lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix: Security

Browse Source
This commit is contained in:
simnandez 2012-03-05 11:16:30 +01:00
parent ddedb68aeb
commit 743489ae1d
6 changed files with 122 additions and 119 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
htdocs/fichinter/apercu.php
View File

@ -2,7 +2,7 @@
/* Copyright (C) 2002-2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
* Copyright (C) 2004-2005 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2005-2011 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2011 Juanjo Menent <jmenent@2byte.es>
* Copyright (C) 2011-2012 Juanjo Menent <jmenent@2byte.es>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -36,7 +36,7 @@ $langs->load('interventions');
// Security check
$socid=0;
$id = GETPOST('id','int');
$ref = GETPOST("ref");
$ref = GETPOST('ref','alpha');
if ($user->societe_id) $socid=$user->societe_id;
$result = restrictedArea($user, 'ficheinter', $id, 'fichinter');

42
htdocs/fichinter/contact.php
View File

@ -1,6 +1,7 @@
<?php
/* Copyright (C) 2005-2009 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2007-2009 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2012 Juanjo Menent <jmenent@2byte.es>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -32,7 +33,8 @@ $langs->load("interventions");
$langs->load("sendings");
$langs->load("companies");
$fichinterid = isset($_GET["id"])?$_GET["id"]:'';
$fichinterid = GETPOST('id','int');
$action = GETPOST('action','alpha');
// Security check
if ($user->societe_id) $socid=$user->societe_id;
@ -43,16 +45,16 @@ $result = restrictedArea($user, 'ficheinter', $fichinterid, 'fichinter');
* Ajout d'un nouveau contact
*/
if ($_POST["action"] == 'addcontact' && $user->rights->ficheinter->creer)
if ($action == 'addcontact' && $user->rights->ficheinter->creer)
{
$result = 0;
$fichinter = new Fichinter($db);
$result = $fichinter->fetch($_GET["id"]);
$result = $fichinter->fetch($fichinterid);
if ($result > 0 && $_GET["id"] > 0)
if ($result > 0 && $fichinterid > 0)
{
$result = $fichinter->add_contact($_POST["contactid"], $_POST["type"], $_POST["source"]);
$result = $fichinter->add_contact(GETPOST('contactid','int'), GETPOST('type','int'), GETPOST('source','alpha'));
}
if ($result >= 0)
@ -75,12 +77,12 @@ if ($_POST["action"] == 'addcontact' && $user->rights->ficheinter->creer)
}
// bascule du statut d'un contact
if ($_GET["action"] == 'swapstatut' && $user->rights->ficheinter->creer)
if ($action == 'swapstatut' && $user->rights->ficheinter->creer)
{
$fichinter = new Fichinter($db);
if ($fichinter->fetch(GETPOST('id','int')))
if ($fichinter->fetch($fichinterid))
{
$result=$fichinter->swapContactStatus(GETPOST('ligne'));
$result=$fichinter->swapContactStatus(GETPOST('ligne','int'));
}
else
{
@ -89,11 +91,11 @@ if ($_GET["action"] == 'swapstatut' && $user->rights->ficheinter->creer)
}
// Efface un contact
if ($_GET["action"] == 'deleteline' && $user->rights->ficheinter->creer)
if ($action == 'deleteline' && $user->rights->ficheinter->creer)
{
$fichinter = new Fichinter($db);
$fichinter->fetch($_GET["id"]);
$result = $fichinter->delete_contact($_GET["lineid"]);
$fichinter->fetch($fichinterid);
$result = $fichinter->delete_contact(GETPOST('lineid','int'));
if ($result >= 0)
{
@ -125,11 +127,11 @@ $userstatic=new User($db);
/* *************************************************************************** */
dol_htmloutput_mesg($mesg);
$id = $_GET["id"];
if ($id > 0)
if ($fichinterid > 0)
{
