lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch '11.0' of git@github.com:Dolibarr/dolibarr.git into develop

Browse Source 
Conflicts:
	htdocs/compta/accounting-files.php
	htdocs/core/lib/functions.lib.php
This commit is contained in:
Laurent Destailleur 2020-03-19 22:09:17 +01:00
commit 222556b464
9 changed files with 105 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ChangeLog
View File

@ -50,6 +50,7 @@ FIX: missing global $conf
FIX: Missing token in some forms (avoid unset POST errors)
FIX: params of setEventMessage($langs->trans('ErrorProductClone')...
FIX: Remove unexisting link
FIX: mass action on stock movements
FIX: substitute lines dates values on doc generator (ODT, ...)
FIX: Ticket - Load Cache Messages Ticket, wrong message's status
FIX: Ticket Public - Private messages are displayed

2
htdocs/admin/modules.php
View File

@ -930,7 +930,7 @@ if ($mode == 'marketplace')
?>
<form method="POST" class="centpercent" id="searchFormList" action="<?php echo $dolistore->url ?>">
<input type="hidden" name="token" value="<?php echo $_SESSION['newtoken'] ?>">
<input type="hidden" name="token" value="<?php echo newToken(); ?>">
<input type="hidden" name="mode" value="marketplace">
<div class="divsearchfield"><?php echo $langs->trans('Keyword') ?>:
<input name="search_keyword" placeholder="<?php echo $langs->trans('Chercher un module') ?>" id="search_keyword" type="text" size="50" value="<?php echo $options['search'] ?>"><br>

14
htdocs/compta/accounting-files.php
View File

@ -16,11 +16,17 @@
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
/**
/**
* \file htdocs/compta/accounting-files.php
* \ingroup compta
* \brief Page to show portoflio and files of a thirdparty and download it
*/
if ($_GET['action'] == 'dl' || $_POST['action'] == 'dl') { // To not replace token when downloading file
if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL', '1');
}
require '../main.inc.php';
require_once DOL_DOCUMENT_ROOT.'/core/lib/company.lib.php';
require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
@ -113,7 +119,7 @@ $error = 0;
$filesarray = array();
$result = false;
if (($action == "searchfiles" || $action == "dl")) {
if (($action == 'searchfiles' || $action == 'dl')) {
if (empty($date_start))
{
setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("DateStart")), null, 'errors');
@ -259,7 +265,7 @@ if (($action == "searchfiles" || $action == "dl")) {
{
$result = true;
$files = dol_dir_list($upload_dir, "files", 0, '', '(\.meta|_preview\.png)$', '', SORT_ASC, 1);
$files = dol_dir_list($upload_dir, "files", 0, '', '(\.meta|_preview.*\.png)$', '', SORT_ASC, 1);
//var_dump($upload_dir);
//var_dump($files);
if (count($files) < 1)
@ -512,7 +518,7 @@ if (!empty($date_start) && !empty($date_stop))
$param .= '&'.$choice.'='.(GETPOST($choice, 'int') ? 1 : 0);
}
print '<form name="dl" action="?action=dl" method="POST" >'."\n";
print '<input type="hidden" name="token" value="'.newToken().'">';
print '<input type="hidden" name="token" value="'.currentToken().'">';
echo dol_print_date($date_start, 'day')." - ".dol_print_date($date_stop, 'day');

4
htdocs/compta/deplacement/card.php
View File

@ -281,7 +281,7 @@ if ($action == 'create')
print '<td class="tdtop">'.$langs->trans('NotePublic').'</td>';
print '<td>';
$doleditor = new DolEditor('note_public', GETPOST('note_public', 'alpha'), '', 200, 'dolibarr_notes', 'In', false, true, true, ROWS_8, '90%');
$doleditor = new DolEditor('note_public', GETPOST('note_public', 'restricthtml'), '', 200, 'dolibarr_notes', 'In', false, true, true, ROWS_8, '90%');
print $doleditor->Create(1);
print '</td></tr>';
@ -293,7 +293,7 @@ if ($action == 'create')
print '<td class="tdtop">'.$langs->trans('NotePrivate').'</td>';
print '<td>';
$doleditor = new DolEditor('note_private', GETPOST('note_private', 'alpha'), '', 200, 'dolibarr_notes', 'In', false, true, true, ROWS_8, '90%');
$doleditor = new DolEditor('note_private', GETPOST('note_private', 'restricthtml'), '', 200, 'dolibarr_notes', 'In', false, true, true, ROWS_8, '90%');
print $doleditor->Create(1);
print '</td></tr>';

