bsiggel/espocrm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
root
2026-01-19 17:44:46 +01:00
commit 823af8b11d
8721 changed files with 1130846 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

109
application/Espo/EntryPoints/Attachment.php Normal file
View File

@@ -0,0 +1,109 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\EntryPoints;
use Espo\Core\Utils\Metadata;
use Espo\Entities\Attachment as AttachmentEntity;
use Espo\Core\Acl;
use Espo\Core\Api\Request;
use Espo\Core\Api\Response;
use Espo\Core\EntryPoint\EntryPoint;
use Espo\Core\Exceptions\BadRequest;
use Espo\Core\Exceptions\Forbidden;
use Espo\Core\Exceptions\NotFound;
use Espo\Core\FileStorage\Manager as FileStorageManager;
use Espo\Core\ORM\EntityManager;
class Attachment implements EntryPoint
{
public function __construct(
private FileStorageManager $fileStorageManager,
private EntityManager $entityManager,
private Acl $acl,
private Metadata $metadata
) {}
public function run(Request $request, Response $response): void
{
$id = $request->getQueryParam('id');
if (!$id) {
throw new BadRequest("No id.");
}
$attachment = $this->entityManager
->getRDBRepositoryByClass(AttachmentEntity::class)
->getById($id);
if (!$attachment) {
throw new NotFound("Attachment not found.");
}
if (!$this->acl->checkEntity($attachment)) {
throw new Forbidden("No access to attachment.");
}
if (!$this->fileStorageManager->exists($attachment)) {
throw new NotFound("File not found.");
}
$fileType = $attachment->getType();
if (!in_array($fileType, $this->getAllowedFileTypeList())) {
throw new Forbidden("Not allowed file type '{$fileType}'.");
}
if ($attachment->isBeingUploaded()) {
throw new Forbidden("Attachment is being-uploaded.");
}
if ($fileType) {
$response->setHeader('Content-Type', $fileType);
}
$stream = $this->fileStorageManager->getStream($attachment);
$size = $stream->getSize() ?? $this->fileStorageManager->getSize($attachment);
$response
->setHeader('Content-Length', (string) $size)
->setHeader('Cache-Control', 'private, max-age=864000, immutable')
->setHeader('Content-Security-Policy', "default-src 'self'")
->setBody($stream);
}
/**
* @return string[]
*/
private function getAllowedFileTypeList(): array
{
return $this->metadata->get(['app', 'image', 'allowedFileTypeList']) ?? [];
}
}

