dolibarr  21.0.0-alpha
fileserver.php
Go to the documentation of this file.
1 <?php
2 /* Copyright (C) 2018 Destailleur Laurent <eldy@users.sourceforge.net>
3  * Copyright (C) 2019 Regis Houssin <regis.houssin@inodbox.com>
4  * Copyright (C) 2024 MDW <mdeweerd@users.noreply.github.com>
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 3 of the License, or
9  * (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program. If not, see <https://www.gnu.org/licenses/>.
18  *
19  * You can test with the WebDav client cadaver:
20  * cadaver http://myurl/dav/fileserver.php
21  */
22 
29 if (!defined('NOTOKENRENEWAL')) {
30  define('NOTOKENRENEWAL', '1');
31 }
32 if (!defined('NOREQUIREMENU')) {
33  define('NOREQUIREMENU', '1'); // If there is no menu to show
34 }
35 if (!defined('NOREQUIREHTML')) {
36  define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php
37 }
38 if (!defined('NOREQUIREAJAX')) {
39  define('NOREQUIREAJAX', '1');
40 }
41 if (!defined('NOLOGIN')) {
42  define("NOLOGIN", 1); // This means this output page does not require to be logged.
43 }
44 if (!defined('NOCSRFCHECK')) {
45  define("NOCSRFCHECK", 1); // We accept to go on this page from external web site.
46 }
47 
48 require "../main.inc.php";
49 require_once DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php';
50 require_once DOL_DOCUMENT_ROOT.'/core/class/html.formcompany.class.php';
51 require_once DOL_DOCUMENT_ROOT.'/dav/dav.class.php';
52 require_once DOL_DOCUMENT_ROOT.'/dav/dav.lib.php';
53 
54 require_once DOL_DOCUMENT_ROOT.'/includes/sabre/autoload.php';
55 //require_once DOL_DOCUMENT_ROOT.'/includes/autoload.php';
56 
57 
58 $user = new User($db);
59 if (isset($_SERVER['PHP_AUTH_USER']) && $_SERVER['PHP_AUTH_USER'] != '') {
60  $user->fetch('', $_SERVER['PHP_AUTH_USER']);
61  $user->getrights();
62 }
63 
64 // Load translation files required by the page
65 $langs->loadLangs(array("main", "other"));
66 
67 
68 if (empty($conf->dav->enabled)) {
70 }
71 
72 // Restrict API to some IPs
73 if (getDolGlobalString('DAV_RESTRICT_ON_IP')) {
74  $allowedip = explode(' ', getDolGlobalString('DAV_RESTRICT_ON_IP'));
75  $ipremote = getUserRemoteIP();
76  if (!in_array($ipremote, $allowedip)) {
77  dol_syslog('Remote ip is '.$ipremote.', not into list ' . getDolGlobalString('DAV_RESTRICT_ON_IP'));
78  print 'DAV not allowed from the IP '.$ipremote;
79  header('HTTP/1.1 503 DAV not allowed from your IP '.$ipremote);
80  exit(0);
81  }
82 }
83 
84 
85 $entity = (GETPOSTINT('entity') ? GETPOSTINT('entity') : (!empty($conf->entity) ? $conf->entity : 1));
86 
87 // settings
88 $publicDir = $conf->dav->multidir_output[$entity].'/public';
89 $privateDir = $conf->dav->multidir_output[$entity].'/private';
90 $ecmDir = $conf->ecm->multidir_output[$entity];
91 $tmpDir = $conf->dav->multidir_output[$entity]; // We need root dir, not a dir that can be deleted
92 //var_dump($tmpDir);mkdir($tmpDir);exit;
93 
94 
95 // Authentication callback function
96 $authBackend = new \Sabre\DAV\Auth\Backend\BasicCallBack(
102  static function ($username, $password) {
103  global $user, $conf;
104  global $dolibarr_main_authentication, $dolibarr_auto_user;
105 
106  if (empty($user->login)) {
107  dol_syslog("Failed to authenticate to DAV, login is not provided", LOG_WARNING);
108  return false;
109  }
110  if ($user->socid > 0) {
111  dol_syslog("Failed to authenticate to DAV, user is an external user", LOG_WARNING);
112  return false;
113  }
114  if ($user->login != $username) {
115  dol_syslog("Failed to authenticate to DAV, login does not match the login of loaded user", LOG_WARNING);
116  return false;
117  }
118 
119  // Authentication mode
120  if (empty($dolibarr_main_authentication)) {
121  $dolibarr_main_authentication = 'dolibarr';
122  }
123 
124  // Authentication mode: forceuser
125  if ($dolibarr_main_authentication == 'forceuser') {
126  if (empty($dolibarr_auto_user)) {
127  $dolibarr_auto_user = 'auto';
128  }
129  if ($dolibarr_auto_user != $username) {
130  dol_syslog("Warning: your instance is set to use the automatic forced login '".$dolibarr_auto_user."' that is not the requested login. DAV usage is forbidden in this mode.");
131  return false;
132  }
133  }
134 
135  $authmode = explode(',', $dolibarr_main_authentication);
136  $entity = (GETPOSTINT('entity') ? GETPOSTINT('entity') : (!empty($conf->entity) ? $conf->entity : 1));
137 
138  if (checkLoginPassEntity($username, $password, $entity, $authmode, 'dav') != $username) {
139  return false;
140  }
141 
142  // Check if user status is enabled
143  if ($user->statut != $user::STATUS_ENABLED) {
144  // Status is disabled
145  dol_syslog("The user has been disabled.");
146  return false;
147  }
148 
149  // Check if session was unvalidated by a password change
