diff --git a/htdocs/adherents/class/adherent.class.php b/htdocs/adherents/class/adherent.class.php
index 3322e573d7892..3a4fd7a6fcabd 100644
--- a/htdocs/adherents/class/adherent.class.php
+++ b/htdocs/adherents/class/adherent.class.php
@@ -767,7 +767,8 @@ function setPassword($user, $password='', $isencrypted=0, $notrigger=0, $nosyncu
// If new password not provided, we generate one
if (! $password)
{
- $password=getRandomPassword('');
+ require_once(DOL_DOCUMENT_ROOT."/core/lib/security2.lib.php");
+ $password=getRandomPassword('');
}
// Cryptage mot de passe
diff --git a/htdocs/adherents/fiche.php b/htdocs/adherents/fiche.php
index 8c02f1d7716fa..ec10a5622af4a 100644
--- a/htdocs/adherents/fiche.php
+++ b/htdocs/adherents/fiche.php
@@ -706,7 +706,8 @@
// Password
if (empty($conf->global->ADHERENT_LOGIN_NOT_REQUIRED))
{
- $generated_password=getRandomPassword('');
+ require_once(DOL_DOCUMENT_ROOT."/core/lib/security2.lib.php");
+ $generated_password=getRandomPassword('');
print '
'.$langs->trans("Password").' ';
print ' ';
print ' ';
diff --git a/htdocs/admin/security.php b/htdocs/admin/security.php
index 57a2822652712..89c592cb9ffcd 100644
--- a/htdocs/admin/security.php
+++ b/htdocs/admin/security.php
@@ -24,6 +24,7 @@
require("../main.inc.php");
require_once(DOL_DOCUMENT_ROOT."/core/lib/admin.lib.php");
+require_once(DOL_DOCUMENT_ROOT."/core/lib/security2.lib.php");
$langs->load("users");
$langs->load("admin");
diff --git a/htdocs/cashdesk/class/Auth.class.php b/htdocs/cashdesk/class/Auth.class.php
index ffa4dbf195064..e6273273cb61a 100644
--- a/htdocs/cashdesk/class/Auth.class.php
+++ b/htdocs/cashdesk/class/Auth.class.php
@@ -122,6 +122,7 @@ function verif($aLogin, $aPasswd)
if ($test && $goontestloop)
{
+ include_once(DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php');
$login = checkLoginPassEntity($usertotest,$passwordtotest,$entitytotest,$authmode);
if ($login)
{
diff --git a/htdocs/contact/canvas/actions_contactcard_common.class.php b/htdocs/contact/canvas/actions_contactcard_common.class.php
index 82d62cf598fd0..2d5e6c62eed07 100644
--- a/htdocs/contact/canvas/actions_contactcard_common.class.php
+++ b/htdocs/contact/canvas/actions_contactcard_common.class.php
@@ -42,10 +42,10 @@ abstract class ActionsContactCardCommon
//! Error array
var $errors=array();
-
+
/**
* Instantiation of DAO class
- *
+ *
* @return void
*/
private function getInstanceDao()
@@ -66,7 +66,7 @@ private function getInstanceDao()
}
}
}
-
+
/**
* Get object
*
@@ -76,7 +76,7 @@ private function getInstanceDao()
function getObject($id)
{
$ret = $this->getInstanceDao();
-
+
if (is_object($this->object) && method_exists($this->object,'fetch'))
{
if (! empty($id)) $this->object->fetch($id);
@@ -192,7 +192,7 @@ function doActions(&$action, $id)
Header("Location: ".$_SERVER["PHP_SELF"]."?id=".$this->object->id);
exit;
}
-
+
if (empty($_POST["name"]))
{
$this->error=array($langs->trans("ErrorFieldRequired",$langs->transnoentities("Name").' / '.$langs->transnoentities("Label")));
@@ -391,21 +391,22 @@ function assign_values(&$action)
$this->tpl['note'] = nl2br($this->object->note);
}
-
+
if ($action == 'create_user')
{
// Full firstname and name separated with a dot : firstname.name
include_once(DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php');
+ require_once(DOL_DOCUMENT_ROOT."/core/lib/security2.lib.php");
$login=dol_buildlogin($this->object->nom, $this->object->prenom);
-
+
$generated_password=getRandomPassword('');
$password=$generated_password;
-
+
// Create a form array
$formquestion=array(
array('label' => $langs->trans("LoginToCreate"), 'type' => 'text', 'name' => 'login', 'value' => $login),
array('label' => $langs->trans("Password"), 'type' => 'text', 'name' => 'password', 'value' => $password));
-
+
$this->tpl['action_create_user'] = $form->formconfirm($_SERVER["PHP_SELF"]."?id=".$this->object->id,$langs->trans("CreateDolibarrLogin"),$langs->trans("ConfirmCreateContact"),"confirm_create_user",$formquestion,'no');
}
}
diff --git a/htdocs/contact/fiche.php b/htdocs/contact/fiche.php
index 9310c3984fa61..3b34162c8f8bc 100644
--- a/htdocs/contact/fiche.php
+++ b/htdocs/contact/fiche.php
@@ -705,7 +705,8 @@
$generated_password='';
if (! $ldap_sid) // TODO ldap_sid ?
{
- $generated_password=getRandomPassword('');
+ require_once(DOL_DOCUMENT_ROOT."/core/lib/security2.lib.php");
+ $generated_password=getRandomPassword('');
}
$password=$generated_password;
diff --git a/htdocs/core/ajax/security.php b/htdocs/core/ajax/security.php
index 13ef292c3eb19..1db9034030076 100644
--- a/htdocs/core/ajax/security.php
+++ b/htdocs/core/ajax/security.php
@@ -43,11 +43,12 @@
//print ''."\n";
// Registering the location of boxes
-if(isset($_GET['action']) && ! empty($_GET['action']))
+if (isset($_GET['action']) && ! empty($_GET['action']))
{
if ($_GET['action'] == 'getrandompassword' && $user->admin)
{
- $generic = $_GET['generic'];
+ require_once(DOL_DOCUMENT_ROOT."/core/lib/security2.lib.php");
+ $generic = $_GET['generic'];
echo getRandomPassword($generic);
}
}
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 9f10a498a4b9c..53d36c5da8e59 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -2151,407 +2151,6 @@ function info_admin($text,$infoonimgalt=0)
}
-/**
- * Check permissions of a user to show a page and an object. Check read permission.
- * If GETPOST('action') defined, we also check write and delete permission.
- *
- * @param User $user User to check
- * @param string $features Features to check (in most cases, it's module name)
- * @param int $objectid Object ID if we want to check permission on a particular record (optionnal)
- * @param string $dbtablename Table name where object is stored. Not used if objectid is null (optionnal)
- * @param string $feature2 Feature to check, second level of permission (optionnal)
- * @param string $dbt_keyfield Field name for socid foreign key if not fk_soc (optionnal)
- * @param string $dbt_select Field name for select if not rowid (optionnal)
- * @param Canvas $objcanvas Object canvas
- * @return int Always 1, die process if not allowed
- */
-function restrictedArea($user, $features='societe', $objectid=0, $dbtablename='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid', $objcanvas=null)
-{
- global $db, $conf;
-
- //dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename,$feature2,$dbt_socfield,$dbt_select");
- //print "user_id=".$user->id.", features=".$features.", feature2=".$feature2.", objectid=".$objectid;
- //print ", dbtablename=".$dbtablename.", dbt_socfield=".$dbt_keyfield.", dbt_select=".$dbt_select;
- //print ", perm: ".$features."->".$feature2."=".$user->rights->$features->$feature2->lire." ";
-
- // If we use canvas, we try to use function that overlod restrictarea if provided with canvas
- if (is_object($objcanvas))
- {
- if (method_exists($objcanvas->control,'restrictedArea')) return $objcanvas->control->restrictedArea($user,$features,$objectid,$dbtablename,$feature2,$dbt_keyfield,$dbt_select);
- }
-
- if ($dbt_select != 'rowid') $objectid = "'".$objectid."'";
-
- // More features to check
- $features = explode("&",$features);
-
- // More parameters
- list($dbtablename, $sharedelement) = explode('&', $dbtablename);
-
- // Check read permission from module
- // TODO Replace "feature" param into caller by first level of permission
- $readok=1;
- foreach ($features as $feature)
- {
- if ($feature == 'societe')
- {
- if (! $user->rights->societe->lire && ! $user->rights->fournisseur->lire) $readok=0;
- }
- else if ($feature == 'contact')
- {
- if (! $user->rights->societe->contact->lire) $readok=0;
- }
- else if ($feature == 'produit|service')
- {
- if (! $user->rights->produit->lire && ! $user->rights->service->lire) $readok=0;
- }
- else if ($feature == 'prelevement')
- {
- if (! $user->rights->prelevement->bons->lire) $readok=0;
- }
- else if ($feature == 'commande_fournisseur')
- {
- if (! $user->rights->fournisseur->commande->lire) $readok=0;
- }
- else if ($feature == 'cheque')
- {
- if (! $user->rights->banque->cheque) $readok=0;
- }
- else if ($feature == 'projet')
- {
- if (! $user->rights->projet->lire && ! $user->rights->projet->all->lire) $readok=0;
- }
- else if (! empty($feature2)) // This should be used for future changes
- {
- if (empty($user->rights->$feature->$feature2->lire)
- && empty($user->rights->$feature->$feature2->read)) $readok=0;
- }
- else if (! empty($feature) && ($feature!='user' && $feature!='usergroup')) // This is for old permissions
- {
- if (empty($user->rights->$feature->lire)
- && empty($user->rights->$feature->read)
- && empty($user->rights->$feature->run)) $readok=0;
- }
- }
-
- if (! $readok)
- {
- //print "Read access is down";
- accessforbidden();
- }
- //print "Read access is ok";
-
- // Check write permission from module
- $createok=1;
- if (GETPOST("action") && GETPOST("action") == 'create')
- {
- foreach ($features as $feature)
- {
- if ($feature == 'contact')
- {
- if (! $user->rights->societe->contact->creer) $createok=0;
- }
- else if ($feature == 'produit|service')
- {