355
application/Espo/EntryPoints/Avatar.php Normal file
View File

@@ -0,0 +1,355 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\EntryPoints;
use Espo\Core\Exceptions\BadRequest;
use Espo\Core\Exceptions\Error;
use Espo\Core\Api\Request;
use Espo\Core\Api\Response;
use Espo\Core\Exceptions\ForbiddenSilent;
use Espo\Core\Exceptions\NotFound;
use Espo\Core\Exceptions\NotFoundSilent;
use Espo\Core\Utils\SystemUser;
use Espo\Entities\User;
use LasseRafn\InitialAvatarGenerator\InitialAvatar;
use LasseRafn\StringScript;
/**
* @noinspection PhpUnused
*/
class Avatar extends Image
{
private string $systemColor = '#a4b5bd';
private string $portalColor = '#c9a3d1';
private string $lightTextColor = '#FFF';
private string $darkTextColor = '#6e6e6e';
private int $darkThreshold = 200;
/**
* @noinspection SpellCheckingInspection
* @var string[]
*/
private array $colorList = [
'#6fa8d6', // blue
'#e3bf59', // yellow
'#d4729b', // red
'#8093BD', // gray blue
'#7cbac4', // blue in green
'#8a7cc2', // purple
'#77c9b9', // green
'#d6aa6b', // dark yellow
'#e6859d', // red
];
/**
* @noinspection SpellCheckingInspection
* The explicintly specified font prevents warnings in some environments.
*/
private string $fontFile = 'vendor/lasserafn/php-initial-avatar-generator/src/fonts/OpenSans-Semibold.ttf';
private int $maxAge = 600;
private int $staleWhileRevalidate = 864000;
private function getColor(User $user): string
{
if ($user->getUserName() === SystemUser::NAME) {
return $this->metadata->get(['app', 'avatars', 'systemColor']) ?? $this->systemColor;
}
if ($user->isPortal()) {
return $this->metadata->get(['app', 'avatars', 'portalColor']) ?? $this->portalColor;
}
if ($user->getAvatarColor()) {
return $user->getAvatarColor();
}
$hash = $user->getId();
$length = strlen($hash);
$sum = 0;
for ($i = 0; $i < $length; $i++) {
$sum += ord($hash[$i]);
}
$x = $sum % 128 + 1;
$colorList = $this->metadata->get(['app', 'avatars', 'colorList']) ?? $this->colorList;
if ($x === 128) {
$x--;
}
$index = intval($x * count($colorList) / 128);
return $colorList[$index];
}
/**
* @throws BadRequest
* @throws Error
* @throws NotFoundSilent
* @throws ForbiddenSilent
* @throws NotFound
*/
public function run(Request $request, Response $response): void
{
$userId = $request->getQueryParam('id');
$size = $request->getQueryParam('size') ?? 'small';
if (!$userId) {
throw new BadRequest();
}
$user = $this->entityManager->getRDBRepositoryByClass(User::class)->getById( $userId);
if (!$user) {
$this->renderBlank($request, $response);
return;
}
if ($user->getAvatarId()) {
if ($this->processEtagMatch($request, $response, $user->getAvatarId())) {
return;
}
$this->show(
response: $response,
id: $user->getAvatarId(),
size: $size,
disableAccessCheck: true,
noCacheHeaders: true,
);
$response->setHeader('Cache-Control', $this->composeCacheControlHeader());
$response->setHeader('Etag', $user->getAvatarId());
return;
}
$sizes = $this->getSizes()[$size];
if (empty($sizes)) {
$this->renderBlank($request, $response);
return;
}
$textColors = $this->getTextColors();
$width = $sizes[0];
$color = $this->getColor($user);
$textColor = $this->isDark($color) ? $textColors[0] : $textColors[1];
$name = $this->getName($user, $userId);
$etag = md5($color . $name);
if ($this->processEtagMatch($request, $response, $etag)) {
return;
}
$avatar = (new InitialAvatar())->name($name);
if ($user->getName() && !self::isAllowedLanguage($avatar)) {
$avatar = $avatar->name($user->getUserName() ?? $userId);
}
$image = $avatar
->width($width)
->height($width)
->color($textColor)
->fontSize(0.56)
->preferBold()
->font($this->fontFile)
->background($color)
->generate();
$response
->setHeader('Cache-Control', $this->composeCacheControlHeader())
->setHeader('Content-Type', 'image/png')
->setHeader('Etag', $etag);
$response->writeBody($image->stream('png', 100));
}
private function composeCacheControlHeader(): string
{
return "max-age=$this->maxAge, stale-while-revalidate=$this->staleWhileRevalidate";
}
/**
* @throws Error
*/
private function renderBlank(Request $request, Response $response): void
{
$etag = 'blank';
if ($this->processEtagMatch($request, $response, $etag)) {
return;
}
ob_start();
$img = imagecreatetruecolor(14, 14);
if ($img === false) {
throw new Error();
}
imagesavealpha($img, true);
$color = imagecolorallocatealpha($img, 127, 127, 127, 127);
if ($color === false) {
throw new Error();
}
imagefill($img, 0, 0, $color);
imagepng($img);
imagecolordeallocate($img, $color);
$contents = ob_get_contents();
if ($contents === false) {
throw new Error();
}
ob_end_clean();
imagedestroy($img);
$response
->setHeader('Content-Type', 'image/png')
->setHeader('Cache-Control', $this->composeCacheControlHeader())
->setHeader('Etag', $etag)
->writeBody($contents);
}
private static function isAllowedLanguage(InitialAvatar $avatar): bool
{
$initials = $avatar->getInitials();
if (StringScript::isArabic($initials)) {
return false;
}
if (StringScript::isArmenian($initials)) {
return false;
}
if (StringScript::isBengali($initials)) {
return false;
}
if (StringScript::isGeorgian($initials)) {
return false;
}
if (StringScript::isHebrew($initials)) {
return false;
}
if (StringScript::isMongolian($initials)) {
return false;
}
if (StringScript::isThai($initials)) {
return false;
}
if (StringScript::isTibetan($initials)) {
return false;
}
if (StringScript::isJapanese($initials) || StringScript::isChinese($initials)) {
return false;
}
return true;
}
private function isDark(string $color): bool
{
$hex = substr($color, 1);
$r = hexdec(substr($hex, 0, 2));
$g = hexdec(substr($hex, 2, 2));
$b = hexdec(substr($hex, 4, 2));
$value = (($r * 299) + ($g * 587) + ($b * 114)) / 1000;
return $value < $this->darkThreshold;
}
/**
* @return array{string, string}
*/
private function getTextColors(): array
{
$light = $this->metadata->get("app.avatars.lightTextColor") ?? $this->lightTextColor;
$dark = $this->metadata->get("app.avatars.darkTextColor") ?? $this->darkTextColor;
return [$light, $dark];
}
private function getName(User $user, string $userId): string
{
$name = $user->getName() ?? $user->getUserName() ?? $userId;
if ($user->getUserName() === SystemUser::NAME) {
$name = SystemUser::NAME;
}
return $name;
}
private function processEtagMatch(Request $request, Response $response, string $etag): bool
{
$matchEtag = $request->getHeader('If-None-Match');
if (!$matchEtag) {
return false;
}
if ($matchEtag === $etag) {
$response->setStatus(304);
return true;
}
return false;
}
}

