diff --git a/build/exe/doliwamp/doliwamp.iss b/build/exe/doliwamp/doliwamp.iss index 8d465cc4cbf..a837450f077 100644 --- a/build/exe/doliwamp/doliwamp.iss +++ b/build/exe/doliwamp/doliwamp.iss @@ -108,11 +108,7 @@ Source: "C:\Program Files\Wamp\bin\mysql\mysql5.0.45\*.*"; DestDir: "{app}\bin\m ; Mysql data files (does not overwrite if exists) Source: "build\exe\doliwamp\mysql\*.*"; DestDir: "{app}\bin\mysql\data\mysql"; Flags: onlyifdoesntexist ignoreversion recursesubdirs; Excludes: ".gitignore,.project,CVS\*,Thumbs.db" ; Dolibarr -<<<<<<< HEAD -Source: "htdocs\*.*"; DestDir: "{app}\www\dolibarr\htdocs"; Flags: ignoreversion recursesubdirs; Excludes: ".gitignore,.project,CVS\*,Thumbs.db,custom\*,custom2\*,documents\*,nltechno*\*,includes\ckeditor\_source\*,includes\savant\*,includes\phpmailer\*,jquery\plugins\template\*,PHPExcel\Shared\PDF\*,PHPExcel\Shared\PCLZip\*,tcpdf\fonts\dejavu-fonts-ttf-2.33\*,tcpdf\fonts\freefont-20100919\*,tcpdf\fonts\utils\*,*\conf.php,*\conf.php.mysql,*\conf.php.old,*\conf.php.postgres,*\conf.php.sav,*\install.forced.php" -======= -Source: "htdocs\*.*"; DestDir: "{app}\www\dolibarr\htdocs"; Flags: ignoreversion recursesubdirs; Excludes: ".gitignore,.project,CVS\*,Thumbs.db,custom\*,custom2\*,documents\*,includes\ckeditor\_source\*,includes\savant\*,includes\phpmailer\*,jquery\plugins\template\*,nltechno*,PHPExcel\Shared\PDF\*,PHPExcel\Shared\PCLZip\*,tcpdf\fonts\dejavu-fonts-ttf-2.33\*,tcpdf\fonts\freefont-20100919\*,tcpdf\fonts\utils\*,*\conf.php,*\conf.php.mysql,*\conf.php.old,*\conf.php.postgres,*\conf.php.sav,*\install.forced.php" ->>>>>>> refs/remotes/origin/3.5 +Source: "htdocs\*.*"; DestDir: "{app}\www\dolibarr\htdocs"; Flags: ignoreversion recursesubdirs; Excludes: ".gitignore,.project,CVS\*,Thumbs.db,custom\*,custom2\*,documents\*,includes\ckeditor\_source\*,includes\savant\*,includes\phpmailer\*,jquery\plugins\template\*,nltechno*\*,PHPExcel\Shared\PDF\*,PHPExcel\Shared\PCLZip\*,tcpdf\fonts\dejavu-fonts-ttf-2.33\*,tcpdf\fonts\freefont-20100919\*,tcpdf\fonts\utils\*,*\conf.php,*\conf.php.mysql,*\conf.php.old,*\conf.php.postgres,*\conf.php.sav,*\install.forced.php" Source: "dev\*.*"; DestDir: "{app}\www\dolibarr\dev"; Flags: ignoreversion recursesubdirs; Excludes: ".gitignore,.project,CVS\*,Thumbs.db,dbmodel\*,fpdf\*,initdata\*,iso-normes\*,licence\*,phpcheckstyle\*,phpunit\*,samples\*,test\*,uml\*,vagrant\*,xdebug\*" Source: "doc\*.*"; DestDir: "{app}\www\dolibarr\doc"; Flags: ignoreversion recursesubdirs; Excludes: ".gitignore,.project,CVS\*,Thumbs.db,wiki\*,plaquette\*,dev\*,images\dolibarr_screenshot2.png,images\dolibarr_screenshot3.png,images\dolibarr_screenshot4.png,images\dolibarr_screenshot5.png,images\dolibarr_screenshot6.png,images\dolibarr_screenshot7.png,images\dolibarr_screenshot8.png,images\dolibarr_screenshot9.png,images\dolibarr_screenshot10.png,images\dolibarr_screenshot11.png,images\dolibarr_screenshot12.png" Source: "scripts\*.*"; DestDir: "{app}\www\dolibarr\scripts"; Flags: ignoreversion recursesubdirs; Excludes: ".gitignore,.project,CVS\*,Thumbs.db,product\materiel.net.php,product\import-product.php" diff --git a/htdocs/adherents/list.php b/htdocs/adherents/list.php index 7764b4d144e..b54b9233ee5 100644 --- a/htdocs/adherents/list.php +++ b/htdocs/adherents/list.php @@ -2,7 +2,7 @@ /* Copyright (C) 2001-2003 Rodolphe Quiedeville * Copyright (C) 2002-2003 Jean-Louis Bergamo * Copyright (C) 2004-2014 Laurent Destailleur - * Copyright (C) 2013 Raphaël Doursenaud + * Copyright (C) 2013-2015 Raphaël Doursenaud * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -107,7 +107,7 @@ if ($sall) foreach ($scrit as $crit) { $sql.