From c723d19e01156aa657b44ee2ddf462bc8cd28593 Mon Sep 17 00:00:00 2001
From: Eric
Date: Mon, 17 Jun 2019 15:47:37 +0200
Subject: [PATCH] =?UTF-8?q?N=C2=B02323=20-=20Fix=20calls=20to=20ajax=20end?=
 =?UTF-8?q?points?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 pages/ajax.document.php | 2 +-
 pages/ajax.render.php | 17 +++++++++++++++--
 2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/pages/ajax.document.php b/pages/ajax.document.php
index b73715bb2..df9cd2225 100644
--- a/pages/ajax.document.php
+++ b/pages/ajax.document.php
@@ -54,7 +54,7 @@ try
 {
 case 'download_document':
 // Fixing security hole from bug N°1227, disabling by default attachment from legacy portal.
- $sRequestedPortalId = ((MetaModel::GetConfig()->Get('disable_attachments_download_legacy_portal') === true) && ($sClass === 'Attachment')) ? 'backoffice' : null;
+ $sRequestedPortalId = (MetaModel::GetConfig()->Get('disable_attachments_download_legacy_portal') === true) ? 'backoffice' : null;
 LoginWebPage::DoLoginEx($sRequestedPortalId, false);
 $id = utils::ReadParam('id', '');
 $sField = utils::ReadParam('field', '');
diff --git a/pages/ajax.render.php b/pages/ajax.render.php
index f57b3cee7..ae00a26c0 100644
--- a/pages/ajax.render.php
+++ b/pages/ajax.render.php
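Review bot: The comment kept above the changed line still describes the restriction as an attachment-only measure, but with the `$sClass === 'Attachment'` test dropped the `backoffice` requirement now applies to every `download_document` request whenever `disable_attachments_download_legacy_portal` is set; update it to `// Fixing security hole from bug N°1227: when disable_attachments_download_legacy_portal is set, every document download (not only Attachment) requires a backoffice session.` The strict `=== true` also means that if the setting ever reaches this code as `1` or `'true'` rather than a boolean, the check silently falls back to `null` and the legacy portal keeps download access — worth confirming that the config layer guarantees a boolean here, or normalising the value before comparing. The same expression is duplicated in the ajax.render.php hunk below; a single helper returning the required portal id for a given operation would keep the two endpoints from drifting apart. The enclosing `switch` and `try` start outside the hunk.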
@@ -51,13 +51,26 @@ try
 require_once(APPROOT.'/application/user.preferences.class.inc.php');
 require_once(APPROOT.'/application/loginwebpage.class.inc.php');
- LoginWebPage::DoLoginEx(null /* any portal */, false);
+ $operation = utils::ReadParam('operation', '');
+
+ // Only allow export functions to portal users
+ switch ($operation)
+ {
+ case 'export_build':
+ case 'export_cancel':
+ case 'export_download':
+ $sRequestedPortalId = null;
+ break;
+
+ default:
+ $sRequestedPortalId = (MetaModel::GetConfig()->Get('disable_attachments_download_legacy_portal') === true) ? 'backoffice' : null;
+ }
+ LoginWebPage::DoLoginEx($sRequestedPortalId, false);
 $oPage = new ajax_page("");
 $oPage->no_cache();
- $operation = utils::ReadParam('operation', '');
 $sFilter = utils::ReadParam('filter', '', false, 'raw_data');
 $sEncoding = utils::ReadParam('encoding', 'serialize');
 $sClass = utils::ReadParam('class', 'MissingAjaxParam', false, 'class');