- if (! $user->rights->produit->creer && ! $user->rights->service->creer) $createok=0;
- }
- else if ($feature == 'prelevement')
- {
- if (! $user->rights->prelevement->bons->creer) $createok=0;
- }
- else if ($feature == 'commande_fournisseur')
- {
- if (! $user->rights->fournisseur->commande->creer) $createok=0;
- }
- else if ($feature == 'banque')
- {
- if (! $user->rights->banque->modifier) $createok=0;
- }
- else if ($feature == 'cheque')
- {
- if (! $user->rights->banque->cheque) $createok=0;
- }
- else if (! empty($feature2)) // This should be used for future changes
- {
- if (empty($user->rights->$feature->$feature2->creer)
- && empty($user->rights->$feature->$feature2->write)) $createok=0;
- }
- else if (! empty($feature)) // This is for old permissions
- {
- //print ' feature='.$feature.' creer='.$user->rights->$feature->creer.' write='.$user->rights->$feature->write;
- if (empty($user->rights->$feature->creer)
- && empty($user->rights->$feature->write)) $createok=0;
- }
- }
-
- if (! $createok) accessforbidden();
- //print "Write access is ok";
- }
-
- // Check create user permission
- $createuserok=1;
- if ( GETPOST("action") && (GETPOST("action") == 'confirm_create_user' && GETPOST("confirm") == 'yes') )
- {
- if (! $user->rights->user->user->creer) $createuserok=0;
-
- if (! $createuserok) accessforbidden();
- //print "Create user access is ok";
- }
-
- // Check delete permission from module
- $deleteok=1;
- if ( GETPOST("action") && ( (GETPOST("action") == 'confirm_delete' && GETPOST("confirm") && GETPOST("confirm") == 'yes') || GETPOST("action") == 'delete') )
- {
- foreach ($features as $feature)
- {
- if ($feature == 'contact')
- {
- if (! $user->rights->societe->contact->supprimer) $deleteok=0;
- }
- else if ($feature == 'produit|service')
- {
- if (! $user->rights->produit->supprimer && ! $user->rights->service->supprimer) $deleteok=0;
- }
- else if ($feature == 'commande_fournisseur')
- {
- if (! $user->rights->fournisseur->commande->supprimer) $deleteok=0;
- }
- else if ($feature == 'banque')
- {
- if (! $user->rights->banque->modifier) $deleteok=0;
- }
- else if ($feature == 'cheque')
- {
- if (! $user->rights->banque->cheque) $deleteok=0;
- }
- else if ($feature == 'ecm')
- {
- if (! $user->rights->ecm->upload) $deleteok=0;
- }
- else if ($feature == 'ftp')
- {
- if (! $user->rights->ftp->write) $deleteok=0;
- }
- else if (! empty($feature2)) // This should be used for future changes
- {
- if (empty($user->rights->$feature->$feature2->supprimer)
- && empty($user->rights->$feature->$feature2->delete)) $deleteok=0;
- }
- else if (! empty($feature)) // This is for old permissions
- {
- //print ' feature='.$feature.' creer='.$user->rights->$feature->supprimer.' write='.$user->rights->$feature->delete;
- if (empty($user->rights->$feature->supprimer)
- && empty($user->rights->$feature->delete)) $deleteok=0;
- }
- }
-
- //print "Delete access is ko";
- if (! $deleteok) accessforbidden();
- //print "Delete access is ok";
- }
-
- // If we have a particular object to check permissions on, we check this object
- // is linked to a company allowed to $user.
- if (! empty($objectid) && $objectid > 0)
- {
- foreach ($features as $feature)
- {
- $sql='';
-
- $check = array('banque','user','usergroup','produit','service','produit|service','categorie'); // Test on entity only (Objects with no link to company)
- $checksoc = array('societe'); // Test for societe object
- $checkother = array('contact'); // Test on entity and link to societe. Allowed if link is empty (Ex: contacts...).
- $checkproject = array('projet'); // Test for project object
- $nocheck = array('barcode','stock','fournisseur'); // No test
- $checkdefault = 'all other not already defined'; // Test on entity and link to third party. Not allowed if link is empty (Ex: invoice, orders...).
-
- // If dbtable not defined, we use same name for table than module name
- if (empty($dbtablename)) $dbtablename = $feature;
-
- // Check permission for object with entity
- if (in_array($feature,$check))
- {
- $sql = "SELECT dbt.".$dbt_select;
- $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
- $sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
- if (($feature == 'user' || $feature == 'usergroup') && ! empty($conf->multicompany->enabled) && $conf->entity == 1 && $user->admin && ! $user->entity)
- {
- $sql.= " AND dbt.entity IS NOT NULL";
- }
- else
- {
- $sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
- }
- }
- else if (in_array($feature,$checksoc))
- {
- // If external user: Check permission for external users
- if ($user->societe_id > 0)
- {
- if ($user->societe_id <> $objectid) accessforbidden();
- }
- // If internal user: Check permission for internal users that are restricted on their objects
- else if (! $user->rights->societe->client->voir)
- {
- $sql = "SELECT sc.fk_soc";
- $sql.= " FROM (".MAIN_DB_PREFIX."societe_commerciaux as sc";
- $sql.= ", ".MAIN_DB_PREFIX."societe as s)";
- $sql.= " WHERE sc.fk_soc = ".$objectid;
- $sql.= " AND sc.fk_user = ".$user->id;
- $sql.= " AND sc.fk_soc = s.rowid";
- $sql.= " AND s.entity IN (".getEntity($sharedelement, 1).")";
- }
- // If multicompany and internal users with all permissions, check user is in correct entity
- else if (! empty($conf->multicompany->enabled))
- {
- $sql = "SELECT s.rowid";
- $sql.= " FROM ".MAIN_DB_PREFIX."societe as s";
- $sql.= " WHERE s.rowid = ".$objectid;
- $sql.= " AND s.entity IN (".getEntity($sharedelement, 1).")";
- }
- }
- else if (in_array($feature,$checkother))
- {
- // If external user: Check permission for external users
- if ($user->societe_id > 0)
- {
- $sql = "SELECT dbt.rowid";
- $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
- $sql.= " WHERE dbt.rowid = ".$objectid;
- $sql.= " AND dbt.fk_soc = ".$user->societe_id;
- }
- // If internal user: Check permission for internal users that are restricted on their objects
- else if (! $user->rights->societe->client->voir)
- {
- $sql = "SELECT dbt.rowid";
- $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
- $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = '".$user->id."'";
- $sql.= " WHERE dbt.rowid = ".$objectid;
- $sql.= " AND (dbt.fk_soc IS NULL OR sc.fk_soc IS NOT NULL)"; // Contact not linked to a company or to a company of user
- $sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
- }
- // If multicompany and internal users with all permissions, check user is in correct entity
- else if (! empty($conf->multicompany->enabled))
- {
- $sql = "SELECT dbt.rowid";
- $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
- $sql.= " WHERE dbt.rowid = ".$objectid;
- $sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
- }
- }
- else if (in_array($feature,$checkproject))
- {
- if (! $user->rights->projet->all->lire)
- {
- include_once(DOL_DOCUMENT_ROOT."/projet/class/project.class.php");
- $projectstatic=new Project($db);
- $tmps=$projectstatic->getProjectsAuthorizedForUser($user,0,1,$user->societe_id);
- $tmparray=explode(',',$tmps);
- if (! in_array($objectid,$tmparray)) accessforbidden();
- }
- }
- else if (! in_array($feature,$nocheck)) // By default we check with link to third party
- {
- // If external user: Check permission for external users
- if ($user->societe_id > 0)
- {
- $sql = "SELECT dbt.".$dbt_keyfield;
- $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
- $sql.= " WHERE dbt.rowid = ".$objectid;
- $sql.= " AND dbt.".$dbt_keyfield." = ".$user->societe_id;
- }
- // If internal user: Check permission for internal users that are restricted on their objects
- else if (! $user->rights->societe->client->voir)
- {
- $sql = "SELECT sc.fk_soc";
- $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
- $sql.= ", ".MAIN_DB_PREFIX."societe as s";
- $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
- $sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
- $sql.= " AND sc.fk_soc = dbt.".$dbt_keyfield;
- $sql.= " AND dbt.".$dbt_keyfield." = s.rowid";
- $sql.= " AND s.entity IN (".getEntity($sharedelement, 1).")";
- $sql.= " AND sc.fk_user = ".$user->id;
- }
- // If multicompany and internal users with all permissions, check user is in correct entity
- else if (! empty($conf->multicompany->enabled))
- {
- $sql = "SELECT dbt.".$dbt_select;
- $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
- $sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
- $sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
- }
- }
-
- //print $sql." ";
- if ($sql)
- {
- $resql=$db->query($sql);
- if ($resql)
- {
- if ($db->num_rows($resql) == 0) accessforbidden();
- }
- else
- {
- dol_syslog("functions.lib:restrictedArea sql=".$sql, LOG_ERR);
- accessforbidden();
- }
- }
- }
- }
-
- return 1;
-}
-
-
-/**
- * Show a message to say access is forbidden and stop program
- * Calling this function terminate execution of PHP.
- *
- * @param string $message Force error message
- * @param int $printheader Show header before
- * @param int $printfooter Show footer after
- * @param int $showonlymessage Show only message parameter. Otherwise add more information.
