From c0aa1a033c869200b455f96a12b473be5619af23 Mon Sep 17 00:00:00 2001
From: "vincent@cubedesigners.com"
Date: Fri, 25 Feb 2022 17:42:58 +0000
Subject: [PATCH] wait #5126 @3
---
 .htaccess | 15 ++----
 inc/commons/class.common.core.php | 13 +++++
 inc/commons/class.common.url.php | 2 +-
 inc/ws/Controlleur/class.ws.url.php | 75 +++++++++++++++++++++++++++++
 4 files changed, 93 insertions(+), 12 deletions(-)
diff --git a/.htaccess b/.htaccess
index ecf24c6f8..d19722c7a 100644
--- a/.htaccess
+++ b/.htaccess
@@ -55,11 +55,6 @@ AddCharset UTF-8 log
 RewriteRule ^download - [L]
- # Docs
- RewriteCond %{REQUEST_FILENAME} !-d
- RewriteCond %{REQUEST_FILENAME} !-f
- RewriteRule ^fluidbook/docs/(.*)$ /fluidbook/docs1/$1 [L]
-
 # Favicon
 RewriteCond %{HTTP_HOST} cubedesigners
 RewriteRule ^favicon.ico$ images/extranet/favicon.ico [L]
@@ -69,17 +64,15 @@ AddCharset UTF-8 log
 RewriteRule ^index.php/(.*)$ - [L]
- RewriteRule ^voir_book/(.*)$ viewer1/$1 [L,R=301]
+ RewriteRule ^viewerh/([0-9a-f\-]+)_([0-9a-fA-F]+)_([0-9]+)/(.+)$ index.php/relayfb/$1/$2/$4 [L]
+ RewriteRule ^viewers/([0-9a-f\-]+)_([0-9a-fA-F]+)_([0-9]+)/(.+)$ index.php/relayfb/$1/$2/$4 [L]
+
+ RewriteRule ^(fluidbook/.*)$ index.php/relay/$1 [L]
 RewriteRule ^ajax/supprimeFichier/([0-9]+)/(.*)$ index.php/ajax/supprimeFichier/$1/$2 [L]
 RewriteRule ^telecharger/([0-9a-fA-F]+)/([0-9]+)/(.*)$ index.php/telecharger/$1/$2/$3 [L]
 RewriteRule ^telechargerr/([0-9a-fA-F]+)/([0-9]+)/(.*)$ index.php/telechargerr/$1/$2/$3 [L]
- RewriteRule ^viewerh/([0-9a-f\-]+)_([0-9a-fA-F]+)_([0-9]+)/(.+)$ fluidbook/books/html5/$1/$4 [L]
- RewriteRule ^viewers/([0-9a-f\-]+)_([0-9a-fA-F]+)_([0-9]+)/(.+)$ fluidbook/books/html5/$1/$4 [L]
-
- RewriteRule ^fluidbook - [L]
-
 # Ignore static files or directories
 RewriteCond %{REQUEST_FILENAME} -s [OR]
 RewriteCond %{REQUEST_FILENAME} -l [OR]
diff --git a/inc/commons/class.common.core.php b/inc/commons/class.common.core.php
index 12ed7f190..b3d6fe26c 100644
--- a/inc/commons/class.common.core.php
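Review bot: The new `^(fluidbook/.*)$` → `index.php/relay/$1` rule in the second hunk routes every file under fluidbook through PHP, which then answers only with an `X-Sendfile` header; that header is honoured solely when mod_xsendfile is enabled and its `XSendFilePath` allow-list covers the fluidbook directory, otherwise the client receives the `Content-Length` header with an empty body and nothing is logged. Nothing in this patch adds that directive, so it must already exist in the server or vhost configuration — worth confirming, because a missing entry fails silently rather than loudly. A comment above the rule would spare the next reader a detour through the controller: `# All fluidbook/* requests are authorised in PHP (wsUrl::relay) and delivered back through X-Sendfile`.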
+++ b/inc/commons/class.common.core.php
@@ -4,6 +4,9 @@ class commonCore extends cubeCore
 {
 public $grades;
+ /**
+ * @var commonUtilisateur
+ */
 public $user;
 public $agences;
 public $categories;
@@ -74,26 +77,34 @@ class commonCore extends cubeCore
 // Si c'est le cas, on les copie dans la session
 $_SESSION['errorLogin'] = false;
 if (isset($_REQUEST['user_email'])) {
+ $_SESSION['u'] = null;
 $_SESSION['user_email'] = $_REQUEST['user_email'];
 }
 if (isset($_REQUEST['user_password']) || isset($_REQUEST['api_token'])) {
+ $_SESSION['u'] = null;
 $_SESSION['user_password'] = $_REQUEST['user_password'] ?? $_REQUEST['api_token'];
 }
 // Maintenant on vérifie si ces variables sont présentes dans la session
 if (!isset($_SESSION['user_email']) || !isset($_SESSION['user_password']) || empty($_SESSION['user_email']) || empty($_SESSION['user_password'])) {
 // Ce n'est pas le cas, on place la variable connected à false
 // Et on s'arrête là
+ $_SESSION['u'] = null;
 $this->user = null;
 return;
 }
+ if (isset($_SESSION['u']) && $_SESSION['u']) {
+ $this->user = unserialize($_SESSION['u']);
+ return;
+ }
 // Les variables sont présentes on vérifie la validité des informations
 // Dans la base de données
 // Utilisateur connecté à l'interface
 $dao = new commonDAOUtilisateur($this->con);
 $this->user = $dao->selectByLoginPassword($_SESSION['user_email'], $_SESSION['user_password']);
 if ($this->user == false) {
+ $_SESSION['u'] = null;
 $_SESSION['errorLogin'] = true;
 return;
 }
@@ -101,6 +112,8 @@ class commonCore extends cubeCore
 $daoClient = new commonDAOClient($this->con);
 $this->user->collegues = $daoClient->getColleguesList($this->user->utilisateur_id);
 }
+ $_SESSION['u'] = serialize($this->user);
+
 }
 /**
diff --git a/inc/commons/class.common.url.php b/inc/commons/class.common.url.php
index 297c8ad8b..5bcd92ff7 100644
--- a/inc/commons/class.common.url.php
+++ b/inc/commons/class.common.url.php
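Review bot: The `$_SESSION['u']` cache introduced in the -74 hunk replaces the per-request `selectByLoginPassword` lookup for the rest of the session, so a password change, account deactivation or rights change in the database is not seen until the session is destroyed — the cache is only reset here when fresh credentials arrive in `$_REQUEST`, and the -101 hunk freezes the `collegues` list the same way. Store a timestamp next to it and fall through to the DAO lookup once it is older than a bounded interval, and clear `$_SESSION['u']` wherever the user record is modified (logout, password reset, admin edits). The restore should also pin the class instead of accepting any serialized object: `$this->user = unserialize($_SESSION['u'], ['allowed_classes' => [commonUtilisateur::class]]);` — the -4 hunk documents that as the property type; add whatever classes `collegues` holds if they are objects. The enclosing method starts before the hunk.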
@@ -10,7 +10,7 @@ class commonUrl
 // Si l'utilisateur n'est pas connecté, on affiche le formulaire
 // de login
- $bypass = array('stats', 'telecharger', 'telechargerr', 'orpiref', 'resetPassword');
+ $bypass = array('stats', 'telecharger', 'telechargerr', 'orpiref', 'resetPassword','relay','relayfb');
 if ((!isset($args[0]) || !in_array($args[0], $bypass)) && (is_null($core->user) || !$core->user)) {
 $args = array('login');
diff --git a/inc/ws/Controlleur/class.ws.url.php b/inc/ws/Controlleur/class.ws.url.php
index 5fe615c5d..b069676d0 100644
--- a/inc/ws/Controlleur/class.ws.url.php
+++ b/inc/ws/Controlleur/class.ws.url.php
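Review bot: Adding `relay` and `relayfb` to `$bypass` means the login gate no longer protects those paths, so every access decision for fluidbook files now rests on wsUrl alone — `_relay` checks `$core->user` and `_checkRightsFBFile` only when `$ok === 'auto'`, and `relayfb` relies on the book hash. That dependency should be recorded next to the list so a later change to those controllers is made with the gate in mind: `// relay/relayfb are not gated here: wsUrl::_relay / relayfb enforce access themselves`. The enclosing method starts before the hunk.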
@@ -2035,4 +2035,79 @@ html,body{height:100%;cursor: wait;font-family: "Open Sans", Arial;background-co
 wsMaintenance::exportPublicationSettings($books, $title);
 }
+
+ public static function relay($args, $ok = 'auto')
+ {
+ global $core;
+
+ array_shift($args);
+ $file = ROOT . '/' . implode('/', $args);
+
+ self::_relay($file, $ok);
+ }
+
+ protected function _relay($file, $ok = 'auto')
+ {
+ global $core;
+
+ ob_end_clean();
+
+ if ($ok === 'auto') {
+ $ok = true;
+ if (null === $core->user) {
+ $ok = false;
+ } else {
+ if (!self::_checkRightsFBFile($file)) {
+ $ok = false;
+ }
+ }
+ if (!$ok) {
+ header('HTTP/1.0 403 Forbidden');
+ exit;
+ }
+ }
+ if (!file_exists($file)) {
+ header('HTTP/1.0 404 Not Found');
+ exit;
+ }
+ header('Content-Length: ' . filesize($file));
+ header('Content-Type: ' . files::getMimeType($file));
+ header('X-Sendfile: ' . $file);
+ }
+
+
+ public static function _checkRightsFBFile($file)
+ {
+ global $core;
+ if (wsDroits::admin()) {
+ return true;
+ }
+ $e = explode('/', str_replace(ROOT . '/', '', $file));
+ if ($e[0] === 'books') {
+ return wsDroits::hasRightsOnBook($e[2]);
+ } else if ($e[0] === 'docs') {
+ $r = $core->con->select('SELECT book_id FROM book_pages WHERE document_id=' . $e[1]);
+ while ($r->fetch()) {
+ return wsDroits::hasRightsOnBook($r->book_id);
+ }
+ }
+ return true;
+ }
+
+ public function relayfb($args)
+ {
+ global $core;
+ array_shift($args);
+ $fb = array_shift($args);
+ $hash = array_shift($args);
+ $file = ROOT . '/fluidbook/books/html5/' . $fb . '/' . implode('/', $args);
+
+ $dao = new wsDAOBook($core->con);
+ $book = $dao->selectById($fb, true);
+ if ($book->hash !== $hash && $hash !== 'bcf26f9cf4a795ec00b9a44f42750d58') {
+ header('HTTP/1.0 403 Forbidden');
+ exit;
+ }
+ return self::_relay($file, true);
+ }
 }
\ No newline at end of file
-- 
2.39.5
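Review bot: `_checkRightsFBFile` never reaches its `books`/`docs` branches for the paths `relay()` builds, because `$file` is `ROOT . '/fluidbook/...'` (the .htaccess rule captures `fluidbook/.*`) and after stripping `ROOT . '/'` the first segment is `fluidbook`, so the function falls through to the trailing `return true` and any logged-in user can read any file under the tree — unless ROOT itself ends in `/fluidbook`, which nothing on the page shows. The `docs` branch also splices the URL-derived `$e[1]` straight into `SELECT book_id FROM book_pages WHERE document_id=`, the `implode('/', $args)` path is never canonicalised against ROOT, and both the unknown-prefix case and the no-row case default to allowed; the rewrite below casts the id, resolves the path with `realpath()` and fails closed. Separately, `_relay` is a non-static method invoked as `self::_relay(...)` from the static `relay()`, which is a fatal error on PHP 8 — declare it `protected static function _relay($file, $ok = 'auto')`. In `relayfb`, guard `$book === null` before reading `->hash`, compare with `hash_equals((string) $book->hash, (string) $hash)`, and move the fixed fallback hash literal out of source into configuration. The enclosing class starts before the hunk.
```php
    public static function _checkRightsFBFile($file)
    {
        global $core;
        if (wsDroits::admin()) {
            return true;
        }
        // Resolve symlinks and ".." and refuse anything outside the fluidbook tree (fail closed).
        $base = realpath(ROOT . '/fluidbook');
        $real = realpath($file);
        if ($base === false || $real === false || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
            return false;
        }
        // Segments relative to ROOT/fluidbook, e.g. books/html5/<book_id>/... or docs/<document_id>/...
        // TODO(review): confirm this layout against the on-disk tree; relayfb implies the books part.
        $e = explode('/', substr($real, strlen($base) + 1));
        if ($e[0] === 'books') {
            return isset($e[2]) && wsDroits::hasRightsOnBook($e[2]);
        }
        if ($e[0] === 'docs') {
            // document_id comes from the URL: cast it instead of splicing the raw segment into SQL.
            $documentId = (int) ($e[1] ?? 0);
            $r = $core->con->select('SELECT book_id FROM book_pages WHERE document_id=' . $documentId);
            if ($r->fetch()) {
                return wsDroits::hasRightsOnBook($r->book_id);
            }
        }
        // Unknown location or no owning book: deny rather than default to allowed.
        return false;
    }
```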