From a0c3527e30d35fba4e4a0d025563e7b3cabeda12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jean-Fran=C3=A7ois=20Ferry?=
Date: Wed, 29 Jan 2014 19:19:23 +0100
Subject: [PATCH 1/4] Fix : bad sql request during migration

---
 htdocs/install/mysql/migration/3.5.0-3.6.0.sql | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/htdocs/install/mysql/migration/3.5.0-3.6.0.sql b/htdocs/install/mysql/migration/3.5.0-3.6.0.sql
index 36a8f985452..f8679508b4a 100755
--- a/htdocs/install/mysql/migration/3.5.0-3.6.0.sql
+++ b/htdocs/install/mysql/migration/3.5.0-3.6.0.sql
@@ -1,7 +1,7 @@
 --
 -- Be carefull to requests order.
 -- This file must be loaded by calling /install/index.php page
--- when current version is 3.5.0 or higher.
+-- when current version is 3.5.0 or higher.
 --
 -- To rename a table: ALTER TABLE llx_table RENAME TO llx_table_new;
 -- To add a column: ALTER TABLE llx_table ADD COLUMN newcol varchar(60) NOT NULL DEFAULT '0' AFTER existingcol;
@@ -32,4 +32,4 @@ ALTER TABLE llx_opensurvey_sondage CHANGE COLUMN titre titre TEXT NOT NULL;
 ALTER TABLE llx_opensurvey_sondage CHANGE COLUMN date_fin date_fin DATETIME NOT NULL;
 ALTER TABLE llx_opensurvey_sondage CHANGE COLUMN format format VARCHAR(2) NOT NULL;
-ALTER TABLE llx_facture_rec.sql MODIFY COLUMN usenewprice INTEGER DEFAULT 0;
\ No newline at end of file
+ALTER TABLE llx_facture_rec CHANGE COLUMN usenewprice usenewprice INTEGER DEFAULT 0;

From 5076e8ce4e26f751338efd51341848771334477d Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 30 Jan 2014 10:48:10 +0100
Subject: [PATCH 2/4] Fix: Bad output of extrafields when list is used.

---
 htdocs/core/class/extrafields.class.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/htdocs/core/class/extrafields.class.php b/htdocs/core/class/extrafields.class.php
index 130c8b24d38..f0428457700 100644
--- a/htdocs/core/class/extrafields.class.php
+++ b/htdocs/core/class/extrafields.class.php
@@ -957,17 +957,20 @@ class ExtraFields
 {
 $sql.= ' as main';
 }
- $sql.= ' WHERE '.$selectkey.'=\''.$this->db->escape($value).'\'';
+ $sql.= " WHERE ".$selectkey."='".$this->db->escape($value)."'";
 //$sql.= ' AND entity = '.$conf->entity;
+ dol_syslog(get_class($this).':showOutputField:$type=sellist sql='.$sql);
 $resql = $this->db->query($sql);
 if ($resql)
 {
+ $value=''; // value was used, so now we reste it to use it to build final output
+
 $obj = $this->db->fetch_object($resql);
 // Several field into label (eq table:code|libelle:rowid)
 $fields_label = explode('|',$InfoFieldList[1]);
-
+
 if(is_array($fields_label))
 {
 foreach ($fields_label as $field_toshow)
@@ -990,6 +993,7 @@ class ExtraFields
 }
 }
 }
+ else dol_syslog(get_class($this).'::showOutputField error '.$this->db->lasterror(), LOG_WARNING);
 }
 elseif ($type == 'radio')
 {

From 8abde9e11f5915680338aa457118a35a04f15a33 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 30 Jan 2014 11:44:31 +0100
Subject: [PATCH 3/4] Sec: Missing permission tests

---
 htdocs/compta/facture/impayees.php | 9 +++++----
 htdocs/compta/paiement/liste.php | 1 +
 htdocs/compta/paiement/rapport.php | 8 ++++----
 .../modules/rapport/pdf_paiement.class.php | 19 ++++++++++++++++---
 htdocs/document.php | 8 ++++++++
 5 files changed, 34 insertions(+), 11 deletions(-)

diff --git a/htdocs/compta/facture/impayees.php b/htdocs/compta/facture/impayees.php
index d1750755835..dd374eb1a6f 100644
--- a/htdocs/compta/facture/impayees.php
+++ b/htdocs/compta/facture/impayees.php
@@ -1,7 +1,7 @@
 * Copyright (C) 2004 Eric Seigne
- * Copyright (C) 2004-2012 Laurent Destailleur
+ * Copyright (C) 2004-2014 Laurent Destailleur
 * Copyright (C) 2005-2012 Regis Houssin
 *
 * This program is free software; you can redistribute it and/or modify
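Review bot: The `$value=''` reset added inside `if ($resql)` only runs when the query succeeds, so on the failure path that the second hunk (`@@ -990`) now merely logs, `$value` still holds the raw lookup key and presumably ends up in the rendered output; moving `$value='';` to just before `$resql = $this->db->query($sql);` would make a failed lookup render as empty instead. The `$obj = $this->db->fetch_object($resql)` result is also never checked for an empty result set, and the loop over `$fields_label` that reads from `$obj` continues outside the hunk, so a missing row would likely produce notices rather than a clean empty label; an `if ($obj)` around that loop would cover it. Minor: the new comment reads `reste` for `reset`. The enclosing `showOutputField` method starts and ends outside the hunk.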
@@ -38,12 +38,13 @@ $id = (GETPOST('facid','int') ? GETPOST('facid','int') : GETPOST('id','int'));
 $action = GETPOST('action','alpha');
 $option = GETPOST('option');
-$diroutputpdf=$conf->facture->dir_output . '/unpaid/temp';
-
 // Security check
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user,'facture',$id,'');
+$diroutputpdf=$conf->facture->dir_output . '/unpaid/temp';
+if (! $user->rights->societe->client->voir || $socid) $diroutputpdf.='/private/'.$user->id; // If user has no permission to see all, output dir is specific to user
+
 /*
 * Action
@@ -221,7 +222,7 @@ if ($search_societe) $sql .= " AND s.nom LIKE '%".$db->escape($search_societ
 if ($search_montant_ht) $sql .= " AND f.total = '".$db->escape($search_montant_ht)."'";
 if ($search_montant_ttc) $sql .= " AND f.total_ttc = '".$db->escape($search_montant_ttc)."'";
 if (GETPOST('sf_ref')) $sql .= " AND f.facnumber LIKE '%".$db->escape(GETPOST('sf_ref'))."%'";
-$sql.= " GROUP BY s.nom, s.rowid, f.facnumber, f.increment, f.total, f.tva, f.total_ttc, f.datef, f.date_lim_reglement, f.paye, f.rowid, f.fk_statut, f.type ";
+$sql.= " GROUP BY s.nom, s.rowid, f.rowid, f.facnumber, f.increment, f.total, f.tva, f.total_ttc, f.localtax1, f.localtax2, f.revenuestamp, f.datef, f.date_lim_reglement, f.paye, f.fk_statut, f.type ";
 if (! $user->rights->societe->client->voir && ! $socid) $sql .= ", sc.fk_soc, sc.fk_user ";
 $sql.= " ORDER BY ";
 $listfield=explode(',',$sortfield);
diff --git a/htdocs/compta/paiement/liste.php b/htdocs/compta/paiement/liste.php
index 16a6c1410e6..32400cf29cc 100644
--- a/htdocs/compta/paiement/liste.php
+++ b/htdocs/compta/paiement/liste.php
@@ -29,6 +29,7 @@ require_once DOL_DOCUMENT_ROOT.'/compta/paiement/class/paiement.class.php';
 require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php';
 $langs->load("bills");
+$langs->load("compta");
 // Security check
 $facid =GETPOST('facid','int');
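Review bot: `$socid` is read by the new `|| $socid` test, but within this hunk it is only assigned inside `if ($user->societe_id)`; unless it is initialised earlier in the file (outside the hunk), both this condition and the `! $socid` test in the `@@ -221` hunk below rely on an undefined variable, so an explicit `$socid=0;` before the security check would match what rapport.php and document.php do in this same series. The private-directory rule `if (! $user->rights->societe->client->voir || $socid) $dir.='/private/'.$user->id;` is now written out by hand in three files (here, rapport.php and document.php); because document.php has to reproduce it exactly for the generated PDF to be found, a single helper returning the suffix would keep the writers and the reader from drifting apart.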
diff --git a/htdocs/compta/paiement/rapport.php b/htdocs/compta/paiement/rapport.php
index 9c8febe9e1a..eeeaa715718 100644
--- a/htdocs/compta/paiement/rapport.php
+++ b/htdocs/compta/paiement/rapport.php
@@ -1,6 +1,6 @@
- * Copyright (C) 2004-2011 Laurent Destailleur
+ * Copyright (C) 2004-2014 Laurent Destailleur
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -32,16 +32,16 @@ if (! $user->rights->facture->lire) accessforbidden();
 $action=GETPOST('action');
-$dir = $conf->facture->dir_output.'/payments';
-
 $socid=0;
 if ($user->societe_id > 0)
 {
 $action = '';
 $socid = $user->societe_id;
- $dir = $conf->facture->dir_output.'/payments/private/'.$user->id;
 }
+$dir = $conf->facture->dir_output.'/payments';
+if (! $user->rights->societe->client->voir || $socid) $dir.='/private/'.$user->id; // If user has no permission to see all, output dir is specific to user
+
 $year = $_GET["year"];
 if (! $year) { $year=date("Y"); }
diff --git a/htdocs/core/modules/rapport/pdf_paiement.class.php b/htdocs/core/modules/rapport/pdf_paiement.class.php
index b7e2f8e5d91..3d3c45e1963 100644
--- a/htdocs/core/modules/rapport/pdf_paiement.class.php
+++ b/htdocs/core/modules/rapport/pdf_paiement.class.php
@@ -1,6 +1,6 @@
- * Copyright (C) 2006-2009 Laurent Destailleur
+ * Copyright (C) 2006-2014 Laurent Destailleur
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -93,6 +93,9 @@ class pdf_paiement
 global $user,$langs,$conf;
+ $socid=0;
+ if ($user->societe_id) $socid=$user->societe_id;
+
 if (! is_object($outputlangs)) $outputlangs=$langs;
 // For backward compatibility with FPDF, force output charset to ISO, because FPDF expect text to be encoded in ISO
 if (! empty($conf->global->MAIN_USE_FPDF)) $outputlangs->charset_output='ISO-8859-1';
@@ -136,11 +139,21 @@ class pdf_paiement
 $sql.= ", pf.amount as pf_amount ";
 $sql.= ", p.rowid as prowid";
 $sql.= " FROM ".MAIN_DB_PREFIX."paiement as p, ".MAIN_DB_PREFIX."facture as f,";
- $sql.= " ".MAIN_DB_PREFIX."c_paiement as c, ".MAIN_DB_PREFIX."paiement_facture as pf";
- $sql.= " WHERE pf.fk_facture = f.rowid AND pf.fk_paiement = p.rowid";
+ $sql.= " ".MAIN_DB_PREFIX."c_paiement as c, ".MAIN_DB_PREFIX."paiement_facture as pf,";
+ $sql.= " ".MAIN_DB_PREFIX."societe as s";
+ if (! $user->rights->societe->client->voir && ! $socid)
+ {
+ $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
+ }
+ $sql.= " WHERE f.fk_soc = s.rowid AND pf.fk_facture = f.rowid AND pf.fk_paiement = p.rowid";
 $sql.= " AND f.entity = ".$conf->entity;
 $sql.= " AND p.fk_paiement = c.id ";
 $sql.= " AND p.datep BETWEEN '".$this->db->idate(dol_get_first_day($year,$month))."' AND '".$this->db->idate(dol_get_last_day($year,$month))."'";
+ if (! $user->rights->societe->client->voir && ! $socid)
+ {
+ $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
+ }
+ if (! empty($socid)) $sql .= " AND s.rowid = ".$socid;
 $sql.= " ORDER BY p.datep ASC, pf.fk_paiement ASC";
 dol_syslog(get_class($this)."::write_file sql=".$sql);
diff --git a/htdocs/document.php b/htdocs/document.php
index 9815bbdd7e6..bb6bd032301 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -66,6 +66,14 @@ $entity=GETPOST('entity')?GETPOST('entity','int'):$conf->entity;
 // Security check
 if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart');
+$socid=0;
+if ($user->societe_id > 0) $socid = $user->societe_id;
+
+// For some module part, dir may be privates
+if (in_array($modulepart,array('facture_paiement','unpaid')))
+{
+ if (! $user->rights->societe->client->voir || $socid) $original_file='private/'.$user->id.'/'.$original_file; // If user has no permission to see all, output dir is specific to user
+}
 /*
 * Action
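Review bot: The restriction `! $user->rights->societe->client->voir && ! $socid` is evaluated twice in this hunk, once to add `societe_commerciaux` to the FROM list and once to add its join condition to the WHERE clause; if the two copies ever diverge the query either fails or silently stops filtering, so computing it once, e.g. `$restricted = (! $user->rights->societe->client->voir && ! $socid);`, and testing that local in both places would keep them bound together. The new `sc.fk_user = " .$user->id` and `s.rowid = ".$socid` fragments interpolate integers without a cast; both values come from the session user object rather than the request, so exposure is low, but `(int)$user->id` and `(int)$socid` would make that guarantee explicit in the query builder itself. Note also that the new `f.fk_soc = s.rowid` condition turns the report into an inner join on `societe`, so an invoice whose company row is missing now drops out where it was previously listed, which may be intended. The enclosing `write_file` method starts and ends outside the hunk.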
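Review bot: The new block rewrites `$original_file` before the remaining security checks in this file, so it should be confirmed that the later path-traversal and permission checks (outside the hunk) operate on the `private/<id>/` prefixed value and not on a copy of the request value, since the prefix only isolates users if the subsequent `..` rejection applies to the path that is actually opened. The list `array('facture_paiement','unpaid')` is tied to the directories written by rapport.php and impayees.php by convention only; a comment such as `// Must match the private dir rule in compta/paiement/rapport.php and compta/facture/impayees.php` would make that coupling visible to whoever adds the next private module part.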
From 17581dd6d648ec56bb737e8fc3ab06408531d681 Mon Sep 17 00:00:00 2001
From: simnandez
Date: Thu, 30 Jan 2014 12:20:36 +0100
Subject: [PATCH 4/4] Fix: Default status into contact creation must be Actif

---
 htdocs/contact/class/contact.class.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/htdocs/contact/class/contact.class.php b/htdocs/contact/class/contact.class.php
index 64cef78239d..c83908b75a9 100644
--- a/htdocs/contact/class/contact.class.php
+++ b/htdocs/contact/class/contact.class.php
@@ -7,6 +7,7 @@
 * Copyright (C) 2008 Raphael Bertrand (Resultic)
 * Copyright (C) 2013 Florian Henry
 * Copyright (C) 2013 Alexandre Spangaro
+ * Copyright (C) 2013 Juanjo Menent
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -126,7 +127,7 @@ class Contact extends CommonObject
 if (! empty($conf->global->MAIN_FIRST_TO_UPPER)) $this->firstname=ucwords($this->firstname);
 if (! $this->socid) $this->socid = 0;
 if (! $this->priv) $this->priv = 0;
-if (empty($this->statut)) $this->statut = 0;
+if (empty($this->statut)) $this->statut = 1; //Defult status to Actif
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."socpeople (";
 $sql.= " datec";
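Review bot: `empty($this->statut)` treats an explicit `0` (inactive) exactly like an unset value, so a caller that deliberately creates an inactive contact with `statut = 0` now gets it stored as active; a test that only defaults when nothing was supplied, `if (! isset($this->statut) || $this->statut === '') $this->statut = 1;`, keeps the new default without overriding an explicit zero. Minor: the new comment reads `Defult` for `Default`. The enclosing method starts and ends outside the hunk.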