From 55e8aca47ec955ab18ed57e2716e2053df23021e Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 2 Aug 2019 19:06:40 +0200 Subject: [PATCH 1/5] Fix skeleton of module --- htdocs/modulebuilder/template/class/myobject.class.php | 2 +- htdocs/modulebuilder/template/myobject_list.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/modulebuilder/template/class/myobject.class.php b/htdocs/modulebuilder/template/class/myobject.class.php index f6020882502..3c68b0472e2 100644 --- a/htdocs/modulebuilder/template/class/myobject.class.php +++ b/htdocs/modulebuilder/template/class/myobject.class.php @@ -60,7 +60,7 @@ class MyObject extends CommonObject const STATUS_DRAFT = 0; const STATUS_VALIDATED = 1; - const STATUS_DISABLED = 9; + const STATUS_CANCELED = 9; /** diff --git a/htdocs/modulebuilder/template/myobject_list.php b/htdocs/modulebuilder/template/myobject_list.php index 5e6388d55f9..25279be4f03 100644 --- a/htdocs/modulebuilder/template/myobject_list.php +++ b/htdocs/modulebuilder/template/myobject_list.php @@ -493,7 +493,7 @@ while ($i < min($num, $limit)) if (in_array($val['type'], array('timestamp'))) $cssforfield.=($cssforfield?' ':'').'nowrap'; elseif ($key == 'ref') $cssforfield.=($cssforfield?' ':'').'nowrap'; - if (in_array($val['type'], array('double(24,8)', 'double(6,3)', 'integer', 'real', 'price'))) $cssforfield.=($cssforfield?' ':'').'right'; + if (in_array($val['type'], array('double(24,8)', 'double(6,3)', 'integer', 'real', 'price')) && $key != 'status') $cssforfield.=($cssforfield?' ':'').'right'; if (! empty($arrayfields['t.'.$key]['checked'])) { From 76b7aa2e0fe954bd01bc7cdcbe711bc05cd72c84 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 2 Aug 2019 19:20:19 +0200 Subject: [PATCH 2/5] Fix fields with visible = 3 must not be visible into list --- htdocs/modulebuilder/template/myobject_list.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/modulebuilder/template/myobject_list.php b/htdocs/modulebuilder/template/myobject_list.php index 25279be4f03..11fafd59ab5 100644 --- a/htdocs/modulebuilder/template/myobject_list.php +++ b/htdocs/modulebuilder/template/myobject_list.php @@ -135,7 +135,7 @@ $arrayfields=array(); foreach($object->fields as $key => $val) { // If $val['visible']==0, then we never show the field - if (! empty($val['visible'])) $arrayfields['t.'.$key]=array('label'=>$val['label'], 'checked'=>(($val['visible']<0)?0:1), 'enabled'=>$val['enabled'], 'position'=>$val['position']); + if (! empty($val['visible'])) $arrayfields['t.'.$key]=array('label'=>$val['label'], 'checked'=>(($val['visible']<0)?0:1), 'enabled'=>($val['enabled'] && ($val['visible'] != 3)), 'position'=>$val['position']); } // Extra fields if (is_array($extrafields->attributes[$object->table_element]['label']) && count($extrafields->attributes[$object->table_element]['label']) > 0) From c34739ab3fb6c84b8f0d569f30e20e984e3b173c Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 2 Aug 2019 17:12:03 +0200 Subject: [PATCH 3/5] Fix A file for a hidden feature provides a service without security checks. --- htdocs/core/ajax/objectonoff.php | 26 ++++++++++++++++++++++++-- htdocs/core/ajax/security.php | 2 +- htdocs/core/lib/ajax.lib.php | 5 +++-- 3 files changed, 28 insertions(+), 5 deletions(-) diff --git a/htdocs/core/ajax/objectonoff.php b/htdocs/core/ajax/objectonoff.php index 6b06cccd50c..987a59ec3fb 100644 --- a/htdocs/core/ajax/objectonoff.php +++ b/htdocs/core/ajax/objectonoff.php @@ -15,8 +15,9 @@ */ /** - * \file htdocs/core/ajax/productonoff.php - * \brief File to set tosell and tobuy for product + * \file htdocs/core/ajax/objectonoff.php + * \brief File to set status for an object + * This Ajax service is called when option MAIN_DIRECT_STATUS_UPDATE is set. */ if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL', '1'); // Disables token renewal @@ -36,6 +37,13 @@ $field=GETPOST('field', 'alpha'); $element=GETPOST('element', 'alpha'); $object = new GenericObject($db); + +// Security check +if (! empty($user->societe_id)) + $socid = $user->societe_id; + + + /* * View */ @@ -44,6 +52,20 @@ top_httphead(); print ''."