From fdf6c32fbc708fd3f3d74b607fc73f2779959637 Mon Sep 17 00:00:00 2001
From: Regis Houssin <regis.houssin@capnetworks.com>
Date: Thu, 13 Aug 2015 12:47:04 +0200
Subject: [PATCH 1/6] Fix: place the form outside the table for avoid errors

---
 htdocs/product/stock/mouvement.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/htdocs/product/stock/mouvement.php b/htdocs/product/stock/mouvement.php
index 177d8c5e0b3..5622899c052 100644
--- a/htdocs/product/stock/mouvement.php
+++ b/htdocs/product/stock/mouvement.php
@@ -414,6 +414,10 @@ if ($resql)
     if ($id) print_barre_liste($texte, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder,'',$num,0,'');
     else print_barre_liste($texte, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder,'',$num);
 
+
+    print '<form method="get" action="'.$_SERVER["PHP_SELF"].'">';
+    if ($id) print '<input type="hidden" name="id" value="'.$id.'">';
+
     print '<table class="noborder" width="100%">';
     print "<tr class=\"liste_titre\">";
     //print_liste_field_titre($langs->trans("Id"),$_SERVER["PHP_SELF"], "m.rowid","",$param,"",$sortfield,$sortorder);
@@ -428,9 +432,6 @@ if ($resql)
     print "</tr>\n";
 
     // Lignes des champs de filtre
-    print '<form method="get" action="'.$_SERVER["PHP_SELF"].'">';
-    if ($id) print '<input type="hidden" name="id" value="'.$id.'">';
-
     print '<tr class="liste_titre">';
     print '<td class="liste_titre" valign="right">';
     print $langs->trans('Month').': <input class="flat" type="text" size="2" maxlength="2" name="month" value="'.$month.'">';
@@ -465,7 +466,6 @@ if ($resql)
     print '<input type="image" class="liste_titre" src="'.img_picto($langs->trans("Search"),'searchclear.png','','',1).'" name="button_removefilter" value="'.dol_escape_htmltag($langs->trans("RemoveFilter")).'" title="'.dol_escape_htmltag($langs->trans("RemoveFilter")).'">';
     print '</td>';
     print "</tr>\n";
-    print '</form>';
 
     $arrayofuniqueproduct=array();
 
@@ -526,7 +526,7 @@ if ($resql)
     }
     $db->free($resql);
 
-    print "</table><br>";
+    print "</table></form><br>";
 
     // Add number of product when there is a filter on period
     if (count($arrayofuniqueproduct) == 1 && is_numeric($year))

From b3a7b4404608d9f42ad9a78ce79cdcf5fc9ac86e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcos=20Garci=CC=81a=20de=20La=20Fuente?=
 <marcosgdf@gmail.com>
Date: Fri, 14 Aug 2015 12:29:32 +0200
Subject: [PATCH 2/6] FIX [ bug #3321 ] Users with certain permissions were
 shown a "forbidden access" page even if they had the rights

Close #3321
---
 ChangeLog                        | 1 +
 htdocs/core/lib/security.lib.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 9b403733438..f62facbdc36 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -20,6 +20,7 @@ FIX: Not showing delivery date on rouget pdf
 FIX: Not showing task extrafields when creating from left menu
 FIX [ bug #3288 ] Tasks box is not properly drawn
 FIX [ bug #3211 ] Outstading bill amount of a client showed wrong amounts
+FIX [ bug #3321 ] Users with certain permissions were shown a "forbidden access" page even if they had the rights
 
 NEW: Created new ContratLigne::insert function
 
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 73f3b0fa244..b80ae15a277 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -451,7 +451,7 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature
                 	if (empty($dbt_keyfield)) dol_print_error('','Param dbt_keyfield is required but not defined');
                    
 
-				    $sql = "SELECT dbt.id";
+				    $sql = "SELECT dbt.$dbt_select";
                     $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
                     $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON (dbt.".$dbt_keyfield." = s.rowid)";
                     $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON (sc.fk_soc = dbt.".$dbt_keyfield.")";