88
application/Espo/EntryPoints/ChangePassword.php Normal file
View File

@@ -0,0 +1,88 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\EntryPoints;
use Espo\Core\Exceptions\BadRequest;
use Espo\Entities\PasswordChangeRequest;
use Espo\Core\Utils\Client\ActionRenderer;
use Espo\Core\EntryPoint\EntryPoint;
use Espo\Core\EntryPoint\Traits\NoAuth;
use Espo\Core\Api\Request;
use Espo\Core\Api\Response;
use Espo\ORM\EntityManager;
use Espo\Tools\UserSecurity\Password\ConfigProvider;
class ChangePassword implements EntryPoint
{
use NoAuth;
public function __construct(
private EntityManager $entityManager,
private ActionRenderer $actionRenderer,
private ConfigProvider $configProvider,
) {}
public function run(Request $request, Response $response): void
{
$requestId = $request->getQueryParam('id');
if (!$requestId) {
throw new BadRequest("No request ID.");
}
$passwordChangeRequest = $this->entityManager
->getRDBRepository(PasswordChangeRequest::ENTITY_TYPE)
->where([
'requestId' => $requestId,
])
->findOne();
$strengthParams = [
'passwordGenerateLength' => $this->configProvider->getGenerateLength(),
'passwordGenerateLetterCount' => $this->configProvider->getGenerateLetterCount(),
'generateNumberCount' => $this->configProvider->getGenerateNumberCount(),
'passwordStrengthLength' => $this->configProvider->getStrengthLength(),
'passwordStrengthLetterCount' => $this->configProvider->getStrengthLetterCount(),
'passwordStrengthNumberCount' => $this->configProvider->getStrengthNumberCount(),
'passwordStrengthBothCases' => $this->configProvider->getStrengthBothCases(),
'passwordStrengthSpecialCharacterCount' => $this->configProvider->getStrengthSpecialCharacterCount(),
];
$options = [
'id' => $requestId,
'strengthParams' => $strengthParams,
'notFound' => !$passwordChangeRequest,
];
$params = new ActionRenderer\Params('controllers/password-change-request', 'passwordChange', $options);
$this->actionRenderer->write($response, $params);
}
}