=" AND ("; - if (is_numeric($sall)) $sql.= "d.rowid = ".$sall." OR "; + if (is_numeric($sall)) $sql.= "d.rowid = ".$db->escape($sall)." OR "; $sql.=" d.firstname LIKE '%".$db->escape($sall)."%' OR d.lastname LIKE '%".$db->escape($sall)."%' OR d.societe LIKE '%".$db->escape($sall)."%'"; $sql.=" OR d.email LIKE '%".$db->escape($sall)."%' OR d.login LIKE '%".$db->escape($sall)."%' OR d.address LIKE '%".$db->escape($sall)."%'"; $sql.=" OR d.town LIKE '%".$db->escape($sall)."%' OR d.note LIKE '%".$db->escape($sall)."%')"; @@ -115,7 +115,7 @@ if ($sall) } if ($type > 0) { - $sql.=" AND t.rowid=".$type; + $sql.=" AND t.rowid=".$db->escape($type); } if (isset($_GET["statut"]) || isset($_POST["statut"])) { diff --git a/htdocs/comm/propal.php b/htdocs/comm/propal.php index b4e1d0bec76..a0ef8878d1f 100644 --- a/htdocs/comm/propal.php +++ b/htdocs/comm/propal.php @@ -567,7 +567,6 @@ if (empty($reshook)) include DOL_DOCUMENT_ROOT.'/core/actions_sendmails.inc.php'; - // Go back to draft if ($action == 'modif' && $user->rights->propal->creer) { diff --git a/htdocs/compta/facture/class/facturestats.class.php b/htdocs/compta/facture/class/facturestats.class.php index 4028849b5fa..5d8d22cfa9d 100644 --- a/htdocs/compta/facture/class/facturestats.class.php +++ b/htdocs/compta/facture/class/facturestats.class.php @@ -84,6 +84,8 @@ class FactureStats extends Stats $this->where.=" AND f.fk_soc = ".$this->socid; } if ($this->userid > 0) $this->where.=' AND f.fk_user_author = '.$this->userid; + if (! empty($conf->global->FACTURE_DEPOSITS_ARE_JUST_PAYMENTS)) $this->where.= " AND f.type IN (0,1,2)"; + else $this->where.= " AND f.type IN (0,1,2,3)"; } @@ -206,7 +208,7 @@ class FactureStats extends Stats $sql = "SELECT product.ref, COUNT(product.ref) as nb, SUM(tl.".$this->field_line.") as total, AVG(tl.".$this->field_line.") as avg"; $sql.= " FROM ".$this->from.", ".$this->from_line.", ".MAIN_DB_PREFIX."product as product"; - //if (!$user->rights->societe->client->voir && !$user->societe_id) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; + if (!$user->rights->societe->client->voir && !$this->socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; $sql.= " WHERE ".$this->where; $sql.= " AND f.rowid = tl.fk_facture AND tl.fk_product = product.rowid"; $sql.= " AND f.datef BETWEEN '".$this->db->idate(dol_get_first_day($year,1,false))."' AND '".$this->db->idate(dol_get_last_day($year,12,false))."'"; diff --git a/htdocs/compta/sociales/charges.php b/htdocs/compta/sociales/charges.php index afe2c27a3be..a343df2cbaa 100644 --- a/htdocs/compta/sociales/charges.php +++ b/htdocs/compta/sociales/charges.php @@ -472,7 +472,7 @@ if ($id > 0) } // Emettre paiement - if ($object->paye == 0 && ((price2num($object->amount) < 0 && round($resteapayer) < 0) || (price2num($object->amount) > 0 && round($resteapayer) > 0)) && $user->rights->tax->charges->creer) + if ($object->paye == 0 && ((price2num($object->amount) < 0 && price2num($resteapayer, 'MT') < 0) || (price2num($object->amount) > 0 && price2num($resteapayer, 'MT') > 0)) && $user->rights->tax->charges->creer) { print "id&action=create\">".