dolibarr 24.0.0-beta
security.lib.php File Reference

Set of functions used for Dolibarr security (common functions included into filefunc.inc.php). Warning: this file must not depend on other library files, except function.lib.php, because it is used at a low code level.


Functions

 dol_encode ($chain, $key='1')
   Encode a string with the base64 algorithm plus a specific delta change.

 dol_decode ($chain, $key='1')
   Decode a base64-encoded string with a specific delta change.

 dolGetRandomBytes ($length)
   Return a string of random bytes (hex string) of length $length for cryptographic purposes.

 dolGetLdapPasswordHash ($password, $type='md5')
   Return a specific LDAP hash of a password.

 restrictedArea (User $user, $features, $object=0, $tableandshare='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid', $isdraft=0, $mode=0)
   Check the permissions of a user to show a page and an object.

 checkUserAccessToObject ($user, array $featuresarray, $object=0, $tableandshare='', $feature2='', $dbt_keyfield='', $dbt_select='rowid', $parenttableforentity='')
   Check that access by a given user to an object is allowed.

 httponly_accessforbidden ($message='1', $http_response_code=403, $stringalreadysanitized=0)
   Show a message saying access is forbidden and stop the program.

 accessforbidden ($message='', $printheader=1, $printfooter=1, $showonlymessage=0, $params=null)
   Show a message saying access is forbidden and stop the program.

 getMaxFileSizeArray ()
   Return the maximum size allowed for a file upload.

 checkIPInCidr ($ip, $cidr)
   Check whether an IP address is in a CIDR range.

Detailed Description

Set of functions used for Dolibarr security (common functions included into filefunc.inc.php). Warning: this file must not depend on other library files, except function.lib.php, because it is used at a low code level.

Definition in file security.lib.php.

Function Documentation

◆ accessforbidden()

accessforbidden ( $message = '',
$printheader = 1,
$printfooter = 1,
$showonlymessage = 0,
$params = null )

Show a message saying access is forbidden and stop the program.

This includes the HTTP and HTML header and footer (except if $printheader and $printfooter are 0; use that case inside an already started page). Calling this function terminates PHP execution.

Parameters
 string $message: Force error message
 int<0,1> $printheader: Show header before
 int<0,1> $printfooter: Show footer after
 int<0,1> $showonlymessage: Show only the message parameter; otherwise add more information.
 ?array<string,mixed> $params: More parameters provided to the hook
Returns
 never
See also
 httponly_accessforbidden()

Definition at line 1097 of file security.lib.php.

References $conf, $db, $object, llxFooter(), llxHeader(), and llxHeaderVierge().

Referenced by ViewImageController\init(), and restrictedArea().

◆ checkIPInCidr()

checkIPInCidr ( $ip,
$cidr )

Check whether an IP address is in a CIDR range.

Parameters
 string $ip: IP address to check (ex: 192.168.0.50, 2001:db8:3333:4444::5555:6666)
 string $cidr: Network in CIDR notation (ex: 192.168.0.0/24, 2001:db8:3333:4444::/64)
Returns
 int 1 if the IP is in the CIDR range, 0 if the IP is out of the CIDR range, -1 on check error

Definition at line 1230 of file security.lib.php.

◆ checkUserAccessToObject()

checkUserAccessToObject ( $user,
array $featuresarray,
$object = 0,
$tableandshare = '',
$feature2 = '',
$dbt_keyfield = '',
$dbt_select = 'rowid',
$parenttableforentity = '' )

Check that access by a given user to an object is allowed.

This function is also called by restrictedArea(), which first checks that the module is enabled and that the user's permission for $action is ok.

Parameters
 User $user: User to check
 string[] $featuresarray: Features/modules to check. Example: ('user','service','member','project','task',...)
 int | string | Object $object: Full object, object ID or list of object IDs. For example, if we want to check that a particular record (optional) is linked to an owned third party (optional).
 string $tableandshare: 'TableName&SharedElement', where TableName is the table where the object is stored. SharedElement is an optional key to define where to check the entity for the multicompany module. Parameter not used if objectid is null (optional).
 string[] | string $feature2: Feature to check, second level of permission (optional). Can be an 'or' check with 'level1|level2'.
 string $dbt_keyfield: Field name for the socid foreign key if not fk_soc. Not used if objectid is null (optional). Can use '' if N/A.
 string $dbt_select: Field name for the select if not rowid. Not used if objectid is null (optional).
 string $parenttableforentity: Parent table for the entity. Example 'fk_website@website'
Returns
 bool True if the user has access, false otherwise
See also
 restrictedArea()

Definition at line 718 of file security.lib.php.

References $conf, $db, $object, dol_print_error(), dol_syslog(), getDolGlobalInt(), getDolGlobalString(), and isModEnabled().

Referenced by DolibarrApi\_checkAccessToResource(), dol_check_secure_access_document(), DocumentController\init(), and restrictedArea().

◆ dol_decode()

dol_decode ( $chain,
$key = '1' )

Decode a base64-encoded string with a specific delta change.

This function is called by filefunc.inc.php at each page call.

Parameters
 string $chain: String to decode
 string $key: Rule to use for the delta ('0', '1' or 'myownkey')
Returns
 string Decoded string
See also
 dol_encode(), dolDecrypt()

Definition at line 75 of file security.lib.php.

References dol_strlen().

Referenced by dolDecrypt(), and encodedecode_dbpassconf().

◆ dol_encode()

dol_encode ( $chain,
$key = '1' )

Encode a string with the base64 algorithm plus a specific delta change.

Parameters
 string $chain: String to encode
 string $key: Rule to use for the delta ('0', '1' or 'myownkey')
Returns
 string Encoded string with format 'passcrypted'
See also
 dol_decode(), dolEncrypt()

Definition at line 44 of file security.lib.php.

References dol_strlen().

◆ dolGetLdapPasswordHash()

dolGetLdapPasswordHash ( $password,
$type = 'md5' )

Return a specific LDAP hash of a password.

Parameters
 string $password: Password to hash
 'md5'|'md5frommd5'|'smd5'|'sha'|'ssha'|'sha256'|'ssha256'|'sha384'|'ssha384'|'sha512'|'ssha512'|'crypt'|'clear' $type: Type of hash
Returns
 string Hash of the password

Definition at line 122 of file security.lib.php.

Referenced by Adherent\_load_ldap_info(), User\_load_ldap_info(), and dol_hash().

◆ dolGetRandomBytes()

dolGetRandomBytes ( $length)

Return a string of random bytes (hex string) of length $length for cryptographic purposes.

Parameters
 int $length: Length of the random string
Returns
 string Random string

Definition at line 106 of file security.lib.php.

Referenced by dolEncrypt().

◆ getMaxFileSizeArray()

◆ httponly_accessforbidden()

httponly_accessforbidden ( $message = '1',
$http_response_code = 403,
$stringalreadysanitized = 0 )

Show a message saying access is forbidden and stop the program.

This includes only the HTTP header. Calling this function terminates PHP execution.

Parameters
 string $message: Force error message
 int $http_response_code: HTTP response code (403 for forbidden access, 400 for bad parameters or request)
 int<0,1> $stringalreadysanitized: 1 if the string is already sanitized with HTML entities
Returns
 never
See also
 accessforbidden()

Definition at line 1070 of file security.lib.php.

References top_httphead().

Referenced by DocumentController\init(), and ViewImageController\init().

◆ restrictedArea()

restrictedArea ( User $user,
$features,
$object = 0,
$tableandshare = '',
$feature2 = '',
$dbt_keyfield = 'fk_soc',
$dbt_select = 'rowid',
$isdraft = 0,
$mode = 0 )

Check the permissions of a user to show a page and an object.

Checks the read permission. If GETPOST('action','aZ09') is defined, the write and delete permissions are also checked. This method checks the permission on the module, then calls checkUserAccessToObject() for the permission on the object (according to the entity and socid of the user).

Parameters
 User $user: User to check
 string $features: Features to check (must be a module name or $object->element). Can be an 'or' check with 'levela|levelb'. Examples: 'societe', 'contact', 'produit&service', 'produit|service', ... This is used to check the permission $user->rights->features->...
 int | string | Object $object: Object, object ID or list of object IDs if we want to check that a particular record (optional) is linked to an owned third party (optional).
 string $tableandshare: 'TableName&SharedElement', where TableName is the table where the object is stored. SharedElement is an optional key to define where to check the entity for the multicompany module. Parameter not used if objectid is null (optional).
 string $feature2: Feature to check, second level of permission (optional). Can be an 'or' check with 'sublevela|sublevelb'. This is used to check the permission $user->rights->features->feature2...
 string $dbt_keyfield: Field name for the socid foreign key if not fk_soc. Not used if objectid is null (optional). Can use '' if N/A.
 string $dbt_select: Field rowid name, for the select into tableandshare if not "rowid". Not used if objectid is null (optional)
 int<0,1> $isdraft: 1=The object with id=$objectid is a draft
 int<0,1> $mode: Mode (0=default, 1=return without dying)
Returns
 int If mode = 0 (default): always 1; the process dies if not allowed. If mode = 1: returns 0 if access is not allowed.
See also
 dol_check_secure_access_document(), checkUserAccessToObject()

Definition at line 180 of file security.lib.php.

References $object, accessforbidden(), checkUserAccessToObject(), getDolGlobalString(), and GETPOST().
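As an added example (not code from Dolibarr or from this reference page), the way a page script combines restrictedArea() with the two access-denied helpers documented above; the bootstrap path, the ajaxGuard() helper name and the message string are assumptions.

```php
<?php
// Added example, not Dolibarr code: guarding a page with the security.lib.php API.
// Assumes the usual Dolibarr bootstrap: main.inc.php provides $user, $db and $conf
// and loads security.lib.php through filefunc.inc.php (path is an assumption).
require '../main.inc.php';

$id     = GETPOST('id', 'int');        // record to show (optional)
$action = GETPOST('action', 'aZ09');   // '', 'edit', 'delete', ... (sanitized)

// 1. Module level: the 'societe' module must be enabled and the user needs the
//    read right; because $action is read with GETPOST('action','aZ09'),
//    restrictedArea() also checks the write and delete rights when it is set.
// 2. Object level: with $id given, checkUserAccessToObject() verifies that the row
//    rowid=$id of table 'societe' belongs to the user's entity and, for an external
//    user, to the user's own company through the fk_soc key.
// Mode 0 (default): returns 1, or calls accessforbidden(), which prints the full
// HTML error page and terminates PHP, so nothing below runs for a refused user.
$result = restrictedArea($user, 'societe', $id, 'societe', '', 'fk_soc', 'rowid');

// For an AJAX or download endpoint that must not emit an HTML page, use mode 1
// and answer with HTTP headers only. Hypothetical helper, not part of Dolibarr.
function ajaxGuard($user, int $id): void
{
    // Mode 1: returns 0 instead of dying when access is not allowed.
    $allowed = restrictedArea($user, 'societe', $id, 'societe', '', 'fk_soc', 'rowid', 0, 1);
    if (!$allowed) {
        // Constant message written by us: already safe, so $stringalreadysanitized = 1.
        httponly_accessforbidden('Forbidden', 403, 1);
    }
}

ajaxGuard($user, (int) $id);
```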