mirror of
https://github.com/SuiteCRM/SuiteCRM-Core.git
synced 2025-08-29 11:00:40 +08:00
804972c3f6
5750e66a06 SuiteCRM 7.12.6 Release d80ca53e48 Update jquery UI to v1.13.1 cacf7aa247 Upgrade jstree to v3.3.12 2c95a4c083 Update Wysiwyg field to work with the new version of TinyMCE 9c487fa43c Update email/template views to work with new versions of TinyMCE 7bcbf2a737 Upgrade TinyMCE to version 5.10 63b89fbd4f Fix #9494 - Force displaying line breaks to textarea fields 63dc9adf21 Fix #9530 - Fatal error on rendering page after upload 59d0b42cf0 Fix Module Builder Acceptance Tests 29f18cf248 Fix AOR_Report unit tests ccbb40ca4a Fix scrm-core#87 - Prevent disabling the default lang 4c83fe64a3 Fix #9437 - Use application setCookie across the app b293490c65 Fix #9437 - Change cookie_path handling 4e8924e549 Fix #3157 - Add default option to enable session_gc 120e948307 Fix #9438 - Adding Action keyword to fieldname exception e037232900 Fix #8599 - Auto-close message boxes in ModuleBuilder 277d40b61a Fix #9435 - Dropdown doesn't return empty selected value git-subtree-dir: public/legacy git-subtree-split: 5750e66a060310494cc12b074062ffd36658bc1e
889 lines
35 KiB
PHP
Executable file
889 lines
35 KiB
PHP
Executable file
<?php
|
|
/**
|
|
*
|
|
* SugarCRM Community Edition is a customer relationship management program developed by
|
|
* SugarCRM, Inc. Copyright (C) 2004-2013 SugarCRM Inc.
|
|
*
|
|
* SuiteCRM is an extension to SugarCRM Community Edition developed by SalesAgility Ltd.
|
|
* Copyright (C) 2011 - 2018 SalesAgility Ltd.
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it under
|
|
* the terms of the GNU Affero General Public License version 3 as published by the
|
|
* Free Software Foundation with the addition of the following permission added
|
|
* to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
|
|
* IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
|
|
* OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
|
* FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
|
|
* details.
|
|
*
|
|
* You should have received a copy of the GNU Affero General Public License along with
|
|
* this program; if not, see http://www.gnu.org/licenses or write to the Free
|
|
* Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
* 02110-1301 USA.
|
|
*
|
|
* You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
|
|
* SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com.
|
|
*
|
|
* The interactive user interfaces in modified source and object code versions
|
|
* of this program must display Appropriate Legal Notices, as required under
|
|
* Section 5 of the GNU Affero General Public License version 3.
|
|
*
|
|
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
|
|
* these Appropriate Legal Notices must retain the display of the "Powered by
|
|
* SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not
|
|
* reasonably feasible for technical reasons, the Appropriate Legal Notices must
|
|
* display the words "Powered by SugarCRM" and "Supercharged by SuiteCRM".
|
|
*/
|
|
|
|
if (!defined('sugarEntry') || !sugarEntry) {
|
|
die('Not A Valid Entry Point');
|
|
}
|
|
|
|
/*
|
|
* Created on Mar 21, 2007
|
|
*
|
|
* To change the template for this generated file go to
|
|
* Window - Preferences - PHPeclipse - PHP - Code Templates
|
|
*/
|
|
require_once('include/MVC/Controller/ControllerFactory.php');
|
|
require_once('include/MVC/View/ViewFactory.php');
|
|
|
|
/**
|
|
* SugarCRM application
|
|
* @api
|
|
*/
|
|
class SugarApplication
|
|
{
|
|
public $controller = null;
|
|
public $headerDisplayed = false;
|
|
public $default_module = 'Home';
|
|
public $default_action = 'index';
|
|
|
|
public function __construct()
|
|
{
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
* Perform execution of the application. This method is called from index2.php
|
|
*/
|
|
public function execute()
|
|
{
|
|
global $sugar_config;
|
|
if (!empty($sugar_config['default_module'])) {
|
|
$this->default_module = $sugar_config['default_module'];
|
|
}
|
|
$module = $this->default_module;
|
|
if (!empty($_REQUEST['module'])) {
|
|
$module = $_REQUEST['module'];
|
|
}
|
|
insert_charset_header();
|
|
$this->setupPrint();
|
|
$this->controller = ControllerFactory::getController($module);
|
|
// If the entry point is defined to not need auth, then don't authenticate.
|
|
if (empty($_REQUEST['entryPoint']) || $this->controller->checkEntryPointRequiresAuth($_REQUEST['entryPoint'])) {
|
|
$this->loadUser();
|
|
$this->ACLFilter();
|
|
$this->preProcess();
|
|
$this->controller->preProcess();
|
|
$this->checkHTTPReferer();
|
|
}
|
|
|
|
SugarThemeRegistry::buildRegistry();
|
|
$this->loadLanguages();
|
|
$this->loadDisplaySettings();
|
|
$this->loadGlobals();
|
|
$this->setupResourceManagement($module);
|
|
$this->controller->execute();
|
|
sugar_cleanup();
|
|
}
|
|
|
|
/**
|
|
* Load the authenticated user. If there is not an authenticated user then redirect to login screen.