150  if (($user->flagdelsessionsbefore && !empty($_SESSION["dol_logindate"]) && $user->flagdelsessionsbefore > $_SESSION["dol_logindate"])) {
151  // Session is no more valid
152  dol_syslog("The user has a date for session invalidation = ".$user->flagdelsessionsbefore." and a session date = ".$_SESSION["dol_logindate"].". We must invalidate its sessions.");
153  return false;
154  }
155 
156  // Check date validity
157  if ($user->isNotIntoValidityDateRange()) {
158  // User validity dates are no more valid
159  dol_syslog("The user login has a validity between [".$user->datestartvalidity." and ".$user->dateendvalidity."], current date is ".dol_now());
160  return false;
161  }
162 
163  return true;
164  }
165 );
166 
167 $authBackend->setRealm(constant('DOL_APPLICATION_TITLE').' - WebDAV');
168 
169 
170 
171 
172 
173 /*
174  * Actions and View
175  */
176 
177 // Create the root node
178 // Setting up the directory tree //
179 $nodes = array();
180 
181 // Enable directories and features according to DAV setup
182 // Public dir
183 if (getDolGlobalString('DAV_ALLOW_PUBLIC_DIR')) {
184  $nodes[] = new \Sabre\DAV\FS\Directory($publicDir);
185 }
186 // Private dir
187 $nodes[] = new \Sabre\DAV\FS\Directory($privateDir);
188 // ECM dir
189 if (isModEnabled('ecm') && getDolGlobalString('DAV_ALLOW_ECM_DIR')) {
190  $nodes[] = new \Sabre\DAV\FS\Directory($ecmDir);
191 }
192 
193 
194 
195 // Principals Backend
196 //$principalBackend = new \Sabre\DAVACL\PrincipalBackend\Dolibarr($user,$db);
197 // /principals
198 //$nodes[] = new \Sabre\DAVACL\PrincipalCollection($principalBackend);
199 // CardDav & CalDav Backend
200 //$carddavBackend = new \Sabre\CardDAV\Backend\Dolibarr($user,$db,$langs);
201 //$caldavBackend = new \Sabre\CalDAV\Backend\Dolibarr($user,$db,$langs, $cdavLib);
202 // /addressbook
203 //$nodes[] = new \Sabre\CardDAV\AddressBookRoot($principalBackend, $carddavBackend);
204 // /calendars
205 //$nodes[] = new \Sabre\CalDAV\CalendarRoot($principalBackend, $caldavBackend);
206 
207 
208 // The rootnode needs in turn to be passed to the server class
209 $server = new \Sabre\DAV\Server($nodes);
210 
211 // If you want to run the SabreDAV server in a custom location (using mod_rewrite for instance)
212 // You can override the baseUri here.
213 $baseUri = DOL_URL_ROOT.'/dav/fileserver.php/';
214 if (isset($baseUri)) {
215  $server->setBaseUri($baseUri);
216 }
217 
218 // Add authentication function
219 if ((!getDolGlobalString('DAV_ALLOW_PUBLIC_DIR')
220  || !preg_match('/'.preg_quote(DOL_URL_ROOT.'/dav/fileserver.php/public', '/').'/', $_SERVER["PHP_SELF"]))
221  && !preg_match('/^sabreAction=asset&assetName=[a-zA-Z0-9%\-\/]+\.(png|css|woff|ico|ttf)$/', $_SERVER["QUERY_STRING"]) // URL for Sabre browser resources
222 ) {
223  //var_dump($_SERVER["QUERY_STRING"]);exit;
224  $server->addPlugin(new \Sabre\DAV\Auth\Plugin($authBackend));
225 }
226 // Support for LOCK and UNLOCK
227 $lockBackend = new \Sabre\DAV\Locks\Backend\File($tmpDir.'/.locksdb');
228 $lockPlugin = new \Sabre\DAV\Locks\Plugin($lockBackend);
229 $server->addPlugin($lockPlugin);
230 
231 // Support for the html browser
232 if (!getDolGlobalString('DAV_DISABLE_BROWSER')) {
233  $browser = new \Sabre\DAV\Browser\Plugin();
234  $server->addPlugin($browser);
235 }
236 
237 // Automatically guess (some) contenttypes, based on extension
238 //$server->addPlugin(new \Sabre\DAV\Browser\GuessContentType());
239 
240 //$server->addPlugin(new \Sabre\CardDAV\Plugin());
241 //$server->addPlugin(new \Sabre\CalDAV\Plugin());
242 //$server->addPlugin(new \Sabre\DAVACL\Plugin());
243 
244 // Temporary file filter
245 /*$tempFF = new \Sabre\DAV\TemporaryFileFilterPlugin($tmpDir);
246 $server->addPlugin($tempFF);
247 */
248 
249 // And off we go!
250 $server->start();
251 
252 if (is_object($db)) {
253  $db->close();
254 }
Class to manage Dolibarr users.
Definition: user.class.php:50
GETPOSTINT($paramname, $method=0)
Return the value of a $_GET or $_POST supervariable, converted into integer.
dol_now($mode='auto')
Return date for now.
getDolGlobalString($key, $default='')
Return dolibarr global constant string value.
getUserRemoteIP()
Return the IP of remote user.
isModEnabled($module)
Is Dolibarr module enabled.
dol_syslog($message, $level=LOG_INFO, $ident=0, $suffixinfilename='', $restricttologhandler='', $logcontext=null)
Write log message into outputs.
if(!defined( 'CSRFCHECK_WITH_TOKEN'))
checkLoginPassEntity($usertotest, $passwordtotest, $entitytotest, $authmode, $context='')
Return a login if login/pass was successful.
accessforbidden($message='', $printheader=1, $printfooter=1, $showonlymessage=0, $params=null)
Show a message to say access is forbidden and stop program.