$langs->trans("DoPayment").""; } diff --git a/htdocs/contact/list.php b/htdocs/contact/list.php index 4413b721fc9..f3e9847b36e 100644 --- a/htdocs/contact/list.php +++ b/htdocs/contact/list.php @@ -3,7 +3,7 @@ * Copyright (C) 2003 Eric Seigne * Copyright (C) 2004-2012 Laurent Destailleur * Copyright (C) 2005-2012 Regis Houssin - * Copyright (C) 2013 Raphaël Doursenaud + * Copyright (C) 2013-2015 Raphaël Doursenaud * Copyright (C) 2013 Cédric Salvador * Copyright (C) 2013 Alexandre Spangaro * @@ -158,7 +158,7 @@ else if ($search_priv == '1') $sql .= " AND (p.priv='1' AND p.fk_user_creat=".$user->id.")"; } -if ($search_categ > 0) $sql.= " AND cs.fk_categorie = ".$search_categ; +if ($search_categ > 0) $sql.= " AND cs.fk_categorie = ".$db->escape($search_categ); if ($search_categ == -2) $sql.= " AND cs.fk_categorie IS NULL"; if ($search_firstlast_only) { @@ -255,11 +255,11 @@ if ($result) { $contactstatic=new Contact($db); - $param ='&begin='.urlencode($begin).'&view='.urlencode($view).'&userid='.urlencode($userid).'&contactname='.urlencode($sall); - $param.='&type='.urlencode($type).'&view='.urlencode($view).'&search_lastname='.urlencode($search_lastname).'&search_firstname='.urlencode($search_firstname).'&search_societe='.urlencode($search_societe).'&search_email='.urlencode($search_email); - if (!empty($search_categ)) $param.='&search_categ='.$search_categ; - if ($search_status != '') $param.='&search_status='.$search_status; - if ($search_priv == '0' || $search_priv == '1') $param.="&search_priv=".urlencode($search_priv); + $param ='&begin='.htmlspecialchars($begin).'&view='.htmlspecialchars($view).'&userid='.htmlspecialchars($userid).'&contactname='.htmlspecialchars($sall); + $param.='&type='.htmlspecialchars($type).'&view='.htmlspecialchars($view).'&search_lastname='.htmlspecialchars($search_lastname).'&search_firstname='.htmlspecialchars($search_firstname).'&search_societe='.htmlspecialchars($search_societe).'&search_email='.htmlspecialchars($search_email); + if (!empty($search_categ)) $param.='&search_categ='.htmlspecialchars($search_categ); + if ($search_status != '') $param.='&search_status='.htmlspecialchars($search_status); + if ($search_priv == '0' || $search_priv == '1') $param.="&search_priv=".htmlspecialchars($search_priv); $num = $db->num_rows($result); $i = 0; @@ -268,7 +268,7 @@ if ($result) print '
'; print ''; - print ''; + print ''; print ''; print ''; @@ -315,36 +315,36 @@ if ($result) // Ligne des champs de filtres print ''; print ''; - print ''; + print ''; print ''; print ''; - print ''; + print ''; print ''; print ''; - print ''; + print ''; print ''; if (empty($conf->global->SOCIETE_DISABLE_CONTACTS)) { print ''; - print ''; + print ''; print ''; } print ''; - print ''; + print ''; print ''; print ''; - print ''; + print ''; print ''; print ''; - print ''; + print ''; print ''; print ''; - print ''; + print ''; print ''; if (! empty($conf->skype->enabled)) { print ''; - print ''; + print ''; print ''; } print ' '; diff --git a/htdocs/contrat/list.php b/htdocs/contrat/list.php index debe18e995e..360c6ca9e24 100644 --- a/htdocs/contrat/list.php +++ b/htdocs/contrat/list.php @@ -92,7 +92,7 @@ $sql.= ", ".MAIN_DB_PREFIX."contrat as c"; $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."contratdet as cd ON c.rowid = cd.fk_contrat"; $sql.= " WHERE c.fk_soc = s.rowid "; $sql.= " AND c.entity = ".$conf->entity; -if ($socid) $sql.= " AND s.rowid = ".$socid; +if ($socid) $sql.= " AND s.rowid = ".$db->escape($socid); if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id; if ($search_name) { $sql .