\n"; +if ($element == 'societe' && in_array($field, array('status'))) +{ + $result = restrictedArea($user, 'societe', $id); +} +elseif ($element == 'product' && in_array($field, array('tosell', 'tobuy', 'tobatch'))) +{ + $result = restrictedArea($user, 'produit|service', $id, 'product&product', '', '', 'rowid'); +} +else +{ + accessforbidden("Bad value for combination of parameters element/field.", 0, 0, 1); + exit; +} + // Registering new values if (($action == 'set') && ! empty($id)) $object->setValueFrom($field, $value, $element, $id); diff --git a/htdocs/core/ajax/security.php b/htdocs/core/ajax/security.php index 9e7dea2ef95..faaddd31b23 100644 --- a/htdocs/core/ajax/security.php +++ b/htdocs/core/ajax/security.php @@ -17,7 +17,7 @@ /** * \file htdocs/core/ajax/security.php - * \brief This ajax component is used to generated has keys for security purposes + * \brief This ajax component is used to generated hash keys for security purposes * like key to use into URL to protect them. */ diff --git a/htdocs/core/lib/ajax.lib.php b/htdocs/core/lib/ajax.lib.php index a96e63a4f43..43f4723d695 100644 --- a/htdocs/core/lib/ajax.lib.php +++ b/htdocs/core/lib/ajax.lib.php @@ -538,11 +538,12 @@ function ajax_constantonoff($code, $input = array(), $entity = null, $revertonof } /** - * On/off button for object + * On/off button to change status of an object + * This is called when MAIN_DIRECT_STATUS_UPDATE is set and it use tha ajax service objectonoff.php * * @param Object $object Object to set * @param string $code Name of constant : status or status_buy for product by example - * @param string $field Name of database field : tosell or tobuy for product by example + * @param string $field Name of database field : 'tosell' or 'tobuy' for product by example * @param string $text_on Text if on * @param string $text_off Text if off * @param array $input Array of type->list of CSS element to switch. Example: array('disabled'=>array(0=>'cssid')) From 55e9335cd2a9814b8d5462fe8546252918ebde34 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 2 Aug 2019 17:16:13 +0200 Subject: [PATCH 4/5] Fix code comment --- htdocs/core/class/fileupload.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/core/class/fileupload.class.php b/htdocs/core/class/fileupload.class.php index bd36dba199b..40dd4783a60 100644 --- a/htdocs/core/class/fileupload.class.php +++ b/htdocs/core/class/fileupload.class.php @@ -17,7 +17,7 @@ */ /** - * \file htdocs/core/ajax/fileupload.php + * \file htdocs/core/ajax/fileupload.class.php * \brief File to return Ajax response on file upload */ From 25ee539f920cab0ac1b7bcca1101485bf655f9d4 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 3 Aug 2019 16:32:35 +0200 Subject: [PATCH 5/5] FIX Missing where on entity Conflicts: htdocs/core/class/commonobject.class.php --- htdocs/core/class/commonobject.class.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php index 1490e36c3ed..e607e8f214a 100644 --- a/htdocs/core/class/commonobject.class.php +++ b/htdocs/core/class/commonobject.class.php @@ -2054,6 +2054,7 @@ abstract class CommonObject } } + /** * Define delivery address * @deprecated @@ -7319,6 +7320,7 @@ abstract class CommonObject if (!empty($id)) $sql.= ' WHERE rowid = '.$id; elseif (!empty($ref)) $sql.= " WHERE ref = ".$this->quote($ref, $this->fields['ref']); else $sql.=' WHERE 1 = 1'; // usage with empty id and empty ref is very rare + if (empty($id) && isset($this->ismultientitymanaged) && $this->ismultientitymanaged == 1) $sql.=' AND entity IN ('.getEntity($this->table_element).')'; if ($morewhere) $sql.= $morewhere; $sql.=' LIMIT 1'; // This is a fetch, to be sure to get only one record