lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'develop' into look_feel_user_author_list

Browse Source
This commit is contained in:
Laurent Destailleur 2021-05-18 12:27:30 +02:00 committed by GitHub
commit 2ef713bd5f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
35 changed files with 314 additions and 156 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/adherents/document.php
View File

@ -93,6 +93,8 @@ if ($id) {
$caneditfieldmember = $user->rights->adherent->creer;
}
$permissiontoadd = $canaddmember;
// Security check
$result = restrictedArea($user, 'adherent', $object->id, '', '', 'socid', 'rowid', 0);

17
htdocs/admin/dict.php
View File

@ -871,8 +871,8 @@ if (GETPOST('actionadd') || GETPOST('actionmodify')) {
if ($value == 'price' || preg_match('/^amount/i', $value)) {
$_POST[$keycode] = price2num(GETPOST($keycode), 'MU');
} elseif ($value == 'taux' || $value == 'localtax1' || $value == 'localtax2') {
$_POST[$keycode] = price2num(GETPOST($keycode), 8);
} elseif ($value == 'taux' || $value == 'localtax1') {
$_POST[$keycode] = price2num(GETPOST($keycode), 8); // Note that localtax2 can be a list of rates separated by coma like X:Y:Z
} elseif ($value == 'entity') {
$_POST[$keycode] = getEntity($tabname[$id]);
}
@ -940,8 +940,8 @@ if (GETPOST('actionadd') || GETPOST('actionmodify')) {
if ($field == 'price' || preg_match('/^amount/i', $field)) {
$_POST[$keycode] = price2num(GETPOST($keycode), 'MU');
} elseif ($field == 'taux' || $field == 'localtax1' || $field == 'localtax2') {
$_POST[$keycode] = price2num(GETPOST($keycode), 8);
} elseif ($field == 'taux' || $field == 'localtax1') {
$_POST[$keycode] = price2num(GETPOST($keycode), 8); // Note that localtax2 can be a list of rates separated by coma like X:Y:Z
} elseif ($field == 'entity') {
$_POST[$keycode] = getEntity($tabname[$id]);
}
@ -1254,13 +1254,13 @@ if ($id) {
$valuetoshow = $langs->trans("UseLocalTax")." 2"; $class = "center"; $sortable = 0;
}
if ($value == 'localtax1') {
$valuetoshow = $langs->trans("Rate")." 2"; $class = "center";
$valuetoshow = $langs->trans("RateOfTaxN", '2'); $class = "center";
}
if ($value == 'localtax2_type') {
$valuetoshow = $langs->trans("UseLocalTax")." 3"; $class = "center"; $sortable = 0;
}
if ($value == 'localtax2') {
$valuetoshow = $langs->trans("Rate")." 3"; $class = "center";
$valuetoshow = $langs->trans("RateOfTaxN", '3'); $class = "center";
}
if ($value == 'organization') {
$valuetoshow = $langs->trans("Organization");
@ -1598,17 +1598,18 @@ if ($id) {
}
$cssprefix = 'center ';
}
if ($value == 'localtax1_type') {
$valuetoshow = $langs->trans("UseLocalTax")." 2"; $cssprefix = "center "; $sortable = 0;
}
if ($value == 'localtax1') {
$valuetoshow = $langs->trans("Rate")." 2"; $cssprefix = "center "; $sortable = 0;
$valuetoshow = $langs->trans("RateOfTaxN", '2'); $cssprefix = "center "; $sortable = 0;
}
if ($value == 'localtax2_type') {
$valuetoshow = $langs->trans("UseLocalTax")." 3"; $cssprefix = "center "; $sortable = 0;
}
if ($value == 'localtax2') {
$valuetoshow = $langs->trans("Rate")." 3"; $cssprefix = "center "; $sortable = 0;
$valuetoshow = $langs->trans("RateOfTaxN", '3'); $cssprefix = "center "; $sortable = 0;
}
if ($value == 'organization') {
$valuetoshow = $langs->trans("Organization");

14
htdocs/asset/document.php
View File

@ -40,12 +40,6 @@ $socid = GETPOST('socid', 'int');
$action = GETPOST('action', 'aZ09');
$confirm = GETPOST('confirm', 'alpha');
// Security check
if ($user->socid) {
$socid = $user->socid;
}
$result=restrictedArea($user, 'asset', $id, '');
// Get parameters
$limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
$sortfield = GETPOST("sortfield", 'alpha');
@ -69,6 +63,14 @@ if ($object->fetch($id)) {
$upload_dir = $conf->asset->dir_output."/".dol_sanitizeFileName($object->ref);
}
$permissiontoadd = $user->rights->asset->write; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles.inc.php
// Security check
if ($user->socid) {
$socid = $user->socid;
}
$result=restrictedArea($user, 'asset', $id, '');
/*
* Actions

2
htdocs/bom/bom_document.php
View File

@ -85,6 +85,8 @@ if ($id > 0 || !empty($ref)) {
$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0);
restrictedArea($user, 'bom', $object->id, 'bom_bom', '', '', 'rowid', $isdraft);
$permissiontoadd = $user->rights->bom->write; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles.inc.php
/*
* Actions

2
htdocs/comm/action/document.php
View File

@ -88,6 +88,8 @@ if ($user->socid && $socid) {
$result = restrictedArea($user, 'societe', $socid);
}
$permissiontoadd = $user->rights->agenda->myactions->read; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles.inc.php
/*
* Actions

2
htdocs/comm/propal/document.php
View File

@ -80,6 +80,8 @@ if (!$sortfield) {
$object = new Propal($db);
$object->fetch($id, $ref);
$permissiontoadd = $user->rights->propale->creer;
// Security check
if (!empty($user->socid)) {
$socid = $user->socid;

9
htdocs/comm/propal/list.php
View File

@ -460,9 +460,10 @@ $sql = 'SELECT';
if ($sall || $search_product_category > 0 || $search_user > 0) {
$sql = 'SELECT DISTINCT';
}
$sql .= ' s.rowid as socid, s.nom as name, s.name_alias as alias, s.email, s.town, s.zip, s.fk_pays, s.client, s.code_client, ';
$sql .= ' s.rowid as socid, s.nom as name, s.name_alias as alias, s.email, s.phone, s.fax , s.address, s.town, s.zip, s.fk_pays, s.client, s.code_client, ';
$sql .= " typent.code as typent_code,";
$sql .= " ava.rowid as availability,";
$sql .= " country.code as country_code,";
$sql .= " state.code_departement as state_code, state.nom as state_name,";
$sql .= ' p.rowid, p.entity, p.note_private, p.total_ht, p.total_tva, p.total_ttc, p.localtax1, p.localtax2, p.ref, p.ref_client, p.fk_statut as status, p.fk_user_author, p.datep as dp, p.fin_validite as dfv,p.date_livraison as ddelivery,';
$sql .= ' p.fk_multicurrency, p.multicurrency_code, p.multicurrency_tx, p.multicurrency_total_ht, p.multicurrency_total_tva, p.multicurrency_total_ttc,';
@ -1335,9 +1336,15 @@ if ($resql) {
$companystatic->id = $obj->socid;
$companystatic->name = $obj->name;
$companystatic->name_alias = $obj->alias;
$companystatic->client = $obj->client;
$companystatic->code_client = $obj->code_client;
$companystatic->email = $obj->email;
$companystatic->phone = $obj->phone;
$companystatic->address = $obj->address;
$companystatic->zip = $obj->zip;
$companystatic->town = $obj->town;
$companystatic->country_code = $obj->country_code;
$projectstatic->id = $obj->project_id;
$projectstatic->ref = $obj->project_ref;