$fichinter = new Fichinter($db);
if ($fichinter->fetch($_GET['id']) > 0)
if ($fichinter->fetch($fichinterid) > 0)
{
$soc = new Societe($db);
$soc->fetch($fichinter->socid);
@ -168,7 +170,7 @@ if ($id > 0)
* Ajouter une ligne de contact
* Non affiche en mode modification de ligne
*/
if ($_GET["action"] != 'editline' && $user->rights->ficheinter->creer)
if ($action != 'editline' && $user->rights->ficheinter->creer)
{
print '<tr class="liste_titre">';
print '<td>'.$langs->trans("Source").'</td>';
@ -180,11 +182,11 @@ if ($id > 0)
$var = false;
print '<form action="contact.php?id='.$id.'" method="post">';
print '<form action="contact.php?id='.$fichinterid.'" method="post">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="addcontact">';
print '<input type="hidden" name="source" value="internal">';
print '<input type="hidden" name="id" value="'.$id.'">';
print '<input type="hidden" name="id" value="'.$fichinterid.'">';
// Ligne ajout pour contact interne
print "<tr $bc[$var]>";
@ -209,11 +211,11 @@ if ($id > 0)
print '</form>';
print '<form action="contact.php?id='.$id.'" method="post">';
print '<form action="contact.php?id='.$fichinterid.'" method="post">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="addcontact">';
print '<input type="hidden" name="source" value="external">';
print '<input type="hidden" name="id" value="'.$id.'">';
print '<input type="hidden" name="id" value="'.$fichinterid.'">';
// Ligne ajout pour contact externe
$var=!$var;
@ -224,7 +226,7 @@ if ($id > 0)
print '</td>';
print '<td colspan="1">';
$selectedCompany = isset($_GET["newcompany"])?$_GET["newcompany"]:$fichinter->client->id;
$selectedCompany = GETPOST('newcompany','int')?GETPOST('newcompany','int'):$fichinter->client->id;
$selectedCompany = $formcompany->selectCompaniesForNewContact($fichinter, 'id', $selectedCompany, $htmlname = 'newcompany');
print '</td>';

14
htdocs/fichinter/document.php
View File

@ -4,7 +4,7 @@
* Copyright (C) 2005 Marc Barilley / Ocebo <marc@ocebo.com>
* Copyright (C) 2005-2009 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2005 Simon TOSSER <simon@kornog-computing.com>
* Copyright (C) 2011 Juanjo Menent <jmenent@2byte.es>
* Copyright (C) 2011-2012 Juanjo Menent <jmenent@2byte.es>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -39,7 +39,7 @@ $langs->load("companies");
$langs->load("interventions");
$id = GETPOST('id','int');
$action = GETPOST("action");
$action = GETPOST('action','alpha');
// Security check
if ($user->societe_id) $socid=$user->societe_id;
@ -47,9 +47,9 @@ $result = restrictedArea($user, 'ficheinter', $id, 'fichinter');
// Get parameters
$sortfield = GETPOST("sortfield",'alpha');
$sortorder = GETPOST("sortorder",'alpha');
$page = GETPOST("page",'int');
$sortfield = GETPOST('sortfield','alpha');
$sortorder = GETPOST('sortorder','alpha');
$page = GETPOST('page','int');
if ($page == -1) { $page = 0; }
$offset = $conf->liste_limit * $page;
$pageprev = $page - 1;
@ -69,7 +69,7 @@ $modulepart='fichinter';
* Actions
*/
if (GETPOST("sendit") && ! empty($conf->global->MAIN_UPLOAD_DOC))
if (GETPOST('sendit','alpha') && ! empty($conf->global->MAIN_UPLOAD_DOC))
{
require_once(DOL_DOCUMENT_ROOT."/core/lib/files.lib.php");
@ -133,7 +133,7 @@ if ($object->id)
if ($action == 'delete')
{
$file = $upload_dir . '/' . GETPOST("urlfile"); // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP).
$file = $upload_dir . '/' . GETPOST('urlfile','alpha'); // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP).