= natural_search('s.nom', $search_name); @@ -121,9 +121,9 @@ if ($resql) print ''; print ''; - $param='&search_contract='.$search_contract; - $param.='&search_name='.$search_name; - $param.='&search_ref_supplier='.$search_ref_supplier; + $param='&search_contract='.$search_contract; + $param.='&search_name='.$search_name; + $param.='&search_ref_supplier='.$search_ref_supplier; print_liste_field_titre($langs->trans("Ref"), $_SERVER["PHP_SELF"], "c.rowid","","$param",'',$sortfield,$sortorder); print_liste_field_titre($langs->trans("RefCustomer"), $_SERVER["PHP_SELF"], "c.ref_supplier","","$param",'',$sortfield,$sortorder); print_liste_field_titre($langs->trans("Company"), $_SERVER["PHP_SELF"], "s.nom","","$param",'',$sortfield,$sortorder); @@ -140,13 +140,13 @@ if ($resql) print ''; print ''; print ''; print ''; print ''; print ''; //print ''; diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 0059c40bfee..7b75ebe0106 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -507,7 +507,7 @@ function dol_escape_js($stringtoescape, $mode=0, $noescapebackslashn=0) /** - * Returns text escaped for inclusion in HTML alt or title tags + * Returns text escaped for inclusion in HTML alt or title tags, or into values of HTMPL input fields * * @param string $stringtoescape String to escape * @param int $keepb Do not clean b tags diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index f00abaa339f..73f3b0fa244 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php @@ -449,15 +449,15 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature else if (! empty($conf->societe->enabled) && ($user->rights->societe->lire && ! $user->rights->societe->client->voir)) { if (empty($dbt_keyfield)) dol_print_error('','Param dbt_keyfield is required but not defined'); - $sql = "SELECT sc.fk_soc"; + + + $sql = "SELECT dbt.id"; $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt"; - $sql.= ", ".MAIN_DB_PREFIX."societe as s"; - $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; + $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON (dbt.".$dbt_keyfield." = s.rowid)"; + $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON (sc.fk_soc = dbt.".$dbt_keyfield.")"; $sql.= " WHERE dbt.".$dbt_select." = ".$objectid; - $sql.= " AND sc.fk_soc = dbt.".$dbt_keyfield; - $sql.= " AND dbt.".$dbt_keyfield." = s.rowid"; - $sql.= " AND s.entity IN (".getEntity($sharedelement, 1).")"; - $sql.= " AND sc.fk_user = ".$user->id; + $sql.= " AND ((s.entity IN (".getEntity($sharedelement, 1).")"; + $sql.= " AND sc.fk_user = ".$user->id." ) OR dbt.fk_soc IS NULL)"; } // If multicompany and internal users with all permissions, check user is in correct entity else if (! empty($conf->multicompany->enabled)) diff --git a/htdocs/product/list.php b/htdocs/product/list.php index c060ef424e6..8212722bf57 100644 --- a/htdocs/product/list.php +++ b/htdocs/product/list.php @@ -181,7 +181,7 @@ else if (dol_strlen($canvas) > 0) $sql.= " AND p.canvas = '".$db->escape($canvas)."'"; if ($catid > 0) $sql.= " AND cp.fk_categorie = ".$catid; if ($catid == -2) $sql.= " AND cp.fk_categorie IS NULL"; - if ($search_categ > 0) $sql.= " AND cp.fk_categorie = ".$search_categ; + if ($search_categ > 0) $sql.= " AND cp.fk_categorie = ".$db->escape($search_categ); if ($search_categ == -2) $sql.= " AND cp.fk_categorie IS NULL"; if ($fourn_id > 0) $sql.= " AND pfp.fk_soc = ".$fourn_id; $sql.