Sec: Missing security check on page access.
This commit is contained in:
Laurent Destailleur
parent
72fcca6459
commit
04b03f448a
@ -1,97 +0,0 @@
|
||||
<?php
|
||||
/* Copyright (C) 2001-2002 Rodolphe Quiedeville <rodolphe@quiedeville.org>
|
||||
* Copyright (C) 2004-2005 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 2 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* $Id$
|
||||
*/
|
||||
|
||||
/**
|
||||
\file htdocs/compta/charges.php
|
||||
\ingroup compta
|
||||
\brief Page liste des charges sociales
|
||||
\version $Revision$
|
||||
*/
|
||||
|
||||
require("./pre.inc.php");
|
||||
|
||||
$langs->load("compta");
|
||||
$langs->load("tax");
|
||||
|
||||
|
||||
/*
|
||||
* Action ajout en bookmark
|
||||
*/
|
||||
if ($action == 'add_bookmark') {
|
||||
$sql = "INSERT INTO ".MAIN_DB_PREFIX."bookmark (fk_soc, dateb, fk_user) VALUES (".$socid.", ".$db->idate(mktime()).",".$user->id.");";
|
||||
if (! $db->query($sql) ) {
|
||||
print $db->error();
|
||||
}
|
||||
}
|
||||
|
||||
if ($action == 'del_bookmark') {
|
||||
$sql = "DELETE FROM ".MAIN_DB_PREFIX."bookmark WHERE rowid=$bid";
|
||||
$result = $db->query($sql);
|
||||
}
|
||||
|
||||
|
||||
|
||||
llxHeader();
|
||||
|
||||
print_titre($langs->trans("Charges"));
|
||||
|
||||
print '<table width="100%">';
|
||||
|
||||
print '<tr><td valign="top" width="30%">';
|
||||
|
||||
|
||||
print '<table class="noborder" width="100%">';
|
||||
print "<tr class=\"liste_titre\">";
|
||||
print "<td colspan=\"2\">Factures</td>";
|
||||
print "</tr>\n";
|
||||
|
||||
$sql = "SELECT c.libelle as nom, sum(s.amount) as total";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."c_chargesociales as c, ".MAIN_DB_PREFIX."chargesociales as s";
|
||||
$sql .= " WHERE s.fk_type = c.id AND s.paye = 1";
|
||||
$sql .= " GROUP BY lower(c.libelle) ASC";
|
||||
|
||||
if ( $db->query($sql) ) {
|
||||
$num = $db->num_rows();
|
||||
$i = 0;
|
||||
|
||||
while ($i < $num) {
|
||||
$obj = $db->fetch_object();
|
||||
$var = !$var;
|
||||
print "<tr $bc[$var]>";
|
||||
print '<td>'.$obj->nom.'</td><td>'.price($obj->total).'</td>';
|
||||
print '</tr>';
|
||||
$i++;
|
||||
}
|
||||
} else {
|
||||
dolibarr_print_error($db);
|
||||
}
|
||||
|
||||
|
||||
print "</table><br>";
|
||||
|
||||
print '</td></tr>';
|
||||
|
||||
print '</table>';
|
||||
|
||||
$db->close();
|
||||
|
||||
llxFooter('$Date$ - $Revision$');
|
||||
?>
|
||||
@ -29,11 +29,14 @@ require(DOL_DOCUMENT_ROOT."/chargesociales.class.php");
|
||||
$langs->load("compta");
|
||||
$langs->load("bills");
|
||||
|
||||
if (!$user->admin && !$user->rights->tax->charges)
|
||||
accessforbidden();
|
||||
|
||||
$chid=isset($_GET["id"])?$_GET["id"]:$_POST["id"];
|
||||
|
||||
// Security check
|
||||
$socid = isset($_GET["socid"])?$_GET["socid"]:'';
|
||||
if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'tax', '', '', 'charges');
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -27,9 +27,10 @@
|