98
application/Espo/EntryPoints/ConfirmOptIn.php Normal file
View File

@@ -0,0 +1,98 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\EntryPoints;
use Espo\Tools\LeadCapture\CaptureService as Service;
use Espo\Core\Api\Request;
use Espo\Core\Api\Response;
use Espo\Core\EntryPoint\EntryPoint;
use Espo\Core\EntryPoint\Traits\NoAuth;
use Espo\Core\Exceptions\BadRequest;
use Espo\Core\Exceptions\Error;
use Espo\Core\Exceptions\NotFound;
use Espo\Core\Utils\Client\ActionRenderer;
use Espo\Tools\LeadCapture\ConfirmResult;
use LogicException;
class ConfirmOptIn implements EntryPoint
{
use NoAuth;
private Service $service;
private ActionRenderer $actionRenderer;
public function __construct(Service $service, ActionRenderer $actionRenderer)
{
$this->service = $service;
$this->actionRenderer = $actionRenderer;
}
/**
* @throws BadRequest
* @throws Error
* @throws NotFound
*/
public function run(Request $request, Response $response): void
{
$id = $request->getQueryParam('id');
if (!$id) {
throw new BadRequest("No id.");
}
$result = $this->service->confirmOptIn($id);
$action = null;
if ($result->getStatus() === ConfirmResult::STATUS_EXPIRED) {
$action = 'optInConfirmationExpired';
}
if ($result->getStatus() === ConfirmResult::STATUS_SUCCESS) {
$action = 'optInConfirmationSuccess';
}
if (!$action) {
throw new LogicException();
}
$data = [
'status' => $result->getStatus(),
'message' => $result->getMessage(),
'leadCaptureId' => $result->getLeadCaptureId(),
'leadCaptureName' => $result->getLeadCaptureName(),
];
$params = new ActionRenderer\Params('controllers/lead-capture-opt-in-confirmation', $action, $data);
$this->actionRenderer->write($response, $params);
}
}

108
application/Espo/EntryPoints/Download.php Normal file
View File

@@ -0,0 +1,108 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\EntryPoints;
use Espo\Entities\Attachment as AttachmentEntity;
use Espo\Core\Acl;
use Espo\Core\Api\Request;
use Espo\Core\Api\Response;
use Espo\Core\EntryPoint\EntryPoint;
use Espo\Core\Exceptions\BadRequest;
use Espo\Core\Exceptions\Forbidden;
use Espo\Core\Exceptions\NotFoundSilent;
use Espo\Core\FileStorage\Manager as FileStorageManager;
use Espo\Core\ORM\EntityManager;
use Espo\Core\Utils\Metadata;
class Download implements EntryPoint
{
public function __construct(
protected FileStorageManager $fileStorageManager,
protected Acl $acl,
protected EntityManager $entityManager,
private Metadata $metadata
) {}
public function run(Request $request, Response $response): void
{
$id = $request->getQueryParam('id');
if (!$id) {
throw new BadRequest("No id.");
}
/** @var ?AttachmentEntity $attachment */
$attachment = $this->entityManager->getEntityById(AttachmentEntity::ENTITY_TYPE, $id);
if (!$attachment) {
throw new NotFoundSilent("Attachment not found.");
}
if (!$this->acl->checkEntity($attachment)) {
throw new Forbidden("No access to attachment.");
}
if ($attachment->isBeingUploaded()) {
throw new Forbidden("Attachment is being uploaded.");
}
$stream = $this->fileStorageManager->getStream($attachment);
$outputFileName = str_replace("\"", "\\\"", $attachment->getName() ?? '');
$type = $attachment->getType();
$disposition = 'attachment';
/** @var string[] $inlineMimeTypeList */
$inlineMimeTypeList = $this->metadata->get(['app', 'file', 'inlineMimeTypeList']) ?? [];
if (in_array($type, $inlineMimeTypeList)) {
$disposition = 'inline';
$response->setHeader('Content-Security-Policy', "default-src 'self'");
}
$response->setHeader('Content-Description', 'File Transfer');
if ($type) {
$response->setHeader('Content-Type', $type);
}
$size = $stream->getSize() ?? $this->fileStorageManager->getSize($attachment);
$response
->setHeader('Content-Disposition', $disposition . ";filename=\"" . $outputFileName . "\"")
->setHeader('Expires', '0')
->setHeader('Cache-Control', 'must-revalidate')
->setHeader('Content-Length', (string) $size)
->setBody($stream);
}
}

