features == 'mo') {
411 $features = 'mrp';
412 }
413 if ($features == 'member') {
414 $features = 'adherent';
415 }
416 if ($features == 'subscription') {
417 $features = 'adherent';
418 $feature2 = 'cotisation';
419 }
420 if ($features == 'website' && is_object($object) && $object->element == 'websitepage') {
421 $parentfortableentity = 'fk_website@website';
422 }
423 if ($features == 'project') {
424 $features = 'projet';
425 }
426 if ($features == 'product') {
427 $features = 'produit';
428 }
429 if ($features == 'productbatch') {
430 $features = 'produit';
431 }
432 if ($features == 'tax') {
433 $feature2 = 'charges';
434 }
435 if ($features == 'workstation') {
436 $feature2 = 'workstation';
437 }
438 if ($features == 'fournisseur') { // When vendor invoice and purchase order are into module 'fournisseur'
439 $features = 'fournisseur';
440 if (is_object($object) && $object->element == 'invoice_supplier') {
441 $feature2 = 'facture';
442 } elseif (is_object($object) && $object->element == 'order_supplier') {
443 $feature2 = 'commande';
444 }
445 }
446 if ($features == 'payment_sc') {
447 $tableandshare = 'paiementcharge';
448 $parentfortableentity = 'fk_charge@chargesociales';
449 }
450
451 //print $features.' - '.$tableandshare.' - '.$feature2.' - '.$dbt_select."\n";
452
453 // Get more permissions checks from hooks
454 $parameters = array('features' => $features, 'originalfeatures' => $originalfeatures, 'objectid' => $objectid, 'dbt_select' => $dbt_select, 'idtype' => $dbt_select, 'isdraft' => $isdraft);
455 if (!empty($hookmanager)) {
456 $reshook = $hookmanager->executeHooks('restrictedArea', $parameters);
457
458 if (isset($hookmanager->resArray['result'])) {
459 if ($hookmanager->resArray['result'] == 0) {
460 if ($mode) {
461 return 0;
462 } else {
463 accessforbidden(); // Module returns 0, so access forbidden
464 }
465 }
466 }
467 if ($reshook > 0) { // No other test done.
468 return 1;
469 }
470 }
471
472 // Features/modules to check (to support the & and | operator)
473 $featuresarray = array($features);
474 if (preg_match('/&/', $features)) {
475 $featuresarray = explode("&", $features);
476 } elseif (preg_match('/\|/', $features)) {
477 $featuresarray = explode("|", $features);
478 }
479
480 // More subfeatures to check
481 if (!empty($feature2)) {
482 $feature2 = explode("|", $feature2);
483 }
484
485 $listofmodules = explode(',', getDolGlobalString('MAIN_MODULES_FOR_EXTERNAL'));
486
487 // Check read permission from module
488 $readok = 1;
489 $nbko = 0;
490 foreach ($featuresarray as $feature) { // first we check nb of test ko
491 $featureforlistofmodule = $feature;
492 if ($featureforlistofmodule == 'produit') {
493 $featureforlistofmodule = 'product';
494 }
495 if ($featureforlistofmodule == 'supplier_proposal') {
496 $featureforlistofmodule = 'supplierproposal';
497 }
498 if (!empty($user->socid) && getDolGlobalString('MAIN_MODULES_FOR_EXTERNAL') && !in_array($featureforlistofmodule, $listofmodules)) { // If limits on modules for external users, module must be into list of modules for external users
499 $readok = 0;
500 $nbko++;
501 continue;
502 }
503
504 if ($feature == 'societe' && (empty($feature2) || !in_array('contact', $feature2))) {
505 if (!$user->hasRight('societe', 'lire') && !$user->hasRight('fournisseur', 'lire')) {
506 $readok = 0;
507 $nbko++;
508 }
509 } elseif (($feature == 'societe' && (!empty($feature2) && in_array('contact', $feature2))) || $feature == 'contact') {
510 if (!$user->hasRight('societe', 'contact', 'lire')) {
511 $readok = 0;
512 $nbko++;
513 }
514 } elseif ($feature == 'produit|service') {
515 if (!$user->hasRight('produit', 'lire') && !$user->hasRight('service', 'lire')) {
516 $readok = 0;
517 $nbko++;
518 }
519 } elseif ($feature == 'prelevement') {
520 if (!$user->hasRight('prelevement', 'bons', 'lire')) {
521 $readok = 0;
522 $nbko++;
523 }
524 } elseif ($feature == 'cheque') {
525 if (!$user->hasRight('banque', 'cheque')) {
526 $readok = 0;
527 $nbko++;
528 }
529 } elseif ($feature == 'projet') {
530 if (!$user->hasRight('projet', 'lire') && !$user->hasRight('projet', 'all', 'lire')) {
531 $readok = 0;
532 $nbko++;
533 }
534 } elseif ($feature == 'payment') {
535 if (!$user->hasRight('facture', 'lire')) {
536 $readok = 0;
537 $nbko++;
538 }
539 } elseif ($feature == 'payment_supplier') {
540 if (!$user->hasRight('fournisseur', 'facture', 'lire')) {
541 $readok = 0;
542 $nbko++;
543 }
544 } elseif ($feature == 'payment_sc') {
545 if (!$user->hasRight('tax', 'charges', 'lire')) {
546 $readok = 0;
547 $nbko++;
548 }
549 } elseif (!empty($feature2)) { // This is for permissions on 2 levels (module->object->read)
550 $tmpreadok = 1;
551 foreach ($feature2 as $subfeature) {
552 if ($subfeature == 'user' && $user->id == $objectid) {
553 continue; // A user can always read its own card
554 }
555 if ($subfeature == 'fiscalyear' && $user->hasRight('accounting', 'fiscalyear', 'write')) {
556 // only one right for fiscalyear
557 $tmpreadok = 1;
558 continue;
559 }
560 if (!empty($subfeature) && !$user->hasRight($feature, $subfeature, 'lire') && !$user->hasRight($feature, $subfeature, 'read')) {
561 $tmpreadok = 0;
562 } elseif (empty($subfeature) && !$user->hasRight($feature, 'lire') && !$user->hasRight($feature, 'read')) {
563 $tmpreadok = 0;
564 } else {
565 $tmpreadok = 1;
566 break;
567 } // Break is to bypass second test if the first is ok
568 }
569 if (!$tmpreadok) { // We found a test on feature that is ko
570 $readok = 0; // All tests are ko (we manage here the and, the or will be managed later using $nbko).
