dolibarr  20.0.0-alpha
website.inc.php
Go to the documentation of this file.
1 <?php
2 /* Copyright (C) 2017-2024 Laurent Destailleur <eldy@users.sourceforge.net>
3  *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 3 of the License, or
7 * (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program. If not, see <https://www.gnu.org/licenses/>.
16 * or see https://www.gnu.org/
17 */
18 
27 // Load website class
28 include_once DOL_DOCUMENT_ROOT.'/website/class/website.class.php';
29 include_once DOL_DOCUMENT_ROOT.'/website/class/websitepage.class.php';
30 
31 $website = null;
32 $websitepage = null;
33 $weblangs = null;
34 $pagelangs = null;
35 
36 // Detection browser (copy of code from main.inc.php)
37 if (isset($_SERVER["HTTP_USER_AGENT"]) && is_object($conf) && empty($conf->browser->name)) {
38  $tmp = getBrowserInfo($_SERVER["HTTP_USER_AGENT"]);
39  $conf->browser->name = $tmp['browsername'];
40  $conf->browser->os = $tmp['browseros'];
41  $conf->browser->version = $tmp['browserversion'];
42  $conf->browser->layout = $tmp['layout']; // 'classic', 'phone', 'tablet'
43  //var_dump($conf->browser);
44 
45  if ($conf->browser->layout == 'phone') {
46  $conf->dol_no_mouse_hover = 1;
47  }
48 }
49 // Define $website
50 if (!is_object($website)) {
51  $website = new Website($db);
52  $website->fetch(0, $websitekey);
53 }
54 // Define $websitepage if we have $websitepagefile defined
55 if (empty($pageid) && !empty($websitepagefile)) {
56  $pageid = str_replace(array('.tpl.php', 'page'), array('', ''), basename($websitepagefile));
57  if ($pageid == 'index.php') {
58  $pageid = $website->fk_default_home;
59  }
60 }
61 if (!is_object($websitepage)) {
62  $websitepage = new WebsitePage($db);
63 }
64 // Define $weblangs
65 if (!is_object($weblangs)) {
66  $weblangs = new Translate('', $conf);
67 }
68 if (!is_object($pagelangs)) {
69  $pagelangs = new Translate('', $conf);
70 }
71 if (!empty($pageid) && $pageid > 0) {
72  $websitepage->fetch($pageid);
73 
74  // Rule to define weblang of visitor:
75  // 1 - Take parameter lang
76  // 2 - Cookie lang of website (set by a possible js lang selector)
77  // 3 - XX/... found in url page
78  // 4 - auto (so web browser lang)
79  $srclang = GETPOSTISSET('lang') ? GETPOST('lang', 'aZ09') : '';
80  if (empty($srclang)) {
81  $srclang = (empty($_COOKIE['weblangs-shortcode']) ? '' : preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE['weblangs-shortcode']));
82  }
83  if (empty($srclang)) {
84  $reg = array();
85  // With Dolibarr server, url is in parameter pageref
86  if (defined('USEDOLIBARRSERVER') && !empty($_GET['pageref']) && preg_match('/^\/?(\w\w)\//', $_GET['pageref'], $reg) && $reg[1] != 'js') { // We reuse $_GET['pageref'] because $pageref may have been cleaned already from the language code.