456
application/Espo/EntryPoints/Image.php Normal file
View File

@@ -0,0 +1,456 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\EntryPoints;
use Espo\Repositories\Attachment as AttachmentRepository;
use Espo\Core\Acl;
use Espo\Core\Api\Request;
use Espo\Core\Api\Response;
use Espo\Core\EntryPoint\EntryPoint;
use Espo\Core\Exceptions\BadRequest;
use Espo\Core\Exceptions\Error;
use Espo\Core\Exceptions\ForbiddenSilent;
use Espo\Core\Exceptions\NotFound;
use Espo\Core\Exceptions\NotFoundSilent;
use Espo\Core\FileStorage\Manager as FileStorageManager;
use Espo\Core\ORM\EntityManager;
use Espo\Core\Utils\Config;
use Espo\Core\Utils\File\Manager as FileManager;
use Espo\Core\Utils\Metadata;
use Espo\Entities\Attachment;
use GdImage;
use RuntimeException;
use Throwable;
class Image implements EntryPoint
{
/** @var ?string[] */
protected $allowedRelatedTypeList = null;
/** @var ?string[] */
protected $allowedFieldList = null;
public function __construct(
private FileStorageManager $fileStorageManager,
private FileManager $fileManager,
protected Acl $acl,
protected EntityManager $entityManager,
protected Config $config,
protected Metadata $metadata
) {}
public function run(Request $request, Response $response): void
{
$id = $request->getQueryParam('id');
$size = $request->getQueryParam('size') ?? null;
if (!$id) {
throw new BadRequest("No id.");
}
$this->show($response, $id, $size);
}
/**
* @throws Error
* @throws NotFoundSilent
* @throws NotFound
* @throws ForbiddenSilent
*/
protected function show(
Response $response,
string $id,
?string $size,
bool $disableAccessCheck = false,
bool $noCacheHeaders = false,
): void {
$attachment = $this->entityManager->getRDBRepositoryByClass(Attachment::class)->getById($id);
if (!$attachment) {
throw new NotFoundSilent("Attachment not found.");
}
if (!$disableAccessCheck && !$this->acl->checkEntity($attachment)) {
throw new ForbiddenSilent("No access to attachment.");
}
$fileType = $attachment->getType();
if (!in_array($fileType, $this->getAllowedFileTypeList())) {
throw new ForbiddenSilent("Not allowed file type '$fileType'.");
}
if ($this->allowedRelatedTypeList) {
if (!in_array($attachment->getRelatedType(), $this->allowedRelatedTypeList)) {
throw new NotFoundSilent("Not allowed related type.");
}
}
if ($this->allowedFieldList) {
if (!in_array($attachment->getTargetField(), $this->allowedFieldList)) {
throw new NotFoundSilent("Not allowed field.");
}
}
$fileSize = 0;
$fileName = $attachment->getName();
$toResize = $size && in_array($fileType, $this->getResizableFileTypeList());
if ($toResize) {
$contents = $this->getThumbContents($attachment, $size);
if ($contents) {
$fileName = $size . '-' . $attachment->getName();
$fileSize = strlen($contents);
$response->writeBody($contents);
} else {
$toResize = false;
}
}
if (!$toResize) {
$stream = $this->fileStorageManager->getStream($attachment);
$fileSize = $stream->getSize() ?? $this->fileStorageManager->getSize($attachment);
$response->setBody($stream);
}
if ($fileType) {
$response->setHeader('Content-Type', $fileType);
}
$response
->setHeader('Content-Disposition', 'inline;filename="' . $fileName . '"')
->setHeader('Content-Length', (string) $fileSize)
->setHeader('Content-Security-Policy', "default-src 'self'");
if (!$noCacheHeaders) {
$response->setHeader('Cache-Control', 'private, max-age=864000, immutable');
}
}
/**
* @throws Error
* @throws NotFound
*/
private function getThumbContents(Attachment $attachment, string $size): ?string
{
if (!array_key_exists($size, $this->getSizes())) {
throw new Error("Bad size.");
}
$useCache = !$this->config->get('thumbImageCacheDisabled', false);
$sourceId = $attachment->getSourceId();
$cacheFilePath = "data/upload/thumbs/{$sourceId}_$size";
if ($useCache && $this->fileManager->isFile($cacheFilePath)) {
return $this->fileManager->getContents($cacheFilePath);
}
$filePath = $this->getAttachmentRepository()->getFilePath($attachment);
if (!$this->fileManager->isFile($filePath)) {
throw new NotFound("File not found.");
}
$fileType = $attachment->getType() ?? '';
$targetImage = $this->createThumbImage($filePath, $fileType, $size);
if (!$targetImage) {
return null;
}
ob_start();
switch ($fileType) {
case 'image/jpeg':
imagejpeg($targetImage);
break;
case 'image/png':
imagepng($targetImage);
break;
case 'image/gif':
imagegif($targetImage);
break;
case 'image/webp':