- * @return void
- */
-function accessforbidden($message='',$printheader=1,$printfooter=1,$showonlymessage=0)
-{
- global $conf, $db, $user, $langs;
- if (! is_object($langs))
- {
- include_once(DOL_DOCUMENT_ROOT.'/core/class/translate.class.php');
- $langs=new Translate('',$conf);
- }
-
- $langs->load("errors");
-
- if ($printheader)
- {
- if (function_exists("llxHeader")) llxHeader('');
- else if (function_exists("llxHeaderVierge")) llxHeaderVierge('');
- }
- print '';
- if (! $message) print $langs->trans("ErrorForbidden");
- else print $message;
- print '
';
- print ' ';
- if (empty($showonlymessage))
- {
- if ($user->login)
- {
- print $langs->trans("CurrentLogin").': '.$user->login.' ';
- print $langs->trans("ErrorForbidden2",$langs->trans("Home"),$langs->trans("Users"));
- }
- else
- {
- print $langs->trans("ErrorForbidden3");
- }
- }
- if ($printfooter && function_exists("llxFooter")) llxFooter();
- exit(0);
-}
-
-
/* For backward compatibility */
function dolibarr_print_error($db='',$error='')
{
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 34a6ab9b2007f..533d4039768aa 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -20,437 +20,12 @@
/**
* \file htdocs/core/lib/security.lib.php
* \ingroup core
- * \brief Set of function used for dolibarr security.
+ * \brief Set of function used for dolibarr security (common function included into filefunc.inc.php)
* Warning, this file must not depends on other library files, except function.lib.php
* because it is used at low code level.
*/
-/**
- * Return a login if login/pass was successfull
- *
- * @param string $usertotest Login value to test
- * @param string $passwordtotest Password value to test
- * @param string $entitytotest Instance of data we must check
- * @param array $authmode Array list of selected authentication mode array('http', 'dolibarr', 'xxx'...)
- * @return string Login or ''
- */
-function checkLoginPassEntity($usertotest,$passwordtotest,$entitytotest,$authmode)
-{
- global $conf,$langs;
- global $dolauthmode; // To return authentication finally used
-
- // Check parameetrs
- if ($entitytotest == '') $entitytotest=1;
-
- dol_syslog("checkLoginPassEntity usertotest=".$usertotest." entitytotest=".$entitytotest." authmode=".join(',',$authmode));
- $login = '';
-
- // Validation of login/pass/entity with a third party login module method
- if (! empty($conf->login_method_modules) && is_array($conf->login_method_modules))
- {
- foreach($conf->login_method_modules as $dir)
- {
- $newdir=dol_osencode($dir);
-
- // Check if directory exists
- if (! is_dir($newdir)) continue;
-
- $handle=opendir($newdir);
- if (is_resource($handle))
- {
- while (($file = readdir($handle))!==false)
- {
- if (is_readable($dir.'/'.$file) && preg_match('/^functions_([^_]+)\.php/',$file,$reg))
- {
- $authfile = $dir.'/'.$file;
- $mode = $reg[1];
-
- $result=include_once($authfile);
- if ($result)
- {
- // Call function to check user/password
- $function='check_user_password_'.$mode;
- $login=call_user_func($function,$usertotest,$passwordtotest,$entitytotest);
- if ($login)
- {
- $conf->authmode=$mode; // This properties is defined only when logged to say what mode was successfully used
- }
- }
- else
- {
- dol_syslog("Authentification ko - failed to load file '".$authfile."'",LOG_ERR);
- sleep(1); // To slow brut force cracking
- $langs->load('main');
- $langs->load('other');
- $_SESSION["dol_loginmesg"]=$langs->trans("ErrorFailedToLoadLoginFileForMode",$mode);
- }
- }
- }
- closedir($handle);
- }
- }
- }
-
- // Validation of login/pass/entity with standard modules
- if (empty($login))
- {
- $test=true;
- foreach($authmode as $mode)
- {
- if ($test && $mode && ! $login)
- {
- $mode=trim($mode);
- $authfile=DOL_DOCUMENT_ROOT.'/core/login/functions_'.$mode.'.php';
- $result=include_once($authfile);
- if ($result)
- {
- // Call function to check user/password
- $function='check_user_password_'.$mode;
- $login=call_user_func($function,$usertotest,$passwordtotest,$entitytotest);
- if ($login) // Login is successfull
- {
- $test=false; // To stop once at first login success
- $conf->authmode=$mode; // This properties is defined only when logged to say what mode was successfully used
- $dol_tz=$_POST["tz"];
- $dol_dst=$_POST["dst"];
- $dol_screenwidth=$_POST["screenwidth"];
- $dol_screenheight=$_POST["screenheight"];
- }
- }
- else
- {
- dol_syslog("Authentification ko - failed to load file '".$authfile."'",LOG_ERR);
- sleep(1);
- $langs->load('main');
- $langs->load('other');
- $_SESSION["dol_loginmesg"]=$langs->trans("ErrorFailedToLoadLoginFileForMode",$mode);
- }
- }
- }
- }
-
- return $login;
-}
-
-
-/**
- * Show Dolibarr default login page
- *
- * @param Translate $langs Lang object (must be initialized by a new).
- * @param Conf $conf Conf object
- * @param Societe $mysoc Company object
- * @return void
- */
-function dol_loginfunction($langs,$conf,$mysoc)
-{
- global $dolibarr_main_demo,$db;
- global $smartphone,$mc;
-
- $langcode=(GETPOST('lang')?((is_object($langs)&&$langs->defaultlang)?$langs->defaultlang:'auto'):GETPOST('lang'));
- $langs->setDefaultLang($langcode);
-
- $langs->load("main");
- $langs->load("other");
- $langs->load("help");
- $langs->load("admin");
-
- $main_authentication=$conf->file->main_authentication;
- $session_name=session_name();
-
- $dol_url_root = DOL_URL_ROOT;
-
- $php_self = $_SERVER['PHP_SELF'];
- $php_self.= $_SERVER["QUERY_STRING"]?'?'.$_SERVER["QUERY_STRING"]:'';
-
- // Title
- $title='Dolibarr '.DOL_VERSION;
- if (! empty($conf->global->MAIN_APPLICATION_TITLE)) $title=$conf->global->MAIN_APPLICATION_TITLE;
-
- // Select templates
- if (preg_match('/^smartphone/',$conf->smart_menu) && isset($conf->browser->phone))
- {
- $template_dir = DOL_DOCUMENT_ROOT.'/theme/phones/smartphone/tpl/';
- }
- else
- {
- if (file_exists(DOL_DOCUMENT_ROOT."/theme/".$conf->theme."/tpl/login.tpl.php"))
- {
- $template_dir = DOL_DOCUMENT_ROOT."/theme/".$conf->theme."/tpl/";
- }
- else
- {
- $template_dir = DOL_DOCUMENT_ROOT."/core/tpl/";
- }
- }
-
- $conf->css = "/theme/".$conf->theme."/style.css.php?lang=".$langs->defaultlang;
- $conf_css = DOL_URL_ROOT.$conf->css;
-
- // Set cookie for timeout management
- $prefix=dol_getprefix();
- $sessiontimeout='DOLSESSTIMEOUT_'.$prefix;
- if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) setcookie($sessiontimeout, $conf->global->MAIN_SESSION_TIMEOUT, 0, "/", '', 0);
-
- if (GETPOST("urlfrom")) $_SESSION["urlfrom"]=GETPOST("urlfrom");
- else unset($_SESSION["urlfrom"]);
-
- if (! GETPOST("username")) $focus_element='username';
- else $focus_element='password';
-
- $login_background=DOL_URL_ROOT.'/theme/login_background.png';
- if (file_exists(DOL_DOCUMENT_ROOT.'/theme/'.$conf->theme.'/img/login_background.png'))
- {
- $login_background=DOL_URL_ROOT.'/theme/'.$conf->theme.'/img/login_background.png';
- }
-
- $demologin='';
- $demopassword='';
- if (! empty($dolibarr_main_demo))
- {
- $tab=explode(',',$dolibarr_main_demo);
- $demologin=$tab[0];
- $demopassword=$tab[1];
- }
-
- // Entity cookie
- if (! empty($conf->multicompany->enabled))
- {
- $lastuser = '';
- $lastentity = $_POST['entity'];
-
- if (! empty($conf->global->MULTICOMPANY_COOKIE_ENABLED))
- {
- $prefix=dol_getprefix();
- $entityCookieName = 'DOLENTITYID_'.$prefix;
- if (isset($_COOKIE[$entityCookieName]))
- {
- include_once(DOL_DOCUMENT_ROOT . "/core/class/cookie.class.php");
-
- $cryptkey = (! empty($conf->file->cookie_cryptkey) ? $conf->file->cookie_cryptkey : '' );