87  $srclang = $reg[1];
88  }
89  // With External server, url is in parameter pageref
90  if (defined('USEEXTERNALSERVER') && !empty($_SERVER['PHP_SELF']) && preg_match('/^\/?(\w\w)\//', $_SERVER['PHP_SELF'], $reg) && $reg[1] != 'js') {
91  $srclang = $reg[1];
92  }
93  }
94  if (empty($srclang)) {
95  $srclang= 'auto';
96  }
97  $weblangs->setDefaultLang($srclang);
98 
99  $pagelangs->setDefaultLang($websitepage->lang ? $websitepage->lang : $weblangs->shortlang);
100 
101  if (!defined('USEDOLIBARREDITOR') && (in_array($websitepage->type_container, array('menu', 'other')) || empty($websitepage->status) && !defined('USEDOLIBARRSERVER'))) {
102  $weblangs->load("website");
103 
104  // Security options
105 
106  // X-Content-Type-Options
107  header("X-Content-Type-Options: nosniff");
108 
109  // X-Frame-Options
110  if (empty($websitepage->allowed_in_frames) && !getDolGlobalString('WEBSITE_ALLOW_FRAMES_ON_ALL_PAGES')) {
111  header("X-Frame-Options: SAMEORIGIN");
112  }
113 
114  //httponly_accessforbidden('<center><br><br>'.$weblangs->trans("YouTryToAccessToAFileThatIsNotAWebsitePage", $websitepage->pageurl, $websitepage->type_container, $websitepage->status).'</center>', 404, 1);
115  http_response_code(404);
116  print '<center><br><br>'.$weblangs->trans("YouTryToAccessToAFileThatIsNotAWebsitePage", $websitepage->pageurl, $websitepage->type_container, $websitepage->status).'</center>';
117  exit;
118  }
119 }
120 
121 if (!defined('USEDOLIBARRSERVER') && !defined('USEDOLIBARREDITOR')) {
122  // Security options
123 
124  // X-Content-Type-Options
125  header("X-Content-Type-Options: nosniff");
126 
127  // X-Frame-Options
128  if (empty($websitepage->allowed_in_frames) && !getDolGlobalString('WEBSITE_ALLOW_FRAMES_ON_ALL_PAGES')) {
129  header("X-Frame-Options: SAMEORIGIN");
130  }
131 
132  // X-XSS-Protection
133  //header("X-XSS-Protection: 1"); // XSS filtering protection of some browsers (note: use of Content-Security-Policy is more efficient). Disabled as deprecated.
134 
135  // Content-Security-Policy-Report-Only
136  if (!defined('WEBSITE_MAIN_SECURITY_FORCECSPRO')) {
137  // A default security policy that keep usage of js external component like ckeditor, stripe, google, working
138  // For example: to restrict to only local resources, except for css (cloudflare+google), and js (transifex + google tags) and object/iframe (youtube)
139  // default-src 'self'; style-src: https://cdnjs.cloudflare.com https://fonts.googleapis.com; script-src: https://cdn.transifex.com https://www.googletagmanager.com; object-src https://youtube.com; frame-src https://youtube.com; img-src: *;
140  // For example, to restrict everything to itself except img that can be on other servers:
141  // default-src 'self'; img-src *;
142  // Pre-existing site that uses too much js code to fix but wants to ensure resources are loaded only over https and disable plugins:
143  // default-src https: 'unsafe-inline' 'unsafe-eval'; object-src 'none'
144  //
145  // $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; font-src *; default-src 'self' 'unsafe-inline' 'unsafe-eval' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com;";
146  // $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; font-src *; default-src *; script-src 'self' 'unsafe-inline' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com; style-src 'self' 'unsafe-inline'; connect-src 'self';";
147  $contentsecuritypolicy = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCECSPRO');
148 
149  if (!is_object($hookmanager)) {
150  include_once DOL_DOCUMENT_ROOT.'/core/class/hookmanager.class.php';
151  $hookmanager = new HookManager($db);
152  }
153  $hookmanager->initHooks(array("main"));
154 
155  $parameters = array('contentsecuritypolicy'=>$contentsecuritypolicy, 'mode'=>'reportonly');
156  $result = $hookmanager->executeHooks('setContentSecurityPolicy', $parameters); // Note that $action and $object may have been modified by some hooks
157  if ($result > 0) {
158  $contentsecuritypolicy = $hookmanager->resPrint; // Replace CSP