||||
require("./pre.inc.php");
|
||||
require(DOL_DOCUMENT_ROOT."/chargesociales.class.php");
|
||||
|
||||
|
||||
if (!$user->admin && ! $user->rights->tax->charges->lire)
|
||||
accessforbidden();
|
||||
// Security check
|
||||
$socid = isset($_GET["socid"])?$_GET["socid"]:'';
|
||||
if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'tax', '', '', 'charges');
|
||||
|
||||
|
||||
$sortfield = isset($_GET["sortfield"])?$_GET["sortfield"]:$_POST["sortfield"];
|
||||
|
||||
@ -57,10 +57,15 @@ if($min == 0 or $min!=floatval(strval($min))){
|
||||
$modetax = $conf->global->TAX_MODE;
|
||||
if ($_GET["modetax"]) $modetax=$_GET["modetax"];
|
||||
|
||||
// Security check
|
||||
$socid = isset($_GET["socid"])?$_GET["socid"]:'';
|
||||
if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'tax', '', '', 'charges');
|
||||
|
||||
|
||||
|
||||
/*
|
||||
* Code
|
||||
* View
|
||||
*/
|
||||
|
||||
llxHeader();
|
||||
@ -184,8 +189,9 @@ if (is_array($coll_list))
|
||||
}
|
||||
else
|
||||
{
|
||||
$langs->load("errors");
|
||||
if ($coll_list == -1)
|
||||
print '<tr><td colspan="5">'.$langs->trans("NoAccountancyModuleLoaded").'</td></tr>';
|
||||
print '<tr><td colspan="5">'.$langs->trans("ErrorNoAccountancyModuleLoaded").'</td></tr>';
|
||||
else if ($coll_list == -2)
|
||||
print '<tr><td colspan="5">'.$langs->trans("FeatureNotYetAvailable").'</td></tr>';
|
||||
else
|
||||
@ -255,8 +261,9 @@ if (is_array($coll_list))
|
||||
}
|
||||
else
|
||||
{
|
||||
$langs->load("errors");
|
||||
if ($coll_list == -1)
|
||||
print '<tr><td colspan="5">'.$langs->trans("NoAccountancyModuleLoaded").'</td></tr>';
|
||||
print '<tr><td colspan="5">'.$langs->trans("ErrorNoAccountancyModuleLoaded").'</td></tr>';
|
||||
else if ($coll_list == -2)
|
||||
print '<tr><td colspan="5">'.$langs->trans("FeatureNotYetAvailable").'</td></tr>';
|
||||
else
|
||||
|
||||
@ -35,6 +35,11 @@ $id=$_REQUEST["id"];
|
||||
|
||||
$mesg = '';
|
||||
|
||||
// Security check
|
||||
$socid = isset($_GET["socid"])?$_GET["socid"]:'';
|
||||
if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'tax', '', '', 'charges');
|
||||
|
||||
|
||||
/**
|
||||
* Action ajout paiement tva
|
||||
|
||||
@ -39,6 +39,11 @@ if ($year == 0 )
|
||||
$year_start = $year;
|
||||
}
|
||||
|
||||
// Security check
|
||||
$socid = isset($_GET["socid"])?$_GET["socid"]:'';
|
||||
if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'tax', '', '', 'charges');
|
||||
|
||||
|
||||
|
||||
/**
|
||||
@ -200,7 +205,7 @@ function pt ($db, $sql, $date)
|
||||
|
||||
|
||||
/*
|
||||
*
|
||||
* View
|
||||
*/
|
||||
|
||||
llxHeader();
|
||||
|
||||
@ -40,6 +40,10 @@ if ($year == 0 )
|
||||
$year_start = $year;
|
||||
}
|
||||
|
||||
// Security check
|
||||
$socid = isset($_GET["socid"])?$_GET["socid"]:'';
|
||||
if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'tax', '', '', 'charges');
|
||||
|
||||
|
||||
/**
|
||||