-
- $entityCookie = new DolCookie($cryptkey);
- $cookieValue = $entityCookie->_getCookie($entityCookieName);
- list($lastuser, $lastentity) = explode('|', $cookieValue);
- }
- }
- }
-
- // Login
- $login = (!empty($lastuser)?$lastuser:(GETPOST("username","alpha",2)?GETPOST("username","alpha",2):$demologin));
- $password = $demopassword;
-
- // Show logo (search in order: small company logo, large company logo, theme logo, common logo)
- $width=0;
- $rowspan=2;
- $urllogo=DOL_URL_ROOT.'/theme/login_logo.png';
-
- if (! empty($mysoc->logo_small) && is_readable($conf->mycompany->dir_output.'/logos/thumbs/'.$mysoc->logo_small))
- {
- $urllogo=DOL_URL_ROOT.'/viewimage.php?cache=1&modulepart=companylogo&file='.urlencode('thumbs/'.$mysoc->logo_small);
- }
- elseif (! empty($mysoc->logo) && is_readable($conf->mycompany->dir_output.'/logos/'.$mysoc->logo))
- {
- $urllogo=DOL_URL_ROOT.'/viewimage.php?cache=1&modulepart=companylogo&file='.urlencode($mysoc->logo);
- $width=128;
- }
- elseif (is_readable(DOL_DOCUMENT_ROOT.'/theme/'.$conf->theme.'/img/dolibarr_logo.png'))
- {
- $urllogo=DOL_URL_ROOT.'/theme/'.$conf->theme.'/img/dolibarr_logo.png';
- }
- elseif (is_readable(DOL_DOCUMENT_ROOT.'/theme/dolibarr_logo.png'))
- {
- $urllogo=DOL_URL_ROOT.'/theme/dolibarr_logo.png';
-
- }
-
- // Entity field
- $select_entity='';
- if (! empty($conf->multicompany->enabled) && empty($conf->global->MULTICOMPANY_HIDE_LOGIN_COMBOBOX))
- {
- $rowspan++;
- $select_entity = $mc->select_entities($lastentity, 'entity', ' tabindex="3"', 1);
- }
-
- // Security graphical code
- $captcha=0;
- $captcha_refresh='';
- if (function_exists("imagecreatefrompng") && ! empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA))
- {
- $captcha=1;
- $captcha_refresh=img_picto($langs->trans("Refresh"),'refresh');
- }
-
- // Extra link
- $forgetpasslink=0;
- $helpcenterlink=0;
- if (empty($conf->global->MAIN_SECURITY_DISABLEFORGETPASSLINK) || empty($conf->global->MAIN_HELPCENTER_DISABLELINK))
- {
- if (empty($conf->global->MAIN_SECURITY_DISABLEFORGETPASSLINK))
- {
- $forgetpasslink=1;
- }
-
- if (empty($conf->global->MAIN_HELPCENTER_DISABLELINK))
- {
- $helpcenterlink=1;
- }
- }
-
- // Home message
- if (! empty($conf->global->MAIN_HOME))
- {
- $i=0;
- while (preg_match('/__\(([a-zA-Z]+)\)__/i',$conf->global->MAIN_HOME,$reg) && $i < 100)
- {
- $conf->global->MAIN_HOME=preg_replace('/__\('.$reg[1].'\)__/i',$langs->trans($reg[1]),$conf->global->MAIN_HOME);
- $i++;
- }
- }
- $main_home=dol_htmlcleanlastbr($conf->global->MAIN_HOME);
-
- // Google AD
- $main_google_ad_client = ((! empty($conf->global->MAIN_GOOGLE_AD_CLIENT) && ! empty($conf->global->MAIN_GOOGLE_AD_SLOT))?1:0);
-
- $dol_loginmesg = $_SESSION["dol_loginmesg"];
-
- include($template_dir.'login.tpl.php'); // To use native PHP
-
- $_SESSION["dol_loginmesg"] = '';
-}
-
-/**
- * Fonction pour initialiser un salt pour la fonction crypt.
- *
- * @param int $type 2=>renvoi un salt pour cryptage DES
- * 12=>renvoi un salt pour cryptage MD5
- * non defini=>renvoi un salt pour cryptage par defaut
- * @return string Salt string
- */
-function makesalt($type=CRYPT_SALT_LENGTH)
-{
- dol_syslog("security.lib.php::makesalt type=".$type);
- switch($type)
- {
- case 12: // 8 + 4
- $saltlen=8; $saltprefix='$1$'; $saltsuffix='$'; break;
- case 8: // 8 (Pour compatibilite, ne devrait pas etre utilise)
- $saltlen=8; $saltprefix='$1$'; $saltsuffix='$'; break;
- case 2: // 2
- default: // by default, fall back on Standard DES (should work everywhere)
- $saltlen=2; $saltprefix=''; $saltsuffix=''; break;
- }
- $salt='';
- while(dol_strlen($salt) < $saltlen) $salt.=chr(mt_rand(64,126));
-
- $result=$saltprefix.$salt.$saltsuffix;
- dol_syslog("security.lib.php::makesalt return=".$result);
- return $result;
-}
-
-/**
- * Encode or decode database password in config file
- *
- * @param int $level Encode level: 0 no encoding, 1 encoding
- * @return int <0 if KO, >0 if OK
- */
-function encodedecode_dbpassconf($level=0)
-{
- dol_syslog("security.lib::encodedecode_dbpassconf level=".$level, LOG_DEBUG);
- $config = '';
- $passwd='';
- $passwd_crypted='';
-
- if ($fp = fopen(DOL_DOCUMENT_ROOT.'/conf/conf.php','r'))
- {
- while(!feof($fp))
- {
- $buffer = fgets($fp,4096);
-
- $lineofpass=0;
-
- if (preg_match('/^[^#]*dolibarr_main_db_encrypted_pass[\s]*=[\s]*(.*)/i',$buffer,$reg)) // Old way to save crypted value
- {
- $val = trim($reg[1]); // This also remove CR/LF
- $val=preg_replace('/^["\']/','',$val);
- $val=preg_replace('/["\'][\s;]*$/','',$val);
- if (! empty($val))
- {
- $passwd_crypted = $val;
- $val = dol_decode($val);
- $passwd = $val;
- $lineofpass=1;
- }
- }
- elseif (preg_match('/^[^#]*dolibarr_main_db_pass[\s]*=[\s]*(.*)/i',$buffer,$reg))
- {
- $val = trim($reg[1]); // This also remove CR/LF
- $val=preg_replace('/^["\']/','',$val);
- $val=preg_replace('/["\'][\s;]*$/','',$val);
- if (preg_match('/crypted:/i',$buffer))
- {
- $val = preg_replace('/crypted:/i','',$val);
- $passwd_crypted = $val;
- $val = dol_decode($val);
- $passwd = $val;
- }
- else
- {
- $passwd = $val;
- $val = dol_encode($val);
- $passwd_crypted = $val;
- }
- $lineofpass=1;
- }
-
- // Output line
- if ($lineofpass)
- {
- // Add value at end of file
- if ($level == 0)
- {
- $config .= '$dolibarr_main_db_pass=\''.$passwd.'\';'."\n";
- }
- if ($level == 1)
- {
- $config .= '$dolibarr_main_db_pass=\'crypted:'.$passwd_crypted.'\';'."\n";
- }
-
- //print 'passwd = '.$passwd.' - passwd_crypted = '.$passwd_crypted;
- //exit;
- }
- else
- {
- $config .= $buffer;
- }
- }
- fclose($fp);
-
- // Write new conf file
- $file=DOL_DOCUMENT_ROOT.'/conf/conf.php';
- if ($fp = @fopen($file,'w'))
- {
- fputs($fp, $config);
- fclose($fp);
- // It's config file, so we set read permission for creator only.
- // Should set permission to web user and groups for users used by batch
- //@chmod($file, octdec('0600'));
-
- return 1;
- }
- else
- {
- dol_syslog("security.lib::encodedecode_dbpassconf Failed to open conf.php file for writing", LOG_WARNING);
- return -1;
- }
- }
- else
- {
- dol_syslog("security.lib::encodedecode_dbpassconf Failed to read conf.php", LOG_ERR);
- return -2;
- }
-}
-
/**
* Encode a string
*
@@ -490,32 +65,6 @@ function dol_decode($chain)
}
-/**
- * Return a generated password using default module
- *
- * @param boolean $generic true=Create generic password (a MD5 string), false=Use the configured password generation module
- * @return string New value for password
- */
-function getRandomPassword($generic=false)
-{
- global $db,$conf,$langs,$user;
-
- $generated_password='';
- if ($generic) $generated_password=dol_hash(mt_rand());
- else if ($conf->global->USER_PASSWORD_GENERATED)
- {
- $nomclass="modGeneratePass".ucfirst($conf->global->USER_PASSWORD_GENERATED);
- $nomfichier=$nomclass.".class.php";
- //print DOL_DOCUMENT_ROOT."/core/modules/security/generate/".$nomclass;
- require_once(DOL_DOCUMENT_ROOT."/core/modules/security/generate/".$nomfichier);
- $genhandler=new $nomclass($db,$conf,$langs,$user);
- $generated_password=$genhandler->getNewGeneratedPassword();
- unset($genhandler);
- }
-
- return $generated_password;
-}
-
/**
* Returns a hash of a string
*
@@ -530,4 +79,405 @@ function dol_hash($chain,$type=0)
else return md5($chain);
}
+
+/**
+ * Check permissions of a user to show a page and an object. Check read permission.
+ * If GETPOST('action') defined, we also check write and delete permission.