|
|
*/
|
|
public function loadUser()
|
|
{
|
|
global $authController, $sugar_config;
|
|
// Double check the server's unique key is in the session. Make sure this is not an attempt to hijack a session
|
|
$user_unique_key = (isset($_SESSION['unique_key'])) ? $_SESSION['unique_key'] : '';
|
|
$server_unique_key = (isset($sugar_config['unique_key'])) ? $sugar_config['unique_key'] : '';
|
|
$allowed_actions = (!empty($this->controller->allowed_actions)) ? $this->controller->allowed_actions : $allowed_actions = array('Authenticate', 'Login', 'LoggedOut');
|
|
|
|
$authController = new AuthenticationController();
|
|
|
|
if (($user_unique_key != $server_unique_key) && (!in_array($this->controller->action, $allowed_actions)) &&
|
|
(!isset($_SESSION['login_error']))) {
|
|
session_destroy();
|
|
|
|
if (!empty($this->controller->action)) {
|
|
if (strtolower($this->controller->action) == 'delete') {
|
|
$this->controller->action = 'DetailView';
|
|
} elseif (strtolower($this->controller->action) == 'save') {
|
|
$this->controller->action = 'EditView';
|
|
} elseif (strtolower($this->controller->action) == 'quickcreate') {
|
|
$this->controller->action = 'index';
|
|
$this->controller->module = 'home';
|
|
} elseif (isset($_REQUEST['massupdate']) || isset($_GET['massupdate']) || isset($_POST['massupdate'])) {
|
|
$this->controller->action = 'index';
|
|
} elseif ($this->isModifyAction()) {
|
|
$this->controller->action = 'index';
|
|
} elseif ($this->controller->action == $this->default_action && $this->controller->module == $this->default_module) {
|
|
$this->controller->action = '';
|
|
$this->controller->module = '';
|
|
} elseif (strtolower($this->controller->module) == 'alerts' && strtolower($this->controller->action) == 'get') {
|
|
echo 'lost password';
|
|
if (preg_match('/\bentryPoint=Changenewpassword\b/', $_SERVER['HTTP_REFERER'])) {
|
|
echo ' - change new password';
|
|
}
|
|
exit();
|
|
}
|
|
}
|
|
|
|
$authController->authController->redirectToLogin($this);
|
|
}
|
|
|
|
$GLOBALS['current_user'] = BeanFactory::newBean('Users');
|
|
|
|
$isLogicActionCall = $this->controller->module === 'Users' && in_array($this->controller->action, $allowed_actions);
|
|
if (isset($_SESSION['authenticated_user_id'])) {
|
|
// set in modules/Users/Authenticate.php
|
|
if (!$authController->sessionAuthenticate()) {
|
|
// if the object we get back is null for some reason, this will break - like user prefs are corrupted
|
|
$GLOBALS['log']->fatal('User retrieval for ID: (' . $_SESSION['authenticated_user_id'] . ') does not exist in database or retrieval failed catastrophically. Calling session_destroy() and sending user to Login page.');
|
|
session_destroy();
|
|
SugarApplication::redirect('index.php?action=Login&module=Users');
|
|
die();
|
|
}//fi
|
|
} elseif (!$isLogicActionCall || !empty($_REQUEST['entryPoint'])) {
|
|
session_destroy();
|
|
SugarApplication::redirect('index.php?action=Login&module=Users');
|
|
die();
|
|
}
|
|
$GLOBALS['log']->debug('Current user is: ' . $GLOBALS['current_user']->user_name);
|
|
|
|
//set cookies
|
|
if (isset($_SESSION['authenticated_user_id'])) {
|
|
$GLOBALS['log']->debug("setting cookie ck_login_id_20 to " . $_SESSION['authenticated_user_id']);
|
|
self::setCookie('ck_login_id_20', $_SESSION['authenticated_user_id'], time() + 86400 * 90);
|
|
}
|
|
if (isset($_SESSION['authenticated_user_theme'])) {
|
|
$GLOBALS['log']->debug("setting cookie ck_login_theme_20 to " . $_SESSION['authenticated_user_theme']);
|
|
self::setCookie('ck_login_theme_20', $_SESSION['authenticated_user_theme'], time() + 86400 * 90);
|
|
}
|
|
if (isset($_SESSION['authenticated_user_theme_color'])) {
|
|
$GLOBALS['log']->debug("setting cookie ck_login_theme_color_20 to " . $_SESSION['authenticated_user_theme_color']);
|
|
self::setCookie('ck_login_theme_color_20', $_SESSION['authenticated_user_theme_color'], time() + 86400 * 90);
|
|
}
|
|
if (isset($_SESSION['authenticated_user_theme_font'])) {
|
|
$GLOBALS['log']->debug("setting cookie ck_login_theme_font_20 to " . $_SESSION['authenticated_user_theme_font']);
|
|
self::setCookie('ck_login_theme_font_20', $_SESSION['authenticated_user_theme_font'], time() + 86400 * 90);
|
|
}
|
|
if (isset($_SESSION['authenticated_user_language'])) {
|
|
$GLOBALS['log']->debug("setting cookie ck_login_language_20 to " . $_SESSION['authenticated_user_language']);
|
|
self::setCookie('ck_login_language_20', $_SESSION['authenticated_user_language'], time() + 86400 * 90);
|
|
}
|
|
//check if user can access
|
|
}
|
|
|
|
public function ACLFilter()
|
|
{
|
|
ACLController :: filterModuleList($GLOBALS['moduleList']);
|
|
}
|
|
|
|
/**
|
|
* setupResourceManagement
|
|
* This function initialize the ResourceManager and calls the setup method
|
|
* on the ResourceManager instance.
