26require_once DOL_DOCUMENT_ROOT .
'/core/lib/files.lib.php';
52 public $fullpath_original_file;
57 public $fullpath_original_file_osencoded;
67 public $original_file;
82 global
$conf, $hookmanager, $user;
84 define(
'MAIN_SECURITY_FORCECSP',
"default-src 'none'");
86 if (!defined(
'NOREQUIRESOC')) {
87 define(
'NOREQUIRESOC',
'1');
89 if (!defined(
'NOREQUIRETRAN')) {
90 define(
'NOREQUIRETRAN',
'1');
92 if (!defined(
'NOCSRFCHECK')) {
93 define(
'NOCSRFCHECK',
'1');
95 if (!defined(
'NOTOKENRENEWAL')) {
96 define(
'NOTOKENRENEWAL',
'1');
98 if (!defined(
'NOREQUIREMENU')) {
99 define(
'NOREQUIREMENU',
'1');
101 if (!defined(
'NOREQUIREHTML')) {
102 define(
'NOREQUIREHTML',
'1');
104 if (!defined(
'NOREQUIREAJAX')) {
105 define(
'NOREQUIREAJAX',
'1');
111 $entity = (!empty($_GET[
'entity']) ? (int) $_GET[
'entity'] : (!empty($_POST[
'entity']) ? (int) $_POST[
'entity'] : 1));
112 define(
"DOLENTITY", $entity);
116 $action =
GETPOST(
'action',
'aZ09');
117 $original_file =
GETPOST(
'file',
'alphanohtml');
118 $hashp =
GETPOST(
'hashp',
'aZ09', 1);
119 $extname =
GETPOST(
'extname',
'alpha', 1);
120 $modulepart =
GETPOST(
'modulepart',
'alpha', 1);
121 $urlsource =
GETPOST(
'urlsource',
'alpha');
125 if (empty($modulepart) && empty($hashp)) {
128 if (empty($original_file) && empty($hashp) && $modulepart !=
'barcode') {
131 if ($modulepart ==
'fckeditor') {
132 $modulepart =
'medias';
135 $cachestring =
GETPOST(
"cache",
'aZ09');
141 $delaycache = ((is_numeric($cachestring) && (int) $cachestring > 1 && (
int) $cachestring < 999999) ? $cachestring :
'3600');
142 header(
'Cache-Control: max-age=' . $delaycache .
', public, must-revalidate');
143 header(
'Pragma: cache');
144 header(
'Expires: ' . gmdate(
'D, d M Y H:i:s', time() + (
int) $delaycache) .
' GMT');
148 $type =
'application/octet-stream';
149 if (
GETPOST(
'type',
'alpha')) {
150 $type =
GETPOST(
'type',
'alpha');
156 if (preg_match(
'/html/i', $type)) {
160 if (preg_match(
'/\.noexe$/i', $original_file)) {
165 $original_file = preg_replace(
'/\.\.+/',
'..', $original_file);
166 $original_file = str_replace(
'../',
'/', $original_file);
167 $original_file = str_replace(
'..\\',
'/', $original_file);
170 $refname = basename(dirname($original_file) .
"/");
171 if ($refname ==
'thumbs') {
173 $refname = basename(dirname(dirname($original_file)) .
"/");
182 if (empty($modulepart)) {
188 if ($modulepart ===
'medias' && $entity !=
$conf->entity) {
189 $conf->entity = $entity;
190 $conf->setValues($this->db);
193 $sqlprotectagainstexternals =
'';
194 $fullpath_original_file =
'';
198 $hookmanager->initHooks(array(
'viewimage'));
199 $parameters = array(
'modulepart' => $modulepart,
'original_file' => &$original_file,
200 'sqlprotectagainstexternals' => &$sqlprotectagainstexternals,
'fullpath_original_file' => &$fullpath_original_file,
201 'entity' => $entity,
'accessallowed' => &$accessallowed);
203 $reshook = $hookmanager->executeHooks(
'accessViewImage', $parameters,
$object, $action);
205 $errors = $hookmanager->error . (is_array($hookmanager->errors) ? (!empty($hookmanager->error) ?
