From 8e1ffa51444b87368915aea3aed81599fa01198a Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 19 Mar 2020 10:52:07 +0100 Subject: [PATCH 1/7] Fix management of token --- htdocs/compta/accounting-files.php | 12 +++++++++--- htdocs/core/lib/functions.lib.php | 13 ++++++++++++- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/htdocs/compta/accounting-files.php b/htdocs/compta/accounting-files.php index af18b834edf..cb2c3d2fdff 100644 --- a/htdocs/compta/accounting-files.php +++ b/htdocs/compta/accounting-files.php @@ -16,11 +16,17 @@ * You should have received a copy of the GNU General Public License * along with this program. If not, see . */ -/** + + /** * \file htdocs/compta/accounting-files.php * \ingroup compta * \brief Page to show portoflio and files of a thirdparty and download it */ + +if ($_GET['action'] == 'dl' || $_POST['action'] == 'dl') { // To not replace token when downloading file + if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); +} + require '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/company.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; @@ -106,7 +112,7 @@ $error = 0; $filesarray = array(); $result = false; -if (($action == "searchfiles" || $action == "dl")) { +if (($action == 'searchfiles' || $action == 'dl')) { if (empty($date_start)) { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("DateStart")), null, 'errors'); @@ -459,7 +465,7 @@ if (!empty($date_start) && !empty($date_stop)) $param .= '&date_stopyear='.GETPOST('date_stopyear', 'int'); print '
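Review bot: The new pre-include guard in accounting-files.php reads `$_GET['action']` and `$_POST['action']` without checking they exist, so every request that carries no `action` parameter raises an undefined-index notice before main.inc.php has configured error handling, and the comparison is loose (`==`). Because nothing of Dolibarr is loaded yet at this point, guard with `isset()` and compare strictly: `if ((isset($_GET['action']) && $_GET['action'] === 'dl') || (isset($_POST['action']) && $_POST['action'] === 'dl')) {`. A one-line why-comment would also help, e.g. `// A download returns no HTML page, so do not rotate the session token here; presumably the token the caller's next form submits must stay valid (confirm against main.inc.php)`. What NOTOKENRENEWAL actually disables lives in main.inc.php, outside this hunk.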
'."\n"; - print ''; + print ''; echo dol_print_date($date_start, 'day')." - ".dol_print_date($date_stop, 'day'); diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 9842a3d59e0..6976b5fec40 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -8574,7 +8574,8 @@ function isAFileWithExecutableContent($filename) } /** - * Return new session token + * Return the value of token currently saved into session with name 'newtoken'. + * This token must be send by any POST as it will be used by next page for comparison with value in session. * * @return string */ @@ -8582,3 +8583,13 @@ function newToken() { return $_SESSION['newtoken']; } + +/** + * Return the value of token currently saved into session with name 'token'. + * + * @return string + */ +function currentToken() +{ + return $_SESSION['token']; +} From 7eb45226364630cfe01d14bc15f5f835ada90219 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 19 Mar 2020 11:59:57 +0100 Subject: [PATCH 2/7] FIX missing token and save of survey description --- htdocs/admin/modules.php | 2 +- htdocs/core/lib/functions.lib.php | 3 ++- htdocs/opensurvey/card.php | 6 ++++-- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/htdocs/admin/modules.php b/htdocs/admin/modules.php index 21d54908cf1..72eb8240c10 100644 --- a/htdocs/admin/modules.php +++ b/htdocs/admin/modules.php @@ -930,7 +930,7 @@ if ($mode == 'marketplace') ?> - +
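Review bot: `currentToken()` returns `$_SESSION['token']` unconditionally, so on a request where no token has been stored yet (first page of a fresh session, or any context without a started session) it emits an undefined-index notice and returns null rather than the string the `@return string` docblock promises. Mirror the documented contract: `return isset($_SESSION['token']) ? $_SESSION['token'] : '';`, and ideally the same for `newToken()` in the hunk just above. The `newToken()` docblock also has a typo, "must be send by any POST" should read "must be sent by any POST". Where the submitted token is compared with this value is outside this hunk; if that comparison is a plain `==`/`!=`, `hash_equals()` would be the safer form.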
trans('Keyword') ?>:
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 6976b5fec40..6e71125cbd5 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -508,6 +508,7 @@ function GETPOST($paramname, $check = 'none', $method = 0, $filter = null, $opti // We do this only if var is a GET. If it is a POST, may be we want to post the text with vars as the setup text. if (!is_array($out) && empty($_POST[$paramname]) && empty($noreplace)) { + $reg = array(); $maxloop = 20; $loopnb = 0; // Protection against infinite loop while (preg_match('/__([A-Z0-9]+_?[A-Z0-9]+)__/i', $out, $reg) && ($loopnb < $maxloop)) // Detect '__ABCDEF__' as key 'ABCDEF' and '__ABC_DEF__' as key 'ABC_DEF'. Detection is also correct when 2 vars are side by side. { @@ -5579,7 +5580,7 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1) $allowed_tags_string = '<'.$allowed_tags_string.'>'; if ($cleanalsosomestyles) { - $stringtoclean = preg_replace('/position\s*:\s*(absolute|fixed)\s*!\s*important/', '', $stringtoclean); // Note: If hacker try to introduce css comment into string to avoid this, string should be encoded by the dol_htmlentitiesbr so be harmless + $stringtoclean = preg_replace('/position\s*:\s*(absolute|fixed)\s*!\s*important/', '', $stringtoclean); // Note: If hacker try to introduce css comment into string to bypass this regex, the string must also be encoded by the dol_htmlentitiesbr during output so it become harmless } $temp = strip_tags($stringtoclean, $allowed_tags_string); diff --git a/htdocs/opensurvey/card.php b/htdocs/opensurvey/card.php index 302ecf5f1ff..28b8f2a7640 100644 --- a/htdocs/opensurvey/card.php +++ b/htdocs/opensurvey/card.php 
@@ -113,8 +113,8 @@ if (empty($reshook)) if (!$error) { $object->titre = GETPOST('nouveautitre', 'nohtml'); - $object->commentaires = GETPOST('nouveauxcommentaires', 'nohtml'); - $object->description = GETPOST('nouveauxcommentaires', 'nohtml'); + $object->commentaires = GETPOST('nouveauxcommentaires', 'restricthtml'); + $object->description = GETPOST('nouveauxcommentaires', 'restricthtml'); $object->mail_admin = GETPOST('nouvelleadresse', 'alpha'); $object->date_fin = $expiredate; $object->allow_comments = GETPOST('cancomment', 'alpha') == 'on' ? true : false; @@ -208,6 +208,7 @@ $toutsujet = str_replace("@", "
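Review bot: The `restricthtml` filter is now the only barrier between the survey description posted here and its later display, since the same untrusted value is assigned to both `commentaires` and `description` and the card page prints the stored HTML back out. Worth a comment at the assignment so the next maintainer does not weaken it, e.g. `// Description may contain HTML: filtered by 'restricthtml' on input and printed raw on the card page, keep both sides in sync`. What `restricthtml` actually strips is not visible here and should be checked before relying on it as the sole sanitizer. The enclosing `if (!$error)` block and the save that follows start outside this hunk.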
", $toutsujet); $toutsujet = str_replace("°", "'", $toutsujet); print ''."\n"; +print ''; print ''; $head = opensurvey_prepare_head($object); @@ -395,6 +396,7 @@ print '
'; print ''."\n"; +print ''; print load_fiche_titre($langs->trans("CommentsOfVoters"), '', ''); From c71da5d0132a689314ebae38f13405116b563111 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 19 Mar 2020 15:43:06 +0100 Subject: [PATCH 3/7] FIX mass action on stock movements --- htdocs/core/actions_massactions.inc.php | 2 + .../stock/class/mouvementstock.class.php | 13 +++ htdocs/product/stock/movement_list.php | 84 ++++++++++++------- 3 files changed, 70 insertions(+), 29 deletions(-) diff --git a/htdocs/core/actions_massactions.inc.php b/htdocs/core/actions_massactions.inc.php index c3f046431b0..17e063244df 100644 --- a/htdocs/core/actions_massactions.inc.php +++ b/htdocs/core/actions_massactions.inc.php @@ -1215,6 +1215,8 @@ if (!$error && $massaction == 'closed' && $objectclass == "Propal" && $permissio $db->rollback(); } } + + // Delete record from mass action (massaction = 'delete' for direct delete, action/confirm='delete'/'yes' with a confirmation step before) if (!$error && ($massaction == 'delete' || ($action == 'delete' && $confirm == 'yes')) && $permissiontodelete) { diff --git a/htdocs/product/stock/class/mouvementstock.class.php b/htdocs/product/stock/class/mouvementstock.class.php index 9e8dcc3184e..7b92af43ef0 100644 --- a/htdocs/product/stock/class/mouvementstock.class.php +++ b/htdocs/product/stock/class/mouvementstock.class.php @@ -1134,4 +1134,17 @@ class MouvementStock extends CommonObject return $this->commonGenerateDocument($modelpath, $modele, $outputlangs, $hidedetails, $hidedesc, $hideref); } + + /** + * Delete object in database + * + * @param User $user User that deletes + * @param bool $notrigger false=launch triggers after, true=disable triggers + * @return int <0 if KO, >0 if OK + */ + public function delete(User $user, $notrigger = false) + { + return $this->deleteCommon($user, $notrigger); + //return $this->deleteCommon($user, $notrigger, 1); + } } 
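Review bot: The new `MouvementStock::delete()` performs no permission or configuration check of its own and simply calls `deleteCommon()`, yet the same commit states that stock movements should never be deleted by default and gates only the UI on `STOCK_ALLOW_DELETE_OF_MOVEMENT`; any other caller of this public method (API, module, future mass action) bypasses that policy. It also appears to remove the movement row without reversing the quantity change that movement applied to warehouse stock, which would leave stock levels out of step with their movement history; that is inferred, since `deleteCommon()` is outside this hunk, but the docblock should say which it is. Drop the commented-out `//return $this->deleteCommon($user, $notrigger, 1);` line and document the contract: `* WARNING: does not revert the stock moved and does no permission check; callers must gate on STOCK_ALLOW_DELETE_OF_MOVEMENT and the user's stock rights.`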
diff --git a/htdocs/product/stock/movement_list.php b/htdocs/product/stock/movement_list.php index dea7580aeb7..48806ce51b8 100644 --- a/htdocs/product/stock/movement_list.php +++ b/htdocs/product/stock/movement_list.php @@ -54,8 +54,11 @@ $ref = GETPOST('ref', 'alpha'); $msid = GETPOST('msid', 'int'); $product_id = GETPOST("product_id", 'int'); $action = GETPOST('action', 'aZ09'); +$massaction = GETPOST('massaction', 'alpha'); // The bulk action (combo box choice into lists) +$confirm = GETPOST('confirm', 'alpha'); // Result of a confirmation $cancel = GETPOST('cancel', 'alpha'); $contextpage = GETPOST('contextpage', 'aZ') ?GETPOST('contextpage', 'aZ') : 'movementlist'; +$toselect = GETPOST('toselect', 'array'); // Array of ids of elements selected into a list // Security check //$result=restrictedArea($user, 'stock', $id, 'entrepot&stock'); @@ -123,15 +126,19 @@ if (!$user->rights->stock->mouvement->lire) { accessforbidden(); } +$permissiontoread = $user->rights->stock->mouvement->lire; +$permissiontoadd = $user->rights->stock->mouvement->creer; +$permissiontodelete = $user->rights->stock->mouvement->creer; // There is no deletion permission for stock movement as we shoul dnever delete + +$usercanread = $user->rights->stock->mouvement->lire; +$usercancreate = $user->rights->stock->mouvement->creer; +$usercandelete = $user->rights->stock->mouvement->creer; + /* * Actions */ -$usercanread = (($user->rights->stock->mouvement->lire)); -$usercancreate = (($user->rights->stock->mouvement->creer)); -$usercandelete = (($user->rights->stock->mouvement->supprimer)); - if (GETPOST('cancel', 'alpha')) { $action = 'list'; $massaction = ''; } if (!GETPOST('confirmmassaction', 'alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction = ''; } 
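Review bot: `$permissiontodelete` and `$usercandelete` are now derived from `$user->rights->stock->mouvement->creer`, where the removed lines used `supprimer`, so any user allowed to create a movement may also mass-delete movements, and the `delete` branch of `actions_massactions.inc.php` (included later in this file) runs on `$permissiontodelete` alone. `STOCK_ALLOW_DELETE_OF_MOVEMENT` is only consulted further down when building the mass-action combo, which is a UI restriction rather than a server-side one: a hand-built POST with `massaction=delete`, `confirmmassaction=1` and `toselect[]` values still reaches the delete path while the constant is unset. Fold the policy into the permission itself: `$permissiontodelete = (!empty($conf->global->STOCK_ALLOW_DELETE_OF_MOVEMENT) && $user->rights->stock->mouvement->creer);` and `$usercandelete = $permissiontodelete;`, and fix the typo `shoul dnever` → `should never` in the comment. `$conf` and `$user` come from main.inc.php above this hunk.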
@@ -139,26 +146,35 @@ $parameters = array(); $reshook = $hookmanager->executeHooks('doActions', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks if ($reshook < 0) setEventMessages($hookmanager->error, $hookmanager->errors, 'errors'); -include DOL_DOCUMENT_ROOT.'/core/actions_changeselectedfields.inc.php'; - -// Do we click on purge search criteria ? -if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter.x', 'alpha') || GETPOST('button_removefilter', 'alpha')) // Both test are required to be compatible with all browsers +if (empty($reshook)) { - $year = ''; - $month = ''; - $search_ref = ''; - $search_movement = ""; - $search_type_mouvement = ""; - $search_inventorycode = ""; - $search_product_ref = ""; - $search_product = ""; - $search_warehouse = ""; - $search_user = ""; - $search_batch = ""; - $search_qty = ''; - $sall = ""; - $toselect = ''; - $search_array_options = array(); + include DOL_DOCUMENT_ROOT.'/core/actions_changeselectedfields.inc.php'; + + // Do we click on purge search criteria ? + if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter.x', 'alpha') || GETPOST('button_removefilter', 'alpha')) // Both test are required to be compatible with all browsers + { + $year = ''; + $month = ''; + $search_ref = ''; + $search_movement = ""; + $search_type_mouvement = ""; + $search_inventorycode = ""; + $search_product_ref = ""; + $search_product = ""; + $search_warehouse = ""; + $search_user = ""; + $search_batch = ""; + $search_qty = ''; + $sall = ""; + $toselect = ''; + $search_array_options = array(); + } + + // Mass actions + $objectclass = 'MouvementStock'; + $objectlabel = 'MouvementStock'; + $uploaddir = $conf->stock->dir_output; + include DOL_DOCUMENT_ROOT.'/core/actions_massactions.inc.php'; } // Correct stock 
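Review bot: In the purge-filter branch `$toselect` is reset to the empty string `''` while the top of the file initialises it from `GETPOST('toselect', 'array')`, so the variable changes type depending on which button was pressed, and `actions_massactions.inc.php`, included a few lines later, is handed whichever one it got. Reset it as `$toselect = array();` so the type is stable. Whether `$arrayofselected`, tested with `in_array()` further down, is built from `$toselect` is outside this hunk, so treat that part as an assumption to confirm.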
@@ -600,8 +616,8 @@ if ($resql) $resqlbis = $db->query($sql); if ($resqlbis) { - $obj = $db->fetch_object($resqlbis); - $lastmovementdate = $db->jdate($obj->datem); + $objbis = $db->fetch_object($resqlbis); + $lastmovementdate = $db->jdate($objbis->datem); } else { @@ -694,8 +710,9 @@ if ($resql) // 'presend'=>$langs->trans("SendByMail"), // 'builddoc'=>$langs->trans("PDFMerge"), ); - //if ($user->rights->stock->supprimer) $arrayofmassactions['predelete']=''.$langs->trans("Delete"); - if (in_array($massaction, array('presend', 'predelete'))) $arrayofmassactions = array(); + // By default, we should never accept deletion of stock movement. + if (! empty($conf->global->STOCK_ALLOW_DELETE_OF_MOVEMENT) && $permissiontodelete) $arrayofmassactions['predelete']=''.$langs->trans("Delete"); + if (GETPOST('nomassaction', 'int') || in_array($massaction, array('presend', 'predelete'))) $arrayofmassactions = array(); $massactionbutton = $form->selectMassAction('', $arrayofmassactions); print ''; @@ -713,6 +730,13 @@ if ($resql) if ($id > 0) print_barre_liste($texte, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, $massactionbutton, $num, $nbtotalofrecords, '', 0, '', '', $limit); else print_barre_liste($texte, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, $massactionbutton, $num, $nbtotalofrecords, 'generic', 0, '', '', $limit); + // Add code for pre mass action (confirmation or email presend form) + $topicmail = "SendStockMovement"; + $modelmail = "movementstock"; + $objecttmp = new MouvementStock($db); + $trackid = 'mov'.$object->id; + include DOL_DOCUMENT_ROOT.'/core/tpl/massactions_pre.tpl.php'; + if ($sall) { foreach ($fieldstosearchall as $key => $val) $fieldstosearchall[$key] = $langs->trans($val); @@ -961,6 +985,8 @@ if ($resql) $arrayofuniqueproduct = array(); + $i = 0; + $totalarray = array(); while ($i < min($num, $limit)) { $objp = $db->fetch_object($resql); 
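Review bot: The new pre-mass-action block sets `$trackid = 'mov'.$object->id;`, but on this list page nothing visible loads `$object` as a movement, and the `$objecttmp = new MouvementStock($db)` created on the line before suggests the author knew that, so the tracking id is most likely the constant `'mov'` for every selection. Since `presend` is commented out in `$arrayofmassactions` anyway, make the intent explicit rather than leave a misleading expression: `$trackid = ''; // no single movement in list context; set a per-movement id if presend is enabled`. How `$object` is populated earlier in the file is outside this hunk, so this is inferred from the visible lines only.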
@@ -1126,8 +1152,8 @@ if ($resql) if ($massactionbutton || $massaction) // If we are in select mode (massactionbutton defined) or if we have already selected and sent an action ($massaction) defined { $selected = 0; - if (in_array($obj->rowid, $arrayofselected)) $selected = 1; - print ''; + if (in_array($objp->mid, $arrayofselected)) $selected = 1; + print ''; } print ''; if (!$i) $totalarray['nbfield']++; From 9be4b28bea0d5a836051482cad3fabf68770aabc Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 19 Mar 2020 15:43:55 +0100 Subject: [PATCH 4/7] FIX mass action on stock movements --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 97923801971..fea73254f20 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,7 @@ FIX: missing global $conf FIX: Missing token in some forms (avoid unset POST errors) FIX: params of setEventMessage($langs->trans('ErrorProductClone')... FIX: Remove unexisting link +FIX: mass action on stock movements FIX: substitute lines dates values on doc generator (ODT, ...) FIX: Ticket - Load Cache Messages Ticket, wrong message's status FIX: Ticket Public - Private messages are displayed From d9f616d6e3c0ce9cd5ba15d4031fd7b1b46f9ba7 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 19 Mar 2020 15:59:49 +0100 Subject: [PATCH 5/7] Avoid file xxx_preview-1.png into export --- htdocs/compta/accounting-files.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/compta/accounting-files.php b/htdocs/compta/accounting-files.php index cb2c3d2fdff..4eb368e72df 100644 --- a/htdocs/compta/accounting-files.php +++ b/htdocs/compta/accounting-files.php 
@@ -241,7 +241,7 @@ if (($action == 'searchfiles' || $action == 'dl')) { { $result = true; - $files = dol_dir_list($upload_dir, "files", 0, '', '(\.meta|_preview\.png)$', '', SORT_ASC, 1); + $files = dol_dir_list($upload_dir, "files", 0, '', '(\.meta|_preview.*\.png)$', '', SORT_ASC, 1); //var_dump($upload_dir); //var_dump($files); From a413e2861e4f3bef054eb09fd8fdc4c55c6a4709 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 19 Mar 2020 21:13:15 +0100 Subject: [PATCH 6/7] Fix edit html --- htdocs/compta/deplacement/card.php | 4 ++-- htdocs/opensurvey/card.php | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/htdocs/compta/deplacement/card.php b/htdocs/compta/deplacement/card.php index cabc3510ea4..c08be32242b 100644 --- a/htdocs/compta/deplacement/card.php +++ b/htdocs/compta/deplacement/card.php @@ -281,7 +281,7 @@ if ($action == 'create') print ''.$langs->trans('NotePublic').''; print ''; - $doleditor = new DolEditor('note_public', GETPOST('note_public', 'alpha'), '', 200, 'dolibarr_notes', 'In', false, true, true, ROWS_8, '90%'); + $doleditor = new DolEditor('note_public', GETPOST('note_public', 'restricthtml'), '', 200, 'dolibarr_notes', 'In', false, true, true, ROWS_8, '90%'); print $doleditor->Create(1); print ''; @@ -293,7 +293,7 @@ if ($action == 'create') print ''.$langs->trans('NotePrivate').''; print ''; - $doleditor = new DolEditor('note_private', GETPOST('note_private', 'alpha'), '', 200, 'dolibarr_notes', 'In', false, true, true, ROWS_8, '90%'); + $doleditor = new DolEditor('note_private', GETPOST('note_private', 'restricthtml'), '', 200, 'dolibarr_notes', 'In', false, true, true, ROWS_8, '90%'); print $doleditor->Create(1); print ''; diff --git a/htdocs/opensurvey/card.php b/htdocs/opensurvey/card.php index 28b8f2a7640..64b270799a2 100644 --- a/htdocs/opensurvey/card.php +++ b/htdocs/opensurvey/card.php 
@@ -249,12 +249,12 @@ print ''; print ''.$langs->trans("Description").''; if ($action == 'edit') { - $doleditor = new DolEditor('nouveauxcommentaires', dol_htmlentities($object->commentaires), '', 120, 'dolibarr_notes', 'In', 1, 1, 1, ROWS_7, '90%'); + $doleditor = new DolEditor('nouveauxcommentaires', $object->description, '', 120, 'dolibarr_notes', 'In', 1, 1, 1, ROWS_7, '90%'); $doleditor->Create(0, ''); } else { - print (dol_textishtml($object->commentaires) ? $object->commentaires : dol_nl2br($object->commentaires, 1, true)); + print (dol_textishtml($object->description) ? $object->description : dol_nl2br($object->description, 1, true)); } print ''; @@ -264,7 +264,7 @@ if (!$object->fk_user_creat) { print ''.$langs->trans("EMail").''; if ($action == 'edit') { - print ''; + print ''; } else print dol_print_email($object->mail_admin, 0, 0, 1); print ''; From 87e808fec4d5116f4b5561fbd060bf85160603cb Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 19 Mar 2020 22:07:20 +0100 Subject: [PATCH 7/7] Fix phpcs --- htdocs/compta/accounting-files.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/compta/accounting-files.php b/htdocs/compta/accounting-files.php index 4eb368e72df..b8e10e7d0e3 100644 --- a/htdocs/compta/accounting-files.php +++ b/htdocs/compta/accounting-files.php @@ -24,7 +24,7 @@ */ if ($_GET['action'] == 'dl' || $_POST['action'] == 'dl') { // To not replace token when downloading file - if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); + if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL', '1'); } require '../main.inc.php';
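Review bot: Output safety for the survey description now rests entirely on the `restricthtml` filter applied at save time, because this hunk prints `$object->description` unescaped whenever `dol_textishtml()` says it looks like HTML and feeds the raw value into `DolEditor`, where the removed line ran it through `dol_htmlentities()`. Rows written before that filter existed, or by any other writer of the description column (import, API, direct SQL), reach the browser without it, so filter on output as well: `print (dol_textishtml($object->description) ? dol_string_onlythesehtmltags($object->description) : dol_nl2br($object->description, 1, true));`. Whether `restricthtml` itself maps onto `dol_string_onlythesehtmltags` is not visible here and should be confirmed before relying on one sanitizer on both sides. The hunk also silently switches the displayed field from `commentaires` to `description`; patch 2 writes the same value to both, but a one-line comment saying so would save the next reader a search.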