|
|
*
|
|
*/
|
|
public function setupResourceManagement($module)
|
|
{
|
|
require_once('include/resource/ResourceManager.php');
|
|
$resourceManager = ResourceManager::getInstance();
|
|
$resourceManager->setup($module);
|
|
}
|
|
|
|
public function setupPrint()
|
|
{
|
|
$GLOBALS['request_string'] = '';
|
|
|
|
// merge _GET and _POST, but keep the results local
|
|
// this handles the issues where values come in one way or the other
|
|
// without affecting the main super globals
|
|
$merged = array_merge($_GET, $_POST);
|
|
foreach ($merged as $key => $val) {
|
|
if (is_array($val)) {
|
|
foreach ($val as $k => $v) {
|
|
//If an array, then skip the urlencoding. This should be handled with stringify instead.
|
|
if (is_array($v)) {
|
|
continue;
|
|
}
|
|
|
|
$GLOBALS['request_string'] .= urlencode($key) . '[' . $k . ']=' . urlencode($v) . '&';
|
|
}
|
|
} else {
|
|
$GLOBALS['request_string'] .= urlencode($key) . '=' . urlencode($val) . '&';
|
|
}
|
|
}
|
|
$GLOBALS['request_string'] .= 'print=true';
|
|
}
|
|
|
|
public function preProcess()
|
|
{
|
|
$config = new Administration;
|
|
$config->retrieveSettings();
|
|
if (!empty($_SESSION['authenticated_user_id'])) {
|
|
if (isset($_SESSION['hasExpiredPassword']) && $_SESSION['hasExpiredPassword'] == '1') {
|
|
if ($this->controller->action != 'Save' && $this->controller->action != 'Logout') {
|
|
$this->controller->module = 'Users';
|
|
$this->controller->action = 'ChangePassword';
|
|
$record = $GLOBALS['current_user']->id;
|
|
} else {
|
|
$this->handleOfflineClient();
|
|
}
|
|
} else {
|
|
$ut = $GLOBALS['current_user']->getPreference('ut');
|
|
if (empty($ut) && $this->controller->action != 'AdminWizard' && $this->controller->action != 'EmailUIAjax' && $this->controller->action != 'Wizard' && $this->controller->action != 'SaveAdminWizard' && $this->controller->action != 'SaveUserWizard' && $this->controller->action != 'SaveTimezone' && $this->controller->action != 'Logout') {
|
|
$this->controller->module = 'Users';
|
|
$this->controller->action = 'SetTimezone';
|
|
$record = $GLOBALS['current_user']->id;
|
|
} else {
|
|
if ($this->controller->action != 'AdminWizard' && $this->controller->action != 'EmailUIAjax' && $this->controller->action != 'Wizard' && $this->controller->action != 'SaveAdminWizard' && $this->controller->action != 'SaveUserWizard') {
|
|
$this->handleOfflineClient();
|
|
}
|
|
}
|
|
}
|
|
}
|
|
$this->handleAccessControl();
|
|
}
|
|
|
|
public function handleOfflineClient()
|
|
{
|
|
if (isset($GLOBALS['sugar_config']['disc_client']) && $GLOBALS['sugar_config']['disc_client']) {
|
|
if (isset($_REQUEST['action']) && $_REQUEST['action'] != 'SaveTimezone') {
|
|
if (!file_exists('modules/Sync/file_config.php')) {
|
|
if ($_REQUEST['action'] != 'InitialSync' && $_REQUEST['action'] != 'Logout' &&
|
|
($_REQUEST['action'] != 'Popup' && $_REQUEST['module'] != 'Sync')) {
|
|
//echo $_REQUEST['action'];
|
|
//die();
|
|
$this->controller->module = 'Sync';
|
|
$this->controller->action = 'InitialSync';
|
|
}
|
|
} else {
|
|
require_once('modules/Sync/file_config.php');
|
|
if (isset($file_sync_info['is_first_sync']) && $file_sync_info['is_first_sync']) {
|
|
if ($_REQUEST['action'] != 'InitialSync' && $_REQUEST['action'] != 'Logout' &&
|
|
($_REQUEST['action'] != 'Popup' && $_REQUEST['module'] != 'Sync')) {
|
|
$this->controller->module = 'Sync';
|
|
$this->controller->action = 'InitialSync';
|
|
}
|
|
}
|
|
}
|
|
}
|
|
global $moduleList, $sugar_config, $sync_modules;
|
|
require_once('modules/Sync/SyncController.php');
|
|
$GLOBALS['current_user']->is_admin = '0'; //No admins for disc client
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Handles everything related to authorization.
