* Api: Customfield selectboxes can read options from a PHP file in the VFS using @[path] ex: @/home/Default/selects.php

2024-11-07 16:44:20 +01:00 · 2023-06-29 13:36:28 -06:00 · 2023-06-29 13:36:28 -06:00 · 3cfdca0ae9
commit 3cfdca0ae9
parent 85cc2a33cd
3 changed files with 7 additions and 11 deletions
--- a/admin/lang/egw_en.lang
+++ b/admin/lang/egw_en.lang
@ -351,7 +351,7 @@ document root (default)	admin	en	Document root (default)
 domainname	admin	en	Domain name
 down	admin	en	Down
 download csv	admin	en	Download CSV
-each value is a line like id[=label], or use @path to read options from a file in egroupware directory	admin	en	each value is a line like id[=label], or use @path to read options from a file in EGroupware directory
+each value is a line like id[=label], or use @path to read options from a file in egroupware directory	admin	en	each value is a line like id[=label], or use @path to read options from a file in the VFS
 each value is a line like label=[javascript]	admin	en	each value is a line like label=[javascript]
 edit account	admin	en	Edit account
 edit application	admin	en	Edit application
--- a/api/js/etemplate/et2_extension_nextmatch.ts
+++ b/api/js/etemplate/et2_extension_nextmatch.ts
@ -4194,8 +4194,7 @@ export class et2_nextmatch_customfields extends et2_customfields_list implements
 					field.type == 'select-account' ? 'et2-nextmatch-header-account' : "et2-nextmatch-header-filter",
 					{
 						id: cf_id,
-						empty_label: field.label,
-						select_options: field.values
+						empty_label: field.label
 					},
 					this
 				);
--- a/api/src/Storage/Customfields.php
+++ b/api/src/Storage/Customfields.php
@ -272,9 +272,7 @@ class Customfields implements \IteratorAggregate
 	/**
 	 * Read the options of a 'select' or 'radio' custom field from a file
 	 *
-	 * For security reasons that file has to be relative to the eGW root
-	 * (to not use that feature to explore arbitrary files on the server)
-	 * and it has to be a php file setting one variable called options,
+	 * For security reasons it has to be a php file setting one variable called options,
 	 * (to not display it to anonymously by the webserver).
 	 * The $options var has to be an array with value => label pairs, eg:
 	 *
@ -292,12 +290,11 @@ class Customfields implements \IteratorAggregate
 	{
 		$options = array();

-		if (!($path = realpath($file[0] == '/' ? $file : EGW_SERVER_ROOT.'/'.$file)) ||	// file does not exist
-			substr($path,0,strlen(EGW_SERVER_ROOT)+1) != EGW_SERVER_ROOT.'/' ||	// we are NOT inside the eGW root
-			basename($path,'.php').'.php' != basename($path) ||	// extension is NOT .php
-			basename($path) == 'header.inc.php')	// dont allow to include our header again
+		if(!($path = Api\Vfs::resolve_url($file)) ||    // file does not exist   // we are NOT inside the eGW root
+			basename($path, '.php') . '.php' != basename($path) ||    // extension is NOT .php
+			basename($path) == 'header.inc.php')    // dont allow to include our header again
 		{
-			return array(lang("'%1' is no php file in the eGW server root (%2)!".': '.$path,$file,EGW_SERVER_ROOT));
+			return array(lang("'%1' is no php file in the eGW server root (%2)!" . ': ' . $path, $file, EGW_SERVER_ROOT));
 		}
 		include($path);