', ' :
'') . implode(
', ', $hookmanager->errors) :
'');
206 dol_syslog(
"document.php - Errors when executing the hook 'accessViewImage' : " . $errors);
207 print
"ErrorViewImageHooks: " . $errors;
209 } elseif (empty($reshook)) {
211 $accessallowed = $check_access[
'accessallowed'];
212 $sqlprotectagainstexternals = $check_access[
'sqlprotectagainstexternals'];
213 $fullpath_original_file = $check_access[
'original_file'];
216 if (!empty($hashp)) {
218 $sqlprotectagainstexternals =
'';
221 if ($user->socid > 0) {
222 if ($sqlprotectagainstexternals) {
223 $resql = $this->db->query($sqlprotectagainstexternals);
225 $num = $this->db->num_rows($resql);
228 $obj = $this->db->fetch_object($resql);
229 if ($user->socid != $obj->fk_soc) {
242 if (!$accessallowed) {
248 if (preg_match(
'/\.\./', $fullpath_original_file) || preg_match(
'/[<>|]/', $fullpath_original_file)) {
249 dol_syslog(
"Refused to deliver file " . $fullpath_original_file);
255 $refname = basename(dirname($original_file) .
"/");
257 $filename = basename($fullpath_original_file);
258 $filename = preg_replace(
'/\.noexe$/i',
'', $filename);
261 dol_syslog(
"document controller download $fullpath_original_file filename=$filename content-type=$type");
262 $fullpath_original_file_osencoded =
dol_osencode($fullpath_original_file);
265 if (!file_exists($fullpath_original_file_osencoded)) {
266 dol_syslog(
"ErrorFileDoesNotExists: " . $fullpath_original_file);
267 print
"ErrorFileDoesNotExists: " . $original_file;
272 $fileSizeMax =
getDolGlobalInt(
'MAIN_SECURITY_MAXFILESIZE_DOWNLOADED');
273 if ($fileSizeMax && $fileSize > $fileSizeMax) {
274 dol_syslog(
'ErrorFileSizeTooLarge: ' . $fileSize);
275 print
'ErrorFileSizeTooLarge: ' . $fileSize .
' (max ' . $fileSizeMax .
' Kb)';
280 $hookmanager->initHooks(array(
'document'));
281 $parameters = array(
'modulepart' => $modulepart,
'original_file' => $original_file,
282 'entity' => $entity,
'refname' => $refname,
'fullpath_original_file' => $fullpath_original_file,
283 'filename' => $filename,
'fullpath_original_file_osencoded' => $fullpath_original_file_osencoded);
285 $reshook = $hookmanager->executeHooks(
'viewImage', $parameters,
$object, $action);
287 $errors = $hookmanager->error . (is_array($hookmanager->errors) ? (!empty($hookmanager->error) ?
', ' :
'') . implode(
', ', $hookmanager->errors) :
'');
288 dol_syslog(
"document.php - Errors when executing the hook 'viewImage' : " . $errors);
289 print
"ErrorViewImageHooks: " . $errors;
294 $this->entity = $entity;
295 $this->filename = $filename;
296 $this->fullpath_original_file = $fullpath_original_file;
297 $this->fullpath_original_file_osencoded = $fullpath_original_file_osencoded;
298 $this->modulepart = $modulepart;
299 $this->original_file = $original_file;
310 $this->accessRight =
true;
312 return parent::checkAccess();
324 if (!
$context->controllerInstance->checkAccess()) {
348 if (!
$context->controllerInstance->checkAccess()) {
354 $modulepart = $this->modulepart;
355 $fullpath_original_file = $this->fullpath_original_file;
356 $fullpath_original_file_osencoded = $this->fullpath_original_file_osencoded;
359 if ($modulepart ==
'barcode') {
360 $generator =
GETPOST(
"generator",
"aZ09");
361 $encoding =
GETPOST(
"encoding",
"aZ09");
362 $readable =
GETPOST(
"readable",
'aZ09') ?
GETPOST(
"readable",
"aZ09") :
"Y";
363 if (in_array($encoding, array(
'EAN8',
'EAN13'))) {
364 $code =
GETPOST(
"code",
'alphanohtml');
366 $code =
GETPOST(
"code",
'restricthtml');
371 if (preg_match(
'/^virtualcard_([^_]+)_(\d+)\.vcf$/', $code, $reg)) {
375 if ($reg[1] ==
'user' && (
int) $reg[2] > 0) {
376 $vcffile =
$conf->user->dir_temp .
'/' . $code;
378 $tmpuser =
new User($this->db);
379 $tmpuser->fetch(
$id);
380 $login = $tmpuser->login;
381 } elseif ($reg[1] ==
'contact' && (
int) $reg[2] > 0) {
382 $vcffile =
$conf->contact->dir_temp .