|
|
*/
|
|
public function handleAccessControl()
|
|
{
|
|
if ($GLOBALS['current_user']->isDeveloperForAnyModule()) {
|
|
return;
|
|
}
|
|
if (!empty($_REQUEST['action']) && $_REQUEST['action'] == "RetrieveEmail") {
|
|
return;
|
|
}
|
|
if (!is_admin($GLOBALS['current_user']) && !empty($GLOBALS['adminOnlyList'][$this->controller->module]) && !empty($GLOBALS['adminOnlyList'][$this->controller->module]['all']) && (empty($GLOBALS['adminOnlyList'][$this->controller->module][$this->controller->action]) || $GLOBALS['adminOnlyList'][$this->controller->module][$this->controller->action] != 'allow')) {
|
|
$this->controller->hasAccess = false;
|
|
return;
|
|
}
|
|
|
|
// Bug 20916 - Special case for check ACL access rights for Subpanel QuickCreates
|
|
if (isset($_POST['action']) && $_POST['action'] == 'SubpanelCreates') {
|
|
$actual_module = $_POST['target_module'];
|
|
if (!empty($GLOBALS['modListHeader']) && !in_array($actual_module, $GLOBALS['modListHeader'])) {
|
|
$this->controller->hasAccess = false;
|
|
}
|
|
return;
|
|
}
|
|
|
|
|
|
if (!empty($GLOBALS['current_user']) && empty($GLOBALS['modListHeader'])) {
|
|
$GLOBALS['modListHeader'] = query_module_access_list($GLOBALS['current_user']);
|
|
}
|
|
|
|
if (in_array($this->controller->module, $GLOBALS['modInvisList']) &&
|
|
((in_array('Activities', $GLOBALS['moduleList']) &&
|
|
in_array('Calendar', $GLOBALS['moduleList'])) &&
|
|
in_array($this->controller->module, $GLOBALS['modInvisListActivities']))
|
|
) {
|
|
$this->controller->hasAccess = false;
|
|
return;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Load only bare minimum of language that can be done before user init and MVC stuff
|
|
*/
|
|
public static function preLoadLanguages()
|
|
{
|
|
$GLOBALS['current_language'] = get_current_language();
|
|
$GLOBALS['log']->debug('current_language is: ' . $GLOBALS['current_language']);
|
|
//set module and application string arrays based upon selected language
|
|
$GLOBALS['app_strings'] = return_application_language($GLOBALS['current_language']);
|
|
}
|
|
|
|
/**
|
|
* Load application wide languages as well as module based languages so they are accessible
|
|
* from the module.
|
|
*/
|
|
public function loadLanguages()
|
|
{
|
|
$GLOBALS['current_language'] = get_current_language();
|
|
$GLOBALS['log']->debug('current_language is: ' . $GLOBALS['current_language']);
|
|
//set module and application string arrays based upon selected language
|
|
$GLOBALS['app_strings'] = return_application_language($GLOBALS['current_language']);
|
|
if (empty($GLOBALS['current_user']->id)) {
|
|
$GLOBALS['app_strings']['NTC_WELCOME'] = '';
|
|
}
|
|
if (!empty($GLOBALS['system_config']->settings['system_name'])) {
|
|
$GLOBALS['app_strings']['LBL_BROWSER_TITLE'] = $GLOBALS['system_config']->settings['system_name'];
|
|
}
|
|
$GLOBALS['app_list_strings'] = return_app_list_strings_language($GLOBALS['current_language']);
|
|
$GLOBALS['mod_strings'] = return_module_language($GLOBALS['current_language'], $this->controller->module);
|
|
}
|
|
|
|
/**
|
|
* checkDatabaseVersion
|
|
* Check the db version sugar_version.php and compare to what the version is stored in the config table.
|
|
* Ensure that both are the same.
