From 235817c58132e81e4254d90ba8b88ab4151bef71 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 17 Oct 2017 12:02:58 +0200 Subject: [PATCH 1/4] Fix missing default limit --- .../societe/class/api_thirdparties.class.php | 74 +++++++++---------- 1 file changed, 37 insertions(+), 37 deletions(-) diff --git a/htdocs/societe/class/api_thirdparties.class.php b/htdocs/societe/class/api_thirdparties.class.php index 24cf991da52..292288d9015 100644 --- a/htdocs/societe/class/api_thirdparties.class.php +++ b/htdocs/societe/class/api_thirdparties.class.php @@ -21,15 +21,15 @@ /** * API class for thirdparties * - * @access protected + * @access protected * @class DolibarrApiAccess {@requires user,external} - * + * */ class Thirdparties extends DolibarrApi { /** * - * @var array $FIELDS Mandatory fields, checked when create and update object + * @var array $FIELDS Mandatory fields, checked when create and update object */ static $FIELDS = array( 'name' @@ -48,7 +48,7 @@ class Thirdparties extends DolibarrApi global $db, $conf; $this->db = $db; $this->company = new Societe($this->db); - + if (! empty($conf->global->SOCIETE_MAIL_REQUIRED)) { static::$FIELDS[] = 'email'; } @@ -61,20 +61,20 @@ class Thirdparties extends DolibarrApi * * @param int $id ID of thirdparty * @return array|mixed data without useless information - * + * * @throws RestException */ function get($id) - { + { if(! DolibarrApiAccess::$user->rights->societe->lire) { throw new RestException(401); } - + $result = $this->company->fetch($id); if( ! $result ) { throw new RestException(404, 'Thirdparty not found'); } - + if( ! DolibarrApi::_checkAccessToResource('societe',$this->company->id)) { throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login); } @@ -84,27 +84,27 @@ class Thirdparties extends DolibarrApi /** * List thirdparties - * + * * Get a list of thirdparties - * + * * @param string $sortfield Sort field * @param string $sortorder Sort order * @param int $limit Limit for list * @param int $page Page number - * @param int $mode Set to 1 to show only customers + * @param int $mode Set to 1 to show only customers * Set to 2 to show only prospects * Set to 3 to show only those are not customer neither prospect - * @param string $sqlfilters Other criteria to filter answers separated by a comma. Syntax example "(t.ref:like:'SO-%') and (t.date_creation:<:'20160101')" + * @param string $sqlfilters Other criteria to filter answers separated by a comma. Syntax example "(t.nom:like:'TheCompany%') and (t.date_creation:<:'20160101')" * @return array Array of thirdparty objects */ - function index($sortfield = "t.rowid", $sortorder = 'ASC', $limit = 0, $page = 0, $mode=0, $sqlfilters = '') { + function index($sortfield = "t.rowid", $sortorder = 'ASC', $limit = 100, $page = 0, $mode=0, $sqlfilters = '') { global $db, $conf; - + $obj_ret = array(); - + // case of external user, we force socids $socids = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : ''; - + // If the internal user must only see his customers, force searching by him $search_sale = 0; if (! DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) $search_sale = DolibarrApiAccess::$user->id; @@ -112,7 +112,7 @@ class Thirdparties extends DolibarrApi $sql = "SELECT t.rowid"; if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) || $search_sale > 0) $sql .= ", sc.fk_soc, sc.fk_user"; // We need these fields in order to filter by sale (including the case where the user can only see his prospects) $sql.= " FROM ".MAIN_DB_PREFIX."societe as t"; - + if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) || $search_sale > 0) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; // We need this table joined to the select in order to filter by sale $sql.= ", ".MAIN_DB_PREFIX."c_stcomm as st"; $sql.= " WHERE t.fk_stcomm = st.id"; @@ -130,7 +130,7 @@ class Thirdparties extends DolibarrApi $sql .= " AND sc.fk_user = ".$search_sale; } // Add sql filters - if ($sqlfilters) + if ($sqlfilters) { if (! DolibarrApi::_checkFilters($sqlfilters)) { @@ -139,7 +139,7 @@ class Thirdparties extends DolibarrApi $regexstring='\(([^:\'\(\)]+:[^:\'\(\)]+:[^:\(\)]+)\)'; $sql.=" AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - + $sql.