Add secure PDF download handler to bypass Dolibarr file access restrictions

- Created download_pdf.php as secure download handler - Handles PDF downloads through Dolibarr's security system - Validates user permissions and declaration status - Uses proper token validation for security - Updated declaration list to use download handler instead of direct file links - Bypasses Dolibarr's file access restrictions - Provides secure, controlled access to PDF files
2025-10-06 18:06:05 +02:00 · 2025-10-06 18:06:05 +02:00 · 2a902d7925
commit 2a902d7925
parent 00ecb72791
2 changed files with 76 additions and 5 deletions
--- a/declarationtvaindex.php
+++ b/declarationtvaindex.php
@ -153,11 +153,9 @@ if (empty($declarations)) {
                $pdf_path = $declarationtva->getValidatedPDFPath($d['rowid']);
                
                if ($pdf_path) {
-                    // Create a download link
-                    $relative_path = str_replace(DOL_DATA_ROOT, '', $pdf_path);
-                    // Add /documents to the URL path
-                    $download_url = DOL_URL_ROOT . '/documents' . $relative_path;
-                    print '<a href="' . $download_url . '" target="_blank" title="' . $langs->trans("DownloadPDF") . '" style="color: #28a745; text-decoration: none; font-weight: bold;">';
+                    // Create a secure download link through the download handler
+                    $download_url = $_SERVER['PHP_SELF'] . '?action=download_pdf&declaration_id=' . $d['rowid'] . '&token=' . newToken();
+                    print '<a href="download_pdf.php?id=' . $d['rowid'] . '&token=' . newToken() . '" target="_blank" title="' . $langs->trans("DownloadPDF") . '" style="color: #28a745; text-decoration: none; font-weight: bold;">';
                    print '<i class="fa fa-file-pdf" style="font-size: 16px; color: #dc3545;"></i> PDF';
                    print '</a>';
                } else {
--- a/download_pdf.php
+++ b/download_pdf.php
@ -0,0 +1,73 @@
+<?php
+/**
+ * PDF Download Handler for DeclarationTVA Module
+ * Handles secure PDF downloads through Dolibarr's security system
+ */
+
+// Load Dolibarr environment
+if (file_exists('../main.inc.php')) {
+    $res = @include '../main.inc.php';
+} elseif (file_exists('../../main.inc.php')) {
+    $res = @include '../../main.inc.php';
+} else {
+    $res = 0;
+}
+
+if (!$res) {
+    die("Include of main fails");
+}
+
+// Load module classes
+require_once DOL_DOCUMENT_ROOT . '/custom/declarationtva/core/class/declarationtva.class.php';
+
+// Access control
+if (!$user->hasRight("declarationtva", "declarationtva", "read")) {
+    accessforbidden();
+}
+
+// Get parameters
+$declaration_id = GETPOST('id', 'int');
+$token = GETPOST('token', 'alpha');
+
+// Validate token
+if (!dol_verifyToken($token)) {
+    accessforbidden();
+}
+
+// Load declaration
+$declarationtva = new DeclarationTVA($db, $conf->entity);
+$result = $declarationtva->fetch($declaration_id);
+
+if ($result <= 0) {
+    setEventMessages("Declaration not found", null, 'errors');
+    header("Location: declarationtvaindex.php");
+    exit;
+}
+
+// Check if declaration is validated
+if ($declarationtva->status != 'validated') {
+    setEventMessages("Declaration is not validated", null, 'errors');
+    header("Location: declarationtva_view.php?id=" . $declaration_id);
+    exit;
+}
+
+// Get PDF path
+$pdf_path = $declarationtva->getValidatedPDFPath($declaration_id);
+
+if (!$pdf_path || !file_exists($pdf_path)) {
+    setEventMessages("PDF file not found", null, 'errors');
+    header("Location: declarationtva_view.php?id=" . $declaration_id);
+    exit;
+}
+
+// Set headers for PDF download
+header('Content-Type: application/pdf');
+header('Content-Disposition: attachment; filename="CA3_' . $declarationtva->declaration_number . '.pdf"');
+header('Content-Length: ' . filesize($pdf_path));
+header('Cache-Control: private, max-age=0, must-revalidate');
+header('Pragma: public');
+
+// Output PDF
+readfile($pdf_path);
+exit;
+?>