|
|
*/
|
|
public function checkDatabaseVersion($dieOnFailure = true)
|
|
{
|
|
$row_count = sugar_cache_retrieve('checkDatabaseVersion_row_count');
|
|
$sugarDbVersion = $GLOBALS['sugar_db_version'];
|
|
$db = DBManagerFactory::getInstance();
|
|
if (empty($row_count)) {
|
|
$version_query = "SELECT count(*) as the_count FROM config WHERE category='info' AND name='sugar_version' AND " .
|
|
$db->convert('value', 'text2char') . " = " .
|
|
$db->quoted($sugarDbVersion);
|
|
|
|
$result = $db->query($version_query);
|
|
$row = $db->fetchByAssoc($result);
|
|
$row_count = $row['the_count'];
|
|
sugar_cache_put('checkDatabaseVersion_row_count', $row_count);
|
|
}
|
|
|
|
if ($row_count == 0 && empty($GLOBALS['sugar_config']['disc_client'])) {
|
|
if ($dieOnFailure) {
|
|
$replacementStrings = array(
|
|
0 => $GLOBALS['sugar_version'],
|
|
1 => $GLOBALS['sugar_db_version'],
|
|
);
|
|
sugar_die(string_format($GLOBALS['app_strings']['ERR_DB_VERSION'], $replacementStrings));
|
|
} else {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* Load the themes/images.
|
|
*/
|
|
public function loadDisplaySettings()
|
|
{
|
|
global $theme;
|
|
|
|
// load the user's default theme
|
|
$theme = $GLOBALS['current_user']->getPreference('user_theme');
|
|
|
|
if (is_null($theme)) {
|
|
$theme = $GLOBALS['sugar_config']['default_theme'];
|
|
if (!empty($_SESSION['authenticated_user_theme'])) {
|
|
$theme = $_SESSION['authenticated_user_theme'];
|
|
} else {
|
|
if (!empty($_COOKIE['sugar_user_theme'])) {
|
|
$theme = $_COOKIE['sugar_user_theme'];
|
|
}
|
|
}
|
|
|
|
if (isset($_SESSION['authenticated_user_theme']) && $_SESSION['authenticated_user_theme'] != '') {
|
|
$_SESSION['theme_changed'] = false;
|
|
}
|
|
}
|
|
|
|
$available_themes = SugarThemeRegistry::availableThemes();
|
|
if (!isset($available_themes[$theme])) {
|
|
$theme = $GLOBALS['sugar_config']['default_theme'];
|
|
}
|
|
|
|
if (!is_null($theme) && !headers_sent()) {
|
|
self::setCookie('sugar_user_theme', $theme, time() + 31536000, null, null, isSSL(), true); // expires in a year
|
|
}
|
|
|
|
SugarThemeRegistry::set($theme);
|
|
require_once('include/utils/layout_utils.php');
|
|
$GLOBALS['image_path'] = SugarThemeRegistry::current()->getImagePath() . '/';
|
|
if (defined('TEMPLATE_URL')) {
|
|
$GLOBALS['image_path'] = TEMPLATE_URL . '/' . $GLOBALS['image_path'];
|
|
}
|
|
|
|
if (isset($GLOBALS['current_user'])) {
|
|
$GLOBALS['gridline'] = (int) ($GLOBALS['current_user']->getPreference('gridline') == 'on');
|
|
$GLOBALS['current_user']->setPreference('user_theme', $theme, 0, 'global');
|
|
}
|
|
}
|
|
|
|
public function loadLicense()
|
|
{
|
|
loadLicense();
|
|
global $user_unique_key, $server_unique_key;
|
|
$user_unique_key = (isset($_SESSION['unique_key'])) ? $_SESSION['unique_key'] : '';
|
|
$server_unique_key = (isset($sugar_config['unique_key'])) ? $sugar_config['unique_key'] : '';
|
|
}
|
|
|
|
public function loadGlobals()
|
|
{
|
|
global $currentModule;
|
|
$currentModule = $this->controller->module;
|
|
if ($this->controller->module == $this->default_module) {
|
|
$_REQUEST['module'] = $this->controller->module;
|
|
if (empty($_REQUEST['action'])) {
|
|
$_REQUEST['action'] = $this->default_action;
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Actions that modify data in this controller's instance and thus require referrers
|
|
* @var array
|
|
*/
|
|
protected $modifyActions = array();
|
|
|
|
/**
|
|
* Actions that always modify data and thus require referrers
|
|
* save* and delete* hardcoded as modified
|
|
* @var array
|
|
*/
|
|
private $globalModifyActions = array(
|
|
'massupdate', 'configuredashlet', 'import', 'importvcardsave', 'inlinefieldsave',
|
|
'wlsave', 'quicksave'
|
|
);
|
|
|
|
/**
|
|
* Modules that modify data and thus require referrers for all actions
|
|
*/
|
|
private $modifyModules = array(
|
|
'Administration' => true,
|
|
'UpgradeWizard' => true,
|
|
'Configurator' => true,
|
|
