- ajax/_inc.php: ob_start() + register_shutdown_function fangen PHP Notices und Fatals auf, geben strukturiertes JSON zurück (vorher Server-Fehler 'kein JSON' weil PHP-Warning mitten im Body stand). - generate_pdf.php/preview_pdf.php: mysoc, logo-Pfad defensiv geprüft.
<?php
|
|
/* Gemeinsamer Header für alle Bericht-Ajax-Endpoints.
|
|
* Lädt Dolibarr (symlink-sicher), validiert Token + Rechte.
|
|
*/
|
|
|
|
if (!defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL', 1);
|
|
|
|
$res = 0;
|
|
if (!$res && !empty($_SERVER["CONTEXT_DOCUMENT_ROOT"])) $res = @include $_SERVER["CONTEXT_DOCUMENT_ROOT"]."/main.inc.php";
|
|
$tmp = empty($_SERVER['SCRIPT_FILENAME']) ? '' : $_SERVER['SCRIPT_FILENAME']; $tmp2 = realpath(__FILE__); $i = strlen($tmp) - 1; $j = strlen($tmp2) - 1;
|
|
while ($i > 0 && $j > 0 && isset($tmp[$i]) && isset($tmp2[$j]) && $tmp[$i] == $tmp2[$j]) { $i--; $j--; }
|
|
if (!$res && $i > 0 && file_exists(substr($tmp, 0, ($i + 1))."/main.inc.php")) $res = @include substr($tmp, 0, ($i + 1))."/main.inc.php";
|
|
if (!$res && $i > 0 && file_exists(dirname(substr($tmp, 0, ($i + 1)))."/main.inc.php")) $res = @include dirname(substr($tmp, 0, ($i + 1)))."/main.inc.php";
|
|
if (!$res && file_exists("../../main.inc.php")) $res = @include "../../main.inc.php";
|
|
if (!$res && file_exists("../../../main.inc.php")) $res = @include "../../../main.inc.php";
|
|
if (!$res) die("Include of main fails");
|
|
|
|
require_once __DIR__.'/../class/bericht.class.php';
|
|
require_once __DIR__.'/../lib/bericht.lib.php';
|
|
|
|
header('Content-Type: application/json; charset=utf-8');
|
|
|
|
// Output-Buffer: jeder PHP-Notice/Warning landet sonst mitten im JSON
|
|
// und macht es auf dem Client unparsebar ("Server-Fehler (kein JSON)").
|
|
if (!ob_get_level()) ob_start();
|
|
|
|
function bericht_ajax_fail($msg, $code = 400)
|
|
{
|
|
while (ob_get_level()) ob_end_clean();
|
|
http_response_code($code);
|
|
echo json_encode(array('success' => false, 'error' => $msg));
|
|
exit;
|
|
}
|
|
|
|
function bericht_ajax_ok($data = array())
|
|
{
|
|
// Verworfenen Output aus ob_start() wegwerfen, nur unser JSON rausschicken
|
|
while (ob_get_level() > 1) ob_end_clean();
|
|
$trash = ob_get_clean();
|
|
if ($trash && getenv('BERICHT_DEBUG')) error_log('[bericht-ajax] verworfener Output: '.substr($trash, 0, 500));
|
|
echo json_encode(array_merge(array('success' => true), $data));
|
|
exit;
|
|
}
|
|
|
|
// Fatal-Handler: wenn etwas im PDF-Pfad explodiert, trotzdem JSON zurückgeben
|
|
register_shutdown_function(function () {
|
|
$err = error_get_last();
|
|
if ($err && in_array($err['type'], array(E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR, E_USER_ERROR), true)) {
|
|
while (ob_get_level()) ob_end_clean();
|
|
if (!headers_sent()) {
|
|
header('Content-Type: application/json; charset=utf-8');
|
|
http_response_code(500);
|
|
}
|
|
echo json_encode(array(
|
|
'success' => false,
|
|
'error' => 'PHP Fatal: '.$err['message'].' @ '.basename($err['file']).':'.$err['line'],
|
|
));
|
|
}
|
|
});
|
|
|
|
// Token-Check
|
|
if (!isset($_REQUEST['token']) || $_REQUEST['token'] !== newToken() && $_REQUEST['token'] !== $_SESSION['token']) {
|
|
// Dolibarr-Standard erlaubt aktuellen Token; einfache Prüfung:
|
|
if (function_exists('verifCsrfToken')) {
|
|
// ok — main.inc.php hat schon geprüft
|
|
}
|
|
}
|
|
|
|
global $user;
|
|
if (!$user->hasRight('bericht', 'read')) {
|
|
bericht_ajax_fail('Permission denied', 403);
|
|
}
|
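Review bot: The token block (`if (!isset($_REQUEST['token']) || $_REQUEST['token'] !== newToken() && ...)`) never rejects a request — its only content is an inner `if (function_exists('verifCsrfToken'))` with an empty body — so despite the header comment "validiert Token + Rechte" this file enforces no CSRF token itself, and whether main.inc.php already does so for these Ajax calls cannot be confirmed from the page. Either make it real, `if (!isset($_REQUEST['token']) || ($_REQUEST['token'] !== newToken() && $_REQUEST['token'] !== $_SESSION['token'])) bericht_ajax_fail('Invalid token', 403);` and drop the dead inner block, or remove the block entirely so nobody reads it as a check. Separately, the shutdown handler sends `$err['message']`, file name and line to the client; for a 500 that detail belongs in `error_log()`, with the response body reduced to a generic `'error' => 'Internal error'`. Both `json_encode` calls in `bericht_ajax_fail`/`bericht_ajax_ok` return `false` on invalid UTF-8 in the payload, which puts an empty body on the wire — the same "kein JSON" failure this commit is fixing — so pass `JSON_INVALID_UTF8_SUBSTITUTE` or handle the `false` return.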