From 0a9293c9c6f0a06a9a46febce87e540394ea8bd3 Mon Sep 17 00:00:00 2001
From: Florian HENRY
Date: Wed, 21 Oct 2020 20:40:53 +0200
Subject: [PATCH 1/4] fix token CSRF check for getSupplierPrice ajax call
---
 htdocs/core/tpl/objectline_create.tpl.php | 2 +-
 htdocs/core/tpl/objectline_edit.tpl.php | 2 +-
 htdocs/fourn/ajax/getSupplierPrices.php | 2 ++
 3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/htdocs/core/tpl/objectline_create.tpl.php b/htdocs/core/tpl/objectline_create.tpl.php
index 0f6e056dce5..a173d9ec5b9 100644
--- a/htdocs/core/tpl/objectline_create.tpl.php
+++ b/htdocs/core/tpl/objectline_create.tpl.php
@@ -667,7 +667,7 @@ if (!empty($usemargins) && $user->rights->margins->creer)
 $("#buying_price").val("").show();
 /* Call post to load content of combo list fournprice_predef */
- $.post('/fourn/ajax/getSupplierPrices.php?bestpricefirst=1', { 'idprod': $(this).val() }, function(data) {
+ $.post('/fourn/ajax/getSupplierPrices.php?bestpricefirst=1', { 'idprod': $(this).val(), 'token': '' }, function(data) {
 if (data && data.length > 0) {
 var options = ''; var defaultkey = ''; var defaultprice = ''; var bestpricefound = 0;
diff --git a/htdocs/core/tpl/objectline_edit.tpl.php b/htdocs/core/tpl/objectline_edit.tpl.php
index fb9e8bbd208..85ab1291a4d 100644
--- a/htdocs/core/tpl/objectline_edit.tpl.php
+++ b/htdocs/core/tpl/objectline_edit.tpl.php
@@ -430,7 +430,7 @@ jQuery(document).ready(function()
 });
 /* Init field buying_price and fournprice */
- $.post('/fourn/ajax/getSupplierPrices.php', {'idprod': fk_product ? $line->fk_product : 0; ?>}, function(data) {
+ $.post('/fourn/ajax/getSupplierPrices.php', {'idprod': fk_product ? $line->fk_product : 0; ?>, 'token': ''}, function(data) {
 if (data && data.length > 0) {
 var options = ''; var trouve=false;
diff --git a/htdocs/fourn/ajax/getSupplierPrices.php b/htdocs/fourn/ajax/getSupplierPrices.php
index 0c0d8f42c9e..68f1cbbe0d8 100644
--- a/htdocs/fourn/ajax/getSupplierPrices.php 
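Review bot: The new `'token': ''` entry in the `$.post` payload is, as rendered here, an empty string literal; presumably a `<?php echo ... ?>` of the session token was stripped from this rendering, but that is precisely the part that needs review, so confirm the template really emits the token and never ships the literal `''` — an empty token is exactly what the endpoint's CSRF check (the one the commit subject says this call was failing) would reject. The same applies to the objectline_edit.tpl.php hunk of this commit, where the `<?php ... ?>` around `$line->fk_product` also appears to be stripped (only `; ?>` survives). Whether main.inc.php reads the token from the POST body for this script, while `bestpricefirst=1` stays in the query string, is not visible in the hunk. The jQuery handler this call sits in starts before the hunk.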
+++ b/htdocs/fourn/ajax/getSupplierPrices.php
@@ -26,6 +26,7 @@ if (!defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL', '1'); // Disables token
 if (!defined('NOREQUIREMENU')) define('NOREQUIREMENU', '1');
 if (!defined('NOREQUIREAJAX')) define('NOREQUIREAJAX', '1');
 if (!defined('NOREQUIRESOC')) define('NOREQUIRESOC', '1');
+//if (!defined('NOCSRFCHECK')) define('NOCSRFCHECK', '1');
 require '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.product.class.php';
@@ -48,6 +49,7 @@ top_httphead();
 if ($idprod > 0) {
+ $producttmp = new ProductFournisseur($db);
 $producttmp->fetch($idprod);
From 93a97492ae819e84913e883a33b45af2903aadf6 Mon Sep 17 00:00:00 2001
From: Florian HENRY
Date: Wed, 21 Oct 2020 20:41:50 +0200
Subject: [PATCH 2/4] review
---
 htdocs/fourn/ajax/getSupplierPrices.php | 2 --
 1 file changed, 2 deletions(-)
diff --git a/htdocs/fourn/ajax/getSupplierPrices.php b/htdocs/fourn/ajax/getSupplierPrices.php
index 68f1cbbe0d8..0c0d8f42c9e 100644
--- a/htdocs/fourn/ajax/getSupplierPrices.php
+++ b/htdocs/fourn/ajax/getSupplierPrices.php
@@ -26,7 +26,6 @@ if (!defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL', '1'); // Disables token
 if (!defined('NOREQUIREMENU')) define('NOREQUIREMENU', '1');
 if (!defined('NOREQUIREAJAX')) define('NOREQUIREAJAX', '1');
 if (!defined('NOREQUIRESOC')) define('NOREQUIRESOC', '1');
-//if (!defined('NOCSRFCHECK')) define('NOCSRFCHECK', '1');
 require '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.product.class.php';
@@ -49,7 +48,6 @@ top_httphead();
 if ($idprod > 0) {
- $producttmp = new ProductFournisseur($db);
 $producttmp->fetch($idprod);
From 46a31f443d7cd952740874192dc9ae5f84eab492 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 22 Oct 2020 15:11:01 +0200
Subject: [PATCH 3/4] Update objectline_create.tpl.php
---
 htdocs/core/tpl/objectline_create.tpl.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) 
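Review bot: The line added after the NOREQUIRE* defines is commented-out code, `//if (!defined('NOCSRFCHECK')) define('NOCSRFCHECK', '1');`, which leaves a one-keystroke switch for disabling the CSRF check of this endpoint sitting next to its other bootstrap flags; it changes nothing today, but it is the kind of leftover that gets uncommented under pressure later (the following commit in this series removes it again). If the intent is to record that the check is deliberately kept on, a comment carries that better than dead code, e.g. `// CSRF token check deliberately left enabled: callers must send 'token' with the request`. Whether main.inc.php actually enforces the check for this script is not visible in the hunk; the commit subject suggests it does. The second hunk of this commit only adds a whitespace line inside `if ($idprod > 0) {`, and that block continues past the hunk.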
diff --git a/htdocs/core/tpl/objectline_create.tpl.php b/htdocs/core/tpl/objectline_create.tpl.php
index a173d9ec5b9..8da4d30af02 100644
--- a/htdocs/core/tpl/objectline_create.tpl.php
+++ b/htdocs/core/tpl/objectline_create.tpl.php
@@ -667,7 +667,7 @@ if (!empty($usemargins) && $user->rights->margins->creer)
 $("#buying_price").val("").show();
 /* Call post to load content of combo list fournprice_predef */
- $.post('/fourn/ajax/getSupplierPrices.php?bestpricefirst=1', { 'idprod': $(this).val(), 'token': '' }, function(data) {
+ $.post('/fourn/ajax/getSupplierPrices.php?bestpricefirst=1', { 'idprod': $(this).val(), 'token': '' }, function(data) {
 if (data && data.length > 0) {
 var options = ''; var defaultkey = ''; var defaultprice = ''; var bestpricefound = 0;
From d521ad6db4fe4bd18d876de2e74dc58a2555ac28 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 22 Oct 2020 15:11:54 +0200
Subject: [PATCH 4/4] Update objectline_edit.tpl.php
---
 htdocs/core/tpl/objectline_edit.tpl.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/core/tpl/objectline_edit.tpl.php b/htdocs/core/tpl/objectline_edit.tpl.php
index 85ab1291a4d..b3e360b8e2c 100644
--- a/htdocs/core/tpl/objectline_edit.tpl.php
+++ b/htdocs/core/tpl/objectline_edit.tpl.php
@@ -430,7 +430,7 @@ jQuery(document).ready(function()
 });
 /* Init field buying_price and fournprice */
- $.post('/fourn/ajax/getSupplierPrices.php', {'idprod': fk_product ? $line->fk_product : 0; ?>, 'token': ''}, function(data) {
+ $.post('/fourn/ajax/getSupplierPrices.php', {'idprod': fk_product ? $line->fk_product : 0; ?>, 'token': ''}, function(data) {
 if (data && data.length > 0) {
 var options = ''; var trouve=false;
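Review bot: The removed and added lines of this hunk are byte-identical in this rendering — both read `{ 'idprod': $(this).val(), 'token': '' }` — so the actual change (presumably a different PHP expression inside the token value, stripped from the text) cannot be reviewed here, and the commit title `Update objectline_create.tpl.php` does not name it either. A title that states which token helper is now used and a one-line body saying why that helper is the right one for a request to an endpoint that defines NOTOKENRENEWAL would make the change verifiable from the patch alone. The same holds for the objectline_edit.tpl.php hunk of the next commit, whose two sides are likewise identical as shown. The jQuery handler around this call starts before the hunk.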