2
htdocs/core/actions_massactions.inc.php
View File

@ -1215,6 +1215,8 @@ if (!$error && $massaction == 'closed' && $objectclass == "Propal" && $permissio
$db->rollback();
}
}
// Delete record from mass action (massaction = 'delete' for direct delete, action/confirm='delete'/'yes' with a confirmation step before)
if (!$error && ($massaction == 'delete' || ($action == 'delete' && $confirm == 'yes')) && $permissiontodelete)
{

16
htdocs/core/lib/functions.lib.php
View File

@ -509,6 +509,7 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null
// We do this only if var is a GET. If it is a POST, may be we want to post the text with vars as the setup text.
if (!is_array($out) && empty($_POST[$paramname]) && empty($noreplace))
{
$reg = array();
$maxloop = 20; $loopnb = 0; // Protection against infinite loop
while (preg_match('/__([A-Z0-9]+_?[A-Z0-9]+)__/i', $out, $reg) && ($loopnb < $maxloop)) // Detect '__ABCDEF__' as key 'ABCDEF' and '__ABC_DEF__' as key 'ABC_DEF'. Detection is also correct when 2 vars are side by side.
{
@ -5650,7 +5651,7 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1)
$allowed_tags_string = '<'.$allowed_tags_string.'>';
if ($cleanalsosomestyles) {
$stringtoclean = preg_replace('/position\s*:\s*(absolute|fixed)\s*!\s*important/', '', $stringtoclean); // Note: If hacker try to introduce css comment into string to avoid this, string should be encoded by the dol_htmlentitiesbr so be harmless
$stringtoclean = preg_replace('/position\s*:\s*(absolute|fixed)\s*!\s*important/', '', $stringtoclean); // Note: If hacker try to introduce css comment into string to bypass this regex, the string must also be encoded by the dol_htmlentitiesbr during output so it become harmless
}
$temp = strip_tags($stringtoclean, $allowed_tags_string);
@ -8826,7 +8827,8 @@ function isAFileWithExecutableContent($filename)
}
/**
* Return new session token
* Return the value of token currently saved into session with name 'newtoken'.
* This token must be send by any POST as it will be used by next page for comparison with value in session.
*
* @return string
*/
@ -8834,3 +8836,13 @@ function newToken()
{
return $_SESSION['newtoken'];
}
/**
* Return the value of token currently saved into session with name 'token'.
*
* @return string
*/
function currentToken()
{
return $_SESSION['token'];
}

12
htdocs/opensurvey/card.php
View File

@ -113,8 +113,8 @@ if (empty($reshook))
if (!$error)
{
$object->titre = GETPOST('nouveautitre', 'nohtml');
$object->commentaires = GETPOST('nouveauxcommentaires', 'nohtml');
$object->description = GETPOST('nouveauxcommentaires', 'nohtml');
$object->commentaires = GETPOST('nouveauxcommentaires', 'restricthtml');
$object->description = GETPOST('nouveauxcommentaires', 'restricthtml');
$object->mail_admin = GETPOST('nouvelleadresse', 'alpha');
$object->date_fin = $expiredate;
$object->allow_comments = GETPOST('cancomment', 'alpha') == 'on' ? true : false;
@ -208,6 +208,7 @@ $toutsujet = str_replace("@", "<br>", $toutsujet);
$toutsujet = str_replace("°", "'", $toutsujet);
print '<form name="updatesurvey" action="'.$_SERVER["PHP_SELF"].'?id='.$numsondage.'" method="POST">'."\n";
print '<input type="hidden" name="token" value="'.newToken().'">';
print '<input type="hidden" name="action" value="update">';
$head = opensurvey_prepare_head($object);
@ -248,12 +249,12 @@ print '</td></tr>';
print '<tr><td class="tdtop">'.$langs->trans("Description").'</td><td colspan="2">';
if ($action == 'edit')
{
$doleditor = new DolEditor('nouveauxcommentaires', dol_htmlentities($object->commentaires), '', 120, 'dolibarr_notes', 'In', 1, 1, 1, ROWS_7, '90%');
$doleditor = new DolEditor('nouveauxcommentaires', $object->description, '', 120, 'dolibarr_notes', 'In', 1, 1, 1, ROWS_7, '90%');
$doleditor->Create(0, '');
}
else
{
print (dol_textishtml($object->commentaires) ? $object->commentaires : dol_nl2br($object->commentaires, 1, true));
print (dol_textishtml($object->description) ? $object->description : dol_nl2br($object->description, 1, true));
}
print '</td></tr>';
@ -263,7 +264,7 @@ if (!$object->fk_user_creat) {
print '<tr><td>'.$langs->trans("EMail").'</td><td colspan="2">';
if ($action == 'edit')
{
print '<input type="text" name="nouvelleadresse" size="40" value="'.$object->mail_admin.'">';
print '<input type="text" name="nouvelleadresse" class="minwith200" value="'.$object->mail_admin.'">';
}
else print dol_print_email($object->mail_admin, 0, 0, 1);
print '</td></tr>';
@ -395,6 +396,7 @@ print '<br>';
print '<form name="formulaire5" action="#" method="POST">'."\n";
print '<input type="hidden" name="token" value="'.newToken().'">';
print load_fiche_titre($langs->trans("CommentsOfVoters"), '', '');