'Studio' => true,
|
|
'ModuleBuilder' => true,
|
|
'Emails' => true,
|
|
'DCETemplates' => true,
|
|
'DCEInstances' => true,
|
|
'DCEActions' => true,
|
|
'Trackers' => array('trackersettings'),
|
|
'SugarFavorites' => array('tag'),
|
|
'Import' => array('last', 'undo'),
|
|
'Users' => array('changepassword', "generatepassword"),
|
|
);
|
|
|
|
protected function isModifyAction()
|
|
{
|
|
$action = strtolower($this->controller->action);
|
|
if (substr($action, 0, 4) == "save" || substr($action, 0, 6) == "delete") {
|
|
return true;
|
|
}
|
|
if (isset($this->modifyModules[$this->controller->module])) {
|
|
if ($this->modifyModules[$this->controller->module] === true) {
|
|
return true;
|
|
}
|
|
if (in_array($this->controller->action, $this->modifyModules[$this->controller->module])) {
|
|
return true;
|
|
}
|
|
}
|
|
if (in_array($this->controller->action, $this->globalModifyActions)) {
|
|
return true;
|
|
}
|
|
if (in_array($this->controller->action, $this->modifyActions)) {
|
|
return true;
|
|
}
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* The list of the actions excepted from referer checks by default
|
|
* @var array
|
|
*/
|
|
protected $whiteListActions = array('index', 'ListView', 'DetailView', 'EditView', 'oauth', 'authorize', 'Authenticate', 'Login', 'SupportPortal');
|
|
|
|
/**
|
|
*
|
|
* Checks a request to ensure the request is coming from a valid source or it is for one of the white listed actions
|
|
*/
|
|
protected function checkHTTPReferer($dieIfInvalid = true)
|
|
{
|
|
global $sugar_config;
|
|
if (!empty($sugar_config['http_referer']['actions'])) {
|
|
$this->whiteListActions = array_merge($sugar_config['http_referer']['actions'], $this->whiteListActions);
|
|
}
|
|
|
|
$strong = empty($sugar_config['http_referer']['weak']);
|
|
|
|
// Bug 39691 - Make sure localhost and 127.0.0.1 are always valid HTTP referers
|
|
$whiteListReferers = array('127.0.0.1', 'localhost');
|
|
if (!empty($_SERVER['SERVER_ADDR'])) {
|
|
$whiteListReferers[] = $_SERVER['SERVER_ADDR'];
|
|
}
|
|
if (!empty($sugar_config['http_referer']['list'])) {
|
|
$whiteListReferers = array_merge($whiteListReferers, $sugar_config['http_referer']['list']);
|
|
}
|
|
|
|
if ($strong && empty($_SERVER['HTTP_REFERER']) && !in_array($this->controller->action, $this->whiteListActions) && $this->isModifyAction()) {
|
|
$http_host = explode(':', $_SERVER['HTTP_HOST']);
|
|
$whiteListActions = $this->whiteListActions;
|
|
$whiteListActions[] = $this->controller->action;
|
|
$whiteListString = "'" . implode("', '", $whiteListActions) . "'";
|
|
if ($dieIfInvalid) {
|
|
header("Cache-Control: no-cache, must-revalidate");
|
|
$ss = new Sugar_Smarty;
|
|
$ss->assign('host', $http_host[0]);
|
|
$ss->assign('action', $this->controller->action);
|
|
$ss->assign('whiteListString', $whiteListString);
|
|
$ss->display('include/MVC/View/tpls/xsrf.tpl');
|
|
sugar_cleanup(true);
|
|
}
|
|
return false;
|
|
} else {
|
|
if (!empty($_SERVER['HTTP_REFERER']) && !empty($_SERVER['SERVER_NAME'])) {
|
|
$http_ref = parse_url($_SERVER['HTTP_REFERER']);
|
|
if ($http_ref['host'] !== $_SERVER['SERVER_NAME'] && !in_array($this->controller->action, $this->whiteListActions) &&
|
|
(empty($whiteListReferers) || !in_array($http_ref['host'], $whiteListReferers))) {
|
|
if ($dieIfInvalid) {
|
|
header("Cache-Control: no-cache, must-revalidate");
|
|
$whiteListActions = $this->whiteListActions;
|
|
$whiteListActions[] = $this->controller->action;
|
|
$whiteListString = "'" . implode("', '", $whiteListActions) . "'";
|
|
|
|
$ss = new Sugar_Smarty;
|
|
$ss->assign('host', $http_ref['host']);
|
|
$ss->assign('action', $this->controller->action);
|
|
$ss->assign('whiteListString', $whiteListString);
|
|
$ss->display('include/MVC/View/tpls/xsrf.tpl');
|
|
sugar_cleanup(true);
|
|
}
|
|
return false;
|
|
}
|
|
}
|
|
}
|
|
return true;
|
|
}
|
|
|
|
public function startSession()
|
|
{
|
|
$sessionIdCookie = isset($_COOKIE[session_name()]) ? $_COOKIE[session_name()] : null;