571 $nbko++;
572 }
573 } elseif (!empty($feature) && ($feature != 'user' && $feature != 'usergroup')) { // This is permissions on 1 level (module->read)
574 if (!$user->hasRight($feature, 'lire')
575 && !$user->hasRight($feature, 'read')
576 && !$user->hasRight($feature, 'run')) {
577 $readok = 0;
578 $nbko++;
579 }
580 }
581 }
582
583 // If a or and at least one ok
584 if (preg_match('/\|/', $features) && $nbko < count($featuresarray)) {
585 $readok = 1;
586 }
587
588 if (!$readok) {
589 if ($mode) {
590 return 0;
591 } else {
593 }
594 }
595 //print "Read access is ok";
596
597 // Check write permission from module (we need to know write permission to create but also to delete drafts record or to upload files)
598 $createok = 1;
599 $nbko = 0;
600 $wemustcheckpermissionforcreate = (GETPOST('sendit', 'alpha') || GETPOST('linkit', 'alpha') || in_array(GETPOST('action', 'aZ09'), array('create', 'update', 'set', 'upload', 'add_element_resource', 'confirm_deletebank', 'confirm_delete_linked_resource')) || GETPOST('roworder', 'alpha', 2));
601 $wemustcheckpermissionfordeletedraft = ((GETPOST("action", "aZ09") == 'confirm_delete' && GETPOST("confirm", "aZ09") == 'yes') || GETPOST("action", "aZ09") == 'delete');
602
603 if ($wemustcheckpermissionforcreate || $wemustcheckpermissionfordeletedraft) {
604 foreach ($featuresarray as $feature) {
605 if ($feature == 'contact') {
606 if (!$user->hasRight('societe', 'contact', 'creer')) {
607 $createok = 0;
608 $nbko++;
609 }
610 } elseif ($feature == 'produit|service') {
611 if (!$user->hasRight('produit', 'creer') && !$user->hasRight('service', 'creer')) {
612 $createok = 0;
613 $nbko++;
614 }
615 } elseif ($feature == 'prelevement') {
616 if (!$user->hasRight('prelevement', 'bons', 'creer')) {
617 $createok = 0;
618 $nbko++;
619 }
620 } elseif ($feature == 'commande_fournisseur') {
621 if (!$user->hasRight('fournisseur', 'commande', 'creer') || !$user->hasRight('supplier_order', 'creer')) {
622 $createok = 0;
623 $nbko++;
624 }
625 } elseif ($feature == 'banque') {
626 if (!$user->hasRight('banque', 'modifier')) {
627 $createok = 0;
628 $nbko++;
629 }
630 } elseif ($feature == 'cheque') {
631 if (!$user->hasRight('banque', 'cheque')) {
632 $createok = 0;
633 $nbko++;
634 }
635 } elseif ($feature == 'import') {
636 if (!$user->hasRight('import', 'run')) {
637 $createok = 0;
638 $nbko++;
639 }
640 } elseif ($feature == 'ecm') {
641 if (!$user->hasRight('ecm', 'upload')) {
642 $createok = 0;
643 $nbko++;
644 }
645 } elseif ($feature == 'modulebuilder') {
646 if (!$user->hasRight('modulebuilder', 'run')) {
647 $createok = 0;
648 $nbko++;
649 }
650 } elseif (!empty($feature2)) { // This is for permissions on 2 levels (module->object->write)
651 foreach ($feature2 as $subfeature) {
652 if ($subfeature == 'user' && $user->id == $objectid && $user->hasRight('user', 'self', 'creer')) {
653 continue; // User can edit its own card
654 }
655 if ($subfeature == 'user' && $user->id == $objectid && $user->hasRight('user', 'self', 'password')) {
656 continue; // User can edit its own password
657 }
658 if ($subfeature == 'user' && $user->id != $objectid && $user->hasRight('user', 'user', 'password')) {
659 continue; // User can edit another user's password
660 }
661
662 if (!$user->hasRight($feature, $subfeature, 'creer')
663 && !$user->hasRight($feature, $subfeature, 'write')
664 && !$user->hasRight($feature, $subfeature, 'create')) {
665 $createok = 0;
666 $nbko++;
667 } else {
668 $createok = 1;
669 // Break to bypass second test if the first is ok
670 break;
671 }
672 }
673 } elseif (!empty($feature)) { // This is for permissions on 1 levels (module->write)
674 //print '<br>feature='.$feature.' creer='.$user->rights->$feature->creer.' write='.$user->rights->$feature->write; exit;
675 if (!$user->hasRight($feature, 'creer')
676 && !$user->hasRight($feature, 'write')
677 && !$user->hasRight($feature, 'create')) {
678 $createok = 0;
679 $nbko++;
680 }
681 }
682 }
683
684 // If a or and at least one ok
685 if (preg_match('/\|/', $features) && $nbko < count($featuresarray)) {
686 $createok = 1;
