diff --git a/ChangeLog b/ChangeLog
index cd9397939f5..de1482ea183 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,65 @@
English Dolibarr ChangeLog
--------------------------------------------------------------
+
+***** ChangeLog for 15.0.0 compared to 14.0.0 *****
+
+For developers:
+---------------
+
+WARNING:
+
+Following changes may create regressions for some external modules, but were necessary to make Dolibarr better:
+* Update hook 'printOriginObjectLine', removed check on product type and special code. Need now reshook.
+* Old deprecated module "SimplePOS" has been completely removed. Use module "TakePOS" is you need a Point Of Sale.
+* The method static ActionComm::getActions($db, ...) is no more static. Use $actioncomm->getActions(...) instead (without $db param).
+
+
+
+***** ChangeLog for 14.0.2 compared to 14.0.1 *****
+
+FIX: #18353 Invoice list translation issue
+FIX: #18375 SQL Error on tasks statistics
+FIX: #18465
+FIX: #18484
+FIX: #18531
+FIX: #18542 REST API: set global $user variable to DolibarrApiAccess::user.
+FIX: #18544 Shipment REST API: load thirdparty object into the shipment before validating.
+FIX: #18544 Shipment rest api: load thirdparty object when validating
+FIX: #18565
+FIX: #18589 #18617
+FIX: #18591 : Remove double quotes of SQL Queries for postgresql compatibility
+FIX: #18666 Order / Shipment list: Don't SQL JOIN category table when not necessary.
+FIX: Accountancy - Some problems of length with general & subledger account
+FIX: add DISTINCT
+FIX: Add option $noescapecommand in executeCLI for better compatibility
+FIX: Add token to remove error when removing widget
+FIX: Add token when remove the last widget on home page
+FIX: an approved holiday can be canceled by an admin.
+FIX: better sql request
+FIX: change LOG_DEBUG with LOG_WARNING in syslog and remove sql error in syslog (already done)
+FIX: Collapsing of extrafields has disappeared.
+FIX: Date of payment of subscription must not be set to 1970-01-01.
+FIX: Export of website generates a package that contains a sql error
+FIX: Field already present in SQL request
+FIX: increase maxlength of password input
+FIX: invoice fetch not found syslog debug level instead of error
+FIX: Invoice list - Wrong name for column total_tva
+FIX: invoice validation: when checking if any vat rate has a negative amount, prevent false positives with -1E-14 amounts
+FIX: Manage credit note on situation invoice for calculate margin
+FIX: Menu List of project was not visible.
+FIX: migration script
+FIX: multicompany transverse mode compatibility
+FIX: option "Default value for field 'Refuse bulk emailings'"
+FIX: Recommended session.cookie_samesite must be 'Lax' not 'Strict'.
+FIX: Relative discount with high nb of decimals
+FIX: salary extrafields don't work and table is not well named
+FIX: Supplier invoice list - Wrong language key used
+FIX: wrong table_element_line
+FIX: wrong users count in multicompany transverse mode
+FIX: #yogosha6944 Protection against traversal path.
+
+
***** ChangeLog for 14.0.1 compared to 14.0.0 *****
FIX: $conf->task used but it does not exist, use $conf->projet instead
@@ -42,19 +101,6 @@ FIX: using Tulip, deposit mask was not saved
FIX: #yogosha6907
-***** ChangeLog for 15.0.0 compared to 14.0.0 *****
-
-For developers:
----------------
-
-WARNING:
-
-Following changes may create regressions for some external modules, but were necessary to make Dolibarr better:
-* Update hook 'printOriginObjectLine', removed check on product type and special code. Need now reshook.
-* Old deprecated module "SimplePOS" has been completely removed. Use module "TakePOS" is you need a Point Of Sale.
-
-
-
***** ChangeLog for 14.0.0 compared to 13.0.0 *****
For users:
diff --git a/README.md b/README.md
index 834cc09236e..54fdf1e958b 100644
--- a/README.md
+++ b/README.md
@@ -81,7 +81,7 @@ If you don't have time to install it yourself, you can try some commercial 'read
Dolibarr supports upgrading, usually without the need for any (commercial) support (depending on if you use any commercial extensions). It supports upgrading all the way from any version after 2.8 without breakage. This is unique in the ERP ecosystem and a benefit our users highly appreciate!
-- At first make a backup of your Dolibarr files & than [see](https://wiki.dolibarr.org/index.php/Installation_-_Upgrade#Upgrade_Dolibarr)
+- At first make a backup of your Dolibarr files & then [see](https://wiki.dolibarr.org/index.php/Installation_-_Upgrade#Upgrade_Dolibarr)
- Check that your installed PHP version is supported by the new version [see PHP support](./doc/phpmatrix.md).
