From 4b941222f2e3858e11add24cbf48b2a584d6fbe5 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 14 Oct 2008 00:16:28 +0000 Subject: [PATCH] Sec: bug #24520 : Acces to unallowed data --- htdocs/adherents/fiche.php | 5 +- htdocs/langs/en_US/members.lang | 6 +- htdocs/langs/fr_FR/members.lang | 6 +- htdocs/public/adherents/priv_fiche.php | 93 ++++++++++++++------------ htdocs/public/adherents/priv_liste.php | 23 ++++--- 5 files changed, 78 insertions(+), 55 deletions(-) diff --git a/htdocs/adherents/fiche.php b/htdocs/adherents/fiche.php index e3f46b2d78a..c62ee03cf73 100644 --- a/htdocs/adherents/fiche.php +++ b/htdocs/adherents/fiche.php @@ -176,7 +176,7 @@ if ($_REQUEST["action"] == 'update' && ! $_POST["cancel"]) if (is_dir($conf->adherent->dir_output)) { $newfile=$conf->adherent->dir_output . "/" . $adh->id . ".jpg"; - if (! dol_move_uploaded_file($_FILES['photo']['tmp_name'],$newfile,1)) + if (! dol_move_uploaded_file($_FILES['photo']['tmp_name'],$newfile,1) > 0) { $message .= '
'.$langs->trans("ErrorFailedToSaveFile").'
'; } @@ -960,7 +960,8 @@ if ($rowid && $action != 'edit') // Autres attributs - foreach($adho->attribute_label as $key=>$value){ + foreach($adho->attribute_label as $key=>$value) + { print "$value".$adh->array_options["options_$key"]." \n"; } diff --git a/htdocs/langs/en_US/members.lang b/htdocs/langs/en_US/members.lang index df1bcb3e27f..78f2d502087 100644 --- a/htdocs/langs/en_US/members.lang +++ b/htdocs/langs/en_US/members.lang @@ -13,6 +13,9 @@ FundationMembers=Fundation members Attributs=Attributes Person=Person ErrorMemberTypeNotDefined=Member type not defined +ListOfPublicMembers=List of public members +ListOfValidatedPublicMembers=List of validated public members +ErrorThisMemberIsNotPublic=This member is not public MembersCards=Members print cards MembersList=List of members MembersListToValid=List of draft members (to be validated) @@ -96,7 +99,7 @@ ConfirmDeleteSubscription=Are you sure you want to delete this subscription ? Filehtpasswd=htpasswd file ValidateMember=Validate a member ConfirmValidateMember=Are you sure you want to validate this member ? -FollowingLinksArePublic=The following links are open pages not protected by any Dolibarr permission. +FollowingLinksArePublic=The following links are open pages not protected by any Dolibarr permission. They are not formated pages, provided as example to show how to list members database. PublicMemberList=Public member list BlankSubscriptionForm=Subscription form MemberPublicLinks=Public links/pages @@ -111,6 +114,7 @@ Text=Text Int=Int Date=Date DateAndTime=Date and time +PublicMemberCard=Member public card MemberNotOrNoMoreExpectedToSubscribe=Member not or no more expected to subscribe AddSubscription=Add subscription ShowSubscription=Show subscription diff --git a/htdocs/langs/fr_FR/members.lang b/htdocs/langs/fr_FR/members.lang index 130f45cb4ef..a2026950f26 100644 --- a/htdocs/langs/fr_FR/members.lang +++ b/htdocs/langs/fr_FR/members.lang 
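Review bot: The new condition `if (! dol_move_uploaded_file($_FILES['photo']['tmp_name'],$newfile,1) > 0)` in the @@ -176 hunk of htdocs/adherents/fiche.php does not test what it reads as: in PHP `!` binds tighter than `>`, so the expression evaluates as `(!$ret) > 0`, which is true only when the call returns exactly 0 or false and is false for any other value, so a negative error code (if the helper uses one) never reaches the `ErrorFailedToSaveFile` message. Assuming the helper returns a positive value on success, as the added `> 0` implies, the intended check is `if (dol_move_uploaded_file($_FILES['photo']['tmp_name'],$newfile,1) <= 0)`. The enclosing `if ($_REQUEST["action"] == 'update' && ! $_POST["cancel"])` block starts before the hunk, so whether the upload is otherwise validated (type, size) before the move cannot be seen here. The @@ -960 hunk is brace placement only.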
@@ -13,6 +13,9 @@ FundationMembers=Membres de l'association Attributs=Attributs Person=Personne ErrorMemberTypeNotDefined=Le type d'adhérent n'est pas choisi +ListOfPublicMembers=Liste des adhérents publiques +ListOfValidatedPublicMembers=Liste des adhérents publiques validés +ErrorThisMemberIsNotPublic=Cet adhérent n'est pas publique MembersCards=Cartes des adhérents MembersList=Liste des adhérents MembersListToValid=Liste des adhérents brouillons (à valider) @@ -96,7 +99,7 @@ ConfirmDeleteSubscription=Etes-vous s Filehtpasswd=Fichier htpasswd ValidateMember=Valider un adhérent ConfirmValidateMember=Etes-vous sûr de vouloir valider cet adhérent ? -FollowingLinksArePublic=Les liens suivants sont des pages accessibles à tous et non protégées par aucune habilitation Dolibarr. +FollowingLinksArePublic=Les liens suivants sont des pages accessibles à tous et non protégées par aucune habilitation Dolibarr. Ces pages n'ont aucun formatage et sont fournies à titre d'exemple pour les associations qui veulent des scripts de consultation publiques. PublicMemberList=Liste des membres publiques BlankSubscriptionForm=Formulaire inscription MemberPublicLinks=Liens/pages publiques @@ -111,6 +114,7 @@ Text=Texte long Int=Numérique Date=Date DateAndTime=Date et heure +PublicMemberCard=Fiche publique adhérent MemberNotOrNoMoreExpectedToSubscribe=Non soumis ou plus soumis à cotisation AddSubscription=Ajout adhésion ShowSubscription=Afficher adhésion diff --git a/htdocs/public/adherents/priv_fiche.php b/htdocs/public/adherents/priv_fiche.php index e9c1d142302..3108c641cd8 100644 --- a/htdocs/public/adherents/priv_fiche.php +++ b/htdocs/public/adherents/priv_fiche.php @@ -1,7 +1,7 @@ * Copyright (C) 2002-2003 Jean-Louis Bergamo - * Copyright (C) 2007 Laurent Destailleur + * Copyright (C) 2007-2008 Laurent Destailleur * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
@@ -19,10 +19,10 @@ */ /** - \file htdocs/lib/datepicker.php - \brief Fichier de gestion de la popup de selection de date eldy - \version $Id$ -*/ + \file htdocs/public/adherents/priv_fiche.php + \brief Fichier de gestion de la popup de selection de date eldy + \version $Id$ + */ require("../../master.inc.php"); require_once(DOL_DOCUMENT_ROOT."/adherents/adherent.class.php"); @@ -31,22 +31,27 @@ require_once(DOL_DOCUMENT_ROOT."/adherents/cotisation.class.php"); require_once(DOL_DOCUMENT_ROOT."/paiement.class.php"); require_once(DOL_DOCUMENT_ROOT."/adherents/adherent_options.class.php"); +$langs->load("main"); +$langs->load("members"); +$langs->load("companies"); + + function llxHeaderVierge($title, $head = "") { global $user, $conf, $langs; - print "\n"; - print "\n"; - print "".$title."\n"; - if ($head) print $head."\n"; - print "\n"; + print "\n"; + print "\n"; + print "".$title."\n"; + if ($head) print $head."\n"; + print "\n"; print "\n"; } function llxFooter() { - print "\n"; - print "\n"; + print "\n"; + print "\n"; } $rowid=$_GET["id"]; @@ -57,53 +62,59 @@ $adho = new AdherentOptions($db); * View */ -llxHeaderVierge("Member edit"); +llxHeaderVierge($langs->trans("MemberCard")); // fetch optionals attributes and labels $adho->fetch_optionals(); if ($rowid > 0) { - $adh = new Adherent($db); - $adh->id = $rowid; - $adh->fetch($rowid); - $adh->fetch_optionals($rowid); + $adh = new Adherent($db); + $adh->id = $rowid; + $adh->fetch($rowid); + $adh->fetch_optionals($rowid); - print_titre("Fiche adhérent de $adh->prenom $adh->nom"); + print_titre($langs->trans("MemberCard")); - print ''; + if (empty($adh->public)) + { + print $langs->trans("ErrorThisMemberIsNotPublic"); + } + else + { + print '
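Review bot: The file header in the @@ -19 hunk of htdocs/public/adherents/priv_fiche.php fixes the `\file` path but keeps the `\brief` line copied from the date-picker script (`Fichier de gestion de la popup de selection de date eldy`), which now describes the wrong file; the sibling priv_liste.php hunk in this same commit replaces its copy with `\brief File sample to list members`. Use the same approach here, e.g. `\brief File sample to show the public card of a member`, so the comment matches what the script does.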
'; - print '\n"; - print ''; + print '\n"; + print ''; - print ''; + print ''; - print ''; + print ''; - print ''; + print ''; - print ''; - + print ''; - print ''; - print ''; - print ''; - print ''; - print ''; - print ''; - if (isset($adh->photo) && $adh->photo !=''){ - print ''; - } - // foreach($adho->attribute_label as $key=>$value){ - // print "\n"; - // } - print '
'.$langs->trans("Type").''.$adh->type."'.$langs->trans("Comments").'
'.$langs->trans("Type").''.$adh->type."'.$langs->trans("Comments").'
Personne'.$adh->morphy.' 
Personne'.$adh->morphy.' '; - print nl2br($adh->note).' 
'; + print nl2br($adh->note).' 
Prénom'.$adh->prenom.' 
'.$langs->trans("Surname").''.$adh->prenom.' 
Nom'.$adh->nom.' 
'.$langs->trans("Name").''.$adh->nom.' 
Société'.$adh->societe.' 
Adresse'.nl2br($adh->adresse).' 
CP Ville'.$adh->cp.' '.$adh->ville.' 
Pays'.$adh->pays.' 
Email'.$adh->email.' 
Date de Naissance'.$adh->naiss.' 
URL Photo'."photo\">photo\">".' 
$value".$adh->array_options["options_$key"]." 
'; + print ''.$langs->trans("Company").''.$adh->societe.' '; + print ''.$langs->trans("Address").''.nl2br($adh->adresse).' '; + print ''.$langs->trans("Zip").' '.$langs->trans("Town").''.$adh->cp.' '.$adh->ville.' '; + print ''.$langs->trans("Country").''.$adh->pays.' '; + print ''.$langs->trans("EMail").''.$adh->email.' '; + print ''.$langs->trans("Birthday").''.$adh->naiss.' '; + if (isset($adh->photo) && $adh->photo !=''){ + print 'URL Photo'."photo\">photo\">".' '; + } + // foreach($adho->attribute_label as $key=>$value){ + // print "$value".$adh->array_options["options_$key"]." \n"; + // } + print ''; + } } $db->close(); -llxFooter("Dernière modification $Date$ révision $Revision$"); +llxFooter('$Date$ - $Revision$'); ?> diff --git a/htdocs/public/adherents/priv_liste.php b/htdocs/public/adherents/priv_liste.php index d9d0f73a220..6257005460b 100644 --- a/htdocs/public/adherents/priv_liste.php +++ b/htdocs/public/adherents/priv_liste.php @@ -1,7 +1,7 @@ * Copyright (C) 2002-2003 Jean-Louis Bergamo - * Copyright (C) 2004-2007 Laurent Destailleur + * Copyright (C) 2004-2008 Laurent Destailleur * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -19,13 +19,18 @@ */ /** - \file htdocs/lib/datepicker.php - \brief Fichier de gestion de la popup de selection de date eldy + \file htdocs/public/adherents/priv_liste.php + \brief File sample to list members \version $Id$ */ require("../../master.inc.php"); +$langs->load("main"); +$langs->load("members"); +$langs->load("companies"); + + function llxHeaderVierge($title, $head = "") { global $user, $conf, $langs; @@ -45,8 +50,6 @@ function llxFooter() } -$langs->load("members"); - $sortorder=$_GET["sortorder"]; $sortfield=$_GET["sortfield"]; 
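Review bot: The new `public` check in the @@ -57 hunk restricts which member is shown, but every field the branch then prints (`$adh->prenom`, `$adh->nom`, `$adh->societe`, `$adh->email`, `$adh->note` via `nl2br`, `$adh->adresse`, and `$adh->photo` inside the image URL) is written into the page as-is, on a script that needs no login; if any of these values can be entered through the public subscription form, which the lang keys suggest but this hunk does not show, that is stored markup injection on an unauthenticated page. Wrap each value at output, e.g. `htmlspecialchars($adh->prenom, ENT_QUOTES)` with the site charset, and for the photo URL additionally `urlencode`-style encoding of the filename component. The same applies to the @@ -103 hunk of priv_liste.php, where dropping `stripslashes()` from `$objp->prenom`, `$objp->nom` and `$objp->societe` leaves them unescaped in the anchor text. Separately, `$rowid` comes straight from `$_GET["id"]` (assigned in the @@ -31 hunk) and is only compared with `> 0`; `$rowid = (int) $_GET["id"];` makes the lookup's input type explicit regardless of what `fetch()` does with it, and a failed `fetch()` currently falls through to the "not public" message rather than being reported as a missing member, which is fail-closed but worth a comment.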
@@ -66,11 +69,11 @@ $pagenext = $page + 1; * View */ -llxHeaderVierge("List of members"); +llxHeaderVierge($langs->trans("ListOfValidatedPublicMembers")); -$sql = "select rowid,prenom,nom, societe, cp,ville,email,naiss,photo"; -$sql.= " from ".MAIN_DB_PREFIX."adherent where statut=1"; +$sql = "select rowid, prenom, nom, societe, cp, ville, email, naiss, photo"; +$sql.= " from ".MAIN_DB_PREFIX."adherent where statut=1 and public=1"; $sql.= " ORDER BY $sortfield $sortorder"; $sql.= " ".$db->plimit($conf->liste_limit+1, $offset); //$sql = "SELECT d.rowid, d.prenom, d.nom, d.societe, cp, ville, d.email, t.libelle as type, d.morphy, d.statut, t.cotisation"; @@ -85,7 +88,7 @@ if ($result) $i = 0; $param="&statut=$statut&sortorder=$sortorder&sortfield=$sortfield"; - print_barre_liste($langs->trans("MembersList"), $page, "priv_liste.php", $param); + print_barre_liste($langs->trans("ListOfValidatedPublicMembers"), $page, "priv_liste.php", $param, $sortfield, $sortorder, '', $num); print ""; print ''; @@ -103,7 +106,7 @@ if ($result) $objp = $db->fetch_object($result); $var=!$var; print ""; - print "\n"; + print "\n"; print "\n"; print "\n"; print "\n";
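Review bot: The @@ -66 hunk of priv_liste.php adds `and public=1` to the WHERE clause, but the context line right after it, `$sql.= " ORDER BY $sortfield $sortorder";`, still interpolates `$sortfield` and `$sortorder`, which the @@ -45 hunk shows are taken verbatim from `$_GET`, into the SQL of a page that has no authentication at all. Since the selected columns are fixed by the new `select` line, the values can be confined to an allow-list before the query is built: `if (! in_array($sortfield, array('rowid','prenom','nom','societe','cp','ville','email','naiss'))) $sortfield = 'nom';` and `$sortorder = (strtoupper($sortorder) == 'DESC') ? 'DESC' : 'ASC';`. The same two raw values are then reflected into `$param` and passed to `print_barre_liste()` in the @@ -85 hunk, so the allow-list also cleans what goes back into the pagination links. The statement run building `$sql` continues past this hunk.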
rowid\">".stripslashes($objp->prenom)." ".stripslashes($objp->nom)." / ".stripslashes($objp->societe)."rowid\">".$objp->prenom." ".$objp->nom." / ".$objp->societe."$objp->naiss$objp->email$objp->cp