'/' . $code;
387 if ($vcffile &&
$id) {
390 if ($reg[1] ==
'user' && (
int) $reg[2] > 0) {
391 $encodedsecurekey =
dol_hash(
$conf->file->instance_unique_id .
'uservirtualcard' .
$id .
'-' . $login,
'md5');
392 if ($encodedsecurekey !=
GETPOST(
'securekey')) {
393 $code =
'badvalueforsecurekey';
397 $code = file_get_contents($vcffile);
403 if (empty($generator) || empty($encoding)) {
404 print
'Error: Parameter "generator" or "encoding" not defined';
408 $dirbarcode = array_merge(array(
"/core/modules/barcode/doc/"),
$conf->modules_parts[
'barcode']);
412 foreach ($dirbarcode as $reldir) {
417 if (!is_dir($newdir)) {
421 $result = @include_once $newdir . $generator .
'.modules.php';
428 $classname =
"mod" . ucfirst($generator);
430 $module =
new $classname($this->db);
431 '@phan-var-force ModeleBarCode $module';
433 if ($module->encodingIsSupported($encoding)) {
434 $result = $module->buildBarCode($code, $encoding, $readable);
440 $filename = basename($fullpath_original_file);
443 dol_syslog(
"viewimage.php return file $fullpath_original_file filename=$filename content-type=$type");
456 header(
'Content-Disposition: inline; filename="' . basename($fullpath_original_file) .
'"');
459 header(
'Content-Disposition: inline; filename="' . basename($fullpath_original_file) .
'"');
462 $fullpath_original_file_osencoded =
dol_osencode($fullpath_original_file);
464 readfile($fullpath_original_file_osencoded);
$id
Support class for third parties, contacts, members, users or resources.
if(! $sortfield) if(! $sortorder) $object
static getInstance()
Singleton method to create one instance of this object.
static getRootConfigUrl()
Get WebPortal root url.
display404()
Display error template.
Class to manage Dolibarr users.
Class for ViewImageController.
checkAccess()
Check current access to controller.
action()
Action method is called before html output can be used to manage security and change context.
dol_filesize($pathoffile)
Return size of a file.
dol_check_secure_access_document($modulepart, $original_file, $entity, $fuser=null, $refname='', $mode='read')
Security check when accessing to a document (used by document.php, viewimage.php and webservices to g...
dol_is_file($pathoffile)
Return if path is a file.
dol_mimetype($file, $default='application/octet-stream', $mode=0)
Return MIME type of a file from its name with extension.
GETPOSTINT($paramname, $method=0)
Return the value of a $_GET or $_POST supervariable, converted into integer.
dol_osencode($str)
Return a string encoded into OS filesystem encoding.
getDolGlobalInt($key, $default=0)
Return a Dolibarr global constant int value.
GETPOST($paramname, $check='alphanohtml', $method=0, $filter=null, $options=null, $noreplace=0)
Return value of a param into GET or POST supervariable.
dolIsAllowedForPreview($file)
Return if a file is qualified for preview.
dol_buildpath($path, $type=0, $returnemptyifnotfound=0)
Return path of url or filesystem.
dol_syslog($message, $level=LOG_INFO, $ident=0, $suffixinfilename='', $restricttologhandler='', $logcontext=null)
Write log message into outputs.
dol_escape_htmltag($stringtoescape, $keepb=0, $keepn=0, $noescapetags='', $escapeonlyhtmltags=0, $cleanalsojavascript=0)
Returns text escaped for inclusion in HTML alt or title or value tags, or into values of HTML input f...
if(!defined( 'NOREQUIREMENU')) if(!empty(GETPOST('seteventmessages', 'alpha'))) if(!function_exists("llxHeader")) top_httphead($contenttype='text/html', $forcenocache=0)
Show HTTP header.
$context
@method int call_trigger(string $triggerName, ?User $user)
if(preg_match('/(crypted|dolcrypt):/i', $dolibarr_main_db_pass)||!empty($dolibarr_main_db_encrypted_pass)) $conf db type
'integer', 'integer:ObjectClass:PathToClass[:AddCreateButtonOrNot[:Filter[:Sortfield]]]',...
httponly_accessforbidden($message='1', $http_response_code=403, $stringalreadysanitized=0)
Show a message to say access is forbidden and stop program.
accessforbidden($message='', $printheader=1, $printfooter=1, $showonlymessage=0, $params=null)
Show a message to say access is forbidden and stop program.
dol_hash($chain, $type='0', $nosalt=0, $mode=0)
Returns a hash (non reversible encryption) of a string.