159  } else {
160  $contentsecuritypolicy .= $hookmanager->resPrint; // Concat CSP
161  }
162 
163  if (!empty($contentsecuritypolicy)) {
164  header("Content-Security-Policy-Report-Only: ".$contentsecuritypolicy);
165  }
166  }
167 
168  // Content-Security-Policy
169  if (!defined('WEBSITE_MAIN_SECURITY_FORCECSP')) {
170  // A default security policy that keep usage of js external component like ckeditor, stripe, google, working
171  // For example: to restrict to only local resources, except for css (cloudflare+google), and js (transifex + google tags) and object/iframe (youtube)
172  // default-src 'self'; style-src: https://cdnjs.cloudflare.com https://fonts.googleapis.com; script-src: https://cdn.transifex.com https://www.googletagmanager.com; object-src https://youtube.com; frame-src https://youtube.com; img-src: *;
173  // For example, to restrict everything to itself except img that can be on other servers:
174  // default-src 'self'; img-src *;
175  // Pre-existing site that uses too much js code to fix but wants to ensure resources are loaded only over https and disable plugins:
176  // default-src https: 'unsafe-inline' 'unsafe-eval'; object-src 'none'
177  //
178  // $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; font-src *; default-src 'self' 'unsafe-inline' 'unsafe-eval' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com;";
179  // $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; font-src *; default-src *; script-src 'self' 'unsafe-inline' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com; style-src 'self' 'unsafe-inline'; connect-src 'self';";
180  $contentsecuritypolicy = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCECSP');
181 
182  if (!is_object($hookmanager)) {
183  include_once DOL_DOCUMENT_ROOT.'/core/class/hookmanager.class.php';
184  $hookmanager = new HookManager($db);
185  }
186  $hookmanager->initHooks(array("main"));
187 
188  $parameters = array('contentsecuritypolicy'=>$contentsecuritypolicy, 'mode'=>'active');
189  $result = $hookmanager->executeHooks('setContentSecurityPolicy', $parameters); // Note that $action and $object may have been modified by some hooks
190  if ($result > 0) {
191  $contentsecuritypolicy = $hookmanager->resPrint; // Replace CSP
192  } else {
193  $contentsecuritypolicy .= $hookmanager->resPrint; // Concat CSP
194  }
195 
196  if (!empty($contentsecuritypolicy)) {
197  header("Content-Security-Policy: ".$contentsecuritypolicy);
198  }
199  }
200 
201  // Referrer-Policy
202  if (!defined('WEBSITE_MAIN_SECURITY_FORCERP')) {
203  // The constant WEBSITE_MAIN_SECURITY_FORCERP should never be defined by page, but the variable used just after may be
204 
205  // For public web sites, we use the same default value than "strict-origin-when-cross-origin"
206  $referrerpolicy = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCERP', "strict-origin-when-cross-origin");
207 
208  header("Referrer-Policy: ".$referrerpolicy);
209  }
210 
211  // Strict-Transport-Security
212  if (!defined('WEBSITE_MAIN_SECURITY_FORCESTS')) {
213  // The constant WEBSITE_MAIN_SECURITY_FORCESTS should never be defined by page, but the variable used just after may be
214 
215  // Example: "max-age=31536000; includeSubDomains"
216  $sts = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCESTS');
217  if (!empty($sts)) {
218  header("Strict-Transport-Security: ".$sts);
219  }
220  }
221 
222  // Permissions-Policy (old name was Feature-Policy)
223  if (!defined('WEBSITE_MAIN_SECURITY_FORCEPP')) {
224  // The constant WEBSITE_MAIN_SECURITY_FORCEPP should never be defined by page, but the variable used just after may be
225 
226  // Example: "camera: 'none'; microphone: 'none';"
227  $pp = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCEPP');
228  if (!empty($pp)) {
229  header("Permissions-Policy: ".$pp);
230  }
231  }
232 }
233 
234 // A lang was forced, so we change weblangs init
235 if (GETPOST('l', 'aZ09')) {
236  $weblangs->setDefaultLang(GETPOST('l', 'aZ09'));
237 }