$result=dol_delete_file($file);
//if ($result >= 0) $mesg=$langs->trans("FileWasRemoced");
}

144
htdocs/fichinter/fiche.php
View File

@ -2,7 +2,7 @@
/* Copyright (C) 2002-2007 Rodolphe Quiedeville <rodolphe@quiedeville.org>
* Copyright (C) 2004-2011 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2005-2011 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2011 Juanjo Menent <jmenent@2byte.es>
* Copyright (C) 2011-2012 Juanjo Menent <jmenent@2byte.es>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -44,11 +44,11 @@ $langs->load("companies");
$langs->load("interventions");
$id = GETPOST('id','int');
$ref = GETPOST('ref');
$ref = GETPOST('ref','alpha');
$socid = GETPOST('socid','int');
$action = GETPOST("action");
$confirm = GETPOST("confirm");
$mesg = GETPOST("msg");
$action = GETPOST('action','alpha');
$confirm = GETPOST('confirm','alpha');
$mesg = GETPOST('msg','alpha');
// Security check
if ($user->societe_id) $socid=$user->societe_id;
@ -72,14 +72,14 @@ if ($action == 'confirm_validate' && $confirm == 'yes')
// Define output language
$outputlangs = $langs;
$newlang='';
if ($conf->global->MAIN_MULTILANGS && empty($newlang) && ! empty($_REQUEST['lang_id'])) $newlang=$_REQUEST['lang_id'];
if ($conf->global->MAIN_MULTILANGS && empty($newlang) && GETPOST('lang_id','alpha')) $newlang=GETPOST('lang_id','alpha');
if ($conf->global->MAIN_MULTILANGS && empty($newlang)) $newlang=$object->client->default_lang;
if (! empty($newlang))
{
$outputlangs = new Translate("",$conf);
$outputlangs->setDefaultLang($newlang);
}
$result=fichinter_create($db, $object, $_REQUEST['model'], $outputlangs);
$result=fichinter_create($db, $object, GETPOST('model','alpha'), $outputlangs);
Header('Location: '.$_SERVER["PHP_SELF"].'?id='.$object->id);
exit;
}
@ -100,14 +100,14 @@ if ($action == 'confirm_modify' && $confirm == 'yes')
// Define output language
$outputlangs = $langs;
$newlang='';
if ($conf->global->MAIN_MULTILANGS && empty($newlang) && ! empty($_REQUEST['lang_id'])) $newlang=$_REQUEST['lang_id'];
if ($conf->global->MAIN_MULTILANGS && empty($newlang) && GETPOST('lang_id','alpha')) $newlang=GETPOST('lang_id','alpha');
if ($conf->global->MAIN_MULTILANGS && empty($newlang)) $newlang=$object->client->default_lang;
if (! empty($newlang))
{
$outputlangs = new Translate("",$conf);
$outputlangs->setDefaultLang($newlang);
}
$result=fichinter_create($db, $object, (empty($_REQUEST['model'])?$object->model:$_REQUEST['model']), $outputlangs);
$result=fichinter_create($db, $object, (!GETPOST('model','alpha'))?$object->model:GETPOST('model','apha'), $outputlangs);
Header('Location: '.$_SERVER["PHP_SELF"].'?id='.$object->id);
exit;
}
@ -120,14 +120,14 @@ if ($action == 'confirm_modify' && $confirm == 'yes')
if ($action == 'add')
{
$object->socid = $socid;
$object->duree = $_POST["duree"];
$object->fk_project = $_POST["projectid"];
$object->duree = GETPOST('duree','int');
$object->fk_project = GETPOST('projectid','int');
$object->author = $user->id;
$object->description = $_POST["description"];
$object->description = GETPOST('description','alpha');
$object->ref = $ref;
$object->modelpdf = $_POST["model"];
$object->note_private = $_POST["note_private"];
$object->note_public = $_POST["note_public"];
$object->modelpdf = GETPOST('model','alpha');
$object->note_private = GETPOST('note_private','alpha');
$object->note_public = GETPOST('note_public','alpha');
if ($object->socid > 0)
{
@ -155,9 +155,9 @@ if ($action == 'update')
$object->fetch($id);
$object->socid = $socid;
$object->fk_project = $_POST["projectid"];
$object->fk_project = GETPOST('projectid','int');
$object->author = $user->id;
$object->description = $_POST["description"];
$object->description = GETPOST('description','alpha');
$object->ref = $ref;
$object->update();
@ -172,22 +172,22 @@ if ($action == 'builddoc') // En get ou en post
