dolibarr  19.0.0-dev
fileupload.php
Go to the documentation of this file.
1 <?php
2 /* Copyright (C) 2011-2012 Regis Houssin <regis.houssin@inodbox.com>
3  * Copyright (C) 2011 Laurent Destailleur <eldy@users.sourceforge.net>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License as published by
7  * the Free Software Foundation; either version 3 of the License, or
8  * (at your option) any later version.
9  *
10  * This program is distributed in the hope that it will be useful,
11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13  * GNU General Public License for more details.
14  *
15  * You should have received a copy of the GNU General Public License
16  * along with this program. If not, see <https://www.gnu.org/licenses/>.
17  */
18 
24 if (!defined('NOREQUIREMENU')) {
25  define('NOREQUIREMENU', '1'); // If there is no menu to show
26 }
27 if (!defined('NOREQUIREHTML')) {
28  define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php
29 }
30 if (!defined('NOREQUIREAJAX')) {
31  define('NOREQUIREAJAX', '1');
32 }
33 if (!defined('NOREQUIRESOC')) {
34  define('NOREQUIRESOC', '1');
35 }
36 
37 // Load Dolibarr environment
38 require '../../main.inc.php';
39 require_once DOL_DOCUMENT_ROOT.'/core/class/fileupload.class.php';
40 require_once DOL_DOCUMENT_ROOT.'/core/class/genericobject.class.php';
41 
42 $id = GETPOST('fk_element', 'int');
43 $element = GETPOST('element', 'alpha'); // 'myobject' (myobject=mymodule) or 'myobject@mymodule' or 'myobject_mysubobject' (myobject=mymodule)
44 $elementupload = $element;
45 
46 // Load object according to $id and $element
47 $object = fetchObjectByElement($id, $element);
48 
49 $module = $object->module;
50 $element = $object->element;
51 
52 $usesublevelpermission = ($module != $element ? $element : '');
53 if ($usesublevelpermission && !isset($user->rights->$module->$element)) { // There is no permission on object defined, we will check permission on module directly
54  $usesublevelpermission = '';
55 }
56 
57 //print 'fileupload.php: '.$object->id.' - '.$object->module.' - '.$object->element.' - '.$object->table_element.' - '.$usesublevelpermission."\n";
58 
59 // Security check
60 if (!empty($user->socid)) {
61  $socid = $user->socid;
62  if (!empty($object->socid) && $socid != $object->socid) {
63  httponly_accessforbidden("Access on object not allowed for this external user."); // This includes the exit.
64  }
65 }
66 
67 $result = restrictedArea($user, $object->module, $object, $object->table_element, $usesublevelpermission, 'fk_soc', 'rowid', 0, 1); // Call with mode return
68 if (!$result) {
69  httponly_accessforbidden('Not allowed by restrictArea (module='.$object->module.' table_element='.$object->table_element.')');
70 }
71 
72 
73 /*
74  * View
75  */
76 
77 $upload_handler = new FileUpload(null, $id, $elementupload);
78 
79 
80 top_httphead();
81 
82 header('Pragma: no-cache');
83 header('Cache-Control: no-store, no-cache, must-revalidate');
84 header('Content-Disposition: inline; filename="files.json"');
85 header('X-Content-Type-Options: nosniff');
86 header('Access-Control-Allow-Origin: *');
87 header('Access-Control-Allow-Methods: OPTIONS, HEAD, GET, POST, PUT, DELETE');
88 header('Access-Control-Allow-Headers: X-File-Name, X-File-Type, X-File-Size');
89 
90 switch ($_SERVER['REQUEST_METHOD']) {
91  case 'OPTIONS':
92  break;
93  case 'HEAD':
94  case 'GET':
95  $upload_handler->get();
96  break;
97  case 'POST':
98  if (isset($_REQUEST['_method']) && $_REQUEST['_method'] === 'DELETE') {
99  $upload_handler->delete();
100  } else {
101  $upload_handler->post();
102  // Note: even if this return an error on 1 file in post(), we will return http code 200 because error must be managed by the caller (some files may be ok and some in error)
103  }
104  break;
105  case 'DELETE':
106  $upload_handler->delete();
107  break;
108  default:
109  header('HTTP/1.0 405 Method Not Allowed');
110  exit;
111 }
112 
113 $db->close();
This class is used to manage file upload using ajax.
GETPOST($paramname, $check='alphanohtml', $method=0, $filter=null, $options=null, $noreplace=0)
Return value of a param into GET or POST supervariable.
fetchObjectByElement($element_id, $element_type, $element_ref='')
Fetch an object from its id and element_type Inclusion of classes is automatic.
if(!defined('NOREQUIREMENU')) if(!empty(GETPOST('seteventmessages', 'alpha'))) if(!function_exists("llxHeader")) top_httphead($contenttype='text/html', $forcenocache=0)
Show HTTP header.
Definition: main.inc.php:1494
restrictedArea(User $user, $features, $object=0, $tableandshare='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid', $isdraft=0, $mode=0)
Check permissions of a user to show a page and an object.
httponly_accessforbidden($message=1, $http_response_code=403, $stringalreadysanitized=0)
Show a message to say access is forbidden and stop program.