13
htdocs/product/stock/class/mouvementstock.class.php
View File

@ -1162,4 +1162,17 @@ class MouvementStock extends CommonObject
return $this->commonGenerateDocument($modelpath, $modele, $outputlangs, $hidedetails, $hidedesc, $hideref);
}
/**
* Delete object in database
*
* @param User $user User that deletes
* @param bool $notrigger false=launch triggers after, true=disable triggers
* @return int <0 if KO, >0 if OK
*/
public function delete(User $user, $notrigger = false)
{
return $this->deleteCommon($user, $notrigger);
//return $this->deleteCommon($user, $notrigger, 1);
}
}

84
htdocs/product/stock/movement_list.php
View File

@ -54,8 +54,11 @@ $ref = GETPOST('ref', 'alpha');
$msid = GETPOST('msid', 'int');
$product_id = GETPOST("product_id", 'int');
$action = GETPOST('action', 'aZ09');
$massaction = GETPOST('massaction', 'alpha'); // The bulk action (combo box choice into lists)
$confirm = GETPOST('confirm', 'alpha'); // Result of a confirmation
$cancel = GETPOST('cancel', 'alpha');
$contextpage = GETPOST('contextpage', 'aZ') ?GETPOST('contextpage', 'aZ') : 'movementlist';
$toselect = GETPOST('toselect', 'array'); // Array of ids of elements selected into a list
// Security check
//$result=restrictedArea($user, 'stock', $id, 'entrepot&stock');
@ -123,15 +126,19 @@ if (!$user->rights->stock->mouvement->lire) {
accessforbidden();
}
$permissiontoread = $user->rights->stock->mouvement->lire;
$permissiontoadd = $user->rights->stock->mouvement->creer;
$permissiontodelete = $user->rights->stock->mouvement->creer; // There is no deletion permission for stock movement as we shoul dnever delete
$usercanread = $user->rights->stock->mouvement->lire;
$usercancreate = $user->rights->stock->mouvement->creer;
$usercandelete = $user->rights->stock->mouvement->creer;
/*
* Actions
*/
$usercanread = (($user->rights->stock->mouvement->lire));
$usercancreate = (($user->rights->stock->mouvement->creer));
$usercandelete = (($user->rights->stock->mouvement->supprimer));
if (GETPOST('cancel', 'alpha')) { $action = 'list'; $massaction = ''; }
if (!GETPOST('confirmmassaction', 'alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction = ''; }
@ -139,26 +146,35 @@ $parameters = array();
$reshook = $hookmanager->executeHooks('doActions', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks
if ($reshook < 0) setEventMessages($hookmanager->error, $hookmanager->errors, 'errors');
include DOL_DOCUMENT_ROOT.'/core/actions_changeselectedfields.inc.php';
// Do we click on purge search criteria ?
if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter.x', 'alpha') || GETPOST('button_removefilter', 'alpha')) // Both test are required to be compatible with all browsers
if (empty($reshook))
{
$year = '';
$month = '';
$search_ref = '';
$search_movement = "";
$search_type_mouvement = "";
$search_inventorycode = "";
$search_product_ref = "";
$search_product = "";
$search_warehouse = "";
$search_user = "";
$search_batch = "";
$search_qty = '';
$sall = "";
$toselect = '';
$search_array_options = array();
include DOL_DOCUMENT_ROOT.'/core/actions_changeselectedfields.inc.php';
// Do we click on purge search criteria ?
if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter.x', 'alpha') || GETPOST('button_removefilter', 'alpha')) // Both test are required to be compatible with all browsers