From 6e9bf70add7f1e938cd0e733d88b6f6ae7d37d38 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 19 Aug 2015 15:12:11 +0200
Subject: [PATCH 3/6] Fix bad text into file

---
 build.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.xml b/build.xml
index 570821a7c7b..c6995ce95f3 100644
--- a/build.xml
+++ b/build.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!-- Script build for hudson CI -->
 <project name="dolibarr" default="hudson" basedir=".">
-fdfds
 <!-- Exclude/ignore paths -->
  <property name="ignorepaths" value="${basedir}/htdocs/conf,${basedir}/htdocs/core/filemanagerdol,${basedir}/htdocs/includes" />
  <property name="ignoreregexp" value="**/PEAR/*,**/NET/*,**/HTTP/*,**/zendgdata/*,**/reportico/*" />

From c3fb14855be5c49172dedc451dddc4bcfded8a4e Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Thu, 20 Aug 2015 03:38:21 +0200
Subject: [PATCH 4/6] Try a better fix to replace PR #3297

---
 htdocs/core/tpl/objectline_edit.tpl.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/htdocs/core/tpl/objectline_edit.tpl.php b/htdocs/core/tpl/objectline_edit.tpl.php
index f7bcf4ed091..bb75b007524 100644
--- a/htdocs/core/tpl/objectline_edit.tpl.php
+++ b/htdocs/core/tpl/objectline_edit.tpl.php
@@ -278,7 +278,7 @@ if (! empty($conf->margin->enabled))
 		var remise = $("input[name='remise_percent']:first");
 
 		var rate = $("input[name='"+npRate+"']:first");
-		if (rate.val() == '') return true;
+		if (rate.val() == '' || (typeof rate.val()) == 'undefined' ) return true;
 
 		if (! $.isNumeric(rate.val().replace(',','.')))
 		{
@@ -287,7 +287,7 @@ if (! empty($conf->margin->enabled))
 			setTimeout(function () { rate.focus() }, 50);
 			return false;
 		}
-		if (npRate == "markRate" && rate.val() >= 100)
+		if (npRate == "np_markRate" && rate.val() >= 100)
 		{
 			alert('<?php echo $langs->trans("markRateShouldBeLesserThan100"); ?>');
 			e.stopPropagation();
@@ -303,9 +303,11 @@ if (! empty($conf->margin->enabled))
 			bpjs=price2numjs(buying_price.val());
 			ratejs=price2numjs(rate.val());
 
-			if (npRate == "marginRate")
+			/* console.log(npRate+" - "+bpjs+" - "+ratejs); */
+
+			if (npRate == "np_marginRate")
 				price = ((bpjs * (1 + ratejs / 100)) / (1 - remisejs / 100));
-			else if (npRate == "markRate")
+			else if (npRate == "np_markRate")
 				price = ((bpjs / (1 - ratejs / 100)) / (1 - remisejs / 100));
 		}
 		$("input[name='price_ht']:first").val(price);	// TODO Must use a function like php price to have here a formated value

From 1b409538a8b1ddb7c4d5081399442996c307aab4 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Thu, 20 Aug 2015 15:50:00 +0200
Subject: [PATCH 5/6] Fix #3400