- Overwrite all old files from 'dolibarr' directory with files provided into the new version's package.
- At first next access, Dolibarr will redirect you to the "install/" page to follow the upgrade process.
@@ -154,18 +154,18 @@ See the [ChangeLog](https://github.com/Dolibarr/dolibarr/blob/develop/ChangeLog)
### Other application/modules
-- Electronic Document Management (EDM)
+- Electronic Document Management (EDM)
- Bookmarks management
- Reporting
- Data export/import
-- Barcodes
+- Barcodes
- Margin calculations
- LDAP connectivity
- ClickToDial integration
- Mass emailing
- RSS integration
- Skype integration
-- Social platforms linking
+- Social platforms linking
- Payment platforms integration (PayPal, Stripe, Paybox...)
- Email-Collector
@@ -179,14 +179,11 @@ See the [ChangeLog](https://github.com/Dolibarr/dolibarr/blob/develop/ChangeLog)
- Multi-Users and groups with finely grained rights
- Multi-Currency
- Multi-Company (by adding of an external module)
-
- Very user friendly and easy to use
- customizable Dashboard
- Highly customizable: enable only the modules you need, add user personalized fields, choose your skin, several menu managers (can be used by internal users as a back-office with a particular menu, or by external users as a front-office with another one)
-
- APIs (REST, SOAP)
- Code that is easy to understand, maintain and develop (PHP with no heavy framework; trigger and hook architecture)
-
- Support a lot of country specific features:
- Spanish Tax RE and ISPF
- French NPR VAT rate (VAT called "Non Perçue Récupérable" for DOM-TOM)
@@ -197,7 +194,7 @@ See the [ChangeLog](https://github.com/Dolibarr/dolibarr/blob/develop/ChangeLog)
- Compatible with European GDPR rules
- ...
- Flexible PDF & ODT generation for invoices, proposals, orders...
-- …
+- ...
### System Environment / Requirements
diff --git a/SECURITY.md b/SECURITY.md
index 7d65b7e98e4..427b1cc7ae2 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -4,11 +4,11 @@ This file contains some policies about the security reports on Dolibarr ERP CRM
## Supported Versions for security reports
-| Version | Supported |
-| --------- | ------------------ |
-| <= 12.* | :x: |
-| >= 13.* | :white_check_mark: |
-
+| Version | Supported |
+| ---------- | ---------------------- |
+| <= 14.0.1 | :x: |
+| >= 14.0.2+ | :white_check_mark: except CSRF attacks|
+| >= develop | :white_check_mark: |
## Reporting a Vulnerability
@@ -54,12 +54,12 @@ ONLY vulnerabilities discovered, when the following setup on test platform is us
* $dolibarr_main_prod must be set to 1 into conf.php
* $dolibarr_nocsrfcheck must be kept to the value 0 into conf.php (this is the default value)
* $dolibarr_main_force_https must be set to something else than 0.
-* The constant MAIN_SECURITY_CSRF_WITH_TOKEN must be set to 1 into backoffice menu Home - Setup - Other (this protection should be set to 1 soon by default)
+* The constant MAIN_SECURITY_CSRF_WITH_TOKEN must be set to 3 into backoffice menu Home - Setup - Other (this protection should be set to 3 soon by default)
* The module DebugBar and ModuleBuilder must NOT be enabled (by default, these modules are not enabled. They are developer tools)
* ONLY security reports on modules provided by default and with the "stable" status are valid (troubles into "experimental", "developement" or external modules are not valid vulnerabilities).
* The root of web server must link to htdocs and the documents directory must be outside of the web server root (this is the default when using the default installer but may differs with external installer).
* The web server setup must be done so only the documents directory is in write mode. The root directory called htdocs must be readonly.
-* CSRF attacks are accepted when using a POST URL, but when using GET URL, they are validated only for creating, updating or deleting data resctricted from pages restricted to admin users.
+* CSRF attacks are accepted but double check that you have set MAIN_SECURITY_CSRF_WITH_TOKEN to value 3.
* Ability for a high level user to edit web site pages into the CMS by including HTML or Javascript is an expected feature. Vulnerabilities into the website module are validated only if HTML or Javascript injection can be done by a non allowed user.
Scope is the web application (back office) and the APIs.
@@ -90,9 +90,8 @@ Scope is the web application (back office) and the APIs.