{
$year = '';
$month = '';
$search_ref = '';
$search_movement = "";
$search_type_mouvement = "";
$search_inventorycode = "";
$search_product_ref = "";
$search_product = "";
$search_warehouse = "";
$search_user = "";
$search_batch = "";
$search_qty = '';
$sall = "";
$toselect = '';
$search_array_options = array();
}
// Mass actions
$objectclass = 'MouvementStock';
$objectlabel = 'MouvementStock';
$uploaddir = $conf->stock->dir_output;
include DOL_DOCUMENT_ROOT.'/core/actions_massactions.inc.php';
}
// Correct stock
@ -600,8 +616,8 @@ if ($resql)
$resqlbis = $db->query($sql);
if ($resqlbis)
{
$obj = $db->fetch_object($resqlbis);
$lastmovementdate = $db->jdate($obj->datem);
$objbis = $db->fetch_object($resqlbis);
$lastmovementdate = $db->jdate($objbis->datem);
}
else
{
@ -694,8 +710,9 @@ if ($resql)
// 'presend'=>$langs->trans("SendByMail"),
// 'builddoc'=>$langs->trans("PDFMerge"),
);
//if ($user->rights->stock->supprimer) $arrayofmassactions['predelete']='<span class="fa fa-trash paddingrightonly"></span>'.$langs->trans("Delete");
if (in_array($massaction, array('presend', 'predelete'))) $arrayofmassactions = array();
// By default, we should never accept deletion of stock movement.
if (! empty($conf->global->STOCK_ALLOW_DELETE_OF_MOVEMENT) && $permissiontodelete) $arrayofmassactions['predelete']='<span class="fa fa-trash paddingrightonly"></span>'.$langs->trans("Delete");
if (GETPOST('nomassaction', 'int') || in_array($massaction, array('presend', 'predelete'))) $arrayofmassactions = array();
$massactionbutton = $form->selectMassAction('', $arrayofmassactions);
print '<form method="POST" action="'.$_SERVER["PHP_SELF"].'">';
@ -713,6 +730,13 @@ if ($resql)
if ($id > 0) print_barre_liste($texte, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, $massactionbutton, $num, $nbtotalofrecords, '', 0, '', '', $limit);
else print_barre_liste($texte, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, $massactionbutton, $num, $nbtotalofrecords, 'generic', 0, '', '', $limit);
// Add code for pre mass action (confirmation or email presend form)
$topicmail = "SendStockMovement";
$modelmail = "movementstock";
$objecttmp = new MouvementStock($db);
$trackid = 'mov'.$object->id;
include DOL_DOCUMENT_ROOT.'/core/tpl/massactions_pre.tpl.php';
if ($sall)
{
foreach ($fieldstosearchall as $key => $val) $fieldstosearchall[$key] = $langs->trans($val);
@ -961,6 +985,8 @@ if ($resql)
$arrayofuniqueproduct = array();
$i = 0;
$totalarray = array();
while ($i < min($num, $limit))
{
$objp = $db->fetch_object($resql);
@ -1126,8 +1152,8 @@ if ($resql)
if ($massactionbutton || $massaction) // If we are in select mode (massactionbutton defined) or if we have already selected and sent an action ($massaction) defined
{
$selected = 0;
if (in_array($obj->rowid, $arrayofselected)) $selected = 1;
print '<input id="cb'.$obj->rowid.'" class="flat checkforselect" type="checkbox" name="toselect[]" value="'.$obj->rowid.'"'.($selected ? ' checked="checked"' : '').'>';
if (in_array($objp->mid, $arrayofselected)) $selected = 1;
print '<input id="cb'.$objp->mid.'" class="flat checkforselect" type="checkbox" name="toselect[]" value="'.$objp->mid.'"'.($selected ? ' checked="checked"' : '').'>';
}
print '</td>';
if (!$i) $totalarray['nbfield']++;