14
htdocs/commande/document.php
View File

@ -44,12 +44,6 @@ $confirm = GETPOST('confirm');
$id = GETPOST('id', 'int');
$ref = GETPOST('ref');
// Security check
if ($user->socid) {
$socid = $user->socid;
}
$result = restrictedArea($user, 'commande', $id, '');
// Get parameters
$limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
$sortfield = GETPOST("sortfield", 'alpha');
@ -78,6 +72,14 @@ if (!$sortfield) {
$object = new Commande($db);
$permissiontoadd = $user->rights->commande->creer;
// Security check
if ($user->socid) {
$socid = $user->socid;
}
$result = restrictedArea($user, 'commande', $id, '');
/*
* Actions

11
htdocs/commande/list.php
View File

@ -417,9 +417,10 @@ $sql = 'SELECT';
if ($sall || $search_product_category > 0 || $search_user > 0) {
$sql = 'SELECT DISTINCT';
}
$sql .= ' s.rowid as socid, s.nom as name, s.name_alias as name_alias, s.email, s.town, s.zip, s.fk_pays, s.client, s.code_client,';
$sql .= ' s.rowid as socid, s.nom as name, s.name_alias as alias, s.email, s.phone, s.fax, s.address, s.town, s.zip, s.fk_pays, s.client, s.code_client,';
$sql .= " typent.code as typent_code,";
$sql .= " state.code_departement as state_code, state.nom as state_name,";
$sql .= " country.code as country_code,";
$sql .= ' c.rowid, c.ref, c.total_ht, c.total_tva, c.total_ttc, c.ref_client, c.fk_user_author,';
$sql .= ' c.fk_multicurrency, c.multicurrency_code, c.multicurrency_tx, c.multicurrency_total_ht, c.multicurrency_total_tva as multicurrency_total_vat, c.multicurrency_total_ttc,';
$sql .= ' c.date_valid, c.date_commande, c.note_public, c.note_private, c.date_livraison as date_delivery, c.fk_statut, c.facture as billed,';
@ -1383,10 +1384,16 @@ if ($resql) {
$nbprod = 0;
$companystatic->id = $obj->socid;
$companystatic->code_client = $obj->code_client;
$companystatic->name = $obj->name;
$companystatic->name_alias = $obj->alias;
$companystatic->client = $obj->client;
$companystatic->code_client = $obj->code_client;
$companystatic->email = $obj->email;
$companystatic->phone = $obj->phone;
$companystatic->address = $obj->address;
$companystatic->zip = $obj->zip;
$companystatic->town = $obj->town;
$companystatic->country_code = $obj->country_code;
if (!isset($getNomUrl_cache[$obj->socid])) {
$getNomUrl_cache[$obj->socid] = $companystatic->getNomUrl(1, 'customer');
}

2
htdocs/compta/facture/document.php
View File

@ -72,6 +72,8 @@ if ($object->fetch($id, $ref)) {
$upload_dir = $conf->facture->dir_output."/".dol_sanitizeFileName($object->ref);
}
$permissiontoadd = $user->rights->facture->creer;
// Security check
if ($user->socid) {
$socid = $user->socid;

40
htdocs/compta/facture/list.php
View File

@ -467,7 +467,7 @@ if (!empty($conf->margin->enabled)) {
$bankaccountstatic = new Account($db);
$facturestatic = new Facture($db);
$formcompany = new FormCompany($db);
$thirdpartystatic = new Societe($db);
$companystatic = new Societe($db);
$sql = 'SELECT';
if ($sall || $search_product_category > 0 || $search_user > 0) {
@ -481,7 +481,7 @@ $sql .= ' f.datef, f.date_valid, f.date_lim_reglement as datelimite, f.module_so
$sql .= ' f.paye as paye, f.fk_statut, f.close_code,';
$sql .= ' f.datec as date_creation, f.tms as date_update, f.date_closing as date_closing,';
$sql .= ' f.retained_warranty, f.retained_warranty_date_limit, f.situation_final, f.situation_cycle_ref, f.situation_counter,';
$sql .= ' s.rowid as socid, s.nom as name, s.name_alias as name_alias, s.email, s.town, s.zip, s.fk_pays, s.client, s.fournisseur, s.code_client, s.code_fournisseur, s.code_compta as code_compta_client, s.code_compta_fournisseur,';
$sql .= ' s.rowid as socid, s.nom as name, s.name_alias as alias, s.email, s.phone, s.fax, s.address, s.town, s.zip, s.fk_pays, s.client, s.fournisseur, s.code_client, s.code_fournisseur, s.code_compta as code_compta_client, s.code_compta_fournisseur,';
$sql .= ' typent.code as typent_code,';
$sql .= ' state.code_departement as state_code, state.nom as state_name,';
$sql .= ' country.code as country_code,';
@ -714,7 +714,7 @@ if (!$sall) {
$sql .= ' f.retained_warranty, f.retained_warranty_date_limit, f.situation_final, f.situation_cycle_ref, f.situation_counter,';
$sql .= ' f.fk_user_author, f.fk_multicurrency, f.multicurrency_code, f.multicurrency_tx, f.multicurrency_total_ht, f.multicurrency_total_tva,';
$sql .= ' f.multicurrency_total_tva, f.multicurrency_total_ttc,';
$sql .= ' s.rowid, s.nom, s.name_alias, s.email, s.town, s.zip, s.fk_pays, s.client, s.fournisseur, s.code_client, s.code_fournisseur, s.code_compta, s.code_compta_fournisseur,';
$sql .= ' s.rowid, s.nom, s.name_alias, s.email, s.phone, s.fax, s.address, s.town, s.zip, s.fk_pays, s.client, s.fournisseur, s.code_client, s.code_fournisseur, s.code_compta, s.code_compta_fournisseur,';
$sql .= ' typent.code,';
$sql .= ' state.code_departement, state.nom,';
$sql .= ' country.code,';
@ -1539,16 +1539,22 @@ if ($resql) {
$facturestatic->situation_cycle_ref = $obj->situation_cycle_ref;
$facturestatic->situation_counter = $obj->situation_counter;
}
$thirdpartystatic->id = $obj->socid;
$thirdpartystatic->name = $obj->name;
$thirdpartystatic->client = $obj->client;
$thirdpartystatic->fournisseur = $obj->fournisseur;
$thirdpartystatic->code_client = $obj->code_client;
$thirdpartystatic->code_compta_client = $obj->code_compta_client;
$thirdpartystatic->code_fournisseur = $obj->code_fournisseur;
$thirdpartystatic->code_compta_fournisseur = $obj->code_compta_fournisseur;
$thirdpartystatic->email = $obj->email;
$thirdpartystatic->country_code = $obj->country_code;
$companystatic->id = $obj->socid;
$companystatic->name = $obj->name;
$companystatic->name_alias = $obj->alias;
$companystatic->client = $obj->client;
$companystatic->fournisseur = $obj->fournisseur;
$companystatic->code_client = $obj->code_client;
$companystatic->code_compta_client = $obj->code_compta_client;
$companystatic->code_fournisseur = $obj->code_fournisseur;
$companystatic->code_compta_fournisseur = $obj->code_compta_fournisseur;
$companystatic->email = $obj->email;
$companystatic->phone = $obj->phone;
$companystatic->fax = $obj->fax;
$companystatic->address = $obj->address;
$companystatic->zip = $obj->zip;
$companystatic->town = $obj->town;
$companystatic->country_code = $obj->country_code;
$projectstatic->id = $obj->project_id;
$projectstatic->ref = $obj->project_ref;
@ -1570,10 +1576,10 @@ if ($resql) {
$multicurrency_remaintopay = 0;
}
if ($facturestatic->type == Facture::TYPE_CREDIT_NOTE && $obj->paye == 1) { // If credit note closed, we take into account the amount not yet consummed
$remaincreditnote = $discount->getAvailableDiscounts($thirdpartystatic, '', 'rc.fk_facture_source='.$facturestatic->id);
$remaincreditnote = $discount->getAvailableDiscounts($companystatic, '', 'rc.fk_facture_source='.$facturestatic->id);
$remaintopay = -$remaincreditnote;
$totalpay = price2num($facturestatic->total_ttc - $remaintopay);
$multicurrency_remaincreditnote = $discount->getAvailableDiscounts($thirdpartystatic, '', 'rc.fk_facture_source='.$facturestatic->id, 0, 0, 1);
$multicurrency_remaincreditnote = $discount->getAvailableDiscounts($companystatic, '', 'rc.fk_facture_source='.$facturestatic->id, 0, 0, 1);
$multicurrency_remaintopay = -$multicurrency_remaincreditnote;
$multicurrency_totalpay = price2num($facturestatic->multicurrency_total_ttc - $multicurrency_remaintopay);
}
@ -1704,9 +1710,9 @@ if ($resql) {
if (!empty($arrayfields['s.nom']['checked'])) {
print '<td class="tdoverflowmax200">';
if ($contextpage == 'poslist') {
print $thirdpartystatic->name;
print $companystatic->name;
} else {
print $thirdpartystatic->getNomUrl(1, 'customer');
print $companystatic->getNomUrl(1, 'customer');
}
print '</td>';
if (!$i) {