687 }
688
689 if ($wemustcheckpermissionforcreate && !$createok) {
690 if ($mode) {
691 return 0;
692 } else {
694 }
695 }
696 //print "Write access is ok";
697 }
698
699 // Check create user permission
700 $createuserok = 1;
701 if (GETPOST('action', 'aZ09') == 'confirm_create_user' && GETPOST("confirm", 'aZ09') == 'yes') {
702 if (!$user->hasRight('user', 'user', 'creer')) {
703 $createuserok = 0;
704 }
705
706 if (!$createuserok) {
707 if ($mode) {
708 return 0;
709 } else {
711 }
712 }
713 //print "Create user access is ok";
714 }
715
716 // Check delete permission from module
717 $deleteok = 1;
718 $nbko = 0;
719 if ((GETPOST("action", "aZ09") == 'confirm_delete' && GETPOST("confirm", "aZ09") == 'yes') || GETPOST("action", "aZ09") == 'delete') {
720 foreach ($featuresarray as $feature) {
721 if ($feature == 'bookmark') {
722 if (!$user->hasRight('bookmark', 'supprimer')) {
723 if ($user->id != $object->fk_user || !$user->hasRight('bookmark', 'creer')) {
724 $deleteok = 0;
725 }
726 }
727 } elseif ($feature == 'contact') {
728 if (!$user->hasRight('societe', 'contact', 'supprimer')) {
729 $deleteok = 0;
730 }
731 } elseif ($feature == 'produit|service') {
732 if (!$user->hasRight('produit', 'supprimer') && !$user->hasRight('service', 'supprimer')) {
733 $deleteok = 0;
734 }
735 } elseif ($feature == 'commande_fournisseur') {
736 if (!$user->hasRight('fournisseur', 'commande', 'supprimer')) {
737 $deleteok = 0;
738 }
739 } elseif ($feature == 'payment_supplier') { // Permission to delete a payment of an invoice is permission to edit an invoice.
740 if (!$user->hasRight('fournisseur', 'facture', 'creer')) {
741 $deleteok = 0;
742 }
743 } elseif ($feature == 'payment') {
744 if (!$user->hasRight('facture', 'paiement')) {
745 $deleteok = 0;
746 }
747 } elseif ($feature == 'payment_sc') {
748 if (!$user->hasRight('tax', 'charges', 'creer')) {
749 $deleteok = 0;
750 }
751 } elseif ($feature == 'banque') {
752 if (!$user->hasRight('banque', 'modifier')) {
753 $deleteok = 0;
754 }
755 } elseif ($feature == 'cheque') {
756 if (!$user->hasRight('banque', 'cheque')) {
757 $deleteok = 0;
758 }
759 } elseif ($feature == 'ecm') {
760 if (!$user->hasRight('ecm', 'upload')) {
761 $deleteok = 0;
762 }
763 } elseif ($feature == 'ftp') {
764 if (!$user->hasRight('ftp', 'write')) {
765 $deleteok = 0;
766 }
767 } elseif ($feature == 'salaries') {
768 if (!$user->hasRight('salaries', 'delete')) {
769 $deleteok = 0;
770 }
771 } elseif ($feature == 'adherent') {
772 if (!$user->hasRight('adherent', 'supprimer')) {
773 $deleteok = 0;
774 }
775 } elseif ($feature == 'paymentbybanktransfer') {
776 if (!$user->hasRight('paymentbybanktransfer', 'create')) { // There is no delete permission
777 $deleteok = 0;
778 }
779 } elseif ($feature == 'prelevement') {
780 if (!$user->hasRight('prelevement', 'bons', 'creer')) { // There is no delete permission
781 $deleteok = 0;
782 }
783 } elseif (!empty($feature2)) { // This is for permissions on 2 levels
784 foreach ($feature2 as $subfeature) {
785 if (!$user->hasRight($feature, $subfeature, 'supprimer') && !$user->hasRight($feature, $subfeature, 'delete')) {
786 $deleteok = 0;
787 } else {
788 $deleteok = 1;
789 break;
790 } // For bypass the second test if the first is ok
791 }
792 } elseif (!empty($feature)) { // This is used for permissions on 1 level
793 //print '<br>feature='.$feature.' creer='.$user->rights->$feature->supprimer.' write='.$user->rights->$feature->delete;
794 if (!$user->hasRight($feature, 'supprimer')
795 && !$user->hasRight($feature, 'delete')
796 && !$user->hasRight($feature, 'run')) {
797 $deleteok = 0;
798 }
799 }
800 }
801
802 // If a or and at least one ok
803 if (preg_match('/\|/', $features) && $nbko < count($featuresarray)) {
804 $deleteok = 1;
805 }
806
807 if (!$deleteok && !($isdraft && $createok)) {
808 if ($mode) {
809 return 0;
810 } else {
812 }
813 }
814 //print "Delete access is ok";
815 }
816
817 // If we have a particular object to check permissions on, we check if $user has permission
818 // for this given object (link to company, is contact for project, ...)