238 // A lang was forced, so we check to find if we must make a redirect on translation page
239 if ($_SERVER['PHP_SELF'] != DOL_URL_ROOT.'/website/index.php') { // If we browsing page using Dolibarr server or a Native web server
240  //print_r(get_defined_constants(true));exit;
241  if (GETPOST('l', 'aZ09')) {
242  $sql = "SELECT wp.rowid, wp.lang, wp.pageurl, wp.fk_page";
243  $sql .= " FROM ".MAIN_DB_PREFIX."website_page as wp";
244  $sql .= " WHERE wp.fk_website = ".((int) $website->id);
245  $sql .= " AND (wp.fk_page = ".((int) $pageid)." OR wp.rowid = ".((int) $pageid);
246  if (is_object($websitepage) && $websitepage->fk_page > 0) {
247  $sql .= " OR wp.fk_page = ".((int) $websitepage->fk_page)." OR wp.rowid = ".((int) $websitepage->fk_page);
248  }
249  $sql .= ")";
250  $sql .= " AND wp.lang = '".$db->escape(GETPOST('l', 'aZ09'))."'";
251 
252  $resql = $db->query($sql);
253  if ($resql) {
254  $obj = $db->fetch_object($resql);
255  if ($obj) {
256  $newpageid = $obj->rowid;
257  if ($newpageid != $pageid) { // To avoid to make a redirect on same page (infinite loop)
258  if (defined('USEDOLIBARRSERVER')) {
259  header("Location: ".DOL_URL_ROOT.'/public/website/index.php?website='.$websitekey.'&pageid='.$newpageid.'&l='.GETPOST('l', 'aZ09'));
260  exit;
261  } else {
262  $newpageref = $obj->pageurl;
263  header("Location: ".(($obj->lang && $obj->lang != $website->lang) ? '/'.$obj->lang.'/' : '/').$newpageref.'.php?l='.GETPOST('l', 'aZ09'));
264  exit;
265  }
266  }
267  }
268  }
269  }
270 }
271 
272 // Show off line message when all website is off
273 if (!defined('USEDOLIBARREDITOR') && empty($website->status)) {
274  // Security options
275 
276  // X-Content-Type-Options
277  header("X-Content-Type-Options: nosniff");
278 
279  // X-Frame-Options
280  if (empty($websitepage->allowed_in_frames) && !getDolGlobalString('WEBSITE_ALLOW_FRAMES_ON_ALL_PAGES')) {
281  header("X-Frame-Options: SAMEORIGIN");
282  }
283 
284  $weblangs->load("website");
285 
286  //httponly_accessforbidden('<center><br><br>'.$weblangs->trans("SorryWebsiteIsCurrentlyOffLine").'</center>', 503, 1);
287  http_response_code(503);
288  print '<center><br><br>'.$weblangs->trans("SorryWebsiteIsCurrentlyOffLine").'</center>';
289  exit;
290 }
291 
292 
293 // Get session info and obfuscate session cookie and other variables
294 $prefix = dol_getprefix('');
295 $sessionname = 'DOLSESSID_'.$prefix;
296 //$savsessionid = $_COOKIE[$sessionname];
297 
298 $_COOKIE[$sessionname] = 'obfuscatedcookie';
299 unset($conf->file->instance_unique_id);
300 
301 unset($dolibarr_main_instance_unique_id);
302 unset($dolibarr_main_db_host);
303 unset($dolibarr_main_db_port);
304 unset($dolibarr_main_db_name);
305 unset($dolibarr_main_db_user);
306 unset($dolibarr_main_db_pass);
307 unset($$dolibarr_main_db_type);
308 unset($dolibarr_main_document_root);
309 unset($dolibarr_main_document_root_alt);
Class to manage hooks.
Class to manage translations.
Class Website.
Class Websitepage.
if(isModEnabled('invoice') && $user->hasRight('facture', 'lire')) if((isModEnabled('fournisseur') &&!getDolGlobalString('MAIN_USE_NEW_SUPPLIERMOD') && $user->hasRight("fournisseur", "facture", "lire"))||(isModEnabled('supplier_invoice') && $user->hasRight("supplier_invoice", "lire"))) if(isModEnabled('don') && $user->hasRight('don', 'lire')) if(isModEnabled('tax') && $user->hasRight('tax', 'charges', 'lire')) if(isModEnabled('invoice') &&isModEnabled('order') && $user->hasRight("commande", "lire") &&!getDolGlobalString('WORKFLOW_DISABLE_CREATE_INVOICE_FROM_ORDER')) $sql
Social contributions to pay.
Definition: index.php:744
getBrowserInfo($user_agent)
Return information about user browser.
GETPOST($paramname, $check='alphanohtml', $method=0, $filter=null, $options=null, $noreplace=0)
Return value of a param into GET or POST supervariable.
GETPOSTISSET($paramname)
Return true if we are in a context of submitting the parameter $paramname from a POST of a form.
getDolGlobalString($key, $default='')
Return dolibarr global constant string value.