N°1852 Fix loss of inline images and attachments when user has been logged off

Molkobain
2018-12-13 11:35:00 +01:00
parent 5a1b6e43c9
commit daafa9123c
8 changed files with 47 additions and 16 deletions


@@ -2485,7 +2485,7 @@ EOF
$sJsonFieldsMap = json_encode($aFieldsMap);
$sState = $this->GetState();
$sSessionStorageKey = $sClass.'_'.$iKey;
$sTempId = session_id().'_'.$iTransactionId;
$sTempId = utils::GetUploadTempId($iTransactionId);
$oPage->add_ready_script(InlineImage::EnableCKEditorImageUpload($this, $sTempId));
$oPage->add_script(
@@ -2784,7 +2784,7 @@ EOF
}
// Note: This part (inline images activation) is duplicated in self::DisplayModifyForm and several other places. Maybe it should be refactored so it automatically activates when an HTML field is present, or be an option of the attribute. See bug n°1240.
$sTempId = session_id().'_'.$iTransactionId;
$sTempId = utils::GetUploadTempId($iTransactionId);
$oPage->add_ready_script(InlineImage::EnableCKEditorImageUpload($this, $sTempId));
}


@@ -119,7 +119,7 @@ class privUITransactionSession
// Strictly speaking, the two lines below should be grouped together
// by a critical section
// sem_acquire($rSemIdentified);
$id = str_replace(array('.', ' '), '', microtime()); //1 + count($_SESSION['transactions']);
$id = static::GetUserPrefix() . str_replace(array('.', ' '), '', microtime()); //1 + count($_SESSION['transactions']);
$_SESSION['transactions'][$id] = true;
// sem_release($rSemIdentified);
@@ -174,6 +174,17 @@ class privUITransactionSession
// sem_release($rSemIdentified);
}
}
/**
* Returns a string to prefix transaction ID with info from the current user.
*
* @return string
*/
protected static function GetUserPrefix()
{
$sPrefix = 'u'.UserRights::GetUserId();
return $sPrefix.'-';
}
}
/**
@@ -206,7 +217,7 @@ class privUITransactionFile
throw new Exception('The directory "'.APPROOT.'data/transactions" must be writable to the application.');
}
self::CleanupOldTransactions();
$id = basename(tempnam(APPROOT.'data/transactions', self::GetUserPrefix()));
$id = basename(tempnam(APPROOT.'data/transactions', static::GetUserPrefix()));
self::Info('GetNewTransactionId: Created transaction: '.$id);
return (string)$id;
@@ -310,6 +321,11 @@ class privUITransactionFile
return $aResult;
}
/**
* Returns a prefix based on the user login instead of its ID for a better usage in tempnam()
*
* @inheritdoc
*/
protected static function GetUserPrefix()
{
$sPrefix = substr(UserRights::GetUser(), 0, 10);
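Review bot: The id built in privUITransactionSession, `static::GetUserPrefix() . str_replace(array('.', ' '), '', microtime())`, contains only the user id and the digits of microtime(), so nothing in it is secret. Since this commit also stops prepending session_id() in utils::GetUploadTempId, that value becomes the whole upload temp id whenever the session-backed store is in use. The surrounding comment already says the generation and the `$_SESSION` write are not in a critical section, and uniqueness now has to hold across all sessions of the same user rather than within one. I would append a random component, for example `$id = static::GetUserPrefix().str_replace(array('.', ' '), '', microtime()).bin2hex(random_bytes(4));`, if the minimum supported PHP version provides random_bytes() and the stored temp_id has room for it. The enclosing method begins and ends outside the hunk.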


@@ -527,7 +527,7 @@ class utils
/**
* Returns a unique tmp id for the current upload based on the transaction system (db).
*
* Build as session_id() . '_' . static::GetNewTransactionId()
* Build as static::GetNewTransactionId()
*
* @return string
*/
@@ -537,7 +537,7 @@ class utils
{
$sTransactionId = static::GetNewTransactionId();
}
return session_id() . '_' . $sTransactionId;
return $sTransactionId;
}
public static function ReadFromFile($sFileName)
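Review bot: With `return $sTransactionId;` the upload temp id is no longer tied to session_id(), so a transaction id supplied by a caller is returned unchanged and becomes the only key for pending uploads. The cancel handler in the ajax hunk reads `transaction_id` from the request through utils::ReadParam and passes the result straight to InlineImage::OnFormCancel, and the attachment and ObjectFormManager hunks select Attachment rows by the same value. Whether any of these first confirms that the transaction belongs to the current user is not visible on this page. I would add that ownership check before a supplied id is used, here or in the transaction classes, and state the contract in the docblock, for example `* @param string|null $sTransactionId Returned unchanged when supplied; not bound to the session, so the caller must ensure it belongs to the current user`. The function signature is outside this hunk, so the parameter type shown is an assumption.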


@@ -416,9 +416,11 @@ EOF
* Get the fragment of javascript needed to complete the initialization of
* CKEditor when creating/modifying an object
*
* @param DBObject $oObject The object being edited
* @param string $sTempId The concatenation of session_id().'_'.$iTransactionId.
* @param \DBObject $oObject The object being edited
* @param string $sTempId Generated through utils::GetUploadTempId($iTransactionId)
*
* @return string The JS fragment to insert in "on document ready"
* @throws \Exception
*/
public static function EnableCKEditorImageUpload(DBObject $oObject, $sTempId)
{


@@ -197,7 +197,20 @@ class AttachmentPlugIn implements iApplicationUIExtension, iApplicationObjectExt
$this->m_bDeleteEnabled = $bEnabled;
}
public function DisplayAttachments($oObject, WebPage $oPage, $bEditMode = false)
/**
* @param \DBObject $oObject
* @param \WebPage $oPage
* @param bool $bEditMode
*
* @throws \CoreCannotSaveObjectException
* @throws \CoreException
* @throws \CoreUnexpectedValue
* @throws \MissingQueryArgument
* @throws \MySQLException
* @throws \MySQLHasGoneAwayException
* @throws \OQLException
*/
public function DisplayAttachments(DBObject $oObject, WebPage $oPage, $bEditMode = false)
{
// Exit here if the class is not allowed
if (!$this->IsTargetObject($oObject)) return;
@@ -206,7 +219,7 @@ class AttachmentPlugIn implements iApplicationUIExtension, iApplicationObjectExt
$oSet = new DBObjectSet($oSearch, array(), array('class' => get_class($oObject), 'item_id' => $oObject->GetKey()));
$iTransactionId = $oPage->GetTransactionId();
$sTempId = session_id().'_'.$iTransactionId;
$sTempId = utils::GetUploadTempId($iTransactionId);
$oSearchTemp = DBObjectSearch::FromOQL("SELECT Attachment WHERE temp_id = :temp_id");
$oSetTemp = new DBObjectSet($oSearchTemp, array(), array('temp_id' => $sTempId));
@@ -494,7 +507,7 @@ EOF
}
// Attach new (temporary) attachments
$sTempId = session_id().'_'.$sTransactionId;
$sTempId = utils::GetUploadTempId($sTransactionId);
// The object is being created from a form, check if there are pending attachments
// for this object, but deleting the "new" ones that were already removed from the form
$sOQL = 'SELECT Attachment WHERE temp_id = :temp_id';
@@ -535,7 +548,7 @@ EOF
$oSearch = DBObjectSearch::FromOQL("SELECT Attachment WHERE item_class = :class AND item_id = :item_id");
$oSet = new DBObjectSet($oSearch, array(), array('class' => get_class($oObject), 'item_id' => $oObject->GetKey()));
// Attach new (temporary) attachments
$sTempId = session_id().'_'.$sTransactionId;
$sTempId = utils::GetUploadTempId($sTransactionId);
while ($oAttachment = $oSet->Fetch())
{
$oTempAttachment = clone $oAttachment;


@@ -1224,7 +1224,7 @@ class ObjectFormManager extends FormManager
}
// Processing temporary attachments
$sTempId = session_id() . '_' . $this->oForm->GetTransactionId();
$sTempId = utils::GetUploadTempId($this->oForm->GetTransactionId());
$sOQL = 'SELECT Attachment WHERE temp_id = :temp_id';
$oSearch = DBObjectSearch::FromOQL($sOQL);
$oSet = new DBObjectSet($oSearch, array(), array('temp_id' => $sTempId));
@@ -1254,7 +1254,7 @@ class ObjectFormManager extends FormManager
protected function CancelAttachments()
{
// Processing temporary attachments
$sTempId = session_id() . '_' . $this->oForm->GetTransactionId();
$sTempId = utils::GetUploadTempId($this->oForm->GetTransactionId());
$sOQL = 'SELECT Attachment WHERE temp_id = :temp_id';
$oSearch = DBObjectSearch::FromOQL($sOQL);
$oSet = new DBObjectSet($oSearch, array(), array('temp_id' => $sTempId));


@@ -904,7 +904,7 @@ try
// Called when a creation/modification form is cancelled by the end-user
// Let's take this opportunity to inform the plug-ins so that they can perform some cleanup
$iTransactionId = utils::ReadParam('transaction_id', 0, false, 'transaction_id');
$sTempId = session_id().'_'.$iTransactionId;
$sTempId = utils::GetUploadTempId($iTransactionId);
InlineImage::OnFormCancel($sTempId);
foreach(MetaModel::EnumPlugins('iApplicationUIExtension') as $oExtensionInstance)
{


@@ -50,7 +50,7 @@ class BsFileUploadFieldRenderer extends FieldRenderer
$sObjectClass = get_class($this->oField->GetObject());
$sIsDeleteAllowed = ($this->oField->GetAllowDelete() && !$this->oField->GetReadOnly()) ? 'true' : 'false';
$sDeleteBtn = Dict::S('Portal:Button:Delete');
$sTempId = session_id() . '_' . $this->oField->GetTransactionId();
$sTempId = utils::GetUploadTempId($this->oField->GetTransactionId());
$sUploadDropZoneLabel = Dict::S('Portal:Attachments:DropZone:Message');
// Starting field container