diff --git a/SECURITY.md b/SECURITY.md
index f63f9c3f277..7d65b7e98e4 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -12,7 +12,7 @@ This file contains some policies about the security reports on Dolibarr ERP CRM
 ## Reporting a Vulnerability
-To report a vulnerability, please use GitHub security advisory at https://github.com/Dolibarr/dolibarr/security/advisories/new (or alternatively send an email to security@dolibarr.org)
+To report a vulnerability, please use GitHub security advisory at https://github.com/Dolibarr/dolibarr/security/advisories/new (if you have permissions) or alternatively send an email to security@dolibarr.org (for everybody)
 ## Hunting vulnerabilities on Dolibarr
@@ -55,7 +55,7 @@ ONLY vulnerabilities discovered, when the following setup on test platform is us
 * $dolibarr_nocsrfcheck must be kept to the value 0 into conf.php (this is the default value)
 * $dolibarr_main_force_https must be set to something else than 0.
 * The constant MAIN_SECURITY_CSRF_WITH_TOKEN must be set to 1 into backoffice menu Home - Setup - Other (this protection should be set to 1 soon by default)
-* The module DebugBar and ModuleBuilder must NOT be enabled (by default, this module is not enabled. This is a developer tool)
+* The module DebugBar and ModuleBuilder must NOT be enabled (by default, these modules are not enabled. They are developer tools)
 * ONLY security reports on modules provided by default and with the "stable" status are valid (troubles into "experimental", "developement" or external modules are not valid vulnerabilities).
 * The root of web server must link to htdocs and the documents directory must be outside of the web server root (this is the default when using the default installer but may differs with external installer).
 * The web server setup must be done so only the documents directory is in write mode. The root directory called htdocs must be readonly.
@@ -65,12 +65,12 @@ ONLY vulnerabilities discovered, when the following setup on test platform is us Scope is the web application (back office) and the APIs. -## Qualifying vulnerabilities for Bug bounty programs +## Qualifying vulnerabilities for reporting * Remote code execution (RCE) * Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA) * Code injections (HTML, JS, SQL, PHP, ...) -* Cross-Site Scripting (XSS) +* Cross-Site Scripting (XSS), except from setup page of module "External web site" (allowing any content here, editable by admin user only, is accepted on purpose or into module "Web site" when permission to edit website content is allowed). * Cross-Site Requests Forgery (CSRF) with real security impact (when using GET URLs, CSRF are qualified only for creating, updating or deleting data from pages restricted to admin users) * Open redirect * Broken authentication & session management @@ -82,7 +82,7 @@ Scope is the web application (back office) and the APIs. * Stack traces or path disclosure (for non admin users only) -## Non-qualifying vulnerabilities for Bug bounty programs, but qualified for reporting +## Non-qualifying vulnerabilities for reporting * "Self" XSS * SSL/TLS best practices diff --git a/htdocs/accountancy/admin/account.php b/htdocs/accountancy/admin/account.php index 8982376ded6..cf2bd2065a2 100644 --- a/htdocs/accountancy/admin/account.php +++ b/htdocs/accountancy/admin/account.php @@ -582,6 +582,10 @@ if ($resql) { $i++; } + if ($num == 0) { + print ''.$langs->trans("None").''; + } + print ""; print ""; print ''; diff --git a/htdocs/accountancy/admin/accountmodel.php b/htdocs/accountancy/admin/accountmodel.php index 8f7d869479d..0ebba6c18a4 100644 --- a/htdocs/accountancy/admin/accountmodel.php +++ b/htdocs/accountancy/admin/accountmodel.php 
@@ -180,10 +180,6 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) {
 }
 }
 // Other checks
- if ($tabname[$id] == MAIN_DB_PREFIX."c_actioncomm" && GETPOSTISSET("type") && in_array($_POST["type"], array('system', 'systemauto'))) {
- $ok = 0;
- setEventMessages($langs->transnoentities('ErrorReservedTypeSystemSystemAuto'), null, 'errors');
- }
 if (GETPOSTISSET("pcg_version")) {
 if (GETPOST("pcg_version") == '0') {
 $ok = 0;
diff --git a/htdocs/accountancy/admin/categories_list.php b/htdocs/accountancy/admin/categories_list.php
index 89c8a2b3b71..deae39aef54 100644
--- a/htdocs/accountancy/admin/categories_list.php
+++ b/htdocs/accountancy/admin/categories_list.php
@@ -185,7 +185,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) {
 }
 }
 if (GETPOSTISSET("code")) {
- if ($_POST["code"] == '0') {
+ if (GETPOST("code") == '0') {
 $ok = 0;
 setEventMessages($langs->transnoentities('ErrorCodeCantContainZero'), null, 'errors');
 }
diff --git a/htdocs/accountancy/admin/fiscalyear_card.php b/htdocs/accountancy/admin/fiscalyear_card.php
index 410807144f5..16463ec027b 100644
--- a/htdocs/accountancy/admin/fiscalyear_card.php
+++ b/htdocs/accountancy/admin/fiscalyear_card.php
@@ -121,8 +121,8 @@ if ($action == 'confirm_delete' && $confirm == "yes") {
 if (!GETPOST('cancel', 'alpha')) {
 $result = $object->fetch($id);
- $object->date_start = empty($_POST["fiscalyear"]) ? '' : $date_start;
- $object->date_end = empty($_POST["fiscalyearend"]) ? '' : $date_end;
+ $object->date_start = GETPOST("fiscalyear") ? $date_start : '';
+ $object->date_end = GETPOST("fiscalyearend") ? $date_end : '';
 $object->label = GETPOST('label', 'alpha');
 $object->statut = GETPOST('statut', 'int');
diff --git a/htdocs/accountancy/class/accountancycategory.class.php b/htdocs/accountancy/class/accountancycategory.class.php
index 292fb55a29f..1bdc0f438bf 100644
--- a/htdocs/accountancy/class/accountancycategory.class.php
+++ b/htdocs/accountancy/class/accountancycategory.class.php
@@ -743,7 +743,7 @@ class AccountancyCategory // extends CommonObject
 }
 $listofaccount .= "'".$cptcursor."'";
 }
- $sql .= " AND t.numero_compte IN (".$listofaccount.")";
+ $sql .= " AND t.numero_compte IN (".$this->db->sanitize($listofaccount).")";
 } else {
 $sql .= " AND t.numero_compte = '".$this->db->escape($cpt)."'";
 }
diff --git a/htdocs/accountancy/class/lettering.class.php b/htdocs/accountancy/class/lettering.class.php
index ad6f186d68f..b2abf01948e 100644
--- a/htdocs/accountancy/class/lettering.class.php
+++ b/htdocs/accountancy/class/lettering.class.php
@@ -126,7 +126,7 @@ class Lettering extends BookKeeping
 if (count($ids_fact)) {
 $sql = 'SELECT bk.rowid, facf.ref, facf.ref_supplier ';
 $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn facf ";
- $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON( bk.fk_doc = facf.rowid AND facf.rowid IN (".implode(',', $ids_fact)."))";
+ $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON( bk.fk_doc = facf.rowid AND facf.rowid IN (".$this->db->sanitize(implode(',', $ids_fact))."))";
 $sql .= " WHERE bk.code_journal IN (SELECT code FROM ".MAIN_DB_PREFIX."accounting_journal WHERE nature=3 AND entity=".$conf->entity.") ";
 $sql .= " AND facf.entity = ".$conf->entity;
 $sql .= " AND ( ";
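Review bot: `sanitize($listofaccount)` on the added `IN (...)` line is called without its second argument, yet `$listofaccount` is built two context lines above as a list of single-quoted values (`"'".$cptcursor."'"`). If `sanitize()` keeps the whitelist behaviour the rest of this commit relies on (only `[a-z0-9_,-]` unless the second argument is 1), the quotes are stripped and the clause becomes `IN (411000,512000)`; that still matches purely numeric account numbers on MySQL but turns alphanumeric account codes into bare identifiers and changes the comparison type. The sibling hunks in accountancy/customer/lines.php pass `1` for exactly this quoted-list case, so this line should read `$sql .= " AND t.numero_compte IN (".$this->db->sanitize($listofaccount, 1).")";`. The enclosing method starts and ends outside the hunk.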
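Review bot: The two context lines under the sanitized INNER JOIN still concatenate `$conf->entity` raw into `entity=` and `facf.entity =`, without the `((int) …)` cast this same commit applies in adherent.class.php. `$conf->entity` is configuration rather than request data, so this is consistency rather than an open hole, but `$sql .= " AND facf.entity = ".((int) $conf->entity);` makes the query self-evidently safe. Since `$ids_fact` holds invoice rowids, `implode(',', array_map('intval', $ids_fact))` would also state the intent directly instead of relying on the character filter. The enclosing method starts and ends outside the hunk.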
@@ -185,7 +185,7 @@ class Lettering extends BookKeeping
 if (count($ids_fact)) {
 $sql = 'SELECT bk.rowid, fac.ref, fac.ref_supplier ';
 $sql .= " FROM ".MAIN_DB_PREFIX."facture fac ";
- $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON( bk.fk_doc = fac.rowid AND fac.rowid IN (".implode(',', $ids_fact)."))";
+ $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON( bk.fk_doc = fac.rowid AND fac.rowid IN (".$this->db->sanitize(implode(',', $ids_fact))."))";
 $sql .= " WHERE code_journal IN (SELECT code FROM ".MAIN_DB_PREFIX."accounting_journal WHERE nature=2 AND entity=".$conf->entity.") ";
 $sql .= " AND fac.entity IN (".getEntity('invoice', 0).")"; // We don't share object for accountancy
 $sql .= " AND ( ";
@@ -255,7 +255,7 @@ class Lettering extends BookKeeping
 }
 $sql = "SELECT SUM(ABS(debit)) as deb, SUM(ABS(credit)) as cred FROM ".MAIN_DB_PREFIX."accounting_bookkeeping WHERE ";
- $sql .= " rowid IN (".implode(',', $ids).") AND date_validated IS NULL";
+ $sql .= " rowid IN (".$this->db->sanitize(implode(',', $ids)).") AND date_validated IS NULL";
 $result = $this->db->query($sql);
 if ($result) {
 $obj = $this->db->fetch_object($result);
@@ -276,7 +276,7 @@ class Lettering extends BookKeeping
 $sql = "UPDATE ".MAIN_DB_PREFIX."accounting_bookkeeping SET";
 $sql .= " lettering_code='".$this->db->escape($lettre)."'";
 $sql .= " , date_lettering = '".$this->db->idate($now)."'"; // todo correct date it's false
- $sql .= " WHERE rowid IN (".implode(',', $ids).") AND date_validated IS NULL ";
+ $sql .= " WHERE rowid IN (".$this->db->sanitize(implode(',', $ids)).") AND date_validated IS NULL ";
 $this->db->begin();
 dol_syslog(get_class($this)."::update sql=".$sql, LOG_DEBUG);
diff --git a/htdocs/accountancy/customer/lines.php b/htdocs/accountancy/customer/lines.php
index b5a000e83f5..4a7ff6c0d81 100644
--- a/htdocs/accountancy/customer/lines.php
+++ b/htdocs/accountancy/customer/lines.php
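Review bot: `sanitize()` on the `WHERE rowid IN (...)` line of the UPDATE is a character whitelist, not a type check: an element such as `abc` or `1-2` in `$ids` passes through it and becomes an invalid or unintended predicate instead of being rejected. The ids are bookkeeping rowids, so casting each one is the precise guard: `$sql .= " WHERE rowid IN (".$this->db->sanitize(implode(',', array_map('intval', $ids))).") AND date_validated IS NULL ";`, and the same applies to the SELECT in the `@@ -255` hunk above. The enclosing method starts and ends outside the hunk.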
@@ -129,7 +129,7 @@ if (is_array($changeaccount) && count($changeaccount) > 0 && $user->rights->acco
 $sql1 = "UPDATE ".MAIN_DB_PREFIX."facturedet as l";
 $sql1 .= " SET l.fk_code_ventilation=".(GETPOST('account_parent', 'int') > 0 ? GETPOST('account_parent', 'int') : '0');
- $sql1 .= ' WHERE l.rowid IN ('.implode(',', $changeaccount).')';
+ $sql1 .= ' WHERE l.rowid IN ('.$db->sanitize(implode(',', $changeaccount)).')';
 dol_syslog('accountancy/customer/lines.php::changeaccount sql= '.$sql1);
 $resql1 = $db->query($sql1);
@@ -253,11 +253,11 @@ if (strlen(trim($search_country))) {
 if ($search_country == 'special_allnotme') {
 $sql .= " AND co.code <> '".$db->escape($mysoc->country_code)."'";
 } elseif ($search_country == 'special_eec') {
- $sql .= " AND co.code IN (".$country_code_in_EEC.")";
+ $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC, 1).")";
 } elseif ($search_country == 'special_eecnotme') {
- $sql .= " AND co.code IN (".$country_code_in_EEC_without_me.")";
+ $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC_without_me, 1).")";
 } elseif ($search_country == 'special_noteec') {
- $sql .= " AND co.code NOT IN (".$country_code_in_EEC.")";
+ $sql .= " AND co.code NOT IN (".$db->sanitize($country_code_in_EEC, 1).")";
 } else {
 $sql .= natural_search("co.code", $search_country);
 }
diff --git a/htdocs/accountancy/customer/list.php b/htdocs/accountancy/customer/list.php
index 0e95d3804c4..82f2b3cf78a 100644
--- a/htdocs/accountancy/customer/list.php
+++ b/htdocs/accountancy/customer/list.php
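Review bot: `$changeaccount` on the sanitized `WHERE l.rowid IN (...)` line is a request-supplied array (the hunk header tests it with `is_array`/`count`), and `sanitize()` only strips characters outside its whitelist, so a non-numeric element still reaches the UPDATE as a malformed token rather than being rejected. These are invoice line rowids, so cast them: `$sql1 .= ' WHERE l.rowid IN ('.$db->sanitize(implode(',', array_map('intval', $changeaccount))).')';`. The permission test in the header is truncated to `$user->rights->acco…`, so I cannot confirm which right gates this write; the enclosing block starts before the hunk.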
@@ -302,11 +302,11 @@ if (strlen(trim($search_country))) {
 if ($search_country == 'special_allnotme') {
 $sql .= " AND co.code <> '".$db->escape($mysoc->country_code)."'";
 } elseif ($search_country == 'special_eec') {
- $sql .= " AND co.code IN (".$country_code_in_EEC.")";
+ $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC, 1).")";
 } elseif ($search_country == 'special_eecnotme') {
- $sql .= " AND co.code IN (".$country_code_in_EEC_without_me.")";
+ $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC_without_me, 1).")";
 } elseif ($search_country == 'special_noteec') {
- $sql .= " AND co.code NOT IN (".$country_code_in_EEC.")";
+ $sql .= " AND co.code NOT IN (".$db->sanitize($country_code_in_EEC, 1).")";
 } else {
 $sql .= natural_search("co.code", $search_country);
 }
diff --git a/htdocs/accountancy/expensereport/lines.php b/htdocs/accountancy/expensereport/lines.php
index d29e39d7f37..df50eaaff87 100644
--- a/htdocs/accountancy/expensereport/lines.php
+++ b/htdocs/accountancy/expensereport/lines.php
@@ -119,7 +119,7 @@ if (is_array($changeaccount) && count($changeaccount) > 0 && $user->rights->acco
 $sql1 = "UPDATE ".MAIN_DB_PREFIX."expensereport_det as erd";
 $sql1 .= " SET erd.fk_code_ventilation=".(GETPOST('account_parent', 'int') > 0 ? GETPOST('account_parent', 'int') : '0');
- $sql1 .= ' WHERE erd.rowid IN ('.implode(',', $changeaccount).')';
+ $sql1 .= ' WHERE erd.rowid IN ('.$db->sanitize(implode(',', $changeaccount)).')';
 dol_syslog('accountancy/expensereport/lines.php::changeaccount sql= '.$sql1);
 $resql1 = $db->query($sql1);
diff --git a/htdocs/accountancy/supplier/lines.php b/htdocs/accountancy/supplier/lines.php
index f661ba42ce9..a87280744ec 100644
--- a/htdocs/accountancy/supplier/lines.php
+++ b/htdocs/accountancy/supplier/lines.php
@@ -130,7 +130,7 @@ if (is_array($changeaccount) && count($changeaccount) > 0) {
 $sql1 = "UPDATE ".MAIN_DB_PREFIX."facture_fourn_det as l";
 $sql1 .= " SET l.fk_code_ventilation=".(GETPOST('account_parent', 'int') > 0 ? GETPOST('account_parent', 'int') : '0');
- $sql1 .= ' WHERE l.rowid IN ('.implode(',', $changeaccount).')';
+ $sql1 .= ' WHERE l.rowid IN ('.$db->sanitize(implode(',', $changeaccount)).')';
 dol_syslog('accountancy/supplier/lines.php::changeaccount sql= '.$sql1);
 $resql1 = $db->query($sql1);
@@ -238,11 +238,11 @@ if (strlen(trim($search_country))) {
 if ($search_country == 'special_allnotme') {
 $sql .= " AND co.code <> '".$db->escape($mysoc->country_code)."'";
 } elseif ($search_country == 'special_eec') {
- $sql .= " AND co.code IN (".$country_code_in_EEC.")";
+ $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC, 1).")";
 } elseif ($search_country == 'special_eecnotme') {
- $sql .= " AND co.code IN (".$country_code_in_EEC_without_me.")";
+ $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC_without_me, 1).")";
 } elseif ($search_country == 'special_noteec') {
- $sql .= " AND co.code NOT IN (".$country_code_in_EEC.")";
+ $sql .= " AND co.code NOT IN (".$db->sanitize($country_code_in_EEC, 1).")";
 } else {
 $sql .= natural_search("co.code", $search_country);
 }
diff --git a/htdocs/accountancy/supplier/list.php b/htdocs/accountancy/supplier/list.php
index 574ae22892e..9acfeb1684d 100644
--- a/htdocs/accountancy/supplier/list.php
+++ b/htdocs/accountancy/supplier/list.php
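Review bot: The hunk header shows the supplier `changeaccount` UPDATE gated only by `if (is_array($changeaccount) && count($changeaccount) > 0) {`, whereas the matching hunks in accountancy/customer/lines.php and accountancy/expensereport/lines.php also require a `$user->rights->acco…` permission in the same condition. Unless that right is enforced earlier in the page (outside this hunk, which I cannot see), anyone who can reach this page can rewrite `fk_code_ventilation` on arbitrary supplier invoice lines by posting rowids. Suggest mirroring the sibling files by appending the same rights test to that `if`, and casting the ids with `array_map('intval', $changeaccount)` inside the implode, since `sanitize()` is only a character filter. The enclosing block starts before the hunk.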
@@ -305,11 +305,11 @@ if (strlen(trim($search_country))) {
 if ($search_country == 'special_allnotme') {
 $sql .= " AND co.code <> '".$db->escape($mysoc->country_code)."'";
 } elseif ($search_country == 'special_eec') {
- $sql .= " AND co.code IN (".$country_code_in_EEC.")";
+ $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC, 1).")";
 } elseif ($search_country == 'special_eecnotme') {
- $sql .= " AND co.code IN (".$country_code_in_EEC_without_me.")";
+ $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC_without_me, 1).")";
 } elseif ($search_country == 'special_noteec') {
- $sql .= " AND co.code NOT IN (".$country_code_in_EEC.")";
+ $sql .= " AND co.code NOT IN (".$db->sanitize($country_code_in_EEC, 1).")";
 } else {
 $sql .= natural_search("co.code", $search_country);
 }
diff --git a/htdocs/adherents/canvas/actions_adherentcard_common.class.php b/htdocs/adherents/canvas/actions_adherentcard_common.class.php
index 970609fce65..3c6e72cc783 100644
--- a/htdocs/adherents/canvas/actions_adherentcard_common.class.php
+++ b/htdocs/adherents/canvas/actions_adherentcard_common.class.php
@@ -253,23 +253,23 @@ abstract class ActionsAdherentCardCommon
 // phpcs:enable
 global $langs, $mysoc;
- $this->object->old_name = $_POST["old_name"];
- $this->object->old_firstname = $_POST["old_firstname"];
+ $this->object->old_name = GETPOST("old_name");
+ $this->object->old_firstname = GETPOST("old_firstname");
- $this->object->fk_soc = $_POST["fk_soc"];
- $this->object->lastname = $_POST["lastname"];
- $this->object->firstname = $_POST["firstname"];
- $this->object->civility_id = $_POST["civility_id"];
- $this->object->address = $_POST["address"];
- $this->object->zip = $_POST["zipcode"];
- $this->object->town = $_POST["town"];
- $this->object->country_id = $_POST["country_id"] ? $_POST["country_id"] : $mysoc->country_id;
- $this->object->state_id = $_POST["state_id"];
- $this->object->phone_perso = $_POST["phone_perso"];
- $this->object->phone_mobile = $_POST["phone_mobile"];
- $this->object->email = $_POST["email"];
- $this->object->note = $_POST["note"];
- $this->object->canvas = $_POST["canvas"];
+ $this->object->fk_soc = GETPOST("fk_soc");
+ $this->object->lastname = GETPOST("lastname");
+ $this->object->firstname = GETPOST("firstname");
+ $this->object->civility_id = GETPOST("civility_id");
+ $this->object->address = GETPOST("address");
+ $this->object->zip = GETPOST("zipcode");
+ $this->object->town = GETPOST("town");
+ $this->object->country_id = GETPOST("country_id", 'int') ? GETPOST("country_id", 'int') : $mysoc->country_id;
+ $this->object->state_id = GETPOST("state_id", 'int');
+ $this->object->phone_perso = GETPOST("phone_perso");
+ $this->object->phone_mobile = GETPOST("phone_mobile");
+ $this->object->email = GETPOST("email", 'alphawithlgt');
+ $this->object->note = GETPOST("note", 'restricthtml');
+ $this->object->canvas = GETPOST("canvas");
 // We set country_id, and country_code label of the chosen country
 if ($this->object->country_id) {
diff --git a/htdocs/adherents/card.php b/htdocs/adherents/card.php
index 57e510719bb..b75bce38ca9 100644
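Review bot: `$this->object->fk_soc = GETPOST("fk_soc");` and `$this->object->canvas = GETPOST("canvas");` are the two assignments in this hunk left on the default filter while the neighbouring ids (`country_id`, `state_id`) get `'int'`; `fk_soc` is a foreign key that will be concatenated into SQL downstream, so it should be `GETPOST("fk_soc", 'int')`, and `canvas` selects a code path, so `GETPOST("canvas", 'aZ09')` is the tighter fit. `GETPOST("email", 'alphawithlgt')` deliberately admits `<` and `>`, so whatever later renders `$this->object->email` must HTML-escape it; a comment on that line such as `// alphawithlgt keeps "Name <addr>" forms; escape on output` would keep that contract visible. The enclosing method starts and ends outside the hunk.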
--- a/htdocs/adherents/card.php +++ b/htdocs/adherents/card.php @@ -1830,7 +1830,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { // Send if (empty($user->socid)) { if ($object->statut == 1) { - print '
'.$langs->trans('SendMail').'
'; + print '
'.$langs->trans('SendMail').'
'."\n"; } } @@ -1856,17 +1856,17 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { // Modify if ($user->rights->adherent->creer) { - print '
'.$langs->trans("Modify")."
"; + print '
'.$langs->trans("Modify").'
'."\n"; } else { - print '
'.$langs->trans("Modify").'
'; + print '
'.$langs->trans("Modify").'
'."\n"; } // Validate if ($object->statut == -1) { if ($user->rights->adherent->creer) { - print '
'.$langs->trans("Validate")."
\n"; + print '
'.$langs->trans("Validate").'
'."\n"; } else { - print '
'.$langs->trans("Validate").'
'; + print '
'.$langs->trans("Validate").'
'."\n"; } } @@ -1875,7 +1875,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { if ($user->rights->adherent->creer) { print '
'.$langs->trans("Reenable")."
\n"; } else { - print '
'.$langs->trans("Reenable")."
"; + print '
'.$langs->trans("Reenable").'
'."\n"; } } @@ -1884,7 +1884,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { if ($user->rights->adherent->supprimer) { print '
'.$langs->trans("Resiliate")."
\n"; } else { - print '
'.$langs->trans("Resiliate")."
"; + print '
'.$langs->trans("Resiliate").'
'."\n"; } } @@ -1893,7 +1893,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { if ($user->rights->adherent->supprimer) { print '
'.$langs->trans("Exclude")."
\n"; } else { - print '
'.$langs->trans("Exclude")."
"; + print '
'.$langs->trans("Exclude").'
'."\n"; } } @@ -1901,12 +1901,12 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { if (!empty($conf->societe->enabled) && !$object->socid) { if ($user->rights->societe->creer) { if ($object->statut != -1) { - print '
'.$langs->trans("CreateDolibarrThirdParty").'
'; + print '
'.$langs->trans("CreateDolibarrThirdParty").'
'."\n";; } else { - print '
'.$langs->trans("CreateDolibarrThirdParty").'
'; + print '
'.$langs->trans("CreateDolibarrThirdParty").'
'."\n"; } } else { - print '
'.$langs->trans("CreateDolibarrThirdParty")."
"; + print '
'.$langs->trans("CreateDolibarrThirdParty").'
'."\n"; } } @@ -1914,12 +1914,12 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { if (!$user->socid && !$object->user_id) { if ($user->rights->user->user->creer) { if ($object->statut != -1) { - print '
'.$langs->trans("CreateDolibarrLogin").'
'; + print '
'.$langs->trans("CreateDolibarrLogin").'
'."\n"; } else { - print '
'.$langs->trans("CreateDolibarrLogin").'
'; + print '
'.$langs->trans("CreateDolibarrLogin").'
'."\n"; } } else { - print '
'.$langs->trans("CreateDolibarrLogin")."
"; + print '
'.$langs->trans("CreateDolibarrLogin").'
'."\n"; } } @@ -1928,18 +1928,18 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { $isinspip = $mailmanspip->is_in_spip($object); if ($isinspip == 1) { - print '
'.$langs->trans("DeleteIntoSpip")."
\n"; + print '
'.$langs->trans("DeleteIntoSpip").'
'."\n"; } if ($isinspip == 0) { - print '
'.$langs->trans("AddIntoSpip")."
\n"; + print '
'.$langs->trans("AddIntoSpip").'
'."\n"; } } // Delete if ($user->rights->adherent->supprimer) { - print '
'.$langs->trans("Delete")."
\n"; + print '
'.$langs->trans("Delete").'
'."\n"; } else { - print '
'.$langs->trans("Delete")."
"; + print '
'.$langs->trans("Delete").'
'."\n"; } } } diff --git a/htdocs/adherents/class/adherent.class.php b/htdocs/adherents/class/adherent.class.php index bb56eaf4947..cf6f9d54649 100644 --- a/htdocs/adherents/class/adherent.class.php +++ b/htdocs/adherents/class/adherent.class.php @@ -1141,7 +1141,7 @@ class Adherent extends CommonObject $this->db->begin(); // If user is linked to this member, remove old link to this member - $sql = "UPDATE ".MAIN_DB_PREFIX."user SET fk_member = NULL WHERE fk_member = ".$this->id; + $sql = "UPDATE ".MAIN_DB_PREFIX."user SET fk_member = NULL WHERE fk_member = ".((int) $this->id); dol_syslog(get_class($this)."::setUserId", LOG_DEBUG); $resql = $this->db->query($sql); if (!$resql) { @@ -1152,7 +1152,7 @@ class Adherent extends CommonObject // Set link to user if ($userid > 0) { - $sql = "UPDATE ".MAIN_DB_PREFIX."user SET fk_member = ".$this->id; + $sql = "UPDATE ".MAIN_DB_PREFIX."user SET fk_member = ".((int) $this->id); $sql .= " WHERE rowid = ".$userid; dol_syslog(get_class($this)."::setUserId", LOG_DEBUG); $resql = $this->db->query($sql); @@ -2279,7 +2279,7 @@ class Adherent extends CommonObject $labelStatus = $langs->trans("MemberStatusResiliated"); $labelStatusShort = $langs->trans("MemberStatusResiliatedShort"); } elseif ($status == -2) { - $statusType = 'status8'; + $statusType = 'status10'; $labelStatus = $langs->trans("MemberStatusExcluded"); $labelStatusShort = $langs->trans("MemberStatusExcludedShort"); } diff --git a/htdocs/adherents/class/adherent_type.class.php b/htdocs/adherents/class/adherent_type.class.php index c4402a157bd..b4347277b5d 100644 --- a/htdocs/adherents/class/adherent_type.class.php +++ b/htdocs/adherents/class/adherent_type.class.php @@ -176,7 +176,7 @@ class AdherentType extends CommonObject $sql = "SELECT rowid"; $sql .= " FROM ".MAIN_DB_PREFIX."adherent_type_lang"; $sql .= " WHERE fk_type=".$this->id; - $sql .= " AND lang='".$key."'"; + $sql .= " AND lang = '".$this->db->escape($key)."'"; $result = $this->db->query($sql); 
@@ -202,7 +202,7 @@ class AdherentType extends CommonObject
 $sql = "SELECT rowid";
 $sql .= " FROM ".MAIN_DB_PREFIX."adherent_type_lang";
 $sql .= " WHERE fk_type=".$this->id;
- $sql .= " AND lang='".$key."'";
+ $sql .= " AND lang = '".$this->db->escape($key)."'";
 $result = $this->db->query($sql);
@@ -552,7 +552,7 @@ class AdherentType extends CommonObject
 $sql = "SELECT a.rowid";
 $sql .= " FROM ".MAIN_DB_PREFIX."adherent as a";
 $sql .= " WHERE a.entity IN (".getEntity('member').")";
- $sql .= " AND a.fk_adherent_type = ".$this->id;
+ $sql .= " AND a.fk_adherent_type = ".((int) $this->id);
 if (!empty($excludefilter)) {
 $sql .= ' AND ('.$excludefilter.')';
 }
diff --git a/htdocs/adherents/index.php b/htdocs/adherents/index.php
index 517649c4b61..803ef89bb22 100644
--- a/htdocs/adherents/index.php
+++ b/htdocs/adherents/index.php
@@ -233,7 +233,7 @@ if ($conf->use_javascript_ajax) {
 include_once DOL_DOCUMENT_ROOT.'/core/class/dolgraph.class.php';
 $dolgraph = new DolGraph();
 $dolgraph->SetData($dataseries);
- $dolgraph->SetDataColor(array($badgeStatus1, $badgeStatus4, $badgeStatus8, $badgeStatus6, '-'.$badgeStatus0));
+ $dolgraph->SetDataColor(array($badgeStatus1, $badgeStatus4, '-'.$badgeStatus8, $badgeStatus6, '-'.$badgeStatus0));
 $dolgraph->setShowLegend(2);
 $dolgraph->setShowPercent(1);
 $dolgraph->SetType(array('pie'));
diff --git a/htdocs/adherents/list.php b/htdocs/adherents/list.php
index a52d551d83e..b06a7538aae 100644
--- a/htdocs/adherents/list.php
+++ b/htdocs/adherents/list.php
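Review bot: With `a.fk_adherent_type` now cast to int, the only unguarded piece left in the `@@ -552` query is the context line `$sql .= ' AND ('.$excludefilter.')';`, which splices a caller-provided SQL fragment verbatim. That is acceptable only if every caller passes a literal assembled in code, which this hunk cannot show; the parameter should at least carry that contract in its docblock, e.g. `@param string $excludefilter Raw SQL fragment built in code; must never be derived from request data`. The enclosing method starts and ends outside the hunk.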
@@ -302,13 +302,13 @@ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s on (s.rowid = d.fk_soc)";
 $sql .= ", ".MAIN_DB_PREFIX."adherent_type as t";
 $sql .= " WHERE d.fk_adherent_type = t.rowid ";
 if ($catid > 0) {
- $sql .= " AND cm.fk_categorie = ".$db->escape($catid);
+ $sql .= " AND cm.fk_categorie = ".((int) $catid);
 }
 if ($catid == -2) {
 $sql .= " AND cm.fk_categorie IS NULL";
 }
 if ($search_categ > 0) {
- $sql .= " AND cm.fk_categorie = ".$db->escape($search_categ);
+ $sql .= " AND cm.fk_categorie = ".((int) $search_categ);
 }
 if ($search_categ == -2) {
 $sql .= " AND cm.fk_categorie IS NULL";
@@ -379,7 +379,7 @@ if ($search_phone_mobile) {
 $sql .= natural_search("d.phone_mobile", $search_phone_mobile);
 }
 if ($search_country) {
- $sql .= " AND d.country IN (".$search_country.')';
+ $sql .= " AND d.country IN (".$db->sanitize($search_country).')';
 }
 // Add where from extra fields
diff --git a/htdocs/adherents/subscription.php b/htdocs/adherents/subscription.php
index 8e1b9093e77..ecc0e1cfe47 100644
--- a/htdocs/adherents/subscription.php
+++ b/htdocs/adherents/subscription.php
@@ -44,6 +44,7 @@ $action = GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');
 $rowid = GETPOST('rowid', 'int') ?GETPOST('rowid', 'int') : GETPOST('id', 'int');
 $typeid = GETPOST('typeid', 'int');
+$cancel = GETPOST('cancel');
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
@@ -148,19 +149,18 @@ if (empty($reshook) && $action == 'confirm_create_thirdparty' && $confirm == 'ye
 if (empty($reshook) && $action == 'setuserid' && ($user->rights->user->self->creer || $user->rights->user->user->creer)) {
 $error = 0;
 if (empty($user->rights->user->user->creer)) { // If can edit only itself user, we can link to itself only
- if ($_POST["userid"] != $user->id && $_POST["userid"] != $object->user_id) {
+ if (GETPOST("userid", 'int') != $user->id && GETPOST("userid", 'int') != $object->user_id) {
 $error++;
 setEventMessages($langs->trans("ErrorUserPermissionAllowsToLinksToItselfOnly"), null, 'errors');
 }
 }
 if (!$error) {
- if ($_POST["userid"] != $object->user_id) { // If link differs from currently in database
- $result = $object->setUserId($_POST["userid"]);
+ if (GETPOST("userid", 'int') != $object->user_id) { // If link differs from currently in database
+ $result = $object->setUserId(GETPOST("userid", 'int'));
 if ($result < 0) {
 dol_print_error('', $object->error);
 }
- $_POST['action'] = '';
 $action = '';
 }
 }
@@ -190,14 +190,13 @@ if (empty($reshook) && $action == 'setsocid') {
 if ($result < 0) {
 dol_print_error('', $object->error);
 }
- $_POST['action'] = '';
 $action = '';
 }
 }
 }
 }
-if ($user->rights->adherent->cotisation->creer && $action == 'subscription' && !$_POST["cancel"]) {
+if ($user->rights->adherent->cotisation->creer && $action == 'subscription' && !$cancel) {
 $error = 0;
 $langs->load("banks");
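Review bot: The `@@ -190` hunk's header line `if (empty($reshook) && $action == 'setsocid') {` carries no `$user->rights` test, while the `setuserid` branch just above requires `user->self->creer || user->user->creer` before it links anything. If the permission is not checked inside that block (which lies outside the hunk), any user who can open the page can bind a member to an arbitrary third party; the guard belongs on that line, e.g. `if (empty($reshook) && $action == 'setsocid' && $user->rights->adherent->creer) {`. The enclosing block starts before the hunk.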
@@ -209,25 +208,25 @@ if ($user->rights->adherent->cotisation->creer && $action == 'subscription' && !
 $datesubscription = 0;
 $datesubend = 0;
 $paymentdate = 0;
- if ($_POST["reyear"] && $_POST["remonth"] && $_POST["reday"]) {
- $datesubscription = dol_mktime(0, 0, 0, $_POST["remonth"], $_POST["reday"], $_POST["reyear"]);
+ if (GETPOST("reyear", "int") && GETPOST("remonth", "int") && GETPOST("reday", "int")) {
+ $datesubscription = dol_mktime(0, 0, 0, GETPOST("remonth", "int"), GETPOST("reday", "int"), GETPOST("reyear", "int"));
 }
- if ($_POST["endyear"] && $_POST["endmonth"] && $_POST["endday"]) {
- $datesubend = dol_mktime(0, 0, 0, $_POST["endmonth"], $_POST["endday"], $_POST["endyear"]);
+ if (GETPOST("endyear", 'int') && GETPOST("endmonth", 'int') && GETPOST("endday", 'int')) {
+ $datesubend = dol_mktime(0, 0, 0, GETPOST("endmonth", 'int'), GETPOST("endday", 'int'), GETPOST("endyear", 'int'));
 }
- if ($_POST["paymentyear"] && $_POST["paymentmonth"] && $_POST["paymentday"]) {
- $paymentdate = dol_mktime(0, 0, 0, $_POST["paymentmonth"], $_POST["paymentday"], $_POST["paymentyear"]);
+ if (GETPOST("paymentyear", 'int') && GETPOST("paymentmonth", 'int') && GETPOST("paymentday", 'int')) {
+ $paymentdate = dol_mktime(0, 0, 0, GETPOST("paymentmonth", 'int'), GETPOST("paymentday", 'int'), GETPOST("paymentyear", 'int'));
 }
 $amount = price2num(GETPOST("subscription", 'alpha')); // Amount of subscription
- $label = $_POST["label"];
+ $label = GETPOST("label");
 // Payment informations
- $accountid = $_POST["accountid"];
- $operation = $_POST["operation"]; // Payment mode
+ $accountid = GETPOST("accountid", 'int');
+ $operation = GETPOST("operation", "alphanohtml"); // Payment mode
 $num_chq = GETPOST("num_chq", "alphanohtml");
- $emetteur_nom = $_POST["chqemetteur"];
- $emetteur_banque = $_POST["chqbank"];
- $option = $_POST["paymentsave"];
+ $emetteur_nom = GETPOST("chqemetteur");
+ $emetteur_banque = GETPOST("chqbank");
+ $option = GETPOST("paymentsave");
 if 
(empty($option)) {
 $option = 'none';
 }
@@ -267,19 +266,19 @@ if ($user->rights->adherent->cotisation->creer && $action == 'subscription' && !
 $error++;
 $action = 'addsubscription';
 } else {
- if (!empty($conf->banque->enabled) && $_POST["paymentsave"] != 'none') {
- if ($_POST["subscription"]) {
- if (!$_POST["label"]) {
+ if (!empty($conf->banque->enabled) && GETPOST("paymentsave") != 'none') {
+ if (GETPOST("subscription")) {
+ if (!GETPOST("label")) {
 $errmsg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("Label"));
 }
- if ($_POST["paymentsave"] != 'invoiceonly' && !$_POST["operation"]) {
+ if (GETPOST("paymentsave") != 'invoiceonly' && !GETPOST("operation")) {
 $errmsg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("PaymentMode"));
 }
- if ($_POST["paymentsave"] != 'invoiceonly' && !($_POST["accountid"] > 0)) {
+ if (GETPOST("paymentsave") != 'invoiceonly' && !(GETPOST("accountid", 'int') > 0)) {
 $errmsg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("FinancialAccount"));
 }
 } else {
- if ($_POST["accountid"]) {
+ if (GETPOST("accountid")) {
 $errmsg = $langs->trans("ErrorDoNotProvideAccountsIfNullAmount");
 }
 }
@@ -453,7 +452,8 @@ if ($optioncss != '') {
 if ($rowid > 0) {
 $res = $object->fetch($rowid);
 if ($res < 0) {
- dol_print_error($db, $object->error); exit;
+ dol_print_error($db, $object->error);
+ exit;
 }
 $adht->fetch($object->typeid);
@@ -847,7 +847,7 @@ if ($rowid > 0) {
 });
 ';
 if (GETPOST('paymentsave')) {
- print '$("#'.GETPOST('paymentsave').'").prop("checked",true);';
+ print '$("#'.GETPOST('paymentsave', 'aZ09').'").prop("checked", true);';
 }
 print '});';
 print ''."\n";
@@ -1038,6 +1038,7 @@ if ($rowid > 0) {
 // Bank account
 print ''.$langs->trans("FinancialAccount").'';
+ print img_picto('', 'bank_account');
 $form->select_comptes(GETPOST('accountid'), 'accountid', 0, '', 2);
 print "\n";
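Review bot: In the `} else {` branch of the `@@ -267` hunk, `if (GETPOST("accountid")) {` reads the account id through the default filter while the line a few rows up compares `GETPOST("accountid", 'int') > 0` and the earlier hunk assigns `$accountid = GETPOST("accountid", 'int')`. Reading one parameter through two filters lets the validation message and the value actually used disagree (a non-numeric value is truthy here but becomes 0 there); use `if (GETPOST("accountid", 'int')) {` so both paths see the same thing. The enclosing block starts before the hunk.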
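Review bot: `$form->select_comptes(GETPOST('accountid'), 'accountid', 0, '', 2);` on the context line under the added picto still reads the preselected account with the default filter, while every other read of `accountid` in this file's hunks uses `'int'`. The value only ever names a bank account rowid, so `GETPOST('accountid', 'int')` keeps the form consistent with the handler and avoids passing an arbitrary string into the select builder. The enclosing block starts before the hunk.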
diff --git a/htdocs/adherents/subscription/list.php b/htdocs/adherents/subscription/list.php
index a69962e84b6..bf18a851efb 100644
--- a/htdocs/adherents/subscription/list.php
+++ b/htdocs/adherents/subscription/list.php
@@ -191,7 +191,7 @@ if ($search_note) {
 $sql .= natural_search('c.note', $search_note);
 }
 if ($search_account > 0) {
- $sql .= " AND b.fk_account = ".urldecode($search_account);
+ $sql .= " AND b.fk_account = ".((int) $search_account);
 }
 if ($search_amount) {
 $sql .= natural_search('c.subscription', $search_amount, 1);
@@ -547,8 +547,8 @@ while ($i < min($num, $limit)) {
 // Label
 if (!empty($arrayfields['t.libelle']['checked'])) {
- print '';
- print dol_trunc($obj->note, 128);
+ print '';
+ print $obj->note;
 print '';
 if (!$i) {
 $totalarray['nbfield']++;
@@ -586,7 +586,7 @@ while ($i < min($num, $limit)) {
 }
 // Price
 if (!empty($arrayfields['d.amount']['checked'])) {
- print ''.price($obj->subscription).'';
+ print ''.price($obj->subscription).'';
 if (!$i) {
 $totalarray['nbfield']++;
 }
diff --git a/htdocs/admin/boxes.php b/htdocs/admin/boxes.php
index b28c81a25b1..5b89eefc4f7 100644
--- a/htdocs/admin/boxes.php
+++ b/htdocs/admin/boxes.php
@@ -49,8 +49,8 @@ $boxes = array();
 */
 if ($action == 'addconst') {
- dolibarr_set_const($db, "MAIN_BOXES_MAXLINES", $_POST["MAIN_BOXES_MAXLINES"], '', 0, '', $conf->entity);
- dolibarr_set_const($db, "MAIN_ACTIVATE_FILECACHE", $_POST["MAIN_ACTIVATE_FILECACHE"], 'chaine', 0, '', $conf->entity);
+ dolibarr_set_const($db, "MAIN_BOXES_MAXLINES", GETPOST("MAIN_BOXES_MAXLINES", 'int'), '', 0, '', $conf->entity);
+ dolibarr_set_const($db, "MAIN_ACTIVATE_FILECACHE", GETPOST("MAIN_ACTIVATE_FILECACHE", 'alpha'), 'chaine', 0, '', $conf->entity);
 }
 if ($action == 'add') {
diff --git a/htdocs/admin/company.php b/htdocs/admin/company.php
index d78ba486224..f0bb3ea9067 100644
--- a/htdocs/admin/company.php
+++ b/htdocs/admin/company.php
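Review bot: `print $obj->note;` in the `@@ -547` hunk drops the 128-character truncation and writes the stored subscription label into the page with no HTML escaping at all (the cell markup around it has been stripped from this listing, so I cannot see whether a title attribute now carries it too). The label is user-entered (`$label = GETPOST("label")` in subscription.php in this same commit) and may also arrive through the API or pre-existing rows, so it should be escaped at output: `print dol_escape_htmltag($obj->note);`. The enclosing `while` loop starts and ends outside the hunk.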
@@ -211,7 +211,7 @@ if (($action == 'update' && !GETPOST("cancel", 'alpha')) dolibarr_set_const($db, "FACTURE_LOCAL_TAX1_OPTION", $uselocaltax1, 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "FACTURE_LOCAL_TAX2_OPTION", $uselocaltax2, 'chaine', 0, '', $conf->entity); - if ($_POST["optionlocaltax1"] == "localtax1on") { + if (GETPOST("optionlocaltax1") == "localtax1on") { if (!GETPOSTISSET('lt1')) { dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX1", 0, 'chaine', 0, '', $conf->entity); } else { @@ -219,7 +219,7 @@ if (($action == 'update' && !GETPOST("cancel", 'alpha')) } dolibarr_set_const($db, "MAIN_INFO_LOCALTAX_CALC1", GETPOST("clt1", 'aZ09'), 'chaine', 0, '', $conf->entity); } - if ($_POST["optionlocaltax2"] == "localtax2on") { + if (GETPOST("optionlocaltax2") == "localtax2on") { if (!GETPOSTISSET('lt2')) { dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX2", 0, 'chaine', 0, '', $conf->entity); } else { diff --git a/htdocs/admin/const.php b/htdocs/admin/const.php index 177a38e382b..93550ea3254 100644 --- a/htdocs/admin/const.php +++ b/htdocs/admin/const.php @@ -237,7 +237,7 @@ $sql .= ", note"; $sql .= ", tms"; $sql .= ", entity"; $sql .= " FROM ".MAIN_DB_PREFIX."const"; -$sql .= " WHERE entity IN (".$user->entity.",".$conf->entity.")"; +$sql .= " WHERE entity IN (".$db->sanitize($user->entity.",".$conf->entity).")"; if ((empty($user->entity) || $user->admin) && $debug) { } elseif (!GETPOST('visible') || GETPOST('visible') != 'all') { // to force for superadmin to debug diff --git a/htdocs/admin/delais.php b/htdocs/admin/delais.php index 6c0cd230cc9..4fe21a8460b 100644 --- a/htdocs/admin/delais.php +++ b/htdocs/admin/delais.php 
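Review bot: The const.php hunk protects the IN list with `$db->sanitize()` applied to a composed string, but both values are numeric entity ids, and the perms.php hunk further down this page already uses the tighter `((int) $entity)` form for the same kind of value. Use `$sql .= " WHERE entity IN (".((int) $user->entity).",".((int) $conf->entity).")";` so the list can only ever contain two integers; the identical lines in the constall.php and dolibarr.php hunks later on the page should get the same treatment.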
@@ -181,7 +181,7 @@ if ($action == 'update') { } } - dolibarr_set_const($db, "MAIN_DISABLE_METEO", $_POST["MAIN_DISABLE_METEO"], 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_DISABLE_METEO", GETPOST("MAIN_DISABLE_METEO"), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_USE_METEO_WITH_PERCENTAGE", GETPOST("MAIN_USE_METEO_WITH_PERCENTAGE"), 'chaine', 0, '', $conf->entity); // For update value with percentage diff --git a/htdocs/admin/dict.php b/htdocs/admin/dict.php index 2d1247ec226..9d05ad00377 100644 --- a/htdocs/admin/dict.php +++ b/htdocs/admin/dict.php @@ -44,7 +44,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/accounting.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/html.formaccounting.class.php'; // Load translation files required by the page -$langs->loadLangs(array("errors", "admin", "main", "companies", "resource", "holiday", "accountancy", "hrm", "orders", "contracts", "projects", "propal", "bills", "interventions")); +$langs->loadLangs(array("errors", "admin", "main", "companies", "resource", "holiday", "accountancy", "hrm", "orders", "contracts", "projects", "propal", "bills", "interventions", "ticket")); $action = GETPOST('action', 'alpha') ?GETPOST('action', 'alpha') : 'view'; $confirm = GETPOST('confirm', 'alpha'); @@ -788,7 +788,7 @@ if (GETPOST('actionadd') || GETPOST('actionmodify')) { $msg .= $langs->transnoentities('ErrorFieldFormat', $langs->transnoentities('Code')).'
'; }*/ } - if (GETPOSTISSET("country") && ($_POST["country"] == '0') && ($id != 2)) { + if (GETPOSTISSET("country") && (GETPOST("country") == '0') && ($id != 2)) { if (in_array($tablib[$id], array('DictionaryCompanyType', 'DictionaryHolidayTypes'))) { // Field country is no mandatory for such dictionaries $_POST["country"] = ''; } else { @@ -796,25 +796,25 @@ if (GETPOST('actionadd') || GETPOST('actionmodify')) { setEventMessages($langs->transnoentities("ErrorFieldRequired", $langs->transnoentities("Country")), null, 'errors'); } } - if (($id == 3 || $id == 42) && !is_numeric($_POST["code"])) { + if (($id == 3 || $id == 42) && !is_numeric(GETPOST("code"))) { $ok = 0; setEventMessages($langs->transnoentities("ErrorFieldMustBeANumeric", $langs->transnoentities("Code")), null, 'errors'); } // Clean some parameters - if ((!empty($_POST["localtax1_type"]) || ($_POST['localtax1_type'] == '0')) && empty($_POST["localtax1"])) { + if ((GETPOST("localtax1_type") || (GETPOST('localtax1_type') == '0')) && !GETPOST("localtax1")) { $_POST["localtax1"] = '0'; // If empty, we force to 0 } - if ((!empty($_POST["localtax2_type"]) || ($_POST['localtax2_type'] == '0')) && empty($_POST["localtax2"])) { + if ((GETPOST("localtax2_type") || (GETPOST('localtax2_type') == '0')) && !GETPOST("localtax2")) { $_POST["localtax2"] = '0'; // If empty, we force to 0 } - if ($_POST["accountancy_code"] <= 0) { + if (GETPOST("accountancy_code") <= 0) { $_POST["accountancy_code"] = ''; // If empty, we force to null } - if ($_POST["accountancy_code_sell"] <= 0) { + if (GETPOST("accountancy_code_sell") <= 0) { $_POST["accountancy_code_sell"] = ''; // If empty, we force to null } - if ($_POST["accountancy_code_buy"] <= 0) { + if (GETPOST("accountancy_code_buy") <= 0) { $_POST["accountancy_code_buy"] = ''; // If empty, we force to null } if ($id == 10 && GETPOSTISSET("code")) { // Spaces are not allowed into code for tax dictionary 
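Review bot: The @@ -796 hunk switches every read to GETPOST() but keeps writing the normalised values back into `$_POST["localtax1"]`, `$_POST["accountancy_code"]` and friends, so the block now depends on GETPOST() reading `$_POST` for the later insert/update code to see the change. Either move those values into locals that the later code uses, or make the coupling explicit with a comment such as `// Values are written back into $_POST because the insert/update code below reads them through GETPOST()`. The enclosing `if (GETPOST('actionadd') || GETPOST('actionmodify'))` block starts and ends outside the hunk.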
@@ -1139,6 +1139,7 @@ if ($action == 'delete') { } //var_dump($elementList); + /* * Show a dictionary */ @@ -1397,6 +1398,9 @@ if ($id) { if ($fieldlist[$field] == 'unit_type') { $valuetoshow = $langs->trans('TypeOfUnit'); } + if ($fieldlist[$field] == 'public' && $tablib[$id] == 'TicketDictCategory') { + $valuetoshow = $langs->trans('TicketGroupIsPublic'); $class = 'center'; + } if ($id == 2) { // Special case for state page if ($fieldlist[$field] == 'region_id') { @@ -1738,6 +1742,9 @@ if ($id) { if ($fieldlist[$field] == 'unit_type') { $valuetoshow = $langs->trans('TypeOfUnit'); } + if ($fieldlist[$field] == 'public' && $tablib[$id] == 'TicketDictCategory') { + $valuetoshow = $langs->trans('TicketGroupIsPublic'); $cssprefix = 'center '; + } if ($fieldlist[$field] == 'region_id' || $fieldlist[$field] == 'country_id') { $showfield = 0; @@ -1984,6 +1991,9 @@ if ($id) { if ($fieldlist[$field] == 'use_default') { $class .= ' center'; } + if ($fieldlist[$field] == 'public') { + $class .= ' center'; + } // Show value for field if ($showfield) { print ''.$valuetoshow.''; @@ -2343,10 +2353,10 @@ function fieldList($fieldlist, $obj = '', $tabname = '', $context = '') if ($fieldlist[$field] == 'code') { $class = 'maxwidth100'; } - if (in_array($fieldlist[$field], array('dayrule', 'day', 'month', 'year', 'pos', 'use_default', 'affect', 'delay', 'position', 'sortorder', 'sens', 'category_type'))) { + if (in_array($fieldlist[$field], array('dayrule', 'day', 'month', 'year', 'pos', 'use_default', 'affect', 'delay', 'position', 'public', 'sortorder', 'sens', 'category_type'))) { $class = 'maxwidth50 center'; } - if (in_array($fieldlist[$field], array('use_default'))) { + if (in_array($fieldlist[$field], array('use_default', 'public'))) { $classtd = 'center'; } if (in_array($fieldlist[$field], array('libelle', 'label', 'tracking'))) { diff --git a/htdocs/admin/dolistore/ajax/index.html b/htdocs/admin/dolistore/ajax/index.html new file mode 100644 index 00000000000..8b137891791 
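Review bot: The two `TicketDictCategory` branches in the @@ -1397 and @@ -1738 hunks put two statements on one line (`$valuetoshow = $langs->trans('TicketGroupIsPublic'); $class = 'center';`), which is exactly the pattern the @@ -453 hunk on this page splits apart; put `$class = 'center';` on its own line. Note also that the first branch replaces `$class` while the @@ -1984 hunk appends with `$class .= ' center';` — if a previous class value is expected to survive in the header row, the first branch should append too. The enclosing loops start and end outside these hunks.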
--- /dev/null +++ b/htdocs/admin/dolistore/ajax/index.html @@ -0,0 +1 @@ + diff --git a/htdocs/admin/eventorganization.php b/htdocs/admin/eventorganization.php index 8625f182f47..23fc463f3b5 100644 --- a/htdocs/admin/eventorganization.php +++ b/htdocs/admin/eventorganization.php @@ -201,7 +201,7 @@ if ($action == 'edit') { print ''; print ''; - print ''; + print ''; foreach ($arrayofparameters as $constname => $val) { if ($val['enabled']==1) { @@ -266,7 +266,7 @@ if ($action == 'edit') { } else { if (!empty($arrayofparameters)) { print '
'.$langs->trans("Parameter").''.$langs->trans("Value").'
'.$langs->trans("Parameter").''.$langs->trans("Value").'
'; - print ''; + print ''; foreach ($arrayofparameters as $constname => $val) { if ($val['enabled']==1) { diff --git a/htdocs/admin/external_rss.php b/htdocs/admin/external_rss.php index bbb0f212707..0ef302765e8 100644 --- a/htdocs/admin/external_rss.php +++ b/htdocs/admin/external_rss.php @@ -41,7 +41,6 @@ if (!$user->admin) { accessforbidden(); } -$def = array(); $lastexternalrss = 0; $action = GETPOST('action', 'aZ09'); @@ -56,6 +55,7 @@ $sql .= " WHERE ".$db->decrypt('name')." LIKE 'EXTERNAL_RSS_URLRSS_%'"; //print $sql; $result = $db->query($sql); // We can't use SELECT MAX() because EXTERNAL_RSS_URLRSS_10 is lower than EXTERNAL_RSS_URLRSS_9 if ($result) { + $reg = array(); while ($obj = $db->fetch_object($result)) { preg_match('/([0-9]+)$/i', $obj->name, $reg); if ($reg[1] && $reg[1] > $lastexternalrss) { @@ -70,17 +70,17 @@ if ($action == 'add' || GETPOST("modify")) { $external_rss_title = "external_rss_title_".GETPOST("norss", 'int'); $external_rss_urlrss = "external_rss_urlrss_".GETPOST("norss", 'int'); - if (!empty($_POST[$external_rss_urlrss])) { + if (GETPOST($external_rss_urlrss, 'alpha')) { $boxlabel = '(ExternalRSSInformations)'; - //$external_rss_url = "external_rss_url_" . $_POST["norss"]; + //$external_rss_url = "external_rss_url_" . GETPOST("norss"); $db->begin(); - if ($_POST["modify"]) { + if (GETPOST("modify")) { // Supprime boite box_external_rss de definition des boites /* $sql = "UPDATE ".MAIN_DB_PREFIX."boxes_def"; $sql.= " SET name = '".$db->escape($boxlabel)."'"; - $sql.= " WHERE file ='box_external_rss.php' AND note like '".$db->escape($_POST["norss"])." %'"; + $sql.= " WHERE file ='box_external_rss.php' AND note like '".$db->escape(GETPOST("norss"))." %'"; $resql=$db->query($sql); if (! $resql) 
@@ -95,13 +95,17 @@ if ($action == 'add' || GETPOST("modify")) { $sql .= " VALUES ('box_external_rss.php','".$db->escape(GETPOST("norss", 'int').' ('.GETPOST($external_rss_title, 'alpha')).")')"; if (!$db->query($sql)) { dol_print_error($db); - $err++; + $error++; } + //print $sql;exit; } $result1 = dolibarr_set_const($db, "EXTERNAL_RSS_TITLE_".GETPOST("norss", 'int'), GETPOST($external_rss_title, 'alpha'), 'chaine', 0, '', $conf->entity); if ($result1) { - $result2 = dolibarr_set_const($db, "EXTERNAL_RSS_URLRSS_".GETPOST("norss", 'int'), GETPOST($external_rss_urlrss, 'alpha'), 'chaine', 0, '', $conf->entity); + $consttosave = "EXTERNAL_RSS_URLRSS_".GETPOST("norss", 'int'); + $urltosave = GETPOST($external_rss_urlrss, 'alpha'); + $result2 = dolibarr_set_const($db, $consttosave, $urltosave, 'chaine', 0, '', $conf->entity); + //var_dump($result2);exit; } if ($result1 && $result2) { @@ -115,7 +119,7 @@ if ($action == 'add' || GETPOST("modify")) { } } -if ($_POST["delete"]) { +if (GETPOST("delete")) { if (GETPOST("norss", 'int')) { $db->begin(); @@ -258,14 +262,14 @@ if ($resql) { print ''; - print ""; - print ""; + print '"; + print ''; print ''."\n"; print ''; print ""; - print ""; + print ''; print ''."\n"; @@ -307,7 +311,7 @@ if ($resql) { // Active $active = _isInBoxList($idrss, $boxlist) ? 'yes' : 'no'; print ''; - print ''; + print ''; print ''; print ''."\n"; diff --git a/htdocs/admin/ihm.php b/htdocs/admin/ihm.php index 81263cba82e..8b799c9c7de 100644 --- a/htdocs/admin/ihm.php +++ b/htdocs/admin/ihm.php 
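Review bot: The @@ -95 hunk adds two commented-out debug lines, `//print $sql;exit;` and `//var_dump($result2);exit;`, which should be dropped before merge. The `$err++` to `$error++` rename is the right fix, but I cannot see from this view whether `$error` is initialised at the top of external_rss.php; if it is not, add `$error = 0;` near the other variable initialisations as the mailman.php hunk on this page does. The enclosing `if ($action == 'add' || GETPOST("modify"))` block starts and ends outside the hunk.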
@@ -96,7 +96,7 @@ if ($action == 'removebackgroundlogin' && !empty($conf->global->MAIN_LOGIN_BACKG if ($action == 'update') { dolibarr_set_const($db, "MAIN_LANG_DEFAULT", GETPOST("MAIN_LANG_DEFAULT", 'aZ09'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_IHM_PARAMS_REV", (int) $conf->global->MAIN_IHM_PARAMS_REV + 1, 'chaine', 0, '', $conf->entity); - //dolibarr_set_const($db, "MAIN_MULTILANGS", $_POST["MAIN_MULTILANGS"], 'chaine', 0, '', $conf->entity); + //dolibarr_set_const($db, "MAIN_MULTILANGS", GETPOST("MAIN_MULTILANGS"), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_THEME", GETPOST("main_theme", 'aZ09'), 'chaine', 0, '', $conf->entity); diff --git a/htdocs/admin/mailman.php b/htdocs/admin/mailman.php index b3644036cff..15dcccdb000 100644 --- a/htdocs/admin/mailman.php +++ b/htdocs/admin/mailman.php @@ -46,21 +46,27 @@ $action = GETPOST('action', 'aZ09'); $testsubscribeemail = GETPOST("testsubscribeemail"); $testunsubscribeemail = GETPOST("testunsubscribeemail"); +$error = 0; + + /* * Actions */ // Action updated or added a constant if ($action == 'update' || $action == 'add') { - foreach ($_POST['constname'] as $key => $val) { - $constname = $_POST["constname"][$key]; - $constvalue = $_POST["constvalue"][$key]; - $consttype = $_POST["consttype"][$key]; - $constnote = $_POST["constnote"][$key]; - $res = dolibarr_set_const($db, $constname, $constvalue, $type[$consttype], 0, $constnote, $conf->entity); + $tmparray = GETPOST('constname', 'array'); + if (is_array($tmparray)) { + foreach ($tmparray as $key => $val) { + $constname = $tmparray[$key]; + $constvalue = $tmparray[$key]; + $consttype = $tmparray[$key]; + $constnote = $tmparray[$key]; + $res = dolibarr_set_const($db, $constname, $constvalue, $type[$consttype], 0, $constnote, $conf->entity); - if (!($res > 0)) { - $error++; + if (!($res > 0)) { + $error++; + } } } 
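Review bot: The mailman.php hunk reads all four values from the same `constname` array — `$constvalue`, `$consttype` and `$constnote` are each set to `$tmparray[$key]` — whereas the removed lines read `$_POST["constvalue"][$key]`, `$_POST["consttype"][$key]` and `$_POST["constnote"][$key]`; as written, every constant is saved with its own name as its value and `$type[$consttype]` is indexed by that name. Fetch the three sibling arrays with the same `GETPOST(..., 'array')` call and index them by `$key`, falling back to an empty string when a key is missing. The enclosing `if ($action == 'update' || $action == 'add')` block ends outside the hunk.
```php
$tmparray = GETPOST('constname', 'array');
if (is_array($tmparray)) {
    $constvalues = GETPOST('constvalue', 'array');
    $consttypes = GETPOST('consttype', 'array');
    $constnotes = GETPOST('constnote', 'array');
    foreach ($tmparray as $key => $constname) {
        // Each parallel array is posted by the same form row; guard against a missing index
        $constvalue = isset($constvalues[$key]) ? $constvalues[$key] : '';
        $consttype = isset($consttypes[$key]) ? $consttypes[$key] : '';
        $constnote = isset($constnotes[$key]) ? $constnotes[$key] : '';
        $res = dolibarr_set_const($db, $constname, $constvalue, $type[$consttype], 0, $constnote, $conf->entity);
        // … unchanged: error counting …
    }
}
```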
diff --git a/htdocs/admin/mails_emailing.php b/htdocs/admin/mails_emailing.php index cb5df373645..511f5dde698 100644 --- a/htdocs/admin/mails_emailing.php +++ b/htdocs/admin/mails_emailing.php @@ -31,6 +31,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; $langs->loadLangs(array('companies', 'products', 'admin', 'mails', 'other', 'errors')); $action = GETPOST('action', 'aZ09'); +$cancel = GETPOST('cancel', 'alpha'); if (!$user->admin) { accessforbidden(); @@ -59,7 +60,7 @@ complete_substitutions_array($substitutionarrayfortest, $langs); * Actions */ -if ($action == 'update' && empty($_POST["cancel"])) { +if ($action == 'update' && !$cancel) { // Send mode parameters dolibarr_set_const($db, "MAIN_MAIL_SENDMODE_EMAILING", GETPOST("MAIN_MAIL_SENDMODE_EMAILING"), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_MAIL_SMTP_PORT_EMAILING", GETPOST("MAIN_MAIL_SMTP_PORT_EMAILING"), 'chaine', 0, '', $conf->entity); diff --git a/htdocs/admin/mails_ticket.php b/htdocs/admin/mails_ticket.php index 14960db11d7..939273c1da2 100644 --- a/htdocs/admin/mails_ticket.php +++ b/htdocs/admin/mails_ticket.php @@ -31,6 +31,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; $langs->loadLangs(array('companies', 'products', 'admin', 'mails', 'other', 'errors')); $action = GETPOST('action', 'aZ09'); +$cancel = GETPOST('cancel', 'alpha'); $usersignature = $user->signature; // For action = test or send, we ensure that content is not html, even for signature, because this we want a test with NO html. @@ -59,7 +60,7 @@ if (!$user->admin) { * Actions */ -if ($action == 'update' && empty($_POST["cancel"])) { +if ($action == 'update' && !$cancel) { // Send mode parameters dolibarr_set_const($db, "MAIN_MAIL_SENDMODE_TICKET", GETPOST("MAIN_MAIL_SENDMODE_TICKET"), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_MAIL_SMTP_PORT_TICKET", GETPOST("MAIN_MAIL_SMTP_PORT_TICKET"), 'chaine', 0, '', $conf->entity); 
diff --git a/htdocs/admin/menus/edit.php b/htdocs/admin/menus/edit.php index 8945daa23f8..2e84efbfb06 100644 --- a/htdocs/admin/menus/edit.php +++ b/htdocs/admin/menus/edit.php @@ -333,8 +333,8 @@ if ($action == 'create') { } else { print ''; } print ''; diff --git a/htdocs/admin/multicurrency.php b/htdocs/admin/multicurrency.php index be4de854099..3a479480812 100644 --- a/htdocs/admin/multicurrency.php +++ b/htdocs/admin/multicurrency.php @@ -33,7 +33,7 @@ require_once DOL_DOCUMENT_ROOT.'/multicurrency/class/multicurrency.class.php'; $langs->loadLangs(array('admin', 'multicurrency')); // Access control -if (!$user->admin) { +if (!$user->admin || empty($conf->multicurrency->enabled)) { accessforbidden(); } @@ -45,7 +45,7 @@ $action = GETPOST('action', 'aZ09'); * Actions */ - +$reg = array(); if (preg_match('/set_([a-z0-9_\-]+)/i', $action, $reg)) { $code = $reg[1]; $value = GETPOST($code, 'alpha'); diff --git a/htdocs/admin/perms.php b/htdocs/admin/perms.php index e60f2118f2c..31304c85819 100644 --- a/htdocs/admin/perms.php +++ b/htdocs/admin/perms.php @@ -132,7 +132,7 @@ print ''."\n"; $sql = "SELECT r.id, r.libelle as label, r.module, r.module_position, r.perms, r.subperms, r.bydefault"; $sql .= " FROM ".MAIN_DB_PREFIX."rights_def as r"; $sql .= " WHERE r.libelle NOT LIKE 'tou%'"; // On ignore droits "tous" -$sql .= " AND r.entity = ".$entity; +$sql .= " AND r.entity = ".((int) $entity); if (empty($conf->global->MAIN_USE_ADVANCED_PERMS)) { $sql .= " AND r.perms NOT LIKE '%_advance'"; // Hide advanced perms if option is not enabled } diff --git a/htdocs/admin/sms.php b/htdocs/admin/sms.php index d2cf26a0c9a..9ddbc3361c8 100644 --- a/htdocs/admin/sms.php +++ b/htdocs/admin/sms.php @@ -66,7 +66,7 @@ if ($action == 'send' && !$_POST['cancel']) { $error = 0; $smsfrom = ''; - if (!empty($_POST["fromsms"])) { + if (GETPOST("fromsms", 'alphanohtml')) { $smsfrom = GETPOST("fromsms", 'alphanohtml'); } if (empty($smsfrom)) { 
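Review bot: In the sms.php hunk the guard is now redundant: `GETPOST("fromsms", 'alphanohtml')` is evaluated twice and an empty result would leave `$smsfrom` as `''` anyway, so the three lines collapse to `$smsfrom = GETPOST("fromsms", 'alphanohtml');`. The context line of the same hunk, `if ($action == 'send' && !$_POST['cancel'])`, still indexes `$_POST` directly and raises a notice when the key is absent, which this sweep was meant to remove; `if ($action == 'send' && !GETPOST('cancel', 'alpha'))` matches the mails_emailing.php and mails_ticket.php hunks on this page. That `if` block ends outside the hunk.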
diff --git a/htdocs/admin/system/constall.php b/htdocs/admin/system/constall.php index 14756541d55..96cb98809ef 100644 --- a/htdocs/admin/system/constall.php +++ b/htdocs/admin/system/constall.php @@ -223,7 +223,7 @@ if (empty($conf->multicompany->enabled)) { } else { // If multicompany mode, superadmin (user->entity=0) can see everything, admin are limited to their entities. if ($user->entity) { - $sql .= " WHERE entity IN (".$user->entity.",".$conf->entity.")"; + $sql .= " WHERE entity IN (".$db->sanitize($user->entity.",".$conf->entity).")"; } } $sql .= " ORDER BY entity, name ASC"; diff --git a/htdocs/admin/system/dolibarr.php b/htdocs/admin/system/dolibarr.php index cfdc196d79d..b4131a4bdde 100644 --- a/htdocs/admin/system/dolibarr.php +++ b/htdocs/admin/system/dolibarr.php @@ -484,7 +484,7 @@ if (empty($conf->multicompany->enabled)) { } else { // If multicompany mode, superadmin (user->entity=0) can see everything, admin are limited to their entities. if ($user->entity) { - $sql .= " WHERE entity IN (".$user->entity.",".$conf->entity.")"; + $sql .= " WHERE entity IN (".$db->sanitize($user->entity.",".$conf->entity).")"; } } $sql .= " ORDER BY entity, name ASC"; diff --git a/htdocs/admin/ticket_public.php b/htdocs/admin/ticket_public.php index 7d97b4f7dbe..98ce554c363 100644 --- a/htdocs/admin/ticket_public.php +++ b/htdocs/admin/ticket_public.php 
@@ -59,6 +59,38 @@ if ($action == 'setTICKET_ENABLE_PUBLIC_INTERFACE') { if ($action == 'setvar') { include_once DOL_DOCUMENT_ROOT."/core/lib/files.lib.php"; + if (GETPOSTISSET('TICKET_ENABLE_PUBLIC_INTERFACE')) { // only for no js case + $param_enable_public_interface = GETPOST('TICKET_ENABLE_PUBLIC_INTERFACE', 'alpha'); + $res = dolibarr_set_const($db, 'TICKET_ENABLE_PUBLIC_INTERFACE', $param_enable_public_interface, 'chaine', 0, '', $conf->entity); + if (!($res > 0)) { + $error++; + } + } + + if (GETPOSTISSET('TICKET_EMAIL_MUST_EXISTS')) { // only for no js case + $param_must_exists = GETPOST('TICKET_EMAIL_MUST_EXISTS', 'alpha'); + $res = dolibarr_set_const($db, 'TICKET_EMAIL_MUST_EXISTS', $param_must_exists, 'chaine', 0, '', $conf->entity); + if (!($res > 0)) { + $error++; + } + } + + if (GETPOSTISSET('TICKET_DISABLE_CUSTOMER_MAILS')) { // only for no js case + $param_disable_email = GETPOST('TICKET_DISABLE_CUSTOMER_MAILS', 'alpha'); + $res = dolibarr_set_const($db, 'TICKET_DISABLE_CUSTOMER_MAILS', $param_disable_email, 'chaine', 0, '', $conf->entity); + if (!($res > 0)) { + $error++; + } + } + + if (GETPOSTISSET('TICKET_SHOW_COMPANY_LOGO')) { // only for no js case + $param_show_module_logo = GETPOST('TICKET_SHOW_COMPANY_LOGO', 'alpha'); + $res = dolibarr_set_const($db, 'TICKET_SHOW_COMPANY_LOGO', $param_show_module_logo, 'chaine', 0, '', $conf->entity); + if (!($res > 0)) { + $error++; + } + } + $topic_interface = GETPOST('TICKET_PUBLIC_INTERFACE_TOPIC', 'nohtml'); if (!empty($topic_interface)) { $res = dolibarr_set_const($db, 'TICKET_PUBLIC_INTERFACE_TOPIC', $topic_interface, 'chaine', 0, '', $conf->entity); 
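Review bot: The four new blocks in ticket_public.php are the same eight lines repeated with only the constant name changed, which invites the copy-paste drift seen elsewhere in this commit; a loop over the constant names keeps one copy of the GETPOSTISSET/GETPOST/dolibarr_set_const/`$error++` sequence. I also cannot see from this view whether `$error` is initialised before the `if ($action == 'setvar')` block; if not, add `$error = 0;` with the other page variables. The enclosing `if ($action == 'setvar')` block ends outside the hunk.
```php
if ($action == 'setvar') {
    include_once DOL_DOCUMENT_ROOT."/core/lib/files.lib.php";

    // These selects are only posted by the no-js form, so each one is saved only when present
    $arrayofconstants = array('TICKET_ENABLE_PUBLIC_INTERFACE', 'TICKET_EMAIL_MUST_EXISTS', 'TICKET_DISABLE_CUSTOMER_MAILS', 'TICKET_SHOW_COMPANY_LOGO');
    foreach ($arrayofconstants as $constname) {
        if (GETPOSTISSET($constname)) { // only for no js case
            $res = dolibarr_set_const($db, $constname, GETPOST($constname, 'alpha'), 'chaine', 0, '', $conf->entity);
            if (!($res > 0)) {
                $error++;
            }
        }
    }
    // … unchanged: TICKET_PUBLIC_INTERFACE_TOPIC handling …
```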
@@ -114,32 +146,6 @@ if ($action == 'setvar') { if (!($res > 0)) { $error++; } -} - -if ($action == 'setvarother') { - $param_enable_public_interface = GETPOST('TICKET_ENABLE_PUBLIC_INTERFACE', 'alpha'); - $res = dolibarr_set_const($db, 'TICKET_ENABLE_PUBLIC_INTERFACE', $param_enable_public_interface, 'chaine', 0, '', $conf->entity); - if (!($res > 0)) { - $error++; - } - - $param_must_exists = GETPOST('TICKET_EMAIL_MUST_EXISTS', 'alpha'); - $res = dolibarr_set_const($db, 'TICKET_EMAIL_MUST_EXISTS', $param_must_exists, 'chaine', 0, '', $conf->entity); - if (!($res > 0)) { - $error++; - } - - $param_disable_email = GETPOST('TICKET_DISABLE_CUSTOMER_MAILS', 'alpha'); - $res = dolibarr_set_const($db, 'TICKET_DISABLE_CUSTOMER_MAILS', $param_disable_email, 'chaine', 0, '', $conf->entity); - if (!($res > 0)) { - $error++; - } - - $param_show_module_logo = GETPOST('TICKET_SHOW_COMPANY_LOGO', 'alpha'); - $res = dolibarr_set_const($db, 'TICKET_SHOW_COMPANY_LOGO', $param_show_module_logo, 'chaine', 0, '', $conf->entity); - if (!($res > 0)) { - $error++; - } if ($conf->global->MAIN_FEATURES_LEVEL >= 2) { $param_notification_also_main_addressemail = GETPOST('TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS', 'alpha'); @@ -197,18 +203,16 @@ print ''; - print ''; - print ''; - } + print ''; + print ''; + print ''; print '
'; print '
'.$langs->trans("Parameter").''.$langs->trans("Value").'
'.$langs->trans("Parameter").''.$langs->trans("Value").'
".$langs->trans("Title")."global->$keyrsstitle)."\">'.$langs->trans("Title")."
".$langs->trans("URL")."global->$keyrssurl)."\">
'.$langs->trans('WidgetEnabled').''.$langs->trans('WidgetAvailable').''.yn($active).'
'.$langs->trans('DetailType').'
'; print ''; print ''; - print ''; print ''; @@ -222,7 +226,7 @@ if (!empty($conf->global->TICKET_ENABLE_PUBLIC_INTERFACE)) { print $form->selectarray("TICKET_EMAIL_MUST_EXISTS", $arrval, $conf->global->TICKET_EMAIL_MUST_EXISTS); } print ''; - print ''; print ''; @@ -255,7 +259,7 @@ if (!empty($conf->global->TICKET_ENABLE_PUBLIC_INTERFACE)) { print $form->selectarray("TICKET_SHOW_COMPANY_LOGO", $arrval, $conf->global->TICKET_SHOW_COMPANY_LOGO); } print ''; - print ''; print ''; @@ -271,8 +275,8 @@ if (!empty($conf->global->TICKET_ENABLE_PUBLIC_INTERFACE)) { print $form->selectarray("TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS", $arrval, $conf->global->TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS); } print ''; - print ''; print ''; } @@ -282,28 +286,6 @@ if (!empty($conf->global->TICKET_ENABLE_PUBLIC_INTERFACE)) { print ''; } - print '
'.$langs->trans("Parameters").''; print ''; + print ''; print '
'; + print ''; print $form->textwithpicto('', $langs->trans("TicketsEmailMustExistHelp"), 1, 'help'); print '
'; + print ''; print $form->textwithpicto('', $langs->trans("TicketsShowCompanyLogoHelp"), 1, 'help'); print '
'; - print $form->textwithpicto('', $langs->trans("TicketsEmailAlsoSendToMainAddressHelp"), 1, 'help'); + print ''; + print $form->textwithpicto('', $langs->trans("TicketsEmailAlsoSendToMainAddressHelp", $langs->transnoentitiesnoconv("TicketEmailNotificationTo").' ('.$langs->transnoentitiesnoconv("Creation").')', $langs->trans("Settings")), 1, 'help'); print '
'; - print ''; - print '
'; - - if (!$conf->use_javascript_ajax) { - print ''; - } - - // Admin var of module - print load_fiche_titre($langs->trans("TicketParamMail")); - - print '
'; - print ''; - - print ''; - print ''; - print ''; - - print ''; - print ''; - print "\n"; - if (empty($conf->global->FCKEDITOR_ENABLE_MAIL)) { print ''; print ''; @@ -316,7 +298,7 @@ if (!empty($conf->global->TICKET_ENABLE_PUBLIC_INTERFACE)) { print ''; print ''; - print ''; diff --git a/htdocs/api/admin/explorer.php b/htdocs/api/admin/explorer.php deleted file mode 100644 index 53b9233c130..00000000000 --- a/htdocs/api/admin/explorer.php +++ /dev/null @@ -1,216 +0,0 @@ - - * Copyright (C) 2016 Laurent Destailleur - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - * - * @deprecated Old explorer. Not using Swagger. See instead explorer in htdocs/api/index.php. - */ - -/** - * \defgroup api Module DolibarrApi - * \brief API loader - * Search files htdocs//class/api_.class.php - * \file htdocs/api/admin/explorer.php - */ - -use Luracast\Restler\Routes; - -require_once '../../main.inc.php'; -require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php'; -require_once DOL_DOCUMENT_ROOT.'/api/class/api.class.php'; -require_once DOL_DOCUMENT_ROOT.'/api/class/api_access.class.php'; - -// Load translation files required by the page -$langs->load("admin"); - - -/* - * View - */ - -// Enable and test if module Api is enabled -if (empty($conf->global->MAIN_MODULE_API)) { - dol_syslog("Call Dolibarr API interfaces with module REST disabled"); - print $langs->trans("WarningModuleNotActive", 'Api').'.

'; - print $langs->trans("ToActivateModule"); - exit; -} - - -$api = new DolibarrApi($db); - -$api->r->addAPIClass('Luracast\\Restler\\Resources'); //this creates resources.json at API Root -$api->r->setSupportedFormats('JsonFormat', 'XmlFormat'); -$api->r->addAuthenticationClass('DolibarrApiAccess', ''); - -$listofapis = array(); - -$modulesdir = dolGetModulesDirs(); -foreach ($modulesdir as $dir) { - /* - * Search available module - */ - //dol_syslog("Scan directory ".$dir." for API modules"); - - $handle = @opendir(dol_osencode($dir)); - if (is_resource($handle)) { - while (($file = readdir($handle)) !== false) { - if (is_readable($dir.$file) && preg_match("/^(mod.*)\.class\.php$/i", $file, $reg)) { - $modulename = $reg[1]; - - // Defined if module is enabled - $enabled = true; - $module = $part = $obj = strtolower(preg_replace('/^mod/i', '', $modulename)); - //if ($part == 'propale') $part='propal'; - if ($module == 'societe') { - $obj = 'thirdparty'; - } - if ($module == 'categorie') { - $part = 'categories'; - $obj = 'category'; - } - if ($module == 'facture') { - $part = 'compta/facture'; - $obj = 'facture'; - } - if ($module == 'ficheinter') { - $obj = 'fichinter'; - $part = 'fichinter'; - $module = 'fichinter'; - } - - if (empty($conf->$module->enabled)) { - $enabled = false; - } - - if ($enabled) { - /* - * If exists, load the API class for enable module - * - * Search files named api_.class.php into /htdocs//class directory - * - * @todo : take care of externals module! - * @todo : use getElementProperties() function ? 
- */ - $dir_part = DOL_DOCUMENT_ROOT.'/'.$part.'/class/'; - - $handle_part = @opendir(dol_osencode($dir_part)); - if (is_resource($handle_part)) { - while (($file_searched = readdir($handle_part)) !== false) { - if (is_readable($dir_part.$file_searched) && preg_match("/^api_(.*)\.class\.php$/i", $file_searched, $reg)) { - $classname = ucwords($reg[1]); - require_once $dir_part.$file_searched; - if (class_exists($classname)) { - dol_syslog("Found API classname=".$classname." into ".$dir); - $listofapis[] = $classname; - } - } - - /* - if (is_readable($dir_part.$file_searched) && preg_match("/^(api_.*)\.class\.php$/i",$file_searched,$reg)) - { - $classname=$reg[1]; - $classname = str_replace('Api_','',ucwords($reg[1])).'Api'; - //$classname = str_replace('Api_','',ucwords($reg[1])); - $classname = ucfirst($classname); - require_once $dir_part.$file_searched; - - // if (class_exists($classname)) - // { - // dol_syslog("Found API classname=".$classname); - // $api->r->addAPIClass($classname,''); - - // require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/Routes.php'; - // $tmpclass = new ReflectionClass($classname); - // try { - // $classMetadata = CommentParser::parse($tmpclass->getDocComment()); - // } catch (Exception $e) { - // throw new RestException(500, "Error while parsing comments of `$classname` class. " . 
$e->getMessage()); - // } - - // //$listofapis[]=array('classname'=>$classname, 'fullpath'=>$file_searched); - // } - }*/ - } - } - } - } - } - } -} - -//var_dump($listofapis); -$listofapis = Routes::toArray(); // @todo api for "status" is lost here -//var_dump($listofapis); - - -llxHeader(); - -$linkback = ''.$langs->trans("BackToModuleList").''; -print load_fiche_titre($langs->trans("ApiSetup"), $linkback, 'title_setup'); - -// Define $urlwithroot -$urlwithouturlroot = preg_replace('/'.preg_quote(DOL_URL_ROOT, '/').'$/i', '', trim($dolibarr_main_url_root)); -$urlwithroot = $urlwithouturlroot.DOL_URL_ROOT; // This is to use external domain name found into config file -//$urlwithroot=DOL_MAIN_URL_ROOT; // This is to use same domain name than current - -// Show message -print '
'; -$message = ''; -$url = ''.$urlwithroot.'/api/index.php/login?login='.urlencode($user->login).'&password=yourpassword[&reset=1]'; -$message .= $langs->trans("UrlToGetKeyToUseAPIs").':
'; -$message .= img_picto('', 'globe').' '.$url; -print $message; -print '
'; -print '
'; - -$oldclass = ''; - -print $langs->trans("ListOfAvailableAPIs").':
'; -foreach ($listofapis['v1'] as $key => $val) { - if ($key == 'login') { - continue; - } - if ($key == 'index') { - continue; - } - - if ($key) { - foreach ($val as $method => $val2) { - $newclass = $val2['className']; - - if (preg_match('/restler/i', $newclass)) { - continue; - } - - if ($oldclass != $newclass) { - print "\n
\n".$langs->trans("Class").': '.$newclass.'
'."\n"; - $oldclass = $newclass; - } - //print $key.' - '.$val['classname'].' - '.$val['fullpath']." - ".DOL_MAIN_URL_ROOT.'/api/index.php/'.strtolower(preg_replace('/Api$/','',$val['classname']))."/xxx
\n"; - $url = $urlwithroot.'/api/index.php/'.$key; - $url .= '?api_key=token'; - print img_picto('', 'globe').' '.$method.' '.$url."
\n"; - } - } -} - -print '
'; -print '
'; -print $langs->trans("OnlyActiveElementsAreExposed", DOL_URL_ROOT.'/admin/modules.php'); - - -llxFooter(); -$db->close(); diff --git a/htdocs/api/admin/explorer_withredoc.php b/htdocs/api/admin/explorer_withredoc.php new file mode 100644 index 00000000000..45dd31d57c9 --- /dev/null +++ b/htdocs/api/admin/explorer_withredoc.php @@ -0,0 +1,87 @@ + + * Copyright (C) 2016 Laurent Destailleur + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * @deprecated Old explorer. Not using Swagger. See instead explorer in htdocs/api/index.php. + */ + +/** + * \defgroup api Module DolibarrApi + * \brief API explorer using the swagger.json file + * \file htdocs/api/admin/explorer_withredoc.php + */ + +require_once '../../main.inc.php'; + +// Enable and test if module Api is enabled +if (empty($conf->global->MAIN_MODULE_API)) { + $langs->load("admin"); + dol_syslog("Call of Dolibarr API interfaces with module API REST are disabled"); + print $langs->trans("WarningModuleNotActive", 'Api').'.

'; + print $langs->trans("ToActivateModule"); + //session_destroy(); + exit(0); +} + +// Test if explorer is not disabled +if (!empty($conf->global->API_EXPLORER_DISABLED)) { + $langs->load("admin"); + dol_syslog("Call Dolibarr API interfaces with module REST disabled"); + print $langs->trans("WarningAPIExplorerDisabled").'.

'; + //session_destroy(); + exit(0); +} + +// Restrict API to some IPs +if (!empty($conf->global->API_RESTRICT_ON_IP)) { + $allowedip = explode(' ', $conf->global->API_RESTRICT_ON_IP); + $ipremote = getUserRemoteIP(); + if (!in_array($ipremote, $allowedip)) { + dol_syslog('Remote ip is '.$ipremote.', not into list '.$conf->global->API_RESTRICT_ON_IP); + print 'APIs are not allowed from the IP '.$ipremote; + header('HTTP/1.1 503 API not allowed from your IP '.$ipremote); + //session_destroy(); + exit(0); + } +} + +?> + + + + ReDoc + + + + + + + + + + '> + + + + + diff --git a/htdocs/api/admin/index.php b/htdocs/api/admin/index.php index 3743d61b639..05f372a3486 100644 --- a/htdocs/api/admin/index.php +++ b/htdocs/api/admin/index.php @@ -141,7 +141,7 @@ $urlwithroot = $urlwithouturlroot.DOL_URL_ROOT; // This is to use external domai $message = ''; $url = $urlwithroot.'/api/index.php/login?login=auserlogin&password=thepassword[&reset=1]'; $message .= ''.$langs->trans("UrlToGetKeyToUseAPIs").':
'; -$message .= img_picto('', 'globe').' '.$url; +$message .= ''; print $message; print '
'; print '
'; @@ -150,7 +150,11 @@ print '
'; print ''.$langs->trans("ApiExporerIs").':
'; if (dol_is_dir(DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/explorer')) { $url = DOL_MAIN_URL_ROOT.'/api/index.php/explorer'; - print img_picto('', 'globe').' '.$url."
\n"; + print '
\n"; + print '

'.$langs->trans("SwaggerDescriptionFile").':
'; + $urlswagger = DOL_MAIN_URL_ROOT.'/api/index.php/explorer/swagger.json?DOLAPIKEY=youruserapikey'; + print '
\n"; + print '
'; } else { $langs->load("errors"); print info_admin($langs->trans("ErrorNotAvailableWithThisDistribution"), 0, 0, 'error'); diff --git a/htdocs/api/index.php b/htdocs/api/index.php index bb74144a40d..89b5a696462 100644 --- a/htdocs/api/index.php +++ b/htdocs/api/index.php @@ -2,6 +2,7 @@ /* Copyright (C) 2015 Jean-François Ferry * Copyright (C) 2016 Laurent Destailleur * Copyright (C) 2017 Regis Houssin + * Copyright (C) 2021 Alexis LAURIER * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -54,6 +55,12 @@ if (!empty($_SERVER['HTTP_DOLAPIENTITY'])) { define("DOLENTITY", (int) $_SERVER['HTTP_DOLAPIENTITY']); } +// When we request url to get the json file, we accept Cross site so we can include the descriptor into an external tool. +if (preg_match('/\/explorer\/swagger\.json/', $_SERVER["PHP_SELF"])) { + header('Access-Control-Allow-Origin: *'); + header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE'); + header('Access-Control-Allow-Headers: Content-Type, Authorization, api_key, DOLAPIKEY'); +} $res = 0; if (!$res && file_exists("../main.inc.php")) { @@ -88,7 +95,7 @@ if (!empty($conf->global->MAIN_NGINX_FIX)) { // Enable and test if module Api is enabled if (empty($conf->global->MAIN_MODULE_API)) { $langs->load("admin"); - dol_syslog("Call Dolibarr API interfaces with module REST disabled"); + dol_syslog("Call of Dolibarr API interfaces with module API REST are disabled"); print $langs->trans("WarningModuleNotActive", 'Api').'.
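Review bot: The new SwaggerDescriptionFile line publishes an example URL with the key in the query string (`?DOLAPIKEY=youruserapikey`); a key passed this way lands in web-server and proxy access logs and in browser history, which is worth stating next to the link since this page is where admins copy it from. A descriptor loader such as ReDoc cannot add request headers, so the query form may be unavoidable for that use, but the text should still name the DOLAPIKEY request header as the preferred way to authenticate API calls. The surrounding output markup is not visible in this chunk.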
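Review bot: The CORS block keys on `preg_match('/\/explorer\/swagger\.json/', $_SERVER["PHP_SELF"])`, which is unanchored, so any path that merely contains that substring receives `Access-Control-Allow-Origin: *` together with the POST/PUT/DELETE methods and the DOLAPIKEY header allowance; anchoring it, `preg_match('/\/explorer\/swagger\.json$/', $_SERVER["PHP_SELF"])`, limits the wildcard to the descriptor route. Serving the descriptor needs only `Access-Control-Allow-Methods: GET`; listing the mutating methods widens what a browser will preflight-approve for nothing this route does. The wildcard origin cannot be combined with credentials, so the DOLAPIKEY header stays required for the fetch and the allow-headers line is the part that is genuinely needed. The block sits before main.inc.php is included, so it runs even for requests the module-enabled check further down will reject.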

'; print $langs->trans("ToActivateModule"); //session_destroy(); @@ -307,12 +314,28 @@ if (!empty($reg[1]) && ($reg[1] != 'explorer' || ($reg[2] != '/swagger.json' && //var_dump($api->r->apiVersionMap); //exit; +// We do not want that restler output data if we use native compression (default behaviour) but we want to have it returned into a string. +Luracast\Restler\Defaults::$returnResponse = (empty($conf->global->API_DISABLE_COMPRESSION) && !empty($_SERVER['HTTP_ACCEPT_ENCODING'])); + // Call API (we suppose we found it). // The handle will use the file api/temp/routes.php to get data to run the API. If the file exists and the entry for API is not found, it will return 404. +$result = $api->r->handle(); -//Luracast\Restler\Defaults::$returnResponse = true; -//print $api->r->handle(); +if (Luracast\Restler\Defaults::$returnResponse) { + // We try to compress data + if (strpos($_SERVER['HTTP_ACCEPT_ENCODING'], 'br') !== false && is_callable('brotli_compress')) { + header('Content-Encoding: br'); + $result = brotli_compress($result, 11, BROTLI_TEXT); + } elseif (strpos($_SERVER['HTTP_ACCEPT_ENCODING'], 'bz') !== false && is_callable('bzcompress')) { + header('Content-Encoding: bz'); + $result = bzcompress($result, 9); + } elseif (strpos($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip') !== false && is_callable('gzencode')) { + header('Content-Encoding: gzip'); + $result = gzencode($result, 9); + } -$api->r->handle(); + // Restler did not output data yet, we return it now + echo $result; +} //session_destroy(); diff --git a/htdocs/asset/class/asset_type.class.php b/htdocs/asset/class/asset_type.class.php index 6b345aaef68..17943f4dfd4 100644 --- a/htdocs/asset/class/asset_type.class.php +++ b/htdocs/asset/class/asset_type.class.php 
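Review bot: The compression chain sets `Content-Encoding` before calling the compressor, so when brotli_compress, bzcompress or gzencode returns false the client receives the encoding header followed by `echo false`, an empty body; compress first and set the header only on success. `bz` is not a registered HTTP content-coding, so no client advertises it and that branch can only fire on a coincidental substring of Accept-Encoding. No `Vary: Accept-Encoding` is sent, so a shared cache between the API and its clients may hand an encoded body to a client that did not ask for it. The restructured block is below; the `$returnResponse` assignment and the `$api->r->handle()` call above it are unchanged. As a defensive caveat, compressing a response that carries both a secret and request-controlled text is the BREACH precondition, and the login route that returns the token is the one to check against that.
```php
if (Luracast\Restler\Defaults::$returnResponse) {
    $acceptencoding = (string) $_SERVER['HTTP_ACCEPT_ENCODING'];
    $compressed = false;
    $encoding = '';
    // Only codings a client can advertise; compress first, set the header only on success
    if (strpos($acceptencoding, 'br') !== false && is_callable('brotli_compress')) {
        $compressed = brotli_compress($result, 11, BROTLI_TEXT);
        $encoding = 'br';
    } elseif (strpos($acceptencoding, 'gzip') !== false && is_callable('gzencode')) {
        $compressed = gzencode($result, 9);
        $encoding = 'gzip';
    }
    if ($compressed !== false && $encoding !== '') {
        header('Content-Encoding: '.$encoding);
        $result = $compressed;
    }
    // Shared caches must key on the negotiated coding
    header('Vary: Accept-Encoding');

    // Restler did not output data yet, we return it now
    echo $result;
}
```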
@@ -332,7 +332,7 @@ class AssetType extends CommonObject /** * Return array of Asset objects for asset type this->id (or all if this->id not defined) * - * @param string $excludefilter Filter to exclude + * @param string $excludefilter Filter to exclude. This parameter must not be provided by input of users * @param int $mode 0=Return array of asset instance * 1=Return array of asset instance without extra data * 2=Return array of asset id only diff --git a/htdocs/bom/bom_agenda.php b/htdocs/bom/bom_agenda.php index 6a86f1c2258..dc3421dea0c 100644 --- a/htdocs/bom/bom_agenda.php +++ b/htdocs/bom/bom_agenda.php @@ -86,7 +86,7 @@ if ($id > 0 || !empty($ref)) { //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; $isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); -restrictedArea($user, 'bom', $object->id, '', '', 'fk_soc', 'rowid', $isdraft); +restrictedArea($user, 'bom', $object->id, 'bom_bom', '', '', 'rowid', $isdraft); /* diff --git a/htdocs/bom/bom_card.php b/htdocs/bom/bom_card.php index fa2ef014d17..eaea02cda3a 100644 --- a/htdocs/bom/bom_card.php +++ b/htdocs/bom/bom_card.php @@ -76,7 +76,7 @@ include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be includ //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; $isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); -$result = restrictedArea($user, 'bom', $object->id, '', '', 'fk_soc', 'rowid', $isdraft); +$result = restrictedArea($user, 'bom', $object->id, 'bom_bom', '', '', 'rowid', $isdraft); $permissionnote = $user->rights->bom->write; // Used by the include of actions_setnotes.inc.php $permissiondellink = $user->rights->bom->write; // Used by the include of actions_dellink.inc.php diff --git a/htdocs/bom/bom_document.php b/htdocs/bom/bom_document.php index 520dd8bb9d7..bac28f2ea9a 100644 --- a/htdocs/bom/bom_document.php +++ b/htdocs/bom/bom_document.php 
@@ -83,7 +83,7 @@ if ($id > 0 || !empty($ref)) { //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; $isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); -restrictedArea($user, 'bom', $object->id, '', '', 'fk_soc', 'rowid', $isdraft); +restrictedArea($user, 'bom', $object->id, 'bom_bom', '', '', 'rowid', $isdraft); /* diff --git a/htdocs/bom/bom_note.php b/htdocs/bom/bom_note.php index 244bcfd7a49..99f6a708c05 100644 --- a/htdocs/bom/bom_note.php +++ b/htdocs/bom/bom_note.php @@ -63,7 +63,7 @@ $permissionnote = $user->rights->bom->write; // Used by the include of actions_s //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; $isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); -restrictedArea($user, 'bom', $object->id, '', '', 'fk_soc', 'rowid', $isdraft); +restrictedArea($user, 'bom', $object->id, 'bom_bom', '', '', 'rowid', $isdraft); /* diff --git a/htdocs/bom/class/api_boms.class.php b/htdocs/bom/class/api_boms.class.php index 24ec68d0e2f..b0f536140dd 100644 --- a/htdocs/bom/class/api_boms.class.php +++ b/htdocs/bom/class/api_boms.class.php @@ -134,14 +134,14 @@ class Boms extends DolibarrApi $sql .= " AND t.fk_soc = sc.fk_soc"; } if ($restrictonsocid && $socid) { - $sql .= " AND t.fk_soc = ".$socid; + $sql .= " AND t.fk_soc = ".((int) $socid); } if ($restrictonsocid && $search_sale > 0) { $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale } // Insert sale filter if ($restrictonsocid && $search_sale > 0) { - $sql .= " AND sc.fk_user = ".$search_sale; + $sql .= " AND sc.fk_user = ".((int) $search_sale); } if ($sqlfilters) { if (!DolibarrApi::_checkFilters($sqlfilters)) { diff --git a/htdocs/bookmarks/bookmarks.lib.php b/htdocs/bookmarks/bookmarks.lib.php index ffd1673ac63..950cce19420 100644 --- a/htdocs/bookmarks/bookmarks.lib.php +++ b/htdocs/bookmarks/bookmarks.lib.php 
@@ -53,7 +53,7 @@ function printDropdownBookmarksList() if (is_array($_POST)) { foreach ($_POST as $key => $val) { if (preg_match('/^search_/', $key) && $val != '') { - $tmpurl .= ($tmpurl ? '&' : '').$key.'='.$val; + $tmpurl .= ($tmpurl ? '&' : '').http_build_query(array($key => $val)); } } } diff --git a/htdocs/cashdesk/admin/cashdesk.php b/htdocs/cashdesk/admin/cashdesk.php index 382dd062131..eee5cac755f 100644 --- a/htdocs/cashdesk/admin/cashdesk.php +++ b/htdocs/cashdesk/admin/cashdesk.php @@ -45,6 +45,7 @@ $langs->loadLangs(array("admin", "cashdesk")); /* * Actions */ + if (GETPOST('action', 'alpha') == 'set') { $db->begin(); diff --git a/htdocs/cashdesk/affContenu.php b/htdocs/cashdesk/affContenu.php index 384e3490fa1..7d9af18913e 100644 --- a/htdocs/cashdesk/affContenu.php +++ b/htdocs/cashdesk/affContenu.php @@ -22,6 +22,7 @@ * \ingroup cashdesk * \brief Include to show main page for cashdesk module */ + require_once 'class/Facturation.class.php'; // Si nouvelle vente, reinitialisation des donnees (destruction de l'objet et vidage de la table contenant la liste des articles) @@ -39,6 +40,15 @@ if (isset($_SESSION['serObjFacturation'])) { $obj_facturation = new Facturation(); } +if (empty($user->rights->cashdesk->run)) { + accessforbidden(); +} + + +/* + * View + */ + // $obj_facturation contains data for all invoice total + selection of current product $obj_facturation->calculTotaux(); // Redefine prix_total_ttc, prix_total_ht et montant_tva from $_SESSION['poscart'] diff --git a/htdocs/cashdesk/affIndex.php b/htdocs/cashdesk/affIndex.php index 931bcd76f6f..a352649feb4 100644 --- a/htdocs/cashdesk/affIndex.php +++ b/htdocs/cashdesk/affIndex.php @@ -38,6 +38,10 @@ if ($_SESSION['uid'] <= 0) { // Load translation files required by the page $langs->loadLangs(array("companies", "compta", "cashdesk")); +if (empty($user->rights->cashdesk->run)) { + accessforbidden(); +} + /* * View 
diff --git a/htdocs/cashdesk/affPied.php b/htdocs/cashdesk/affPied.php index 1a7c9c5b6a7..6481a0c2aff 100644 --- a/htdocs/cashdesk/affPied.php +++ b/htdocs/cashdesk/affPied.php @@ -21,6 +21,10 @@ * \brief Bottom of main page of point of sale module */ +if (empty($user->rights->cashdesk->run)) { + accessforbidden(); +} + ?>
diff --git a/htdocs/cashdesk/deconnexion.php b/htdocs/cashdesk/deconnexion.php index 9cac758be1a..f7506902ab5 100644 --- a/htdocs/cashdesk/deconnexion.php +++ b/htdocs/cashdesk/deconnexion.php @@ -40,5 +40,9 @@ require_once '../main.inc.php'; // This destroy tag that say "Point of Sale session is on". unset($_SESSION['uid']); +if (empty($user->rights->cashdesk->run)) { + accessforbidden(); +} + header('Location: '.DOL_URL_ROOT.'/cashdesk/index.php'); exit; diff --git a/htdocs/cashdesk/facturation.php b/htdocs/cashdesk/facturation.php index 446cd161756..edce8acd781 100644 --- a/htdocs/cashdesk/facturation.php +++ b/htdocs/cashdesk/facturation.php @@ -26,6 +26,9 @@ */ +if (empty($user->rights->cashdesk->run)) { + accessforbidden(); +} /* diff --git a/htdocs/cashdesk/facturation_dhtml.php b/htdocs/cashdesk/facturation_dhtml.php index b37c3f41dec..3d0e9ff84ec 100644 --- a/htdocs/cashdesk/facturation_dhtml.php +++ b/htdocs/cashdesk/facturation_dhtml.php @@ -47,6 +47,15 @@ if (!defined('NOREQUIREAJAX')) { require '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/cashdesk/include/environnement.php'; +if (empty($user->rights->cashdesk->run)) { + accessforbidden(); +} + + +/* + * View + */ + top_httphead('text/html'); $search = GETPOST("code", "alpha"); diff --git a/htdocs/cashdesk/facturation_verif.php b/htdocs/cashdesk/facturation_verif.php index 77df185c7cd..eed48555e20 100644 --- a/htdocs/cashdesk/facturation_verif.php +++ b/htdocs/cashdesk/facturation_verif.php @@ -34,6 +34,14 @@ $action = GETPOST('action', 'aZ09'); $obj_facturation = unserialize($_SESSION['serObjFacturation']); unset($_SESSION['serObjFacturation']); +if (empty($user->rights->cashdesk->run)) { + accessforbidden(); +} + + +/* + * View + */ switch ($action) { default: diff --git a/htdocs/cashdesk/index.php b/htdocs/cashdesk/index.php index ad92f9edd81..a4ee6fa415c 100644 --- a/htdocs/cashdesk/index.php +++ b/htdocs/cashdesk/index.php 
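Review bot: In deconnexion.php the new permission check comes after `unset($_SESSION['uid']);`, so a user without cashdesk->run still has the point-of-sale session flag cleared before accessforbidden() stops the request; move the three added lines above the unset. facturation_verif.php has the same ordering, with `$obj_facturation = unserialize($_SESSION['serObjFacturation']); unset($_SESSION['serObjFacturation']);` executed first, and the validation_verif.php hunk header shows its unserialize preceding the check as well. validation_ticket.php places the check before that code and is the pattern to copy. A permission gate belongs directly after the includes, before any session or database state is touched.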
@@ -43,6 +43,11 @@ $err = GETPOST("err"); // Instantiate hooks of thirdparty module only if not already define $hookmanager->initHooks(array('cashdeskloginpage')); +if (empty($user->rights->cashdesk->run)) { + accessforbidden(); +} + + /* * View */ diff --git a/htdocs/cashdesk/index_verif.php b/htdocs/cashdesk/index_verif.php index 0c0281e5414..47a1d90b76c 100644 --- a/htdocs/cashdesk/index_verif.php +++ b/htdocs/cashdesk/index_verif.php @@ -41,6 +41,12 @@ $bankid_cash = (GETPOST("CASHDESK_ID_BANKACCOUNT_CASH") > 0) ?GETPOST("CASHDESK_ $bankid_cheque = (GETPOST("CASHDESK_ID_BANKACCOUNT_CHEQUE") > 0) ?GETPOST("CASHDESK_ID_BANKACCOUNT_CHEQUE", 'int') : $conf->global->CASHDESK_ID_BANKACCOUNT_CHEQUE; $bankid_cb = (GETPOST("CASHDESK_ID_BANKACCOUNT_CB") > 0) ?GETPOST("CASHDESK_ID_BANKACCOUNT_CB", 'int') : $conf->global->CASHDESK_ID_BANKACCOUNT_CB; + +if (empty($user->rights->cashdesk->run)) { + accessforbidden(); +} + + // Check username if (empty($username)) { $retour = $langs->trans("ErrorFieldRequired", $langs->transnoentities("Login")); diff --git a/htdocs/cashdesk/validation_ticket.php b/htdocs/cashdesk/validation_ticket.php index 0c32dfa8c44..5fcf017ada1 100644 --- a/htdocs/cashdesk/validation_ticket.php +++ b/htdocs/cashdesk/validation_ticket.php @@ -26,6 +26,15 @@ require_once DOL_DOCUMENT_ROOT.'/cashdesk/include/environnement.php'; require_once DOL_DOCUMENT_ROOT.'/cashdesk/class/Facturation.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/hookmanager.class.php'; +if (empty($user->rights->cashdesk->run)) { + accessforbidden(); +} + + +/* + * Actions + */ + $obj_facturation = unserialize($_SESSION['serObjFacturation']); unset($_SESSION['serObjFacturation']); diff --git a/htdocs/cashdesk/validation_verif.php b/htdocs/cashdesk/validation_verif.php index b9ad0d94a02..76cba5d3d95 100644 --- a/htdocs/cashdesk/validation_verif.php +++ b/htdocs/cashdesk/validation_verif.php 
@@ -36,6 +36,15 @@ $obj_facturation = unserialize($_SESSION['serObjFacturation']); $action = GETPOST('action', 'aZ09'); $bankaccountid = GETPOST('cashdeskbank'); +if (empty($user->rights->cashdesk->run)) { + accessforbidden(); +} + + +/* + * Actions + */ + switch ($action) { default: $redirection = DOL_URL_ROOT.'/cashdesk/affIndex.php?menutpl=validation'; diff --git a/htdocs/categories/class/categorie.class.php b/htdocs/categories/class/categorie.class.php index ba8ffe0e89f..94a1b89de8f 100644 --- a/htdocs/categories/class/categorie.class.php +++ b/htdocs/categories/class/categorie.class.php @@ -1300,7 +1300,7 @@ class Categorie extends CommonObject $sql = "SELECT c.rowid"; $sql .= " FROM ".MAIN_DB_PREFIX."categorie as c "; $sql .= " WHERE c.entity IN (".getEntity('category').")"; - $sql .= " AND c.type = ".$type; + $sql .= " AND c.type = ".((int) $type); $sql .= " AND c.fk_parent = ".$this->fk_parent; $sql .= " AND c.label = '".$this->db->escape($this->label)."'"; @@ -1520,7 +1520,6 @@ class Categorie extends CommonObject return $cats; } - /** * Returns categories whose id or name match * add wildcards in the name unless $exact = true @@ -1555,7 +1554,7 @@ class Categorie extends CommonObject $sql .= " AND entity IN (".getEntity('category').")"; if ($nom) { if (!$exact) { - $nom = '%'.str_replace('*', '%', $nom).'%'; + $nom = '%'.$this->db->escape(str_replace('*', '%', $nom)).'%'; } if (!$case) { $sql .= " AND label LIKE '".$this->db->escape($nom)."'"; @@ -1564,7 +1563,7 @@ class Categorie extends CommonObject } } if ($id) { - $sql .= " AND rowid = '".$id."'"; + $sql .= " AND rowid = ".((int) $id); } $res = $this->db->query($sql); @@ -1792,7 +1791,7 @@ class Categorie extends CommonObject $sql = "SELECT rowid"; $sql .= " FROM ".MAIN_DB_PREFIX."categorie_lang"; $sql .= " WHERE fk_category=".$this->id; - $sql .= " AND lang='".$key."'"; + $sql .= " AND lang = '".$this->db->escape($key)."'"; $result = $this->db->query($sql); 
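Review bot: The line right after the changed one, `$sql .= " AND c.fk_parent = ".$this->fk_parent;`, is still concatenated without a cast while `$type` now gets `(int)`; make it `$sql .= " AND c.fk_parent = ".((int) $this->fk_parent);`. The -1792 hunk has the same pattern with `" WHERE fk_category=".$this->id`, to be written as `((int) $this->id)`. These are object properties rather than request parameters, but the point of this commit is to cast every numeric concatenation, and a half-cast query is harder to audit than either form.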
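Review bot: `$nom` is now escaped when the wildcard pattern is built (`$nom = '%'.$this->db->escape(str_replace('*', '%', $nom)).'%';`) and escaped a second time in `" AND label LIKE '".$this->db->escape($nom)."'"` two lines below, so a label containing a quote or backslash is searched with doubled escape characters and will not match. Keep the single escape at the point of use, `$nom = '%'.str_replace('*', '%', $nom).'%';`, and if the case-sensitive branch that follows lacks its own escape, add it there instead. The function body continues outside the hunk.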
diff --git a/htdocs/categories/edit.php b/htdocs/categories/edit.php index 176b39ca008..91d32736cbc 100644 --- a/htdocs/categories/edit.php +++ b/htdocs/categories/edit.php @@ -99,7 +99,6 @@ if ($action == 'update' && $user->rights->categorie->creer) { $object->visible = $visible; $object->fk_parent = $parent != -1 ? $parent : 0; - if (empty($object->label)) { $error++; $action = 'edit'; diff --git a/htdocs/categories/index.php b/htdocs/categories/index.php index 6ca392aef47..a23dee4fbb9 100644 --- a/htdocs/categories/index.php +++ b/htdocs/categories/index.php @@ -116,15 +116,15 @@ if (empty($nosearch)) { print '
'; foreach ($cats as $cat) { - $color = $categstatic->color ? ' style="background: #'.sprintf("%06s", $categstatic->color).';"' : ' style="background: #bbb"'; - - print "\t".''."\n"; - print "\t\t'."\n"; + print "\t\t'; + print $langs->trans("Action".$object->type_code); + print ''; } // Full day event diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php index 21c130cafac..4bef5ddcd16 100644 --- a/htdocs/comm/action/class/actioncomm.class.php +++ b/htdocs/comm/action/class/actioncomm.class.php @@ -1227,17 +1227,17 @@ class ActionComm extends CommonObject $sql .= " FROM ".MAIN_DB_PREFIX."actioncomm as a"; $sql .= " WHERE a.entity IN (".getEntity('agenda').")"; if (!empty($socid)) { - $sql .= " AND a.fk_soc = ".$socid; + $sql .= " AND a.fk_soc = ".((int) $socid); } if (!empty($elementtype)) { if ($elementtype == 'project') { - $sql .= ' AND a.fk_project = '.$fk_element; + $sql .= ' AND a.fk_project = '.((int) $fk_element); } elseif ($elementtype == 'contact') { $sql .= ' AND a.id IN'; $sql .= " (SELECT fk_actioncomm FROM ".MAIN_DB_PREFIX."actioncomm_resources WHERE"; - $sql .= " element_type = 'socpeople' AND fk_element = ".$fk_element.')'; + $sql .= " element_type = 'socpeople' AND fk_element = ".((int) $fk_element).')'; } else { - $sql .= " AND a.fk_element = ".(int) $fk_element." AND a.elementtype = '".$db->escape($elementtype)."'"; + $sql .= " AND a.fk_element = ".((int) $fk_element)." AND a.elementtype = '".$db->escape($elementtype)."'"; } } if (!empty($filter)) { diff --git a/htdocs/comm/action/class/api_agendaevents.class.php b/htdocs/comm/action/class/api_agendaevents.class.php index 9ad3dd8ce51..5d57b9624e3 100644 --- a/htdocs/comm/action/class/api_agendaevents.class.php +++ b/htdocs/comm/action/class/api_agendaevents.class.php 
@@ -147,14 +147,14 @@ class AgendaEvents extends DolibarrApi } } if ($user_ids) { - $sql .= " AND t.fk_user_action IN (".$user_ids.")"; + $sql .= " AND t.fk_user_action IN (".$this->db->sanitize($user_ids).")"; } if ($socid > 0) { - $sql .= " AND t.fk_soc = ".$socid; + $sql .= " AND t.fk_soc = ".((int) $socid); } // Insert sale filter if ($search_sale > 0) { - $sql .= " AND sc.fk_user = ".$search_sale; + $sql .= " AND sc.fk_user = ".((int) $search_sale); } // Add sql filters if ($sqlfilters) { diff --git a/htdocs/comm/action/index.php b/htdocs/comm/action/index.php index 6c92f07085b..b8d443d8096 100644 --- a/htdocs/comm/action/index.php +++ b/htdocs/comm/action/index.php @@ -115,8 +115,8 @@ if ($dateselect > 0) { } // Set actioncode (this code must be same for setting actioncode into peruser, listacton and index) -if (GETPOST('search_actioncode', 'array')) { - $actioncode = GETPOST('search_actioncode', 'array', 3); +if (GETPOST('search_actioncode', 'array:aZ09')) { + $actioncode = GETPOST('search_actioncode', 'array:aZ09', 3); if (!count($actioncode)) { $actioncode = '0'; } 
@@ -669,18 +669,18 @@ if (!empty($actioncode)) { $sql .= " AND ca.type = 'systemauto'"; } else { if (is_array($actioncode)) { - $sql .= " AND ca.code IN ('".implode("','", $actioncode)."')"; + $sql .= " AND ca.code IN (".$db->sanitize("'".implode("','", $actioncode)."'", 1).")"; } else { - $sql .= " AND ca.code IN ('".implode("','", explode(',', $actioncode))."')"; + $sql .= " AND ca.code IN (".$db->sanitize("'".implode("','", explode(',', $actioncode))."'", 1).")"; } } } } if ($resourceid > 0) { - $sql .= " AND r.element_type = 'action' AND r.element_id = a.id AND r.resource_id = ".$db->escape($resourceid); + $sql .= " AND r.element_type = 'action' AND r.element_id = a.id AND r.resource_id = ".((int) $resourceid); } if ($pid) { - $sql .= " AND a.fk_project=".$db->escape($pid); + $sql .= " AND a.fk_project=".((int) $pid); } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND (a.fk_soc IS NULL OR sc.fk_user = ".$user->id.")"; diff --git a/htdocs/comm/action/list.php b/htdocs/comm/action/list.php index 64ed79d87ca..888a13fb4b8 100644 --- a/htdocs/comm/action/list.php +++ b/htdocs/comm/action/list.php 
@@ -429,31 +429,31 @@ if (!empty($actioncode)) { $sql .= " AND c.type = 'systemauto'"; } else { if (is_array($actioncode)) { - $sql .= " AND c.code IN ('".implode("','", $actioncode)."')"; + $sql .= " AND c.code IN (".$db->sanitize("'".implode("','", $actioncode)."'", 1).")"; } else { - $sql .= " AND c.code IN ('".implode("','", explode(',', $actioncode))."')"; + $sql .= " AND c.code IN (".$db->sanitize("'".implode("','", explode(',', $actioncode))."'", 1).")"; } } } } if ($resourceid > 0) { - $sql .= " AND r.element_type = 'action' AND r.element_id = a.id AND r.resource_id = ".$db->escape($resourceid); + $sql .= " AND r.element_type = 'action' AND r.element_id = a.id AND r.resource_id = ".((int) $resourceid); } if ($pid) { - $sql .= " AND a.fk_project=".$db->escape($pid); + $sql .= " AND a.fk_project=".((int) $pid); } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND (a.fk_soc IS NULL OR sc.fk_user = ".$user->id.")"; } if ($socid > 0) { - $sql .= " AND s.rowid = ".$socid; + $sql .= " AND s.rowid = ".((int) $socid); } // We must filter on assignement table if ($filtert > 0 || $usergroup > 0) { $sql .= " AND ar.fk_actioncomm = a.id AND ar.element_type='user'"; } if ($type) { - $sql .= " AND c.id = ".(int) $type; + $sql .= " AND c.id = ".((int) $type); } if ($search_status == '0') { $sql .= " AND a.percent = 0"; @@ -486,10 +486,10 @@ if ($search_note) { if ($filtert > 0 || $usergroup > 0) { $sql .= " AND ("; if ($filtert > 0) { - $sql .= "(ar.fk_element = ".$filtert." OR (ar.fk_element IS NULL AND a.fk_user_action=".$filtert."))"; // The OR is for backward compatibility + $sql .= "(ar.fk_element = ".((int) $filtert)." OR (ar.fk_element IS NULL AND a.fk_user_action = ".((int) $filtert)."))"; // The OR is for backward compatibility } if ($usergroup > 0) { - $sql .= ($filtert > 0 ? " OR " : "")." ugu.fk_usergroup = ".$usergroup; + $sql .= ($filtert > 0 ? " OR " : "")." ugu.fk_usergroup = ".((int) $usergroup); } $sql .= ")"; } 
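Review bot: `$db->sanitize("'".implode("','", $actioncode)."'", 1)` is a character filter that keeps single quotes, so the safety of the IN list still rests on what `$actioncode` may contain; the index.php and peruser.php hunks in this diff tighten that input to `GETPOST('search_actioncode', 'array:aZ09')`, while no matching change to list.php or pertype.php is visible here, and the comment in those files says the actioncode handling must stay identical across peruser, list and index. Unless it is changed outside this chunk, list.php and pertype.php should get the same `'array:aZ09'` read. The pertype.php hunk starting at -540 carries the same sanitize lines.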
diff --git a/htdocs/comm/action/pertype.php b/htdocs/comm/action/pertype.php index dc70fb30743..3b55399a58a 100644 --- a/htdocs/comm/action/pertype.php +++ b/htdocs/comm/action/pertype.php @@ -540,24 +540,24 @@ if (!empty($actioncode)) { $sql .= " AND ca.type = 'systemauto'"; } else { if (is_array($actioncode)) { - $sql .= " AND ca.code IN ('".implode("','", $actioncode)."')"; + $sql .= " AND ca.code IN (".$db->sanitize("'".implode("','", $actioncode)."'", 1).")"; } else { - $sql .= " AND ca.code IN ('".implode("','", explode(',', $actioncode))."')"; + $sql .= " AND ca.code IN (".$db->sanitize("'".implode("','", explode(',', $actioncode))."'", 1).")"; } } } } if ($resourceid > 0) { - $sql .= " AND r.element_type = 'action' AND r.element_id = a.id AND r.resource_id = ".$db->escape($resourceid); + $sql .= " AND r.element_type = 'action' AND r.element_id = a.id AND r.resource_id = ".((int) $resourceid); } if ($pid) { - $sql .= " AND a.fk_project=".$db->escape($pid); + $sql .= " AND a.fk_project=".((int) $pid); } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND (a.fk_soc IS NULL OR sc.fk_user = ".$user->id.")"; } if ($socid > 0) { - $sql .= ' AND a.fk_soc = '.$socid; + $sql .= ' AND a.fk_soc = '.((int) $socid); } // We must filter on assignement table if ($filtert > 0 || $usergroup > 0) { diff --git a/htdocs/comm/action/peruser.php b/htdocs/comm/action/peruser.php index 388363f63fc..8c440395083 100644 --- a/htdocs/comm/action/peruser.php +++ b/htdocs/comm/action/peruser.php 
@@ -105,8 +105,8 @@ $type = GETPOST("search_type", 'alpha') ?GETPOST("search_type", 'alpha') : GETPO $maxprint = ((GETPOST("maxprint", 'int') != '') ?GETPOST("maxprint", 'int') : $conf->global->AGENDA_MAX_EVENTS_DAY_VIEW); $optioncss = GETPOST('optioncss', 'aZ'); // Option for the css output (always '' except when 'print') // Set actioncode (this code must be same for setting actioncode into peruser, listacton and index) -if (GETPOST('search_actioncode', 'array')) { - $actioncode = GETPOST('search_actioncode', 'array', 3); +if (GETPOST('search_actioncode', 'array:aZ09')) { + $actioncode = GETPOST('search_actioncode', 'array:aZ09', 3); if (!count($actioncode)) { $actioncode = '0'; } @@ -562,24 +562,24 @@ if (!empty($actioncode)) { $sql .= " AND ca.type = 'systemauto'"; } else { if (is_array($actioncode)) { - $sql .= " AND ca.code IN ('".implode("','", $actioncode)."')"; + $sql .= " AND ca.code IN (".$db->sanitize("'".implode("','", $actioncode)."'", 1).")"; } else { - $sql .= " AND ca.code IN ('".implode("','", explode(',', $actioncode))."')"; + $sql .= " AND ca.code IN (".$db->sanitize("'".implode("','", explode(',', $actioncode))."'", 1).")"; } } } } if ($resourceid > 0) { - $sql .= " AND r.element_type = 'action' AND r.element_id = a.id AND r.resource_id = ".$db->escape($resourceid); + $sql .= " AND r.element_type = 'action' AND r.element_id = a.id AND r.resource_id = ".((int) $resourceid); } if ($pid) { - $sql .= " AND a.fk_project=".$db->escape($pid); + $sql .= " AND a.fk_project = ".((int) $pid); } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND (a.fk_soc IS NULL OR sc.fk_user = ".$user->id.")"; } if ($socid > 0) { - $sql .= ' AND a.fk_soc = '.$socid; + $sql .= ' AND a.fk_soc = '.((int) $socid); } // We must filter on assignement table if ($filtert > 0 || $usergroup > 0) { diff --git a/htdocs/comm/card.php b/htdocs/comm/card.php index c70bfb7fe91..8039241a899 100644 --- a/htdocs/comm/card.php +++ b/htdocs/comm/card.php 
@@ -162,7 +162,7 @@ if (empty($reshook)) { // set accountancy code if ($action == 'setcustomeraccountancycode') { $result = $object->fetch($id); - $object->code_compta = $_POST["customeraccountancycode"]; + $object->code_compta = GETPOST("customeraccountancycode"); $result = $object->update($object->id, $user, 1, 1, 0); if ($result < 0) { setEventMessages($object->error, $object->errors, 'errors'); diff --git a/htdocs/comm/contact.php b/htdocs/comm/contact.php index b1e8b3c3768..8a921e1c358 100644 --- a/htdocs/comm/contact.php +++ b/htdocs/comm/contact.php @@ -101,7 +101,7 @@ if ($type == "f") { $sql .= " AND s.fournisseur = 1"; } if ($socid) { - $sql .= " AND s.rowid = ".$socid; + $sql .= " AND s.rowid = ".((int) $socid); } if (dol_strlen($stcomm)) { diff --git a/htdocs/comm/index.php b/htdocs/comm/index.php index b720ff638c9..b727a18b76f 100644 --- a/htdocs/comm/index.php +++ b/htdocs/comm/index.php @@ -169,7 +169,7 @@ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } if ($socid) { - $sql .= " AND s.rowid = ".$socid; + $sql .= " AND s.rowid = ".((int) $socid); } $resql = $db->query($sql); diff --git a/htdocs/comm/mailing/advtargetemailing.php b/htdocs/comm/mailing/advtargetemailing.php index 8d57a9ee6a0..4b60fdd3464 100644 --- a/htdocs/comm/mailing/advtargetemailing.php +++ b/htdocs/comm/mailing/advtargetemailing.php @@ -397,7 +397,7 @@ if ($action == 'delete') { } } -if ($_POST["button_removefilter"]) { +if (GETPOST("button_removefilter")) { $search_nom = ''; $search_prenom = ''; $search_email = ''; diff --git a/htdocs/comm/mailing/card.php b/htdocs/comm/mailing/card.php index e0a9138244d..3fc50d03eaf 100644 --- a/htdocs/comm/mailing/card.php +++ b/htdocs/comm/mailing/card.php 
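Review bot: `GETPOST("customeraccountancycode")` replaces a raw `$_POST` read but names no check type, so the value is filtered by whatever GETPOST's default is rather than a stated rule; write `$object->code_compta = GETPOST("customeraccountancycode", 'alphanohtml');` so the constraint on an accounting code is visible at the call site. The `GETPOST("button_removefilter")` change in advtargetemailing.php and the `$cancel = GETPOST('cancel');` and `GETPOST("removedfile")` changes in comm/mailing/card.php follow the same pattern. For flags that are only tested for presence, an explicit `'alpha'` is enough.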
@@ -46,6 +46,7 @@ if (!$user->rights->mailing->lire || (empty($conf->global->EXTERNAL_USERS_ARE_AU $id = (GETPOST('mailid', 'int') ? GETPOST('mailid', 'int') : GETPOST('id', 'int')); $action = GETPOST('action', 'aZ09'); +$cancel = GETPOST('cancel'); $confirm = GETPOST('confirm', 'alpha'); $urlfrom = GETPOST('urlfrom'); @@ -393,12 +394,12 @@ if (empty($reshook)) { } // Action send test emailing - if ($action == 'send' && empty($_POST["cancel"])) { + if ($action == 'send' && ! $cancel) { $error = 0; $upload_dir = $conf->mailing->dir_output."/".get_exdir($object->id, 2, 0, 1, $object, 'mailing'); - $object->sendto = $_POST["sendto"]; + $object->sendto = GETPOST("sendto", 'alphawithlgt'); if (!$object->sendto) { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("MailTo")), null, 'errors'); $error++; @@ -537,7 +538,7 @@ if (empty($reshook)) { } // Action of file remove - if (!empty($_POST["removedfile"])) { + if (GETPOST("removedfile")) { $upload_dir = $conf->mailing->dir_output."/".get_exdir($object->id, 2, 0, 1, $object, 'mailing'); require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; @@ -548,7 +549,7 @@ if (empty($reshook)) { } // Action of emailing update - if ($action == 'update' && empty($_POST["removedfile"]) && empty($_POST["cancel"])) { + if ($action == 'update' && !GETPOST("removedfile") && !$cancel) { require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; $isupload = 0; @@ -643,7 +644,7 @@ if (empty($reshook)) { } } - if (!empty($_POST["cancel"])) { + if ($cancel) { $action = ''; } } diff --git a/htdocs/comm/mailing/class/advtargetemailing.class.php b/htdocs/comm/mailing/class/advtargetemailing.class.php index c811b673197..063fb6c7f00 100644 --- a/htdocs/comm/mailing/class/advtargetemailing.class.php +++ b/htdocs/comm/mailing/class/advtargetemailing.class.php 
@@ -559,34 +559,34 @@ class AdvanceTargetingMailing extends CommonObject $sqlwhere[] = " (t.parent IN (SELECT rowid FROM ".MAIN_DB_PREFIX."societe WHERE (".$str.")))"; } if (!empty($arrayquery['cust_status']) && count($arrayquery['cust_status']) > 0) { - $sqlwhere[] = " (t.status IN (".implode(',', $arrayquery['cust_status'])."))"; + $sqlwhere[] = " (t.status IN (".$this->db->sanitize(implode(',', $arrayquery['cust_status']))."))"; } if (!empty($arrayquery['cust_typecust']) && count($arrayquery['cust_typecust']) > 0) { - $sqlwhere[] = " (t.client IN (".implode(',', $arrayquery['cust_typecust'])."))"; + $sqlwhere[] = " (t.client IN (".$this->db->sanitize(implode(',', $arrayquery['cust_typecust']))."))"; } if (!empty($arrayquery['cust_comm_status']) && count($arrayquery['cust_comm_status'] > 0)) { - $sqlwhere[] = " (t.fk_stcomm IN (".implode(',', $arrayquery['cust_comm_status'])."))"; + $sqlwhere[] = " (t.fk_stcomm IN (".$this->db->sanitize(implode(',', $arrayquery['cust_comm_status']))."))"; } if (!empty($arrayquery['cust_prospect_status']) && count($arrayquery['cust_prospect_status']) > 0) { - $sqlwhere[] = " (t.fk_prospectlevel IN ('".implode("','", $arrayquery['cust_prospect_status'])."'))"; + $sqlwhere[] = " (t.fk_prospectlevel IN (".$this->db->sanitize("'".implode("','", $arrayquery['cust_prospect_status'])."'", 1)."))"; } if (!empty($arrayquery['cust_typeent']) && count($arrayquery['cust_typeent']) > 0) { - $sqlwhere[] = " (t.fk_typent IN (".implode(',', $arrayquery['cust_typeent'])."))"; + $sqlwhere[] = " (t.fk_typent IN (".$this->db->sanitize(implode(',', $arrayquery['cust_typeent']))."))"; } if (!empty($arrayquery['cust_saleman']) && count($arrayquery['cust_saleman']) > 0) { - $sqlwhere[] = " (saleman.fk_user IN (".implode(',', $arrayquery['cust_saleman'])."))"; + $sqlwhere[] = " (saleman.fk_user IN (".$this->db->sanitize(implode(',', $arrayquery['cust_saleman']))."))"; } if (!empty($arrayquery['cust_country']) && count($arrayquery['cust_country']) > 0) { - 
$sqlwhere[] = " (t.fk_pays IN (".implode(',', $arrayquery['cust_country'])."))"; + $sqlwhere[] = " (t.fk_pays IN (".$this->db->sanitize(implode(',', $arrayquery['cust_country']))."))"; } if (!empty($arrayquery['cust_effectif_id']) && count($arrayquery['cust_effectif_id']) > 0) { - $sqlwhere[] = " (t.fk_effectif IN (".implode(',', $arrayquery['cust_effectif_id'])."))"; + $sqlwhere[] = " (t.fk_effectif IN (".$this->db->sanitize(implode(',', $arrayquery['cust_effectif_id']))."))"; } if (!empty($arrayquery['cust_categ']) && count($arrayquery['cust_categ']) > 0) { - $sqlwhere[] = " (custcateg.fk_categorie IN (".implode(',', $arrayquery['cust_categ'])."))"; + $sqlwhere[] = " (custcateg.fk_categorie IN (".$this->db->sanitize(implode(',', $arrayquery['cust_categ']))."))"; } if (!empty($arrayquery['cust_language']) && count($arrayquery['cust_language']) > 0) { - $sqlwhere[] = " (t.default_lang IN ('".implode("','", $arrayquery['cust_language'])."'))"; + $sqlwhere[] = " (t.default_lang IN (".$this->db->sanitize("'".implode("','", $arrayquery['cust_language'])."'", 1)."))"; } //Standard Extrafield feature @@ -618,7 +618,7 @@ class AdvanceTargetingMailing extends CommonObject } } else { if (is_array($arrayquery['options_'.$key])) { - $sqlwhere[] = " (te.".$key." IN ('".implode("','", $arrayquery['options_'.$key])."'))"; + $sqlwhere[] = " (te.".$key." IN (".$this->db->sanitize("'".implode("','", $arrayquery['options_'.$key])."'", 1)."))"; } elseif (!empty($arrayquery['options_'.$key])) { $sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')"; } 
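Review bot: The condition guarding the changed cust_comm_status line, `count($arrayquery['cust_comm_status'] > 0)`, has its closing parenthesis misplaced: it counts the boolean result of the comparison, which PHP 8 rejects with a TypeError, and should read `count($arrayquery['cust_comm_status']) > 0` like its neighbours; the same line appears in the -797 hunk. For the quoted lists, `$this->db->sanitize(..., 1)` is a character filter applied to the already-joined string that deliberately keeps the quote character, so its strength depends on which other characters it removes; escaping each element before joining, `"'".implode("','", array_map(array($this->db, 'escape'), $arrayquery['cust_prospect_status']))."'"`, does not depend on that. The -797 hunk writes the fk_prospectlevel filter differently, as `('".$this->db->sanitize(implode("','", ...))."')` without the quote flag, so if sanitize's default mode drops quotes a multi-value selection collapses into one malformed literal; the two copies should use the same form. The -618 and -762 hunks build the same kind of list for extrafields.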
@@ -703,7 +703,7 @@ class AdvanceTargetingMailing extends CommonObject $sqlwhere[] = " (t.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $arrayquery['contact_status'])))."))"; } if (!empty($arrayquery['contact_civility']) && count($arrayquery['contact_civility']) > 0) { - $sqlwhere[] = " (t.civility IN ('".$this->db->sanitize($this->db->escape(implode("','", $arrayquery['contact_civility'])))."'))"; + $sqlwhere[] = " (t.civility IN (".$this->db->sanitize("'".implode("','", $arrayquery['contact_civility'])."'", 1)."))"; } if ($arrayquery['contact_no_email'] != '') { $tmpwhere = ''; @@ -762,7 +762,7 @@ class AdvanceTargetingMailing extends CommonObject } } else { if (is_array($arrayquery['options_'.$key.'_cnct'])) { - $sqlwhere[] = " (te.".$key." IN ('".implode("','", $arrayquery['options_'.$key.'_cnct'])."'))"; + $sqlwhere[] = " (te.".$key." IN (".$this->db->sanitize("'".implode("','", $arrayquery['options_'.$key.'_cnct'])."'", 1)."))"; } elseif (!empty($arrayquery['options_'.$key.'_cnct'])) { $sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key.'_cnct'])."')"; } 
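Review bot: The new `t.civility` line drops `$this->db->escape()` and relies on `sanitize(..., 1)` instead, while the `t.statut` context line directly above it keeps `sanitize($this->db->escape(...))`; two conventions on adjacent lines leave the reader guessing which one is intended. If `sanitize()` is a character allowlist, as the rest of the commit treats it, the inner `escape()` adds nothing and the `t.statut` line could become `$sqlwhere[] = " (t.statut IN (".$this->db->sanitize(implode(',', $arrayquery['contact_status']))."))";` to match. The enclosing method starts before and continues after the hunk.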
@@ -797,34 +797,34 @@ class AdvanceTargetingMailing extends CommonObject $sqlwhere[] = " (ts.parent IN (SELECT rowid FROM ".MAIN_DB_PREFIX."societe WHERE (".$str.")))"; } if (!empty($arrayquery['cust_status']) && count($arrayquery['cust_status']) > 0) { - $sqlwhere[] = " (ts.status IN (".implode(',', $arrayquery['cust_status'])."))"; + $sqlwhere[] = " (ts.status IN (".$this->db->sanitize(implode(',', $arrayquery['cust_status']))."))"; } if (!empty($arrayquery['cust_typecust']) && count($arrayquery['cust_typecust']) > 0) { - $sqlwhere[] = " (ts.client IN (".implode(',', $arrayquery['cust_typecust'])."))"; + $sqlwhere[] = " (ts.client IN (".$this->db->sanitize(implode(',', $arrayquery['cust_typecust']))."))"; } if (!empty($arrayquery['cust_comm_status']) && count($arrayquery['cust_comm_status'] > 0)) { - $sqlwhere[] = " (ts.fk_stcomm IN (".implode(',', $arrayquery['cust_comm_status'])."))"; + $sqlwhere[] = " (ts.fk_stcomm IN (".$this->db->sanitize(implode(',', $arrayquery['cust_comm_status']))."))"; } if (!empty($arrayquery['cust_prospect_status']) && count($arrayquery['cust_prospect_status']) > 0) { - $sqlwhere[] = " (ts.fk_prospectlevel IN ('".implode("','", $arrayquery['cust_prospect_status'])."'))"; + $sqlwhere[] = " (ts.fk_prospectlevel IN ('".$this->db->sanitize(implode("','", $arrayquery['cust_prospect_status']))."'))"; } if (!empty($arrayquery['cust_typeent']) && count($arrayquery['cust_typeent']) > 0) { - $sqlwhere[] = " (ts.fk_typent IN (".implode(',', $arrayquery['cust_typeent'])."))"; + $sqlwhere[] = " (ts.fk_typent IN (".$this->db->sanitize(implode(',', $arrayquery['cust_typeent']))."))"; } if (!empty($arrayquery['cust_saleman']) && count($arrayquery['cust_saleman']) > 0) { - $sqlwhere[] = " (saleman.fk_user IN (".implode(',', $arrayquery['cust_saleman'])."))"; + $sqlwhere[] = " (saleman.fk_user IN (".$this->db->sanitize(implode(',', $arrayquery['cust_saleman']))."))"; } if (!empty($arrayquery['cust_country']) && count($arrayquery['cust_country']) > 0) { 
- $sqlwhere[] = " (ts.fk_pays IN (".implode(',', $arrayquery['cust_country'])."))"; + $sqlwhere[] = " (ts.fk_pays IN (".$this->db->sanitize(implode(',', $arrayquery['cust_country']))."))"; } if (!empty($arrayquery['cust_effectif_id']) && count($arrayquery['cust_effectif_id']) > 0) { - $sqlwhere[] = " (ts.fk_effectif IN (".implode(',', $arrayquery['cust_effectif_id'])."))"; + $sqlwhere[] = " (ts.fk_effectif IN (".$this->db->sanitize(implode(',', $arrayquery['cust_effectif_id']))."))"; } if (!empty($arrayquery['cust_categ']) && count($arrayquery['cust_categ']) > 0) { - $sqlwhere[] = " (custcateg.fk_categorie IN (".implode(',', $arrayquery['cust_categ'])."))"; + $sqlwhere[] = " (custcateg.fk_categorie IN (".$this->db->sanitize(implode(',', $arrayquery['cust_categ']))."))"; } if (!empty($arrayquery['cust_language']) && count($arrayquery['cust_language']) > 0) { - $sqlwhere[] = " (ts.default_lang IN ('".implode("','", $arrayquery['cust_language'])."'))"; + $sqlwhere[] = " (ts.default_lang IN ('".$this->db->sanitize(implode("','", $arrayquery['cust_language']))."'))"; } //Standard Extrafield feature @@ -860,7 +860,7 @@ class AdvanceTargetingMailing extends CommonObject } } else { if (is_array($arrayquery['options_'.$key])) { - $sqlwhere[] = " (tse.".$key." IN ('".implode("','", $arrayquery['options_'.$key])."'))"; + $sqlwhere[] = " (tse.".$key." IN (".$this->db->sanitize("'".implode("','", $arrayquery['options_'.$key])."'", 1)."))"; } elseif (!empty($arrayquery['options_'.$key])) { $sqlwhere[] = " (tse.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')"; } diff --git a/htdocs/comm/multiprix.php b/htdocs/comm/multiprix.php index 2f5e146843b..f1638e9dc37 100644 --- a/htdocs/comm/multiprix.php +++ b/htdocs/comm/multiprix.php 
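Review bot: The `ts.fk_prospectlevel` and `ts.default_lang` lines place the quotes outside `sanitize()` and omit its second argument, whereas the corresponding lines in the 559 hunk wrap the quoted list and pass `1`. If the default mode of `sanitize()` removes quotes, as the `1` elsewhere in this commit suggests, the `','` separators between selected values are stripped and a multi-value selection collapses into one literal, so these two filters would silently match the wrong rows. Using the 559 form, `" (ts.fk_prospectlevel IN (".$this->db->sanitize("'".implode("','", $arrayquery['cust_prospect_status'])."'", 1)."))"` and the same for `ts.default_lang`, keeps both methods in step. The enclosing method starts before and continues after the hunk.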
@@ -30,6 +30,9 @@ require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php'; // Load translation files required by the page $langs->loadLangs(array('orders', 'companies')); +$action = GETPOST('action', 'alpha'); +$cancel = GETPOST('cancel', 'alpha'); + $id = GETPOST('id', 'int'); $_socid = GETPOST("id", 'int'); // Security check @@ -42,10 +45,10 @@ if ($user->socid > 0) { * Actions */ -if ($_POST["action"] == 'setpricelevel') { +if ($action == 'setpricelevel') { $soc = new Societe($db); $soc->fetch($id); - $soc->set_price_level($_POST["price_level"], $user); + $soc->set_price_level(GETPOST("price_level"), $user); header("Location: multiprix.php?id=".$id); exit; diff --git a/htdocs/comm/propal/card.php b/htdocs/comm/propal/card.php index c8c94e7e95a..cecb4fff28a 100644 --- a/htdocs/comm/propal/card.php +++ b/htdocs/comm/propal/card.php @@ -775,9 +775,9 @@ if (empty($reshook)) { $object->generateDocument($object->model_pdf, $outputlangs, $hidedetails, $hidedesc, $hideref); } } elseif ($action == "setabsolutediscount" && $usercancreate) { - if ($_POST["remise_id"]) { + if (GETPOST("remise_id", "int")) { if ($object->id > 0) { - $result = $object->insert_discount($_POST["remise_id"]); + $result = $object->insert_discount(GETPOST("remise_id", "int")); if ($result < 0) { setEventMessages($object->error, $object->errors, 'errors'); } diff --git a/htdocs/comm/propal/class/api_proposals.class.php b/htdocs/comm/propal/class/api_proposals.class.php index 84d7cf23385..9f5cdea8000 100644 --- a/htdocs/comm/propal/class/api_proposals.class.php +++ b/htdocs/comm/propal/class/api_proposals.class.php 
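Review bot: `GETPOST("price_level")` on the `set_price_level()` call carries no check type, although `id` a few lines earlier is read with `'int'` and the `remise_id` read added to comm/propal/card.php in this same commit uses `"int"`; a price level is numeric, so `$soc->set_price_level(GETPOST("price_level", 'int'), $user);` would reject non-numeric input before it reaches the model. The `$cancel` variable added in the 30 hunk is not used anywhere in view. Untyped `GETPOST()` reads are also introduced by compta/bank/card.php hunks 87 and 187 (`GETPOST("type")`, `GETPOST("clos")`, `GETPOST("bank")`, `GETPOST("iban")` and the other account fields, where `proprio` on the same lines already uses `'alphanohtml'`) and by compta/bank/graph.php hunk 35; giving each the `'int'` or `'alphanohtml'` filter that fits the field would complete the move away from raw `$_POST`.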
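Review bot: `GETPOST("remise_id", "int")` is evaluated twice, once in the condition and once as the argument to `insert_discount()`. Reading it once, `$remise_id = GETPOST("remise_id", "int");` before the `if`, then `if ($remise_id) {` and `$object->insert_discount($remise_id)`, removes the duplicate call and keeps the two uses from drifting. The `elseif` chain containing this block starts and ends outside the hunk.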
@@ -181,14 +181,14 @@ class Proposals extends DolibarrApi
 $sql .= " AND t.fk_soc = sc.fk_soc";
 }
 if ($socids) {
- $sql .= " AND t.fk_soc IN (".$socids.")";
+ $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")";
 }
 if ($search_sale > 0) {
 $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
 }
 // Insert sale filter
 if ($search_sale > 0) {
- $sql .= " AND sc.fk_user = ".$search_sale;
+ $sql .= " AND sc.fk_user = ".((int) $search_sale);
 }
 // Add sql filters
 if ($sqlfilters) {
diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php
index 197c9c7074f..3674356af20 100644
--- a/htdocs/comm/propal/class/propal.class.php
+++ b/htdocs/comm/propal/class/propal.class.php
@@ -2734,7 +2734,7 @@ class Propal extends CommonObject
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 if ($draft) {
 $sql .= " AND p.fk_statut = ".self::STATUS_DRAFT;
@@ -2821,7 +2821,7 @@ class Propal extends CommonObject
 if (count($linkedInvoices) > 0) {
 $sql = "SELECT rowid as facid, ref, total, datef as df, fk_user_author, fk_statut, paye";
 $sql .= " FROM ".MAIN_DB_PREFIX."facture";
- $sql .= " WHERE rowid IN (".implode(',', $linkedInvoices).")";
+ $sql .= " WHERE rowid IN (".$this->db->sanitize(implode(',', $linkedInvoices)).")";
 dol_syslog(get_class($this)."::InvoiceArrayList", LOG_DEBUG);
 $resql = $this->db->query($sql);
diff --git a/htdocs/comm/propal/index.php b/htdocs/comm/propal/index.php
index 812561a63b1..2005e51571b 100644
--- a/htdocs/comm/propal/index.php
+++ b/htdocs/comm/propal/index.php
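Review bot: `$this->db->sanitize($socids)` is a character filter, not a validation of the list; `t.fk_soc` is an integer key, so the stricter form is to cast each element before use, `$socids = implode(',', array_map('intval', explode(',', $socids)));`, which also makes the `IN (...)` list well-formed by construction. `$socids` is built outside the hunk, so this assumes it is the comma-separated thirdparty filter of the endpoint. The api_orders.class.php hunk 184 and the commande/list.php hunk 426 (`s.fk_pays`, `s.fk_typent`) have the same shape. The enclosing method starts before and continues after the hunk.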
@@ -106,7 +106,7 @@ if ($user->socid) { if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } -$sql .= " AND p.fk_statut IN (".implode(" ,", $listofstatus).")"; +$sql .= " AND p.fk_statut IN (".$db->sanitize(implode(" ,", $listofstatus)).")"; $sql .= " GROUP BY p.fk_statut"; $resql = $db->query($sql); if ($resql) { @@ -372,7 +372,7 @@ if (!empty($conf->propal->enabled) && $user->rights->propale->lire) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } if ($socid) { - $sql .= " AND s.rowid = ".$socid; + $sql .= " AND s.rowid = ".((int) $socid); } $sql .= " ORDER BY p.rowid DESC"; diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php index 4c8ee0894f5..b4c63365bf8 100644 --- a/htdocs/comm/propal/list.php +++ b/htdocs/comm/propal/list.php @@ -565,7 +565,7 @@ if ($socid > 0) { $sql .= ' AND s.rowid = '.$socid; } if ($search_status != '' && $search_status != '-1') { - $sql .= ' AND p.fk_statut IN ('.$db->sanitize($db->escape($search_status)).')'; + $sql .= ' AND p.fk_statut IN ('.$db->sanitize($search_status).')'; } if ($search_date_start) { $sql .= " AND p.datep >= '".$db->idate($search_date_start)."'"; diff --git a/htdocs/comm/propal/stats/index.php b/htdocs/comm/propal/stats/index.php index 3cb6de90a8d..4ae18df12f8 100644 --- a/htdocs/comm/propal/stats/index.php +++ b/htdocs/comm/propal/stats/index.php @@ -103,7 +103,7 @@ dol_mkdir($dir); $stats = new PropaleStats($db, $socid, ($userid > 0 ? $userid : 0), $mode, ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0)); if ($object_status != '' && $object_status >= 0) { - $stats->where .= ' AND p.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; + $stats->where .= ' AND p.fk_statut IN ('.$db->sanitize($object_status).')'; } // Build graphic number of object diff --git a/htdocs/commande/class/api_orders.class.php b/htdocs/commande/class/api_orders.class.php index 768e6a78c70..17b7d4285b4 100644 
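Review bot: The first context line of the comm/propal/list.php hunk, `$sql .= ' AND s.rowid = '.$socid;`, still concatenates `$socid` without a cast, while this commit casts the same value in comm/propal/index.php hunk 372 and commande/index.php hunk 209; the `$socid > 0` guard in the hunk header does not guarantee an integer value, so `$sql .= ' AND s.rowid = '.((int) $socid);` would match the other files. In the comm/propal/index.php hunk 106, `implode(" ,", $listofstatus)` joins with a space before each comma; whether that space survives `sanitize()` depends on its default mode, so `implode(',', $listofstatus)` is the safer separator. Where `$socid` and `$listofstatus` are set is outside these hunks.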
--- a/htdocs/commande/class/api_orders.class.php +++ b/htdocs/commande/class/api_orders.class.php @@ -184,14 +184,14 @@ class Orders extends DolibarrApi $sql .= " AND t.fk_soc = sc.fk_soc"; } if ($socids) { - $sql .= " AND t.fk_soc IN (".$socids.")"; + $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")"; } if ($search_sale > 0) { $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale } // Insert sale filter if ($search_sale > 0) { - $sql .= " AND sc.fk_user = ".$search_sale; + $sql .= " AND sc.fk_user = ".((int) $search_sale); } // Add sql filters if ($sqlfilters) { diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php index b29b594f8f2..14fc65cf18d 100644 --- a/htdocs/commande/class/commande.class.php +++ b/htdocs/commande/class/commande.class.php @@ -2300,8 +2300,8 @@ class Commande extends CommonOrder if (count($array_of_product)) { $sql = "SELECT fk_product, sum(ps.reel) as total"; $sql .= " FROM ".MAIN_DB_PREFIX."product_stock as ps"; - $sql .= " WHERE ps.fk_product IN (".join(',', $array_of_product).")"; - $sql .= ' GROUP BY fk_product '; + $sql .= " WHERE ps.fk_product IN (".$this->db->sanitize(join(',', $array_of_product)).")"; + $sql .= ' GROUP BY fk_product'; $resql = $this->db->query($sql); if ($resql) { $num = $this->db->num_rows($resql); diff --git a/htdocs/commande/index.php b/htdocs/commande/index.php index 4b6fcc7d8aa..66798c94157 100644 --- a/htdocs/commande/index.php +++ b/htdocs/commande/index.php @@ -209,7 +209,7 @@ if (!empty($conf->commande->enabled)) { $sql .= " AND c.entity IN (".getEntity('commande').")"; $sql .= " AND c.fk_statut = 0"; if ($socid) { - $sql .= " AND c.fk_soc = ".$socid; + $sql .= " AND c.fk_soc = ".((int) $socid); } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; diff --git a/htdocs/commande/list.php b/htdocs/commande/list.php index 73ac91c7098..117f7557db3 100644 
--- a/htdocs/commande/list.php +++ b/htdocs/commande/list.php @@ -426,10 +426,10 @@ if ($search_state) { $sql .= natural_search("state.nom", $search_state); } if ($search_country) { - $sql .= " AND s.fk_pays IN (".$search_country.')'; + $sql .= " AND s.fk_pays IN (".$db->sanitize($search_country).')'; } if ($search_type_thirdparty) { - $sql .= " AND s.fk_typent IN (".$search_type_thirdparty.')'; + $sql .= " AND s.fk_typent IN (".$db->sanitize($search_type_thirdparty).')'; } if ($search_company) { $sql .= natural_search('s.nom', $search_company); diff --git a/htdocs/commande/stats/index.php b/htdocs/commande/stats/index.php index 0c9b80c3883..090d07baf81 100644 --- a/htdocs/commande/stats/index.php +++ b/htdocs/commande/stats/index.php @@ -96,12 +96,12 @@ dol_mkdir($dir); $stats = new CommandeStats($db, $socid, $mode, ($userid > 0 ? $userid : 0), ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0)); if ($mode == 'customer') { if ($object_status != '' && $object_status >= -1) { - $stats->where .= ' AND c.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; + $stats->where .= ' AND c.fk_statut IN ('.$db->sanitize($object_status).')'; } } if ($mode == 'supplier') { if ($object_status != '' && $object_status >= 0) { - $stats->where .= ' AND c.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; + $stats->where .= ' AND c.fk_statut IN ('.$db->sanitize($object_status).')'; } } diff --git a/htdocs/compta/accounting-files.php b/htdocs/compta/accounting-files.php index fed0e025f4c..d369f36c32f 100644 --- a/htdocs/compta/accounting-files.php +++ b/htdocs/compta/accounting-files.php 
@@ -173,7 +173,7 @@ if (($action == 'searchfiles' || $action == 'dl')) { $sql .= "SELECT t.rowid as id, t.entity, t.ref, t.paye as paid, t.total as total_ht, t.total_ttc, t.tva as total_vat, t.multicurrency_code as currency, t.fk_soc, t.datef as date, t.date_lim_reglement as date_due, 'Invoice' as item, s.nom as thirdparty_name, s.code_client as thirdparty_code, c.code as country_code, s.tva_intra as vatnum, ".PAY_CREDIT." as sens"; $sql .= " FROM ".MAIN_DB_PREFIX."facture as t LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = t.fk_soc LEFT JOIN ".MAIN_DB_PREFIX."c_country as c ON c.rowid = s.fk_pays"; $sql .= " WHERE datef between ".$wheretail; - $sql .= " AND t.entity IN (".($entity == 1 ? '0,1' : $entity).')'; + $sql .= " AND t.entity IN (".$db->sanitize($entity == 1 ? '0,1' : $entity).')'; $sql .= " AND t.fk_statut <> ".Facture::STATUS_DRAFT; } // Vendor invoices @@ -184,7 +184,7 @@ if (($action == 'searchfiles' || $action == 'dl')) { $sql .= " SELECT t.rowid as id, t.entity, t.ref, t.paye as paid, t.total_ht, t.total_ttc, t.total_tva as total_vat, t.multicurrency_code as currency, t.fk_soc, t.datef as date, t.date_lim_reglement as date_due, 'SupplierInvoice' as item, s.nom as thirdparty_name, s.code_fournisseur as thirdparty_code, c.code as country_code, s.tva_intra as vatnum, ".PAY_DEBIT." as sens"; $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn as t LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = t.fk_soc LEFT JOIN ".MAIN_DB_PREFIX."c_country as c ON c.rowid = s.fk_pays"; $sql .= " WHERE datef between ".$wheretail; - $sql .= " AND t.entity IN (".($entity == 1 ? '0,1' : $entity).')'; + $sql .= " AND t.entity IN (".$db->sanitize($entity == 1 ? '0,1' : $entity).')'; $sql .= " AND t.fk_statut <> ".FactureFournisseur::STATUS_DRAFT; } // Expense reports 
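Review bot: `$db->sanitize($entity == 1 ? '0,1' : $entity)` is repeated verbatim in this hunk and in the 184, 195, 206, 217, 228, 239 and 249 hunks of the same file; computing it once before the first query block, `$entitylist = $db->sanitize($entity == 1 ? '0,1' : $entity);`, and writing `" AND t.entity IN (".$entitylist.')'` (`l.entity` in the loan hunk) would make the entity restriction a single place to review. Where `$entity` is assigned is outside these hunks, so this assumes it is not reassigned between the blocks. The loose `$entity == 1` comparison is untouched by the commit; `(int) $entity === 1` states the intent more precisely.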
@@ -195,7 +195,7 @@ if (($action == 'searchfiles' || $action == 'dl')) { $sql .= " SELECT t.rowid as id, t.entity, t.ref, t.paid, t.total_ht, t.total_ttc, t.total_tva as total_vat, t.multicurrency_code as currency, t.fk_user_author as fk_soc, t.date_fin as date, t.date_fin as date_due, 'ExpenseReport' as item, CONCAT(CONCAT(u.lastname, ' '), u.firstname) as thirdparty_name, '' as thirdparty_code, c.code as country_code, '' as vatnum, ".PAY_DEBIT." as sens"; $sql .= " FROM ".MAIN_DB_PREFIX."expensereport as t LEFT JOIN ".MAIN_DB_PREFIX."user as u ON u.rowid = t.fk_user_author LEFT JOIN ".MAIN_DB_PREFIX."c_country as c ON c.rowid = u.fk_country"; $sql .= " WHERE date_fin between ".$wheretail; - $sql .= " AND t.entity IN (".($entity == 1 ? '0,1' : $entity).')'; + $sql .= " AND t.entity IN (".$db->sanitize($entity == 1 ? '0,1' : $entity).')'; $sql .= " AND t.fk_statut <> ".ExpenseReport::STATUS_DRAFT; } // Donations @@ -206,7 +206,7 @@ if (($action == 'searchfiles' || $action == 'dl')) { $sql .= " SELECT t.rowid as id, t.entity, t.ref, paid, amount as total_ht, amount as total_ttc, 0 as total_vat, '".$db->escape($conf->currency)."' as currency, 0 as fk_soc, t.datedon as date, t.datedon as date_due, 'Donation' as item, t.societe as thirdparty_name, '' as thirdparty_code, c.code as country_code, '' as vatnum, ".PAY_CREDIT." as sens"; $sql .= " FROM ".MAIN_DB_PREFIX."don as t LEFT JOIN ".MAIN_DB_PREFIX."c_country as c ON c.rowid = t.fk_country"; $sql .= " WHERE datedon between ".$wheretail; - $sql .= " AND t.entity IN (".($entity == 1 ? '0,1' : $entity).')'; + $sql .= " AND t.entity IN (".$db->sanitize($entity == 1 ? '0,1' : $entity).')'; $sql .= " AND t.fk_statut <> ".Don::STATUS_DRAFT; } // Payments of salaries 
@@ -217,7 +217,7 @@ if (($action == 'searchfiles' || $action == 'dl')) { $sql .= " SELECT t.rowid as id, t.entity, t.label as ref, 1 as paid, amount as total_ht, amount as total_ttc, 0 as total_vat, '".$db->escape($conf->currency)."' as currency, t.fk_user as fk_soc, t.datep as date, t.dateep as date_due, 'SalaryPayment' as item, CONCAT(CONCAT(u.lastname, ' '), u.firstname) as thirdparty_name, '' as thirdparty_code, c.code as country_code, '' as vatnum, ".PAY_DEBIT." as sens"; $sql .= " FROM ".MAIN_DB_PREFIX."payment_salary as t LEFT JOIN ".MAIN_DB_PREFIX."user as u ON u.rowid = t.fk_user LEFT JOIN ".MAIN_DB_PREFIX."c_country as c ON c.rowid = u.fk_country"; $sql .= " WHERE datep between ".$wheretail; - $sql .= " AND t.entity IN (".($entity == 1 ? '0,1' : $entity).')'; + $sql .= " AND t.entity IN (".$db->sanitize($entity == 1 ? '0,1' : $entity).')'; //$sql.=" AND fk_statut <> ".PaymentSalary::STATUS_DRAFT; } // Social contributions @@ -228,7 +228,7 @@ if (($action == 'searchfiles' || $action == 'dl')) { $sql .= " SELECT t.rowid as id, t.entity, t.libelle as ref, t.paye as paid, t.amount as total_ht, t.amount as total_ttc, 0 as total_vat, '".$db->escape($conf->currency)."' as currency, 0 as fk_soc, t.date_ech as date, t.periode as date_due, 'SocialContributions' as item, '' as thirdparty_name, '' as thirdparty_code, '' as country_code, '' as vatnum, ".PAY_DEBIT." as sens"; $sql .= " FROM ".MAIN_DB_PREFIX."chargesociales as t"; $sql .= " WHERE t.date_ech between ".$wheretail; - $sql .= " AND t.entity IN (".($entity == 1 ? '0,1' : $entity).')'; + $sql .= " AND t.entity IN (".$db->sanitize($entity == 1 ? '0,1' : $entity).')'; //$sql.=" AND fk_statut <> ".ChargeSociales::STATUS_DRAFT; } // Various payments 
@@ -239,7 +239,7 @@ if (($action == 'searchfiles' || $action == 'dl')) { $sql .= " SELECT t.rowid as id, t.entity, t.ref, 1 as paid, t.amount as total_ht, t.amount as total_ttc, 0 as total_vat, '".$db->escape($conf->currency)."' as currency, 0 as fk_soc, t.datep as date, t.datep as date_due, 'VariousPayment' as item, '' as thirdparty_name, '' as thirdparty_code, '' as country_code, '' as vatnum, sens"; $sql .= " FROM ".MAIN_DB_PREFIX."payment_various as t"; $sql .= " WHERE datep between ".$wheretail; - $sql .= " AND t.entity IN (".($entity == 1 ? '0,1' : $entity).')'; + $sql .= " AND t.entity IN (".$db->sanitize($entity == 1 ? '0,1' : $entity).')'; } // Loan payments if (GETPOST('selectloanspayment') && !empty($listofchoices['selectloanspayment']['perms'])) { @@ -249,7 +249,7 @@ if (($action == 'searchfiles' || $action == 'dl')) { $sql .= " SELECT t.rowid as id, l.entity, l.label as ref, 1 as paid, (t.amount_capital+t.amount_insurance+t.amount_interest) as total_ht, (t.amount_capital+t.amount_insurance+t.amount_interest) as total_ttc, 0 as total_vat, '".$db->escape($conf->currency)."' as currency, 0 as fk_soc, t.datep as date, t.datep as date_due, 'LoanPayment' as item, '' as thirdparty_name, '' as thirdparty_code, '' as country_code, '' as vatnum, ".PAY_DEBIT." as sens"; $sql .= " FROM ".MAIN_DB_PREFIX."payment_loan as t LEFT JOIN ".MAIN_DB_PREFIX."loan as l ON l.rowid = t.fk_loan"; $sql .= " WHERE datep between ".$wheretail; - $sql .= " AND l.entity IN (".($entity == 1 ? '0,1' : $entity).')'; + $sql .= " AND l.entity IN (".$db->sanitize($entity == 1 ? '0,1' : $entity).')'; } if ($sql) { diff --git a/htdocs/compta/bank/account_statement_document.php b/htdocs/compta/bank/account_statement_document.php index ea4911e7050..e144f6acbe0 100644 --- a/htdocs/compta/bank/account_statement_document.php +++ b/htdocs/compta/bank/account_statement_document.php 
@@ -79,12 +79,12 @@ $result = restrictedArea($user, 'banque', $object->id, 'bank_account', '', ''); // Define number of receipt to show (current, previous or next one ?) $found = false; -if ($_GET["rel"] == 'prev') { +if (GETPOST("rel") == 'prev') { // Recherche valeur pour num = numero releve precedent $sql = "SELECT DISTINCT(b.num_releve) as num"; $sql .= " FROM ".MAIN_DB_PREFIX."bank as b"; $sql .= " WHERE b.num_releve < '".$db->escape($numref)."'"; - $sql .= " AND b.fk_account = ".$id; + $sql .= " AND b.fk_account = ".((int) $id); $sql .= " ORDER BY b.num_releve DESC"; dol_syslog("htdocs/compta/bank/releve.php", LOG_DEBUG); @@ -97,12 +97,12 @@ if ($_GET["rel"] == 'prev') { $found = true; } } -} elseif ($_GET["rel"] == 'next') { +} elseif (GETPOST("rel") == 'next') { // Recherche valeur pour num = numero releve precedent $sql = "SELECT DISTINCT(b.num_releve) as num"; $sql .= " FROM ".MAIN_DB_PREFIX."bank as b"; $sql .= " WHERE b.num_releve > '".$db->escape($numref)."'"; - $sql .= " AND b.fk_account = ".$id; + $sql .= " AND b.fk_account = ".((int) $id); $sql .= " ORDER BY b.num_releve ASC"; dol_syslog("htdocs/compta/bank/releve.php", LOG_DEBUG); diff --git a/htdocs/compta/bank/annuel.php b/htdocs/compta/bank/annuel.php index 45ae92480a0..686b14362cc 100644 --- a/htdocs/compta/bank/annuel.php +++ b/htdocs/compta/bank/annuel.php @@ -267,7 +267,7 @@ if ($result < 0) { $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; if ($id && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$id.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($id).")"; } $resql = $db->query($sql); @@ -299,7 +299,7 @@ if ($result < 0) { $sql .= " AND b.datev <= '".($year - $annee)."-12-31 23:59:59'"; $sql .= " AND b.amount > 0"; if ($id && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$id.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($id).")"; } $sql .= " GROUP BY date_format(b.datev,'%m');"; 
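Review bot: The condition `if ($id && $_GET["option"] != 'all') {` is a context line of the very `if` whose body this hunk rewrites, and it still reads `$_GET` directly although the rest of this commit replaces `$_GET`/`$_POST` with `GETPOST()`; `if ($id && GETPOST('option', 'alpha') != 'all') {` would finish the change. The same `$_GET["option"]` line is left in the 299 and 381 hunks of annuel.php and in the 96, 138, 166, 280, 308, 416 and 541 hunks of compta/bank/graph.php. In the account_statement_document.php hunks 79 and 97, the `dol_syslog("htdocs/compta/bank/releve.php", LOG_DEBUG)` context lines name a different file than the one being patched, which will send anyone reading the log to the wrong place.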
@@ -381,7 +381,7 @@ if ($result < 0) { $sql .= " AND b.datev <= '".($year - $annee)."-12-31 23:59:59'"; $sql .= " AND b.amount < 0"; if ($id && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$id.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($id).")"; } $sql .= " GROUP BY date_format(b.datev,'%m');"; diff --git a/htdocs/compta/bank/bankentries_list.php b/htdocs/compta/bank/bankentries_list.php index 37ef8a5da76..22121fa7664 100644 --- a/htdocs/compta/bank/bankentries_list.php +++ b/htdocs/compta/bank/bankentries_list.php @@ -245,7 +245,7 @@ if ((GETPOST('confirm_savestatement', 'alpha') || GETPOST('confirm_reconcile', ' foreach ($rowids as $row) { if ($row > 0) { $result = $bankline->fetch($row); - $bankline->num_releve = $num_releve; //$_POST["num_releve"]; + $bankline->num_releve = $num_releve; // GETPOST("num_releve"); $result = $bankline->update_conciliation($user, GETPOST("cat"), GETPOST('confirm_reconcile', 'alpha') ? 1 : 0); // If we confirm_reconcile, we set flag 'rappro' to 1. if ($result < 0) { setEventMessages($bankline->error, $bankline->errors, 'errors'); @@ -581,7 +581,7 @@ if (is_array($extrafields->attributes[$object->table_element]['label']) && count $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; if ($search_account > 0) { - $sql .= " AND b.fk_account = ".$search_account; + $sql .= " AND b.fk_account = ".((int) $search_account); } // Search period criteria if (dol_strlen($search_dt_start) > 0) { @@ -607,7 +607,7 @@ if ($search_num_releve) { $sql .= natural_search("b.num_releve", $search_num_releve); } if ($search_conciliated != '' && $search_conciliated != '-1') { - $sql .= " AND b.rappro = ".urlencode($search_conciliated); + $sql .= " AND b.rappro = ".((int) $search_conciliated); } if ($search_thirdparty_user) { $sql.= " AND (b.rowid IN "; diff --git a/htdocs/compta/bank/card.php b/htdocs/compta/bank/card.php index bf74035d553..33d4bc37aed 100644 
--- a/htdocs/compta/bank/card.php +++ b/htdocs/compta/bank/card.php @@ -87,18 +87,18 @@ if ($action == 'add') { $object->ref = dol_string_nospecial(trim(GETPOST('ref', 'alpha'))); $object->label = trim(GETPOST("label", 'alphanohtml')); - $object->courant = $_POST["type"]; - $object->clos = $_POST["clos"]; + $object->courant = GETPOST("type"); + $object->clos = GETPOST("clos"); $object->rappro = (GETPOST("norappro", 'alpha') ? 0 : 1); $object->url = trim(GETPOST("url", 'alpha')); - $object->bank = trim($_POST["bank"]); - $object->code_banque = trim($_POST["code_banque"]); - $object->code_guichet = trim($_POST["code_guichet"]); - $object->number = trim($_POST["number"]); - $object->cle_rib = trim($_POST["cle_rib"]); - $object->bic = trim($_POST["bic"]); - $object->iban = trim($_POST["iban"]); + $object->bank = trim(GETPOST("bank")); + $object->code_banque = trim(GETPOST("code_banque")); + $object->code_guichet = trim(GETPOST("code_guichet")); + $object->number = trim(GETPOST("number")); + $object->cle_rib = trim(GETPOST("cle_rib")); + $object->bic = trim(GETPOST("bic")); + $object->iban = trim(GETPOST("iban")); $object->domiciliation = trim(GETPOST("domiciliation", "nohtml")); $object->proprio = trim(GETPOST("proprio", 'alphanohtml')); @@ -120,10 +120,10 @@ if ($action == 'add') { $object->fk_accountancy_journal = $fk_accountancy_journal; } - $object->solde = $_POST["solde"]; + $object->solde = price2num(GETPOST("solde")); $object->date_solde = dol_mktime(12, 0, 0, GETPOST("remonth", 'int'), GETPOST('reday', 'int'), GETPOST("reyear", 'int')); - $object->currency_code = trim($_POST["account_currency_code"]); + $object->currency_code = trim(GETPOST("account_currency_code")); $object->state_id = GETPOST("account_state_id", 'int'); $object->country_id = GETPOST("account_country_id", 'int'); 
@@ -187,18 +187,18 @@ if ($action == 'update') { $object->ref = dol_string_nospecial(trim(GETPOST('ref', 'alpha'))); $object->label = trim(GETPOST("label", 'alphanohtml')); - $object->courant = $_POST["type"]; - $object->clos = $_POST["clos"]; + $object->courant = GETPOST("type"); + $object->clos = GETPOST("clos"); $object->rappro = (GETPOST("norappro", 'alpha') ? 0 : 1); $object->url = trim(GETPOST("url", 'alpha')); - $object->bank = trim($_POST["bank"]); - $object->code_banque = trim($_POST["code_banque"]); - $object->code_guichet = trim($_POST["code_guichet"]); - $object->number = trim($_POST["number"]); - $object->cle_rib = trim($_POST["cle_rib"]); - $object->bic = trim($_POST["bic"]); - $object->iban = trim($_POST["iban"]); + $object->bank = trim(GETPOST("bank")); + $object->code_banque = trim(GETPOST("code_banque")); + $object->code_guichet = trim(GETPOST("code_guichet")); + $object->number = trim(GETPOST("number")); + $object->cle_rib = trim(GETPOST("cle_rib")); + $object->bic = trim(GETPOST("bic")); + $object->iban = trim(GETPOST("iban")); $object->domiciliation = trim(GETPOST("domiciliation", "nohtml")); $object->proprio = trim(GETPOST("proprio", 'alphanohtml')); @@ -220,7 +220,7 @@ if ($action == 'update') { $object->fk_accountancy_journal = $fk_accountancy_journal; } - $object->currency_code = trim($_POST["account_currency_code"]); + $object->currency_code = trim(GETPOST("account_currency_code")); $object->state_id = GETPOST("account_state_id", 'int'); $object->country_id = GETPOST("account_country_id", 'int'); @@ -274,7 +274,7 @@ if ($action == 'update') { } } -if ($action == 'confirm_delete' && $_POST["confirm"] == "yes" && $user->rights->banque->configurer) { +if ($action == 'confirm_delete' && GETPOST("confirm") == "yes" && $user->rights->banque->configurer) { // Delete $object = new Account($db); $object->fetch(GETPOST("id", "int")); @@ -462,7 +462,8 @@ if ($action == 'create') { print '
'.$langs->trans("Parameter").'
'.$langs->trans("TicketCkEditorEmailNotActivated").'
'; print ''; + print ''; print $form->textwithpicto('', $langs->trans("TicketPublicInterfaceTopicHelp"), 1, 'help'); print '
'.$langs->trans("FoundCats").'
"; $categstatic->id = $cat->id; $categstatic->ref = $cat->label; $categstatic->label = $cat->label; $categstatic->type = $cat->type; $categstatic->color = $cat->color; + $color = $categstatic->color ? ' style="background: #'.sprintf("%06s", $categstatic->color).';"' : ' style="background: #bbb"'; + + print "\t".'
"; print ''; print $categstatic->getNomUrl(1, ''); print ''; diff --git a/htdocs/categories/photos.php b/htdocs/categories/photos.php index e30067e8815..5fb1c85dd40 100644 --- a/htdocs/categories/photos.php +++ b/htdocs/categories/photos.php @@ -66,7 +66,7 @@ $upload_dir = $conf->categorie->multidir_output[$object->entity]; * Actions */ -if (isset($_FILES['userfile']) && $_FILES['userfile']['size'] > 0 && $_POST["sendit"] && !empty($conf->global->MAIN_UPLOAD_DOC)) { +if (isset($_FILES['userfile']) && $_FILES['userfile']['size'] > 0 && GETPOST("sendit") && !empty($conf->global->MAIN_UPLOAD_DOC)) { if ($object->id) { $file = $_FILES['userfile']; if (is_array($file['name']) && count($file['name']) > 0) { diff --git a/htdocs/comm/action/card.php b/htdocs/comm/action/card.php index 391b418f5b8..db26bc4ad22 100644 --- a/htdocs/comm/action/card.php +++ b/htdocs/comm/action/card.php @@ -1896,7 +1896,8 @@ if ($id > 0) { if (!empty($conf->global->AGENDA_USE_EVENT_TYPE)) { print '
'.$langs->trans("Type").''; print $object->getTypePicto(); - print $langs->trans($object->type).'
'; print '
'; - if ($_POST["type"] == Account::TYPE_SAVINGS || $_POST["type"] == Account::TYPE_CURRENT) { + $type = GETPOST('type'); + if ($type == Account::TYPE_SAVINGS || $type == Account::TYPE_CURRENT) { print ''; // If bank account @@ -988,7 +989,7 @@ if ($action == 'create') { print '
'; - if ($_POST["type"] == Account::TYPE_SAVINGS || $_POST["type"] == Account::TYPE_CURRENT) { + if (GETPOST("type") == Account::TYPE_SAVINGS || GETPOST("type") == Account::TYPE_CURRENT) { print '
'; //print '
'; diff --git a/htdocs/compta/bank/class/account.class.php b/htdocs/compta/bank/class/account.class.php index be38f1311d7..451f855a5fe 100644 --- a/htdocs/compta/bank/class/account.class.php +++ b/htdocs/compta/bank/class/account.class.php @@ -943,7 +943,7 @@ class Account extends CommonObject $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'accounting_journal as aj ON aj.rowid=ba.fk_accountancy_journal'; $sql .= " WHERE ba.entity IN (".getEntity($this->element).")"; if ($id) { - $sql .= " AND ba.rowid = ".$id; + $sql .= " AND ba.rowid = ".((int) $id); } if ($ref) { $sql .= " AND ba.ref = '".$this->db->escape($ref)."'"; diff --git a/htdocs/compta/bank/graph.php b/htdocs/compta/bank/graph.php index 6dd588f51e1..4c0efec57d2 100644 --- a/htdocs/compta/bank/graph.php +++ b/htdocs/compta/bank/graph.php @@ -35,10 +35,10 @@ $WIDTH = DolGraph::getDefaultGraphSizeForStats('width', 768); $HEIGHT = DolGraph::getDefaultGraphSizeForStats('height', 200); // Security check -if (isset($_GET["account"]) || isset($_GET["ref"])) { - $id = isset($_GET["account"]) ? $_GET["account"] : (isset($_GET["ref"]) ? $_GET["ref"] : ''); +if (GETPOST('account') || GETPOST('ref')) { + $id = GETPOST('account') ? GETPOST('account') : GETPOST('ref'); } -$fieldid = isset($_GET["ref"]) ? 'ref' : 'rowid'; +$fieldid = GETPOST('ref') ? 'ref' : 'rowid'; if ($user->socid) { $socid = $user->socid; } 
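Review bot: Replacing `isset($_GET["account"])` with `GETPOST('account')` turns a presence test into a truthiness test, so an `account` or `ref` value of `0` is now treated as absent and `$fieldid` falls back to `'rowid'`; if that is intended, a comment on the line saying so would help, otherwise compare against `''` explicitly. `account` is read without a check type; the 66 hunk shows it may be a comma-separated list, so `'int'` would truncate it, but `GETPOST('account', 'alphanohtml')` fits, and since the value later lands in `b.fk_account IN (...)` (hunks 96 to 541), validating it there as a list of integers would be stricter than `sanitize()` alone. `GETPOST()` presumably also reads POST values, so the page now accepts them where `$_GET` did not — worth confirming that this widening is wanted.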
@@ -66,19 +66,19 @@ $datetime = dol_now(); $year = dol_print_date($datetime, "%Y"); $month = dol_print_date($datetime, "%m"); $day = dol_print_date($datetime, "%d"); -if (GETPOST("year")) { - $year = sprintf("%04d", GETPOST("year")); +if (GETPOST("year", 'int')) { + $year = sprintf("%04d", GETPOST("year", 'int')); } -if (GETPOST("month")) { - $month = sprintf("%02d", GETPOST("month")); +if (GETPOST("month", 'int')) { + $month = sprintf("%02d", GETPOST("month", 'int')); } $object = new Account($db); -if ($_GET["account"] && !preg_match('/,/', $_GET["account"])) { // if for a particular account and not a list - $result = $object->fetch(GETPOST("account", "int")); +if (GETPOST('account') && !preg_match('/,/', GETPOST('account'))) { // if for a particular account and not a list + $result = $object->fetch(GETPOST('account', 'int')); } -if ($_GET["ref"]) { +if (GETPOST("ref")) { $result = $object->fetch(0, GETPOST("ref")); $account = $object->id; } @@ -96,7 +96,7 @@ if ($result < 0) { $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; if ($account && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$account.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($account).")"; } $resql = $db->query($sql); @@ -138,7 +138,7 @@ if ($result < 0) { $sql .= " AND b.datev >= '".$db->escape($year)."-".$db->escape($month)."-01 00:00:00'"; $sql .= " AND b.datev < '".$db->escape($yearnext)."-".$db->escape($monthnext)."-01 00:00:00'"; if ($account && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$account.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($account).")"; } $sql .= " GROUP BY date_format(b.datev,'%Y%m%d')"; 
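Review bot: `$db->sanitize($account)` in the `@@ -96` hunk closes the injection, but if `sanitize()` is the character allow-list I believe it is (letters, digits, `_-.,`), it does not guarantee a list of integers, so an `IN (…)` list built from request data is stricter as `implode(',', array_map('intval', explode(',', $account)))`; the same applies to the other `fk_account IN` hunks of this file (`-138`, `-166`, `-280`, `-308`, `-416`, `-541`, `-576`, `-650`, `-677`) and to the `$childids` / `$userid` joins in deplacementstats.class.php, deplacement/index.php and deplacement/list.php. The context line `if ($account && $_GET["option"] != 'all')` still reads `$_GET` directly although this commit moves the rest of the file to `GETPOST()`; `GETPOST('option', 'alpha')` would complete the migration in every one of those hunks.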
@@ -166,7 +166,7 @@ if ($result < 0) { $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; $sql .= " AND b.datev < '".$db->escape($year)."-".sprintf("%02s", $month)."-01'"; if ($account && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$account.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($account).")"; } $resql = $db->query($sql); @@ -280,7 +280,7 @@ if ($result < 0) { $sql .= " AND b.datev >= '".$db->escape($year)."-01-01 00:00:00'"; $sql .= " AND b.datev <= '".$db->escape($year)."-12-31 23:59:59'"; if ($account && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$account.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($account).")"; } $sql .= " GROUP BY date_format(b.datev,'%Y%m%d')"; @@ -308,7 +308,7 @@ if ($result < 0) { $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; $sql .= " AND b.datev < '".$db->escape($year)."-01-01'"; if ($account && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$account.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($account).")"; } $resql = $db->query($sql); @@ -416,7 +416,7 @@ if ($result < 0) { $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; if ($account && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$account.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($account).")"; } $sql .= " GROUP BY date_format(b.datev,'%Y%m%d')"; @@ -541,7 +541,7 @@ if ($result < 0) { $sql .= " AND b.datev < '".$db->escape($yearnext)."-".$db->escape($monthnext)."-01 00:00:00'"; $sql .= " AND b.amount > 0"; if ($account && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$account.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($account).")"; } $sql .= " GROUP BY date_format(b.datev,'%d')"; 
@@ -576,7 +576,7 @@ if ($result < 0) { $sql .= " AND b.datev < '".$db->escape($yearnext)."-".$db->escape($monthnext)."-01 00:00:00'"; $sql .= " AND b.amount < 0"; if ($account && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$account.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($account).")"; } $sql .= " GROUP BY date_format(b.datev,'%d')"; @@ -650,7 +650,7 @@ if ($result < 0) { $sql .= " AND b.datev <= '".$db->escape($year)."-12-31 23:59:59'"; $sql .= " AND b.amount > 0"; if ($account && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$account.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($account).")"; } $sql .= " GROUP BY date_format(b.datev,'%m');"; @@ -677,7 +677,7 @@ if ($result < 0) { $sql .= " AND b.datev <= '".$db->escape($year)."-12-31 23:59:59'"; $sql .= " AND b.amount < 0"; if ($account && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$account.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($account).")"; } $sql .= " GROUP BY date_format(b.datev,'%m')"; diff --git a/htdocs/compta/bank/line.php b/htdocs/compta/bank/line.php index 410e3a82bea..292a61e8bc6 100644 --- a/htdocs/compta/bank/line.php +++ b/htdocs/compta/bank/line.php @@ -140,9 +140,9 @@ if ($user->rights->banque->modifier && $action == "update") { if (!$error) { $db->begin(); - $amount = price2num($_POST['amount']); - $dateop = dol_mktime(12, 0, 0, $_POST["dateomonth"], $_POST["dateoday"], $_POST["dateoyear"]); - $dateval = dol_mktime(12, 0, 0, $_POST["datevmonth"], $_POST["datevday"], $_POST["datevyear"]); + $amount = price2num(GETPOST('amount')); + $dateop = dol_mktime(12, 0, 0, GETPOST("dateomonth"), GETPOST("dateoday"), GETPOST("dateoyear")); + $dateval = dol_mktime(12, 0, 0, GETPOST("datevmonth"), GETPOST("datevday"), GETPOST("datevyear")); $sql = "UPDATE ".MAIN_DB_PREFIX."bank"; $sql .= " SET "; // Always opened 
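Review bot: In the line.php `@@ -140` hunk the six day/month/year parts passed to `dol_mktime()` are read with `GETPOST("dateomonth")` and friends without a check type, whereas the same pattern elsewhere in this commit (paiement_charge.php, rapport.php) uses `GETPOST("remonth", "int")`; use `'int'` for all six so non-numeric input is rejected before the timestamp is built, e.g. `$dateop = dol_mktime(12, 0, 0, GETPOST("dateomonth", "int"), GETPOST("dateoday", "int"), GETPOST("dateoyear", "int"));`. The enclosing `update` branch starts outside the hunk.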
@@ -212,8 +212,8 @@ if ($user->rights->banque->modifier && $action == "update") { // Reconcile if ($user->rights->banque->consolidate && ($action == 'num_releve' || $action == 'setreconcile')) { - $num_rel = trim($_POST["num_rel"]); - $rappro = $_POST['reconciled'] ? 1 : 0; + $num_rel = trim(GETPOST("num_rel")); + $rappro = GETPOST('reconciled') ? 1 : 0; // Check parameters if ($rappro && empty($num_rel)) { diff --git a/htdocs/compta/bank/various_payment/list.php b/htdocs/compta/bank/various_payment/list.php index 39cbb91fde1..65542598351 100644 --- a/htdocs/compta/bank/various_payment/list.php +++ b/htdocs/compta/bank/various_payment/list.php @@ -264,10 +264,6 @@ if ($search_accountancy_subledger > 0) { if ($typeid > 0) { $sql .= " AND v.fk_typepayment=".$typeid; } -if ($filtre) { - $filtre = str_replace(":", "=", $filtre); - $sql .= " AND ".$filtre; -} if ($search_all) { $sql .= natural_search(array_keys($fieldstosearchall), $search_all); } diff --git a/htdocs/compta/charges/index.php b/htdocs/compta/charges/index.php index 2661678d411..b238e47c50e 100644 --- a/htdocs/compta/charges/index.php +++ b/htdocs/compta/charges/index.php @@ -30,6 +30,7 @@ require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/compta/tva/class/tva.class.php'; +require_once DOL_DOCUMENT_ROOT.'/compta/tva/class/paymentvat.class.php'; require_once DOL_DOCUMENT_ROOT.'/compta/sociales/class/chargesociales.class.php'; require_once DOL_DOCUMENT_ROOT.'/compta/sociales/class/paymentsocialcontribution.class.php'; require_once DOL_DOCUMENT_ROOT.'/salaries/class/salary.class.php'; @@ -83,6 +84,7 @@ if (!$sortorder) { */ $tva_static = new Tva($db); +$ptva_static = new PaymentVat($db); $socialcontrib = new ChargeSociales($db); $payment_sc_static = new PaymentSocialContribution($db); $sal_static = new Salary($db); @@ -132,7 +134,7 @@ print "
"; if (!empty($conf->tax->enabled) && $user->rights->tax->charges->lire) { // Social contributions only - print load_fiche_titre($langs->trans("SocialContributionsPayments").($year ? ' ('.$langs->trans("Year").' '.$year.')' : ''), '', ''); + print load_fiche_titre($langs->trans("SocialContributions").($year ? ' ('.$langs->trans("Year").' '.$year.')' : ''), '', ''); print ''; print ''; 
@@ -269,22 +271,23 @@ if (!empty($conf->tax->enabled) && $user->rights->tax->charges->lire) { $tva = new Tva($db); - print load_fiche_titre($langs->trans("VATPayments").($year ? ' ('.$langs->trans("Year").' '.$year.')' : ''), '', ''); + print load_fiche_titre($langs->trans("VATDeclarations").($year ? ' ('.$langs->trans("Year").' '.$year.')' : ''), '', ''); - $sql = "SELECT pv.rowid, pv.amount, pv.label, pv.datev as dm, pv.fk_bank,"; + $sql = "SELECT ptva.rowid, pv.rowid as id_tva, pv.amount as amount_tva, ptva.amount, pv.label, pv.datev as dm, ptva.datep as date_payment, ptva.fk_bank,"; $sql .= " pct.code as payment_code,"; $sql .= " ba.rowid as bid, ba.ref as bref, ba.number as bnumber, ba.account_number, ba.fk_accountancy_journal, ba.label as blabel"; $sql .= " FROM ".MAIN_DB_PREFIX."tva as pv"; - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."bank as b ON pv.fk_bank = b.rowid"; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."payment_vat as ptva ON (ptva.fk_tva = pv.rowid)"; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."bank as b ON (ptva.fk_bank = b.rowid)"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."bank_account as ba ON b.fk_account = ba.rowid"; - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_paiement as pct ON pv.fk_typepayment = pct.id"; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_paiement as pct ON ptva.fk_typepaiement = pct.id"; $sql .= " WHERE pv.entity IN (".getEntity("tax").")"; if ($year > 0) { // Si period renseignee on l'utilise comme critere de date, sinon on prend date echeance, // ceci afin d'etre compatible avec les cas ou la periode n'etait pas obligatoire $sql .= " AND pv.datev between '".$db->idate(dol_get_first_day($year, 1, false))."' AND '".$db->idate(dol_get_last_day($year, 12, false))."'"; } - if (preg_match('/^pv\./', $sortfield)) { + if (preg_match('/^pv\./', $sortfield) || preg_match('/^ptva\./', $sortfield)) { $sql .= $db->order($sortfield, $sortorder); } 
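Review bot: With the new `LEFT JOIN payment_vat`, a declaration that has several payments now yields one row per payment, each carrying `pv.amount as amount_tva`; if a total further down sums `amount_tva` across rows, declarations with more than one payment are counted more than once (the accumulation is outside this hunk, so this is inferred and worth checking). The two `preg_match` calls on `$sortfield` can be a single pattern: `if (preg_match('/^(pv|ptva)\./', $sortfield)) {`.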
@@ -298,13 +301,13 @@ if (!empty($conf->tax->enabled) && $user->rights->tax->charges->lire) { print_liste_field_titre("PeriodEndDate", $_SERVER["PHP_SELF"], "pv.datev", "", $param, 'width="140px"', $sortfield, $sortorder); print_liste_field_titre("Label", $_SERVER["PHP_SELF"], "pv.label", "", $param, '', $sortfield, $sortorder); print_liste_field_titre("ExpectedToPay", $_SERVER["PHP_SELF"], "pv.amount", "", $param, 'class="right"', $sortfield, $sortorder); - print_liste_field_titre("RefPayment", $_SERVER["PHP_SELF"], "pv.rowid", "", $param, '', $sortfield, $sortorder); - print_liste_field_titre("DatePayment", $_SERVER["PHP_SELF"], "pv.datev", "", $param, 'align="center"', $sortfield, $sortorder); + print_liste_field_titre("RefPayment", $_SERVER["PHP_SELF"], "ptva.rowid", "", $param, '', $sortfield, $sortorder); + print_liste_field_titre("DatePayment", $_SERVER["PHP_SELF"], "ptva.datep", "", $param, 'align="center"', $sortfield, $sortorder); print_liste_field_titre("Type", $_SERVER["PHP_SELF"], "pct.code", "", $param, '', $sortfield, $sortorder); if (!empty($conf->banque->enabled)) { print_liste_field_titre("Account", $_SERVER["PHP_SELF"], "ba.label", "", $param, "", $sortfield, $sortorder); } - print_liste_field_titre("PayedByThisPayment", $_SERVER["PHP_SELF"], "pv.amount", "", $param, 'class="right"', $sortfield, $sortorder); + print_liste_field_titre("PayedByThisPayment", $_SERVER["PHP_SELF"], "ptva.amount", "", $param, 'class="right"', $sortfield, $sortorder); print "\n"; $var = 1; while ($i < $num) { 
@@ -316,17 +319,19 @@ if (!empty($conf->tax->enabled) && $user->rights->tax->charges->lire) { print ''; print ''."\n"; - print "\n"; + $tva_static->id = $obj->id_tva; + $tva_static->ref = $obj->label; + print "\n"; - print '"; + print '"; // Ref payment - $tva_static->id = $obj->rowid; - $tva_static->ref = $obj->rowid; - print '\n"; + $ptva_static->id = $obj->rowid; + $ptva_static->ref = $obj->rowid; + print '\n"; // Date - print '\n"; + print '\n"; // Type payment print ''; - print ''; + print ''; print ''; print ''; print ''; @@ -440,9 +445,9 @@ while ($j < $numlt) { print '"; // Ref payment - $tva_static->id = $obj->rowid; - $tva_static->ref = $obj->rowid; - print '\n"; + $ptva_static->id = $obj->rowid; + $ptva_static->ref = $obj->rowid; + print '\n"; print '\n"; print '"; diff --git a/htdocs/compta/deplacement/class/deplacementstats.class.php b/htdocs/compta/deplacement/class/deplacementstats.class.php index bb99b477584..64cee98c33b 100644 --- a/htdocs/compta/deplacement/class/deplacementstats.class.php +++ b/htdocs/compta/deplacement/class/deplacementstats.class.php @@ -64,13 +64,13 @@ class DeplacementStats extends Stats $this->where = " fk_statut > 0"; $this->where .= " AND entity = ".$conf->entity; - if ($this->socid) { - $this->where .= " AND fk_soc = ".$this->socid; + if ($this->socid > 0) { + $this->where .= " AND fk_soc = ".((int) $this->socid); } if (is_array($this->userid) && count($this->userid) > 0) { - $this->where .= ' AND fk_user IN ('.join(',', $this->userid).')'; + $this->where .= ' AND fk_user IN ('.$this->db->sanitize(join(',', $this->userid)).')'; } elseif ($this->userid > 0) { - $this->where .= ' AND fk_user = '.$this->userid; + $this->where .= ' AND fk_user = '.((int) $this->userid); } } diff --git a/htdocs/compta/deplacement/index.php b/htdocs/compta/deplacement/index.php index 780835b0c5e..547f0676b7b 100644 --- a/htdocs/compta/deplacement/index.php +++ b/htdocs/compta/deplacement/index.php 
@@ -76,7 +76,7 @@ $sql = "SELECT count(d.rowid) as nb, sum(d.km) as km, d.type";
 $sql .= " FROM ".MAIN_DB_PREFIX."deplacement as d";
 $sql .= " WHERE d.entity = ".$conf->entity;
 if (empty($user->rights->deplacement->readall) && empty($user->rights->deplacement->lire_tous)) {
- $sql .= ' AND d.fk_user IN ('.join(',', $childids).')';
+ $sql .= ' AND d.fk_user IN ('.$db->sanitize(join(',', $childids)).')';
 }
 $sql .= " GROUP BY d.type";
 $sql .= " ORDER BY d.type";
@@ -156,13 +156,13 @@ if (!$user->rights->societe->client->voir && !$user->socid) {
 $sql .= " WHERE u.rowid = d.fk_user";
 $sql .= " AND d.entity = ".$conf->entity;
 if (empty($user->rights->deplacement->readall) && empty($user->rights->deplacement->lire_tous)) {
- $sql .= ' AND d.fk_user IN ('.join(',', $childids).')';
+ $sql .= ' AND d.fk_user IN ('.$db->sanitize(join(',', $childids)).')';
 }
 if (!$user->rights->societe->client->voir && !$user->socid) {
 $sql .= " AND d.fk_soc = s. rowid AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND d.fk_soc = ".$socid;
+ $sql .= " AND d.fk_soc = ".((int) $socid);
 }
 $sql .= $db->order("d.tms", "DESC");
 $sql .= $db->plimit($max, 0);
diff --git a/htdocs/compta/deplacement/list.php b/htdocs/compta/deplacement/list.php
index 46d17c30e96..61d30ea1345 100644
--- a/htdocs/compta/deplacement/list.php
+++ b/htdocs/compta/deplacement/list.php
@@ -102,17 +102,17 @@ if (!$user->rights->societe->client->voir && !$socid) { $sql .= " WHERE d.fk_user = u.rowid"; $sql .= " AND d.entity = ".$conf->entity; if (empty($user->rights->deplacement->readall) && empty($user->rights->deplacement->lire_tous)) { - $sql .= ' AND d.fk_user IN ('.join(',', $childids).')'; + $sql .= ' AND d.fk_user IN ('.$db->sanitize(join(',', $childids)).')'; } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND (sc.fk_user = ".$user->id." OR d.fk_soc IS NULL) "; } if ($socid) { - $sql .= " AND s.rowid = ".$socid; + $sql .= " AND s.rowid = ".((int) $socid); } if ($search_ref) { - $sql .= " AND d.rowid=".$search_ref; + $sql .= " AND d.rowid = ".((int) $search_ref); } if ($search_name) { $sql .= natural_search('u.lastname', $search_name); diff --git a/htdocs/compta/facture/card.php b/htdocs/compta/facture/card.php index 925885e4e7a..fd8a9c1045d 100644 --- a/htdocs/compta/facture/card.php +++ b/htdocs/compta/facture/card.php @@ -2571,7 +2571,7 @@ if (empty($reshook)) { $sql .= ' SET situation_cycle_ref='.$newCycle; $sql .= ' , situation_final=0'; $sql .= ' , situation_counter='.$object->situation_counter; - $sql .= ' WHERE rowid IN ('.implode(',', $linkedCreditNotesList).')'; + $sql .= ' WHERE rowid IN ('.$db->sanitize(implode(',', $linkedCreditNotesList)).')'; $resql = $db->query($sql); if (!$resql) { diff --git a/htdocs/compta/facture/class/api_invoices.class.php b/htdocs/compta/facture/class/api_invoices.class.php index ad44dbe6637..9c224b057ab 100644 --- a/htdocs/compta/facture/class/api_invoices.class.php +++ b/htdocs/compta/facture/class/api_invoices.class.php @@ -191,7 +191,7 @@ class Invoices extends DolibarrApi $sql .= " AND t.fk_soc = sc.fk_soc"; } if ($socids) { - $sql .= " AND t.fk_soc IN (".$socids.")"; + $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")"; } if ($search_sale > 0) { 
diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php index b0690675b53..c3544ba214e 100644 --- a/htdocs/compta/facture/class/facture.class.php +++ b/htdocs/compta/facture/class/facture.class.php @@ -2248,7 +2248,7 @@ class Facture extends CommonInvoice if (count($list_rowid_det)) { $sql = 'UPDATE '.MAIN_DB_PREFIX.'societe_remise_except'; $sql .= ' SET fk_facture = NULL, fk_facture_line = NULL'; - $sql .= ' WHERE fk_facture_line IN ('.join(',', $list_rowid_det).')'; + $sql .= ' WHERE fk_facture_line IN ('.$this->db->sanitize(join(',', $list_rowid_det)).')'; dol_syslog(get_class($this)."::delete", LOG_DEBUG); if (!$this->db->query($sql)) { @@ -4033,7 +4033,7 @@ class Facture extends CommonInvoice $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } if ($socid) { - $sql .= " AND s.rowid = ".$socid; + $sql .= " AND s.rowid = ".((int) $socid); } if ($draft) { $sql .= " AND f.fk_statut = ".self::STATUS_DRAFT; @@ -4158,13 +4158,13 @@ class Facture extends CommonInvoice $sqlSit .= " AND fs.fk_statut in (".self::STATUS_VALIDATED.",".self::STATUS_CLOSED.")"; $sqlSit .= " GROUP BY fs.situation_cycle_ref"; $sqlSit .= " ORDER BY fs.situation_counter"; - $sql .= " AND ( f.type != ".self::TYPE_SITUATION." OR f.rowid IN (".$sqlSit.") )"; // Type non 5 si facture non avoir + $sql .= " AND ( f.type != ".self::TYPE_SITUATION." OR f.rowid IN (".$this->db->sanitize($sqlSit).") )"; // Type non 5 si facture non avoir } else { $sql .= " AND f.type != ".self::TYPE_SITUATION; // Type non 5 si facture non avoir } if ($socid > 0) { - $sql .= " AND f.fk_soc = ".$socid; + $sql .= " AND f.fk_soc = ".((int) $socid); } $sql .= " ORDER BY f.ref"; 
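Review bot: In the `@@ -4158` hunk `$this->db->sanitize($sqlSit)` is applied to a whole subquery (`SELECT … GROUP BY … ORDER BY …` assembled just above); if `sanitize()` strips characters outside a short allow-list, as this commit relies on for id lists, it will remove the spaces, parentheses and operators of that subquery and the `f.rowid IN (…)` clause is no longer valid SQL. The subquery is built from class constants and `MAIN_DB_PREFIX`, not from request data, so it should be concatenated as before, `$sql .= " AND ( f.type != ".self::TYPE_SITUATION." OR f.rowid IN (".$sqlSit.") )";`, with sanitizing reserved for the scalar values that go into it. The enclosing method starts and ends outside the hunk.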
@@ -5367,9 +5367,11 @@ class FactureLigne extends CommonInvoiceLine return -1; } - // if buy price not defined, define buyprice as configured in margin admin + // if buy price not provided, define buyprice as configured in margin admin if ($this->pa_ht == 0 && $pa_ht_isemptystring) { - if (($result = $this->defineBuyPrice($this->subprice, $this->remise_percent, $this->fk_product)) < 0) { + // We call defineBuyPrice only if data was not provided (if input was '0', we will not go here and value will remaine '0') + $result = $this->defineBuyPrice($this->subprice, $this->remise_percent, $this->fk_product); + if ($result < 0) { return $result; } else { $this->pa_ht = $result; @@ -5410,7 +5412,7 @@ class FactureLigne extends CommonInvoiceLine $sql .= ", total_localtax2=".price2num($this->total_localtax2); } $sql .= ", fk_product_fournisseur_price=".(!empty($this->fk_fournprice) ? "'".$this->db->escape($this->fk_fournprice)."'" : "null"); - $sql .= ", buy_price_ht='".price2num($this->pa_ht)."'"; + $sql .= ", buy_price_ht=".(($this->pa_ht || $this->pa_ht === 0 || $this->pa_ht === '0') ? price2num($this->pa_ht) : "null"); // $this->pa_ht should always be defined (set to 0 or to sell price depending on option) $sql .= ", fk_parent_line=".($this->fk_parent_line > 0 ? $this->fk_parent_line : "null"); if (!empty($this->rang)) { $sql .= ", rang=".$this->rang; diff --git a/htdocs/compta/facture/index.php b/htdocs/compta/facture/index.php index 4939fbb6a95..a4d6dd6fec7 100644 --- a/htdocs/compta/facture/index.php +++ b/htdocs/compta/facture/index.php @@ -232,7 +232,7 @@ function getDraftTable($maxCount = 500, $socid = 0) $sql .= " AND f.entity IN (".getEntity('facture').")"; $sql .= " AND f.fk_statut = ".Facture::STATUS_DRAFT; if ($socid) { - $sql .= " AND f.fk_soc = ".$socid; + $sql .= " AND f.fk_soc = ".((int) $socid); } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; 
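Review bot: In the `@@ -5410` hunk the new condition `($this->pa_ht || $this->pa_ht === 0 || $this->pa_ht === '0')` turns a float zero into NULL: `0.0` is falsy, is not identical to int `0` and is not identical to `'0'`, so a buy price of `0.0` (the comment on the same line says pa_ht is set to 0 in one configured case) is written as `null` instead of `0`. A numeric test covers every intended form: `$sql .= ", buy_price_ht=".(is_numeric($this->pa_ht) ? price2num($this->pa_ht) : "null");`. Because the value is now emitted unquoted, this also avoids producing an empty token should `price2num()` ever return `''`. The enclosing method starts and ends outside the hunk.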
@@ -329,7 +329,7 @@ function getLatestEditTable($maxCount = 5, $socid = 0) $sql .= " WHERE f.fk_soc = s.rowid"; $sql .= " AND f.entity IN (".getEntity('facture').")"; if ($socid) { - $sql .= " AND f.fk_soc = ".$socid; + $sql .= " AND f.fk_soc = ".((int) $socid); } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; @@ -432,7 +432,7 @@ function getOpenTable($maxCount = 500, $socid = 0) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } if ($socid) { - $sql .= " AND s.rowid = ".$socid; + $sql .= " AND s.rowid = ".((int) $socid); } $sql .= " ORDER BY f.rowid DESC"; $sql .= $db->plimit($maxCount, 0); diff --git a/htdocs/compta/facture/list.php b/htdocs/compta/facture/list.php index 31365b33b58..6cf770cb79c 100644 --- a/htdocs/compta/facture/list.php +++ b/htdocs/compta/facture/list.php @@ -513,14 +513,7 @@ if ($userid) { if ($userid == -1) { $sql .= ' AND f.fk_user_author IS NULL'; } else { - $sql .= ' AND f.fk_user_author = '.$userid; - } -} -if ($filtre) { - $aFilter = explode(',', $filtre); - foreach ($aFilter as $filter) { - $filt = explode(':', $filter); - $sql .= ' AND '.$db->escape(trim($filt[0])).' = '.$db->escape(trim($filt[1])); + $sql .= ' AND f.fk_user_author = '.((int) $userid); } } if ($search_ref) { diff --git a/htdocs/compta/facture/stats/index.php b/htdocs/compta/facture/stats/index.php index 2818fa5f3b9..96c414db350 100644 --- a/htdocs/compta/facture/stats/index.php +++ b/htdocs/compta/facture/stats/index.php 
@@ -103,16 +103,16 @@ dol_mkdir($dir); $stats = new FactureStats($db, $socid, $mode, ($userid > 0 ? $userid : 0), ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0)); if ($mode == 'customer') { if ($object_status != '' && $object_status >= 0) { - $stats->where .= ' AND f.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; + $stats->where .= ' AND f.fk_statut IN ('.$db->sanitize($object_status).')'; } if (is_array($custcats) && !empty($custcats)) { $stats->from .= ' LEFT JOIN '.MAIN_DB_PREFIX.'categorie_societe as cat ON (f.fk_soc = cat.fk_soc)'; - $stats->where .= ' AND cat.fk_categorie IN ('.implode(',', $custcats).')'; + $stats->where .= ' AND cat.fk_categorie IN ('.$db->sanitize(implode(',', $custcats)).')'; } } if ($mode == 'supplier') { if ($object_status != '' && $object_status >= 0) { - $stats->where .= ' AND f.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; + $stats->where .= ' AND f.fk_statut IN ('.$db->sanitize($object_status).')'; } } diff --git a/htdocs/compta/index.php b/htdocs/compta/index.php index a4c19f4d039..9c3544b512e 100644 --- a/htdocs/compta/index.php +++ b/htdocs/compta/index.php @@ -1208,8 +1208,6 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU print ''; diff --git a/htdocs/compta/localtax/card.php b/htdocs/compta/localtax/card.php index d4091a6df90..451007932d7 100644 --- a/htdocs/compta/localtax/card.php +++ b/htdocs/compta/localtax/card.php @@ -33,6 +33,8 @@ $langs->loadLangs(array('compta', 'banks', 'bills')); $id = GETPOST("id", 'int'); $action = GETPOST("action", "alpha"); +$cancel = GETPOST('cancel'); + $refund = GETPOST("refund", "int"); if (empty($refund)) { $refund = 0; 
@@ -57,18 +59,18 @@ $hookmanager->initHooks(array('localtaxvatcard', 'globalcard')); * Actions */ -if ($_POST["cancel"] == $langs->trans("Cancel") && !$id) { +if ($cancel && !$id) { header("Location: list.php?localTaxType=".$lttype); exit; } -if ($action == 'add' && $_POST["cancel"] <> $langs->trans("Cancel")) { +if ($action == 'add' && $cancel) { $db->begin(); - $datev = dol_mktime(12, 0, 0, $_POST["datevmonth"], $_POST["datevday"], $_POST["datevyear"]); - $datep = dol_mktime(12, 0, 0, $_POST["datepmonth"], $_POST["datepday"], $_POST["datepyear"]); + $datev = dol_mktime(12, 0, 0, GETPOST("datevmonth"), GETPOST("datevday"), GETPOST("datevyear")); + $datep = dol_mktime(12, 0, 0, GETPOST("datepmonth"), GETPOST("datepday"), GETPOST("datepyear")); - $object->accountid = GETPOST("accountid"); + $object->accountid = GETPOST("accountid", 'int'); $object->paymenttype = GETPOST("paiementtype"); $object->datev = $datev; $object->datep = $datep; @@ -165,14 +167,14 @@ if ($action == 'create') { print ''; // Label - print ''; + print ''; // Amount print ''; if (!empty($conf->banque->enabled)) { print ''; print ''; - print '
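Review bot: The second condition is inverted: the old code ran the `add` branch when the Cancel button was not pressed (`$_POST["cancel"] <> $langs->trans("Cancel")`), but the new `if ($action == 'add' && $cancel)` runs it only when cancel is set, so a normal submit no longer creates anything and pressing Cancel falls through into the create path whenever `$id` is set and the first redirect does not fire. It should read `if ($action == 'add' && !$cancel) {`. The first hunk's `if ($cancel && !$id)` is correct as written.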
'.dol_print_date($db->jdate($obj->dm), 'day').'".$obj->label."".$tva_static->getNomUrl(1)."'.price($obj->amount)."'.price($obj->amount_tva)."'.$tva_static->getNomUrl(1)."'.$ptva_static->getNomUrl(1)."'.dol_print_date($db->jdate($obj->dm), 'day')."'.dol_print_date($db->jdate($obj->date_payment), 'day')."'; @@ -360,7 +365,7 @@ if (!empty($conf->tax->enabled) && $user->rights->tax->charges->lire) { $i++; } print '
'.$langs->trans("Total").''.price($total).'    '.price($obj->amount)."'.$tva_static->getNomUrl(1)."'.$ptva_static->getNomUrl(1)."'.dol_print_date($db->jdate($obj->dp), 'day')."'.price($obj->amount)."'; print $langs->trans("BillsSuppliersUnpaid", $num).' '; print ''; - // TODO: "impayees.php" looks very outdatetd and should be set to deprecated or directly remove in the next version - // print ''.$num.''; print ''; print '
'.$langs->trans("Label").'transcountry(($lttype == 2 ? "LT2Payment" : "LT1Payment"), $mysoc->country_code)).'">
'.$langs->trans("Label").'transcountry(($lttype == 2 ? "LT2Payment" : "LT1Payment"), $mysoc->country_code)).'">
'.$langs->trans("Amount").'
'.$langs->trans("Account").''; - $form->select_comptes($_POST["accountid"], "accountid", 0, "courant=1", 2); // Affiche liste des comptes courant + $form->select_comptes(GETPOST("accountid", "int"), "accountid", 0, "courant=1", 2); // Affiche liste des comptes courant print '
'.$langs->trans("PaymentMode").''; diff --git a/htdocs/compta/paiement/cheque/card.php b/htdocs/compta/paiement/cheque/card.php index 847dae1bc29..86153e4b38d 100644 --- a/htdocs/compta/paiement/cheque/card.php +++ b/htdocs/compta/paiement/cheque/card.php @@ -117,9 +117,9 @@ if ($action == 'setref' && $user->rights->banque->cheque) { } } -if ($action == 'create' && $_POST["accountid"] > 0 && $user->rights->banque->cheque) { +if ($action == 'create' && GETPOST("accountid", "int") > 0 && $user->rights->banque->cheque) { if (is_array($_POST['toRemise'])) { - $result = $object->create($user, $_POST["accountid"], 0, $_POST['toRemise']); + $result = $object->create($user, GETPOST("accountid", "int"), 0, GETPOST('toRemise')); if ($result > 0) { if ($object->statut == 1) { // If statut is validated, we build doc $object->fetch($object->id); // To force to reload all properties in correct property name @@ -134,7 +134,7 @@ if ($action == 'create' && $_POST["accountid"] > 0 && $user->rights->banque->che $outputlangs = new Translate("", $conf); $outputlangs->setDefaultLang($newlang); } - $result = $object->generatePdf($_POST["model"], $outputlangs); + $result = $object->generatePdf(GETPOST("model"), $outputlangs); } header("Location: ".$_SERVER["PHP_SELF"]."?id=".$object->id); @@ -227,7 +227,7 @@ if ($action == 'builddoc' && $user->rights->banque->cheque) { $outputlangs = new Translate("", $conf); $outputlangs->setDefaultLang($newlang); } - $result = $object->generatePdf($_POST["model"], $outputlangs); + $result = $object->generatePdf(GETPOST("model"), $outputlangs); if ($result <= 0) { dol_print_error($db, $object->error); exit; diff --git a/htdocs/compta/paiement/class/paiement.class.php b/htdocs/compta/paiement/class/paiement.class.php index 42b05f39263..9dcc57a47f2 100644 --- a/htdocs/compta/paiement/class/paiement.class.php +++ b/htdocs/compta/paiement/class/paiement.class.php 
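Review bot: In the cheque/card.php `@@ -117` hunk, `is_array($_POST['toRemise'])` still reads the superglobal while the next line switches to `GETPOST('toRemise')`, so the guard and the value it guards can disagree on what they checked. Read it once with the array check type and use it for both: `$toRemise = GETPOST('toRemise', 'array');`, `if (is_array($toRemise) && count($toRemise) > 0) {`, `$result = $object->create($user, GETPOST("accountid", "int"), 0, $toRemise);`. `GETPOST("model")` in the two `generatePdf` hunks names a document template and would likewise benefit from the `'alpha'` check type.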
@@ -171,9 +171,9 @@ class Paiement extends CommonObject if ($id > 0) { $sql .= ' AND p.rowid = '.((int) $id); } elseif ($ref) { - $sql .= " AND p.ref = '".$ref."'"; + $sql .= " AND p.ref = '".$this->db->escape($ref)."'"; } elseif ($fk_bank) { - $sql .= ' AND p.fk_bank = '.$fk_bank; + $sql .= ' AND p.fk_bank = '.((int) $fk_bank); } $resql = $this->db->query($sql); @@ -1127,9 +1127,10 @@ class Paiement extends CommonObject * @param string $option Sur quoi pointe le lien * @param string $mode 'withlistofinvoices'=Include list of invoices into tooltip * @param int $notooltip 1=Disable tooltip + * @param string $morecss Add more CSS * @return string Chaine avec URL */ - public function getNomUrl($withpicto = 0, $option = '', $mode = 'withlistofinvoices', $notooltip = 0) + public function getNomUrl($withpicto = 0, $option = '', $mode = 'withlistofinvoices', $notooltip = 0, $morecss = '') { global $conf, $langs; @@ -1166,7 +1167,7 @@ class Paiement extends CommonObject $linkclose = ''; if (empty($notooltip)) { if (!empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER)) { - $label = $langs->trans("ShowMyObject"); + $label = $langs->trans("Payment"); $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; } $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"'; diff --git a/htdocs/compta/paiement/list.php b/htdocs/compta/paiement/list.php index 269acd29600..75c63620b0b 100644 --- a/htdocs/compta/paiement/list.php +++ b/htdocs/compta/paiement/list.php @@ -200,13 +200,13 @@ if (GETPOST("orphelins", "alpha")) { $sql .= " AND sc.fk_user = ".$user->id; } if ($socid > 0) { - $sql .= " AND f.fk_soc = ".$socid; + $sql .= " AND f.fk_soc = ".((int) $socid); } if ($userid) { if ($userid == -1) { $sql .= " AND f.fk_user_author IS NULL"; } else { - $sql .= " AND f.fk_user_author = ".$userid; + $sql .= " AND f.fk_user_author = ".((int) $userid); } } 
@@ -216,7 +216,7 @@ if (GETPOST("orphelins", "alpha")) { $sql .= natural_search('p.ref', $search_ref); } if ($search_account > 0) { - $sql .= " AND b.fk_account=".$search_account; + $sql .= " AND b.fk_account=".((int) $search_account); } if ($search_paymenttype != '') { $sql .= " AND c.code='".$db->escape($search_paymenttype)."'"; diff --git a/htdocs/compta/paiement/rapport.php b/htdocs/compta/paiement/rapport.php index 139188c7c1b..ba8c9b2a82f 100644 --- a/htdocs/compta/paiement/rapport.php +++ b/htdocs/compta/paiement/rapport.php @@ -70,14 +70,14 @@ if ($action == 'builddoc') { // We save charset_output to restore it because write_file can change it if needed for // output format that does not support UTF8. $sav_charset_output = $outputlangs->charset_output; - if ($rap->write_file($dir, $_POST["remonth"], $_POST["reyear"], $outputlangs) > 0) { + if ($rap->write_file($dir, GETPOST("remonth", "int"), GETPOST("reyear", "int"), $outputlangs) > 0) { $outputlangs->charset_output = $sav_charset_output; } else { $outputlangs->charset_output = $sav_charset_output; dol_print_error($db, $obj->error); } - $year = $_POST["reyear"]; + $year = GETPOST("reyear", "int"); } diff --git a/htdocs/compta/paiement_charge.php b/htdocs/compta/paiement_charge.php index bc79ff07d47..e796f039f80 100644 --- a/htdocs/compta/paiement_charge.php +++ b/htdocs/compta/paiement_charge.php @@ -32,6 +32,8 @@ $langs->load("bills"); $chid = GETPOST("id", 'int'); $action = GETPOST('action', 'aZ09'); +$cancel = GETPOST('cancel'); + $amounts = array(); // Security check 
@@ -50,15 +52,15 @@ $charge = new ChargeSociales($db); if ($action == 'add_payment' || ($action == 'confirm_paiement' && $confirm == 'yes')) { $error = 0; - if ($_POST["cancel"]) { + if ($cancel) { $loc = DOL_URL_ROOT.'/compta/sociales/card.php?id='.$chid; header("Location: ".$loc); exit; } - $datepaye = dol_mktime(12, 0, 0, $_POST["remonth"], $_POST["reday"], $_POST["reyear"]); + $datepaye = dol_mktime(12, 0, 0, GETPOST("remonth", "int"), GETPOST("reday", "int"), GETPOST("reyear", "int")); - if (!$_POST["paiementtype"] > 0) { + if (!(GETPOST("paiementtype") > 0)) { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentities("PaymentMode")), null, 'errors'); $error++; $action = 'create'; @@ -68,7 +70,7 @@ if ($action == 'add_payment' || ($action == 'confirm_paiement' && $confirm == 'y $error++; $action = 'create'; } - if (!empty($conf->banque->enabled) && !($_POST["accountid"] > 0)) { + if (!empty($conf->banque->enabled) && !(GETPOST("accountid") > 0)) { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentities("AccountToCredit")), null, 'errors'); $error++; $action = 'create'; diff --git a/htdocs/compta/paiement_vat.php b/htdocs/compta/paiement_vat.php index c05e11c554c..7fc81e5ac27 100644 --- a/htdocs/compta/paiement_vat.php +++ b/htdocs/compta/paiement_vat.php @@ -33,6 +33,8 @@ $langs->loadLangs(array("banks", "bills")); $chid = GETPOST("id", 'int'); $action = GETPOST('action', 'alpha'); +$cancel = GETPOST('cancel'); + $amounts = array(); // Security check @@ -49,7 +51,7 @@ if ($user->socid > 0) { if ($action == 'add_payment' || ($action == 'confirm_paiement' && $confirm == 'yes')) { $error = 0; - if ($_POST["cancel"]) { + if ($cancel) { $loc = DOL_URL_ROOT.'/compta/tva/card.php?id='.$chid; header("Location: ".$loc); exit; 
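Review bot: `!(GETPOST("paiementtype") > 0)` compares a string with an integer; on PHP 8 a non-numeric string is compared with `0` as strings, so a value such as `abc` satisfies `> 0` and slips past the required-field check, and the same applies to `GETPOST("accountid") > 0` in the `@@ -68` hunk. Use the integer check type as the paiement/cheque/card.php hunk does: `if (!(GETPOST("paiementtype", "int") > 0)) {` and `if (!empty($conf->banque->enabled) && !(GETPOST("accountid", "int") > 0)) {`.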
@@ -73,23 +75,23 @@ if ($action == 'add_payment' || ($action == 'confirm_paiement' && $confirm == 'y $action = 'create'; } + // Read possible payments + foreach ($_POST as $key => $value) { + if (substr($key, 0, 7) == 'amount_') { + $other_chid = substr($key, 7); + $amounts[$other_chid] = price2num(GETPOST($key)); + } + } + + if ($amounts[key($amounts)] <= 0) { + $error++; + setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentities("Amount")), null, 'errors'); + $action = 'create'; + } + if (!$error) { $paymentid = 0; - // Read possible payments - foreach ($_POST as $key => $value) { - if (substr($key, 0, 7) == 'amount_') { - $other_chid = substr($key, 7); - $amounts[$other_chid] = price2num(GETPOST($key)); - } - } - - if (count($amounts) <= 0) { - $error++; - setEventMessages($langs->trans("ErrorNoPaymentDefined"), null, 'errors'); - $action = 'create'; - } - if (!$error) { $db->begin(); diff --git a/htdocs/compta/paymentbybanktransfer/index.php b/htdocs/compta/paymentbybanktransfer/index.php index 92bc7ec6ff8..a705353112c 100644 --- a/htdocs/compta/paymentbybanktransfer/index.php +++ b/htdocs/compta/paymentbybanktransfer/index.php @@ -115,7 +115,7 @@ if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } if ($socid) { - $sql .= " AND f.fk_soc = ".$socid; + $sql .= " AND f.fk_soc = ".((int) $socid); } $resql = $db->query($sql); diff --git a/htdocs/compta/prelevement/card.php b/htdocs/compta/prelevement/card.php index 24ea982f01b..d04e7131edc 100644 --- a/htdocs/compta/prelevement/card.php +++ b/htdocs/compta/prelevement/card.php 
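Review bot: The moved amount check `if ($amounts[key($amounts)] <= 0)` has no guard for an empty `$amounts`: when no `amount_*` field was posted, `key($amounts)` is null and the lookup raises an undefined-index notice, while the old `count($amounts) <= 0` branch with the `ErrorNoPaymentDefined` message has been dropped. `if (empty($amounts) || $amounts[key($amounts)] <= 0) {` restores the empty-form case with the same error path. The keys of `$amounts` come from the posted field names (`substr($key, 7)`); if they are used as ids further down the file, casting `$other_chid` to `(int)` here would match the rest of this commit. The enclosing block continues after the hunk.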
@@ -351,12 +351,12 @@ if ($id > 0 || $ref) { $sql .= " FROM ".MAIN_DB_PREFIX."prelevement_lignes as pl"; $sql .= ", ".MAIN_DB_PREFIX."prelevement_bons as pb"; $sql .= ", ".MAIN_DB_PREFIX."societe as s"; - $sql .= " WHERE pl.fk_prelevement_bons = ".$id; + $sql .= " WHERE pl.fk_prelevement_bons = ".((int) $id); $sql .= " AND pl.fk_prelevement_bons = pb.rowid"; $sql .= " AND pb.entity = ".$conf->entity; $sql .= " AND pl.fk_soc = s.rowid"; if ($socid) { - $sql .= " AND s.rowid = ".$socid; + $sql .= " AND s.rowid = ".((int) $socid); } $sql .= $db->order($sortfield, $sortorder); diff --git a/htdocs/compta/prelevement/create.php b/htdocs/compta/prelevement/create.php index deb5fe2fcd5..e12c50b75f5 100644 --- a/htdocs/compta/prelevement/create.php +++ b/htdocs/compta/prelevement/create.php @@ -319,7 +319,7 @@ if ($type == 'bank-transfer') { $sql .= " AND pfd.fk_facture = f.rowid"; } if ($socid > 0) { - $sql .= " AND f.fk_soc = ".$socid; + $sql .= " AND f.fk_soc = ".((int) $socid); } $nbtotalofrecords = ''; diff --git a/htdocs/compta/prelevement/demandes.php b/htdocs/compta/prelevement/demandes.php index 9d0fa17d246..266097f7a2d 100644 --- a/htdocs/compta/prelevement/demandes.php +++ b/htdocs/compta/prelevement/demandes.php @@ -141,14 +141,14 @@ if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } if ($socid) { - $sql .= " AND f.fk_soc = ".$socid; + $sql .= " AND f.fk_soc = ".((int) $socid); } if (!$status) { $sql .= " AND pfd.traite = 0"; } $sql .= " AND pfd.ext_payment_id IS NULL"; if ($status) { - $sql .= " AND pfd.traite = ".$status; + $sql .= " AND pfd.traite = ".((int) $status); } $sql .= " AND f.total_ttc > 0"; if (empty($conf->global->WITHDRAWAL_ALLOW_ANY_INVOICE_STATUS)) { diff --git a/htdocs/compta/prelevement/factures.php b/htdocs/compta/prelevement/factures.php index 301a5c7808c..23511a4a00a 100644 --- a/htdocs/compta/prelevement/factures.php +++ b/htdocs/compta/prelevement/factures.php 
@@ -195,10 +195,10 @@ if ($object->type != 'bank-transfer') { $sql .= " AND f.entity IN (".getEntity('supplier_invoice').")"; } if ($object->id > 0) { - $sql .= " AND p.rowid=".$object->id; + $sql .= " AND p.rowid = ".((int) $object->id); } if ($socid) { - $sql .= " AND s.rowid = ".$socid; + $sql .= " AND s.rowid = ".((int) $socid); } $sql .= $db->order($sortfield, $sortorder); diff --git a/htdocs/compta/prelevement/fiche-rejet.php b/htdocs/compta/prelevement/fiche-rejet.php index 62c3c4849f8..9a4f209e134 100644 --- a/htdocs/compta/prelevement/fiche-rejet.php +++ b/htdocs/compta/prelevement/fiche-rejet.php @@ -177,7 +177,7 @@ $sql .= " AND pl.fk_soc = s.rowid"; $sql .= " AND pl.statut = 3 "; $sql .= " AND pr.fk_prelevement_lignes = pl.rowid"; if ($socid) { - $sql .= " AND s.rowid = ".$socid; + $sql .= " AND s.rowid = ".((int) $socid); } $sql .= " ORDER BY pl.amount DESC"; diff --git a/htdocs/compta/prelevement/index.php b/htdocs/compta/prelevement/index.php index 2da8e1f0812..6e537159721 100644 --- a/htdocs/compta/prelevement/index.php +++ b/htdocs/compta/prelevement/index.php @@ -115,7 +115,7 @@ if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } if ($socid) { - $sql .= " AND f.fk_soc = ".$socid; + $sql .= " AND f.fk_soc = ".((int) $socid); } $resql = $db->query($sql); diff --git a/htdocs/compta/prelevement/line.php b/htdocs/compta/prelevement/line.php index 68ca3795fe3..73c985355b1 100644 --- a/htdocs/compta/prelevement/line.php +++ b/htdocs/compta/prelevement/line.php @@ -262,9 +262,9 @@ if ($id) { $sql .= " AND f.fk_soc = s.rowid"; $sql .= " AND pf.fk_facture = f.rowid"; $sql .= " AND f.entity IN (".getEntity('invoice').")"; - $sql .= " AND pl.rowid=".$id; + $sql .= " AND pl.rowid = ".((int) $id); if ($socid) { - $sql .= " AND s.rowid = ".$socid; + $sql .= " AND s.rowid = ".((int) $socid); } $sql .= " ORDER BY $sortfield $sortorder "; $sql .= $db->plimit($conf->liste_limit + 1, $offset); 
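Review bot: In the line.php hunk at `@@ -262,9 +262,9 @@`, the context line `$sql .= " ORDER BY $sortfield $sortorder ";` still interpolates the sort column and direction straight into the query, while the sibling hunks of this commit (prelevement/card.php, factures.php) go through `$db->order($sortfield, $sortorder)`. If `$sortfield`/`$sortorder` are read from the request earlier in the file, as is usual for these list pages, the `(int)` casts added on the lines above leave this clause as the remaining unchecked input; `$sql .= $db->order($sortfield, $sortorder);` brings it in line with the other files. The enclosing `if ($id)` block starts before the hunk.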
diff --git a/htdocs/compta/resultat/index.php b/htdocs/compta/resultat/index.php index e5b86ba762e..272d6808b32 100644 --- a/htdocs/compta/resultat/index.php +++ b/htdocs/compta/resultat/index.php @@ -347,7 +347,7 @@ if (!empty($conf->facture->enabled) && ($modecompta == 'CREANCES-DETTES' || $mod $sql .= " AND f.entity = ".$conf->entity; if ($socid) { - $sql .= " AND f.fk_soc = ".$socid; + $sql .= " AND f.fk_soc = ".((int) $socid); } $sql .= " GROUP BY dm"; diff --git a/htdocs/compta/resultat/result.php b/htdocs/compta/resultat/result.php index 91932100565..8ef75bf5846 100644 --- a/htdocs/compta/resultat/result.php +++ b/htdocs/compta/resultat/result.php @@ -281,7 +281,7 @@ if ($modecompta == 'CREANCES-DETTES') { if (! empty($date_start) && ! empty($date_end)) $sql.= " AND t.doc_date >= '".$db->idate($date_start)."' AND t.doc_date <= '".$db->idate($date_end)."'"; if (! empty($month)) { - $sql .= " AND MONTH(t.doc_date) = " . $month; + $sql .= " AND MONTH(t.doc_date) = " . ((int) $month); } $resql = $db->query($sql); if ($resql) diff --git a/htdocs/compta/sociales/card.php b/htdocs/compta/sociales/card.php index 83a6a8f3b3a..c26c62fb7ed 100644 --- a/htdocs/compta/sociales/card.php +++ b/htdocs/compta/sociales/card.php @@ -180,7 +180,7 @@ if ($action == 'add' && $user->rights->tax->charges->creer) { } -if ($action == 'update' && !$_POST["cancel"] && $user->rights->tax->charges->creer) { +if ($action == 'update' && !GETPOST("cancel") && $user->rights->tax->charges->creer) { $amount = price2num(GETPOST('amount'), 'MT'); if (!$dateech) { diff --git a/htdocs/compta/sociales/list.php b/htdocs/compta/sociales/list.php index dff6a887f0f..48c6936a225 100644 --- a/htdocs/compta/sociales/list.php +++ b/htdocs/compta/sociales/list.php 
@@ -209,10 +209,6 @@ if ($year > 0) { $sql .= "OR (cs.periode IS NULL AND date_format(cs.date_ech, '%Y') = '".$db->escape($year)."')"; $sql .= ")"; } -if ($filtre) { - $filtre = str_replace(":", "=", $filtre); - $sql .= " AND ".$filtre; -} if ($search_typeid) { $sql .= " AND cs.fk_type=".$db->escape($search_typeid); } diff --git a/htdocs/compta/stats/cabyprodserv.php b/htdocs/compta/stats/cabyprodserv.php index 25d9d4b9460..4ecbe6d56d0 100644 --- a/htdocs/compta/stats/cabyprodserv.php +++ b/htdocs/compta/stats/cabyprodserv.php @@ -323,9 +323,9 @@ if ($modecompta == 'CREANCES-DETTES') { $sql .= " AND (p.rowid IN "; $sql .= " (SELECT fk_product FROM ".MAIN_DB_PREFIX."categorie_product cp WHERE "; if ($subcat) { - $sql .= "cp.fk_categorie IN (".$listofcatsql.")"; + $sql .= "cp.fk_categorie IN (".$db->sanitize($listofcatsql).")"; } else { - $sql .= "cp.fk_categorie = ".$selected_cat; + $sql .= "cp.fk_categorie = ".((int) $selected_cat); } $sql .= "))"; } diff --git a/htdocs/compta/tva/card.php b/htdocs/compta/tva/card.php index 1aaf8c60748..fdb1e3336df 100755 --- a/htdocs/compta/tva/card.php +++ b/htdocs/compta/tva/card.php @@ -41,6 +41,7 @@ $langs->loadLangs(array('compta', 'banks', 'bills')); $id = GETPOST("id", 'int'); $action = GETPOST("action", "alpha"); +$cancel = GETPOST('cancel'); $confirm = GETPOST('confirm'); $refund = GETPOST("refund", "int"); if (GETPOSTISSET('auto_create_paiement') || $action === 'add') { @@ -74,7 +75,7 @@ $hookmanager->initHooks(array('taxvatcard', 'globalcard')); * Actions */ -if ($_POST["cancel"] == $langs->trans("Cancel") && !$id) { +if ($cancel && !$id) { header("Location: list.php"); exit; } @@ -135,7 +136,7 @@ if ($action == 'reopen' && $user->rights->tax->charges->creer) { } } -if ($action == 'add' && $_POST["cancel"] <> $langs->trans("Cancel")) { +if ($action == 'add' && $cancel) { $error = 0; $object->fk_account = GETPOST("accountid", 'int'); 
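Review bot: The condition rewritten at `@@ -135,7 +136,7 @@` in tva/card.php is inverted: the old test `$_POST["cancel"] <> $langs->trans("Cancel")` ran the `add` action when the Cancel button was NOT pressed, but the new `if ($action == 'add' && $cancel)` runs it only when `cancel` IS set, so a normal submit no longer creates the record and pressing Cancel does. It should read `if ($action == 'add' && !$cancel) {`, mirroring the `if ($cancel && !$id)` early return added at `@@ -74,7 +75,7 @@`. The body of the `add` action continues after the hunk.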
@@ -260,7 +261,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') { } } -if ($action == 'update' && !$_POST["cancel"] && $user->rights->tax->charges->creer) { +if ($action == 'update' && !GETPOST("cancel") && $user->rights->tax->charges->creer) { $amount = price2num(GETPOST('amount')); if (empty($amount)) { @@ -461,16 +462,14 @@ if ($action == 'create') { $reshook = $hookmanager->executeHooks('formObjectOptions', $parameters, $object, $action); // Note that $action and $object may have been modified by hook print $hookmanager->resPrint; - // Bouton Save payment - print '
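Review bot: The `update` condition at `@@ -260,7 +261,7 @@` still calls `GETPOST("cancel")` inline although `$cancel = GETPOST('cancel');` is now defined at the top of this file by the same commit, so the page reads the parameter in two ways. `if ($action == 'update' && !$cancel && $user->rights->tax->charges->creer) {` keeps the behaviour and uses the variable the other conditions in this file now rely on.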
'; - print $langs->trans("ClosePaidVATAutomatically"); - print '
'; print dol_get_fiche_end(); print '
'; + print ''; + print ' '.$langs->trans("ClosePaidVATAutomatically").''; + print '
'; print ''; print '     '; print ''; diff --git a/htdocs/compta/tva/clients.php b/htdocs/compta/tva/clients.php index 7ec5ad5b4f1..5b990258672 100644 --- a/htdocs/compta/tva/clients.php +++ b/htdocs/compta/tva/clients.php 
@@ -43,71 +43,7 @@ require_once DOL_DOCUMENT_ROOT.'/expensereport/class/paymentexpensereport.class. // Load translation files required by the page $langs->loadLangs(array("other", "compta", "banks", "bills", "companies", "product", "trips", "admin")); - -$now = dol_now(); -$current_date = dol_getdate($now); -if (empty($conf->global->SOCIETE_FISCAL_MONTH_START)) { - $conf->global->SOCIETE_FISCAL_MONTH_START = 1; -} - -// Date range -$year = GETPOST("year", "int"); -if (empty($year)) { - $year_current = $current_date['year']; - $year_start = $year_current; -} else { - $year_current = $year; - $year_start = $year; -} -$date_start = dol_mktime(0, 0, 0, GETPOST("date_startmonth"), GETPOST("date_startday"), GETPOST("date_startyear")); -$date_end = dol_mktime(23, 59, 59, GETPOST("date_endmonth"), GETPOST("date_endday"), GETPOST("date_endyear")); -// Set default period if not defined -if (empty($date_start) || empty($date_end)) { // We define date_start and date_end - $q = GETPOST("q", "int"); - if (empty($q)) { - if (GETPOST("month", 'int')) { - $date_start = dol_get_first_day($year_start, GETPOST("month", 'int'), false); - $date_end = dol_get_last_day($year_start, GETPOST("month", 'int'), false); - } else { - if (empty($conf->global->MAIN_INFO_VAT_RETURN) || $conf->global->MAIN_INFO_VAT_RETURN == 2) { // quaterly vat, we take last past complete quarter - $date_start = dol_time_plus_duree(dol_get_first_day($year_start, $current_date['mon'], false), -3 - (($current_date['mon'] - $conf->global->SOCIETE_FISCAL_MONTH_START) % 3), 'm'); - $date_end = dol_time_plus_duree($date_start, 3, 'm') - 1; - } elseif ($conf->global->MAIN_INFO_VAT_RETURN == 3) { // yearly vat - if ($current_date['mon'] < $conf->global->SOCIETE_FISCAL_MONTH_START) { - if (($conf->global->SOCIETE_FISCAL_MONTH_START - $current_date['mon']) > 6) { // If period started from less than 6 years, we show past year - $year_start--; - } - } else { - if (($current_date['mon'] - 
$conf->global->SOCIETE_FISCAL_MONTH_START) < 6) { // If perdio started from less than 6 years, we show past year - $year_start--; - } - } - $date_start = dol_get_first_day($year_start, $conf->global->SOCIETE_FISCAL_MONTH_START, false); - $date_end = dol_time_plus_duree($date_start, 1, 'y') - 1; - } elseif ($conf->global->MAIN_INFO_VAT_RETURN == 1) { // monthly vat, we take last past complete month - $date_start = dol_time_plus_duree(dol_get_first_day($year_start, $current_date['mon'], false), -1, 'm'); - $date_end = dol_time_plus_duree($date_start, 1, 'm') - 1; - } - } - } else { - if ($q == 1) { - $date_start = dol_get_first_day($year_start, 1, false); - $date_end = dol_get_last_day($year_start, 3, false); - } - if ($q == 2) { - $date_start = dol_get_first_day($year_start, 4, false); - $date_end = dol_get_last_day($year_start, 6, false); - } - if ($q == 3) { - $date_start = dol_get_first_day($year_start, 7, false); - $date_end = dol_get_last_day($year_start, 9, false); - } - if ($q == 4) { - $date_start = dol_get_first_day($year_start, 10, false); - $date_end = dol_get_last_day($year_start, 12, false); - } - } -} +include DOL_DOCUMENT_ROOT.'/compta/tva/initdatesforvat.inc.php'; $min = price2num(GETPOST("min", "alpha")); if (empty($min)) { @@ -116,16 +52,16 @@ if (empty($min)) { // Define modetax (0 or 1) // 0=normal, 1=option vat for services is on debit, 2=option on payments for products -$modetax = $conf->global->TAX_MODE; +$modetax = (empty($conf->global->TAX_MODE) ? 0 : $conf->global->TAX_MODE); if (GETPOSTISSET("modetax")) { - $modetax = GETPOST("modetax", 'int'); + $modetax = GETPOSTINT("modetax"); } if (empty($modetax)) { $modetax = 0; } // Security check -$socid = GETPOST('socid', 'int'); +$socid = GETPOSTINT('socid'); if ($user->socid) { $socid = $user->socid; } 
@@ -184,7 +120,7 @@ if ($modetax == 2) { $calcmode .= ' ('.$langs->trans("TaxModuleSetupToModifyRules", DOL_URL_ROOT.'/admin/taxes.php').')'; // Set period $period = $form->selectDate($date_start, 'date_start', 0, 0, 0, '', 1, 0).' - '.$form->selectDate($date_end, 'date_end', 0, 0, 0, '', 1, 0); -$prevyear = $year_start; +$prevyear = $date_start_year; $prevquarter = $q; if ($prevquarter > 1) { $prevquarter--; @@ -192,7 +128,7 @@ if ($prevquarter > 1) { $prevquarter = 4; $prevyear--; } -$nextyear = $year_start; +$nextyear = $date_start_year; $nextquarter = $q; if ($nextquarter < 4) { $nextquarter++; @@ -262,6 +198,10 @@ $y = $year_current; $total = 0; $i = 0; $columns = 5; +$span = $columns; +if ($modetax != 1) { + $span += 2; +} // Load arrays of datas $x_coll = tax_by_thirdparty('vat', $db, 0, $date_start, $date_end, $modetax, 'sell'); 
@@ -290,14 +230,33 @@ if (!is_array($x_coll) || !is_array($x_paye)) { $invoice_customer->id = $x_coll[$my_coll_thirdpartyid]['facid'][$id]; $invoice_customer->ref = $x_coll[$my_coll_thirdpartyid]['facnum'][$id]; $invoice_customer->type = $x_coll[$my_coll_thirdpartyid]['type'][$id]; - $company_static->fetch($x_coll[$my_coll_thirdpartyid]['company_id'][$id]); + + //$company_static->fetch($x_coll[$my_coll_thirdpartyid]['company_id'][$id]); + $company_static->id = $x_coll[$my_coll_thirdpartyid]['company_id'][$id]; + $company_static->name = $x_coll[$my_coll_thirdpartyid]['company_name'][$id]; + $company_static->name_alias = $x_coll[$my_coll_thirdpartyid]['company_alias'][$id]; + $company_static->email = $x_coll[$my_coll_thirdpartyid]['company_email'][$id]; + $company_static->tva_intra = $x_coll[$my_coll_thirdpartyid]['tva_intra'][$id]; + $company_static->client = $x_coll[$my_coll_thirdpartyid]['company_client'][$id]; + $company_static->fournisseur = $x_coll[$my_coll_thirdpartyid]['company_fournisseur'][$id]; + $company_static->status = $x_coll[$my_coll_thirdpartyid]['company_status'][$id]; + $company_static->code_client = $x_coll[$my_coll_thirdpartyid]['company_customer_code'][$id]; + $company_static->code_compta_client = $x_coll[$my_coll_thirdpartyid]['company_customer_accounting_code'][$id]; + $company_static->code_fournisseur = $x_coll[$my_coll_thirdpartyid]['company_supplier_code'][$id]; + $company_static->code_compta_fournisseur = $x_coll[$my_coll_thirdpartyid]['company_supplier_accounting_code'][$id]; + $x_both[$my_coll_thirdpartyid]['coll']['detail'][] = array( 'id' =>$x_coll[$my_coll_thirdpartyid]['facid'][$id], 'descr' =>$x_coll[$my_coll_thirdpartyid]['descr'][$id], + 'pid' =>$x_coll[$my_coll_thirdpartyid]['pid'][$id], 'pref' =>$x_coll[$my_coll_thirdpartyid]['pref'][$id], 'ptype' =>$x_coll[$my_coll_thirdpartyid]['ptype'][$id], + 'pstatus' =>$x_paye[$my_coll_thirdpartyid]['pstatus'][$id], + 'pstatusbuy'=>$x_paye[$my_coll_thirdpartyid]['pstatusbuy'][$id], + 
'payment_id'=>$x_coll[$my_coll_thirdpartyid]['payment_id'][$id], + 'payment_ref'=>$x_coll[$my_coll_thirdpartyid]['payment_ref'][$id], 'payment_amount'=>$x_coll[$my_coll_thirdpartyid]['payment_amount'][$id], 'ftotal_ttc'=>$x_coll[$my_coll_thirdpartyid]['ftotal_ttc'][$id], 'dtotal_ttc'=>$x_coll[$my_coll_thirdpartyid]['dtotal_ttc'][$id], @@ -305,7 +264,9 @@ if (!is_array($x_coll) || !is_array($x_paye)) { 'drate' =>$x_coll[$my_coll_thirdpartyid]['drate'][$id], 'datef' =>$x_coll[$my_coll_thirdpartyid]['datef'][$id], 'datep' =>$x_coll[$my_coll_thirdpartyid]['datep'][$id], + 'company_link'=>$company_static->getNomUrl(1, '', 20), + 'ddate_start'=>$x_coll[$my_coll_thirdpartyid]['ddate_start'][$id], 'ddate_end' =>$x_coll[$my_coll_thirdpartyid]['ddate_end'][$id], 'totalht' =>$x_coll[$my_coll_thirdpartyid]['totalht_list'][$id], @@ -335,10 +296,15 @@ if (!is_array($x_coll) || !is_array($x_paye)) { $x_both[$my_paye_thirdpartyid]['paye']['detail'][] = array( 'id' =>$x_paye[$my_paye_thirdpartyid]['facid'][$id], 'descr' =>$x_paye[$my_paye_thirdpartyid]['descr'][$id], + 'pid' =>$x_paye[$my_paye_thirdpartyid]['pid'][$id], 'pref' =>$x_paye[$my_paye_thirdpartyid]['pref'][$id], 'ptype' =>$x_paye[$my_paye_thirdpartyid]['ptype'][$id], + 'pstatus' =>$x_paye[$my_paye_thirdpartyid]['pstatus'][$id], + 'pstatusbuy' =>$x_paye[$my_paye_thirdpartyid]['pstatusbuy'][$id], + 'payment_id' =>$x_paye[$my_paye_thirdpartyid]['payment_id'][$id], + 'payment_ref' =>$x_paye[$my_paye_thirdpartyid]['payment_ref'][$id], 'payment_amount' =>$x_paye[$my_paye_thirdpartyid]['payment_amount'][$id], 'ftotal_ttc' =>price2num($x_paye[$my_paye_thirdpartyid]['ftotal_ttc'][$id]), 'dtotal_ttc' =>price2num($x_paye[$my_paye_thirdpartyid]['dtotal_ttc'][$id]), 
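Review bot: In the customer-invoice (`coll`) branch at `@@ -290,14 +230,33 @@`, the two added entries `'pstatus' =>$x_paye[$my_coll_thirdpartyid]['pstatus'][$id]` and `'pstatusbuy'=>$x_paye[$my_coll_thirdpartyid]['pstatusbuy'][$id]` read from `$x_paye` while every sibling key in the same array reads from `$x_coll`; the third-party id is a `$x_coll` key, so these lookups will mostly be undefined and the product status shown for customer lines will be wrong. They should read `$x_coll[$my_coll_thirdpartyid]['pstatus'][$id]` and `$x_coll[$my_coll_thirdpartyid]['pstatusbuy'][$id]`, as the supplier branch at `@@ -335,10 +296,15 @@` correctly does with `$x_paye`. The enclosing loop starts before the hunk and ends after it.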
@@ -354,14 +320,33 @@ if (!is_array($x_coll) || !is_array($x_paye)) { $invoice_supplier->id = $x_paye[$my_paye_thirdpartyid]['facid'][$id]; $invoice_supplier->ref = $x_paye[$my_paye_thirdpartyid]['facnum'][$id]; $invoice_supplier->type = $x_paye[$my_paye_thirdpartyid]['type'][$id]; - $company_static->fetch($x_paye[$my_paye_thirdpartyid]['company_id'][$id]); + + //$company_static->fetch($x_paye[$my_paye_thirdpartyid]['company_id'][$id]); + $company_static->id = $x_paye[$my_paye_thirdpartyid]['company_id'][$id]; + $company_static->name = $x_paye[$my_paye_thirdpartyid]['company_name'][$id]; + $company_static->name_alias = $x_paye[$my_paye_thirdpartyid]['company_alias'][$id]; + $company_static->email = $x_paye[$my_paye_thirdpartyid]['company_email'][$id]; + $company_static->tva_intra = $x_paye[$my_paye_thirdpartyid]['tva_intra'][$id]; + $company_static->client = $x_paye[$my_paye_thirdpartyid]['company_client'][$id]; + $company_static->fournisseur = $x_paye[$my_paye_thirdpartyid]['company_fournisseur'][$id]; + $company_static->status = $x_paye[$my_paye_thirdpartyid]['company_status'][$id]; + $company_static->code_client = $x_paye[$my_paye_thirdpartyid]['company_customer_code'][$id]; + $company_static->code_compta_client = $x_paye[$my_paye_thirdpartyid]['company_customer_accounting_code'][$id]; + $company_static->code_fournisseur = $x_paye[$my_paye_thirdpartyid]['company_supplier_code'][$id]; + $company_static->code_compta_fournisseur = $x_paye[$my_paye_thirdpartyid]['company_supplier_accounting_code'][$id]; + $x_both[$my_paye_thirdpartyid]['paye']['detail'][] = array( 'id' =>$x_paye[$my_paye_thirdpartyid]['facid'][$id], 'descr' =>$x_paye[$my_paye_thirdpartyid]['descr'][$id], + 'pid' =>$x_paye[$my_paye_thirdpartyid]['pid'][$id], 'pref' =>$x_paye[$my_paye_thirdpartyid]['pref'][$id], 'ptype' =>$x_paye[$my_paye_thirdpartyid]['ptype'][$id], + 'pstatus' =>$x_paye[$my_paye_thirdpartyid]['pstatus'][$id], + 'pstatusbuy'=>$x_paye[$my_paye_thirdpartyid]['pstatusbuy'][$id], + 
'payment_id'=>$x_paye[$my_paye_thirdpartyid]['payment_id'][$id], + 'payment_ref'=>$x_paye[$my_paye_thirdpartyid]['payment_ref'][$id], 'payment_amount'=>$x_paye[$my_paye_thirdpartyid]['payment_amount'][$id], 'ftotal_ttc'=>price2num($x_paye[$my_paye_thirdpartyid]['ftotal_ttc'][$id]), 'dtotal_ttc'=>price2num($x_paye[$my_paye_thirdpartyid]['dtotal_ttc'][$id]), @@ -369,7 +354,9 @@ if (!is_array($x_coll) || !is_array($x_paye)) { 'drate' =>$x_paye[$my_coll_thirdpartyid]['drate'][$id], 'datef' =>$x_paye[$my_paye_thirdpartyid]['datef'][$id], 'datep' =>$x_paye[$my_paye_thirdpartyid]['datep'][$id], + 'company_link'=>$company_static->getNomUrl(1, '', 20), + 'ddate_start'=>$x_paye[$my_paye_thirdpartyid]['ddate_start'][$id], 'ddate_end' =>$x_paye[$my_paye_thirdpartyid]['ddate_end'][$id], 'totalht' =>price2num($x_paye[$my_paye_thirdpartyid]['totalht_list'][$id]), @@ -389,11 +376,6 @@ if (!is_array($x_coll) || !is_array($x_paye)) { $x_paye_sum = 0; $x_paye_ht = 0; - $span = $columns; - if ($modetax != 1) { - $span += 2; - } - //print ''..')'; // Customers invoices @@ -483,6 +465,9 @@ if (!is_array($x_coll) || !is_array($x_paye)) { $product_static->id = $fields['pid']; $product_static->ref = $fields['pref']; $product_static->type = $fields['dtype']; // We force with the type of line to have type how line is registered + $product_static->status = $fields['pstatus']; + $product_static->status_buy = $fields['pstatusbuy']; + print $product_static->getNomUrl(1); if (dol_string_nohtmltag($fields['descr'])) { print ' - '.dol_trunc(dol_string_nohtmltag($fields['descr']), 24); 
@@ -528,7 +513,8 @@ if (!is_array($x_coll) || !is_array($x_paye)) { //print $fields['totalht']."-".$fields['payment_amount']."-".$fields['ftotal_ttc']; if ($fields['payment_amount'] && $fields['ftotal_ttc']) { $payment_static->id = $fields['payment_id']; - print $payment_static->getNomUrl(2); + $payment_static->ref = $fields['payment_ref']; + print $payment_static->getNomUrl(2, '', '', 0).' '; } if (($type == 0 && $conf->global->TAX_MODE_SELL_PRODUCT == 'invoice') || ($type == 1 && $conf->global->TAX_MODE_SELL_SERVICE == 'invoice')) { @@ -578,7 +564,7 @@ if (!is_array($x_coll) || !is_array($x_paye)) { } } - if (count($x_coll) == 0) { // Show a total ine if nothing shown + if (count($x_coll) == 0) { // Show a total line if nothing shown print ''; print ''; print ''.$langs->trans("Total").':'; @@ -662,7 +648,9 @@ if (!is_array($x_coll) || !is_array($x_paye)) { } // Company name - print ''.$fields['company_link'].''; + print ''; + print $fields['company_link']; + print ''; // Description print ''; @@ -714,7 +702,8 @@ if (!is_array($x_coll) || !is_array($x_paye)) { print ''; if ($fields['payment_amount'] && $fields['ftotal_ttc']) { $paymentfourn_static->id = $fields['payment_id']; - print $paymentfourn_static->getNomUrl(2); + $paymentfourn_static->ref = $fields['payment_ref']; + print $paymentfourn_static->getNomUrl(2, '', '', 0); } if (($type == 0 && $conf->global->TAX_MODE_BUY_PRODUCT == 'invoice') diff --git a/htdocs/compta/tva/index.php b/htdocs/compta/tva/index.php index ba2669077c9..63b834d7821 100644 --- a/htdocs/compta/tva/index.php +++ b/htdocs/compta/tva/index.php 
@@ -37,99 +37,15 @@ require_once DOL_DOCUMENT_ROOT.'/compta/localtax/class/localtax.class.php'; // Load translation files required by the page $langs->loadLangs(array("other", "compta", "banks", "bills", "companies", "product", "trips", "admin")); -$form = new Form($db); -$now = dol_now(); -$current_date = dol_getdate($now); -if (empty($conf->global->SOCIETE_FISCAL_MONTH_START)) { - $conf->global->SOCIETE_FISCAL_MONTH_START = 1; -} - $refresh = GETPOSTISSET('submit') ? true : false; +$year_current = GETPOSTISSET('year') ? GETPOST('year', 'int') : dol_print_date($now, '%Y', 'tzserver'); +$year_start = $year_current; +$month_current = GETPOSTISSET('month') ? GETPOST('month', 'int') : dol_print_date($now, '%m', 'tzserver'); +$month_start = $month_current; -if ($refresh === false) { - $year_current = dol_print_date('%Y', $now); - $month_current = dol_print_date('%m', $now); +$refresh = true; - // 1 : Monthly (by default) - // 2 : Quarterly - // 3 : Annual - if ($conf->global->MAIN_INFO_VAT_RETURN == 2) { - // quarterly - $year = $year_current; - if ($month_current >= 7 && $month_current <= 9) { - $month_start = 4; - $month_end = 6; - } elseif ($month_current >= 10 && $month_current <= 12) { - $month_start = 7; - $month_end = 9; - } elseif ($month_current >= 1 && $month_current <= 3) { - $month_start = 10; - $month_end = 12; - $year--; - } else { - $month_start = 1; - $month_end = 3; - } - $date_start = dol_get_first_day($year, $month_start); - $date_end = dol_get_last_day($year, $month_end); - } elseif ($conf->global->MAIN_INFO_VAT_RETURN == 3) { - // annual - $date_start = dol_get_first_day($year_current, 1); - $date_end = dol_get_last_day($year_current, 12); - } else { - // monthly by default - $year = $year_current; - $month_last = $month_current - 1; - if ($month_last <= 0) { - $month_last = $month_last + 12; - $year--; - } - $date_start = dol_get_first_day($year, $month_last); - $date_end = dol_get_last_day($year, $month_last); - } -} else { - // Date range - 
$year = GETPOST("year", "int"); - if (empty($year)) { - $year_current = dol_print_date(dol_now(), "%Y"); - if ($conf->global->SOCIETE_FISCAL_MONTH_START > dol_print_date(dol_now(), "%m")) $year_current--; - $year_start = $year_current; - } else { - $year_current = $year; - $year_start = $year; - } - $date_start = dol_mktime(0, 0, 0, GETPOST("date_startmonth"), GETPOST("date_startday"), GETPOST("date_startyear")); - $date_end = dol_mktime(23, 59, 59, GETPOST("date_endmonth"), GETPOST("date_endday"), GETPOST("date_endyear")); - if (empty($date_start) || empty($date_end)) {// We define date_start and date_end - $q = GETPOST("q", "int"); - if (empty($q)) { - if (GETPOST("month", "int")) { - $date_start = dol_get_first_day($year_start, GETPOST("month", "int"), false); - $date_end = dol_get_last_day($year_start, GETPOST("month", "int"), false); - } else { - $date_start = dol_get_first_day($year_start, $conf->global->SOCIETE_FISCAL_MONTH_START, false); - $date_end = dol_time_plus_duree($date_start, 1, 'y') - 1; - } - } else { - if ($q == 1) { - $date_start = dol_get_first_day($year_start, 1, false); - $date_end = dol_get_last_day($year_start, 3, false); - } - if ($q == 2) { - $date_start = dol_get_first_day($year_start, 4, false); - $date_end = dol_get_last_day($year_start, 6, false); - } - if ($q == 3) { - $date_start = dol_get_first_day($year_start, 7, false); - $date_end = dol_get_last_day($year_start, 9, false); - } - if ($q == 4) { - $date_start = dol_get_first_day($year_start, 10, false); - $date_end = dol_get_last_day($year_start, 12, false); - } - } - } -} +include DOL_DOCUMENT_ROOT.'/compta/tva/initdatesforvat.inc.php'; // Define modetax (0 or 1) // 0=normal, 1=option vat for services is on debit, 2=option on payments for products @@ -255,6 +171,7 @@ function pt($db, $sql, $date) * View */ +$form = new Form($db); $company_static = new Societe($db); $tva = new Tva($db); 
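Review bot: In tva/index.php at `@@ -37,99 +37,15 @@`, the added line `$year_current = GETPOSTISSET('year') ? GETPOST('year', 'int') : dol_print_date($now, '%Y', 'tzserver');` (and the `$month_current` line below it) uses `$now`, but this hunk removes `$now = dol_now();` and the include that defines it again runs only afterwards, so unless `$now` is set by a file loaded earlier the default year and month are formatted from a null timestamp. The simplest repair is to restore `$now = dol_now();` before the `$year_current` line, or to move the `include` above these assignments. Note also that the include re-assigns `$year_current` from `$current_date['year']`, so the value computed here appears to be discarded, and `$refresh = true;` overwrites the `GETPOSTISSET('submit')` result two lines above it.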
diff --git a/htdocs/compta/tva/initdatesforvat.inc.php b/htdocs/compta/tva/initdatesforvat.inc.php
new file mode 100644
index 00000000000..8039fce728f
--- /dev/null
+++ b/htdocs/compta/tva/initdatesforvat.inc.php
@@ -0,0 +1,98 @@ + + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * or see https://www.gnu.org/ + */ + +/** + * \file htdocs/compta/tva/initdatesforvat.inc.php + * \brief Set value for date_start and date_end + */ + +$now = dol_now(); +$current_date = dol_getdate($now); +if (empty($conf->global->SOCIETE_FISCAL_MONTH_START)) { + $conf->global->SOCIETE_FISCAL_MONTH_START = 1; +} + +// Date range +$year = GETPOST("year", "int"); +if (empty($year)) { + $year_current = $current_date['year']; + $year_start = $year_current; +} else { + $year_current = $year; + $year_start = $year; +} +$date_start = dol_mktime(0, 0, 0, GETPOST("date_startmonth"), GETPOST("date_startday"), GETPOST("date_startyear"), 'tzserver'); +$date_end = dol_mktime(23, 59, 59, GETPOST("date_endmonth"), GETPOST("date_endday"), GETPOST("date_endyear"), 'tzserver'); +// Set default period if not defined +if (empty($date_start) || empty($date_end)) { // We define date_start and date_end + $q = GETPOST("q", "int"); + if (empty($q)) { + if (GETPOST("month", 'int')) { + $date_start = dol_get_first_day($year_start, GETPOST("month", 'int'), 'tzserver'); + $date_end = dol_get_last_day($year_start, GETPOST("month", 'int'), 'tzserver'); + } else { + if (empty($conf->global->MAIN_INFO_VAT_RETURN) || $conf->global->MAIN_INFO_VAT_RETURN == 2) { // quaterly vat, we take last past complete quarter + $date_start = 
dol_time_plus_duree(dol_get_first_day($year_start, $current_date['mon'], false), -3 - (($current_date['mon'] - $conf->global->SOCIETE_FISCAL_MONTH_START) % 3), 'm'); + $date_end = dol_time_plus_duree($date_start, 3, 'm') - 1; + } elseif ($conf->global->MAIN_INFO_VAT_RETURN == 3) { // yearly vat + if ($current_date['mon'] < $conf->global->SOCIETE_FISCAL_MONTH_START) { + if (($conf->global->SOCIETE_FISCAL_MONTH_START - $current_date['mon']) > 6) { // If period started from less than 6 years, we show past year + $year_start--; + } + } else { + if (($current_date['mon'] - $conf->global->SOCIETE_FISCAL_MONTH_START) < 6) { // If perdio started from less than 6 years, we show past year + $year_start--; + } + } + $date_start = dol_get_first_day($year_start, $conf->global->SOCIETE_FISCAL_MONTH_START, 'tzserver'); + $date_end = dol_time_plus_duree($date_start, 1, 'y') - 1; + } elseif ($conf->global->MAIN_INFO_VAT_RETURN == 1) { // monthly vat, we take last past complete month + $date_start = dol_time_plus_duree(dol_get_first_day($year_start, $current_date['mon'], false), -1, 'm'); + $date_end = dol_time_plus_duree($date_start, 1, 'm') - 1; + } + } + } else { + if ($q == 1) { + $date_start = dol_get_first_day($year_start, 1, 'tzserver'); + $date_end = dol_get_last_day($year_start, 3, 'tzserver'); + } + if ($q == 2) { + $date_start = dol_get_first_day($year_start, 4, 'tzserver'); + $date_end = dol_get_last_day($year_start, 6, 'tzserver'); + } + if ($q == 3) { + $date_start = dol_get_first_day($year_start, 7, 'tzserver'); + $date_end = dol_get_last_day($year_start, 9, 'tzserver'); + } + if ($q == 4) { + $date_start = dol_get_first_day($year_start, 10, 'tzserver'); + $date_end = dol_get_last_day($year_start, 12, 'tzserver'); + } + } +} + +//print dol_print_date($date_start, 'day').' 
'.dol_print_date($date_end, 'day'); + +$tmp = dol_getdate($date_start); +$date_start_day = $tmp['mday']; +$date_start_month = $tmp['mon']; +$date_start_year = $tmp['year']; +$tmp = dol_getdate($date_end); +$date_end_day = $tmp['mday']; +$date_end_month = $tmp['mon']; +$date_end_year = $tmp['year']; diff --git a/htdocs/compta/tva/payments.php b/htdocs/compta/tva/payments.php index 73e2dae0e05..4eec7ca85a1 100644 --- a/htdocs/compta/tva/payments.php +++ b/htdocs/compta/tva/payments.php @@ -122,7 +122,7 @@ if (!empty($conf->tax->enabled) && $user->rights->tax->charges->lire) { print_liste_field_titre("DatePayment", $_SERVER["PHP_SELF"], "ptva.datep", "", $param, 'align="center"', $sortfield, $sortorder); print_liste_field_titre("Type", $_SERVER["PHP_SELF"], "pct.code", "", $param, '', $sortfield, $sortorder); print_liste_field_titre("BankAccount", $_SERVER["PHP_SELF"], "bank.ref", "", $param, '', $sortfield, $sortorder); - print_liste_field_titre("LabelContrib", $_SERVER["PHP_SELF"], "tva.label", "", $param, '', $sortfield, $sortorder); + print_liste_field_titre("VATDeclaration", $_SERVER["PHP_SELF"], "tva.label", "", $param, '', $sortfield, $sortorder); //print_liste_field_titre("TypeContrib", $_SERVER["PHP_SELF"], "tva.fk_type", "", $param, '', $sortfield, $sortorder); print_liste_field_titre("PeriodEndDate", $_SERVER["PHP_SELF"], "tva.datev", "", $param, 'width="140px"', $sortfield, $sortorder); print_liste_field_titre("ExpectedToPay", $_SERVER["PHP_SELF"], "tva.amount", "", $param, 'class="right"', $sortfield, $sortorder); diff --git a/htdocs/compta/tva/quadri_detail.php b/htdocs/compta/tva/quadri_detail.php index 590999c7b31..d3871968ed5 100644 --- a/htdocs/compta/tva/quadri_detail.php +++ b/htdocs/compta/tva/quadri_detail.php 
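Review bot: The new initdatesforvat.inc.php mixes timezone modes: most `dol_get_first_day`/`dol_get_last_day` calls now pass `'tzserver'`, but the quarterly and monthly default branches still call `dol_get_first_day($year_start, $current_date['mon'], false)`, so the computed period boundaries can differ by the server/GMT offset depending on which branch is taken. The request parameters feeding `dol_mktime` are read untyped (`GETPOST("date_startmonth")`, `GETPOST("date_startday")`, `GETPOST("date_startyear")` and the `date_end*` trio); the `'int'` filter used for `year`, `q` and `month` in the same file would be consistent. Since this file is now shared by three pages, the header docblock should also state which variables it expects to exist (`$conf`, `$db`) and which it defines (`$now`, `$year_start`, `$date_start`, `$date_end`, `$date_start_year`, ...), and the comments `// If perdio started from less than 6 years` should read "If period started less than 6 months ago".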
@@ -45,68 +45,11 @@ require_once DOL_DOCUMENT_ROOT.'/expensereport/class/paymentexpensereport.class. // Load translation files required by the page $langs->loadLangs(array("other", "compta", "banks", "bills", "companies", "product", "trips", "admin")); -$now = dol_now(); -$refresh = GETPOSTISSET('submit') ? true : false; +$refresh = (GETPOSTISSET('submit') || GETPOSTISSET('vat_rate_show') || GETPOSTISSET('invoice_type')) ? true : false; $invoice_type = GETPOSTISSET('invoice_type') ? GETPOST('invoice_type', 'alpha') : ''; $vat_rate_show = GETPOSTISSET('vat_rate_show') ? GETPOST('vat_rate_show', 'int') : -1; -$year_current = GETPOSTISSET('year') ? GETPOST('year', 'int') : intval(strftime('%Y', $now)); -$year_start = $year_current; -$month_current = GETPOSTISSET('month') ? GETPOST('month', 'int') : intval(strftime('%m', $now)); -$month_start = $month_current; -if ($refresh === false) { - $date_start = dol_get_first_day($year_start, $month_start); - $date_end = dol_get_last_day($year_start, $month_start); -} else { - // Date range - //$year=GETPOST("year", "int"); - //if (empty($year)) - //{ - // $year_current = strftime("%Y", dol_now()); - // $year_start = $year_current; - //} else { - // $year_current = $year; - // $year_start = $year; - //} - - $date_start=dol_mktime(0, 0, 0, GETPOST("date_startmonth"), GETPOST("date_startday"), GETPOST("date_startyear")); - $date_end=dol_mktime(23, 59, 59, GETPOST("date_endmonth"), GETPOST("date_endday"), GETPOST("date_endyear")); - // Quarter - if (empty($date_start) || empty($date_end)) { // We define date_start and date_end - $q=GETPOST("q", "int"); - if (empty($q)) { - if (GETPOST("month", "int")) { - $date_start=dol_get_first_day($year_start, GETPOST("month", "int"), false); - $date_end=dol_get_last_day($year_start, GETPOST("month", "int"), false); - } else { - $date_start=dol_get_first_day($year_start, empty($conf->global->SOCIETE_FISCAL_MONTH_START)?1:$conf->global->SOCIETE_FISCAL_MONTH_START, false); - if 
(empty($conf->global->MAIN_INFO_VAT_RETURN) || $conf->global->MAIN_INFO_VAT_RETURN == 2) { - $date_end=dol_time_plus_duree($date_start, 3, 'm') - 1; - } elseif ($conf->global->MAIN_INFO_VAT_RETURN == 3) { - $date_end = dol_time_plus_duree($date_start, 1, 'y') - 1; - } elseif ($conf->global->MAIN_INFO_VAT_RETURN == 1) { - $date_end = dol_time_plus_duree($date_start, 1, 'm') - 1; - } - } - } else { - if ($q == 1) { - $date_start=dol_get_first_day($year_start, 1, false); $date_end=dol_get_last_day($year_start, 3, false); - } - if ($q == 2) { - $date_start=dol_get_first_day($year_start, 4, false); $date_end=dol_get_last_day($year_start, 6, false); - } - if ($q == 3) { - $date_start=dol_get_first_day($year_start, 7, false); $date_end=dol_get_last_day($year_start, 9, false); - } - if ($q == 4) { - $date_start=dol_get_first_day($year_start, 10, false); $date_end=dol_get_last_day($year_start, 12, false); - } - } - } -} - -$month_start = strftime('%m', $date_start); -$year_start = strftime('%Y', $date_start); +include DOL_DOCUMENT_ROOT.'/compta/tva/initdatesforvat.inc.php'; $min = price2num(GETPOST("min", "alpha")); if (empty($min)) { @@ -131,7 +74,6 @@ if ($user->socid) { $result = restrictedArea($user, 'tax', '', '', 'charges'); - /* * View */ @@ -154,7 +96,7 @@ foreach ($listofparams as $param) { } } -$title = $langs->trans("VATReport")." ".dol_print_date($date_start)." -> ".dol_print_date($date_end); +$title = $langs->trans("VATReport")." ".dol_print_date($date_start, '', 'tzserver')." -> ".dol_print_date($date_end, '', 'tzserver'); llxHeader('', $title, '', '', 0, 0, '', '', $morequerystring); 
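Review bot: The `? true : false` on the new `$refresh` line is redundant, since the `||` chain already yields a boolean: `$refresh = GETPOSTISSET('submit') || GETPOSTISSET('vat_rate_show') || GETPOSTISSET('invoice_type');`. With the whole date-range block removed, this page now depends on the included initdatesforvat.inc.php to define `$q`, `$date_start`, `$date_end` and `$date_start_year` (later hunks still read `$q` and `$date_start_year`); the tail of that include visible at the top of this chunk does set `$date_start_year`, but the `$q` assignment is not visible here. A one-line comment above the `include` naming the variables it is expected to provide would make that contract explicit, e.g. `// Defines $q, $date_start, $date_end and $date_start_day/month/year from GETPOST and $conf`.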
@@ -182,8 +124,10 @@ if ($modetax == 2) { } $calcmode .= ' ('.$langs->trans("TaxModuleSetupToModifyRules", DOL_URL_ROOT.'/admin/taxes.php').')'; // Set period -$period = $form->selectDate($date_start, 'date_start', 0, 0, 0, '', 1, 0).' - '.$form->selectDate($date_end, 'date_end', 0, 0, 0, '', 1, 0); -$prevyear = $year_start; +$period = $form->selectDate($date_start, 'date_start', 0, 0, 0, '', 1, 0, 0, '', '', '', '', 1, '', '', 'tzserver'); +$period .= ' - '; +$period .= $form->selectDate($date_end, 'date_end', 0, 0, 0, '', 1, 0, 0, '', '', '', '', 1, '', '', 'tzserver'); +$prevyear = $date_start_year; $prevquarter = $q; if ($prevquarter > 1) { $prevquarter--; @@ -191,7 +135,7 @@ if ($prevquarter > 1) { $prevquarter = 4; $prevyear--; } -$nextyear = $year_start; +$nextyear = $date_start_year; $nextquarter = $q; if ($nextquarter < 4) { $nextquarter++; @@ -256,9 +200,13 @@ print '
'; print ''; $y = $year_current; -$total = 0; $i = 0; -$columns = 5; + +$columns = 7; +$span = $columns; +if ($modetax != 1) { + $span += 2; +} // Load arrays of datas $x_coll = tax_by_rate('vat', $db, 0, 0, $date_start, $date_end, $modetax, 'sell'); @@ -287,7 +235,21 @@ if (!is_array($x_coll) || !is_array($x_paye)) { $invoice_customer->id = $x_coll[$my_coll_rate]['facid'][$id]; $invoice_customer->ref = $x_coll[$my_coll_rate]['facnum'][$id]; $invoice_customer->type = $x_coll[$my_coll_rate]['type'][$id]; - $company_static->fetch($x_coll[$my_coll_rate]['company_id'][$id]); + + //$company_static->fetch($x_coll[$my_coll_rate]['company_id'][$id]); + $company_static->id = $x_coll[$my_coll_rate]['company_id'][$id]; + $company_static->name = $x_coll[$my_coll_rate]['company_name'][$id]; + $company_static->name_alias = $x_coll[$my_coll_rate]['company_alias'][$id]; + $company_static->email = $x_coll[$my_coll_rate]['company_email'][$id]; + $company_static->tva_intra = $x_coll[$my_coll_rate]['tva_intra'][$id]; + $company_static->client = $x_coll[$my_coll_rate]['company_client'][$id]; + $company_static->fournisseur = $x_coll[$my_coll_rate]['company_fournisseur'][$id]; + $company_static->status = $x_coll[$my_coll_rate]['company_status'][$id]; + $company_static->code_client = $x_coll[$my_coll_rate]['company_customer_code'][$id]; + $company_static->code_compta_client = $x_coll[$my_coll_rate]['company_customer_accounting_code'][$id]; + $company_static->code_fournisseur = $x_coll[$my_coll_rate]['company_supplier_code'][$id]; + $company_static->code_compta_fournisseur = $x_coll[$my_coll_rate]['company_supplier_accounting_code'][$id]; + $x_both[$my_coll_rate]['coll']['detail'][] = array( 'id' =>$x_coll[$my_coll_rate]['facid'][$id], 'descr' =>$x_coll[$my_coll_rate]['descr'][$id], 
@@ -295,13 +257,16 @@ if (!is_array($x_coll) || !is_array($x_paye)) { 'pref' =>$x_coll[$my_coll_rate]['pref'][$id], 'ptype' =>$x_coll[$my_coll_rate]['ptype'][$id], 'payment_id'=>$x_coll[$my_coll_rate]['payment_id'][$id], + 'payment_ref'=>$x_coll[$my_coll_rate]['payment_ref'][$id], 'payment_amount'=>$x_coll[$my_coll_rate]['payment_amount'][$id], 'ftotal_ttc'=>$x_coll[$my_coll_rate]['ftotal_ttc'][$id], 'dtotal_ttc'=>$x_coll[$my_coll_rate]['dtotal_ttc'][$id], 'dtype' =>$x_coll[$my_coll_rate]['dtype'][$id], 'datef' =>$x_coll[$my_coll_rate]['datef'][$id], 'datep' =>$x_coll[$my_coll_rate]['datep'][$id], + 'company_link'=>$company_static->getNomUrl(1, '', 20), + 'ddate_start'=>$x_coll[$my_coll_rate]['ddate_start'][$id], 'ddate_end' =>$x_coll[$my_coll_rate]['ddate_end'][$id], 'totalht' =>$x_coll[$my_coll_rate]['totalht_list'][$id], @@ -335,6 +300,7 @@ if (!is_array($x_coll) || !is_array($x_paye)) { 'pref' =>$x_paye[$my_paye_rate]['pref'][$id], 'ptype' =>$x_paye[$my_paye_rate]['ptype'][$id], 'payment_id' =>$x_paye[$my_paye_rate]['payment_id'][$id], + 'payment_ref' =>$x_paye[$my_paye_rate]['payment_ref'][$id], 'payment_amount' =>$x_paye[$my_paye_rate]['payment_amount'][$id], 'ftotal_ttc' =>price2num($x_paye[$my_paye_rate]['ftotal_ttc'][$id]), 'dtotal_ttc' =>price2num($x_paye[$my_paye_rate]['dtotal_ttc'][$id]), 
@@ -349,7 +315,20 @@ if (!is_array($x_coll) || !is_array($x_paye)) { $invoice_supplier->id = $x_paye[$my_paye_rate]['facid'][$id]; $invoice_supplier->ref = $x_paye[$my_paye_rate]['facnum'][$id]; $invoice_supplier->type = $x_paye[$my_paye_rate]['type'][$id]; - $company_static->fetch($x_paye[$my_paye_rate]['company_id'][$id]); + + $company_static->id = $x_paye[$my_paye_rate]['company_id'][$id]; + $company_static->name = $x_paye[$my_paye_rate]['company_name'][$id]; + $company_static->name_alias = $x_paye[$my_paye_rate]['company_alias'][$id]; + $company_static->email = $x_paye[$my_paye_rate]['company_email'][$id]; + $company_static->tva_intra = $x_paye[$my_paye_rate]['tva_intra'][$id]; + $company_static->client = $x_paye[$my_paye_rate]['company_client'][$id]; + $company_static->fournisseur = $x_paye[$my_paye_rate]['company_fournisseur'][$id]; + $company_static->status = $x_paye[$my_paye_rate]['company_status'][$id]; + $company_static->code_client = $x_paye[$my_paye_rate]['company_customer_code'][$id]; + $company_static->code_compta_client = $x_paye[$my_paye_rate]['company_customer_accounting_code'][$id]; + $company_static->code_fournisseur = $x_paye[$my_paye_rate]['company_supplier_code'][$id]; + $company_static->code_compta_fournisseur = $x_paye[$my_paye_rate]['company_supplier_accounting_code'][$id]; + $x_both[$my_paye_rate]['paye']['detail'][] = array( 'id' =>$x_paye[$my_paye_rate]['facid'][$id], 'descr' =>$x_paye[$my_paye_rate]['descr'][$id], 
@@ -357,13 +336,16 @@ if (!is_array($x_coll) || !is_array($x_paye)) { 'pref' =>$x_paye[$my_paye_rate]['pref'][$id], 'ptype' =>$x_paye[$my_paye_rate]['ptype'][$id], 'payment_id'=>$x_paye[$my_paye_rate]['payment_id'][$id], + 'payment_ref'=>$x_paye[$my_paye_rate]['payment_ref'][$id], 'payment_amount'=>$x_paye[$my_paye_rate]['payment_amount'][$id], 'ftotal_ttc'=>price2num($x_paye[$my_paye_rate]['ftotal_ttc'][$id]), 'dtotal_ttc'=>price2num($x_paye[$my_paye_rate]['dtotal_ttc'][$id]), 'dtype' =>$x_paye[$my_paye_rate]['dtype'][$id], 'datef' =>$x_paye[$my_paye_rate]['datef'][$id], 'datep' =>$x_paye[$my_paye_rate]['datep'][$id], + 'company_link'=>$company_static->getNomUrl(1, '', 20), + 'ddate_start'=>$x_paye[$my_paye_rate]['ddate_start'][$id], 'ddate_end' =>$x_paye[$my_paye_rate]['ddate_end'][$id], 'totalht' =>price2num($x_paye[$my_paye_rate]['totalht_list'][$id]), @@ -383,11 +365,6 @@ if (!is_array($x_coll) || !is_array($x_paye)) { $x_paye_sum = 0; $x_paye_ht = 0; - $span = $columns; - if ($modetax != 1) { - $span += 2; - } - //print ''; // Customers invoices @@ -429,7 +406,11 @@ if (!is_array($x_coll) || !is_array($x_paye)) { print ""; print ''; print ''."\n"; 
@@ -473,6 +454,19 @@ if (!is_array($x_coll) || !is_array($x_paye)) { if ($invoice_type == 'customer' && $vat_rate_show == $rate) { if (is_array($x_both[$rate]['coll']['detail'])) { foreach ($x_both[$rate]['coll']['detail'] as $index => $fields) { + /*$company_static->id = $fields['company_id']; + $company_static->name = $fields['company_name']; + $company_static->name_alias = $fields['company_alias']; + $company_static->email = $fields['company_email']; + $company_static->tva_intra = $fields['tva_intra']; + $company_static->client = $fields['company_client']; + $company_static->fournisseur = $fields['company_fournisseur']; + $company_static->status = $fields['company_status']; + $company_static->code_client = $fields['company_client']; + $company_static->code_compta_client = $fields['company_customer_code']; + $company_static->code_fournisseur = $fields['company_customer_accounting_code']; + $company_static->code_compta_fournisseur = $fields['company_supplier_accounting_code'];*/ + // Define type // We MUST use dtype (type in line). We can use something else, only if dtype is really unknown. $type = (isset($fields['dtype']) ? $fields['dtype'] : $fields['ptype']); @@ -499,7 +493,10 @@ if (!is_array($x_coll) || !is_array($x_paye)) { else print ''; // Company name - print ''; + print ''; // Description print ''; - // Print table headers for this quadri - expenses now + // Print table headers for this quadri - expenses print ''; print ''; print ''; @@ -642,7 +640,11 @@ if (!is_array($x_coll) || !is_array($x_paye)) { print ""; print ''; print ''."\n"; 
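Review bot: The twelve-line commented-out `$company_static` assignment block added at the top of the `foreach ($x_both[$rate]['coll']['detail'] ...)` loop is dead code and should be deleted rather than committed; the same block is added again in the supplier loop in hunk `@@ -684,6 +686,19 @@`. Besides being noise, the commented version is not a faithful copy of the live assignments made when the detail array is built (`code_client = $fields['company_client']`, `code_fournisseur = $fields['company_customer_accounting_code']`), so anyone uncommenting it later would populate the wrong fields. The company link is already pre-rendered into `$fields['company_link']` at array-build time, which is exactly what makes the block unnecessary.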
@@ -684,6 +686,19 @@ if (!is_array($x_coll) || !is_array($x_paye)) { if ($invoice_type == 'supplier' && $vat_rate_show == $rate) { foreach ($x_both[$rate]['paye']['detail'] as $index => $fields) { + /*$company_static->id = $fields['company_id']; + $company_static->name = $fields['company_name']; + $company_static->name_alias = $fields['company_alias']; + $company_static->email = $fields['company_email']; + $company_static->tva_intra = $fields['tva_intra']; + $company_static->client = $fields['company_client']; + $company_static->fournisseur = $fields['company_fournisseur']; + $company_static->status = $fields['company_status']; + $company_static->code_client = $fields['company_client']; + $company_static->code_compta_client = $fields['company_customer_code']; + $company_static->code_fournisseur = $fields['company_customer_accounting_code']; + $company_static->code_compta_fournisseur = $fields['company_supplier_accounting_code'];*/ + // Define type // We MUST use dtype (type in line). We can use something else, only if dtype is really unknown. $type = (isset($fields['dtype']) ? $fields['dtype'] : $fields['ptype']); @@ -713,7 +728,10 @@ if (!is_array($x_coll) || !is_array($x_paye)) { } // Company name - print ''; + print ''; // Description print ''; // Severity @@ -307,7 +313,7 @@ class FormTicket if ($this->withfile == 2) { // Can add other files $out .= ''; $out .= ' '; - $out .= ''; + $out .= ''; } $out .= "\n"; @@ -439,8 +445,8 @@ class FormTicket print dol_get_fiche_end(); } - print '
'; - print ''; + print '
'; + print ''; if ($this->withcancel) { print "      "; print ''; @@ -551,7 +557,7 @@ class FormTicket * * @param string $selected Id categorie pre-selectionnée * @param string $htmlname Nom de la zone select - * @param string $filtertype To filter on field type in llx_c_ticket_category (array('code'=>xx,'label'=>zz)) + * @param string $filtertype To filter on some properties in llx_c_ticket_category ('public = 1'). This parameter must not come from input of users. * @param int $format 0=id+libelle, 1=code+code, 2=code+libelle, 3=id+code * @param int $empty 1=peut etre vide, 0 sinon * @param int $noadmininfo 0=Add admin info, 1=Disable admin info @@ -567,12 +573,6 @@ class FormTicket dol_syslog(get_class($this)."::selectCategoryTickets ".$selected.", ".$htmlname.", ".$filtertype.", ".$format, LOG_DEBUG); - $filterarray = array(); - - if ($filtertype != '' && $filtertype != '-1') { - $filterarray = explode(',', $filtertype); - } - $ticketstat->loadCacheCategoriesTickets(); print ''; $out .= ' '; - $out .= ''; + $out .= ''; } $out .= "\n"; diff --git a/htdocs/core/class/notify.class.php b/htdocs/core/class/notify.class.php index add5ccda7b3..345ec5b38e3 100644 --- a/htdocs/core/class/notify.class.php +++ b/htdocs/core/class/notify.class.php @@ -3,6 +3,7 @@ * Copyright (C) 2004-2011 Laurent Destailleur * Copyright (C) 2014 Juanjo Menent * Copyright (C) 2018 Philippe Grand + * Copyright (C) 2021 Thibault FOUCART * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -25,7 +26,6 @@ */ require_once DOL_DOCUMENT_ROOT.'/core/class/CMailFile.class.php'; - /** * Class to manage notifications */ @@ -80,8 +80,8 @@ class Notify 'SHIPPING_VALIDATE', 'EXPENSE_REPORT_VALIDATE', 'EXPENSE_REPORT_APPROVE', - 'HOLIDAY_VALIDATE', - 'HOLIDAY_APPROVE', + 'HOLIDAY_VALIDATE', + 'HOLIDAY_APPROVE', 'ACTION_CREATE' ); 
@@ -442,49 +442,54 @@ class Notify switch ($notifcode) { case 'BILL_VALIDATE': - $link = ''.$newref.''; - $dir_output = $conf->facture->dir_output; + $link = ''.$newref.''; + $dir_output = $conf->facture->dir_output."/".get_exdir(0, 0, 0, 1, $object, 'invoice'); $object_type = 'facture'; + $labeltouse = $conf->global->BILL_VALIDATE_TEMPLATE; $mesg = $outputlangs->transnoentitiesnoconv("EMailTextInvoiceValidated", $link); break; case 'BILL_PAYED': - $link = ''.$newref.''; - $dir_output = $conf->facture->dir_output; + $link = ''.$newref.''; + $dir_output = $conf->facture->dir_output."/".get_exdir(0, 0, 0, 1, $object, 'invoice'); $object_type = 'facture'; + $labeltouse = $conf->global->BILL_PAYED_TEMPLATE; $mesg = $outputlangs->transnoentitiesnoconv("EMailTextInvoicePayed", $link); break; case 'ORDER_VALIDATE': - $link = ''.$newref.''; - $dir_output = $conf->commande->dir_output; + $link = ''.$newref.''; + $dir_output = $conf->commande->dir_output."/".get_exdir(0, 0, 0, 1, $object, 'commande'); $object_type = 'order'; + $labeltouse = $conf->global->ORDER_VALIDATE_TEMPLATE; $mesg = $outputlangs->transnoentitiesnoconv("EMailTextOrderValidated", $link); break; case 'PROPAL_VALIDATE': - $link = ''.$newref.''; - $dir_output = $conf->propal->multidir_output[$object->entity]; + $link = ''.$newref.''; + $dir_output = $conf->propal->multidir_output[$object->entity]."/".get_exdir(0, 0, 0, 1, $object, 'propal'); $object_type = 'propal'; + $labeltouse = $conf->global->PROPAL_VALIDATE_TEMPLATE; $mesg = $outputlangs->transnoentitiesnoconv("EMailTextProposalValidated", $link); break; case 'PROPAL_CLOSE_SIGNED': - $link = ''.$newref.''; - $dir_output = $conf->propal->multidir_output[$object->entity]; + $link = ''.$newref.''; + $dir_output = $conf->propal->multidir_output[$object->entity]."/".get_exdir(0, 0, 0, 1, $object, 'propal'); $object_type = 'propal'; + $labeltouse = $conf->global->PROPAL_CLOSE_SIGNED_TEMPLATE; $mesg = 
$outputlangs->transnoentitiesnoconv("EMailTextProposalClosedSigned", $link); break; case 'FICHINTER_ADD_CONTACT': - $link = ''.$newref.''; + $link = ''.$newref.''; $dir_output = $conf->ficheinter->dir_output; $object_type = 'ficheinter'; $mesg = $outputlangs->transnoentitiesnoconv("EMailTextInterventionAddedContact", $link); break; case 'FICHINTER_VALIDATE': - $link = ''.$newref.''; + $link = ''.$newref.''; $dir_output = $conf->ficheinter->dir_output; $object_type = 'ficheinter'; $mesg = $outputlangs->transnoentitiesnoconv("EMailTextInterventionValidated", $link); break; case 'ORDER_SUPPLIER_VALIDATE': - $link = ''.$newref.''; + $link = ''.$newref.''; $dir_output = $conf->fournisseur->commande->dir_output; $object_type = 'order_supplier'; $mesg = $outputlangs->transnoentitiesnoconv("Hello").",\n\n"; @@ -492,7 +497,7 @@ class Notify $mesg .= "\n\n".$outputlangs->transnoentitiesnoconv("Sincerely").".\n\n"; break; case 'ORDER_SUPPLIER_APPROVE': - $link = ''.$newref.''; + $link = ''.$newref.''; $dir_output = $conf->fournisseur->commande->dir_output; $object_type = 'order_supplier'; $mesg = $outputlangs->transnoentitiesnoconv("Hello").",\n\n"; @@ -500,7 +505,7 @@ class Notify $mesg .= "\n\n".$outputlangs->transnoentitiesnoconv("Sincerely").".\n\n"; break; case 'ORDER_SUPPLIER_REFUSE': - $link = ''.$newref.''; + $link = ''.$newref.''; $dir_output = $conf->fournisseur->commande->dir_output; $object_type = 'order_supplier'; $mesg = $outputlangs->transnoentitiesnoconv("Hello").",\n\n"; 
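Review bot: `$labeltouse` is assigned in only some arms of this `switch` (BILL_VALIDATE, BILL_PAYED, ORDER_VALIDATE, PROPAL_VALIDATE, PROPAL_CLOSE_SIGNED here, more in the next hunk), while FICHINTER_ADD_CONTACT, FICHINTER_VALIDATE and the ORDER_SUPPLIER_* arms never set it. Unless it is reset above the `switch` (that code is outside the hunk), the `!empty($labeltouse)` test that follows the switch can see a value left over from an earlier call or an undefined-variable notice, and select a template that does not belong to the notification being sent. Adding `$labeltouse = '';` immediately before `switch ($notifcode) {` removes the ambiguity. The enclosing method starts before this hunk.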
@@ -508,56 +513,78 @@ class Notify $mesg .= "\n\n".$outputlangs->transnoentitiesnoconv("Sincerely").".\n\n"; break; case 'SHIPPING_VALIDATE': - $link = ''.$newref.''; - $dir_output = $conf->expedition->dir_output.'/sending/'; + $link = ''.$newref.''; + $dir_output = $conf->expedition->dir_output."/sending/".get_exdir(0, 0, 0, 1, $object, 'shipment'); $object_type = 'expedition'; + $labeltouse = $conf->global->SHIPPING_VALIDATE_TEMPLATE; $mesg = $outputlangs->transnoentitiesnoconv("EMailTextExpeditionValidated", $link); break; case 'EXPENSE_REPORT_VALIDATE': - $link = ''.$newref.''; + $link = ''.$newref.''; $dir_output = $conf->expensereport->dir_output; $object_type = 'expensereport'; + $labeltouse = $conf->global->EXPENSE_REPORT_VALIDATE_TEMPLATE; $mesg = $outputlangs->transnoentitiesnoconv("EMailTextExpenseReportValidated", $link); break; case 'EXPENSE_REPORT_APPROVE': - $link = ''.$newref.''; + $link = ''.$newref.''; $dir_output = $conf->expensereport->dir_output; $object_type = 'expensereport'; + $labeltouse = $conf->global->EXPENSE_REPORT_APPROVE_TEMPLATE; $mesg = $outputlangs->transnoentitiesnoconv("EMailTextExpenseReportApproved", $link); break; case 'HOLIDAY_VALIDATE': - $link = ''.$newref.''; + $link = ''.$newref.''; $dir_output = $conf->holiday->dir_output; $object_type = 'holiday'; + $labeltouse = $conf->global->HOLIDAY_VALIDATE_TEMPLATE; $mesg = $outputlangs->transnoentitiesnoconv("EMailTextHolidayValidated", $link); break; case 'HOLIDAY_APPROVE': - $link = ''.$newref.''; + $link = ''.$newref.''; $dir_output = $conf->holiday->dir_output; $object_type = 'holiday'; + $labeltouse = $conf->global->HOLIDAY_APPROVE_TEMPLATE; $mesg = $outputlangs->transnoentitiesnoconv("EMailTextHolidayApproved", $link); - break; + break; case 'ACTION_CREATE': - $link = ''.$newref.''; + $link = ''.$newref.''; $dir_output = $conf->agenda->dir_output; $object_type = 'action'; + $labeltouse = $conf->global->ACTION_CREATE_TEMPLATE; $mesg = 
$outputlangs->transnoentitiesnoconv("EMailTextActionAdded", $link); break; } + + include_once DOL_DOCUMENT_ROOT.'/core/class/html.formmail.class.php'; + $formmail = new FormMail($this->db); + $arraydefaultmessage = null; + + if (!empty($labeltouse)) $arraydefaultmessage = $formmail->getEMailTemplate($this->db, $object_type.'_send', $user, $outputlangs, 0, 1, $labeltouse); + if (!empty($labeltouse) && is_object($arraydefaultmessage) && $arraydefaultmessage->id > 0) { + $substitutionarray = getCommonSubstitutionArray($outputlangs, 0, null, $object); + complete_substitutions_array($substitutionarray, $outputlangs, $object); + $subject = make_substitutions($arraydefaultmessage->topic, $substitutionarray, $outputlangs); + $message = make_substitutions($arraydefaultmessage->content, $substitutionarray, $outputlangs); + } else { + $message = $outputlangs->transnoentities("YouReceiveMailBecauseOfNotification", $application, $mysoc->name)."\n"; + $message .= $outputlangs->transnoentities("YouReceiveMailBecauseOfNotification2", $application, $mysoc->name)."\n"; + $message .= "\n"; + $message .= $mesg; + } + $ref = dol_sanitizeFileName($newref); - $pdf_path = $dir_output."/".$ref."/".$ref.".pdf"; + $pdf_path = $dir_output."/".$ref.".pdf"; if (!dol_is_file($pdf_path)) { // We can't add PDF as it is not generated yet. $filepdf = ''; } else { $filepdf = $pdf_path; + $filename_list[] = $filepdf; + $mimetype_list[] = mime_content_type($filepdf); + $mimefilename_list[] = $ref.".pdf"; } - $message = $outputlangs->transnoentities("YouReceiveMailBecauseOfNotification", $application, $mysoc->name)."\n"; - $message .= $outputlangs->transnoentities("YouReceiveMailBecauseOfNotification2", $application, $mysoc->name)."\n"; - $message .= "\n"; - $message .= $mesg; - $parameters = array('notifcode'=>$notifcode, 'sendto'=>$sendto, 'replyto'=>$replyto, 'file'=>$filename_list, 'mimefile'=>$mimetype_list, 'filename'=>$mimefilename_list); if (!isset($action)) { $action = ''; 
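Review bot: The new `$pdf_path = $dir_output."/".$ref.".pdf";` drops the `"/".$ref."/"` directory level the removed line had, but only the invoice, order, proposal and shipment arms of the `switch` had their `$dir_output` extended with `get_exdir(...)` to compensate; for the FICHINTER_*, ORDER_SUPPLIER_*, EXPENSE_REPORT_*, HOLIDAY_* and ACTION_CREATE arms `$dir_output` is unchanged, so the PDF is now looked up one directory too high, `dol_is_file()` returns false and the attachment is silently skipped. Either extend those arms with the matching `get_exdir()` call or keep the per-ref subdirectory for them. Separately, the template branch passes `$user` to `getEMailTemplate()`; this is a method, so `$user` must be brought in with `global` somewhere above the hunk, which could not be checked here.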
@@ -653,49 +680,49 @@ class Notify switch ($notifcode) { case 'BILL_VALIDATE': - $link = ''.$newref.''; - $dir_output = $conf->facture->dir_output; + $link = ''.$newref.''; + $dir_output = $conf->facture->dir_output."/".get_exdir(0, 0, 0, 1, $object, 'invoice'); $object_type = 'facture'; $mesg = $langs->transnoentitiesnoconv("EMailTextInvoiceValidated", $link); break; case 'BILL_PAYED': - $link = ''.$newref.''; - $dir_output = $conf->facture->dir_output; + $link = ''.$newref.''; + $dir_output = $$conf->facture->dir_output."/".get_exdir(0, 0, 0, 1, $object, 'invoice'); $object_type = 'facture'; $mesg = $langs->transnoentitiesnoconv("EMailTextInvoicePayed", $link); break; case 'ORDER_VALIDATE': - $link = ''.$newref.''; - $dir_output = $conf->commande->dir_output; + $link = ''.$newref.''; + $dir_output = $conf->commande->dir_output."/".get_exdir(0, 0, 0, 1, $object, 'commande'); $object_type = 'order'; $mesg = $langs->transnoentitiesnoconv("EMailTextOrderValidated", $link); break; case 'PROPAL_VALIDATE': - $link = ''.$newref.''; - $dir_output = $conf->propal->multidir_output[$object->entity]; + $link = ''.$newref.''; + $dir_output = $conf->propal->multidir_output[$object->entity]."/".get_exdir(0, 0, 0, 1, $object, 'propal'); $object_type = 'propal'; $mesg = $langs->transnoentitiesnoconv("EMailTextProposalValidated", $link); break; case 'PROPAL_CLOSE_SIGNED': - $link = ''.$newref.''; - $dir_output = $conf->propal->multidir_output[$object->entity]; + $link = ''.$newref.''; + $dir_output = $conf->propal->multidir_output[$object->entity]."/".get_exdir(0, 0, 0, 1, $object, 'propal'); $object_type = 'propal'; $mesg = $langs->transnoentitiesnoconv("EMailTextProposalClosedSigned", $link); break; case 'FICHINTER_ADD_CONTACT': - $link = ''.$newref.''; + $link = ''.$newref.''; $dir_output = $conf->ficheinter->dir_output; $object_type = 'ficheinter'; $mesg = $langs->transnoentitiesnoconv("EMailTextInterventionAddedContact", $link); break; case 'FICHINTER_VALIDATE': - $link = 
''.$newref.''; + $link = ''.$newref.''; $dir_output = $conf->facture->dir_output; $object_type = 'ficheinter'; $mesg = $langs->transnoentitiesnoconv("EMailTextInterventionValidated", $link); break; case 'ORDER_SUPPLIER_VALIDATE': - $link = ''.$newref.''; + $link = ''.$newref.''; $dir_output = $conf->fournisseur->commande->dir_output; $object_type = 'order_supplier'; $mesg = $langs->transnoentitiesnoconv("Hello").",\n\n"; @@ -703,7 +730,7 @@ class Notify $mesg .= "\n\n".$langs->transnoentitiesnoconv("Sincerely").".\n\n"; break; case 'ORDER_SUPPLIER_APPROVE': - $link = ''.$newref.''; + $link = ''.$newref.''; $dir_output = $conf->fournisseur->commande->dir_output; $object_type = 'order_supplier'; $mesg = $langs->transnoentitiesnoconv("Hello").",\n\n"; @@ -711,7 +738,7 @@ class Notify $mesg .= "\n\n".$langs->transnoentitiesnoconv("Sincerely").".\n\n"; break; case 'ORDER_SUPPLIER_APPROVE2': - $link = ''.$newref.''; + $link = ''.$newref.''; $dir_output = $conf->fournisseur->commande->dir_output; $object_type = 'order_supplier'; $mesg = $langs->transnoentitiesnoconv("Hello").",\n\n"; @@ -719,7 +746,7 @@ class Notify $mesg .= "\n\n".$langs->transnoentitiesnoconv("Sincerely").".\n\n"; break; case 'ORDER_SUPPLIER_REFUSE': - $link = ''.$newref.''; + $link = ''.$newref.''; $dir_output = $conf->fournisseur->dir_output.'/commande/'; $object_type = 'order_supplier'; $mesg = $langs->transnoentitiesnoconv("Hello").",\n\n"; 
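Review bot: The BILL_PAYED arm writes `$dir_output = $$conf->facture->dir_output...` with a doubled dollar sign, which PHP parses as a variable-variable on the `$conf` object and will fail at runtime for every paid-invoice notification handled by this second method; it should read `$dir_output = $conf->facture->dir_output."/".get_exdir(0, 0, 0, 1, $object, 'invoice');` like the BILL_VALIDATE arm above it. While here, the FICHINTER_VALIDATE arm (context, not touched by this commit) still builds its path from `$conf->facture->dir_output` rather than `$conf->ficheinter->dir_output`, which the first method uses for the same case.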
@@ -727,37 +754,37 @@ class Notify $mesg .= "\n\n".$langs->transnoentitiesnoconv("Sincerely").".\n\n"; break; case 'SHIPPING_VALIDATE': - $link = ''.$newref.''; - $dir_output = $conf->expedition->dir_output.'/sending/'; + $link = ''.$newref.''; + $dir_output = $conf->expedition->dir_output."/sending/".get_exdir(0, 0, 0, 1, $object, 'shipment'); $object_type = 'order_supplier'; $mesg = $langs->transnoentitiesnoconv("EMailTextExpeditionValidated", $link); break; case 'EXPENSE_REPORT_VALIDATE': - $link = ''.$newref.''; + $link = ''.$newref.''; $dir_output = $conf->expensereport->dir_output; $object_type = 'expensereport'; $mesg = $langs->transnoentitiesnoconv("EMailTextExpenseReportValidated", $link); break; case 'EXPENSE_REPORT_APPROVE': - $link = ''.$newref.''; + $link = ''.$newref.''; $dir_output = $conf->expensereport->dir_output; $object_type = 'expensereport'; $mesg = $langs->transnoentitiesnoconv("EMailTextExpenseReportApproved", $link); break; case 'HOLIDAY_VALIDATE': - $link = ''.$newref.''; + $link = ''.$newref.''; $dir_output = $conf->holiday->dir_output; $object_type = 'holiday'; $mesg = $langs->transnoentitiesnoconv("EMailTextHolidayValidated", $link); break; case 'HOLIDAY_APPROVE': - $link = ''.$newref.''; + $link = ''.$newref.''; $dir_output = $conf->holiday->dir_output; $object_type = 'holiday'; $mesg = $langs->transnoentitiesnoconv("EMailTextHolidayApproved", $link); - break; + break; case 'ACTION_CREATE': - $link = ''.$newref.''; + $link = ''.$newref.''; $dir_output = $conf->agenda->dir_output; $object_type = 'action'; $mesg = $langs->transnoentitiesnoconv("EMailTextActionAdded", $link); @@ -770,6 +797,9 @@ class Notify $filepdf = ''; } else { $filepdf = $pdf_path; + $filename_list[] = $pdf_path; + $mimetype_list[] = mime_content_type($filepdf); + $mimefilename_list[] = $ref.".pdf"; } $message .= $langs->transnoentities("YouReceiveMailBecauseOfNotification2", $application, $mysoc->name)."\n"; 
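Review bot: `$filename_list[] = $pdf_path;` attaches a path whose computation is outside this hunk, and the `$dir_output` values feeding it were just extended with `get_exdir(...)` in hunks `@@ -653,49 +680,49 @@` and `@@ -727,37 +754,37 @@`. If this method still builds `$pdf_path` as `$dir_output."/".$ref."/".$ref.".pdf"` (the form the first method replaced), the ref directory is now doubled for invoices, orders, proposals and shipments and the attachment will never be found; please confirm the assignment was updated to match the first method. A short comment on the `$filename_list[]` line stating which directory layout the path assumes would help keep the two methods in step.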
diff --git a/htdocs/core/class/rssparser.class.php b/htdocs/core/class/rssparser.class.php index 0f09d232712..c11bdd5563d 100644 --- a/htdocs/core/class/rssparser.class.php +++ b/htdocs/core/class/rssparser.class.php @@ -181,7 +181,7 @@ class RssParser * @param string $urlRSS Url to parse * @param int $maxNb Max nb of records to get (0 for no limit) * @param int $cachedelay 0=No cache, nb of seconds we accept cache files (cachedir must also be defined) - * @param string $cachedir Directory where to save cache file + * @param string $cachedir Directory where to save cache file (For example $conf->externalrss->dir_temp) * @return int <0 if KO, >0 if OK */ public function parser($urlRSS, $maxNb = 0, $cachedelay = 60, $cachedir = '') @@ -189,6 +189,7 @@ class RssParser global $conf; include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; + include_once DOL_DOCUMENT_ROOT.'/core/lib/geturl.lib.php'; $rss = ''; $str = ''; // This will contain content of feed @@ -225,21 +226,10 @@ class RssParser $str = file_get_contents($newpathofdestfile); } else { try { - ini_set("user_agent", "Dolibarr ERP-CRM RSS reader"); - ini_set("max_execution_time", $conf->global->MAIN_USE_RESPONSE_TIMEOUT); - ini_set("default_socket_timeout", $conf->global->MAIN_USE_RESPONSE_TIMEOUT); - - $opts = array('http'=>array('method'=>"GET")); - if (!empty($conf->global->MAIN_USE_CONNECT_TIMEOUT)) { - $opts['http']['timeout'] = $conf->global->MAIN_USE_CONNECT_TIMEOUT; + $result = getURLContent($this->_urlRSS, 'GET', '', 1, array(), array('http', 'https'), 0); + if (!empty($result['content'])) { + $str = $result['content']; } - if (!empty($conf->global->MAIN_PROXY_USE)) { - $opts['http']['proxy'] = 'tcp://'.$conf->global->MAIN_PROXY_HOST.':'.$conf->global->MAIN_PROXY_PORT; - } - //var_dump($opts);exit; - $context = stream_context_create($opts); - - $str = file_get_contents($this->_urlRSS, false, $context); } catch (Exception $e) { print 'Error retrieving URL '.$this->_urlRSS.' - '.$e->getMessage(); } 
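Review bot: When `getURLContent()` returns no content, the new code leaves `$str` empty and falls through silently, whereas the `parser()` docblock promises `<0 if KO`; the remaining `catch (Exception $e)` is unlikely to fire for an HTTP or transport failure that is reported inside the returned array rather than thrown. Check the result for an error indication (whatever status/error fields `getURLContent()` returns) and return an error code there instead of continuing with an empty feed. The trailing arguments `array('http', 'https'), 0` look like the scheme allow-list and a local-target restriction; a comment naming that intent, e.g. `// external http(s) only, no local/private targets: a configured feed URL must not become a request to the server's own network`, would keep the hardening from being lost in a later edit (confirm against getURLContent's signature). The `print 'Error retrieving URL ...'` in the catch block, untouched here, still writes the raw URL and exception text into the page.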
diff --git a/htdocs/core/class/translate.class.php b/htdocs/core/class/translate.class.php index f391f2f6f50..f06bb32b62b 100644 --- a/htdocs/core/class/translate.class.php +++ b/htdocs/core/class/translate.class.php @@ -631,7 +631,7 @@ class Translate // We replace some HTML tags by __xx__ to avoid having them encoded by htmlentities because // we want to keep '"' '' '' '' '' '
' '< ' '' that are reliable HTML tags inside translation strings. $str = str_replace( - array('"', '', '', '', '', '', '', '
', '
', '', '', '
', '
', '', '< ', '>'), // We accept '< ' but not '<'. We can accept however '>' + array('"', '', '', '', '', '', '
', '
', '', '', '
', '
', '', '< ', '>'), // We accept '< ' but not '<'. We can accept however '>' array('__quot__', '__tagb__', '__tagbend__', '__tagu__', '__taguend__', '__tagi__', '__tagiend__', '__tagcenter__', '__tagcenterend__', '__tagb__', '__tagbend__', '__taga__', '__tagaend__', '__tagbr__', '__tagspan__', '__tagspanend__', '__ltspace__', '__gt__'), $str ); @@ -646,7 +646,7 @@ class Translate // Restore reliable HTML tags into original translation string $str = str_replace( array('__quot__', '__tagb__', '__tagbend__', '__tagu__', '__taguend__', '__tagi__', '__tagiend__', '__tagcenter__', '__tagcenterend__', '__taga__', '__tagaend__', '__tagbr__', '__tagspan__', '__tagspanend__', '__ltspace__', '__gt__'), - array('"', '', '', '', '', '', '', '
', '
', '
', '
', '', '< ', '>'), + array('"', '', '', '', '', '', '
', '
', '
', '
', '', '< ', '>'), $str ); diff --git a/htdocs/core/lib/admin.lib.php b/htdocs/core/lib/admin.lib.php index 72de6036e8f..d2c75082318 100644 --- a/htdocs/core/lib/admin.lib.php +++ b/htdocs/core/lib/admin.lib.php @@ -303,14 +303,17 @@ function run_sql($sqlfile, $silent = 1, $entity = '', $usesavepoint = 1, $handle if ($offsetforchartofaccount > 0) { // Replace lines - // 'INSERT INTO llx_accounting_account (entity, rowid, fk_pcg_version, pcg_type, account_number, account_parent, label, active) VALUES (__ENTITY__, 1401, 'PCG99-ABREGE', 'CAPIT', '1234', 1400, '...', 1);' + // 'INSERT INTO llx_accounting_account (entity, rowid, fk_pcg_version, pcg_type, account_number, account_parent, label, active) VALUES (__ENTITY__, 1401, 'PCG99-ABREGE', 'CAPIT', '1234', 1400,...' // with - // 'INSERT INTO llx_accounting_account (entity, rowid, fk_pcg_version, pcg_type, account_number, account_parent, label, active) VALUES (__ENTITY__, 1401 + 200100000, 'PCG99-ABREGE','CAPIT', '1234', 1400 + 200100000, '...', 1);' - // Note: string with 1234 instead of '1234' is also supported + // 'INSERT INTO llx_accounting_account (entity, rowid, fk_pcg_version, pcg_type, account_number, account_parent, label, active) VALUES (__ENTITY__, 1401 + 200100000, 'PCG99-ABREGE','CAPIT', '1234', 1400 + 200100000,...' + // Note: string with 'PCG99-ABREGE','CAPIT', 1234 instead of 'PCG99-ABREGE','CAPIT', '1234' is also supported $newsql = preg_replace('/VALUES\s*\(__ENTITY__, \s*(\d+)\s*,(\s*\'[^\',]*\'\s*,\s*\'[^\',]*\'\s*,\s*\'?[^\',]*\'?\s*),\s*\'?([^\',]*)\'?/ims', 'VALUES (__ENTITY__, \1 + '.$offsetforchartofaccount.', \2, \3 + '.$offsetforchartofaccount, $newsql); $newsql = preg_replace('/([,\s])0 \+ '.$offsetforchartofaccount.'/ims', '\1 0', $newsql); //var_dump($newsql); $arraysql[$i] = $newsql; + + // FIXME Because we force the rowid during insert, we must also update the sequence with postgresql by running + // SELECT dol_util_rebuild_sequences(); } } 
@@ -568,7 +571,7 @@ function dolibarr_get_const($db, $name, $entity = 1) * @param DoliDB $db Database handler * @param string $name Name of constant * @param string $value Value of constant - * @param string $type Type of constante (chaine par defaut) + * @param string $type Type of constant ('chaine by default) * @param int $visible Is constant visible in Setup->Other page (0 by default) * @param string $note Note on parameter * @param int $entity Multi company id (0 means all entities) diff --git a/htdocs/core/lib/company.lib.php b/htdocs/core/lib/company.lib.php index 05b3a717a49..3c2884e4b5b 100644 --- a/htdocs/core/lib/company.lib.php +++ b/htdocs/core/lib/company.lib.php @@ -1087,7 +1087,7 @@ function show_contacts($conf, $langs, $db, $object, $backtopage = '') $sql .= natural_search($searchAddressPhoneDBFields, $search_address); } if (count($search_roles) > 0) { - $sql .= " AND t.rowid IN (SELECT sc.fk_socpeople FROM ".MAIN_DB_PREFIX."societe_contacts as sc WHERE sc.fk_c_type_contact IN (".implode(',', $search_roles)."))"; + $sql .= " AND t.rowid IN (SELECT sc.fk_socpeople FROM ".MAIN_DB_PREFIX."societe_contacts as sc WHERE sc.fk_c_type_contact IN (".$db->sanitize(implode(',', $search_roles))."))"; } // Add where from extra fields $extrafieldsobjectkey = $contactstatic->table_element; diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index b7e7ffd5e7e..0cd03ebb475 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php 
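Review bot: `$db->sanitize(implode(',', $search_roles))` filters characters out of the joined list rather than validating each role id, so a non-numeric element can still be spliced into the `IN (...)` clause depending on what `sanitize()` strips, which is not visible here. Since `sc.fk_c_type_contact` is a foreign key, casting every element is the stricter form: `$sql .= " AND t.rowid IN (SELECT sc.fk_socpeople FROM ".MAIN_DB_PREFIX."societe_contacts as sc WHERE sc.fk_c_type_contact IN (".implode(',', array_map('intval', $search_roles))."))";`. This is hardening on top of the commit's change, not a confirmed injection. show_contacts' body starts and ends outside the hunk.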
@@ -2726,16 +2726,15 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 $original_file = $conf->bank->dir_output.'/'.$original_file;
 } elseif ($modulepart == 'export' && !empty($conf->export->dir_temp)) {
 // Wrapping for export module
- // Aucun test necessaire car on force le rep de download sur
- // le rep export qui est propre a l'utilisateur
- $accessallowed = 1;
+ // Note that a test may not be required because we force the dir of download on the directory of the user that export
+ $accessallowed = $user->rights->export->run;
 $original_file = $conf->export->dir_temp.'/'.$fuser->id.'/'.$original_file;
 } elseif ($modulepart == 'import' && !empty($conf->import->dir_temp)) {
 // Wrapping for import module
- $accessallowed = 1;
+ $accessallowed = $user->rights->import->run;
 $original_file = $conf->import->dir_temp.'/'.$original_file;
 } elseif ($modulepart == 'editor' && !empty($conf->fckeditor->dir_output)) {
- // Wrapping pour l'editeur wysiwyg
+ // Wrapping for wysiwyg editor
 $accessallowed = 1;
 $original_file = $conf->fckeditor->dir_output.'/'.$original_file;
 } elseif ($modulepart == 'systemtools' && !empty($conf->admin->dir_output)) {
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index ab9a476c923..6769c9a58d7 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -355,6 +355,7 @@ function GETPOSTISSET($paramname)
 * 'int'=check it's numeric (integer or float)
 * 'intcomma'=check it's integer+comma ('1,2,3,4...')
 * 'alpha'=Same than alphanohtml since v13
+ * 'alphawithlgt'=alpha with lgt
 * 'alphanohtml'=check there is no html content and no " and no ../
 * 'aZ'=check it's a-z only
 * 'aZ09'=check it's simple alpha string (recommended for keys)
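Review bot: The new permission checks read the global `$user`, while the export path in the same branch is built from `$fuser->id`, so whenever the two differ the right being checked belongs to a different account than the one whose directory is served; if `$fuser` is the intended subject the check should be `$accessallowed = $fuser->rights->export->run;` (and likewise for import), otherwise the mismatch deserves a comment. In both branches `$original_file` is still concatenated straight onto the temp directory with no visible traversal check — presumably it is normalised earlier in the function, worth confirming. `$user->rights->export->run` is also undefined when the export module is off, which denies access here but may emit a notice on the way. dol_check_secure_access_document's body starts and ends outside the hunk.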
@@ -745,20 +746,29 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options = case 'alpha': // No html and no ../ and " case 'alphanohtml': // Recommended for most scalar parameters and search parameters if (!is_array($out)) { + $out = dol_string_nohtmltag($out, 0); // '"' is dangerous because param in url can close the href= or src= and add javascript functions. // '../' is dangerous because it allows dir transversals - $out = str_replace(array('"', '"'), '', trim($out)); - $out = str_replace(array('../'), '', $out); + $out = trim($out); + do { + $oldstringtoclean = $out; + // Note &, '&', '&'... is a simple char like '&' alone but there is no reason to accept such way to encode input data. + $out = str_ireplace(array('&', '&', '&', '"', '"', '"', '"', '"', '/', '/', '/', '../'), '', $out); + } while ($oldstringtoclean != $out); // keep lines feed - $out = dol_string_nohtmltag($out, 0); } break; case 'alphawithlgt': // No " and no ../ but we keep balanced < > tags with no special chars inside. Can be used for email string like "Name " if (!is_array($out)) { + $out = dol_html_entity_decode($out, ENT_COMPAT | ENT_HTML5, 'UTF-8'); // '"' is dangerous because param in url can close the href= or src= and add javascript functions. // '../' is dangerous because it allows dir transversals - $out = str_replace(array('"', '"'), '', trim($out)); - $out = str_replace(array('../'), '', $out); + $out = trim($out); + do { + $oldstringtoclean = $out; + // Note &, '&', '&'... is a simple char like '&' alone but there is no reason to accept such way to encode input data. + $out = str_ireplace(array('&', '&', '&', '"', '"', '"', '"', '"', '/', '/', '/', '../'), '', $out); + } while ($oldstringtoclean != $out); } break; case 'restricthtml': // Recommended for most html textarea 
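Review bot: The new do/while loop only strips the forward-slash traversal form `../`; a backslash form (`..\`) is left untouched, which matters if the value later reaches a filesystem path on a Windows host — consider adding `'..\\'` to the str_ireplace list or normalising separators before the loop. The loop body and its character list are duplicated verbatim between the 'alphanohtml' and 'alphawithlgt' cases; a small private helper would keep the two lists from drifting apart. The entity spellings in the list are not readable in this rendering, so I cannot confirm every encoded form of `&`, `"` and `/` is covered. checkVal's body starts and ends outside the hunk.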
@@ -3521,14 +3531,15 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $ 'delete', 'dolly', 'dollyrevert', 'donation', 'download', 'edit', 'ellipsis-h', 'email', 'eraser', 'external-link-alt', 'external-link-square-alt', 'filter', 'file-code', 'file-export', 'file-import', 'file-upload', 'folder', 'folder-open', 'globe', 'globe-americas', 'grip', 'grip_title', 'group', 'help', 'holiday', - 'info', 'intervention', 'inventory', 'label', 'language', 'link', 'list', 'listlight', 'loan', 'lot', 'long-arrow-alt-right', + 'info', 'intervention', 'inventory', 'intracommreport', + 'label', 'language', 'link', 'list', 'listlight', 'loan', 'lot', 'long-arrow-alt-right', 'margin', 'map-marker-alt', 'member', 'meeting', 'money-bill-alt', 'movement', 'mrp', 'note', 'next', 'object_accounting', 'object_account', 'object_accountline', 'object_action', 'object_asset', 'object_barcode', 'object_bill', 'object_billr', 'object_billa', 'object_billd', 'object_bom', - 'object_category', 'object_conversation', 'object_bookmark', 'object_bug', 'object_clock', 'object_dolly', 'object_dollyrevert', + 'object_category', 'conferenceorbooth', 'object_conversation', 'object_bookmark', 'object_bug', 'object_clock', 'object_dolly', 'object_dollyrevert', 'object_folder', 'object_folder-open','object_generic', 'object_list-alt', 'object_calendar', 'object_calendarweek', 'object_calendarmonth', 'object_calendarday', 'object_calendarperuser', 'object_cash-register', 'object_company', 'object_contact', 'object_contract', 'object_cron', 'object_donation', 'object_dynamicprice', - 'object_globe', 'object_holiday', 'object_hrm', 'object_invoice', 'object_intervention', 'object_inventory', 'object_label', + 'object_globe', 'object_holiday', 'object_hrm', 'object_invoice', 'object_intervention', 'object_inventory', 'object_intracommreport', 'object_label', 'object_margin', 'object_members', 'object_money-bill-alt', 'object_multicurrency', 'object_order', 'object_payment', 
'object_lot', 'object_mrp', 'object_other', 'object_payment', 'object_pdf', 'object_product', 'object_propal', @@ -3538,7 +3549,7 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $ 'object_technic', 'object_ticket', 'object_trip', 'object_user', 'object_group', 'object_member', 'object_phoning', 'object_phoning_mobile', 'object_phoning_fax', 'object_email', 'object_website', 'object_movement', 'off', 'on', 'order', - 'paiment', 'play', 'pdf', 'playdisabled', 'previous', 'poll', 'pos', 'printer', 'product', 'propal', 'stock', 'resize', 'service', 'stats', 'trip', + 'paiment', 'play', 'pdf', 'phone', 'playdisabled', 'previous', 'poll', 'pos', 'printer', 'product', 'propal', 'stock', 'resize', 'service', 'stats', 'trip', 'setup', 'share-alt', 'sign-out', 'split', 'stripe', 'stripe-s', 'switch_off', 'switch_on', 'tools', 'unlink', 'uparrow', 'user', 'vcard', 'wrench', 'github', 'jabber', 'skype', 'twitter', 'facebook', 'linkedin', 'instagram', 'snapchat', 'youtube', 'google-plus-g', 'whatsapp', 'chevron-left', 'chevron-right', 'chevron-down', 'chevron-top', 'commercial', 'companies', @@ -3549,7 +3560,7 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $ 'shapes', 'supplier_proposal', 'supplier_order', 'supplier_invoice', 'timespent', 'title_setup', 'title_accountancy', 'title_bank', 'title_hrm', 'title_agenda', 'user-cog', 'website', - 'eventorganization', 'object_eventorganization' + 'conferenceorbooth', 'eventorganization', 'object_eventorganization' ))) { $pictowithouttext = str_replace('object_', '', $pictowithouttext); 
@@ -3576,7 +3587,7 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $ 'email'=>'at', 'edit'=>'pencil-alt', 'grip_title'=>'arrows-alt', 'grip'=>'arrows-alt', 'help'=>'question-circle', 'generic'=>'file', 'holiday'=>'umbrella-beach', - 'info'=>'info-circle', 'inventory'=>'boxes', 'label'=>'layer-group', 'loan'=>'money-bill-alt', + 'info'=>'info-circle', 'inventory'=>'boxes', 'intracommreport'=>'globe-europe', 'label'=>'layer-group', 'loan'=>'money-bill-alt', 'member'=>'user-alt', 'meeting'=>'chalkboard-teacher', 'mrp'=>'cubes', 'next'=>'arrow-alt-circle-right', 'trip'=>'wallet', 'group'=>'users', 'movement'=>'people-carry', 'sign-out'=>'sign-out-alt', @@ -3597,7 +3608,7 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $ 'uparrow'=>'mail-forward', 'vcard'=>'address-card', 'jabber'=>'comment-o', 'website'=>'globe-americas', - 'eventorganization'=>'id-badge' + 'conferenceorbooth'=>'chalkboard-teacher', 'eventorganization'=>'project-diagram' ); if ($pictowithouttext == 'off') { $fakey = 'fa-square'; @@ -3630,7 +3641,7 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $ if (in_array($pictowithouttext, array('dollyrevert', 'member', 'members', 'contract', 'group', 'resource', 'shipment'))) { $morecss = 'em092'; } - if (in_array($pictowithouttext, array('collab', 'holiday', 'project'))) { + if (in_array($pictowithouttext, array('conferenceorbooth', 'collab', 'eventorganization', 'holiday', 'project'))) { $morecss = 'em088'; } if (in_array($pictowithouttext, array('intervention', 'info', 'payment', 'loan', 'stock', 'technic'))) { 
@@ -3652,6 +3663,7 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $ 'action'=>'infobox-action', 'account'=>'infobox-bank_account', 'accountline'=>'infobox-bank_account', 'accountancy'=>'infobox-bank_account', 'asset'=>'infobox-bank_account', 'bank_account'=>'bg-infobox-bank_account', 'bill'=>'infobox-commande', 'billa'=>'infobox-commande', 'billr'=>'infobox-commande', 'billd'=>'infobox-commande', + 'conferenceorbooth'=>'infobox-project', 'cash-register'=>'infobox-bank_account', 'contract'=>'infobox-contrat', 'check'=>'font-status4', 'collab'=>'infobox-action', 'conversation'=>'infobox-contrat', 'donation'=>'infobox-commande', 'dollyrevert'=>'flip', 'ecm'=>'infobox-action', 'hrm'=>'infobox-adherent', 'group'=>'infobox-adherent', 'intervention'=>'infobox-contrat', @@ -3661,6 +3673,7 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $ 'user'=>'infobox-adherent', 'users'=>'infobox-adherent', 'error'=>'pictoerror', 'warning'=>'pictowarning', 'switch_on'=>'font-status4', 'holiday'=>'infobox-holiday', 'info'=>'opacityhigh', 'invoice'=>'infobox-commande', 'loan'=>'infobox-bank_account', + 'eventorganization'=>'infobox-project', 'payment'=>'infobox-bank_account', 'poll'=>'infobox-adherent', 'pos'=>'infobox-bank_account', 'project'=>'infobox-project', 'projecttask'=>'infobox-project', 'propal'=>'infobox-propal', 'recruitmentjobposition'=>'infobox-adherent', 'recruitmentcandidature'=>'infobox-adherent', 'resource'=>'infobox-action', 
@@ -6265,16 +6278,20 @@ function dol_string_nohtmltag($stringtoclean, $removelinefeed = 1, $pagecodeto = * @param int $cleanalsosomestyles Remove absolute/fixed positioning from inline styles * @param int $removeclassattribute 1=Remove the class attribute from tags * @param int $cleanalsojavascript Remove also occurence of 'javascript:'. + * @param int $allowiframe Allow iframe tags. * @return string String cleaned * * @see dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_neverthesehtmltags() */ -function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1, $removeclassattribute = 1, $cleanalsojavascript = 0) +function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1, $removeclassattribute = 1, $cleanalsojavascript = 0, $allowiframe = 0) { $allowed_tags = array( "html", "head", "meta", "body", "article", "a", "abbr", "b", "blockquote", "br", "cite", "div", "dl", "dd", "dt", "em", "font", "img", "ins", "hr", "i", "li", "link", "ol", "p", "q", "s", "section", "span", "strike", "strong", "title", "table", "tr", "th", "td", "u", "ul", "sup", "sub", "blockquote", "pre", "h1", "h2", "h3", "h4", "h5", "h6" ); + if ($allowiframe) { + $allowed_tags[] = "iframe"; + } $allowed_tags_string = join("><", $allowed_tags); $allowed_tags_string = '<'.$allowed_tags_string.'>'; 
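Review bot: With `$allowiframe` set an `<iframe>` now survives the tag filter, but nothing in this hunk constrains its `src`; the `javascript:` cleanup is only applied when `$cleanalsojavascript` is non-zero (it defaults to 0 in the signature), so a frame with a `javascript:` source would appear to pass through unless every caller opts in, and an `http:` source embeds arbitrary third-party content in the page. Consider forcing the cleanup whenever frames are allowed, `if ($allowiframe) { $allowed_tags[] = "iframe"; $cleanalsojavascript = 1; }`, or restricting the source scheme where attributes are filtered. Whether the remainder of the body applies further checks to iframe attributes is not visible here. dol_string_onlythesehtmltags continues past the hunk.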
@@ -6320,9 +6337,11 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1, * * @see dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_onlythesehtmltags() dol_string_neverthesehtmltags() */ -function dol_string_onlythesehtmlattributes($stringtoclean, $allowed_attributes = array("alt", "class", "contenteditable", "data-html", "href", "id", "name", "src", "style", "target", "title")) +function dol_string_onlythesehtmlattributes($stringtoclean, $allowed_attributes = array("allow", "allowfullscreen", "alt", "class", "contenteditable", "data-html", "frameborder", "height", "href", "id", "name", "src", "style", "target", "title", "width")) { if (class_exists('DOMDocument') && !empty($stringtoclean)) { + $stringtoclean = ''.$stringtoclean.''; + $dom = new DOMDocument(); $dom->loadHTML($stringtoclean, LIBXML_ERR_NONE|LIBXML_HTML_NOIMPLIED|LIBXML_HTML_NODEFDTD|LIBXML_NONET|LIBXML_NOWARNING|LIBXML_NOXMLDECL); if (is_object($dom)) { @@ -6336,7 +6355,12 @@ function dol_string_onlythesehtmlattributes($stringtoclean, $allowed_attributes } } - return $dom->saveHTML(); + $return = $dom->saveHTML(); + + //$return = 'aaaa

bb

ssdd

'."\n

aaa

aa

bb

"; + $return = preg_replace('/^/', '', $return); + $return = preg_replace('/<\/body><\/html>$/', '', $return); + return $return; } else { return $stringtoclean; } diff --git a/htdocs/core/lib/functions2.lib.php b/htdocs/core/lib/functions2.lib.php index 9fd7f5e7e8a..0703df95255 100644 --- a/htdocs/core/lib/functions2.lib.php +++ b/htdocs/core/lib/functions2.lib.php @@ -1230,7 +1230,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $ if ($bentityon) { // only if entity enable $sql .= " AND entity IN (".getEntity($sharetable).")"; } elseif (!empty($forceentity)) { - $sql .= " AND entity IN (".$forceentity.")"; + $sql .= " AND entity IN (".$db->sanitize($forceentity).")"; } if ($where) { $sql .= $where; @@ -1290,7 +1290,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $ if ($bentityon) { // only if entity enable $sql .= " AND entity IN (".getEntity($sharetable).")"; } elseif (!empty($forceentity)) { - $sql .= " AND entity IN (".$forceentity.")"; + $sql .= " AND entity IN (".$db->sanitize($forceentity).")"; } if ($where) { $sql .= $where; @@ -1351,7 +1351,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $ if ($bentityon) { // only if entity enable $maskrefclient_sql .= " AND entity IN (".getEntity($sharetable).")"; } elseif (!empty($forceentity)) { - $sql .= " AND entity IN (".$forceentity.")"; + $sql .= " AND entity IN (".$db->sanitize($forceentity).")"; } if ($where) { $maskrefclient_sql .= $where; //use the same optional where as general mask 
@@ -2254,7 +2254,7 @@ function cleanCorruptedTree($db, $tabletocleantree, $fieldfkparent) $sql = "UPDATE ".MAIN_DB_PREFIX.$tabletocleantree; $sql .= " SET ".$fieldfkparent." = 0"; - $sql .= " WHERE rowid IN (".join(',', $listofidtoclean).")"; // So we update only records detected wrong + $sql .= " WHERE rowid IN (".$db->sanitize(join(',', $listofidtoclean)).")"; // So we update only records detected wrong $resql = $db->query($sql); if ($resql) { $nb = $db->affected_rows($sql); @@ -2271,7 +2271,7 @@ function cleanCorruptedTree($db, $tabletocleantree, $fieldfkparent) // Check and clean orphelins $sql = "UPDATE ".MAIN_DB_PREFIX.$tabletocleantree; $sql .= " SET ".$fieldfkparent." = 0"; - $sql .= " WHERE ".$fieldfkparent." NOT IN (".join(',', $listofid).")"; // So we update only records linked to a non existing parent + $sql .= " WHERE ".$fieldfkparent." NOT IN (".$db->sanitize(join(',', $listofid), 1).")"; // So we update only records linked to a non existing parent $resql = $db->query($sql); if ($resql) { $nb = $db->affected_rows($sql); diff --git a/htdocs/core/lib/invoice2.lib.php b/htdocs/core/lib/invoice2.lib.php index ca5fc61b60a..e6680293b64 100644 --- a/htdocs/core/lib/invoice2.lib.php +++ b/htdocs/core/lib/invoice2.lib.php @@ -130,7 +130,7 @@ function rebuild_merge_pdf($db, $langs, $conf, $diroutputpdf, $newlangid, $filte } else { $sqlwhere .= " AND"; } - $sqlwhere .= ' f.fk_soc NOT IN ('.join(',', $thirdpartiesid).')'; + $sqlwhere .= ' f.fk_soc NOT IN ('.$db->sanitize(join(',', $thirdpartiesid)).')'; } if (in_array('onlythirdparties', $filter) && is_array($thirdpartiesid)) { if (empty($sqlwhere)) { @@ -138,7 +138,7 @@ function rebuild_merge_pdf($db, $langs, $conf, $diroutputpdf, $newlangid, $filte } else { $sqlwhere .= " AND"; } - $sqlwhere .= ' f.fk_soc IN ('.join(',', $thirdpartiesid).')'; + $sqlwhere .= ' f.fk_soc IN ('.$db->sanitize(join(',', $thirdpartiesid)).')'; } if ($sqlwhere) { $sql .= $sqlwhere; 
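Review bot: `$db->sanitize(join(',', $listofid), 1)` passes a second argument that the parallel call in the preceding hunk, `$db->sanitize(join(',', $listofidtoclean))`, omits; for a `NOT IN` over integer rowids the extra flag looks unnecessary, and if it relaxes the filtering (I cannot confirm its meaning from here) it weakens the very check being added. Both joins also yield `IN ()` when the list is empty, a syntax error on common engines — guard with `if (!empty($listofid))` and cast the elements with `array_map('intval', ...)` so the sanitize call becomes belt-and-braces rather than the only defence. cleanCorruptedTree's body starts and ends outside the hunk.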
diff --git a/htdocs/core/lib/product.lib.php b/htdocs/core/lib/product.lib.php index d5d52761140..e8ce515317f 100644 --- a/htdocs/core/lib/product.lib.php +++ b/htdocs/core/lib/product.lib.php @@ -328,6 +328,11 @@ function product_lot_admin_prepare_head() $h = 0; $head = array(); + $head[$h][0] = DOL_URL_ROOT."/product/admin/product_lot.php"; + $head[$h][1] = $langs->trans('Parameters'); + $head[$h][2] = 'settings'; + $h++; + // Show more tabs from modules // Entries must be declared in modules descriptor with line // $this->tabs = array('entity:+tabname:Title:@mymodule:/mymodule/mypage.php?id=__ID__'); to add new tab diff --git a/htdocs/core/lib/project.lib.php b/htdocs/core/lib/project.lib.php index f2dbacc3ab4..8fef0916ff8 100644 --- a/htdocs/core/lib/project.lib.php +++ b/htdocs/core/lib/project.lib.php @@ -2378,9 +2378,9 @@ function print_projecttasks_array($db, $form, $socid, $projectsListId, $mytasks $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."projet_task as t ON p.rowid = t.fk_projet"; } $sql .= " WHERE p.entity IN (".getEntity('project').")"; - $sql .= " AND p.rowid IN (".$projectsListId.")"; + $sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")"; if ($socid) { - $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")"; + $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".((int) $socid).")"; } if ($mytasks) { $sql .= " AND p.rowid = t.fk_projet"; 
@@ -2436,7 +2436,7 @@ function print_projecttasks_array($db, $form, $socid, $projectsListId, $mytasks $sql2 .= " FROM ".MAIN_DB_PREFIX."projet as p"; $sql2 .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = p.fk_soc"; $sql2 .= " LEFT JOIN ".MAIN_DB_PREFIX."projet_task as t ON p.rowid = t.fk_projet"; - $sql2 .= " WHERE p.rowid IN (".join(',', $arrayidofprojects).")"; + $sql2 .= " WHERE p.rowid IN (".$db->sanitize(join(',', $arrayidofprojects)).")"; $sql2 .= " GROUP BY p.rowid, p.ref, p.title, p.fk_soc, s.rowid, s.nom, s.name_alias, s.code_client, s.code_compta, s.client, s.code_fournisseur, s.code_compta_fournisseur, s.fournisseur,"; $sql2 .= " s.logo, s.email, s.entity, p.fk_user_creat, p.public, p.fk_statut, p.fk_opp_status, p.opp_percent, p.opp_amount, p.dateo, p.datee"; $sql2 .= " ORDER BY p.title, p.ref"; diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index 5bcad053795..57e3db85402 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php 
@@ -595,27 +595,27 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand if (($feature == 'user' || $feature == 'usergroup') && !empty($conf->multicompany->enabled)) { // Special for multicompany if (!empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) { if ($conf->entity == 1 && $user->admin && !$user->entity) { - $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")"; + $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")"; $sql .= " AND dbt.entity IS NOT NULL"; } else { $sql .= ",".MAIN_DB_PREFIX."usergroup_user as ug"; - $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")"; + $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")"; $sql .= " AND ((ug.fk_user = dbt.rowid"; $sql .= " AND ug.entity IN (".getEntity('usergroup')."))"; $sql .= " OR dbt.entity = 0)"; // Show always superadmin } } else { - $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")"; + $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")"; $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")"; } } else { $reg = array(); if ($parenttableforentity && preg_match('/(.*)@(.*)/', $parenttableforentity, $reg)) { $sql .= ", ".MAIN_DB_PREFIX.$reg[2]." as dbtp"; - $sql .= " WHERE dbt.".$reg[1]." = dbtp.rowid AND dbt.".$dbt_select." IN (".$objectid.")"; + $sql .= " WHERE dbt.".$reg[1]." = dbtp.rowid AND dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")"; $sql .= " AND dbtp.entity IN (".getEntity($sharedelement, 1).")"; } else { - $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")"; + $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")"; $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")"; } } 
@@ -630,7 +630,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 $sql = "SELECT COUNT(sc.fk_soc) as nb";
 $sql .= " FROM (".MAIN_DB_PREFIX."societe_commerciaux as sc";
 $sql .= ", ".MAIN_DB_PREFIX."societe as s)";
- $sql .= " WHERE sc.fk_soc IN (".$objectid.")";
+ $sql .= " WHERE sc.fk_soc IN (".$db->sanitize($objectid, 1).")";
 $sql .= " AND sc.fk_user = ".$user->id;
 $sql .= " AND sc.fk_soc = s.rowid";
 $sql .= " AND s.entity IN (".getEntity($sharedelement, 1).")";
@@ -638,7 +638,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 // If multicompany and internal users with all permissions, check user is in correct entity
 $sql = "SELECT COUNT(s.rowid) as nb";
 $sql .= " FROM ".MAIN_DB_PREFIX."societe as s";
- $sql .= " WHERE s.rowid IN (".$objectid.")";
+ $sql .= " WHERE s.rowid IN (".$db->sanitize($objectid, 1).")";
 $sql .= " AND s.entity IN (".getEntity($sharedelement, 1).")";
 }
 } elseif (in_array($feature, $checkother)) { // Test on entity + link to thirdparty. Allowed if link is empty (Ex: contacts...).
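Review bot: `$objectid` is now passed through `sanitize()`, but the next line of the same statement still concatenates `$user->id` raw (`$sql .= " AND sc.fk_user = ".$user->id;`), whereas the hunk at line 646 of this file casts it as `((int) $user->id)`. The value comes from the session rather than the request, so the exposure is small, but the cast keeps the function's own convention: `$sql .= " AND sc.fk_user = ".((int) $user->id);`. checkUserAccessToObject's body starts and ends outside the hunk.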
@@ -646,21 +646,21 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand if ($user->socid > 0) { $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb"; $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt"; - $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")"; + $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")"; $sql .= " AND dbt.fk_soc = ".$user->socid; } elseif (!empty($conf->societe->enabled) && ($user->rights->societe->lire && !$user->rights->societe->client->voir)) { // If internal user: Check permission for internal users that are restricted on their objects $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb"; $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id); - $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")"; + $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")"; $sql .= " AND (dbt.fk_soc IS NULL OR sc.fk_soc IS NOT NULL)"; // Contact not linked to a company or to a company of user $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")"; } elseif (!empty($conf->multicompany->enabled)) { // If multicompany and internal users with all permissions, check user is in correct entity $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb"; $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt"; - $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")"; + $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")"; $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")"; } if ($feature == 'agenda') { 
@@ -686,7 +686,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 } else {
 $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
- $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
+ $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
 $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
 }
 } elseif (in_array($feature, $checktask)) {
@@ -704,7 +704,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 } else {
 $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
- $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
+ $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
 $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
 }
 } elseif (!in_array($feature, $nocheck)) { // By default (case of $checkdefault), we check on object entity + link to third party on field $dbt_keyfield
@@ -715,7 +715,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 }
 $sql = "SELECT COUNT(dbt.".$dbt_keyfield.") as nb";
 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
- $sql .= " WHERE dbt.rowid IN (".$objectid.")";
+ $sql .= " WHERE dbt.rowid IN (".$db->sanitize($objectid, 1).")";
 $sql .= " AND dbt.".$dbt_keyfield." = ".$user->socid;
 } elseif (!empty($conf->societe->enabled) && !$user->rights->societe->client->voir) {
 // If internal user: Check permission for internal users that are restricted on their objects
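Review bot: In the third hunk here, the line right after the sanitized `IN (...)` still builds `$sql .= " AND dbt.".$dbt_keyfield." = ".$user->socid;` by raw concatenation; this branch is presumably entered under a `$user->socid > 0` test like the sibling branch earlier in the function, so `((int) $user->socid)` would close the last unparameterised value in the query at no cost. `$dbt_keyfield` is likewise interpolated as an identifier — presumably it comes from a fixed table in the caller, worth confirming. checkUserAccessToObject's body starts and ends outside the hunk.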
@@ -726,7 +726,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand $sql = "SELECT COUNT(sc.fk_soc) as nb"; $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt"; $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")"; + $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")"; $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")"; $sql .= " AND sc.fk_soc = dbt.".$dbt_keyfield; $sql .= " AND sc.fk_user = ".$user->id; @@ -735,7 +735,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb"; $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON sc.fk_soc = dbt.".$dbt_keyfield." AND sc.fk_user = ".$user->id; - $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")"; + $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")"; $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")"; $sql .= " AND (sc.fk_user = ".$user->id." OR sc.fk_user IS NULL)"; } @@ -743,10 +743,11 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand // If multicompany and internal users with all permissions, check user is in correct entity $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb"; $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt"; - $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")"; + $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")"; $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")"; } } + //print $sql; if ($sql) { $resql = $db->query($sql); @@ -756,6 +757,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand return false; } } else { + dol_syslog("Bad forged sql in checkUserAccessToObject", LOG_WARNING); return false; } } 
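Review bot: The `sanitize()` call on `$objectid` leaves `sc.fk_user = ".$user->id` on the line below it still uncast, and the following hunk (`@@ -735`) does the same twice on its JOIN and WHERE lines, while the hunk at 646 writes `((int) $user->id)`; use one convention, `((int) $user->id)`, for all of them. The value comes from the authenticated session so the exposure is small, but mixed styles in a security helper invite the next copy-paste to get it wrong. checkUserAccessToObject's body starts and ends outside the hunk.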
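Review bot: The added `dol_syslog("Bad forged sql in checkUserAccessToObject", LOG_WARNING);` fires when the query fails but records neither the database error nor which feature was being checked, so the warning cannot be acted on from the log alone; include both, e.g. `dol_syslog("Bad forged sql in checkUserAccessToObject for feature ".$feature.": ".$db->lasterror(), LOG_WARNING);` (assuming DoliDB exposes the last error as `lasterror()` — confirm). The `//print $sql;` introduced by the previous hunk is a debug remnant that should be removed before merge. The function's body starts and ends outside the hunk.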
diff --git a/htdocs/core/lib/tax.lib.php b/htdocs/core/lib/tax.lib.php index c66d16b6736..743a847b2f2 100644 --- a/htdocs/core/lib/tax.lib.php +++ b/htdocs/core/lib/tax.lib.php @@ -143,9 +143,13 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di $sql = "SELECT d.rowid, d.product_type as dtype, d.".$fk_facture." as facid, d.$f_rate as rate, d.total_ht as total_ht, d.total_ttc as total_ttc, d.".$total_tva." as total_vat, d.description as descr,"; $sql .= " d.".$total_localtax1." as total_localtax1, d.".$total_localtax2." as total_localtax2, "; $sql .= " d.date_start as date_start, d.date_end as date_end,"; - $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef, s.nom as company_name, s.rowid as company_id,"; - $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,"; - $sql .= " 0 as payment_id, 0 as payment_amount"; + $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef,"; + $sql .= " s.nom as company_name, s.name_alias as company_alias, s.rowid as company_id, s.client as company_client, s.fournisseur as company_fournisseur, s.email as company_email,"; + $sql .= " s.code_client as company_customer_code, s.code_fournisseur as company_supplier_code,"; + $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,"; + $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,"; + $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype, p.tosell as pstatus, p.tobuy as pstatusbuy,"; + $sql .= " 0 as payment_id, '' as payment_ref, 0 as payment_amount"; $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f,"; $sql .= " ".MAIN_DB_PREFIX."societe as s,"; $sql .= " ".MAIN_DB_PREFIX.$invoicedettable." as d"; 
@@ -167,7 +171,8 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
 $sql .= " AND f.datef <= '".$db->idate(dol_get_last_day($y, 12, false))."'";
 }
 if ($q) {
- $sql .= " AND (date_format(f.datef,'%m') > ".(($q - 1) * 3)." AND date_format(f.datef,'%m') <= ".($q * 3).")";
+ $sql .= " AND f.datef > '".$db->idate(dol_get_first_day($y, (($q - 1) * 3) + 1, false))."'";
+ $sql .= " AND f.datef <= '".$db->idate(dol_get_last_day($y, ($q * 3), false))."'";
 }
 if ($date_start && $date_end) {
 $sql .= " AND f.datef >= '".$db->idate($date_start)."' AND f.datef <= '".$db->idate($date_end)."'";
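Review bot: The new lower bound uses a strict comparison, `f.datef > '".$db->idate(dol_get_first_day(...))."'`, so an invoice dated exactly on the first day of the quarter is excluded, whereas the `$date_start` branch two lines below uses `>=` and the replaced month-based test was inclusive; change it to `$sql .= " AND f.datef >= '".$db->idate(dol_get_first_day($y, (($q - 1) * 3) + 1, false))."'";`. This assumes `dol_get_first_day()` returns midnight of that day and `dol_get_last_day()` the end of its day; if the latter returns midnight instead, the `<=` upper bound has the mirror-image gap. tax_by_thirdparty's body starts and ends outside the hunk.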
@@ -183,10 +188,14 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di $sql = "SELECT d.rowid, d.product_type as dtype, d.".$fk_facture." as facid, d.$f_rate as rate, d.total_ht as total_ht, d.total_ttc as total_ttc, d.".$total_tva." as total_vat, d.description as descr,"; $sql .= " d.".$total_localtax1." as total_localtax1, d.".$total_localtax2." as total_localtax2, "; $sql .= " d.date_start as date_start, d.date_end as date_end,"; - $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef, s.nom as company_name, s.rowid as company_id,"; - $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,"; + $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef,"; + $sql .= " s.nom as company_name, s.name_alias as company_alias, s.rowid as company_id, s.client as company_client, s.fournisseur as company_fournisseur, s.email as company_email,"; + $sql .= " s.code_client as company_customer_code, s.code_fournisseur as company_supplier_code,"; + $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,"; + $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,"; + $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype, p.tosell as pstatus, p.tobuy as pstatusbuy,"; $sql .= " pf.".$fk_payment." as payment_id, pf.amount as payment_amount,"; - $sql .= " pa.datep as datep"; + $sql .= " pa.datep as datep, pa.ref as payment_ref"; $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f,"; $sql .= " ".MAIN_DB_PREFIX.$paymentfacturetable." as pf,"; $sql .= " ".MAIN_DB_PREFIX.$paymenttable." as pa,"; 
@@ -212,7 +221,8 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
  $sql .= " AND pa.datep <= '".$db->idate(dol_get_last_day($y, 12, false))."'";
  }
  if ($q) {
- $sql .= " AND (date_format(pa.datep,'%m') > ".(($q - 1) * 3)." AND date_format(pa.datep,'%m') <= ".($q * 3).")";
+ $sql .= " AND pa.datep > '".$db->idate(dol_get_first_day($y, (($q - 1) * 3) + 1, false))."'";
+ $sql .= " AND pa.datep <= '".$db->idate(dol_get_last_day($y, ($q * 3), false))."'";
  }
  if ($date_start && $date_end) {
  $sql .= " AND pa.datep >= '".$db->idate($date_start)."' AND pa.datep <= '".$db->idate($date_end)."'";
@@ -263,8 +273,20 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
  $list[$assoc['company_id']]['dtype'][] = $assoc['dtype'];
  $list[$assoc['company_id']]['datef'][] = $db->jdate($assoc['datef']);
  $list[$assoc['company_id']]['datep'][] = $db->jdate($assoc['datep']);
+ $list[$assoc['company_id']]['company_name'][] = $assoc['company_name'];
  $list[$assoc['company_id']]['company_id'][] = $assoc['company_id'];
+ $list[$assoc['company_id']]['company_alias'][] = $assoc['company_alias'];
+ $list[$assoc['company_id']]['company_email'][] = $assoc['company_email'];
+ $list[$assoc['company_id']]['company_tva_intra'][] = $assoc['company_tva_intra'];
+ $list[$assoc['company_id']]['company_client'][] = $assoc['company_client'];
+ $list[$assoc['company_id']]['company_fournisseur'][] = $assoc['company_fournisseur'];
+ $list[$assoc['company_id']]['company_customer_code'][] = $assoc['company_customer_code'];
+ $list[$assoc['company_id']]['company_supplier_code'][] = $assoc['company_supplier_code'];
+ $list[$assoc['company_id']]['company_customer_accounting_code'][] = $assoc['company_customer_accounting_code'];
+ $list[$assoc['company_id']]['company_supplier_accounting_code'][] = $assoc['company_supplier_accounting_code'];
+ $list[$assoc['company_id']]['company_status'][] = $assoc['company_status'];
+
  $list[$assoc['company_id']]['drate'][] = $assoc['rate'];
  $list[$assoc['company_id']]['ddate_start'][] = $db->jdate($assoc['date_start']);
  $list[$assoc['company_id']]['ddate_end'][] = $db->jdate($assoc['date_end']);
@@ -306,9 +328,13 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
  $sql = "SELECT d.rowid, d.product_type as dtype, d.".$fk_facture." as facid, d.$f_rate as rate, d.total_ht as total_ht, d.total_ttc as total_ttc, d.".$total_tva." as total_vat, d.description as descr,";
  $sql .= " d.".$total_localtax1." as total_localtax1, d.".$total_localtax2." as total_localtax2, ";
  $sql .= " d.date_start as date_start, d.date_end as date_end,";
- $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef, s.nom as company_name, s.rowid as company_id,";
- $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,";
- $sql .= " 0 as payment_id, 0 as payment_amount";
+ $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef,";
+ $sql .= " s.nom as company_name, s.name_alias as company_alias, s.rowid as company_id, s.client as company_client, s.fournisseur as company_fournisseur, s.email as company_email,";
+ $sql .= " s.code_client as company_customer_code, s.code_fournisseur as company_supplier_code,";
+ $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,";
+ $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,";
+ $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype, p.tosell as pstatus, p.tobuy as pstatusbuy,";
+ $sql .= " 0 as payment_id, '' as payment_ref, 0 as payment_amount";
  $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f,";
  $sql .= " ".MAIN_DB_PREFIX."societe as s,";
  $sql .= " ".MAIN_DB_PREFIX.$invoicedettable." as d";
@@ -330,7 +356,8 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
  $sql .= " AND f.datef <= '".$db->idate(dol_get_last_day($y, 12, false))."'";
  }
  if ($q) {
- $sql .= " AND (date_format(f.datef,'%m') > ".(($q - 1) * 3)." AND date_format(f.datef,'%m') <= ".($q * 3).")";
+ $sql .= " AND f.datef > '".$db->idate(dol_get_first_day($y, (($q - 1) * 3) + 1, false))."'";
+ $sql .= " AND f.datef <= '".$db->idate(dol_get_last_day($y, ($q * 3), false))."'";
  }
  if ($date_start && $date_end) {
  $sql .= " AND f.datef >= '".$db->idate($date_start)."' AND f.datef <= '".$db->idate($date_end)."'";
@@ -346,10 +373,14 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
  $sql = "SELECT d.rowid, d.product_type as dtype, d.".$fk_facture." as facid, d.$f_rate as rate, d.total_ht as total_ht, d.total_ttc as total_ttc, d.".$total_tva." as total_vat, d.description as descr,";
  $sql .= " d.".$total_localtax1." as total_localtax1, d.".$total_localtax2." as total_localtax2, ";
  $sql .= " d.date_start as date_start, d.date_end as date_end,";
- $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef, s.nom as company_name, s.rowid as company_id,";
- $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,";
+ $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef,";
+ $sql .= " s.nom as company_name, s.name_alias as company_alias, s.rowid as company_id, s.client as company_client, s.fournisseur as company_fournisseur, s.email as company_email,";
+ $sql .= " s.code_client as company_customer_code, s.code_fournisseur as company_supplier_code,";
+ $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,";
+ $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,";
+ $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype, p.tosell as pstatus, p.tobuy as pstatusbuy,";
  $sql .= " pf.".$fk_payment." as payment_id, pf.amount as payment_amount,";
- $sql .= " pa.datep as datep";
+ $sql .= " pa.datep as datep, pa.ref as payment_ref";
  $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f,";
  $sql .= " ".MAIN_DB_PREFIX.$paymentfacturetable." as pf,";
  $sql .= " ".MAIN_DB_PREFIX.$paymenttable." as pa,";
@@ -375,7 +406,8 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
  $sql .= " AND pa.datep <= '".$db->idate(dol_get_last_day($y, 12, false))."'";
  }
  if ($q) {
- $sql .= " AND (date_format(pa.datep,'%m') > ".(($q - 1) * 3)." AND date_format(pa.datep,'%m') <= ".($q * 3).")";
+ $sql .= " AND pa.datep > '".$db->idate(dol_get_first_day($y, (($q - 1) * 3) + 1, false))."'";
+ $sql .= " AND pa.datep <= '".$db->idate(dol_get_last_day($y, ($q * 3), false))."'";
  }
  if ($date_start && $date_end) {
  $sql .= " AND pa.datep >= '".$db->idate($date_start)."' AND pa.datep <= '".$db->idate($date_end)."'";
@@ -426,8 +458,20 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
  $list[$assoc['company_id']]['dtype'][] = $assoc['dtype'];
  $list[$assoc['company_id']]['datef'][] = $db->jdate($assoc['datef']);
  $list[$assoc['company_id']]['datep'][] = $db->jdate($assoc['datep']);
+ $list[$assoc['company_id']]['company_name'][] = $assoc['company_name'];
  $list[$assoc['company_id']]['company_id'][] = $assoc['company_id'];
+ $list[$assoc['company_id']]['company_alias'][] = $assoc['company_alias'];
+ $list[$assoc['company_id']]['company_email'][] = $assoc['company_email'];
+ $list[$assoc['company_id']]['company_tva_intra'][] = $assoc['company_tva_intra'];
+ $list[$assoc['company_id']]['company_client'][] = $assoc['company_client'];
+ $list[$assoc['company_id']]['company_fournisseur'][] = $assoc['company_fournisseur'];
+ $list[$assoc['company_id']]['company_customer_code'][] = $assoc['company_customer_code'];
+ $list[$assoc['company_id']]['company_supplier_code'][] = $assoc['company_supplier_code'];
+ $list[$assoc['company_id']]['company_customer_accounting_code'][] = $assoc['company_customer_accounting_code'];
+ $list[$assoc['company_id']]['company_supplier_accounting_code'][] = $assoc['company_supplier_accounting_code'];
+ $list[$assoc['company_id']]['company_status'][] = $assoc['company_status'];
+
  $list[$assoc['company_id']]['drate'][] = $assoc['rate'];
  $list[$assoc['company_id']]['ddate_start'][] = $db->jdate($assoc['date_start']);
  $list[$assoc['company_id']]['ddate_end'][] = $db->jdate($assoc['date_end']);
@@ -448,6 +492,7 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
  $list[$assoc['company_id']]['ptype'][] = $assoc['ptype'];
  $list[$assoc['company_id']]['payment_id'][] = $assoc['payment_id'];
+ $list[$assoc['company_id']]['payment_ref'][] = $assoc['payment_ref'];
  $list[$assoc['company_id']]['payment_amount'][] = $assoc['payment_amount'];
  $company_id = $assoc['company_id'];
@@ -484,7 +529,8 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
  $sql .= " AND p.datep <= '".$db->idate(dol_get_last_day($y, 12, false))."'";
  }
  if ($q) {
- $sql .= " AND (date_format(p.datep,'%m') > ".(($q - 1) * 3)." AND date_format(p.datep,'%m') <= ".($q * 3).")";
+ $sql .= " AND p.datep > '".$db->idate(dol_get_first_day($y, (($q - 1) * 3) + 1, false))."'";
+ $sql .= " AND p.datep <= '".$db->idate(dol_get_last_day($y, ($q * 3), false))."'";
  }
  if ($date_start && $date_end) {
  $sql .= " AND p.datep >= '".$db->idate($date_start)."' AND p.datep <= '".$db->idate($date_end)."'";
@@ -534,8 +580,20 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
  $list[$assoc['company_id']]['dtotal_ttc'][] = $assoc['total_ttc'];
  $list[$assoc['company_id']]['dtype'][] = 'ExpenseReportPayment';
  $list[$assoc['company_id']]['datef'][] = $assoc['datef'];
+ $list[$assoc['company_id']]['company_name'][] = '';
  $list[$assoc['company_id']]['company_id'][] = '';
+ $list[$assoc['company_id']]['company_alias'][] = '';
+ $list[$assoc['company_id']]['company_email'][] = '';
+ $list[$assoc['company_id']]['company_tva_intra'][] = '';
+ $list[$assoc['company_id']]['company_client'][] = '';
+ $list[$assoc['company_id']]['company_fournisseur'][] = '';
+ $list[$assoc['company_id']]['company_customer_code'][] = '';
+ $list[$assoc['company_id']]['company_supplier_code'][] = '';
+ $list[$assoc['company_id']]['company_customer_accounting_code'][] = '';
+ $list[$assoc['company_id']]['company_supplier_accounting_code'][] = '';
+ $list[$assoc['company_id']]['company_status'][] = '';
+
  $list[$assoc['company_id']]['user_id'][] = $assoc['fk_user_author'];
  $list[$assoc['company_id']]['drate'][] = $assoc['rate'];
  $list[$assoc['company_id']]['ddate_start'][] = $db->jdate($assoc['date_start']);
@@ -557,6 +615,7 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
  $list[$assoc['company_id']]['ptype'][] = 'ExpenseReportPayment';
  $list[$assoc['company_id']]['payment_id'][] = $assoc['payment_id'];
+ $list[$assoc['company_id']]['payment_ref'][] = $assoc['payment_ref'];
  $list[$assoc['company_id']]['payment_amount'][] = $assoc['payment_amount'];
  $company_id = $assoc['company_id'];
@@ -630,7 +689,7 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire
  $total_localtax2 = 'total_localtax2';
- // CAS DES BIENS/PRODUITS
+ // CASE OF PRODUCTS/GOODS
  // Define sql request
  $sql = '';
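Review bot: `$assoc['payment_ref']` is read in the ExpenseReportPayment branch here (and again in the `@@ -1042` hunk of tax_by_rate), but the expense-report query those loops iterate is not touched anywhere in this diff; the only SELECT changes visible add `pa.ref as payment_ref` to the invoice/payment queries. If that query was not given a `payment_ref` alias in the same commit, every expense-report row raises an undefined-index notice and stores null. Either alias the reference column of that table as `payment_ref` in its SELECT, or make the read defensive: `$list[$assoc['company_id']]['payment_ref'][] = isset($assoc['payment_ref']) ? $assoc['payment_ref'] : '';`. The enclosing loop starts and ends outside the hunk.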
@@ -640,9 +699,13 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire
  $sql = "SELECT d.rowid, d.product_type as dtype, d.".$fk_facture." as facid, d.$f_rate as rate, d.total_ht as total_ht, d.total_ttc as total_ttc, d.".$total_tva." as total_vat, d.description as descr,";
  $sql .= " d.".$total_localtax1." as total_localtax1, d.".$total_localtax2." as total_localtax2, ";
  $sql .= " d.date_start as date_start, d.date_end as date_end,";
- $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef, s.nom as company_name, s.rowid as company_id,";
+ $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef,";
+ $sql .= " s.nom as company_name, s.name_alias as company_alias, s.rowid as company_id, s.client as company_client, s.fournisseur as company_fournisseur, s.email as company_email,";
+ $sql .= " s.code_client as company_customer_code, s.code_fournisseur as company_supplier_code,";
+ $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,";
+ $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,";
  $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,";
- $sql .= " 0 as payment_id, 0 as payment_amount";
+ $sql .= " 0 as payment_id, '' as payment_ref, 0 as payment_amount";
  $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f";
  $sql .= " INNER JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc";
  $sql .= " INNER JOIN ".MAIN_DB_PREFIX.$invoicedettable." as d ON d.".$fk_facture."=f.rowid";
@@ -662,7 +725,8 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire
  $sql .= " AND f.datef <= '".$db->idate(dol_get_last_day($y, 12, false))."'";
  }
  if ($q) {
- $sql .= " AND (date_format(f.datef,'%m') > ".(($q - 1) * 3)." AND date_format(f.datef,'%m') <= ".($q * 3).")";
+ $sql .= " AND f.datef > '".$db->idate(dol_get_first_day($y, (($q - 1) * 3) + 1, false))."'";
+ $sql .= " AND f.datef <= '".$db->idate(dol_get_last_day($y, ($q * 3), false))."'";
  }
  if ($date_start && $date_end) {
  $sql .= " AND f.datef >= '".$db->idate($date_start)."' AND f.datef <= '".$db->idate($date_end)."'";
@@ -678,10 +742,14 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire
  $sql = "SELECT d.rowid, d.product_type as dtype, d.".$fk_facture." as facid, d.$f_rate as rate, d.total_ht as total_ht, d.total_ttc as total_ttc, d.".$total_tva." as total_vat, d.description as descr,";
  $sql .= " d.".$total_localtax1." as total_localtax1, d.".$total_localtax2." as total_localtax2, ";
  $sql .= " d.date_start as date_start, d.date_end as date_end,";
- $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef, s.nom as company_name, s.rowid as company_id,";
+ $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef,";
+ $sql .= " s.nom as company_name, s.name_alias as company_alias, s.rowid as company_id, s.client as company_client, s.fournisseur as company_fournisseur, s.email as company_email,";
+ $sql .= " s.code_client as company_customer_code, s.code_fournisseur as company_supplier_code,";
+ $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,";
+ $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,";
  $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,";
  $sql .= " pf.".$fk_payment." as payment_id, pf.amount as payment_amount,";
- $sql .= " pa.datep as datep";
+ $sql .= " pa.datep as datep, pa.ref as payment_ref";
  $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f";
  $sql .= " INNER JOIN ".MAIN_DB_PREFIX.$paymentfacturetable." as pf ON pf.".$fk_facture2." = f.rowid";;
  $sql .= " INNER JOIN ".MAIN_DB_PREFIX.$paymenttable." as pa ON pa.rowid = pf.".$fk_payment;
@@ -703,7 +771,8 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire
  $sql .= " AND pa.datep <= '".$db->idate(dol_get_last_day($y, 12, false))."'";
  }
  if ($q) {
- $sql .= " AND (date_format(pa.datep,'%m') > ".(($q - 1) * 3)." AND date_format(pa.datep,'%m') <= ".($q * 3).")";
+ $sql .= " AND pa.datep > '".$db->idate(dol_get_first_day($y, (($q - 1) * 3) + 1, false))."'";
+ $sql .= " AND pa.datep <= '".$db->idate(dol_get_last_day($y, ($q * 3), false))."'";
  }
  if ($date_start && $date_end) {
  $sql .= " AND pa.datep >= '".$db->idate($date_start)."' AND pa.datep <= '".$db->idate($date_end)."'";
@@ -755,8 +824,20 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire
  $list[$assoc['rate']]['dtype'][] = $assoc['dtype'];
  $list[$assoc['rate']]['datef'][] = $db->jdate($assoc['datef']);
  $list[$assoc['rate']]['datep'][] = $db->jdate($assoc['datep']);
+ $list[$assoc['rate']]['company_name'][] = $assoc['company_name'];
  $list[$assoc['rate']]['company_id'][] = $assoc['company_id'];
+ $list[$assoc['rate']]['company_alias'][] = $assoc['company_alias'];
+ $list[$assoc['rate']]['company_email'][] = $assoc['company_email'];
+ $list[$assoc['rate']]['company_tva_intra'][] = $assoc['company_tva_intra'];
+ $list[$assoc['rate']]['company_client'][] = $assoc['company_client'];
+ $list[$assoc['rate']]['company_fournisseur'][] = $assoc['company_fournisseur'];
+ $list[$assoc['rate']]['company_customer_code'][] = $assoc['company_customer_code'];
+ $list[$assoc['rate']]['company_supplier_code'][] = $assoc['company_supplier_code'];
+ $list[$assoc['rate']]['company_customer_accounting_code'][] = $assoc['company_customer_accounting_code'];
+ $list[$assoc['rate']]['company_supplier_accounting_code'][] = $assoc['company_supplier_accounting_code'];
+ $list[$assoc['rate']]['company_status'][] = $assoc['company_status'];
+
  $list[$assoc['rate']]['ddate_start'][] = $db->jdate($assoc['date_start']);
  $list[$assoc['rate']]['ddate_end'][] = $db->jdate($assoc['date_end']);
@@ -776,6 +857,7 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire
  $list[$assoc['rate']]['ptype'][] = $assoc['ptype'];
  $list[$assoc['rate']]['payment_id'][] = $assoc['payment_id'];
+ $list[$assoc['rate']]['payment_ref'][] = $assoc['payment_ref'];
  $list[$assoc['rate']]['payment_amount'][] = $assoc['payment_amount'];
  $rate = $assoc['rate'];
@@ -787,7 +869,7 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire
  }
- // CAS DES SERVICES
+ // CASE OF SERVICES
  // Define sql request
  $sql = '';
@@ -797,9 +879,13 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire
  $sql = "SELECT d.rowid, d.product_type as dtype, d.".$fk_facture." as facid, d.$f_rate as rate, d.total_ht as total_ht, d.total_ttc as total_ttc, d.".$total_tva." as total_vat, d.description as descr,";
  $sql .= " d.".$total_localtax1." as total_localtax1, d.".$total_localtax2." as total_localtax2, ";
  $sql .= " d.date_start as date_start, d.date_end as date_end,";
- $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef, s.nom as company_name, s.rowid as company_id,";
+ $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef,";
+ $sql .= " s.nom as company_name, s.name_alias as company_alias, s.rowid as company_id, s.client as company_client, s.fournisseur as company_fournisseur, s.email as company_email,";
+ $sql .= " s.code_client as company_customer_code, s.code_fournisseur as company_supplier_code,";
+ $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,";
+ $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,";
  $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,";
- $sql .= " 0 as payment_id, 0 as payment_amount";
+ $sql .= " 0 as payment_id, '' as payment_ref, 0 as payment_amount";
  $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f";
  $sql .= " INNER JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc";
  $sql .= " INNER JOIN ".MAIN_DB_PREFIX.$invoicedettable." as d ON d.".$fk_facture." = f.rowid";
@@ -819,7 +905,8 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire
  $sql .= " AND f.datef <= '".$db->idate(dol_get_last_day($y, 12, false))."'";
  }
  if ($q) {
- $sql .= " AND (date_format(f.datef,'%m') > ".(($q - 1) * 3)." AND date_format(f.datef,'%m') <= ".($q * 3).")";
+ $sql .= " AND f.datef > '".$db->idate(dol_get_first_day($y, (($q - 1) * 3) + 1, false))."'";
+ $sql .= " AND f.datef <= '".$db->idate(dol_get_last_day($y, ($q * 3), false))."'";
  }
  if ($date_start && $date_end) {
  $sql .= " AND f.datef >= '".$db->idate($date_start)."' AND f.datef <= '".$db->idate($date_end)."'";
@@ -835,10 +922,14 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire
  $sql = "SELECT d.rowid, d.product_type as dtype, d.".$fk_facture." as facid, d.$f_rate as rate, d.total_ht as total_ht, d.total_ttc as total_ttc, d.".$total_tva." as total_vat, d.description as descr,";
  $sql .= " d.".$total_localtax1." as total_localtax1, d.".$total_localtax2." as total_localtax2, ";
  $sql .= " d.date_start as date_start, d.date_end as date_end,";
- $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef, s.nom as company_name, s.rowid as company_id,";
+ $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef,";
+ $sql .= " s.nom as company_name, s.name_alias as company_alias, s.rowid as company_id, s.client as company_client, s.fournisseur as company_fournisseur, s.email as company_email,";
+ $sql .= " s.code_client as company_customer_code, s.code_fournisseur as company_supplier_code,";
+ $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,";
+ $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,";
  $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,";
  $sql .= " pf.".$fk_payment." as payment_id, pf.amount as payment_amount,";
- $sql .= " pa.datep as datep";
+ $sql .= " pa.datep as datep, pa.ref as payment_ref";
  $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f";
  $sql .= " INNER JOIN ".MAIN_DB_PREFIX.$paymentfacturetable." as pf ON pf.".$fk_facture2." = f.rowid";
  $sql .= " INNER JOIN ".MAIN_DB_PREFIX.$paymenttable." as pa ON pa.rowid = pf.".$fk_payment;
@@ -860,7 +951,8 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire
  $sql .= " AND pa.datep <= '".$db->idate(dol_get_last_day($y, 12, false))."'";
  }
  if ($q) {
- $sql .= " AND (date_format(pa.datep,'%m') > ".(($q - 1) * 3)." AND date_format(pa.datep,'%m') <= ".($q * 3).")";
+ $sql .= " AND pa.datep > '".$db->idate(dol_get_first_day($y, (($q - 1) * 3) + 1, false))."'";
+ $sql .= " AND pa.datep <= '".$db->idate(dol_get_last_day($y, ($q * 3), false))."'";
  }
  if ($date_start && $date_end) {
  $sql .= " AND pa.datep >= '".$db->idate($date_start)."' AND pa.datep <= '".$db->idate($date_end)."'";
@@ -912,11 +1004,23 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire
  $list[$assoc['rate']]['dtype'][] = $assoc['dtype'];
  $list[$assoc['rate']]['datef'][] = $db->jdate($assoc['datef']);
  $list[$assoc['rate']]['datep'][] = $db->jdate($assoc['datep']);
- $list[$assoc['rate']]['company_name'][] = $assoc['company_name'];
- $list[$assoc['rate']]['company_id'][] = $assoc['company_id'];
+
  $list[$assoc['rate']]['ddate_start'][] = $db->jdate($assoc['date_start']);
  $list[$assoc['rate']]['ddate_end'][] = $db->jdate($assoc['date_end']);
+ $list[$assoc['rate']]['company_name'][] = $assoc['company_name'];
+ $list[$assoc['rate']]['company_id'][] = $assoc['company_id'];
+ $list[$assoc['rate']]['company_alias'][] = $assoc['company_alias'];
+ $list[$assoc['rate']]['company_email'][] = $assoc['company_email'];
+ $list[$assoc['rate']]['company_tva_intra'][] = $assoc['company_tva_intra'];
+ $list[$assoc['rate']]['company_client'][] = $assoc['company_client'];
+ $list[$assoc['rate']]['company_fournisseur'][] = $assoc['company_fournisseur'];
+ $list[$assoc['rate']]['company_customer_code'][] = $assoc['company_customer_code'];
+ $list[$assoc['rate']]['company_supplier_code'][] = $assoc['company_supplier_code'];
+ $list[$assoc['rate']]['company_customer_accounting_code'][] = $assoc['company_customer_accounting_code'];
+ $list[$assoc['rate']]['company_supplier_accounting_code'][] = $assoc['company_supplier_accounting_code'];
+ $list[$assoc['rate']]['company_status'][] = $assoc['company_status'];
+
  $list[$assoc['rate']]['facid'][] = $assoc['facid'];
  $list[$assoc['rate']]['facnum'][] = $assoc['facnum'];
  $list[$assoc['rate']]['type'][] = $assoc['type'];
@@ -933,6 +1037,7 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire
  $list[$assoc['rate']]['ptype'][] = $assoc['ptype'];
  $list[$assoc['rate']]['payment_id'][] = $assoc['payment_id'];
+ $list[$assoc['rate']]['payment_ref'][] = $assoc['payment_ref'];
  $list[$assoc['rate']]['payment_amount'][] = $assoc['payment_amount'];
  $rate = $assoc['rate'];
@@ -969,7 +1074,8 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire
  $sql .= " AND p.datep <= '".$db->idate(dol_get_last_day($y, 12, false))."'";
  }
  if ($q) {
- $sql .= " AND (date_format(p.datep,'%m') > ".(($q - 1) * 3)." AND date_format(p.datep,'%m') <= ".($q * 3).")";
+ $sql .= " AND p.datep > '".$db->idate(dol_get_first_day($y, (($q - 1) * 3) + 1, false))."'";
+ $sql .= " AND p.datep <= '".$db->idate(dol_get_last_day($y, ($q * 3), false))."'";
  }
  if ($date_start && $date_end) {
  $sql .= " AND p.datep >= '".$db->idate($date_start)."' AND p.datep <= '".$db->idate($date_end)."'";
@@ -1042,6 +1148,7 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire
  $list[$assoc['rate']]['ptype'][] = 'ExpenseReportPayment';
  $list[$assoc['rate']]['payment_id'][] = $assoc['payment_id'];
+ $list[$assoc['rate']]['payment_ref'][] = $assoc['payment_ref'];
  $list[$assoc['rate']]['payment_amount'][] = $assoc['payment_amount'];
  $rate = $assoc['rate'];
diff --git a/htdocs/core/lib/usergroups.lib.php b/htdocs/core/lib/usergroups.lib.php
index e12a0d9c8a7..3188a9b39e2 100644
--- a/htdocs/core/lib/usergroups.lib.php
+++ b/htdocs/core/lib/usergroups.lib.php
@@ -343,14 +343,14 @@ function showSkins($fuser, $edit = 0, $foruserprofile = false)
  // Title
  if ($foruserprofile) {
- print '
'; + print ''; print ''; print ''; print ''; print ''; print ''; - print ''; + print ''; print ''; print ''; } else { @@ -359,7 +359,7 @@ function showSkins($fuser, $edit = 0, $foruserprofile = false) $dirthemestring .= '"'.$dirtheme.'" '; } - print ''; print ''; } - print ''; + print ''; print ''; print ''; // Fields from hook diff --git a/htdocs/product/reassortlot.php b/htdocs/product/reassortlot.php index 5983d5e6b4e..a443fe10f62 100644 --- a/htdocs/product/reassortlot.php +++ b/htdocs/product/reassortlot.php @@ -165,19 +165,19 @@ if ($snom) { $sql .= natural_search("p.label", $snom); } if (!empty($tosell)) { - $sql .= " AND p.tosell = ".$tosell; + $sql .= " AND p.tosell = ".((int) $tosell); } if (!empty($tobuy)) { - $sql .= " AND p.tobuy = ".$tobuy; + $sql .= " AND p.tobuy = ".((int) $tobuy); } if (!empty($canvas)) { $sql .= " AND p.canvas = '".$db->escape($canvas)."'"; } -if ($catid) { - $sql .= " AND cp.fk_categorie = ".$catid; +if ($catid > 0) { + $sql .= " AND cp.fk_categorie = ".((int) $catid); } if ($fourn_id > 0) { - $sql .= " AND p.rowid = pf.fk_product AND pf.fk_soc = ".$fourn_id; + $sql .= " AND p.rowid = pf.fk_product AND pf.fk_soc = ".((int) $fourn_id); } // Insert categ filter if ($search_categ) { @@ -309,7 +309,7 @@ if ($resql) { $moreforfilter = ''; if (!empty($conf->categorie->enabled)) { $moreforfilter .= '
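Review bot: The `(int)` casts on `$tosell`, `$tobuy`, `$catid` and `$fourn_id` close the injection at the point of concatenation, but `!empty($tosell)` and `!empty($tobuy)` still decide on the raw request value, so a non-numeric value passes the guard and then filters on `p.tosell = 0`, changing the result set instead of being ignored. The cleaner fix is to type the value where it is read (outside this hunk), `$tosell = GETPOST('tosell', 'int');` and likewise for `tobuy`, `catid` and `fourn_id`, so the emptiness test and the SQL see the same integer; the casts here can then stay as a second line of defence. The `$catid > 0` guard is an improvement over `if ($catid)` for the same reason.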
'; - $moreforfilter .= $langs->trans('Categories').': '; + $moreforfilter .= img_picto($langs->trans('Categories'), 'category', 'class="pictofixedwidth"'); $moreforfilter .= $htmlother->select_categories(Categorie::TYPE_PRODUCT, $search_categ, 'search_categ'); $moreforfilter .= '
'; } @@ -482,7 +482,10 @@ if ($resql) { //if ($objp->seuil_stock_alerte && ($objp->stock_physique < $objp->seuil_stock_alerte)) print img_warning($langs->trans("StockTooLow")).' '; print $objp->stock_physique; print ''; - print '
'; + print ''; print ''; print ''; print ''; diff --git a/htdocs/product/stats/card.php b/htdocs/product/stats/card.php index a47bc79c84a..2dae292884e 100644 --- a/htdocs/product/stats/card.php +++ b/htdocs/product/stats/card.php @@ -184,9 +184,8 @@ if ($result || empty($id)) { // Tag if ($conf->categorie->enabled) { print ''; } @@ -205,7 +204,7 @@ if ($result || empty($id)) { $arrayyears[$currentyear] = $currentyear; } arsort($arrayyears); - print $form->selectarray('search_year', $arrayyears, $search_year, 1); + print $form->selectarray('search_year', $arrayyears, $search_year, 1, 0, 0, '', 0, 0, 0, '', 'width75'); print ''; print '
'..')
'; print $langs->trans('Rate') . ' : ' . vatrate($rate) . '%'; - print ' - ' . img_picto('', 'chevron-down', 'class="paddingrightonly"') . $langs->trans('VATReportShowByRateDetails') . ''; + print ' - ' . img_picto('', 'chevron-down', 'class="paddingrightonly"') . $langs->trans('VATReportShowByRateDetails') . ''; print '
' . $fields['company_link'] . ''; + //print $company_static->getNomUrl(1); + print $fields['company_link']; + print ''; @@ -552,7 +549,8 @@ if (!is_array($x_coll) || !is_array($x_paye)) { //print $fields['totalht']."-".$fields['payment_amount']."-".$fields['ftotal_ttc']; if ($fields['payment_amount'] && $fields['ftotal_ttc']) { $payment_static->id = $fields['payment_id']; - print $payment_static->getNomUrl(2); + $payment_static->ref = $fields['payment_ref']; + print $payment_static->getNomUrl(2, '', '', 0).' '; } if (($type == 0 && $conf->global->TAX_MODE_SELL_PRODUCT == 'invoice') || ($type == 1 && $conf->global->TAX_MODE_SELL_SERVICE == 'invoice')) { @@ -618,7 +616,7 @@ if (!is_array($x_coll) || !is_array($x_paye)) { // Blank line print '
 
'.$elementsup.''.$langs->trans("DateInvoice").'
'; print $langs->trans('Rate') . ' : ' . vatrate($rate) . '%'; - print ' - ' . img_picto('', 'chevron-down', 'class="paddingrightonly"') . $langs->trans('VATReportShowByRateDetails') . ''; + print ' - ' . img_picto('', 'chevron-down', 'class="paddingrightonly"') . $langs->trans('VATReportShowByRateDetails') . ''; print '
' . $fields['company_link'] . ''; + //print $company_static->getNomUrl(1); + print $fields['company_link']; + print ''; @@ -765,7 +783,8 @@ if (!is_array($x_coll) || !is_array($x_paye)) { print ''; if ($fields['payment_amount'] && $fields['ftotal_ttc']) { $paymentfourn_static->id = $fields['payment_id']; - print $paymentfourn_static->getNomUrl(2); + $paymentfourn_static->ref = $fields['payment_ref']; + print $paymentfourn_static->getNomUrl(2, '', '', 0).' '; } if (($type == 0 && $conf->global->TAX_MODE_BUY_PRODUCT == 'invoice') diff --git a/htdocs/contact/canvas/actions_contactcard_common.class.php b/htdocs/contact/canvas/actions_contactcard_common.class.php index a32263cd65e..332b7dd36c6 100644 --- a/htdocs/contact/canvas/actions_contactcard_common.class.php +++ b/htdocs/contact/canvas/actions_contactcard_common.class.php 
@@ -283,28 +283,28 @@ abstract class ActionsContactCardCommon // phpcs:enable global $langs, $mysoc; - $this->object->old_name = $_POST["old_name"]; - $this->object->old_firstname = $_POST["old_firstname"]; + $this->object->old_name = GETPOST("old_name"); + $this->object->old_firstname = GETPOST("old_firstname"); - $this->object->socid = $_POST["socid"]; - $this->object->lastname = $_POST["name"]; - $this->object->firstname = $_POST["firstname"]; - $this->object->civility_id = $_POST["civility_id"]; - $this->object->poste = $_POST["poste"]; - $this->object->address = $_POST["address"]; - $this->object->zip = $_POST["zipcode"]; - $this->object->town = $_POST["town"]; - $this->object->country_id = $_POST["country_id"] ? $_POST["country_id"] : $mysoc->country_id; - $this->object->state_id = $_POST["state_id"]; - $this->object->phone_pro = $_POST["phone_pro"]; - $this->object->phone_perso = $_POST["phone_perso"]; - $this->object->phone_mobile = $_POST["phone_mobile"]; - $this->object->fax = $_POST["fax"]; - $this->object->email = $_POST["email"]; - $this->object->jabberid = $_POST["jabberid"]; - $this->object->priv = $_POST["priv"]; - $this->object->note = $_POST["note"]; - $this->object->canvas = $_POST["canvas"]; + $this->object->socid = GETPOST("socid"); + $this->object->lastname = GETPOST("name"); + $this->object->firstname = GETPOST("firstname"); + $this->object->civility_id = GETPOST("civility_id"); + $this->object->poste = GETPOST("poste"); + $this->object->address = GETPOST("address"); + $this->object->zip = GETPOST("zipcode"); + $this->object->town = GETPOST("town"); + $this->object->country_id = GETPOST("country_id") ? 
GETPOST("country_id") : $mysoc->country_id; + $this->object->state_id = GETPOST("state_id"); + $this->object->phone_pro = GETPOST("phone_pro"); + $this->object->phone_perso = GETPOST("phone_perso"); + $this->object->phone_mobile = GETPOST("phone_mobile"); + $this->object->fax = GETPOST("fax"); + $this->object->email = GETPOST("email"); + $this->object->jabberid = GETPOST("jabberid"); + $this->object->priv = GETPOST("priv"); + $this->object->note = GETPOST("note", "restricthtml"); + $this->object->canvas = GETPOST("canvas"); // We set country_id, and country_code label of the chosen country if ($this->object->country_id) { diff --git a/htdocs/contact/card.php b/htdocs/contact/card.php index 421b88ea6b8..b337f0980e6 100644 --- a/htdocs/contact/card.php +++ b/htdocs/contact/card.php @@ -561,7 +561,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { $object->state_id = GETPOST("state_id"); // We set country_id, country_code and label for the selected country - $object->country_id = $_POST["country_id"] ?GETPOST("country_id") : (empty($objsoc->country_id) ? $mysoc->country_id : $objsoc->country_id); + $object->country_id = GETPOST("country_id") ? GETPOST("country_id", "int") : (empty($objsoc->country_id) ? $mysoc->country_id : $objsoc->country_id); if ($object->country_id) { $tmparray = getCountry($object->country_id, 'all'); $object->country_code = $tmparray['code']; diff --git a/htdocs/contact/list.php b/htdocs/contact/list.php index 53ebbdfddd9..3890155f116 100644 --- a/htdocs/contact/list.php +++ b/htdocs/contact/list.php @@ -458,7 +458,7 @@ if ($search_societe) { $sql .= natural_search(empty($conf->global->SOCIETE_DISABLE_CONTACTS) ? 's.nom' : 'p.fk_soc', $search_societe); } if ($search_country) { - $sql .= " AND p.fk_pays IN (".$search_country.')'; + $sql .= " AND p.fk_pays IN (".$db->sanitize($search_country).')'; } if (strlen($search_poste)) { $sql .= natural_search('p.poste', $search_poste); 
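Review bot: The new `GETPOST()` reads for numeric identifiers (`socid`, `civility_id`, `state_id`, `country_id`, `priv`) use the default check type, so a non-numeric string is still assigned to the object and presumably reaches whatever SQL these properties are later written to; reading them with the `'int'` check, e.g. `$this->object->socid = GETPOST("socid", "int");`, mirrors the `GETPOST("country_id", "int")` used in the contact/card.php hunk of this same commit. The same applies to the contact/perso.php hunk, where `birthdaymonth`, `birthdayday` and `birthdayyear` are passed to `dol_mktime()` without an `'int'` check. `email`, `phone_*` and the other free-text fields are fine with the default check, and `note` already gets `restricthtml`. The enclosing method starts and ends outside the hunk.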
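Review bot: On the changed line the truth test and the value read the same parameter with different check types (`GETPOST("country_id")` vs `GETPOST("country_id", "int")`), so a non-numeric value passes the test and then resolves to an empty value (`''` or `0`, depending on how the `'int'` check normalises it) instead of falling back to `$objsoc`/`$mysoc`. Using the typed read in both places, `$object->country_id = GETPOST("country_id", "int") > 0 ? GETPOST("country_id", "int") : (empty($objsoc->country_id) ? $mysoc->country_id : $objsoc->country_id);`, keeps the fallback working for garbage input. The enclosing block continues outside the hunk.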
@@ -492,9 +492,8 @@ if (strlen($search_town)) { $sql .= natural_search("p.town", $search_town); } if (count($search_roles) > 0) { - $sql .= " AND p.rowid IN (SELECT sc.fk_socpeople FROM ".MAIN_DB_PREFIX."societe_contacts as sc WHERE sc.fk_c_type_contact IN (".implode(',', $search_roles)."))"; + $sql .= " AND p.rowid IN (SELECT sc.fk_socpeople FROM ".MAIN_DB_PREFIX."societe_contacts as sc WHERE sc.fk_c_type_contact IN (".$db->sanitize(implode(',', $search_roles))."))"; } - if ($search_no_email != '' && $search_no_email >= 0) { $sql .= " AND p.no_email = ".$db->escape($search_no_email); } diff --git a/htdocs/contact/perso.php b/htdocs/contact/perso.php index 8d2969a1370..628c73b0afc 100644 --- a/htdocs/contact/perso.php +++ b/htdocs/contact/perso.php @@ -45,12 +45,12 @@ $object = new Contact($db); * Action */ -if ($action == 'update' && !$_POST["cancel"] && $user->rights->societe->contact->creer) { +if ($action == 'update' && !GETPOST("cancel") && $user->rights->societe->contact->creer) { $ret = $object->fetch($id); // Note: Correct date should be completed with location to have exact GM time of birth. - $object->birthday = dol_mktime(0, 0, 0, $_POST["birthdaymonth"], $_POST["birthdayday"], $_POST["birthdayyear"]); - $object->birthday_alert = $_POST["birthday_alert"]; + $object->birthday = dol_mktime(0, 0, 0, GETPOST("birthdaymonth"), GETPOST("birthdayday"), GETPOST("birthdayyear")); + $object->birthday_alert = GETPOST("birthday_alert"); if (GETPOST('deletephoto')) { $object->photo = ''; diff --git a/htdocs/contrat/card.php b/htdocs/contrat/card.php index 217414aa30c..88627ca0698 100644 --- a/htdocs/contrat/card.php +++ b/htdocs/contrat/card.php @@ -2008,7 +2008,7 @@ if ($action == 'create') { if (empty($user->socid)) { if ($object->statut == 1) { if ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) || $user->rights->contrat->creer)) { - print ''; + print ''; } else { print ''; } 
@@ -2017,14 +2017,14 @@ if ($action == 'create') { if ($object->statut == 0 && $nbofservices) { if ($user->rights->contrat->creer) { - print ''; + print ''; } else { print ''; } } if ($object->statut == 1) { if ($user->rights->contrat->creer) { - print ''; + print ''; } else { print ''; } @@ -2050,14 +2050,14 @@ if ($action == 'create') { if ($object->nbofservicesclosed > 0 || $object->nbofserviceswait > 0) { if ($user->rights->contrat->activer) { - print ''; + print ''; } else { print ''; } } if ($object->nbofservicesclosed < $nbofservices) { if ($user->rights->contrat->desactiver) { - print ''; + print ''; } else { print ''; } @@ -2081,7 +2081,7 @@ if ($action == 'create') { // Clone if ($user->rights->contrat->creer) { - print ''; + print ''; } // On peut supprimer entite si diff --git a/htdocs/contrat/class/api_contracts.class.php b/htdocs/contrat/class/api_contracts.class.php index c6a834331c9..cf821ccb2c6 100644 --- a/htdocs/contrat/class/api_contracts.class.php +++ b/htdocs/contrat/class/api_contracts.class.php @@ -132,14 +132,14 @@ class Contracts extends DolibarrApi $sql .= " AND t.fk_soc = sc.fk_soc"; } if ($socids) { - $sql .= " AND t.fk_soc IN (".$socids.")"; + $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")"; } if ($search_sale > 0) { $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale } // Insert sale filter if ($search_sale > 0) { - $sql .= " AND sc.fk_user = ".$search_sale; + $sql .= " AND sc.fk_user = ".((int) $search_sale); } // Add sql filters if ($sqlfilters) { diff --git a/htdocs/contrat/class/contrat.class.php b/htdocs/contrat/class/contrat.class.php index 02929f281a8..64d2b5e2c0a 100644 --- a/htdocs/contrat/class/contrat.class.php +++ b/htdocs/contrat/class/contrat.class.php 
@@ -1172,7 +1172,7 @@ class Contrat extends CommonObject $this->db->free($resql); $sql = "DELETE FROM ".MAIN_DB_PREFIX."contratdet_log "; - $sql .= " WHERE ".MAIN_DB_PREFIX."contratdet_log.rowid IN (".implode(",", $tab_resql).")"; + $sql .= " WHERE ".MAIN_DB_PREFIX."contratdet_log.rowid IN (".$this->db->sanitize(implode(",", $tab_resql)).")"; dol_syslog(get_class($this)."::delete contratdet_log", LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/contrat/note.php b/htdocs/contrat/note.php index d61ac357a40..bd96eac7b0d 100644 --- a/htdocs/contrat/note.php +++ b/htdocs/contrat/note.php @@ -180,6 +180,7 @@ if ($id > 0 || !empty($ref)) { //print '
'; + $cssclass='fieldtitle'; include DOL_DOCUMENT_ROOT.'/core/tpl/notes.tpl.php'; print dol_get_fiche_end(); diff --git a/htdocs/core/ajax/row.php b/htdocs/core/ajax/row.php index 883ba664b5c..4662c3a1406 100644 --- a/htdocs/core/ajax/row.php +++ b/htdocs/core/ajax/row.php 
@@ -59,15 +59,52 @@ top_httphead(); print ''."\n"; // Registering the location of boxes -if (GETPOST('roworder', 'alpha') && GETPOST('table_element_line', 'alpha', 2) - && GETPOST('fk_element', 'alpha', 2) && GETPOST('element_id', 'int', 2)) { +if (GETPOST('roworder', 'alpha', 2) && GETPOST('table_element_line', 'aZ09', 2) + && GETPOST('fk_element', 'aZ09', 2) && GETPOST('element_id', 'int', 2)) { $roworder = GETPOST('roworder', 'alpha', 2); - $table_element_line = GETPOST('table_element_line', 'alpha', 2); - $fk_element = GETPOST('fk_element', 'alpha', 2); + $table_element_line = GETPOST('table_element_line', 'aZ09', 2); + $fk_element = GETPOST('fk_element', 'aZ09', 2); $element_id = GETPOST('element_id', 'int', 2); dol_syslog("AjaxRow roworder=".$roworder." table_element_line=".$table_element_line." fk_element=".$fk_element." element_id=".$element_id, LOG_DEBUG); + // Make test on pemrission + $perm = 0; + if ($table_element_line == 'propaldet' && $user->rights->propal->creer) { + $perm = 1; + } elseif ($table_element_line == 'commandedet' && $user->rights->commande->creer) { + $perm = 1; + } elseif ($table_element_line == 'facturedet' && $user->rights->facture->creer) { + $perm = 1; + } elseif ($table_element_line == 'facturerecdet' && $user->rights->facture->creer) { + $perm = 1; + } elseif ($table_element_line == 'ecm_files' && $user->rights->ecm->creer) { + $perm = 1; + } elseif ($table_element_line == 'emailcollector_emailcollectoraction' && $user->admin) { + $perm = 1; + } elseif ($table_element_line == 'bom_bomline' && $user->rights->bom->write) { + $perm = 1; + } elseif ($table_element_line == 'mrp_production' && $user->rights->mrp->write) { + $perm = 1; + } elseif ($table_element_line == 'supplier_proposaldet' && $user->rights->supplier_proposal->write) { + $perm = 1; + } elseif ($table_element_line == 'commande_fournisseurdet' && $user->rights->fourn->commande->creer) { + $perm = 1; + } elseif ($table_element_line == 'facture_fourn_det' && 
$user->rights->fourn->facture->creer) { + $perm = 1; + } else { + $tmparray = explode('_', $table_element_line); + $tmpmodule = $tmparray[0]; $tmpobject = preg_replace('/line$/', '', $tmparray[1]); + if (!empty($tmpmodule) && !empty($tmpobject) && !empty($conf->$tmpmodule->enabled) && !empty($user->rights->$tmpobject->write)) { + $perm = 1; + } + } + + if (! $perm) { + print 'Bad permission to modify position of lines for object in table '.$table_element_line; + accessforbidden('Bad permission to modify position of lines for object in table '.$table_element_line); + } + $rowordertab = explode(',', $roworder); $newrowordertab = array(); foreach ($rowordertab as $value) { @@ -88,4 +125,6 @@ if (GETPOST('roworder', 'alpha') && GETPOST('table_element_line', 'alpha', 2) if (in_array($fk_element, array('fk_facture', 'fk_propal', 'fk_commande'))) { $result = $row->line_order(true); } +} else { + print 'Bad parameters for row.php'; } diff --git a/htdocs/core/boxes/box_project.php b/htdocs/core/boxes/box_project.php index 04aa812ea34..9f1204c4dc4 100644 --- a/htdocs/core/boxes/box_project.php +++ b/htdocs/core/boxes/box_project.php @@ -103,7 +103,7 @@ class box_project extends ModeleBoxes $sql .= " WHERE p.entity IN (".getEntity('project').")"; // Only current entity or severals if permission ok $sql .= " AND p.fk_statut = 1"; // Only open projects if (!$user->rights->projet->all->lire) { - $sql .= " AND p.rowid IN (".$projectsListId.")"; // public and assigned to, or restricted to company for external users + $sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")"; // public and assigned to, or restricted to company for external users } $sql .= " ORDER BY p.datec DESC"; diff --git a/htdocs/core/boxes/box_task.php b/htdocs/core/boxes/box_task.php index 0650b10a872..16cd41ce564 100644 --- a/htdocs/core/boxes/box_task.php +++ b/htdocs/core/boxes/box_task.php 
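Review bot: The generic fallback in the new permission block derives the object whose `write` right is checked from the request-supplied `table_element_line` (`$tmparray[1]` after splitting on `_`), so the grant rests on a naming convention rather than an explicit mapping, and `$tmparray[1]` is read without checking it exists — a value with no underscore passes the `aZ09` filter and raises an undefined-offset notice before the `empty()` test denies it. At minimum guard the index, `$tmpobject = isset($tmparray[1]) ? preg_replace('/line$/', '', $tmparray[1]) : '';`, and consider a comment stating which `<module>_<object>line` tables the fallback is meant to cover, or replacing it with explicit branches like the ones above it. The `print` before `accessforbidden()` looks redundant, since `accessforbidden()` already outputs a message and exits. The comment typo `// Make test on pemrission` should read `// Make test on permission`. The check is per module right only; whether `element_id` belongs to the current entity or is otherwise accessible to the user is presumably handled later in `line_order()`, outside the hunk.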
@@ -169,7 +169,7 @@ class box_task extends ModeleBoxes $sql .= " AND (pt.progress < 100 OR pt.progress IS NULL ) "; // 100% is done and not displayed $sql .= " AND p.usage_task = 1 "; if (!$user->rights->projet->all->lire) { - $sql .= " AND p.rowid IN (".$projectsListId.")"; // public and assigned to, or restricted to company for external users + $sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")"; // public and assigned to, or restricted to company for external users } $sql .= " ORDER BY pt.datee ASC, pt.dateo ASC"; diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php index 253ed9a1d02..8fa0ad9c8a5 100644 --- a/htdocs/core/class/commonobject.class.php +++ b/htdocs/core/class/commonobject.class.php @@ -1072,9 +1072,9 @@ abstract class CommonObject // Insert into database $sql = "INSERT INTO ".MAIN_DB_PREFIX."element_contact"; $sql .= " (element_id, fk_socpeople, datecreate, statut, fk_c_type_contact) "; - $sql .= " VALUES (".$this->id.", ".$fk_socpeople." , "; + $sql .= " VALUES (".$this->id.", ".((int) $fk_socpeople)." , "; $sql .= "'".$this->db->idate($datecreate)."'"; - $sql .= ", 4, ".$id_type_contact; + $sql .= ", 4, ".((int) $id_type_contact); $sql .= ")"; $resql = $this->db->query($sql); @@ -1218,7 +1218,7 @@ abstract class CommonObject $sql = "DELETE FROM ".MAIN_DB_PREFIX."element_contact"; $sql .= " WHERE element_id = ".$this->id; if ($listId) { - $sql .= " AND fk_c_type_contact IN (".$listId.")"; + $sql .= " AND fk_c_type_contact IN (".$this->db->sanitize($listId).")"; } dol_syslog(get_class($this)."::delete_linked_contact", LOG_DEBUG); 
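Review bot: In the commonobject.class.php `@@ -1072` hunk the new VALUES line casts `$fk_socpeople` and `$id_type_contact` but still concatenates `$this->id` raw, and the `@@ -1218` hunk likewise leaves `" WHERE element_id = ".$this->id` untouched while sanitizing `$listId`; `((int) $this->id)` in both places would make the statements consistent with the rest of this commit. Both enclosing methods start and end outside their hunks.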
@@ -3022,8 +3022,8 @@ abstract class CommonObject $fieldposition = 'position'; } - $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element_line.' SET '.$fieldposition.' = '.$rang; - $sql .= ' WHERE rowid = '.$rowid; + $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element_line.' SET '.$fieldposition.' = '.((int) $rang); + $sql .= ' WHERE rowid = '.((int) $rowid); dol_syslog(get_class($this)."::updateRangOfLine", LOG_DEBUG); if (!$this->db->query($sql)) { @@ -7688,7 +7688,8 @@ abstract class CommonObject $buyPrice = 0; - if (($unitPrice > 0) && (isset($conf->global->ForceBuyingPriceIfNull) && $conf->global->ForceBuyingPriceIfNull == 1)) { // In most cases, test here is false + if (($unitPrice > 0) && (isset($conf->global->ForceBuyingPriceIfNull) && $conf->global->ForceBuyingPriceIfNull > 0)) { + // When ForceBuyingPriceIfNull is set $buyPrice = $unitPrice * (1 - $discountPercent / 100); } else { // Get cost price for margin calculation diff --git a/htdocs/core/class/defaultvalues.class.php b/htdocs/core/class/defaultvalues.class.php index 8c835ed649e..c6be235b89a 100644 --- a/htdocs/core/class/defaultvalues.class.php +++ b/htdocs/core/class/defaultvalues.class.php @@ -272,7 +272,7 @@ class DefaultValues extends CommonObject } elseif ($key == 'customsql') { $sqlwhere[] = $value; } elseif (is_array($value)) { - $sqlwhere[] = $key.' IN ('.implode(',', $value).')'; + $sqlwhere[] = $key.' IN ('.$this->db->sanitize(implode(',', $value)).')'; } else { $sqlwhere[] = $key.' LIKE \'%'.$this->db->escape($value).'%\''; } diff --git a/htdocs/core/class/discount.class.php b/htdocs/core/class/discount.class.php index 310f141fc1c..4afcf295d40 100644 --- a/htdocs/core/class/discount.class.php +++ b/htdocs/core/class/discount.class.php 
@@ -144,13 +144,13 @@ class DiscountAbsolute $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."facture as fsup ON sr.fk_invoice_supplier_source = fsup.rowid"; $sql .= " WHERE sr.entity IN (".getEntity('invoice').")"; if ($rowid) { - $sql .= " AND sr.rowid=".$rowid; + $sql .= " AND sr.rowid=".((int) $rowid); } if ($fk_facture_source) { - $sql .= " AND sr.fk_facture_source=".$fk_facture_source; + $sql .= " AND sr.fk_facture_source = ".((int) $fk_facture_source); } if ($fk_invoice_supplier_source) { - $sql .= " AND sr.fk_invoice_supplier_source=".$fk_invoice_supplier_source; + $sql .= " AND sr.fk_invoice_supplier_source = ".((int) $fk_invoice_supplier_source); } dol_syslog(get_class($this)."::fetch", LOG_DEBUG); 
@@ -597,12 +597,12 @@ class DiscountAbsolute $sql = 'SELECT sum(rc.amount_ttc) as amount, sum(rc.multicurrency_amount_ttc) as multicurrency_amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc, '.MAIN_DB_PREFIX.'facture as f'; $sql .= ' WHERE rc.fk_facture_source=f.rowid AND rc.fk_facture = '.$invoice->id; - $sql .= ' AND f.type IN ('.$invoice::TYPE_STANDARD.', '.$invoice::TYPE_CREDIT_NOTE.', '.$invoice::TYPE_SITUATION.')'; // Find discount coming from credit note or excess received + $sql .= ' AND f.type IN ('.$this->db->sanitize($invoice::TYPE_STANDARD.', '.$invoice::TYPE_CREDIT_NOTE.', '.$invoice::TYPE_SITUATION).')'; // Find discount coming from credit note or excess received } elseif ($invoice->element == 'invoice_supplier') { $sql = 'SELECT sum(rc.amount_ttc) as amount, sum(rc.multicurrency_amount_ttc) as multicurrency_amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc, '.MAIN_DB_PREFIX.'facture_fourn as f'; $sql .= ' WHERE rc.fk_invoice_supplier_source=f.rowid AND rc.fk_invoice_supplier = '.$invoice->id; - $sql .= ' AND f.type IN ('.$invoice::TYPE_STANDARD.', '.$invoice::TYPE_CREDIT_NOTE.')'; // Find discount coming from credit note or excess paid + $sql .= ' AND f.type IN ('.$this->db->sanitize($invoice::TYPE_STANDARD.', '.$invoice::TYPE_CREDIT_NOTE).')'; // Find discount coming from credit note or excess paid } else { $this->error = get_class($this)."::getSumCreditNotesUsed was called with a bad object as a first parameter"; dol_print_error($this->error); diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index d75ec44798f..36e7eca84b6 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php 
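Review bot: `$this->db->sanitize()` is applied to `$invoice::TYPE_STANDARD`, `TYPE_CREDIT_NOTE` and `TYPE_SITUATION`, which are class constants and never carry request data, while the preceding context line in both branches still concatenates `$invoice->id` unsanitised (`rc.fk_facture = '.$invoice->id` and `rc.fk_invoice_supplier = '.$invoice->id`). The cast belongs on the id: `$sql .= ' WHERE rc.fk_facture_source=f.rowid AND rc.fk_facture = '.((int) $invoice->id);` and the same for the supplier branch; sanitizing the constants is harmless but obscures where the real input boundary is. getSumCreditNotesUsed continues outside the hunk.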
@@ -1227,9 +1227,10 @@ class Form * @param int $hidelabel Hide label (0=no, 1=yes, 2=show search icon (before) and placeholder, 3 search icon after) * @param array $ajaxoptions Options for ajax_autocompleter * @param bool $multiple add [] in the name of element and add 'multiple' attribut (not working with ajax_autocompleter) + * @param array $excludeids Exclude IDs from the select combo * @return string HTML string with select box for thirdparty. */ - public function select_company($selected = '', $htmlname = 'socid', $filter = '', $showempty = '', $showtype = 0, $forcecombo = 0, $events = array(), $limit = 0, $morecss = 'minwidth100', $moreparam = '', $selected_input_value = '', $hidelabel = 1, $ajaxoptions = array(), $multiple = false) + public function select_company($selected = '', $htmlname = 'socid', $filter = '', $showempty = '', $showtype = 0, $forcecombo = 0, $events = array(), $limit = 0, $morecss = 'minwidth100', $moreparam = '', $selected_input_value = '', $hidelabel = 1, $ajaxoptions = array(), $multiple = false, $excludeids = array()) { // phpcs:enable global $conf, $user, $langs; @@ -1237,6 +1238,9 @@ class Form $out = ''; if (!empty($conf->use_javascript_ajax) && !empty($conf->global->COMPANY_USE_SEARCH_TO_SELECT) && !$forcecombo) { + if (is_null($ajaxoptions)) { + $ajaxoptions = array(); + } // No immediate load of all database $placeholder = ''; if ($selected && empty($selected_input_value)) { 
@@ -1247,7 +1251,7 @@ class Form unset($societetmp); } // mode 1 - $urloption = 'htmlname='.urlencode($htmlname).'&outjson=1&filter='.urlencode($filter).($showtype ? '&showtype='.urlencode($showtype) : ''); + $urloption = 'htmlname='.urlencode($htmlname).'&outjson=1&filter='.urlencode($filter).(empty($excludeids) ? '' : '&excludeids='.join(',', $excludeids)).($showtype ? '&showtype='.urlencode($showtype) : ''); $out .= ajax_autocompleter($selected, $htmlname, DOL_URL_ROOT.'/societe/ajax/company.php', $urloption, $conf->global->COMPANY_USE_SEARCH_TO_SELECT, 0, $ajaxoptions); $out .= ''; if (empty($hidelabel)) { @@ -1264,7 +1268,7 @@ class Form } } else { // Immediate load of all database - $out .= $this->select_thirdparty_list($selected, $htmlname, $filter, $showempty, $showtype, $forcecombo, $events, '', 0, $limit, $morecss, $moreparam, $multiple); + $out .= $this->select_thirdparty_list($selected, $htmlname, $filter, $showempty, $showtype, $forcecombo, $events, '', 0, $limit, $morecss, $moreparam, $multiple, $excludeids); } return $out; @@ -1277,7 +1281,7 @@ class Form * * @param string $selected Preselected type * @param string $htmlname Name of field in form - * @param string $filter Optional filters criteras (example: 's.rowid <> x', 's.client in (1,3)') + * @param string $filter Optional filters criteras (example: 's.rowid NOT IN (x)', 's.client IN (1,3)'). Do not use a filter coming from input of users. * @param string $showempty Add an empty field (Can be '1' or text to use on empty line like 'SelectThirdParty') * @param int $showtype Show third party type in combolist (customer, prospect or supplier) * @param int $forcecombo Force to use standard HTML select component without beautification 
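Review bot: Every other fragment of `$urloption` on the changed line is wrapped in `urlencode()` but the new `'&excludeids='.join(',', $excludeids)` is not; `'&excludeids='.urlencode(join(',', $excludeids))` keeps the query string well-formed if a caller ever passes non-numeric values. The receiving endpoint named on the next line, `societe/ajax/company.php`, is outside this diff and should presumably apply the same `sanitize()` treatment that `select_thirdparty_list()` gets further down. select_company starts and ends outside the hunk.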
@@ -1288,9 +1292,10 @@ class Form * @param string $morecss Add more css styles to the SELECT component * @param string $moreparam Add more parameters onto the select tag. For example 'style="width: 95%"' to avoid select2 component to go over parent container * @param bool $multiple add [] in the name of element and add 'multiple' attribut + * @param array $excludeids Exclude IDs from the select combo * @return string HTML string with */ - public function select_thirdparty_list($selected = '', $htmlname = 'socid', $filter = '', $showempty = '', $showtype = 0, $forcecombo = 0, $events = array(), $filterkey = '', $outputmode = 0, $limit = 0, $morecss = 'minwidth100', $moreparam = '', $multiple = false) + public function select_thirdparty_list($selected = '', $htmlname = 'socid', $filter = '', $showempty = '', $showtype = 0, $forcecombo = 0, $events = array(), $filterkey = '', $outputmode = 0, $limit = 0, $morecss = 'minwidth100', $moreparam = '', $multiple = false, $excludeids = array()) { // phpcs:enable global $conf, $user, $langs; @@ -1338,6 +1343,9 @@ class Form if (!empty($conf->global->COMPANY_HIDE_INACTIVE_IN_COMBOBOX)) { $sql .= " AND s.status <> 0"; } + if (!empty($excludeids)) { + $sql .= " AND rowid NOT IN (".$this->db->sanitize(join(',', $excludeids)).")"; + } // Add criteria if ($filterkey && $filterkey != '') { $sql .= " AND ("; @@ -1887,7 +1895,7 @@ class Form if (!empty($conf->multicompany->enabled) && $conf->entity == 1 && $user->admin && !$user->entity) { $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."entity as e ON e.rowid=u.entity"; if ($force_entity) { - $sql .= " WHERE u.entity IN (0,".$force_entity.")"; + $sql .= " WHERE u.entity IN (0, ".$force_entity.")"; } else { $sql .= " WHERE u.entity IS NOT NULL"; } 
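Review bot: The new `NOT IN` criterion in the `@@ -1338` hunk uses the unqualified column `rowid` while the neighbouring criterion uses the `s.` alias (`s.status <> 0`); if the statement joins any other table with a `rowid` column the query becomes ambiguous, so `$sql .= " AND s.rowid NOT IN (".$this->db->sanitize(join(',', $excludeids)).")";` is safer. Wrapping in `sanitize()` is appropriate here since `$excludeids` is a caller-supplied array whose contents are not validated in this method as far as the hunk shows. select_thirdparty_list starts and ends outside the hunk.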
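Review bot: In the `@@ -1887` hunk the changed line only adds a space and still concatenates `$force_entity` directly into the SQL (`" WHERE u.entity IN (0, ".$force_entity.")"`); since it is a method parameter, casting it as this commit does elsewhere, `" WHERE u.entity IN (0, ".((int) $force_entity).")"`, closes the same class of issue the commit targets. The same applies to `$conf->entity` and `$user->socid` in the following `@@ -1897` hunk, though those come from configuration and session state rather than request data. The enclosing method is outside the hunk.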
@@ -1897,17 +1905,17 @@ class Form $sql .= " ON ug.fk_user = u.rowid"; $sql .= " WHERE ug.entity = ".$conf->entity; } else { - $sql .= " WHERE u.entity IN (0,".$conf->entity.")"; + $sql .= " WHERE u.entity IN (0, ".$conf->entity.")"; } } if (!empty($user->socid)) { $sql .= " AND u.fk_soc = ".$user->socid; } if (is_array($exclude) && $excludeUsers) { - $sql .= " AND u.rowid NOT IN (".$excludeUsers.")"; + $sql .= " AND u.rowid NOT IN (".$this->db->sanitize($excludeUsers).")"; } if ($includeUsers) { - $sql .= " AND u.rowid IN (".$includeUsers.")"; + $sql .= " AND u.rowid IN (".$this->db->sanitize($includeUsers).")"; } if (!empty($conf->global->USER_HIDE_INACTIVE_IN_COMBOBOX) || $noactive) { $sql .= " AND u.statut <> 0"; @@ -1994,7 +2002,9 @@ class Form if (!$obj->entity) { $moreinfo .= ($moreinfo ? ' - ' : ' (').$langs->trans("AllEntities"); } else { - $moreinfo .= ($moreinfo ? ' - ' : ' (').($obj->label ? $obj->label : $langs->trans("EntityNameNotDefined")); + if ($obj->entity != $conf->entity) { + $moreinfo .= ($moreinfo ? ' - ' : ' (').($obj->label ? $obj->label : $langs->trans("EntityNameNotDefined")); + } } } $moreinfo .= ($moreinfo ? ')' : ''); @@ -4129,7 +4139,7 @@ class Form * * @param string $selected Id shipping mode pre-selected * @param string $htmlname Name of select zone - * @param string $filtre To filter list + * @param string $filtre To filter list. This parameter must not come from input of users * @param int $useempty 1=Add an empty value in list, 2=Add an empty value in list only if there is more than 2 entries. * @param string $moreattrib To add more attribute on select * @param int $noinfoadmin 0=Add admin info, 1=Disable admin info 
@@ -4324,7 +4334,7 @@ class Form * @param string $selected Id account pre-selected * @param string $htmlname Name of select zone * @param int $status Status of searched accounts (0=open, 1=closed, 2=both) - * @param string $filtre To filter list + * @param string $filtre To filter list. This parameter must not come from input of users * @param int $useempty 1=Add an empty value in list, 2=Add an empty value in list only if there is more than 2 entries. * @param string $moreattrib To add more attribute on select * @param int $showcurrency Show currency in label @@ -4367,9 +4377,9 @@ class Form while ($i < $num) { $obj = $this->db->fetch_object($result); if ($selected == $obj->rowid || ($useempty == 2 && $num == 1 && empty($selected))) { - $out .= '
'; - $this->selectGroupTickets((GETPOST('category_code') ? GETPOST('category_code') : $this->category_code), 'category_code', '', 2, 0, 0, 0, 'minwidth200'); + $filter = ''; + if ($public) { + $filter = 'public=1'; + } + $this->selectGroupTickets((GETPOST('category_code') ? GETPOST('category_code') : $this->category_code), 'category_code', $filter, 2, 0, 0, 0, 'minwidth200'); print '
'.$langs->trans("Parameter").''.$langs->trans("DefaultValue").'
'.$langs->trans("Parameter").''.$langs->trans("DefaultValue").' 
'.$langs->trans("DefaultSkin").''.$conf->global->MAIN_THEME.' '.$langs->trans("UsePersonalValue").' '.$langs->trans("UsePersonalValue").' 
'; + print '
'; print $form->textwithpicto($langs->trans("DefaultSkin"), $langs->trans("ThemeDir").' : '.$dirthemestring); print ''; @@ -448,7 +448,7 @@ function showSkins($fuser, $edit = 0, $foruserprofile = false) // Nothing } else { // Show logo - print '
'.$langs->trans("EnableShowLogo").''; + print '
'.$langs->trans("EnableShowLogo").''; if ($edit) { print ajax_constantonoff('MAIN_SHOW_LOGO', array(), null, 0, 0, 1); //print $form->selectyesno('MAIN_SHOW_LOGO', $conf->global->MAIN_SHOW_LOGO, 1); diff --git a/htdocs/core/lib/website.lib.php b/htdocs/core/lib/website.lib.php index 2eb44c517f7..170202717c8 100644 --- a/htdocs/core/lib/website.lib.php +++ b/htdocs/core/lib/website.lib.php @@ -859,7 +859,7 @@ function getPagesFromSearchCriterias($type, $algo, $searchstring, $max = 25, $so foreach ($tmparrayoftype as $tmptype) { $typestring .= ($typestring ? ", " : "")."'".$db->escape(trim($tmptype))."'"; } - $sql .= " AND wp.type_container IN (".$typestring.")"; + $sql .= " AND wp.type_container IN (".$db->sanitize($typestring, 1).")"; } $sql .= " AND ("; $searchalgo = ''; diff --git a/htdocs/core/lib/website2.lib.php b/htdocs/core/lib/website2.lib.php index 2efeec151a3..e9a5aa6309f 100644 --- a/htdocs/core/lib/website2.lib.php +++ b/htdocs/core/lib/website2.lib.php @@ -214,7 +214,7 @@ function dolSavePageContent($filetpl, Website $object, WebsitePage $objectpage) } } // Add "has translation pages" - $sql = 'SELECT rowid as id, lang, pageurl from '.MAIN_DB_PREFIX.'website_page where fk_page IN ('.$objectpage->id.($translationof ? ", ".$translationof : "").")"; + $sql = 'SELECT rowid as id, lang, pageurl from '.MAIN_DB_PREFIX.'website_page where fk_page IN ('.$db->sanitize($objectpage->id.($translationof ? ', '.$translationof : '')).")"; $resql = $db->query($sql); if ($resql) { $num_rows = $db->num_rows($resql); diff --git a/htdocs/core/menus/init_menu_auguria.sql b/htdocs/core/menus/init_menu_auguria.sql index efa0c44a4ff..1a5550f3e72 100644 --- a/htdocs/core/menus/init_menu_auguria.sql +++ b/htdocs/core/menus/init_menu_auguria.sql 
@@ -233,7 +233,7 @@ insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, left insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->tax->enabled && empty($conf->global->TAX_DISABLE_VAT_MENUS) && $leftmenu=="tax_vat"', __HANDLER__, 'left', 2301__+MAX_llx_menu__, 'billing', '', 2300__+MAX_llx_menu__, '/compta/tva/card.php?mainmenu=billing&leftmenu=tax_vat&action=create', 'New', 2, 'companies', '$user->rights->tax->charges->creer', '', 0, 0, __ENTITY__); insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->tax->enabled && empty($conf->global->TAX_DISABLE_VAT_MENUS) && $leftmenu=="tax_vat"', __HANDLER__, 'left', 2302__+MAX_llx_menu__, 'billing', '', 2300__+MAX_llx_menu__, '/compta/tva/list.php?mainmenu=billing&leftmenu=tax_vat', 'List', 2, 'companies', '$user->rights->tax->charges->lire', '', 0, 1, __ENTITY__); insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->tax->enabled && empty($conf->global->TAX_DISABLE_VAT_MENUS) && $leftmenu=="tax_vat"', __HANDLER__, 'left', 2303__+MAX_llx_menu__, 'billing', '', 2300__+MAX_llx_menu__, '/compta/tva/index.php?mainmenu=billing&leftmenu=tax_vat', 'ReportByMonth', 2, 'companies', '$user->rights->tax->charges->lire', '', 0, 2, __ENTITY__); -insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->tax->enabled && empty($conf->global->TAX_DISABLE_VAT_MENUS) && $leftmenu=="tax_vat"', __HANDLER__, 'left', 2304__+MAX_llx_menu__, 'billing', '', 2300__+MAX_llx_menu__, 
'/compta/tva/clients.php?mainmenu=billing&leftmenu=tax_vat', 'ReportByCustomers', 2, 'companies', '$user->rights->tax->charges->lire', '', 0, 3, __ENTITY__); +insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->tax->enabled && empty($conf->global->TAX_DISABLE_VAT_MENUS) && $leftmenu=="tax_vat"', __HANDLER__, 'left', 2304__+MAX_llx_menu__, 'billing', '', 2300__+MAX_llx_menu__, '/compta/tva/clients.php?mainmenu=billing&leftmenu=tax_vat', 'ReportByThirdparties', 2, 'companies', '$user->rights->tax->charges->lire', '', 0, 3, __ENTITY__); insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->tax->enabled && empty($conf->global->TAX_DISABLE_VAT_MENUS) && $leftmenu=="tax_vat"', __HANDLER__, 'left', 2305__+MAX_llx_menu__, 'billing', '', 2300__+MAX_llx_menu__, '/compta/tva/quadri_detail.php?mainmenu=billing&leftmenu=tax_vat', 'ReportByQuarter', 2, 'companies', '$user->rights->tax->charges->lire', '', 0, 4, __ENTITY__); -- Salary insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->salaries->enabled', __HANDLER__, 'left', 2210__+MAX_llx_menu__, 'billing', 'tax_sal', 6__+MAX_llx_menu__, '/salaries/list.php?mainmenu=billing&leftmenu=tax_salary', 'Salaries', 0, 'salaries', '$user->rights->salaries->read', '', 0, 10, __ENTITY__); diff --git a/htdocs/core/menus/standard/eldy.lib.php b/htdocs/core/menus/standard/eldy.lib.php index 89e63c16db4..99fcea707e2 100644 --- a/htdocs/core/menus/standard/eldy.lib.php +++ b/htdocs/core/menus/standard/eldy.lib.php 
@@ -1104,7 +1104,7 @@ function print_left_eldy_menu($db, $menu_array_before, $menu_array_after, &$tabM $newmenu->add("/compta/tva/list.php?leftmenu=tax_vat", $langs->trans("List"), 2, $user->rights->tax->charges->lire); $newmenu->add("/compta/tva/payments.php?mode=tvaonly&leftmenu=tax_vat", $langs->trans("Payments"), 2, $user->rights->tax->charges->lire); $newmenu->add("/compta/tva/index.php?leftmenu=tax_vat", $langs->trans("ReportByMonth"), 2, $user->rights->tax->charges->lire); - $newmenu->add("/compta/tva/clients.php?leftmenu=tax_vat", $langs->trans("ReportByCustomers"), 2, $user->rights->tax->charges->lire); + $newmenu->add("/compta/tva/clients.php?leftmenu=tax_vat", $langs->trans("ReportByThirdparties"), 2, $user->rights->tax->charges->lire); $newmenu->add("/compta/tva/quadri_detail.php?leftmenu=tax_vat", $langs->trans("ReportByQuarter"), 2, $user->rights->tax->charges->lire); } @@ -1115,7 +1115,7 @@ function print_left_eldy_menu($db, $menu_array_before, $menu_array_after, &$tabM $newmenu->add("/compta/localtax/card.php?leftmenu=tax_1_vat&action=create&localTaxType=1", $langs->trans("New"), 2, $user->rights->tax->charges->creer); $newmenu->add("/compta/localtax/list.php?leftmenu=tax_1_vat&localTaxType=1", $langs->trans("List"), 2, $user->rights->tax->charges->lire); $newmenu->add("/compta/localtax/index.php?leftmenu=tax_1_vat&localTaxType=1", $langs->trans("ReportByMonth"), 2, $user->rights->tax->charges->lire); - $newmenu->add("/compta/localtax/clients.php?leftmenu=tax_1_vat&localTaxType=1", $langs->trans("ReportByCustomers"), 2, $user->rights->tax->charges->lire); + $newmenu->add("/compta/localtax/clients.php?leftmenu=tax_1_vat&localTaxType=1", $langs->trans("ReportByThirdparties"), 2, $user->rights->tax->charges->lire); $newmenu->add("/compta/localtax/quadri_detail.php?leftmenu=tax_1_vat&localTaxType=1", $langs->trans("ReportByQuarter"), 2, $user->rights->tax->charges->lire); } } 
@@ -1126,7 +1126,7 @@ function print_left_eldy_menu($db, $menu_array_before, $menu_array_after, &$tabM $newmenu->add("/compta/localtax/card.php?leftmenu=tax_2_vat&action=create&localTaxType=2", $langs->trans("New"), 2, $user->rights->tax->charges->creer); $newmenu->add("/compta/localtax/list.php?leftmenu=tax_2_vat&localTaxType=2", $langs->trans("List"), 2, $user->rights->tax->charges->lire); $newmenu->add("/compta/localtax/index.php?leftmenu=tax_2_vat&localTaxType=2", $langs->trans("ReportByMonth"), 2, $user->rights->tax->charges->lire); - $newmenu->add("/compta/localtax/clients.php?leftmenu=tax_2_vat&localTaxType=2", $langs->trans("ReportByCustomers"), 2, $user->rights->tax->charges->lire); + $newmenu->add("/compta/localtax/clients.php?leftmenu=tax_2_vat&localTaxType=2", $langs->trans("ReportByThirdparties"), 2, $user->rights->tax->charges->lire); $newmenu->add("/compta/localtax/quadri_detail.php?leftmenu=tax_2_vat&localTaxType=2", $langs->trans("ReportByQuarter"), 2, $user->rights->tax->charges->lire); } } diff --git a/htdocs/core/modules/expensereport/doc/index.html b/htdocs/core/modules/expensereport/doc/index.html new file mode 100644 index 00000000000..8b137891791 --- /dev/null +++ b/htdocs/core/modules/expensereport/doc/index.html @@ -0,0 +1 @@ + diff --git a/htdocs/core/modules/mailings/advthirdparties.modules.php b/htdocs/core/modules/mailings/advthirdparties.modules.php index 9f434be9498..cbf668b6c67 100644 --- a/htdocs/core/modules/mailings/advthirdparties.modules.php +++ b/htdocs/core/modules/mailings/advthirdparties.modules.php 
@@ -79,7 +79,7 @@ class mailing_advthirdparties extends MailingTargets
 $sql = "SELECT s.rowid as id, s.email as email, s.nom as name, null as fk_contact";
 $sql .= " FROM ".MAIN_DB_PREFIX."societe as s LEFT OUTER JOIN ".MAIN_DB_PREFIX."societe_extrafields se ON se.fk_object=s.rowid";
 $sql .= " WHERE s.entity IN (".getEntity('societe').")";
- $sql .= " AND s.rowid IN (".implode(',', $socid).")";
+ $sql .= " AND s.rowid IN (".$this->db->sanitize(implode(',', $socid)).")";
 $sql .= " ORDER BY email";
 // Stock recipients emails into targets table
@@ -125,10 +125,10 @@ class mailing_advthirdparties extends MailingTargets
 $sql .= " FROM ".MAIN_DB_PREFIX."socpeople as socp";
 $sql .= " WHERE socp.entity IN (".getEntity('socpeople').")";
 if (count($contactid) > 0) {
- $sql .= " AND socp.rowid IN (".implode(',', $contactid).")";
+ $sql .= " AND socp.rowid IN (".$this->db->sanitize(implode(',', $contactid)).")";
 }
 if (count($socid) > 0) {
- $sql .= " AND socp.fk_soc IN (".implode(',', $socid).")";
+ $sql .= " AND socp.fk_soc IN (".$this->db->sanitize(implode(',', $socid)).")";
 }
 $sql .= " ORDER BY email";
diff --git a/htdocs/core/modules/mailings/thirdparties.modules.php b/htdocs/core/modules/mailings/thirdparties.modules.php
index 8b8a57f6628..b3b88224df6 100644
--- a/htdocs/core/modules/mailings/thirdparties.modules.php
+++ b/htdocs/core/modules/mailings/thirdparties.modules.php
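Review bot: `$this->db->sanitize()` on the joined id lists (both hunks here, and the same pattern in the modDeplacement, modExpedition, modReception and modSociete hunks further down) strips characters it does not expect rather than rejecting the value, so a malformed element silently becomes a different IN list instead of an error. Casting before joining, e.g. `implode(',', array_map('intval', $socid))` and the same for `$contactid`, pins the element type and leaves sanitize as a pure belt-and-braces check. If `$socid` and `$contactid` are integer-only by construction the change is harmless, but that is not visible in these hunks. The enclosing methods start outside both hunks.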
@@ -83,13 +83,13 @@ class mailing_thirdparties extends MailingTargets
 if (GETPOSTISSET("filter_client") && GETPOST("filter_client") <> '-1') {
 $addFilter .= " AND s.client=".((int) GETPOST("filter_client", 'int'));
 $addDescription = $langs->trans('ProspectCustomer')."=";
- if ($_POST["filter_client"] == 0) {
+ if (GETPOST("filter_client") == 0) {
 $addDescription .= $langs->trans('NorProspectNorCustomer');
- } elseif ($_POST["filter_client"] == 1) {
+ } elseif (GETPOST("filter_client") == 1) {
 $addDescription .= $langs->trans('Customer');
- } elseif ($_POST["filter_client"] == 2) {
+ } elseif (GETPOST("filter_client") == 2) {
 $addDescription .= $langs->trans('Prospect');
- } elseif ($_POST["filter_client"] == 3) {
+ } elseif (GETPOST("filter_client") == 3) {
 $addDescription .= $langs->trans('ProspectCustomer');
 } else {
 $addDescription .= "Unknown status ".GETPOST("filter_client");
diff --git a/htdocs/core/modules/mailings/thirdparties_services_expired.modules.php b/htdocs/core/modules/mailings/thirdparties_services_expired.modules.php
index 2718a33247b..7b5d4f38737 100644
--- a/htdocs/core/modules/mailings/thirdparties_services_expired.modules.php
+++ b/htdocs/core/modules/mailings/thirdparties_services_expired.modules.php
@@ -197,7 +197,7 @@ class mailing_thirdparties_services_expired extends MailingTargets
 $sql .= " WHERE s.entity IN (".getEntity('societe').")";
 $sql .= " AND s.rowid = c.fk_soc AND cd.fk_contrat = c.rowid AND s.email != ''";
 $sql .= " AND cd.statut= 4 AND cd.fk_product=p.rowid";
- $sql .= " AND p.ref IN ('".join("','", $this->arrayofproducts)."')";
+ $sql .= " AND p.ref IN (".$this->db->sanitize("'".join("','", $this->arrayofproducts)."'", 1).")";
 $sql .= " AND cd.date_fin_validite < '".$this->db->idate($now)."'";
 $a = parent::getNbOfRecipients($sql);
diff --git a/htdocs/core/modules/modCommande.class.php b/htdocs/core/modules/modCommande.class.php
index 29f4dc60515..6a44075822c 100644
--- a/htdocs/core/modules/modCommande.class.php
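Review bot: The four rewritten comparisons still use loose `==` against the raw `GETPOST("filter_client")` string, while the SQL filter two lines above uses `(int) GETPOST("filter_client", 'int')`, so the description and the query can disagree for non-numeric input (`'abc' == 0` is true on PHP 7 and false on PHP 8). Reading the value once, `$filterClient = (int) GETPOST("filter_client", 'int');`, and comparing it with `===` (or a `match` on PHP 8) keeps the label consistent with what is actually filtered and avoids four repeated GETPOST calls. The enclosing method starts outside the hunk.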
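Review bot: In the `p.ref IN (...)` line of thirdparties_services_expired, `sanitize(..., 1)` is applied after the refs are wrapped in quotes, and as far as I can tell sanitize() strips anything outside a short allowlist rather than escaping, so a ref containing a space or other excluded character is silently altered and stops matching, while a quote inside a ref is passed through. Escaping each element is the form that preserves the data, e.g. `"'".join("','", array_map(array($this->db, 'escape'), $this->arrayofproducts))."'"`; note that combining this with sanitize would strip the escape backslash again, so keep one or the other. Whether `arrayofproducts` is admin-configured or user-supplied is not visible here. The enclosing method starts outside the hunk.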
+++ b/htdocs/core/modules/modCommande.class.php @@ -368,7 +368,7 @@ class modCommande extends DolibarrModules //Import CPV Lines $r++; $this->import_code[$r] = 'commande_lines_'.$r; - $this->import_label[$r] = 'OrderLine'; + $this->import_label[$r] = 'SaleOrderLines'; $this->import_icon[$r] = $this->picto; $this->import_entities_array[$r] = []; $this->import_tables_array[$r] = ['cd' => MAIN_DB_PREFIX.'commandedet', 'extra' => MAIN_DB_PREFIX.'commandedet_extrafields']; diff --git a/htdocs/core/modules/modDeplacement.class.php b/htdocs/core/modules/modDeplacement.class.php index 0f92e8a7e6c..f0f06395565 100644 --- a/htdocs/core/modules/modDeplacement.class.php +++ b/htdocs/core/modules/modDeplacement.class.php @@ -143,7 +143,7 @@ class modDeplacement extends DolibarrModules $childids[] = $user->id; if (empty($user->rights->deplacement->readall) && empty($user->rights->deplacement->lire_tous)) { - $this->export_sql_end[$r] .= ' AND d.fk_user IN ('.join(',', $childids).')'; + $this->export_sql_end[$r] .= ' AND d.fk_user IN ('.$this->db->sanitize(join(',', $childids)).')'; } } } diff --git a/htdocs/core/modules/modEventOrganization.class.php b/htdocs/core/modules/modEventOrganization.class.php index 386da21d798..244b4f41cab 100644 --- a/htdocs/core/modules/modEventOrganization.class.php +++ b/htdocs/core/modules/modEventOrganization.class.php @@ -341,6 +341,7 @@ class modEventOrganization extends DolibarrModules 'fk_menu'=>'fk_mainmenu=project', // '' if this is a top menu. For left menu, use 'fk_mainmenu=xxx' or 'fk_mainmenu=xxx,fk_leftmenu=yyy' where xxx is mainmenucode and yyy is a leftmenucode 'type'=>'left', // This is a Left menu entry 'titre'=>'EventOrganizationMenuLeft', + 'prefix' => img_picto('', 'eventorganization', 'class="paddingright pictofixedwidth"'), 'mainmenu'=>'project', 'leftmenu'=>'eventorganization', 'url'=>'', 
@@ -355,7 +356,7 @@ class modEventOrganization extends DolibarrModules 'fk_menu'=>'fk_mainmenu=project,fk_leftmenu=eventorganization', // '' if this is a top menu. For left menu, use 'fk_mainmenu=xxx' or 'fk_mainmenu=xxx,fk_leftmenu=yyy' where xxx is mainmenucode and yyy is a leftmenucode 'type'=>'left', // This is a Left menu entry 'titre'=>'List', - 'url'=>'/projet/list.php?search_usage_event_organization=1&mainmenu=project', + 'url'=>'/projet/list.php?search_usage_event_organization=1&mainmenu=project&contextpage=organizedevents', 'langs'=>'eventorganization@eventorganization', // Lang file to use (without .lang) by module. File must be in langs/code_CODE/ directory. 'position'=>1000+$r, 'enabled'=>'$conf->eventorganization->enabled', // Define condition to show or hide menu entry. Use '$conf->eventorganization->enabled' if entry must be visible if module is enabled. Use '$leftmenu==\'system\'' to show if leftmenu system is selected. @@ -378,7 +379,8 @@ class modEventOrganization extends DolibarrModules $this->menu[$r++]=array( 'fk_menu'=>'fk_mainmenu=project', // '' if this is a top menu. For left menu, use 'fk_mainmenu=xxx' or 'fk_mainmenu=xxx,fk_leftmenu=yyy' where xxx is mainmenucode and yyy is a leftmenucode 'type'=>'left', // This is a Left menu entry - 'titre'=>'EventOrganizationMenuLeft', + 'titre'=>'ConferenceOrBooth', + 'prefix' => img_picto('', 'conferenceorbooth', 'class="paddingright pictofixedwidth"'), 'mainmenu'=>'project', 'leftmenu'=>'eventorganizationconforbooth', 'url'=>'', diff --git a/htdocs/core/modules/modExpedition.class.php b/htdocs/core/modules/modExpedition.class.php index ba8568ba13e..238eef2d6fe 100644 --- a/htdocs/core/modules/modExpedition.class.php +++ b/htdocs/core/modules/modExpedition.class.php 
@@ -313,7 +313,7 @@ class modExpedition extends DolibarrModules
 $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product as p on cd.fk_product = p.rowid';
 $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product_extrafields as extraprod ON p.rowid = extraprod.fk_object';
 if ($idcontacts && !empty($conf->global->SHIPMENT_ADD_CONTACTS_IN_EXPORT)) {
- $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'element_contact as ee ON ee.element_id = cd.fk_commande AND ee.fk_c_type_contact IN ('.$idcontacts.')';
+ $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'element_contact as ee ON ee.element_id = cd.fk_commande AND ee.fk_c_type_contact IN ('.$this->db->sanitize($idcontacts).')';
 $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'socpeople as sp ON sp.rowid = ee.fk_socpeople';
 $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'socpeople_extrafields as extra3 ON sp.rowid = extra3.fk_object';
 }
diff --git a/htdocs/core/modules/modExternalSite.class.php b/htdocs/core/modules/modExternalSite.class.php
index a996a55ddaa..71c3387ff5e 100644
--- a/htdocs/core/modules/modExternalSite.class.php
+++ b/htdocs/core/modules/modExternalSite.class.php
@@ -67,7 +67,7 @@ class modExternalSite extends DolibarrModules
 $this->dirs = array();
 // Config pages. Put here list of php page names stored in admmin directory used to setup module
- $this->config_page_url = array("externalsite.php@externalsite");
+ $this->config_page_url = array("index.php@externalsite");
 // Dependencies
 $this->depends = array(); // List of modules id that must be enabled if this module is enabled
diff --git a/htdocs/core/modules/modFournisseur.class.php b/htdocs/core/modules/modFournisseur.class.php
index 46d6dd7bead..71f101014ad 100644
--- a/htdocs/core/modules/modFournisseur.class.php
+++ b/htdocs/core/modules/modFournisseur.class.php
@@ -666,7 +666,7 @@ class modFournisseur extends DolibarrModules $r++; $this->import_code[$r] = $this->rights_class.'_'.$r; - $this->import_label[$r] = "Supplier Invoice"; // Translation key + $this->import_label[$r] = "SupplierInvoices"; // Translation key $this->import_icon[$r] = $this->picto; $this->import_entities_array[$r] = []; // We define here only fields that use another icon that the one defined into import_icon $this->import_tables_array[$r] = ['f' => MAIN_DB_PREFIX.'facture_fourn', 'extra' => MAIN_DB_PREFIX.'facture_fourn_extrafields']; @@ -759,7 +759,7 @@ class modFournisseur extends DolibarrModules //Import Supplier Invoice Lines $r++; $this->import_code[$r] = $this->rights_class.'_'.$r; - $this->import_label[$r] = "Supplier Invoice Lines"; // Translation key + $this->import_label[$r] = "SupplierInvoiceLines"; // Translation key $this->import_icon[$r] = $this->picto; $this->import_entities_array[$r] = []; // We define here only fields that use another icon that the one defined into import_icon $this->import_tables_array[$r] = ['fd' => MAIN_DB_PREFIX.'facture_fourn_det', 'extra' => MAIN_DB_PREFIX.'facture_fourn_det_extrafields']; @@ -839,7 +839,7 @@ class modFournisseur extends DolibarrModules //Import Purchase Orders $r++; $this->import_code[$r] = 'commande_fournisseur_'.$r; - $this->import_label[$r] = 'Purchase Orders'; + $this->import_label[$r] = 'SuppliersOrders'; $this->import_icon[$r] = $this->picto; $this->import_entities_array[$r] = []; $this->import_tables_array[$r] = ['c' => MAIN_DB_PREFIX.'commande_fournisseur', 'extra' => MAIN_DB_PREFIX.'commande_fournisseur_extrafields']; 
@@ -922,7 +922,7 @@ class modFournisseur extends DolibarrModules //Import PO Lines $r++; $this->import_code[$r] = 'commande_fournisseurdet_'.$r; - $this->import_label[$r] = 'PO Lines'; + $this->import_label[$r] = 'PurchaseOrderLines'; $this->import_icon[$r] = $this->picto; $this->import_entities_array[$r] = []; $this->import_tables_array[$r] = ['cd' => MAIN_DB_PREFIX.'commande_fournisseurdet', 'extra' => MAIN_DB_PREFIX.'commande_fournisseurdet_extrafields']; diff --git a/htdocs/core/modules/modIntracommreport.class.php b/htdocs/core/modules/modIntracommreport.class.php index 077f51ab519..47ef889e2dd 100644 --- a/htdocs/core/modules/modIntracommreport.class.php +++ b/htdocs/core/modules/modIntracommreport.class.php @@ -44,13 +44,13 @@ class modIntracommreport extends DolibarrModules $this->numero = 68000; $this->family = "financial"; - $this->module_position = '100'; + $this->module_position = '60'; // Module label (no space allowed), used if translation string 'ModuleXXXName' not found (where XXX is value of numeric property 'numero' of module) $this->name = preg_replace('/^mod/i', '', get_class($this)); $this->description = "Intracomm report management (Support for French DEB/DES format)"; // Possible values for version are: 'development', 'experimental', 'dolibarr' or 'dolibarr_deprecated' or version - $this->version = 'development'; + $this->version = 'experimental'; $this->const_name = 'MAIN_MODULE_'.strtoupper($this->name); $this->picto = 'intracommreport'; diff --git a/htdocs/core/modules/modProductBatch.class.php b/htdocs/core/modules/modProductBatch.class.php index 166b8f6e637..79529898bb0 100644 --- a/htdocs/core/modules/modProductBatch.class.php +++ b/htdocs/core/modules/modProductBatch.class.php 
@@ -64,8 +64,8 @@ class modProductBatch extends DolibarrModules
 // Data directories to create when module is enabled.
 $this->dirs = array();
- // Config pages. Put here list of php page, stored into /product/admin/ directory, to setup the module.
- $this->config_page_url = array("product_lot_extrafields.php@product");
+ // Config pages. Put here list of php page, stored into productdluo/admin directory, to use to setup module.
+ $this->config_page_url = array("product_lot.php@product");
 // Dependencies
 $this->hidden = false; // A condition to hide module
@@ -76,8 +76,24 @@ class modProductBatch extends DolibarrModules
 $this->need_dolibarr_version = array(3, 0); // Minimum version of Dolibarr required by module
 $this->langfiles = array("productbatch");
+ // Constants
 // Constants
 $this->const = array();
+ $r = 0;
+
+ $this->const[$r][0] = "PRODUCTBATCH_LOT_ADDON";
+ $this->const[$r][1] = "chaine";
+ $this->const[$r][2] = "mod_lot_free";
+ $this->const[$r][3] = 'Module to control product codes';
+ $this->const[$r][4] = 0;
+ $r++;
+
+ $this->const[$r][0] = "PRODUCTBATCH_SN_ADDON";
+ $this->const[$r][1] = "chaine";
+ $this->const[$r][2] = "mod_sn_free";
+ $this->const[$r][3] = 'Module to control product codes';
+ $this->const[$r][4] = 0;
+ $r++;
 $this->tabs = array();
diff --git a/htdocs/core/modules/modPropale.class.php b/htdocs/core/modules/modPropale.class.php
index 687d8ea3669..c13a92e744e 100644
--- a/htdocs/core/modules/modPropale.class.php
+++ b/htdocs/core/modules/modPropale.class.php
@@ -350,7 +350,7 @@ class modPropale extends DolibarrModules
 //Import Proposal Lines
 $r++;
 $this->import_code[$r] = $this->rights_class.'line_'.$r;
- $this->import_label[$r] = "ProposalLine"; // Translation key
+ $this->import_label[$r] = "ProposalLines"; // Translation key
 $this->import_icon[$r] = $this->picto;
 $this->import_entities_array[$r] = []; // We define here only fields that use another icon that the one defined into import_icon
 $this->import_tables_array[$r] = [
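Review bot: Both new constants in the @@ -76 hunk carry the description `'Module to control product codes'`, which is the product-code wording and not what PRODUCTBATCH_LOT_ADDON and PRODUCTBATCH_SN_ADDON select; `'Module to control lot numbering'` and `'Module to control serial number numbering'` would describe them. The added `+ // Constants` line duplicates the existing `// Constants` comment directly below it, so one of the two should go. In the @@ -64 hunk the new comment says the setup page is stored in `productdluo/admin` while the value `product_lot.php@product` points at the product module; one of the two looks stale.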
diff --git a/htdocs/core/modules/modReception.class.php b/htdocs/core/modules/modReception.class.php
index 247a4faeddc..02f17cf0fbe 100644
--- a/htdocs/core/modules/modReception.class.php
+++ b/htdocs/core/modules/modReception.class.php
@@ -236,7 +236,7 @@ class modReception extends DolibarrModules
 $this->export_sql_end[$r] .= ' , '.MAIN_DB_PREFIX.'commande_fournisseurdet as cd';
 $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product as p on cd.fk_product = p.rowid';
 if ($idcontacts && !empty($conf->global->RECEPTION_ADD_CONTACTS_IN_EXPORT)) {
- $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'element_contact as ee ON ee.element_id = cd.fk_commande AND ee.fk_c_type_contact IN ('.$idcontacts.')';
+ $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'element_contact as ee ON ee.element_id = cd.fk_commande AND ee.fk_c_type_contact IN ('.$this->db->sanitize($idcontacts).')';
 $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'socpeople as sp ON sp.rowid = ee.fk_socpeople';
 $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'socpeople_extrafields as extra3 ON sp.rowid = extra3.fk_object';
 }
diff --git a/htdocs/core/modules/modSociete.class.php b/htdocs/core/modules/modSociete.class.php
index 38ca03ffe3b..f30709445b3 100644
--- a/htdocs/core/modules/modSociete.class.php
+++ b/htdocs/core/modules/modSociete.class.php
@@ -343,7 +343,7 @@ class modSociete extends DolibarrModules
 $this->export_sql_end[$r] .= ' AND (sc.fk_user = '.$user->id.' ';
 if (!empty($conf->global->SOCIETE_EXPORT_SUBORDINATES_CHILDS)) {
 $subordinatesids = $user->getAllChildIds();
- $this->export_sql_end[$r] .= count($subordinatesids) > 0 ? ' OR (sc.fk_user IN ('.implode(',', $subordinatesids).')' : '';
+ $this->export_sql_end[$r] .= count($subordinatesids) > 0 ? ' OR (sc.fk_user IN ('.$this->db->sanitize(implode(',', $subordinatesids)).')' : '';
 }
 $this->export_sql_end[$r] .= ')';
 }
@@ -413,7 +413,7 @@ class modSociete extends DolibarrModules
 $this->export_sql_end[$r] .= ' AND (sc.fk_user = '.$user->id.' ';
 if (!empty($conf->global->SOCIETE_EXPORT_SUBORDINATES_CHILDS)) {
 $subordinatesids = $user->getAllChildIds();
- $this->export_sql_end[$r] .= count($subordinatesids) > 0 ? ' OR (sc.fk_user IN ('.implode(',', $subordinatesids).')' : '';
+ $this->export_sql_end[$r] .= count($subordinatesids) > 0 ? ' OR (sc.fk_user IN ('.$this->db->sanitize(implode(',', $subordinatesids)).')' : '';
 }
 $this->export_sql_end[$r] .= ')';
 }
diff --git a/htdocs/core/modules/modTicket.class.php b/htdocs/core/modules/modTicket.class.php
index a1318266334..b374000c74c 100644
--- a/htdocs/core/modules/modTicket.class.php
+++ b/htdocs/core/modules/modTicket.class.php
@@ -127,16 +127,21 @@ class modTicket extends DolibarrModules 'tabsql' => array( 'SELECT f.rowid as rowid, f.code, f.pos, f.label, f.active, f.use_default FROM '.MAIN_DB_PREFIX.'c_ticket_type as f', 'SELECT f.rowid as rowid, f.code, f.pos, f.label, f.active, f.use_default FROM '.MAIN_DB_PREFIX.'c_ticket_severity as f', - 'SELECT f.rowid as rowid, f.code, f.pos, f.label, f.active, f.use_default FROM '.MAIN_DB_PREFIX.'c_ticket_category as f', + 'SELECT f.rowid as rowid, f.code, f.pos, f.label, f.active, f.use_default, f.public FROM '.MAIN_DB_PREFIX.'c_ticket_category as f', 'SELECT f.rowid as rowid, f.code, f.pos, f.label, f.active, f.use_default FROM '.MAIN_DB_PREFIX.'c_ticket_resolution as f' ), 'tabsqlsort' => array("pos ASC", "pos ASC", "pos ASC", "pos ASC"), - 'tabfield' => array("code,label,pos,use_default", "code,label,pos,use_default", "code,label,pos,use_default", "code,label,pos,use_default"), - 'tabfieldvalue' => array("code,label,pos,use_default", "code,label,pos,use_default", "code,label,pos,use_default", "code,label,pos,use_default"), - 'tabfieldinsert' => array("code,label,pos,use_default", "code,label,pos,use_default", "code,label,pos,use_default", "code,label,pos,use_default"), + 'tabfield' => array("code,label,pos,use_default", "code,label,pos,use_default", "code,label,pos,use_default,public", "code,label,pos,use_default"), + 'tabfieldvalue' => array("code,label,pos,use_default", "code,label,pos,use_default", "code,label,pos,use_default,public", "code,label,pos,use_default"), + 'tabfieldinsert' => array("code,label,pos,use_default", "code,label,pos,use_default", "code,label,pos,use_default,public", "code,label,pos,use_default"), 'tabrowid' => array("rowid", "rowid", "rowid", "rowid"), 'tabcond' => array($conf->ticket->enabled, $conf->ticket->enabled, $conf->ticket->enabled, $conf->ticket->enabled), - 'tabhelp' => array(array('code'=>$langs->trans("EnterAnyCode"), 'use_default'=>$langs->trans("Enter0or1")), 
array('code'=>$langs->trans("EnterAnyCode"), 'use_default'=>$langs->trans("Enter0or1")), array('code'=>$langs->trans("EnterAnyCode"), 'use_default'=>$langs->trans("Enter0or1")), array('code'=>$langs->trans("EnterAnyCode"), 'use_default'=>$langs->trans("Enter0or1"))), + 'tabhelp' => array( + array('code'=>$langs->trans("EnterAnyCode"), 'use_default'=>$langs->trans("Enter0or1")), + array('code'=>$langs->trans("EnterAnyCode"), 'use_default'=>$langs->trans("Enter0or1")), + array('code'=>$langs->trans("EnterAnyCode"), 'use_default'=>$langs->trans("Enter0or1"), 'public'=>$langs->trans("Enter0or1").'
'.$langs->trans("TicketGroupIsPublicDesc")), + array('code'=>$langs->trans("EnterAnyCode"), 'use_default'=>$langs->trans("Enter0or1")) + ), ); // Boxes diff --git a/htdocs/core/modules/movement/doc/index.html b/htdocs/core/modules/movement/doc/index.html new file mode 100644 index 00000000000..8b137891791 --- /dev/null +++ b/htdocs/core/modules/movement/doc/index.html @@ -0,0 +1 @@ + diff --git a/htdocs/core/modules/product/doc/index.html b/htdocs/core/modules/product/doc/index.html new file mode 100644 index 00000000000..8b137891791 --- /dev/null +++ b/htdocs/core/modules/product/doc/index.html @@ -0,0 +1 @@ + diff --git a/htdocs/core/modules/product_batch/mod_lot_advanced.php b/htdocs/core/modules/product_batch/mod_lot_advanced.php new file mode 100644 index 00000000000..d8629b92dd6 --- /dev/null +++ b/htdocs/core/modules/product_batch/mod_lot_advanced.php 
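Review bot: The new `public` column on the ticket category dictionary is surfaced as a plain 0/1 field, but the hunk shows neither the column's schema default nor where the flag is read; if it selects the categories offered on the public ticket interface, the migration should default it to 0 and the reader should treat NULL as not public, otherwise every existing category becomes visible after the upgrade. That is inferred from the name `TicketGroupIsPublicDesc`; the consumer of the flag is not in this hunk. The `tabhelp` reformatting is fine, but the third entry now spans two lines while the others stay on one; one entry per line for all four would read more evenly.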
@@ -0,0 +1,145 @@ + + * Copyright (C) 2004-2007 Laurent Destailleur + * Copyright (C) 2005-2009 Regis Houssin + * Copyright (C) 2008 Raphael Bertrand (Resultic) + * Copyright (C) 2019 Frédéric France + * Copyright (C) 2021 Christophe Battarel + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * or see https://www.gnu.org/ + */ + +/** + * \file htdocs/core/modules/product_batch/mod_lot_advanced.php + * \ingroup productbatch + * \brief File containing class for numbering model of Lot advanced + */ + +require_once DOL_DOCUMENT_ROOT.'/core/modules/product_batch/modules_product_batch.class.php'; + + +/** + * Class to manage Batch numbering rules advanced + */ +class mod_lot_advanced extends ModeleNumRefBatch +{ + /** + * Dolibarr version of the loaded document + * @var string + */ + public $version = 'dolibarr'; // 'development', 'experimental', 'dolibarr' + + /** + * @var string Error message + */ + public $error = ''; + + /** + * @var string name + */ + public $name = 'lot_advanced'; + + + /** + * Returns the description of the numbering model + * + * @return string Texte descripif + */ + public function info() + { + global $conf, $langs, $db; + + $langs->load("bills"); + + $form = new Form($db); + + $texte = $langs->trans('GenericNumRefModelDesc')."
\n"; + $texte .= '
'; + $texte .= ''; + $texte .= ''; + $texte .= ''; + $texte .= ''; + + $tooltip = $langs->trans("GenericMaskCodes", $langs->transnoentities("Batch"), $langs->transnoentities("Batch")); + $tooltip .= $langs->trans("GenericMaskCodes2"); + $tooltip .= $langs->trans("GenericMaskCodes3"); + $tooltip .= $langs->trans("GenericMaskCodes4a", $langs->transnoentities("Batch"), $langs->transnoentities("Batch")); + $tooltip .= $langs->trans("GenericMaskCodes5"); + + // Parametrage du prefix + $texte .= ''; + $texte .= ''; + + $texte .= ''; + + $texte .= ''; + + $texte .= '
'.$langs->trans("Mask").':'.$form->textwithpicto('', $tooltip, 1, 1).' 
'; + $texte .= '
'; + + return $texte; + } + + /** + * Return an example of numbering + * + * @return string Example + */ + public function getExample() + { + global $conf, $langs, $mysoc; + + $old_code_client = $mysoc->code_client; + $old_code_type = $mysoc->typent_code; + $mysoc->code_client = 'CCCCCCCCCC'; + $mysoc->typent_code = 'TTTTTTTTTT'; + $numExample = $this->getNextValue($mysoc, ''); + $mysoc->code_client = $old_code_client; + $mysoc->typent_code = $old_code_type; + + if (!$numExample) { + $numExample = $langs->trans('NotConfigured'); + } + return $numExample; + } + + /** + * Return next free value + * + * @param Product $objprod Object product + * @param Object $object Object we need next value for + * @return string Value if KO, <0 if KO + */ + public function getNextValue($objprod, $object) + { + global $db, $conf; + + require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php'; + + // We get cursor rule + $mask = $conf->global->BATCH_ADVANCED_MASK; + + if (!$mask) { + $this->error = 'NotConfigured'; + return 0; + } + + $date = $object->date; + + $numFinal = get_next_value($db, $mask, 'product_lot', 'ref', '', null, $date); + + return $numFinal; + } +} diff --git a/htdocs/core/modules/product_batch/mod_lot_free.php b/htdocs/core/modules/product_batch/mod_lot_free.php new file mode 100644 index 00000000000..0f069143ab1 --- /dev/null +++ b/htdocs/core/modules/product_batch/mod_lot_free.php 
@@ -0,0 +1,105 @@ + + * Copyright (C) 2006-2009 Laurent Destailleur + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * or see https://www.gnu.org/ + */ + +/** + * \file htdocs/core/modules/product/mod_lot_free.php + * \ingroup productbatch + * \brief File containing class for numbering model of Lot free + */ + +require_once DOL_DOCUMENT_ROOT.'/core/modules/product_batch/modules_product_batch.class.php'; + +/** + * \class mod_codeproduct_leopard + * \brief Classe permettant la gestion leopard des codes produits + */ +class mod_lot_free extends ModeleNumRefBatch +{ + /* + * Attention ce module est utilise par defaut si aucun module n'a + * ete definit dans la configuration + * + * Le fonctionnement de celui-ci doit donc rester le plus ouvert possible + */ + + + /** + * @var string model name + */ + public $name = 'lot_free'; + + public $code_modifiable; // Code modifiable + + public $code_modifiable_invalide; // Code modifiable si il est invalide + + public $code_modifiable_null; // Code modifiables si il est null + + public $code_null; // Code facultatif + + /** + * Dolibarr version of the loaded document + * @var string + */ + public $version = 'dolibarr'; // 'development', 'experimental', 'dolibarr' + + /** + * @var int Automatic numbering + */ + public $code_auto; + + + /** + * Constructor + */ + public function __construct() + { + $this->code_null = 1; + $this->code_modifiable = 1; + 
$this->code_modifiable_invalide = 1; + $this->code_modifiable_null = 1; + $this->code_auto = 0; + } + + + /** + * Return description of module + * + * @return string Description of module + */ + public function info() + { + global $langs; + $langs->load("companies"); + return $langs->trans("LeopardNumRefModelDesc"); + } + + + /** + * Return an example of result returned by getNextValue + * + * @param product $objproduct Object product + * @param int $type Type of third party (1:customer, 2:supplier, -1:autodetect) + * @return string Return next value + */ + public function getNextValue($objproduct = 0, $type = -1) + { + global $langs; + return ''; + } +} diff --git a/htdocs/core/modules/product_batch/mod_lot_standard.php b/htdocs/core/modules/product_batch/mod_lot_standard.php new file mode 100644 index 00000000000..0d2b5a55139 --- /dev/null +++ b/htdocs/core/modules/product_batch/mod_lot_standard.php 
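Review bot: `getNextValue($objproduct = 0, $type = -1)` does not match the `getNextValue($objprod, $object)` signature used by the sibling lot models in this PR, and its docblock (`Type of third party (1:customer, 2:supplier, -1:autodetect)`), the class comment `\class mod_codeproduct_leopard` and the `LeopardNumRefModelDesc` description in `info()` are copied from the third-party code module; aligning the signature to `public function getNextValue($objprod, $object)` keeps one contract for callers and, if `ModeleNumRefBatch` declares the method, for the base class too. The `\file` path says `modules/product/mod_lot_free.php` while the file lives under `product_batch`. The `global $langs;` in `getNextValue()` is unused.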
@@ -0,0 +1,145 @@ + + * Copyright (C) 2005-2009 Regis Houssin + * Copyright (C) 2021 Christophe Battarel + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * or see https://www.gnu.org/ + */ + +/** + * \file htdocs/core/modules/product_batch/mod_lot_standard.php + * \ingroup productbatch + * \brief File of class to manage Lot numbering rules standard + */ +require_once DOL_DOCUMENT_ROOT.'/core/modules/product_batch/modules_product_batch.class.php'; + +/** + * Class to manage MO numbering rules standard + */ +class mod_lot_standard extends ModeleNumRefBatch +{ + /** + * Dolibarr version of the loaded document + * @var string + */ + public $version = 'dolibarr'; // 'development', 'experimental', 'dolibarr' + + public $prefix = 'LOT'; + + /** + * @var string Error code (or message) + */ + public $error = ''; + + /** + * @var string name + */ + public $name = 'lot_standard'; + + + /** + * Return description of numbering module + * + * @return string Text with description + */ + public function info() + { + global $langs; + return $langs->trans("SimpleNumRefModelDesc", $this->prefix); + } + + + /** + * Return an example of numbering + * + * @return string Example + */ + public function getExample() + { + return $this->prefix."0501-0001"; + } + + + /** + * Checks if the numbers already in the database do not + * cause conflicts that would prevent this numbering working. 
+ * + * @return boolean false if conflict, true if ok + */ + public function canBeActivated() + { + global $conf, $langs, $db; + + $coyymm = ''; $max = ''; + + $posindice = strlen($this->prefix) + 6; + $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; + $sql .= " FROM ".MAIN_DB_PREFIX."product_lot"; + $sql .= " WHERE ref LIKE '".$db->escape($this->prefix)."____-%'"; + $sql .= " AND entity = ".$conf->entity; + + $resql = $db->query($sql); + if ($resql) { + $row = $db->fetch_row($resql); + if ($row) { $coyymm = substr($row[0], 0, 6); $max = $row[0]; } + } + if ($coyymm && !preg_match('/'.$this->prefix.'[0-9][0-9][0-9][0-9]/i', $coyymm)) { + $langs->load("errors"); + $this->error = $langs->trans('ErrorNumRefModel', $max); + return false; + } + + return true; + } + + /** + * Return next free value + * + * @param Product $objprod Object product + * @param Object $object Object we need next value for + * @return string Value if KO, <0 if KO + */ + public function getNextValue($objprod, $object) + { + global $db, $conf; + + // First, we get the max value + $posindice = strlen($this->prefix) + 6; + $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; + $sql .= " FROM ".MAIN_DB_PREFIX."product_lot"; + $sql .= " WHERE ref LIKE '".$db->escape($this->prefix)."____-%'"; + $sql .= " AND entity = ".$conf->entity; + + $resql = $db->query($sql); + if ($resql) { + $obj = $db->fetch_object($resql); + if ($obj) $max = intval($obj->max); + else $max = 0; + } else { + dol_syslog("mod_lot_standard::getNextValue", LOG_DEBUG); + return -1; + } + + //$date=time(); + $date = $object->date_creation; + $yymm = strftime("%y%m", $date); + + if ($max >= (pow(10, 4) - 1)) $num = $max + 1; // If counter > 9999, we do not format on 4 chars, we take number as it is + else $num = sprintf("%04s", $max + 1); + + dol_syslog("mod_lot_standard::getNextValue return ".$this->prefix.$yymm."-".$num); + return $this->prefix.$yymm."-".$num; + } +} 
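Review bot: `canBeActivated()` selects `MAX(CAST(SUBSTRING(ref FROM ...) AS SIGNED))`, i.e. the numeric counter, but then treats the result as a ref: `$coyymm = substr($row[0], 0, 6)` is matched against `/LOT[0-9][0-9][0-9][0-9]/i`, which a bare number can never satisfy, so once any lot with a non-zero counter exists the method returns false with `ErrorNumRefModel` and the model cannot be activated. The prefix check wants the highest ref, so in `canBeActivated()` the query should be `$sql = "SELECT MAX(ref) as max";` (its `$posindice` line then becomes unused); `getNextValue()` keeps the counter query. Separately, `strftime()` in `getNextValue()` is deprecated since PHP 8.1 and `$object->date_creation` may be empty for a new lot; `dol_print_date($date ? $date : dol_now(), '%y%m')` should give the same `yymm` string without either issue.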
diff --git a/htdocs/core/modules/product_batch/mod_sn_advanced.php b/htdocs/core/modules/product_batch/mod_sn_advanced.php new file mode 100644 index 00000000000..89d70a8239d --- /dev/null +++ b/htdocs/core/modules/product_batch/mod_sn_advanced.php 
@@ -0,0 +1,145 @@ + + * Copyright (C) 2004-2007 Laurent Destailleur + * Copyright (C) 2005-2009 Regis Houssin + * Copyright (C) 2008 Raphael Bertrand (Resultic) + * Copyright (C) 2019 Frédéric France + * Copyright (C) 2021 Christophe Battarel + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * or see https://www.gnu.org/ + */ + +/** + * \file htdocs/core/modules/product_batch/mod_batch_advanced.php + * \ingroup productbatch + * \brief File containing class for numbering model of SN advanced + */ + +require_once DOL_DOCUMENT_ROOT.'/core/modules/product_batch/modules_product_batch.class.php'; + + +/** + * Class to manage Batch numbering rules advanced + */ +class mod_sn_advanced extends ModeleNumRefBatch +{ + /** + * Dolibarr version of the loaded document + * @var string + */ + public $version = 'dolibarr'; // 'development', 'experimental', 'dolibarr' + + /** + * @var string Error message + */ + public $error = ''; + + /** + * @var string name + */ + public $name = 'sn_advanced'; + + + /** + * Returns the description of the numbering model + * + * @return string Texte descripif + */ + public function info() + { + global $conf, $langs, $db; + + $langs->load("bills"); + + $form = new Form($db); + + $texte = $langs->trans('GenericNumRefModelDesc')."
\n"; + $texte .= '
'; + $texte .= ''; + $texte .= ''; + $texte .= ''; + $texte .= ''; + + $tooltip = $langs->trans("GenericMaskCodes", $langs->transnoentities("Batch"), $langs->transnoentities("Batch")); + $tooltip .= $langs->trans("GenericMaskCodes2"); + $tooltip .= $langs->trans("GenericMaskCodes3"); + $tooltip .= $langs->trans("GenericMaskCodes4a", $langs->transnoentities("Batch"), $langs->transnoentities("Batch")); + $tooltip .= $langs->trans("GenericMaskCodes5"); + + // Parametrage du prefix + $texte .= ''; + $texte .= ''; + + $texte .= ''; + + $texte .= ''; + + $texte .= '
'.$langs->trans("Mask").':'.$form->textwithpicto('', $tooltip, 1, 1).' 
'; + $texte .= '
'; + + return $texte; + } + + /** + * Return an example of numbering + * + * @return string Example + */ + public function getExample() + { + global $conf, $langs, $mysoc; + + $old_code_client = $mysoc->code_client; + $old_code_type = $mysoc->typent_code; + $mysoc->code_client = 'CCCCCCCCCC'; + $mysoc->typent_code = 'TTTTTTTTTT'; + $numExample = $this->getNextValue($mysoc, ''); + $mysoc->code_client = $old_code_client; + $mysoc->typent_code = $old_code_type; + + if (!$numExample) { + $numExample = $langs->trans('NotConfigured'); + } + return $numExample; + } + + /** + * Return next free value + * + * @param Product $objprod Object product + * @param Object $object Object we need next value for + * @return string Value if KO, <0 if KO + */ + public function getNextValue($objprod, $object) + { + global $db, $conf; + + require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php'; + + // We get cursor rule + $mask = $conf->global->BATCH_ADVANCED_MASK; + + if (!$mask) { + $this->error = 'NotConfigured'; + return 0; + } + + $date = $object->date; + + $numFinal = get_next_value($db, $mask, 'product_sn', 'ref', '', null, $date); + + return $numFinal; + } +} diff --git a/htdocs/core/modules/product_batch/mod_sn_free.php b/htdocs/core/modules/product_batch/mod_sn_free.php new file mode 100644 index 00000000000..95e1bd20359 --- /dev/null +++ b/htdocs/core/modules/product_batch/mod_sn_free.php 
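Review bot: `getExample()` calls `$this->getNextValue($mysoc, '')`, and `getNextValue()` then reads `$object->date` on that empty string, so the example path raises a property-on-non-object warning and hands no usable date to `get_next_value()`. A guard such as `$date = (is_object($object) && !empty($object->date)) ? $object->date : dol_now();` keeps the example working without changing the real path. Separately, the `\file` line names `mod_batch_advanced.php` while the file is `mod_sn_advanced.php`, and the `@return` of `getNextValue()` reads `Value if KO, <0 if KO` although the code returns `0` when the mask is unset. Note also that `mod_sn_standard` in this same commit counts existing refs in `product_lot` whereas this model passes `'product_sn'` to `get_next_value()`; if both are meant to number the same objects, one of the two table names is presumably wrong.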
@@ -0,0 +1,104 @@ + + * Copyright (C) 2006-2009 Laurent Destailleur + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * or see https://www.gnu.org/ + */ + +/** + * \file htdocs/core/modules/product/mod_sn_free.php + * \ingroup productbatch + * \brief File containing class for numbering model of SN free + */ + +require_once DOL_DOCUMENT_ROOT.'/core/modules/product_batch/modules_product_batch.class.php'; + +/** + * \class mod_codeproduct_leopard + * \brief Classe permettant la gestion leopard des codes produits + */ +class mod_sn_free extends ModeleNumRefBatch +{ + /* + * Attention ce module est utilise par defaut si aucun module n'a + * ete definit dans la configuration + * + * Le fonctionnement de celui-ci doit donc rester le plus ouvert possible + */ + + /** + * @var string model name + */ + public $name = 'sn_free'; + + public $code_modifiable; // Code modifiable + + public $code_modifiable_invalide; // Code modifiable si il est invalide + + public $code_modifiable_null; // Code modifiables si il est null + + public $code_null; // Code facultatif + + /** + * Dolibarr version of the loaded document + * @var string + */ + public $version = 'dolibarr'; // 'development', 'experimental', 'dolibarr' + + /** + * @var int Automatic numbering + */ + public $code_auto; + + + /** + * Constructor + */ + public function __construct() + { + $this->code_null = 1; + $this->code_modifiable = 1; + 
$this->code_modifiable_invalide = 1; + $this->code_modifiable_null = 1; + $this->code_auto = 0; + } + + + /** + * Return description of module + * + * @return string Description of module + */ + public function info() + { + global $langs; + $langs->load("companies"); + return $langs->trans("LeopardNumRefModelDesc"); + } + + + /** + * Return an example of result returned by getNextValue + * + * @param product $objproduct Object product + * @param int $type Type of third party (1:customer, 2:supplier, -1:autodetect) + * @return string Return next value + */ + public function getNextValue($objproduct = 0, $type = -1) + { + global $langs; + return ''; + } +} diff --git a/htdocs/core/modules/product_batch/mod_sn_standard.php b/htdocs/core/modules/product_batch/mod_sn_standard.php new file mode 100644 index 00000000000..bef5efcd9f8 --- /dev/null +++ b/htdocs/core/modules/product_batch/mod_sn_standard.php 
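Review bot: The docblocks in this new file still describe the third-party code model they were copied from: the class comment reads `\class mod_codeproduct_leopard` with a French brief about product codes, `\file` points at `htdocs/core/modules/product/mod_sn_free.php` rather than `product_batch/`, and `getNextValue()` is documented as "Return an example of result returned by getNextValue" with a `$type` third-party parameter. Since the parent `ModeleNumRefBatch::getNextValue($objsoc, $object)` added in this same commit defines the contract, the override should document the same two parameters and state that it returns `''` so the caller knows the serial is entered manually. `global $langs;` inside `getNextValue()` is unused and can be dropped.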
@@ -0,0 +1,145 @@ + + * Copyright (C) 2005-2009 Regis Houssin + * Copyright (C) 2021 Christophe Battarel + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * or see https://www.gnu.org/ + */ + +/** + * \file htdocs/core/modules/product_batch/mod_sn_standard.php + * \ingroup productbatch + * \brief File of class to manage SN numbering rules standard + */ +require_once DOL_DOCUMENT_ROOT.'/core/modules/product_batch/modules_product_batch.class.php'; + +/** + * Class to manage MO numbering rules standard + */ +class mod_sn_standard extends ModeleNumRefBatch +{ + /** + * Dolibarr version of the loaded document + * @var string + */ + public $version = 'dolibarr'; // 'development', 'experimental', 'dolibarr' + + public $prefix = 'SN'; + + /** + * @var string Error code (or message) + */ + public $error = ''; + + /** + * @var string name + */ + public $name = 'sn_standard'; + + + /** + * Return description of numbering module + * + * @return string Text with description + */ + public function info() + { + global $langs; + return $langs->trans("SimpleNumRefModelDesc", $this->prefix); + } + + + /** + * Return an example of numbering + * + * @return string Example + */ + public function getExample() + { + return $this->prefix."0501-0001"; + } + + + /** + * Checks if the numbers already in the database do not + * cause conflicts that would prevent this numbering working. 
+ * + * @return boolean false if conflict, true if ok + */ + public function canBeActivated() + { + global $conf, $langs, $db; + + $coyymm = ''; $max = ''; + + $posindice = strlen($this->prefix) + 6; + $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; + $sql .= " FROM ".MAIN_DB_PREFIX."product_lot"; + $sql .= " WHERE ref LIKE '".$db->escape($this->prefix)."____-%'"; + $sql .= " AND entity = ".$conf->entity; + + $resql = $db->query($sql); + if ($resql) { + $row = $db->fetch_row($resql); + if ($row) { $coyymm = substr($row[0], 0, 6); $max = $row[0]; } + } + if ($coyymm && !preg_match('/'.$this->prefix.'[0-9][0-9][0-9][0-9]/i', $coyymm)) { + $langs->load("errors"); + $this->error = $langs->trans('ErrorNumRefModel', $max); + return false; + } + + return true; + } + + /** + * Return next free value + * + * @param Product $objprod Object product + * @param Object $object Object we need next value for + * @return string Value if KO, <0 if KO + */ + public function getNextValue($objprod, $object) + { + global $db, $conf; + + // First, we get the max value + $posindice = strlen($this->prefix) + 6; + $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; + $sql .= " FROM ".MAIN_DB_PREFIX."product_lot"; + $sql .= " WHERE ref LIKE '".$db->escape($this->prefix)."____-%'"; + $sql .= " AND entity = ".$conf->entity; + + $resql = $db->query($sql); + if ($resql) { + $obj = $db->fetch_object($resql); + if ($obj) $max = intval($obj->max); + else $max = 0; + } else { + dol_syslog("mod_sn_standard::getNextValue", LOG_DEBUG); + return -1; + } + + //$date=time(); + $date = $object->date_creation; + $yymm = strftime("%y%m", $date); + + if ($max >= (pow(10, 4) - 1)) $num = $max + 1; // If counter > 9999, we do not format on 4 chars, we take number as it is + else $num = sprintf("%04s", $max + 1); + + dol_syslog("mod_sn_standard::getNextValue return ".$this->prefix.$yymm."-".$num); + return $this->prefix.$yymm."-".$num; + } +} 
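Review bot: In `canBeActivated()` the prefix is interpolated unescaped into the regex `'/'.$this->prefix.'[0-9][0-9][0-9][0-9]/i'`; with the default `'SN'` this is harmless, but a prefix containing a PCRE metacharacter would silently change or break the check, so use `'/'.preg_quote($this->prefix, '/').'[0-9][0-9][0-9][0-9]/i'` there. Both queries concatenate `$conf->entity` raw (`" AND entity = ".$conf->entity`) while the same commit casts ids elsewhere (`((int) $this->userid)` in expensereportstats.class.php); `" AND entity = ".((int) $conf->entity)` keeps the style consistent. `strftime()` is deprecated as of PHP 8.1, so the `$yymm` line will start emitting deprecation notices; the project's `dol_print_date()` wrapper is the usual replacement. The `@return` of `getNextValue()` also reads `Value if KO, <0 if KO` and should say `string Value if OK, <0 if KO`.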
diff --git a/htdocs/core/modules/product_batch/modules_product_batch.class.php b/htdocs/core/modules/product_batch/modules_product_batch.class.php
index f5ef6ac3dda..42d4d052bfe 100644
--- a/htdocs/core/modules/product_batch/modules_product_batch.class.php
+++ b/htdocs/core/modules/product_batch/modules_product_batch.class.php
@@ -65,3 +65,89 @@ abstract class ModelePDFProductBatch extends CommonDocGenerator
 return $list;
 }
 }
+
+/**
+ * Parent class to manage numbering of batch products
+ */
+abstract class ModeleNumRefBatch
+{
+ /**
+ * @var string Error code (or message)
+ */
+ public $error = '';
+
+ /**
+ * Return if a module can be used or not
+ *
+ * @return boolean true if module can be used
+ */
+ public function isEnabled()
+ {
+ return true;
+ }
+
+ /**
+ * Returns the default description of the numbering template
+ *
+ * @return string Texte descripif
+ */
+ public function info()
+ {
+ global $langs;
+ $langs->load("productbatch");
+ return $langs->trans("NoDescription");
+ }
+
+ /**
+ * Returns an example of numbering
+ *
+ * @return string Example
+ */
+ public function getExample()
+ {
+ global $langs;
+ $langs->load("productbatch");
+ return $langs->trans("NoExample");
+ }
+
+ /**
+ * Checks if the numbers already in the database do not
+ * cause conflicts that would prevent this numbering working.
+ *
+ * @return boolean false if conflict, true if ok
+ */
+ public function canBeActivated()
+ {
+ return true;
+ }
+
+ /**
+ * Returns next assigned value
+ *
+ * @param Societe $objsoc Object thirdparty
+ * @param Object $object Object we need next value for
+ * @return string Valeur
+ */
+ public function getNextValue($objsoc, $object)
+ {
+ global $langs;
+ return $langs->trans("NotAvailable");
+ }
+
+ /**
+ * Returns version of numbering module
+ *
+ * @return string Valeur
+ */
+ public function getVersion()
+ {
+ global $langs;
+ $langs->load("admin");
+
+ if ($this->version == 'development') return $langs->trans("VersionDevelopment");
+ if ($this->version == 'experimental') return $langs->trans("VersionExperimental");
+ if ($this->version == 'dolibarr') return DOL_VERSION;
+ if ($this->version) return $this->version;
+ return $langs->trans("NotAvailable");
+ }
+}
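Review bot: `getVersion()` reads `$this->version`, but `ModeleNumRefBatch` never declares that property; each subclass on this page happens to define it, yet a subclass that forgets does so silently (and PHP 8.2 deprecates dynamic properties), so declare it on the parent: `/** @var string Version of the numbering module: 'development', 'experimental', 'dolibarr' or a version string */ public $version = '';`. The `getNextValue()` docblock still says `@param Societe $objsoc Object thirdparty` while the subclasses added in this commit declare `@param Product $objprod Object product`; align the parent's docblock and parameter name with the batch contract since it is the one callers read. The two `@return string Valeur` lines are French residue and could read `@return string Value`.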
diff --git a/htdocs/core/modules/stock/doc/index.html b/htdocs/core/modules/stock/doc/index.html new file mode 100644 index 00000000000..8b137891791 --- /dev/null +++ b/htdocs/core/modules/stock/doc/index.html @@ -0,0 +1 @@ + diff --git a/htdocs/core/photos_resize.php b/htdocs/core/photos_resize.php index 008e524f299..b3079691cd5 100644 --- a/htdocs/core/photos_resize.php +++ b/htdocs/core/photos_resize.php @@ -487,8 +487,8 @@ print load_fiche_titre($title); $infoarray = dol_getImageSize($dir."/".GETPOST("file", 'alpha')); $height = $infoarray['height']; $width = $infoarray['width']; -print $langs->trans("CurrentInformationOnImage").': '; -print $langs->trans("Width").': '.$width.' x '.$langs->trans("Height").': '.$height.'
'; +print ''.$langs->trans("CurrentInformationOnImage").': '; +print $langs->trans("Width").': '.$width.' x '.$langs->trans("Height").': '.$height.'
'; print '
'."\n"; diff --git a/htdocs/core/tpl/extrafields_view.tpl.php b/htdocs/core/tpl/extrafields_view.tpl.php index 3940f0c38e5..9f77eaca415 100644 --- a/htdocs/core/tpl/extrafields_view.tpl.php +++ b/htdocs/core/tpl/extrafields_view.tpl.php @@ -81,7 +81,7 @@ if (empty($reshook) && is_array($extrafields->attributes[$object->table_element] if ($perms && isset($extrafields->attributes[$object->table_element]['perms'][$tmpkeyextra])) { $perms = dol_eval($extrafields->attributes[$object->table_element]['perms'][$tmpkeyextra], 1); } - //print $tmpkeyextra.'-'.$enabled.'-'.$perms.'-'.$tmplabelextra.$_POST["options_" . $tmpkeyextra].'
'."\n"; + //print $tmpkeyextra.'-'.$enabled.'-'.$perms.'
'."\n"; if (empty($enabled)) { continue; // 0 = Never visible field diff --git a/htdocs/core/tpl/notes.tpl.php b/htdocs/core/tpl/notes.tpl.php index b1d9664af57..60b541d8afb 100644 --- a/htdocs/core/tpl/notes.tpl.php +++ b/htdocs/core/tpl/notes.tpl.php @@ -24,7 +24,7 @@ if (empty($object) || !is_object($object)) { } // $permissionnote must be defined by caller. For example $permissionnote=$user->rights->module->create -// $cssclass must be defined by caller. For example $cssclass='fieldtitle" +// $cssclass must be defined by caller. For example $cssclass='fieldtitle' $module = $object->element; $note_public = 'note_public'; $note_private = 'note_private'; diff --git a/htdocs/don/list.php b/htdocs/don/list.php index 9798cd02eea..9a2d1402e17 100644 --- a/htdocs/don/list.php +++ b/htdocs/don/list.php @@ -106,7 +106,7 @@ $sql .= " p.rowid as pid, p.ref, p.title, p.public"; $sql .= " FROM ".MAIN_DB_PREFIX."don as d LEFT JOIN ".MAIN_DB_PREFIX."projet AS p"; $sql .= " ON p.rowid = d.fk_projet WHERE d.entity IN (".getEntity('donation').")"; if ($search_status != '' && $search_status != '-4') { - $sql .= " AND d.fk_statut IN (".$db->sanitize($db->escape($search_status)).")"; + $sql .= " AND d.fk_statut IN (".$db->sanitize($search_status).")"; } if (trim($search_ref) != '') { $sql .= natural_search('d.ref', $search_ref); diff --git a/htdocs/don/payment/payment.php b/htdocs/don/payment/payment.php index ca33d6ffc23..d571940cc9b 100644 --- a/htdocs/don/payment/payment.php +++ b/htdocs/don/payment/payment.php @@ -29,9 +29,10 @@ require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php'; $langs->load("bills"); -$chid = GETPOST("rowid"); +$chid = GETPOST("rowid", 'int'); $action = GETPOST('action', 'aZ09'); $amounts = array(); +$cancel = GETPOST('cancel'); // Security check $socid = 0; 
@@ -49,15 +50,15 @@ $object = new Don($db); if ($action == 'add_payment') { $error = 0; - if ($_POST["cancel"]) { + if ($cancel) { $loc = DOL_URL_ROOT.'/don/card.php?rowid='.$chid; header("Location: ".$loc); exit; } - $datepaid = dol_mktime(12, 0, 0, $_POST["remonth"], $_POST["reday"], $_POST["reyear"]); + $datepaid = dol_mktime(12, 0, 0, GETPOST("remonth"), GETPOST("reday"), GETPOST("reyear")); - if (!$_POST["paymenttype"] > 0) { + if (!(GETPOST("paymenttype") > 0)) { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentities("PaymentMode")), null, 'errors'); $error++; } @@ -65,7 +66,7 @@ if ($action == 'add_payment') { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentities("Date")), null, 'errors'); $error++; } - if (!empty($conf->banque->enabled) && !$_POST["accountid"] > 0) { + if (!empty($conf->banque->enabled) && !(GETPOST("accountid", 'int') > 0)) { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentities("AccountToCredit")), null, 'errors'); $error++; } @@ -183,8 +184,8 @@ if ($action == 'create') { print ''; print '"; print ''; diff --git a/htdocs/eventorganization/class/conferenceorbooth.class.php b/htdocs/eventorganization/class/conferenceorbooth.class.php index 7f28d40dd29..d91181d0c51 100644 --- a/htdocs/eventorganization/class/conferenceorbooth.class.php +++ b/htdocs/eventorganization/class/conferenceorbooth.class.php @@ -61,7 +61,7 @@ class ConferenceOrBooth extends ActionComm /** * @var string String with name of icon for conferenceorbooth. Must be the part after the 'object_' into object_conferenceorbooth.png */ - public $picto = 'conferenceorbooth@eventorganization'; + public $picto = 'conferenceorbooth'; const STATUS_DRAFT = 0; diff --git a/htdocs/eventorganization/conferenceorbooth_card.php b/htdocs/eventorganization/conferenceorbooth_card.php index 495d0334a10..29bbd0f19bd 100644 --- a/htdocs/eventorganization/conferenceorbooth_card.php 
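Review bot: The date and payment-type inputs are read without the `'int'` filter (`GETPOST("remonth")`, `GETPOST("reday")`, `GETPOST("reyear")`, `GETPOST("paymenttype") > 0`), whereas the sibling hunk in `expensereport/payment/payment.php` in this same commit uses `GETPOST("remonth", 'int')` and `GETPOST("fk_typepayment", 'int')`. Reading them as `$datepaid = dol_mktime(12, 0, 0, GETPOST("remonth", 'int'), GETPOST("reday", 'int'), GETPOST("reyear", 'int'));` and `if (!(GETPOST("paymenttype", 'int') > 0)) {` keeps both payment pages consistent and makes the numeric expectation explicit at the boundary. The same applies to the `@@ -184` hunk of this file, which recomputes `$datepaid` for the form with the same unfiltered calls.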
+++ b/htdocs/eventorganization/conferenceorbooth_card.php @@ -202,9 +202,6 @@ if ($action == 'create') { print dol_get_fiche_head(array(), ''); - // Set some default values - //if (! GETPOSTISSET('fieldname')) $_POST['fieldname'] = 'myvalue'; - print '
'.$langs->trans("Date").''; - $datepaid = dol_mktime(12, 0, 0, $_POST["remonth"], $_POST["reday"], $_POST["reyear"]); - $datepayment = empty($conf->global->MAIN_AUTOFILL_DATE) ? (empty($_POST["remonth"]) ?-1 : $datepaid) : 0; + $datepaid = dol_mktime(12, 0, 0, GETPOST("remonth"), GETPOST("reday"), GETPOST("reyear")); + $datepayment = empty($conf->global->MAIN_AUTOFILL_DATE) ? (GETPOST("remonth") ? $datepaid : -1) : 0; print $form->selectDate($datepayment, '', 0, 0, 0, "add_payment", 1, 1, 0, '', '', $object->date, '', 1, $langs->trans("DonationDate")); print "
'."\n"; // Common attributes diff --git a/htdocs/eventorganization/conferenceorbooth_list.php b/htdocs/eventorganization/conferenceorbooth_list.php index f4cda255cdb..89e614cc3ba 100644 --- a/htdocs/eventorganization/conferenceorbooth_list.php +++ b/htdocs/eventorganization/conferenceorbooth_list.php @@ -265,7 +265,7 @@ if ($projectid > 0) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->project->all->lire) { $objectsListId = $project->getProjectsAuthorizedForUser($user, 0, 0); - $project->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $project->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ? join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($project, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); 
@@ -554,9 +554,9 @@ print ''; print ''; print ''; -$newcardbutton = dolGetButtonTitle($langs->trans('New'), '', 'fa fa-plus-circle', dol_buildpath('/eventorganization/conferenceorbooth_card.php', 1).'?action=create'.(!empty($project->id)?'&fk_project='.$project->id:'').(!empty($project->socid)?'&fk_soc='.$project->socid:'').'&backtopage='.urlencode($_SERVER['PHP_SELF']).(!empty($project->id)?'?projectid='.$project->id:''), '', $permissiontoadd); +$newcardbutton = dolGetButtonTitle($langs->trans('New'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/eventorganization/conferenceorbooth_card.php?action=create'.(!empty($project->id)?'&fk_project='.$project->id:'').(!empty($project->socid)?'&fk_soc='.$project->socid:'').'&backtopage='.urlencode($_SERVER['PHP_SELF']).(!empty($project->id)?'?projectid='.$project->id:''), '', $permissiontoadd); -print_barre_liste($title, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, $massactionbutton, $num, $nbtotalofrecords, 'object_'.$object->picto, 0, $newcardbutton, '', $limit, 0, 0, 1); +print_barre_liste($title, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, $massactionbutton, $num, $nbtotalofrecords, $object->picto, 0, $newcardbutton, '', $limit, 0, 0, 1); // Add code for pre mass action (confirmation or email presend form) $topicmail = "SendConferenceOrBoothRef"; diff --git a/htdocs/expedition/card.php b/htdocs/expedition/card.php index 7e10b5b5f1f..c543ef40880 100644 --- a/htdocs/expedition/card.php +++ b/htdocs/expedition/card.php @@ -281,8 +281,8 @@ if (empty($reshook)) { $totalqty += $subtotalqty; } else { - // No detail were provided for lots - if (!empty($_POST[$qty])) { + // No detail were provided for lots, so if a qty was provided, we can show an error. + if (GETPOST($qty)) { // We try to set an amount // Case we dont use the list of available qty for each warehouse/lot // GUI does not allow this yet 
diff --git a/htdocs/expedition/class/api_shipments.class.php b/htdocs/expedition/class/api_shipments.class.php index 42564f7dd72..cc5267cdd47 100644 --- a/htdocs/expedition/class/api_shipments.class.php +++ b/htdocs/expedition/class/api_shipments.class.php @@ -129,7 +129,7 @@ class Shipments extends DolibarrApi $sql .= " AND t.fk_soc = sc.fk_soc"; } if ($socids) { - $sql .= " AND t.fk_soc IN (".$socids.")"; + $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")"; } if ($search_sale > 0) { $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale diff --git a/htdocs/expedition/list.php b/htdocs/expedition/list.php index 327e9a030e0..a4a09e06808 100644 --- a/htdocs/expedition/list.php +++ b/htdocs/expedition/list.php @@ -313,13 +313,13 @@ if ($search_state) { $sql .= natural_search("state.nom", $search_state); } if ($search_country) { - $sql .= " AND s.fk_pays IN (".$search_country.')'; + $sql .= " AND s.fk_pays IN (".$db->sanitize($search_country).')'; } if ($search_tracking) { $sql .= natural_search("e.tracking_number", $search_tracking); } if ($search_type_thirdparty != '' && $search_type_thirdparty > 0) { - $sql .= " AND s.fk_typent IN (".$search_type_thirdparty.')'; + $sql .= " AND s.fk_typent IN (".$db->sanitize($search_type_thirdparty).')'; } if ($search_sale > 0) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$search_sale; diff --git a/htdocs/expensereport/card.php b/htdocs/expensereport/card.php index 020c34dc0c6..1c3e8594c41 100644 --- a/htdocs/expensereport/card.php +++ b/htdocs/expensereport/card.php @@ -2257,7 +2257,7 @@ if ($action == 'create') { // VAT print ''; // Unit price diff --git a/htdocs/expensereport/class/api_expensereports.class.php b/htdocs/expensereport/class/api_expensereports.class.php index 98da4534e0c..13148e4247a 100644 --- a/htdocs/expensereport/class/api_expensereports.class.php +++ b/htdocs/expensereport/class/api_expensereports.class.php 
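Review bot: `$search_sale` is still concatenated raw in `" AND s.rowid = sc.fk_soc AND sc.fk_user = ".$search_sale` at the end of the `@@ -313` hunk of `expedition/list.php`, while the two lines just above were wrapped in `$db->sanitize()`; the commit's own pattern elsewhere is `((int) $this->userid)` (expensereportstats.class.php), so `... sc.fk_user = ".((int) $search_sale)` would close the gap. The `$search_sale > 0` guard narrows what reaches the query but does not constrain the string form itself, unless `$search_sale` is already read with the `'int'` filter above the hunk, which is not visible here. The same unchanged neighbour remains in `expensereport/index.php` (`$sql .= " AND d.fk_user_author = ".$socid;` at the end of the `@@ -180` hunk).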
@@ -108,7 +108,7 @@ class ExpenseReports extends DolibarrApi $sql .= " FROM ".MAIN_DB_PREFIX."expensereport as t"; $sql .= ' WHERE t.entity IN ('.getEntity('expensereport').')'; if ($user_ids) { - $sql .= " AND t.fk_user_author IN (".$user_ids.")"; + $sql .= " AND t.fk_user_author IN (".$this->db->sanitize($user_ids).")"; } // Add sql filters diff --git a/htdocs/expensereport/class/expensereport.class.php b/htdocs/expensereport/class/expensereport.class.php index 89178693a43..496f57812a6 100644 --- a/htdocs/expensereport/class/expensereport.class.php +++ b/htdocs/expensereport/class/expensereport.class.php @@ -2367,8 +2367,8 @@ class ExpenseReport extends CommonObject $sql .= " AND ex.entity IN (".getEntity('expensereport').")"; if (empty($user->rights->expensereport->readall)) { $userchildids = $user->getAllChildIds(1); - $sql .= " AND (ex.fk_user_author IN (".join(',', $userchildids).")"; - $sql .= " OR ex.fk_user_validator IN (".join(',', $userchildids)."))"; + $sql .= " AND (ex.fk_user_author IN (".$this->db->sanitize(join(',', $userchildids)).")"; + $sql .= " OR ex.fk_user_validator IN (".$this->db->sanitize(join(',', $userchildids))."))"; } $resql = $this->db->query($sql); @@ -2414,8 +2414,8 @@ class ExpenseReport extends CommonObject $sql .= " AND ex.entity IN (".getEntity('expensereport').")"; if (empty($user->rights->expensereport->readall)) { $userchildids = $user->getAllChildIds(1); - $sql .= " AND (ex.fk_user_author IN (".join(',', $userchildids).")"; - $sql .= " OR ex.fk_user_validator IN (".join(',', $userchildids)."))"; + $sql .= " AND (ex.fk_user_author IN (".$this->db->sanitize(join(',', $userchildids)).")"; + $sql .= " OR ex.fk_user_validator IN (".$this->db->sanitize(join(',', $userchildids))."))"; } $resql = $this->db->query($sql); diff --git a/htdocs/expensereport/class/expensereportstats.class.php b/htdocs/expensereport/class/expensereportstats.class.php index 3d627cbce8d..ec71f530f51 100644 
--- a/htdocs/expensereport/class/expensereportstats.class.php +++ b/htdocs/expensereport/class/expensereportstats.class.php @@ -78,11 +78,11 @@ class ExpenseReportStats extends Stats if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous)) { $childids = $user->getAllChildIds(); $childids[] = $user->id; - $this->where .= " AND e.fk_user_author IN (".(join(',', $childids)).")"; + $this->where .= " AND e.fk_user_author IN (".$this->db->sanitize(join(',', $childids)).")"; } if ($this->userid > 0) { - $this->where .= ' AND e.fk_user_author = '.$this->userid; + $this->where .= ' AND e.fk_user_author = '.((int) $this->userid); } } diff --git a/htdocs/expensereport/index.php b/htdocs/expensereport/index.php index 541c2c0738e..f9792d5b68c 100644 --- a/htdocs/expensereport/index.php +++ b/htdocs/expensereport/index.php @@ -91,7 +91,7 @@ if (empty($user->rights->expensereport->readall) && empty($user->rights->expense && (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || empty($user->rights->expensereport->writeall_advance))) { $childids = $user->getAllChildIds(); $childids[] = $user->id; - $sql .= " AND d.fk_user_author IN (".join(',', $childids).")\n"; + $sql .= " AND d.fk_user_author IN (".$db->sanitize(join(',', $childids)).")\n"; } $sql .= " GROUP BY tf.code, tf.label"; 
@@ -180,11 +180,11 @@ if (empty($user->rights->expensereport->readall) && empty($user->rights->expense && (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || empty($user->rights->expensereport->writeall_advance))) { $childids = $user->getAllChildIds(); $childids[] = $user->id; - $sql .= " AND d.fk_user_author IN (".join(',', $childids).")\n"; + $sql .= " AND d.fk_user_author IN (".$db->sanitize(join(',', $childids)).")\n"; } $sql .= ' AND d.entity IN ('.getEntity('expensereport').')'; if (!$user->rights->societe->client->voir && !$user->socid) { - $sql .= " AND d.fk_user_author = s.rowid AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; + $sql .= " AND d.fk_user_author = s.rowid AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id); } if ($socid) { $sql .= " AND d.fk_user_author = ".$socid; diff --git a/htdocs/expensereport/list.php b/htdocs/expensereport/list.php index 35642ead0c4..51022f8c40b 100644 --- a/htdocs/expensereport/list.php +++ b/htdocs/expensereport/list.php @@ -290,12 +290,12 @@ if ($search_user != '' && $search_user >= 0) { } // Status if ($search_status != '' && $search_status >= 0) { - $sql .= " AND d.fk_statut IN (".$db->sanitize($db->escape($search_status)).")"; + $sql .= " AND d.fk_statut IN (".$db->sanitize($search_status).")"; } // RESTRICT RIGHTS if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous) && (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || empty($user->rights->expensereport->writeall_advance))) { - $sql .= " AND d.fk_user_author IN (".join(',', $childids).")\n"; + $sql .= " AND d.fk_user_author IN (".$db->sanitize(join(',', $childids)).")\n"; } // Add where from extra fields include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_list_search_sql.tpl.php'; diff --git a/htdocs/expensereport/payment/payment.php b/htdocs/expensereport/payment/payment.php index 926559769b4..d50f6336669 100644 --- a/htdocs/expensereport/payment/payment.php +++ b/htdocs/expensereport/payment/payment.php 
@@ -36,6 +36,7 @@ $ref = GETPOST('ref', 'alpha'); $action = GETPOST('action', 'aZ09'); $amounts = array(); $accountid = GETPOST('accountid', 'int'); +$cancel = GETPOST('cancel'); // Security check $socid = 0; @@ -51,7 +52,7 @@ if ($user->socid > 0) { if ($action == 'add_payment') { $error = 0; - if ($_POST["cancel"]) { + if ($cancel) { $loc = DOL_URL_ROOT.'/expensereport/card.php?id='.$id; header("Location: ".$loc); exit; @@ -64,9 +65,9 @@ if ($action == 'add_payment') { setEventMessages($expensereport->error, $expensereport->errors, 'errors'); } - $datepaid = dol_mktime(12, 0, 0, $_POST["remonth"], $_POST["reday"], $_POST["reyear"]); + $datepaid = dol_mktime(12, 0, 0, GETPOST("remonth", 'int'), GETPOST("reday", 'int'), GETPOST("reyear", 'int')); - if (!($_POST["fk_typepayment"] > 0)) { + if (!(GETPOST("fk_typepayment", 'int') > 0)) { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentities("PaymentMode")), null, 'errors'); $error++; } diff --git a/htdocs/externalsite/admin/index.html b/htdocs/externalsite/admin/index.html deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/htdocs/externalsite/admin/externalsite.php b/htdocs/externalsite/admin/index.php similarity index 90% rename from htdocs/externalsite/admin/externalsite.php rename to htdocs/externalsite/admin/index.php index 47f0a3d57be..1710a570c45 100644 --- a/htdocs/externalsite/admin/externalsite.php +++ b/htdocs/externalsite/admin/index.php @@ -21,9 +21,9 @@ */ /** - * \file htdocs/externalsite/admin/externalsite.php + * \file htdocs/externalsite/admin/index.php * \ingroup externalsite - * \brief Page de configuration du module externalsite + * \brief Page to setup module external site */ if (!defined('NOSCANPOSTFORINJECTION')) { 
@@ -41,18 +41,24 @@ if (!$user->admin) { // Load translation files required by the page $langs->loadLangs(array('admin', 'other', 'externalsite')); -$def = array(); - $action = GETPOST('action', 'aZ09'); + +/* + * Actions + */ + // Sauvegardes parametres if ($action == 'update') { $i = 0; $db->begin(); - $label = GETPOST('EXTERNALSITE_LABEL', 'alpha'); - $exturl = GETPOST('EXTERNALSITE_URL', 'restricthtml'); + $label = GETPOST('EXTERNALSITE_LABEL', 'alphanohtml'); + + $exturl = GETPOST('EXTERNALSITE_URL', 'none'); + $exturl = dol_string_onlythesehtmltags($exturl, 1, 1, 0, 1); + $exturl = dol_string_onlythesehtmlattributes($exturl); $i += dolibarr_set_const($db, 'EXTERNALSITE_LABEL', trim($label), 'chaine', 0, '', $conf->entity); $i += dolibarr_set_const($db, 'EXTERNALSITE_URL', trim($exturl), 'chaine', 0, '', $conf->entity); @@ -77,7 +83,7 @@ $linkback = ''; -print $langs->trans("Module100Desc")."
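Review bot: The four positional flags passed to `dol_string_onlythesehtmltags($exturl, 1, 1, 0, 1)` decide which tags survive in a stored, admin-provided HTML value, but nothing at the call site says what they enable, so a later edit to these flags cannot be reviewed against the intent. A one-line comment such as `// Admin-only setting; keep only the tags needed to embed the external site` above the call would record it. The `$label` filter moved from `'alpha'` to `'alphanohtml'`, which is the tighter choice; a short note on where the label is rendered would justify it for the next reader.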
\n"; +print ''.$langs->trans("Module100Desc")."
\n"; print '
'; print '
'; diff --git a/htdocs/fichinter/card.php b/htdocs/fichinter/card.php index ebc884eb033..88c5a1cefc0 100644 --- a/htdocs/fichinter/card.php +++ b/htdocs/fichinter/card.php @@ -875,9 +875,9 @@ if ($action == 'create') { print '
'; print ''; $defaultpassive = GETPOST("FTP_PASSIVE_".($lastftpentry + 1)); - if (!isset($_POST["FTP_PASSIVE_".($lastftpentry + 1)])) { + if (!GETPOSTISSET("FTP_PASSIVE_".($lastftpentry + 1))) { $defaultpassive = empty($conf->global->FTP_SUGGEST_PASSIVE_BYDEFAULT) ? 0 : 1; } print ''; diff --git a/htdocs/holiday/class/holiday.class.php b/htdocs/holiday/class/holiday.class.php index 7943df254c1..4b5c742b3f1 100644 --- a/htdocs/holiday/class/holiday.class.php +++ b/htdocs/holiday/class/holiday.class.php @@ -479,7 +479,7 @@ class Holiday extends CommonObject $sql .= " FROM ".MAIN_DB_PREFIX."holiday as cp, ".MAIN_DB_PREFIX."user as uu, ".MAIN_DB_PREFIX."user as ua"; $sql .= " WHERE cp.entity IN (".getEntity('holiday').")"; $sql .= " AND cp.fk_user = uu.rowid AND cp.fk_validator = ua.rowid"; // Hack pour la recherche sur le tableau - $sql .= " AND cp.fk_user IN (".$user_id.")"; + $sql .= " AND cp.fk_user IN (".$this->db->sanitize($user_id).")"; // Selection filter if (!empty($filter)) { @@ -1122,7 +1122,7 @@ class Holiday extends CommonObject $sql .= " AND cp.fk_user = ".(int) $fk_user; $sql .= " AND cp.date_debut <= '".$this->db->idate($timestamp)."' AND cp.date_fin >= '".$this->db->idate($timestamp)."'"; if ($status != '-1') { - $sql .= " AND cp.statut IN (".$this->db->sanitize($this->db->escape($status)).")"; + $sql .= " AND cp.statut IN (".$this->db->sanitize($status).")"; } $resql = $this->db->query($sql); @@ -2209,8 +2209,8 @@ class Holiday extends CommonObject $sql .= " AND h.entity IN (".getEntity('holiday').")"; if (empty($user->rights->expensereport->readall)) { $userchildids = $user->getAllChildIds(1); - $sql .= " AND (h.fk_user IN (".join(',', $userchildids).")"; - $sql .= " OR h.fk_validator IN (".join(',', $userchildids)."))"; + $sql .= " AND (h.fk_user IN (".$this->db->sanitize(join(',', $userchildids)).")"; + $sql .= " OR h.fk_validator IN (".$this->db->sanitize(join(',', $userchildids))."))"; } $resql = $this->db->query($sql); 
@@ -2251,8 +2251,8 @@ class Holiday extends CommonObject $sql .= " AND h.entity IN (".getEntity('holiday').")"; if (empty($user->rights->expensereport->read_all)) { $userchildids = $user->getAllChildIds(1); - $sql .= " AND (h.fk_user IN (".join(',', $userchildids).")"; - $sql .= " OR h.fk_validator IN (".join(',', $userchildids)."))"; + $sql .= " AND (h.fk_user IN (".$this->db->sanitize(join(',', $userchildids)).")"; + $sql .= " OR h.fk_validator IN (".$this->db->sanitize(join(',', $userchildids))."))"; } $resql = $this->db->query($sql); diff --git a/htdocs/holiday/define_holiday.php b/htdocs/holiday/define_holiday.php index e57e12dcaee..b3d2c25adda 100644 --- a/htdocs/holiday/define_holiday.php +++ b/htdocs/holiday/define_holiday.php @@ -230,7 +230,7 @@ $filters = ''; $userchilds = array(); if (empty($user->rights->holiday->readall)) { $userchilds = $user->getAllChildIds(1); - $filters .= ' AND u.rowid IN ('.join(', ', $userchilds).')'; + $filters .= ' AND u.rowid IN ('.$db->sanitize(join(', ', $userchilds)).')'; } if (!empty($search_name)) { $filters .= natural_search(array('u.firstname', 'u.lastname'), $search_name); diff --git a/htdocs/holiday/list.php b/htdocs/holiday/list.php index 4474aecf748..f49a3145af9 100644 --- a/htdocs/holiday/list.php +++ b/htdocs/holiday/list.php @@ -341,10 +341,10 @@ if (!empty($search_status) && $search_status != -1) { } if (empty($user->rights->holiday->readall)) { - $sql .= ' AND cp.fk_user IN ('.join(',', $childids).')'; + $sql .= ' AND cp.fk_user IN ('.$db->sanitize(join(',', $childids)).')'; } if ($id > 0) { - $sql .= " AND cp.fk_user IN (".$id.")"; + $sql .= " AND cp.fk_user IN (".$db->sanitize($id).")"; } // Add where from extra fields diff --git a/htdocs/holiday/month_report.php b/htdocs/holiday/month_report.php index 37497fd1810..62991a6e0ee 100644 --- a/htdocs/holiday/month_report.php +++ b/htdocs/holiday/month_report.php 
@@ -154,7 +154,7 @@ if (!empty($search_employee)) { $sql .= " AND cp.fk_user = '".$db->escape($search_employee)."'"; } if (!empty($search_type)) { - $sql .= ' AND cp.fk_type IN ('.$db->escape($search_type).')'; + $sql .= ' AND cp.fk_type IN ('.$db->sanitize($search_type).')'; } if (!empty($search_description)) { $sql .= natural_search('cp.description', $search_description); diff --git a/htdocs/hrm/establishment/card.php b/htdocs/hrm/establishment/card.php index a46ebfa28f3..96874db6504 100644 --- a/htdocs/hrm/establishment/card.php +++ b/htdocs/hrm/establishment/card.php @@ -80,9 +80,9 @@ if ($action == 'confirm_delete' && $confirm == "yes") { if (empty($error)) { $object->address = GETPOST('address', 'alpha'); - $object->zip = GETPOST('zipcode', 'alpha'); - $object->town = GETPOST('town', 'alpha'); - $object->country_id = $_POST["country_id"]; + $object->zip = GETPOST('zipcode', 'alpha'); + $object->town = GETPOST('town', 'alpha'); + $object->country_id = GETPOST("country_id", 'int'); $object->status = GETPOST('status', 'int'); $object->fk_user_author = $user->id; $object->datec = dol_now(); diff --git a/htdocs/hrm/index.php b/htdocs/hrm/index.php index e40ceb3f9ba..f169ce60b37 100644 --- a/htdocs/hrm/index.php +++ b/htdocs/hrm/index.php @@ -182,7 +182,7 @@ if (!empty($conf->holiday->enabled) && $user->rights->holiday->read) { $sql .= " WHERE u.rowid = x.fk_user"; $sql .= " AND x.entity = ".$conf->entity; if (empty($user->rights->holiday->readall)) { - $sql .= ' AND x.fk_user IN ('.join(',', $childids).')'; + $sql .= ' AND x.fk_user IN ('.$db->sanitize(join(',', $childids)).')'; } //if (!$user->rights->societe->client->voir && !$user->socid) $sql.= " AND x.fk_soc = s. rowid AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id; //if (!empty($socid)) $sql.= " AND x.fk_soc = ".$socid; 
@@ -263,7 +263,7 @@ if (!empty($conf->expensereport->enabled) && $user->rights->expensereport->lire) $sql .= " WHERE u.rowid = x.fk_user_author"; $sql .= " AND x.entity = ".$conf->entity; if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous)) { - $sql .= ' AND x.fk_user_author IN ('.join(',', $childids).')'; + $sql .= ' AND x.fk_user_author IN ('.$db->sanitize(join(',', $childids)).')'; } //if (!$user->rights->societe->client->voir && !$user->socid) $sql.= " AND x.fk_soc = s. rowid AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id; //if (!empty($socid)) $sql.= " AND x.fk_soc = ".$socid; diff --git a/htdocs/install/fileconf.php b/htdocs/install/fileconf.php index cfe42adc79f..0ca5805ba24 100644 --- a/htdocs/install/fileconf.php +++ b/htdocs/install/fileconf.php @@ -33,7 +33,7 @@ global $langs; $err = 0; -$setuplang = GETPOST("selectlang", '', 3) ?GETPOST("selectlang", '', 3) : (isset($_GET["lang"]) ? $_GET["lang"] : 'auto'); +$setuplang = GETPOST("selectlang", '', 3) ? GETPOST("selectlang", '', 3) : (GETPOST('lang', 'alpha', 1) ? GETPOST('lang', 'alpha', 1) : 'auto'); $langs->setDefaultLang($setuplang); $langs->loadLangs(array("install", "errors")); diff --git a/htdocs/install/inc.php b/htdocs/install/inc.php index 91ceae9eaaa..27a3fc01abd 100644 --- a/htdocs/install/inc.php +++ b/htdocs/install/inc.php @@ -518,7 +518,7 @@ function pFooter($nonext = 0, $setuplang = '', $jscheckfunction = '', $withpleas } } if ($setuplang) { - print ''; + print ''; } print ''."\n"; diff --git a/htdocs/install/mysql/data/llx_accounting_account_dz.sql b/htdocs/install/mysql/data/llx_accounting_account_dz.sql index 0a80cf0f4b4..3895c1ff604 100644 --- a/htdocs/install/mysql/data/llx_accounting_account_dz.sql +++ b/htdocs/install/mysql/data/llx_accounting_account_dz.sql 
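Review bot: The two reads on the rewritten `$setuplang` line use different filters: `lang` is now read with `'alpha'`, but `selectlang` keeps the empty check type `''`, so the value still reaches `$langs->setDefaultLang($setuplang)` unfiltered when it comes from the form, and pFooter (`@@ -518` below) echoes `$setuplang` back into the page in its `if ($setuplang)` branch (the markup itself is stripped on this page). Reading both with the same filter is the consistent form: `$setuplang = GETPOST("selectlang", 'alpha', 3) ? GETPOST("selectlang", 'alpha', 3) : (GETPOST('lang', 'alpha', 1) ? GETPOST('lang', 'alpha', 1) : 'auto');`. Whether setDefaultLang() validates the code itself cannot be seen from this hunk.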
@@ -24,7 +24,7 @@ -- ID 15000 - 15811 -- ADD 1300000 to rowid # Do no remove this comment -- -INSERT IGNORE INTO llx_accounting_account (rowid, fk_pcg_version, pcg_type, account_number, account_parent, label, active) VALUES (17000,'NSCF','CAPIT','1',0,'Comptes de capitaux','1'); +INSERT IGNORE INTO llx_accounting_account (rowid, fk_pcg_version, pcg_type, account_number, account_parent, label, active) VALUES (15000,'NSCF','CAPIT','1',0,'Comptes de capitaux','1'); INSERT IGNORE INTO llx_accounting_account (rowid, fk_pcg_version, pcg_type, account_number, account_parent, label, active) VALUES (15001,'NSCF','CAPIT','10',17000,'Capital, réserves et assimilés','1'); INSERT IGNORE INTO llx_accounting_account (rowid, fk_pcg_version, pcg_type, account_number, account_parent, label, active) VALUES (15002,'NSCF','CAPIT','101',15001,'Capital émis','1'); INSERT IGNORE INTO llx_accounting_account (rowid, fk_pcg_version, pcg_type, account_number, account_parent, label, active) VALUES (15003,'NSCF','CAPIT','1011',15002,'Capital souscrit, non appelé','1'); diff --git a/htdocs/install/mysql/data/llx_c_forme_juridique.sql b/htdocs/install/mysql/data/llx_c_forme_juridique.sql index 7b02ee60ffa..b3182846723 100644 --- a/htdocs/install/mysql/data/llx_c_forme_juridique.sql +++ b/htdocs/install/mysql/data/llx_c_forme_juridique.sql @@ -8,8 +8,13 @@ -- Copyright (C) 2010-2016 Juanjo Menent -- Copyright (C) 2012 Sebastian Neuwert -- Copyright (C) 2012 Tommaso Basilici --- Copyright (C) 2012 Ricardo Schluter --- Copyright (C) 2013 Cedric GROSS +-- Copyright (C) 2012 Ricardo Schluter +-- Copyright (C) 2013 Cedric GROSS +-- Copyright (C) 2020-2021 Udo Tamm +-- + + +-- LICENSE --------------------------------------------------------------- -- -- This program is free software; you can redistribute it and/or modify -- it under the terms of the GNU General Public License as published by 
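Review bot: Renumbering the root account from rowid 17000 to 15000 leaves the next context row dangling: rowid 15001 (account `'10'`) still carries `account_parent` 17000, which no longer exists once this line is applied, so the parent chain of the plan breaks at its top. The parent needs the same renumbering: `INSERT IGNORE INTO llx_accounting_account (rowid, fk_pcg_version, pcg_type, account_number, account_parent, label, active) VALUES (15001,'NSCF','CAPIT','10',15000,'Capital, réserves et assimilés','1');`. Any other rows that reference 17000 as parent are outside the hunk and would need the same check; because the file uses `INSERT IGNORE`, an installation that already holds rowid 17000 keeps the old row silently, so a migration step may be needed as well.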
@@ -25,14 +30,24 @@ -- along with this program. If not, see . -- +-- WARNING ---------------------------------------------------------------- -- +-- EN: +-- Do not put a comment at the end of the line, this file is parsed during +-- install and all '--' symbols are removed. +-- +-- FR: -- Ne pas placer de commentaire en fin de ligne, ce fichier est parsé lors -- de l'install et tous les sigles '--' sont supprimés. -- +-- CONTENT ---------------------------------------------------------------- -- --- Formes juridiques +-- Legal Formes (en) / Formes juridiques (fr) -- +-- fk_pays = country_id +-- + delete from llx_c_forme_juridique; @@ -54,6 +69,7 @@ INSERT INTO llx_c_forme_juridique (fk_pays, code, libelle, active) VALUES (23, ' INSERT INTO llx_c_forme_juridique (fk_pays, code, libelle, active) VALUES (23, '2312', 'Sociedad Anónima con Participación Estatal Mayoritaria', 1); INSERT INTO llx_c_forme_juridique (fk_pays, code, libelle, active) VALUES (23, '2313', 'Sociedad en Comandita por Acciones (arts. 315 a 324, LSC)', 1); + -- Austria INSERT INTO llx_c_forme_juridique (fk_pays, code, libelle, active) VALUES (41, '4100', 'GmbH - Gesellschaft mit beschränkter Haftung', 1); INSERT INTO llx_c_forme_juridique (fk_pays, code, libelle, active) VALUES (41, '4101', 'GesmbH - Gesellschaft mit beschränkter Haftung', 1); 
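Review bot: The new CONTENT header has a typo: `-- Legal Formes (en) / Formes juridiques (fr)` should read `-- Legal Forms (en) / Formes juridiques (fr)`. The added `-- fk_pays = country_id` note is a helpful pointer for readers of the inserts below. The new separator lines (`-- LICENSE ----`, `-- WARNING ----`, `-- CONTENT ----`) are whole-line comments, so they should be dropped by the installer rule the WARNING itself describes, but since that rule is worded as removing '--' symbols rather than whole lines, a one-off check that the trailing dash runs leave no residue is worthwhile.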
@@ -71,6 +87,31 @@ INSERT INTO llx_c_forme_juridique (fk_pays, code, libelle, active) VALUES (41, ' INSERT INTO llx_c_forme_juridique (fk_pays, code, libelle, active) VALUES (41, '4113', 'GesnbR - Gesellschaft nach bürgerlichem Recht', 1); INSERT INTO llx_c_forme_juridique (fk_pays, code, libelle, active) VALUES (41, '4114', 'e.U. - eingetragener Einzelunternehmer', 1); + +-- Belgium +insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '200', 'Indépendant'); +insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '201', 'SRL - Société à responsabilité limitée'); +insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '202', 'SA - Société Anonyme'); +insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '203', 'SCRL - Société coopérative à responsabilité limitée'); +insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '204', 'ASBL - Association sans but Lucratif'); +insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '205', 'SCRI - Société coopérative à responsabilité illimitée'); +insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '206', 'SCS - Société en commandite simple'); +insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '207', 'SCA - Société en commandite par action'); +insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '208', 'SNC - Société en nom collectif'); +insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '209', 'GIE - Groupement d intérêt économique'); +insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '210', 'GEIE - Groupement européen d intérêt économique'); +insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '220', 'Eenmanszaak'); +insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '221', 'BVBA - Besloten vennootschap met beperkte aansprakelijkheid'); +insert into llx_c_forme_juridique (fk_pays, code, libelle) values 
(2, '222', 'NV - Naamloze Vennootschap'); +insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '223', 'CVBA - Coöperatieve vennootschap met beperkte aansprakelijkheid'); +insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '224', 'VZW - Vereniging zonder winstoogmerk'); +insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '225', 'CVOA - Coöperatieve vennootschap met onbeperkte aansprakelijkheid '); +insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '226', 'GCV - Gewone commanditaire vennootschap'); +insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '227', 'Comm.VA - Commanditaire vennootschap op aandelen'); +insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '228', 'VOF - Vennootschap onder firma'); +insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '229', 'VS0 - Vennootschap met sociaal oogmerk'); + + -- France: Extrait de http://www.insee.fr/fr/nom_def_met/nomenclatures/cj/cjniveau2.htm insert into llx_c_forme_juridique (fk_pays, code, libelle) values (1,'11','Artisan Commerçant (EI)'); insert into llx_c_forme_juridique (fk_pays, code, libelle) values (1,'12','Commerçant (EI)'); 
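Review bot: The Belgium block is moved verbatim, so two data nits travel with it: the label for code `'225'` ends with a trailing space (`'CVOA - Coöperatieve vennootschap met onbeperkte aansprakelijkheid '`), and code `'229'` reads `VS0` with a digit zero where the abbreviation of Vennootschap met sociaal oogmerk looks like it should be `VSO`. Both are one-character fixes if the block is touched again. These rows also omit the `active` column that the Austria inserts just above set explicitly, presumably relying on the table default.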
@@ -127,28 +168,6 @@ insert into llx_c_forme_juridique (fk_pays, code, libelle) values (1,'92','Assoc insert into llx_c_forme_juridique (fk_pays, code, libelle) values (1,'93','Fondation'); insert into llx_c_forme_juridique (fk_pays, code, libelle) values (1,'99','Personne morale de droit privé'); --- Belgium -insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '200', 'Indépendant'); -insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '201', 'SRL - Société à responsabilité limitée'); -insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '202', 'SA - Société Anonyme'); -insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '203', 'SCRL - Société coopérative à responsabilité limitée'); -insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '204', 'ASBL - Association sans but Lucratif'); -insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '205', 'SCRI - Société coopérative à responsabilité illimitée'); -insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '206', 'SCS - Société en commandite simple'); -insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '207', 'SCA - Société en commandite par action'); -insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '208', 'SNC - Société en nom collectif'); -insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '209', 'GIE - Groupement d intérêt économique'); -insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '210', 'GEIE - Groupement européen d intérêt économique'); -insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '220', 'Eenmanszaak'); -insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '221', 'BVBA - Besloten vennootschap met beperkte aansprakelijkheid'); -insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '222', 'NV - Naamloze Vennootschap'); -insert into llx_c_forme_juridique 
(fk_pays, code, libelle) values (2, '223', 'CVBA - Coöperatieve vennootschap met beperkte aansprakelijkheid'); -insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '224', 'VZW - Vereniging zonder winstoogmerk'); -insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '225', 'CVOA - Coöperatieve vennootschap met onbeperkte aansprakelijkheid '); -insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '226', 'GCV - Gewone commanditaire vennootschap'); -insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '227', 'Comm.VA - Commanditaire vennootschap op aandelen'); -insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '228', 'VOF - Vennootschap onder firma'); -insert into llx_c_forme_juridique (fk_pays, code, libelle) values (2, '229', 'VS0 - Vennootschap met sociaal oogmerk'); -- Germany insert into llx_c_forme_juridique (fk_pays, code, libelle) values (5, '500', 'GmbH - Gesellschaft mit beschränkter Haftung'); @@ -160,6 +179,8 @@ insert into llx_c_forme_juridique (fk_pays, code, libelle) values (5, '505', 'Gb insert into llx_c_forme_juridique (fk_pays, code, libelle) values (5, '506', 'KG - Kommanditgesellschaft'); insert into llx_c_forme_juridique (fk_pays, code, libelle) values (5, '507', 'Ltd. - Limited Company'); insert into llx_c_forme_juridique (fk_pays, code, libelle) values (5, '508', 'OHG - Offene Handelsgesellschaft'); +insert into llx_c_forme_juridique (fk_pays, code, libelle) values (5, '509', 'eG - eingetragene Genossenschaft'); + -- Denmark INSERT INTO llx_c_forme_juridique (fk_pays, code, libelle) VALUES (80, '8001', 'Aktieselvskab A/S'); diff --git a/htdocs/install/mysql/migration/13.0.0-14.0.0.sql b/htdocs/install/mysql/migration/13.0.0-14.0.0.sql index 717d4060aec..f908d57a5af 100644 --- a/htdocs/install/mysql/migration/13.0.0-14.0.0.sql +++ b/htdocs/install/mysql/migration/13.0.0-14.0.0.sql 
@@ -279,7 +279,7 @@ DELETE FROM llx_boxes_def WHERE file IN ('box_graph_ticket_by_severity', 'box_ti -- VMYSQL4.1 INSERT INTO llx_boxes_def (file, entity) SELECT 'box_graph_nb_tickets_type.php', 1 FROM DUAL WHERE NOT EXISTS (SELECT * FROM llx_boxes_def WHERE file = 'box_graph_nb_tickets_type.php' AND entity = 1); -- VMYSQL4.1 INSERT INTO llx_boxes_def (file, entity) SELECT 'box_graph_new_vs_close_ticket.php', 1 FROM DUAL WHERE NOT EXISTS (SELECT * FROM llx_boxes_def WHERE file = 'box_graph_new_vs_close_ticket.php' AND entity = 1); -create table llx_product_accountancy +create table llx_product_perentity ( rowid integer AUTO_INCREMENT PRIMARY KEY, fk_product integer, @@ -292,10 +292,10 @@ create table llx_product_accountancy accountancy_code_buy_export varchar(32) -- Buying accountancy code for vat import )ENGINE=innodb; -ALTER TABLE llx_product_accountancy ADD INDEX idx_product_accountancy_fk_product (fk_product); -ALTER TABLE llx_product_accountancy ADD UNIQUE INDEX uk_product_accountancy (fk_product, entity); +ALTER TABLE llx_product_perentity ADD INDEX idx_product_perentity_fk_product (fk_product); +ALTER TABLE llx_product_perentity ADD UNIQUE INDEX uk_product_perentity (fk_product, entity); -create table llx_societe_accountancy +create table llx_societe_perentity ( rowid integer AUTO_INCREMENT PRIMARY KEY, fk_soc integer, @@ -306,5 +306,9 @@ create table llx_societe_accountancy accountancy_code_buy varchar(32) -- Buying accountancy code )ENGINE=innodb; -ALTER TABLE llx_societe_accountancy ADD INDEX idx_societe_accountancy_fk_soc (fk_soc); -ALTER TABLE llx_societe_accountancy ADD UNIQUE INDEX uk_societe_accountancy (fk_soc, entity); +ALTER TABLE llx_societe_perentity ADD INDEX idx_societe_perentity_fk_soc (fk_soc); +ALTER TABLE llx_societe_perentity ADD UNIQUE INDEX uk_societe_perentity (fk_soc, entity); + +ALTER TABLE llx_c_ticket_category ADD COLUMN public integer DEFAULT 0; + + 
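Review bot: The rename from `llx_product_accountancy`/`llx_societe_accountancy` to the `_perentity` names is done by editing the 13.0.0-14.0.0 migration in place, which only helps databases that have not run it yet; any instance that already applied the earlier version of this script keeps the `_accountancy` tables and gets empty `_perentity` tables beside them, with nothing carrying rows across. If that can happen (pre-release test instances, for example), a guarded `RENAME TABLE` ahead of the `create table` lines would cover it; if no build ever shipped with the old names this is a non-issue. The added `ALTER TABLE llx_c_ticket_category ADD COLUMN public integer DEFAULT 0;` appends the column at the end, whereas llx_c_ticket_category.sql places it after `pos`; harmless, but worth knowing when comparing schemas.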
diff --git a/htdocs/install/mysql/tables/llx_c_ticket_category.sql b/htdocs/install/mysql/tables/llx_c_ticket_category.sql
index 58126633ce1..c42c3f029d4 100644
--- a/htdocs/install/mysql/tables/llx_c_ticket_category.sql
+++ b/htdocs/install/mysql/tables/llx_c_ticket_category.sql
@@ -20,10 +20,11 @@ create table llx_c_ticket_category
 rowid integer AUTO_INCREMENT PRIMARY KEY,
 entity integer DEFAULT 1,
 code varchar(32) NOT NULL,
- pos varchar(32) NOT NULL,
 label varchar(128) NOT NULL,
- active integer DEFAULT 1,
+ pos varchar(32) NOT NULL,
+ public integer DEFAULT 0,
 use_default integer DEFAULT 1,
+ active integer DEFAULT 1,
 fk_parent integer DEFAULT 0 NOT NULL, -- Parent group
 force_severity varchar(32) NULL, -- To force the severity if we choosed this category
 description varchar(255)
diff --git a/htdocs/install/pgsql/functions/functions.sql b/htdocs/install/pgsql/functions/functions.sql
index cd98cdfef2e..17339c1f605 100644
--- a/htdocs/install/pgsql/functions/functions.sql
+++ b/htdocs/install/pgsql/functions/functions.sql
@@ -52,6 +52,7 @@ CREATE OR REPLACE FUNCTION DAY(TIMESTAMP WITH TIME ZONE) RETURNS INTEGER AS $$ S CREATE OR REPLACE FUNCTION DAY(DATE) RETURNS INTEGER AS $$ SELECT EXTRACT(DAY FROM $1)::INTEGER; $$ LANGUAGE SQL IMMUTABLE; CREATE OR REPLACE FUNCTION dol_util_rebuild_sequences() RETURNS integer as $body$ DECLARE sequencedefs RECORD; c integer ; BEGIN FOR sequencedefs IN SELECT DISTINCT constraint_column_usage.table_name as tablename, constraint_column_usage.table_name as tablename, constraint_column_usage.column_name as columnname, replace(replace(columns.column_default,'''::regclass)',''),'nextval(''','') as sequencename from information_schema.constraint_column_usage, information_schema.columns, information_schema.sequences where constraint_column_usage.table_schema ='public' AND columns.table_schema = 'public' AND columns.table_name=constraint_column_usage.table_name AND constraint_column_usage.column_name IN ('rowid','id') AND constraint_column_usage.column_name = columns.column_name AND columns.column_default is not null AND replace(replace(columns.column_default,'''::regclass)',''),'nextval(''','')=sequence_name LOOP EXECUTE 'select max('||sequencedefs.columnname||') from ' || sequencedefs.tablename INTO c; IF c is null THEN c = 0; END IF; IF c is not null THEN c = c+ 1; END IF; EXECUTE 'alter sequence ' || sequencedefs.sequencename ||' restart with ' || c; END LOOP; RETURN 1; END; $body$ LANGUAGE plpgsql; +-- You can call the function with SELECT dol_util_rebuild_sequences(); CREATE OR REPLACE FUNCTION dol_util_triggerall(DoEnable boolean) RETURNS integer AS $BODY$ DECLARE mytables RECORD; BEGIN FOR mytables IN SELECT relname FROM pg_class WHERE relhastriggers IS TRUE AND relkind = 'r' AND NOT relname LIKE 'pg_%' LOOP IF DoEnable THEN EXECUTE 'ALTER TABLE ' || mytables.relname || ' ENABLE TRIGGER ALL'; ELSE EXECUTE 'ALTER TABLE ' || mytables.relname || ' DISABLE TRIGGER ALL'; END IF; END LOOP; RETURN 1; END; $BODY$ LANGUAGE plpgsql; 
diff --git a/htdocs/install/repair.php b/htdocs/install/repair.php index 80678abe24f..1d695f40249 100644 --- a/htdocs/install/repair.php +++ b/htdocs/install/repair.php @@ -94,6 +94,8 @@ print 'Option repair_link_dispatch_lines_supplier_order_lines, (\'test\' or \'co print 'Option set_empty_time_spent_amount (\'test\' or \'confirmed\') is '.(GETPOST('set_empty_time_spent_amount', 'alpha') ?GETPOST('set_empty_time_spent_amount', 'alpha') : 'undefined').'
'."\n"; // Structure print 'Option force_utf8_on_tables, for mysql/mariadb only (\'test\' or \'confirmed\') is '.(GETPOST('force_utf8_on_tables', 'alpha') ?GETPOST('force_utf8_on_tables', 'alpha') : 'undefined').'
'."\n"; +// Rebuild sequence +print 'Option rebuild_sequences, for postgresql only (\'test\' or \'confirmed\') is '.(GETPOST('rebuild_sequences', 'alpha') ?GETPOST('rebuild_sequences', 'alpha') : 'undefined').'
'."\n"; print '
'; print '
'; - print $form->load_tva('vatrate', (isset($_POST["vatrate"]) ? $_POST["vatrate"] : $line->vatrate), $mysoc, '', 0, 0, '', false, 1); + print $form->load_tva('vatrate', (GETPOSTISSET("vatrate") ? GETPOST("vatrate") : $line->vatrate), $mysoc, '', 0, 0, '', false, 1); print '
'.$langs->trans("Project").''; /* Fix: If a project must be linked to any companies (suppliers or not), project must be not be set as limited to customer but must be not linked to any particular thirdparty if ($societe->fournisseur==1) - $numprojet=select_projects(-1,$_POST["projectid"],'projectid'); + $numprojet=select_projects(-1, GETPOST("projectid", 'int'), 'projectid'); else - $numprojet=select_projects($societe->id,$_POST["projectid"],'projectid'); + $numprojet=select_projects($societe->id, GETPOST("projectid", 'int'), 'projectid'); */ $numprojet = $formproject->select_projects($soc->id, $projectid, 'projectid'); if ($numprojet == 0) { diff --git a/htdocs/fichinter/class/api_interventions.class.php b/htdocs/fichinter/class/api_interventions.class.php index a5ba127a54d..17aa2b3db53 100644 --- a/htdocs/fichinter/class/api_interventions.class.php +++ b/htdocs/fichinter/class/api_interventions.class.php @@ -136,14 +136,14 @@ class Interventions extends DolibarrApi $sql .= " AND t.fk_soc = sc.fk_soc"; } if ($socids) { - $sql .= " AND t.fk_soc IN (".$socids.")"; + $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")"; } if ($search_sale > 0) { $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale } // Insert sale filter if ($search_sale > 0) { - $sql .= " AND sc.fk_user = ".$search_sale; + $sql .= " AND sc.fk_user = ".((int) $search_sale); } // Add sql filters if ($sqlfilters) { diff --git a/htdocs/fourn/card.php b/htdocs/fourn/card.php index 6db5ba5cad3..3d67f025d6a 100644 --- a/htdocs/fourn/card.php +++ b/htdocs/fourn/card.php 
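Review bot: `GETPOST("vatrate")` in the rewritten load_tva() call has no check type, although a VAT rate is a short alphanumeric value; `GETPOST("vatrate", 'alpha')` would match the filtered reads elsewhere in this commit. The two `select_projects(..., GETPOST("projectid", 'int'), ...)` edits sit inside a `/* ... */` block that the live code (`$formproject->select_projects(...)`) has already replaced, so this is maintenance of dead code — deleting the commented block is the cleaner fix. On this page the hunk's header (`htdocs/fichinter/card.php @@ -875`) is displaced to the top of the chunk, and the enclosing form code starts and ends outside the hunk.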
@@ -654,7 +654,7 @@ if ($object->id > 0) { $sql2 .= " AND c.fk_statut IN (".$db->sanitize(CommandeFournisseur::STATUS_RECEIVED_COMPLETELY).")"; // Must match filter in htdocs/fourn/commande/list.php } else { // CommandeFournisseur::STATUS_ORDERSENT.", ".CommandeFournisseur::STATUS_RECEIVED_PARTIALLY.", ".CommandeFournisseur::STATUS_RECEIVED_COMPLETELY - $sql2 .= " AND c.fk_statut IN (".$db->sanitize($db->escape($conf->global->SUPPLIER_ORDER_TO_INVOICE_STATUS)).")"; + $sql2 .= " AND c.fk_statut IN (".$db->sanitize($conf->global->SUPPLIER_ORDER_TO_INVOICE_STATUS).")"; } $sql2 .= " AND c.billed = 0"; // Find order that are not already invoiced diff --git a/htdocs/fourn/class/api_supplier_invoices.class.php b/htdocs/fourn/class/api_supplier_invoices.class.php index 953092120e4..5e977473146 100644 --- a/htdocs/fourn/class/api_supplier_invoices.class.php +++ b/htdocs/fourn/class/api_supplier_invoices.class.php @@ -130,7 +130,7 @@ class SupplierInvoices extends DolibarrApi $sql .= " AND t.fk_soc = sc.fk_soc"; } if ($socids) { - $sql .= " AND t.fk_soc IN (".$socids.")"; + $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")"; } if ($search_sale > 0) { $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale diff --git a/htdocs/fourn/class/api_supplier_orders.class.php b/htdocs/fourn/class/api_supplier_orders.class.php index d75abb17e90..8076900b100 100644 --- a/htdocs/fourn/class/api_supplier_orders.class.php +++ b/htdocs/fourn/class/api_supplier_orders.class.php 
@@ -131,10 +131,10 @@ class SupplierOrders extends DolibarrApi $sql .= " AND t.fk_soc = sc.fk_soc"; } if (!empty($product_ids)) { - $sql .= " AND cd.fk_commande = t.rowid AND cd.fk_product IN (".$product_ids.")"; + $sql .= " AND cd.fk_commande = t.rowid AND cd.fk_product IN (".$this->db->sanitize($product_ids).")"; } if ($socids) { - $sql .= " AND t.fk_soc IN (".$socids.")"; + $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")"; } if ($search_sale > 0) { $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale diff --git a/htdocs/fourn/class/fournisseur.facture.class.php b/htdocs/fourn/class/fournisseur.facture.class.php index dccb3901069..e7a7766e3be 100644 --- a/htdocs/fourn/class/fournisseur.facture.class.php +++ b/htdocs/fourn/class/fournisseur.facture.class.php @@ -1196,7 +1196,7 @@ class FactureFournisseur extends CommonInvoice if (count($list_rowid_det)) { $sql = 'UPDATE '.MAIN_DB_PREFIX.'societe_remise_except'; $sql .= ' SET fk_invoice_supplier = NULL, fk_invoice_supplier_line = NULL'; - $sql .= ' WHERE fk_invoice_supplier_line IN ('.join(',', $list_rowid_det).')'; + $sql .= ' WHERE fk_invoice_supplier_line IN ('.$this->db->sanitize(join(',', $list_rowid_det)).')'; dol_syslog(get_class($this)."::delete", LOG_DEBUG); if (!$this->db->query($sql)) { diff --git a/htdocs/fourn/class/paiementfourn.class.php b/htdocs/fourn/class/paiementfourn.class.php index 41c780f70c8..b64cd32e4d6 100644 --- a/htdocs/fourn/class/paiementfourn.class.php +++ b/htdocs/fourn/class/paiementfourn.class.php 
@@ -529,9 +529,10 @@ class PaiementFourn extends Paiement * @param string $option Sur quoi pointe le lien * @param string $mode 'withlistofinvoices'=Include list of invoices into tooltip * @param int $notooltip 1=Disable tooltip + * @param string $morecss Add more CSS * @return string Chaine avec URL */ - public function getNomUrl($withpicto = 0, $option = '', $mode = 'withlistofinvoices', $notooltip = 0) + public function getNomUrl($withpicto = 0, $option = '', $mode = 'withlistofinvoices', $notooltip = 0, $morecss = '') { global $langs; @@ -547,13 +548,26 @@ class PaiementFourn extends Paiement $text = $langs->trans($reg[1]); } - $label = ''.$langs->trans("Payment").'
'; + $label = img_picto('', $this->picto).' '.$langs->trans("Payment").'
'; $label .= ''.$langs->trans("Ref").': '.$text; if ($this->datepaye ? $this->datepaye : $this->date) { - $label .= '
'.$langs->trans("Date").': '.dol_print_date($this->datepaye ? $this->datepaye : $this->date, 'dayhour'); + $label .= '
'.$langs->trans("Date").': '.dol_print_date($this->datepaye ? $this->datepaye : $this->date, 'dayhour', 'tzuser'); } - $linkstart = ''; + $linkclose = ''; + if (empty($notooltip)) { + if (!empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER)) { + $label = $langs->trans("Payment"); + $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + } + $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"'; + } else { + $linkclose = ($morecss ? ' class="'.$morecss.'"' : ''); + } + + $linkstart = ''; $linkend = ''; $result .= $linkstart; diff --git a/htdocs/fourn/commande/card.php b/htdocs/fourn/commande/card.php index fe854c72d48..6def24cf64b 100644 --- a/htdocs/fourn/commande/card.php +++ b/htdocs/fourn/commande/card.php @@ -1883,7 +1883,7 @@ if ($action == 'create') { // Confirmation de l'envoi de la commande if ($action == 'commande') { $date_com = dol_mktime(GETPOST('rehour'), GETPOST('remin'), GETPOST('resec'), GETPOST("remonth"), GETPOST("reday"), GETPOST("reyear")); - $formconfirm = $form->formconfirm($_SERVER['PHP_SELF']."?id=".$object->id."&datecommande=".$date_com."&methode=".$_POST["methodecommande"]."&comment=".urlencode($_POST["comment"]), $langs->trans("MakeOrder"), $langs->trans("ConfirmMakeOrder", dol_print_date($date_com, 'day')), "confirm_commande", '', 0, 2); + $formconfirm = $form->formconfirm($_SERVER['PHP_SELF']."?id=".$object->id."&datecommande=".$date_com."&methode=".GETPOST("methodecommande")."&comment=".urlencode(GETPOST("comment")), $langs->trans("MakeOrder"), $langs->trans("ConfirmMakeOrder", dol_print_date($date_com, 'day')), "confirm_commande", '', 0, 2); } // Confirmation to delete line diff --git a/htdocs/fourn/commande/dispatch.php b/htdocs/fourn/commande/dispatch.php index 0d48c7d30dd..0402fa7a99b 100644 --- a/htdocs/fourn/commande/dispatch.php +++ b/htdocs/fourn/commande/dispatch.php 
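Review bot: The new tooltip branch reads `$conf->global->MAIN_OPTIMIZEFORTEXTBROWSER`, but the only import visible at the top of getNomUrl (`@@ -529` above) is `global $langs;`; unless `$conf` is pulled in between the two hunks, `!empty($conf->global->...)` silently evaluates to false on an undefined variable and the text-browser mode is never honoured. The fix is `global $conf, $langs;` on the existing global line. Separately, `$morecss` is concatenated into the `class` attribute unescaped while `$label` goes through `dol_escape_htmltag()`; it is a caller-supplied constant in practice, but treating it the same way keeps the method consistent. The method's body continues outside the hunk.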
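Review bot: On the rewritten formconfirm URL, `methode=` is built from `GETPOST("methodecommande")` with no check type and no urlencode, while `comment` right next to it is urlencoded; the value lands in a link that formconfirm renders. Since the order method is an id, read it as an int: `"&methode=".GETPOST("methodecommande", 'int')`. The `if ($action == 'commande')` block is fully inside the hunk.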
@@ -1046,7 +1046,7 @@ if ($id > 0 || !empty($ref)) { if (empty($conf->reception->enabled)) { print $langs->trans("Comment").' : '; print 'trans("DispatchSupplierOrder", $object->ref); + print GETPOSTISSET("comment") ? GETPOST("comment") : $langs->trans("DispatchSupplierOrder", $object->ref); // print ' / '.$object->ref_supplier; // Not yet available print '" class="flat">
'; diff --git a/htdocs/fourn/facture/card.php b/htdocs/fourn/facture/card.php index d22006a52d0..0312c851de3 100644 --- a/htdocs/fourn/facture/card.php +++ b/htdocs/fourn/facture/card.php @@ -417,13 +417,11 @@ if (empty($reshook)) { dol_print_error($db, $object->error); } } elseif ($action == "setabsolutediscount" && $usercancreate) { - // POST[remise_id] or POST[remise_id_for_payment] - // We use the credit to reduce amount of invoice - if (!empty($_POST["remise_id"])) { + if (GETPOST("remise_id", "int")) { $ret = $object->fetch($id); if ($ret > 0) { - $result = $object->insert_discount($_POST["remise_id"]); + $result = $object->insert_discount(GETPOST("remise_id", "int")); if ($result < 0) { setEventMessages($object->error, $object->errors, 'errors'); } @@ -432,10 +430,10 @@ if (empty($reshook)) { } } // We use the credit to reduce remain to pay - if (!empty($_POST["remise_id_for_payment"])) { + if (GETPOST("remise_id_for_payment", "int")) { require_once DOL_DOCUMENT_ROOT.'/core/class/discount.class.php'; $discount = new DiscountAbsolute($db); - $discount->fetch($_POST["remise_id_for_payment"]); + $discount->fetch(GETPOST("remise_id_for_payment", "int")); //var_dump($object->getRemainToPay(0)); //var_dump($discount->amount_ttc);exit; 
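Review bot: `GETPOST("comment")` is printed straight into the `value="` attribute of the comment input (the closing `" class="flat">` is on the next context line) without `dol_escape_htmltag()` and without a check type; the removed line had the same shape, so the commit keeps rather than introduces it. For an attribute context the safe form is `print GETPOSTISSET("comment") ? dol_escape_htmltag(GETPOST("comment", 'alphanohtml')) : $langs->trans("DispatchSupplierOrder", $object->ref);`. The enclosing `if (empty($conf->reception->enabled))` block starts inside the hunk but its end is outside.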
@@ -1082,14 +1080,14 @@ if (empty($reshook)) { $prod = new Product($db); $prod->fetch(GETPOST('productid')); $label = $prod->description; - if (trim($_POST['product_desc']) != trim($label)) { - $label = $_POST['product_desc']; + if (trim(GETPOST('product_desc', 'restricthtml')) != trim($label)) { + $label = GETPOST('product_desc', 'restricthtml'); } $type = $prod->type; } else { - $label = $_POST['product_desc']; - $type = $_POST["type"] ? $_POST["type"] : 0; + $label = GETPOST('product_desc', 'restricthtml'); + $type = GETPOST("type") ? GETPOST("type") : 0; } $date_start = dol_mktime(GETPOST('date_starthour'), GETPOST('date_startmin'), GETPOST('date_startsec'), GETPOST('date_startmonth'), GETPOST('date_startday'), GETPOST('date_startyear')); diff --git a/htdocs/fourn/facture/impayees.php b/htdocs/fourn/facture/impayees.php deleted file mode 100644 index 7019b90b868..00000000000 --- a/htdocs/fourn/facture/impayees.php +++ /dev/null 
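Review bot: The explanatory comment `// We use the credit to reduce amount of invoice` was removed together with the obsolete `// POST[remise_id] or POST[remise_id_for_payment]` line, leaving the `remise_id` branch undocumented while its sibling keeps `// We use the credit to reduce remain to pay`; restore it above `if (GETPOST("remise_id", "int")) {`. As a style nit, `"int"` in double quotes departs from the single-quoted check types (`'int'`) used everywhere else in this commit. The `elseif ($action == "setabsolutediscount" && $usercancreate)` branch continues outside the hunk.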
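Review bot: `$type` is still read with no check type on `$type = GETPOST("type") ? GETPOST("type") : 0;` although it is the counterpart of `$prod->type` and so numeric; `$type = GETPOST("type", 'int');` should give the same 0 default and drops the double read. The `product_desc` reads now use `'restricthtml'`, which is the right filter for a description that may carry markup. The enclosing line-add branch starts and ends outside the hunk.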
@@ -1,327 +0,0 @@ - - * Copyright (C) 2004 Eric Seigne - * Copyright (C) 2004-2012 Laurent Destailleur - * Copyright (C) 2005-2012 Regis Houssin - * Copyright (C) 2012 Vinicius Nogueira - * Copyright (C) 2012 Juanjo Menent - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -/** - * \file htdocs/fourn/facture/impayees.php - * \ingroup facture - * \brief Page to list all unpaid invoices - */ - -require '../../main.inc.php'; -require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.class.php'; -require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.facture.class.php'; -require_once DOL_DOCUMENT_ROOT.'/compta/paiement/class/paiement.class.php'; - -if (!$user->rights->fournisseur->facture->lire) { - accessforbidden(); -} - -$langs->loadLangs(array("companies", "bills")); - -$socid = GETPOST('socid', 'int'); -$option = GETPOST('option'); - -// Security check -if ($user->socid > 0) { - $action = ''; - $socid = $user->socid; -} - -$sortfield = GETPOST("sortfield", 'alpha'); -$sortorder = GETPOST("sortorder", 'alpha'); - -$search_ref = GETPOST('search_ref', 'alpha'); -$search_ref_supplier = GETPOST('search_ref_supplier', 'alpha'); -$search_company = GETPOST('search_company', 'alpha'); -$search_amount_no_tax = GETPOST('search_amount_no_tax', 'alpha'); -$search_amount_all_tax = GETPOST('search_amount_all_tax', 'alpha'); - -$limit = GETPOST('limit', 'int') ? 
GETPOST('limit', 'int') : $conf->liste_limit; -$page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); -if (empty($page) || $page == -1) { - $page = 0; -} // If $page is not defined, or '' or -1 -$offset = $limit * $page; -$pageprev = $page - 1; -$pagenext = $page + 1; -if (!$sortfield) { - $sortfield = "f.date_lim_reglement"; -} -if (!$sortorder) { - $sortorder = "ASC"; -} - -if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter', 'alpha')) { // Both test are required to be compatible with all browsers - $search_ref = ""; - $search_ref_supplier = ""; - $search_company = ""; - $search_amount_no_tax = ""; - $search_amount_all_tax = ""; -} - -/* - * View - */ - -$now = dol_now(); - -llxHeader('', $langs->trans("BillsSuppliersUnpaid")); - -$title = $langs->trans("BillsSuppliersUnpaid"); - -$facturestatic = new FactureFournisseur($db); -$companystatic = new Societe($db); - -if ($user->rights->fournisseur->facture->lire) { - $sql = "SELECT s.rowid as socid, s.nom as name,"; - $sql .= " f.rowid, f.ref, f.ref_supplier, f.total_ht, f.total_ttc,"; - $sql .= " f.datef as df, f.date_lim_reglement as datelimite, "; - $sql .= " f.paye as paye, f.rowid as facid, f.fk_statut"; - $sql .= " ,sum(pf.amount) as am"; - if (!$user->rights->societe->client->voir && !$socid) { - $sql .= ", sc.fk_soc, sc.fk_user "; - } - $sql .= " FROM ".MAIN_DB_PREFIX."societe as s"; - if (!$user->rights->societe->client->voir && !$socid) { - $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - } - $sql .= ",".MAIN_DB_PREFIX."facture_fourn as f"; - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."paiementfourn_facturefourn as pf ON f.rowid=pf.fk_facturefourn "; - $sql .= " WHERE f.entity = ".$conf->entity; - $sql .= " AND f.fk_soc = s.rowid"; - $sql .= " AND f.paye = 0 AND f.fk_statut = 1"; - if ($option == 'late') { - $sql .= " AND f.date_lim_reglement < '".$db->idate(dol_now() - $conf->facture->fournisseur->warning_delay)."'"; - } - if 
(!$user->rights->societe->client->voir && !$socid) { - $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; - } - if ($socid) { - $sql .= " AND s.rowid = ".$socid; - } - - if (GETPOST('filtre')) { - $filtrearr = explode(",", GETPOST('filtre')); - foreach ($filtrearr as $fil) { - $filt = explode(":", $fil); - $sql .= " AND ".$filt[0]." = ".$filt[1]; - } - } - - if ($search_ref) { - $sql .= " AND f.ref LIKE '%".$db->escape($search_ref)."%'"; - } - if ($search_ref_supplier) { - $sql .= " AND f.ref_supplier LIKE '%".$db->escape($search_ref_supplier)."%'"; - } - - if ($search_company) { - $sql .= " AND s.nom LIKE '%".$db->escape($search_company)."%'"; - } - - if ($search_amount_no_tax) { - $sql .= " AND f.total_ht = '".$db->escape($search_amount_no_tax)."'"; - } - - if ($search_amount_all_tax) { - $sql .= " AND f.total_ttc = '".$db->escape($search_amount_all_tax)."'"; - } - - if (dol_strlen(GETPOST('sf_re')) > 0) { - $sql .= " AND f.ref_supplier LIKE '%".$db->escape(GETPOST('sf_re'))."%'"; - } - - $sql .= " GROUP BY s.rowid, s.nom, f.rowid, f.ref, f.ref_supplier, f.total_ht, f.total_ttc, f.datef, f.date_lim_reglement, f.paye, f.fk_statut"; - if (!$user->rights->societe->client->voir && !$socid) { - $sql .= ", sc.fk_soc, sc.fk_user "; - } - $sql .= $db->order($sortfield, $sortorder); - if (!in_array("f.ref_supplier", explode(',', $sortfield))) { - $sql .= ", f.ref_supplier DESC"; - } - - $resql = $db->query($sql); - if ($resql) { - $num = $db->num_rows($resql); - - if ($socid) { - $soc = new Societe($db); - $soc->fetch($socid); - } - - $param = ''; - if ($socid) { - $param .= "&socid=".$socid; - } - - if ($search_ref) { - $param .= '&search_ref='.urlencode($search_ref); - } - if ($search_ref_supplier) { - $param .= '&search_ref_supplier='.urlencode($search_ref_supplier); - } - if ($search_company) { - $param .= '&search_company='.urlencode($search_company); - } - if ($search_amount_no_tax) { - $param .= 
'&search_amount_no_tax='.urlencode($search_amount_no_tax); - } - if ($search_amount_all_tax) { - $param .= '&search_amount_all_tax='.urlencode($search_amount_all_tax); - } - - $param .= ($option ? "&option=".$option : ""); - if (!empty($late)) { - $param .= '&late='.urlencode($late); - } - $urlsource = str_replace('&', '&', $param); - - $titre = ($socid ? $langs->trans("BillsSuppliersUnpaidForCompany", $soc->name) : $langs->trans("BillsSuppliersUnpaid")); - - if ($option == 'late') { - $titre .= ' ('.$langs->trans("Late").')'; - } else { - $titre .= ' ('.$langs->trans("All").')'; - } - - $link = ''; - if (empty($option)) { - $link = ''.$langs->trans("ShowUnpaidLateOnly").''; - } elseif ($option == 'late') { - $link = ''.$langs->trans("ShowUnpaidAll").''; - } - print load_fiche_titre($titre, $link); - - print_barre_liste('', '', $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, '', 0); // We don't want pagination on this page - $i = 0; - print ''; - - print ''; - print ''; - print_liste_field_titre("Ref", $_SERVER["PHP_SELF"], "f.rowid", "", $param, "", $sortfield, $sortorder); - print_liste_field_titre("RefSupplier", $_SERVER["PHP_SELF"], "f.ref_supplier", "", $param, "", $sortfield, $sortorder); - print_liste_field_titre("Date", $_SERVER["PHP_SELF"], "f.datef", "", $param, '', $sortfield, $sortorder, 'center '); - print_liste_field_titre("DateDue", $_SERVER["PHP_SELF"], "f.date_lim_reglement", "", $param, '', $sortfield, $sortorder, 'center '); - print_liste_field_titre("Company", $_SERVER["PHP_SELF"], "s.nom", "", $param, "", $sortfield, $sortorder); - print_liste_field_titre("AmountHT", $_SERVER["PHP_SELF"], "f.total_ht", "", $param, '', $sortfield, $sortorder, 'right '); - print_liste_field_titre("AmountTTC", $_SERVER["PHP_SELF"], "f.total_ttc", "", $param, '', $sortfield, $sortorder, 'right '); - print_liste_field_titre("AlreadyPaid", $_SERVER["PHP_SELF"], "am", "", $param, '', $sortfield, $sortorder, 'right '); - print_liste_field_titre("Status", 
$_SERVER["PHP_SELF"], "fk_statut,paye,am", "", $param, '', $sortfield, $sortorder, 'right '); - print "\n"; - - // Lines with filter fields - print ''; - print ''; - print ''; - print ''; - print ''; - print ''; - print ''; - print "\n"; - - if ($num > 0) { - $total_ht = 0; - $total_ttc = 0; - $total_paid = 0; - - while ($i < $num) { - $objp = $db->fetch_object($resql); - - $facturestatic->statut = $objp->fk_statut; - $facturestatic->date_echeance = $db->jdate($objp->datelimite); - - - - print ''; - $classname = "impayee"; - - print '\n"; - - print ''; - - print '\n"; - print '\n"; - - print ''; - - print ""; - print ""; - print ""; - - // Show invoice status - print ''; - - print "\n"; - $total_ht += $objp->total_ht; - $total_ttc += $objp->total_ttc; - $total_paid += $objp->am; - - $i++; - } - - print ''; - print ""; - print ""; - print ""; - print ""; - print ''; - print "\n"; - } - - print "
'; - print ''; - print '  '; - print ''; - print ''; - print ''; - print ''; - print ''; - print ''; - $searchpicto = $form->showFilterAndCheckAddButtons(0); - print $searchpicto; - print '
'; - $facturestatic->id = $objp->facid; - $facturestatic->ref = $objp->ref; - print $facturestatic->getNomUrl(1); - print "'.dol_trunc($objp->ref_supplier, 12).''.dol_print_date($db->jdate($objp->df), 'day')."'.dol_print_date($db->jdate($objp->datelimite), 'day'); - if ($facturestatic->hasDelay()) { - print img_warning($langs->trans("Late")); - } - print "'; - $companystatic->id = $objp->socid; - $companystatic->name = $objp->name; - print $companystatic->getNomUrl(1, 'supplier', 32); - print '".price($objp->total_ht)."".price($objp->total_ttc)."".price($objp->am)."'; - print $facturestatic->LibStatut($objp->paye, $objp->fk_statut, 5, $objp->am); - print '
".$langs->trans("Total").": ".price($total_ht)."".price($total_ttc)."".price($total_paid)." 
"; - - print ''; - - $db->free($resql); - } else { - dol_print_error($db); - } -} - -// End of page -llxFooter(); -$db->close();
diff --git a/htdocs/fourn/facture/list.php b/htdocs/fourn/facture/list.php
index 7c6ed0c5e16..50fdfef6e47 100644
--- a/htdocs/fourn/facture/list.php
+++ b/htdocs/fourn/facture/list.php
@@ -475,14 +475,14 @@ $sql .= " state.code_departement as state_code, state.nom as state_name,";
 $sql .= " country.code as country_code,";
 $sql .= " p.rowid as project_id, p.ref as project_ref, p.title as project_label,";
 $sql .= " u.login";
+if ($search_categ_sup && $search_categ_sup != '-1') {
+ $sql .= ", cs.fk_categorie, cs.fk_soc";
+}
 // We need dynamount_payed to be able to sort on status (value is surely wrong because we can count several lines several times due to other left join or link with contacts. But what we need is just 0 or > 0)
 // TODO Better solution to be able to sort on already payed or remain to pay is to store amount_payed in a denormalized field.
 if (!$search_all) {
 $sql .= ', SUM(pf.amount) as dynamount_payed';
 }
-if ($search_categ_sup) {
- $sql .= ", cs.fk_categorie, cs.fk_soc";
-}
 // Add fields from extrafields
 if (!empty($extrafields->attributes[$object->table_element]['label'])) {
 foreach ($extrafields->attributes[$object->table_element]['label'] as $key => $val) {
@@ -580,10 +580,10 @@ if ($search_state) {
 $sql .= natural_search("state.nom", $search_state);
 }
 if ($search_country) {
- $sql .= " AND s.fk_pays IN (".$search_country.')';
+ $sql .= " AND s.fk_pays IN (".$db->sanitize($search_country).')';
 }
 if ($search_type_thirdparty != '' && $search_type_thirdparty >= 0) {
- $sql .= " AND s.fk_typent IN (".$search_type_thirdparty.')';
+ $sql .= " AND s.fk_typent IN (".$db->sanitize($search_type_thirdparty).')';
 }
 if ($search_montant_ht != '') {
 $sql .= natural_search('f.total_ht', $search_montant_ht, 1);
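Review bot: The new condition `$search_categ_sup && $search_categ_sup != '-1'` is written out here for the SELECT list and again, verbatim, in the GROUP BY hunk at -677 (this note covers both); presumably the join and WHERE clause that make `cs.fk_categorie` resolvable use the same test elsewhere in the file, and all of them must agree or the query fails with an unknown column. Compute it once near the top of the SQL build, e.g. `$filter_on_supplier_categ = ($search_categ_sup && $search_categ_sup != '-1');`, and test that variable in each place so a later change cannot drift. A short comment on why `-1` is excluded (presumably the "all categories" entry of the selector — confirm against the form) would save the next reader a trip to the form code.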
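Review bot: `$db->sanitize()` on the two `IN (...)` lists is better than the raw interpolation it replaces, but the values are still spliced into SQL as text and this page does not show which characters `sanitize()` keeps; if it only strips, an input reduced to nothing yields `IN ()` and a non-numeric token yields a syntax or unknown-column error instead of an empty result. Since `fk_pays` and `fk_typent` are integer keys, casting each item is the stricter form and makes the guard self-evident: `$sql .= " AND s.fk_pays IN (".implode(',', array_map('intval', explode(',', $search_country))).')';` and the same for `$search_type_thirdparty`. The existing `$search_type_thirdparty >= 0` test compares what may be a comma-separated string with an int; if a multi-select is intended, a comment saying so would stop someone "fixing" it later.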
@@ -677,6 +677,9 @@ if (!$search_all) {
 $sql .= ' country.code,';
 $sql .= " p.rowid, p.ref, p.title,";
 $sql .= " u.login";
+ if ($search_categ_sup && $search_categ_sup != '-1') {
+ $sql .= ", cs.fk_categorie, cs.fk_soc";
+ }
 if (!empty($extrafields->attributes[$object->table_element]['label'])) {
 foreach ($extrafields->attributes[$object->table_element]['label'] as $key => $val) {
 //prevent error with sql_mode=only_full_group_by
diff --git a/htdocs/ftp/admin/ftpclient.php b/htdocs/ftp/admin/ftpclient.php
index ab673e45447..5094f178cea 100644
--- a/htdocs/ftp/admin/ftpclient.php
+++ b/htdocs/ftp/admin/ftpclient.php
@@ -58,8 +58,8 @@ if ($result) {
 }
 if ($action == 'add' || GETPOST('modify', 'alpha')) {
- $ftp_name = "FTP_NAME_".$entry; // $_POST["numero_entry"];
- $ftp_server = "FTP_SERVER_".$entry; //$_POST["numero_entry"];
+ $ftp_name = "FTP_NAME_".$entry;
+ $ftp_server = "FTP_SERVER_".$entry;
 $error = 0;
@@ -203,7 +203,7 @@ if (!function_exists('ftp_connect')) {
 print '
'.$langs->trans("FTPPassiveMode").''.$form->selectyesno('FTP_PASSIVE_'.($lastftpentry + 1), $defaultpassive, 2).'
'; @@ -172,7 +174,8 @@ $oneoptionset = 0; $oneoptionset = (GETPOST('standard', 'alpha') || GETPOST('restore_thirdparties_logos', 'alpha') || GETPOST('clean_linked_elements', 'alpha') || GETPOST('clean_menus', 'alpha') || GETPOST('clean_orphelin_dir', 'alpha') || GETPOST('clean_product_stock_batch', 'alpha') || GETPOST('set_empty_time_spent_amount', 'alpha') || GETPOST('rebuild_product_thumbs', 'alpha') || GETPOST('clean_perm_table', 'alpha') - || GETPOST('force_disable_of_modules_not_found', 'alpha') || GETPOST('force_utf8_on_tables', 'alpha')); + || GETPOST('force_disable_of_modules_not_found', 'alpha') || GETPOST('force_utf8_on_tables', 'alpha') + || GETPOST('rebuild_sequences', 'alpha')); if ($ok && $oneoptionset) { // Show wait message @@ -1175,7 +1178,7 @@ if ($ok && GETPOST('clean_perm_table', 'alpha')) { foreach ($conf->modules as $key => $val) { $listofmods .= ($listofmods ? ',' : '')."'".$val."'"; } - $sql = 'SELECT id, libelle as label, module from '.MAIN_DB_PREFIX.'rights_def WHERE module not in ('.$listofmods.') AND id > 100000'; + $sql = 'SELECT id, libelle as label, module from '.MAIN_DB_PREFIX.'rights_def WHERE module NOT IN ('.$db->sanitize($listofmods).') AND id > 100000'; $resql = $db->query($sql); if ($resql) { $num = $db->num_rows($resql); @@ -1253,6 +1256,25 @@ if ($ok && GETPOST('force_utf8_on_tables', 'alpha')) { } } + +// rebuild sequences for pgsql +if ($ok && GETPOST('rebuild_sequences', 'alpha')) { + print ''; + + if ($db->type == "pgsql") { + $rebuild_sequence = GETPOST('rebuild_sequences', 'alpha'); + + if ($rebuild_sequence == 'confirmed') { + $sql = "SELECT dol_util_rebuild_sequences();"; + print ''; + $resql = $db->query($sql); + } + } else { + print ''; + } +} + + // if ($ok && GETPOST('repair_link_dispatch_lines_supplier_order_lines')) { /* diff --git a/htdocs/install/step1.php b/htdocs/install/step1.php index e841a352b40..86e970f8194 100644 --- a/htdocs/install/step1.php +++ b/htdocs/install/step1.php 
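Review bot: `$listofmods` is built in the context lines just above from `"'".$val."'"`, i.e. a comma-separated list of single-quoted names, so the new `NOT IN ('.$db->sanitize($listofmods).')` is only valid SQL if `sanitize()` preserves the quotes — which I cannot verify from this page, and the name suggests a character whitelist that may drop them, leaving `NOT IN (name1,name2)` (an unknown-column error, or a query that silently matches nothing, so no orphan permissions are cleaned). Escaping each element where the list is built keeps the quoting explicit and removes the question: `$listofmods .= ($listofmods ? ',' : '')."'".$db->escape($val)."'";` with the query then interpolating `$listofmods` as before. The enclosing `if ($ok && GETPOST('clean_perm_table', 'alpha'))` block begins before the hunk, and this file's diff header is not visible in this chunk.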
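Review bot: In the new `rebuild_sequences` block `$resql = $db->query($sql);` for `SELECT dol_util_rebuild_sequences();` is assigned but never inspected, so if the stored function is missing or fails the admin only sees the message printed before the call; add `if (!$resql) { dol_print_error($db); }` right after it (`dol_print_error($db)` is the reporting helper other pages in this diff use). A one-line comment stating where `dol_util_rebuild_sequences()` is expected to be created (presumably the PostgreSQL install or migration scripts — not visible here) would tell a reader why the call can be assumed to exist. The `$db->type == "pgsql"` guard and the `else` message are fine; the two blank lines added before the commented-out block are a formatting nit.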
@@ -231,7 +231,6 @@ if (!$error) {
 $databasefortest = 'master';
 }
 }
- //print $_POST["db_type"].",".$_POST["db_host"].",$userroot,$passroot,$databasefortest,".$_POST["db_port"];
 $db = getDoliDBInstance($db_type, $db_host, $userroot, $passroot, $databasefortest, $db_port);
diff --git a/htdocs/langs/en_US/banks.lang b/htdocs/langs/en_US/banks.lang
index f0f5dfd0a8e..8e2d828c12a 100644
--- a/htdocs/langs/en_US/banks.lang
+++ b/htdocs/langs/en_US/banks.lang
@@ -174,7 +174,7 @@ YourSEPAMandate=Your SEPA mandate
 FindYourSEPAMandate=This is your SEPA mandate to authorize our company to make direct debit order to your bank. Return it signed (scan of the signed document) or send it by mail to
 AutoReportLastAccountStatement=Automatically fill the field 'number of bank statement' with last statement number when making reconciliation
 CashControl=POS cash desk control
-NewCashFence=New cash desk closing
+NewCashFence=New cash desk opening or closing
 BankColorizeMovement=Colorize movements
 BankColorizeMovementDesc=If this function is enable, you can choose specific background color for debit or credit movements
 BankColorizeMovementName1=Background color for debit movement
diff --git a/htdocs/langs/en_US/bills.lang b/htdocs/langs/en_US/bills.lang
index a1e04809a36..11b6f5bf1fe 100644
--- a/htdocs/langs/en_US/bills.lang
+++ b/htdocs/langs/en_US/bills.lang
@@ -52,11 +52,12 @@ Invoices=Invoices
 InvoiceLine=Invoice line
 InvoiceCustomer=Customer invoice
 CustomerInvoice=Customer invoice
-CustomersInvoices=Customers invoices
+CustomersInvoices=Customer invoices
 SupplierInvoice=Vendor invoice
-SuppliersInvoices=Vendors invoices
+SuppliersInvoices=Vendor invoices
+SupplierInvoiceLines=Vendor invoice lines
 SupplierBill=Vendor invoice
-SupplierBills=suppliers invoices
+SupplierBills=Vendor invoices
 Payment=Payment
 PaymentBack=Refund
 CustomerInvoicePaymentBack=Refund
diff --git a/htdocs/langs/en_US/companies.lang b/htdocs/langs/en_US/companies.lang
index 42180dde04f..93e1f560f5e 100644
--- a/htdocs/langs/en_US/companies.lang +++ b/htdocs/langs/en_US/companies.lang @@ -43,9 +43,10 @@ Individual=Private individual ToCreateContactWithSameName=Will automatically create a contact/address with same information as the third party under the third party. In most cases, even if your third party is a physical person, creating a third party alone is enough. ParentCompany=Parent company Subsidiaries=Subsidiaries -ReportByMonth=Report by month -ReportByCustomers=Report by customer -ReportByQuarter=Report by rate +ReportByMonth=Report per month +ReportByCustomers=Report per customer +ReportByThirdparties=Report per thirdparty +ReportByQuarter=Report per rate CivilityCode=Civility code RegisteredOffice=Registered office Lastname=Last name diff --git a/htdocs/langs/en_US/compta.lang b/htdocs/langs/en_US/compta.lang index 3f892e3b29c..d42d8845aeb 100644 --- a/htdocs/langs/en_US/compta.lang +++ b/htdocs/langs/en_US/compta.lang @@ -86,7 +86,7 @@ PaymentCustomerInvoice=Customer invoice payment PaymentSupplierInvoice=vendor invoice payment PaymentSocialContribution=Social/fiscal tax payment PaymentVat=VAT payment -AutomaticCreationPayment=Automatically record the payment of the salary +AutomaticCreationPayment=Automatically record the payment ListPayment=List of payments ListOfCustomerPayments=List of customer payments ListOfSupplierPayments=List of vendor payments diff --git a/htdocs/langs/en_US/eventorganization.lang b/htdocs/langs/en_US/eventorganization.lang index 5444ed59e3d..82f18107a5c 100644 --- a/htdocs/langs/en_US/eventorganization.lang +++ b/htdocs/langs/en_US/eventorganization.lang 
@@ -32,8 +32,8 @@ EventOrganizationConferenceOrBoothMenuLeft = Conference Or Booth EventOrganizationSetup = Event Organization setup Settings = Settings EventOrganizationSetupPage = Event Organization setup page -EVENTORGANIZATION_TASK_LABEL = Task label created when validate -EVENTORGANIZATION_TASK_LABELTooltip = When validate a Conference or a booth, some tasks will be created in the project

for example:
Send Call for Conference
Send Call for Booth
Receive call for conferences
Receive call for Booth
Open subscriptions to events for attendees
Send remind of event to speakers
Send remind of event to Booth hoster
Send remind of event to attendees +EVENTORGANIZATION_TASK_LABEL = Label of tasks to create automatically when project is validated +EVENTORGANIZATION_TASK_LABELTooltip = When you validate an organized event, some tasks can be automatically created in the project

For example:
Send Call for Conference
Send Call for Booth
Receive call for conferences
Receive call for Booth
Open subscriptions to events for attendees
Send remind of event to speakers
Send remind of event to Booth hoster
Send remind of event to attendees EVENTORGANIZATION_CATEG_THIRDPARTY_CONF = Category to add to third-parties automatically created when someone suggests a conference EVENTORGANIZATION_CATEG_THIRDPARTY_BOOTH = Category to add to third-parties automatically created when they suggests a booth EVENTORGANIZATION_TEMPLATE_EMAIL_ASK_CONF = Template of email to send after receiving a suggestion of a conference. diff --git a/htdocs/langs/en_US/margins.lang b/htdocs/langs/en_US/margins.lang index 76ea8ad5c4d..ad5406409b4 100644 --- a/htdocs/langs/en_US/margins.lang +++ b/htdocs/langs/en_US/margins.lang @@ -22,7 +22,7 @@ ProductService=Product or Service AllProducts=All products and services ChooseProduct/Service=Choose product or service ForceBuyingPriceIfNull=Force buying/cost price to selling price if not defined -ForceBuyingPriceIfNullDetails=If buying/cost price not defined, and this option "ON", margin will be zero on line (buying/cost price = selling price), otherwise ("OFF"), marge will be equal to suggested default. +ForceBuyingPriceIfNullDetails=If buying/cost price not provided when we add a new line, and this option is "ON", the margin will be 0 on the new line (buying/cost price = selling price). If this option is "OFF" (recommended), margin will be equal to the value suggested by default (and may be 100% if no default value can be found). MARGIN_METHODE_FOR_DISCOUNT=Margin method for global discounts UseDiscountAsProduct=As a product UseDiscountAsService=As a service diff --git a/htdocs/langs/en_US/orders.lang b/htdocs/langs/en_US/orders.lang index ad91e1eef63..87d196eb22f 100644 --- a/htdocs/langs/en_US/orders.lang +++ b/htdocs/langs/en_US/orders.lang @@ -16,6 +16,8 @@ ToOrder=Make order MakeOrder=Make order SupplierOrder=Purchase order SuppliersOrders=Purchase orders +SaleOrderLines=Sale order lines +PurchaseOrderLines=Puchase order lines SuppliersOrdersRunning=Current purchase orders CustomerOrder=Sales Order CustomersOrders=Sales Orders 
diff --git a/htdocs/langs/en_US/productbatch.lang b/htdocs/langs/en_US/productbatch.lang index 36adfd571fb..9e299baf8f3 100644 --- a/htdocs/langs/en_US/productbatch.lang +++ b/htdocs/langs/en_US/productbatch.lang @@ -26,3 +26,5 @@ ShowLogOfMovementIfLot=Show log of movements for couple product/lot StockDetailPerBatch=Stock detail per lot SerialNumberAlreadyInUse=Serial number %s is already used for product %s TooManyQtyForSerialNumber=You can only have one product %s for serial number %S +BatchLotNumberingModules=Options for automatic generation of batch products managed by lots +BatchSerialNumberingModules=Options for automatic generation of batch products managed by serial numbers \ No newline at end of file diff --git a/htdocs/langs/en_US/propal.lang b/htdocs/langs/en_US/propal.lang index 557df2f840f..edbc08236d3 100644 --- a/htdocs/langs/en_US/propal.lang +++ b/htdocs/langs/en_US/propal.lang @@ -59,6 +59,7 @@ ConfirmClonePropal=Are you sure you want to clone the commercial proposal %s< ConfirmReOpenProp=Are you sure you want to open back the commercial proposal %s? ProposalsAndProposalsLines=Commercial proposal and lines ProposalLine=Proposal line +ProposalLines=Proposal lines AvailabilityPeriod=Availability delay SetAvailability=Set availability delay AfterOrder=after order diff --git a/htdocs/langs/en_US/stocks.lang b/htdocs/langs/en_US/stocks.lang index 4585841911b..8e949661c49 100644 --- a/htdocs/langs/en_US/stocks.lang +++ b/htdocs/langs/en_US/stocks.lang 
@@ -106,7 +106,7 @@ LieuWareHouse=Localisation warehouse WarehousesAndProducts=Warehouses and products WarehousesAndProductsBatchDetail=Warehouses and products (with detail per lot/serial) AverageUnitPricePMPShort=Weighted average price -AverageUnitPricePMPDesc=The input average unit price we had to pay to suppliers to get the product into our stock. +AverageUnitPricePMPDesc=The input average unit price we had to expense to get 1 unit of product into our stock. SellPriceMin=Selling Unit Price EstimatedStockValueSellShort=Value for sell EstimatedStockValueSell=Value for sell diff --git a/htdocs/langs/en_US/suppliers.lang b/htdocs/langs/en_US/suppliers.lang index 03b03c75269..ca9ee174d29 100644 --- a/htdocs/langs/en_US/suppliers.lang +++ b/htdocs/langs/en_US/suppliers.lang @@ -1,6 +1,7 @@ # Dolibarr language file - Source file is en_US - vendors Suppliers=Vendors SuppliersInvoice=Vendor invoice +SupplierInvoices=Vendor invoices ShowSupplierInvoice=Show Vendor Invoice NewSupplier=New vendor History=History diff --git a/htdocs/langs/en_US/ticket.lang b/htdocs/langs/en_US/ticket.lang index 93f55289351..50fa8c970ae 100644 --- a/htdocs/langs/en_US/ticket.lang +++ b/htdocs/langs/en_US/ticket.lang @@ -70,6 +70,8 @@ Deleted=Deleted # Dict Type=Type Severity=Severity +TicketGroupIsPublic=Group is public +TicketGroupIsPublicDesc=If a ticket group is public, it will be visible in the form when creating a ticket from the public interface # Email templates MailToSendTicketMessage=To send email from ticket message 
@@ -114,8 +116,8 @@ TicketsShowModuleLogo=Display the logo of the module in the public interface TicketsShowModuleLogoHelp=Enable this option to hide the logo module in the pages of the public interface TicketsShowCompanyLogo=Display the logo of the company in the public interface TicketsShowCompanyLogoHelp=Enable this option to hide the logo of the main company in the pages of the public interface -TicketsEmailAlsoSendToMainAddress=Also send notification to main email address -TicketsEmailAlsoSendToMainAddressHelp=Enable this option to send an email to "Notification email from" address (see setup below) +TicketsEmailAlsoSendToMainAddress=Also send a notification to the main email address +TicketsEmailAlsoSendToMainAddressHelp=Enable this option to also send an email to the address defined into setup "%s" (see tab "%s") TicketsLimitViewAssignedOnly=Restrict the display to tickets assigned to the current user (not effective for external users, always be limited to the third party they depend on) TicketsLimitViewAssignedOnlyHelp=Only tickets assigned to the current user will be visible. Does not apply to a user with tickets management rights. TicketsActivatePublicInterface=Activate public interface 
@@ -126,10 +128,10 @@ TicketNumberingModules=Tickets numbering module TicketsModelModule=Document templates for tickets TicketNotifyTiersAtCreation=Notify third party at creation TicketsDisableCustomerEmail=Always disable emails when a ticket is created from public interface -TicketsPublicNotificationNewMessage=Send email(s) when a new message is added +TicketsPublicNotificationNewMessage=Send email(s) when a new message/comment is added to a ticket TicketsPublicNotificationNewMessageHelp=Send email(s) when a new message is added from public interface (to assigned user or the notifications email to (update) and/or the notifications email to) TicketPublicNotificationNewMessageDefaultEmail=Notifications email to (update) -TicketPublicNotificationNewMessageDefaultEmailHelp=Send email new message notifications to this address if the ticket don't have a user assigned or the user don't have a email. +TicketPublicNotificationNewMessageDefaultEmailHelp=Send an email to this address for each new message notifications if the ticket doesn't have a user assigned to it or if the user doesn't have any known email. # # Index & list page # diff --git a/htdocs/langs/en_US/users.lang b/htdocs/langs/en_US/users.lang index d4326fc08c9..727773a9606 100644 --- a/htdocs/langs/en_US/users.lang +++ b/htdocs/langs/en_US/users.lang @@ -72,7 +72,7 @@ ExportDataset_user_1=Users and their properties DomainUser=Domain user %s Reactivate=Reactivate CreateInternalUserDesc=This form allows you to create an internal user in your company/organization. To create an external user (customer, vendor etc. ..), use the button 'Create Dolibarr User' from that third-party's contact card. -InternalExternalDesc=An internal user is a user that is part of your company/organization.
An external user is a customer, vendor or other that must view only data related to himself (Creating an external user for a third-party can be done from the contact record of the third-party).

In both cases, permissions defines rights on Dolibarr, also external user can have a different menu manager than internal user (See Home - Setup - Display) +InternalExternalDesc=An internal user is a user that is part of your company/organization, or is a partner user outside of your organization that may need to see more data than data related to his company (the permission system will define what he can or can't see or do).
An external user is a customer, vendor or other that must view ONLY data related to himself (Creating an external user for a third-party can be done from the contact record of the third-party).

In both cases, you must grant permissions on the features that the user need. PermissionInheritedFromAGroup=Permission granted because inherited from one of a user's group. Inherited=Inherited UserWillBe=Created user will be diff --git a/htdocs/langs/fr_FR/admin.lang b/htdocs/langs/fr_FR/admin.lang index 639428eac1d..ef48fc0a82d 100644 --- a/htdocs/langs/fr_FR/admin.lang +++ b/htdocs/langs/fr_FR/admin.lang @@ -1786,6 +1786,7 @@ ApiSetup=Configuration du module API REST ApiDesc=En activant ce module, Dolibarr devient aussi serveur de services API de type REST ApiProductionMode=Activer le mode « production » (ceci activera l'utilisation du cache pour la gestion des services) ApiExporerIs=Vous pouvez explorer et tester les API par l'URL +SwaggerDescriptionFile=Swagger JSON description file of APIs OnlyActiveElementsAreExposed=Seuls les éléments en rapport avec un module actif sont présentés. ApiKey=Clé pour l'API WarningAPIExplorerDisabled=L'explorateur d'API est désactivé. L'explorateur d'API n'est pas nécessaire pour le fonctionnement des API. il s'agit d'un outil pour les développeurs pour en tester les services. Si cet outil vous est nécessaire, activez le module API REST dans la liste des modules. diff --git a/htdocs/langs/fr_FR/productbatch.lang b/htdocs/langs/fr_FR/productbatch.lang index 94ceb434bfd..eed5a063318 100644 --- a/htdocs/langs/fr_FR/productbatch.lang +++ b/htdocs/langs/fr_FR/productbatch.lang @@ -26,3 +26,5 @@ ShowLogOfMovementIfLot=Afficher l'historique des mouvements de couple produit / StockDetailPerBatch=Stock détaillé par lot SerialNumberAlreadyInUse=Le numéro de série %s est déjà utilisé pour le produit %s TooManyQtyForSerialNumber=Vous ne pouvez avoir qu'un produit %s avec le numéro de série %s +BatchLotNumberingModules=Modèle de génération et contrôle des numéros de lot +BatchSerialNumberingModules=Modèle de génération et contrôle des numéros de série \ No newline at end of file 
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 94c90c226e1..436870a20c3 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -434,7 +434,7 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->gl // Array of action code where CSRFCHECK with token will be forced (so token must be provided on url request) $arrayofactiontoforcetokencheck = array( 'activate', 'add', 'addtimespent', 'update', 'install', - 'confirm_create_user', 'confirm_create_thirdparty', 'confirm_reject_check', + 'confirm_create_user', 'confirm_create_thirdparty', 'confirm_purge', 'confirm_reject_check', 'delete', 'deletefilter', 'deleteoperation', 'deleteprof', 'deletepayment', 'disable', 'doprev', 'donext', 'dvprev', 'dvnext', 'enable' @@ -2073,8 +2073,7 @@ function top_menu_user($hideloginname = 0, $urllogout = '') $btnUser = '
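Review bot: Adding `'confirm_purge'` to `$arrayofactiontoforcetokencheck` means a request carrying `action=confirm_purge` is now rejected by the CSRF check unless it also carries the security token, exactly as the comment above the array says; the page that emits and handles that action is not part of this diff, so its links or form should be confirmed to include the token or the purge confirmation becomes unreachable rather than protected. The list is kept roughly alphabetical and the new entry respects that, which is good. Since the array is the single place deciding which GET actions are token-gated, a one-line comment naming the page or feature behind non-obvious entries (here the purge confirmation) would make the next audit of this list quicker.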

*** Force to rebuild sequences (for postgresql only)
Not available with database type '.$db->type.'
'; +print ''; +print ''; +print ''; +print ''; +print ''; +print ''; +print ''."\n"; + +clearstatcache(); + +foreach ($dirmodels as $reldir) { + $dir = dol_buildpath($reldir."core/modules/product_batch/"); + + if (is_dir($dir)) { + $handle = opendir($dir); + if (is_resource($handle)) { + while (($file = readdir($handle)) !== false) { + if (substr($file, 0, 8) == 'mod_lot_' && substr($file, dol_strlen($file) - 3, 3) == 'php') { + $file = substr($file, 0, dol_strlen($file) - 4); + + require_once $dir.$file.'.php'; + + $module = new $file($db); + + // Show modules according to features level + if ($module->version == 'development' && $conf->global->MAIN_FEATURES_LEVEL < 2) continue; + if ($module->version == 'experimental' && $conf->global->MAIN_FEATURES_LEVEL < 1) continue; + + if ($module->isEnabled()) { + print ''; + + // Show example of numbering model + print ''."\n"; + + print ''; + + $batch = new Productlot($db); + $batch->initAsSpecimen(); + + // Info + $htmltooltip = ''; + $htmltooltip .= ''.$langs->trans("Version").': '.$module->getVersion().'
'; + $nextval = $module->getNextValue($mysoc, $batch); + if ("$nextval" != $langs->trans("NotAvailable")) { // Keep " on nextval + $htmltooltip .= ''.$langs->trans("NextValue").': '; + if ($nextval) { + if (preg_match('/^Error/', $nextval) || $nextval == 'NotConfigured') + $nextval = $langs->trans($nextval); + $htmltooltip .= $nextval.'
'; + } else { + $htmltooltip .= $langs->trans($module->error).'
'; + } + } + + print '
'; + + print "\n"; + } + } + } + closedir($handle); + } + } +} + +print "
'.$langs->trans("Name").''.$langs->trans("Description").''.$langs->trans("Example").''.$langs->trans("Status").''.$langs->trans("ShortInfo").'
'.$module->name."\n"; + print $module->info(); + print ''; + $tmp = $module->getExample(); + if (preg_match('/^Error/', $tmp)) print '
'.$langs->trans($tmp).'
'; + elseif ($tmp == 'NotConfigured') print $langs->trans($tmp); + else print $tmp; + print '
'; + if ($conf->global->PRODUCTBATCH_LOT_ADDON == $file) { + print img_picto($langs->trans("Activated"), 'switch_on'); + } else { + print ''; + print img_picto($langs->trans("Disabled"), 'switch_off'); + print ''; + } + print ''; + print $form->textwithpicto('', $htmltooltip, 1, 0); + print '

\n"; + + +/* + * Serials Numbering models + */ + +print load_fiche_titre($langs->trans("BatchSerialNumberingModules"), '', ''); + +print ''; +print ''; +print ''; +print ''; +print ''; +print ''; +print ''; +print ''."\n"; + +clearstatcache(); + +foreach ($dirmodels as $reldir) { + $dir = dol_buildpath($reldir."core/modules/product_batch/"); + + if (is_dir($dir)) { + $handle = opendir($dir); + if (is_resource($handle)) { + while (($file = readdir($handle)) !== false) { + if (substr($file, 0, 7) == 'mod_sn_' && substr($file, dol_strlen($file) - 3, 3) == 'php') { + $file = substr($file, 0, dol_strlen($file) - 4); + + require_once $dir.$file.'.php'; + + $module = new $file($db); + + // Show modules according to features level + if ($module->version == 'development' && $conf->global->MAIN_FEATURES_LEVEL < 2) continue; + if ($module->version == 'experimental' && $conf->global->MAIN_FEATURES_LEVEL < 1) continue; + + if ($module->isEnabled()) { + print ''; + + // Show example of numbering model + print ''."\n"; + + print ''; + + $batch = new Productlot($db); + $batch->initAsSpecimen(); + + // Info + $htmltooltip = ''; + $htmltooltip .= ''.$langs->trans("Version").': '.$module->getVersion().'
'; + $nextval = $module->getNextValue($mysoc, $batch); + if ("$nextval" != $langs->trans("NotAvailable")) { // Keep " on nextval + $htmltooltip .= ''.$langs->trans("NextValue").': '; + if ($nextval) { + if (preg_match('/^Error/', $nextval) || $nextval == 'NotConfigured') + $nextval = $langs->trans($nextval); + $htmltooltip .= $nextval.'
'; + } else { + $htmltooltip .= $langs->trans($module->error).'
'; + } + } + + print ''; + + print "\n"; + } + } + } + closedir($handle); + } + } +} + +print "
'.$langs->trans("Name").''.$langs->trans("Description").''.$langs->trans("Example").''.$langs->trans("Status").''.$langs->trans("ShortInfo").'
'.$module->name."\n"; + print $module->info(); + print ''; + $tmp = $module->getExample(); + if (preg_match('/^Error/', $tmp)) print '
'.$langs->trans($tmp).'
'; + elseif ($tmp == 'NotConfigured') print $langs->trans($tmp); + else print $tmp; + print '
'; + if ($conf->global->PRODUCTBATCH_SN_ADDON == $file) { + print img_picto($langs->trans("Activated"), 'switch_on'); + } else { + print ''; + print img_picto($langs->trans("Disabled"), 'switch_off'); + print ''; + } + print ''; + print $form->textwithpicto('', $htmltooltip, 1, 0); + print '

\n"; + +// End of page +llxFooter(); +$db->close(); diff --git a/htdocs/product/admin/product_lot_extrafields.php b/htdocs/product/admin/product_lot_extrafields.php index fc14b4c142c..38af3a41f8d 100644 --- a/htdocs/product/admin/product_lot_extrafields.php +++ b/htdocs/product/admin/product_lot_extrafields.php @@ -77,7 +77,7 @@ print load_fiche_titre($title, $linkback, 'title_setup'); $head = product_lot_admin_prepare_head(); -print dol_get_fiche_head($head, 'attributes', $textobject, -1, 'stock'); +print dol_get_fiche_head($head, 'attributes', $textobject, -1, 'lot'); require DOL_DOCUMENT_ROOT.'/core/tpl/admin_extrafields_view.tpl.php'; diff --git a/htdocs/product/card.php b/htdocs/product/card.php index 352256f5c42..2c0531acaea 100644 --- a/htdocs/product/card.php +++ b/htdocs/product/card.php @@ -405,8 +405,8 @@ if (empty($reshook)) { if (!empty($conf->global->PRODUIT_MULTIPRICES)) { for ($i = 2; $i <= $conf->global->PRODUIT_MULTIPRICES_LIMIT; $i++) { if (GETPOSTISSET("price_".$i)) { - $object->multiprices["$i"] = price2num($_POST["price_".$i], 'MU'); - $object->multiprices_base_type["$i"] = $_POST["multiprices_base_type_".$i]; + $object->multiprices["$i"] = price2num(GETPOST("price_".$i), 'MU'); + $object->multiprices_base_type["$i"] = GETPOST("multiprices_base_type_".$i); } else { $object->multiprices["$i"] = ""; } @@ -1135,6 +1135,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { if ($type != 1 && !empty($conf->stock->enabled)) { // Default warehouse print '
'.$langs->trans("DefaultWarehouse").''; + print img_picto($langs->trans("DefaultWarehouse"), 'stock', 'pictofixedwidth'); print $formproduct->selectWarehouses(GETPOST('fk_default_warehouse'), 'fk_default_warehouse', 'warehouseopen', 1); print ' '; print ''; diff --git a/htdocs/product/class/html.formproduct.class.php b/htdocs/product/class/html.formproduct.class.php index 56efd8565d1..718acef6970 100644 --- a/htdocs/product/class/html.formproduct.class.php +++ b/htdocs/product/class/html.formproduct.class.php @@ -116,13 +116,13 @@ class FormProduct } $sql .= " WHERE e.entity IN (".getEntity('stock').")"; if (count($warehouseStatus)) { - $sql .= " AND e.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")"; + $sql .= " AND e.statut IN (".$this->db->sanitize(implode(',', $warehouseStatus)).")"; } else { $sql .= " AND e.statut = 1"; } if (!empty($exclude)) { - $sql .= ' AND e.rowid NOT IN('.$this->db->escape(implode(',', $exclude)).')'; + $sql .= ' AND e.rowid NOT IN('.$this->db->sanitize(implode(',', $exclude)).')'; } // minimum stock @@ -646,7 +646,7 @@ class FormProduct $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps on ps.rowid = pb.fk_product_stock"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."entrepot as e on e.rowid = ps.fk_entrepot AND e.entity IN (".getEntity('stock').")"; if (!empty($productIdList)) { - $sql .= " WHERE ps.fk_product IN (".$productIdList.")"; + $sql .= " WHERE ps.fk_product IN (".$this->db->sanitize($productIdList).")"; } $sql .= " ORDER BY e.ref, pb.batch"; diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php index 787e8cadd49..17f68476a35 100644 --- a/htdocs/product/class/product.class.php +++ b/htdocs/product/class/product.class.php 
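Review bot: `$this->db->sanitize(implode(',', $warehouseStatus))` and the `$exclude` line a few lines below it still rely on a character-level filter for what are lists of integer ids; casting each element before joining is stricter and documents the intent, e.g. `$sql .= ' AND e.rowid NOT IN('.implode(',', array_map('intval', $exclude)).')';` and likewise for `$warehouseStatus`. The same pattern appears in product.class.php @@ -5050 (`$warehouseStatus`), in the @@ -337 hunk that joins the ids returned by `getObjectsInCateg()`, and in the `$search_month`/`$search_year` lists of the product/stats/*.php hunks, where an `IN ()` that sanitize() leaves empty would presumably also be a SQL syntax error. The @@ -646 hunk receives `$productIdList` as an opaque string, so sanitize() is the right fit there. The enclosing methods start and end outside these hunks.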
@@ -2820,7 +2820,7 @@ class Product extends CommonObject $sql .= " JOIN ".MAIN_DB_PREFIX."facture f ON fd.fk_facture = f.rowid "; $sql .= " JOIN ".MAIN_DB_PREFIX."element_element el ON el.fk_target = f.rowid and el.targettype = 'facture' and sourcetype = 'commande'"; $sql .= " JOIN ".MAIN_DB_PREFIX."commande c ON el.fk_source = c.rowid "; - $sql .= " WHERE c.fk_statut IN (".$filtrestatut.") AND c.facture = 0 AND fd.fk_product = ".$this->id; + $sql .= " WHERE c.fk_statut IN (".$this->db->sanitize($filtrestatut).") AND c.facture = 0 AND fd.fk_product = ".((int) $this->id); dol_syslog(__METHOD__.":: sql $sql", LOG_NOTICE); $resql = $this->db->query($sql); @@ -3613,7 +3613,7 @@ class Product extends CommonObject $sql .= " AND p.fk_soc = sc.fk_soc AND sc.fk_user = ".$user->id; } if ($socid > 0) { - $sql .= " AND p.fk_soc = ".$socid; + $sql .= " AND p.fk_soc = ".((int) $socid); } $sql .= $morefilter; $sql .= " GROUP BY date_format(p.date_valid,'%Y%m')"; @@ -5050,7 +5050,7 @@ class Product extends CommonObject $sql .= " AND w.rowid = ps.fk_entrepot"; $sql .= " AND ps.fk_product = ".$this->id; if (!empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) { - $sql .= " AND w.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")"; + $sql .= " AND w.statut IN (".$this->db->sanitize(implode(',', $warehouseStatus)).")"; } dol_syslog(get_class($this)."::load_stock", LOG_DEBUG); diff --git a/htdocs/product/composition/card.php b/htdocs/product/composition/card.php index 9a1fa1adf69..6dd6a0ac89d 100644 --- a/htdocs/product/composition/card.php +++ b/htdocs/product/composition/card.php 
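Review bot: In the @@ -5050 hunk the neighbouring context line `$sql .= " AND ps.fk_product = ".$this->id;` is left uncast while @@ -2820 now casts `$this->id`, and @@ -3613 likewise casts `$socid` but leaves `sc.fk_user = ".$user->id` as is; applying the same `((int) …)` cast there keeps the hardening uniform, e.g. `$sql .= " AND ps.fk_product = ".((int) $this->id);`. These are ids of already-loaded objects, so the exposure is presumably low, but a reader of the diff will otherwise wonder why one interpolation in the same statement was chosen over the other. The enclosing methods start and end outside the hunks.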
@@ -167,18 +167,18 @@ if ($action == 'search') { } $title = $langs->trans('ProductServiceCard'); -$helpurl = ''; +$help_url = ''; $shortlabel = dol_trunc($object->label, 16); if (GETPOST("type") == '0' || ($object->type == Product::TYPE_PRODUCT)) { $title = $langs->trans('Product')." ".$shortlabel." - ".$langs->trans('AssociatedProducts'); - $helpurl = 'EN:Module_Products|FR:Module_Produits|ES:Módulo_Productos'; + $help_url = 'EN:Module_Products|FR:Module_Produits|ES:Módulo_Productos'; } if (GETPOST("type") == '1' || ($object->type == Product::TYPE_SERVICE)) { $title = $langs->trans('Service')." ".$shortlabel." - ".$langs->trans('AssociatedProducts'); - $helpurl = 'EN:Module_Services_En|FR:Module_Services|ES:Módulo_Servicios'; + $help_url = 'EN:Module_Services_En|FR:Module_Services|ES:Módulo_Servicios'; } -llxHeader('', $title, $helpurl); +llxHeader('', $title, $help_url); $head = product_prepare_head($object); $titre = $langs->trans("CardProduct".$object->type); diff --git a/htdocs/product/fournisseurs.php b/htdocs/product/fournisseurs.php index 371713f0250..77659142744 100644 --- a/htdocs/product/fournisseurs.php +++ b/htdocs/product/fournisseurs.php @@ -217,7 +217,7 @@ if (empty($reshook)) { $langs->load("errors"); setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentities("Supplier")), null, 'errors'); } - if (price2num($_POST["price"]) < 0 || $_POST["price"] == '') { + if (price2num(GETPOST("price")) < 0 || GETPOST("price") == '') { if ($price_expression === '') { // Return error of missing price only if price_expression not set $error++; $langs->load("errors"); diff --git a/htdocs/product/list.php b/htdocs/product/list.php index e6714bdd53b..64ab0b592b7 100644 --- a/htdocs/product/list.php +++ b/htdocs/product/list.php 
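Review bot: The new condition in fournisseurs.php calls `GETPOST("price")` twice and compares with loose `==`; reading it once into a local and comparing strictly is clearer: `$price = GETPOST("price");` followed by `if (price2num($price) < 0 || $price === '') {`. This assumes GETPOST() returns an empty string for an absent parameter, which the loose comparison on the replaced line was already relying on. The enclosing `if (empty($reshook))` block starts and ends outside the hunk.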
@@ -484,13 +484,13 @@ if ($fourn_id > 0) { $sql .= " AND pfp.fk_soc = ".((int) $fourn_id); } if ($search_country) { - $sql .= " AND p.fk_country = ".$search_country; + $sql .= " AND p.fk_country = ".((int) $search_country); } if ($search_state) { - $sql .= " AND p.fk_state = ".$search_state; + $sql .= " AND p.fk_state = ".((int) $search_state); } if ($search_finished >= 0 && $search_finished !== '') { - $sql .= " AND p.finished = ".$search_finished; + $sql .= " AND p.finished = ".((int) $search_finished); } if ($search_accountancy_code_sell) { $sql .= natural_search($alias_product_accounting . '.accountancy_code_sell', $search_accountancy_code_sell); @@ -640,7 +640,7 @@ if ($resql) { $param = "&search_vatrate=".urlencode($search_vatrate); } if ($fourn_id > 0) { - $param .= ($fourn_id ? "&fourn_id=".$fourn_id : ""); + $param .= "&fourn_id=".urlencode($fourn_id); } //if ($seach_categ) $param.=($search_categ?"&search_categ=".urlencode($search_categ):""); if ($show_childproducts) { @@ -769,7 +769,7 @@ if ($resql) { $moreforfilter = ''; if (!empty($conf->categorie->enabled) && $user->rights->categorie->lire) { $moreforfilter .= '
'; - $moreforfilter .= $langs->trans('Categories').': '; + $moreforfilter .= img_picto($langs->trans('Categories'), 'category', 'class="pictofixedwidth"'); $categoriesProductArr = $form->select_all_categories(Categorie::TYPE_PRODUCT, '', '', 64, 0, 1); $categoriesProductArr[-2] = '- '.$langs->trans('NotCategorized').' -'; $moreforfilter .= Form::multiselectarray('search_category_product_list', $categoriesProductArr, $searchCategoryProductList, 0, 0, 'minwidth300'); diff --git a/htdocs/product/popuprop.php b/htdocs/product/popuprop.php index 001635be24b..2b84f11ac66 100644 --- a/htdocs/product/popuprop.php +++ b/htdocs/product/popuprop.php @@ -140,7 +140,7 @@ $sql .= ", ".MAIN_DB_PREFIX."product as p"; $sql .= ' WHERE p.entity IN ('.getEntity('product').')'; $sql .= " AND p.rowid = pd.fk_product"; if ($type !== '') { - $sql .= " AND fk_product_type = ".$type; + $sql .= " AND fk_product_type = ".((int) $type); } $sql .= " GROUP BY p.rowid, p.label, p.ref, p.fk_product_type"; diff --git a/htdocs/product/reassort.php b/htdocs/product/reassort.php index e0d1d7447a0..5e0720e106c 100644 --- a/htdocs/product/reassort.php +++ b/htdocs/product/reassort.php @@ -177,19 +177,19 @@ if ($snom) { $sql .= natural_search('p.label', $snom); } if (!empty($tosell)) { - $sql .= " AND p.tosell = ".$tosell; + $sql .= " AND p.tosell = ".((int) $tosell); } if (!empty($tobuy)) { - $sql .= " AND p.tobuy = ".$tobuy; + $sql .= " AND p.tobuy = ".((int) $tobuy); } if (!empty($canvas)) { $sql .= " AND p.canvas = '".$db->escape($canvas)."'"; } -if ($catid) { - $sql .= " AND cp.fk_categorie = ".$catid; +if ($catid > 0) { + $sql .= " AND cp.fk_categorie = ".((int) $catid); } if ($fourn_id > 0) { - $sql .= " AND p.rowid = pf.fk_product AND pf.fk_soc = ".$fourn_id; + $sql .= " AND p.rowid = pf.fk_product AND pf.fk_soc = ".((int) $fourn_id); } // Insert categ filter if ($search_categ) { @@ -307,7 +307,7 @@ if ($resql) { $moreforfilter = ''; if (!empty($conf->categorie->enabled)) { $moreforfilter .= '
'; - $moreforfilter .= $langs->trans('Categories').': '; + $moreforfilter .= img_picto($langs->trans('Categories'), 'category', 'class="pictofixedwidth"'); $moreforfilter .= $htmlother->select_categories(Categorie::TYPE_PRODUCT, $search_categ, 'search_categ'); $moreforfilter .= '
'; } @@ -493,7 +493,10 @@ if ($resql) { if (!empty($conf->global->PRODUCT_USE_UNITS)) { print '
'.$objp->unit_short.''.$langs->trans("Movements").''; + print img_picto($langs->trans("StockMovement"), 'movement', 'class="pictofixedwidth"'); + print ''.$langs->trans("Movements").''; + print ''.$product->LibStatut($objp->statut, 5, 0).''.$product->LibStatut($objp->tobuy, 5, 1).''.$langs->trans("Movements").''; + print img_picto($langs->trans("StockMovement"), 'movement', 'class="pictofixedwidth"'); + print ''.$langs->trans("Movements").''; + print ''.$product_static->LibStatut($objp->statut, 5, 0).''.$product_static->LibStatut($objp->tobuy, 5, 1).'
'.$langs->trans("Categories").''; - //$moreforfilter.='
'; + $moreforfilter .= img_picto($langs->trans("Categories"), 'category', 'paddingright'); $moreforfilter .= $htmlother->select_categories(Categorie::TYPE_PRODUCT, $search_categ, 'search_categ', 1); - //$moreforfilter.='
'; print $moreforfilter; print '
'; print '
'; @@ -337,7 +336,7 @@ if ($result || empty($id)) { $categ = new Categorie($db); $categ->fetch($search_categ); $listofprodids = $categ->getObjectsInCateg('product', 1); - $morefilters = ' AND d.fk_product IN ('.((is_array($listofprodids) && count($listofprodids)) ? join(',', $listofprodids) : '0').')'; + $morefilters = ' AND d.fk_product IN ('.$db->sanitize((is_array($listofprodids) && count($listofprodids)) ? join(',', $listofprodids) : '0').')'; } if ($search_categ == -2) { $morefilters = ' AND d.fk_product NOT IN (SELECT cp.fk_product from '.MAIN_DB_PREFIX.'categorie_product as cp)'; diff --git a/htdocs/product/stats/commande.php b/htdocs/product/stats/commande.php index cb5087c63f2..fe8016f362a 100644 --- a/htdocs/product/stats/commande.php +++ b/htdocs/product/stats/commande.php @@ -153,16 +153,16 @@ if ($id > 0 || !empty($ref)) { $sql .= " AND d.fk_commande = c.rowid"; $sql .= " AND d.fk_product =".$product->id; if (!empty($search_month)) { - $sql .= ' AND MONTH(c.date_commande) IN ('.$search_month.')'; + $sql .= ' AND MONTH(c.date_commande) IN ('.$db->sanitize($search_month).')'; } if (!empty($search_year)) { - $sql .= ' AND YEAR(c.date_commande) IN ('.$search_year.')'; + $sql .= ' AND YEAR(c.date_commande) IN ('.$db->sanitize($search_year).')'; } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } if ($socid) { - $sql .= " AND c.fk_soc = ".$socid; + $sql .= " AND c.fk_soc = ".((int) $socid); } $sql .= $db->order($sortfield, $sortorder); diff --git a/htdocs/product/stats/commande_fournisseur.php b/htdocs/product/stats/commande_fournisseur.php index 16dd040887d..bc8346e39b1 100644 --- a/htdocs/product/stats/commande_fournisseur.php +++ b/htdocs/product/stats/commande_fournisseur.php 
@@ -153,16 +153,16 @@ if ($id > 0 || !empty($ref)) { $sql .= " AND d.fk_commande = c.rowid"; $sql .= " AND d.fk_product =".$product->id; if (!empty($search_month)) { - $sql .= ' AND MONTH(c.date_commande) IN ('.$search_month.')'; + $sql .= ' AND MONTH(c.date_commande) IN ('.$db->sanitize($search_month).')'; } if (!empty($search_year)) { - $sql .= ' AND YEAR(c.date_commande) IN ('.$search_year.')'; + $sql .= ' AND YEAR(c.date_commande) IN ('.$db->sanitize($search_year).')'; } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } if ($socid) { - $sql .= " AND c.fk_soc = ".$socid; + $sql .= " AND c.fk_soc = ".((int) $socid); } $sql .= $db->order($sortfield, $sortorder); diff --git a/htdocs/product/stats/contrat.php b/htdocs/product/stats/contrat.php index 93778a19047..e419593208c 100644 --- a/htdocs/product/stats/contrat.php +++ b/htdocs/product/stats/contrat.php @@ -148,7 +148,7 @@ if ($id > 0 || !empty($ref)) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } if ($socid) { - $sql .= " AND s.rowid = ".$socid; + $sql .= " AND s.rowid = ".((int) $socid); } $sql .= " GROUP BY c.rowid, c.ref, c.ref_customer, c.ref_supplier, c.date_contrat, c.statut, s.nom, s.rowid, s.code_client"; $sql .= $db->order($sortfield, $sortorder); diff --git a/htdocs/product/stats/facture.php b/htdocs/product/stats/facture.php index 271a834570b..fa7d4fae24f 100644 --- a/htdocs/product/stats/facture.php +++ b/htdocs/product/stats/facture.php 
@@ -170,16 +170,16 @@ if ($id > 0 || !empty($ref)) { $sql .= " AND d.fk_facture = f.rowid"; $sql .= " AND d.fk_product =".$product->id; if (!empty($search_month)) { - $sql .= ' AND MONTH(f.datef) IN ('.$search_month.')'; + $sql .= ' AND MONTH(f.datef) IN ('.$db->sanitize($search_month).')'; } if (!empty($search_year)) { - $sql .= ' AND YEAR(f.datef) IN ('.$search_year.')'; + $sql .= ' AND YEAR(f.datef) IN ('.$db->sanitize($search_year).')'; } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } if ($socid) { - $sql .= " AND f.fk_soc = ".$socid; + $sql .= " AND f.fk_soc = ".((int) $socid); } $sql .= $db->order($sortfield, $sortorder); diff --git a/htdocs/product/stats/facture_fournisseur.php b/htdocs/product/stats/facture_fournisseur.php index a42615fdaa9..018f1c28f02 100644 --- a/htdocs/product/stats/facture_fournisseur.php +++ b/htdocs/product/stats/facture_fournisseur.php @@ -153,16 +153,16 @@ if ($id > 0 || !empty($ref)) { $sql .= " AND d.fk_facture_fourn = f.rowid"; $sql .= " AND d.fk_product =".$product->id; if (!empty($search_month)) { - $sql .= ' AND MONTH(f.datef) IN ('.$search_month.')'; + $sql .= ' AND MONTH(f.datef) IN ('.$db->sanitize($search_month).')'; } if (!empty($search_year)) { - $sql .= ' AND YEAR(f.datef) IN ('.$search_year.')'; + $sql .= ' AND YEAR(f.datef) IN ('.$db->sanitize($search_year).')'; } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } if ($socid) { - $sql .= " AND f.fk_soc = ".$socid; + $sql .= " AND f.fk_soc = ".((int) $socid); } $sql .= " ORDER BY $sortfield $sortorder "; diff --git a/htdocs/product/stats/mo.php b/htdocs/product/stats/mo.php index 479dbdd1a17..1cabfd9ef85 100644 --- a/htdocs/product/stats/mo.php +++ b/htdocs/product/stats/mo.php 
@@ -140,7 +140,7 @@ if ($id > 0 || !empty($ref)) { $sql .= " AND c.entity IN (".getEntity('mo').")"; $sql .= " AND cd.fk_product =".$product->id; if ($socid) { - $sql .= " AND s.rowid = ".$socid; + $sql .= " AND s.rowid = ".((int) $socid); } $sql .= " GROUP BY c.rowid, c.ref, c.date_valid, c.status"; //$sql .= ", s.nom, s.rowid, s.code_client"; diff --git a/htdocs/product/stats/propal.php b/htdocs/product/stats/propal.php index 7d08f3ab9c3..7dfc8b6d1db 100644 --- a/htdocs/product/stats/propal.php +++ b/htdocs/product/stats/propal.php @@ -154,16 +154,16 @@ if ($id > 0 || !empty($ref)) { $sql .= " AND d.fk_propal = p.rowid"; $sql .= " AND d.fk_product =".$product->id; if (!empty($search_month)) { - $sql .= ' AND MONTH(p.datep) IN ('.$search_month.')'; + $sql .= ' AND MONTH(p.datep) IN ('.$db->sanitize($search_month).')'; } if (!empty($search_year)) { - $sql .= ' AND YEAR(p.datep) IN ('.$search_year.')'; + $sql .= ' AND YEAR(p.datep) IN ('.$db->sanitize($search_year).')'; } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } if ($socid) { - $sql .= " AND p.fk_soc = ".$socid; + $sql .= " AND p.fk_soc = ".((int) $socid); } $sql .= $db->order($sortfield, $sortorder); diff --git a/htdocs/product/stats/supplier_proposal.php b/htdocs/product/stats/supplier_proposal.php index e18dc17867f..86689786b2d 100644 --- a/htdocs/product/stats/supplier_proposal.php +++ b/htdocs/product/stats/supplier_proposal.php 
@@ -154,16 +154,16 @@ if ($id > 0 || !empty($ref)) { $sql .= " AND d.fk_supplier_proposal = p.rowid"; $sql .= " AND d.fk_product =".$product->id; if (!empty($search_month)) { - $sql .= ' AND MONTH(p.datep) IN ('.$search_month.')'; + $sql .= ' AND MONTH(p.datep) IN ('.$db->sanitize($search_month).')'; } if (!empty($search_year)) { - $sql .= ' AND YEAR(p.datep) IN ('.$search_year.')'; + $sql .= ' AND YEAR(p.datep) IN ('.$db->sanitize($search_year).')'; } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } if ($socid) { - $sql .= " AND p.fk_soc = ".$socid; + $sql .= " AND p.fk_soc = ".((int) $socid); } $sql .= $db->order($sortfield, $sortorder); diff --git a/htdocs/product/stock/card.php b/htdocs/product/stock/card.php index 294c31d49ba..7f2f8f58bb5 100644 --- a/htdocs/product/stock/card.php +++ b/htdocs/product/stock/card.php @@ -449,8 +449,10 @@ if ($action == 'create') { } print ''.$langs->trans("LastMovement").''; if ($lastmovementdate) { - print dol_print_date($lastmovementdate, 'dayhour').' '; - print '(
'.$langs->trans("FullList").')'; + print dol_print_date($lastmovementdate, 'dayhour'); + print '     '; + print img_picto($langs->trans('LastMovement'), 'movement', 'class="pictofixedwidth"'); + print ''.$langs->trans("FullList").''; } else { print $langs->trans("None"); } @@ -515,11 +517,11 @@ if ($action == 'create') { print ""; print_liste_field_titre("Product", "", "p.ref", "&id=".$id, "", "", $sortfield, $sortorder); print_liste_field_titre("Label", "", "p.label", "&id=".$id, "", "", $sortfield, $sortorder); - print_liste_field_titre("Units", "", "ps.reel", "&id=".$id, "", '', $sortfield, $sortorder, 'right '); + print_liste_field_titre("NumberOfUnit", "", "ps.reel", "&id=".$id, "", '', $sortfield, $sortorder, 'right '); if (!empty($conf->global->PRODUCT_USE_UNITS)) { print_liste_field_titre("Unit", "", "p.fk_unit", "&id=".$id, "", 'align="left"', $sortfield, $sortorder); } - print_liste_field_titre("AverageUnitPricePMPShort", "", "p.pmp", "&id=".$id, "", '', $sortfield, $sortorder, 'right '); + print_liste_field_titre($form->textwithpicto($langs->trans("AverageUnitPricePMPShort"), $langs->trans("AverageUnitPricePMPDesc")), "", "p.pmp", "&id=".$id, "", '', $sortfield, $sortorder, 'right '); print_liste_field_titre("EstimatedStockValueShort", "", "", "&id=".$id, "", '', $sortfield, $sortorder, 'right '); if (empty($conf->global->PRODUIT_MULTIPRICES)) { print_liste_field_titre("SellPriceMin", "", "p.price", "&id=".$id, "", '', $sortfield, $sortorder, 'right '); 
@@ -628,13 +630,15 @@ if ($action == 'create') { if ($user->rights->stock->mouvement->creer) { print ''; - print img_picto($langs->trans("StockMovement"), 'uparrow.png', 'class="hideonsmartphone"').' '.$langs->trans("StockMovement"); + print img_picto($langs->trans("TransferStock"), 'add', 'class="hideonsmartphone pictofixedwidth" style="color: #a69944"'); + print $langs->trans("TransferStock"); print ""; } if ($user->rights->stock->creer) { print ''; - print $langs->trans("StockCorrection"); + print img_picto($langs->trans("CorrectStock"), 'add', 'class="hideonsmartphone pictofixedwidth" style="color: #a69944"'); + print $langs->trans("CorrectStock"); print ""; } if (!empty($conf->global->PRODUCT_USE_UNITS)) { diff --git a/htdocs/product/stock/class/entrepot.class.php b/htdocs/product/stock/class/entrepot.class.php index 9d601dc9687..30dba05e417 100644 --- a/htdocs/product/stock/class/entrepot.class.php +++ b/htdocs/product/stock/class/entrepot.class.php @@ -547,7 +547,7 @@ class Entrepot extends CommonObject $sql = "SELECT rowid, ref as label"; $sql .= " FROM ".MAIN_DB_PREFIX."entrepot"; $sql .= " WHERE entity IN (".getEntity('stock').")"; - $sql .= " AND statut = ".$status; + $sql .= " AND statut = ".((int) $status); $result = $this->db->query($sql); $i = 0; diff --git a/htdocs/product/stock/massstockmove.php b/htdocs/product/stock/massstockmove.php index 830e8aa56e9..5a5808b04f3 100644 --- a/htdocs/product/stock/massstockmove.php +++ b/htdocs/product/stock/massstockmove.php @@ -1,5 +1,5 @@ +/* Copyright (C) 2013-2021 Laurent Destaileur * Copyright (C) 2014 Regis Houssin * * This program is free software: you can redistribute it and/or modify 
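Review bot: Both new `img_picto()` calls in the stock/card.php @@ -628 hunk embed `style="color: #a69944"` inline, duplicated across the two button labels; a CSS class carried in the existing class list next to `hideonsmartphone pictofixedwidth` would keep the colour in one place and let themes override it. I cannot see which theme classes exist, so the class name below is a placeholder: `'class="hideonsmartphone pictofixedwidth <colour-class>"'`. The enclosing block starts and ends outside the hunk.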
@@ -344,14 +344,14 @@ print ''; print ''; // From warehouse print ''; -print $formproduct->selectWarehouses($id_sw, 'id_sw', 'warehouseopen,warehouseinternal', 1, 0, 0, '', 0, 0, array(), 'minwidth200imp maxwidth200'); +print img_picto($langs->trans("WarehouseSource"), 'stock', 'class="paddingright"').$formproduct->selectWarehouses($id_sw, 'id_sw', 'warehouseopen,warehouseinternal', 1, 0, 0, '', 0, 0, array(), 'minwidth200imp maxwidth200'); print ''; // To warehouse print ''; -print $formproduct->selectWarehouses($id_tw, 'id_tw', 'warehouseopen,warehouseinternal', 1, 0, 0, '', 0, 0, array(), 'minwidth200imp maxwidth200'); +print img_picto($langs->trans("WarehouseTarget"), 'stock', 'class="paddingright"').$formproduct->selectWarehouses($id_tw, 'id_tw', 'warehouseopen,warehouseinternal', 1, 0, 0, '', 0, 0, array(), 'minwidth200imp maxwidth200'); print ''; // Product -print ''; +print ''; $filtertype = 0; if (!empty($conf->global->STOCK_SUPPORTS_SERVICES)) { $filtertype = ''; @@ -362,11 +362,13 @@ if ($conf->global->PRODUIT_LIMIT_SIZE <= 0) { $limit = $conf->global->PRODUIT_LIMIT_SIZE; } -$form->select_produits($id_product, 'productid', $filtertype, $limit, 0, -1, 2, '', 1, array(), 0, '1', 0, 'minwidth200imp maxwidth300', 1); +print img_picto($langs->trans("Product"), 'product', 'class="paddingright"'); +print $form->select_produits($id_product, 'productid', $filtertype, $limit, 0, -1, 2, '', 1, array(), 0, '1', 0, 'minwidth200imp maxwidth300', 1, '', null, 1); print ''; // Batch number if ($conf->productbatch->enabled) { print ''; + print img_picto($langs->trans("LotSerial"), 'lot', 'class="paddingright"'); print ''; print ''; } diff --git a/htdocs/product/stock/movement_card.php b/htdocs/product/stock/movement_card.php index 6dc3c665e15..3221c23aa8d 100644 --- a/htdocs/product/stock/movement_card.php +++ b/htdocs/product/stock/movement_card.php 
@@ -179,7 +179,7 @@ if ($action == "correct_stock") { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Product")), null, 'errors'); $action = 'correction'; } - if (!is_numeric($_POST["nbpiece"])) { + if (!is_numeric(GETPOST("nbpiece"))) { $error++; setEventMessages($langs->trans("ErrorFieldMustBeANumeric", $langs->transnoentitiesnoconv("NumberOfUnit")), null, 'errors'); $action = 'correction'; @@ -456,7 +456,7 @@ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."user as u ON m.fk_user_author = u.rowid"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lot as pl ON m.batch = pl.batch AND m.fk_product = pl.fk_product"; $sql .= " WHERE m.fk_product = p.rowid"; if ($msid > 0) { - $sql .= " AND m.rowid = ".$msid; + $sql .= " AND m.rowid = ".((int) $msid); } $sql .= " AND m.fk_entrepot = e.rowid"; $sql .= " AND e.entity IN (".getEntity('stock').")"; @@ -464,7 +464,7 @@ if (empty($conf->global->STOCK_SUPPORTS_SERVICES)) { $sql .= " AND p.fk_product_type = 0"; } if ($id > 0) { - $sql .= " AND e.rowid ='".$id."'"; + $sql .= " AND e.rowid = ".((int) $id); } $sql .= dolSqlDateFilter('m.datem', 0, $month, $year); if ($idproduct > 0) { diff --git a/htdocs/product/stock/movement_list.php b/htdocs/product/stock/movement_list.php index 62cbe7f8620..50982e0e084 100644 --- a/htdocs/product/stock/movement_list.php +++ b/htdocs/product/stock/movement_list.php @@ -247,7 +247,7 @@ if ($action == "correct_stock") { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Product")), null, 'errors'); $action = 'correction'; } - if (!is_numeric($_POST["nbpiece"])) { + if (!is_numeric(GETPOST("nbpiece"))) { $error++; setEventMessages($langs->trans("ErrorFieldMustBeANumeric", $langs->transnoentitiesnoconv("NumberOfUnit")), null, 'errors'); $action = 'correction'; 
@@ -503,7 +503,7 @@ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."user as u ON m.fk_user_author = u.rowid"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lot as pl ON m.batch = pl.batch AND m.fk_product = pl.fk_product"; $sql .= " WHERE m.fk_product = p.rowid"; if ($msid > 0) { - $sql .= " AND m.rowid = ".$msid; + $sql .= " AND m.rowid = ".((int) $msid); } $sql .= " AND m.fk_entrepot = e.rowid"; $sql .= " AND e.entity IN (".getEntity('stock').")"; @@ -511,7 +511,7 @@ if (empty($conf->global->STOCK_SUPPORTS_SERVICES)) { $sql .= " AND p.fk_product_type = 0"; } if ($id > 0) { - $sql .= " AND e.rowid ='".$id."'"; + $sql .= " AND e.rowid = ".((int) $id); } if (!empty($search_date_start)) { $sql .= " AND m.datem >= '" . $db->idate($search_date_start) . "'"; @@ -836,9 +836,9 @@ if ($resql) { } if ($id > 0) { - print_barre_liste($texte, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, $massactionbutton, $num, $nbtotalofrecords, 'stock', 0, '', '', $limit, 0, 0, 1); + print_barre_liste($texte, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, $massactionbutton, $num, $nbtotalofrecords, 'movement', 0, '', '', $limit, 0, 0, 1); } else { - print_barre_liste($texte, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, $massactionbutton, $num, $nbtotalofrecords, 'stock', 0, '', '', $limit, 0, 0, 1); + print_barre_liste($texte, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, $massactionbutton, $num, $nbtotalofrecords, 'movement', 0, '', '', $limit, 0, 0, 1); } // Add code for pre mass action (confirmation or email presend form) @@ -886,6 +886,7 @@ if ($resql) { print ''; } if (! empty($arrayfields['m.datem']['checked'])) { + // Date print ''; print '
'; print $form->selectDate($search_date_start?$search_date_start:-1, 'search_date_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From'), 'tzuserrel'); @@ -1014,7 +1015,7 @@ if ($resql) { print_liste_field_titre($arrayfields['m.rowid']['label'], $_SERVER["PHP_SELF"], 'm.rowid', '', $param, '', $sortfield, $sortorder); } if (!empty($arrayfields['m.datem']['checked'])) { - print_liste_field_titre($arrayfields['m.datem']['label'], $_SERVER["PHP_SELF"], 'm.datem', '', $param, '', $sortfield, $sortorder); + print_liste_field_titre($arrayfields['m.datem']['label'], $_SERVER["PHP_SELF"], 'm.datem', '', $param, '', $sortfield, $sortorder, 'center '); } if (!empty($arrayfields['p.ref']['checked'])) { print_liste_field_titre($arrayfields['p.ref']['label'], $_SERVER["PHP_SELF"], 'p.ref', '', $param, '', $sortfield, $sortorder); @@ -1125,11 +1126,14 @@ if ($resql) { print ''; // Id movement if (!empty($arrayfields['m.rowid']['checked'])) { - print ''.$objp->mid.''; // This is primary not movement id + print ''; + print img_picto($langs->trans("StockMovement"), 'movement', 'class="pictofixedwidth"'); + print $objp->mid; + print ''; // This is primary not movement id } if (!empty($arrayfields['m.datem']['checked'])) { // Date - print ''.dol_print_date($db->jdate($objp->datem), 'dayhour', 'tzuserrel').''; + print ''.dol_print_date($db->jdate($objp->datem), 'dayhour', 'tzuserrel').''; } if (!empty($arrayfields['p.ref']['checked'])) { // Product ref diff --git a/htdocs/product/stock/product.php b/htdocs/product/stock/product.php index e45f48d9ef8..f6d77bdb6c0 100644 --- a/htdocs/product/stock/product.php +++ b/htdocs/product/stock/product.php 
@@ -564,7 +564,9 @@ if ($id > 0 || $ref) { print ''; // AWP - print ''.$form->textwithpicto($langs->trans("AverageUnitPricePMPShort"), $langs->trans("AverageUnitPricePMPDesc")).''; + print ''; + print $form->textwithpicto($langs->trans("AverageUnitPricePMPShort"), $langs->trans("AverageUnitPricePMPDesc")); + print ''; print ''; if ($object->pmp > 0) { print price($object->pmp).' '.$langs->trans("HT"); @@ -765,8 +767,11 @@ if ($id > 0 || $ref) { print ''.$langs->trans("LastMovement").''; if ($lastmovementdate) { print dol_print_date($lastmovementdate, 'dayhour').' '; - print '    '.$langs->trans("FullList").''; + print '     '; + print img_picto($langs->trans("StockMovement"), 'movement', 'class="pictofixedwidth"'); + print ''.$langs->trans("FullList").''; } else { + print img_picto($langs->trans("StockMovement"), 'movement', 'class="pictofixedwidth"'); print ''.$langs->trans("None").''; } print ""; @@ -811,20 +816,19 @@ if (empty($reshook)) { if ($user->rights->stock->mouvement->creer) { if (!$variants || !empty($conf->global->VARIANT_ALLOW_STOCK_MOVEMENT_ON_VARIANT_PARENT)) { - print ''.$langs->trans("CorrectStock").''; + print ''.$langs->trans("TransferStock").''; } else { - print ''.$langs->trans("CorrectStock").''; + print ''.$langs->trans("TransferStock").''; } } else { print ''.$langs->trans("CorrectStock").''; } - //if (($user->rights->stock->mouvement->creer) && ! $object->hasbatch()) if ($user->rights->stock->mouvement->creer) { if (!$variants || !empty($conf->global->VARIANT_ALLOW_STOCK_MOVEMENT_ON_VARIANT_PARENT)) { - print ''.$langs->trans("TransferStock").''; + print ''.$langs->trans("CorrectStock").''; } else { - print ''.$langs->trans("TransferStock").''; + print ''.$langs->trans("CorrectStock").''; } } else { print ''.$langs->trans("CorrectStock").''; 
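Review bot: In the `@@ -811,20` hunk the label swap leaves the first button block inconsistent: its permitted branches now print `$langs->trans("TransferStock")`, but the no-permission `else` of that same block still prints `$langs->trans("CorrectStock")`, so a user without `stock->mouvement->creer` sees "CorrectStock" twice and "TransferStock" never. Before the change the mismatch sat in the second block; the commit moved it rather than fixed it. The `else` of the first block should become `print ''.$langs->trans("TransferStock").'';` (with whatever disabled-button markup the neighbouring lines carry). The enclosing `if (empty($reshook))` block begins outside the hunk.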
@@ -850,28 +854,32 @@ if (!$variants) { print ''.$langs->trans("EstimatedStockValueShort").''; print ''.$langs->trans("SellPriceMin").''; print ''.$langs->trans("EstimatedStockValueSellShort").''; + print ''; + print ''; print ''; if ((!empty($conf->productbatch->enabled)) && $object->hasbatch()) { $colspan = 3; - print ''; - print ''.$langs->trans("batch_number").''; + print ''; + print ''.$langs->trans("batch_number").''; if (empty($conf->global->PRODUCT_DISABLE_EATBY)) { $colspan--; - print ''.$langs->trans("EatByDate").''; + print ''.$langs->trans("EatByDate").''; } if (empty($conf->global->PRODUCT_DISABLE_SELLBY)) { $colspan--; - print ''.$langs->trans("SellByDate").''; + print ''.$langs->trans("SellByDate").''; } print ''; print ''; print ''; print ''; print ''; + print ''; + print ''; print ''; } - $sql = "SELECT e.rowid, e.ref, e.lieu, e.fk_parent, e.statut, ps.reel, ps.rowid as product_stock_id, p.pmp"; + $sql = "SELECT e.rowid, e.ref, e.lieu, e.fk_parent, e.statut as status, ps.reel, ps.rowid as product_stock_id, p.pmp"; $sql .= " FROM ".MAIN_DB_PREFIX."entrepot as e,"; $sql .= " ".MAIN_DB_PREFIX."product_stock as ps"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = ps.fk_product"; @@ -901,7 +909,8 @@ if (!$variants) { $entrepotstatic->label = $obj->ref; $entrepotstatic->lieu = $obj->lieu; $entrepotstatic->fk_parent = $obj->fk_parent; - $entrepotstatic->statut = $obj->statut; + $entrepotstatic->statut = $obj->status; + $entrepotstatic->status = $obj->status; $stock_real = price2num($obj->reel, 'MS'); print ''; @@ -922,10 +931,13 @@ if (!$variants) { // Value sell print ''; if (empty($conf->global->PRODUIT_MULTIPRICES)) { - print price(price2num($object->price * $obj->reel, 'MT'), 1).''; + print price(price2num($object->price * $obj->reel, 'MT'), 1); } else { print $langs->trans("Variable"); } + print ''; + print ''; + print ''; print ''; $total += $obj->reel; if (price2num($object->pmp)) { 
@@ -967,16 +979,14 @@ if (!$variants) { print ''; print ''; print ''; - print ''; + print ''; + print ''; + print ''; + print ''; } else { - print "\n".''; - print img_picto($langs->trans("Tranfer"), 'uparrow', 'class="hideonsmartphone"').' '; - print 'id.'">'.$langs->trans("TransferStock").''; - // Disabled, because edition of stock content must use the "Correct stock menu". - // Do not use this, or data will be wrong (bad tracking of movement label, inventory code, ... - //print 'id.'#'.$pdluo->id.'">'; - //print img_edit().''; - print ''; + print "\n".''; + print ''; + print ''; print $product_lot_static->getNomUrl(1); print ''; $colspan = 3; @@ -990,6 +1000,30 @@ if (!$variants) { } print ''.$pdluo->qty.($pdluo->qty < 0 ? ' '.img_warning() : '').''; print ''; + print ''; + if ($entrepotstatic->status != $entrepotstatic::STATUS_CLOSED) { + print 'id.'">'; + print img_picto($langs->trans("TransferStock"), 'add', 'class="hideonsmartphone paddingright" style="color: #a69944"'); + print $langs->trans("TransferStock"); + print ''; + // Disabled, because edition of stock content must use the "Correct stock menu". + // Do not use this, or data will be wrong (bad tracking of movement label, inventory code, ... + //print 'id.'#'.$pdluo->id.'">'; + //print img_edit().''; + } + print ''; + print ''; + if ($entrepotstatic->status != $entrepotstatic::STATUS_CLOSED) { + print 'id.'">'; + print img_picto($langs->trans("CorrectStock"), 'add', 'class="hideonsmartphone paddingright" style="color: #a69944"'); + print $langs->trans("CorrectStock"); + print ''; + // Disabled, because edition of stock content must use the "Correct stock menu". + // Do not use this, or data will be wrong (bad tracking of movement label, inventory code, ... + //print 'id.'#'.$pdluo->id.'">'; + //print img_edit().''; + } + print ''; print ''; } } @@ -1025,6 +1059,8 @@ if (!$variants) { print $langs->trans("Variable"); } print ''; + print ''; + print ''; print ""; print ""; 
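Review bot: In the `@@ -990,6` hunk the four-line commented-out block ("Disabled, because edition of stock content must use the Correct stock menu …") is pasted twice, and the second copy sits inside the `CorrectStock` branch it tells the reader to use instead, which makes no sense there. Dead code in comments should be dropped rather than duplicated; keeping at most the one-line rationale in the `TransferStock` branch is enough. Both links also use the same `'add'` picto and the same inline `style="color: #a69944"`; if the intent is to visually distinguish transfer from correction, a dedicated class in the stylesheet would avoid repeating the inline style. The `@@ -967,16` hunk's `else` branch and the lot loop it belongs to start outside the hunk.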
diff --git a/htdocs/product/stock/stockatdate.php b/htdocs/product/stock/stockatdate.php index 5a3b0cb0a9c..bdac3a70f54 100644 --- a/htdocs/product/stock/stockatdate.php +++ b/htdocs/product/stock/stockatdate.php @@ -133,7 +133,7 @@ if ($date && $dateIsValid) { // Avoid heavy sql if mandatory date is not defined $sql .= " WHERE w.entity IN (".getEntity('stock').")"; $sql .= " AND w.rowid = ps.fk_entrepot"; if (!empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) { - $sql .= " AND w.statut IN (".$db->sanitize($db->escape(implode(',', $warehouseStatus))).")"; + $sql .= " AND w.statut IN (".$db->sanitize(implode(',', $warehouseStatus)).")"; } if ($productid > 0) { $sql .= " AND ps.fk_product = ".$productid; @@ -183,7 +183,7 @@ if ($date && $dateIsValid) { $sql .= " WHERE w.entity IN (".getEntity('stock').")"; $sql .= " AND w.rowid = sm.fk_entrepot"; if (!empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) { - $sql .= " AND w.statut IN (".$db->sanitize($db->escape(implode(',', $warehouseStatus))).")"; + $sql .= " AND w.statut IN (".$db->sanitize(implode(',', $warehouseStatus)).")"; } if ($mode == 'future') { $sql .= " AND sm.datem <= '".$db->idate($dateendofday)."'"; @@ -191,10 +191,10 @@ if ($date && $dateIsValid) { $sql .= " AND sm.datem >= '".$db->idate($date)."'"; } if ($productid > 0) { - $sql .= " AND sm.fk_product = ".$productid; + $sql .= " AND sm.fk_product = ".((int) $productid); } if ($fk_warehouse > 0) { - $sql .= " AND sm.fk_entrepot = ".$fk_warehouse; + $sql .= " AND sm.fk_entrepot = ".((int) $fk_warehouse); } $sql .= " GROUP BY sm.fk_product, sm.fk_entrepot"; $resql = $db->query($sql); diff --git a/htdocs/product/stock/tpl/stocktransfer.tpl.php b/htdocs/product/stock/tpl/stocktransfer.tpl.php index e98244e5eed..dcd19be4ad6 100644 --- a/htdocs/product/stock/tpl/stocktransfer.tpl.php +++ b/htdocs/product/stock/tpl/stocktransfer.tpl.php 
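Review bot: The `@@ -133,7` hunk of stockatdate.php still concatenates `$productid` raw (`$sql .= " AND ps.fk_product = ".$productid;`) while the `@@ -191,10` hunk of the same file casts it with `((int) $productid)`; the first site should get the same treatment: `$sql .= " AND ps.fk_product = ".((int) $productid);`. The same left-behind pattern appears in the context lines of projet/activity/index.php `@@ -454,7` (`p.fk_soc = ".$socid.")`), task.class.php `@@ -868,13` (`p.fk_soc = ".$socid`), projet/index.php `@@ -238,7` (`p.fk_soc = ".$socid.")`, fixed only in that file's `@@ -338,10` hunk) and projet/list.php `@@ -426,12` (`ecp.fk_socpeople = ".$search_project_user`, where `$search_sale` on the line above is cast but `$search_project_user` is not). These values are probably already read with an `'int'` GETPOST filter, but the explicit cast is what the rest of this commit relies on, and `$x > 0` alone is not a substitute for it. The enclosing `if ($date && $dateIsValid)` block starts outside every hunk of this file.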
@@ -72,7 +72,10 @@ print ''; if ($object->element == 'product') { print ''.$langs->trans("WarehouseSource").''; print ''; - print img_picto('', 'stock').$formproduct->selectWarehouses((GETPOST("dwid") ?GETPOST("dwid", 'int') : (GETPOST('id_entrepot') ?GETPOST('id_entrepot', 'int') : ($object->element == 'product' && $object->fk_default_warehouse ? $object->fk_default_warehouse : 'ifone'))), 'id_entrepot', 'warehouseopen,warehouseinternal', 1); + print img_picto('', 'stock'); + $selected = (GETPOST("dwid") ?GETPOST("dwid", 'int') : (GETPOST('id_entrepot') ?GETPOST('id_entrepot', 'int') : ($object->element == 'product' && $object->fk_default_warehouse ? $object->fk_default_warehouse : 'ifone'))); + $warehousestatus = 'warehouseopen,warehouseinternal'; + print $formproduct->selectWarehouses($selected, 'id_entrepot', $warehousestatus, 1); print ''; } if ($object->element == 'stock') { diff --git a/htdocs/projet/activity/index.php b/htdocs/projet/activity/index.php index c49ca736bbb..fe2188de904 100644 --- a/htdocs/projet/activity/index.php +++ b/htdocs/projet/activity/index.php @@ -454,7 +454,7 @@ if (empty($conf->global->PROJECT_HIDE_TASKS) && !empty($conf->global->PROJECT_SH $sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")"; // project i have permission on } if ($mine) { // this may duplicate record if we are contact twice - $sql .= " AND ect.fk_c_type_contact IN (".join(',', array_keys($listoftaskcontacttype)).") AND ect.element_id = t.rowid AND ect.fk_socpeople = ".$user->id; + $sql .= " AND ect.fk_c_type_contact IN (".$db->sanitize(join(',', array_keys($listoftaskcontacttype))).") AND ect.element_id = t.rowid AND ect.fk_socpeople = ".$user->id; } if ($socid) { $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")"; diff --git a/htdocs/projet/activity/perday.php b/htdocs/projet/activity/perday.php index 1309ae4455e..5b30d77ca21 100644 --- a/htdocs/projet/activity/perday.php +++ b/htdocs/projet/activity/perday.php 
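Review bot: In the stocktransfer.tpl.php hunk the new `$selected = (...)` line re-tests `$object->element == 'product'` although it is already inside `if ($object->element == 'product') {` two lines above, so that sub-condition is always true and can be dropped. The expression also reads each parameter twice, once unfiltered for the truth test and once with the `'int'` check; reading it once as `$w = GETPOST("dwid", 'int');` and then testing `$w` keeps the filtered value and the decision in step. Extracting `$selected` and `$warehousestatus` into named variables is an improvement; a short comment on what `'ifone'` means to `selectWarehouses()` would help the next reader, as it is not evident from this file.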
@@ -601,8 +601,10 @@ if (!empty($arrayfields['t.progress']['checked'])) { if ($usertoprocess->id == $user->id) print ''.$langs->trans("TimeSpentByYou").''; else print ''.$langs->trans("TimeSpentByUser").'';*/ print ''.$langs->trans("TimeSpent").'
'; +print ''; print 'Photo'; print ''.$langs->trans("Everybody").''; +print ''; print ''; print ''.$langs->trans("TimeSpent").($usertoprocess->firstname ? '
'.$usertoprocess->getNomUrl(-2).''.dol_trunc($usertoprocess->firstname, 10).'' : '').''; print ''.$langs->trans("HourStart").''; diff --git a/htdocs/projet/activity/permonth.php b/htdocs/projet/activity/permonth.php index d023dcc69d3..7f40ab1c9a1 100644 --- a/htdocs/projet/activity/permonth.php +++ b/htdocs/projet/activity/permonth.php @@ -491,9 +491,11 @@ print ''.$langs->trans("ProgressDeclared"). /*print ''.$langs->trans("TimeSpent").''; if ($usertoprocess->id == $user->id) print ''.$langs->trans("TimeSpentByYou").''; else print ''.$langs->trans("TimeSpentByUser").'';*/ -print ''.$langs->trans("TimeSpent").'
'; +print ''.$langs->trans("TimeSpent").'
'; +print ''; print 'Photo'; print ''.$langs->trans("Everybody").''; +print ''; print ''; print ''.$langs->trans("TimeSpent").($usertoprocess->firstname ? '
'.$usertoprocess->getNomUrl(-2).''.dol_trunc($usertoprocess->firstname, 10).'' : '').''; diff --git a/htdocs/projet/activity/perweek.php b/htdocs/projet/activity/perweek.php index 028bb97726c..b6cd2c04f10 100644 --- a/htdocs/projet/activity/perweek.php +++ b/htdocs/projet/activity/perweek.php @@ -657,9 +657,11 @@ if (!empty($arrayfields['t.progress']['checked'])) { /*print ''.$langs->trans("TimeSpent").''; if ($usertoprocess->id == $user->id) print ''.$langs->trans("TimeSpentByYou").''; else print ''.$langs->trans("TimeSpentByUser").'';*/ -print ''.$langs->trans("TimeSpent").'
'; +print ''.$langs->trans("TimeSpent").'
'; +print ''; print 'Photo'; print ''.$langs->trans("Everybody").''; +print ''; print ''; print ''.$langs->trans("TimeSpent").($usertoprocess->firstname ? '
'.$usertoprocess->getNomUrl(-2).''.dol_trunc($usertoprocess->firstname, 10).'' : '').''; diff --git a/htdocs/projet/card.php b/htdocs/projet/card.php index 5d0f197568c..916f23eb056 100644 --- a/htdocs/projet/card.php +++ b/htdocs/projet/card.php @@ -52,7 +52,7 @@ $status = GETPOST('status', 'int'); $opp_status = GETPOST('opp_status', 'int'); $opp_percent = price2num(GETPOST('opp_percent', 'alpha')); -if ($id == '' && $ref == '' && ($action != "create" && $action != "add" && $action != "update" && !$_POST["cancel"])) { +if ($id == '' && $ref == '' && ($action != "create" && $action != "add" && $action != "update" && !GETPOST("cancel"))) { accessforbidden(); } @@ -224,12 +224,10 @@ if (empty($reshook)) { if (empty($ref)) { $error++; - //$_GET["id"]=$_POST["id"]; // We return on the project card setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentities("Ref")), null, 'errors'); } - if (empty($_POST["title"])) { + if (!GETPOST("title")) { $error++; - //$_GET["id"]=$_POST["id"]; // We return on the project card setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentities("ProjectLabel")), null, 'errors'); } @@ -512,7 +510,7 @@ if ($action == 'create' && $user->rights->projet->creer) { } // Ref - $suggestedref = ($_POST["ref"] ? $_POST["ref"] : $defaultref); + $suggestedref = (GETPOST("ref") ? GETPOST("ref") : $defaultref); print ''.$langs->trans("Ref").''; print ' '.$form->textwithpicto('', $langs->trans("YouCanCompleteRef", $suggestedref)); print ''; 
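Review bot: In card.php `@@ -512,7` the replacement `$suggestedref = (GETPOST("ref") ? GETPOST("ref") : $defaultref);` calls GETPOST() twice and, like `GETPOST("cancel")` in `@@ -52,7` and `GETPOST("title")` in `@@ -224,12`, relies on the function's default check type rather than naming one; `$suggestedref` is later echoed through `YouCanCompleteRef`, so the filter applied to it matters. Spelling the check out and reading once, `$suggestedref = GETPOST("ref", 'alpha') ?: $defaultref;`, makes the sanitisation visible at the use site (the default check of GETPOST() is not shown in this chunk, so confirm it is at least as strict). The `if ($action == 'create' …)` block containing this hunk starts outside it.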
@@ -978,7 +976,7 @@ if ($action == 'create' && $user->rights->projet->creer) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0); - $object->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ? join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); diff --git a/htdocs/projet/class/api_projects.class.php b/htdocs/projet/class/api_projects.class.php index c650512c5dd..47536986a80 100644 --- a/htdocs/projet/class/api_projects.class.php +++ b/htdocs/projet/class/api_projects.class.php @@ -131,14 +131,14 @@ class Projects extends DolibarrApi $sql .= " AND t.fk_soc = sc.fk_soc"; } if ($socids) { - $sql .= " AND t.fk_soc IN (".$socids.")"; + $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")"; } if ($search_sale > 0) { $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale } // Insert sale filter if ($search_sale > 0) { - $sql .= " AND sc.fk_user = ".$search_sale; + $sql .= " AND sc.fk_user = ".((int) $search_sale); } // Select projects of given category if ($category > 0) { diff --git a/htdocs/projet/class/api_tasks.class.php b/htdocs/projet/class/api_tasks.class.php index 518b3576e34..748d9ce2594 100644 --- a/htdocs/projet/class/api_tasks.class.php +++ b/htdocs/projet/class/api_tasks.class.php 
@@ -135,14 +135,14 @@ class Tasks extends DolibarrApi $sql .= " AND t.fk_soc = sc.fk_soc"; } if ($socids) { - $sql .= " AND t.fk_soc IN (".$socids.")"; + $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")"; } if ($search_sale > 0) { $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale } // Insert sale filter if ($search_sale > 0) { - $sql .= " AND sc.fk_user = ".$search_sale; + $sql .= " AND sc.fk_user = ".((int) $search_sale); } // Add sql filters if ($sqlfilters) { diff --git a/htdocs/projet/class/project.class.php b/htdocs/projet/class/project.class.php index 137757eae1a..8bf9c727f4e 100644 --- a/htdocs/projet/class/project.class.php +++ b/htdocs/projet/class/project.class.php 
@@ -653,19 +653,19 @@ class Project extends CommonObject $ids = $this->id; if ($type == 'agenda') { - $sql = "SELECT id as rowid FROM ".MAIN_DB_PREFIX."actioncomm WHERE fk_project IN (".$ids.") AND entity IN (".getEntity('agenda').")"; + $sql = "SELECT id as rowid FROM ".MAIN_DB_PREFIX."actioncomm WHERE fk_project IN (".$this->db->sanitize($ids).") AND entity IN (".getEntity('agenda').")"; } elseif ($type == 'expensereport') { - $sql = "SELECT ed.rowid FROM ".MAIN_DB_PREFIX."expensereport as e, ".MAIN_DB_PREFIX."expensereport_det as ed WHERE e.rowid = ed.fk_expensereport AND e.entity IN (".getEntity('expensereport').") AND ed.fk_projet IN (".$ids.")"; + $sql = "SELECT ed.rowid FROM ".MAIN_DB_PREFIX."expensereport as e, ".MAIN_DB_PREFIX."expensereport_det as ed WHERE e.rowid = ed.fk_expensereport AND e.entity IN (".getEntity('expensereport').") AND ed.fk_projet IN (".$this->db->sanitize($ids).")"; } elseif ($type == 'project_task') { - $sql = "SELECT DISTINCT pt.rowid FROM ".MAIN_DB_PREFIX."projet_task as pt WHERE pt.fk_projet IN (".$ids.")"; + $sql = "SELECT DISTINCT pt.rowid FROM ".MAIN_DB_PREFIX."projet_task as pt WHERE pt.fk_projet IN (".$this->db->sanitize($ids).")"; } elseif ($type == 'project_task_time') { // Case we want to duplicate line foreach user - $sql = "SELECT DISTINCT pt.rowid, ptt.fk_user FROM ".MAIN_DB_PREFIX."projet_task as pt, ".MAIN_DB_PREFIX."projet_task_time as ptt WHERE pt.rowid = ptt.fk_task AND pt.fk_projet IN (".$ids.")"; + $sql = "SELECT DISTINCT pt.rowid, ptt.fk_user FROM ".MAIN_DB_PREFIX."projet_task as pt, ".MAIN_DB_PREFIX."projet_task_time as ptt WHERE pt.rowid = ptt.fk_task AND pt.fk_projet IN (".$this->db->sanitize($ids).")"; } elseif ($type == 'stock_mouvement') { - $sql = 'SELECT ms.rowid, ms.fk_user_author as fk_user FROM '.MAIN_DB_PREFIX."stock_mouvement as ms, ".MAIN_DB_PREFIX."entrepot as e WHERE e.rowid = ms.fk_entrepot AND e.entity IN (".getEntity('stock').") AND ms.origintype = 'project' AND ms.fk_origin IN (".$ids.") AND 
ms.type_mouvement = 1"; + $sql = 'SELECT ms.rowid, ms.fk_user_author as fk_user FROM '.MAIN_DB_PREFIX."stock_mouvement as ms, ".MAIN_DB_PREFIX."entrepot as e WHERE e.rowid = ms.fk_entrepot AND e.entity IN (".getEntity('stock').") AND ms.origintype = 'project' AND ms.fk_origin IN (".$this->db->sanitize($ids).") AND ms.type_mouvement = 1"; } elseif ($type == 'loan') { - $sql = 'SELECT l.rowid, l.fk_user_author as fk_user FROM '.MAIN_DB_PREFIX."loan as l WHERE l.entity IN (".getEntity('loan').") AND l.fk_projet IN (".$ids.")"; + $sql = 'SELECT l.rowid, l.fk_user_author as fk_user FROM '.MAIN_DB_PREFIX."loan as l WHERE l.entity IN (".getEntity('loan').") AND l.fk_projet IN (".$this->db->sanitize($ids).")"; } else { - $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX.$tablename." WHERE ".$projectkey." IN (".$ids.") AND entity IN (".getEntity($type).")"; + $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX.$tablename." WHERE ".$projectkey." IN (".$this->db->sanitize($ids).") AND entity IN (".getEntity($type).")"; } if ($dates > 0 && $type == 'loan') { @@ -1386,13 +1386,13 @@ class Project extends CommonObject if ($mode == 0) { $sql .= " AND ( p.public = 1"; - $sql .= " OR ( ec.fk_c_type_contact IN (".join(',', array_keys($listofprojectcontacttype)).")"; + $sql .= " OR ( ec.fk_c_type_contact IN (".$this->db->sanitize(join(',', array_keys($listofprojectcontacttype))).")"; $sql .= " AND ec.fk_socpeople = ".$user->id.")"; $sql .= " )"; } elseif ($mode == 1) { $sql .= " AND ec.element_id = p.rowid"; $sql .= " AND ("; - $sql .= " ( ec.fk_c_type_contact IN (".join(',', array_keys($listofprojectcontacttype)).")"; + $sql .= " ( ec.fk_c_type_contact IN (".$this->db->sanitize(join(',', array_keys($listofprojectcontacttype))).")"; $sql .= " AND ec.fk_socpeople = ".$user->id.")"; $sql .= " )"; } elseif ($mode == 2) { 
@@ -1974,7 +1974,7 @@ class Project extends CommonObject $sql .= " WHERE p.fk_statut = 1"; $sql .= " AND p.entity IN (".getEntity('project').')'; if (!empty($projectsListId)) { - $sql .= " AND p.rowid IN (".$projectsListId.")"; + $sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")"; } // No need to check company, as filtering of projects must be done by getProjectsAuthorizedForUser //if ($socid || ! $user->rights->societe->client->voir) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")"; @@ -2055,7 +2055,7 @@ class Project extends CommonObject $sql .= " p.entity IN (".getEntity('project').")"; if (!$user->rights->projet->all->lire) { $projectsListId = $this->getProjectsAuthorizedForUser($user, 0, 1); - $sql .= "AND p.rowid IN (".$projectsListId.")"; + $sql .= "AND p.rowid IN (".$this->db->sanitize($projectsListId).")"; } $resql = $this->db->query($sql); diff --git a/htdocs/projet/class/projectstats.class.php b/htdocs/projet/class/projectstats.class.php index 3ec82edf366..42c5ae2135f 100644 --- a/htdocs/projet/class/projectstats.class.php +++ b/htdocs/projet/class/projectstats.class.php @@ -180,11 +180,11 @@ class ProjectStats extends Stats } if (!empty($this->status)) { - $sqlwhere[] = " t.fk_opp_status IN (".$this->status.")"; + $sqlwhere[] = " t.fk_opp_status IN (".$this->db->sanitize($this->status).")"; } if (!$user->rights->projet->all->lire) { - $sqlwhere[] = " t.rowid IN (".$projectsListId.")"; // public and assigned to, or restricted to company for external users + $sqlwhere[] = " t.rowid IN (".$this->db->sanitize($projectsListId).")"; // public and assigned to, or restricted to company for external users } if (count($sqlwhere) > 0) { diff --git a/htdocs/projet/class/task.class.php b/htdocs/projet/class/task.class.php index 9a72124199c..091409539a8 100644 --- a/htdocs/projet/class/task.class.php +++ b/htdocs/projet/class/task.class.php 
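Review bot: In project.class.php `@@ -2055,7` the rewritten line keeps the pre-existing missing leading space, `$sql .= "AND p.rowid IN (".$this->db->sanitize($projectsListId).")";`, so it is appended directly after the `")"` of the `p.entity IN (...)` fragment on the previous line and yields `)AND p.rowid`. Most SQL engines accept that, but every sibling line in this commit starts its fragment with `" AND …"`; since the line is being touched anyway it should read `$sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")";`. The method containing it starts outside the hunk.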
@@ -868,13 +868,13 @@ class Task extends CommonObject $sql .= " AND p.fk_soc = ".$socid; } if ($projectid) { - $sql .= " AND p.rowid in (".$projectid.")"; + $sql .= " AND p.rowid IN (".$this->db->sanitize($projectid).")"; } if ($filteronproj) { $sql .= natural_search(array("p.ref", "p.title"), $filteronproj); } if ($filteronprojstatus && $filteronprojstatus != '-1') { - $sql .= " AND p.fk_statut IN (".$filteronprojstatus.")"; + $sql .= " AND p.fk_statut IN (".$this->db->sanitize($filteronprojstatus).")"; } if ($morewherefilter) { $sql .= $morewherefilter; @@ -1062,10 +1062,10 @@ class Task extends CommonObject $sql .= " AND ctc.source = 'internal'"; if ($projectid) { if ($userp) { - $sql .= " AND pt.rowid in (".$projectid.")"; + $sql .= " AND pt.rowid IN (".$this->db->sanitize($projectid).")"; } if ($usert) { - $sql .= " AND pt.fk_projet in (".$projectid.")"; + $sql .= " AND pt.fk_projet IN (".$this->db->sanitize($projectid).")"; } } if ($taskid) { @@ -1073,7 +1073,7 @@ class Task extends CommonObject $sql .= " ERROR SHOULD NOT HAPPENS"; } if ($usert) { - $sql .= " AND pt.rowid = ".$taskid; + $sql .= " AND pt.rowid = ".((int) $taskid); } } //print $sql; @@ -1266,10 +1266,10 @@ class Task extends CommonObject $sql .= $morewherefilter; } if ($id > 0) { - $sql .= " AND t.fk_task = ".$id; + $sql .= " AND t.fk_task = ".((int) $id); } if ($userid > 0) { - $sql .= " AND t.fk_user = ".$userid; + $sql .= " AND t.fk_user = ".((int) $userid); } dol_syslog(get_class($this)."::getSummaryOfTimeSpent", LOG_DEBUG); 
@@ -2002,12 +2002,12 @@ class Task extends CommonObject $sql .= " AND t.fk_projet = p.rowid"; $sql .= " AND (t.progress IS NULL OR t.progress < 100)"; // tasks to do if (!$user->rights->projet->all->lire) { - $sql .= " AND p.rowid IN (".$projectsListId.")"; + $sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")"; } // No need to check company, as filtering of projects must be done by getProjectsAuthorizedForUser //if ($socid || ! $user->rights->societe->client->voir) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")"; if ($socid) { - $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")"; + $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".((int) $socid).")"; } // No need to check company, as filtering of projects must be done by getProjectsAuthorizedForUser // if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND ((s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id.") OR (s.rowid IS NULL))"; @@ -2076,7 +2076,7 @@ class Task extends CommonObject $sql .= " WHERE p.entity IN (".getEntity('project', 0).')'; $sql .= " AND t.fk_projet = p.rowid"; // tasks to do if ($mine || !$user->rights->projet->all->lire) { - $sql .= " AND p.rowid IN (".$projectsListId.")"; + $sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")"; } // No need to check company, as filtering of projects must be done by getProjectsAuthorizedForUser //if ($socid || ! $user->rights->societe->client->voir) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")"; diff --git a/htdocs/projet/class/taskstats.class.php b/htdocs/projet/class/taskstats.class.php index d18950ec482..8a5234b956f 100644 --- a/htdocs/projet/class/taskstats.class.php +++ b/htdocs/projet/class/taskstats.class.php 
@@ -154,9 +154,8 @@ class TaskStats extends Stats if (!empty($this->yearmonth)) { $sqlwhere[] = " t.datec BETWEEN '".$this->db->idate(dol_get_first_day($this->yearmonth))."' AND '".$this->db->idate(dol_get_last_day($this->yearmonth))."'"; } - - if (!empty($this->status)) { - $sqlwhere[] = " t.priority IN (".$this->priority.")"; + if (!empty($this->priority)) { + $sqlwhere[] = " t.priority IN (".$this->db->sanitize($this->priority, 1).")"; } if (count($sqlwhere) > 0) { diff --git a/htdocs/projet/comment.php b/htdocs/projet/comment.php index ac00e0adfad..5ddd2cd163b 100644 --- a/htdocs/projet/comment.php +++ b/htdocs/projet/comment.php @@ -112,7 +112,7 @@ $morehtmlref .= '
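Review bot: In taskstats.class.php `@@ -154,9` the fix is right — the old code tested `$this->status` but interpolated `$this->priority`, so the filter could never apply to the value it checked — but the new `$this->db->sanitize($this->priority, 1)` is the only call in this whole commit that passes a second argument to sanitize(), and nothing nearby says why. A one-line comment above it naming the reason (for example that priority values are not plain integer lists, if that is the case — it cannot be confirmed from this chunk) would stop the next maintainer from "normalising" it back to the one-argument form used everywhere else. The method's signature and the `$sqlwhere` initialisation are outside the hunk.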
'; // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0); - $object->next_prev_filter = " rowid in (".(count($objectsListId) ? join(',', array_keys($objectsListId)) : '0').")"; + $object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ? join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($object, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref); diff --git a/htdocs/projet/contact.php b/htdocs/projet/contact.php index 8fc018ab8ab..fe434891fa9 100644 --- a/htdocs/projet/contact.php +++ b/htdocs/projet/contact.php @@ -300,7 +300,7 @@ if ($id > 0 || !empty($ref)) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0); - $object->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); diff --git a/htdocs/projet/document.php b/htdocs/projet/document.php index 795e10f2739..d7bcd722988 100644 --- a/htdocs/projet/document.php +++ b/htdocs/projet/document.php @@ -141,7 +141,7 @@ if ($object->id > 0) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0); - $object->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); 
diff --git a/htdocs/projet/element.php b/htdocs/projet/element.php index f72b1eba7d2..a71d8c4a602 100644 --- a/htdocs/projet/element.php +++ b/htdocs/projet/element.php @@ -222,7 +222,7 @@ $morehtmlref .= '
'; // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0); - $object->next_prev_filter = " te.rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $object->next_prev_filter = " te.rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); diff --git a/htdocs/projet/ganttview.php b/htdocs/projet/ganttview.php index b4dbc21e894..c5e5b20fb88 100644 --- a/htdocs/projet/ganttview.php +++ b/htdocs/projet/ganttview.php @@ -123,7 +123,7 @@ if (($id > 0 && is_numeric($id)) || !empty($ref)) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0); - $object->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); diff --git a/htdocs/projet/graph_opportunities.inc.php b/htdocs/projet/graph_opportunities.inc.php index cf8cc1dd34d..b6b4470dd15 100644 --- a/htdocs/projet/graph_opportunities.inc.php +++ b/htdocs/projet/graph_opportunities.inc.php 
@@ -23,10 +23,10 @@ if (!empty($conf->global->PROJECT_USE_OPPORTUNITIES)) { $sql .= " WHERE p.entity IN (".getEntity('project').")"; $sql .= " AND p.fk_statut = 1"; // Opend projects only if ($mine || empty($user->rights->projet->all->lire)) { - $sql .= " AND p.rowid IN (".$projectsListId.")"; + $sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")"; } - if ($socid) { - $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")"; + if ($socid > 0) { + $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".((int) $socid).")"; } $sql .= " GROUP BY p.fk_opp_status, cls.code"; $resql = $db->query($sql); diff --git a/htdocs/projet/index.php b/htdocs/projet/index.php index 600a246cf94..78e9d85aa1a 100644 --- a/htdocs/projet/index.php +++ b/htdocs/projet/index.php @@ -238,7 +238,7 @@ $sql .= " FROM ".MAIN_DB_PREFIX."projet as p"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s on p.fk_soc = s.rowid"; $sql .= " WHERE p.entity IN (".getEntity('project').")"; if ($mine || empty($user->rights->projet->all->lire)) { - $sql .= " AND p.rowid IN (".$projectsListId.")"; // If we have this test true, it also means projectset is not 2 + $sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")"; // If we have this test true, it also means projectset is not 2 } if ($socid) { $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")"; 
@@ -338,10 +338,10 @@ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s on p.fk_soc = s.rowid"; $sql .= " WHERE p.entity IN (".getEntity('project').")"; $sql .= " AND p.fk_statut = 1"; if ($mine || empty($user->rights->projet->all->lire)) { - $sql .= " AND p.rowid IN (".$projectsListId.")"; // If we have this test true, it also means projectset is not 2 + $sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")"; // If we have this test true, it also means projectset is not 2 } -if ($socid) { - $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")"; +if ($socid > 0) { + $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".((int) $socid).")"; } $sql .= " GROUP BY s.rowid, s.nom, s.name_alias, s.code_client, s.code_compta, s.client, s.code_fournisseur, s.code_compta_fournisseur, s.fournisseur, s.logo, s.email, s.entity, s.canvas, s.status"; $sql .= $db->order($sortfield, $sortorder); diff --git a/htdocs/projet/info.php b/htdocs/projet/info.php index d99da02caa6..b8c6ae046cf 100644 --- a/htdocs/projet/info.php +++ b/htdocs/projet/info.php @@ -136,7 +136,7 @@ $morehtmlref .= '
'; // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0); - $object->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); diff --git a/htdocs/projet/list.php b/htdocs/projet/list.php index e6b381a6650..e907ab3b06e 100644 --- a/htdocs/projet/list.php +++ b/htdocs/projet/list.php @@ -370,11 +370,11 @@ if (!empty($conf->categorie->enabled)) { $sql .= Categorie::getFilterSelectQuery(Categorie::TYPE_PROJECT, "p.rowid", $search_category_array); } if (!$user->rights->projet->all->lire) { - $sql .= " AND p.rowid IN (".$projectsListId.")"; // public and assigned to, or restricted to company for external users + $sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")"; // public and assigned to, or restricted to company for external users } // No need to check if company is external user, as filtering of projects must be done by getProjectsAuthorizedForUser if ($socid > 0) { - $sql .= " AND (p.fk_soc = ".$socid.")"; // This filter if when we use a hard coded filter on company on url (not related to filter for external users) + $sql .= " AND (p.fk_soc = ".((int) $socid).")"; // This filter if when we use a hard coded filter on company on url (not related to filter for external users) } if ($search_ref) { $sql .= natural_search('p.ref', $search_ref); 
@@ -414,7 +414,7 @@ if ($search_opp_status) { $sql .= " AND p.fk_opp_status IS NOT NULL AND p.fk_opp_status <> -1 AND p.fk_opp_status NOT IN (SELECT rowid FROM ".MAIN_DB_PREFIX."c_lead_status WHERE code IN ('WON','LOST'))"; } if ($search_opp_status == 'notopenedopp') { - $sql .= " AND (p.fk_opp_status IS NULL OR p.fk_opp_status = -1 OR p.fk_opp_status IN (SELECT rowid FROM ".MAIN_DB_PREFIX."c_lead_status WHERE code IN ('WON')))"; + $sql .= " AND (p.fk_opp_status IS NULL OR p.fk_opp_status = -1 OR p.fk_opp_status IN (SELECT rowid FROM ".MAIN_DB_PREFIX."c_lead_status WHERE code = 'WON'))"; } if ($search_opp_status == 'none') { $sql .= " AND (p.fk_opp_status IS NULL OR p.fk_opp_status = -1)"; @@ -426,12 +426,12 @@ if ($search_public != '') { // For external user, no check is done on company permission because readability is managed by public status of project and assignement. //if ($socid > 0) $sql.= " AND s.rowid = ".$socid; if ($search_sale > 0) { - $sql .= " AND sc.fk_user = ".$search_sale; + $sql .= " AND sc.fk_user = ".((int) $search_sale); } // No check is done on company permission because readability is managed by public status of project and assignement. //if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND ((s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id.") OR (s.rowid IS NULL))"; if ($search_project_user > 0) { - $sql .= " AND ecp.fk_c_type_contact IN (".join(',', array_keys($listofprojectcontacttype)).") AND ecp.element_id = p.rowid AND ecp.fk_socpeople = ".$search_project_user; + $sql .= " AND ecp.fk_c_type_contact IN (".$db->sanitize(join(',', array_keys($listofprojectcontacttype))).") AND ecp.element_id = p.rowid AND ecp.fk_socpeople = ".$search_project_user; } if ($search_opp_amount != '') { $sql .= natural_search('p.opp_amount', $search_opp_amount, 1); diff --git a/htdocs/projet/note.php b/htdocs/projet/note.php index a1ef737ddc7..8b65156570a 100644 --- a/htdocs/projet/note.php +++ b/htdocs/projet/note.php 
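Review bot: `ecp.fk_socpeople = ".$search_project_user` at the end of the `$search_project_user > 0` branch is still concatenated uncast, while the `$search_sale` line three lines above gets `((int) ...)`; the `> 0` guard does not guarantee an integer, because a string that merely starts with a digit compares greater than 0 in both PHP 7 and PHP 8, so unless `$search_project_user` is read with the `'int'` filter further up the file this remains a raw request value inside SQL. Change it to `" AND ecp.fk_socpeople = ".((int) $search_project_user);`. The same pattern is in projet/tasks/list.php at the `@@ -389` hunk for both `$search_project_user` and `$search_task_user`. The enclosing query-building block starts outside the hunk.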
@@ -101,7 +101,7 @@ if ($id > 0 || !empty($ref)) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0); - $object->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); diff --git a/htdocs/projet/tasks.php b/htdocs/projet/tasks.php index 07724753f2d..df4a94b6dfd 100644 --- a/htdocs/projet/tasks.php +++ b/htdocs/projet/tasks.php @@ -297,7 +297,7 @@ if ($action == 'createtask' && $user->rights->projet->creer) { $taskid = $task->create($user); if ($taskid > 0) { - $result = $task->add_contact($_POST["userid"], 'TASKEXECUTIVE', 'internal'); + $result = $task->add_contact(GETPOST("userid", 'int'), 'TASKEXECUTIVE', 'internal'); } else { if ($db->lasterrno() == 'DB_ERROR_RECORD_ALREADY_EXISTS') { $langs->load("projects"); @@ -450,7 +450,7 @@ if ($id > 0 || !empty($ref)) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0); - $object->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); diff --git a/htdocs/projet/tasks/comment.php b/htdocs/projet/tasks/comment.php index 8ce97133493..c0ebc6850cc 100644 --- a/htdocs/projet/tasks/comment.php +++ b/htdocs/projet/tasks/comment.php 
@@ -135,7 +135,7 @@ if ($id > 0 || !empty($ref)) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0); - $projectstatic->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $projectstatic->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ? join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref); @@ -289,7 +289,7 @@ if ($id > 0 || !empty($ref)) { if (!GETPOST('withproject') || empty($projectstatic->id)) { $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1); - $object->next_prev_filter = " fk_projet in (".$projectsListId.")"; + $object->next_prev_filter = " fk_projet IN (".$db->sanitize($projectsListId).")"; } else { $object->next_prev_filter = " fk_projet = ".$projectstatic->id; } diff --git a/htdocs/projet/tasks/contact.php b/htdocs/projet/tasks/contact.php index 7916c236fb3..c6a7fcb3b45 100644 --- a/htdocs/projet/tasks/contact.php +++ b/htdocs/projet/tasks/contact.php @@ -197,7 +197,7 @@ if ($id > 0 || !empty($ref)) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0); - $projectstatic->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $projectstatic->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref); 
@@ -320,7 +320,7 @@ if ($id > 0 || !empty($ref)) { if (!GETPOST('withproject') || empty($projectstatic->id)) { $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1); - $object->next_prev_filter = " fk_projet in (".$projectsListId.")"; + $object->next_prev_filter = " fk_projet IN (".$db->sanitize($projectsListId).")"; } else { $object->next_prev_filter = " fk_projet = ".$projectstatic->id; } diff --git a/htdocs/projet/tasks/document.php b/htdocs/projet/tasks/document.php index afa63f7eee4..967cc0438da 100644 --- a/htdocs/projet/tasks/document.php +++ b/htdocs/projet/tasks/document.php @@ -154,7 +154,7 @@ if ($object->id > 0) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0); - $projectstatic->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $projectstatic->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref); @@ -278,7 +278,7 @@ if ($object->id > 0) { if (!GETPOST('withproject') || empty($projectstatic->id)) { $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1); - $object->next_prev_filter = " fk_projet in (".$projectsListId.")"; + $object->next_prev_filter = " fk_projet IN (".$db->sanitize($projectsListId).")"; } else { $object->next_prev_filter = " fk_projet = ".$projectstatic->id; } diff --git a/htdocs/projet/tasks/list.php b/htdocs/projet/tasks/list.php index 57f9ec2b24f..801c792cf7d 100644 --- a/htdocs/projet/tasks/list.php +++ b/htdocs/projet/tasks/list.php 
@@ -334,17 +334,17 @@ if ($search_task_user > 0) { $sql .= " WHERE t.fk_projet = p.rowid"; $sql .= " AND p.entity IN (".getEntity('project').')'; if (!$user->rights->projet->all->lire) { - $sql .= " AND p.rowid IN (".($projectsListId ? $projectsListId : '0').")"; // public and assigned to projects, or restricted to company for external users + $sql .= " AND p.rowid IN (".$db->sanitize($projectsListId ? $projectsListId : '0').")"; // public and assigned to projects, or restricted to company for external users } if (is_object($projectstatic) && $projectstatic->id > 0) { - $sql .= " AND p.rowid = ".$projectstatic->id; + $sql .= " AND p.rowid = ".((int) $projectstatic->id); } // No need to check company, as filtering of projects must be done by getProjectsAuthorizedForUser if ($socid) { - $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")"; + $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".((int) $socid).")"; } if ($search_categ > 0) { - $sql .= " AND cs.fk_categorie = ".$db->escape($search_categ); + $sql .= " AND cs.fk_categorie = ".((int) $search_categ); } if ($search_categ == -2) { $sql .= " AND cs.fk_categorie IS NULL"; 
@@ -389,10 +389,10 @@ if ($search_public != '') { $sql .= " AND p.public = ".$db->escape($search_public); } if ($search_project_user > 0) { - $sql .= " AND ecp.fk_c_type_contact IN (".join(',', array_keys($listofprojectcontacttype)).") AND ecp.element_id = p.rowid AND ecp.fk_socpeople = ".$search_project_user; + $sql .= " AND ecp.fk_c_type_contact IN (".$db->sanitize(join(',', array_keys($listofprojectcontacttype))).") AND ecp.element_id = p.rowid AND ecp.fk_socpeople = ".$search_project_user; } if ($search_task_user > 0) { - $sql .= " AND ect.fk_c_type_contact IN (".join(',', array_keys($listoftaskcontacttype)).") AND ect.element_id = t.rowid AND ect.fk_socpeople = ".$search_task_user; + $sql .= " AND ect.fk_c_type_contact IN (".$db->sanitize(join(',', array_keys($listoftaskcontacttype))).") AND ect.element_id = t.rowid AND ect.fk_socpeople = ".$search_task_user; } // Add where from extra fields include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_list_search_sql.tpl.php'; diff --git a/htdocs/projet/tasks/note.php b/htdocs/projet/tasks/note.php index 2452cc71d86..4d581afc30a 100644 --- a/htdocs/projet/tasks/note.php +++ b/htdocs/projet/tasks/note.php @@ -129,7 +129,7 @@ if ($object->id > 0) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0); - $projectstatic->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $projectstatic->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref); 
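Review bot: `" AND p.public = ".$db->escape($search_public)` two lines above the changed lines relies on `escape()` for an unquoted numeric comparison; escaping only neutralises quote characters, so it gives no protection to a bare value in SQL, and the `!= ''` guard accepts any non-empty string. Unless `$search_public` is already read with the `'int'` filter, cast it as this commit does elsewhere: `$sql .= " AND p.public = ".((int) $search_public);`. The uncast `$search_project_user` / `$search_task_user` tails of the two changed lines are covered by the note on projet/list.php. The enclosing query-building block starts outside the hunk.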
@@ -247,7 +247,7 @@ if ($object->id > 0) { if (!GETPOST('withproject') || empty($projectstatic->id)) { $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1); - $object->next_prev_filter = " fk_projet in (".$projectsListId.")"; + $object->next_prev_filter = " fk_projet IN (".$db->sanitize($projectsListId).")"; } else { $object->next_prev_filter = " fk_projet = ".$projectstatic->id; } diff --git a/htdocs/projet/tasks/task.php b/htdocs/projet/tasks/task.php index 828b32c599f..0f6b67a0482 100644 --- a/htdocs/projet/tasks/task.php +++ b/htdocs/projet/tasks/task.php @@ -73,14 +73,14 @@ if ($reshook < 0) { * Actions */ -if ($action == 'update' && !$_POST["cancel"] && $user->rights->projet->creer) { +if ($action == 'update' && !GETPOST("cancel") && $user->rights->projet->creer) { $error = 0; if (empty($taskref)) { $error++; setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentities("Ref")), null, 'errors'); } - if (empty($_POST["label"])) { + if (!GETPOST("label")) { $error++; setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentities("Label")), null, 'errors'); } @@ -240,7 +240,7 @@ if ($id > 0 || !empty($ref)) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0); - $projectstatic->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $projectstatic->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref); 
@@ -479,7 +479,7 @@ if ($id > 0 || !empty($ref)) { if (!GETPOST('withproject') || empty($projectstatic->id)) { $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1); - $object->next_prev_filter = " fk_projet in (".$projectsListId.")"; + $object->next_prev_filter = " fk_projet IN (".$db->sanitize($projectsListId).")"; } else { $object->next_prev_filter = " fk_projet = ".$projectstatic->id; } diff --git a/htdocs/projet/tasks/time.php b/htdocs/projet/tasks/time.php index eb1c394d8cf..2fb226b5eb2 100644 --- a/htdocs/projet/tasks/time.php +++ b/htdocs/projet/tasks/time.php @@ -158,7 +158,7 @@ if ($action == 'addtimespent' && $user->rights->projet->lire) { setEventMessages($langs->trans('ErrorFieldRequired', $langs->transnoentitiesnoconv("Duration")), null, 'errors'); $error++; } - if (empty($_POST["userid"])) { + if (!GETPOST("userid", 'int')) { $langs->load("errors"); setEventMessages($langs->trans('ErrorUserNotAssignedToTask'), null, 'errors'); $error++; 
@@ -185,19 +185,19 @@ if ($action == 'addtimespent' && $user->rights->projet->lire) { $action = 'createtime'; $error++; } else { - $object->timespent_note = $_POST["timespent_note"]; + $object->timespent_note = GETPOST("timespent_note"); if (GETPOST('progress', 'int') > 0) { $object->progress = GETPOST('progress', 'int'); // If progress is -1 (not defined), we do not change value } - $object->timespent_duration = $_POST["timespent_durationhour"] * 60 * 60; // We store duration in seconds - $object->timespent_duration += ($_POST["timespent_durationmin"] ? $_POST["timespent_durationmin"] : 0) * 60; // We store duration in seconds + $object->timespent_duration = GETPOST("timespent_durationhour") * 60 * 60; // We store duration in seconds + $object->timespent_duration += (GETPOST("timespent_durationmin") ? GETPOST("timespent_durationmin") : 0) * 60; // We store duration in seconds if (GETPOST("timehour") != '' && GETPOST("timehour") >= 0) { // If hour was entered $object->timespent_date = dol_mktime(GETPOST("timehour"), GETPOST("timemin"), 0, GETPOST("timemonth"), GETPOST("timeday"), GETPOST("timeyear")); $object->timespent_withhour = 1; } else { $object->timespent_date = dol_mktime(12, 0, 0, GETPOST("timemonth"), GETPOST("timeday"), GETPOST("timeyear")); } - $object->timespent_fk_user = $_POST["userid"]; + $object->timespent_fk_user = GETPOST("userid", 'int'); $result = $object->addTimeSpent($user); if ($result >= 0) { setEventMessages($langs->trans("RecordSaved"), null, 'mesgs'); 
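Review bot: `GETPOST("timespent_durationhour") * 60 * 60` and the `timespent_durationmin` ternary below it read the values without a filter and multiply the raw string, while `GETPOST('progress', 'int')` two lines earlier shows the intended idiom; on PHP 8 a non-numeric string in an arithmetic operator raises a TypeError instead of being treated as 0. Use `GETPOST("timespent_durationhour", 'int')` and `GETPOST("timespent_durationmin", 'int')`, and keep a `?: 0`-style fallback on both so an empty field never reaches the multiplication. The same untyped reads of `new_durationhour`, `new_durationmin` and `old_duration` appear in the `@@ -233` and `@@ -255` hunks of this file. The enclosing `addtimespent` action block starts outside the hunk.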
@@ -233,17 +233,17 @@ if (($action == 'updateline' || $action == 'updatesplitline') && !$cancel && $us $result = $object->delTimeSpent($user); $object->fetch($id, $ref); - $object->timespent_note = $_POST["timespent_note_line"]; - $object->timespent_old_duration = $_POST["old_duration"]; - $object->timespent_duration = $_POST["new_durationhour"] * 60 * 60; // We store duration in seconds - $object->timespent_duration += ($_POST["new_durationmin"] ? $_POST["new_durationmin"] : 0) * 60; // We store duration in seconds + $object->timespent_note = GETPOST("timespent_note_line"); + $object->timespent_old_duration = GETPOST("old_duration"); + $object->timespent_duration = GETPOST("new_durationhour") * 60 * 60; // We store duration in seconds + $object->timespent_duration += (GETPOST("new_durationmin") ? GETPOST("new_durationmin") : 0) * 60; // We store duration in seconds if (GETPOST("timelinehour") != '' && GETPOST("timelinehour") >= 0) { // If hour was entered $object->timespent_date = dol_mktime(GETPOST("timelinehour"), GETPOST("timelinemin"), 0, GETPOST("timelinemonth"), GETPOST("timelineday"), GETPOST("timelineyear")); $object->timespent_withhour = 1; } else { $object->timespent_date = dol_mktime(12, 0, 0, GETPOST("timelinemonth"), GETPOST("timelineday"), GETPOST("timelineyear")); } - $object->timespent_fk_user = $_POST["userid_line"]; + $object->timespent_fk_user = GETPOST("userid_line", 'int'); $result = $object->addTimeSpent($user); if ($result >= 0) { setEventMessages($langs->trans("RecordSaved"), null, 'mesgs'); 
@@ -255,18 +255,18 @@ if (($action == 'updateline' || $action == 'updatesplitline') && !$cancel && $us $object->fetch($id, $ref); // TODO Check that ($task_time->fk_user == $user->id || in_array($task_time->fk_user, $childids)) - $object->timespent_id = $_POST["lineid"]; - $object->timespent_note = $_POST["timespent_note_line"]; - $object->timespent_old_duration = $_POST["old_duration"]; - $object->timespent_duration = $_POST["new_durationhour"] * 60 * 60; // We store duration in seconds - $object->timespent_duration += ($_POST["new_durationmin"] ? $_POST["new_durationmin"] : 0) * 60; // We store duration in seconds + $object->timespent_id = GETPOST("lineid", 'int'); + $object->timespent_note = GETPOST("timespent_note_line"); + $object->timespent_old_duration = GETPOST("old_duration"); + $object->timespent_duration = GETPOST("new_durationhour") * 60 * 60; // We store duration in seconds + $object->timespent_duration += (GETPOST("new_durationmin") ? GETPOST("new_durationmin") : 0) * 60; // We store duration in seconds if (GETPOST("timelinehour") != '' && GETPOST("timelinehour") >= 0) { // If hour was entered $object->timespent_date = dol_mktime(GETPOST("timelinehour"), GETPOST("timelinemin"), 0, GETPOST("timelinemonth"), GETPOST("timelineday"), GETPOST("timelineyear")); $object->timespent_withhour = 1; } else { $object->timespent_date = dol_mktime(12, 0, 0, GETPOST("timelinemonth"), GETPOST("timelineday"), GETPOST("timelineyear")); } - $object->timespent_fk_user = $_POST["userid_line"]; + $object->timespent_fk_user = GETPOST("userid_line", 'int'); $result = $object->updateTimeSpent($user); if ($result >= 0) { 
@@ -429,7 +429,7 @@ if ($action == 'confirm_generateinvoice') { // Update lineid into line of timespent $sql = 'UPDATE '.MAIN_DB_PREFIX.'projet_task_time SET invoice_line_id = '.$lineid.', invoice_id = '.$tmpinvoice->id; - $sql .= ' WHERE rowid in ('.join(',', $toselect).') AND fk_user = '.$userid; + $sql .= ' WHERE rowid IN ('.$db->sanitize(join(',', $toselect)).') AND fk_user = '.((int) $userid); $result = $db->query($sql); if (!$result) { $error++; @@ -468,7 +468,7 @@ if ($action == 'confirm_generateinvoice') { // Update lineid into line of timespent $sql = 'UPDATE '.MAIN_DB_PREFIX.'projet_task_time SET invoice_line_id = '.$lineid.', invoice_id = '.$tmpinvoice->id; - $sql .= ' WHERE rowid in ('.join(',', $toselect).') AND fk_user = '.$userid; + $sql .= ' WHERE rowid IN ('.$db->sanitize(join(',', $toselect)).') AND fk_user = '.((int) $userid); $result = $db->query($sql); if (!$result) { $error++; @@ -504,7 +504,7 @@ if ($action == 'confirm_generateinvoice') { // Update lineid into line of timespent $sql = 'UPDATE '.MAIN_DB_PREFIX.'projet_task_time SET invoice_line_id = '.$lineid.', invoice_id = '.$tmpinvoice->id; - $sql .= ' WHERE rowid in ('.join(',', $toselect).')'; + $sql .= ' WHERE rowid IN ('.$db->sanitize(join(',', $toselect)).')'; $result = $db->query($sql); if (!$result) { $error++; @@ -600,7 +600,7 @@ if (($id > 0 || !empty($ref)) || $projectidforalltimes > 0) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0); - $projectstatic->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $projectstatic->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref); 
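Review bot: In the rewritten UPDATE the `fk_user` operand is now cast, but `$lineid` and `$tmpinvoice->id` on the preceding `$sql =` line are still concatenated raw; they look like values returned by the invoice object rather than request input, so the risk is low, but the statement is half-hardened and `((int) $lineid)` / `((int) $tmpinvoice->id)` would make it uniform. The same UPDATE is repeated verbatim in the `@@ -468` and `@@ -504` hunks of this file; a small local function building it from `$toselect`, `$lineid`, `$tmpinvoice->id` and an optional `$userid` would stop the three copies drifting apart. The enclosing `confirm_generateinvoice` action block starts outside the hunk.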
@@ -761,7 +761,7 @@ if (($id > 0 || !empty($ref)) || $projectidforalltimes > 0) { if (!GETPOST('withproject') || empty($projectstatic->id)) { $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1); - $object->next_prev_filter = " fk_projet in (".$projectsListId.")"; + $object->next_prev_filter = " fk_projet IN (".$db->sanitize($projectsListId).")"; } else { $object->next_prev_filter = " fk_projet = ".$projectstatic->id; } @@ -1036,7 +1036,7 @@ if (($id > 0 || !empty($ref)) || $projectidforalltimes > 0) { if (empty($projectidforalltimes)) { $sql .= " AND t.fk_task =".$object->id; } else { - $sql .= " AND pt.fk_projet IN (".$projectidforalltimes.")"; + $sql .= " AND pt.fk_projet IN (".$db->sanitize($projectidforalltimes).")"; } if ($search_note) { $sql .= natural_search('t.note', $search_note); @@ -1141,7 +1141,6 @@ if (($id > 0 || !empty($ref)) || $projectidforalltimes > 0) { // Date print ''; - //$newdate=dol_mktime(12,0,0,$_POST["timemonth"],$_POST["timeday"],$_POST["timeyear"]); $newdate = ''; print $form->selectDate($newdate, 'time', ($conf->browser->layout == 'phone' ? 2 : 1), 1, 2, "timespent_date", 1, 0); print ''; diff --git a/htdocs/public/opensurvey/studs.php b/htdocs/public/opensurvey/studs.php index 90dab0379ff..5f5446ae3f1 100644 --- a/htdocs/public/opensurvey/studs.php +++ b/htdocs/public/opensurvey/studs.php @@ -203,7 +203,6 @@ if ($testmodifier) { //var_dump($_POST);exit; $nouveauchoix = ''; for ($i = 0; $i < $nbcolonnes; $i++) { - //var_dump($_POST["choix$i"]); if (GETPOSTISSET("choix".$i) && GETPOST("choix".$i) == '1') { $nouveauchoix .= "1"; } elseif (GETPOSTISSET("choix".$i) && GETPOST("choix".$i) == '2') { 
@@ -217,7 +216,7 @@ if ($testmodifier) { accessforbidden('', 0, 0, 1); } - $idtomodify = $_POST["idtomodify".$modifier]; + $idtomodify = GETPOST("idtomodify".$modifier); $sql = 'UPDATE '.MAIN_DB_PREFIX."opensurvey_user_studs"; $sql .= " SET reponses = '".$db->escape($nouveauchoix)."'"; $sql .= " WHERE id_users = '".$db->escape($idtomodify)."'"; diff --git a/htdocs/public/project/new.php b/htdocs/public/project/new.php index f25843f69e4..048df9c41b3 100644 --- a/htdocs/public/project/new.php +++ b/htdocs/public/project/new.php @@ -223,11 +223,11 @@ if (empty($reshook) && $action == 'add') { $error++; $errmsg .= $langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv('Nature'))."
\n"; } - if (empty($_POST["lastname"])) { + if (!GETPOST("lastname")) { $error++; $errmsg .= $langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Lastname"))."
\n"; } - if (empty($_POST["firstname"])) { + if (!GETPOST("firstname")) { $error++; $errmsg .= $langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Firstname"))."
\n"; } diff --git a/htdocs/public/recruitment/index.php b/htdocs/public/recruitment/index.php index c7381059a39..5118f7ebfc0 100644 --- a/htdocs/public/recruitment/index.php +++ b/htdocs/public/recruitment/index.php @@ -261,7 +261,7 @@ if ($display_ticket_list) { $sql .= ' AND '.$key.' = \''.$value.'\''; } elseif ($key == 't.fk_statut') { if (is_array($value) && count($value) > 0) { - $sql .= 'AND '.$key.' IN ('.implode(',', $value).')'; + $sql .= 'AND '.$key.' IN ('.$db->sanitize(implode(',', $value)).')'; } else { $sql .= ' AND '.$key.' = '.$db->escape($value); } diff --git a/htdocs/public/ticket/create_ticket.php b/htdocs/public/ticket/create_ticket.php index 5b7ba4ecf22..85b40430d4c 100644 --- a/htdocs/public/ticket/create_ticket.php +++ b/htdocs/public/ticket/create_ticket.php @@ -392,7 +392,7 @@ if ($action != "infos_success") { print '
'; } else { print '
'.$langs->trans('TicketPublicInfoCreateTicket').'
'; - $formticket->showForm(); + $formticket->showForm(0, 'edit', 1); } } diff --git a/htdocs/public/ticket/index.php b/htdocs/public/ticket/index.php index 81d13832ca4..31ee838f6f5 100644 --- a/htdocs/public/ticket/index.php +++ b/htdocs/public/ticket/index.php @@ -82,9 +82,9 @@ llxHeaderTicket($langs->trans("Tickets"), "", 0, 0, $arrayofjs, $arrayofcss); print ''; diff --git a/htdocs/public/ticket/list.php b/htdocs/public/ticket/list.php index befeee00a7b..125aa5acd82 100644 --- a/htdocs/public/ticket/list.php +++ b/htdocs/public/ticket/list.php @@ -364,7 +364,7 @@ if ($action == "view_ticketlist") { $sql .= " AND ".$key." = '".$db->escape($value)."'"; } elseif ($key == 't.fk_statut') { if (is_array($value) && count($value) > 0) { - $sql .= 'AND '.$key.' IN ('.implode(',', $value).')'; + $sql .= 'AND '.$key.' IN ('.$db->sanitize(implode(',', $value)).')'; } else { $sql .= ' AND '.$key.' = '.$db->escape($value); } @@ -432,7 +432,7 @@ if ($action == "view_ticketlist") { if (!empty($arrayfields['category.code']['checked'])) { print ''; - $formTicket->selectGroupTickets($search_category, 'search_category', '', 2, 1, 1); + $formTicket->selectGroupTickets($search_category, 'search_category', 'public=1', 2, 1, 1); print ''; } diff --git a/htdocs/reception/card.php b/htdocs/reception/card.php index 83701e59e40..bbfccb3b945 100644 --- a/htdocs/reception/card.php +++ b/htdocs/reception/card.php @@ -317,11 +317,16 @@ if (empty($reshook)) { //var_dump($_POST);exit; for ($i = 1; $i <= $num; $i++) { $lineToTest = ''; + $lineId = GETPOST($idl, 'int'); foreach ($objectsrc->lines as $linesrc) { - if ($linesrc->id == GETPOST($idl, 'int')) { + if ($linesrc->id == $lineId) { $lineToTest = $linesrc; + break; } } + if (empty($lineToTest)) { + continue; + } $qty = "qtyl".$i; $comment = "comment".$i; $eatby = "dlc".$i; 
@@ -340,7 +345,7 @@ if (empty($reshook)) { if ($entrepot_id < 0) { $entrepot_id = ''; } - if (!($linesrc->fk_product > 0) && empty($conf->global->STOCK_SUPPORTS_SERVICES)) { + if (!($lineToTest->fk_product > 0) && empty($conf->global->STOCK_SUPPORTS_SERVICES)) { $entrepot_id = 0; } $eatby = GETPOST($eatby, 'alpha'); diff --git a/htdocs/reception/list.php b/htdocs/reception/list.php index 661c14c9d01..b77742dd71d 100644 --- a/htdocs/reception/list.php +++ b/htdocs/reception/list.php @@ -472,10 +472,10 @@ if ($search_state) { $sql .= natural_search("state.nom", $search_state); } if ($search_country) { - $sql .= " AND s.fk_pays IN (".$search_country.')'; + $sql .= " AND s.fk_pays IN (".$db->sanitize($search_country).')'; } if ($search_type_thirdparty != '' && $search_type_thirdparty > 0) { - $sql .= " AND s.fk_typent IN (".$search_type_thirdparty.')'; + $sql .= " AND s.fk_typent IN (".$db->sanitize($search_type_thirdparty).')'; } if ($search_ref_rcp) { $sql .= natural_search('e.ref', $search_ref_rcp); diff --git a/htdocs/recruitment/class/recruitmentcandidature.class.php b/htdocs/recruitment/class/recruitmentcandidature.class.php index 99ac555ba8e..db9c4eaaa4a 100644 --- a/htdocs/recruitment/class/recruitmentcandidature.class.php +++ b/htdocs/recruitment/class/recruitmentcandidature.class.php 
@@ -106,7 +106,7 @@ class RecruitmentCandidature extends CommonObject 'rowid' => array('type'=>'integer', 'label'=>'TechnicalID', 'enabled'=>'1', 'position'=>1, 'notnull'=>1, 'visible'=>0, 'noteditable'=>'1', 'index'=>1, 'comment'=>"Id"), 'entity' => array('type'=>'integer', 'label'=>'Entity', 'enabled'=>1, 'visible'=>0, 'position'=>5, 'notnull'=>1, 'default'=>'1', 'index'=>1), 'ref' => array('type'=>'varchar(128)', 'label'=>'Ref', 'enabled'=>'1', 'position'=>10, 'notnull'=>1, 'visible'=>4, 'noteditable'=>'1', 'default'=>'(PROV)', 'index'=>1, 'searchall'=>1, 'showoncombobox'=>'1', 'comment'=>"Reference of candidature"), - 'fk_recruitmentjobposition' => array('type'=>'integer:RecruitmentJobPosition:recruitment/class/recruitmentjobposition.class.php', 'label'=>'Job', 'enabled'=>'1', 'position'=>15, 'notnull'=>0, 'visible'=>1, 'index'=>1), + 'fk_recruitmentjobposition' => array('type'=>'integer:RecruitmentJobPosition:recruitment/class/recruitmentjobposition.class.php', 'label'=>'Job', 'enabled'=>'1', 'position'=>15, 'notnull'=>0, 'visible'=>1, 'index'=>1, 'picto'=>'recruitmentjobposition', 'css'=>'maxwidth500'), 'note_public' => array('type'=>'html', 'label'=>'NotePublic', 'enabled'=>'1', 'position'=>61, 'notnull'=>0, 'visible'=>0,), 'note_private' => array('type'=>'html', 'label'=>'NotePrivate', 'enabled'=>'1', 'position'=>62, 'notnull'=>0, 'visible'=>0,), 'date_creation' => array('type'=>'datetime', 'label'=>'DateCreation', 'enabled'=>'1', 'position'=>500, 'notnull'=>1, 'visible'=>-2,), 
@@ -116,7 +116,7 @@ class RecruitmentCandidature extends CommonObject 'lastname' => array('type'=>'varchar(128)', 'label'=>'Lastname', 'enabled'=>'1', 'position'=>20, 'notnull'=>0, 'visible'=>1,), 'firstname' => array('type'=>'varchar(128)', 'label'=>'Firstname', 'enabled'=>'1', 'position'=>21, 'notnull'=>0, 'visible'=>1,), 'email' => array('type'=>'varchar(255)', 'label'=>'EMail', 'enabled'=>'1', 'position'=>30, 'notnull'=>1, 'visible'=>1, 'picto'=>'email'), - 'phone' => array('type'=>'varchar(64)', 'label'=>'Phone', 'enabled'=>'1', 'position'=>31, 'notnull'=>0, 'visible'=>1,), + 'phone' => array('type'=>'phone', 'label'=>'Phone', 'enabled'=>'1', 'position'=>31, 'notnull'=>0, 'visible'=>1, 'picto'=>'phone'), 'date_birth' => array('type'=>'date', 'label'=>'DateOfBirth', 'enabled'=>'1', 'position'=>70, 'visible'=>-1,), 'email_msgid' => array('type'=>'varchar(255)', 'label'=>'EmailMsgID', 'visible'=>-2, 'enabled'=>1, 'position'=>540, 'notnull'=>-1, 'help'=>'EmailMsgIDDesc'), //'fk_recruitment_origin' => array('type'=>'integer:CRecruitmentOrigin:recruitment/class/crecruitmentorigin.class.php', 'label'=>'Origin', 'enabled'=>'1', 'position'=>45, 'visible'=>1, 'index'=>1), @@ -819,6 +819,9 @@ class RecruitmentCandidature extends CommonObject if ($status == self::STATUS_CANCELED) { $statusType = 'status6'; } + if ($status == self::STATUS_REFUSED) { + $statusType = 'status10'; + } return dolGetStatus($this->labelStatus[$status], $this->labelStatusShort[$status], '', $statusType, $mode); } diff --git a/htdocs/recruitment/recruitmentcandidature_agenda.php b/htdocs/recruitment/recruitmentcandidature_agenda.php index 2930b3889c6..b70fd7cd0b6 100644 --- a/htdocs/recruitment/recruitmentcandidature_agenda.php +++ b/htdocs/recruitment/recruitmentcandidature_agenda.php 
@@ -111,12 +111,13 @@ if ($id > 0 || !empty($ref)) { $upload_dir = $conf->recruitment->multidir_output[$object->entity]."/".$object->id; } +$permissiontoadd = $user->rights->recruitment->recruitmentjobposition->write; // Used by the include of actions_addupdatedelete.inc.php + // Security check - Protection if external user //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; -//$result = restrictedArea($user, 'recruitment', $object->id); - -$permissiontoadd = $user->rights->recruitment->recruitmentjobposition->write; // Used by the include of actions_addupdatedelete.inc.php +$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); +$result = restrictedArea($user, 'recruitment', $object->id, 'recruitment_recruitmentcandidature', 'recruitmentjobposition', '', 'rowid', $isdraft); /* diff --git a/htdocs/recruitment/recruitmentcandidature_card.php b/htdocs/recruitment/recruitmentcandidature_card.php index 653b38c90b3..4826dc735ef 100644 --- a/htdocs/recruitment/recruitmentcandidature_card.php +++ b/htdocs/recruitment/recruitmentcandidature_card.php @@ -132,10 +132,8 @@ $upload_dir = $conf->recruitment->multidir_output[isset($object->entity) ? $obje // Security check - Protection if external user //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; -//$isdraft = (($object->statut == $object::STATUS_DRAFT) ? 1 : 0); -//$result = restrictedArea($user, 'recruitment', $object->id, '', '', 'fk_soc', 'rowid', $isdraft); - -//if (!$permissiontoread) accessforbidden(); +$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); +$result = restrictedArea($user, 'recruitment', $object->id, 'recruitment_recruitmentcandidature', 'recruitmentjobposition', '', 'rowid', $isdraft); /* 
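Review bot: `$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0);` uses a loose comparison on a status that is only populated when the object was fetched in the `if ($id > 0 || !empty($ref))` block above; with no id or ref `$object->status` is unset, and `null == 0` is true in PHP (0 appears to be the draft value, judging by the `$object->status == 0` checks removed in the card hunk), so an unloaded object is classified as a draft before `restrictedArea()` runs. Tie the flag to a loaded object, e.g. `$isdraft = (($object->id > 0 && $object->status == $object::STATUS_DRAFT) ? 1 : 0);`; how much this changes the outcome depends on how `restrictedArea()` treats a draft flag with an empty object id, which is outside this diff. The same line is added in recruitmentcandidature_card.php (`@@ -132`) and recruitmentcandidature_document.php (`@@ -106`). Turning the previously commented-out `restrictedArea()` call into a live check is otherwise the right fix for these tabs.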
@@ -555,55 +553,6 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea print dol_get_fiche_end(); - - /* - * Lines - */ - - if (!empty($object->table_element_line)) { - // Show object lines - $result = $object->getLinesArray(); - - print '
- - - - - '; - - if (!empty($conf->use_javascript_ajax) && $object->status == 0) { - include DOL_DOCUMENT_ROOT.'/core/tpl/ajaxrow.tpl.php'; - } - - print '
'; - if (!empty($object->lines) || ($object->status == $object::STATUS_DRAFT && $permissiontoadd && $action != 'selectlines' && $action != 'editline')) { - print ''; - } - - if (!empty($object->lines)) { - $object->printObjectLines($action, $mysoc, null, GETPOST('lineid', 'int'), 1); - } - - // Form to add new line - if ($object->status == 0 && $permissiontoadd && $action != 'selectlines') { - if ($action != 'editline') { - // Add products/services form - $object->formAddObjectLine(1, $mysoc, $soc); - - $parameters = array(); - $reshook = $hookmanager->executeHooks('formAddObjectLine', $parameters, $object, $action); // Note that $action and $object may have been modified by hook - } - } - - if (!empty($object->lines) || ($object->status == $object::STATUS_DRAFT && $permissiontoadd && $action != 'selectlines' && $action != 'editline')) { - print '
'; - } - print '
'; - - print "
\n"; - } - - // Buttons for actions if ($action != 'presend' && $action != 'editline') { diff --git a/htdocs/recruitment/recruitmentcandidature_document.php b/htdocs/recruitment/recruitmentcandidature_document.php index ee79a4c59a5..2d736e1564b 100644 --- a/htdocs/recruitment/recruitmentcandidature_document.php +++ b/htdocs/recruitment/recruitmentcandidature_document.php @@ -106,7 +106,8 @@ if ($id > 0 || !empty($ref)) { // Security check - Protection if external user //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; -//$result = restrictedArea($user, 'recruitment', $object->id); +$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); +$result = restrictedArea($user, 'recruitment', $object->id, 'recruitment_recruitmentcandidature', 'recruitmentjobposition', '', 'rowid', $isdraft); $permissiontoadd = $user->rights->recruitment->recruitmentjobposition->write; // Used by the include of actions_addupdatedelete.inc.php diff --git a/htdocs/recruitment/recruitmentcandidature_list.php b/htdocs/recruitment/recruitmentcandidature_list.php index 05f007fcb1a..515ddfe80c0 100644 --- a/htdocs/recruitment/recruitmentcandidature_list.php +++ b/htdocs/recruitment/recruitmentcandidature_list.php 
@@ -180,17 +180,11 @@ $permissiontoread = $user->rights->recruitment->recruitmentjobposition->read; $permissiontoadd = $user->rights->recruitment->recruitmentjobposition->write; $permissiontodelete = $user->rights->recruitment->recruitmentjobposition->delete; -// Security check -if (empty($conf->recruitment->enabled)) { - accessforbidden('Module not enabled'); -} -$socid = 0; -if ($user->socid > 0) { // Protection if external user - //$socid = $user->socid; - accessforbidden(); -} -//$result = restrictedArea($user, 'recruitment', $id, ''); -//if (!$permissiontoread) accessforbidden(); +// Security check - Protection if external user +//if ($user->socid > 0) accessforbidden(); +//if ($user->socid > 0) $socid = $user->socid; +//$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); +$result = restrictedArea($user, 'recruitment', 0, 'recruitment_recruitmentcandidature', 'recruitmentjobposition'); diff --git a/htdocs/recruitment/recruitmentcandidature_note.php b/htdocs/recruitment/recruitmentcandidature_note.php index 9dbe3909f2c..d4c18155c5d 100644 --- a/htdocs/recruitment/recruitmentcandidature_note.php +++ b/htdocs/recruitment/recruitmentcandidature_note.php @@ -74,11 +74,6 @@ $hookmanager->initHooks(array('recruitmentjobpositionnote', 'globalcard')); // N // Fetch optionals attributes and labels $extrafields->fetch_name_optionals_label($object->table_element); -// Security check - Protection if external user -//if ($user->socid > 0) accessforbidden(); -//if ($user->socid > 0) $socid = $user->socid; -//$result = restrictedArea($user, 'recruitment', $id); - // Load object include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be include, not include_once // Must be include, not include_once. Include fetch and fetch_thirdparty but not fetch_optionals if ($id > 0 || !empty($ref)) { 
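Review bot: The rewritten security block turns the explicit external-user denial into a comment (`//if ($user->socid > 0) accessforbidden();`) and removes `$socid = 0;`; as far as the call shows, `restrictedArea($user, 'recruitment', 0, ...)` with objectid 0 and no `fk_soc` key checks module state and the permission but does not by itself reject a user with `$user->socid > 0`, so an external user granted the recruitment read right could now reach the list. If that is intended, say so in the comment; otherwise keep `if ($user->socid > 0) accessforbidden();` alongside the new call. If `$socid` is referenced further down in the file (not visible here), it is now undefined rather than `0`. The same change is made in recruitmentjobposition_list.php below.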
@@ -88,6 +83,11 @@ if ($id > 0 || !empty($ref)) { $permissionnote = $user->rights->recruitment->recruitmentjobposition->write; // Used by the include of actions_setnotes.inc.php $permissiontoadd = $user->rights->recruitment->recruitmentjobposition->write; // Used by the include of actions_addupdatedelete.inc.php +// Security check - Protection if external user +//if ($user->socid > 0) accessforbidden(); +//if ($user->socid > 0) $socid = $user->socid; +$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); +$result = restrictedArea($user, 'recruitment', $object->id, 'recruitment_recruitmentcandidature', 'recruitmentjobposition', '', 'rowid', $isdraft); /* diff --git a/htdocs/recruitment/recruitmentjobposition_agenda.php b/htdocs/recruitment/recruitmentjobposition_agenda.php index 388d4e8eadc..253bf2a7e0c 100644 --- a/htdocs/recruitment/recruitmentjobposition_agenda.php +++ b/htdocs/recruitment/recruitmentjobposition_agenda.php @@ -111,12 +111,13 @@ if ($id > 0 || !empty($ref)) { $upload_dir = $conf->recruitment->multidir_output[$object->entity]."/".$object->id; } +$permissiontoadd = $user->rights->recruitment->recruitmentjobposition->write; // Used by the include of actions_addupdatedelete.inc.php + // Security check - Protection if external user //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; -//$result = restrictedArea($user, 'recruitment', $object->id); - -$permissiontoadd = $user->rights->recruitment->recruitmentjobposition->write; // Used by the include of actions_addupdatedelete.inc.php +$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); +$result = restrictedArea($user, 'recruitment', $object->id, 'recruitment_recruitmentjobposition', 'recruitmentjobposition', '', 'rowid', $isdraft); /* diff --git a/htdocs/recruitment/recruitmentjobposition_applications.php b/htdocs/recruitment/recruitmentjobposition_applications.php index c126c594c3a..95daeae54a6 100644 
--- a/htdocs/recruitment/recruitmentjobposition_applications.php +++ b/htdocs/recruitment/recruitmentjobposition_applications.php @@ -131,10 +131,8 @@ $upload_dir = $conf->recruitment->multidir_output[isset($object->entity) ? $obje // Security check - Protection if external user //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; -//$isdraft = (($object->statut == $object::STATUS_DRAFT) ? 1 : 0); -//$result = restrictedArea($user, 'recruitment', $object->id, '', '', 'fk_soc', 'rowid', $isdraft); - -//if (!$permissiontoread) accessforbidden(); +$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); +$result = restrictedArea($user, 'recruitment', $object->id, 'recruitment_recruitmentjobposition', 'recruitmentjobposition', '', 'rowid', $isdraft); /* @@ -412,54 +410,6 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea print dol_get_fiche_end(); - - /* - * Lines - */ - - if (!empty($object->table_element_line)) { - // Show object lines - $result = $object->getLinesArray(); - - print '
- - - - - '; - - if (!empty($conf->use_javascript_ajax) && $object->status == 0) { - include DOL_DOCUMENT_ROOT.'/core/tpl/ajaxrow.tpl.php'; - } - - print '
'; - if (!empty($object->lines) || ($object->status == $object::STATUS_DRAFT && $permissiontoadd && $action != 'selectlines' && $action != 'editline')) { - print ''; - } - - if (!empty($object->lines)) { - $object->printObjectLines($action, $mysoc, null, GETPOST('lineid', 'int'), 1); - } - - // Form to add new line - if ($object->status == 0 && $permissiontoadd && $action != 'selectlines') { - if ($action != 'editline') { - // Add products/services form - $object->formAddObjectLine(1, $mysoc, $soc); - - $parameters = array(); - $reshook = $hookmanager->executeHooks('formAddObjectLine', $parameters, $object, $action); // Note that $action and $object may have been modified by hook - } - } - - if (!empty($object->lines) || ($object->status == $object::STATUS_DRAFT && $permissiontoadd && $action != 'selectlines' && $action != 'editline')) { - print '
'; - } - print '
'; - - print "
\n"; - } - print '
'.$langs->trans("FeatureNotYetAvailable"); } diff --git a/htdocs/recruitment/recruitmentjobposition_card.php b/htdocs/recruitment/recruitmentjobposition_card.php index 2b832b3b467..45e6ddab01f 100644 --- a/htdocs/recruitment/recruitmentjobposition_card.php +++ b/htdocs/recruitment/recruitmentjobposition_card.php @@ -133,10 +133,8 @@ $usercanclose = $permissiontoadd; // Security check - Protection if external user //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; -//$isdraft = (($object->statut == $object::STATUS_DRAFT) ? 1 : 0); -//$result = restrictedArea($user, 'recruitment', $object->id, '', '', 'fk_soc', 'rowid', $isdraft); - -//if (!$permissiontoread) accessforbidden(); +$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); +$result = restrictedArea($user, 'recruitment', $object->id, 'recruitment_recruitmentjobposition', 'recruitmentjobposition', '', 'rowid', $isdraft); /* @@ -440,54 +438,6 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea print dol_get_fiche_end(); - /* - * Lines - */ - - if (!empty($object->table_element_line)) { - // Show object lines - $result = $object->getLinesArray(); - - print '
- - - - - '; - - if (!empty($conf->use_javascript_ajax) && $object->status == 0) { - include DOL_DOCUMENT_ROOT.'/core/tpl/ajaxrow.tpl.php'; - } - - print '
'; - if (!empty($object->lines) || ($object->status == $object::STATUS_DRAFT && $permissiontoadd && $action != 'selectlines' && $action != 'editline')) { - print ''; - } - - if (!empty($object->lines)) { - $object->printObjectLines($action, $mysoc, null, GETPOST('lineid', 'int'), 1); - } - - // Form to add new line - if ($object->status == 0 && $permissiontoadd && $action != 'selectlines') { - if ($action != 'editline') { - // Add products/services form - $object->formAddObjectLine(1, $mysoc, $soc); - - $parameters = array(); - $reshook = $hookmanager->executeHooks('formAddObjectLine', $parameters, $object, $action); // Note that $action and $object may have been modified by hook - } - } - - if (!empty($object->lines) || ($object->status == $object::STATUS_DRAFT && $permissiontoadd && $action != 'selectlines' && $action != 'editline')) { - print '
'; - } - print '
'; - - print "
\n"; - } - - // Buttons for actions if ($action != 'presend' && $action != 'editline') { diff --git a/htdocs/recruitment/recruitmentjobposition_document.php b/htdocs/recruitment/recruitmentjobposition_document.php index 9a3339b5130..0f1bdeef0fc 100644 --- a/htdocs/recruitment/recruitmentjobposition_document.php +++ b/htdocs/recruitment/recruitmentjobposition_document.php @@ -106,7 +106,8 @@ if ($id > 0 || !empty($ref)) { // Security check - Protection if external user //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; -//$result = restrictedArea($user, 'recruitment', $object->id); +$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); +$result = restrictedArea($user, 'recruitment', $object->id, 'recruitment_recruitmentjobposition', 'recruitmentjobposition', '', 'rowid', $isdraft); $permissiontoadd = $user->rights->recruitment->recruitmentjobposition->write; // Used by the include of actions_addupdatedelete.inc.php diff --git a/htdocs/recruitment/recruitmentjobposition_list.php b/htdocs/recruitment/recruitmentjobposition_list.php index d497fa3d998..c28a55e0b2d 100644 --- a/htdocs/recruitment/recruitmentjobposition_list.php +++ b/htdocs/recruitment/recruitmentjobposition_list.php 
@@ -181,17 +181,11 @@ $permissiontoread = $user->rights->recruitment->recruitmentjobposition->read; $permissiontoadd = $user->rights->recruitment->recruitmentjobposition->write; $permissiontodelete = $user->rights->recruitment->recruitmentjobposition->delete; -// Security check -if (empty($conf->recruitment->enabled)) { - accessforbidden('Module not enabled'); -} -$socid = 0; -if ($user->socid > 0) { // Protection if external user - //$socid = $user->socid; - accessforbidden(); -} -//$result = restrictedArea($user, 'recruitment', $id, ''); -//if (!$permissiontoread) accessforbidden(); +// Security check - Protection if external user +//if ($user->socid > 0) accessforbidden(); +//if ($user->socid > 0) $socid = $user->socid; +//$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); +$result = restrictedArea($user, 'recruitment', 0, 'recruitment_recruitmentjobposition', 'recruitmentjobposition'); diff --git a/htdocs/recruitment/recruitmentjobposition_note.php b/htdocs/recruitment/recruitmentjobposition_note.php index 9dcb5ad9d7d..9dbcd0e1180 100644 --- a/htdocs/recruitment/recruitmentjobposition_note.php +++ b/htdocs/recruitment/recruitmentjobposition_note.php @@ -88,6 +88,11 @@ if ($id > 0 || !empty($ref)) { $permissionnote = $user->rights->recruitment->recruitmentjobposition->write; // Used by the include of actions_setnotes.inc.php $permissiontoadd = $user->rights->recruitment->recruitmentjobposition->write; // Used by the include of actions_addupdatedelete.inc.php +// Security check - Protection if external user +//if ($user->socid > 0) accessforbidden(); +//if ($user->socid > 0) $socid = $user->socid; +$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); +$result = restrictedArea($user, 'recruitment', $object->id, 'recruitment_recruitmentjobposition', 'recruitmentjobposition', '', 'rowid', $isdraft); /* diff --git a/htdocs/salaries/admin/index.html b/htdocs/salaries/admin/index.html new file mode 100644 index 00000000000..8b137891791 
--- /dev/null +++ b/htdocs/salaries/admin/index.html @@ -0,0 +1 @@ + diff --git a/htdocs/salaries/card.php b/htdocs/salaries/card.php index 775221caeb2..e1225f15258 100755 --- a/htdocs/salaries/card.php +++ b/htdocs/salaries/card.php @@ -282,7 +282,7 @@ if ($action == 'confirm_delete') { } -if ($action == 'update' && !$_POST["cancel"] && $user->rights->salaries->write) { +if ($action == 'update' && !GETPOST("cancel") && $user->rights->salaries->write) { $amount = price2num(GETPOST('amount'), 'MT', 2); if (empty($amount)) { diff --git a/htdocs/salaries/class/salariesstats.class.php b/htdocs/salaries/class/salariesstats.class.php index 123dc044a4a..f8a7d618fb0 100644 --- a/htdocs/salaries/class/salariesstats.class.php +++ b/htdocs/salaries/class/salariesstats.class.php @@ -67,7 +67,7 @@ class SalariesStats extends Stats $this->where .= " AND fk_soc = ".$this->socid; } if (is_array($this->userid) && count($this->userid) > 0) { - $this->where .= ' AND fk_user IN ('.join(',', $this->userid).')'; + $this->where .= ' AND fk_user IN ('.$this->db->sanitize(join(',', $this->userid)).')'; } elseif ($this->userid > 0) { $this->where .= ' AND fk_user = '.$this->userid; } diff --git a/htdocs/salaries/list.php b/htdocs/salaries/list.php index 7bc75f52793..b192fa14011 100644 --- a/htdocs/salaries/list.php +++ b/htdocs/salaries/list.php 
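Review bot: In the salariesstats.class.php hunk the list branch now goes through `$this->db->sanitize()`, but the sibling `elseif ($this->userid > 0)` branch right below still concatenates `$this->userid` raw, as does `" AND fk_soc = ".$this->socid` just above; casting both keeps the three branches consistent: `$this->where .= ' AND fk_user = '.((int) $this->userid);` and `$this->where .= " AND fk_soc = ".((int) $this->socid);`. The enclosing method starts and ends outside the hunk.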
@@ -234,7 +234,7 @@ $help_url = ''; $title = $langs->trans('Salaries'); $sql = "SELECT u.rowid as uid, u.lastname, u.firstname, u.login, u.email, u.admin, u.salary as current_salary, u.fk_soc as fk_soc, u.statut as status,"; -$sql .= " s.rowid, s.fk_account, s.paye, s.fk_user, s.amount, s.salary, s.label, s.datesp, s.dateep, ps.fk_typepayment as paymenttype, "; +$sql .= " s.rowid, s.fk_account, s.paye, s.fk_user, s.amount, s.salary, s.label, s.datesp, s.dateep, s.fk_typepayment as paymenttype, "; $sql .= " ba.rowid as bid, ba.ref as bref, ba.number as bnumber, ba.account_number, ba.fk_accountancy_journal, ba.label as blabel,"; $sql .= " pst.code as payment_code,"; $sql .= " SUM(ps.amount) as alreadypayed"; @@ -247,7 +247,7 @@ $sql .= " ".MAIN_DB_PREFIX."user as u"; $sql .= " WHERE u.rowid = s.fk_user"; $sql .= " AND s.entity IN (".getEntity('payment_salaries').")"; if (empty($user->rights->salaries->readall)) { - $sql .= " AND s.fk_user IN (".join(',', $childids).")"; + $sql .= " AND s.fk_user IN (".$db->sanitize(join(',', $childids)).")"; } // Search criteria @@ -275,15 +275,11 @@ if ($search_account > 0) { if ($search_status != '' && $search_status >= 0) { $sql .= " AND s.paye = ".$db->escape($search_status); } -if ($filtre) { - $filtre = str_replace(":", "=", $filtre); - $sql .= " AND ".$filtre; -} if ($search_type_id) { $sql .= " AND s.fk_typepayment=".$search_type_id; } $sql .= " GROUP BY u.rowid, u.lastname, u.firstname, u.login, u.email, u.admin, u.salary, u.fk_soc, u.statut,"; -$sql .= " s.rowid, s.fk_account, s.paye, s.fk_user, s.amount, s.salary, s.label, s.datesp, s.dateep, ps.fk_typepayment, s.fk_bank,"; +$sql .= " s.rowid, s.fk_account, s.paye, s.fk_user, s.amount, s.salary, s.label, s.datesp, s.dateep, s.fk_typepayment, s.fk_bank,"; $sql .= " ba.rowid, ba.ref, ba.number, ba.account_number, ba.fk_accountancy_journal, ba.label,"; $sql .= " pst.code"; $sql .= $db->order($sortfield, $sortorder); 
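Review bot: In the third hunk of salaries/list.php the `$filtre` pass-through is removed, but the neighbouring `$sql .= " AND s.fk_typepayment=".$search_type_id;` still concatenates the request value unchanged; cast it like the other id filters in this file: `$sql .= " AND s.fk_typepayment = ".((int) $search_type_id);`. The same line survives in the payments.php hunk below, where only the guard was tightened to `$search_type_id > 0` while the concatenation stayed raw.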
diff --git a/htdocs/salaries/paiement_salary.php b/htdocs/salaries/paiement_salary.php index ac70d5c4a8c..eb9fe8bfd17 100644 --- a/htdocs/salaries/paiement_salary.php +++ b/htdocs/salaries/paiement_salary.php @@ -33,6 +33,7 @@ $langs->load("bills"); $chid = GETPOST("id", 'int'); $action = GETPOST('action', 'alpha'); +$cancel = GETPOST('cancel', 'alpha'); $amounts = array(); // Security check @@ -49,7 +50,7 @@ if ($user->socid > 0) { if ($action == 'add_payment' || ($action == 'confirm_paiement' && $confirm == 'yes')) { $error = 0; - if ($_POST["cancel"]) { + if ($cancel) { $loc = DOL_URL_ROOT.'/salaries/card.php?id='.$chid; header("Location: ".$loc); exit; @@ -73,23 +74,23 @@ if ($action == 'add_payment' || ($action == 'confirm_paiement' && $confirm == 'y $action = 'create'; } + // Read possible payments + foreach ($_POST as $key => $value) { + if (substr($key, 0, 7) == 'amount_') { + $other_chid = substr($key, 7); + $amounts[$other_chid] = price2num($_POST[$key]); + } + } + + if ($amounts[key($amounts)] <= 0) { + $error++; + setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentities("Amount")), null, 'errors'); + $action = 'create'; + } + if (!$error) { $paymentid = 0; - // Read possible payments - foreach ($_POST as $key => $value) { - if (substr($key, 0, 7) == 'amount_') { - $other_chid = substr($key, 7); - $amounts[$other_chid] = price2num($_POST[$key]); - } - } - - if (count($amounts) <= 0) { - $error++; - setEventMessages($langs->trans("ErrorNoPaymentDefined"), null, 'errors'); - $action = 'create'; - } - if (!$error) { $db->begin(); @@ -174,7 +175,7 @@ if ($action == 'create') { print ''; print ''; - print dol_get_fiche_end(); + print dol_get_fiche_head(); print ''; @@ -198,21 +199,21 @@ if ($action == 'create') { print '';*/ print '"; print ''; print '\n"; print ''; print ''; print ''; print ''; // Number 
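Review bot: In the `@@ -73` hunk the moved check `if ($amounts[key($amounts)] <= 0)` loses the empty case the old `count($amounts) <= 0` test covered: when no `amount_*` field was posted, `key($amounts)` is `null`, the lookup raises an undefined-index notice, and only the first posted amount is ever validated. `if (empty($amounts) || reset($amounts) <= 0) {` keeps the new message and also handles the empty submission. The loop that fills `$amounts` still reads `$_POST[$key]` directly while the rest of the hunk moved to `GETPOST()`; `$amounts[$other_chid] = price2num(GETPOST($key, 'alpha'));` would be consistent with the `$cancel` change above it.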
@@ -270,12 +271,13 @@ if ($action == 'create') { if ($sumpaid < $objp->amount) { $namef = "amount_".$objp->id; $nameRemain = "remain_".$objp->id; + /* Disabled, we autofil the amount with remain to pay by default if (!empty($conf->use_javascript_ajax)) { print img_picto("Auto fill", 'rightarrow', "class='AutoFillAmount' data-rowid='".$namef."' data-value='".($objp->amount - $sumpaid)."'"); - } + } */ $remaintopay = $objp->amount - $sumpaid; print ''; - print ''; + print ''; } else { print '-'; } diff --git a/htdocs/salaries/payment_salary/index.html b/htdocs/salaries/payment_salary/index.html new file mode 100644 index 00000000000..8b137891791 --- /dev/null +++ b/htdocs/salaries/payment_salary/index.html @@ -0,0 +1 @@ + diff --git a/htdocs/salaries/payments.php b/htdocs/salaries/payments.php index 5c0b0c73956..3e6630dbaf1 100644 --- a/htdocs/salaries/payments.php +++ b/htdocs/salaries/payments.php 
@@ -190,22 +190,18 @@ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."bank_account as ba ON b.fk_account = ba.ro $sql .= " ".MAIN_DB_PREFIX."user as u"; $sql .= " WHERE u.rowid = sal.fk_user"; $sql .= " AND s.entity IN (".getEntity('payment_salaries').")"; -if (empty($user->rights->salaries->readall)) $sql .= " AND s.fk_user IN (".join(',', $childids).")"; +if (empty($user->rights->salaries->readall)) $sql .= " AND s.fk_user IN (".$db->sanitize(join(',', $childids)).")"; // Search criteria if ($search_ref) $sql .= " AND s.rowid=".((int) $search_ref); -if ($search_ref_salary) $sql .= " AND sal.rowid=".((int) $search_ref_salary); +if ($search_ref_salary) $sql .= " AND sal.rowid=".((int) $search_ref_salary); if ($search_user) $sql .= natural_search(array('u.login', 'u.lastname', 'u.firstname', 'u.email'), $search_user); if ($search_label) $sql .= natural_search(array('sal.label'), $search_label); if ($search_date_start) $sql .= " AND s.datep >= '".$db->idate($search_date_start)."'"; if ($search_date_end) $sql .= " AND s.datep <= '".$db->idate($search_date_end)."'"; if ($search_amount) $sql .= natural_search("s.amount", $search_amount, 1); if ($search_account > 0) $sql .= " AND b.fk_account=".((int) $search_account); -if ($filtre) { - $filtre = str_replace(":", "=", $filtre); - $sql .= " AND ".$filtre; -} -if ($search_type_id) { +if ($search_type_id > 0) { $sql .= " AND s.fk_typepayment=".$search_type_id; } $sql .= $db->order($sortfield, $sortorder); diff --git a/htdocs/societe/ajax/company.php b/htdocs/societe/ajax/company.php index ba33386f360..57edbcebc1d 100644 --- a/htdocs/societe/ajax/company.php +++ b/htdocs/societe/ajax/company.php @@ -48,6 +48,7 @@ $filter = GETPOST('filter', 'alpha'); $outjson = (GETPOST('outjson', 'int') ? GETPOST('outjson', 'int') : 0); $action = GETPOST('action', 'aZ09'); $id = GETPOST('id', 'int'); +$excludeids = GETPOST('excludeids', 'intcomma'); $showtype = GETPOST('showtype', 'int'); 
@@ -102,6 +103,11 @@ if (!empty($action) && $action == 'fetch' && !empty($id)) { if (!is_object($form)) { $form = new Form($db); } + + if (!empty($excludeids)) { + $filter .= 'rowid NOT IN ('.$db->sanitize($excludeids).')'; + } + $arrayresult = $form->select_thirdparty_list(0, $htmlname, $filter, 1, $showtype, 0, null, $searchkey, $outjson); $db->close(); diff --git a/htdocs/societe/canvas/actions_card_common.class.php b/htdocs/societe/canvas/actions_card_common.class.php index da7e68d4849..53748c1465a 100644 --- a/htdocs/societe/canvas/actions_card_common.class.php +++ b/htdocs/societe/canvas/actions_card_common.class.php 
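Review bot: `$filter .= 'rowid NOT IN ('.$db->sanitize($excludeids).')';` appends to `$filter` without a separator, so when the request also carried a non-empty `filter` parameter (read by `GETPOST('filter', 'alpha')` above) the two fragments are glued together and, depending on how `select_thirdparty_list()` embeds `$filter`, the resulting SQL is malformed. Prepend the conjunction only when something is already there: `$filter .= ($filter ? ' AND ' : '').'rowid NOT IN ('.$db->sanitize($excludeids).')';`. A one-line comment that `$excludeids` is already reduced to an int/comma list by `GETPOST(..., 'intcomma')` and that `sanitize()` is a second guard would explain the double filtering.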
@@ -387,40 +387,40 @@ abstract class ActionsCardCommon // phpcs:enable global $langs, $mysoc; - $this->object->id = $_POST["socid"]; - $this->object->name = $_POST["nom"]; - $this->object->prefix_comm = $_POST["prefix_comm"]; - $this->object->client = $_POST["client"]; - $this->object->code_client = $_POST["code_client"]; - $this->object->fournisseur = $_POST["fournisseur"]; - $this->object->code_fournisseur = $_POST["code_fournisseur"]; - $this->object->address = $_POST["adresse"]; - $this->object->zip = $_POST["zipcode"]; - $this->object->town = $_POST["town"]; - $this->object->country_id = $_POST["country_id"] ? $_POST["country_id"] : $mysoc->country_id; - $this->object->state_id = $_POST["state_id"]; - $this->object->phone = $_POST["tel"]; - $this->object->fax = $_POST["fax"]; - $this->object->email = $_POST["email"]; - $this->object->url = $_POST["url"]; - $this->object->capital = $_POST["capital"]; - $this->object->idprof1 = $_POST["idprof1"]; - $this->object->idprof2 = $_POST["idprof2"]; - $this->object->idprof3 = $_POST["idprof3"]; - $this->object->idprof4 = $_POST["idprof4"]; - $this->object->typent_id = $_POST["typent_id"]; - $this->object->effectif_id = $_POST["effectif_id"]; - $this->object->barcode = $_POST["barcode"]; - $this->object->forme_juridique_code = $_POST["forme_juridique_code"]; - $this->object->default_lang = $_POST["default_lang"]; - $this->object->commercial_id = $_POST["commercial_id"]; + $this->object->id = GETPOST("socid"); + $this->object->name = GETPOST("nom"); + $this->object->prefix_comm = GETPOST("prefix_comm"); + $this->object->client = GETPOST("client"); + $this->object->code_client = GETPOST("code_client"); + $this->object->fournisseur = GETPOST("fournisseur"); + $this->object->code_fournisseur = GETPOST("code_fournisseur"); + $this->object->address = GETPOST("adresse"); + $this->object->zip = GETPOST("zipcode"); + $this->object->town = GETPOST("town"); + $this->object->country_id = GETPOST("country_id") ? 
GETPOST("country_id") : $mysoc->country_id; + $this->object->state_id = GETPOST("state_id"); + $this->object->phone = GETPOST("tel"); + $this->object->fax = GETPOST("fax"); + $this->object->email = GETPOST("email", 'alphawithlgt'); + $this->object->url = GETPOST("url"); + $this->object->capital = GETPOST("capital"); + $this->object->idprof1 = GETPOST("idprof1"); + $this->object->idprof2 = GETPOST("idprof2"); + $this->object->idprof3 = GETPOST("idprof3"); + $this->object->idprof4 = GETPOST("idprof4"); + $this->object->typent_id = GETPOST("typent_id"); + $this->object->effectif_id = GETPOST("effectif_id"); + $this->object->barcode = GETPOST("barcode"); + $this->object->forme_juridique_code = GETPOST("forme_juridique_code"); + $this->object->default_lang = GETPOST("default_lang"); + $this->object->commercial_id = GETPOST("commercial_id"); - $this->object->tva_assuj = $_POST["assujtva_value"] ? $_POST["assujtva_value"] : 1; - $this->object->tva_intra = $_POST["tva_intra"]; + $this->object->tva_assuj = GETPOST("assujtva_value") ? GETPOST("assujtva_value") : 1; + $this->object->tva_intra = GETPOST("tva_intra"); //Local Taxes - $this->object->localtax1_assuj = $_POST["localtax1assuj_value"]; - $this->object->localtax2_assuj = $_POST["localtax2assuj_value"]; + $this->object->localtax1_assuj = GETPOST("localtax1assuj_value"); + $this->object->localtax2_assuj = GETPOST("localtax2assuj_value"); // We set country_id, and country_code label of the chosen country if ($this->object->country_id) { diff --git a/htdocs/societe/card.php b/htdocs/societe/card.php index e7d40037155..fd4fde95243 100644 --- a/htdocs/societe/card.php +++ b/htdocs/societe/card.php @@ -2067,8 +2067,8 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { print ''; // EMail / Web - print ''; - print ''; + print ''; + print ''; print ''; print ''; 
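Review bot: Most of the replaced `$_POST[...]` reads became `GETPOST("name")` with no check type, while only the email gets `'alphawithlgt'`; whether the untyped form filters anything depends on this version's default, so the id fields (`socid`, `country_id`, `state_id`, `typent_id`, `effectif_id`, `commercial_id`) should say `GETPOST("socid", 'int')` explicitly and the free-text fields should name the filter they expect, as `GETPOST('filter', 'alpha')` does elsewhere in this commit. The `country_id`/`tva_assuj` ternaries call `GETPOST()` twice; a local such as `$countryid = GETPOST("country_id", 'int');` used in the ternary is cheaper and clearer. The enclosing method starts and ends outside the hunk.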
@@ -2399,7 +2399,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { 'name' => 'soc_origin', 'label' => $langs->trans('MergeOriginThirdparty'), 'type' => 'other', - 'value' => $form->select_company('', 'soc_origin', 's.rowid <> '.$object->id, 'SelectThirdParty', 0, 0, array(), 0, 'minwidth200') + 'value' => $form->select_company('', 'soc_origin', '', 'SelectThirdParty', 0, 0, array(), 0, 'minwidth200', '', '', 1, null, false, array($object->id)) ) ); @@ -2773,7 +2773,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { print '
'.$langs->trans("RemainderToPay").''.price($total-$sumpaid,0,$outputlangs,1,-1,-1,$conf->currency).'
'.$langs->trans("Date").''; - $datepaye = dol_mktime(12, 0, 0, $_POST["remonth"], $_POST["reday"], $_POST["reyear"]); - $datepayment = empty($conf->global->MAIN_AUTOFILL_DATE) ? (empty($_POST["remonth"]) ?-1 : $datepaye) : ''; + $datepaye = dol_mktime(12, 0, 0, GETPOST("remonth", 'int'), GETPOST("reday", 'int'), GETPOST("reyear", 'int')); + $datepayment = empty($conf->global->MAIN_AUTOFILL_DATE) ? (GETPOST("remonth") ? $datepaye : -1) : ''; print $form->selectDate($datepayment, '', '', '', '', "add_payment", 1, 1); print "
'.$langs->trans("PaymentMode").''; - $form->select_types_paiements(isset($_POST["paiementtype"]) ? $_POST["paiementtype"] : $salary->type_payment, "paiementtype"); + $form->select_types_paiements(GETPOSTISSET("paiementtype") ? GETPOST("paiementtype") : $salary->type_payment, "paiementtype"); print "
'.$langs->trans('AccountToDebit').''; - $form->select_comptes(isset($_POST["accountid"]) ? $_POST["accountid"] : $salary->accountid, "accountid", 0, '', 1); // Show opend bank account list + $form->select_comptes(GETPOSTISSET("accountid") ? GETPOST("accountid", 'int') : $salary->accountid, "accountid", 0, '', 1); // Show opend bank account list print '
'.img_picto('', 'object_phoning_fax').'
'.$form->editfieldkey('EMail', 'email', GETPOST('email', 'alpha'), $object, 0, 'string', '', (!empty($conf->global->SOCIETE_EMAIL_MANDATORY))).''.img_picto('', 'object_email').'
'.$form->editfieldkey('EMail', 'email', GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL), $object, 0, 'string', '', (!empty($conf->global->SOCIETE_EMAIL_MANDATORY))).''.img_picto('', 'object_email').'
'.$form->editfieldkey('Web', 'url', GETPOST('url', 'alpha'), $object, 0).''.img_picto('', 'globe').'
'; print ''; $html_name = ($action == 'editparentcompany') ? 'parent_id' : 'none'; - $form->form_thirdparty($_SERVER['PHP_SELF'].'?socid='.$object->id, $object->parent, $html_name, 's.rowid <> '.$object->id, 1); + $form->form_thirdparty($_SERVER['PHP_SELF'].'?socid='.$object->id, $object->parent, $html_name, '', 1, 0, 0, null, 0, array($object->id)); print ''; } diff --git a/htdocs/societe/class/api_contacts.class.php b/htdocs/societe/class/api_contacts.class.php index 37ad82602fb..3993ad38e5f 100644 --- a/htdocs/societe/class/api_contacts.class.php +++ b/htdocs/societe/class/api_contacts.class.php @@ -192,7 +192,7 @@ class Contacts extends DolibarrApi $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON t.fk_soc = s.rowid"; $sql .= ' WHERE t.entity IN ('.getEntity('socpeople').')'; if ($socids) { - $sql .= " AND t.fk_soc IN (".$socids.")"; + $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")"; } if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) || $search_sale > 0) { @@ -203,7 +203,7 @@ class Contacts extends DolibarrApi } // Insert sale filter if ($search_sale > 0) { - $sql .= " AND sc.fk_user = ".$search_sale; + $sql .= " AND sc.fk_user = ".((int) $search_sale); } // Select contacts of given category diff --git a/htdocs/societe/class/api_thirdparties.class.php b/htdocs/societe/class/api_thirdparties.class.php index ed62e5a224f..ddc9fa41fdb 100644 --- a/htdocs/societe/class/api_thirdparties.class.php +++ b/htdocs/societe/class/api_thirdparties.class.php 
@@ -187,14 +187,14 @@ class Thirdparties extends DolibarrApi } //if ($email != NULL) $sql.= " AND s.email = \"".$email."\""; if ($socids) { - $sql .= " AND t.rowid IN (".$socids.")"; + $sql .= " AND t.rowid IN (".$this->db->sanitize($socids).")"; } if ($search_sale > 0) { $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale } // Insert sale filter if ($search_sale > 0) { - $sql .= " AND sc.fk_user = ".$search_sale; + $sql .= " AND sc.fk_user = ".((int) $search_sale); } // Add sql filters if ($sqlfilters) { @@ -1364,10 +1364,10 @@ class Thirdparties extends DolibarrApi $sql = "SELECT rowid"; $sql .= " FROM ".MAIN_DB_PREFIX."societe_rib"; if ($id) { - $sql .= " WHERE fk_soc = ".$id." "; + $sql .= " WHERE fk_soc = ".((int) $id); } if ($companybankid) { - $sql .= " AND rowid = ".$companybankid.""; + $sql .= " AND rowid = ".((int) $companybankid); } $i = 0; @@ -1433,9 +1433,9 @@ class Thirdparties extends DolibarrApi * We select all the records that match the socid */ $sql = "SELECT rowid, fk_soc, key_account, site, date_creation, tms FROM ".MAIN_DB_PREFIX."societe_account"; - $sql .= " WHERE fk_soc = $id"; + $sql .= " WHERE fk_soc = ".((int) $id); if ($site) { - $sql .= " AND site ='$site'"; + $sql .= " AND site ='".$this->db->escape($site)."'"; } $result = $this->db->query($sql); diff --git a/htdocs/societe/index.php b/htdocs/societe/index.php index b76a80e1148..c87d260f23e 100644 --- a/htdocs/societe/index.php +++ b/htdocs/societe/index.php @@ -101,8 +101,8 @@ $sql .= ' WHERE s.entity IN ('.getEntity('societe').')'; if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } -if ($socid) { - $sql .= " AND s.rowid = ".$socid; +if ($socid > 0) { + $sql .= " AND s.rowid = ".((int) $socid); } if (!$user->rights->fournisseur->lire) { $sql .= " AND (s.fournisseur <> 1 OR s.client <> 0)"; // client=0, fournisseur=0 must be visible 
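Review bot: On the new `WHERE fk_soc = ` line the `(int)` cast removes the injection, but the statement is still malformed when `$id` is empty and `$companybankid` is set: the second branch appends `AND rowid = ...` with no `WHERE`, and when both are empty the query returns every row of `societe_rib` with no entity filter, unless a guard earlier in the method (outside the hunk) rejects that case. Start with `$sql .= " WHERE 1 = 1";` (the pattern the website.php hunk of this commit already uses) and make both branches `AND` clauses guarded by `> 0`, e.g. `if ($id > 0) { $sql .= " AND fk_soc = ".((int) $id); }`. Note that `if ($id)` is true for a non-numeric string that casts to 0, so the `> 0` guard is also what makes the cast meaningful. The enclosing method starts and ends outside the hunk.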
diff --git a/htdocs/societe/list.php b/htdocs/societe/list.php index 74685d37b05..47ef99490cb 100644 --- a/htdocs/societe/list.php +++ b/htdocs/societe/list.php @@ -584,7 +584,7 @@ if ($search_region) { $sql .= natural_search("region.nom", $search_region); } if ($search_country && $search_country != '-1') { - $sql .= " AND s.fk_pays IN (".$db->sanitize($db->escape($search_country)).')'; + $sql .= " AND s.fk_pays IN (".$db->sanitize($search_country).')'; } if ($search_email) { $sql .= natural_search("s.email", $search_email); @@ -621,7 +621,7 @@ if (strlen($search_vat)) { } // Filter on type of thirdparty if ($search_type > 0 && in_array($search_type, array('1,3', '1,2,3', '2,3'))) { - $sql .= " AND s.client IN (".$db->sanitize($db->escape($search_type)).")"; + $sql .= " AND s.client IN (".$db->sanitize($search_type).")"; } if ($search_type > 0 && in_array($search_type, array('4'))) { $sql .= " AND s.fournisseur = 1"; @@ -960,7 +960,7 @@ if (empty($type) || $type == 'f') { if ($user->rights->societe->client->voir || $socid) { $moreforfilter .= '
'; $moreforfilter .= img_picto('', 'user', 'class="pictofixedwidth"'); - $moreforfilter .= $formother->select_salesrepresentatives($search_sale, 'search_sale', $user, 0, $langs->trans('SalesRepresentatives'), 'maxwidth300', 1); + $moreforfilter .= $formother->select_salesrepresentatives($search_sale, 'search_sale', $user, 0, $langs->trans('SalesRepresentatives'), ($conf->dol_optimize_smallscreen ? 'maxwidth200' : 'maxwidth300'), 1); $moreforfilter .= '
'; } if ($moreforfilter) { @@ -1525,13 +1525,13 @@ while ($i < min($num, $limit)) { } } if (!empty($arrayfields['s.phone']['checked'])) { - print "".dol_print_phone($obj->phone, $obj->country_code, 0, $obj->rowid, 'AC_TEL', ' ', 'phone')."\n"; + print ''.dol_print_phone($obj->phone, $obj->country_code, 0, $obj->rowid, 'AC_TEL', ' ', 'phone')."\n"; if (!$i) { $totalarray['nbfield']++; } } if (!empty($arrayfields['s.fax']['checked'])) { - print "".dol_print_phone($obj->fax, $obj->country_code, 0, $obj->rowid, 'AC_TEL', ' ', 'fax')."\n"; + print ''.dol_print_phone($obj->fax, $obj->country_code, 0, $obj->rowid, 'AC_TEL', ' ', 'fax')."\n"; if (!$i) { $totalarray['nbfield']++; } diff --git a/htdocs/societe/website.php b/htdocs/societe/website.php index e7a1e086228..e34672bfd1d 100644 --- a/htdocs/societe/website.php +++ b/htdocs/societe/website.php @@ -283,7 +283,7 @@ if ($objectwebsiteaccount->ismultientitymanaged == 1) { } else { $sql .= " WHERE 1 = 1"; } -$sql .= " AND fk_soc = ".$object->id; +$sql .= " AND fk_soc = ".((int) $object->id); foreach ($search as $key => $val) { $mode_search = (($objectwebsiteaccount->isInt($objectwebsiteaccount->fields[$key]) || $objectwebsiteaccount->isFloat($objectwebsiteaccount->fields[$key])) ? 1 : 0); if ($search[$key] != '') { diff --git a/htdocs/stripe/admin/stripe.php b/htdocs/stripe/admin/stripe.php index edac0a79833..1e4e2ae9c1d 100644 --- a/htdocs/stripe/admin/stripe.php +++ b/htdocs/stripe/admin/stripe.php @@ -37,7 +37,10 @@ $servicename = 'Stripe'; // Load translation files required by the page $langs->loadLangs(array('admin', 'other', 'paypal', 'paybox', 'stripe')); -if (!$user->admin) { +if (empty($user->admin)) { + accessforbidden(); +} +if (empty($conf->stripe->enabled)) { accessforbidden(); } 
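Review bot: The two new guards at the top of stripe.php are separate `if` blocks that both end in `accessforbidden()`; they read better as one condition, `if (empty($user->admin) || empty($conf->stripe->enabled)) { accessforbidden(); }`. Keeping a single early-exit also makes it harder for a later edit to slip code between the admin check and the module check.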
@@ -207,24 +210,21 @@ print ''; if (empty($conf->stripeconnect->enabled)) { print ''; print ''.$langs->trans("STRIPE_TEST_PUBLISHABLE_KEY").''; - print ''; - print '   '.$langs->trans("Example").': pk_test_xxxxxxxxxxxxxxxxxxxxxxxx'; + print ''; print ''; print ''; print ''.$langs->trans("STRIPE_TEST_SECRET_KEY").''; - print ''; - print '   '.$langs->trans("Example").': sk_test_xxxxxxxxxxxxxxxxxxxxxxxx<'; + print ''; print ''; print ''; print ''.$langs->trans("STRIPE_TEST_WEBHOOK_KEY").''; if ($conf->global->MAIN_FEATURES_LEVEL >= 2) { - print ''; - print '   '.$langs->trans("Example").': we_xxxxxxxxxxxxxxxxxxxxxxxx
'; + print ''; + print '
'; } - print ''; - print '   '.$langs->trans("Example").': whsec_xxxxxxxxxxxxxxxxxxxxxxxx'; + print ''; $out = img_picto('', 'globe').' '.$langs->trans("ToOfferALinkForTestWebhook").' '; $url = dol_buildpath('/public/stripe/ipn.php?test', 3); $out .= ''; @@ -254,7 +254,7 @@ if (empty($conf->stripeconnect->enabled)) { } //print $endpoint; } else { - print img_picto($langs->trans("inactive"), 'statut5'); + print img_picto($langs->trans("Inactive"), 'statut5'); } } print''; @@ -272,24 +272,21 @@ if (empty($conf->stripeconnect->enabled)) { if (empty($conf->stripeconnect->enabled)) { print ''; print ''.$langs->trans("STRIPE_LIVE_PUBLISHABLE_KEY").''; - print ''; - print '   '.$langs->trans("Example").': pk_live_xxxxxxxxxxxxxxxxxxxxxxxx'; + print ''; print ''; print ''; print ''.$langs->trans("STRIPE_LIVE_SECRET_KEY").''; - print ''; - print '   '.$langs->trans("Example").': sk_live_xxxxxxxxxxxxxxxxxxxxxxxx'; + print ''; print ''; print ''; print ''.$langs->trans("STRIPE_LIVE_WEBHOOK_KEY").''; if ($conf->global->MAIN_FEATURES_LEVEL >= 2) { - print ''; - print '   '.$langs->trans("Example").': we_xxxxxxxxxxxxxxxxxxxxxxxx
'; + print ''; + print '
'; } - print ''; - print '   '.$langs->trans("Example").': whsec_xxxxxxxxxxxxxxxxxxxxxxxx'; + print ''; $out = img_picto('', 'globe').' '.$langs->trans("ToOfferALinkForLiveWebhook").' '; $url = dol_buildpath('/public/stripe/ipn.php', 3); $out .= ''; @@ -319,7 +316,7 @@ if (empty($conf->stripeconnect->enabled)) { } //print $endpoint; } else { - print img_picto($langs->trans("inactive"), 'statut5'); + print img_picto($langs->trans("Inactive"), 'statut5'); } } print ''; diff --git a/htdocs/stripe/charge.php b/htdocs/stripe/charge.php index a3598f1d29f..c6a07593a04 100644 --- a/htdocs/stripe/charge.php +++ b/htdocs/stripe/charge.php @@ -52,6 +52,7 @@ $offset = $limit * $page; $pageprev = $page - 1; $pagenext = $page + 1; +$result = restrictedArea($user, 'banque'); /* diff --git a/htdocs/stripe/class/stripe.class.php b/htdocs/stripe/class/stripe.class.php index 9caf72c20e1..7f325090b5e 100644 --- a/htdocs/stripe/class/stripe.class.php +++ b/htdocs/stripe/class/stripe.class.php @@ -100,7 +100,7 @@ class Stripe extends CommonObject $sql .= " WHERE service = '".$this->db->escape($mode)."'"; $sql .= " AND entity = ".((int) $entity); if ($fk_soc > 0) { - $sql .= " AND fk_soc = ".$fk_soc; + $sql .= " AND fk_soc = ".((int) $fk_soc); } else { $sql .= " AND fk_soc IS NULL"; } diff --git a/htdocs/stripe/payout.php b/htdocs/stripe/payout.php index 68d3a759bf5..75c24ef0561 100644 --- a/htdocs/stripe/payout.php +++ b/htdocs/stripe/payout.php @@ -52,6 +52,7 @@ $offset = $limit * $page; $pageprev = $page - 1; $pagenext = $page + 1; +$result = restrictedArea($user, 'banque'); /* diff --git a/htdocs/stripe/transaction.php b/htdocs/stripe/transaction.php index cde14647061..0d43c830e8e 100644 --- a/htdocs/stripe/transaction.php +++ b/htdocs/stripe/transaction.php @@ -53,6 +53,8 @@ $pageprev = $page - 1; $pagenext = $page + 1; $optioncss = GETPOST('optioncss', 'alpha'); +$result = restrictedArea($user, 'banque'); + /* * View 
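Review bot: In charge.php, payout.php and transaction.php the new `$result = restrictedArea($user, 'banque');` stores a value that nothing in the hunk reads; if `restrictedArea()` terminates the request itself on denial, as its use elsewhere in Dolibarr suggests (outside this diff), the assignment is noise, otherwise the result must be checked. Either write `restrictedArea($user, 'banque');` alone or follow it with `if (!$result) { accessforbidden(); }`. The check sits after the pagination parameters are parsed; confirm that nothing earlier in these files (outside the hunk) already touches the database or the Stripe API before the permission is verified.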
diff --git a/htdocs/supplier_proposal/card.php b/htdocs/supplier_proposal/card.php index 1b10c92b0dc..92b43902405 100644 --- a/htdocs/supplier_proposal/card.php +++ b/htdocs/supplier_proposal/card.php @@ -118,6 +118,7 @@ $usercancreateorder = $user->rights->fournisseur->commande->creer; $permissionnote = $usercancreate; // Used by the include of actions_setnotes.inc.php $permissiondellink = $usercancreate; // Used by the include of actions_dellink.inc.php $permissiontoedit = $usercancreate; // Used by the include of actions_lineupdown.inc.php +$permissiontoadd = $usercancreate; /* @@ -485,7 +486,6 @@ if (empty($reshook)) { // Actions to build doc $upload_dir = $conf->supplier_proposal->dir_output; - $permissiontoadd = $usercancreate; include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php'; @@ -505,9 +505,9 @@ if (empty($reshook)) { $object->generateDocument($object->model_pdf, $outputlangs, $hidedetails, $hidedesc, $hideref); } } elseif ($action == "setabsolutediscount" && $usercancreate) { - if ($_POST["remise_id"]) { + if (GETPOST("remise_id", 'int')) { if ($object->id > 0) { - $result = $object->insert_discount($_POST["remise_id"]); + $result = $object->insert_discount(GETPOST("remise_id", 'int')); if ($result < 0) { setEventMessages($object->error, $object->errors, 'errors'); } diff --git a/htdocs/supplier_proposal/class/api_supplier_proposals.class.php b/htdocs/supplier_proposal/class/api_supplier_proposals.class.php index 953f1d274fe..1368cce7811 100644 --- a/htdocs/supplier_proposal/class/api_supplier_proposals.class.php +++ b/htdocs/supplier_proposal/class/api_supplier_proposals.class.php 
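Review bot: The `setabsolutediscount` branch now calls `GETPOST("remise_id", 'int')` twice, once in the condition and again as the argument to `insert_discount()`; read it once and test the local, `$remise_id = GETPOST('remise_id', 'int'); if ($remise_id > 0) { ... $object->insert_discount($remise_id); }`. The `> 0` test also rejects a negative id, which the current truthiness test lets through. The enclosing action chain continues outside the hunk.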
@@ -124,14 +124,14 @@ class Supplierproposals extends DolibarrApi $sql .= " AND t.fk_soc = sc.fk_soc"; } if ($socids) { - $sql .= " AND t.fk_soc IN (".$socids.")"; + $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")"; } if ($search_sale > 0) { $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale } // Insert sale filter if ($search_sale > 0) { - $sql .= " AND sc.fk_user = ".$search_sale; + $sql .= " AND sc.fk_user = ".((int) $search_sale); } // Add sql filters if ($sqlfilters) { diff --git a/htdocs/supplier_proposal/class/supplier_proposal.class.php b/htdocs/supplier_proposal/class/supplier_proposal.class.php index 78b1df5f6a4..158829ea425 100644 --- a/htdocs/supplier_proposal/class/supplier_proposal.class.php +++ b/htdocs/supplier_proposal/class/supplier_proposal.class.php @@ -1209,9 +1209,9 @@ class SupplierProposal extends CommonObject $sql .= " WHERE p.fk_statut = c.id"; $sql .= " AND p.entity IN (".getEntity('supplier_proposal').")"; if ($ref) { - $sql .= " AND p.ref='".$ref."'"; + $sql .= " AND p.ref = '".$this->db->escape($ref)."'"; } else { - $sql .= " AND p.rowid=".$rowid; + $sql .= " AND p.rowid = ".((int) $rowid); } dol_syslog(get_class($this)."::fetch", LOG_DEBUG); diff --git a/htdocs/supplier_proposal/contact.php b/htdocs/supplier_proposal/contact.php index 527ba87cb3e..d106ce0506f 100644 --- a/htdocs/supplier_proposal/contact.php +++ b/htdocs/supplier_proposal/contact.php @@ -58,7 +58,7 @@ if ($action == 'addcontact' && $permissiontoedit) { if ($result > 0 && $id > 0) { $contactid = (GETPOST('userid') ? GETPOST('userid') : GETPOST('contactid')); - $result = $object->add_contact($contactid, $_POST["type"], $_POST["source"]); + $result = $object->add_contact($contactid, GETPOST("type"), GETPOST("source")); } if ($result >= 0) { diff --git a/htdocs/supplier_proposal/list.php b/htdocs/supplier_proposal/list.php index 3ad210b2f77..6851bbb4021 100644 --- a/htdocs/supplier_proposal/list.php 
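Review bot: The new `add_contact()` call in contact.php replaces the raw `$_POST` reads with `GETPOST("type")` and `GETPOST("source")` but passes no check type, so it relies on GETPOST's default filter rather than the explicit checks this commit adds everywhere else; the `$contactid` line just above has the same gap with `GETPOST('userid')` / `GETPOST('contactid')`. Use `GETPOST('userid', 'int')`, `GETPOST('contactid', 'int')`, and `GETPOST('type', 'alpha')` / `GETPOST('source', 'alpha')` for the string arguments. Whether `add_contact()` casts or escapes its arguments before building SQL is not visible here, so the input filter is the layer to rely on.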
+++ b/htdocs/supplier_proposal/list.php @@ -329,10 +329,10 @@ if ($search_state) { $sql .= natural_search("state.nom", $search_state); } if ($search_country) { - $sql .= " AND s.fk_pays IN (".$search_country.')'; + $sql .= " AND s.fk_pays IN (".$db->sanitize($search_country).')'; } if ($search_type_thirdparty != '' && $search_type_thirdparty > 0) { - $sql .= " AND s.fk_typent IN (".$search_type_thirdparty.')'; + $sql .= " AND s.fk_typent IN (".$db->sanitize($search_type_thirdparty).')'; } if ($search_ref) { $sql .= natural_search('sp.ref', $search_ref); diff --git a/htdocs/takepos/admin/other.php b/htdocs/takepos/admin/other.php index 7d0ce8897e3..f933472a443 100644 --- a/htdocs/takepos/admin/other.php +++ b/htdocs/takepos/admin/other.php @@ -63,9 +63,6 @@ if ($resql) { if (GETPOST('action', 'alpha') == 'set') { $db->begin(); - if (GETPOST('socid', 'int') < 0) { - $_POST["socid"] = ''; - } $res = dolibarr_set_const($db, "CASHDESK_SERVICES", GETPOST('CASHDESK_SERVICES', 'alpha'), 'chaine', 0, '', $conf->entity); $res = dolibarr_set_const($db, "TAKEPOS_ROOT_CATEGORY_ID", GETPOST('TAKEPOS_ROOT_CATEGORY_ID', 'alpha'), 'chaine', 0, '', $conf->entity); diff --git a/htdocs/takepos/admin/setup.php b/htdocs/takepos/admin/setup.php index 67bc8edcdf3..0364ff4e64f 100644 --- a/htdocs/takepos/admin/setup.php +++ b/htdocs/takepos/admin/setup.php @@ -70,9 +70,6 @@ $error = 0; if ($action == 'set') { $db->begin(); - if (GETPOST('socid', 'int') < 0) { - $_POST["socid"] = ''; - } $res = dolibarr_set_const($db, "TAKEPOS_ROOT_CATEGORY_ID", GETPOST('TAKEPOS_ROOT_CATEGORY_ID', 'alpha'), 'chaine', 0, '', $conf->entity); $res = dolibarr_set_const($db, "TAKEPOS_SUPPLEMENTS_CATEGORY", GETPOST('TAKEPOS_SUPPLEMENTS_CATEGORY', 'alpha'), 'chaine', 0, '', $conf->entity); diff --git a/htdocs/takepos/admin/terminal.php b/htdocs/takepos/admin/terminal.php index 3e5bb4ccc46..52f451ae163 100644 --- a/htdocs/takepos/admin/terminal.php +++ b/htdocs/takepos/admin/terminal.php 
@@ -67,9 +67,6 @@ $terminaltouse = $terminal; if (GETPOST('action', 'alpha') == 'set') { $db->begin(); - if (GETPOST('socid', 'int') < 0) { - $_POST["socid"] = ''; - } $res = dolibarr_set_const($db, "CASHDESK_ID_THIRDPARTY".$terminaltouse, (GETPOST('socid', 'int') > 0 ? GETPOST('socid', 'int') : ''), 'chaine', 0, '', $conf->entity); diff --git a/htdocs/takepos/ajax/ajax.php b/htdocs/takepos/ajax/ajax.php index c9cdb681267..0ccdeb86b9b 100644 --- a/htdocs/takepos/ajax/ajax.php +++ b/htdocs/takepos/ajax/ajax.php @@ -111,7 +111,7 @@ if ($action == 'getProducts') { $sql = 'SELECT rowid, ref, label, tosell, tobuy, barcode, price FROM '.MAIN_DB_PREFIX.'product as p'; $sql .= ' WHERE entity IN ('.getEntity('product').')'; if ($filteroncategids) { - $sql .= ' AND EXISTS (SELECT cp.fk_product FROM '.MAIN_DB_PREFIX.'categorie_product as cp WHERE cp.fk_product = p.rowid AND cp.fk_categorie IN ('.$filteroncategids.'))'; + $sql .= ' AND EXISTS (SELECT cp.fk_product FROM '.MAIN_DB_PREFIX.'categorie_product as cp WHERE cp.fk_product = p.rowid AND cp.fk_categorie IN ('.$db->sanitize($filteroncategids).'))'; } $sql .= ' AND tosell = 1'; $sql .= natural_search(array('ref', 'label', 'barcode'), $term); diff --git a/htdocs/takepos/invoice.php b/htdocs/takepos/invoice.php index 7fd162c5fbd..669b37bf806 100644 --- a/htdocs/takepos/invoice.php +++ b/htdocs/takepos/invoice.php @@ -1419,7 +1419,7 @@ if ($placeid > 0) { $sql .= " ".MAIN_DB_PREFIX."product_stock as ps"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = ps.fk_product"; $sql .= " WHERE ps.reel != 0"; - $sql .= " AND ps.fk_entrepot = ".$conf->global->$constantforkey; + $sql .= " AND ps.fk_entrepot = ".((int) $conf->global->$constantforkey); $sql .= " AND e.entity IN (".getEntity('stock').")"; $sql .= " AND ps.fk_product = ".$line->fk_product; $resql = $db->query($sql); diff --git a/htdocs/theme/eldy/badges.inc.php b/htdocs/theme/eldy/badges.inc.php index f3f311eccca..dcb61499b63 100644 
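Review bot: In the takepos/invoice.php hunk the line directly under the changed one, `$sql .= " AND ps.fk_product = ".$line->fk_product;`, is still concatenated without a cast while the warehouse id now gets `(int)`; `$line->fk_product` comes from a loaded line rather than the request, but the query should be uniformly typed: `$sql .= " AND ps.fk_product = ".((int) $line->fk_product);`. Note also that when `$conf->global->$constantforkey` is unset the cast yields `fk_entrepot = 0`, which silently matches nothing; if that case is not handled earlier (outside the hunk) a guard on the constant being `> 0` would make the intent explicit. The enclosing block starts and ends outside the hunk.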
--- a/htdocs/theme/eldy/badges.inc.php +++ b/htdocs/theme/eldy/badges.inc.php @@ -205,7 +205,7 @@ a.badge-dark:focus, a.badge-dark:hover { /* STATUS BADGES */ em; + margin: 0em em; padding: 0.6em em; display: inline-block; text-align: center; diff --git a/htdocs/theme/eldy/global.inc.php b/htdocs/theme/eldy/global.inc.php index 6549a4d38cb..62d040f2aff 100644 --- a/htdocs/theme/eldy/global.inc.php +++ b/htdocs/theme/eldy/global.inc.php @@ -364,6 +364,9 @@ td.rightborder { border-right: 1px solid #ccc; } +td.amount { + color: #006666; +} td.actionbuttons a { padding-left: 6px; } @@ -574,7 +577,9 @@ button[name='button_removefilter_x'] span.fa.fa-remove { button:focus { outline: none; } - +.fa-info-circle { + padding-: 3px; +} th .button { -webkit-box-shadow: none !important; @@ -762,6 +767,19 @@ textarea.centpercent { max-width: 100%; overflow-y: auto; } +div.urllink { + padding: 10px; + margin-top: 5px; + margin-bottom: 5px; + //border: 1px solid #ccc; + border-radius: 5px; + width: fit-content; + background-color: #eee; + opacity: 0.8; +} +div.urllink, div.urllink a { + color: #339 !important; +} i.fa-mars::before, i.fa-venus::before, i.fa-genderless::before { color: #888 !important; @@ -1086,6 +1104,18 @@ select.flat.selectlimit { text-overflow: ellipsis; white-space: nowrap; } +.tdoverflowmax400 { /* For tdoverflow, the max-midth become a minimum ! */ + max-width: 400px; + overflow: hidden; + text-overflow: ellipsis; + white-space: nowrap; +} +.tdoverflowmax500 { /* For tdoverflow, the max-midth become a minimum ! */ + max-width: 500px; + overflow: hidden; + text-overflow: ellipsis; + white-space: nowrap; +} .tdoverflowauto { max-width: 0; overflow: auto; 
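Review bot: The new `div.urllink` rule contains `//border: 1px solid #ccc;`, but CSS has no line comments; browsers drop the malformed declaration up to the next `;`, so it happens to be harmless here, yet it is invalid syntax and a trap if a later edit removes that semicolon. Either delete the line or write it as a block comment, `/* border: 1px solid #ccc; */`.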
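Review bot: The comments on the new `.tdoverflowmax400` and `.tdoverflowmax500` rules read `the max-midth become a minimum !`, a typo copied onto both lines. Fix it in both places as `/* For tdoverflow, the max-width becomes a minimum! */`.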
@@ -6258,12 +6288,6 @@ div.tabsElem a.tab { /* POS */ /* ============================================================================== */ -.menu_choix1 a { - background: url('') top left no-repeat; -} -.menu_choix2 a { - background: url('') top left no-repeat; -} .menu_choix1,.menu_choix2 { font-size: 1.4em; text-align: left; @@ -6275,7 +6299,7 @@ div.tabsElem a.tab { color: #fff; text-decoration: none; padding-top: 18px; - padding-left: 54px; + padding-left: 10px; font-size: 14px; height: 38px; } diff --git a/htdocs/theme/eldy/theme_vars.inc.php b/htdocs/theme/eldy/theme_vars.inc.php index 8bb2fd3bbca..82cbf9cf2a9 100644 --- a/htdocs/theme/eldy/theme_vars.inc.php +++ b/htdocs/theme/eldy/theme_vars.inc.php @@ -114,6 +114,7 @@ $badgeStatus6 = '#cad2d2'; $badgeStatus7 = '#25a580'; $badgeStatus8 = '#993013'; $badgeStatus9 = '#e7f0f0'; +$badgeStatus10 = '#993013'; // status color ajustement for color blind $colorblind_deuteranopes_badgeStatus4 = $colorblind_deuteranopes_badgeStatus7 = $colorblind_deuteranopes_badgeSuccess; //! text color black diff --git a/htdocs/theme/md/badges.inc.php b/htdocs/theme/md/badges.inc.php index 7dd0229ae46..fd1b1122a17 100644 --- a/htdocs/theme/md/badges.inc.php +++ b/htdocs/theme/md/badges.inc.php @@ -1,7 +1,8 @@ +} +?> /*