FIX #19777 #20281

htdocs/compta/paiement/cheque/card.php

@@ -41,12 +41,7 @@ $ref = GETPOST('ref', 'alpha');
 $action = GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');
 
-// Security check
-$fieldname = (!empty($ref) ? 'ref' : 'rowid');
-if ($user->socid) {
-	$socid = $user->socid;
-}
-$result = restrictedArea($user, 'cheque', $id, 'bordereau_cheque', '', 'fk_user_author', $fieldname);
+$object = new RemiseCheque($db);
 
 $sortfield = GETPOST('sortfield', 'aZ09comma');
 $sortorder = GETPOST('sortorder', 'aZ09comma');
@@ -63,11 +58,22 @@ if (empty($page) || $page == -1) {
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
 $offset = $limit * $page;
 
-$dir = $conf->bank->dir_output.'/checkdeposits/';
+$upload_dir = $conf->bank->multidir_output[$object->entity ? $object->entity : $conf->entity]."/checkdeposits";
+
 $filterdate = dol_mktime(0, 0, 0, GETPOST('fdmonth'), GETPOST('fdday'), GETPOST('fdyear'));
 $filteraccountid = GETPOST('accountid', 'int');
 
-$object = new RemiseCheque($db);
+// Security check
+$fieldname = (!empty($ref) ? 'ref' : 'rowid');
+if ($user->socid) {
+	$socid = $user->socid;
+}
+$result = restrictedArea($user, 'cheque', $id, 'bordereau_cheque', '', 'fk_user_author', $fieldname);
+
+$usercanread = $user->rights->banque->cheque;
+$usercancreate = $user->rights->banque->cheque;
+$usercandelete = $user->rights->banque->cheque;
+
 
 
 /*
@@ -242,7 +248,9 @@ if ($action == 'builddoc' && $user->rights->banque->cheque) {
 
 		$langs->load("other");
 
-		$file = $dir.get_exdir($object->ref, 0, 1, 0, $object, 'cheque').GETPOST('file');
+		$filetodelete = GETPOST('file', 'alpha');
+		$file = $upload_dir.'/'.$filetodelete;
+
 		$ret = dol_delete_file($file, 0, 0, 0, $object);
 		if ($ret) {
 			setEventMessages($langs->trans("FileWasRemoved", GETPOST('file')), null, 'mesgs');
@@ -633,6 +641,12 @@ if ($action == 'new') {
 		$i = 1;
 		if ($num > 0) {
 			while ($objp = $db->fetch_object($resql)) {
+				$paymentstatic->id = $objp->pid;
+				$paymentstatic->ref = $objp->pref;
+
+				$accountlinestatic->id = $objp->rowid;
+				$accountlinestatic->ref = $objp->ref;
+
 				print '<tr class="oddeven">';
 				print '<td class="center">'.$i.'</td>';
 				print '<td class="center">'.dol_print_date($db->jdate($objp->date), 'day').'</td>'; // Operation date
@@ -642,8 +656,6 @@ if ($action == 'new') {
 				print '<td class="right"><span class="amount">'.price($objp->amount).'</span></td>';
 				// Link to payment
 				print '<td class="center">';
-				$paymentstatic->id = $objp->pid;
-				$paymentstatic->ref = $objp->pref;
 				if ($paymentstatic->id) {
 					print $paymentstatic->getNomUrl(1);
 				} else {
@@ -652,8 +664,6 @@ if ($action == 'new') {
 				print '</td>';
 				// Link to bank transaction
 				print '<td class="center">';
-				$accountlinestatic->id = $objp->rowid;
-				$accountlinestatic->ref = $objp->ref;
 				if ($accountlinestatic->id > 0) {
 					print $accountlinestatic->getNomUrl(1);
 				} else {
@@ -663,10 +673,10 @@ if ($action == 'new') {
 				// Action button
 				print '<td class="right">';
 				if ($object->statut == 0) {
-					print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=remove&amp;lineid='.$objp->rowid.'">'.img_delete().'</a>';
+					print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=remove&token='.newToken().'&lineid='.$objp->rowid.'">'.img_delete().'</a>';
 				}
 				if ($object->statut == 1 && $objp->statut != 2) {
-					print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=reject_check&amp;lineid='.$objp->rowid.'">'.img_picto($langs->trans("RejectCheck"), 'disable').'</a>';
+					print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=reject_check&token='.newToken().'&lineid='.$objp->rowid.'">'.img_picto($langs->trans("RejectCheck"), 'disable').'</a>';
 				}
 				if ($objp->statut == 2) {
 					print ' &nbsp; '.img_picto($langs->trans('CheckRejected'), 'statut8').'</a>';
@@ -722,11 +732,13 @@ print '</div>';
 