2
htdocs/compta/sociales/list.php
View File

@ -38,7 +38,7 @@ if (!empty($conf->projet->enabled)) {
}
// Load translation files required by the page
$langs->loadLangs(array('compta', 'banks', 'bills', 'hrm'));
$langs->loadLangs(array('compta', 'banks', 'bills', 'hrm', 'projects'));
$action = GETPOST('action', 'aZ09');
$massaction = GETPOST('massaction', 'alpha');

11
htdocs/core/actions_linkedfiles.inc.php
View File

@ -21,13 +21,14 @@
// Variable $upload_dir must be defined when entering here.
// Variable $upload_dirold may also exists.
// Variable $confirm must be defined.
// If variable $permissiontoadd is defined, we check it is true. Note: A test on permission should already have been done into the restrictedArea() method called by parent page.
//var_dump($upload_dir);
//var_dump($upload_dirold);
// Submit file/link
if (GETPOST('sendit', 'alpha') && !empty($conf->global->MAIN_UPLOAD_DOC)) {
if (GETPOST('sendit', 'alpha') && !empty($conf->global->MAIN_UPLOAD_DOC) && (!isset($permissiontoadd) || $permissiontoadd)) {
if (!empty($_FILES)) {
if (is_array($_FILES['userfile']['tmp_name'])) {
$userfiles = $_FILES['userfile']['tmp_name'];
@ -65,7 +66,7 @@ if (GETPOST('sendit', 'alpha') && !empty($conf->global->MAIN_UPLOAD_DOC)) {
}
}
}
} elseif (GETPOST('linkit', 'restricthtml') && !empty($conf->global->MAIN_UPLOAD_DOC)) {
} elseif (GETPOST('linkit', 'restricthtml') && !empty($conf->global->MAIN_UPLOAD_DOC) && (!isset($permissiontoadd) || $permissiontoadd)) {
$link = GETPOST('link', 'alpha');
if ($link) {
if (substr($link, 0, 7) != 'http://' && substr($link, 0, 8) != 'https://' && substr($link, 0, 7) != 'file://' && substr($link, 0, 7) != 'davs://') {
@ -77,7 +78,7 @@ if (GETPOST('sendit', 'alpha') && !empty($conf->global->MAIN_UPLOAD_DOC)) {
// Delete file/link
if ($action == 'confirm_deletefile' && $confirm == 'yes') {
if ($action == 'confirm_deletefile' && $confirm == 'yes' && (!isset($permissiontoadd) || $permissiontoadd)) {
$urlfile = GETPOST('urlfile', 'alpha', 0, null, null, 1); // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP).
if (GETPOST('section', 'alpha')) {
// For a delete from the ECM module, upload_dir is ECM root dir and urlfile contains relative path from upload_dir
@ -149,7 +150,7 @@ if ($action == 'confirm_deletefile' && $confirm == 'yes') {
exit;
}
}
} elseif ($action == 'confirm_updateline' && GETPOST('save', 'alpha') && GETPOST('link', 'alpha')) {
} elseif ($action == 'confirm_updateline' && GETPOST('save', 'alpha') && GETPOST('link', 'alpha') && (!isset($permissiontoadd) || $permissiontoadd)) {
require_once DOL_DOCUMENT_ROOT.'/core/class/link.class.php';
$langs->load('link');
$link = new Link($db);
@ -167,7 +168,7 @@ if ($action == 'confirm_deletefile' && $confirm == 'yes') {
} else {
//error fetching
}
} elseif ($action == 'renamefile' && GETPOST('renamefilesave', 'alpha')) {
} elseif ($action == 'renamefile' && GETPOST('renamefilesave', 'alpha') && (!isset($permissiontoadd) || $permissiontoadd)) {
// For documents pages, upload_dir contains already path to file from module dir, so we clean path into urlfile.
if (!empty($upload_dir)) {
$filenamefrom = dol_sanitizeFileName(GETPOST('renamefilefrom', 'alpha'), '_', 0); // Do not remove accents