+ *
+ * @param User $user User to check
+ * @param string $features Features to check (in most cases, it's module name)
+ * @param int $objectid Object ID if we want to check permission on a particular record (optionnal)
+ * @param string $dbtablename Table name where object is stored. Not used if objectid is null (optionnal)
+ * @param string $feature2 Feature to check, second level of permission (optionnal)
+ * @param string $dbt_keyfield Field name for socid foreign key if not fk_soc (optionnal)
+ * @param string $dbt_select Field name for select if not rowid (optionnal)
+ * @param Canvas $objcanvas Object canvas
+ * @return int Always 1, die process if not allowed
+ */
+function restrictedArea($user, $features='societe', $objectid=0, $dbtablename='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid', $objcanvas=null)
+{
+ global $db, $conf;
+
+ //dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename,$feature2,$dbt_socfield,$dbt_select");
+ //print "user_id=".$user->id.", features=".$features.", feature2=".$feature2.", objectid=".$objectid;
+ //print ", dbtablename=".$dbtablename.", dbt_socfield=".$dbt_keyfield.", dbt_select=".$dbt_select;
+ //print ", perm: ".$features."->".$feature2."=".$user->rights->$features->$feature2->lire." ";
+
+ // If we use canvas, we try to use function that overlod restrictarea if provided with canvas
+ if (is_object($objcanvas))
+ {
+ if (method_exists($objcanvas->control,'restrictedArea')) return $objcanvas->control->restrictedArea($user,$features,$objectid,$dbtablename,$feature2,$dbt_keyfield,$dbt_select);
+ }
+
+ if ($dbt_select != 'rowid') $objectid = "'".$objectid."'";
+
+ // More features to check
+ $features = explode("&",$features);
+
+ // More parameters
+ list($dbtablename, $sharedelement) = explode('&', $dbtablename);
+
+ // Check read permission from module
+ // TODO Replace "feature" param into caller by first level of permission
+ $readok=1;
+ foreach ($features as $feature)
+ {
+ if ($feature == 'societe')
+ {
+ if (! $user->rights->societe->lire && ! $user->rights->fournisseur->lire) $readok=0;
+ }
+ else if ($feature == 'contact')
+ {
+ if (! $user->rights->societe->contact->lire) $readok=0;
+ }
+ else if ($feature == 'produit|service')
+ {
+ if (! $user->rights->produit->lire && ! $user->rights->service->lire) $readok=0;
+ }
+ else if ($feature == 'prelevement')
+ {
+ if (! $user->rights->prelevement->bons->lire) $readok=0;
+ }
+ else if ($feature == 'commande_fournisseur')
+ {
+ if (! $user->rights->fournisseur->commande->lire) $readok=0;
+ }
+ else if ($feature == 'cheque')
+ {
+ if (! $user->rights->banque->cheque) $readok=0;
+ }
+ else if ($feature == 'projet')
+ {
+ if (! $user->rights->projet->lire && ! $user->rights->projet->all->lire) $readok=0;
+ }
+ else if (! empty($feature2)) // This should be used for future changes
+ {
+ if (empty($user->rights->$feature->$feature2->lire)
+ && empty($user->rights->$feature->$feature2->read)) $readok=0;
+ }
+ else if (! empty($feature) && ($feature!='user' && $feature!='usergroup')) // This is for old permissions
+ {
+ if (empty($user->rights->$feature->lire)
+ && empty($user->rights->$feature->read)
+ && empty($user->rights->$feature->run)) $readok=0;
+ }
+ }
+
+ if (! $readok)
+ {
+ //print "Read access is down";
+ accessforbidden();
+ }
+ //print "Read access is ok";
+
+ // Check write permission from module
+ $createok=1;
+ if (GETPOST("action") && GETPOST("action") == 'create')
+ {
+ foreach ($features as $feature)
+ {
+ if ($feature == 'contact')
+ {
+ if (! $user->rights->societe->contact->creer) $createok=0;
+ }
+ else if ($feature == 'produit|service')
+ {
+ if (! $user->rights->produit->creer && ! $user->rights->service->creer) $createok=0;
+ }
+ else if ($feature == 'prelevement')
+ {
+ if (! $user->rights->prelevement->bons->creer) $createok=0;
+ }
+ else if ($feature == 'commande_fournisseur')
+ {
+ if (! $user->rights->fournisseur->commande->creer) $createok=0;
+ }
+ else if ($feature == 'banque')
+ {
+ if (! $user->rights->banque->modifier) $createok=0;
+ }
+ else if ($feature == 'cheque')
+ {
+ if (! $user->rights->banque->cheque) $createok=0;
+ }
+ else if (! empty($feature2)) // This should be used for future changes
+ {
+ if (empty($user->rights->$feature->$feature2->creer)
+ && empty($user->rights->$feature->$feature2->write)) $createok=0;
+ }
+ else if (! empty($feature)) // This is for old permissions
+ {
+ //print ' feature='.$feature.' creer='.$user->rights->$feature->creer.' write='.$user->rights->$feature->write;
+ if (empty($user->rights->$feature->creer)
+ && empty($user->rights->$feature->write)) $createok=0;
+ }
+ }
+
+ if (! $createok) accessforbidden();
+ //print "Write access is ok";
+ }
+
+ // Check create user permission
+ $createuserok=1;
+ if ( GETPOST("action") && (GETPOST("action") == 'confirm_create_user' && GETPOST("confirm") == 'yes') )
+ {
+ if (! $user->rights->user->user->creer) $createuserok=0;
+
+ if (! $createuserok) accessforbidden();
+ //print "Create user access is ok";
+ }
+
+ // Check delete permission from module
+ $deleteok=1;
+ if ( GETPOST("action") && ( (GETPOST("action") == 'confirm_delete' && GETPOST("confirm") && GETPOST("confirm") == 'yes') || GETPOST("action") == 'delete') )
+ {
+ foreach ($features as $feature)
+ {
+ if ($feature == 'contact')
+ {
+ if (! $user->rights->societe->contact->supprimer) $deleteok=0;
+ }
+ else if ($feature == 'produit|service')
+ {
+ if (! $user->rights->produit->supprimer && ! $user->rights->service->supprimer) $deleteok=0;
+ }
+ else if ($feature == 'commande_fournisseur')
+ {
+ if (! $user->rights->fournisseur->commande->supprimer) $deleteok=0;
+ }
+ else if ($feature == 'banque')
+ {
+ if (! $user->rights->banque->modifier) $deleteok=0;
+ }
+ else if ($feature == 'cheque')
+ {
+ if (! $user->rights->banque->cheque) $deleteok=0;
+ }
+ else if ($feature == 'ecm')
+ {
+ if (! $user->rights->ecm->upload) $deleteok=0;
+ }
+ else if ($feature == 'ftp')
+ {
+ if (! $user->rights->ftp->write) $deleteok=0;
+ }
+ else if (! empty($feature2)) // This should be used for future changes
+ {
+ if (empty($user->rights->$feature->$feature2->supprimer)
+ && empty($user->rights->$feature->$feature2->delete)) $deleteok=0;
+ }
+ else if (! empty($feature)) // This is for old permissions
+ {
+ //print ' feature='.$feature.' creer='.$user->rights->$feature->supprimer.' write='.$user->rights->$feature->delete;
+ if (empty($user->rights->$feature->supprimer)
+ && empty($user->rights->$feature->delete)) $deleteok=0;
+ }
+ }
+
+ //print "Delete access is ko";
+ if (! $deleteok) accessforbidden();
+ //print "Delete access is ok";
+ }
+
+ // If we have a particular object to check permissions on, we check this object
+ // is linked to a company allowed to $user.
+ if (! empty($objectid) && $objectid > 0)
+ {
+ foreach ($features as $feature)
+ {
+ $sql='';
+
+ $check = array('banque','user','usergroup','produit','service','produit|service','categorie'); // Test on entity only (Objects with no link to company)
+ $checksoc = array('societe'); // Test for societe object
+ $checkother = array('contact'); // Test on entity and link to societe. Allowed if link is empty (Ex: contacts...).
+ $checkproject = array('projet'); // Test for project object
+ $nocheck = array('barcode','stock','fournisseur'); // No test
+ $checkdefault = 'all other not already defined'; // Test on entity and link to third party. Not allowed if link is empty (Ex: invoice, orders...).
