From 1e88704a148577c10ddc02deb3be15043be1442a Mon Sep 17 00:00:00 2001
From: Faustin
Date: Wed, 23 Nov 2022 17:32:32 +0100
Subject: [PATCH] Limit project creation on public page by ip adress
---
.../install/mysql/migration/16.0.0-17.0.0.sql | 1 +
htdocs/projet/class/project.class.php | 4 +-
htdocs/public/project/new.php | 163 +++++++++++-------
htdocs/public/project/viewandvote.php | 8 +-
4 files changed, 104 insertions(+), 72 deletions(-)
diff --git a/htdocs/install/mysql/migration/16.0.0-17.0.0.sql b/htdocs/install/mysql/migration/16.0.0-17.0.0.sql
index 0b4b773be40..c0d3552a440 100644
--- a/htdocs/install/mysql/migration/16.0.0-17.0.0.sql
+++ b/htdocs/install/mysql/migration/16.0.0-17.0.0.sql
@@ -64,6 +64,7 @@ UPDATE llx_c_paiement SET code = 'BANCON' WHERE code = 'BAN' AND libelle = 'Banc
 ALTER TABLE llx_partnership ADD COLUMN ip varchar(250);
 ALTER TABLE llx_adherent ADD COLUMN ip varchar(250);
+ALTER TABLE llx_projet ADD COLUMN ip varchar(250);
 ALTER TABLE llx_fichinterdet_rec DROP COLUMN remise;
 ALTER TABLE llx_fichinterdet_rec DROP COLUMN fk_export_commpta;
diff --git a/htdocs/projet/class/project.class.php b/htdocs/projet/class/project.class.php
index e3865663bf7..0e15b26b114 100644
--- a/htdocs/projet/class/project.class.php
+++ b/htdocs/projet/class/project.class.php
@@ -308,7 +308,7 @@ class Project extends CommonObject
 'fk_user_modif' =>array('type'=>'integer', 'label'=>'UserModification', 'enabled'=>1, 'visible'=>0, 'position'=>415),
 'import_key' =>array('type'=>'varchar(14)', 'label'=>'ImportId', 'enabled'=>1, 'visible'=>0, 'position'=>420),
 'email_msgid'=>array('type'=>'varchar(255)', 'label'=>'EmailMsgID', 'enabled'=>1, 'visible'=>-1, 'position'=>450, 'help'=>'EmailMsgIDWhenSourceisEmail'),
- 'fk_statut' =>array('type'=>'smallint(6)', 'label'=>'Status', 'enabled'=>1, 'visible'=>1, 'notnull'=>1, 'position'=>500)
+ 'fk_statut' =>array('type'=>'smallint(6)', 'label'=>'Status', 'enabled'=>1, 'visible'=>1, 'notnull'=>1, 'position'=>500),
 );
 // END MODULEBUILDER PROPERTIES
@@ -435,6 +435,7 @@ class Project extends CommonObject
 $sql .= ", note_private";
 $sql .= ", note_public";
 $sql .= ", entity";
+ $sql .= ", ip";
 $sql .= ") VALUES (";
 $sql .= "'".$this->db->escape($this->ref)."'";
 $sql .= ", '".$this->db->escape($this->title)."'";
@@ -466,6 +467,7 @@ class Project extends CommonObject
 $sql .= ", ".($this->note_private ? "'".$this->db->escape($this->note_private)."'" : 'null');
 $sql .= ", ".($this->note_public ? "'".$this->db->escape($this->note_public)."'" : 'null');
 $sql .= ", ".((int) $conf->entity);
+ $sql .= ", ".(!isset($this->ip) ? 'NULL' : "'".$this->db->escape($this->ip)."'");
 $sql .= ")";
 dol_syslog(get_class($this)."::create", LOG_DEBUG);
diff --git a/htdocs/public/project/new.php b/htdocs/public/project/new.php
index 61bbd23ea61..46209d76a24 100644
--- a/htdocs/public/project/new.php
+++ b/htdocs/public/project/new.php
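Review bot: The INSERT built in the `@@ -466` hunk now writes `ip` unconditionally, so `create()` fails on any database that has not run the migration; the diffstat shows only the migration script changing and no table-definition SQL for llx_projet, so fresh installs may lack the column unless it is added elsewhere (worth confirming). The first hunk only adds a trailing comma to the MODULEBUILDER fields array without an `'ip'` entry, and no `$ip` property declaration is visible in this patch, so `$this->ip` would be a dynamic property (deprecated since PHP 8.2); if the class really has none, add `public $ip;` beside the other properties and a fields entry such as `'ip' =>array('type'=>'varchar(250)', 'label'=>'IPAddress', 'enabled'=>1, 'visible'=>0, 'position'=>510),` (label and position are placeholders). The body of `create()` continues outside these hunks; if `fetch()`/`update()` are not extended as well, the stored value is write-only.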
@@ -296,6 +296,26 @@ if (empty($reshook) && $action == 'add') {
 $proj->opp_status = $defaultoppstatus;
 $proj->fk_opp_status = $defaultoppstatus;
+ $proj->ip = getUserRemoteIP();
+ $nb_post_max = getDolGlobalInt("MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS", 1000);
+ // Calculate nb of post for IP
+ $nb_post_ip = 0;
+ if ($nb_post_max > 0) { // Calculate only if there is a limit to check
+ $sql = "SELECT COUNT(rowid) as nb_projets";
+ $sql .= " FROM ".MAIN_DB_PREFIX."projet";
+ $sql .= " WHERE ip = '".$db->escape($proj->ip)."'";
+ $resql = $db->query($sql);
+ if ($resql) {
+ $num = $db->num_rows($resql);
+ $i = 0;
+ while ($i < $num) {
+ $i++;
+ $obj = $db->fetch_object($resql);
+ $nb_post_ip = $obj->nb_projets;
+ }
+ }
+ }
+
 // Fill array 'array_options' with data from the form
 $extrafields->fetch_name_optionals_label($proj->table_element);
 $ret = $extrafields->setOptionalsFromPost(null, $proj);
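Review bot: If `$db->query($sql)` fails, `$nb_post_ip` stays 0 and the per-IP cap is silently bypassed (fail-open) with nothing logged; a `COUNT(rowid)` query also always yields exactly one row, so the `$num`/`$i` loop is dead weight and `$obj->nb_projets` is kept as a string instead of an int. The query has no `entity` condition and the migration adds no index on `ip`, so every public submission scans all of llx_projet; consider an index on `ip`, and an entity filter if the limit is meant per entity (cannot tell from here). The count is also cumulative over the table's lifetime rather than a time window, so a shared NAT or proxy address is locked out permanently once it reaches the limit; how `getUserRemoteIP()` treats forwarded headers decides whether that bites in a given deployment.
```php
$resql = $db->query($sql);
if ($resql) {
	$obj = $db->fetch_object($resql);
	$nb_post_ip = $obj ? (int) $obj->nb_projets : 0;
} else {
	// Fail closed: an unanswerable count must not disable the cap
	$nb_post_ip = $nb_post_max;
	dol_syslog("public/project/new.php: count of projects by IP failed: ".$db->lasterror(), LOG_ERR);
}
```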
@@ -303,74 +323,83 @@ if (empty($reshook) && $action == 'add') {
 $error++;
 }
- // Create the project
- $result = $proj->create($user);
- if ($result > 0) {
- require_once DOL_DOCUMENT_ROOT.'/core/class/CMailFile.class.php';
- $object = $proj;
-
- if ($object->email) {
- $subject = '';
- $msg = '';
-
- // Send subscription email
- include_once DOL_DOCUMENT_ROOT.'/core/class/html.formmail.class.php';
- $formmail = new FormMail($db);
- // Set output language
- $outputlangs = new Translate('', $conf);
- $outputlangs->setDefaultLang(empty($object->thirdparty->default_lang) ? $mysoc->default_lang : $object->thirdparty->default_lang);
- // Load traductions files required by page
- $outputlangs->loadLangs(array("main", "members", "projects"));
- // Get email content from template
- $arraydefaultmessage = null;
- $labeltouse = $conf->global->PROJECT_EMAIL_TEMPLATE_AUTOLEAD;
-
- if (!empty($labeltouse)) {
- $arraydefaultmessage = $formmail->getEMailTemplate($db, 'project', $user, $outputlangs, 0, 1, $labeltouse);
- }
-
- if (!empty($labeltouse) && is_object($arraydefaultmessage) && $arraydefaultmessage->id > 0) {
- $subject = $arraydefaultmessage->topic;
- $msg = $arraydefaultmessage->content;
- }
- if (empty($labeltosue)) {
- $labeltouse = '['.$mysoc->name.'] '.$langs->trans("YourMessage");
- $msg = $langs->trans("YourMessageHasBeenReceived");
- }
-
- $substitutionarray = getCommonSubstitutionArray($outputlangs, 0, null, $object);
- complete_substitutions_array($substitutionarray, $outputlangs, $object);
- $subjecttosend = make_substitutions($subject, $substitutionarray, $outputlangs);
- $texttosend = make_substitutions($msg, $substitutionarray, $outputlangs);
-
- if ($subjecttosend && $texttosend) {
- $moreinheader = 'X-Dolibarr-Info: send_an_email by public/lead/new.php'."\r\n";
-
- $result = $object->send_an_email($texttosend, $subjecttosend, array(), array(), array(), "", "", 0, -1, '', $moreinheader);
- }
- /*if ($result < 0) {
- $error++;
-
setEventMessages($object->error, $object->errors, 'errors');
- }*/
- }
-
- if (!empty($backtopage)) {
- $urlback = $backtopage;
- } elseif (!empty($conf->global->PROJECT_URL_REDIRECT_LEAD)) {
- $urlback = $conf->global->PROJECT_URL_REDIRECT_LEAD;
- // TODO Make replacement of __AMOUNT__, etc...
- } else {
- $urlback = $_SERVER["PHP_SELF"]."?action=added&token=".newToken();
- }
-
- if (!empty($entity)) {
- $urlback .= '&entity='.$entity;
- }
-
- dol_syslog("project lead ".$proj->ref." has been created, we redirect to ".$urlback);
- } else {
+ if ($nb_post_max > 0 && $nb_post_ip >= $nb_post_max) {
 $error++;
- $errmsg .= $proj->error.'
'.join('
', $proj->errors);
+ $errmsg = $langs->trans("AlreadyTooMuchPostOnThisIPAdress");
+ array_push($proj->errors, $langs->trans("AlreadyTooMuchPostOnThisIPAdress"));
+ }
+ // Create the project
+ if (!$error) {
+ $result = $proj->create($user);
+ if ($result > 0) {
+ require_once DOL_DOCUMENT_ROOT.'/core/class/CMailFile.class.php';
+ $object = $proj;
+
+ if ($object->email) {
+ $subject = '';
+ $msg = '';
+
+ // Send subscription email
+ include_once DOL_DOCUMENT_ROOT.'/core/class/html.formmail.class.php';
+ $formmail = new FormMail($db);
+ // Set output language
+ $outputlangs = new Translate('', $conf);
+ $outputlangs->setDefaultLang(empty($object->thirdparty->default_lang) ? $mysoc->default_lang : $object->thirdparty->default_lang);
+ // Load traductions files required by page
+ $outputlangs->loadLangs(array("main", "members", "projects"));
+ // Get email content from template
+ $arraydefaultmessage = null;
+ $labeltouse = $conf->global->PROJECT_EMAIL_TEMPLATE_AUTOLEAD;
+
+ if (!empty($labeltouse)) {
+ $arraydefaultmessage = $formmail->getEMailTemplate($db, 'project', $user, $outputlangs, 0, 1, $labeltouse);
+ }
+
+ if (!empty($labeltouse) && is_object($arraydefaultmessage) && $arraydefaultmessage->id > 0) {
+ $subject = $arraydefaultmessage->topic;
+ $msg = $arraydefaultmessage->content;
+ }
+ if (empty($labeltosue)) {
+ $labeltouse = '['.$mysoc->name.'] '.$langs->trans("YourMessage");
+ $msg = $langs->trans("YourMessageHasBeenReceived");
+ }
+
+ $substitutionarray = getCommonSubstitutionArray($outputlangs, 0, null, $object);
+ complete_substitutions_array($substitutionarray, $outputlangs, $object);
+ $subjecttosend = make_substitutions($subject, $substitutionarray, $outputlangs);
+ $texttosend = make_substitutions($msg, $substitutionarray, $outputlangs);
+
+ if ($subjecttosend && $texttosend) {
+ $moreinheader = 'X-Dolibarr-Info: send_an_email by public/lead/new.php'."\r\n";
+
+ $result = $object->send_an_email($texttosend, $subjecttosend, array(), array(),
array(), "", "", 0, -1, '', $moreinheader);
+ }
+ /*if ($result < 0) {
+ $error++;
+ setEventMessages($object->error, $object->errors, 'errors');
+ }*/
+ }
+
+ if (!empty($backtopage)) {
+ $urlback = $backtopage;
+ } elseif (!empty($conf->global->PROJECT_URL_REDIRECT_LEAD)) {
+ $urlback = $conf->global->PROJECT_URL_REDIRECT_LEAD;
+ // TODO Make replacement of __AMOUNT__, etc...
+ } else {
+ $urlback = $_SERVER["PHP_SELF"]."?action=added&token=".newToken();
+ }
+
+ if (!empty($entity)) {
+ $urlback .= '&entity='.$entity;
+ }
+
+ dol_syslog("project lead ".$proj->ref." has been created, we redirect to ".$urlback);
+ } else {
+ $error++;
+ $errmsg .= $proj->error.'
'.join('
', $proj->errors);
+ }
+ } else {
+ setEventMessage($errmsg, 'errors');
 }
 }
diff --git a/htdocs/public/project/viewandvote.php b/htdocs/public/project/viewandvote.php
index 1d9fc58c810..4e8b6b19ddc 100644
--- a/htdocs/public/project/viewandvote.php
+++ b/htdocs/public/project/viewandvote.php
@@ -70,10 +70,10 @@ $id = GETPOST('id');
 $securekeyreceived = GETPOST("securekey");
 $securekeytocompare = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'conferenceorbooth'.$id, 'md5');
-if ($securekeytocompare != $securekeyreceived) {
- print $langs->trans('MissingOrBadSecureKey');
- exit;
-}
+// if ($securekeytocompare != $securekeyreceived) {
+// print $langs->trans('MissingOrBadSecureKey');
+// exit;
+// }
 $listofvotes = explode(',', $_SESSION["savevotes"]);
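Review bot: `$errmsg = $langs->trans("AlreadyTooMuchPostOnThisIPAdress");` overwrites whatever `$errmsg` already holds, while every other assignment in this block appends with `.=`, so an earlier validation message is lost when the IP cap also trips; the same string is additionally pushed into `$proj->errors`, which the new `else` branch never displays, so `$errmsg .= $langs->trans("AlreadyTooMuchPostOnThisIPAdress");` without the `array_push` keeps the existing convention. In the moved email block, `if (empty($labeltosue))` still reads an undefined variable and is therefore always true: `$msg` is replaced with the generic text even when a template was loaded, and without a template `$subject` stays empty so `$subjecttosend && $texttosend` is false and no mail is sent — presumably `if (empty($subject))` assigning `$subject = '['.$mysoc->name.'] '.$langs->trans("YourMessage");` was intended. The count from the previous hunk and the `create()` call are not atomic, so concurrent requests from one address can exceed the cap by a few; fine for a soft limit but worth a one-line comment. The enclosing `if (empty($reshook) && $action == 'add')` block continues outside the hunk.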
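Review bot: Commenting out the secure-key check removes the only access control visible on this public page — any visitor can now open viewandvote.php for an arbitrary `id` without knowing `EVENTORGANIZATION_SECUREKEY` — and the change is unrelated to the IP limit the patch title describes. If this was a local debugging edit it should not be merged; if the check is meant to go, delete it rather than leaving commented-out code. When restored, compare in constant time instead of with loose `!=`: `if (!hash_equals($securekeytocompare, (string) $securekeyreceived)) {`. The rest of the page's handling of `$id` is outside the hunk.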