819 if (!empty($objectid) && $objectid > 0) {
820 $ok = checkUserAccessToObject($user, $featuresarray, $object, $tableandshare, $feature2, $dbt_keyfield, $dbt_select, $parentfortableentity);
821 $params = array('objectid' => $objectid, 'features' => implode(',', $featuresarray), 'features2' => $feature2);
822 //print 'checkUserAccessToObject ok='.$ok;
823 if ($mode) {
824 return $ok ? 1 : 0;
825 } else {
826 if ($ok) {
827 return 1;
828 } else {
829 accessforbidden('', 1, 1, 0, $params);
830 }
831 }
832 }
833
834 return 1;
835}
836
852function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = '', $dbt_select = 'rowid', $parenttableforentity = '')
853{
854 global $db, $conf;
855
856 if (is_object($object)) {
857 $objectid = $object->id;
858 } else {
859 $objectid = $object; // $objectid can be X or 'X,Y,Z'
860 }
861 $objectid = preg_replace('/[^0-9\.\,]/', '', $objectid); // For the case value is coming from a non sanitized user input
862
863 //dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename, $feature2, $dbt_socfield, $dbt_select, $isdraft");
864 //print "user_id=".$user->id.", features=".join(',', $featuresarray).", objectid=".$objectid;
865 //print ", tableandshare=".$tableandshare.", dbt_socfield=".$dbt_keyfield.", dbt_select=".$dbt_select."<br>";
866
867 // More parameters
868 $params = explode('&', $tableandshare);
869 $dbtablename = (!empty($params[0]) ? $params[0] : '');
870 $sharedelement = (!empty($params[1]) ? $params[1] : $dbtablename);
871
872 foreach ($featuresarray as $feature) {
873 $sql = '';
874
875 //var_dump($feature);exit;
876
877 // For backward compatibility
878 if ($feature == 'societe' && !empty($feature2) && is_array($feature2) && in_array('contact', $feature2)) {
879 $feature = 'contact';
880 $feature2 = '';
881 }
882 if ($feature == 'member') {
883 $feature = 'adherent';
884 }
885 if ($feature == 'project') {
886 $feature = 'projet';
887 }
888 if ($feature == 'task') {
889 $feature = 'projet_task';
890 }
891 if ($feature == 'eventorganization') {
892 $feature = 'agenda';
893 $dbtablename = 'actioncomm';
894 }
895 if ($feature == 'payment_sc' && empty($parenttableforentity)) {
896 // If we check perm on payment page but $parenttableforentity not defined, we force value on parent table
897 $parenttableforentity = '';
898 $dbtablename = "chargesociales";
899 $feature = "chargesociales";
900 $objectid = $object->fk_charge;
901 }
902
903 $checkonentitydone = 0;
904
905 // Array to define rules of checks to do
906 $check = array('adherent', 'banque', 'bom', 'don', 'mrp', 'user', 'usergroup', 'payment', 'payment_supplier', 'payment_sc', 'product', 'produit', 'service', 'produit|service', 'categorie', 'resource', 'expensereport', 'holiday', 'salaries', 'website', 'recruitment', 'chargesociales', 'knowledgemanagement'); // Test on entity only (Objects with no link to company)
907 $checksoc = array('societe'); // Test for object Societe
908 $checkparentsoc = array('agenda', 'contact', 'contrat'); // Test on entity + link to third party on field $dbt_keyfield. Allowed if link is empty (Ex: contacts...).
909 $checkproject = array('projet', 'project'); // Test for project object
910 $checktask = array('projet_task'); // Test for task object
911 $checkhierarchy = array('expensereport', 'holiday'); // check permission among the hierarchy of user
912 $checkuser = array('bookmark'); // check permission among the fk_user (must be myself or null)
913 $nocheck = array('barcode', 'stock'); // No test
914
915 //$checkdefault = 'all other not already defined'; // Test on entity + link to third party on field $dbt_keyfield. Not allowed if link is empty (Ex: invoice, orders...).