$object->fetch_thirdparty();
$object->fetch_lines();
if ($_REQUEST['model'])
if (GETPOST('model','alpha'))
{
$object->setDocModel($user, $_REQUEST['model']);
$object->setDocModel($user, GETPOST('model','alpha'));
}
// Define output language
$outputlangs = $langs;
$newlang='';
if ($conf->global->MAIN_MULTILANGS && empty($newlang) && ! empty($_REQUEST['lang_id'])) $newlang=$_REQUEST['lang_id'];
if ($conf->global->MAIN_MULTILANGS && empty($newlang) && GETPOST('lang_id','alpha')) $newlang=GETPOST('lang_id','alpha');
if ($conf->global->MAIN_MULTILANGS && empty($newlang)) $newlang=$object->client->default_lang;
if (! empty($newlang))
{
$outputlangs = new Translate("",$conf);
$outputlangs->setDefaultLang($newlang);
}
$result=fichinter_create($db, $object, $_REQUEST['model'], $outputlangs);
$result=fichinter_create($db, $object, GETPOST('model','alpha'), $outputlangs);
if ($result <= 0)
{
dol_print_error($db,$result);
@ -199,7 +199,7 @@ if ($action == 'builddoc') // En get ou en post
if ($action == 'classin')
{
$object->fetch($id);
$result=$object->setProject($_POST['projectid']);
$result=$object->setProject(GETPOST('projectid','int'));
if ($result < 0) dol_print_error($db,$object->error);
}
@ -217,31 +217,31 @@ if ($action == 'confirm_delete' && $confirm == 'yes')
if ($action == 'setdescription')
{
$object->fetch($id);
$result=$object->set_description($user,$_POST['description']);
$result=$object->set_description($user,GETPOST('description','alpha'));
if ($result < 0) dol_print_error($db,$object->error);
}
if ($action == 'setnote_public')
{
$object->fetch($id);
$result=$object->update_note_public($_POST['note_public']);
$result=$object->update_note_public(GETPOST('note_public','alpha'));
if ($result < 0) dol_print_error($db,$object->error);
}
if ($action == 'setnote_private')
{
$object->fetch($id);
$result=$object->update_note($_POST['note_private']);
$result=$object->update_note(GETPOST('note_private','alpha'));
if ($result < 0) dol_print_error($db,$object->error);
}
// Add line
if ($action == "addline" && $user->rights->ficheinter->creer)
{
if (empty($_POST['np_desc']))
if (!GETPOST('np_desc','alpha'))
{
$mesg='<div class="error">'.$langs->trans("ErrorFieldRequired",$langs->transnoentitiesnoconv("Description")).'</div>';
$error++;
}
if (empty($_POST['durationhour']) && empty($_POST['durationmin']))
if (!GETPOST('durationhour','int') && !GETPOST('durationmin','int'))
{
$mesg='<div class="error">'.$langs->trans("ErrorFieldRequired",$langs->transnoentitiesnoconv("Duration")).'</div>';
$error++;
@ -253,9 +253,9 @@ if ($action == "addline" && $user->rights->ficheinter->creer)
$ret=$object->fetch($id);
$object->fetch_thirdparty();
$desc=$_POST['np_desc'];
$date_intervention = dol_mktime($_POST["dihour"], $_POST["dimin"], 0, $_POST["dimonth"], $_POST["diday"], $_POST["diyear"]);
$duration = convertTime2Seconds($_POST['durationhour'],$_POST['durationmin']);
$desc=GETPOST('np_desc','alpha');
$date_intervention = dol_mktime(GETPOST('dihour','int'), GETPOST('dimin','int'), 0, GETPOST('dimonth','int'), GETPOST('diday','int'), GETPOST('diyear','int'));
$duration = convertTime2Seconds(GETPOST('durationhour','int'),GETPOST('durationmin','int'));
$result=$object->addline(
$id,
@ -267,7 +267,7 @@ if ($action == "addline" && $user->rights->ficheinter->creer)
// Define output language
$outputlangs = $langs;
$newlang='';
if ($conf->global->MAIN_MULTILANGS && empty($newlang) && ! empty($_REQUEST['lang_id'])) $newlang=$_REQUEST['lang_id'];
if ($conf->global->MAIN_MULTILANGS && empty($newlang) && GETPOST('lang_id','alpha')) $newlang=GETPOST('lang_id','alpha');
if ($conf->global->MAIN_MULTILANGS && empty($newlang)) $newlang=$object->client->default_lang;
if (! empty($newlang))
{
@ -310,10 +310,10 @@ if ($action == 'classifybilled')
/*
* Mise a jour d'une ligne d'intervention
*/
