* Copyright (C) 2011 Laurent Destailleur * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . */ /** * \file htdocs/core/ajax/fileupload.php * \brief File to return Ajax response on common file upload. For large files, see flowjs-server.php */ if (!defined('NOREQUIREMENU')) { define('NOREQUIREMENU', '1'); // If there is no menu to show } if (!defined('NOREQUIREHTML')) { define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php } if (!defined('NOREQUIREAJAX')) { define('NOREQUIREAJAX', '1'); } if (!defined('NOREQUIRESOC')) { define('NOREQUIRESOC', '1'); } // Load Dolibarr environment require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/fileupload.class.php'; // Class to upload common files require_once DOL_DOCUMENT_ROOT.'/core/class/genericobject.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/geturl.lib.php'; $id = GETPOSTINT('fk_element'); $element = GETPOST('element', 'alpha'); // 'myobject' (myobject=mymodule) or 'myobject@mymodule' or 'myobject_mysubobject' (myobject=mymodule) $elementupload = $element; // Load object according to $id and $element $object = fetchObjectByElement($id, $element); $module = $object->module; $element = $object->element; $usesublevelpermission = ($module != $element ? $element : ''); if ($usesublevelpermission && !$user->hasRight($module, $element)) { // There is no permission on object defined, we will check permission on module directly $usesublevelpermission = ''; } //print 'fileupload.php: '.$object->id.' - '.$object->module.' - '.$object->element.' - '.$object->table_element.' - '.$usesublevelpermission."\n"; // Security check if (!empty($user->socid)) { $socid = $user->socid; if (!empty($object->socid) && $socid != $object->socid) { httponly_accessforbidden("Access on object not allowed for this external user."); // This includes the exit. } } $result = restrictedArea($user, $object->module, $object, $object->table_element, $usesublevelpermission, 'fk_soc', 'rowid', 0, 1); // Call with mode return if (!$result) { httponly_accessforbidden('Not allowed by restrictArea (module='.$object->module.' table_element='.$object->table_element.')'); } /* * View */ top_httphead(); header('Pragma: no-cache'); header('Cache-Control: no-store, no-cache, must-revalidate'); header('Content-Disposition: inline; filename="files.json"'); header('X-Content-Type-Options: nosniff'); header('Access-Control-Allow-Origin: '.getRootURLFromURL(DOL_MAIN_URL_ROOT)); header('Access-Control-Allow-Methods: OPTIONS, HEAD, GET, POST, PUT, DELETE'); header('Access-Control-Allow-Headers: X-File-Name, X-File-Type, X-File-Size'); switch ($_SERVER['REQUEST_METHOD']) { case 'OPTIONS': break; /*case 'HEAD': case 'GET': $upload_handler->get(); break; */ case 'POST': $upload_handler = new FileUpload(null, $id, $elementupload); /*if (isset($_REQUEST['_method']) && $_REQUEST['_method'] === 'DELETE') { $file = GETPOST('file'); $upload_handler->delete($file); } else {*/ $upload_handler->post(); // Note: even if this return an error on 1 file in post(), we will return http code 200 because error must be managed by the caller (some files may be ok and some in error) //} break; /*case 'DELETE': $file = GETPOST('file'); $upload_handler->delete($file); break;*/ default: header('HTTP/1.0 405 Method Not Allowed'); exit; } $db->close();