916
917 // If dbtablename not defined, we use same name for table than module name
918 if (empty($dbtablename)) {
919 $dbtablename = $feature;
920 $sharedelement = (!empty($params[1]) ? $params[1] : $dbtablename); // We change dbtablename, so we set sharedelement too.
921 }
922
923 // To avoid an access forbidden with a numeric ref
924 if ($dbt_select != 'rowid' && $dbt_select != 'id') {
925 $objectid = "'".$objectid."'"; // Note: $objectid was already cast into int at begin of this method.
926 }
927 // Check permission for objectid on entity only
928 if (in_array($feature, $check) && $objectid > 0) { // For $objectid = 0, no check
929 $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
930 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
931 if (($feature == 'user' || $feature == 'usergroup') && isModEnabled('multicompany')) { // Special for multicompany
932 if (getDolGlobalString('MULTICOMPANY_TRANSVERSE_MODE')) {
933 if ($conf->entity == 1 && $user->admin && !$user->entity) {
934 $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
935 $sql .= " AND dbt.entity IS NOT NULL";
936 } else {
937 $sql .= ",".MAIN_DB_PREFIX."usergroup_user as ug";
938 $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
939 $sql .= " AND ((ug.fk_user = dbt.rowid";
940 $sql .= " AND ug.entity IN (".getEntity('usergroup')."))";
941 $sql .= " OR dbt.entity = 0)"; // Show always superadmin
942 }
943 } else {
944 $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
945 $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
946 }
947 } else {
948 $reg = array();
949 if ($parenttableforentity && preg_match('/(.*)@(.*)/', $parenttableforentity, $reg)) {
950 $sql .= ", ".MAIN_DB_PREFIX.$reg[2]." as dbtp";
951 $sql .= " WHERE dbt.".$reg[1]." = dbtp.rowid AND dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
952 $sql .= " AND dbtp.entity IN (".getEntity($sharedelement, 1).")";
953 } else {
954 $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
955 $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
956 }
957 }
958 $checkonentitydone = 1;
959 }
960 if (in_array($feature, $checksoc) && $objectid > 0) { // We check feature = checksoc. For $objectid = 0, no check
961 // If external user: Check permission for external users
962 if ($user->socid > 0) {
963 if ($user->socid != $objectid) {
964 return false;
965 }
966 } elseif (isModEnabled("societe") && ($user->hasRight('societe', 'lire') && !$user->hasRight('societe', 'client', 'voir'))) {
967 // If internal user: Check permission for internal users that are restricted on their objects
968 $sql = "SELECT COUNT(sc.fk_soc) as nb";
969 $sql .= " FROM (".MAIN_DB_PREFIX."societe_commerciaux as sc";
970 $sql .= ", ".MAIN_DB_PREFIX."societe as s)";
971 $sql .= " WHERE sc.fk_soc IN (".$db->sanitize($objectid, 1).")";
972 $sql .= " AND (sc.fk_user = ".((int) $user->id);
973 if (getDolGlobalInt('MAIN_SEE_SUBORDINATES')) {
974 $userschilds = $user->getAllChildIds();
975 $sql .= " OR sc.fk_user IN (".$db->sanitize(implode(',', $userschilds)).")";
976 }
977 $sql .= ")";
978 $sql .= " AND sc.fk_soc = s.rowid";
979 $sql .= " AND s.entity IN (".getEntity($sharedelement, 1).")";
980 } elseif (isModEnabled('multicompany')) {
981 // If multicompany and internal users with all permissions, check user is in correct entity
982 $sql = "SELECT COUNT(s.rowid) as nb";
983 $sql .= " FROM ".MAIN_DB_PREFIX."societe as s";
984 $sql .= " WHERE s.rowid IN (".$db->sanitize($objectid, 1).")";
985 $sql .= " AND s.entity IN (".getEntity($sharedelement, 1).")";
986 }
987
988 $checkonentitydone = 1;
989 }
990 if (in_array($feature, $checkparentsoc) && $objectid > 0) { // Test on entity + link to thirdparty. Allowed if link is empty (Ex: contacts...).