if ($action == 'updateline' && $user->rights->ficheinter->creer && $_POST["save"] == $langs->trans("Save"))
if ($action == 'updateline' && $user->rights->ficheinter->creer && GETPOST('save','alpha') == $langs->trans("Save"))
{
$objectline = new FichinterLigne($db);
if ($objectline->fetch($_POST['line_id']) <= 0)
if ($objectline->fetch(GETPOST('line_id','int')) <= 0)
{
dol_print_error($db);
exit;
@ -326,9 +326,9 @@ if ($action == 'updateline' && $user->rights->ficheinter->creer && $_POST["save"
}
$object->fetch_thirdparty();
$desc = $_POST['np_desc'];
$date_inter = dol_mktime($_POST["dihour"], $_POST["dimin"], 0, $_POST["dimonth"], $_POST["diday"], $_POST["diyear"]);
$duration = convertTime2Seconds($_POST['durationhour'],$_POST['durationmin']);
$desc = GETPOST('np_desc','alpha');
$date_inter = dol_mktime(GETPOST('dihour','int'), GETPOST('dimin','int'), 0, GETPOST('dimonth','int'), GETPOST('diday','int'), GETPOST('diyear','int'));
$duration = convertTime2Seconds(GETPOST('durationhour','int'),GETPOST('durationmin','int'));
$objectline->datei = $date_inter;
$objectline->desc = $desc;
@ -343,7 +343,7 @@ if ($action == 'updateline' && $user->rights->ficheinter->creer && $_POST["save"
// Define output language
$outputlangs = $langs;
$newlang='';
if ($conf->global->MAIN_MULTILANGS && empty($newlang) && ! empty($_REQUEST['lang_id'])) $newlang=$_REQUEST['lang_id'];
if ($conf->global->MAIN_MULTILANGS && empty($newlang) && GETPOST('lang_id','alpha')) $newlang=GETPOST('lang_id','alpha');
if ($conf->global->MAIN_MULTILANGS && empty($newlang)) $newlang=$object->client->default_lang;
if (! empty($newlang))
{
@ -364,7 +364,7 @@ if ($action == 'confirm_deleteline' && $confirm == 'yes')
if ($user->rights->ficheinter->creer)
{
$objectline = new FichinterLigne($db);
if ($objectline->fetch($_GET['line_id']) <= 0)
if ($objectline->fetch(GETPOST('line_id','int')) <= 0)
{
dol_print_error($db);
exit;
@ -380,7 +380,7 @@ if ($action == 'confirm_deleteline' && $confirm == 'yes')
// Define output language
$outputlangs = $langs;
$newlang='';
if ($conf->global->MAIN_MULTILANGS && empty($newlang) && ! empty($_REQUEST['lang_id'])) $newlang=$_REQUEST['lang_id'];
if ($conf->global->MAIN_MULTILANGS && empty($newlang) && GETPOST('lang_id','alpha')) $newlang=GETPOST('lang_id','alpha');
if ($conf->global->MAIN_MULTILANGS && empty($newlang)) $newlang=$object->client->default_lang;
if (! empty($newlang))
{
@ -401,12 +401,12 @@ if ($action == 'up' && $user->rights->ficheinter->creer)
{
$object->fetch($id);
$object->fetch_thirdparty();
$object->line_up($_GET['line_id']);
$object->line_up(GETPOST('line_id','int'));
// Define output language
$outputlangs = $langs;
$newlang='';
if ($conf->global->MAIN_MULTILANGS && empty($newlang) && ! empty($_REQUEST['lang_id'])) $newlang=$_REQUEST['lang_id'];
if ($conf->global->MAIN_MULTILANGS && empty($newlang) && GETPOST('lang_id','alpha')) $newlang=GETPOST('lang_id','alpha');
if ($conf->global->MAIN_MULTILANGS && empty($newlang)) $newlang=$object->client->default_lang;
if (! empty($newlang))
{
@ -414,7 +414,7 @@ if ($action == 'up' && $user->rights->ficheinter->creer)
$outputlangs->setDefaultLang($newlang);
}
fichinter_create($db, $object, $object->modelpdf, $outputlangs);
Header('Location: '.$_SERVER["PHP_SELF"].'?id='.$object->id.'#'.$_GET['line_id']);
Header('Location: '.$_SERVER["PHP_SELF"].'?id='.$object->id.'#'.GETPOST('line_id','int'));
exit;
}
@ -422,12 +422,12 @@ if ($action == 'down' && $user->rights->ficheinter->creer)
{
$object->fetch($id);
$object->fetch_thirdparty();
$object->line_down($_GET['line_id']);
$object->line_down(GETPOST('line_id','int'));
// Define output language
$outputlangs = $langs;
$newlang='';
if ($conf->global->MAIN_MULTILANGS && empty($newlang) && ! empty($_REQUEST['lang_id'])) $newlang=$_REQUEST['lang_id'];