24
htdocs/core/ajax/row.php
View File

@ -49,6 +49,9 @@ if (!defined('NOREQUIRETRAN')) {
require '../../main.inc.php';
require_once DOL_DOCUMENT_ROOT.'/core/class/genericobject.class.php';
// Security check
// This is done later into view.
/*
* View
@ -59,16 +62,16 @@ top_httphead();
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Registering the location of boxes
if (GETPOST('roworder', 'alpha', 2) && GETPOST('table_element_line', 'aZ09', 2)
&& GETPOST('fk_element', 'aZ09', 2) && GETPOST('element_id', 'int', 2)) {
$roworder = GETPOST('roworder', 'alpha', 2);
$table_element_line = GETPOST('table_element_line', 'aZ09', 2);
$fk_element = GETPOST('fk_element', 'aZ09', 2);
$element_id = GETPOST('element_id', 'int', 2);
if (GETPOST('roworder', 'alpha', 3) && GETPOST('table_element_line', 'aZ09', 3)
&& GETPOST('fk_element', 'aZ09', 3) && GETPOST('element_id', 'int', 3)) {
$roworder = GETPOST('roworder', 'alpha', 3);
$table_element_line = GETPOST('table_element_line', 'aZ09', 3);
$fk_element = GETPOST('fk_element', 'aZ09', 3);
$element_id = GETPOST('element_id', 'int', 3);
dol_syslog("AjaxRow roworder=".$roworder." table_element_line=".$table_element_line." fk_element=".$fk_element." element_id=".$element_id, LOG_DEBUG);
// Make test on pemrission
// Make test on permission
$perm = 0;
if ($table_element_line == 'propaldet' && $user->rights->propal->creer) {
$perm = 1;
@ -92,6 +95,10 @@ if (GETPOST('roworder', 'alpha', 2) && GETPOST('table_element_line', 'aZ09', 2)
$perm = 1;
} elseif ($table_element_line == 'facture_fourn_det' && $user->rights->fourn->facture->creer) {
$perm = 1;
} elseif ($table_element_line == 'ecm_files' && $fk_element == 'fk_product' && (!empty($user->rights->produit->creer) || !empty($user->rights->service->creer))) {
$perm = 1;
} elseif ($table_element_line == 'ecm_files' && $fk_element == 'fk_ticket' && !empty($user->rights->ticket->write)) {
$perm = 1;
} else {
$tmparray = explode('_', $table_element_line);
$tmpmodule = $tmparray[0]; $tmpobject = preg_replace('/line$/', '', $tmparray[1]);
@ -101,7 +108,10 @@ if (GETPOST('roworder', 'alpha', 2) && GETPOST('table_element_line', 'aZ09', 2)
}
if (! $perm) {
// We should not be here. If we are not allowed to reorder rows, feature should not be visible on script.
// If we are here, it is a hack attempt, so we report a warning.
print 'Bad permission to modify position of lines for object in table '.$table_element_line;
dol_syslog('Bad permission to modify position of lines for object in table '.$table_element_line.', fk_element '.$fk_element, LOG_WARNING);
accessforbidden('Bad permission to modify position of lines for object in table '.$table_element_line);
}

22
htdocs/core/lib/functions.lib.php
View File

@ -634,17 +634,17 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null
$out = checkVal($out, $check, $filter, $options);
}
// Sanitizing for special parameters. There is no reason to allow the backtopage, backtolist or backtourl parameter to contains an external URL.
// Sanitizing for special parameters.
// Note: There is no reason to allow the backtopage, backtolist or backtourl parameter to contains an external URL.
if ($paramname == 'backtopage' || $paramname == 'backtolist' || $paramname == 'backtourl') {
$out = str_replace('\\', '/', $out);
$out = str_replace(array(':', ';', '@'), '', $out);
$out = str_replace('\\', '/', $out); // Can be before the loop because only 1 char is replaced. No risk to get it after other replacements.
$out = str_replace(array(':', ';', '@'), '', $out); // Can be before the loop because only 1 char is replaced. No risk to get it after other replacements.
do {
$oldstringtoclean = $out;
$out = str_ireplace(array('javascript', 'vbscript', '&colon', '&#'), '', $out);
} while ($oldstringtoclean != $out);
$out = preg_replace(array('/^[a-z]*\/\/+/i'), '', $out);
$out = preg_replace(array('/^[a-z]*\/\/+/i'), '', $out); // We remove schema*// to remove external URL
}
// Code for search criteria persistence.
@ -684,7 +684,7 @@ function GETPOSTINT($paramname, $method = 0, $filter = null, $options = null, $n
}
/**
* Return a value after checking on a rule.
* Return a value after checking on a rule. A sanitization may also have been done.
*
* @param string $out Value to check/clear.
* @param string $check Type of check/sanitizing
@ -777,6 +777,11 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
case 'restricthtml': // Recommended for most html textarea
do {
$oldstringtoclean = $out;
// We replace chars encoded with numeric HTML entities with real char (to avoid to have numeric entities used for obfuscation of injections)
$out = preg_replace_callback('/&#(x?[0-9][0-9a-f]+);/i', 'realCharForNumericEntities', $out);
$out = preg_replace('/&#x?[0-9]+/i', '', $out); // For example if we have j&#x61vascript with an entities without the ; to hide the 'a' of 'javascript'.
$out = dol_string_onlythesehtmltags($out, 0, 1, 1);
// We should also exclude non expected attributes
@ -797,7 +802,6 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
}
if (!function_exists('dol_getprefix')) {
/**
* Return a prefix to use for this Dolibarr instance, for session/cookie names or email id.
@ -9738,8 +9742,8 @@ function dolGetButtonAction($label, $html = '', $actionType = 'default', $url =
/**
* Add space between dolGetButtonTitle
*
* @param string $moreClass more css class label
* @return string html of title separator
* @param string $moreClass more css class label
* @return string html of title separator
*/
function dolGetButtonTitleSeparator($moreClass = "")
{

2
htdocs/core/lib/security.lib.php
View File

@ -350,7 +350,7 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
// Check write permission from module (we need to know write permission to create but also to delete drafts record or to upload files)
$createok = 1;
$nbko = 0;
$wemustcheckpermissionforcreate = (GETPOST('sendit', 'alpha') || GETPOST('linkit', 'alpha') || GETPOST('action', 'aZ09') == 'create' || GETPOST('action', 'aZ09') == 'update');
$wemustcheckpermissionforcreate = (GETPOST('sendit', 'alpha') || GETPOST('linkit', 'alpha') || GETPOST('action', 'aZ09') == 'create' || GETPOST('action', 'aZ09') == 'update') || GETPOST('roworder', 'alpha', 2);
$wemustcheckpermissionfordeletedraft = ((GETPOST("action", "aZ09") == 'confirm_delete' && GETPOST("confirm", "aZ09") == 'yes') || GETPOST("action", "aZ09") == 'delete');
if ($wemustcheckpermissionforcreate || $wemustcheckpermissionfordeletedraft) {

5
htdocs/fourn/class/fournisseur.commande.class.php
View File

@ -280,6 +280,11 @@ class CommandeFournisseur extends CommonOrder
const STATUS_REFUSED = 9;
/**
* The constant used into source field to track the order was generated by the replenishement feature
*/
const SOURCE_ID_REPLENISHMENT = 42;
/**

1
htdocs/langs/en_US/main.lang
View File

@ -430,6 +430,7 @@ LT1IN=CGST
LT2IN=SGST
LT1GC=Additionnal cents
VATRate=Tax Rate
RateOfTaxN=Rate of tax %s
VATCode=Tax Rate code
VATNPR=Tax Rate NPR
DefaultTaxRate=Default tax rate

