From 1b5bbf72fccfb17e5b95c05db84b23e807bd6298 Mon Sep 17 00:00:00 2001 From: Faustin Date: Wed, 23 Nov 2022 13:41:02 +0100 Subject: [PATCH] Limit partnership creation on public page by ip adress --- htdocs/langs/en_US/errors.lang | 13 ++++----- htdocs/langs/fr_FR/main.lang | 1 + .../partnership/class/partnership.class.php | 3 +++ htdocs/public/partnership/new.php | 27 +++++++++++++++++++ 4 files changed, 38 insertions(+), 6 deletions(-) diff --git a/htdocs/langs/en_US/errors.lang b/htdocs/langs/en_US/errors.lang index 1625f580305..7bcecfa4999 100644 --- a/htdocs/langs/en_US/errors.lang +++ b/htdocs/langs/en_US/errors.lang @@ -97,7 +97,7 @@ ErrorWrongValueForField=Field %s: '%s' does not match regex rule < ErrorHtmlInjectionForField=Field %s: The value '%s' contains a malicious data not allowed ErrorFieldValueNotIn=Field %s: '%s' is not a value found in field %s of %s ErrorFieldRefNotIn=Field %s: '%s' is not a %s existing ref -ErrorMultipleRecordFoundFromRef=Several record found when searching from ref %s. No way to know which ID to use. +ErrorMultipleRecordFoundFromRef=Several record found when searching from ref %s. No way to know which ID to use. ErrorsOnXLines=%s errors found ErrorFileIsInfectedWithAVirus=The antivirus program was not able to validate the file (file might be infected by a virus) ErrorNumRefModel=A reference exists into database (%s) and is not compatible with this numbering rule. Remove record or renamed reference to activate this module. 
@@ -244,11 +244,12 @@ ErrorObjectMustHaveStatusActiveToBeDisabled=Objects must have status 'Active' to ErrorObjectMustHaveStatusDraftOrDisabledToBeActivated=Objects must have status 'Draft' or 'Disabled' to be enabled ErrorNoFieldWithAttributeShowoncombobox=No fields has property 'showoncombobox' into definition of object '%s'. No way to show the combolist. ErrorFieldRequiredForProduct=Field '%s' is required for product %s +AlreadyTooMuchPostOnThisIPAdress=You have already posted too much on this IP address. ProblemIsInSetupOfTerminal=Problem is in setup of terminal %s. ErrorAddAtLeastOneLineFirst=Add at least one line first ErrorRecordAlreadyInAccountingDeletionNotPossible=Error, record is already transferred in accounting, deletion is not possible. ErrorLanguageMandatoryIfPageSetAsTranslationOfAnother=Error, language is mandatory if you set the page as a translation of another one. -ErrorLanguageOfTranslatedPageIsSameThanThisPage=Error, language of translated page is same than this one. +ErrorLanguageOfTranslatedPageIsSameThanThisPage=Error, language of translated page is same than this one. ErrorBatchNoFoundForProductInWarehouse=No lot/serial found for product "%s" in warehouse "%s". ErrorBatchNoFoundEnoughQuantityForProductInWarehouse=No enough quantity for this lot/serial for product "%s" in warehouse "%s". ErrorOnlyOneFieldForGroupByIsPossible=Only 1 field for the 'Group by' is possible (others are discarded) 
@@ -281,11 +282,11 @@ ErrorIsNotADraft=%s is not a draft ErrorExecIdFailed=Can't execute command "id" ErrorBadCharIntoLoginName=Unauthorized character in the login name ErrorRequestTooLarge=Error, request too large -ErrorNotApproverForHoliday=You are not the approver for leave %s +ErrorNotApproverForHoliday=You are not the approver for leave %s ErrorAttributeIsUsedIntoProduct=This attribute is used in one or more product variants ErrorAttributeValueIsUsedIntoProduct=This attribute value is used in one or more product variants ErrorPaymentInBothCurrency=Error, all amounts must be entered in the same column -ErrorYouTryToPayInvoicesInACurrencyFromBankWithAnotherCurrency=You try to pay invoices in the currency %s from an account with the currency %s +ErrorYouTryToPayInvoicesInACurrencyFromBankWithAnotherCurrency=You try to pay invoices in the currency %s from an account with the currency %s ErrorInvoiceLoadThirdParty=Can't load third-party object for invoice "%s" ErrorInvoiceLoadThirdPartyKey=Third-party key "%s" no set for invoice "%s" ErrorDeleteLineNotAllowedByObjectStatus=Delete line is not allowed by current object status 
@@ -294,9 +295,9 @@ ErrorThirpdartyOrMemberidIsMandatory=Third party or Member of partnership is man ErrorFailedToWriteInTempDirectory=Failed to write in temp directory ErrorQuantityIsLimitedTo=Quantity is limited to %s ErrorFailedToLoadThirdParty=Failed to find/load thirdparty from id=%s, email=%s, name=%s -ErrorThisPaymentModeIsNotSepa=This payment mode is not a bank account +ErrorThisPaymentModeIsNotSepa=This payment mode is not a bank account ErrorStripeCustomerNotFoundCreateFirst=Stripe customer is not set for this thirdparty (or set to a value deleted on Stripe side). Create (or re-attach) it first. -ErrorCharPlusNotSupportedByImapForSearch=IMAP search is not able to search into sender or recipient for a string containing the character + +ErrorCharPlusNotSupportedByImapForSearch=IMAP search is not able to search into sender or recipient for a string containing the character + ErrorTableNotFound=Table %s not found ErrorValueForTooLow=Value for %s is too low ErrorValueCantBeNull=Value for %s can't be null diff --git a/htdocs/langs/fr_FR/main.lang b/htdocs/langs/fr_FR/main.lang index eb787cb279d..37bd9224798 100644 --- a/htdocs/langs/fr_FR/main.lang +++ b/htdocs/langs/fr_FR/main.lang @@ -45,6 +45,7 @@ NoError=Aucune erreur Error=Erreur Errors=Erreurs ErrorFieldRequired=Le champ '%s' est obligatoire +AlreadyTooMuchPostOnThisIPAdress=Vous avez déjà posté trop de messages depuis cette adresse IP. ErrorFieldFormat=Le champ '%s' a une valeur incorrecte ErrorFileDoesNotExists=Le fichier %s n'existe pas ErrorFailedToOpenFile=Impossible d'ouvrir le fichier %s diff --git a/htdocs/partnership/class/partnership.class.php b/htdocs/partnership/class/partnership.class.php index 4838c80f92d..93897771019 100644 --- a/htdocs/partnership/class/partnership.class.php +++ b/htdocs/partnership/class/partnership.class.php 
@@ -22,6 +22,8 @@
 * \brief This file is a CRUD class file for Partnership (Create/Read/Update/Delete)
 */
 
+use Illuminate\Support\Arr;
+
 // Put here all includes required by your class file
 require_once DOL_DOCUMENT_ROOT.'/core/class/commonobject.class.php';
 //require_once DOL_DOCUMENT_ROOT . '/societe/class/societe.class.php';
@@ -124,6 +126,7 @@ class Partnership extends CommonObject
 'last_check_backlink' => array('type'=>'datetime', 'label'=>'LastCheckBacklink', 'enabled'=>'1', 'position'=>72, 'notnull'=>0, 'visible'=>-2,),
 'reason_decline_or_cancel' => array('type'=>'text', 'label'=>'ReasonDeclineOrCancel', 'enabled'=>'1', 'position'=>73, 'notnull'=>0, 'visible'=>-2,),
 'fk_soc' => array('type'=>'integer:Societe:societe/class/societe.class.php:1:status=1 AND entity IN (__SHARED_ENTITIES__)', 'label'=>'ThirdParty', 'picto'=>'company', 'enabled'=>'1', 'position'=>50, 'notnull'=>-1, 'visible'=>1, 'index'=>1, 'css'=>'maxwidth500', 'csslist'=>'tdoverflowmax150',),
+'ip' => array('type'=>'varchar(250)', 'label'=>'Ip', 'enabled'=>'1', 'position'=>74, 'notnull'=>0, 'visible'=>-2,),
 );
 public $rowid;
 public $ref;
diff --git a/htdocs/public/partnership/new.php b/htdocs/public/partnership/new.php
index 5064ec68695..3420806608a 100644
--- a/htdocs/public/partnership/new.php
+++ b/htdocs/public/partnership/new.php
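Review bot: The added `use Illuminate\Support\Arr;` in partnership.class.php imports a Laravel namespace that nothing in this patch references and that the diffstat gives no sign the project ships, so it is most likely an editor auto-import. PHP does not resolve a `use` statement until the name is actually used, so it passes silently today and would only surface as a fatal error the first time someone calls `Arr::` in this class, while misleading readers about what the class depends on. Drop the two added lines (`use Illuminate\Support\Arr;` and the blank line after it).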
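Review bot: The new `ip` entry in `$fields` has no matching table or upgrade-script change in this patch (the diffstat lists only two lang files, this class and new.php), so if `create()` inserts every declared field, as Dolibarr's generic create path does, the public form will fail with an unknown-column error on any installation whose partnership table lacks the column — confirm the column is added elsewhere or add it here. Because new.php now runs `WHERE ip = ...` on every public submission, the field should also carry `'index'=>1`, and unless `getUserRemoteIP()` can return a multi-address forwarding chain, `varchar(250)` is oversized: 45 characters covers the longest IPv6 text form. Suggested line: `'ip' => array('type'=>'varchar(45)', 'label'=>'Ip', 'enabled'=>'1', 'position'=>74, 'notnull'=>0, 'visible'=>-2, 'index'=>1,),`.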
@@ -223,7 +223,27 @@ if (empty($reshook) && $action == 'add') {
 $partnership->fk_user_creat = 0;
 $partnership->fk_type = GETPOST('partnershiptype', 'int');
 //$partnership->typeid = $conf->global->PARTNERSHIP_NEWFORM_FORCETYPE ? $conf->global->PARTNERSHIP_NEWFORM_FORCETYPE : GETPOST('typeid', 'int');
+$partnership->ip = getUserRemoteIP();
+$nb_post_max = getDolGlobalInt("MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS", 1000);
+
+// Calculate nb of post for IP
+$nb_post_ip = 0;
+if ($nb_post_max > 0) { // Calculate only if there is a limit to check
+$sql = "SELECT COUNT(ref) as nb_partnerships";
+$sql .= " FROM ".MAIN_DB_PREFIX."partnership";
+$sql .= " WHERE ip = '".$db->escape($partnership->ip)."'";
+$resql = $db->query($sql);
+if ($resql) {
+$num = $db->num_rows($resql);
+$i = 0;
+while ($i < $num) {
+$i++;
+$obj = $db->fetch_object($resql);
+$nb_post_ip = $obj->nb_partnerships;
+}
+}
+}
 
 // test if societe already exist
 $company = new Societe($db);
 $result = $company->fetch(0, GETPOST('societe'));
@@ -290,6 +310,11 @@ if (empty($reshook) && $action == 'add') {
 $error++;
 }
 
+if ($nb_post_max > 0 && $nb_post_ip >= $nb_post_max) {
+$error++;
+$errmsg = $langs->trans("AlreadyTooMuchPostOnThisIPAdress");
+array_push($partnership->errors, $langs->trans("AlreadyTooMuchPostOnThisIPAdress"));
+}
 if (!$error) {
 $result = $partnership->create($user);
 if ($result > 0) {
@@ -464,6 +489,8 @@ if (empty($reshook) && $action == 'add') {
 $error++;
 $errmsg .= join('
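Review bot: The cap keys on `getUserRemoteIP()`, and whether that helper honours client-controlled headers such as X-Forwarded-For is not visible here; if it does, a client can present a fresh address on every request and the limit is a no-op, so the value used for counting must come from REMOTE_ADDR unless the request provably arrived through a configured proxy. The count itself is read with a `while ($i < $num)` loop over the rows of a `COUNT()` query, which always yields exactly one row, so `$num`, `$i` and the loop can go in favour of a single `fetch_object`, with a defensive `(int)` cast since drivers may hand the count back as a string. Note also that the counter is a lifetime total with no time window, so a shared office or carrier-NAT address is permanently locked out once it reaches the cap; a window on `date_creation` would make this a rate limit rather than a quota. A failed query leaves `$nb_post_ip` at 0 and silently lifts the limit, which is only acceptable if `create()` would fail on the same database error anyway.
```php
$partnership->ip = getUserRemoteIP();
$nb_post_max = getDolGlobalInt("MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS", 1000);

// Number of earlier submissions from this IP. A COUNT() query yields exactly one row,
// so a single fetch is enough; on query failure the count stays 0 (limit not enforced).
$nb_post_ip = 0;
if ($nb_post_max > 0) {
	$sql = "SELECT COUNT(ref) as nb_partnerships";
	$sql .= " FROM ".MAIN_DB_PREFIX."partnership";
	$sql .= " WHERE ip = '".$db->escape($partnership->ip)."'";
	$resql = $db->query($sql);
	if ($resql) {
		$obj = $db->fetch_object($resql);
		$nb_post_ip = $obj ? (int) $obj->nb_partnerships : 0;
	}
}
// … unchanged: third-party lookup ($company->fetch) …
```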
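Review bot: `$errmsg = $langs->trans("AlreadyTooMuchPostOnThisIPAdress");` uses plain assignment directly after a validation block that has already done `$error++` and presumably filled `$errmsg`, so any earlier message is overwritten and only the IP-limit text survives; the create-failure path later in this file appends with `$errmsg .= ...`, and this line should do the same, e.g. `$errmsg .= ($errmsg ? '<br>' : '').$langs->trans("AlreadyTooMuchPostOnThisIPAdress");` using whatever separator the later `join()` uses. The same text is also pushed into `$partnership->errors`, so whichever of the two the page prints, the other is redundant — pick one channel. The check runs after the third-party lookup and the other validations even though `$nb_post_ip` was already computed before them; moving it to the top of the validation sequence rejects a capped client before any further database work. The lang key lacks the `Error` prefix its neighbours in errors.lang use and misspells "Address"; cosmetic, but it is what future greps will have to find.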
', $partnership->errors); } + } else { + setEventMessage($errmsg, 'errors'); } }
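Review bot: The new `else` branch calls `setEventMessage($errmsg, 'errors')` only when validation failed before `create()` was attempted; the create-failure branch a few lines above appends `$partnership->errors` to `$errmsg` but never reaches this call, so the two failure paths now surface errors through different channels. If the page also prints `$errmsg` when it redraws the form (outside this hunk), validation errors will be shown twice; either move one `setEventMessage($errmsg, 'errors')` after the whole `if (!$error) { ... }` so both paths share it, or keep the single existing display path. `$errmsg` may also be empty when an earlier check only did `$error++` without a message, in which case this pushes an empty event message; guard it with `if ($errmsg)`. The enclosing `if (empty($reshook) && $action == 'add')` block starts outside the hunk.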