* Clickjacking/UI redressing
* Physical or social engineering attempts or issues that require physical access to a victim’s computer/device
* Presence of autocomplete attribute on web forms
-* Vulnerabilities affecting outdated browsers or platforms
+* Vulnerabilities affecting outdated browsers or platforms, or vulnerabilities inside browsers themself.
* Logout and other instances of low-severity Cross-Site Request Forgery
-* Missing cookie flags
* Missing security-related HTTP headers which do not lead directly to a vulnerability
* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
* Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM/DMARC)
diff --git a/build/docker/Dockerfile b/build/docker/Dockerfile
index dca74e9e720..eb8e3ade6dc 100644
--- a/build/docker/Dockerfile
+++ b/build/docker/Dockerfile
@@ -57,7 +57,6 @@ RUN echo "host mail" >> /etc/msmtprc
RUN echo "from local@localdomain.com" >> /etc/msmtprc
RUN echo "domain localhost.localdomain" >> /etc/msmtprc
RUN echo "sendmail_path=/usr/bin/msmtp -t" >> /usr/local/etc/php/conf.d/php-sendmail.ini
-RUN echo "localhost localhost.localdomain" >> /etc/hosts
EXPOSE 80
diff --git a/build/docker/docker-compose.yml b/build/docker/docker-compose.yml
index 2167f069f25..b72118de5fb 100644
--- a/build/docker/docker-compose.yml
+++ b/build/docker/docker-compose.yml
@@ -46,6 +46,8 @@ services:
networks:
- internal-pod
- external-pod
+ extra_hosts:
+ - "localhost.localdomain:127.0.0.1"
mail:
image: maildev/maildev
diff --git a/build/generate_filelist_xml.php b/build/generate_filelist_xml.php
index 8e7ef3ef46c..7065e20f92b 100755
--- a/build/generate_filelist_xml.php
+++ b/build/generate_filelist_xml.php
@@ -239,10 +239,18 @@ fclose($fp);
if (empty($buildzip)) {
print "File ".$outputfile." generated\n";
} else {
- $result = dol_compress_file($outputfile, $outputfile.'.zip');
- if ($result > 0) {
- dol_delete_file($outputfile);
- print "File ".$outputfile.".zip generated\n";
+ if ($buildzip == '1' || $buildzip == 'zip') {
+ $result = dol_compress_file($outputfile, $outputfile.'.zip', 'zip');
+ if ($result > 0) {
+ dol_delete_file($outputfile);
+ print "File ".$outputfile.".zip generated\n";
+ }
+ } elseif ($buildzip == '2' || $buildzip == 'gz') {
+ $result = dol_compress_file($outputfile, $outputfile.'.gz', 'gz');
+ if ($result > 0) {
+ dol_delete_file($outputfile);
+ print "File ".$outputfile.".gz generated\n";
+ }
}
}
diff --git a/dev/examples/ldap/ldapsearch_sample1.txt b/dev/examples/ldap/ldapsearch_sample1.txt
index 5f667ffd7a4..a02ad632cd0 100644
--- a/dev/examples/ldap/ldapsearch_sample1.txt
+++ b/dev/examples/ldap/ldapsearch_sample1.txt
@@ -3,11 +3,26 @@
#
# Use this sample to search into a ldap
#
-# ldapsearch -h hostname -x
-# ldapsearch -h hostname -x -b "ou=people,dc=teclib,dc=infra"
-# ldapsearch -h hostname -x -z 0 -b "o=somecompany.com" -D "cn=manager,o=somecompany.com" -w password "(objectclass=*)"
-# ldapsearch -h hostname -x -b "o=somecompany.com" -D "cn=manager,o=somecompany.com" -w password "(objectclass=*)"
+
+# Anonymous access
+# ldapsearch -h hostname -p 389
+#
+# Login access (using a Bind DN)
+# ldapsearch -h hostname -p 389 -z 0 -D "uid=root,cn=users,dc=ldap,dc=test,dc=local" -w password
+# ldapsearch -H ldap://hostname:389 -z 0 -D "uid=root,cn=users,dc=ldap,dc=test,dc=local" -w password
+# ldapsearch -d1 -H ldap://hostname:389 -x -z 0 -D "uid=root,cn=users,dc=ldap,dc=test,dc=local" -w password
+# ldapsearch -H ldap://hostname:389 -z 0 -D "uid=root,cn=users,dc=ldap,dc=test,dc=local" -w password
+#
+# Login access in SSL (using a Bind DN)
+# ldapsearch -H ldaps://hostnamme:636 -z 0 -D "uid=root,cn=users,dc=ldap,dc=test,dc=local" -w password -b "cn=users,dc=ldap,dc=test,dc=local
+# If it fails, you may try to use "hostname" that is real name of certificate.
