From 10b536603a7aef94d719f93b849780d501d665ca Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Mon, 2 May 2011 17:08:50 +0000 Subject: [PATCH] Works on enhancement of paypal module --- htdocs/langs/en_US/admin.lang | 1 + htdocs/langs/fr_FR/admin.lang | 1 + htdocs/paypal/admin/paypal.php | 25 ++++++++++++++++++------- htdocs/public/paypal/newpayment.php | 19 ++++++++++--------- 4 files changed, 30 insertions(+), 16 deletions(-) diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang index d525b3d7b91..170c6dccec9 100644 --- a/htdocs/langs/en_US/admin.lang +++ b/htdocs/langs/en_US/admin.lang @@ -302,6 +302,7 @@ ConnectionTimeout=Connexion timeout ResponseTimeout=Response timeout SmsTestMessage=Test message from __PHONEFROM__ to __PHONETO__ ModuleMustBeEnabledFirst=Module %s must be enabled first before using this feature. +SecurityToken=Security token # Modules Module0Name=Users & groups diff --git a/htdocs/langs/fr_FR/admin.lang b/htdocs/langs/fr_FR/admin.lang index 050422688a4..89036be9029 100644 --- a/htdocs/langs/fr_FR/admin.lang +++ b/htdocs/langs/fr_FR/admin.lang @@ -303,6 +303,7 @@ ConnectionTimeout=Timeout de connexion ResponseTimeout=Timeout de réponse SmsTestMessage=Message de test de __PHONEFROM__ vers __PHONETO__ ModuleMustBeEnabledFirst=Le module %s doit etre activé pour utiliser cette fonction. +SecurityToken=Jeton de sécurité # Modules= undefined Module0Name= Utilisateurs & groupes diff --git a/htdocs/paypal/admin/paypal.php b/htdocs/paypal/admin/paypal.php index e10a58ad9ad..e2bbdff62af 100644 --- a/htdocs/paypal/admin/paypal.php +++ b/htdocs/paypal/admin/paypal.php @@ -1,6 +1,7 @@ * Copyright (C) 2005-2010 Laurent Destailleur + * Copyright (C) 2011 Regis Houssin * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
@@ -48,6 +49,7 @@ if ($_POST["action"] == 'setvalue' && $user->admin) $result=dolibarr_set_const($db, "PAYPAL_CREDITOR",$_POST["PAYPAL_CREDITOR"],'chaine',0,'',$conf->entity); $result=dolibarr_set_const($db, "PAYPAL_API_INTEGRAL_OR_PAYPALONLY",$_POST["PAYPAL_API_INTEGRAL_OR_PAYPALONLY"],'chaine',0,'',$conf->entity); $result=dolibarr_set_const($db, "PAYPAL_CSS_URL",$_POST["PAYPAL_CSS_URL"],'chaine',0,'',$conf->entity); + $result=dolibarr_set_const($db, "PAYPAL_SECURITY_TOKEN",$_POST["PAYPAL_SECURITY_TOKEN"],'chaine',0,'',$conf->entity); $result=dolibarr_set_const($db, "PAYPAL_MESSAGE_OK",$_POST["PAYPAL_MESSAGE_OK"],'chaine',0,'',$conf->entity); $result=dolibarr_set_const($db, "PAYPAL_MESSAGE_KO",$_POST["PAYPAL_MESSAGE_KO"],'chaine',0,'',$conf->entity); @@ -154,14 +156,20 @@ $var=!$var; print ''; print $langs->trans("VendorName").''; print ''; -print '
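Review bot: The new PAYPAL_SECURITY_TOKEN line stores `$_POST["PAYPAL_SECURITY_TOKEN"]` raw, while the newpayment.php side of this same commit moves to `GETPOST(...,'alpha')`; since this value is the shared secret every payment-link token is derived from, it deserves at least the same filtering plus a trim so a stray space does not silently change the md5, e.g. `$result=dolibarr_set_const($db, "PAYPAL_SECURITY_TOKEN",trim(GETPOST('PAYPAL_SECURITY_TOKEN','alpha')),'chaine',0,'',$conf->entity);`. The enclosing `if ($_POST["action"] == 'setvalue' && $user->admin)` block starts before this hunk. The following hunk echoes the stored token back into the admin form; the input markup is not visible in this rendering, so it is worth confirming that the value goes through htmlentities there.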
'.$langs->trans("Example").': '.$mysoc->name; +print '   '.$langs->trans("Example").': '.$mysoc->name; print ''; $var=!$var; print ''; print $langs->trans("CSSUrlForPaymentForm").''; print ''; -print '
'.$langs->trans("Example").': http://mysite/mycss.css'; +print '   '.$langs->trans("Example").': http://mysite/mycss.css'; +print ''; + +$var=!$var; +print ''; +print $langs->trans("SecurityToken").''; +print ''; print ''; $var=!$var; @@ -206,30 +214,33 @@ print ''; print '

'; +$token=''; +if (! empty($conf->global->PAYPAL_SECURITY_TOKEN)) $token='&token='.md5($conf->global->PAYPAL_SECURITY_TOKEN); + // Url list print ''.$langs->trans("FollowingUrlAreAvailableToMakePayments").':
'; print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnFreeAmount",$servicename).':
'; -print ''.DOL_MAIN_URL_ROOT.'/public/paypal/newpayment.php?amount=9.99&tag=your_free_tag'."
\n"; +print ''.DOL_MAIN_URL_ROOT.'/public/paypal/newpayment.php?amount=9.99&tag=your_free_tag'.$token.''."
\n"; if ($conf->commande->enabled) { print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnOrder",$servicename).':
'; - print ''.DOL_MAIN_URL_ROOT.'/public/paypal/newpayment.php?source=order&ref=order_ref'."
\n"; + print ''.DOL_MAIN_URL_ROOT.'/public/paypal/newpayment.php?source=order&ref=order_ref'.$token.''."
\n"; } if ($conf->facture->enabled) { print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnInvoice",$servicename).':
'; - print ''.DOL_MAIN_URL_ROOT.'/public/paypal/newpayment.php?source=invoice&ref=invoice_ref'."
\n"; + print ''.DOL_MAIN_URL_ROOT.'/public/paypal/newpayment.php?source=invoice&ref=invoice_ref'.$token.''."
\n"; // print $langs->trans("SetupPaypalToHavePaymentCreatedAutomatically",$langs->transnoentitiesnoconv("FeatureNotYetAvailable"))."
\n"; } if ($conf->contrat->enabled) { print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnContractLine",$servicename).':
'; - print ''.DOL_MAIN_URL_ROOT.'/public/paypal/newpayment.php?source=contractline&ref=contractline_ref'."
\n"; + print ''.DOL_MAIN_URL_ROOT.'/public/paypal/newpayment.php?source=contractline&ref=contractline_ref'.$token.''."
\n"; } if ($conf->adherent->enabled) { print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnMemberSubscription",$servicename).':
'; - print ''.DOL_MAIN_URL_ROOT.'/public/paypal/newpayment.php?source=membersubscription&ref=member_ref'."
\n"; + print ''.DOL_MAIN_URL_ROOT.'/public/paypal/newpayment.php?source=membersubscription&ref=member_ref'.$token.''."
\n"; } print "
"; diff --git a/htdocs/public/paypal/newpayment.php b/htdocs/public/paypal/newpayment.php index c5e0df77d1d..aae429b1fd3 100755 --- a/htdocs/public/paypal/newpayment.php +++ b/htdocs/public/paypal/newpayment.php @@ -55,6 +55,7 @@ $langs->load("paypal"); // tag (a free text, required if type is empty) // currency (iso code) +$ref=GETPOST('ref','alpha'); $suffix=GETPOST("suffix",'alpha'); $amount=price2num(GETPOST("amount")); if (! GETPOST("currency",'alpha')) $currency=$conf->global->MAIN_MONNAIE; @@ -341,7 +342,7 @@ if (GETPOST("source") == 'order') require_once(DOL_DOCUMENT_ROOT."/commande/class/commande.class.php"); $order=new Commande($db); - $result=$order->fetch('',$_REQUEST["ref"]); + $result=$order->fetch('',$ref); if ($result < 0) { $mesg=$order->error; @@ -358,7 +359,7 @@ if (GETPOST("source") == 'order') $fulltag='ORD='.$order->ref.'.CUS='.$order->client->id; //$fulltag.='.NAM='.strtr($order->client->nom,"-"," "); - if (! empty($_REQUEST["tag"])) { $tag=$_REQUEST["tag"]; $fulltag.='.TAG='.$_REQUEST["tag"]; } + if (! empty($TAG)) { $tag=$TAG; $fulltag.='.TAG='.$TAG; } $fulltag=dol_string_unaccent($fulltag); // Creditor @@ -450,7 +451,7 @@ if (GETPOST("source") == 'invoice') require_once(DOL_DOCUMENT_ROOT."/compta/facture/class/facture.class.php"); $invoice=new Facture($db); - $result=$invoice->fetch('',$_REQUEST["ref"]); + $result=$invoice->fetch('',$ref); if ($result < 0) { $mesg=$invoice->error; @@ -467,7 +468,7 @@ if (GETPOST("source") == 'invoice') $fulltag='INV='.$invoice->ref.'.CUS='.$invoice->client->id; //$fulltag.='.NAM='.strtr($invoice->client->nom,"-"," "); - if (! empty($_REQUEST["tag"])) { $tag=$_REQUEST["tag"]; $fulltag.='.TAG='.$_REQUEST["tag"]; } + if (! empty($TAG)) { $tag=$TAG; $fulltag.='.TAG='.$TAG; } $fulltag=dol_string_unaccent($fulltag); // Creditor 
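Review bot: The `$token` built from `md5($conf->global->PAYPAL_SECURITY_TOKEN)` is the same value for every link on this page, so it is a static shared secret rather than something bound to a given order, invoice or amount: whoever sees one payment URL holds the token for all of them, and an unkeyed md5 of a short configured string offers little protection once a single link is observed. Binding the token to the link parameters keeps the same URL shape while making each link self-contained, e.g. computing it per link as `hash_hmac('sha256', $source.$ref.$amount, $conf->global->PAYPAL_SECURITY_TOKEN)` and showing a placeholder such as `token=your_token` in the example URLs here. Separately, `'&token='` is concatenated into an HTML href; inside markup the separator should be `&amp;token=` (or the whole href escaped once with htmlentities), the existing example URLs already have the same raw `&` issue.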
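Review bot: Nothing in the newpayment.php hunks reads or checks the `token` query parameter that the admin page now appends to every payment link, so unless the check lives in unchanged code outside these hunks the token is advertised but not enforced. A guard next to the new `$ref=GETPOST('ref','alpha');` line would close that, e.g. `if (! empty($conf->global->PAYPAL_SECURITY_TOKEN) && ! hash_equals(md5($conf->global->PAYPAL_SECURITY_TOKEN), (string) GETPOST('token','alpha'))) accessforbidden();`, using a constant-time comparison (hash_equals, or an equivalent loop on PHP versions that lack it) rather than `==` so the token cannot be matched byte by byte through timing. With the token only configured in the admin page and never required on the public page, the setting gives a false sense of protection.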
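Review bot: `$TAG` replaces `$_REQUEST["tag"]` in the new `if (! empty($TAG))` line, but no hunk in this diff assigns `$TAG`; unless it is set in unchanged code near the new `$ref=GETPOST('ref','alpha');` line, `empty($TAG)` is always true and the free tag silently stops reaching `$fulltag`. The same replacement appears in the @@ -467, @@ -619 and @@ -773 hunks. If it is not yet defined, `$TAG=GETPOST('tag','alpha');` beside `$ref` would keep the tag working with the same filtering as `ref`. The enclosing `if (GETPOST("source") == 'order')` block starts outside the hunk.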
@@ -558,7 +559,7 @@ if (GETPOST("source") == 'contractline') require_once(DOL_DOCUMENT_ROOT."/contrat/class/contrat.class.php"); $contractline=new ContratLigne($db); - $result=$contractline->fetch('',$_REQUEST["ref"]); + $result=$contractline->fetch('',$ref); if ($result < 0) { $mesg=$contractline->error; @@ -619,11 +620,11 @@ if (GETPOST("source") == 'contractline') $fulltag='COL='.$contractline->ref.'.CON='.$contract->ref.'.CUS='.$contract->client->id; //$fulltag.='.NAM='.strtr($contract->client->nom,"-"," "); - if (! empty($_REQUEST["tag"])) { $tag=$_REQUEST["tag"]; $fulltag.='.TAG='.$_REQUEST["tag"]; } + if (! empty($TAG)) { $tag=$TAG; $fulltag.='.TAG='.$TAG; } $fulltag=dol_string_unaccent($fulltag); $qty=1; - if (isset($_REQUEST["qty"])) $qty=$_REQUEST["qty"]; + if (GETPOST('qty')) $qty=GETPOST('qty'); // Creditor $var=!$var; @@ -756,7 +757,7 @@ if (GETPOST("source") == 'membersubscription') require_once(DOL_DOCUMENT_ROOT."/adherents/class/cotisation.class.php"); $member=new Adherent($db); - $result=$member->fetch('',$_REQUEST["ref"]); + $result=$member->fetch('',$ref); if ($result < 0) { $mesg=$member->error; @@ -773,7 +774,7 @@ if (GETPOST("source") == 'membersubscription') $fulltag='MEM='.$member->id; //$fulltag.='.NAM='.strtr($member->getFullName($langs),"-"," "); - if (! empty($_REQUEST["tag"])) { $tag=$_REQUEST["tag"]; $fulltag.='.TAG='.$_REQUEST["tag"]; } + if (! empty($TAG)) { $tag=$TAG; $fulltag.='.TAG='.$TAG; } $fulltag=dol_string_unaccent($fulltag); // Creditor
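Review bot: `if (GETPOST('qty')) $qty=GETPOST('qty');` in the @@ -619 hunk takes the quantity with no type check, so a non-numeric or negative value is accepted and presumably feeds whatever amount is computed for the contract line further down; since `ref` now uses `GETPOST('ref','alpha')`, `qty` should get the integer check and a positivity test, e.g. `if (GETPOST('qty','int') > 0) $qty=GETPOST('qty','int');`. The enclosing `if (GETPOST("source") == 'contractline')` block starts before the hunk and the amount computation is not visible here.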