991 // If external user: Check permission for external users
992 if ($user->socid > 0) {
993 $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
994 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
995 $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
996 $sql .= " AND dbt.fk_soc = ".((int) $user->socid);
997 } elseif (isModEnabled("societe") && ($user->hasRight('societe', 'lire') && !$user->hasRight('societe', 'client', 'voir'))) {
998 // If internal user: Check permission for internal users that are restricted on their objects
999 $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
1000 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
1001 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
1002 $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
1003 $sql .= " AND (dbt.fk_soc IS NULL OR sc.fk_soc IS NOT NULL)"; // Contact not linked to a company or to a company of user
1004 $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
1005 } elseif (isModEnabled('multicompany')) {
1006 // If multicompany and internal users with all permissions, check user is in correct entity
1007 $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
1008 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
1009 $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
1010 $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
1011 }
1012
1013 $checkonentitydone = 1;
1014 }
1015 if (in_array($feature, $checkproject) && $objectid > 0) {
1016 if (isModEnabled('project') && !$user->hasRight('projet', 'all', 'lire')) {
1017 $projectid = $objectid;
1018
1019 include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
1020 $projectstatic = new Project($db);
1021 $tmps = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1, 0);
1022
1023 $tmparray = explode(',', $tmps);
1024 if (!in_array($projectid, $tmparray)) {
1025 return false;
1026 }
1027 } else {
1028 $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
1029 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
1030 $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
1031 $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
1032 }
1033 $checkonentitydone = 1;
1034 }
1035 if (in_array($feature, $checktask) && $objectid > 0) {
1036 if (isModEnabled('project') && !$user->hasRight('projet', 'all', 'lire')) {
1037 $task = new Task($db);
1038 $task->fetch($objectid);
1039 $projectid = $task->fk_project;
1040
1041 include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
1042 $projectstatic = new Project($db);
1043 $tmps = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1, 0);
1044
1045 $tmparray = explode(',', $tmps);
1046 if (!in_array($projectid, $tmparray)) {
1047 return false;
1048 }
1049 } else {
1050 $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
1051 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
1052 $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
1053 $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
1054 }
1055
1056 $checkonentitydone = 1;
1057 }
1058 //var_dump($sql);
1059
1060 if (!$checkonentitydone && !in_array($feature, $nocheck) && $objectid > 0) { // By default (case of $checkdefault), we check on object entity + link to third party on field $dbt_keyfield
1061 // If external user: Check permission for external users
1062 if ($user->socid > 0) {
1063 if (empty($dbt_keyfield)) {
1064 dol_print_error(null, 'Param dbt_keyfield is required but not defined');
1065 }
1066 $sql = "SELECT COUNT(dbt.".$dbt_keyfield.") as nb";
1067 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
1068 $sql .= " WHERE dbt.rowid IN (".$db->sanitize($objectid, 1).")";
1069 $sql .= " AND dbt.".$dbt_keyfield." = ".((int) $user->socid);
1070 } elseif (isModEnabled("societe") && !$user->hasRight('societe', 'client', 'voir')) {
1071 // If internal user without permission to see all thirdparties: Check permission for internal users that are restricted on their objects
1072 if ($feature != 'ticket') {
1073 if (empty($dbt_keyfield)) {
1074 dol_print_error(null, 'Param dbt_keyfield is required but not defined');
1075 }
1076 $sql = "SELECT COUNT(sc.fk_soc) as nb";
1077 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
1078 $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
1079 $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
1080 $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
1081 $sql .= " AND sc.fk_soc = dbt.".$dbt_keyfield;
1082 $sql .= " AND (sc.fk_user = ".((int) $user->id);
1083 if (getDolGlobalInt('MAIN_SEE_SUBORDINATES')) {
1084 $userschilds = $user->getAllChildIds();
1085 foreach ($userschilds as $key => $value) {
1086 $sql .= ' OR sc.fk_user = '.((int) $value);
1087 }
1088 }
1089 $sql .= ')';
1090 } else {
1091 // On ticket, the thirdparty is not mandatory, so we need a special test to accept record with no thirdparties.
1092 $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
1093 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
1094 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON sc.fk_soc = dbt.".$dbt_keyfield." AND sc.fk_user = ".((int) $user->id);
1095 $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
1096 $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
1097 $sql .= " AND (sc.fk_user = ".((int) $user->id)." OR sc.fk_user IS NULL)";
1098 }
1099 } elseif (isModEnabled('multicompany')) {
1100 // If multicompany, and user is an internal user with all permissions, check that object is in correct entity
1101 $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
1102 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
1103 $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
1104 $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
1105 }
1106 }
1107
1108 // For events, check on users assigned to event
1109 if ($feature === 'agenda' && $objectid > 0) {
1110 // Also check owner or attendee for users without allactions->read
1111 if ($objectid > 0 && !$user->hasRight('agenda', 'allactions', 'read')) {
1112 require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php';
1113 $action = new ActionComm($db);
1114 $action->fetch($objectid);
1115 if ($action->authorid != $user->id && $action->userownerid != $user->id && !(array_key_exists($user->id, $action->userassigned))) {
1116 return false;
1117 }
1118 }
1119 }
1120
1121 // For some object, we also have to check it is in the user hierarchy
1122 // Param $object must be the full object and not a simple id to have this test possible.
1123 if (in_array($feature, $checkhierarchy) && is_object($object) && $objectid > 0) {
1124 $childids = $user->getAllChildIds(1);
1125 $useridtocheck = 0;
1126 if ($feature == 'holiday') {
1127 $useridtocheck = $object->fk_user;
1128 if (!$user->hasRight('holiday', 'readall') && !in_array($useridtocheck, $childids) && !in_array($object->fk_validator, $childids)) {
1129 return false;
1130 }
1131 }
1132 if ($feature == 'expensereport') {
1133 $useridtocheck = $object->fk_user_author;
1134 if (!$user->hasRight('expensereport', 'readall')) {
1135 if (!in_array($useridtocheck, $childids)) {
1136 return false;
1137 }
1138 }
1139 }
1140 }
1141
1142 // For some object, we also have to check it is public or owned by user
1143 // Param $object must be the full object and not a simple id to have this test possible.