+# You must also check that /etc/ldap/ldap.conf contains the line TLS_CACERT /etc/ssl/certs/ca-certificates.crt
+
+# What to search
+# ldapsearch -h hostname -p 389 -x -D "uid=root,cn=users,dc=ldap,dc=test,dc=local" -w password -b "cn=users,dc=ldap,dc=test,dc=local"
+# ldapsearch -h hostname -p 389 -x -D "cn=manager,o=somecompany.com" -w password -b "ou=people,dc=teclib,dc=infra"
+# ldapsearch -h hostname -p 389 -x -D "cn=manager,o=somecompany.com" -w password -b "o=somecompany.com" "(objectclass=*)"
#
# Example to test a ldap search:
-# ldapsearch -h hostname -x -z 5 -b 'OU=Collaborateurs,OU=Utilisateurs,OU=MyCompany,DC=bocal,DC=lan' -D 'CN=UserAdmin,OU=Informatique,OU=Utilisateurs,OU=MyCompany,DC=bocal,DC=lan' -w password
+# ldapsearch -h hostname -p 389 -x -z 5 -b 'OU=Collaborateurs,OU=Utilisateurs,OU=MyCompany,DC=bocal,DC=lan' -D 'CN=UserAdmin,OU=Informatique,OU=Utilisateurs,OU=MyCompany,DC=bocal,DC=lan' -w password
diff --git a/dev/initdemo/initdemopassword.sh b/dev/initdemo/initdemopassword.sh
index 933c3b1afa2..37264fb8e4d 100755
--- a/dev/initdemo/initdemopassword.sh
+++ b/dev/initdemo/initdemopassword.sh
@@ -171,7 +171,10 @@ if [ $res -ne 0 ]; then
fi
if [ -s "$mydir/initdemopostsql.sql" ]; then
+ echo A file initdemopostsql.sql was found, we execute it.
mysql -P$port $base < "$mydir/initdemopostsql.sql"
+else
+ echo No file initdemopostsql.sql found, we extra sql action done.
fi
diff --git a/dev/initdemo/mysqldump_dolibarr_14.0.0.sql b/dev/initdemo/mysqldump_dolibarr_14.0.0.sql
index 4061fb9f4cf..e619c2c8fda 100644
--- a/dev/initdemo/mysqldump_dolibarr_14.0.0.sql
+++ b/dev/initdemo/mysqldump_dolibarr_14.0.0.sql
@@ -2056,7 +2056,7 @@ CREATE TABLE `llx_c_holiday_types` (
`label` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
`affect` int(11) NOT NULL,
`delay` int(11) NOT NULL,
- `newByMonth` double(8,5) NOT NULL DEFAULT 0.00000,
+ `newbymonth` double(8,5) NOT NULL DEFAULT 0.00000,
`fk_country` int(11) DEFAULT NULL,
`active` int(11) DEFAULT 1,
PRIMARY KEY (`rowid`),
diff --git a/dev/tools/github_authors_peryear.sh b/dev/tools/github_authors_and_commits_peryear.sh
similarity index 100%
rename from dev/tools/github_authors_peryear.sh
rename to dev/tools/github_authors_and_commits_peryear.sh
diff --git a/htdocs/accountancy/admin/account.php b/htdocs/accountancy/admin/account.php
index 6f510ad3706..c9849f9f54f 100644
--- a/htdocs/accountancy/admin/account.php
+++ b/htdocs/accountancy/admin/account.php
@@ -195,7 +195,7 @@ if (empty($reshook)) {
} elseif ($action == 'enable' && $permissiontoadd) {
if ($accounting->fetch($id)) {
$mode = GETPOST('mode', 'int');
- $result = $accounting->account_activate($id, $mode);
+ $result = $accounting->accountActivate($id, $mode);
}
$action = 'update';
if ($result < 0) {
@@ -392,7 +392,7 @@ if ($resql) {
}
print "";
print ajax_combobox("chartofaccounts");
- print '';
+ print '';
print ' ';
print ' ';
diff --git a/htdocs/accountancy/admin/accountmodel.php b/htdocs/accountancy/admin/accountmodel.php
index 0f4d538cfac..f19afb12899 100644
--- a/htdocs/accountancy/admin/accountmodel.php
+++ b/htdocs/accountancy/admin/accountmodel.php
@@ -535,7 +535,7 @@ if ($id) {
}
print '