Conflicts:
	htdocs/core/lib/date.lib.php
---
 htdocs/core/lib/date.lib.php                  |  4 +--
 .../contract/doc/pdf_strato.modules.php       | 27 +++++++++++++++----
 2 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/htdocs/core/lib/date.lib.php b/htdocs/core/lib/date.lib.php
index 4d83f76b910..ba6e219a1ed 100644
--- a/htdocs/core/lib/date.lib.php
+++ b/htdocs/core/lib/date.lib.php
@@ -166,7 +166,7 @@ function convertTime2Seconds($iHours=0,$iMinutes=0,$iSeconds=0)
 /**	  	Return, in clear text, value of a number of seconds in days, hours and minutes
  *
  *    	@param      int		$iSecond		Number of seconds
- *    	@param      string	$format		    Output format (all: total delay days hour:min like "2 days 12:30"", allhourmin: total delay hours:min like "60:30", allhour: total delay hours without min/sec like "60:30", fullhour: total delay hour decimal like "60.5" for 60:30, hour: only hours part "12", min: only minutes part "30", sec: only seconds part, month: only month part, year: only year part);
+ *    	@param      string	$format		    Output format ('all': total delay days hour:min like "2 days 12:30", 'allwithouthour': total delay days without hour part like "2 days", 'allhourmin': total delay with format hours:min like "60:30", 'allhour': total delay hours without min/sec like "60:30", 'fullhour': total delay hour decimal like "60.5" for 60:30, 'hour': only hours part "12", 'min': only minutes part "30", 'sec': only seconds part, 'month': only month part, 'year': only year part);
  *      @param      int		$lengthOfDay    Length of day (default 86400 seconds for 1 day, 28800 for 8 hour)
  *      @param      int		$lengthOfWeek   Length of week (default 7)
  *    	@return     string		 		 	Formated text of duration
@@ -179,7 +179,7 @@ function convertSecondToTime($iSecond, $format='all', $lengthOfDay=86400, $lengt
 	if (empty($lengthOfDay))  $lengthOfDay = 86400;         // 1 day = 24 hours
     if (empty($lengthOfWeek)) $lengthOfWeek = 7;            // 1 week = 7 days
 
-	if ($format == 'all' || $format == 'allhour' || $format == 'allhourmin')
+	if ($format == 'all' || $format == 'allwithouthour' || $format == 'allhour' || $format == 'allhourmin')
 	{
 		if ($iSecond === 0) return '0';	// This is to avoid having 0 return a 12:00 AM for en_US
 
diff --git a/htdocs/core/modules/contract/doc/pdf_strato.modules.php b/htdocs/core/modules/contract/doc/pdf_strato.modules.php
index ea75b7cf171..f9ad83b944d 100644
--- a/htdocs/core/modules/contract/doc/pdf_strato.modules.php
+++ b/htdocs/core/modules/contract/doc/pdf_strato.modules.php
@@ -268,18 +268,32 @@ class pdf_strato extends ModelePDFContract
 
 						// Description of product line
 
-						if ($objectligne->datei) {
-							$datei = dol_print_date($objectligne->datei,'dayhour',false,$outputlangs,true);
+						if ($objectligne->date_ouverture_prevue) {
+							$datei = dol_print_date($objectligne->date_ouverture_prevue,'day',false,$outputlangs,true);
 						} else {
 							$datei = $langs->trans("Unknown");
 						}
 
-						if ($objectligne->duration) {
-							$durationi = convertSecondToTime($objectligne->duration);
+						if ($objectligne->date_fin_validite) {
+							$durationi = convertSecondToTime($objectligne->date_fin_validite - $objectligne->date_ouverture_prevue, 'allwithouthour');
+							$datee = dol_print_date($objectligne->date_fin_validite,'day',false,$outputlangs,true);
 						} else {
 							$durationi = $langs->trans("Unknown");
+							$datee = $langs->trans("Unknown");
 						}
 
+						if ($objectligne->date_ouverture) {
+							$daters = dol_print_date($objectligne->date_ouverture,'day',false,$outputlangs,true);
+						} else {
+							$daters = $langs->trans("Unknown");
+						}
+
+						if ($objectligne->date_cloture) {
+							$datere = dol_print_date($objectligne->date_cloture,'day',false,$outputlangs,true);
+						} else {
+							$datere = $langs->trans("Unknown");
+						}
+						
 						$txtpredefinedservice='';
                         $txtpredefinedservice = $objectligne->product_ref;
                         if ($objectligne->product_label)
@@ -288,7 +302,10 @@ class pdf_strato extends ModelePDFContract
                         	$txtpredefinedservice .= $objectligne->product_label;
                         }
 