= " GROUP BY p.rowid, p.ref, p.label, p.barcode, p.price, p.price_ttc, p.price_base_type,"; @@ -321,16 +321,16 @@ else // Lignes des champs de filtre print ''; print ''; print ''; // Barcode if (! empty($conf->barcode->enabled)) { print ''; } // Date modification @@ -536,10 +536,10 @@ else $i++; } - $param="&sref=".$sref.($sbarcode?"&sbarcode=".$sbarcode:"")."&snom=".$snom."&sall=".$sall."&tosell=".$tosell."&tobuy=".$tobuy; - $param.=($fourn_id?"&fourn_id=".$fourn_id:""); - $param.=($search_categ?"&search_categ=".$search_categ:""); - $param.=isset($type)?"&type=".$type:""; + $param="&sref=".$sref.($sbarcode?"&sbarcode=".$sbarcode:"")."&snom=".$snom."&sall=".$sall."&tosell=".$tosell."&tobuy=".$tobuy; + $param.=($fourn_id?"&fourn_id=".$fourn_id:""); + $param.=($search_categ?"&search_categ=".$search_categ:""); + $param.=isset($type)?"&type=".$type:""; print_barre_liste('', $page, "list.php", $param, $sortfield, $sortorder,'',$num,$nbtotalofrecords); $db->free($resql); diff --git a/htdocs/societe/societe.php b/htdocs/societe/societe.php index 2d046a3ec16..db1bfe5cccb 100644 --- a/htdocs/societe/societe.php +++ b/htdocs/societe/societe.php @@ -3,7 +3,7 @@ * Copyright (C) 2004-2013 Laurent Destailleur * Copyright (C) 2005-2012 Regis Houssin * Copyright (C) 2012 Marcos García - * Copyright (C) 2013 Raphaël Doursenaud + * Copyright (C) 2013-2015 Raphaël Doursenaud * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -210,12 +210,12 @@ if (! $user->rights->fournisseur->lire) $sql.=" AND (s.fournisseur <> 1 OR s.cli // Insert sale filter if ($search_sale) { - $sql .= " AND sc.fk_user = ".$search_sale; + $sql .= " AND sc.fk_user = ".$db->escape($search_sale); } // Insert categ filter if ($search_categ) { - $sql .= " AND cs.fk_categorie = ".$search_categ; + $sql .= " AND cs.fk_categorie = ".$db->escape($search_categ); } if ($search_nom_only) { @@ -272,12 +272,12 @@ if ($resql) $num = $db->num_rows($resql); $i = 0; - $params = "&socname=".$socname."&search_nom=".$search_nom."&search_town=".$search_town; - $params.= ($sbarcode?"&sbarcode=".$sbarcode:""); - $params.= '&search_idprof1='.$search_idprof1; - $params.= '&search_idprof2='.$search_idprof2; - $params.= '&search_idprof3='.$search_idprof3; - $params.= '&search_idprof4='.$search_idprof4; + $params = "&socname=".htmlspecialchars($socname)."&search_nom=".htmlspecialchars($search_nom)."&search_town=".htmlspecialchars($search_town); + $params.= ($sbarcode?"&sbarcode=".htmlspecialchars($sbarcode):""); + $params.= '&search_idprof1='.htmlspecialchars($search_idprof1); + $params.= '&search_idprof2='.htmlspecialchars($search_idprof2); + $params.= '&search_idprof3='.htmlspecialchars($search_idprof3); + $params.= '&search_idprof4='.htmlspecialchars($search_idprof4); print_barre_liste($title, $page, $_SERVER["PHP_SELF"],$params,$sortfield,$sortorder,'',$num,$nbtotalofrecords); @@ -348,34 +348,34 @@ if ($resql) print ''; print ''; if (! empty($search_nom_only) && empty($search_nom)) $search_nom=$search_nom_only; - print ''; + print ''; print ''; // Barcode if (! empty($conf->barcode->enabled)) { - print ''; + print ''; } // Town print ''; // IdProf1 print ''; // IdProf2 print ''; // IdProf3 print ''; // IdProf4 print ''; // Type (customer/prospect/supplier) print '
'; - print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print '  
'; - print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; - print ''; + print ''; + print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print '';