29
htdocs/main.inc.php
View File

@ -50,9 +50,33 @@ if (!empty($_SERVER['MAIN_SHOW_TUNING_INFO'])) {
}
}
/**
* Return the real char for a numeric entities.
* This function is required by testSqlAndScriptInject().
*
* @param string $matches String of numeric entity
* @return string New value
*/
function realCharForNumericEntities($matches)
{
$newstringnumentity = $matches[1];
if (preg_match('/^x/i', $newstringnumentity)) {
$newstringnumentity = hexdec(preg_replace('/^x/i', '', $newstringnumentity));
}
// The numeric value we don't want as entities
if (($newstringnumentity >= 65 && $newstringnumentity <= 90) || ($newstringnumentity >= 97 && $newstringnumentity <= 122)) {
return chr((int) $newstringnumentity);
}
return '&#'.$matches[1];
}
/**
* Security: WAF layer for SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST, PHP_SELF).
* Warning: Such a protection can't be enough. It is not reliable as it will alwyas be possible to bypass this. Good protection can
* Warning: Such a protection can't be enough. It is not reliable as it will always be possible to bypass this. Good protection can
* only be guaranted by escaping data during output.
*
* @param string $val Value brut found int $_GET, $_POST or PHP_SELF
@ -61,7 +85,7 @@ if (!empty($_SERVER['MAIN_SHOW_TUNING_INFO'])) {
*/
function testSqlAndScriptInject($val, $type)
{
// Decode string first bcause a lot of things are obfuscated by encoding or multiple encoding.
// Decode string first because a lot of things are obfuscated by encoding or multiple encoding.
// So <svg o&#110;load='console.log(&quot;123&quot;)' become <svg onload='console.log(&quot;123&quot;)'
// So "&colon;&apos;" become ":'" (due to ENT_HTML5)
// Loop to decode until no more thing to decode.
@ -69,6 +93,7 @@ function testSqlAndScriptInject($val, $type)
do {
$oldval = $val;
$val = html_entity_decode($val, ENT_QUOTES | ENT_HTML5);
$val = preg_replace_callback('/&#(x?[0-9][0-9a-f]+)/i', 'realCharForNumericEntities', $val); // Sometimes we have entities without the ; at end so html_entity_decode does not work but entities is still interpreted by browser.
} while ($oldval != $val);
//print "after decoding $val\n";

2
htdocs/modulebuilder/template/myobject_document.php
View File

@ -124,7 +124,7 @@ if ($id > 0 || !empty($ref)) {
$upload_dir = $conf->mymodule->multidir_output[$object->entity ? $object->entity : $conf->entity]."/myobject/".get_exdir(0, 0, 0, 1, $object);
}
$permissiontoadd = $user->rights->mymodule->myobject->write; // Used by the include of actions_addupdatedelete.inc.php
$permissiontoadd = $user->rights->mymodule->myobject->write; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles.inc.php
// Security check (enable the most restrictive one)
//if ($user->socid > 0) accessforbidden();

4
htdocs/product/document.php
View File

@ -113,7 +113,7 @@ if ($reshook < 0) {
if (empty($reshook)) {
// Delete line if product propal merge is linked to a file
if (!empty($conf->global->PRODUIT_PDF_MERGE_PROPAL)) {
if ($action == 'confirm_deletefile' && $confirm == 'yes') {
if ($action == 'confirm_deletefile' && $confirm == 'yes' && $permissiontoadd) {
//extract file name
$urlfile = GETPOST('urlfile', 'alpha');
$filename = basename($urlfile);
@ -131,7 +131,7 @@ if (empty($reshook)) {
include DOL_DOCUMENT_ROOT.'/core/actions_linkedfiles.inc.php';
}
if ($action == 'filemerge') {
if ($action == 'filemerge' && $permissiontoadd) {
$is_refresh = GETPOST('refresh');
if (empty($is_refresh)) {
$filetomerge_file_array = GETPOST('filetoadd');

22
htdocs/product/stock/replenish.php
View File

@ -66,7 +66,7 @@ $fourn_id = GETPOST('fourn_id', 'int');
$fk_supplier = GETPOST('fk_supplier', 'int');
$fk_entrepot = GETPOST('fk_entrepot', 'int');
//List all visible warehouses
// List all visible warehouses
$resWar = $db->query("SELECT rowid FROM " . MAIN_DB_PREFIX . "entrepot WHERE entity IN (" . $db->sanitize(getEntity('stock')) .")");
$listofqualifiedwarehousesid = "";
$count = 0;
@ -103,6 +103,7 @@ if (!$sortorder) {
$sortorder = 'ASC';
}
// Define virtualdiffersfromphysical
$virtualdiffersfromphysical = 0;
if (!empty($conf->global->STOCK_CALCULATE_ON_SHIPMENT)
|| !empty($conf->global->STOCK_CALCULATE_ON_SUPPLIER_DISPATCH_ORDER)
@ -224,17 +225,24 @@ if ($action == 'order' && GETPOST('valid')) {
$suppliersid = array_keys($suppliers);
foreach ($suppliers as $supplier) {
$order = new CommandeFournisseur($db);
// Check if an order for the supplier exists
$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."commande_fournisseur";
$sql .= " WHERE fk_soc = ".((int) $suppliersid[$i]);
$sql .= " AND source = 42 AND fk_statut = 0";
$sql .= " AND source = ".((int) $order::SOURCE_ID_REPLENISHMENT)." AND fk_statut = ".$order::STATUS_DRAFT;
$sql .= " AND entity IN (".getEntity('commande_fournisseur').")";
$sql .= " ORDER BY date_creation DESC";
$resql = $db->query($sql);
if ($resql && $db->num_rows($resql) > 0) {
$obj = $db->fetch_object($resql);
$order->fetch($obj->rowid);
$order->fetch_thirdparty();
foreach ($supplier['lines'] as $line) {
if (empty($line->remise_percent)) {
$line->remise_percent = $order->thirdparty->remise_supplier_percent;
}
$result = $order->addline(
$line->desc,
$line->subprice,
@ -268,13 +276,19 @@ if ($action == 'order' && GETPOST('valid')) {
} else {
$order->socid = $suppliersid[$i];
$order->fetch_thirdparty();
//trick to know which orders have been generated this way
$order->source = 42;
// Trick to know which orders have been generated using the replenishment feature
$order->source = $order::SOURCE_ID_REPLENISHMENT;
foreach ($supplier['lines'] as $line) {
if (empty($line->remise_percent)) {
$line->remise_percent = $order->thirdparty->remise_supplier_percent;
}
$order->lines[] = $line;
}
$order->cond_reglement_id = $order->thirdparty->cond_reglement_supplier_id;
$order->mode_reglement_id = $order->thirdparty->mode_reglement_supplier_id;
$id = $order->create($user);
if ($id < 0) {
$fail++;