if ($conf->global->MAIN_MULTILANGS && empty($newlang) && GETPOST('lang_id','alpha')) $newlang=GETPOST('lang_id','alpha');
if ($conf->global->MAIN_MULTILANGS && empty($newlang)) $newlang=$object->client->default_lang;
if (! empty($newlang))
{
@ -435,7 +435,7 @@ if ($action == 'down' && $user->rights->ficheinter->creer)
$outputlangs->setDefaultLang($newlang);
}
fichinter_create($db, $object, $object->modelpdf, $outputlangs);
Header('Location: '.$_SERVER["PHP_SELF"].'?id='.$object->id.'#'.$_GET['line_id']);
Header('Location: '.$_SERVER["PHP_SELF"].'?id='.$object->id.'#'.GETPOST('line_id','int'));
exit;
}
@ -443,7 +443,7 @@ if ($action == 'down' && $user->rights->ficheinter->creer)
/*
* Add file in email form
*/
if ($_POST['addfile'])
if (GETPOST('addfile','alpha'))
{
require_once(DOL_DOCUMENT_ROOT."/core/lib/files.lib.php");
@ -459,7 +459,7 @@ if ($_POST['addfile'])
/*
* Remove file in email form
*/
if (! empty($_POST['removedfile']))
if (GETPOST('removedfile','alpha'))
{
require_once(DOL_DOCUMENT_ROOT."/core/lib/files.lib.php");
@ -468,7 +468,7 @@ if (! empty($_POST['removedfile']))
$upload_dir_tmp = $vardir.'/temp';
// TODO Delete only files that was uploaded from email form
$mesg=dol_remove_file_process($_POST['removedfile'],0);
$mesg=dol_remove_file_process(GETPOST('removedfile','alpha'),0);
$action='presend';
}
@ -476,7 +476,7 @@ if (! empty($_POST['removedfile']))
/*
* Send mail
*/
if ($action == 'send' && ! $_POST['cancel'] && (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || $user->rights->ficheinter->ficheinter_advance->send))
if ($action == 'send' && ! GETPOST('cancel','alpha') && (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || $user->rights->ficheinter->ficheinter_advance->send))
{
$langs->load('mails');
@ -489,24 +489,24 @@ if ($action == 'send' && ! $_POST['cancel'] && (empty($conf->global->MAIN_USE_AD
{
$object->fetch_thirdparty();
if ($_POST['sendto'])
if (GETPOST('sendto','alpha'))
{
// Le destinataire a ete fourni via le champ libre
$sendto = $_POST['sendto'];
$sendto = GETPOST('sendto','alpha');
$sendtoid = 0;
}
elseif ($_POST['receiver'] != '-1')
elseif (GETPOST('receiver','alpha') != '-1')
{
// Recipient was provided from combo list
if ($_POST['receiver'] == 'thirdparty') // Id of third party
if (GETPOST('receiver','alpha') == 'thirdparty') // Id of third party
{
$sendto = $object->client->email;
$sendtoid = 0;
}
else // Id du contact
{
$sendto = $object->client->contact_get_email($_POST['receiver']);
$sendtoid = $_POST['receiver'];
$sendto = $object->client->contact_get_email(GETPOST('receiver','alpha'));
$sendtoid = GETPOST('receiver','alpha');
}
}
@ -514,15 +514,15 @@ if ($action == 'send' && ! $_POST['cancel'] && (empty($conf->global->MAIN_USE_AD
{
$langs->load("commercial");
$from = $_POST['fromname'] . ' <' . $_POST['frommail'] .'>';
$replyto = $_POST['replytoname']. ' <' . $_POST['replytomail'].'>';
$message = $_POST['message'];
$sendtocc = $_POST['sendtocc'];
$deliveryreceipt = $_POST['deliveryreceipt'];
$from = GETPOST('fromname','alpha') . ' <' . GETPOST('frommail','alpha') .'>';
$replyto = GETPOST('replytoname','alpha'). ' <' . GETPOST('replytomail','alpha').'>';
$message = GETPOST('message','alpha');
$sendtocc = GETPOST('sendtocc','alpha');
$deliveryreceipt = GETPOST('deliveryreceipt','alpha');
if ($action == 'send')
{
if (strlen($_POST['subject'])) $subject = $_POST['subject'];
if (strlen(GETPOST('subject','alphs'))) $subject = GETPOST('subject','alpha');
else $subject = $langs->transnoentities('Intervention').' '.$object->ref;
$actiontypecode='AC_FICH';
$actionmsg = $langs->transnoentities('MailSentBy').' '.$from.' '.$langs->transnoentities('To').' '.$sendto.".\n";
@ -695,7 +695,7 @@ if ($action == 'create')
$langs->load("project");
print '<tr><td valign="top">'.$langs->trans("Project").'</td><td>';
$numprojet=select_projects($soc->id,$_POST["projectid"],'projectid');