= $db->order($sortfield, $sortorder); if ($limit) { @@ -175,7 +175,7 @@ class Thirdparties extends DolibarrApi } return $obj_ret; } - + /** * Create thirdparty object * @@ -189,13 +189,13 @@ class Thirdparties extends DolibarrApi } // Check mandatory fields $result = $this->_validate($request_data); - + foreach($request_data as $field => $value) { $this->company->$field = $value; } if ($this->company->create(DolibarrApiAccess::$user) < 0) throw new RestException(500, 'Error creating thirdparty', array_merge(array($this->company->error), $this->company->errors)); - + return $this->company->id; } @@ -203,20 +203,20 @@ class Thirdparties extends DolibarrApi * Update thirdparty * * @param int $id Id of thirdparty to update - * @param array $request_data Datas - * @return int + * @param array $request_data Datas + * @return int */ function put($id, $request_data = NULL) { if(! DolibarrApiAccess::$user->rights->societe->creer) { throw new RestException(401); } - + $result = $this->company->fetch($id); if( ! $result ) { throw new RestException(404, 'Thirdparty not found'); } - + if( ! DolibarrApi::_checkAccessToResource('societe',$this->company->id)) { throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login); } @@ -225,13 +225,13 @@ class Thirdparties extends DolibarrApi if ($field == 'id') continue; $this->company->$field = $value; } - + if($this->company->update($id, DolibarrApiAccess::$user,1,'','','update')) return $this->get ($id); - + return false; } - + /** * Delete thirdparty * @@ -252,7 +252,7 @@ class Thirdparties extends DolibarrApi } return $this->company->delete($id); } - + /** * Get categories for a thirdparty * @@ -318,24 +318,24 @@ class Thirdparties extends DolibarrApi * @return array Array of cleaned object properties */ function _cleanObjectDatas($object) { - + $object = parent::_cleanObjectDatas($object); - + unset($object->total_ht); unset($object->total_tva); unset($object->total_localtax1); unset($object->total_localtax2); unset($object->total_ttc); - + return $object; - } - + } + /** * Validate fields before create or update object - * + * * @param array $data Datas to validate * @return array - * + * * @throws RestException */ function _validate($data) From aa1ff189e16efea6b774bb4abc0f2a047b4bdf7f Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 17 Oct 2017 12:58:26 +0200 Subject: [PATCH 2/4] Fix var not correctly initialized when using api + multicompany --- htdocs/core/lib/security.lib.php | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index 581c324674a..e799579b181 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php @@ -382,8 +382,12 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh $nocheck = array('barcode','stock','fournisseur'); // No test $checkdefault = 'all other not already defined'; // Test on entity and link to third party. Not allowed if link is empty (Ex: invoice, orders...). - // If dbtable not defined, we use same name for table than module name - if (empty($dbtablename)) $dbtablename = $feature; + // If dbtablename not defined, we use same name for table than module name + if (empty($dbtablename)) + { + $dbtablename = $feature; + $sharedelement = (! empty($params[1]) ? $params[1] : $dbtablename); // We change dbtablename, so we set sharedelement too. + } // Check permission for object with entity if (in_array($feature,$check)) From 000c1bddb22cb2e7ff8901e4597a93665b986d07 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Wed, 18 Oct 2017 11:12:59 +0200 Subject: [PATCH 3/4] Fix we lose the private not when closing proposal --- htdocs/comm/propal/card.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/htdocs/comm/propal/card.php b/htdocs/comm/propal/card.php index b603d1e6a17..057a0d1edfd 100644 --- a/htdocs/comm/propal/card.php +++ b/htdocs/comm/propal/card.php @@ -611,7 +611,8 @@ if (empty($reshook)) // prevent browser refresh from closing proposal several times if ($object->statut == Propal::STATUS_VALIDATED) { - $result=$object->cloture($user, GETPOST('statut'), GETPOST('note')); + $newprivatenote = dol_concatdesc($object->note_private, GETPOST('note_private','alpha')); + $result=$object->cloture($user, GETPOST('statut','int'), $newprivatenote); if ($result < 0) { setEventMessages($object->error, $object->errors, 'errors'); From b124c7f16d4a0a9b8080a53b0e5f060bff77148e Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Wed, 18 Oct 2017 11:15:54 +0200 Subject: [PATCH 4/4] Clean params --- htdocs/comm/propal/card.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/htdocs/comm/propal/card.php b/htdocs/comm/propal/card.php index 057a0d1edfd..7fb13234a94 100644 --- a/htdocs/comm/propal/card.php +++ b/htdocs/comm/propal/card.php @@ -611,8 +611,7 @@ if (empty($reshook)) // prevent browser refresh from closing proposal several times if ($object->statut == Propal::STATUS_VALIDATED) { - $newprivatenote = dol_concatdesc($object->note_private, GETPOST('note_private','alpha')); - $result=$object->cloture($user, GETPOST('statut','int'), $newprivatenote); + $result=$object->cloture($user, GETPOST('statut','int'), GETPOST('note','none')); if ($result < 0) { setEventMessages($object->error, $object->errors, 'errors');