|
|
if (isset($_REQUEST['MSID'])) {
|
|
session_id($_REQUEST['MSID']);
|
|
session_start();
|
|
if (!isset($_SESSION['user_id'])) {
|
|
if (isset($_COOKIE[session_name()])) {
|
|
self::setCookie(session_name(), '', time() - 42000, '/');
|
|
}
|
|
sugar_cleanup(false);
|
|
session_destroy();
|
|
exit('Not a valid entry method');
|
|
}
|
|
} else {
|
|
if (can_start_session()) {
|
|
session_start();
|
|
}
|
|
}
|
|
|
|
//set the default module to either Home or specified default
|
|
$default_module = !empty($GLOBALS['sugar_config']['default_module']) ? $GLOBALS['sugar_config']['default_module'] : 'Home';
|
|
|
|
//set session expired message if login module and action are set to a non login default
|
|
//AND session id in cookie is set but super global session array is empty
|
|
if (isset($_REQUEST['login_module']) && isset($_REQUEST['login_action']) && !($_REQUEST['login_module'] == $default_module && $_REQUEST['login_action'] == 'index')) {
|
|
if (!is_null($sessionIdCookie) && empty($_SESSION)) {
|
|
self::setCookie('loginErrorMessage', 'LBL_SESSION_EXPIRED', time() + 30, '/');
|
|
}
|
|
}
|
|
|
|
|
|
LogicHook::initialize()->call_custom_logic('', 'after_session_start');
|
|
}
|
|
|
|
public function endSession()
|
|
{
|
|
session_destroy();
|
|
}
|
|
|
|
/**
|
|
* Redirect to another URL
|
|
*
|
|
* @access public
|
|
* @param string $url The URL to redirect to
|
|
*/
|
|
public static function redirect(
|
|
$url
|
|
) {
|
|
/*
|
|
* If the headers have been sent, then we cannot send an additional location header
|
|
* so we will output a javascript redirect statement.
|
|
*/
|
|
|
|
if (!empty($_REQUEST['ajax_load'])) {
|
|
ob_get_clean();
|
|
$ajax_ret = array(
|
|
'content' => "<script>SUGAR.ajaxUI.loadContent('$url');</script>\n",
|
|
'menu' => array(
|
|
'module' => $_REQUEST['module'],
|
|
'label' => translate($_REQUEST['module']),
|
|
),
|
|
);
|
|
$json = getJSONobj();
|
|
echo $json->encode($ajax_ret);
|
|
} else {
|
|
if (headers_sent()) {
|
|
echo "<script>SUGAR.ajaxUI.loadContent('$url');</script>\n";
|
|
} else {
|
|
//@ob_end_clean(); // clear output buffer
|
|
session_write_close();
|
|
header('HTTP/1.1 301 Moved Permanently');
|
|
header("Location: " . $url);
|
|
}
|
|
}
|
|
if (!defined('SUITE_PHPUNIT_RUNNER')) {
|
|
exit();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* classic redirect to another URL, but check first that URL start with "Location:"...
|
|
* @param $header_URL
|
|
*/
|
|
public static function headerRedirect($header_URL)
|
|
{
|
|
if (preg_match('/\s*Location:\s*(.*)$/', $header_URL, $matches)) {
|
|
$href = $matches[1];
|
|
SugarApplication::redirect($href);
|
|
} else {
|
|
header($header_URL);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Storing messages into session
|
|
*
|
|
* @access public
|
|
* @param string $message
|
|
*/
|
|
public static function appendErrorMessage($message)
|
|
{
|
|
self::appendMessage('user_error_message', $message);
|
|
}
|
|
|
|
/**
|
|
* picking up the messages from the session and clearing session storage array
|
|
* @return array messages
|
|
*/
|
|
public static function getErrorMessages()
|
|
{
|
|
$messages = self::getMessages('user_error_message');
|
|
return $messages;
|
|
}
|
|
|
|
/**
|
|
* Storing messages into session
|
|
*
|
|
* @access public
|
|
* @param string $message
|
|
*/
|
|
public static function appendSuccessMessage($message)
|
|
{
|
|
self::appendMessage('user_success_message', $message);
|
|
}
|
|
|
|
/**
|
|
* picking up the messages from the session and clearing session storage array
|
|
* @return array messages
|
|
*/
|
|
public static function getSuccessMessages()
|
|
{
|
|
$messages = self::getMessages('user_success_message');
|
|
return $messages;
|
|
}
|
|
|
|
/**
|
|
* Storing messages into session
|
|
* @param string $message
|
|
*/
|
|
protected static function appendMessage($type, $message)
|
|
{
|
|
self::validateMessageType($type);
