QUAL Normalize inclusion of main.inc.php with require_once __DIR__

[Vaadasch]

QUAL|Qual Normalization of calls to main.inc.php

In the event of a page called by another page, the relative path used to include/require the main.inc.php is broken.

As it is mainly require that is used, the error is interruptive.

Modification of all the files of the project to normalize the use of a "require_once" and the use of __DIR__ as a base on which use the "relative" path to find main.inc.php.

moduleBuilder

Inside this PR, modification of the template behavior to find the main.inc.php from the moduleBuilder templates.
If a main.inc.php at the closest path of the file (current dir) is present, tries to include (require_once) it.
And if not present, search inside parent folder.
And if not present, search inside parent's parent folder.
And so on until finding one. Ultimately the /var/www/htdocs/main.inc.php.
To prevent infinite while loop, if it doesn't find it, a counter of 15.

One can have its own main.inc.php inside its module, as long as it include the same code block in order to include the "main" main.inc.php.
Probably useless but that come with the new behavior.

PS : QUAL does mean quality, right ?

[eldy]

the main.inc.php must never be included several times, it is the init of env that must be done once and only once.
So we must use the require and not require_once.

The only reason I see why a module would like to bypass the load of environment is to break the security. This should never be allowed.

If you need to load environment without page loading context, you can include the master.inc.php
A page should never include another page (this will generates conflict in mime type, duplicate http header, content policies rules, and more evil side effects.

[Vaadasch]

Thanks for you answer. You're right, it is the heart of this PR.

the main.inc.php must never be included several times

That is why I propose require_once, it seems to me more secure than crashing PHP to prevent devs to do so.

When i'm testing this, it doesn't seems to break anything. Of course, it is at my own risk, like everything from the very start of coding a new module.

For the security concern, as soon as anyone can add code and make it executed, one can break security. As you said, no need to include main.inc.php to break security, we can include master.inc.php. If i understand you well.

A page should never include another page (this will generates conflict in mime type, duplicate http header, content policies rules, and more evil side effects.

For that, i don't know of it yet, i didn't encounter the problem yet, but that is my problem, at my own pace.
You might be right, no one should never do that, but for me that is not a reason to prevent it.
One can always have a reason to do it, at his own risk, balancing the pros and cons.
As a module developer, that is my problem, not a Dolibarr problem which should allow me to do even dangerous things.
Well, I could add a line in a module initialization to erase all the database, there is no way for Dolibarr to prevent it, it is only my own awareness. So i don't see using require instead of require_once as the thing that will prevent me to do bad things.

[Vaadasch]

Hi, @eldy,

A page should never include another page (this will generates conflict in mime type, duplicate http header, content policies rules, and more evil side effects.

Have you encounter these problems or is that a general assumption ? Is that not dependant on how you code your page ?

As I finally succeed to make work with hooks, can you confirm me that is the way I search ?

Did you happen to see the modifications that i've done inside the templates of modulebuilder ? I find this more elegant. Will that be interesting to include that in a specific PR ?