 if ($action != 'new') {
 	if ($object->statut == 1) {
-		$filename = dol_sanitizeFileName($object->ref);
-		$filedir = $dir.get_exdir($object->ref, 0, 1, 0, $object, 'checkdeposits');
+		// Documents
+		$objref = dol_sanitizeFileName($object->ref);
+		$filedir = $upload_dir.'/'.$objref;
 		$urlsource = $_SERVER["PHP_SELF"]."?id=".$object->id;
-
-		print $formfile->showdocuments('remisecheque', $filename, $filedir, $urlsource, 1, 1);
+		$genallowed = $usercancreate;
+		$delallowed = $usercandelete;
+		print $formfile->showdocuments('remisecheque', $objref, $filedir, $urlsource, $genallowed, $delallowed, $object->model_pdf, 1, 0, 0, 28, 0, '', '', '', $langs->defaultlang);
 
 		print '<br>';
 	}

htdocs/compta/paiement/cheque/class/remisecheque.class.php

@@ -615,6 +615,7 @@ class RemiseCheque extends CommonObject
 			// We save charset_output to restore it because write_file can change it if needed for
 			// output format that does not support UTF8.
 			$sav_charseSupprimert_output = $outputlangs->charset_output;
+
 			$result = $docmodel->write_file($this, $conf->bank->dir_output.'/checkdeposits', $this->ref, $outputlangs);
 			if ($result > 0) {
 				//$outputlangs->charset_output=$sav_charset_output;

htdocs/core/class/html.formfile.class.php

@@ -359,9 +359,9 @@ class FormFile
 	 *      Return a string to show the box with list of available documents for object.
 	 *      This also set the property $this->numoffiles
 	 *
-	 *      @param      string				$modulepart         Module the files are related to ('propal', 'facture', 'facture_fourn', 'mymodule', 'mymodule:myobject', 'mymodule_temp', ...)
-	 *      @param      string				$modulesubdir       Existing (so sanitized) sub-directory to scan (Example: '0/1/10', 'FA/DD/MM/YY/9999'). Use '' if file is not into subdir of module.
-	 *      @param      string				$filedir            Directory to scan
+	 *      @param      string				$modulepart         Module the files are related to ('propal', 'facture', 'facture_fourn', 'mymodule', 'mymodule:MyObject', 'mymodule_temp', ...)
+	 *      @param      string				$modulesubdir       Existing (so sanitized) sub-directory to scan (Example: '0/1/10', 'FA/DD/MM/YY/9999'). Use '' if file is not into a subdir of module.
+	 *      @param      string				$filedir            Directory to scan (must not end with a /). Example: '/mydolibarrdocuments/facture/FAYYMM-1234'
 	 *      @param      string				$urlsource          Url of origin page (for return)
 	 *      @param      int|string[]        $genallowed         Generation is allowed (1/0 or array list of templates)
 	 *      @param      int					$delallowed         Remove is allowed (1/0)

htdocs/core/modules/cheque/modules_chequereceipts.php

@@ -126,8 +126,7 @@ abstract class ModeleNumRefChequeReceipts
 }
 
 /**
- *	\class      ModeleChequeReceipts
- *	\brief      Classe mere des modeles de
+ *	Class parent for templates of document generation
  */
 abstract class ModeleChequeReceipts extends CommonDocGenerator
 {

htdocs/ecm/class/ecmfiles.class.php

@@ -327,7 +327,11 @@ class EcmFiles extends CommonObject
 		$resql = $this->db->query($sql);
 		if (!$resql) {
 			$error++;
-			$this->errors[] = 'Error '.$this->db->lasterror();
+			if ($this->db->lasterrno() == 'DB_ERROR_RECORD_ALREADY_EXISTS') {
+				$this->errors[] = 'Error DB_ERROR_RECORD_ALREADY_EXISTS : '.$this->db->lasterror();
+			} else {
+				$this->errors[] = 'Error '.$this->db->lasterror();
+			}
 			dol_syslog(__METHOD__.' '.implode(',', $this->errors), LOG_ERR);
 		}