|
|
|
|
if (empty($_SESSION[$type]) || !is_array($_SESSION[$type])) {
|
|
$_SESSION[$type] = array();
|
|
}
|
|
if (!in_array($message, $_SESSION[$type])) {
|
|
$_SESSION[$type][] = $message;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* picking up the messages from the session and clearing session storage array
|
|
* @return array messages
|
|
*/
|
|
protected static function getMessages($type)
|
|
{
|
|
self::validateMessageType($type);
|
|
|
|
if (isset($_SESSION[$type]) && is_array($_SESSION[$type])) {
|
|
$msgs = $_SESSION[$type];
|
|
unset($_SESSION[$type]);
|
|
return $msgs;
|
|
} else {
|
|
return array();
|
|
}
|
|
}
|
|
|
|
/**
|
|
*
|
|
* @param string $type possible message types: ['user_error_message', 'user_success_message']
|
|
* @throws Exception message type should be valid
|
|
*/
|
|
protected static function validateMessageType($type)
|
|
{
|
|
if (!in_array($type, array('user_error_message', 'user_success_message'))) {
|
|
throw new Exception('Incorrect application message type: ' . $type);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Wrapper for the PHP setcookie() function, to handle cases where headers have
|
|
* already been sent
|
|
* @param $name
|
|
* @param $value
|
|
* @param int $expire
|
|
* @param null $path
|
|
* @param null $domain
|
|
* @param bool $secure
|
|
* @param bool $httponly
|
|
*/
|
|
public static function setCookie(
|
|
$name,
|
|
$value,
|
|
$expire = 0,
|
|
$path = null,
|
|
$domain = null,
|
|
$secure = false,
|
|
$httponly = true
|
|
) {
|
|
if (isSSL()) {
|
|
$secure = true;
|
|
}
|
|
if ($domain === null) {
|
|
if (isset($_SERVER["HTTP_HOST"])) {
|
|
$domain = $_SERVER["HTTP_HOST"];
|
|
} else {
|
|
$domain = 'localhost';
|
|
}
|
|
}
|
|
|
|
$defaultCookiePath = ini_get('session.cookie_path');
|
|
if ($path === null) {
|
|
if(empty($defaultCookiePath)) {
|
|
$path = '/';
|
|
} else {
|
|
$path = $defaultCookiePath;
|
|
}
|
|
}
|
|
|
|
if (!headers_sent()) {
|
|
setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);
|
|
}
|
|
|
|
$_COOKIE[$name] = $value;
|
|
}
|
|
|
|
protected $redirectVars = array('module', 'action', 'record', 'token', 'oauth_token', 'mobile');
|
|
|
|
/**
|
|
* Create string to attach to login URL with vars to preserve post-login
|
|
* @return string URL part with login vars
|
|
*/
|
|
public function createLoginVars()
|
|
{
|
|
$ret = array();
|
|
foreach ($this->redirectVars as $var) {
|
|
if (!empty($this->controller->$var)) {
|
|
$ret["login_" . $var] = $this->controller->$var;
|
|
continue;
|
|
}
|
|
if (!empty($_REQUEST[$var])) {
|
|
$ret["login_" . $var] = $_REQUEST[$var];
|
|
}
|
|
}
|
|
if (isset($_REQUEST['mobile'])) {
|
|
$ret['mobile'] = $_REQUEST['mobile'];
|
|
}
|
|
if (isset($_REQUEST['no_saml'])) {
|
|
$ret['no_saml'] = $_REQUEST['no_saml'];
|
|
}
|
|
if (empty($ret)) {
|
|
return '';
|
|
}
|
|
return "&" . http_build_query($ret);
|
|
}
|
|
|
|
/**
|
|
* Get the list of vars passed with login form
|
|
* @param bool $add_empty Add empty vars to the result?
|
|
* @return array List of vars passed with login
|
|
*/
|
|
public function getLoginVars($add_empty = true)
|
|
{
|
|
$ret = array();
|
|
foreach ($this->redirectVars as $var) {
|
|
if (!empty($_REQUEST['login_' . $var]) || $add_empty) {
|
|
$ret["login_" . $var] = isset($_REQUEST['login_' . $var]) ? $_REQUEST['login_' . $var] : '';
|
|
}
|
|
}
|
|
return $ret;
|
|
}
|
|
|
|
/**
|
|
* Get URL to redirect after the login
|
|
* @return string the URL to redirect to
|
|
*/
|
|
public function getLoginRedirect()
|
|
{
|
|
$vars = array();
|
|
foreach ($this->redirectVars as $var) {
|
|
if (!empty($_REQUEST['login_' . $var])) {
|
|
$vars[$var] = $_REQUEST['login_' . $var];
|
|
}
|
|
}
|
|
|
|
if (isset($_REQUEST['mobile'])) {
|
|
$vars['mobile'] = $_REQUEST['mobile'];
|
|
}
|
|
if (empty($vars)) {
|
|
return "index.php?module=Home&action=index";
|
|
} else {
|
|
return "index.php?" . http_build_query($vars);
|
|
}
|
|
}
|
|
}
|