imagewebp($targetImage);
break;
}
$contents = ob_get_contents() ?: '';
ob_end_clean();
imagedestroy($targetImage);
if ($useCache) {
$this->fileManager->putContents($cacheFilePath, $contents);
}
return $contents;
}
/**
* @throws Error
*/
private function createThumbImage(string $filePath, string $fileType, string $size): ?GdImage
{
if (!is_array(getimagesize($filePath))) {
throw new Error();
}
[$originalWidth, $originalHeight] = getimagesize($filePath);
[$width, $height] = $this->getSizes()[$size];
if ($originalWidth <= $width && $originalHeight <= $height) {
$targetWidth = $originalWidth;
$targetHeight = $originalHeight;
} else {
if ($originalWidth > $originalHeight) {
$targetWidth = $width;
$targetHeight = (int) ($originalHeight / ($originalWidth / $width));
if ($targetHeight > $height) {
$targetHeight = $height;
$targetWidth = (int) ($originalWidth / ($originalHeight / $height));
}
} else {
$targetHeight = $height;
$targetWidth = (int) ($originalWidth / ($originalHeight / $height));
if ($targetWidth > $width) {
$targetWidth = $width;
$targetHeight = (int) ($originalHeight / ($originalWidth / $width));
}
}
}
if ($targetWidth < 1 || $targetHeight < 1) {
throw new RuntimeException("No width or height.");
}
$targetImage = imagecreatetruecolor($targetWidth, $targetHeight);
if ($targetImage === false) {
return null;
}
switch ($fileType) {
case 'image/jpeg':
$sourceImage = imagecreatefromjpeg($filePath);
if ($sourceImage === false) {
return null;
}
$this->resample(
$targetImage,
$sourceImage,
$targetWidth,
$targetHeight,
$originalWidth,
$originalHeight
);
break;
case 'image/png':
$sourceImage = imagecreatefrompng($filePath);
if ($sourceImage === false) {
return null;
}
imagealphablending($targetImage, false);
imagesavealpha($targetImage, true);
$transparent = imagecolorallocatealpha($targetImage, 255, 255, 255, 127);
if ($transparent !== false) {
imagefilledrectangle($targetImage, 0, 0, $targetWidth, $targetHeight, $transparent);
}
$this->resample(
$targetImage,
$sourceImage,
$targetWidth,
$targetHeight,
$originalWidth,
$originalHeight
);
break;
case 'image/gif':
$sourceImage = imagecreatefromgif($filePath);
if ($sourceImage === false) {
return null;
}
$this->resample(
$targetImage,
$sourceImage,
$targetWidth,
$targetHeight,
$originalWidth,
$originalHeight
);
break;
case 'image/webp':
try {
$sourceImage = imagecreatefromwebp($filePath);
} catch (Throwable) {
return null;
}
if ($sourceImage === false) {
return null;
}
$this->resample(
$targetImage,
$sourceImage,
$targetWidth,
$targetHeight,
$originalWidth,
$originalHeight
);
break;
}
if (in_array($fileType, $this->getFixOrientationFileTypeList())) {
$targetImage = $this->fixOrientation($targetImage, $filePath);
}
return $targetImage;
}
/**
* @param string $filePath
* @return ?int
*/
private function getOrientation(string $filePath)
{
if (!function_exists('exif_read_data')) {
return 0;
}
$data = exif_read_data($filePath) ?: [];
return $data['Orientation'] ?? null;
}
private function fixOrientation(GdImage $targetImage, string $filePath): GdImage
{
$orientation = $this->getOrientation($filePath);
if ($orientation) {
$angle = [0, 0, 0, 180, 0, 0, -90, 0, 90][$orientation];
$targetImage = imagerotate($targetImage, $angle, 0) ?: $targetImage;
}
return $targetImage;
}
/**
* @return string[]
*/
private function getAllowedFileTypeList(): array
{
return $this->metadata->get(['app', 'image', 'allowedFileTypeList']) ?? [];
}
/**
* @return string[]
*/
private function getResizableFileTypeList(): array
{
return $this->metadata->get(['app', 'image', 'resizableFileTypeList']) ?? [];
}
/**
* @return string[]
*/
private function getFixOrientationFileTypeList(): array
{
return $this->metadata->get(['app', 'image', 'fixOrientationFileTypeList']) ?? [];
}
/**
* @return array<string, array{int, int}>
*/
protected function getSizes(): array
{
return $this->metadata->get(['app', 'image', 'sizes']) ?? [];
}
private function getAttachmentRepository(): AttachmentRepository
{
/** @var AttachmentRepository */
return $this->entityManager->getRepository(Attachment::ENTITY_TYPE);
}
private function resample(
GdImage $targetImage,
GdImage $sourceImage,
int $targetWidth,
int $targetHeight,
int $originalWidth,
int $originalHeight
): void {
imagecopyresampled(
$targetImage,
$sourceImage,
0, 0, 0, 0,
$targetWidth, $targetHeight, $originalWidth, $originalHeight
);
}
}