@ -168,8 +172,9 @@ function tva_paye($db, $y,$q)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Main script
|
||||
* View
|
||||
*/
|
||||
|
||||
llxHeader();
|
||||
|
||||
@ -57,10 +57,15 @@ $q=(! empty($_GET["q"]))?$_GET["q"]:1;
|
||||
$modetax = $conf->global->TAX_MODE;
|
||||
if ($_GET["modetax"]) $modetax=$_GET["modetax"];
|
||||
|
||||
// Security check
|
||||
$socid = isset($_GET["socid"])?$_GET["socid"]:'';
|
||||
if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'tax', '', '', 'charges');
|
||||
|
||||
|
||||
/**
|
||||
* Affichage page
|
||||
|
||||
/*
|
||||
* View
|
||||
*/
|
||||
|
||||
llxHeader();
|
||||
@ -151,8 +156,9 @@ $x_paye = vat_by_quarter($db, $y, $q, $modetax, 'buy');
|
||||
|
||||
if (! is_array($x_coll) || ! is_array($x_paye))
|
||||
{
|
||||
$langs->load("errors");
|
||||
if ($x_coll == -1)
|
||||
print '<tr><td colspan="5">'.$langs->trans("NoAccountancyModuleLoaded").'</td></tr>';
|
||||
print '<tr><td colspan="5">'.$langs->trans("ErrorNoAccountancyModuleLoaded").'</td></tr>';
|
||||
else if ($x_coll == -2)
|
||||
print '<tr><td colspan="5">'.$langs->trans("FeatureNotYetAvailable").'</td></tr>';
|
||||
else
|
||||
|
||||
@ -30,6 +30,16 @@ require_once(DOL_DOCUMENT_ROOT."/compta/tva/tva.class.php");
|
||||
$langs->load("compta");
|
||||
$langs->load("compta");
|
||||
|
||||
// Security check
|
||||
$socid = isset($_GET["socid"])?$_GET["socid"]:'';
|
||||
if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'tax', '', '', 'charges');
|
||||
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
*/
|
||||
|
||||
llxHeader();
|
||||
|
||||
|
||||
@ -32,3 +32,4 @@ ErrorFieldCanNotContainSpecialCharacters=Field <b>%s</b> must not contains speci
|
||||
WarningAllowUrlFopenMustBeOn=Parameter <b>allow_url_fopen</b> must be set to <b>on</b> in filer <b>php.ini</b> for having this module working completely. You must modify this file manually.
|
||||
WarningBuildScriptNotRunned=Script <b>%s</b> was not yet ran to build graphics.
|
||||
WarningBookmarkAlreadyExists=A bookmark with this title or this target (URL) already exists.
|
||||
ErrorNoAccountancyModuleLoaded=No accountancy module activated
|
||||
@ -31,4 +31,5 @@ ErrorDirAlreadyExists=Un r
|
||||
ErrorFieldCanNotContainSpecialCharacters=Le champ <b>%s</b> ne peut contenir de caractères spéciaux.
|
||||
WarningAllowUrlFopenMustBeOn=Attention, le paramètre <b>allow_url_fopen</b> doit etre positionné à <b>on</b> dans le fichier <b>php.ini</b> pour que ce module soit pleinement opérationnel. Vous devez modifier ce fichier manuellement.
|
||||
WarningBuildScriptNotRunned=Le script <b>%s</b> n'a pas encore été lancé pour générer les graphiques.
|
||||
WarningBookmarkAlreadyExists=Un marque-page avec ce titre ou cette destination (URL) existe déjà.
|
||||
WarningBookmarkAlreadyExists=Un marque-page avec ce titre ou cette destination (URL) existe déjà.
|
||||
ErrorNoAccountancyModuleLoaded=Aucun module de comptabilité activé
|
||||
Loading…
Reference in New Issue
Block a user