Comment:Make sure access to skeletons is possible, but only via Skeleton class
SHA3-256: f0156b82a12ecdc06e2f7c49cf6fb68820aae1b47891c2f3e076b89525aabb3f
User & Date: bohwaz on 2021-03-19 21:01:06

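--- a/src/include/lib/Garradin/Entities/Files/File.php
+++ b/src/include/lib/Garradin/Entities/Files/File.php
@@ -540,14 +540,20 @@
 	public function serve(?Session $session = null, bool $download = false): void
 	{
 		if (!$this->checkReadAccess($session)) {
 			header('HTTP/1.1 403 Forbidden', true, 403);
 			throw new UserException('Vous n\'avez pas accès à ce fichier.');
 			return;
 		}
+
+		// Only simple files can be served, not directories
+		if ($this->type != self::TYPE_FILE) {
+			header('HTTP/1.1 404 Not Found', true, 404);
+			throw new UserException('Page non trouvée');
+		}
 
 		$path = Files::callStorage('getFullPath', $this);
 		$content = null === $path ? Files::callStorage('fetch', $this) : null;
 
 		$this->_serve($path, $content, $download);
 	}
 
@@ -604,19 +610,14 @@
 	 * @param  string $path Chemin vers le fichier local
 	 * @param  string $type Type MIME du fichier
 	 * @param  string $name Nom du fichier avec extension
 	 * @param  integer $size Taille du fichier en octets (facultatif)
 	 */
 	protected function _serve(?string $path, ?string $content, bool $download = false): void
 	{
-		if ($this->type != self::TYPE_FILE) {
-			header('HTTP/1.1 404 Not Found', true, 404);
-			throw new UserException('Page non trouvée');
-		}
-
 		if ($this->isPublic()) {
 			Utils::HTTPCache(md5($this->path . $this->size . $this->modified->getTimestamp()), $this->modified->getTimestamp());
 		}
 		else {
 			// Disable browser cache
 			header('Pragma: private');
 			header('Expires: -1');
@@ -717,18 +718,15 @@
 		$context = $this->context();
 		$ref = strtok(substr($this->path, strpos($this->path, '/')), '/');
 
 		if (null === $session || !$session->isLogged()) {
 			return false;
 		}
 
-		if ($context == self::CONTEXT_SKELETON && $session->canAccess($session::SECTION_WEB, $session::ACCESS_ADMIN)) {
-			return true;
-		}
-		elseif ($context == self::CONTEXT_TRANSACTION && $session->canAccess($session::SECTION_ACCOUNTING, $session::ACCESS_READ)) {
+		if ($context == self::CONTEXT_TRANSACTION && $session->canAccess($session::SECTION_ACCOUNTING, $session::ACCESS_READ)) {
 			return true;
 		}
 		// The user can access his own profile files
 		else if ($context == self::CONTEXT_USER && $ref == $session->getUser()->id) {
 			return true;
 		}
 		// Only users able to manage users can see their profile files
@@ -824,15 +822,15 @@
 		return sha1($this->path);
 	}
 
 	public function isPublic(): bool
 	{
 		$context = $this->context();
 
-		if ($context == self::CONTEXT_CONFIG || $context == self::CONTEXT_WEB) {
+		if ($context == self::CONTEXT_SKELETON || $context == self::CONTEXT_CONFIG || $context == self::CONTEXT_WEB) {
 			return true;
 		}
 
 		return false;
 	}
 
 	public function getEditor(): ?string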
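Review bot: `isPublic()` now answers true for `CONTEXT_SKELETON`, and the same commit removes the only session-based grant for skeletons from `checkReadAccess()` (the dropped `SECTION_WEB`/`ACCESS_ADMIN` branch in the third hunk), so skeleton files are treated as public — cached via `Utils::HTTPCache` in `_serve()` — for whoever reaches `serve()`, which is broader than "only via Skeleton class" in the commit title. The beginning of `checkReadAccess()` is outside the hunk, so whether it short-circuits on `isPublic()` cannot be confirmed here; if it does, an unauthenticated request that reaches `serve()` for a skeleton file succeeds and the only remaining guard is the router's 404 for skeleton-prefixed URIs in Web.php. Please record the intended contract above the condition, e.g. `// Skeletons are readable without a session: direct web URLs for them are refused by the router, they are only rendered through the Skeleton class`, or keep the admin check in `checkReadAccess()` if that is not the intent. Separately, the `_serve()` docblock in the second hunk still documents `$type`, `$name` and `$size` while the signature takes `?string $path, ?string $content, bool $download`; it should be rewritten to describe the actual parameters.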

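--- a/src/include/lib/Garradin/Web/Web.php
+++ b/src/include/lib/Garradin/Web/Web.php
@@ -135,14 +135,17 @@
 			Utils::redirect(ADMIN_URL);
 		}
 
 		$page = null;
 
 		if ($uri == '') {
 			$skel = 'index.html';
+		}
+		elseif (substr($uri, 0, strlen(File::CONTEXT_SKELETON)) == File::CONTEXT_SKELETON) {
+			$skel = '404.html';
 		}
 		elseif ($page = self::get($uri)) {
 			$skel = $page->template();
 			$page = $page->asTemplateArray();
 		}
 		else {
 			// Trying to see if a custom template with this name exists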
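Review bot: The new skeleton guard is a bare prefix match with loose `==` — `substr($uri, 0, strlen(File::CONTEXT_SKELETON)) == File::CONTEXT_SKELETON` — so any page whose URI merely begins with the constant's text, not only the skeleton directory itself, is sent to `404.html`. Restricting it to the directory, `elseif ($uri === File::CONTEXT_SKELETON || strpos($uri, File::CONTEXT_SKELETON . '/') === 0) {`, keeps such pages reachable while still refusing direct skeleton URLs. How `$uri` is normalised before this point is not visible in the hunk; if it can still carry a different case, a leading slash or percent-encoded characters, the comparison should be made on the normalised form so the refusal holds for every spelling of the same path — confirm against the caller. A short comment such as `// Skeleton templates are never served as pages; they are only rendered through the Skeleton class` would record why this branch precedes the page lookup. The enclosing method starts before the hunk.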