Fix GETPOST second param

This commit is contained in:
Laurent Destailleur 2020-11-26 22:59:05 +01:00
parent b3b511a6d4
commit 61c0c7f0a6


@ -268,6 +268,7 @@ if (empty($reshook)) {
if ($value == 'content') continue;
if ($value == 'content_lines') continue;
// Rename some POST variables into a generic name
if (GETPOST('actionmodify', 'alpha') && $value == 'topic') $_POST['topic'] = $_POST['topic-'.$rowid];
if ((!isset($_POST[$value]) || $_POST[$value] == '' || $_POST[$value] == '-1') && $value != 'lang' && $value != 'fk_user' && $value != 'position')
@ -306,6 +307,7 @@ if (empty($reshook)) {
if ($value == 'lang') $keycode = 'langcode';
if (empty($keycode)) $keycode = $value;
// Clean input variables
if ($value == 'entity') $_POST[$keycode] = $conf->entity;
if ($value == 'fk_user' && !($_POST[$keycode] > 0)) $_POST[$keycode] = '';
if ($value == 'private' && !is_numeric($_POST[$keycode])) $_POST[$keycode] = '0';
@ -319,7 +321,7 @@ if (empty($reshook)) {
if (!$user->admin) { // A non admin user can only edit its own template
$sql .= " ".((int) $user->id);
} else {
$sql .= " ".((int) GETPOST($keycode, 'fk_user'));
$sql .= " ".((int) GETPOST($keycode, 'int'));
}
} elseif ($keycode == 'content') {
$sql .= "'".$db->escape(GETPOST($keycode, 'restricthtml'))."'";
@ -362,6 +364,7 @@ if (empty($reshook)) {
if ($field == 'lang') $keycode = 'langcode';
if (empty($keycode)) $keycode = $field;
// Rename some POST variables into a generic name
if ($field == 'fk_user' && !($_POST['fk_user'] > 0)) $_POST['fk_user'] = '';
if ($field == 'topic') $_POST['topic'] = $_POST['topic-'.$rowid];
if ($field == 'joinfiles') $_POST['joinfiles'] = $_POST['joinfiles-'.$rowid];
@ -378,7 +381,7 @@ if (empty($reshook)) {
if (!$user->admin) { // A non admin user can only edit its own template
$sql .= " ".((int) $user->id);
} else {
$sql .= " ".((int) GETPOST($keycode, 'fk_user'));
$sql .= " ".((int) GETPOST($keycode, 'int'));
}
} elseif ($keycode == 'content') {
$sql .= "'".$db->escape(GETPOST($keycode, 'restricthtml'))."'";
@ -393,7 +396,7 @@ if (empty($reshook)) {
$sql .= " WHERE ".$rowidcol." = ".((int) $rowid);
if (!$user->admin) { // A non admin user can only edit its own template
$sql .= " AND fk_user = ".$user->id;
$sql .= " AND fk_user = ".((int) $user->id);
}
//print $sql;exit;
dol_syslog("actionmodify", LOG_DEBUG);
@ -414,7 +417,7 @@ if (empty($reshook)) {
$sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol."=".((int) $rowid);
if (!$user->admin) { // A non admin user can only edit its own template
$sql .= " AND fk_user = ".$user->id;
$sql .= " AND fk_user = ".((int) $user->id;
}
dol_syslog("delete", LOG_DEBUG);
$result = $db->query($sql);
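Review bot: The new line in the DELETE hunk, `$sql .= " AND fk_user = ".((int) $user->id;`, is missing its closing parenthesis as rendered here and would not parse; it should read `$sql .= " AND fk_user = ".((int) $user->id);` so that it matches the actionmodify branch a few hunks above. If that is only a rendering artefact of this page it can be ignored, but the two ownership filters should be byte-identical either way, since the `(int)` cast is what keeps the interpolated value safe in the string-built SQL. The switch from `'fk_user'` (which does not look like a GETPOST check type) to `'int'` is consistent with the `(int)` cast that already wraps those calls, so the value reaching the query was already constrained. The enclosing `if (empty($reshook))` block and the `$tabname[$id]` lookup that supplies the table name on the DELETE line both begin outside these hunks, so whether `$id` is validated against a fixed list of table names cannot be confirmed from here.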