-						$txt='<strong>'.dol_htmlentitiesbr($outputlangs->transnoentities("Date")." : ".$datei." - ".$outputlangs->transnoentities("Duration")." : ".$durationi,1,$outputlangs->charset_output).'</strong>';
+						$txt='<strong>'.dol_htmlentitiesbr($outputlangs->transnoentities("DateStartPlannedShort")." : ".$datei." - ".$outputlangs->transnoentities("DateEndPlanned")." : ".$datee,1,$outputlangs->charset_output).'</strong>';
+						$txt.='<br>';
+						$txt.='<strong>'.dol_htmlentitiesbr($outputlangs->transnoentities("DateStartRealShort")." : ".$daters,1,$outputlangs->charset_output);
+						if ($objectligne->date_cloture) $txt.=dol_htmlentitiesbr(" - ".$outputlangs->transnoentities("DateEndRealShort")." : ".$datere,1,$outputlangs->charset_output).'</strong>';
 						$desc=dol_htmlentitiesbr($objectligne->desc,1);
 
 						$pdf->writeHTMLCell(0, 0, $curX, $curY, dol_concatdesc($txt,dol_concatdesc($txtpredefinedservice,$desc)), 0, 1, 0);

From da8e71b2c52c6970825571ee936ee3469167f09c Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Thu, 20 Aug 2015 16:05:29 +0200
Subject: [PATCH 6/6] Fix #3309

---
 htdocs/societe/class/societe.class.php | 2 +-
 htdocs/user/card.php                   | 2 +-
 htdocs/user/class/user.class.php       | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php
index 0869f46c575..fb99c05728c 100644
--- a/htdocs/societe/class/societe.class.php
+++ b/htdocs/societe/class/societe.class.php
@@ -672,7 +672,7 @@ class Societe extends CommonObject
         $this->localtax2_value=trim($this->localtax2_value);
 
         $this->capital=price2num(trim($this->capital),'MT');
-        if (empty($this->capital)) $this->capital = 0;
+        if (empty($this->capital) || ! is_numeric($this->capital)) $this->capital = 0;
 
         $this->effectif_id=trim($this->effectif_id);
         $this->forme_juridique_code=trim($this->forme_juridique_code);
diff --git a/htdocs/user/card.php b/htdocs/user/card.php
index 737af4baa27..6693544f78d 100644
--- a/htdocs/user/card.php
+++ b/htdocs/user/card.php
@@ -709,7 +709,7 @@ if (($action == 'create') || ($action == 'adduserldap'))
     print '<form action="'.$_SERVER['PHP_SELF'].'" method="POST" name="createuser">';
     print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
     print '<input type="hidden" name="action" value="add">';
-    if (! empty($ldap_sid)) print '<input type="hidden" name="ldap_sid" value="'.$ldap_sid.'">';
+    if (! empty($ldap_sid)) print '<input type="hidden" name="ldap_sid" value="'.dol_escape_htmltag($ldap_sid).'">';
     print '<input type="hidden" name="entity" value="'.$conf->entity.'">';
 
     print '<table class="border" width="100%">';
diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php
index 280e6491f17..dce4dbcf720 100644
--- a/htdocs/user/class/user.class.php
+++ b/htdocs/user/class/user.class.php
@@ -182,7 +182,7 @@ class User extends CommonObject
 
 		if ($sid)    // permet une recherche du user par son SID ActiveDirectory ou Samba
 		{
-			$sql.= " AND (u.ldap_sid = '".$sid."' OR u.login = '".$this->db->escape($login)."') LIMIT 1";
+			$sql.= " AND (u.ldap_sid = '".$this->db->escape($sid)."' OR u.login = '".$this->db->escape($login)."') LIMIT 1";
 		}
 		else if ($login)
 		{
@@ -845,7 +845,7 @@ class User extends CommonObject
 			else
 			{
 				$sql = "INSERT INTO ".MAIN_DB_PREFIX."user (datec,login,ldap_sid,entity)";
-				$sql.= " VALUES('".$this->db->idate($this->datec)."','".$this->db->escape($this->login)."','".$this->ldap_sid."',".$this->db->escape($this->entity).")";
+				$sql.= " VALUES('".$this->db->idate($this->datec)."','".$this->db->escape($this->login)."','".$this->db->escape($this->ldap_sid)."',".$this->db->escape($this->entity).")";
 				$result=$this->db->query($sql);
 
 				dol_syslog(get_class($this)."::create", LOG_DEBUG);