diff --git a/htdocs/expensereport/ajax/ajaxik.php b/htdocs/expensereport/ajax/ajaxik.php
index 6b64a28d50c..c2cc8345671 100644
--- a/htdocs/expensereport/ajax/ajaxik.php
+++ b/htdocs/expensereport/ajax/ajaxik.php
@@ -17,7 +17,7 @@
 */
 /**
- * \file htdocs/expensereport/ajax/ajaxprojet.php
+ * \file htdocs/expensereport/ajax/ajaxik.php
 * \ingroup expensereport
 * \brief File to return Ajax response on third parties request
 */
@@ -49,6 +49,12 @@ require_once DOL_DOCUMENT_ROOT.'/expensereport/class/expensereport_ik.class.php'
 // Load translation files required by the page
 $langs->loadlangs(array('errors', 'trips'));
+$fk_expense = GETPOST('fk_expense', 'int');
+$fk_c_exp_tax_cat = GETPOST('fk_c_exp_tax_cat', 'int');
+
+// Security check
+$result = restrictedArea($user, 'expensereport', $fk_expense, 'expensereport');
+
 /*
 * View
@@ -56,9 +62,6 @@ $langs->loadlangs(array('errors', 'trips'));
 top_httphead();
-$fk_expense = GETPOST('fk_expense', 'int');
-$fk_c_exp_tax_cat = GETPOST('fk_c_exp_tax_cat', 'int');
-
 if (empty($fk_expense) || $fk_expense < 0) {
 echo json_encode(array('error' => $langs->transnoentitiesnoconv('ErrorBadValueForParameter', $fk_expense, 'fk_expense')));
 } elseif (empty($fk_c_exp_tax_cat) || $fk_c_exp_tax_cat < 0) {
diff --git a/htdocs/expensereport/ajax/ajaxprojet.php b/htdocs/expensereport/ajax/ajaxprojet.php
deleted file mode 100644
index 8549d62fa62..00000000000
--- a/htdocs/expensereport/ajax/ajaxprojet.php
+++ /dev/null
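Review bot: In the `ajaxik.php` hunk at `@@ -49,6 +49,12 @@`, the value assigned to `$result` is not read in any visible line, so the new check protects the endpoint only if `restrictedArea()` itself ends the request on denial; that is presumably the case, but it should be stated next to the call. The check also runs before `top_httphead()` and before the `empty($fk_expense) || $fk_expense < 0` validation shown in the next hunk, so an empty or negative id is passed to the access check, and a denied caller gets whatever `restrictedArea()` emits rather than the JSON error shape the rest of the script uses. I would extend the comment to something like `// Security check: read access to expense report $fk_expense; restrictedArea() is expected to stop the request on denial` and confirm what `restrictedArea()` does for an empty id. The script continues outside the hunk.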
@@ -1,95 +0,0 @@
-
- * Copyright (C) 2005-2009 Regis Houssin
- * Copyright (C) 2007-2010 Laurent Destailleur
- * Copyright (C) 2010 Cyrille de Lambert
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see .
- */
-
-/**
- * \file htdocs/expensereport/ajax/ajaxprojet.php
- * \ingroup expensereport
- * \brief File to return Ajax response on third parties request
- */
-
-if (!defined('NOTOKENRENEWAL')) {
- define('NOTOKENRENEWAL', 1); // Disables token renewal
-}
-if (!defined('NOREQUIREMENU')) {
- define('NOREQUIREMENU', '1');
-}
-if (!defined('NOREQUIREHTML')) {
- define('NOREQUIREHTML', '1');
-}
-if (!defined('NOREQUIREAJAX')) {
- define('NOREQUIREAJAX', '1');
-}
-if (!defined('NOREQUIRESOC')) {
- define('NOREQUIRESOC', '1');
-}
-if (!defined('NOCSRFCHECK')) {
- define('NOCSRFCHECK', '1');
-}
-
-$res = 0;
-require '../../main.inc.php';
-
-
-/*
- * View
- */
-
-// Ajout directives pour resoudre bug IE
-//header('Cache-Control: Public, must-revalidate');
-//header('Pragma: public');
-
-//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
-top_httphead();
-
-//print ''."\n";
-
-dol_syslog(join(',', $_GET));
-
-
-// Generation liste des projets
-if (GETPOST('fk_projet') != '') {
- $return_arr = array();
-
- $sql = "SELECT p.rowid, p.ref, p.title, s.nom";
- $sql .= " FROM ".MAIN_DB_PREFIX."projet as p";
- $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON p.fk_soc = s.rowid";
- if (!empty($_GET["fk_projet"])) {
- $sql .= " WHERE p.ref LIKE '%".$db->escape($_GET["fk_projet"])."%' OR p.title LIKE '%".$db->escape($_GET["fk_projet"])."%' OR s.nom LIKE '%".$db->escape($_GET["fk_projet"])."%'"; // Add other filters
- }
- $sql .= " ORDER BY p.ref ASC";
-
- $resql = $db->query($sql);
- if ($resql) {
- while ($row = $db->fetch_array($resql)) {
- $label = $row['ref'].' - '.$row['title'];
- $row_array['label'] = $label;
- $row_array['value'] = $label;
- $row_array['key'] = $row['rowid'];
-
- array_push($return_arr, $row_array);
- }
-
- echo json_encode($return_arr);
- } else {
- echo json_encode(array('nom'=>'Error', 'label'=>'Error', 'key'=>'Error', 'value'=>'Error'));
- }
-} else {
- echo json_encode(array('nom'=>'ErrorBadParameter', 'label'=>'ErrorBadParameter', 'key'=>'ErrorBadParameter', 'value'=>'ErrorBadParameter'));
-}
diff --git a/htdocs/expensereport/card.php b/htdocs/expensereport/card.php
index 1c3e8594c41..c356ed708b2 100644
--- a/htdocs/expensereport/card.php
+++ b/htdocs/expensereport/card.php
@@ -67,14 +67,6 @@ $socid = GETPOST('socid', 'int') ?GETPOST('socid', 'int') : GETPOST('socid_id',
 $childids = $user->getAllChildIds(1);
-// Security check
-$id = GETPOST("id", 'int');
-if ($user->socid) {
- $socid = $user->socid;
-}
-$result = restrictedArea($user, 'expensereport', $id, 'expensereport');
-
-
 // Hack to use expensereport dir
 $rootfordata = DOL_DATA_ROOT;
 $rootforuser = DOL_DATA_ROOT;
@@ -111,10 +103,8 @@ $permissionnote = $user->rights->expensereport->creer; // Used by the include of
 $permissiondellink = $user->rights->expensereport->creer; // Used by the include of actions_dellink.inc.php
 $permissiontoadd = $user->rights->expensereport->creer; // Used by the include of actions_addupdatedelete.inc.php and actions_lineupdown.inc.php
-
 $upload_dir = $conf->expensereport->dir_output.'/'.dol_sanitizeFileName($object->ref);
-
 if ($object->id > 0) {
 // Check current user can read this expense report
 $canread = 0;
@@ -129,6 +119,13 @@ if ($object->id > 0) {
 }
 }
+// Security check
+$id = GETPOST("id", 'int');
+if ($user->socid) {
+ $socid = $user->socid;
+}
+$result = restrictedArea($user, 'expensereport', $object->id, 'expensereport');
+
 /*
 * Actions
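Review bot: In the `card.php` hunk at `@@ -129,6 +119,13 @@`, the external-user override `if ($user->socid) { $socid = $user->socid; }` has moved down together with the access check, so any code between its old position (line 67) and this point that reads `$socid` now sees the value taken from the request. That code lies outside the hunks, so this may be harmless, but the override is cheap to keep right after `$socid` is read, with only the `restrictedArea()` call following the object load. The re-read `$id = GETPOST("id", 'int');` looks like a leftover of the moved block, since the check now uses `$object->id` and anything that loads the object by `$id` must already have it set earlier. It is also worth a comment on the case where no object was loaded, for example `// $object->id is empty when nothing was fetched; confirm what restrictedArea() enforces then`.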