10
htdocs/projet/document.php
View File

@ -40,11 +40,6 @@ $ref = GETPOST('ref', 'alpha');
$mine = (GETPOST('mode', 'alpha') == 'mine' ? 1 : 0);
//if (! $user->rights->projet->all->lire) $mine=1; // Special for projects
// Security check
$socid = 0;
//if ($user->socid > 0) $socid = $user->socid; // For external user, no check is done on company because readability is managed by public status of project and assignement.
$result = restrictedArea($user, 'projet', $id, 'projet&project');
$object = new Project($db);
include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be include, not include_once
@ -82,6 +77,11 @@ if (!$sortfield) {
$sortfield = "name";
}
// Security check
$socid = 0;
//if ($user->socid > 0) $socid = $user->socid; // For external user, no check is done on company because readability is managed by public status of project and assignement.
$result = restrictedArea($user, 'projet', $id, 'projet&project');
/*

38
htdocs/projet/list.php
View File

@ -297,7 +297,7 @@ if (empty($reshook)) {
* View
*/
$socstatic = new Societe($db);
$companystatic = new Societe($db);
$form = new Form($db);
$formother = new FormOther($db);
$formproject = new FormProjets($db);
@ -330,12 +330,13 @@ if (count($listofprojectcontacttype) == 0) {
}
$distinct = 'DISTINCT'; // We add distinct until we are added a protection to be sure a contact of a project and task is only once.
$sql = "SELECT ".$distinct." p.rowid as id, p.ref, p.title, p.fk_statut as status, p.fk_opp_status, p.public, p.fk_user_creat";
$sql .= ", p.datec as date_creation, p.dateo as date_start, p.datee as date_end, p.opp_amount, p.opp_percent, (p.opp_amount*p.opp_percent/100) as opp_weighted_amount, p.tms as date_update, p.budget_amount ";
$sql .= ", p.usage_opportunity, p.usage_task, p.usage_bill_time, p.usage_organize_event";
$sql .= ", accept_conference_suggestions, accept_booth_suggestions, price_registration, price_booth";
$sql .= ", s.rowid as socid, s.nom as name, s.email";
$sql .= ", cls.code as opp_status_code";
$sql = "SELECT ".$distinct." p.rowid as id, p.ref, p.title, p.fk_statut as status, p.fk_opp_status, p.public, p.fk_user_creat,";
$sql .= " p.datec as date_creation, p.dateo as date_start, p.datee as date_end, p.opp_amount, p.opp_percent, (p.opp_amount*p.opp_percent/100) as opp_weighted_amount, p.tms as date_update, p.budget_amount,";
$sql .= " p.usage_opportunity, p.usage_task, p.usage_bill_time, p.usage_organize_event,";
$sql .= " accept_conference_suggestions, accept_booth_suggestions, price_registration, price_booth,";
$sql .= " s.rowid as socid, s.nom as name, s.name_alias as alias, s.email, s.email, s.phone, s.fax, s.address, s.town, s.zip, s.fk_pays, s.client, s.code_client,";
$sql .= " country.code as country_code,";
$sql .= " cls.code as opp_status_code";
// Add fields from extrafields
if (!empty($extrafields->attributes[$object->table_element]['label'])) {
foreach ($extrafields->attributes[$object->table_element]['label'] as $key => $val) {
@ -355,6 +356,7 @@ if (is_array($extrafields->attributes[$object->table_element]['label']) && count
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX.$object->table_element."_extrafields as ef on (p.rowid = ef.fk_object)";
}
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s on p.fk_soc = s.rowid";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as country on (country.rowid = s.fk_pays)";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_lead_status as cls on p.fk_opp_status = cls.rowid";
// We'll need this table joined to the select in order to filter by sale
// No check is done on company permission because readability is managed by public status of project and assignement.
@ -978,9 +980,17 @@ while ($i < min($num, $limit)) {
$userAccess = $object->restrictedProjectArea($user); // why this ?
if ($userAccess >= 0) {
$socstatic->id = $obj->socid;
$socstatic->name = $obj->name;
$socstatic->email = $obj->email;
$companystatic->id = $obj->socid;
$companystatic->name = $obj->name;
$companystatic->name_alias = $obj->alias;
$companystatic->client = $obj->client;
$companystatic->code_client = $obj->code_client;
$companystatic->email = $obj->email;
$companystatic->phone = $obj->phone;
$companystatic->address = $obj->address;
$companystatic->zip = $obj->zip;
$companystatic->town = $obj->town;
$companystatic->country_code = $obj->country_code;
print '<tr class="oddeven">';
@ -1009,7 +1019,7 @@ while ($i < min($num, $limit)) {
if (!empty($arrayfields['s.nom']['checked'])) {
print '<td class="tdoverflowmax100">';
if ($obj->socid) {
print $socstatic->getNomUrl(1);
print $companystatic->getNomUrl(1);
} else {
print '&nbsp;';
}
@ -1022,9 +1032,9 @@ while ($i < min($num, $limit)) {
if (!empty($arrayfields['commercial']['checked'])) {
print '<td>';
if ($obj->socid) {
$socstatic->id = $obj->socid;
$socstatic->name = $obj->name;
$listsalesrepresentatives = $socstatic->getSalesRepresentatives($user);
$companystatic->id = $obj->socid;
$companystatic->name = $obj->name;
$listsalesrepresentatives = $companystatic->getSalesRepresentatives($user);
$nbofsalesrepresentative = count($listsalesrepresentatives);
if ($nbofsalesrepresentative > 6) {
// We print only number

4
htdocs/salaries/card.php
View File

@ -359,7 +359,9 @@ if ($action == 'confirm_clone' && $confirm == 'yes' && ($user->rights->salaries-
* View
*/
llxHeader("", $langs->trans("Salary"));
$title = $langs->trans('Salary')." - ".$langs->trans('Card');
$help_url = "";
llxHeader("", $title, $help_url);
$form = new Form($db);
if (!empty($conf->projet->enabled)) $formproject = new FormProjets($db);

4
htdocs/salaries/document.php
View File

@ -91,7 +91,9 @@ include DOL_DOCUMENT_ROOT.'/core/actions_linkedfiles.inc.php';
$form = new Form($db);
llxHeader("", $langs->trans("SalaryPayment"));
$title = $langs->trans('Salary')." - ".$langs->trans('Documents');
$help_url = "";
llxHeader("", $title, $help_url);
if ($object->id) {
$object->fetch_thirdparty();

4
htdocs/salaries/info.php
View File

@ -53,7 +53,9 @@ restrictedArea($user, 'salaries', $object->id, 'salary', '');
* View
*/
llxHeader("", $langs->trans("SalaryPayment"));
$title = $langs->trans('Salary')." - ".$langs->trans('Info');
$help_url = "";
llxHeader("", $title, $help_url);
$object = new Salary($db);
$object->fetch($id);

1
htdocs/societe/document.php
View File

@ -76,6 +76,7 @@ if ($id > 0 || !empty($ref)) {
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
$hookmanager->initHooks(array('thirdpartydocument', 'globalcard'));
$permissiontoadd = $user->rights->societe->creer; // Used by the include of actions_addupdatedelete.inc.php and actions_lineupdown.inc.php
// Security check
if ($user->socid > 0) {

