From 56d78cf12a4e57ab23868ce7caf9eda017727fa0 Mon Sep 17 00:00:00 2001
From: Quentin VIAL-GOUTEYRON
Date: Wed, 12 May 2021 11:02:27 +0200
Subject: [PATCH 01/34] FIX missing town and zip filter in contract list sql request

---
 htdocs/contrat/list.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/htdocs/contrat/list.php b/htdocs/contrat/list.php
index a7b5114501f..96754e639fd 100644
--- a/htdocs/contrat/list.php
+++ b/htdocs/contrat/list.php
@@ -256,6 +256,8 @@ if ($search_email) $sql .= natural_search('s.email', $search_email);
 if ($search_contract) $sql .= natural_search(array('c.rowid', 'c.ref'), $search_contract);
 if (!empty($search_ref_customer)) $sql .= natural_search(array('c.ref_customer'), $search_ref_customer);
 if (!empty($search_ref_supplier)) $sql .= natural_search(array('c.ref_supplier'), $search_ref_supplier);
+if ($search_zip) $sql .= natural_search(array('s.zip'), $search_zip);
+if ($search_town) $sql .= natural_search(array('s.town'), $search_town);
 if ($search_sale > 0) {
 $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$search_sale;
From 57732d4265f36bfb1c80c50c8ad9c39b3819a1f1 Mon Sep 17 00:00:00 2001
From: gmilad <61253440+gmilad@users.noreply.github.com>
Date: Tue, 18 May 2021 19:45:15 +0200
Subject: [PATCH 02/34] Fix issue #17608 for branch 10

Fix issue #17608 for branch 10
---
 htdocs/admin/translation.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/admin/translation.php b/htdocs/admin/translation.php
index 2a9983d95b1..1a3fa4d4122 100644
--- a/htdocs/admin/translation.php
+++ b/htdocs/admin/translation.php
@@ -200,7 +200,7 @@ if ($action == 'delete')
 $form = new Form($db);
 $formadmin = new FormAdmin($db);
-$wikihelp='EN:Setup|FR:Paramétrage|ES:Configuración';
+$wikihelp = 'EN:Setup_Translation|FR:Paramétrage_Traduction|ES:Configuración_Traducción';
 llxHeader('', $langs->trans("Setup"), $wikihelp);
 $param='&mode='.$mode;
From 4bb18db90516bd71c43685c71131b3a1742af23d Mon Sep 17 00:00:00 2001
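Review bot: The two new filters use a bare truthiness test (`if ($search_zip)`) while the two lines directly above use `!empty()`; both forms silently drop a value of `"0"`, which is unlikely to matter for a town but the inconsistency should be settled one way, and `if (!empty($search_zip))` would match its neighbours. A filter appended to `$sql` on a Dolibarr list page also has to be carried in `$param` (the pagination and sort links) and rendered in the column search inputs, otherwise the zip/town filter vanishes as soon as the user pages or re-sorts; whether `$search_zip`/`$search_town` were added there is outside this hunk, so please confirm. Where those variables are read is not visible either — presumably `GETPOST('search_zip', 'alpha')` further up, with `natural_search()` doing the SQL escaping — so the note assumes that. The adjacent context line concatenates `$search_sale` into the SQL guarded only by `> 0`; writing it as `((int) $search_sale)` would make the numeric intent explicit.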
From: gmilad <61253440+gmilad@users.noreply.github.com> Date: Tue, 18 May 2021 19:53:35 +0200 Subject: [PATCH 03/34] Fix issue #17608 for branch 11 Fix issue #17608 for branch 11 --- htdocs/admin/translation.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/admin/translation.php b/htdocs/admin/translation.php index c641be11a59..23c2a69c127 100644 --- a/htdocs/admin/translation.php +++ b/htdocs/admin/translation.php @@ -197,7 +197,7 @@ if ($action == 'delete') $form = new Form($db); $formadmin = new FormAdmin($db); -$wikihelp = 'EN:Setup|FR:Paramétrage|ES:Configuración'; +$wikihelp = 'EN:Setup_Translation|FR:Paramétrage_Traduction|ES:Configuración_Traducción'; llxHeader('', $langs->trans("Setup"), $wikihelp); $param = '&mode='.$mode; From e2e6d4ba14434f52b8385bbbca5580250c6e3cc9 Mon Sep 17 00:00:00 2001 From: lvessiller Date: Wed, 19 May 2021 14:29:46 +0200 Subject: [PATCH 04/34] FIX keep special code on supplier order lines for external modules --- htdocs/fourn/commande/card.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/htdocs/fourn/commande/card.php b/htdocs/fourn/commande/card.php index 0b7eb338b69..ef127e84811 100644 --- a/htdocs/fourn/commande/card.php +++ b/htdocs/fourn/commande/card.php @@ -1239,6 +1239,8 @@ if (empty($reshook)) $tva_tx = get_default_tva($soc, $mysoc, $lines[$i]->fk_product, $product_fourn_price_id); } + $object->special_code = $lines[$i]->special_code; + $result = $object->addline( $desc, $lines[$i]->subprice, From 625aab34d648ea2dc54d9fd6da82fa9340c8bd70 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 20 May 2021 15:30:33 +0200 Subject: [PATCH 05/34] Fix phpcs --- htdocs/product/class/product.class.php | 2 +- htdocs/societe/class/societe.class.php | 2 +- htdocs/user/list.php | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php index 5130db9cd2f..511331e6008 100644 
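Review bot: Setting `$object->special_code` on the order object to pass a per-line value into `addline()` leaves that value on `$object` after the loop, so any later `addline()` on the same object that does not set it again inherits the last copied line's special code; the loop this sits in starts and ends outside the hunk, so I cannot see whether anything resets it. If `addline()` accepts `special_code` as a parameter (several Dolibarr objects do, but the signature is not visible here), passing it explicitly is safer than the object-level side channel; otherwise add `// addline() reads special_code from $object; cleared after the loop` and reset it once the loop finishes. Note also that `$lines[$i]->special_code` is copied without a default, so a source line with no special_code stores null rather than 0 — confirm that is what the insert expects.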
--- a/htdocs/product/class/product.class.php +++ b/htdocs/product/class/product.class.php @@ -1645,7 +1645,7 @@ class Product extends CommonObject $testExit = array('multiprices','multiprices_ttc','multiprices_base_type','multiprices_min','multiprices_min_ttc','multiprices_tva_tx','multiprices_recuperableonly'); - foreach ($testExit as $field){ + foreach ($testExit as $field) { if (!isset($this->$field[$level])) { return array(); } diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php index 6def79ac36d..8a8dea9f7e3 100644 --- a/htdocs/societe/class/societe.class.php +++ b/htdocs/societe/class/societe.class.php @@ -3363,7 +3363,7 @@ class Societe extends CommonObject * @param int $counter Counter to protect against infinite loops * @return int <0 if KO, 0 if OK or 1 if at some level a parent company was the child to compare to */ - public function validateFamilyTree($idparent, $idchild, $counter = 0) + public function validateFamilyTree($idparent, $idchild, $counter = 0) { if ($counter > 100) { dol_syslog("Too high level of parent - child for company. May be an infinite loop ?", LOG_WARNING); diff --git a/htdocs/user/list.php b/htdocs/user/list.php index ed1d2ae3dea..d5df7ced259 100644 --- a/htdocs/user/list.php +++ b/htdocs/user/list.php @@ -931,7 +931,7 @@ while ($i < ($limit ? min($num, $limit) : $num)) { $totalarray['nbfield']++; } } - + if (!empty($arrayfields['u.office_phone']['checked'])) { print "".dol_print_phone($obj->office_phone, $obj->country_code, 0, $obj->rowid, 'AC_TEL', ' ', 'phone')."\n"; if (!$i) { From ab4ae85eb80982ed1f1959842ca85888e9a62544 Mon Sep 17 00:00:00 2001 From: Dorian Vabre Date: Thu, 20 May 2021 16:33:04 +0200 Subject: [PATCH 06/34] fix: getpost exportagenda apha to alpha --- htdocs/public/agenda/agendaexport.php | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) 
diff --git a/htdocs/public/agenda/agendaexport.php b/htdocs/public/agenda/agendaexport.php
index d40d75c0acf..2aaeb12de23 100644
--- a/htdocs/public/agenda/agendaexport.php
+++ b/htdocs/public/agenda/agendaexport.php
@@ -96,9 +96,9 @@ if (!isset($conf->global->MAIN_AGENDA_EXPORT_PAST_DELAY)) {
 $format = 'ical';
 $type = 'event';
 if (GETPOST("format", 'alpha')) {
- $format = GETPOST("format", 'apha');
+ $format = GETPOST("format", 'alpha');
 }
-if (GETPOST("type", 'apha')) {
+if (GETPOST("type", 'alpha')) {
 $type = GETPOST("type", 'alpha');
 }
@@ -115,20 +115,20 @@ if (GETPOST("idfrom", 'int')) {
 if (GETPOST("idto", 'int')) {
 $filters['idto'] = GETPOST("idto", 'int');
 }
-if (GETPOST("project", 'apha')) {
- $filters['project'] = GETPOST("project", 'apha');
+if (GETPOST("project", 'alpha')) {
+ $filters['project'] = GETPOST("project", 'alpha');
 }
-if (GETPOST("logina", 'apha')) {
- $filters['logina'] = GETPOST("logina", 'apha');
+if (GETPOST("logina", 'alpha')) {
+ $filters['logina'] = GETPOST("logina", 'alpha');
 }
-if (GETPOST("logint", 'apha')) {
- $filters['logint'] = GETPOST("logint", 'apha');
+if (GETPOST("logint", 'alpha')) {
+ $filters['logint'] = GETPOST("logint", 'alpha');
 }
-if (GETPOST("notactiontype", 'apha')) {
- $filters['notactiontype'] = GETPOST("notactiontype", 'apha');
+if (GETPOST("notactiontype", 'alpha')) {
+ $filters['notactiontype'] = GETPOST("notactiontype", 'alpha');
 }
-if (GETPOST("actiontype", 'apha')) {
- $filters['actiontype'] = GETPOST("actiontype", 'apha');
+if (GETPOST("actiontype", 'alpha')) {
+ $filters['actiontype'] = GETPOST("actiontype", 'alpha');
 }
 if (GETPOST("notolderthan", 'int')) {
 $filters['notolderthan'] = GETPOST("notolderthan", "int");
From c561669edf0ad3f3374aa8183e36d6a3bf4243b6 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 20 May 2021 17:02:22 +0200
Subject: [PATCH 07/34] Code comment

---
 htdocs/admin/system/security.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
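Review bot: Correcting `'apha'` to `'alpha'` is right, but the important question is what `GETPOST()` did with an unrecognized check name: if it fell back to returning the raw value, then `format`, `project`, `logina`, `logint`, `actiontype` and `notactiontype` reached the export filters unsanitized until this commit, which deserves a line in the commit message and a regression test; GETPOST's fallback behaviour is not visible here, so please confirm which it was. `'alpha'` is a sanitizer, not a whitelist — `$format` and `$type` still accept any alphabetic string — so after reading them compare against the formats and types the exporter actually implements and fall back to the defaults otherwise, e.g. `if (!in_array($format, $allowedformats, true)) { $format = 'ical'; }`. Because this file lives under `public/` it is reachable without a session, which is why a whitelist matters more here than on an authenticated page.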
diff --git a/htdocs/admin/system/security.php b/htdocs/admin/system/security.php index 36f08309e02..a4060634ff9 100644 --- a/htdocs/admin/system/security.php +++ b/htdocs/admin/system/security.php @@ -155,7 +155,7 @@ print ''.$langs->trans("PermissionsOnFilesInWebRoot").': '; $arrayoffilesinroot = dol_dir_list(DOL_DOCUMENT_ROOT, 'all', 1, '', array('\/custom'), 'name', SORT_ASC, 4, 1, '', 1); $fileswithwritepermission = array(); foreach ($arrayoffilesinroot as $fileinroot) { - // Test permission on file + // Test if there is at least one write permission file. If yes, add the entry into array $fileswithwritepermission if ($fileinroot['perm'] & 0222) { $fileswithwritepermission[] = $fileinroot['relativename']; } From 7833ac8fb0181a7377dd277b7f00dcf8a10b1dbe Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 20 May 2021 17:53:28 +0200 Subject: [PATCH 08/34] Code comment --- htdocs/master.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/master.inc.php b/htdocs/master.inc.php index e38ddf9b93c..00cfcf842d5 100644 --- a/htdocs/master.inc.php +++ b/htdocs/master.inc.php @@ -230,7 +230,7 @@ if (!defined('NOREQUIREDB') && !defined('NOREQUIRESOC')) { // Set default language (must be after the setValues setting global $conf->global->MAIN_LANG_DEFAULT. Page main.inc.php will overwrite langs->defaultlang with user value later) if (!defined('NOREQUIRETRAN')) { $langcode = (GETPOST('lang', 'aZ09') ? GETPOST('lang', 'aZ09', 1) : (empty($conf->global->MAIN_LANG_DEFAULT) ? 'auto' : $conf->global->MAIN_LANG_DEFAULT)); - if (defined('MAIN_LANG_DEFAULT')) { + if (defined('MAIN_LANG_DEFAULT')) { // So a page can force the language whatever is setup and parameters in URL $langcode = constant('MAIN_LANG_DEFAULT'); } $langs->setDefaultLang($langcode); From cfd035e1deadc583247f3faf9750c916fd4783fd Mon Sep 17 00:00:00 2001 
From: Laurent Destailleur Date: Thu, 20 May 2021 21:25:36 +0200 Subject: [PATCH 09/34] css --- htdocs/compta/bank/card.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/htdocs/compta/bank/card.php b/htdocs/compta/bank/card.php index 30aa32a8d58..3b658f0c793 100644 --- a/htdocs/compta/bank/card.php +++ b/htdocs/compta/bank/card.php @@ -340,7 +340,7 @@ if ($action == 'create') { print dol_get_fiche_head(''); - print ''; + print '
'; // Ref print ''; @@ -835,7 +835,7 @@ if ($action == 'create') { //print '
'; - print '
'.$langs->trans("Ref").'
'; + print '
'; // Ref print ''; @@ -925,7 +925,7 @@ if ($action == 'create') { // Tags-Categories if ($conf->categorie->enabled) { - print ''; - print ''; - - print ''; + print ''."\n"; print ''; print_liste_field_titre("AccountAccounting", $_SERVER['PHP_SELF'], "t.numero_compte", "", $param, "", $sortfield, $sortorder); @@ -298,8 +319,14 @@ if ($action != 'export_csv') { print_liste_field_titre("Debit", $_SERVER['PHP_SELF'], "t.debit", "", $param, 'class="right"', $sortfield, $sortorder); print_liste_field_titre("Credit", $_SERVER['PHP_SELF'], "t.credit", "", $param, 'class="right"', $sortfield, $sortorder); print_liste_field_titre("Balance", $_SERVER["PHP_SELF"], "", $param, "", 'class="right"', $sortfield, $sortorder); - print_liste_field_titre('', $_SERVER["PHP_SELF"], "", $param, "", 'width="60" class="center"', $sortfield, $sortorder); - print "\n"; + + // Hook fields + $parameters = array('arrayfields'=>$arrayfields, 'param'=>$param, 'sortfield'=>$sortfield, 'sortorder'=>$sortorder); + $reshook = $hookmanager->executeHooks('printFieldListTitle', $parameters, $object); // Note that $action and $object may have been modified by hook + print $hookmanager->resPrint; + // Action column + print getTitleFieldOfList($selectedfields, 0, $_SERVER["PHP_SELF"], '', '', '', '', $sortfield, $sortorder, 'center maxwidthsearch ')."\n"; + print ''."\n"; $total_debit = 0; $total_credit = 0; From fbe491c4da728ed5ac85fa0eb4bf9f63d707fff8 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 21 May 2021 12:17:56 +0200 Subject: [PATCH 11/34] FIX CWE-79 huntr --- htdocs/main.inc.php | 32 ++++++++++++++------------------ test/phpunit/SecurityTest.php | 4 ++++ 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 7b40647ebcb..40bb38a54f7 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php 
@@ -142,27 +142,23 @@ function testSqlAndScriptInject($val, $type)
 }
 $inj += preg_match('/base\s+href/si', $val);
 $inj += preg_match('/=data:/si', $val);
- // List of dom events is on https://www.w3schools.com/jsref/dom_obj_event.asp
- $inj += preg_match('/onmouse([a-z]*)\s*=/i', $val); // onmousexxx can be set on img or any html tag like
- $inj += preg_match('/ondrag([a-z]*)\s*=/i', $val); //
- $inj += preg_match('/ontouch([a-z]*)\s*=/i', $val); //
- $inj += preg_match('/on(abort|afterprint|beforeprint|beforeunload|blur|canplay|canplaythrough|change|click|contextmenu|copy|cut)\s*=/i', $val);
- $inj += preg_match('/on(dblclick|drop|durationchange|ended|error|focus|focusin|focusout|hashchange|input|invalid)\s*=/i', $val);
- $inj += preg_match('/on(keydown|keypress|keyup|load|loadeddata|loadedmetadata|loadstart|loadend|offline|online|pagehide|pageshow)\s*=/i', $val);
- $inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|resize|reset|scroll|search|seeking|select|show|stalled|start|submit|suspend)\s*=/i', $val);
- $inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting)\s*=/i', $val);
+ // List of dom events is on https://www.w3schools.com/jsref/dom_obj_event.asp and https://developer.mozilla.org/en-US/docs/Web/API/GlobalEventHandlers
+ $inj += preg_match('/on(mouse|drag|key|load|touch|pointer|select|transition)([a-z]*)\s*=/i', $val); // onmousexxx can be set on img or any html tag like
+ $inj += preg_match('/on(abort|afterprint|animation|auxclick|beforeprint|beforeunload|blur|cancel|canplay|canplaythrough|change|click|close|contextmenu|cuechange|copy|cut)\s*=/i', $val);
+ $inj += preg_match('/on(lostpointercapture|dblclick|drop|durationchange|ended|error|focus|focusin|focusout|formdata|gotpointercapture|hashchange|input|invalid)\s*=/i', $val);
+ $inj += preg_match('/on(offline|online|pagehide|pageshow)\s*=/i', $val);
+ $inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|reset|resize|scroll|search|seeking|show|stalled|start|submit|suspend)\s*=/i', $val);
+ $inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting|wheel)\s*=/i', $val);
 // We refuse html into html because some hacks try to obfuscate evil strings by inserting HTML into HTML. Example: error=alert(1) to bypass test on onerror
 $tmpval = preg_replace('/<[^<]+>/', '', $val);
- // List of dom events is on https://www.w3schools.com/jsref/dom_obj_event.asp
- $inj += preg_match('/onmouse([a-z]*)\s*=/i', $tmpval); // onmousexxx can be set on img or any html tag like
- $inj += preg_match('/ondrag([a-z]*)\s*=/i', $tmpval); //
- $inj += preg_match('/ontouch([a-z]*)\s*=/i', $tmpval); //
- $inj += preg_match('/on(abort|afterprint|beforeprint|beforeunload|blur|canplay|canplaythrough|change|click|contextmenu|copy|cut)\s*=/i', $tmpval);
- $inj += preg_match('/on(dblclick|drop|durationchange|ended|error|focus|focusin|focusout|hashchange|input|invalid)\s*=/i', $tmpval);
- $inj += preg_match('/on(keydown|keypress|keyup|load|loadeddata|loadedmetadata|loadstart|loadend|offline|online|pagehide|pageshow)\s*=/i', $tmpval);
- $inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|resize|reset|scroll|search|seeking|select|show|stalled|start|submit|suspend)\s*=/i', $tmpval);
- $inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting)\s*=/i', $tmpval);
+ // List of dom events is on https://www.w3schools.com/jsref/dom_obj_event.asp and https://developer.mozilla.org/en-US/docs/Web/API/GlobalEventHandlers
+ $inj += preg_match('/on(mouse|drag|key|load|touch|pointer|select|transition)([a-z]*)\s*=/i', $val); // onmousexxx can be set on img or any html tag like
+ $inj += preg_match('/on(abort|afterprint|animation|auxclick|beforeprint|beforeunload|blur|cancel|canplay|canplaythrough|change|click|close|contextmenu|cuechange|copy|cut)\s*=/i', $tmpval);
+ $inj += preg_match('/on(dblclick|drop|durationchange|ended|error|focus|focusin|focusout|formdata|gotpointercapture|hashchange|input|invalid)\s*=/i', $tmpval);
+ $inj += preg_match('/on(lostpointercapture|offline|online|pagehide|pageshow)\s*=/i', $tmpval);
+ $inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|reset|resize|scroll|search|seeking|show|stalled|start|submit|suspend)\s*=/i', $tmpval);
+ $inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting|wheel)\s*=/i', $tmpval);
 //$inj += preg_match('/on[A-Z][a-z]+\*=/', $val); // To lock event handlers onAbort(), ...
 $inj += preg_match('/:|:|:/i', $val); // refused string ':' encoded (no reason to have it encoded) to lock 'javascript:...'
diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php
index bd4d0e9b76d..944d4f4cbe5 100644
--- a/test/phpunit/SecurityTest.php
+++ b/test/phpunit/SecurityTest.php
@@ -302,6 +302,10 @@ class SecurityTest extends PHPUnit\Framework\TestCase
 $test="rror=alert(document.location)";
 $result=testSqlAndScriptInject($test, 0);
 $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject kkk');
+
+ $test="XSS";
+ $result=testSqlAndScriptInject($test, 0);
+ $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject lll');
 }
 /**
From a5001899ebe2f34526fa44bcacca557d5f245058 Mon Sep 17 00:00:00 2001
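Review bot: In the second group of checks — the one meant to run on `$tmpval`, the copy of the input with HTML tags stripped — the first new line still tests `$val`: `$inj += preg_match('/on(mouse|drag|key|load|touch|pointer|select|transition)([a-z]*)\s*=/i', $val);`. That is exactly the obfuscation the comment above describes (`on<x>load=` collapses to `onload=` only in `$tmpval`), so for the mouse/drag/key/load/touch/pointer/select/transition handlers the tag-stripping defense is a no-op; the argument should be `$tmpval` like the five lines that follow it. More broadly this is a hand-maintained denylist of handler names and every browser release adds new `on*` attributes; the commented-out catch-all just below shows a generic rule was once considered, and a single `$inj += preg_match('/\bon[a-z]+\s*=/i', $tmpval);` would close the whole class, with an explicit allowlist of benign words if false positives appear. The added PHPUnit case (its payload is not legible here) would be the natural place to pin the `$tmpval` path with an input that only matches after tag stripping.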
From: UT from dolibit <45215329+dolibit-ut@users.noreply.github.com> Date: Fri, 21 May 2021 13:32:09 +0200 Subject: [PATCH 12/34] Update llx_00_c_country.sql MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Nouvelle-Calédonie -> New Caledonia Nouvelle-Zélande -> New Zealand Nicaragua = Nicaragua Niger = Niger Nigeria = Nigeria Nioué -> Niue Ile Norfolk -> Norfolk Island Mariannes du Nord -> Northern Mariana Islands Norvège -> Norway Oman = Oman Pakistan = Pakistan Palaos -> Palau Territoire Palestinien Occupé -> Palestinian territories Panama = Panama Papouasie-Nouvelle-Guinée -> Papua New Guinea Paraguay = Paraguay Peru = Peru Philippines = Philippines Iles Pitcairn -> Pitcairn Islands Pologne -> Poland Porto Rico -> Puerto Rico Qatar = Qatar --- .../install/mysql/data/llx_00_c_country.sql | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/htdocs/install/mysql/data/llx_00_c_country.sql b/htdocs/install/mysql/data/llx_00_c_country.sql index bc09a7fd1f6..677447f1af2 100644 --- a/htdocs/install/mysql/data/llx_00_c_country.sql +++ b/htdocs/install/mysql/data/llx_00_c_country.sql 
@@ -194,27 +194,27 @@ INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (40 INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (300,'CW','CUW','Curaçao',1,0); INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (301,'SX','SXM','Sint Maarten',1,0); --End of antilles nederland -INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (165,'NC','NCL','Nouvelle-Calédonie',1,0); -INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (166,'NZ','NZL','Nouvelle-Zélande',1,0); +INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (165,'NC','NCL','New Caledonia',1,0); +INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (166,'NZ','NZL','New Zealand',1,0); INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (167,'NI','NIC','Nicaragua',1,0); INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (168,'NE','NER','Niger',1,0); INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (169,'NG','NGA','Nigeria',1,0); -INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (170,'NU','NIU','Nioué',1,0); -INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (171,'NF','NFK','Ile Norfolk',1,0); -INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (172,'MP','MNP','Mariannes du Nord',1,0); -INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (173,'NO','NOR','Norvège',1,0); +INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (170,'NU','NIU','Niue',1,0); +INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (171,'NF','NFK','Norfolk Island',1,0); +INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (172,'MP','MNP','Northern Mariana Islands',1,0); +INSERT INTO llx_c_country 
(rowid,code,code_iso,label,active,favorite) VALUES (173,'NO','NOR','Norway',1,0); INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (174,'OM','OMN','Oman',1,0); INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (175,'PK','PAK','Pakistan',1,0); -INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (176,'PW','PLW','Palaos',1,0); -INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (177,'PS','PSE','Territoire Palestinien Occupé',1,0); +INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (176,'PW','PLW','Palau',1,0); +INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (177,'PS','PSE','Palestinian territories',1,0); INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (178,'PA','PAN','Panama',1,0); -INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (179,'PG','PNG','Papouasie-Nouvelle-Guinée',1,0); +INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (179,'PG','PNG','Papua New Guinea',1,0); INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (180,'PY','PRY','Paraguay',1,0); INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (181,'PE','PER','Peru',1,0); INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (182,'PH','PHL','Philippines',1,0); -INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (183,'PN','PCN','Iles Pitcairn',1,0); +INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (183,'PN','PCN','Pitcairn Islands',1,0); INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (184,'PL','POL','Pologne',1,0); -INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (185,'PR','PRI','Porto Rico',1,0); +INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES 
(185,'PR','PRI','Puerto Rico',1,0); INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (186,'QA','QAT','Qatar',1,0); INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (188,'RO','ROU','Roumanie',1,0); INSERT INTO llx_c_country (rowid,code,code_iso,label,active,favorite) VALUES (189,'RW','RWA','Rwanda',1,0); From b5af3b17d53f41bc03ca784ccf94f1acc55d1a82 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 21 May 2021 14:03:52 +0200 Subject: [PATCH 13/34] Update doc --- doc/images/README.md | 19 +++++++++---------- htdocs/main.inc.php | 10 +++++----- 2 files changed, 14 insertions(+), 15 deletions(-) diff --git a/doc/images/README.md b/doc/images/README.md index 7422d246d40..e93c9f9c3d4 100644 --- a/doc/images/README.md +++ b/doc/images/README.md @@ -10,17 +10,16 @@ https://github.com/Dolibarr/foundation -* Few icons are / were from website led24.de -* Attention: This website is no longer available! +# LICENCE OF IMAGE RESOURCES +-------------------------------- -This is original README file for this source: -------------------------------------------------------- +* All image resources (except dolihelp.ico and doliadmin.ico) in this directory are distributed under licence CC BY-SA + +List of icons from http://led24.de/iconset/ are: +- doliadmin.ico +- dolihelp.ico + +This is original README file for the package with this 2 images: You can do whatever you want with these icons (use on web or in desktop applications) as long as you don’t pass them off as your own and remove this readme file. A credit statement and a link back to http://led24.de/iconset/ or http://led24.de/ would be appreciated. - -Follow us on twitter http://twitter.com/gasyoun or email leds24@gmail.com -512 icons 20/05/2009 -------------------------------------------------------- -List of icons from http://led24.de/iconset/ are: -- dolihelp.ico diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 40bb38a54f7..a42c3c39cd3 100644 
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -145,9 +145,9 @@ function testSqlAndScriptInject($val, $type)
 // List of dom events is on https://www.w3schools.com/jsref/dom_obj_event.asp and https://developer.mozilla.org/en-US/docs/Web/API/GlobalEventHandlers
 $inj += preg_match('/on(mouse|drag|key|load|touch|pointer|select|transition)([a-z]*)\s*=/i', $val); // onmousexxx can be set on img or any html tag like
 $inj += preg_match('/on(abort|afterprint|animation|auxclick|beforeprint|beforeunload|blur|cancel|canplay|canplaythrough|change|click|close|contextmenu|cuechange|copy|cut)\s*=/i', $val);
- $inj += preg_match('/on(lostpointercapture|dblclick|drop|durationchange|ended|error|focus|focusin|focusout|formdata|gotpointercapture|hashchange|input|invalid)\s*=/i', $val);
- $inj += preg_match('/on(offline|online|pagehide|pageshow)\s*=/i', $val);
- $inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|reset|resize|scroll|search|seeking|show|stalled|start|submit|suspend)\s*=/i', $val);
+ $inj += preg_match('/on(dblclick|drop|durationchange|emptied|ended|error|focus|focusin|focusout|formdata|gotpointercapture|hashchange|input|invalid)\s*=/i', $val);
+ $inj += preg_match('/on(lostpointercapture|offline|online|pagehide|pageshow)\s*=/i', $val);
+ $inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|reset|resize|scroll|search|seeked|seeking|show|stalled|start|submit|suspend)\s*=/i', $val);
 $inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting|wheel)\s*=/i', $val);
 // We refuse html into html because some hacks try to obfuscate evil strings by inserting HTML into HTML. Example: error=alert(1) to bypass test on onerror
@@ -155,9 +155,9 @@ function testSqlAndScriptInject($val, $type)
 // List of dom events is on https://www.w3schools.com/jsref/dom_obj_event.asp and https://developer.mozilla.org/en-US/docs/Web/API/GlobalEventHandlers
 $inj += preg_match('/on(mouse|drag|key|load|touch|pointer|select|transition)([a-z]*)\s*=/i', $val); // onmousexxx can be set on img or any html tag like
 $inj += preg_match('/on(abort|afterprint|animation|auxclick|beforeprint|beforeunload|blur|cancel|canplay|canplaythrough|change|click|close|contextmenu|cuechange|copy|cut)\s*=/i', $tmpval);
- $inj += preg_match('/on(dblclick|drop|durationchange|ended|error|focus|focusin|focusout|formdata|gotpointercapture|hashchange|input|invalid)\s*=/i', $tmpval);
+ $inj += preg_match('/on(dblclick|drop|durationchange|emptied|ended|error|focus|focusin|focusout|formdata|gotpointercapture|hashchange|input|invalid)\s*=/i', $tmpval);
 $inj += preg_match('/on(lostpointercapture|offline|online|pagehide|pageshow)\s*=/i', $tmpval);
- $inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|reset|resize|scroll|search|seeking|show|stalled|start|submit|suspend)\s*=/i', $tmpval);
+ $inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|reset|resize|scroll|search|seeked|seeking|show|stalled|start|submit|suspend)\s*=/i', $tmpval);
 $inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting|wheel)\s*=/i', $tmpval);
 //$inj += preg_match('/on[A-Z][a-z]+\*=/', $val); // To lock event handlers onAbort(), ...
From c1c2f44e384d092e9f5d1e6836223887f39e72e7 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 21 May 2021 14:16:49 +0200
Subject: [PATCH 14/34] Update file COPYRIGHT

---
 COPYRIGHT | 32 +++++++++++++++++++++-----------
 1 file changed, 21 insertions(+), 11 deletions(-)

diff --git a/COPYRIGHT b/COPYRIGHT
index aedcb1be614..c43d77581a7 100644
--- a/COPYRIGHT
+++ b/COPYRIGHT
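Review bot: The context line at the top of this hunk still feeds `$val` rather than `$tmpval` to the mouse/drag/key/load/touch/pointer/select/transition pattern, so adding `emptied` and `seeked` to the enumerations below does not change the fact that the tag-stripped pass skips the most common handlers (`onload`, `onmouseover`, `onkeydown`); change that argument to `$tmpval` while touching this block. Keeping two parallel copies of six regexes in sync by hand is how that slipped through; a single array of patterns applied to both inputs, `foreach (array($val, $tmpval) as $v) { foreach ($eventpatterns as $p) { $inj += preg_match($p, $v); } }`, removes the duplication and makes the next addition a one-line change. The function continues outside the hunk on both sides.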
@@ -1,13 +1,24 @@ -License -------- +Copyright and license +---------------------- -Dolibarr is released under the terms of the GNU General Public License as -published by the Free Software Foundation; either version 3 of the License, -or (at your option) any later version (GPL-3+). -More information: https://www.gnu.org/licenses/gpl-3.0.txt +The Dolibarr software as a whole is distributed under the GNU General Public License as published by the Free Software Foundation; +either version 3 of the License, or (at your option) any later version (GPL-3+). More information: https://www.gnu.org/licenses/gpl-3.0.txt. +A copy of this license is available in the COPYING file. +Dolibarr depends on third-party components and code snippets released under their own license (obviously, all compatible with the one of Dolibarr). +These dependencies are listed in the bottom of this file. -Dolibarr uses some external libraries released under different licenses. This is compatibility summary: + +The Dolibarr images resources (available in the doc directory) is distributed under the Creative Commons Attribution 4.0 International license (CC BY 4.0). + + +The name Dolibarr is a trademark initially registered by Laurent Destailleur and ceased to the Dolibarr foundation. You can use the name Dolibarr +for your own need as long as you follow the rules defined on the page https://wiki.dolibarr.org/index.php/Rules_to_use_the_brand_name_%22Dolibarr%22 +The use of the name DoliStore is also restricted to the same rules defined on https://wiki.dolibarr.org/index.php/Rules_to_use_the_brand_name_%22Dolibarr%22 + + + +Licence of dependencies of third-party components used by Dolibarr (all compatible with the Licence of Dolibarr): Component Version License GPL Compatible Usage ------------------------------------------------------------------------------------- 
@@ -28,7 +39,7 @@ php-iban 1.4.7 LGPL-3+ Yes PHPoAuthLib 0.8.2 MIT License Yes Library to provide oauth1 and oauth2 to different service PHPPrintIPP 1.3 GPL-2+ Yes Library to send print IPP requests PSR/Logs 1.0 Library for logs (used by DebugBar) -PSR/simple-cache ? MIT License Yes Library for cache (used by PHPSpreadSheet) +PSR/simple-cache ? MIT License Yes Library for cache (used by PHPSpreadSheet) Restler 3.1.1 LGPL-3+ Yes Library to develop REST Web services (+ swagger-ui js lib into dir explorer) Sabre 3.2.2 BSD Yes DAV support Swift Mailer 5.4.2-DEV MIT License Yes Comprehensive mailing tools for PHP @@ -63,11 +74,10 @@ Font libraries: Fontawesome 5.13 Font Awesome Free Licence Yes -For licenses compatibility informations: -https://www.gnu.org/licenses/licenses.en.html +For more licenses compatibility informations: https://www.gnu.org/licenses/licenses.en.html -Copyright / Authors +Authors ------------------- See page https://github.com/Dolibarr/dolibarr/graphs/contributors From 11fa523070a805a1608ebcf0031cce66beaa34c4 Mon Sep 17 00:00:00 2001 
From: Laurent Destailleur Date: Fri, 21 May 2021 15:54:11 +0200 Subject: [PATCH 15/34] FIX CWE-269 --- htdocs/core/lib/security.lib.php | 5 ++++- htdocs/margin/tabs/productMargins.php | 10 ++++++---- htdocs/margin/tabs/thirdpartyMargins.php | 8 ++++++-- htdocs/product/agenda.php | 16 +++++++++++++++- htdocs/product/card.php | 12 +++++++++++- htdocs/product/composition/card.php | 14 +++++++++++++- htdocs/product/document.php | 12 +++++++++++- htdocs/product/fournisseurs.php | 19 +++++++++---------- htdocs/product/note.php | 11 ++++++++++- htdocs/product/popuprop.php | 4 +--- htdocs/product/price.php | 11 ++++++++++- htdocs/product/stats/bom.php | 3 ++- htdocs/product/stats/card.php | 3 ++- htdocs/product/stats/commande.php | 6 +++--- htdocs/product/stats/commande_fournisseur.php | 3 ++- htdocs/product/stats/contrat.php | 5 ++--- htdocs/product/stats/facture.php | 2 +- htdocs/product/stats/facture_fournisseur.php | 6 +++--- htdocs/product/stats/mo.php | 5 ++--- htdocs/product/stats/propal.php | 5 +++-- htdocs/product/stats/supplier_proposal.php | 6 +++--- htdocs/product/stock/product.php | 13 +++++++++++-- htdocs/product/traduction.php | 17 ++++++++++++++++- htdocs/variants/combinations.php | 16 +++++++++++----- 24 files changed, 157 insertions(+), 55 deletions(-) diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index de4d67b1647..06baefed88e 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php 
@@ -173,10 +173,13 @@ function dol_verifyHash($chain, $hash, $type = '0')
  * This method check permission on module then call checkUserAccessToObject() for permission on object (according to entity and socid of user).
  *
  * @param User $user User to check
- * @param string $features Features to check (it must be module $object->element. Examples: 'societe', 'contact', 'produit&service', 'produit|service', ...)
+ * @param string $features Features to check (it must be module $object->element. Can be a 'or' check with 'levela|levelb'.
+ * Examples: 'societe', 'contact', 'produit&service', 'produit|service', ...)
+ * This is used to check permission $user->rights->features->...
  * @param int $objectid Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
  * @param string $tableandshare 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity for multicompany module. Param not used if objectid is null (optional).
  * @param string $feature2 Feature to check, second level of permission (optional). Can be a 'or' check with 'sublevela|sublevelb'.
+ * This is used to check permission $user->rights->features->feature2...
  * @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
  * @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optional)
  * @param int $isdraft 1=The object with id=$objectid is a draft
diff --git a/htdocs/margin/tabs/productMargins.php b/htdocs/margin/tabs/productMargins.php
index 4c34e04c54c..6f2337d1baf 100644
--- a/htdocs/margin/tabs/productMargins.php
+++ b/htdocs/margin/tabs/productMargins.php
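Review bot: The new `$features` wording documents the `|` syntax but not its consequence, which is exactly why the rest of this patch switches the product tabs from `'produit|service'` to the exact feature: with `'a|b'` a user holding either right passes, so a user with only `service` rights passes the check for a product record. Suggest appending to the `$features` description: ` * Prefer the exact feature when the object type is known: with 'produit|service' either right is enough, whatever the record's type.` The function body this docblock belongs to is outside the hunk.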
@@ -39,10 +39,6 @@ $fieldtype = (!empty($ref) ? 'ref' : 'rowid'); if (!empty($user->socid)) { $socid = $user->socid; } -$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); -if (empty($user->rights->margins->liretous)) { - accessforbidden(); -} $object = new Product($db); @@ -63,6 +59,12 @@ if (!$sortfield) { $sortfield = "f.datef"; } +$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); + +if (empty($user->rights->margins->liretous)) { + accessforbidden(); +} + /* * View diff --git a/htdocs/margin/tabs/thirdpartyMargins.php b/htdocs/margin/tabs/thirdpartyMargins.php index b1c569c0912..505ff9f9f31 100644 --- a/htdocs/margin/tabs/thirdpartyMargins.php +++ b/htdocs/margin/tabs/thirdpartyMargins.php @@ -33,8 +33,6 @@ $socid = GETPOST('socid', 'int'); if (!empty($user->socid)) { $socid = $user->socid; } -$result = restrictedArea($user, 'societe', '', ''); - $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST("sortfield", 'alpha'); @@ -61,6 +59,12 @@ if ($socid > 0) { // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('thirdpartymargins', 'globalcard')); +$result = restrictedArea($user, 'societe', $object->id, ''); + +if (empty($user->rights->margins->liretous)) { + accessforbidden(); +} + /* * Actions diff --git a/htdocs/product/agenda.php b/htdocs/product/agenda.php index ea32e47c8a5..815014e259f 100644 --- a/htdocs/product/agenda.php +++ b/htdocs/product/agenda.php 
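Review bot: The check re-inserted lower in productMargins.php still uses the generic `'produit|service'` feature with `$fieldvalue`, while the other product tabs in this same patch (agenda.php, card.php, price.php, ...) branch on `$object->type` and pass `'produit'` or `'service'`; `$object` is a `Product` created in the first hunk, so once it has been fetched (not visible here) the same typed block could be used. Moving the check below the sort/limit handling is harmless as far as the hunk shows, but a comment such as `// Security check, placed after object load so the exact feature can be used` would record why it moved.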
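Review bot: In thirdpartyMargins.php `restrictedArea($user, 'societe', $object->id, '')` only carries an object id when the `if ($socid > 0)` block above has populated `$object`; without `socid` the call degrades to a module-level check, which is acceptable for a list but deserves a comment, e.g. `// Without socid $object->id is 0: module-level check only`. The added `margins->liretous` gate is new for this page (the removed code had only the `societe` check), so it tightens access for users who could previously view third-party margins with `societe` rights alone; confirm that is intended and mention it in the commit message.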
@@ -73,7 +73,21 @@ if (!$sortorder) { // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('agendathirdparty')); -$result = restrictedArea($user, 'produit|service', $id, 'product&product'); +$object = new Product($db); +if ($id > 0 || !empty($ref)) { + $object->fetch($id, $ref); +} + +if ($object->id > 0) { + if ($object->type == $object::TYPE_PRODUCT) { + restrictedArea($user, 'produit', $object->id, 'product&product', '', ''); + } + if ($object->type == $object::TYPE_SERVICE) { + restrictedArea($user, 'service', $object->id, 'product&product', '', ''); + } +} else { + restrictedArea($user, 'produit|service', 0, 'product&product', '', ''); +} /* diff --git a/htdocs/product/card.php b/htdocs/product/card.php index c92f847a1e9..61568a5510a 100644 --- a/htdocs/product/card.php +++ b/htdocs/product/card.php @@ -152,7 +152,17 @@ if (!empty($canvas)) { // Security check $fieldvalue = (!empty($id) ? $id : (!empty($ref) ? $ref : '')); $fieldtype = (!empty($id) ? 'rowid' : 'ref'); -$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); + +if ($object->id > 0) { + if ($object->type == $object::TYPE_PRODUCT) { + restrictedArea($user, 'produit', $object->id, 'product&product', '', ''); + } + if ($object->type == $object::TYPE_SERVICE) { + restrictedArea($user, 'service', $object->id, 'product&product', '', ''); + } +} else { + restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); +} // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('productcard', 'globalcard')); diff --git a/htdocs/product/composition/card.php b/htdocs/product/composition/card.php index 442232686d3..c9499bf415b 100644 --- a/htdocs/product/composition/card.php +++ b/htdocs/product/composition/card.php 
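Review bot: The typed block in agenda.php runs no `restrictedArea()` at all when `$object->id > 0` but `$object->type` is neither `TYPE_PRODUCT` nor `TYPE_SERVICE` (a corrupted or future type value): both `if`s are skipped and the page continues without any permission check. Make the unknown-type case fail closed, e.g. turn the second test into `} elseif ($object->type == $object::TYPE_SERVICE) {` and add `} else { accessforbidden(); }`. The return value of `$object->fetch($id, $ref)` is also ignored; a failed fetch leaves `$object->id` at 0 and silently routes to the generic branch, which may be acceptable but should be stated in a comment.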
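Review bot: The same nine-line `if ($object->id > 0) { ... } else { ... }` block pasted into card.php reappears in about ten other product tabs of this patch, and the copies already diverge (composition/card.php keeps an extra generic call, stock/product.php loses its `stock` requirement, stats/propal.php keeps the old call). A single helper next to `restrictedArea()` in security.lib.php would keep the rule in one place and let the unknown-type case fail closed instead of skipping the check; card.php would then call it as `restrictedAreaProductOrService($user, $object, $fieldvalue, $fieldtype);`. The fetch that populates `$object` in card.php is outside the hunk. Sketch of such a helper (the name is a proposal):
```php
// security.lib.php (proposal): typed product/service check shared by all product tabs
function restrictedAreaProductOrService($user, $object, $fieldvalue = '', $fieldtype = 'rowid')
{
	if ($object->id > 0) {
		if ($object->type == Product::TYPE_PRODUCT) {
			return restrictedArea($user, 'produit', $object->id, 'product&product', '', '');
		}
		if ($object->type == Product::TYPE_SERVICE) {
			return restrictedArea($user, 'service', $object->id, 'product&product', '', '');
		}
		accessforbidden(); // unknown type: fail closed rather than skip the check
	}
	return restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
}
```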
@@ -50,7 +50,6 @@ if (!empty($user->socid)) { } $fieldvalue = (!empty($id) ? $id : (!empty($ref) ? $ref : '')); $fieldtype = (!empty($ref) ? 'ref' : 'rowid'); -$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); $object = new Product($db); $objectid = 0; @@ -60,6 +59,19 @@ if ($id > 0 || !empty($ref)) { $id = $object->id; } +$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); + +if ($object->id > 0) { + if ($object->type == $object::TYPE_PRODUCT) { + restrictedArea($user, 'produit', $object->id, 'product&product', '', ''); + } + if ($object->type == $object::TYPE_SERVICE) { + restrictedArea($user, 'service', $object->id, 'product&product', '', ''); + } +} else { + restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); +} + /* * Actions diff --git a/htdocs/product/document.php b/htdocs/product/document.php index 372e3c19bdc..0b15ad7a85c 100644 --- a/htdocs/product/document.php +++ b/htdocs/product/document.php @@ -95,9 +95,19 @@ if ($id > 0 || !empty($ref)) { } $modulepart = 'produit'; + $permissiontoadd = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->creer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->creer)); -$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); +if ($object->id > 0) { + if ($object->type == $object::TYPE_PRODUCT) { + restrictedArea($user, 'produit', $object->id, 'product&product', '', ''); + } + if ($object->type == $object::TYPE_SERVICE) { + restrictedArea($user, 'service', $object->id, 'product&product', '', ''); + } +} else { + restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); +} /* diff --git a/htdocs/product/fournisseurs.php b/htdocs/product/fournisseurs.php index 0d5ea9647f5..8b2a792b872 100644 --- a/htdocs/product/fournisseurs.php 
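Review bot: composition/card.php now calls `restrictedArea()` twice per request: the second hunk re-adds the generic `$result = restrictedArea($user, 'produit|service', $fieldvalue, ...)` line that the first hunk removed, and then runs the typed block whose `else` branch repeats that very call. Drop the standalone generic line and keep only the typed block, as card.php and price.php do in this patch; the docblock in security.lib.php says the function calls `checkUserAccessToObject()` when an object id is given, so the redundant call is also a redundant lookup.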
+++ b/htdocs/product/fournisseurs.php @@ -103,17 +103,16 @@ if ($id > 0 || $ref) { $object->fetch($id, $ref); } -$sortfield = GETPOST("sortfield", 'alpha'); -$sortorder = GETPOST("sortorder", 'alpha'); - -if (!$sortfield) { - $sortfield = "s.nom"; +if ($object->id > 0) { + if ($object->type == $object::TYPE_PRODUCT) { + restrictedArea($user, 'produit', $object->id, 'product&product', '', ''); + } + if ($object->type == $object::TYPE_SERVICE) { + restrictedArea($user, 'service', $object->id, 'product&product', '', ''); + } +} else { + restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); } -if (!$sortorder) { - $sortorder = "ASC"; -} - -$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); /* diff --git a/htdocs/product/note.php b/htdocs/product/note.php index add915181a2..fad4df3500b 100644 --- a/htdocs/product/note.php +++ b/htdocs/product/note.php @@ -51,7 +51,16 @@ if ($id > 0 || !empty($ref)) { $permissionnote = $user->rights->produit->creer; // Used by the include of actions_setnotes.inc.php -$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); +if ($object->id > 0) { + if ($object->type == $object::TYPE_PRODUCT) { + restrictedArea($user, 'produit', $object->id, 'product&product', '', ''); + } + if ($object->type == $object::TYPE_SERVICE) { + restrictedArea($user, 'service', $object->id, 'product&product', '', ''); + } +} else { + restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); +} /* diff --git a/htdocs/product/popuprop.php b/htdocs/product/popuprop.php index f23b6eae92d..5aa54b0963c 100644 --- a/htdocs/product/popuprop.php +++ b/htdocs/product/popuprop.php 
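Review bot: The fournisseurs.php hunk deletes the `$sortfield`/`$sortorder` GETPOST reads and their `s.nom`/`ASC` defaults together with the old check, but nothing in the hunk replaces them; unless the same variables are assigned earlier in the file (outside the hunk) the supplier-price list now sorts on undefined variables. If they are duplicated earlier, say so in the commit message; otherwise restore them, e.g. `$sortfield = GETPOST("sortfield", 'alpha'); if (!$sortfield) { $sortfield = "s.nom"; }` and the matching lines for `$sortorder` with `"ASC"`.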
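Review bot: note.php now distinguishes product from service for the read check, but the context line just above, `$permissionnote = $user->rights->produit->creer;`, still grants note editing from the product right only, so a user with only `service` rights can open a service's notes tab yet cannot edit it, while a product-only user is what the typed check was meant to separate. Align it with `$permissiontoadd` in document.php from this same patch: `$permissionnote = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->creer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->creer));`.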
@@ -60,9 +60,7 @@ $offset = $limit * $page; $pageprev = $page - 1; $pagenext = $page + 1; -$staticproduct = new Product($db); - -$result = restrictedArea($user, 'produit|service', 0, 'product&product'); +restrictedArea($user, 'produit|service', 0, 'product&product', '', ''); /* diff --git a/htdocs/product/price.php b/htdocs/product/price.php index 9548643166a..295a999a778 100644 --- a/htdocs/product/price.php +++ b/htdocs/product/price.php @@ -82,7 +82,16 @@ if ((!empty($conf->global->PRODUIT_MULTIPRICES) || !empty($conf->global->PRODUIT // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('productpricecard', 'globalcard')); -$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); +if ($object->id > 0) { + if ($object->type == $object::TYPE_PRODUCT) { + restrictedArea($user, 'produit', $object->id, 'product&product', '', ''); + } + if ($object->type == $object::TYPE_SERVICE) { + restrictedArea($user, 'service', $object->id, 'product&product', '', ''); + } +} else { + restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); +} /* diff --git a/htdocs/product/stats/bom.php b/htdocs/product/stats/bom.php index 053d9d6b1a8..505bc8ed060 100644 --- a/htdocs/product/stats/bom.php +++ b/htdocs/product/stats/bom.php @@ -41,7 +41,6 @@ $fieldtype = (!empty($ref) ? 'ref' : 'rowid'); if ($user->socid) { $socid = $user->socid; } -$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('productstatscontract')); @@ -67,6 +66,8 @@ if (!$sortfield) { $sortfield = "b.date_valid"; } +$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); + /* * View 
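Review bot: In stats/bom.php (and the other stats tabs changed the same way) the check is only moved below the pagination defaults and still uses the generic `'produit|service'` feature, so the fix this patch applies to the card tabs does not reach the stats tabs: per the security.lib.php docblock `|` is an "or" check, so a user holding only `service` rights still passes for a product's BOM statistics. If `$object` is fetched in this file (not visible in the hunk), use the same typed block as card.php; if it is not, add a comment stating why the generic check is kept, e.g. `// Generic produit|service check: the object is not loaded before this point`.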
diff --git a/htdocs/product/stats/card.php b/htdocs/product/stats/card.php index 2dae292884e..d791100ae4a 100644 --- a/htdocs/product/stats/card.php +++ b/htdocs/product/stats/card.php @@ -58,7 +58,6 @@ if (!empty($user->socid)) { // Security check $fieldvalue = (!empty($id) ? $id : $ref); $fieldtype = (!empty($ref) ? 'ref' : 'rowid'); -$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); $tmp = dol_getdate(dol_now()); $currentyear = $tmp['year']; @@ -66,6 +65,8 @@ if (empty($search_year)) { $search_year = $currentyear; } +$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); + /* * Actions diff --git a/htdocs/product/stats/commande.php b/htdocs/product/stats/commande.php index fe8016f362a..9ba4dee7081 100644 --- a/htdocs/product/stats/commande.php +++ b/htdocs/product/stats/commande.php @@ -43,13 +43,10 @@ $socid = ''; if (!empty($user->socid)) { $socid = $user->socid; } -$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('productstatsorder')); -$mesg = ''; - // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST("sortfield", 'alpha'); @@ -75,6 +72,9 @@ if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter', $search_year = ''; } +$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); + + /* * View */ diff --git a/htdocs/product/stats/commande_fournisseur.php b/htdocs/product/stats/commande_fournisseur.php index bc8346e39b1..6037f608b58 100644 --- a/htdocs/product/stats/commande_fournisseur.php +++ b/htdocs/product/stats/commande_fournisseur.php 
@@ -42,7 +42,6 @@ $socid = ''; if (!empty($user->socid)) { $socid = $user->socid; } -$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('productstatssupplyorder')); @@ -74,6 +73,8 @@ if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter', $search_year = ''; } +$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); + /* * View diff --git a/htdocs/product/stats/contrat.php b/htdocs/product/stats/contrat.php index e419593208c..f91e74edf50 100644 --- a/htdocs/product/stats/contrat.php +++ b/htdocs/product/stats/contrat.php @@ -40,13 +40,10 @@ $fieldtype = (!empty($ref) ? 'ref' : 'rowid'); if ($user->socid) { $socid = $user->socid; } -$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('productstatscontract')); -$mesg = ''; - // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST("sortfield", 'alpha'); @@ -65,6 +62,8 @@ if (!$sortfield) { $sortfield = "c.date_contrat"; } +$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); + /* * View diff --git a/htdocs/product/stats/facture.php b/htdocs/product/stats/facture.php index fa7d4fae24f..0681aa9b5ca 100644 --- a/htdocs/product/stats/facture.php +++ b/htdocs/product/stats/facture.php 
@@ -44,7 +44,6 @@ $socid = ''; if (!empty($user->socid)) { $socid = $user->socid; } -$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('productstatsinvoice')); @@ -77,6 +76,7 @@ if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter', $search_year = ''; } +$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); /* diff --git a/htdocs/product/stats/facture_fournisseur.php b/htdocs/product/stats/facture_fournisseur.php index 018f1c28f02..69ef83ae5a7 100644 --- a/htdocs/product/stats/facture_fournisseur.php +++ b/htdocs/product/stats/facture_fournisseur.php @@ -44,13 +44,10 @@ $socid = ''; if (!empty($user->socid)) { $socid = $user->socid; } -$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('productstatssupplyinvoice')); -$mesg = ''; - // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST("sortfield", 'alpha'); @@ -76,6 +73,9 @@ if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter', $search_year = ''; } +$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); + + /* * View */ diff --git a/htdocs/product/stats/mo.php b/htdocs/product/stats/mo.php index 1cabfd9ef85..fefb89592e7 100644 --- a/htdocs/product/stats/mo.php +++ b/htdocs/product/stats/mo.php 
@@ -40,13 +40,10 @@ $fieldtype = (!empty($ref) ? 'ref' : 'rowid'); if ($user->socid) { $socid = $user->socid; } -$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('productstatscontract')); -$mesg = ''; - // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST("sortfield", 'alpha'); @@ -65,6 +62,8 @@ if (!$sortfield) { $sortfield = "c.date_valid"; } +$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); + /* * View diff --git a/htdocs/product/stats/propal.php b/htdocs/product/stats/propal.php index 7dfc8b6d1db..96303ac598d 100644 --- a/htdocs/product/stats/propal.php +++ b/htdocs/product/stats/propal.php @@ -48,8 +48,6 @@ $result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('productstatspropal')); -$mesg = ''; - // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'aZ09comma'); @@ -76,6 +74,9 @@ if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter', $search_year = ''; } +$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); + + /* * View */ diff --git a/htdocs/product/stats/supplier_proposal.php b/htdocs/product/stats/supplier_proposal.php index 86689786b2d..1b236ed3999 100644 --- a/htdocs/product/stats/supplier_proposal.php +++ b/htdocs/product/stats/supplier_proposal.php 
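Review bot: In stats/propal.php the original `$result = restrictedArea(...)` line is still present (it is the first hunk's header context at line 48) and the second hunk adds an identical call at line 77, so this file now checks twice, whereas the sibling stats files in this patch remove the first call before adding the second. Remove the line at 48 to match the siblings, or drop the addition; duplicated checks make a later consolidation into a typed check easy to get wrong.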
@@ -43,13 +43,10 @@ $socid = ''; if (!empty($user->socid)) { $socid = $user->socid; } -$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('productstatspropal')); -$mesg = ''; - // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'aZ09comma'); @@ -76,6 +73,9 @@ if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter', $search_year = ''; } +$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); + + /* * View */ diff --git a/htdocs/product/stock/product.php b/htdocs/product/stock/product.php index b97e9b6c2d2..883fff49123 100644 --- a/htdocs/product/stock/product.php +++ b/htdocs/product/stock/product.php @@ -81,8 +81,6 @@ if (!empty($batchnumber)) { if ($user->socid) { $socid = $user->socid; } -$result = restrictedArea($user, 'produit&stock', $id, 'product&product', '', '', $fieldid); - $object = new Product($db); $extrafields = new ExtraFields($db); @@ -114,6 +112,17 @@ $hookmanager->initHooks(array('stockproductcard', 'globalcard')); $error = 0; +if ($object->id > 0) { + if ($object->type == $object::TYPE_PRODUCT) { + restrictedArea($user, 'produit', $object->id, 'product&product', '', ''); + } + if ($object->type == $object::TYPE_SERVICE) { + restrictedArea($user, 'service', $object->id, 'product&product', '', ''); + } +} else { + restrictedArea($user, 'produit|service', $id, 'product&product', '', '', $fieldid); +} + /* * Actions diff --git a/htdocs/product/traduction.php b/htdocs/product/traduction.php index 45b45136410..b2c3b0d0b2f 100644 --- a/htdocs/product/traduction.php +++ b/htdocs/product/traduction.php 
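Review bot: stock/product.php loses its `stock` requirement: the removed line checked `'produit&stock'` (both rights), while the new typed block checks `'produit'` or `'service'` alone and the fallback checks `'produit|service'`, so the stock tab becomes reachable for any product or service reader without the stock module's read right. Keep the conjunction in the new code: `restrictedArea($user, 'produit&stock', $object->id, 'product&product', '', '');` and `restrictedArea($user, 'service&stock', $object->id, 'product&product', '', '');`. For the fallback branch, add an explicit `if (empty($user->rights->stock->lire)) { accessforbidden(); }` after the block unless `restrictedArea()` is confirmed to parse a mixed `|`/`&` feature string.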
@@ -45,7 +45,22 @@ $fieldtype = (!empty($ref) ? 'ref' : 'rowid'); if ($user->socid) { $socid = $user->socid; } -$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); + +if ($id > 0 || !empty($ref)) { + $object = new Product($db); + $object->fetch($id, $ref); +} + +if ($object->id > 0) { + if ($object->type == $object::TYPE_PRODUCT) { + restrictedArea($user, 'produit', $object->id, 'product&product', '', ''); + } + if ($object->type == $object::TYPE_SERVICE) { + restrictedArea($user, 'service', $object->id, 'product&product', '', ''); + } +} else { + restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); +} /* diff --git a/htdocs/variants/combinations.php b/htdocs/variants/combinations.php index ded3a1bb8b9..a7ad432b3ba 100644 --- a/htdocs/variants/combinations.php +++ b/htdocs/variants/combinations.php @@ -51,7 +51,6 @@ $delete_product = GETPOST('delete_product', 'alpha'); // Security check $fieldvalue = (!empty($id) ? $id : $ref); $fieldtype = (!empty($ref) ? 'ref' : 'rowid'); -$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); $prodstatic = new Product($db); $prodattr = new ProductAttribute($db); @@ -64,8 +63,6 @@ if ($id > 0 || $ref) { $selectedvariant = $_SESSION['addvariant_'.$object->id]; -$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire; - // Security check if (empty($conf->variants->enabled)) { accessforbidden('Module not enabled'); 
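Review bot: In traduction.php `$object` is only instantiated inside `if ($id > 0 || !empty($ref))`, yet the following `if ($object->id > 0)` reads it unconditionally; a request without `id` and `ref` then dereferences an undefined variable (a warning and a silent fall-through to the generic branch) unless `$object` is created earlier in the file, which is not visible here. Move `$object = new Product($db);` above the `if`, as agenda.php does in this patch, and keep only the `fetch()` inside it.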
@@ -73,8 +70,17 @@ if (empty($conf->variants->enabled)) { if ($user->socid > 0) { // Protection if external user accessforbidden(); } -//$result = restrictedArea($user, 'variant'); -if (!$permissiontoread) accessforbidden(); + +if ($object->id > 0) { + if ($object->type == $object::TYPE_PRODUCT) { + restrictedArea($user, 'produit', $object->id, 'product&product', '', ''); + } + if ($object->type == $object::TYPE_SERVICE) { + restrictedArea($user, 'service', $object->id, 'product&product', '', ''); + } +} else { + restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); +} /* From 4df70dc3f49e3fa3e952d35501090687e8039043 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 21 May 2021 16:22:45 +0200 Subject: [PATCH 16/34] Fix CWE-269 huntr --- htdocs/ecm/dir_add_card.php | 2 +- htdocs/ecm/dir_card.php | 14 ++++++++++---- htdocs/ecm/file_card.php | 14 +++++++++----- htdocs/ecm/file_note.php | 13 ++++++++----- htdocs/ecm/index.php | 12 ++++++------ htdocs/ecm/search.php | 6 ++++++ 6 files changed, 40 insertions(+), 21 deletions(-) diff --git a/htdocs/ecm/dir_add_card.php b/htdocs/ecm/dir_add_card.php index 4cf557acde6..1416983e3a3 100644 --- a/htdocs/ecm/dir_add_card.php +++ b/htdocs/ecm/dir_add_card.php @@ -188,7 +188,7 @@ if ($action == 'add' && $permtoadd) { exit; } } -} elseif ($action == 'confirm_deletesection' && $confirm == 'yes') { +} elseif ($action == 'confirm_deletesection' && $confirm == 'yes' && $permtoadd) { // Deleting file $result = $ecmdir->delete($user); setEventMessages($langs->trans("ECMSectionWasRemoved", $ecmdir->label), null, 'mesgs'); diff --git a/htdocs/ecm/dir_card.php b/htdocs/ecm/dir_card.php index 4c93e005266..d84a7330e69 100644 --- a/htdocs/ecm/dir_card.php +++ b/htdocs/ecm/dir_card.php 
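Review bot: combinations.php now gates the page on read rights only (`restrictedArea` with the exact feature replaces the removed `$permissiontoread`), but the page also handles `delete_product` (read via GETPOST in the earlier hunk's context), and whether that write action is gated on `produit->creer`/`service->creer` is outside the hunk; the removed `$permissiontoread` was the only permission variable this page defined. Consider defining `$permissiontoadd` next to the check, as document.php does in this patch, so the actions section has an explicit flag to test and the commit message can state that write actions are covered.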
@@ -88,17 +88,23 @@ if ($module == 'ecm') { } // Permissions +$permtoread = 0; $permtoadd = 0; $permtoupload = 0; if ($module == 'ecm') { + $permtoread = $user->rights->ecm->read; $permtoadd = $user->rights->ecm->setup; $permtoupload = $user->rights->ecm->upload; } if ($module == 'medias') { + $permtoread = ($user->rights->mailing->lire || $user->rights->website->read); $permtoadd = ($user->rights->mailing->creer || $user->rights->website->write); $permtoupload = ($user->rights->mailing->creer || $user->rights->website->write); } +if (!$permtoread) { + accessforbidden(); +} /* @@ -106,7 +112,7 @@ if ($module == 'medias') { */ // Upload file -if (GETPOST("sendit") && !empty($conf->global->MAIN_UPLOAD_DOC)) { +if (GETPOST("sendit") && !empty($conf->global->MAIN_UPLOAD_DOC) && $permtoupload) { if (dol_mkdir($upload_dir) >= 0) { $resupload = dol_move_uploaded_file($_FILES['userfile']['tmp_name'], $upload_dir."/".dol_unescapefile($_FILES['userfile']['name']), 0, 0, $_FILES['userfile']['error']); if (is_numeric($resupload) && $resupload > 0) { @@ -131,7 +137,7 @@ if (GETPOST("sendit") && !empty($conf->global->MAIN_UPLOAD_DOC)) { } // Remove file -if ($action == 'confirm_deletefile' && $confirm == 'yes') { +if ($action == 'confirm_deletefile' && $confirm == 'yes' && $permtoupload) { $langs->load("other"); $file = $upload_dir."/".GETPOST('urlfile'); // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). $ret = dol_delete_file($file); @@ -145,7 +151,7 @@ if ($action == 'confirm_deletefile' && $confirm == 'yes') { } // Remove dir -if ($action == 'confirm_deletedir' && $confirm == 'yes') { +if ($action == 'confirm_deletedir' && $confirm == 'yes' && $permtoupload) { $backtourl = DOL_URL_ROOT."/ecm/index.php"; if ($module == 'medias') { $backtourl = DOL_URL_ROOT."/website/index.php?file_manager=1"; 
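Review bot: The `confirm_deletedir` action is now gated on `$permtoupload`, but removing a directory is a structure change that dir_add_card.php in this same patch gates on `$permtoadd` (`confirm_deletesection ... && $permtoadd`), and `$permtoadd` here is the `ecm->setup` right; a user with only `ecm->upload` can therefore remove a whole section from this page but not from the section card. Use `&& $permtoadd` on the `confirm_deletedir` condition, matching the `update` action further down. Separately, the `confirm_deletefile` guard above composes `$upload_dir."/".GETPOST('urlfile')` with no visible path check; unless `dol_delete_file()` confines the path (not shown here), the new permission limits who may delete but not which file.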
@@ -181,7 +187,7 @@ if ($action == 'confirm_deletedir' && $confirm == 'yes') { } // Update dirname or description -if ($action == 'update' && !GETPOST('cancel', 'alpha')) { +if ($action == 'update' && !GETPOST('cancel', 'alpha') && $permtoadd) { $error = 0; if ($module == 'ecm') { diff --git a/htdocs/ecm/file_card.php b/htdocs/ecm/file_card.php index 93885c2843a..14bc7e377f0 100644 --- a/htdocs/ecm/file_card.php +++ b/htdocs/ecm/file_card.php @@ -36,10 +36,6 @@ $action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $backtopage = GETPOST('backtopage', 'alpha'); -if (!$user->rights->ecm->setup) { - accessforbidden(); -} - // Get parameters $socid = GETPOST("socid", "int"); @@ -105,6 +101,14 @@ if ($result < 0) { exit; } +// Permissions +$permtoread = $user->rights->ecm->read; +$permtoadd = $user->rights->ecm->setup; +$permtoupload = $user->rights->ecm->upload; + +if (!$permtoread) { + accessforbidden(); +} /* @@ -123,7 +127,7 @@ if ($cancel) { } // Rename file -if ($action == 'update') { +if ($action == 'update' && $permtoadd) { $error = 0; $oldlabel = GETPOST('urlfile', 'alpha'); diff --git a/htdocs/ecm/file_note.php b/htdocs/ecm/file_note.php index d2f3f7b4792..505e432f982 100644 --- a/htdocs/ecm/file_note.php +++ b/htdocs/ecm/file_note.php @@ -22,7 +22,7 @@ /** * \file htdocs/ecm/file_note.php * \ingroup ecm - * \brief Fiche de notes sur une ecm file + * \brief Tab for notes on an ECM file */ require '../main.inc.php'; @@ -39,10 +39,6 @@ $ref = GETPOST('ref', 'alpha'); $socid = GETPOST('socid', 'int'); $action = GETPOST('action', 'aZ09'); -if (!$user->rights->ecm->setup) { - accessforbidden(); -} - // Get parameters $socid = GETPOST("socid", "int"); // Security check @@ -109,6 +105,13 @@ if ($result < 0) { $permissionnote = $user->rights->ecm->setup; // Used by the include of actions_setnotes.inc.php +$permtoread = $user->rights->ecm->read; + +if (!$permtoread) { + accessforbidden(); +} + + /* * Actions */ 
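Review bot: file_card.php replaces the early `ecm->setup` gate with an `ecm->read` gate placed after the ECM record has been fetched (`if ($result < 0) { ... exit; }` is the context just above), so a caller without any ECM right now reaches the fetch and its error path instead of `accessforbidden()`, which may reveal whether a section exists. Move the `$permtoread` test up to where the removed check stood, right after the GETPOST block; `$permtoupload` is assigned in the hunk but not used by any visible line, so drop it or wire it to the upload action.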
diff --git a/htdocs/ecm/index.php b/htdocs/ecm/index.php index 26bf242b0f2..3a8d33343c7 100644 --- a/htdocs/ecm/index.php +++ b/htdocs/ecm/index.php @@ -34,12 +34,6 @@ require_once DOL_DOCUMENT_ROOT.'/ecm/class/ecmdirectory.class.php'; // Load translation files required by the page $langs->loadLangs(array("ecm", "companies", "other", "users", "orders", "propal", "bills", "contracts")); -// Security check -if ($user->socid) { - $socid = $user->socid; -} -$result = restrictedArea($user, 'ecm', 0); - // Get parameters $socid = GETPOST('socid', 'int'); $action = GETPOST('action', 'aZ09'); @@ -81,6 +75,12 @@ $userstatic = new User($db); $error = 0; +// Security check +if ($user->socid) { + $socid = $user->socid; +} +$result = restrictedArea($user, 'ecm', 0); + /* * Actions diff --git a/htdocs/ecm/search.php b/htdocs/ecm/search.php index 979e1d3a417..aa792e0c9d7 100644 --- a/htdocs/ecm/search.php +++ b/htdocs/ecm/search.php @@ -84,6 +84,12 @@ if (!empty($section)) { } } +$permtoread = $user->rights->ecm->read; + +if (!$permtoread) { + accessforbidden(); +} + /* * Actions From a0418fc17d0c3a131096fe8f6c3767165c2f92de Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 21 May 2021 18:53:09 +0200 Subject: [PATCH 17/34] FIX CWE-269 huntr - download of files of project --- htdocs/core/class/html.formfile.class.php | 9 +++- htdocs/core/lib/files.lib.php | 17 +++++- htdocs/core/lib/security.lib.php | 52 ++++++++++++++----- htdocs/ecm/index_auto.php | 8 ++- .../class/expensereport.class.php | 22 ++++---- htdocs/projet/class/task.class.php | 3 +- 6 files changed, 78 insertions(+), 33 deletions(-) diff --git a/htdocs/core/class/html.formfile.class.php b/htdocs/core/class/html.formfile.class.php index 45429512046..573381b8b0c 100644 --- a/htdocs/core/class/html.formfile.class.php +++ b/htdocs/core/class/html.formfile.class.php @@ -1774,11 +1774,16 @@ class FormFile continue; // We do not show orphelins files } - print ''."\n"; + print ''."\n"; print ''; print '
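Review bot: In ecm/search.php the `$permtoread` gate is added after the `if (!empty($section)) { ... }` block that resolves the requested section, so that resolution and whatever it loads (outside the hunk) runs for users without `ecm->read`. Unless the section lookup is needed to decide the permission, place the two `$permtoread` lines before the `$section` handling, so that, as in index.php in this patch, the access check precedes the actions.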
'.$langs->trans("Ref").'
'.$langs->trans("Categories").''; + print '
'.$langs->trans("Categories").''; $cate_arbo = $form->select_all_categories(Categorie::TYPE_ACCOUNT, '', 'parent', 64, 0, 1); $c = new Categorie($db); $cats = $c->containing($object->id, Categorie::TYPE_ACCOUNT); From ac9d9e93147449acf001a8678e5ee27b36c56ef8 Mon Sep 17 00:00:00 2001 From: Alexandre SPANGARO Date: Fri, 21 May 2021 07:04:58 +0200 Subject: [PATCH 10/34] NEW Add hook on balance list --- htdocs/accountancy/bookkeeping/balance.php | 75 +++++++++++++++------- 1 file changed, 51 insertions(+), 24 deletions(-) diff --git a/htdocs/accountancy/bookkeeping/balance.php b/htdocs/accountancy/bookkeeping/balance.php index 75283667fcb..434754516cc 100644 --- a/htdocs/accountancy/bookkeeping/balance.php +++ b/htdocs/accountancy/bookkeeping/balance.php @@ -68,7 +68,9 @@ if ($search_accountancy_code_end == - 1) { $search_accountancy_code_end = ''; } +// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $object = new BookKeeping($db); +$hookmanager->initHooks(array('balancelist')); // Note that conf->hooks_modules contains array $formaccounting = new FormAccounting($db); $formother = new FormOther($db); 
@@ -155,16 +157,23 @@ if (empty($user->rights->accounting->mouvements->lire)) { * Action */ -if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter.x', 'alpha') || GETPOST('button_removefilter', 'alpha')) { // All tests are required to be compatible with all browsers - $show_subgroup = ''; - $search_date_start = ''; - $search_date_end = ''; - $search_accountancy_code_start = ''; - $search_accountancy_code_end = ''; - $search_ledger_code = array(); - $filter = array(); +$parameters = array('socid'=>$socid); +$reshook = $hookmanager->executeHooks('doActions', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks +if ($reshook < 0) { + setEventMessages($hookmanager->error, $hookmanager->errors, 'errors'); } +if (empty($reshook)) { + if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter.x', 'alpha') || GETPOST('button_removefilter', 'alpha')) { // All tests are required to be compatible with all browsers + $show_subgroup = ''; + $search_date_start = ''; + $search_date_end = ''; + $search_accountancy_code_start = ''; + $search_accountancy_code_end = ''; + $search_ledger_code = array(); + $filter = array(); + } +} /* * View @@ -226,22 +235,28 @@ if ($action != 'export_csv') { print ''; print ''; - $button = 'global->ACCOUNTING_EXPORT_FORMAT.')" />'; + $parameters = array(); + $reshook = $hookmanager->executeHooks('addMoreActionsButtons', $parameters, $object, $action); // Note that $action and $object may have been modified by hook + if (empty($reshook)) { + $button = 'global->ACCOUNTING_EXPORT_FORMAT.')" />'; - print ''; + '; + } print_barre_liste($title_page, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, $button, $result, $nbtotalofrecords, 'title_accountancy', 0, '', '', $limit); + $selectedfields = ''; + $moreforfilter = ''; $moreforfilter .= '
'; @@ -283,12 +298,18 @@ if ($action != 'export_csv') { print ' '; print $formaccounting->select_account($search_accountancy_code_end, 'search_accountancy_code_end', $langs->trans('to'), array(), 1, 1, '', 'accounts'); print '
'; + + // Fields from hook + $parameters = array('arrayfields'=>$arrayfields); + $reshook = $hookmanager->executeHooks('printFieldListOption', $parameters, $object); // Note that $action and $object may have been modified by hook + print $hookmanager->resPrint; + + // Action column + print ''; $searchpicto = $form->showFilterButtons(); print $searchpicto; print '
'; if ($found > 0 && is_object($this->cache_objects[$modulepart.'_'.$id.'_'.$ref])) { - print $this->cache_objects[$modulepart.'_'.$id.'_'.$ref]->getNomUrl(1, 'document'); + $tmpobject = $this->cache_objects[$modulepart.'_'.$id.'_'.$ref]; + //if (! in_array($tmpobject->element, array('expensereport'))) { + print $tmpobject->getNomUrl(1, 'document'); + //} else { + // print $tmpobject->getNomUrl(1); + //} } else { print $langs->trans("ObjectDeleted", ($id ? $id : $ref)); } diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index ce5e7129bcf..90796f402d4 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php @@ -2232,7 +2232,8 @@ function dol_most_recent_file($dir, $regexfilter = '', $excludefilter = array('( } /** - * Security check when accessing to a document (used by document.php, viewimage.php and webservices) + * Security check when accessing to a document (used by document.php, viewimage.php and webservices to get documents). + * TODO Replace code that set $accesallowed by a call to restrictedArea() * * @param string $modulepart Module of document ('module', 'module_user_temp', 'module_user' or 'module_temp') * @param string $original_file Relative path with filename, relative to modulepart. 
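Review bot: The new code in the FormFile hunk leaves a commented-out alternative (`//if (! in_array($tmpobject->element, array('expensereport'))) {` … `//}`) around the `print $tmpobject->getNomUrl(1, 'document');` call; dead code inside a permission fix is hard to review later. Either drop the four commented lines or replace them with a one-line comment stating why the 'document' mode of getNomUrl() is used for every element type. The enclosing loop starts outside the hunk.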
@@ -2612,12 +2613,26 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 // Wrapping pour les projets
 if ($fuser->rights->projet->{$lire} || preg_match('/^specimen/i', $original_file)) {
 $accessallowed = 1;
+ // If we known $id of project, call checkUserAccessToObject to check permission on properties and contact of project
+ if ($refname && !preg_match('/^specimen/i', $original_file)) {
+ include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
+ $tmpproject = new Project($db);
+ $tmpproject->fetch('', $refname);
+ $accessallowed = checkUserAccessToObject($user, array('projet'), $tmpproject->id, 'projet&project', '', '', 'rowid', '');
+ }
 }
 $original_file = $conf->projet->dir_output.'/'.$original_file;
 $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."projet WHERE ref='".$db->escape($refname)."' AND entity IN (".getEntity('project').")";
 } elseif ($modulepart == 'project_task' && !empty($conf->projet->dir_output)) {
 if ($fuser->rights->projet->{$lire} || preg_match('/^specimen/i', $original_file)) {
 $accessallowed = 1;
+ // If we known $id of project, call checkUserAccessToObject to check permission on properties and contact of project
+ if ($refname && !preg_match('/^specimen/i', $original_file)) {
+ include_once DOL_DOCUMENT_ROOT.'/projet/class/task.class.php';
+ $tmptask = new Task($db);
+ $tmptask->fetch('', $refname);
+ $accessallowed = checkUserAccessToObject($user, array('projet_task'), $tmptask->id, 'projet&project', '', '', 'rowid', '');
+ }
 }
 $original_file = $conf->projet->dir_output.'/'.$original_file;
 $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."projet WHERE ref='".$db->escape($refname)."' AND entity IN (".getEntity('project').")";
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 06baefed88e..598802ea574 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
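Review bot: Both new checkUserAccessToObject() calls pass the global `$user`, while the permission test on the line above each of them is made on `$fuser`; when a caller supplies a different `$fuser` the object-level check is evaluated for the wrong account, so pass `$fuser` to both. The return value of `$tmpproject->fetch('', $refname)` and `$tmptask->fetch('', $refname)` is ignored, so an unknown ref leaves `->id` empty and the check is made with an empty object id instead of denying access; guard each with `if ($tmpproject->fetch('', $refname) > 0) { $accessallowed = checkUserAccessToObject(...); } else { $accessallowed = 0; }`. In the project_task branch `$refname` is the same value the following `$sqlprotectagainstexternals` query looks up as a project ref, so fetching a Task by it will presumably not match — confirm which ref the path carries there. dol_check_secure_access_document() continues outside the hunk.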
@@ -183,10 +183,11 @@ function dol_verifyHash($chain, $hash, $type = '0') * @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional) * @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optional) * @param int $isdraft 1=The object with id=$objectid is a draft - * @return int Always 1, die process if not allowed + * @param int $mode Mode (0=default, 1=return with not die) + * @return int If mode = 0 (default): Always 1, die process if not allowed. If mode = 1: Return 0 if access not allowed. * @see dol_check_secure_access_document(), checkUserAccessToObject() */ -function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid', $isdraft = 0) +function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid', $isdraft = 0, $mode = 0) { global $db, $conf; global $hookmanager; @@ -231,7 +232,11 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f if (isset($hookmanager->resArray['result'])) { if ($hookmanager->resArray['result'] == 0) { - accessforbidden(); // Module returns 0, so access forbidden + if ($mode) { + return 0; + } else { + accessforbidden(); // Module returns 0, so access forbidden + } } } if ($reshook > 0) { // No other test done. @@ -346,7 +351,11 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f } if (!$readok) { - accessforbidden(); + if ($mode) { + return 0; + } else { + accessforbidden(); + } } //print "Read access is ok"; @@ -435,7 +444,11 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f } if ($wemustcheckpermissionforcreate && !$createok) { - accessforbidden(); + if ($mode) { + return 0; + } else { + accessforbidden(); + } } //print "Write access is ok"; } 
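Review bot: The new `@param int $mode` line should state that with `$mode = 1` restrictedArea() no longer stops the request, so every call site using that mode must act on the returned 0: `* @param int $mode Mode (0=default: die if not allowed, 1=return 0 instead of dying; the caller must check the return value)`. The block `if ($mode) { return 0; } else { accessforbidden(); }` is then repeated verbatim in the @@ -231, @@ -346, @@ -435, @@ -448 and @@ -523 hunks; since accessforbidden() ends the request (the docblock says the process dies), each can be written as `if ($mode) { return 0; } accessforbidden();` without the else. restrictedArea() continues outside these hunks.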
@@ -448,7 +461,11 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f } if (!$createuserok) { - accessforbidden(); + if ($mode) { + return 0; + } else { + accessforbidden(); + } } //print "Create user access is ok"; } @@ -523,26 +540,34 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f } if (!$deleteok && !($isdraft && $createok)) { - accessforbidden(); + if ($mode) { + return 0; + } else { + accessforbidden(); + } } //print "Delete access is ok"; } - // If we have a particular object to check permissions on, we check this object - // is linked to a company allowed to $user. + // If we have a particular object to check permissions on, we check if $user has permission + // for this given object (link to company, is contact for project, ...) if (!empty($objectid) && $objectid > 0) { $ok = checkUserAccessToObject($user, $featuresarray, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select, $parentfortableentity); $params = array('objectid' => $objectid, 'features' => join(',', $featuresarray), 'features2' => $feature2); //print 'checkUserAccessToObject ok='.$ok; - return $ok ? 1 : accessforbidden('', 1, 1, 0, $params); + if ($mode) { + return $ok ? 1 : 0; + } else { + return $ok ? 1 : accessforbidden('', 1, 1, 0, $params); + } } return 1; } /** - * Check access by user to object. - * This function is also called by restrictedArea that check before if module is enabled and permissions of user compared to $action. + * Check access by user to object is ok. + * This function is also called by restrictedArea that check before if module is enabled and if permission of user for $action is ok. * * @param User $user User to check * @param array $featuresarray Features/modules to check. Example: ('user','service','member','project','task',...) 
@@ -555,7 +580,7 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f * @return bool True if user has access, False otherwise * @see restrictedArea() */ -function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = '', $dbt_select = 'rowid', $parenttableforentity = '') +function checkUserAccessToObject($user, array $featuresarray, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = '', $dbt_select = 'rowid', $parenttableforentity = '') { global $db, $conf; @@ -689,6 +714,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php'; $projectstatic = new Project($db); $tmps = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1, 0); + $tmparray = explode(',', $tmps); if (!in_array($objectid, $tmparray)) { return false; diff --git a/htdocs/ecm/index_auto.php b/htdocs/ecm/index_auto.php index bcfff8aa2da..d54dcf14d1e 100644 --- a/htdocs/ecm/index_auto.php +++ b/htdocs/ecm/index_auto.php @@ -440,15 +440,13 @@ if (empty($action) || $action == 'file_manager' || preg_match('/refresh/i', $act continue; // If condition to show is ok } - $var = false; - print '
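Review bot: `$tmparray = explode(',', $tmps);` produces `array('')` when the user is authorised on no project, and the unchanged `in_array($objectid, $tmparray)` below it compares loosely, so on PHP 7 an `$objectid` of 0 (what an upstream fetch() failure yields) matches '' and the check passes; normalise both sides with `$tmparray = array_map('intval', array_filter(explode(',', $tmps), 'strlen'));` and `if (!in_array((int) $objectid, $tmparray, true)) {`. The `array` type added to `$featuresarray` in the @@ -555 hunk turns any caller still passing a string into a TypeError; restrictedArea() visibly passes an array, but other callers of checkUserAccessToObject() should be checked. checkUserAccessToObject() starts and ends outside these hunks.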
'; +print ''; +print '
'; /* * Documents models for Receptions Receipt @@ -302,6 +305,7 @@ if ($resql) { dol_print_error($db); } +print '
'; print ''; print ''; print ''; @@ -417,6 +421,8 @@ foreach ($dirmodels as $reldir) { } print '
'.$langs->trans("Name").'
'; +print '
'; + print '
'; diff --git a/htdocs/admin/resource.php b/htdocs/admin/resource.php index b8bb566c79b..06ae59d64a3 100644 --- a/htdocs/admin/resource.php +++ b/htdocs/admin/resource.php @@ -74,6 +74,7 @@ print '
'; print ''; print ''; +print '
'; print ''; print ''; print ''."\n"; @@ -132,6 +133,7 @@ print ''; print ''; print '
'.$langs->trans("Parameters").'
'; +print '
'; print '
'; diff --git a/htdocs/admin/user.php b/htdocs/admin/user.php index 0dccf65e5e7..83649d46a28 100644 --- a/htdocs/admin/user.php +++ b/htdocs/admin/user.php @@ -126,6 +126,7 @@ $head = user_admin_prepare_head(); print dol_get_fiche_head($head, 'card', $langs->trans("MenuUsersAndGroups"), -1, 'user'); +print '
'; print ''; print ''; print ''; @@ -171,6 +172,7 @@ if ($conf->use_javascript_ajax) { print ''; print '
'.$langs->trans("Parameter").'
'; +print '
'; print '
'; @@ -197,6 +199,7 @@ if ($resql) { print load_fiche_titre($langs->trans("UsersDocModules"), '', ''); +print '
'; print ''; print ''; print ''; @@ -306,7 +309,9 @@ foreach ($dirmodels as $reldir) { } print '
'.$langs->trans("Name").'
'; -print "
"; +print '
'; + +print '
'; print dol_get_fiche_end(); diff --git a/htdocs/core/lib/admin.lib.php b/htdocs/core/lib/admin.lib.php index 303382f285b..ae260171a0b 100644 --- a/htdocs/core/lib/admin.lib.php +++ b/htdocs/core/lib/admin.lib.php @@ -1545,6 +1545,7 @@ function form_constantes($tableau, $strictw3c = 0, $helptext = '') print ''; } + print '
'; print ''; print ''; print ''; @@ -1715,6 +1716,7 @@ function form_constantes($tableau, $strictw3c = 0, $helptext = '') } } print '
'.$langs->trans("Description").'
'; + print '
'; if (!empty($strictw3c) && $strictw3c == 1) { print '
'; diff --git a/htdocs/theme/eldy/global.inc.php b/htdocs/theme/eldy/global.inc.php index 6c705c62489..4468c36a7da 100644 --- a/htdocs/theme/eldy/global.inc.php +++ b/htdocs/theme/eldy/global.inc.php @@ -633,6 +633,9 @@ th .button { .quatrevingtquinzepercent { width: 95%; } +.quatrevingtpercentminusx { + width: calc(80% - 52px); +} textarea.centpercent { width: 96%; } diff --git a/htdocs/theme/md/style.css.php b/htdocs/theme/md/style.css.php index 407a38ea320..f1fb649f4af 100644 --- a/htdocs/theme/md/style.css.php +++ b/htdocs/theme/md/style.css.php @@ -780,6 +780,9 @@ th .button { textarea.centpercent { width: 96%; } +.quatrevingtpercentminusx { + width: calc(80% - 52px); +} .small, small { font-size: 85%; } diff --git a/htdocs/user/list.php b/htdocs/user/list.php index d5df7ced259..693590ff7d2 100644 --- a/htdocs/user/list.php +++ b/htdocs/user/list.php @@ -188,7 +188,7 @@ if ($mode == 'employee') { accessforbidden(); } } else { - if (!$user->rights->user->user->lire && !$user->admin) { + if (empty($user->rights->user->user->lire) && empty($user->admin)) { accessforbidden(); } } From d4310f49c4237fb7453b97473f01a59147bfa310 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 24 May 2021 19:46:19 +0200 Subject: [PATCH 21/34] FIX CWE-79 - huntr - Fix option MAIN_ALLOW_SVG_FILES_AS_IMAGES --- htdocs/admin/system/security.php | 20 ++++--- htdocs/core/class/html.form.class.php | 80 +++++++++++++++------------ 2 files changed, 57 insertions(+), 43 deletions(-) diff --git a/htdocs/admin/system/security.php b/htdocs/admin/system/security.php index a4060634ff9..7f258f8f30e 100644 --- a/htdocs/admin/system/security.php +++ b/htdocs/admin/system/security.php @@ -217,7 +217,7 @@ print '
'; print '$dolibarr_nocsrfcheck: '.$dolibarr_nocsrfcheck; if (!empty($dolibarr_nocsrfcheck)) { - print img_picto('', 'warning').'   '.$langs->trans("IfYouAreOnAProductionSetThis", 0); + print '   '.img_picto('', 'warning').' '.$langs->trans("IfYouAreOnAProductionSetThis", 0); } print '
'; @@ -234,16 +234,18 @@ print '
'; print '
'; print '
'; print '
'; -print load_fiche_titre($langs->trans("Menu").' '.$langs->trans("SecuritySetup"), '', 'folder'); +print load_fiche_titre($langs->trans("Menu").' '.$langs->trans("SecuritySetup").' + '.$langs->trans("OtherSetup"), '', 'folder'); //print ''.$langs->trans("PasswordEncryption").': '; print 'MAIN_SECURITY_HASH_ALGO = '.(empty($conf->global->MAIN_SECURITY_HASH_ALGO) ? ''.$langs->trans("Undefined").'' : $conf->global->MAIN_SECURITY_HASH_ALGO)."   "; if (empty($conf->global->MAIN_SECURITY_HASH_ALGO)) { print '     If unset: \'md5\''; } -print '
'; if ($conf->global->MAIN_SECURITY_HASH_ALGO != 'password_hash') { - print 'MAIN_SECURITY_SALT = '.(empty($conf->global->MAIN_SECURITY_SALT) ? ''.$langs->trans("Undefined").'' : $conf->global->MAIN_SECURITY_SALT).'
'; + print '
MAIN_SECURITY_SALT = '.(empty($conf->global->MAIN_SECURITY_SALT) ? ''.$langs->trans("Undefined").'' : $conf->global->MAIN_SECURITY_SALT).'
'; +} else { + print '('.$langs->trans("Recommanded").': password_hash)'; + print '
'; } if ($conf->global->MAIN_SECURITY_HASH_ALGO != 'password_hash') { print '
The recommanded value for MAIN_SECURITY_HASH_ALGO is now \'password_hash\' but setting it now will make ALL existing passwords of all users not valid, so update is not possible.
'; @@ -259,18 +261,20 @@ print '
'; print 'MAIN_SECURITY_ANTI_SSRF_SERVER_IP = '.(empty($conf->global->MAIN_SECURITY_ANTI_SSRF_SERVER_IP) ? ''.$langs->trans("Undefined").'' : $conf->global->MAIN_SECURITY_ANTI_SSRF_SERVER_IP)."
"; print '
'; +print 'MAIN_ALLOW_SVG_FILES_AS_IMAGES = '.(empty($conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES) ? '0   ('.$langs->trans("Recommanded").': 0)' : $conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES)."
"; +print '
'; print 'MAIN_EXEC_USE_POPEN = '; if (empty($conf->global->MAIN_EXEC_USE_POPEN)) { - print ''.$langs->trans("Undefined").'   '; + print ''.$langs->trans("Undefined").''; } else { - print $conf->global->MAIN_EXEC_USE_POPEN.'   '; + print $conf->global->MAIN_EXEC_USE_POPEN; } if ($execmethod == 1) { - print ' --> "exec" PHP method will be used for shell commands.'; + print '   ("exec" PHP method will be used for shell commands)'; } if ($execmethod == 2) { - print ' --> "popen" PHP method will be used for shell commands.'; + print '   ("popen" PHP method will be used for shell commands)'; } print "
"; print '
'; diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index 57bbbe3a029..ea9692f2864 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php 
@@ -8193,41 +8193,47 @@ class Form if ($modulepart == 'societe') { $dir = $conf->societe->multidir_output[$entity]; if (!empty($object->logo)) { - if ((string) $imagesize == 'mini') { - $file = get_exdir(0, 0, 0, 0, $object, 'thirdparty').'logos/'.getImageFileNameForSize($object->logo, '_mini'); // getImageFileNameForSize include the thumbs - } elseif ((string) $imagesize == 'small') { - $file = get_exdir(0, 0, 0, 0, $object, 'thirdparty').'logos/'.getImageFileNameForSize($object->logo, '_small'); - } else { - $file = get_exdir(0, 0, 0, 0, $object, 'thirdparty').'logos/'.$object->logo; + if (dolIsAllowedForPreview($object->logo)) { + if ((string) $imagesize == 'mini') { + $file = get_exdir(0, 0, 0, 0, $object, 'thirdparty').'logos/'.getImageFileNameForSize($object->logo, '_mini'); // getImageFileNameForSize include the thumbs + } elseif ((string) $imagesize == 'small') { + $file = get_exdir(0, 0, 0, 0, $object, 'thirdparty').'logos/'.getImageFileNameForSize($object->logo, '_small'); + } else { + $file = get_exdir(0, 0, 0, 0, $object, 'thirdparty').'logos/'.$object->logo; + } + $originalfile = get_exdir(0, 0, 0, 0, $object, 'thirdparty').'logos/'.$object->logo; } - $originalfile = get_exdir(0, 0, 0, 0, $object, 'thirdparty').'logos/'.$object->logo; } $email = $object->email; } elseif ($modulepart == 'contact') { $dir = $conf->societe->multidir_output[$entity].'/contact'; if (!empty($object->photo)) { - if ((string) $imagesize == 'mini') { - $file = get_exdir(0, 0, 0, 0, $object, 'contact').'photos/'.getImageFileNameForSize($object->photo, '_mini'); - } elseif ((string) $imagesize == 'small') { - $file = get_exdir(0, 0, 0, 0, $object, 'contact').'photos/'.getImageFileNameForSize($object->photo, '_small'); - } else { - $file = get_exdir(0, 0, 0, 0, $object, 'contact').'photos/'.$object->photo; + if (dolIsAllowedForPreview($object->logo)) { + if ((string) $imagesize == 'mini') { + $file = get_exdir(0, 0, 0, 0, $object, 
'contact').'photos/'.getImageFileNameForSize($object->photo, '_mini'); + } elseif ((string) $imagesize == 'small') { + $file = get_exdir(0, 0, 0, 0, $object, 'contact').'photos/'.getImageFileNameForSize($object->photo, '_small'); + } else { + $file = get_exdir(0, 0, 0, 0, $object, 'contact').'photos/'.$object->photo; + } + $originalfile = get_exdir(0, 0, 0, 0, $object, 'contact').'photos/'.$object->photo; } - $originalfile = get_exdir(0, 0, 0, 0, $object, 'contact').'photos/'.$object->photo; } $email = $object->email; $capture = 'user'; } elseif ($modulepart == 'userphoto') { $dir = $conf->user->dir_output; if (!empty($object->photo)) { - if ((string) $imagesize == 'mini') { - $file = get_exdir(0, 0, 0, 0, $object, 'user').getImageFileNameForSize($object->photo, '_mini'); - } elseif ((string) $imagesize == 'small') { - $file = get_exdir(0, 0, 0, 0, $object, 'user').getImageFileNameForSize($object->photo, '_small'); - } else { - $file = get_exdir(0, 0, 0, 0, $object, 'user').$object->photo; + if (dolIsAllowedForPreview($object->logo)) { + if ((string) $imagesize == 'mini') { + $file = get_exdir(0, 0, 0, 0, $object, 'user').getImageFileNameForSize($object->photo, '_mini'); + } elseif ((string) $imagesize == 'small') { + $file = get_exdir(0, 0, 0, 0, $object, 'user').getImageFileNameForSize($object->photo, '_small'); + } else { + $file = get_exdir(0, 0, 0, 0, $object, 'user').$object->photo; + } + $originalfile = get_exdir(0, 0, 0, 0, $object, 'user').$object->photo; } - $originalfile = get_exdir(0, 0, 0, 0, $object, 'user').$object->photo; } if (!empty($conf->global->MAIN_OLD_IMAGE_LINKS)) { $altfile = $object->id.".jpg"; // For backward compatibility 
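Review bot: In the 'contact' and 'userphoto' branches of this hunk, and again in the 'memberphoto' and generic branches of the two following hunks, the new guard is `dolIsAllowedForPreview($object->logo)` while the file name actually used is `$object->photo`; only the 'societe' branch has a `logo` property. Whether the guard then hides every photo or lets an SVG through depends on what dolIsAllowedForPreview() returns for an empty name, so in those four places it should read `if (dolIsAllowedForPreview($object->photo)) {`. When the guard fails, `$file` and `$originalfile` are left unset; if the code after the hunk reads them, initialise both to '' before the branch. The method continues outside the hunk.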
@@ -8237,14 +8243,16 @@ class Form } elseif ($modulepart == 'memberphoto') { $dir = $conf->adherent->dir_output; if (!empty($object->photo)) { - if ((string) $imagesize == 'mini') { - $file = get_exdir(0, 0, 0, 0, $object, 'member').'photos/'.getImageFileNameForSize($object->photo, '_mini'); - } elseif ((string) $imagesize == 'small') { - $file = get_exdir(0, 0, 0, 0, $object, 'member').'photos/'.getImageFileNameForSize($object->photo, '_small'); - } else { - $file = get_exdir(0, 0, 0, 0, $object, 'member').'photos/'.$object->photo; + if (dolIsAllowedForPreview($object->logo)) { + if ((string) $imagesize == 'mini') { + $file = get_exdir(0, 0, 0, 0, $object, 'member').'photos/'.getImageFileNameForSize($object->photo, '_mini'); + } elseif ((string) $imagesize == 'small') { + $file = get_exdir(0, 0, 0, 0, $object, 'member').'photos/'.getImageFileNameForSize($object->photo, '_small'); + } else { + $file = get_exdir(0, 0, 0, 0, $object, 'member').'photos/'.$object->photo; + } + $originalfile = get_exdir(0, 0, 0, 0, $object, 'member').'photos/'.$object->photo; } - $originalfile = get_exdir(0, 0, 0, 0, $object, 'member').'photos/'.$object->photo; } if (!empty($conf->global->MAIN_OLD_IMAGE_LINKS)) { $altfile = $object->id.".jpg"; // For backward compatibility 
@@ -8255,14 +8263,16 @@ class Form // Generic case to show photos $dir = $conf->$modulepart->dir_output; if (!empty($object->photo)) { - if ((string) $imagesize == 'mini') { - $file = get_exdir($id, 2, 0, 0, $object, $modulepart).'photos/'.getImageFileNameForSize($object->photo, '_mini'); - } elseif ((string) $imagesize == 'small') { - $file = get_exdir($id, 2, 0, 0, $object, $modulepart).'photos/'.getImageFileNameForSize($object->photo, '_small'); - } else { - $file = get_exdir($id, 2, 0, 0, $object, $modulepart).'photos/'.$object->photo; + if (dolIsAllowedForPreview($object->logo)) { + if ((string) $imagesize == 'mini') { + $file = get_exdir($id, 2, 0, 0, $object, $modulepart).'photos/'.getImageFileNameForSize($object->photo, '_mini'); + } elseif ((string) $imagesize == 'small') { + $file = get_exdir($id, 2, 0, 0, $object, $modulepart).'photos/'.getImageFileNameForSize($object->photo, '_small'); + } else { + $file = get_exdir($id, 2, 0, 0, $object, $modulepart).'photos/'.$object->photo; + } + $originalfile = get_exdir($id, 2, 0, 0, $object, $modulepart).'photos/'.$object->photo; } - $originalfile = get_exdir($id, 2, 0, 0, $object, $modulepart).'photos/'.$object->photo; } if (!empty($conf->global->MAIN_OLD_IMAGE_LINKS)) { $altfile = $object->id.".jpg"; // For backward compatibility From 31af74f852f4db4fcc3e6cf46ebb346ea3e2979a Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 24 May 2021 20:04:23 +0200 Subject: [PATCH 22/34] FIX CWE-269 - huntr - Can download files of an agenda event --- htdocs/core/lib/files.lib.php | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index 90796f402d4..7e34eec5ecd 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php 
@@ -2447,6 +2447,16 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 // Wrapping for events
 if ($fuser->rights->agenda->myactions->{$read}) {
 $accessallowed = 1;
+ // If we known $id of project, call checkUserAccessToObject to check permission on the given agenda event on properties and assigned users
+ if ($refname && !preg_match('/^specimen/i', $original_file)) {
+ include_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php';
+ $tmpobject = new ActionComm($db);
+ $tmpobject->fetch((int) $refname);
+ $accessallowed = checkUserAccessToObject($user, array('agenda'), $tmpobject->id, 'actioncomm&societe', 'myactions|allactions', 'fk_soc', 'id', '');
+ if ($user->socid && $tmpobject->socid) {
+ $accessallowed = checkUserAccessToObject($user, array('societe'), $tmpobject->socid);
+ }
+ }
 }
 $original_file = $conf->agenda->dir_output.'/'.$original_file;
 } elseif ($modulepart == 'category' && !empty($conf->categorie->multidir_output[$entity])) {
From bb64a25638cdba35bba39b8cf44677529ca403b1 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 24 May 2021 22:11:24 +0200
Subject: [PATCH 23/34] Fix CWE-269 - huntr - Fix set of email without edit user permission
---
 htdocs/core/class/ldap.class.php | 2 +-
 htdocs/user/bank.php | 82 +++++++++++++++++---------
 htdocs/user/card.php | 4 +-
 3 files changed, 47 insertions(+), 41 deletions(-)
diff --git a/htdocs/core/class/ldap.class.php b/htdocs/core/class/ldap.class.php
index 0f97ed878cf..a578f08f3c1 100644
--- a/htdocs/core/class/ldap.class.php
+++ b/htdocs/core/class/ldap.class.php
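Review bot: The second assignment `$accessallowed = checkUserAccessToObject($user, array('societe'), $tmpobject->socid);` overwrites the result of the event-level check just above it, so for an external user the event check is discarded whenever the thirdparty check passes; combine them instead: `$accessallowed = ($accessallowed && checkUserAccessToObject($user, array('societe'), $tmpobject->socid)) ? 1 : 0;`. As in the project hunk of the previous patch, the checks use the global `$user` while the surrounding permission test is on `$fuser`, and the return of `$tmpobject->fetch((int) $refname)` is not checked, so an unknown id reaches the check with an empty `->id`. The comment `// If we known $id of project` was copied from the project branch and should read `// If we know the id of the event, call checkUserAccessToObject to check permission on it and on its assigned users`. dol_check_secure_access_document() continues outside the hunk.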
@@ -932,7 +932,7 @@ class Ldap * Returns an array containing a details or list of LDAP record(s) * ldapsearch -LLLx -hlocalhost -Dcn=admin,dc=parinux,dc=org -w password -b "ou=adherents,ou=people,dc=parinux,dc=org" userPassword * - * @param string $search Value of fiel to search, '*' for all. Not used if $activefilter is set. + * @param string $search Value of field to search, '*' for all. Not used if $activefilter is set. * @param string $userDn DN (Ex: ou=adherents,ou=people,dc=parinux,dc=org) * @param string $useridentifier Name of key field (Ex: uid) * @param array $attributeArray Array of fields required. Note this array must also contains field $useridentifier (Ex: sn,userPassword) diff --git a/htdocs/user/bank.php b/htdocs/user/bank.php index 356e23a5de0..0b179653487 100644 --- a/htdocs/user/bank.php +++ b/htdocs/user/bank.php @@ -59,6 +59,29 @@ if ($user->socid > 0) { $socid = $user->socid; } $feature2 = (($socid && $user->rights->user->self->creer) ? '' : 'user'); + +$object = new User($db); +if ($id > 0 || !empty($ref)) { + $result = $object->fetch($id, $ref, '', 1); + $object->getrights(); +} + +$account = new UserBankAccount($db); +if (!$bankid) { + $account->fetch(0, '', $id); +} else { + $account->fetch($bankid); +} +if (empty($account->userid)) { + $account->userid = $object->id; +} + + +// Define value to know what current user can do on users +$canadduser = (!empty($user->admin) || $user->rights->user->user->creer); +$canreaduser = (!empty($user->admin) || $user->rights->user->user->lire); +$permissiontoaddbankaccount = (!empty($user->rights->salaries->write) || !empty($user->rights->hrm->employee->write) || !empty($user->rights->user->creer)); + // Ok if user->rights->salaries->read or user->rights->hrm->read //$result = restrictedArea($user, 'salaries|hrm', $id, 'user&user', $feature2); $ok = false; 
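Review bot: `$canadduser` is computed from `user->user->creer` only, while the `$feature2` line kept just above it still recognises a user editing their own record through `user->self->creer`; the setpersonal_email and setpersonal_mobile actions gated on `$canadduser` in the @@ -199 and @@ -208 hunks therefore become unreachable for a self-edit. If self-edit is meant to remain allowed, gate them on a value that covers both cases, e.g. `$caneditfield = (($user->id == $id && !empty($user->rights->user->self->creer)) || ($user->id != $id && $canadduser));`. The result of `$object->fetch($id, $ref, '', 1)` is not checked, so a bad id leaves `$object->id` empty and `$account->userid = $object->id;` stores that; `$user->rights->user->user->creer` is also read without the `!empty()` that `$user->admin` gets on the same line. The permission block that follows continues outside the hunk.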
@@ -78,30 +101,12 @@ if (!$ok) { accessforbidden(); } -$object = new User($db); -if ($id > 0 || !empty($ref)) { - $result = $object->fetch($id, $ref, '', 1); - $object->getrights(); -} - -$account = new UserBankAccount($db); -if (!$bankid) { - $account->fetch(0, '', $id); -} else { - $account->fetch($bankid); -} -if (empty($account->userid)) { - $account->userid = $object->id; -} - -$permissiontoaddbankaccount = (!empty($user->rights->salaries->write) || !empty($user->rights->hrm->employee->write) || !empty($user->rights->user->creer)); - /* * Actions */ -if ($action == 'add' && !$cancel) { +if ($action == 'add' && !$cancel && $permissiontoaddbankaccount) { $account->userid = $object->id; $account->bank = GETPOST('bank', 'alpha'); @@ -128,7 +133,7 @@ if ($action == 'add' && !$cancel) { } } -if ($action == 'update' && !$cancel) { +if ($action == 'update' && !$cancel && $permissiontoaddbankaccount) { $account->userid = $object->id; /* @@ -199,7 +204,7 @@ if ($action == 'update' && !$cancel) { } // update personal email -if ($action == 'setpersonal_email') { +if ($action == 'setpersonal_email' && $canadduser) { $object->personal_email = (string) GETPOST('personal_email', 'alphanohtml'); $result = $object->update($user); if ($result < 0) { @@ -208,7 +213,7 @@ if ($action == 'setpersonal_email') { } // update personal mobile -if ($action == 'setpersonal_mobile') { +if ($action == 'setpersonal_mobile' && $canadduser) { $object->personal_mobile = (string) GETPOST('personal_mobile', 'alphanohtml'); $result = $object->update($user); if ($result < 0) { 
@@ -216,25 +221,26 @@ if ($action == 'setpersonal_mobile') { } } -// update default_c_exp_tax_cat -if ($action == 'setdefault_c_exp_tax_cat') { - $object->default_c_exp_tax_cat = GETPOST('default_c_exp_tax_cat', 'int'); - $result = $object->update($user); - if ($result < 0) { - setEventMessages($object->error, $object->errors, 'errors'); +if (!empty($conf->global->MAIN_USE_EXPENSE_IK)) { + // update default_c_exp_tax_cat + if ($action == 'setdefault_c_exp_tax_cat' && $canadduser) { + $object->default_c_exp_tax_cat = GETPOST('default_c_exp_tax_cat', 'int'); + $result = $object->update($user); + if ($result < 0) { + setEventMessages($object->error, $object->errors, 'errors'); + } + } + + // update default range + if ($action == 'setdefault_range' && $canadduser) { + $object->default_range = GETPOST('default_range', 'int'); + $result = $object->update($user); + if ($result < 0) { + setEventMessages($object->error, $object->errors, 'errors'); + } } } -// update default range -if ($action == 'setdefault_range') { - $object->default_range = GETPOST('default_range', 'int'); - $result = $object->update($user); - if ($result < 0) { - setEventMessages($object->error, $object->errors, 'errors'); - } -} - - /* * View diff --git a/htdocs/user/card.php b/htdocs/user/card.php index cb4e7350e0e..0dd7506a784 100644 --- a/htdocs/user/card.php +++ b/htdocs/user/card.php @@ -615,8 +615,8 @@ if (empty($reshook)) { } // Action initialisation donnees depuis record LDAP - if ($action == 'adduserldap') { - $selecteduser = $_POST['users']; + if ($action == 'adduserldap' && $canadduser) { + $selecteduser = GETPOST('users'); $required_fields = array( $conf->global->LDAP_KEY_USERS, From dd48c3ee9d334bbd83e8cf430ce3343d93fac591 Mon Sep 17 00:00:00 2001 
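Review bot: `$selecteduser = GETPOST('users');` in the user/card.php hunk replaces the raw `$_POST` read but passes no check argument, so the value — presumably an LDAP key used to select a record — is filtered only by GETPOST()'s default; pass the filter explicitly, `$selecteduser = GETPOST('users', 'alphanohtml');`, so the intent survives a change of that default. The surrounding action block continues outside the hunk.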
From: Laurent Destailleur Date: Tue, 25 May 2021 00:07:38 +0200 Subject: [PATCH 24/34] Remove deprecated __REFCLIENT__ (Replaced with __REF_CLIENT__) --- ChangeLog | 2 +- htdocs/core/lib/functions.lib.php | 4 ---- htdocs/core/tpl/card_presend.tpl.php | 2 +- htdocs/core/tpl/massactions_pre.tpl.php | 2 +- 4 files changed, 3 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index ec201fa378e..50a0ff10131 100644 --- a/ChangeLog +++ b/ChangeLog @@ -169,7 +169,7 @@ Following changes may create regressions for some external modules, but were nec * If your database is PostgreSql, you must use version 9.1.0 or more (Dolibarr need the SQL function CONCAT) * If your database is MySql or MariaDB, you need at least version 5.1 * Function set_price_level() has been renamed into setPriceLevel() to follow camelcase rules - +* Remove deprecated subtituion key __REFCLIENT__ (Replaced with __REF_CLIENT__) ***** ChangeLog for 13.0.3 compared to 13.0.2 ***** diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 48237bbc826..eab810692c6 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php 
@@ -6877,10 +6877,6 @@ function getCommonSubstitutionArray($outputlangs, $onlykey = 0, $exclude = null,
 $substitutionarray['__DATE_DELIVERY_SS__'] = (isset($object->date_livraison) ? dol_print_date($object->date_livraison, "%S") : '');
 // For backward compatibility
- $substitutionarray['__REFCLIENT__'] = (isset($object->ref_client) ? $object->ref_client : (isset($object->ref_customer) ? $object->ref_customer : null));
- $substitutionarray['__REFSUPPLIER__'] = (isset($object->ref_supplier) ? $object->ref_supplier : null);
- $substitutionarray['__REFCLIENT__'] = (isset($object->ref_client) ? $object->ref_client : (isset($object->ref_customer) ? $object->ref_customer : null));
- $substitutionarray['__REFSUPPLIER__'] = (isset($object->ref_supplier) ? $object->ref_supplier : null);
 $substitutionarray['__SUPPLIER_ORDER_DATE_DELIVERY__'] = (isset($object->date_livraison) ? dol_print_date($object->date_livraison, 'day', 0, $outputlangs) : '');
 $substitutionarray['__SUPPLIER_ORDER_DELAY_DELIVERY__'] = (isset($object->availability_code) ? ($outputlangs->transnoentities("AvailabilityType".$object->availability_code) != ('AvailabilityType'.$object->availability_code) ? $outputlangs->transnoentities("AvailabilityType".$object->availability_code) : $outputlangs->convToOutputCharset(isset($object->availability) ? $object->availability : '')) : '');
diff --git a/htdocs/core/tpl/card_presend.tpl.php b/htdocs/core/tpl/card_presend.tpl.php
index 9c1387d7d58..731cc580ea1 100644
--- a/htdocs/core/tpl/card_presend.tpl.php
+++ b/htdocs/core/tpl/card_presend.tpl.php
@@ -76,7 +76,7 @@ if ($action == 'presend') {
 if (empty($object->ref_client)) {
 $topicmail = $outputlangs->trans($defaulttopic, '__REF__');
 } elseif (!empty($object->ref_client)) {
- $topicmail = $outputlangs->trans($defaulttopic, '__REF__ (__REFCLIENT__)');
+ $topicmail = $outputlangs->trans($defaulttopic, '__REF__ (__REF_CLIENT__)');
 }
 // Build document if it not exists
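Review bot: Dropping `__REFCLIENT__` and `__REFSUPPLIER__` from the substitution array has no transition path: e-mail templates stored in the database or external modules that still reference the old keys will now emit the placeholder text verbatim, and nothing in `getCommonSubstitutionArray` flags it. Keeping the old keys as aliases for one release, e.g. `$substitutionarray['__REFCLIENT__'] = $substitutionarray['__REF_CLIENT__']; // deprecated alias, remove in next major` (assuming `__REF_CLIENT__` is populated earlier in this function), would give users time to migrate. The function continues outside the hunk.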
diff --git a/htdocs/core/tpl/massactions_pre.tpl.php b/htdocs/core/tpl/massactions_pre.tpl.php
index 21150d19936..4b8680e11bb 100644
--- a/htdocs/core/tpl/massactions_pre.tpl.php
+++ b/htdocs/core/tpl/massactions_pre.tpl.php
@@ -149,7 +149,7 @@ if ($massaction == 'presend') {
 $formmail->withtofree = empty($liste) ? 1 : 0;
 $formmail->withtocc = 1;
 $formmail->withtoccc = $conf->global->MAIN_EMAIL_USECCC;
- $formmail->withtopic = $langs->transnoentities($topicmail, '__REF__', '__REFCLIENT__');
+ $formmail->withtopic = $langs->transnoentities($topicmail, '__REF__', '__REF_CLIENT__');
 $formmail->withfile = 1; // $formmail->withfile = 2; Not yet supported in mass action
 $formmail->withmaindocfile = 1; // Add a checkbox "Attach also main document"
From 97154f8267dd28dac5402b3f1ea498a6f7ab3154 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 25 May 2021 00:29:32 +0200
Subject: [PATCH 25/34] Fix timezone into widgets
---
 htdocs/core/boxes/box_accountancy_last_manual_entries.php | 2 +-
 htdocs/core/boxes/box_actions.php | 4 ++--
 htdocs/core/boxes/box_birthdays.php | 4 ++--
 htdocs/core/boxes/box_birthdays_members.php | 4 ++--
 htdocs/core/boxes/box_boms.php | 2 +-
 htdocs/core/boxes/box_clients.php | 4 ++--
 htdocs/core/boxes/box_commandes.php | 2 +-
 htdocs/core/boxes/box_contacts.php | 2 +-
 htdocs/core/boxes/box_contracts.php | 2 +-
 htdocs/core/boxes/box_external_rss.php | 2 +-
 htdocs/core/boxes/box_factures.php | 4 ++--
 htdocs/core/boxes/box_factures_fourn.php | 4 ++--
 htdocs/core/boxes/box_factures_fourn_imp.php | 4 ++--
 htdocs/core/boxes/box_factures_imp.php | 4 ++--
 htdocs/core/boxes/box_ficheinter.php | 2 +-
 htdocs/core/boxes/box_fournisseurs.php | 4 ++--
 htdocs/core/boxes/box_goodcustomers.php | 4 ++--
 htdocs/core/boxes/box_last_modified_ticket.php | 2 +-
 htdocs/core/boxes/box_last_ticket.php | 2 +-
 htdocs/core/boxes/box_lastlogin.php | 2 +-
 htdocs/core/boxes/box_members.php | 4 ++--
 htdocs/core/boxes/box_members_last_modified.php | 4 ++--
 htdocs/core/boxes/box_members_last_subscriptions.php | 2 +-
 htdocs/core/boxes/box_members_subscriptions_by_year.php | 2 +-
 htdocs/core/boxes/box_mos.php | 4 ++--
 htdocs/core/boxes/box_produits.php | 4 ++--
 htdocs/core/boxes/box_propales.php | 4 ++--
 htdocs/core/boxes/box_prospect.php | 4 ++--
 htdocs/core/boxes/box_scheduled_jobs.php | 2 +-
 htdocs/core/boxes/box_services_contracts.php | 4 ++--
 htdocs/core/boxes/box_services_expired.php | 2 +-
 htdocs/core/boxes/box_supplier_orders.php | 2 +-
 htdocs/core/boxes/box_supplier_orders_awaiting_reception.php | 2 +-
 33 files changed, 50 insertions(+), 50 deletions(-)
diff --git a/htdocs/core/boxes/box_accountancy_last_manual_entries.php b/htdocs/core/boxes/box_accountancy_last_manual_entries.php
index 123f9894e1e..b1e4a637046 100644
--- a/htdocs/core/boxes/box_accountancy_last_manual_entries.php
+++ b/htdocs/core/boxes/box_accountancy_last_manual_entries.php
@@ -116,7 +116,7 @@ class box_accountancy_last_manual_entries extends ModeleBoxes
 );
 $this->info_box_contents[$line][] = array(
- 'td' => 'class="right"',
+ 'td' => 'class="center nowraponall"',
 'text' => dol_print_date($date, 'day'),
 'asis' => 1,
 );
diff --git a/htdocs/core/boxes/box_actions.php b/htdocs/core/boxes/box_actions.php
index e14fdfcb457..45c9d580ad2 100644
--- a/htdocs/core/boxes/box_actions.php
+++ b/htdocs/core/boxes/box_actions.php
@@ -161,8 +161,8 @@ class box_actions extends ModeleBoxes
 );
 $this->info_box_contents[$line][2] = array(
- 'td' => 'class="nowrap left"',
- 'text' => dol_print_date($datelimite, "dayhour"),
+ 'td' => 'class="center nowraponall"',
+ 'text' => dol_print_date($datelimite, "dayhour", 'tzuserrel'),
 'asis' => 1
 );
diff --git a/htdocs/core/boxes/box_birthdays.php b/htdocs/core/boxes/box_birthdays.php
index d6e6296a3cc..62cfaa590ab 100644
--- a/htdocs/core/boxes/box_birthdays.php
+++ b/htdocs/core/boxes/box_birthdays.php
@@ -118,8 +118,8 @@ class box_birthdays extends ModeleBoxes
 );
 $this->info_box_contents[$line][] = array(
- 'td' => 'class="right"',
- 'text' => dol_print_date($dateb, "day").' - '.$age.' '.$langs->trans('DurationYears')
+ 'td' => 'class="center nowraponall"',
+ 'text' => dol_print_date($dateb, "day", 'gmt').' - '.$age.' '.$langs->trans('DurationYears')
 );
 /*$this->info_box_contents[$line][] = array(
diff --git a/htdocs/core/boxes/box_birthdays_members.php b/htdocs/core/boxes/box_birthdays_members.php
index 4d367a223e2..5e772ff3593 100644
--- a/htdocs/core/boxes/box_birthdays_members.php
+++ b/htdocs/core/boxes/box_birthdays_members.php
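Review bot: In the `box_accountancy_last_manual_entries` hunk only the cell class changes; `dol_print_date($date, 'day')` is left without the timezone argument that every other widget in this commit receives, so this box still renders with whatever default `dol_print_date` applies. Whether it should be `'tzuserrel'` like the other document dates or `'gmt'` like the birthday boxes depends on how `$date` is built (outside the hunk); for a timestamped entry the former applies: `'text' => dol_print_date($date, 'day', 'tzuserrel'),`. The enclosing method starts and ends outside the hunk.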
@@ -115,8 +115,8 @@ class box_birthdays_members extends ModeleBoxes
 );
 $this->info_box_contents[$line][] = array(
- 'td' => 'class="right"',
- 'text' => dol_print_date($dateb, "day").' - '.$age.' '.$langs->trans('DurationYears')
+ 'td' => 'class="center nowraponall"',
+ 'text' => dol_print_date($dateb, "day", 'gmt').' - '.$age.' '.$langs->trans('DurationYears')
 );
 /*$this->info_box_contents[$line][] = array(
diff --git a/htdocs/core/boxes/box_boms.php b/htdocs/core/boxes/box_boms.php
index d0a169321d0..ae0877c0369 100644
--- a/htdocs/core/boxes/box_boms.php
+++ b/htdocs/core/boxes/box_boms.php
@@ -143,7 +143,7 @@ class box_boms extends ModeleBoxes
 $this->info_box_contents[$line][] = array(
 'td' => 'class="right"',
- 'text' => dol_print_date($datem, 'day'),
+ 'text' => dol_print_date($datem, 'day', 'tzuserrel'),
 );
 $this->info_box_contents[$line][] = array(
diff --git a/htdocs/core/boxes/box_clients.php b/htdocs/core/boxes/box_clients.php
index 56b8fa089a3..df56b510823 100644
--- a/htdocs/core/boxes/box_clients.php
+++ b/htdocs/core/boxes/box_clients.php
@@ -134,8 +134,8 @@ class box_clients extends ModeleBoxes
 );
 $this->info_box_contents[$line][] = array(
- 'td' => 'class="right"',
- 'text' => dol_print_date($datem, "day")
+ 'td' => 'class="center nowraponall"',
+ 'text' => dol_print_date($datem, "day", 'tzuserrel')
 );
 $this->info_box_contents[$line][] = array(
diff --git a/htdocs/core/boxes/box_commandes.php b/htdocs/core/boxes/box_commandes.php
index eac431918b2..6583673f8ca 100644
--- a/htdocs/core/boxes/box_commandes.php
+++ b/htdocs/core/boxes/box_commandes.php
@@ -180,7 +180,7 @@ class box_commandes extends ModeleBoxes
 $this->info_box_contents[$line][] = array(
 'td' => 'class="right"',
- 'text' => dol_print_date($date, 'day'),
+ 'text' => dol_print_date($date, 'day', 'tzuserrel'),
 );
 $this->info_box_contents[$line][] = array(
diff --git a/htdocs/core/boxes/box_contacts.php b/htdocs/core/boxes/box_contacts.php
index bd69ddc0108..fada6a93bfd 100644
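Review bot: Style: the date cell in `box_boms` and `box_commandes` keeps `'td' => 'class="right"'`, while `box_clients` in this same run (and `box_actions`, `box_members`, `box_produits` elsewhere in the commit) switches to `'td' => 'class="center nowraponall"'`, so a dashboard mixing these widgets aligns the date column differently from one box to the next. The same split recurs in `box_contacts`, `box_contracts`, `box_factures`, `box_factures_fourn`, `box_ficheinter`, `box_supplier_orders` and the ticket boxes further down. Picking one class for all date columns in this commit would avoid the inconsistency.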
--- a/htdocs/core/boxes/box_contacts.php
+++ b/htdocs/core/boxes/box_contacts.php
@@ -161,7 +161,7 @@ class box_contacts extends ModeleBoxes
 $this->info_box_contents[$line][] = array(
 'td' => 'class="right"',
- 'text' => dol_print_date($datem, "day"),
+ 'text' => dol_print_date($datem, "day", 'tzuserrel'),
 );
 $this->info_box_contents[$line][] = array(
diff --git a/htdocs/core/boxes/box_contracts.php b/htdocs/core/boxes/box_contracts.php
index ad19184691c..9d7b625db91 100644
--- a/htdocs/core/boxes/box_contracts.php
+++ b/htdocs/core/boxes/box_contracts.php
@@ -156,7 +156,7 @@ class box_contracts extends ModeleBoxes
 $this->info_box_contents[$line][] = array(
 'td' => 'class="right"',
- 'text' => dol_print_date($datec, 'day'),
+ 'text' => dol_print_date($datec, 'day', 'tzuserrel'),
 );
 $this->info_box_contents[$line][] = array(
diff --git a/htdocs/core/boxes/box_external_rss.php b/htdocs/core/boxes/box_external_rss.php
index 7bf8a69ed03..aff48328edb 100644
--- a/htdocs/core/boxes/box_external_rss.php
+++ b/htdocs/core/boxes/box_external_rss.php
@@ -150,7 +150,7 @@ class box_external_rss extends ModeleBoxes
 //$item['atom_content']
 }
 if (is_numeric($date)) {
- $date = dol_print_date($date, "dayhour");
+ $date = dol_print_date($date, "dayhour", 'tzuserrel');
 }
 $isutf8 = utf8_check($title);
diff --git a/htdocs/core/boxes/box_factures.php b/htdocs/core/boxes/box_factures.php
index 9ef12a9b8f6..2a97d738cd8 100644
--- a/htdocs/core/boxes/box_factures.php
+++ b/htdocs/core/boxes/box_factures.php
@@ -163,7 +163,7 @@ class box_factures extends ModeleBoxes
 $late = '';
 if ($facturestatic->hasDelay()) {
- $late = img_warning(sprintf($l_due_date, dol_print_date($datelimite, 'day')));
+ $late = img_warning(sprintf($l_due_date, dol_print_date($datelimite, 'day', 'tzuserrel')));
 }
 $this->info_box_contents[$line][] = array(
@@ -186,7 +186,7 @@ class box_factures extends ModeleBoxes
 $this->info_box_contents[$line][] = array(
 'td' => 'class="right"',
- 'text' => dol_print_date($date, 'day'),
+ 'text' => dol_print_date($date, 'day', 'tzuserrel'),
 );
 $this->info_box_contents[$line][] = array(
diff --git a/htdocs/core/boxes/box_factures_fourn.php b/htdocs/core/boxes/box_factures_fourn.php
index a2ce199faee..a5d63c7b9c3 100644
--- a/htdocs/core/boxes/box_factures_fourn.php
+++ b/htdocs/core/boxes/box_factures_fourn.php
@@ -159,7 +159,7 @@ class box_factures_fourn extends ModeleBoxes
 $late = '';
 if ($facturestatic->hasDelay()) {
- $late = img_warning(sprintf($l_due_date, dol_print_date($datelimite, 'day')));
+ $late = img_warning(sprintf($l_due_date, dol_print_date($datelimite, 'day', 'tzuserrel')));
 }
 $this->info_box_contents[$line][] = array(
@@ -189,7 +189,7 @@ class box_factures_fourn extends ModeleBoxes
 $this->info_box_contents[$line][] = array(
 'td' => 'class="right"',
- 'text' => dol_print_date($date, 'day'),
+ 'text' => dol_print_date($date, 'day', 'tzuserrel'),
 );
 $this->info_box_contents[$line][] = array(
diff --git a/htdocs/core/boxes/box_factures_fourn_imp.php b/htdocs/core/boxes/box_factures_fourn_imp.php
index aea07802fdf..9c35055011d 100644
--- a/htdocs/core/boxes/box_factures_fourn_imp.php
+++ b/htdocs/core/boxes/box_factures_fourn_imp.php
@@ -150,7 +150,7 @@ class box_factures_fourn_imp extends ModeleBoxes
 $late = '';
 if ($facturestatic->hasDelay()) {
- $late = img_warning(sprintf($l_due_date, dol_print_date($datelimite, 'day')));
+ $late = img_warning(sprintf($l_due_date, dol_print_date($datelimite, 'day', 'tzuserrel')));
 }
 $tooltip = $langs->trans('SupplierInvoice').': '.($objp->ref ? $objp->ref : $objp->facid).'
'.$langs->trans('RefSupplier').': '.$objp->ref_supplier;
@@ -175,7 +175,7 @@ class box_factures_fourn_imp extends ModeleBoxes
 $this->info_box_contents[$line][] = array(
 'td' => 'class="right"',
- 'text' => dol_print_date($datelimite, 'day'),
+ 'text' => dol_print_date($datelimite, 'day', 'tzuserrel'),
 );
 $this->info_box_contents[$line][] = array(
diff --git a/htdocs/core/boxes/box_factures_imp.php b/htdocs/core/boxes/box_factures_imp.php
index 1830dcd5c7a..391fc2e7cd0 100644
--- a/htdocs/core/boxes/box_factures_imp.php
+++ b/htdocs/core/boxes/box_factures_imp.php
@@ -165,7 +165,7 @@ class box_factures_imp extends ModeleBoxes
 $late = '';
 if ($facturestatic->hasDelay()) {
- $late = img_warning(sprintf($l_due_date, dol_print_date($datelimite, 'day')));
+ $late = img_warning(sprintf($l_due_date, dol_print_date($datelimite, 'day', 'tzuserrel')));
 }
 $this->info_box_contents[$line][] = array(
@@ -188,7 +188,7 @@ class box_factures_imp extends ModeleBoxes
 $this->info_box_contents[$line][] = array(
 'td' => 'class="right"',
- 'text' => dol_print_date($datelimite, 'day'),
+ 'text' => dol_print_date($datelimite, 'day', 'tzuserrel'),
 );
 $this->info_box_contents[$line][] = array(
diff --git a/htdocs/core/boxes/box_ficheinter.php b/htdocs/core/boxes/box_ficheinter.php
index 94d081483e2..edf4daa5191 100644
--- a/htdocs/core/boxes/box_ficheinter.php
+++ b/htdocs/core/boxes/box_ficheinter.php
@@ -145,7 +145,7 @@ class box_ficheinter extends ModeleBoxes
 $this->info_box_contents[$i][] = array(
 'td' => 'class="right"',
- 'text' => dol_print_date($datec, 'day'),
+ 'text' => dol_print_date($datec, 'day', 'tzuserrel'),
 );
 $this->info_box_contents[$i][] = array(
diff --git a/htdocs/core/boxes/box_fournisseurs.php b/htdocs/core/boxes/box_fournisseurs.php
index d8b7f30c103..b0d5a0774fc 100644
--- a/htdocs/core/boxes/box_fournisseurs.php
+++ b/htdocs/core/boxes/box_fournisseurs.php
@@ -128,8 +128,8 @@ class box_fournisseurs extends ModeleBoxes
 );
 $this->info_box_contents[$line][] = array(
- 'td' => 'class="right"',
- 'text' => dol_print_date($datem, "day"),
+ 'td' => 'class="center nowraponall"',
+ 'text' => dol_print_date($datem, "day", 'tzuserrel'),
 );
 $this->info_box_contents[$line][] = array(
diff --git a/htdocs/core/boxes/box_goodcustomers.php b/htdocs/core/boxes/box_goodcustomers.php
index 3a4f7e63103..aef7cdc9f3d 100644
--- a/htdocs/core/boxes/box_goodcustomers.php
+++ b/htdocs/core/boxes/box_goodcustomers.php
@@ -126,8 +126,8 @@ class box_goodcustomers extends ModeleBoxes
 );
 $this->info_box_contents[$line][] = array(
- 'td' => 'class="right"',
- 'text' => dol_print_date($datem, "day")
+ 'td' => 'class="center nowraponall"',
+ 'text' => dol_print_date($datem, "day", 'tzuserrel')
 );
 $this->info_box_contents[$line][] = array(
diff --git a/htdocs/core/boxes/box_last_modified_ticket.php b/htdocs/core/boxes/box_last_modified_ticket.php
index 320a23f745b..4d5097e23ba 100644
--- a/htdocs/core/boxes/box_last_modified_ticket.php
+++ b/htdocs/core/boxes/box_last_modified_ticket.php
@@ -162,7 +162,7 @@ class box_last_modified_ticket extends ModeleBoxes
 // Date creation
 $this->info_box_contents[$i][$r] = array(
 'td' => 'class="right"',
- 'text' => dol_print_date($datec, 'dayhour')
+ 'text' => dol_print_date($datec, 'dayhour', 'tzuserrel')
 );
 $r++;
diff --git a/htdocs/core/boxes/box_last_ticket.php b/htdocs/core/boxes/box_last_ticket.php
index 8a0e3822448..e08a54f1c87 100644
--- a/htdocs/core/boxes/box_last_ticket.php
+++ b/htdocs/core/boxes/box_last_ticket.php
@@ -166,7 +166,7 @@ class box_last_ticket extends ModeleBoxes
 // Date creation
 $this->info_box_contents[$i][$r] = array(
 'td' => 'class="right"',
- 'text' => dol_print_date($datec, 'dayhour'),
+ 'text' => dol_print_date($datec, 'dayhour', 'tzuserrel'),
 );
 $r++;
diff --git a/htdocs/core/boxes/box_lastlogin.php b/htdocs/core/boxes/box_lastlogin.php
index a487ec5bc72..e5e11d9ba8f 100644
--- a/htdocs/core/boxes/box_lastlogin.php
+++ b/htdocs/core/boxes/box_lastlogin.php
@@ -93,7 +93,7 @@ class box_lastlogin extends ModeleBoxes
 'text' => $langs->trans("PreviousConnexion"),
 );
 if ($user->datepreviouslogin) {
- $tmp = dol_print_date($user->datepreviouslogin, "dayhour", 'tzuser');
+ $tmp = dol_print_date($user->datepreviouslogin, "dayhour", 'tzuserrel');
 } else {
 $tmp = $langs->trans("Unknown");
 }
diff --git a/htdocs/core/boxes/box_members.php b/htdocs/core/boxes/box_members.php
index acd3773d2f0..5865cba2530 100644
--- a/htdocs/core/boxes/box_members.php
+++ b/htdocs/core/boxes/box_members.php
@@ -145,8 +145,8 @@ class box_members extends ModeleBoxes
 );
 $this->info_box_contents[$line][] = array(
- 'td' => 'class="right"',
- 'text' => dol_print_date($datem, "day"),
+ 'td' => 'class="center nowraponall"',
+ 'text' => dol_print_date($datem, "day", 'tzuserrel'),
 );
 $this->info_box_contents[$line][] = array(
diff --git a/htdocs/core/boxes/box_members_last_modified.php b/htdocs/core/boxes/box_members_last_modified.php
index 1315ac9895b..9de6a3af12f 100644
--- a/htdocs/core/boxes/box_members_last_modified.php
+++ b/htdocs/core/boxes/box_members_last_modified.php
@@ -147,8 +147,8 @@ class box_members_last_modified extends ModeleBoxes
 );
 $this->info_box_contents[$line][] = array(
- 'td' => 'class="right"',
- 'text' => dol_print_date($datem, "day"),
+ 'td' => 'class="center nowraponall"',
+ 'text' => dol_print_date($datem, "day", 'tzuserrel'),
 );
 $this->info_box_contents[$line][] = array(
diff --git a/htdocs/core/boxes/box_members_last_subscriptions.php b/htdocs/core/boxes/box_members_last_subscriptions.php
index e08bc1073b6..3cea44c2dc3 100644
--- a/htdocs/core/boxes/box_members_last_subscriptions.php
+++ b/htdocs/core/boxes/box_members_last_subscriptions.php
@@ -158,7 +158,7 @@ class box_members_last_subscriptions extends ModeleBoxes
 $this->info_box_contents[$line][] = array(
 'td' => 'class="right tdoverflowmax150 maxwidth150onsmartphone"',
- 'text' => dol_print_date($this->db->jdate($obj->datem ? $obj->datem : $obj->datec), 'dayhour'),
+ 'text' => dol_print_date($this->db->jdate($obj->datem ? $obj->datem : $obj->datec), 'dayhour', 'tzuserrel'),
 );
 $line++;
diff --git a/htdocs/core/boxes/box_members_subscriptions_by_year.php b/htdocs/core/boxes/box_members_subscriptions_by_year.php
index b6c146312bc..be835511c6b 100644
--- a/htdocs/core/boxes/box_members_subscriptions_by_year.php
+++ b/htdocs/core/boxes/box_members_subscriptions_by_year.php
@@ -111,7 +111,7 @@ class box_members_subscriptions_by_year extends ModeleBoxes
 $i = 0;
 while ($i < $num) {
 $objp = $this->db->fetch_object($result);
- $year = dol_print_date($this->db->jdate($objp->dateh), "%Y");
+ $year = dol_print_date($this->db->jdate($objp->dateh), "%Y", 'gmt');
 $Total[$year] = (isset($Total[$year]) ? $Total[$year] : 0) + $objp->subscription;
 $Number[$year] = (isset($Number[$year]) ? $Number[$year] : 0) + 1;
 $tot += $objp->subscription;
diff --git a/htdocs/core/boxes/box_mos.php b/htdocs/core/boxes/box_mos.php
index b12506147bf..43d1cd411e4 100644
--- a/htdocs/core/boxes/box_mos.php
+++ b/htdocs/core/boxes/box_mos.php
@@ -138,8 +138,8 @@ class box_mos extends ModeleBoxes
 }
 $this->info_box_contents[$line][] = array(
- 'td' => 'class="right"',
- 'text' => dol_print_date($datem, 'day'),
+ 'td' => 'class="center nowraponall"',
+ 'text' => dol_print_date($datem, 'day', 'tzuserrel'),
 );
 $this->info_box_contents[$line][] = array(
diff --git a/htdocs/core/boxes/box_produits.php b/htdocs/core/boxes/box_produits.php
index 44333683000..dde3b685d25 100644
--- a/htdocs/core/boxes/box_produits.php
+++ b/htdocs/core/boxes/box_produits.php
@@ -190,8 +190,8 @@ class box_produits extends ModeleBoxes
 );
 $this->info_box_contents[$line][] = array(
- 'td' => 'class="right"',
- 'text' => dol_print_date($datem, 'day'),
+ 'td' => 'class="center nowraponall"',
+ 'text' => dol_print_date($datem, 'day', 'tzuserrel'),
 );
 $this->info_box_contents[$line][] = array(
diff --git a/htdocs/core/boxes/box_propales.php b/htdocs/core/boxes/box_propales.php
index d876dad67d0..9c6376351e7 100644
--- a/htdocs/core/boxes/box_propales.php
+++ b/htdocs/core/boxes/box_propales.php
@@ -165,8 +165,8 @@ class box_propales extends ModeleBoxes
 );
 $this->info_box_contents[$line][] = array(
- 'td' => 'class="right"',
- 'text' => dol_print_date($date, 'day'),
+ 'td' => 'class="center nowraponall"',
+ 'text' => dol_print_date($date, 'day', 'tzuserrel'),
 );
 $this->info_box_contents[$line][] = array(
diff --git a/htdocs/core/boxes/box_prospect.php b/htdocs/core/boxes/box_prospect.php
index ea550b9d856..a8959202082 100644
--- a/htdocs/core/boxes/box_prospect.php
+++ b/htdocs/core/boxes/box_prospect.php
@@ -135,8 +135,8 @@ class box_prospect extends ModeleBoxes
 );
 $this->info_box_contents[$line][] = array(
- 'td' => 'class="right"',
- 'text' => dol_print_date($datem, "day"),
+ 'td' => 'class="center nowraponall"',
+ 'text' => dol_print_date($datem, "day", 'tzuserrel'),
 );
 $this->info_box_contents[$line][] = array(
diff --git a/htdocs/core/boxes/box_scheduled_jobs.php b/htdocs/core/boxes/box_scheduled_jobs.php
index 04ba2944c75..793b0cc8c79 100644
--- a/htdocs/core/boxes/box_scheduled_jobs.php
+++ b/htdocs/core/boxes/box_scheduled_jobs.php
@@ -156,7 +156,7 @@ class box_scheduled_jobs extends ModeleBoxes
 );
 $this->info_box_contents[$line][] = array(
 'td' => 'class="right"',
- 'textnoformat' => (empty($resultarray[$line][2]) ? '' : $form->textwithpicto(dol_print_date($resultarray[$line][2], "dayhoursec"), $langs->trans("CurrentTimeZone")))
+ 'textnoformat' => (empty($resultarray[$line][2]) ? '' : $form->textwithpicto(dol_print_date($resultarray[$line][2], "dayhoursec", 'tzserver'), $langs->trans("CurrentTimeZone")))
 );
 $this->info_box_contents[$line][] = array(
 'td' => 'class="center" ',
diff --git a/htdocs/core/boxes/box_services_contracts.php b/htdocs/core/boxes/box_services_contracts.php
index b6eb51826cc..98e2b82bb37 100644
--- a/htdocs/core/boxes/box_services_contracts.php
+++ b/htdocs/core/boxes/box_services_contracts.php
@@ -200,8 +200,8 @@ class box_services_contracts extends ModeleBoxes
 );
 $this->info_box_contents[$i][] = array(
- 'td' => '',
- 'text' => dol_print_date($datem, 'day'),
+ 'td' => 'class="center nowraponall"',
+ 'text' => dol_print_date($datem, 'day', 'tzuserrel'),
 'text2'=> $late,
 );
diff --git a/htdocs/core/boxes/box_services_expired.php b/htdocs/core/boxes/box_services_expired.php
index 724eb9baebf..75cc1cde413 100644
--- a/htdocs/core/boxes/box_services_expired.php
+++ b/htdocs/core/boxes/box_services_expired.php
@@ -152,7 +152,7 @@ class box_services_expired extends ModeleBoxes
 $this->info_box_contents[$i][] = array(
 'td' => 'class="center nowraponall"',
- 'text' => dol_print_date($dateline, 'day'),
+ 'text' => dol_print_date($dateline, 'day', 'tzuserrel'),
 'text2'=> $late,
 );
diff --git a/htdocs/core/boxes/box_supplier_orders.php b/htdocs/core/boxes/box_supplier_orders.php
index 235e7a8e72a..0c2b97ce6b5 100644
--- a/htdocs/core/boxes/box_supplier_orders.php
+++ b/htdocs/core/boxes/box_supplier_orders.php
@@ -153,7 +153,7 @@ class box_supplier_orders extends ModeleBoxes
 $this->info_box_contents[$line][] = array(
 'td' => 'class="right"',
- 'text' => dol_print_date($date, 'day'),
+ 'text' => dol_print_date($date, 'day', 'tzuserrel'),
 );
 $this->info_box_contents[$line][] = array(
diff --git a/htdocs/core/boxes/box_supplier_orders_awaiting_reception.php b/htdocs/core/boxes/box_supplier_orders_awaiting_reception.php
index 1a8cec07155..04dabbd0ff3 100644
--- a/htdocs/core/boxes/box_supplier_orders_awaiting_reception.php
+++ b/htdocs/core/boxes/box_supplier_orders_awaiting_reception.php
@@ -161,7 +161,7 @@ class box_supplier_orders_awaiting_reception extends ModeleBoxes
 $this->info_box_contents[$line][] = array(
 'td' => 'class="right"',
- 'text' => $delayIcon.' '.dol_print_date($delivery_date, 'day').'',
+ 'text' => $delayIcon.' '.dol_print_date($delivery_date, 'day', 'tzuserrel').'',
 'asis' => 1
 );
From fedf7645b1184d4748218e1e805f62052b201c49 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 25 May 2021 12:02:33 +0200
Subject: [PATCH 26/34] Fix regression, can't reset parent company.
---
 htdocs/societe/card.php | 2 +-
 htdocs/societe/class/societe.class.php | 43 ++++++++++++++------------
 2 files changed, 24 insertions(+), 21 deletions(-)
diff --git a/htdocs/societe/card.php b/htdocs/societe/card.php
index 3d03a97a59f..1165d6a9fd7 100644
--- a/htdocs/societe/card.php
+++ b/htdocs/societe/card.php
@@ -852,7 +852,7 @@ if (empty($reshook)) {
 // Set parent company
 if ($action == 'set_thirdparty' && $user->rights->societe->creer) {
 $object->fetch($socid);
- $result = $object->set_parent(GETPOST('parent_id', 'int'));
+ $result = $object->setParent(GETPOST('parent_id', 'int'));
 }
 // Set sales representatives
diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php
index 8a8dea9f7e3..e2eba54b489 100644
--- a/htdocs/societe/class/societe.class.php
+++ b/htdocs/societe/class/societe.class.php
@@ -3321,34 +3321,37 @@ class Societe extends CommonObject
 }
 }
- // phpcs:disable PEAR.NamingConventions.ValidFunctionName.ScopeNotCamelCaps
 /**
 * Define parent commany of current company
 *
 * @param int $id Id of thirdparty to set or '' to remove
 * @return int <0 if KO, >0 if OK
 */
- public function set_parent($id)
+ public function setParent($id)
 {
- // phpcs:enable
 if ($this->id) {
 // Check if the id we want to add as parent has not already one parent that is the current id we try to update
- $sameparent = $this->validateFamilyTree($id, $this->id, 0);
- if ($sameparent < 0) {
- return -1;
- } elseif ($sameparent == 1) {
- setEventMessages('ParentCompanyToAddIsAlreadyAChildOfModifiedCompany', null, 'warnings');
- return -1;
- } else {
- $sql = 'UPDATE '.MAIN_DB_PREFIX.'societe SET parent = '.($id > 0 ? $id : 'null').' WHERE rowid = '.((int) $this->id);
- dol_syslog(get_class($this).'::set_parent', LOG_DEBUG);
- $resql = $this->db->query($sql);
- if ($resql) {
- $this->parent = $id;
- return 1;
- } else {
+ if ($id > 0) {
+ $sameparent = $this->validateFamilyTree($id, $this->id, 0);
+ if ($sameparent < 0) {
 return -1;
 }
+ if ($sameparent == 1) {
+ setEventMessages('ParentCompanyToAddIsAlreadyAChildOfModifiedCompany', null, 'warnings');
+ return -1;
+ }
+ }
+
+ dol_syslog(get_class($this).'::setParent', LOG_DEBUG);
+
+ $sql = 'UPDATE '.MAIN_DB_PREFIX.'societe SET parent = '.($id > 0 ? $id : 'null').' WHERE rowid = '.((int) $this->id);
+
+ $resql = $this->db->query($sql);
+ if ($resql) {
+ $this->parent = $id;
+ return 1;
+ } else {
+ return -1;
 }
 } else {
 return -1;
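Review bot: `$id` is concatenated into the UPDATE unescaped: `($id > 0 ? $id : 'null')` only establishes that the value compares greater than zero under PHP's loose comparison, not that it is an integer, so a non-integer string that passes that comparison would be interpolated as-is; the caller in card.php sanitizes with `GETPOST(..., 'int')`, but the method is public and should cast itself, `$sql = 'UPDATE '.MAIN_DB_PREFIX.'societe SET parent = '.($id > 0 ? ((int) $id) : 'null').' WHERE rowid = '.((int) $this->id);`, and the same uncast interpolation remains in `validateFamilyTree` (`' WHERE rowid = '.$idparent`) in the next hunk. Renaming `set_parent` to `setParent` without a deprecated wrapper also breaks any external module calling the old name; a one-line `public function set_parent($id) { return $this->setParent($id); }` alias would keep them working. `$this->parent = $id;` stores the raw argument, so after a reset the property holds `''` rather than the `null` written to the database.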
@@ -3369,9 +3372,9 @@ class Societe extends CommonObject
 dol_syslog("Too high level of parent - child for company. May be an infinite loop ?", LOG_WARNING);
 }
- $sql = 'SELECT s.parent';
- $sql .= ' FROM '.MAIN_DB_PREFIX.'societe as s';
- $sql .= ' WHERE rowid = '.$idparent;
+ $sql = 'SELECT s.parent';
+ $sql .= ' FROM '.MAIN_DB_PREFIX.'societe as s';
+ $sql .= ' WHERE rowid = '.$idparent;
 $resql = $this->db->query($sql);
 if ($resql) {
 $obj = $this->db->fetch_object($resql);
From 857be16e1294c3ed2e7f5e624bcc838969dff565 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 25 May 2021 12:03:38 +0200
Subject: [PATCH 27/34] Log
---
 htdocs/societe/class/societe.class.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php
index e2eba54b489..7554ad2fbe2 100644
--- a/htdocs/societe/class/societe.class.php
+++ b/htdocs/societe/class/societe.class.php
@@ -3329,6 +3329,8 @@ class Societe extends CommonObject
 */
 public function setParent($id)
 {
+ dol_syslog(get_class($this).'::setParent', LOG_DEBUG);
+
 if ($this->id) {
 // Check if the id we want to add as parent has not already one parent that is the current id we try to update
 if ($id > 0) {
@@ -3342,8 +3344,6 @@ class Societe extends CommonObject
 }
 }
- dol_syslog(get_class($this).'::setParent', LOG_DEBUG);
-
 $sql = 'UPDATE '.MAIN_DB_PREFIX.'societe SET parent = '.($id > 0 ? $id : 'null').' WHERE rowid = '.((int) $this->id);
 $resql = $this->db->query($sql);
From fb6aea72b837ec464c059b9fbdafc4d799496e8d Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 25 May 2021 12:06:29 +0200
Subject: [PATCH 28/34] Fix syntax error
---
 htdocs/fourn/class/fournisseur.facture.class.php | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/htdocs/fourn/class/fournisseur.facture.class.php b/htdocs/fourn/class/fournisseur.facture.class.php
index 8586e0fc623..637f29e87b8 100644
--- a/htdocs/fourn/class/fournisseur.facture.class.php
+++ b/htdocs/fourn/class/fournisseur.facture.class.php
@@ -1361,7 +1361,7 @@ class FactureFournisseur extends CommonInvoice
 }
 $sql .= ', fk_user_closing = '.$user->id;
 $sql .= ", date_closing = '".$this->db->idate($now)."'";
- $sql .= ' WHERE rowid = '.$this->id;
+ $sql .= ' WHERE rowid = '.((int) $this->id);
 $resql = $this->db->query($sql);
 if ($resql) {
@@ -1417,18 +1417,17 @@ class FactureFournisseur extends CommonInvoice
 */
 public function setUnpaid($user)
 {
- global $conf, $langs;
 $error = 0;
 $this->db->begin();
 $sql = 'UPDATE '.MAIN_DB_PREFIX.'facture_fourn';
- $sql .= ' SET paye=0, fk_statut='.self::STATUS_VALIDATED.', close_code=null, close_note=null';
+ $sql .= ' SET paye=0, fk_statut='.self::STATUS_VALIDATED.', close_code=null, close_note=null,';
 $sql .= ' date_closing=null,';
 $sql .= ' fk_user_closing=null';
- $sql .= ' WHERE rowid = '.$this->id;
+ $sql .= ' WHERE rowid = '.((int) $this->id);
- dol_syslog("FactureFournisseur::set_unpaid", LOG_DEBUG);
+ dol_syslog(get_class($this)."::set_unpaid", LOG_DEBUG);
 $resql = $this->db->query($sql);
 if ($resql) {
 // Call trigger
From a840afa72a33e80cb1b83802905c17fdfe6668e0 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 25 May 2021 15:24:28 +0200
Subject: [PATCH 29/34] Fix missing entry into table
---
 htdocs/install/mysql/data/llx_accounting_abc.sql | 6 +++---
 htdocs/install/mysql/migration/13.0.0-14.0.0.sql | 5 +++++
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/htdocs/install/mysql/data/llx_accounting_abc.sql b/htdocs/install/mysql/data/llx_accounting_abc.sql
index 3c178f7c70d..806d084ce85 100644
--- a/htdocs/install/mysql/data/llx_accounting_abc.sql
+++ b/htdocs/install/mysql/data/llx_accounting_abc.sql
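Review bot: The first hunk casts `$this->id` but leaves `$sql .= ', fk_user_closing = '.$user->id;` two lines above uncast, so the statement still depends on `$user->id` being a clean integer; `$sql .= ', fk_user_closing = '.((int) $user->id);` makes the whole statement consistent with the fix. The enclosing method starts and ends outside the hunk.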
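Review bot: In `setUnpaid` the log label still reads `set_unpaid` after the method was renamed, so log searches for the method name miss it; `dol_syslog(get_class($this)."::setUnpaid", LOG_DEBUG);` keeps them aligned. Removing `global $conf, $langs;` is only safe if the rest of the method, which continues outside the hunk (the trigger call and the error path), no longer references either variable — worth a grep before merging, since a leftover use would become an undefined variable at runtime rather than a syntax error.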
@@ -174,10 +174,10 @@ INSERT INTO llx_accounting_system (fk_country, pcg_version, label, active) VALUE
 INSERT INTO llx_accounting_system (fk_country, pcg_version, label, active) VALUES ( 15,'SYSCOHADA-TG', 'Plan comptable Ouest-Africain', 1);
 -- Description of chart of account USA US-BASE
-INSERT INTO llx_accounting_system (fk_country, pcg_version, label, active) VALUES ( 11, 'US-BASE', 'USA basic chart of accounts', 1);
+INSERT INTO llx_accounting_system (fk_country, pcg_version, label, active) VALUES ( 11, 'US-BASE', 'USA basic chart of accounts', 1);
 -- Description of chart of account Canada CA-ENG-BASE
-INSERT INTO llx_accounting_system (fk_country, pcg_version, label, active) VALUES ( 14, 'CA-ENG-BASE', 'Canadian basic chart of accounts - English', 1);
+INSERT INTO llx_accounting_system (fk_country, pcg_version, label, active) VALUES ( 14, 'CA-ENG-BASE', 'Canadian basic chart of accounts - English', 1);
 -- Description of chart of account Mexico SAT/24-2019
-INSERT INTO llx_accounting_system (fk_country, pcg_version, label, active) VALUES ( 154, 'SAT/24-2019', 'Catalogo y codigo agrupador fiscal del 2019', 1);
+INSERT INTO llx_accounting_system (fk_country, pcg_version, label, active) VALUES ( 154, 'SAT/24-2019', 'Catalogo y codigo agrupador fiscal del 2019', 1);
diff --git a/htdocs/install/mysql/migration/13.0.0-14.0.0.sql b/htdocs/install/mysql/migration/13.0.0-14.0.0.sql
index b95ea30f8fb..c9736e429c4 100644
--- a/htdocs/install/mysql/migration/13.0.0-14.0.0.sql
+++ b/htdocs/install/mysql/migration/13.0.0-14.0.0.sql
@@ -62,6 +62,11 @@ UPDATE llx_c_country SET eec = 1 WHERE code IN ('AT','BE','BG','CY','CZ','DE','D ALTER TABLE llx_export_model MODIFY COLUMN type varchar(64); +INSERT INTO llx_accounting_system (fk_country, pcg_version, label, active) VALUES ( 11, 'US-BASE', 'USA basic chart of accounts', 1); +INSERT INTO llx_accounting_system (fk_country, pcg_version, label, active) VALUES ( 14, 'CA-ENG-BASE', 'Canadian basic chart of accounts - English', 1); +INSERT INTO llx_accounting_system (fk_country, pcg_version, label, active) VALUES ( 154, 'SAT/24-2019', 'Catalogo y codigo agrupador fiscal del 2019', 1); + + -- For v14 ALTER TABLE llx_product_lot ADD COLUMN eol_date datetime NULL; From d18fc6ca3c9e859be79f7d99bb6522fc37e35d46 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 25 May 2021 15:38:12 +0200 Subject: [PATCH 30/34] Fix init --- htdocs/accountancy/admin/accountmodel.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/htdocs/accountancy/admin/accountmodel.php b/htdocs/accountancy/admin/accountmodel.php index f0fd9702009..0f4d538cfac 100644 --- a/htdocs/accountancy/admin/accountmodel.php +++ b/htdocs/accountancy/admin/accountmodel.php @@ -609,10 +609,12 @@ if ($id) { print ''; if ($num) { + $i = 0; // Lines with values while ($i < $num) { $obj = $db->fetch_object($resql); //print_r($obj); + print ''; if ($action == 'edit' && ($rowid == (!empty($obj->rowid) ? $obj->rowid : $obj->code))) { print '
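Review bot: The three `INSERT INTO llx_accounting_system ...` statements run unconditionally, so on a database where these rows already exist (the same rows live in `llx_accounting_abc.sql`, which the first hunk of this commit also touches) the migration either fails or creates duplicate chart-of-account entries, depending on whether the table has a unique key on `pcg_version` and on how the upgrade runner treats duplicate-key errors. If the runner does not already tolerate that error, each row should be guarded, e.g. with an `INSERT ... SELECT ... WHERE NOT EXISTS (SELECT 1 FROM llx_accounting_system WHERE pcg_version = 'US-BASE')` form, or the intent documented with `-- Rows added in v14; safe to re-run only if pcg_version is unique`. The two empty lines added after the block are harmless but unusual for this file.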
'; @@ -708,6 +710,7 @@ if ($id) { print "\n"; } + $i++; } } From b9de8561a9732773a4ea27f7fec888683db02ee8 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 25 May 2021 15:59:36 +0200 Subject: [PATCH 31/34] Fix regression --- htdocs/core/lib/functions.lib.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index eab810692c6..45d1bdca12e 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -6877,6 +6877,8 @@ function getCommonSubstitutionArray($outputlangs, $onlykey = 0, $exclude = null, $substitutionarray['__DATE_DELIVERY_SS__'] = (isset($object->date_livraison) ? dol_print_date($object->date_livraison, "%S") : ''); // For backward compatibility + $substitutionarray['__REFCLIENT__'] = (isset($object->ref_client) ? $object->ref_client : (isset($object->ref_customer) ? $object->ref_customer : null)); + $substitutionarray['__REFSUPPLIER__'] = (isset($object->ref_supplier) ? $object->ref_supplier : null); $substitutionarray['__SUPPLIER_ORDER_DATE_DELIVERY__'] = (isset($object->date_livraison) ? dol_print_date($object->date_livraison, 'day', 0, $outputlangs) : ''); $substitutionarray['__SUPPLIER_ORDER_DELAY_DELIVERY__'] = (isset($object->availability_code) ? ($outputlangs->transnoentities("AvailabilityType".$object->availability_code) != ('AvailabilityType'.$object->availability_code) ? $outputlangs->transnoentities("AvailabilityType".$object->availability_code) : $outputlangs->convToOutputCharset(isset($object->availability) ? $object->availability : '')) : ''); From 263f1c8101df8279bb50e7e4be03150edd169143 Mon Sep 17 00:00:00 2001 From: lmarcouiller Date: Tue, 25 May 2021 17:26:56 +0200 Subject: [PATCH 32/34] Fix #11882 : fix of module opensurvey for datesurvey --- htdocs/opensurvey/results.php | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) 
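Review bot: The `print '…';` added just before the `if ($action == 'edit' && ...)` check prints nothing, or only a line break, as rendered here; if it was meant to open the table row and the markup was lost in extraction it needs the actual row tag, otherwise the line should be dropped. The `$i = 0;` initialisation in this hunk and the `$i++;` added in the second hunk (new line 710) are the real fix, since without the increment `while ($i < $num)` never terminates; a one-line comment such as `// Row counter for the while loop below; incremented at the end of each iteration` would make the pairing visible to the next reader. The loop body between the two hunks is outside this view.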
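Review bot: The two new substitution entries fall back to `null`, whereas every neighbouring key in this array (`__DATE_DELIVERY_SS__`, `__SUPPLIER_ORDER_DATE_DELIVERY__`, `__SUPPLIER_ORDER_DELAY_DELIVERY__`) falls back to `''`; a `null` value reaches the substitution step, where it is either silently rendered as an empty string or, on PHP 8.1+, may raise a deprecation when handed to string functions, so the fallback is better kept consistent: `$substitutionarray['__REFCLIENT__'] = (isset($object->ref_client) ? $object->ref_client : (isset($object->ref_customer) ? $object->ref_customer : ''));` and `$substitutionarray['__REFSUPPLIER__'] = (isset($object->ref_supplier) ? $object->ref_supplier : '');`. If `null` is deliberately used so callers can tell "absent" from "empty", a short comment saying so next to the two lines would stop the next maintainer from normalising it. getCommonSubstitutionArray starts and ends outside the hunk.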
diff --git a/htdocs/opensurvey/results.php b/htdocs/opensurvey/results.php
index 6d12259a39f..1c7a98739d7 100644
--- a/htdocs/opensurvey/results.php
+++ b/htdocs/opensurvey/results.php
@@ -251,7 +251,40 @@ if (GETPOSTISSET("ajoutercolonne") && $object->format == "D") {
 header('Location: results.php?id='.$object->id_sondage);
 }
 }
-
+ if ($cleinsertion >= 0) {
+ $sql = 'SELECT s.reponses';
+ $sql .= " FROM ".MAIN_DB_PREFIX."opensurvey_user_studs as s";
+ $sql .= " WHERE id_sondage = '".$db->escape($numsondage)."'";
+ $resql = $db->query($sql);
+ if (!$resql) {
+ dol_print_error($db);
+ } else {
+ $num = $db->num_rows($resql);
+ $compteur = 0;
+ while ($compteur < $num) {
+ $obj = $db->fetch_object($resql);
+ $sql = 'UPDATE '.MAIN_DB_PREFIX."opensurvey_user_studs";
+ if ($cleinsertion == 0) {
+ $sql .= " SET reponses = '0".$db->escape($obj->reponses)."'";
+ } else {
+ $reponsesadd = str_split($obj->reponses);
+ $lengthresponses = count($reponsesadd);
+ for ($cpt = $lengthresponses; $cpt > $cleinsertion; $cpt--) {
+ $reponsesadd[$cpt] = $reponsesadd[$cpt-1];
+ }
+ $reponsesadd[$cleinsertion] = '0';
+ $reponsesadd = implode($reponsesadd);
+ $sql .= " SET reponses = '".$db->escape($reponsesadd)."'";
+ }
+ $sql .= " WHERE id_sondage = '".$db->escape($numsondage)."'";
+ $resql = $db->query($sql);
+ if (!$resql) {
+ dol_print_error($db);
+ }
+ $compteur++;
+ }
+ }
+ }
 $adresseadmin = $object->mail_admin;
 } else {
 $erreur_ajout_date = "yes";
From daababb97f3ae56e255e82cf6dd6f83e47b69e21 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 25 May 2021 19:39:06 +0200
Subject: [PATCH 33/34] Update index.php

---
 htdocs/takepos/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/takepos/index.php b/htdocs/takepos/index.php
index 26a62e36d6e..d51fd21279e 100644
--- a/htdocs/takepos/index.php
+++ b/htdocs/takepos/index.php
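Review bot: Every `UPDATE` issued inside the `while ($compteur < $num)` loop is keyed only on `id_sondage`, so each iteration rewrites the `reponses` column of every participant row of the survey with the current row's value; when the loop ends all participants hold the last-fetched answers, each with one extra '0'. The SELECT needs to fetch the row's primary key as well (`id_users`, if that is the key column of llx_opensurvey_user_studs; verify against the table definition) and the UPDATE must filter on it. The loop also stores the UPDATE result in `$resql`, the same variable the `$db->fetch_object($resql)` at the top of the loop reads, so from the second iteration onward `fetch_object` is called on the UPDATE's result instead of the SELECT cursor. Both problems go away by selecting the key and giving the inner statement its own variables, as below; the rest of the hunk (the `$adresseadmin`/`$erreur_ajout_date` lines) is unchanged.
```php
if ($cleinsertion >= 0) {
    $sql = 'SELECT s.id_users, s.reponses';
    $sql .= " FROM ".MAIN_DB_PREFIX."opensurvey_user_studs as s";
    $sql .= " WHERE id_sondage = '".$db->escape($numsondage)."'";
    $resql = $db->query($sql);
    if (!$resql) {
        dol_print_error($db);
    } else {
        $num = $db->num_rows($resql);
        $compteur = 0;
        while ($compteur < $num) {
            $obj = $db->fetch_object($resql);
            if ($cleinsertion == 0) {
                $newreponses = '0'.$obj->reponses;
            } else {
                // … unchanged: build $reponsesadd with '0' inserted at index $cleinsertion …
                $newreponses = implode($reponsesadd);
            }
            // Own statement and result variables: $resql is still the SELECT cursor being walked
            $sqlupdate = 'UPDATE '.MAIN_DB_PREFIX."opensurvey_user_studs";
            $sqlupdate .= " SET reponses = '".$db->escape($newreponses)."'";
            $sqlupdate .= " WHERE id_users = ".((int) $obj->id_users);
            $resqlupdate = $db->query($sqlupdate);
            if (!$resqlupdate) {
                dol_print_error($db);
            }
            $compteur++;
        }
    }
}
```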
@@ -566,7 +566,7 @@ function Search2(keyCodeForEnter) { $("#prodesc" + i).text(data[i]['label']); $("#prodivdesc" + i).show(); $("#probutton" + i).text(data[i]['label']); - $("#probutton" + i).show();; + $("#probutton" + i).show(); if (data[i]['price_formated']) { $("#proprice" + i).attr("class", "productprice"); $("#proprice" + i).html(data[i]['price_formated']); From 708deaac00673e7302f489d5c704d5ea96e784e3 Mon Sep 17 00:00:00 2001 From: stickler-ci Date: Tue, 25 May 2021 17:47:28 +0000 Subject: [PATCH 34/34] Fixing style errors. --- htdocs/contrat/list.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/contrat/list.php b/htdocs/contrat/list.php index 918bd4c256a..19a040bf091 100644 --- a/htdocs/contrat/list.php +++ b/htdocs/contrat/list.php @@ -290,10 +290,10 @@ if (!empty($search_ref_supplier)) { $sql .= natural_search(array('c.ref_supplier'), $search_ref_supplier); } if ($search_zip) { - $sql .= natural_search(array('s.zip'), $search_zip); + $sql .= natural_search(array('s.zip'), $search_zip); } if ($search_town) { - $sql .= natural_search(array('s.town'), $search_town); + $sql .= natural_search(array('s.town'), $search_town); } if ($search_sale > 0) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$search_sale;