1144 if (in_array($feature, $checkuser) && is_object($object) && $objectid > 0) {
1145 $useridtocheck = $object->fk_user;
1146 if (!empty($useridtocheck) && $useridtocheck > 0 && $useridtocheck != $user->id && empty($user->admin)) {
1147 return false;
1148 }
1149 }
1150
1151 if ($sql) {
1152 $resql = $db->query($sql);
1153 if ($resql) {
1154 $obj = $db->fetch_object($resql);
1155 if (!$obj || $obj->nb < count(explode(',', $objectid))) { // error if we found 0 or less record than nb of id provided
1156 return false;
1157 }
1158 } else {
1159 dol_syslog("Bad forged sql in checkUserAccessToObject", LOG_WARNING);
1160 return false;
1161 }
1162 }
1163 }
1164
1165 return true;
1166}
1167
1168
1180function httponly_accessforbidden($message = '1', $http_response_code = 403, $stringalreadysanitized = 0)
1181{
1182 top_httphead();
1183 http_response_code($http_response_code);
1184
1185 if ($stringalreadysanitized) {
1186 print $message;
1187 } else {
1188 print htmlentities($message);
1189 }
1190
1191 exit(1);
1192}
1193
1207function accessforbidden($message = '', $printheader = 1, $printfooter = 1, $showonlymessage = 0, $params = null)
1208{
1209 global $conf, $db, $user, $langs, $hookmanager;
1210 global $action, $object;
1211
1212 if (!is_object($langs)) {
1213 include_once DOL_DOCUMENT_ROOT.'/core/class/translate.class.php';
1214 $langs = new Translate('', $conf);
1215 $langs->setDefaultLang();
1216 }
1217
1218 $langs->loadLangs(array("main", "errors"));
1219
1220 if ($printheader && !defined('NOHEADERNOFOOTER')) {
1221 if (function_exists("llxHeader")) {
1222 llxHeader('');
1223 } elseif (function_exists("llxHeaderVierge")) {
1224 llxHeaderVierge('');
1225 }
1226 print '<div style="padding: 20px">';
1227 }
1228 print '<div class="error">';
1229 if (empty($message)) {
1230 print $langs->trans("ErrorForbidden");
1231 } else {
1232 print $langs->trans($message);
1233 }
1234 print '</div>';
1235 print '<br>';
1236 if (empty($showonlymessage)) {
1237 if (empty($hookmanager)) {
1238 include_once DOL_DOCUMENT_ROOT.'/core/class/hookmanager.class.php';
1239 $hookmanager = new HookManager($db);
1240 // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
1241 $hookmanager->initHooks(array('main'));
1242 }
1243
1244 $parameters = array('message' => $message, 'params' => $params);
1245 $reshook = $hookmanager->executeHooks('getAccessForbiddenMessage', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks
1246 print $hookmanager->resPrint;
1247 if (empty($reshook)) {
1248 $langs->loadLangs(array("errors"));
1249 if ($user->login) {
1250 print $langs->trans("CurrentLogin").': <span class="error">'.$user->login.'</span><br>';
1251 print $langs->trans("ErrorForbidden2", $langs->transnoentitiesnoconv("Home"), $langs->transnoentitiesnoconv("Users"));
1252 print $langs->trans("ErrorForbidden4");
1253 } else {
1254 print $langs->trans("ErrorForbidden3");
1255 }
1256 }
1257 }
1258 if ($printfooter && !defined('NOHEADERNOFOOTER') && function_exists("llxFooter")) {
1259 print '</div>';
1260 llxFooter();
1261 }
1262
1263 exit(0);
1264}
1265
1266
1274{
1275 $max = getDolGlobalString('MAIN_UPLOAD_DOC'); // In Kb
1276
1277 $maxphp = @ini_get('upload_max_filesize'); // In unknown
1278 if (preg_match('/k$/i', $maxphp)) {
1279 $maxphp = preg_replace('/k$/i', '', $maxphp);
1280 $maxphp = $maxphp * 1;
1281 }
1282 if (preg_match('/m$/i', $maxphp)) {
1283 $maxphp = preg_replace('/m$/i', '', $maxphp);
1284 $maxphp = $maxphp * 1024;
1285 }
1286 if (preg_match('/g$/i', $maxphp)) {
1287 $maxphp = preg_replace('/g$/i', '', $maxphp);
1288 $maxphp = $maxphp * 1024 * 1024;
1289 }
1290 if (preg_match('/t$/i', $maxphp)) {
1291 $maxphp = preg_replace('/t$/i', '', $maxphp);
1292 $maxphp = $maxphp * 1024 * 1024 * 1024;
1293 }
1294 $maxphp2 = @ini_get('post_max_size'); // In unknown
1295 if (preg_match('/k$/i', $maxphp2)) {
1296 $maxphp2 = preg_replace('/k$/i', '', $maxphp2);
1297 $maxphp2 = $maxphp2 * 1;
1298 }
1299 if (preg_match('/m$/i', $maxphp2)) {
1300 $maxphp2 = preg_replace('/m$/i', '', $maxphp2);
1301 $maxphp2 = $maxphp2 * 1024;
1302 }
1303 if (preg_match('/g$/i', $maxphp2)) {
1304 $maxphp2 = preg_replace('/g$/i', '', $maxphp2);
1305 $maxphp2 = $maxphp2 * 1024 * 1024;