5
htdocs/ticket/agenda.php
View File

@ -81,12 +81,9 @@ if (!$action) {
// Security check
$id = GETPOST("id", 'int');
$socid = 0;
//if ($user->socid > 0) $socid = $user->socid; // For external user, no check is done on company because readability is managed by public status of project and assignement.
if ($user->socid > 0) $socid = $user->socid;
$result = restrictedArea($user, 'ticket', $id, '');
if (!$user->rights->ticket->read) {
accessforbidden();
}
// restrict access for externals users
if ($user->socid > 0 && ($object->fk_soc != $user->socid)) {
accessforbidden();

31
htdocs/ticket/card.php
View File

@ -112,8 +112,8 @@ if ($id || $track_id || $ref) {
$url_page_current = DOL_URL_ROOT.'/ticket/card.php';
// Security check - Protection if external user
//if ($user->socid > 0) accessforbidden();
//if ($user->socid > 0) $socid = $user->socid;
$socid = 0;
if ($user->socid > 0) $socid = $user->socid;
$result = restrictedArea($user, 'ticket', $object->id);
$triggermodname = 'TICKET_MODIFY';
@ -1320,15 +1320,28 @@ if ($action == 'create' || $action == 'presend') {
// add a message
if ($action == 'presend' || $action == 'presend_addmessage') {
if ($object->fk_soc > 0) {
$object->fetch_thirdparty();
}
$outputlangs = $langs;
$newlang = '';
if ($conf->global->MAIN_MULTILANGS && empty($newlang) && GETPOST('lang_id', 'aZ09')) {
$newlang = GETPOST('lang_id', 'aZ09');
}
if ($conf->global->MAIN_MULTILANGS && empty($newlang) && is_object($object->thirdparty)) {
$newlang = $object->thirdparty->default_lang;
}
$arrayoffamiliestoexclude = array('objectamount');
$action = 'add_message'; // action to use to post the message
$modelmail = 'ticket_send';
// Substitution array
$morehtmlright = '';
$help = "";
$substitutionarray = array();
$substitutionarray = getCommonSubstitutionArray($newlang, 0, $arrayoffamiliestoexclude, $object);
if ($object->fk_soc > 0) {
$object->fetch_thirdparty();
$substitutionarray['__THIRDPARTY_NAME__'] = $object->thirdparty->name;
}
$substitutionarray['__USER_SIGNATURE__'] = $user->signature;
@ -1361,16 +1374,6 @@ if ($action == 'create' || $action == 'presend') {
print '<hr>';
// Define output language
$outputlangs = $langs;
$newlang = '';
if ($conf->global->MAIN_MULTILANGS && empty($newlang) && GETPOST('lang_id', 'aZ09')) {
$newlang = GETPOST('lang_id', 'aZ09');
}
if ($conf->global->MAIN_MULTILANGS && empty($newlang)) {
$newlang = $object->default_lang;
}
$formticket = new FormTicket($db);
$formticket->action = $action;

23
htdocs/ticket/contact.php
View File

@ -50,11 +50,6 @@ $source = GETPOST('source', 'alpha');
$ligne = GETPOST('ligne', 'int');
$lineid = GETPOST('lineid', 'int');
// Protection if external user
if ($user->socid > 0) {
$socid = $user->socid;
accessforbidden();
}
// Store current page url
$url_page_current = dol_buildpath('/ticket/contact.php', 1);
@ -62,6 +57,24 @@ $url_page_current = dol_buildpath('/ticket/contact.php', 1);
$object = new Ticket($db);
$permissiontoadd = $user->rights->ticket->write;
// Security check
$id = GETPOST("id", 'int');
$socid = 0;
if ($user->socid > 0) $socid = $user->socid;
$result = restrictedArea($user, 'ticket', $object->id, '');
// restrict access for externals users
if ($user->socid > 0 && ($object->fk_soc != $user->socid)) {
accessforbidden();
}
// or for unauthorized internals users
if (!$user->socid && (!empty($conf->global->TICKET_LIMIT_VIEW_ASSIGNED_ONLY) && $object->fk_user_assign != $user->id) && !$user->rights->ticket->manage) {
accessforbidden();
}
/*
* Actions
*/

20
htdocs/ticket/document.php
View File

@ -43,11 +43,6 @@ $track_id = GETPOST('track_id', 'alpha');
$action = GETPOST('action', 'alpha');
$confirm = GETPOST('confirm', 'alpha');
// Security check
if (!$user->rights->ticket->read) {
accessforbidden();
}
// Get parameters
$limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
$sortfield = GETPOST("sortfield", 'alpha');
@ -75,6 +70,21 @@ if ($result < 0) {
$upload_dir = $conf->ticket->dir_output."/".dol_sanitizeFileName($object->ref);
}
$permissiontoadd = $user->rights->ticket->write;
// Security check - Protection if external user
$result = restrictedArea($user, 'ticket', $object->id);
// restrict access for externals users
if ($user->socid > 0 && ($object->fk_soc != $user->socid)) {
accessforbidden();
}
// or for unauthorized internals users
if (!$user->socid && ($conf->global->TICKET_LIMIT_VIEW_ASSIGNED_ONLY && $object->fk_user_assign != $user->id) && !$user->rights->ticket->manage) {
accessforbidden();
}
/*
* Actions

9
htdocs/ticket/messaging.php
View File

@ -76,16 +76,14 @@ if (!$action) {
$action = 'view';
}
$permissiontoadd = $user->rights->ticket->write;
// Security check
$id = GETPOST("id", 'int');
$socid = 0;
//if ($user->socid > 0) $socid = $user->socid; // For external user, no check is done on company because readability is managed by public status of project and assignement.
$result = restrictedArea($user, 'ticket', $id, '');
if ($user->socid > 0) $socid = $user->socid;
$result = restrictedArea($user, 'ticket', $object->id, '');
if (!$user->rights->ticket->read) {
accessforbidden();
}
// restrict access for externals users
if ($user->socid > 0 && ($object->fk_soc != $user->socid)) {
accessforbidden();
@ -96,7 +94,6 @@ if (!$user->socid && (!empty($conf->global->TICKET_LIMIT_VIEW_ASSIGNED_ONLY) &&
}
/*
* Actions
*/

14
htdocs/user/class/api_users.class.php
View File

@ -21,6 +21,7 @@ use Luracast\Restler\RestException;
require_once DOL_DOCUMENT_ROOT.'/user/class/user.class.php';
require_once DOL_DOCUMENT_ROOT.'/user/class/usergroup.class.php';
/**
* API class for users
*
@ -47,6 +48,7 @@ class Users extends DolibarrApi
public function __construct()
{
global $db, $conf;
$this->db = $db;
$this->useraccount = new User($this->db);
}
@ -68,9 +70,9 @@ class Users extends DolibarrApi
*/
public function index($sortfield = "t.rowid", $sortorder = 'ASC', $limit = 100, $page = 0, $user_ids = 0, $category = 0, $sqlfilters = '')
{
global $db, $conf;
global $conf;
if (!DolibarrApiAccess::$user->rights->user->user->lire && empty(DolibarrApiAccess::$user->admin)) {
if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
throw new RestException(401, "You are not allowed to read list of users");
}
@ -423,12 +425,12 @@ class Users extends DolibarrApi
*/
public function getGroups($id)
{
$obj_ret = array();
if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
throw new RestException(403);
}
$obj_ret = array();
$user = new User($this->db);
$result = $user->fetch($id);
if (!$result) {
@ -512,13 +514,13 @@ class Users extends DolibarrApi
*/
public function listGroups($sortfield = "t.rowid", $sortorder = 'ASC', $limit = 100, $page = 0, $group_ids = 0, $sqlfilters = '')
{
global $db, $conf;
global $conf;
$obj_ret = array();
if ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) ||
!empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->group_advance->read) && empty(DolibarrApiAccess::$user->admin)) {
throw new RestException(401, "You are not allowed to read groups");
throw new RestException(401, "You are not allowed to read groups");
}
// case of external user, $societe param is ignored and replaced by user's socid