$numprojet=select_projects($soc->id,GETPOST('projectid','int'),'projectid');
if ($numprojet==0)
{
print ' &nbsp; <a href="'.DOL_DOCUMENT_ROOT.'/projet/fiche.php?socid='.$soc->id.'&action=create">'.$langs->trans("AddProject").'</a>';
@ -796,7 +796,7 @@ else if ($id > 0 || ! empty($ref))
// Confirmation de la suppression d'une ligne d'intervention
if ($action == 'ask_deleteline')
{
$ret=$form->form_confirm($_SERVER["PHP_SELF"].'?id='.$object->id.'&line_id='.$_GET["line_id"], $langs->trans('DeleteInterventionLine'), $langs->trans('ConfirmDeleteInterventionLine'), 'confirm_deleteline','',0,1);
$ret=$form->form_confirm($_SERVER["PHP_SELF"].'?id='.$object->id.'&line_id='.GETPOST('line_id','int'), $langs->trans('DeleteInterventionLine'), $langs->trans('ConfirmDeleteInterventionLine'), 'confirm_deleteline','',0,1);
if ($ret == 'html') print '<br>';
}
@ -908,7 +908,7 @@ else if ($id > 0 || ! empty($ref))
$var=!$var;
// Ligne en mode visu
if ($action != 'editline' || $_GET['line_id'] != $objp->rowid)
if ($action != 'editline' || GETPOST('line_id','int') != $objp->rowid)
{
print '<tr '.$bc[$var].'>';
print '<td>';
@ -963,13 +963,13 @@ else if ($id > 0 || ! empty($ref))
}
// Ligne en mode update
if ($object->statut == 0 && $action == 'editline' && $user->rights->ficheinter->creer && $_GET["line_id"] == $objp->rowid)
if ($object->statut == 0 && $action == 'editline' && $user->rights->ficheinter->creer && GETPOST('line_id','int') == $objp->rowid)
{
print '<form action="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'#'.$objp->rowid.'" method="post">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="updateline">';
print '<input type="hidden" name="id" value="'.$object->id.'">';
print '<input type="hidden" name="line_id" value="'.$_GET["line_id"].'">';
print '<input type="hidden" name="line_id" value="'.GETPOST('line_id','int').'">';
print '<tr '.$bc[$var].'>';
print '<td>';
print '<a name="'.$objp->rowid.'"></a>'; // ancre pour retourner sur la ligne
@ -1031,21 +1031,21 @@ else if ($id > 0 || ! empty($ref))
print '<td>';
// editeur wysiwyg
require_once(DOL_DOCUMENT_ROOT."/core/class/doleditor.class.php");
$doleditor=new DolEditor('np_desc',$_POST["np_desc"],'',100,'dolibarr_details','',false,true,$conf->global->FCKEDITOR_ENABLE_DETAILS,ROWS_2,70);
$doleditor=new DolEditor('np_desc',GETPOST('np_desc','alpha'),'',100,'dolibarr_details','',false,true,$conf->global->FCKEDITOR_ENABLE_DETAILS,ROWS_2,70);
$doleditor->Create();
print '</td>';
// Date intervention
print '<td align="center" nowrap="nowrap">';
$timearray=dol_getdate(mktime());
if (empty($_POST['diday'])) $timewithnohour=dol_mktime(0,0,0,$timearray['mon'],$timearray['mday'],$timearray['year']);
else $timewithnohour=dol_mktime($_POST['dihour'],$_POST['dimin'],$_POST['disec'],$_POST['dimonth'],$_POST['diday'],$_POST['diyear']);
if (!GETPOST('diday','int')) $timewithnohour=dol_mktime(0,0,0,$timearray['mon'],$timearray['mday'],$timearray['year']);
else $timewithnohour=dol_mktime(GETPOST('dihour','int'),GETPOST('dimin','int'),GETPOST('disec','int'),GETPOST('dimonth','int'),GETPOST('diday','int'),GETPOST('diyear','int'));
$form->select_date($timewithnohour,'di',1,1,0,"addinter");
print '</td>';
// Duration
print '<td align="right">';
$form->select_duration('duration',(empty($_POST["durationhour"]) && empty($_POST["durationmin"]))?3600:(60*60*$_POST["durationhour"]+60*$_POST["durationmin"]));
$form->select_duration('duration',(!GETPOST('durationhour','int') && !GETPOST('durationmin','int'))?3600:(60*60*GETPOST('durationhour','int')+60*GETPOST('durationmin','int')));
print '</td>';
print '<td align="center" valign="middle" colspan="4"><input type="submit" class="button" value="'.$langs->trans('Add').'" name="addline"></td>';
@ -1191,7 +1191,7 @@ else if ($id > 0 || ! empty($ref))
$formmail->fromname = $user->getFullName($langs);