+
+ // If dbtable not defined, we use same name for table than module name
+ if (empty($dbtablename)) $dbtablename = $feature;
+
+ // Check permission for object with entity
+ if (in_array($feature,$check))
+ {
+ $sql = "SELECT dbt.".$dbt_select;
+ $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
+ $sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
+ if (($feature == 'user' || $feature == 'usergroup') && ! empty($conf->multicompany->enabled) && $conf->entity == 1 && $user->admin && ! $user->entity)
+ {
+ $sql.= " AND dbt.entity IS NOT NULL";
+ }
+ else
+ {
+ $sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
+ }
+ }
+ else if (in_array($feature,$checksoc))
+ {
+ // If external user: Check permission for external users
+ if ($user->societe_id > 0)
+ {
+ if ($user->societe_id <> $objectid) accessforbidden();
+ }
+ // If internal user: Check permission for internal users that are restricted on their objects
+ else if (! $user->rights->societe->client->voir)
+ {
+ $sql = "SELECT sc.fk_soc";
+ $sql.= " FROM (".MAIN_DB_PREFIX."societe_commerciaux as sc";
+ $sql.= ", ".MAIN_DB_PREFIX."societe as s)";
+ $sql.= " WHERE sc.fk_soc = ".$objectid;
+ $sql.= " AND sc.fk_user = ".$user->id;
+ $sql.= " AND sc.fk_soc = s.rowid";
+ $sql.= " AND s.entity IN (".getEntity($sharedelement, 1).")";
+ }
+ // If multicompany and internal users with all permissions, check user is in correct entity
+ else if (! empty($conf->multicompany->enabled))
+ {
+ $sql = "SELECT s.rowid";
+ $sql.= " FROM ".MAIN_DB_PREFIX."societe as s";
+ $sql.= " WHERE s.rowid = ".$objectid;
+ $sql.= " AND s.entity IN (".getEntity($sharedelement, 1).")";
+ }
+ }
+ else if (in_array($feature,$checkother))
+ {
+ // If external user: Check permission for external users
+ if ($user->societe_id > 0)
+ {
+ $sql = "SELECT dbt.rowid";
+ $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
+ $sql.= " WHERE dbt.rowid = ".$objectid;
+ $sql.= " AND dbt.fk_soc = ".$user->societe_id;
+ }
+ // If internal user: Check permission for internal users that are restricted on their objects
+ else if (! $user->rights->societe->client->voir)
+ {
+ $sql = "SELECT dbt.rowid";
+ $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
+ $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = '".$user->id."'";
+ $sql.= " WHERE dbt.rowid = ".$objectid;
+ $sql.= " AND (dbt.fk_soc IS NULL OR sc.fk_soc IS NOT NULL)"; // Contact not linked to a company or to a company of user
+ $sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
+ }
+ // If multicompany and internal users with all permissions, check user is in correct entity
+ else if (! empty($conf->multicompany->enabled))
+ {
+ $sql = "SELECT dbt.rowid";
+ $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
+ $sql.= " WHERE dbt.rowid = ".$objectid;
+ $sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
+ }
+ }
+ else if (in_array($feature,$checkproject))
+ {
+ if (! $user->rights->projet->all->lire)
+ {
+ include_once(DOL_DOCUMENT_ROOT."/projet/class/project.class.php");
+ $projectstatic=new Project($db);
+ $tmps=$projectstatic->getProjectsAuthorizedForUser($user,0,1,$user->societe_id);
+ $tmparray=explode(',',$tmps);
+ if (! in_array($objectid,$tmparray)) accessforbidden();
+ }
+ }
+ else if (! in_array($feature,$nocheck)) // By default we check with link to third party
+ {
+ // If external user: Check permission for external users
+ if ($user->societe_id > 0)
+ {
+ $sql = "SELECT dbt.".$dbt_keyfield;
+ $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
+ $sql.= " WHERE dbt.rowid = ".$objectid;
+ $sql.= " AND dbt.".$dbt_keyfield." = ".$user->societe_id;
+ }
+ // If internal user: Check permission for internal users that are restricted on their objects
+ else if (! $user->rights->societe->client->voir)
+ {
+ $sql = "SELECT sc.fk_soc";
+ $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
+ $sql.= ", ".MAIN_DB_PREFIX."societe as s";
+ $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
+ $sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
+ $sql.= " AND sc.fk_soc = dbt.".$dbt_keyfield;
+ $sql.= " AND dbt.".$dbt_keyfield." = s.rowid";
+ $sql.= " AND s.entity IN (".getEntity($sharedelement, 1).")";
+ $sql.= " AND sc.fk_user = ".$user->id;
+ }
+ // If multicompany and internal users with all permissions, check user is in correct entity
+ else if (! empty($conf->multicompany->enabled))
+ {
+ $sql = "SELECT dbt.".$dbt_select;
+ $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
+ $sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
+ $sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
+ }
+ }
+
+ //print $sql." ";
+ if ($sql)
+ {
+ $resql=$db->query($sql);
+ if ($resql)
+ {
+ if ($db->num_rows($resql) == 0) accessforbidden();
+ }
+ else
+ {
+ dol_syslog("security.lib:restrictedArea sql=".$sql, LOG_ERR);
+ accessforbidden();
+ }
+ }
+ }
+ }
+
+ return 1;
+}
+
+
+/**
+ * Show a message to say access is forbidden and stop program
+ * Calling this function terminate execution of PHP.
+ *
+ * @param string $message Force error message
+ * @param int $printheader Show header before
+ * @param int $printfooter Show footer after
+ * @param int $showonlymessage Show only message parameter. Otherwise add more information.
+ * @return void
+ */
+function accessforbidden($message='',$printheader=1,$printfooter=1,$showonlymessage=0)
+{
+ global $conf, $db, $user, $langs;
+ if (! is_object($langs))
+ {
+ include_once(DOL_DOCUMENT_ROOT.'/core/class/translate.class.php');
+ $langs=new Translate('',$conf);
+ }
+
+ $langs->load("errors");
+
+ if ($printheader)
+ {
+ if (function_exists("llxHeader")) llxHeader('');
+ else if (function_exists("llxHeaderVierge")) llxHeaderVierge('');
+ }
+ print '';
+ if (! $message) print $langs->trans("ErrorForbidden");
+ else print $message;
+ print '
';
+ print ' ';
+ if (empty($showonlymessage))
+ {
+ if ($user->login)
+ {
+ print $langs->trans("CurrentLogin").': '.$user->login.' ';
+ print $langs->trans("ErrorForbidden2",$langs->trans("Home"),$langs->trans("Users"));
+ }
+ else
+ {
+ print $langs->trans("ErrorForbidden3");
+ }
+ }
+ if ($printfooter && function_exists("llxFooter")) llxFooter();
+ exit(0);
+}
+
?>
\ No newline at end of file
diff --git a/htdocs/core/lib/security2.lib.php b/htdocs/core/lib/security2.lib.php
new file mode 100644
index 0000000000000..803245a5a844c
--- /dev/null
+++ b/htdocs/core/lib/security2.lib.php
@@ -0,0 +1,480 @@
+
+ * Copyright (C) 2008-2012 Regis Houssin
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ * or see http://www.gnu.org/
+ */
+
+/**
+ * \file htdocs/core/lib/security2.lib.php
+ * \ingroup core
+ * \brief Set of function used for dolibarr security (not common functions).
+ * Warning, this file must not depends on other library files, except function.lib.php
+ * because it is used at low code level.
+ */
+
+
+/**
+ * Return a login if login/pass was successfull
+ *
+ * @param string $usertotest Login value to test
+ * @param string $passwordtotest Password value to test
+ * @param string $entitytotest Instance of data we must check
+ * @param array $authmode Array list of selected authentication mode array('http', 'dolibarr', 'xxx'...)
+ * @return string Login or ''
+ */
+function checkLoginPassEntity($usertotest,$passwordtotest,$entitytotest,$authmode)
+{
+ global $conf,$langs;
+ global $dolauthmode; // To return authentication finally used
+
+ // Check parameetrs
+ if ($entitytotest == '') $entitytotest=1;
+
+ dol_syslog("checkLoginPassEntity usertotest=".$usertotest." entitytotest=".$entitytotest." authmode=".join(',',$authmode));
+ $login = '';
+
+ // Validation of login/pass/entity with a third party login module method
+ if (! empty($conf->login_method_modules) && is_array($conf->login_method_modules))
+ {
+ foreach($conf->login_method_modules as $dir)
+ {
+ $newdir=dol_osencode($dir);
+
+ // Check if directory exists
+ if (! is_dir($newdir)) continue;
+
+ $handle=opendir($newdir);
+ if (is_resource($handle))
+ {
+ while (($file = readdir($handle))!==false)
+ {
+ if (is_readable($dir.'/'.$file) && preg_match('/^functions_([^_]+)\.php/',$file,$reg))
+ {
+ $authfile = $dir.'/'.$file;
+ $mode = $reg[1];
+
+ $result=include_once($authfile);
+ if ($result)
+ {
+ // Call function to check user/password
+ $function='check_user_password_'.$mode;
+ $login=call_user_func($function,$usertotest,$passwordtotest,$entitytotest);
+ if ($login)
+ {
+ $conf->authmode=$mode; // This properties is defined only when logged to say what mode was successfully used
+ }
+ }
+ else
+ {
+ dol_syslog("Authentification ko - failed to load file '".$authfile."'",LOG_ERR);
+ sleep(1); // To slow brut force cracking
+ $langs->load('main');
+ $langs->load('other');
+ $_SESSION["dol_loginmesg"]=$langs->trans("ErrorFailedToLoadLoginFileForMode",$mode);
+ }
+ }
+ }
+ closedir($handle);
+ }
+ }
+ }
+
+ // Validation of login/pass/entity with standard modules
+ if (empty($login))
+ {
+ $test=true;
+ foreach($authmode as $mode)
+ {
+ if ($test && $mode && ! $login)
+ {
+ $mode=trim($mode);
+ $authfile=DOL_DOCUMENT_ROOT.'/core/login/functions_'.$mode.'.php';
+ $result=include_once($authfile);
+ if ($result)
+ {
+ // Call function to check user/password
+ $function='check_user_password_'.$mode;
+ $login=call_user_func($function,$usertotest,$passwordtotest,$entitytotest);
+ if ($login) // Login is successfull
+ {
+ $test=false; // To stop once at first login success
+ $conf->authmode=$mode; // This properties is defined only when logged to say what mode was successfully used
+ $dol_tz=$_POST["tz"];
+ $dol_dst=$_POST["dst"];
+ $dol_screenwidth=$_POST["screenwidth"];
+ $dol_screenheight=$_POST["screenheight"];
+ }
+ }
+ else
+ {
+ dol_syslog("Authentification ko - failed to load file '".$authfile."'",LOG_ERR);
+ sleep(1);
+ $langs->load('main');
+ $langs->load('other');
+ $_SESSION["dol_loginmesg"]=$langs->trans("ErrorFailedToLoadLoginFileForMode",$mode);
+ }
+ }
+ }
+ }
+
+ return $login;
+}
+
+
+/**
+ * Show Dolibarr default login page
+ *
+ * @param Translate $langs Lang object (must be initialized by a new).