68
test/phpunit/SecurityTest.php
View File

@ -198,20 +198,29 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$result=testSqlAndScriptInject($test, 0);
$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject expected 0b');
// Should detect XSS
// Should detect attack
$expectedresult=1;
$_SERVER["PHP_SELF"]='/DIR WITH SPACE/htdocs/admin/index.php/<svg>';
$result=testSqlAndScriptInject($_SERVER["PHP_SELF"], 2);
$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject for PHP_SELF that should detect XSS');
$test = 'j&#x61;vascript:';
$result=testSqlAndScriptInject($test, 0);
$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for javascript1. Should find an attack and did not.');
$test = 'j&#x61vascript:';
$result=testSqlAndScriptInject($test, 0);
$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for javascript2. Should find an attack and did not.');
$test = 'javascript&colon&#x3B;alert(1)';
$result=testSqlAndScriptInject($test, 0);
$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject expected 1a');
$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for javascript2');
$test="<img src='1.jpg' onerror =javascript:alert('XSS')>";
$result=testSqlAndScriptInject($test, 0);
$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject aaa');
$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject aaa1');
$test="<img src='1.jpg' onerror =javascript:alert('XSS')>";
$result=testSqlAndScriptInject($test, 2);
@ -328,9 +337,12 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$_POST["param10"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'<abc>objnotdefined\'';
$_POST["param11"]=' Name <email@email.com> ';
$_POST["param12"]='<!DOCTYPE html><html>aaa</html>';
$_POST["param13"]='&#110; &#x6E; &gt; &lt; &quot; <a href=\"j&#x61;vascript:alert(document.domain)\">XSS</a>';
$_POST["param13b"]='&#110; &#x6E; &gt; &lt; &quot; <a href=\"j&#x61vascript:alert(document.domain)\">XSS</a>';
//$_POST["param13"]='javascript%26colon%26%23x3B%3Balert(1)';
//$_POST["param14"]='javascripT&javascript#x3a alert(1)';
$result=GETPOST('id', 'int'); // Must return nothing
print __METHOD__." result=".$result."\n";
$this->assertEquals($result, '');
@ -343,7 +355,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print __METHOD__." result=".$result."\n";
$this->assertEquals($result, 333, 'Test on param1 with 3rd param = 2');
// Test alpha
// Test with alpha
$result=GETPOST("param2", 'alpha');
print __METHOD__." result=".$result."\n";
@ -357,7 +369,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print __METHOD__." result=".$result."\n";
$this->assertEquals($result, 'dir');
// Test aZ09
// Test with aZ09
$result=GETPOST("param1", 'aZ09');
print __METHOD__." result=".$result."\n";
@ -379,25 +391,22 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print __METHOD__." result=".$result."\n";
$this->assertEquals($_GET["param5"], $result);
$result=GETPOST("param6", 'alpha');
print __METHOD__." result=".$result."\n";
$this->assertEquals('>', $result);
// Test with nohtml
$result=GETPOST("param6", 'nohtml');
print __METHOD__." result=".$result."\n";
$this->assertEquals('">', $result);
$result=GETPOST("param6b");
// Test with alpha = alphanohtml. We must convert the html entities like &#110; and disable all entities
$result=GETPOST("param6", 'alphanohtml');
print __METHOD__." result=".$result."\n";
$this->assertEquals('>', $result);
$result=GETPOST("param6b", 'alphanohtml');
print __METHOD__." result=".$result."\n";
$this->assertEquals('abc', $result);
// With restricthtml we must remove html open/close tag and content but not htmlentities like &#110;
$result=GETPOST("param7", 'restricthtml');
print __METHOD__." result=".$result."\n";
$this->assertEquals('"c:\this is a path~1\aaa&#110;" abcdef', $result);
// With alphanohtml, we must convert the html entities like &#110; and disable all entities
$result=GETPOST("param8a", 'alphanohtml');
print __METHOD__." result=".$result."\n";
$this->assertEquals("Hackersvg onload='console.log(123)'", $result);
@ -434,24 +443,39 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print __METHOD__." result=".$result."\n";
$this->assertEquals("Name", $result, 'Test an email string with alphanohtml');
$result=GETPOST("param13", 'alphanohtml');
print __METHOD__." result=".$result."\n";
$this->assertEquals('n n > < XSS', $result, 'Test that html entities are decoded with alpha');
// Test with alphawithlgt
$result=GETPOST("param11", 'alphawithlgt');
print __METHOD__." result=".$result."\n";
$this->assertEquals(trim($_POST["param11"]), $result, 'Test an email string with alphawithlgt');
// Test with restricthtml we must remove html open/close tag and content but not htmlentities (we can decode html entities for ascii chars like &#110;)
$result=GETPOST("param6", 'restricthtml');
print __METHOD__." result=".$result."\n";
$this->assertEquals('&quot;&gt;', $result);
$result=GETPOST("param7", 'restricthtml');
print __METHOD__." result=".$result."\n";
$this->assertEquals('"c:\this is a path~1\aaan" abcdef', $result);
$result=GETPOST("param12", 'restricthtml');
print __METHOD__." result=".$result."\n";
$this->assertEquals(trim($_POST["param12"]), $result, 'Test a string with DOCTYPE and restricthtml');
/*$result=GETPOST("param13", 'alphanohtml');
$result=GETPOST("param13", 'restricthtml');
print __METHOD__." result=".$result."\n";
$this->assertEquals(trim($_POST["param13"]), $result, 'Test a string and alphanohtml');
$this->assertEquals('n n &gt; &lt; &quot; <a href=\"alert(document.domain)\">XSS</a>', $result, 'Test that HTML entities are decoded with restricthtml, but only for common alpha chars');
$result=GETPOST("param14", 'alphanohtml');
$result=GETPOST("param13b", 'restricthtml');
print __METHOD__." result=".$result."\n";
$this->assertEquals(trim($_POST["param14"]), $result, 'Test a string and alphanohtml');
*/
$this->assertEquals('n n &gt; &lt; &quot; <a href=\"jvascript:alert(document.domain)\">XSS</a>', $result, 'Test that HTML entities are decoded with restricthtml, but only for common alpha chars');
// Special test for GETPOST of backtopage or backtolist parameter
// Special test for GETPOST of backtopage, backtolist or backtourl parameter
$_POST["backtopage"]='//www.google.com';
$result=GETPOST("backtopage");