85
application/Espo/EntryPoints/LeadCaptureForm.php Normal file
View File

@@ -0,0 +1,85 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\EntryPoints;
use Espo\Core\Utils\Client\Script;
use Espo\Tools\LeadCapture\FormService;
use Espo\Core\Api\Request;
use Espo\Core\Api\Response;
use Espo\Core\EntryPoint\EntryPoint;
use Espo\Core\EntryPoint\Traits\NoAuth;
use Espo\Core\Exceptions\BadRequest;
use Espo\Core\Exceptions\NotFound;
use Espo\Core\Utils\Client\ActionRenderer;
/**
* @noinspection PhpUnused
*/
class LeadCaptureForm implements EntryPoint
{
use NoAuth;
public function __construct(
private ActionRenderer $actionRenderer,
private FormService $service,
) {}
/**
* @throws BadRequest
* @throws NotFound
*/
public function run(Request $request, Response $response): void
{
$id = $request->getQueryParam('id');
if (!$id) {
throw new BadRequest("No ID.");
}
[$leadCapture, $data, $captchaScript] = $this->service->getData($id);
$params = new ActionRenderer\Params(
controller: 'controllers/lead-capture-form',
action: 'show',
data: $data,
);
$params = $params
->withFrameAncestors($leadCapture->getFormFrameAncestors())
->withPageTitle($leadCapture->getFormTitle())
->withTheme($leadCapture->getFormTheme());
if ($captchaScript) {
$params = $params->withScripts([new Script(source: $captchaScript)]);
}
$this->actionRenderer->write($response, $params);
}
}

66
application/Espo/EntryPoints/LoginAs.php Normal file
View File

@@ -0,0 +1,66 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\EntryPoints;
use Espo\Core\Exceptions\BadRequest;
use Espo\Core\EntryPoint\EntryPoint;
use Espo\Core\EntryPoint\Traits\NoAuth;
use Espo\Core\Api\Request;
use Espo\Core\Api\Response;
use Espo\Core\Utils\Client\ActionRenderer;
class LoginAs implements EntryPoint
{
use NoAuth;
public function __construct(private ActionRenderer $actionRenderer) {}
/**
* @throws BadRequest
*/
public function run(Request $request, Response $response): void
{
$anotherUser = $request->getQueryParam('anotherUser');
if (!$anotherUser) {
throw new BadRequest("No anotherUser.");
}
$this->actionRenderer->write(
$response,
ActionRenderer\Params::create('controllers/login-as', 'login')
->withData([
'anotherUser' => $anotherUser,
'username' => $request->getQueryParam('username'),
])
->withInitAuth()
);
}
}