$formmail->frommail = $user->email;
$formmail->withfrom=1;
$formmail->withto=empty($_POST["sendto"])?1:$_POST["sendto"];
$formmail->withto=(!GETPOST('sendto','alpha'))?1:GETPOST('sendto','alpha');
$formmail->withtosocid=$societe->id;
$formmail->withtocc=1;
$formmail->withtoccsocid=0;
@ -1212,7 +1212,7 @@ else if ($id > 0 || ! empty($ref))
$formmail->param['returnurl']=$_SERVER["PHP_SELF"].'?id='.$object->id;
// Init list of files
if (! empty($_REQUEST["mode"]) && $_REQUEST["mode"]=='init')
if (GETPOST('mode','alpha')=='init')
{
$formmail->clear_attached_files();
$formmail->add_attached_files($file,$object->ref.'.pdf','application/pdf');

27
htdocs/fichinter/list.php
View File

@ -2,7 +2,7 @@
/* Copyright (C) 2002-2003 Rodolphe Quiedeville <rodolphe@quiedeville.org>
* Copyright (C) 2004-2011 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2005-2009 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2011 Juanjo Menent <jmenent@2byte.es>
* Copyright (C) 2011-2012 Juanjo Menent <jmenent@2byte.es>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -32,22 +32,23 @@ require_once(DOL_DOCUMENT_ROOT."/core/lib/date.lib.php");
$langs->load("companies");
$langs->load("interventions");
$sortfield = GETPOST("sortfield",'alpha');
$sortorder = GETPOST("sortorder",'alpha');
$page = GETPOST("page",'int');
if ($page == -1) { $page = 0; }
$offset = $conf->liste_limit * $page;
$pageprev = $page - 1;
$pagenext = $page + 1;
$socid=GETPOST('socid','int');
$page=GETPOST("page");
// Security check
$fichinterid = GETPOST('id','int');
if ($user->societe_id) $socid=$user->societe_id;
$result = restrictedArea($user, 'ficheinter', $fichinterid,'fichinter');
$sortfield = GETPOST('sortfield','alpha');
$sortorder = GETPOST('sortorder','alpha');
$page = GETPOST('page','int');
if ($page == -1) {
$page = 0;
}
$offset = $conf->liste_limit * $page;
$pageprev = $page - 1;
$pagenext = $page + 1;
if (! $sortorder) $sortorder="DESC";
if (! $sortfield) $sortfield="fd.date";
if ($page == -1) { $page = 0 ; }
@ -57,9 +58,9 @@ $offset = $limit * $page ;
$pageprev = $page - 1;
$pagenext = $page + 1;
$search_ref=GETPOST("search_ref");
$search_company=GETPOST("search_company");
$search_desc=GETPOST("search_desc");
$search_ref=GETPOST('search_ref','alpha');
$search_company=GETPOST('search_company','alpha');
$search_desc=GETPOST('search_desc','alpha');
/*

10
htdocs/fichinter/note.php
View File

@ -1,6 +1,6 @@
<?php
/* Copyright (C) 2005-2009 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2011 Juanjo Menent <jmenent@2byte.es>
* Copyright (C) 2011-2012 Juanjo Menent <jmenent@2byte.es>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -30,7 +30,7 @@ $langs->load('companies');
$langs->load("interventions");
$fichinterid = GETPOST('id','int');
$action=GETPOST("action");
$action=GETPOST('action','alpha');
// Security check
if ($user->societe_id) $socid=$user->societe_id;
@ -48,7 +48,7 @@ if ($action == 'update_public' && $user->rights->ficheinter->creer)
$db->begin();
$res=$fichinter->update_note_public(GETPOST("note_public"),$user);
$res=$fichinter->update_note_public(GETPOST('note_public','alpha'),$user);
if ($res < 0)
{
$mesg='<div class="error">'.$fichinter->error.'</div>';
@ -67,7 +67,7 @@ if ($action == 'update' && $user->rights->ficheinter->creer)
$db->begin();
$res=$fichinter->update_note(GETPOST("note_private"),$user);
$res=$fichinter->update_note(GETPOST('note_private','alpha'),$user);
if ($res < 0)
{
$mesg='<div class="error">'.$fichinter->error.'</div>';
@ -157,7 +157,7 @@ if ($fichinterid)
*/
print '<div class="tabsAction">';
if ($user->rights->ficheinter->creer && GETPOST("action") <> 'edit')
if ($user->rights->ficheinter->creer && $action <> 'edit')
{
print '<a class="butAction" href="note.php?id='.$fichinter->id.'&amp;action=edit">'.$langs->trans('Modify').'</a>';
}