Sec: bug #24520 : Access to unallowed data

This commit is contained in:
Laurent Destailleur 2008-10-14 00:16:28 +00:00
parent 10918775b3
commit 4b941222f2
5 changed files with 78 additions and 55 deletions


@ -176,7 +176,7 @@ if ($_REQUEST["action"] == 'update' && ! $_POST["cancel"])
if (is_dir($conf->adherent->dir_output))
{
$newfile=$conf->adherent->dir_output . "/" . $adh->id . ".jpg";
if (! dol_move_uploaded_file($_FILES['photo']['tmp_name'],$newfile,1))
if (! dol_move_uploaded_file($_FILES['photo']['tmp_name'],$newfile,1) > 0)
{
$message .= '<div class="error">'.$langs->trans("ErrorFailedToSaveFile").'</div>';
}
@ -960,7 +960,8 @@ if ($rowid && $action != 'edit')
// Autres attributs
foreach($adho->attribute_label as $key=>$value){
foreach($adho->attribute_label as $key=>$value)
{
print "<tr><td>$value</td><td>".$adh->array_options["options_$key"]."&nbsp;</td></tr>\n";
}
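Review bot: The new condition on the dol_move_uploaded_file line reads as `(! dol_move_uploaded_file(...)) > 0` because `!` binds tighter than `>` in PHP, so a negative return value becomes `false > 0`, which is false, and the error message is skipped in exactly the failure case the `> 0` comparison appears meant to catch. If the helper signals failure with a value less than or equal to zero (its return convention is not visible here), the line should be `if (dol_move_uploaded_file($_FILES['photo']['tmp_name'],$newfile,1) <= 0)`. The enclosing `action == 'update'` handler starts before the hunk.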


@ -13,6 +13,9 @@ FundationMembers=Fundation members
Attributs=Attributes
Person=Person
ErrorMemberTypeNotDefined=Member type not defined
ListOfPublicMembers=List of public members
ListOfValidatedPublicMembers=List of validated public members
ErrorThisMemberIsNotPublic=This member is not public
MembersCards=Members print cards
MembersList=List of members
MembersListToValid=List of draft members (to be validated)
@ -96,7 +99,7 @@ ConfirmDeleteSubscription=Are you sure you want to delete this subscription ?
Filehtpasswd=htpasswd file
ValidateMember=Validate a member
ConfirmValidateMember=Are you sure you want to validate this member ?
FollowingLinksArePublic=The following links are open pages not protected by any Dolibarr permission.
FollowingLinksArePublic=The following links are open pages not protected by any Dolibarr permission. They are not formated pages, provided as example to show how to list members database.
PublicMemberList=Public member list
BlankSubscriptionForm=Subscription form
MemberPublicLinks=Public links/pages
@ -111,6 +114,7 @@ Text=Text
Int=Int
Date=Date
DateAndTime=Date and time
PublicMemberCard=Member public card
MemberNotOrNoMoreExpectedToSubscribe=Member not or no more expected to subscribe
AddSubscription=Add subscription
ShowSubscription=Show subscription


@ -13,6 +13,9 @@ FundationMembers=Membres de l'association
Attributs=Attributs
Person=Personne
ErrorMemberTypeNotDefined=Le type d'adhérent n'est pas choisi
ListOfPublicMembers=Liste des adhérents publiques
ListOfValidatedPublicMembers=Liste des adhérents publiques validés
ErrorThisMemberIsNotPublic=Cet adhérent n'est pas publique
MembersCards=Cartes des adhérents
MembersList=Liste des adhérents
MembersListToValid=Liste des adhérents brouillons (à valider)
@ -96,7 +99,7 @@ ConfirmDeleteSubscription=Etes-vous s
Filehtpasswd=Fichier htpasswd
ValidateMember=Valider un adhérent
ConfirmValidateMember=Etes-vous sûr de vouloir valider cet adhérent ?
FollowingLinksArePublic=Les liens suivants sont des pages accessibles à tous et non protégées par aucune habilitation Dolibarr.
FollowingLinksArePublic=Les liens suivants sont des pages accessibles à tous et non protégées par aucune habilitation Dolibarr. Ces pages n'ont aucun formatage et sont fournies à titre d'exemple pour les associations qui veulent des scripts de consultation publiques.
PublicMemberList=Liste des membres publiques
BlankSubscriptionForm=Formulaire inscription
MemberPublicLinks=Liens/pages publiques
@ -111,6 +114,7 @@ Text=Texte long
Int=Numérique
Date=Date
DateAndTime=Date et heure
PublicMemberCard=Fiche publique adhérent
MemberNotOrNoMoreExpectedToSubscribe=Non soumis ou plus soumis à cotisation
AddSubscription=Ajout adhésion
ShowSubscription=Afficher adhésion


@ -1,7 +1,7 @@
<?php
/* Copyright (C) 2001-2003 Rodolphe Quiedeville <rodolphe@quiedeville.org>
* Copyright (C) 2002-2003 Jean-Louis Bergamo <jlb@j1b.org>
* Copyright (C) 2007 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2007-2008 Laurent Destailleur <eldy@users.sourceforge.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -19,10 +19,10 @@
*/
/**
\file htdocs/lib/datepicker.php
\brief Fichier de gestion de la popup de selection de date eldy
\version $Id$
*/
\file htdocs/public/adherents/priv_fiche.php
\brief Fichier de gestion de la popup de selection de date eldy
\version $Id$
*/
require("../../master.inc.php");
require_once(DOL_DOCUMENT_ROOT."/adherents/adherent.class.php");
@ -31,22 +31,27 @@ require_once(DOL_DOCUMENT_ROOT."/adherents/cotisation.class.php");
require_once(DOL_DOCUMENT_ROOT."/paiement.class.php");
require_once(DOL_DOCUMENT_ROOT."/adherents/adherent_options.class.php");
$langs->load("main");
$langs->load("members");
$langs->load("companies");
function llxHeaderVierge($title, $head = "")
{
global $user, $conf, $langs;
print "<html>\n";
print "<head>\n";
print "<title>".$title."</title>\n";
if ($head) print $head."\n";
print "</head>\n";
print "<html>\n";
print "<head>\n";
print "<title>".$title."</title>\n";
if ($head) print $head."\n";
print "</head>\n";
print "<body>\n";
}
function llxFooter()
{
print "</body>\n";
print "</html>\n";
print "</body>\n";
print "</html>\n";
}
$rowid=$_GET["id"];
@ -57,53 +62,59 @@ $adho = new AdherentOptions($db);
* View
*/
llxHeaderVierge("Member edit");
llxHeaderVierge($langs->trans("MemberCard"));
// fetch optionals attributes and labels
$adho->fetch_optionals();
if ($rowid > 0)
{
$adh = new Adherent($db);
$adh->id = $rowid;
$adh->fetch($rowid);
$adh->fetch_optionals($rowid);
$adh = new Adherent($db);
$adh->id = $rowid;
$adh->fetch($rowid);
$adh->fetch_optionals($rowid);
print_titre("Fiche adhérent de $adh->prenom $adh->nom");
print_titre($langs->trans("MemberCard"));
print '<table class="border" cellspacing="0" width="100%" cellpadding="3">';
if (empty($adh->public))
{
print $langs->trans("ErrorThisMemberIsNotPublic");
}
else
{
print '<table class="border" cellspacing="0" width="100%" cellpadding="3">';
print '<tr><td>'.$langs->trans("Type").'</td><td class="valeur">'.$adh->type."</td>\n";
print '<td valign="top" width="50%">'.$langs->trans("Comments").'</tr>';
print '<tr><td>'.$langs->trans("Type").'</td><td class="valeur">'.$adh->type."</td>\n";
print '<td valign="top" width="50%">'.$langs->trans("Comments").'</tr>';
print '<tr><td>Personne</td><td class="valeur">'.$adh->morphy.'&nbsp;</td>';
print '<tr><td>Personne</td><td class="valeur">'.$adh->morphy.'&nbsp;</td>';
print '<td rowspan="13" valign="top" width="50%">';
print nl2br($adh->note).'&nbsp;</td></tr>';
print '<td rowspan="13" valign="top" width="50%">';
print nl2br($adh->note).'&nbsp;</td></tr>';
print '<tr><td width="15%">Prénom</td><td class="valeur" width="35%">'.$adh->prenom.'&nbsp;</td></tr>';
print '<tr><td width="15%">'.$langs->trans("Surname").'</td><td class="valeur" width="35%">'.$adh->prenom.'&nbsp;</td></tr>';
print '<tr><td>Nom</td><td class="valeur">'.$adh->nom.'&nbsp;</td></tr>';
print '<tr><td>'.$langs->trans("Name").'</td><td class="valeur">'.$adh->nom.'&nbsp;</td></tr>';
print '<tr><td>Société</td><td class="valeur">'.$adh->societe.'&nbsp;</td></tr>';
print '<tr><td>Adresse</td><td class="valeur">'.nl2br($adh->adresse).'&nbsp;</td></tr>';
print '<tr><td>CP Ville</td><td class="valeur">'.$adh->cp.' '.$adh->ville.'&nbsp;</td></tr>';
print '<tr><td>Pays</td><td class="valeur">'.$adh->pays.'&nbsp;</td></tr>';
print '<tr><td>Email</td><td class="valeur">'.$adh->email.'&nbsp;</td></tr>';
print '<tr><td>Date de Naissance</td><td class="valeur">'.$adh->naiss.'&nbsp;</td></tr>';
if (isset($adh->photo) && $adh->photo !=''){
print '<tr><td>URL Photo</td><td class="valeur">'."<A HREF=\"$adh->photo\"><IMG SRC=\"$adh->photo\"></A>".'&nbsp;</td></tr>';
}
// foreach($adho->attribute_label as $key=>$value){
// print "<tr><td>$value</td><td>".$adh->array_options["options_$key"]."&nbsp;</td></tr>\n";
// }
print '</table>';
print '<tr><td>'.$langs->trans("Company").'</td><td class="valeur">'.$adh->societe.'&nbsp;</td></tr>';
print '<tr><td>'.$langs->trans("Address").'</td><td class="valeur">'.nl2br($adh->adresse).'&nbsp;</td></tr>';
print '<tr><td>'.$langs->trans("Zip").' '.$langs->trans("Town").'</td><td class="valeur">'.$adh->cp.' '.$adh->ville.'&nbsp;</td></tr>';
print '<tr><td>'.$langs->trans("Country").'</td><td class="valeur">'.$adh->pays.'&nbsp;</td></tr>';
print '<tr><td>'.$langs->trans("EMail").'</td><td class="valeur">'.$adh->email.'&nbsp;</td></tr>';
print '<tr><td>'.$langs->trans("Birthday").'</td><td class="valeur">'.$adh->naiss.'&nbsp;</td></tr>';
if (isset($adh->photo) && $adh->photo !=''){
print '<tr><td>URL Photo</td><td class="valeur">'."<A HREF=\"$adh->photo\"><IMG SRC=\"$adh->photo\"></A>".'&nbsp;</td></tr>';
}
// foreach($adho->attribute_label as $key=>$value){
// print "<tr><td>$value</td><td>".$adh->array_options["options_$key"]."&nbsp;</td></tr>\n";
// }
print '</table>';
}
}
$db->close();
llxFooter("<em>Derni&egrave;re modification $Date$ r&eacute;vision $Revision$</em>");
llxFooter('$Date$ - $Revision$');
?>
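Review bot: The new `if (empty($adh->public))` gate in the view block checks only the public flag, while the companion public list in this same commit (priv_liste.php) also requires `statut=1`, so a member who is flagged public but not validated, or no longer active, can still be displayed by requesting its id directly. If the fetched object carries the member status (the list query selects a `statut` column, so it presumably does), the gate should read `if (empty($adh->public) || $adh->statut != 1)` with the comment `// only validated public members may be shown on this unauthenticated card`. Separately, every field is printed unescaped on an unauthenticated page and `$adh->photo` is interpolated into both an `href` and a `src` attribute, so a member-controlled value can inject markup; the printed fields should go through `htmlentities()` or the project's HTML escaping helper. The `\brief` line on the new side still carries the copied datepicker description and should be replaced by something like `\brief File sample to show the public card of a member`.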


@ -1,7 +1,7 @@
<?php
/* Copyright (C) 2001-2003 Rodolphe Quiedeville <rodolphe@quiedeville.org>
* Copyright (C) 2002-2003 Jean-Louis Bergamo <jlb@j1b.org>
* Copyright (C) 2004-2007 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2004-2008 Laurent Destailleur <eldy@users.sourceforge.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -19,13 +19,18 @@
*/
/**
\file htdocs/lib/datepicker.php
\brief Fichier de gestion de la popup de selection de date eldy
\file htdocs/public/adherents/priv_liste.php
\brief File sample to list members
\version $Id$
*/
require("../../master.inc.php");
$langs->load("main");
$langs->load("members");
$langs->load("companies");
function llxHeaderVierge($title, $head = "")
{
global $user, $conf, $langs;
@ -45,8 +50,6 @@ function llxFooter()
}
$langs->load("members");
$sortorder=$_GET["sortorder"];
$sortfield=$_GET["sortfield"];
@ -66,11 +69,11 @@ $pagenext = $page + 1;
* View
*/
llxHeaderVierge("List of members");
llxHeaderVierge($langs->trans("ListOfValidatedPublicMembers"));
$sql = "select rowid,prenom,nom, societe, cp,ville,email,naiss,photo";
$sql.= " from ".MAIN_DB_PREFIX."adherent where statut=1";
$sql = "select rowid, prenom, nom, societe, cp, ville, email, naiss, photo";
$sql.= " from ".MAIN_DB_PREFIX."adherent where statut=1 and public=1";
$sql.= " ORDER BY $sortfield $sortorder";
$sql.= " ".$db->plimit($conf->liste_limit+1, $offset);
//$sql = "SELECT d.rowid, d.prenom, d.nom, d.societe, cp, ville, d.email, t.libelle as type, d.morphy, d.statut, t.cotisation";
@ -85,7 +88,7 @@ if ($result)
$i = 0;
$param="&statut=$statut&sortorder=$sortorder&sortfield=$sortfield";
print_barre_liste($langs->trans("MembersList"), $page, "priv_liste.php", $param);
print_barre_liste($langs->trans("ListOfValidatedPublicMembers"), $page, "priv_liste.php", $param, $sortfield, $sortorder, '', $num);
print "<table class=\"noborder\" width=\"100%\">";
print '<tr class="liste_titre">';
@ -103,7 +106,7 @@ if ($result)
$objp = $db->fetch_object($result);
$var=!$var;
print "<tr $bc[$var]>";
print "<td><a href=\"priv_fiche.php?rowid=$objp->rowid\">".stripslashes($objp->prenom)." ".stripslashes($objp->nom)." / ".stripslashes($objp->societe)."</a></TD>\n";
print "<td><a href=\"priv_fiche.php?id=$objp->rowid\">".$objp->prenom." ".$objp->nom." / ".$objp->societe."</a></TD>\n";
print "<td>$objp->naiss</td>\n";
print "<td>$objp->email</td>\n";
print "<td>$objp->cp</td>\n";
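Review bot: The `ORDER BY $sortfield $sortorder` clause right after the new `and public=1` filter is still built from the raw `$_GET["sortorder"]` and `$_GET["sortfield"]` values read at the top of the file, so this unauthenticated page stays open to SQL injection through the sort parameters even though the commit tightens the WHERE clause. Before the query, restrict both to known values: `$allowedsortfields = array('rowid','prenom','nom','societe','cp','ville','email','naiss');`, `if (! in_array($sortfield, $allowedsortfields, true)) $sortfield = 'nom';`, `$sortorder = (strtoupper($sortorder) == 'DESC') ? 'DESC' : 'ASC';`. The defaults applied when the parameters are absent sit in a part of the file not shown here, so the fallback values may need to match them. The rewritten link line also prints `prenom`, `nom` and `societe` unescaped into HTML on the same public page; they should be passed through `htmlentities()` as well.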