59
application/Espo/EntryPoints/LogoImage.php Normal file
View File

@@ -0,0 +1,59 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\EntryPoints;
use Espo\Core\Api\Request;
use Espo\Core\Api\Response;
use Espo\Core\EntryPoint\Traits\NoAuth;
use Espo\Core\Exceptions\NotFound;
class LogoImage extends Image
{
use NoAuth;
protected $allowedRelatedTypeList = ['Settings', 'Portal'];
protected $allowedFieldList = ['companyLogo'];
public function run(Request $request, Response $response): void
{
$id = $request->getQueryParam('id');
$size = $request->getQueryParam('size') ?? null;
if (!$id) {
$id = $this->config->get('companyLogoId');
}
if (!$id) {
throw new NotFound("No id.");
}
$this->show($response, $id, $size);
}
}

49
application/Espo/EntryPoints/OauthCallback.php Normal file
View File

@@ -0,0 +1,49 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\EntryPoints;
use Espo\Core\Api\Request;
use Espo\Core\Api\Response;
use Espo\Core\EntryPoint\EntryPoint;
use Espo\Core\EntryPoint\Traits\NoAuth;
/**
* @noinspection PhpUnused
*/
class OauthCallback implements EntryPoint
{
use NoAuth;
public function run(Request $request, Response $response): void
{
echo "If this window is not closed automatically, it's probable that the URL you use to access ".
"EspoCRM doesn't match the URL specified at Administration > Settings > Site URL.";
}
}

91
application/Espo/EntryPoints/Pdf.php Normal file
View File

@@ -0,0 +1,91 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\EntryPoints;
use Espo\Core\Api\Request;
use Espo\Core\Api\Response;
use Espo\Core\EntryPoint\EntryPoint;
use Espo\Core\Exceptions\BadRequest;
use Espo\Core\Exceptions\NotFound;
use Espo\Core\Name\Field;
use Espo\Core\ORM\EntityManager;
use Espo\Core\Utils\Util;
use Espo\Entities\Template;
use Espo\Tools\Pdf\Service;
class Pdf implements EntryPoint
{
public function __construct(
private EntityManager $entityManager,
private Service $service,
) {}
public function run(Request $request, Response $response): void
{
$entityId = $request->getQueryParam('entityId');
$entityType = $request->getQueryParam('entityType');
$templateId = $request->getQueryParam('templateId');
if (!$entityId || !$entityType || !$templateId) {
throw new BadRequest("No entityId or entityType or templateId.");
}
$entity = $this->entityManager->getEntityById($entityType, $entityId);
/** @var ?Template $template */
$template = $this->entityManager->getEntityById(Template::ENTITY_TYPE, $templateId);
if (!$entity) {
throw new NotFound("Record not found.");
}
if (!$template) {
throw new NotFound("Template not found.");
}
$contents = $this->service->generate($entityType, $entityId, $templateId);
$fileName = Util::sanitizeFileName($entity->get(Field::NAME) ?? 'unnamed');
$fileName = $fileName . '.pdf';
$response
->setHeader('Content-Type', 'application/pdf')
->setHeader('Cache-Control', 'private, must-revalidate, post-check=0, pre-check=0, max-age=1')
->setHeader('Expires', 'Sat, 26 Jul 1997 05:00:00 GMT')
->setHeader('Last-Modified', gmdate('D, d M Y H:i:s') . ' GMT')
->setHeader('Content-Disposition', 'inline; filename="' . basename($fileName) . '"');
if (!$request->getServerParam('HTTP_ACCEPT_ENCODING')) {
$response->setHeader('Content-Length', (string) $contents->getStream()->getSize());
}
$response->writeBody($contents->getStream());
}
}