+ * @param Conf $conf Conf object
+ * @param Societe $mysoc Company object
+ * @return void
+ */
+function dol_loginfunction($langs,$conf,$mysoc)
+{
+ global $dolibarr_main_demo,$db;
+ global $smartphone,$mc;
+
+ $langcode=(GETPOST('lang')?((is_object($langs)&&$langs->defaultlang)?$langs->defaultlang:'auto'):GETPOST('lang'));
+ $langs->setDefaultLang($langcode);
+
+ $langs->load("main");
+ $langs->load("other");
+ $langs->load("help");
+ $langs->load("admin");
+
+ $main_authentication=$conf->file->main_authentication;
+ $session_name=session_name();
+
+ $dol_url_root = DOL_URL_ROOT;
+
+ $php_self = $_SERVER['PHP_SELF'];
+ $php_self.= $_SERVER["QUERY_STRING"]?'?'.$_SERVER["QUERY_STRING"]:'';
+
+ // Title
+ $title='Dolibarr '.DOL_VERSION;
+ if (! empty($conf->global->MAIN_APPLICATION_TITLE)) $title=$conf->global->MAIN_APPLICATION_TITLE;
+
+ // Select templates
+ if (preg_match('/^smartphone/',$conf->smart_menu) && isset($conf->browser->phone))
+ {
+ $template_dir = DOL_DOCUMENT_ROOT.'/theme/phones/smartphone/tpl/';
+ }
+ else
+ {
+ if (file_exists(DOL_DOCUMENT_ROOT."/theme/".$conf->theme."/tpl/login.tpl.php"))
+ {
+ $template_dir = DOL_DOCUMENT_ROOT."/theme/".$conf->theme."/tpl/";
+ }
+ else
+ {
+ $template_dir = DOL_DOCUMENT_ROOT."/core/tpl/";
+ }
+ }
+
+ $conf->css = "/theme/".$conf->theme."/style.css.php?lang=".$langs->defaultlang;
+ $conf_css = DOL_URL_ROOT.$conf->css;
+
+ // Set cookie for timeout management
+ $prefix=dol_getprefix();
+ $sessiontimeout='DOLSESSTIMEOUT_'.$prefix;
+ if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) setcookie($sessiontimeout, $conf->global->MAIN_SESSION_TIMEOUT, 0, "/", '', 0);
+
+ if (GETPOST("urlfrom")) $_SESSION["urlfrom"]=GETPOST("urlfrom");
+ else unset($_SESSION["urlfrom"]);
+
+ if (! GETPOST("username")) $focus_element='username';
+ else $focus_element='password';
+
+ $login_background=DOL_URL_ROOT.'/theme/login_background.png';
+ if (file_exists(DOL_DOCUMENT_ROOT.'/theme/'.$conf->theme.'/img/login_background.png'))
+ {
+ $login_background=DOL_URL_ROOT.'/theme/'.$conf->theme.'/img/login_background.png';
+ }
+
+ $demologin='';
+ $demopassword='';
+ if (! empty($dolibarr_main_demo))
+ {
+ $tab=explode(',',$dolibarr_main_demo);
+ $demologin=$tab[0];
+ $demopassword=$tab[1];
+ }
+
+ // Entity cookie
+ if (! empty($conf->multicompany->enabled))
+ {
+ $lastuser = '';
+ $lastentity = $_POST['entity'];
+
+ if (! empty($conf->global->MULTICOMPANY_COOKIE_ENABLED))
+ {
+ $prefix=dol_getprefix();
+ $entityCookieName = 'DOLENTITYID_'.$prefix;
+ if (isset($_COOKIE[$entityCookieName]))
+ {
+ include_once(DOL_DOCUMENT_ROOT . "/core/class/cookie.class.php");
+
+ $cryptkey = (! empty($conf->file->cookie_cryptkey) ? $conf->file->cookie_cryptkey : '' );
+
+ $entityCookie = new DolCookie($cryptkey);
+ $cookieValue = $entityCookie->_getCookie($entityCookieName);
+ list($lastuser, $lastentity) = explode('|', $cookieValue);
+ }
+ }
+ }
+
+ // Login
+ $login = (!empty($lastuser)?$lastuser:(GETPOST("username","alpha",2)?GETPOST("username","alpha",2):$demologin));
+ $password = $demopassword;
+
+ // Show logo (search in order: small company logo, large company logo, theme logo, common logo)
+ $width=0;
+ $rowspan=2;
+ $urllogo=DOL_URL_ROOT.'/theme/login_logo.png';
+
+ if (! empty($mysoc->logo_small) && is_readable($conf->mycompany->dir_output.'/logos/thumbs/'.$mysoc->logo_small))
+ {
+ $urllogo=DOL_URL_ROOT.'/viewimage.php?cache=1&modulepart=companylogo&file='.urlencode('thumbs/'.$mysoc->logo_small);
+ }
+ elseif (! empty($mysoc->logo) && is_readable($conf->mycompany->dir_output.'/logos/'.$mysoc->logo))
+ {
+ $urllogo=DOL_URL_ROOT.'/viewimage.php?cache=1&modulepart=companylogo&file='.urlencode($mysoc->logo);
+ $width=128;
+ }
+ elseif (is_readable(DOL_DOCUMENT_ROOT.'/theme/'.$conf->theme.'/img/dolibarr_logo.png'))
+ {
+ $urllogo=DOL_URL_ROOT.'/theme/'.$conf->theme.'/img/dolibarr_logo.png';
+ }
+ elseif (is_readable(DOL_DOCUMENT_ROOT.'/theme/dolibarr_logo.png'))
+ {
+ $urllogo=DOL_URL_ROOT.'/theme/dolibarr_logo.png';
+
+ }
+
+ // Entity field
+ $select_entity='';
+ if (! empty($conf->multicompany->enabled) && empty($conf->global->MULTICOMPANY_HIDE_LOGIN_COMBOBOX))
+ {
+ $rowspan++;
+ $select_entity = $mc->select_entities($lastentity, 'entity', ' tabindex="3"', 1);
+ }
+
+ // Security graphical code
+ $captcha=0;
+ $captcha_refresh='';
+ if (function_exists("imagecreatefrompng") && ! empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA))
+ {
+ $captcha=1;
+ $captcha_refresh=img_picto($langs->trans("Refresh"),'refresh');
+ }
+
+ // Extra link
+ $forgetpasslink=0;
+ $helpcenterlink=0;
+ if (empty($conf->global->MAIN_SECURITY_DISABLEFORGETPASSLINK) || empty($conf->global->MAIN_HELPCENTER_DISABLELINK))
+ {
+ if (empty($conf->global->MAIN_SECURITY_DISABLEFORGETPASSLINK))
+ {
+ $forgetpasslink=1;
+ }
+
+ if (empty($conf->global->MAIN_HELPCENTER_DISABLELINK))
+ {
+ $helpcenterlink=1;
+ }
+ }
+
+ // Home message
+ if (! empty($conf->global->MAIN_HOME))
+ {
+ $i=0;
+ while (preg_match('/__\(([a-zA-Z]+)\)__/i',$conf->global->MAIN_HOME,$reg) && $i < 100)
+ {
+ $conf->global->MAIN_HOME=preg_replace('/__\('.$reg[1].'\)__/i',$langs->trans($reg[1]),$conf->global->MAIN_HOME);
+ $i++;
+ }
+ }
+ $main_home=dol_htmlcleanlastbr($conf->global->MAIN_HOME);
+
+ // Google AD
+ $main_google_ad_client = ((! empty($conf->global->MAIN_GOOGLE_AD_CLIENT) && ! empty($conf->global->MAIN_GOOGLE_AD_SLOT))?1:0);
+
+ $dol_loginmesg = $_SESSION["dol_loginmesg"];
+
+ include($template_dir.'login.tpl.php'); // To use native PHP
+
+ $_SESSION["dol_loginmesg"] = '';
+}
+
+/**
+ * Fonction pour initialiser un salt pour la fonction crypt.
+ *
+ * @param int $type 2=>renvoi un salt pour cryptage DES
+ * 12=>renvoi un salt pour cryptage MD5
+ * non defini=>renvoi un salt pour cryptage par defaut
+ * @return string Salt string
+ */
+function makesalt($type=CRYPT_SALT_LENGTH)
+{
+ dol_syslog("makesalt type=".$type);
+ switch($type)
+ {
+ case 12: // 8 + 4
+ $saltlen=8; $saltprefix='$1$'; $saltsuffix='$'; break;
+ case 8: // 8 (Pour compatibilite, ne devrait pas etre utilise)
+ $saltlen=8; $saltprefix='$1$'; $saltsuffix='$'; break;
+ case 2: // 2
+ default: // by default, fall back on Standard DES (should work everywhere)
+ $saltlen=2; $saltprefix=''; $saltsuffix=''; break;
+ }
+ $salt='';
+ while(dol_strlen($salt) < $saltlen) $salt.=chr(mt_rand(64,126));
+
+ $result=$saltprefix.$salt.$saltsuffix;
+ dol_syslog("makesalt return=".$result);
+ return $result;
+}
+
+/**
+ * Encode or decode database password in config file
+ *
+ * @param int $level Encode level: 0 no encoding, 1 encoding
+ * @return int <0 if KO, >0 if OK
+ */
+function encodedecode_dbpassconf($level=0)
+{
+ dol_syslog("encodedecode_dbpassconf level=".$level, LOG_DEBUG);
+ $config = '';
+ $passwd='';
+ $passwd_crypted='';
+
+ if ($fp = fopen(DOL_DOCUMENT_ROOT.'/conf/conf.php','r'))
+ {
+ while(!feof($fp))
+ {
+ $buffer = fgets($fp,4096);
+
+ $lineofpass=0;
+
+ if (preg_match('/^[^#]*dolibarr_main_db_encrypted_pass[\s]*=[\s]*(.*)/i',$buffer,$reg)) // Old way to save crypted value
+ {
+ $val = trim($reg[1]); // This also remove CR/LF
+ $val=preg_replace('/^["\']/','',$val);
+ $val=preg_replace('/["\'][\s;]*$/','',$val);
+ if (! empty($val))
+ {
+ $passwd_crypted = $val;
+ $val = dol_decode($val);
+ $passwd = $val;
+ $lineofpass=1;
+ }
+ }
+ elseif (preg_match('/^[^#]*dolibarr_main_db_pass[\s]*=[\s]*(.*)/i',$buffer,$reg))
+ {
+ $val = trim($reg[1]); // This also remove CR/LF
+ $val=preg_replace('/^["\']/','',$val);
+ $val=preg_replace('/["\'][\s;]*$/','',$val);
+ if (preg_match('/crypted:/i',$buffer))
+ {
+ $val = preg_replace('/crypted:/i','',$val);
+ $passwd_crypted = $val;
+ $val = dol_decode($val);
+ $passwd = $val;
+ }
+ else
+ {
+ $passwd = $val;
+ $val = dol_encode($val);
+ $passwd_crypted = $val;
+ }
+ $lineofpass=1;
+ }
+
+ // Output line
+ if ($lineofpass)
+ {
+ // Add value at end of file
+ if ($level == 0)
+ {
+ $config .= '$dolibarr_main_db_pass=\''.$passwd.'\';'."\n";
+ }
+ if ($level == 1)
+ {
+ $config .= '$dolibarr_main_db_pass=\'crypted:'.$passwd_crypted.'\';'."\n";
+ }
+
+ //print 'passwd = '.$passwd.' - passwd_crypted = '.$passwd_crypted;
+ //exit;
+ }
+ else
+ {
+ $config .= $buffer;
+ }
+ }
+ fclose($fp);
+
+ // Write new conf file
+ $file=DOL_DOCUMENT_ROOT.'/conf/conf.php';
+ if ($fp = @fopen($file,'w'))
+ {
+ fputs($fp, $config);
+ fclose($fp);
+ // It's config file, so we set read permission for creator only.
