From 3ebf64de63fa0257f54c1372d6157f2efa5a4daa Mon Sep 17 00:00:00 2001
From: marc
Date: Sun, 24 Jul 2022 11:57:42 +0200
Subject: [PATCH 1/7] Fix #21536 API Invoice Delete doesn't raise exception in some case
---
htdocs/compta/facture/class/api_invoices.class.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/compta/facture/class/api_invoices.class.php b/htdocs/compta/facture/class/api_invoices.class.php
index a864168d161..6948ae850c7 100644
--- a/htdocs/compta/facture/class/api_invoices.class.php
+++ b/htdocs/compta/facture/class/api_invoices.class.php
@@ -666,7 +666,7 @@ class Invoices extends DolibarrApi
}
$result = $this->invoice->delete(DolibarrApiAccess::$user);
- if ($result < 0) {
+ if ($result <= 0) {
throw new RestException(500, 'Error when deleting invoice');
}
From c31a924812fa490b17696c97fd28a13bbee14ecf Mon Sep 17 00:00:00 2001
From: marc
Date: Sun, 24 Jul 2022 16:50:08 +0200
Subject: [PATCH 2/7] The return code 0 is not an error but the serveur refuse to execute the request
---
htdocs/compta/facture/class/api_invoices.class.php | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/htdocs/compta/facture/class/api_invoices.class.php b/htdocs/compta/facture/class/api_invoices.class.php
index 6948ae850c7..285d9d366f7 100644
--- a/htdocs/compta/facture/class/api_invoices.class.php
+++ b/htdocs/compta/facture/class/api_invoices.class.php
@@ -666,8 +666,10 @@ class Invoices extends DolibarrApi
}
$result = $this->invoice->delete(DolibarrApiAccess::$user);
- if ($result <= 0) {
+ if ($result < 0) {
throw new RestException(500, 'Error when deleting invoice');
+ } elseif ($result == 0) {
+ throw new RestException(403, 'Invoice not erasable');
}
return array(
From 1e282aaded86daa2f706712557e4e34ab0824bdd Mon Sep 17 00:00:00 2001
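Review bot: The `} elseif ($result == 0) {` branch added to api_invoices.class.php in patch 2/7 depends on a convention the code does not state: per the commit message, `delete()` returns 0 when it declines to delete the invoice. A comment on that branch such as `// delete() returned 0: nothing was deleted because the invoice is not in an erasable state` would make the 403 understandable. It should also say that the loose `==` is intentional, since with it a `null` or `false` return also ends in an exception rather than reaching the success array. The method's docblock lies outside the hunk and should gain a `@throws RestException 403` line so API clients can tell a refusal from the 500 failure path.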
From: lmarcouiller
Date: Mon, 25 Jul 2022 10:49:19 +0200
Subject: [PATCH 3/7] FIX : js injection in stockmovement.php
---
htdocs/product/stock/massstockmove.php | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/htdocs/product/stock/massstockmove.php b/htdocs/product/stock/massstockmove.php
index 85848942fbe..b2276befd63 100644
--- a/htdocs/product/stock/massstockmove.php
+++ b/htdocs/product/stock/massstockmove.php
@@ -336,11 +336,11 @@ if ($action == 'importCSV' && !empty($user->rights->stock->mouvement->creer)) {
continue;
}
//var_dump($data);
- $tmp_id_sw = $data[$i][0]['val'];
- $tmp_id_tw = $data[$i][1]['val'];
- $tmp_id_product = $data[$i][2]['val'];
- $tmp_qty = $data[$i][3]['val'];
- $tmp_batch = $data[$i][4]['val'];
+ $tmp_id_sw = dol_escape_htmltag($data[$i][0]['val']);
+ $tmp_id_tw = dol_escape_htmltag($data[$i][1]['val']);
+ $tmp_id_product = dol_escape_htmltag($data[$i][2]['val']);
+ $tmp_qty = dol_escape_htmltag($data[$i][3]['val']);
+ $tmp_batch = dol_escape_htmltag($data[$i][4]['val']);
if (!is_numeric($tmp_id_product)) {
$result = fetchref($productstatic, $tmp_id_product);
From eb463341b47c201881e353352aaa997ef2a4e2b4 Mon Sep 17 00:00:00 2001
From: Berton Anthony
Date: Mon, 25 Jul 2022 12:17:02 +0200
Subject: [PATCH 4/7] ok
---
htdocs/commande/list.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/commande/list.php b/htdocs/commande/list.php
index ee25ea86eff..5d921c89e22 100644
--- a/htdocs/commande/list.php
+++ b/htdocs/commande/list.php
@@ -1217,7 +1217,7 @@ if ($resql) {
if ($permissiontocancel) {
$arrayofmassactions['cancelorders'] = img_picto('', 'close_title', 'class="pictofixedwidth"').$langs->trans("Cancel");
}
- if ($user->rights->facture->creer) {
+ if (!empty($user->invoices->enabled) && $user->rights->facture->creer) {
$arrayofmassactions['createbills'] = img_picto('', 'bill', 'class="pictofixedwidth"').$langs->trans("CreateInvoiceForThisCustomer");
}
if ($permissiontoclose) {
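Review bot: In massstockmove.php (patch 3/7) the five CSV fields are HTML-escaped with `dol_escape_htmltag()` where they are read, but escaping belongs at the place a value is written into a page, not where it is parsed. The escaped strings then feed non-HTML logic visible in the same hunk, `is_numeric($tmp_id_product)` and `fetchref($productstatic, $tmp_id_product)`, so a reference containing `&`, `<` or a quote would be looked up in its entity-encoded form, and a batch number would presumably be stored that way as well. Validate each field by type here (integer ids, numeric quantity, a length and character check for the batch) and apply `dol_escape_htmltag()` at whichever output echoes the value, which is outside this hunk. The `$tmp_batch` line keeps the input-time escape through patches 6/7 and 7/7.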
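Review bot: The module guard added in commande/list.php (patch 4/7) reads `$user->invoices->enabled`, and patch 5/7 rewrites it to `$conf->invoice->enabled`; neither name matches the `facture` key that the same line uses for the permission, `$user->rights->facture->creer`. If the invoice module's configuration entry is also keyed `facture`, which this hunk does not show, `!empty(...)` is always false and the `createbills` mass action disappears for every user rather than only when the module is off. The likely intended form is `if (!empty($conf->facture->enabled) && $user->rights->facture->creer) {`, to be confirmed against how other module checks in this file are spelled. Because `!empty()` suppresses the undefined-property notice, a wrong property name here fails silently.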
From e77c51eabbfbc90d67bddc4a573324653f4a38f8 Mon Sep 17 00:00:00 2001
From: Berton Anthony
Date: Mon, 25 Jul 2022 12:18:07 +0200
Subject: [PATCH 5/7] conf
---
htdocs/commande/list.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/commande/list.php b/htdocs/commande/list.php
index 5d921c89e22..dbb99d0f993 100644
--- a/htdocs/commande/list.php
+++ b/htdocs/commande/list.php
@@ -1217,7 +1217,7 @@ if ($resql) {
if ($permissiontocancel) {
$arrayofmassactions['cancelorders'] = img_picto('', 'close_title', 'class="pictofixedwidth"').$langs->trans("Cancel");
}
- if (!empty($user->invoices->enabled) && $user->rights->facture->creer) {
+ if (!empty($conf->invoice->enabled) && $user->rights->facture->creer) {
$arrayofmassactions['createbills'] = img_picto('', 'bill', 'class="pictofixedwidth"').$langs->trans("CreateInvoiceForThisCustomer");
}
if ($permissiontoclose) {
From d964aabcea3894db14904e5dc40d6ce5400679c7 Mon Sep 17 00:00:00 2001
From: lmarcouiller
Date: Tue, 26 Jul 2022 11:01:53 +0200
Subject: [PATCH 6/7] fix with advices
---
htdocs/product/stock/massstockmove.php | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/htdocs/product/stock/massstockmove.php b/htdocs/product/stock/massstockmove.php
index b2276befd63..09bc19b9beb 100644
--- a/htdocs/product/stock/massstockmove.php
+++ b/htdocs/product/stock/massstockmove.php
@@ -336,10 +336,10 @@ if ($action == 'importCSV' && !empty($user->rights->stock->mouvement->creer)) {
continue;
}
//var_dump($data);
- $tmp_id_sw = dol_escape_htmltag($data[$i][0]['val']);
- $tmp_id_tw = dol_escape_htmltag($data[$i][1]['val']);
- $tmp_id_product = dol_escape_htmltag($data[$i][2]['val']);
- $tmp_qty = dol_escape_htmltag($data[$i][3]['val']);
+ $tmp_id_sw = (int) $data[$i][0]['val'];
+ $tmp_id_tw = (int) dol_escape_htmltag($data[$i][1]['val']);
+ $tmp_id_product = (int) dol_escape_htmltag($data[$i][2]['val']);
+ $tmp_qty = price2num((float) $data[$i][3]['val'], 'MS');
$tmp_batch = dol_escape_htmltag($data[$i][4]['val']);
if (!is_numeric($tmp_id_product)) {
From e4d2e538c4dedc045951d0f863757f61e40f4945 Mon Sep 17 00:00:00 2001
From: lmarcouiller
Date: Tue, 26 Jul 2022 11:03:27 +0200
Subject: [PATCH 7/7] remove escape
---
htdocs/product/stock/massstockmove.php | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/product/stock/massstockmove.php b/htdocs/product/stock/massstockmove.php
index 09bc19b9beb..31b2aa8e187 100644
--- a/htdocs/product/stock/massstockmove.php
+++ b/htdocs/product/stock/massstockmove.php
@@ -337,8 +337,8 @@ if ($action == 'importCSV' && !empty($user->rights->stock->mouvement->creer)) {
}
//var_dump($data);
$tmp_id_sw = (int) $data[$i][0]['val'];
- $tmp_id_tw = (int) dol_escape_htmltag($data[$i][1]['val']);
- $tmp_id_product = (int) dol_escape_htmltag($data[$i][2]['val']);
+ $tmp_id_tw = (int) $data[$i][1]['val'];
+ $tmp_id_product = (int) $data[$i][2]['val'];
$tmp_qty = price2num((float) $data[$i][3]['val'], 'MS');
$tmp_batch = dol_escape_htmltag($data[$i][4]['val']);
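Review bot: Casting `$tmp_id_product` with `(int)` in patch 6/7 (kept in 7/7) makes the context line `if (!is_numeric($tmp_id_product)) {` just below it always false, so the `fetchref($productstatic, $tmp_id_product)` lookup shown in patch 3/7 can no longer run. A CSV row that names the product by reference rather than by id is then turned into product id 0 instead of being resolved or rejected; the two warehouse columns may be affected the same way if they accept references, which the hunk does not show. Keep the raw value until the numeric test has run, e.g. `$tmp_id_product = trim((string) $data[$i][2]['val']);`, cast with `(int)` only on the numeric path, and escape the value where it is echoed back to the page. The `if` block continues outside the hunk.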