1306 }
1307 if (preg_match('/t$/i', $maxphp2)) {
1308 $maxphp2 = preg_replace('/t$/i', '', $maxphp2);
1309 $maxphp2 = $maxphp2 * 1024 * 1024 * 1024;
1310 }
1311 // Now $max and $maxphp and $maxphp2 are in Kb
1312 $maxmin = $max;
1313 $maxphptoshow = $maxphptoshowparam = '';
1314 if ($maxphp > 0) {
1315 $maxmin = min($maxmin, $maxphp);
1316 $maxphptoshow = $maxphp;
1317 $maxphptoshowparam = 'upload_max_filesize';
1318 }
1319 if ($maxphp2 > 0) {
1320 $maxmin = min($maxmin, $maxphp2);
1321 if ($maxphp2 < $maxphp) {
1322 $maxphptoshow = $maxphp2;
1323 $maxphptoshowparam = 'post_max_size';
1324 }
1325 }
1326 //var_dump($maxphp.'-'.$maxphp2);
1327 //var_dump($maxmin);
1328
1329 return array('max' => $max, 'maxmin' => $maxmin, 'maxphptoshow' => $maxphptoshow, 'maxphptoshowparam' => $maxphptoshowparam);
1330}
if( $user->socid > 0) if(! $user->hasRight('accounting', 'chartofaccount')) $object
Definition card.php:58
if(!defined( 'NOTOKENRENEWAL')) if(!defined('NOREQUIREMENU')) if(!defined( 'NOREQUIREHTML')) if(!defined('NOREQUIREAJAX')) if(!defined( 'NOLOGIN')) if(!defined('NOCSRFCHECK')) if(!defined( 'NOIPCHECK')) llxHeaderVierge()
Header function.
if(!defined('NOREQUIRESOC')) if(!defined( 'NOREQUIRETRAN')) if(!defined('NOTOKENRENEWAL')) if(!defined( 'NOREQUIREMENU')) if(!defined('NOREQUIREHTML')) if(!defined( 'NOREQUIREAJAX')) llxHeader()
Empty header.
Definition wrapper.php:55
llxFooter()
Empty footer.
Definition wrapper.php:69
Class to manage agenda events (actions)
Class to manage hooks.
Class to manage projects.
Class to manage tasks.
Class to manage translations.
Class to manage Dolibarr users.
dol_strlen($string, $stringencoding='UTF-8')
Make a strlen call.
getDolGlobalInt($key, $default=0)
Return a Dolibarr global constant int value.
dol_substr($string, $start, $length=null, $stringencoding='', $trunconbytes=0)
Make a substring.
GETPOST($paramname, $check='alphanohtml', $method=0, $filter=null, $options=null, $noreplace=0)
Return value of a param into GET or POST supervariable.
dol_print_error($db=null, $error='', $errors=null)
Displays error message system with all the information to facilitate the diagnosis and the escalation...
getDolGlobalString($key, $default='')
Return dolibarr global constant string value.
dol_syslog($message, $level=LOG_INFO, $ident=0, $suffixinfilename='', $restricttologhandler='', $logcontext=null)
Write log message into outputs.
if(!defined( 'NOREQUIREMENU')) if(!empty(GETPOST('seteventmessages', 'alpha'))) if(!function_exists("llxHeader")) top_httphead($contenttype='text/html', $forcenocache=0)
Show HTTP header.
dolEncrypt($chain, $key='', $ciphering='AES-256-CTR', $forceseed='')
Encode a string with a symmetric encryption.
dolGetRandomBytes($length)
Return a string of random bytes (hexa string) with length = $length for cryptographic purposes.
httponly_accessforbidden($message='1', $http_response_code=403, $stringalreadysanitized=0)
Show a message to say access is forbidden and stop program.
dol_encode($chain, $key='1')
Encode a string with base 64 algorithm + specific delta change.
checkUserAccessToObject($user, array $featuresarray, $object=0, $tableandshare='', $feature2='', $dbt_keyfield='', $dbt_select='rowid', $parenttableforentity='')
Check that access by a given user to an object is ok.
dol_verifyHash($chain, $hash, $type='0')
Compute a hash and compare it to the given one For backward compatibility reasons,...
getMaxFileSizeArray()
Return the max allowed for file upload.
restrictedArea(User $user, $features, $object=0, $tableandshare='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid', $isdraft=0, $mode=0)
Check permissions of a user to show a page and an object.
dol_decode($chain, $key='1')
Decode a base 64 encoded + specific delta change.
dolGetLdapPasswordHash($password, $type='md5')
Returns a specific ldap hash of a password.
dolDecrypt($chain, $key='')
Decode a string with a symmetric encryption.
dol_hash($chain, $type='0', $nosalt=0)
Returns a hash (non reversible encryption) of a string.
accessforbidden($message='', $printheader=1, $printfooter=1, $showonlymessage=0, $params=null)
Show a message to say access is forbidden and stop program.