+ // Should set permission to web user and groups for users used by batch
+ //@chmod($file, octdec('0600'));
+
+ return 1;
+ }
+ else
+ {
+ dol_syslog("encodedecode_dbpassconf Failed to open conf.php file for writing", LOG_WARNING);
+ return -1;
+ }
+ }
+ else
+ {
+ dol_syslog("encodedecode_dbpassconf Failed to read conf.php", LOG_ERR);
+ return -2;
+ }
+}
+
+/**
+ * Return a generated password using default module
+ *
+ * @param boolean $generic true=Create generic password (a MD5 string), false=Use the configured password generation module
+ * @return string New value for password
+ */
+function getRandomPassword($generic=false)
+{
+ global $db,$conf,$langs,$user;
+
+ $generated_password='';
+ if ($generic) $generated_password=dol_hash(mt_rand());
+ else if ($conf->global->USER_PASSWORD_GENERATED)
+ {
+ $nomclass="modGeneratePass".ucfirst($conf->global->USER_PASSWORD_GENERATED);
+ $nomfichier=$nomclass.".class.php";
+ //print DOL_DOCUMENT_ROOT."/core/modules/security/generate/".$nomclass;
+ require_once(DOL_DOCUMENT_ROOT."/core/modules/security/generate/".$nomfichier);
+ $genhandler=new $nomclass($db,$conf,$langs,$user);
+ $generated_password=$genhandler->getNewGeneratedPassword();
+ unset($genhandler);
+ }
+
+ return $generated_password;
+}
+
+?>
\ No newline at end of file
diff --git a/htdocs/core/lib/ws.lib.php b/htdocs/core/lib/ws.lib.php
index f93513bcbdc2e..7145f0c2affeb 100755
--- a/htdocs/core/lib/ws.lib.php
+++ b/htdocs/core/lib/ws.lib.php
@@ -75,7 +75,8 @@ function check_authentication($authentication,&$error,&$errorcode,&$errorlabel)
// Set authmode
$authmode=explode(',',$dolibarr_main_authentication);
- $login = checkLoginPassEntity($authentication['login'],$authentication['password'],$authentication['entity'],$authmode);
+ include_once(DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php');
+ $login = checkLoginPassEntity($authentication['login'],$authentication['password'],$authentication['entity'],$authmode);
if (empty($login))
{
$error++;
diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php
index e93b6fb11c98e..0eaf46b41acc2 100755
--- a/htdocs/filefunc.inc.php
+++ b/htdocs/filefunc.inc.php
@@ -145,7 +145,7 @@
break;
}
}
-if (! $found) // If autodetect fails (Ie: when uing apache alias that point outside default DOCUMENT_ROOT.
+if (! $found) // If autodetect fails (Ie: when using apache alias that point outside default DOCUMENT_ROOT.
{
$tmp=$dolibarr_main_url_root;
}
@@ -213,8 +213,10 @@
exit;
}
-include_once(DOL_DOCUMENT_ROOT ."/core/lib/functions.lib.php"); // Need 970ko memory (1.1 in 2.2)
-include_once(DOL_DOCUMENT_ROOT ."/core/lib/security.lib.php"); // Include by default
+// Included by default
+include_once(DOL_DOCUMENT_ROOT ."/core/lib/functions.lib.php");
+include_once(DOL_DOCUMENT_ROOT ."/core/lib/security.lib.php");
+//print memory_get_usage();
// If password is encoded, we decode it
if (preg_match('/crypted:/i',$dolibarr_main_db_pass) || ! empty($dolibarr_main_db_encrypted_pass))
@@ -227,6 +229,5 @@
}
else $dolibarr_main_db_pass = dol_decode($dolibarr_main_db_encrypted_pass);
}
-//print memory_get_usage();
?>
diff --git a/htdocs/index.php b/htdocs/index.php
index 17968aa962b46..4ede8a6d8cc63 100644
--- a/htdocs/index.php
+++ b/htdocs/index.php
@@ -223,7 +223,6 @@
"bills",
"Contracts");
- //print memory_get_usage()." ";
// Loop and displays each line of table
foreach ($keys as $key=>$val)
@@ -249,8 +248,6 @@
print ''.$title.' ';
print ''.$board->nb[$val].' ';
print '';
-
- //print $includes[$key].' '.memory_get_usage()." ";
}
}
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index f673d510a45c4..8b5be34f96953 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -332,7 +332,8 @@ function analyse_sql_and_script(&$var, $type)
$test=true;
if (! isset($_SESSION["dol_login"]))
{
- // It is not already authenticated, it requests the login / password
+ // It is not already authenticated and it requests the login / password
+ include_once(DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php');
// If in demo mode, we check we go to home page through the public/demo/index.php page
if ($dolibarr_main_demo && $_SERVER['PHP_SELF'] == DOL_URL_ROOT.'/index.php') // We ask index page
@@ -384,7 +385,7 @@ function analyse_sql_and_script(&$var, $type)
if ($test && $goontestloop)
{
- $login = checkLoginPassEntity($usertotest,$passwordtotest,$entitytotest,$authmode);
+ $login = checkLoginPassEntity($usertotest,$passwordtotest,$entitytotest,$authmode);
if ($login)
{
$dol_authmode=$conf->authmode; // This properties is defined only when logged to say what mode was successfully used
diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php
index f2ee406311eb4..c446edf05bb89 100644
--- a/htdocs/user/class/user.class.php
+++ b/htdocs/user/class/user.class.php
@@ -1236,7 +1236,7 @@ function update_last_login_date()
function setPassword($user, $password='', $changelater=0, $notrigger=0, $nosyncmember=0)
{
global $conf, $langs;
- require_once(DOL_DOCUMENT_ROOT ."/core/lib/security.lib.php");
+ require_once(DOL_DOCUMENT_ROOT ."/core/lib/security2.lib.php");
$error=0;
diff --git a/htdocs/user/fiche.php b/htdocs/user/fiche.php
index 5db8e190e822e..9854c298be69e 100644
--- a/htdocs/user/fiche.php
+++ b/htdocs/user/fiche.php
@@ -669,8 +669,9 @@
print '';
$generated_password='';
- if (! $ldap_sid)
+ if (! $ldap_sid) // ldap_sid ?
{
+ require_once(DOL_DOCUMENT_ROOT."/core/lib/security2.lib.php");
$generated_password=getRandomPassword('');
}
$password=$generated_password;
diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php
index 4f70ce2f4a264..88ffcac9043af 100755
--- a/test/phpunit/SecurityTest.php
+++ b/test/phpunit/SecurityTest.php
@@ -27,8 +27,8 @@
//define('TEST_DB_FORCE_TYPE','mysql'); // This is to force using mysql driver
require_once 'PHPUnit/Autoload.php';
require_once dirname(__FILE__).'/../../htdocs/master.inc.php';
-require_once dirname(__FILE__).'/../../htdocs/core/lib/functions.lib.php';
require_once dirname(__FILE__).'/../../htdocs/core/lib/security.lib.php';
+require_once dirname(__FILE__).'/../../htdocs/core/lib/security2.lib.php';
if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER','1');
if (! defined('NOREQUIREDB')) define('NOREQUIREDB','1');
@@ -113,6 +113,9 @@ protected function tearDown()
}
/**
+ * testGETPOST
+ *
+ * @return string
*/
public function testGETPOST()
{
@@ -152,6 +155,9 @@ public function testGETPOST()
}
/**
+ * testCheckLoginPassEntity
+ *
+ * @return void
*/
public function testCheckLoginPassEntity()
{
@@ -177,6 +183,9 @@ public function testCheckLoginPassEntity()
}
/**
+ * testEncodeDecode
+ *
+ * @return number
*/
public function testEncodeDecode()
{
@@ -191,6 +200,9 @@ public function testEncodeDecode()
}
/**
+ * testGetRandomPassword
+ *
+ * @return number
*/
public function testGetRandomPassword()
{
@@ -212,5 +224,18 @@ public function testGetRandomPassword()
return 0;
}
+
+ /**
+ * testGetRandomPassword
+ *
+ * @return number
+ */
+ public function testRestrictedArea()
+ {
+
+
+
+ }
+
}
?>
\ No newline at end of file