From cea781a711caac5d96ff33c1e15a6414f4a41443 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Tue, 27 Sep 2022 16:21:55 +0200
Subject: [PATCH 1/4] FIX CSRF + lost value of constant after use save button
---
 htdocs/admin/ticket_public.php | 67 +++++++++++++++++-----------------
 1 file changed, 34 insertions(+), 33 deletions(-)
diff --git a/htdocs/admin/ticket_public.php b/htdocs/admin/ticket_public.php
index a0df28a8f84..622a8aaf927 100644
--- a/htdocs/admin/ticket_public.php
+++ b/htdocs/admin/ticket_public.php
@@ -150,44 +150,45 @@ if ($action == 'setTICKET_ENABLE_PUBLIC_INTERFACE') { $error++; $errors[] = $db->lasterror(); } +} elseif (preg_match('/set_(.*)/', $action, $reg)) { + $code = $reg[1]; + $value = GETPOSTISSET($code) ? GETPOST($code, 'int') : 1; - if ($conf->global->MAIN_FEATURES_LEVEL >= 2) { + if ($code == 'TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS' && $conf->global->MAIN_FEATURES_LEVEL >= 2) { $param_notification_also_main_addressemail = GETPOST('TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS', 'alpha'); $res = dolibarr_set_const($db, 'TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS', $param_notification_also_main_addressemail, 'chaine', 0, '', $conf->entity); if (!($res > 0)) { $error++; $errors[] = $db->lasterror(); } - } -} elseif (preg_match('/set_(.*)/', $action, $reg)) { - $code = $reg[1]; - $value = GETPOSTISSET($code) ? GETPOST($code, 'int') : 1; - $res = dolibarr_set_const($db, $code, $value, 'chaine', 0, '', $conf->entity); - if (!($res > 0)) { - $error++; - $errors[] = $db->lasterror(); - } + } else { + $res = dolibarr_set_const($db, $code, $value, 'chaine', 0, '', $conf->entity); + if (!($res > 0)) { + $error++; + $errors[] = $db->lasterror(); + } - if (!$error) { - if ($code == 'TICKET_EMAIL_MUST_EXISTS') { - $res = dolibarr_del_const($db, 'TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST', $conf->entity); - if (!($res > 0)) { - $error++; - $errors[] = $db->lasterror(); - } - } elseif ($code == 'TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST') { - $res = dolibarr_del_const($db, 'TICKET_EMAIL_MUST_EXISTS', $conf->entity); - if (!($res > 0)) { - $error++; - $errors[] = $db->lasterror(); - } + if (!$error) { + if ($code == 'TICKET_EMAIL_MUST_EXISTS') { + $res = dolibarr_del_const($db, 'TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST', $conf->entity); + if (!($res > 0)) { + $error++; + $errors[] = $db->lasterror(); + } + } elseif ($code == 'TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST') { + $res = dolibarr_del_const($db, 'TICKET_EMAIL_MUST_EXISTS', 
$conf->entity); + if (!($res > 0)) { + $error++; + $errors[] = $db->lasterror(); + } - // enable captcha by default - // TODO Add a visible option in this setup page for this - $res = dolibarr_set_const($db, 'MAIN_SECURITY_ENABLECAPTCHA_TICKET', 1, 'chaine', 0, '', $conf->entity); - if (!($res > 0)) { - $error++; - $errors[] = $db->lasterror(); + // enable captcha by default + // TODO Add a visible option in this setup page for this + $res = dolibarr_set_const($db, 'MAIN_SECURITY_ENABLECAPTCHA_TICKET', 1, 'chaine', 0, '', $conf->entity); + if (!($res > 0)) { + $error++; + $errors[] = $db->lasterror(); + } } } } @@ -276,9 +277,9 @@ if (!empty($conf->global->TICKET_ENABLE_PUBLIC_INTERFACE)) { print ''.$langs->trans("TicketsEmailMustExist").''; print ''; if (empty(getDolGlobalInt('TICKET_EMAIL_MUST_EXISTS'))) { - print '' . img_picto($langs->trans('Disabled'), 'switch_off') . ''; + print '' . img_picto($langs->trans('Disabled'), 'switch_off') . ''; } else { - print '' . img_picto($langs->trans('Enabled'), 'switch_on') . ''; + print '' . img_picto($langs->trans('Enabled'), 'switch_on') . ''; } print ''; print ''; @@ -290,9 +291,9 @@ if (!empty($conf->global->TICKET_ENABLE_PUBLIC_INTERFACE)) { print ''.$langs->trans("TicketCreateThirdPartyWithContactIfNotExist").''; print ''; if (empty(getDolGlobalInt('TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST'))) { - print '' . img_picto($langs->trans('Disabled'), 'switch_off') . ''; + print '' . img_picto($langs->trans('Disabled'), 'switch_off') . ''; } else { - print '' . img_picto($langs->trans('Enabled'), 'switch_on') . ''; + print '' . img_picto($langs->trans('Enabled'), 'switch_on') . ''; } print ''; print ''; From d4ad93a94d9309f996663b8de24d6367c3594572 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Tue, 27 Sep 2022 16:33:54 +0200 Subject: [PATCH 2/4] TODO Add a visible option for captcha for ticket --- htdocs/core/class/html.formticket.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
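Review bot: In the new `elseif (preg_match('/set_(.*)/', $action, $reg))` branch of htdocs/admin/ticket_public.php, the `MAIN_FEATURES_LEVEL >= 2` guard on `TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS` only changes how the value is read: below level 2 the request falls through to the generic `else` and still writes that constant with `$value` (`GETPOST($code, 'int')` or `1`), so the guard does not withhold the experimental setting. If the intent is to refuse it at lower levels, add a branch before the generic one, `} elseif ($code == 'TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS') { $error++; } else {`, or drop the level check and rely on the page not rendering the control. The same shape is repeated in patch 4 for htdocs/admin/ticket.php (`@@ -81,6 +81,27 @@`) and again for this file (`@@ -150,24 +150,30 @@`). The `if ($action == 'setTICKET_ENABLE_PUBLIC_INTERFACE')` chain this branch belongs to starts before the hunk.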
diff --git a/htdocs/core/class/html.formticket.class.php b/htdocs/core/class/html.formticket.class.php index 341c21e06f0..281bf927944 100644 --- a/htdocs/core/class/html.formticket.class.php +++ b/htdocs/core/class/html.formticket.class.php @@ -426,7 +426,7 @@ class FormTicket $doleditor->Create(); print ''; - if ($public && !empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA)) { + if ($public && (!empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA) || !empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA_TICKET))) { require_once DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php'; print ''; print ''; From aafecb6d2bd69c946baa96bf302275dce1bb1c1f Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Tue, 27 Sep 2022 17:08:08 +0200 Subject: [PATCH 3/4] FIX missing the management of a constant in the Ticket config --- htdocs/admin/ticket_public.php | 32 +++++++++++++++------ htdocs/core/class/html.formticket.class.php | 2 +- htdocs/core/modules/modTicket.class.php | 3 +- htdocs/langs/en_US/ticket.lang | 2 ++ htdocs/public/ticket/create_ticket.php | 2 +- 5 files changed, 30 insertions(+), 11 deletions(-) diff --git a/htdocs/admin/ticket_public.php b/htdocs/admin/ticket_public.php index 622a8aaf927..4a6d405df03 100644 --- a/htdocs/admin/ticket_public.php +++ b/htdocs/admin/ticket_public.php @@ -181,14 +181,6 @@ if ($action == 'setTICKET_ENABLE_PUBLIC_INTERFACE') { $error++; $errors[] = $db->lasterror(); } - - // enable captcha by default - // TODO Add a visible option in this setup page for this - $res = dolibarr_set_const($db, 'MAIN_SECURITY_ENABLECAPTCHA_TICKET', 1, 'chaine', 0, '', $conf->entity); - if (!($res > 0)) { - $error++; - $errors[] = $db->lasterror(); - } } } } 
@@ -273,6 +265,30 @@ if (!empty($conf->global->TICKET_ENABLE_PUBLIC_INTERFACE)) { print ''; print ''; + // Enable Captcha code + print ''; + print ''.$langs->trans("TicketUseCaptchaCode").''; + print ''; + if (function_exists("imagecreatefrompng")) { + if (!empty($conf->use_javascript_ajax)) { + print ajax_constantonoff('MAIN_SECURITY_ENABLECAPTCHA_TICKET'); + } else { + if (empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA_TICKET)) { + print ''.img_picto($langs->trans("Disabled"), 'off').''; + } else { + print ''.img_picto($langs->trans("Enabled"), 'on').''; + } + } + } else { + $desc = $form->textwithpicto('', $langs->transnoentities("EnableGDLibraryDesc"), 1, 'warning'); + print $desc; + } + print ''; + print ''; + print $form->textwithpicto('', $langs->trans("TicketUseCaptchaCodeHelp"), 1, 'help'); + print ''; + print ''; + // Check if email exists print ''.$langs->trans("TicketsEmailMustExist").''; print ''; diff --git a/htdocs/core/class/html.formticket.class.php b/htdocs/core/class/html.formticket.class.php index 281bf927944..b5ba0b0208e 100644 --- a/htdocs/core/class/html.formticket.class.php +++ b/htdocs/core/class/html.formticket.class.php @@ -426,7 +426,7 @@ class FormTicket $doleditor->Create(); print ''; - if ($public && (!empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA) || !empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA_TICKET))) { + if ($public && !empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA_TICKET)) { require_once DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php'; print ''; print ''; diff --git a/htdocs/core/modules/modTicket.class.php b/htdocs/core/modules/modTicket.class.php index 13967fc4096..18f0d368cfd 100644 --- a/htdocs/core/modules/modTicket.class.php +++ b/htdocs/core/modules/modTicket.class.php 
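Review bot: The `function_exists("imagecreatefrompng")` check in the new captcha row of htdocs/admin/ticket_public.php only decides what is rendered; it does not stop `MAIN_SECURITY_ENABLECAPTCHA_TICKET` from being enabled on a host without GD (through the `set_` action handled earlier in this file, or by the module default), after which htdocs/public/ticket/create_ticket.php would require a code that presumably cannot be drawn. The enable path should refuse the value when GD is missing, e.g. in the `set_` handler: `if ($code == 'MAIN_SECURITY_ENABLECAPTCHA_TICKET' && !function_exists('imagecreatefrompng')) { $error++; $errors[] = $langs->trans("EnableGDLibraryDesc"); }`. The `if (!empty($conf->global->TICKET_ENABLE_PUBLIC_INTERFACE))` block holding this row starts and ends outside the hunk.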
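Review bot: Replacing the `MAIN_SECURITY_ENABLECAPTCHA || MAIN_SECURITY_ENABLECAPTCHA_TICKET` condition in htdocs/core/class/html.formticket.class.php with the ticket-specific constant alone means an installation that currently relies on the global `MAIN_SECURITY_ENABLECAPTCHA` loses the captcha on the public ticket form after upgrade until an admin turns the new option on, because nothing in this series copies the old value over (the module default in htdocs/core/modules/modTicket.class.php reads the new constant itself). The validation side in htdocs/public/ticket/create_ticket.php (`@@ -218,7 +218,7 @@`) is changed the same way, so display and check stay consistent, which is the property to keep; the migration gap is what needs handling. The smallest fix is to seed the module constant from the global one, or to keep the OR for one release with a comment noting the deprecation of the global flag for this form. The enclosing method of class FormTicket starts and ends outside the hunk.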
@@ -117,7 +117,8 @@ class modTicket extends DolibarrModules 9 => array('TICKET_NOTIFICATION_EMAIL_FROM', 'chaine', getDolGlobalString('MAIN_MAIL_EMAIL_FROM'), 'Email to use by default as sender for messages sent from Dolibarr', 0), 10 => array('TICKET_MESSAGE_MAIL_INTRO', 'chaine', $langs->trans('TicketMessageMailIntroText'), 'Introduction text of ticket replies sent from Dolibarr', 0), 11 => array('TICKET_MESSAGE_MAIL_SIGNATURE', 'chaine', $default_signature, 'Signature to use by default for messages sent from Dolibarr', 0), - 12 => array('MAIN_EMAILCOLLECTOR_MAIL_WITHOUT_HEADER', 'chaine', "1", 'Disable the rendering of headers in tickets', 0) + 12 => array('MAIN_EMAILCOLLECTOR_MAIL_WITHOUT_HEADER', 'chaine', "1", 'Disable the rendering of headers in tickets', 0), + 13 => array('MAIN_SECURITY_ENABLECAPTCHA_TICKET', 'chaine', getDolGlobalInt('MAIN_SECURITY_ENABLECAPTCHA_TICKET'), 'Enable captcha code by default', 0) ); diff --git a/htdocs/langs/en_US/ticket.lang b/htdocs/langs/en_US/ticket.lang index 3e252e407e4..1fe2e5b8a6e 100644 --- a/htdocs/langs/en_US/ticket.lang +++ b/htdocs/langs/en_US/ticket.lang @@ -149,6 +149,8 @@ TicketsAutoNotifyCloseHelp=When closing a ticket, you will be proposed to send a TicketWrongContact=Provided contact is not part of current ticket contacts. Email not sent. TicketChooseProductCategory=Product category for ticket support TicketChooseProductCategoryHelp=Select the product category of ticket support. This will be used to automatically link a contract to a ticket. +TicketUseCaptchaCode=Use graphical code (CAPTCHA) when creating a ticket +TicketUseCaptchaCodeHelp=Adds CAPTCHA verification when creating a new ticket. # # Index & list page diff --git a/htdocs/public/ticket/create_ticket.php b/htdocs/public/ticket/create_ticket.php index 669c5e8d512..9ea689ec76c 100644 --- a/htdocs/public/ticket/create_ticket.php +++ b/htdocs/public/ticket/create_ticket.php 
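Review bot: The new default `13 => array('MAIN_SECURITY_ENABLECAPTCHA_TICKET', 'chaine', getDolGlobalInt('MAIN_SECURITY_ENABLECAPTCHA_TICKET'), ...)` in htdocs/core/modules/modTicket.class.php reads the very constant it is defining, so on a fresh activation it evaluates to `0` and the description `'Enable captcha code by default'` does not describe what happens; the public form then ships without a captcha unless an admin enables it. Seed it from the existing global so an upgrade preserves behaviour, `getDolGlobalInt('MAIN_SECURITY_ENABLECAPTCHA_TICKET', getDolGlobalInt('MAIN_SECURITY_ENABLECAPTCHA'))`, or use a literal `1` if captcha is genuinely meant to be on by default, and adjust the description to match. The constants array this entry belongs to starts before the hunk.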
@@ -218,7 +218,7 @@ if (empty($reshook)) { } // Check Captcha code if is enabled - if (!empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA) || !empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA_TICKET)) { + if (!empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA_TICKET)) { $sessionkey = 'dol_antispam_value'; $ok = (array_key_exists($sessionkey, $_SESSION) === true && (strtolower($_SESSION[$sessionkey]) === strtolower(GETPOST('code', 'restricthtml')))); if (!$ok) { From 50fe00ecd81116c5764163a3a74d2955645c36ef Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Tue, 27 Sep 2022 17:40:56 +0200 Subject: [PATCH 4/4] FIX compatibility if javascript not actived --- htdocs/admin/ticket.php | 57 ++++++++++++++++++++++++---------- htdocs/admin/ticket_public.php | 18 +++++++---- 2 files changed, 53 insertions(+), 22 deletions(-) diff --git a/htdocs/admin/ticket.php b/htdocs/admin/ticket.php index 99d1b34749f..28c9656d84d 100644 --- a/htdocs/admin/ticket.php +++ b/htdocs/admin/ticket.php 
@@ -81,6 +81,27 @@ if ($action == 'updateMask') { dolibarr_del_const($db, 'TICKET_ADDON_PDF', $conf->entity); } } +} elseif (preg_match('/set_(.*)/', $action, $reg)) { + $code = $reg[1]; + $value = GETPOSTISSET($code) ? GETPOST($code, 'int') : 1; + if ($code == 'TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS' && $conf->global->MAIN_FEATURES_LEVEL >= 2) { + $param_notification_also_main_addressemail = GETPOST('TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS', 'alpha'); + $res = dolibarr_set_const($db, 'TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS', $param_notification_also_main_addressemail, 'chaine', 0, '', $conf->entity); + if (!($res > 0)) { + $error++; + } + } else { + $res = dolibarr_set_const($db, $code, $value, 'chaine', 0, '', $conf->entity); + if (!($res > 0)) { + $error++; + } + } +} elseif (preg_match('/del_(.*)/', $action, $reg)) { + $code = $reg[1]; + $res = dolibarr_del_const($db, $code, $conf->entity); + if (!($res > 0)) { + $error++; + } } elseif ($action == 'setdoc') { // Set default model if (dolibarr_set_const($db, "TICKET_ADDON_PDF", $value, 'chaine', 0, '', $conf->entity)) { 
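Review bot: The new `set_(.*)` and `del_(.*)` handlers in htdocs/admin/ticket.php take the constant name straight from `$action`, so any constant reachable under this page's permission can be written (to an int or `1`) or deleted, not only the ticket options the page manages; the patterns are also unanchored, so an action merely containing `set_` matches. Anchor them and restrict `$code` to the constants this page owns, e.g. `preg_match('/^set_(.*)$/', $action, $reg)` followed by `if (!in_array($code, $ticketConstants, true)) { $error++; }` with `$ticketConstants` listing the `TICKET_*` keys used in the `setvarworkflow`/`setvar` branches below. The `MAIN_FEATURES_LEVEL >= 2` guard has the same fall-through as in htdocs/admin/ticket_public.php: below level 2 `TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS` is still written by the generic `else`. The `if ($action == 'updateMask')` chain this joins starts before the hunk.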
@@ -100,16 +121,25 @@ if ($action == 'updateMask') { dolibarr_set_const($db, "TICKET_ADDON", $value, 'chaine', 0, '', $conf->entity); } elseif ($action == 'setvarworkflow') { - $param_auto_read = GETPOST('TICKET_AUTO_READ_WHEN_CREATED_FROM_BACKEND', 'alpha'); - $res = dolibarr_set_const($db, 'TICKET_AUTO_READ_WHEN_CREATED_FROM_BACKEND', $param_auto_read, 'chaine', 0, '', $conf->entity); - if (!($res > 0)) { - $error++; - } + // For compatibility when javascript is not enabled + if (empty($conf->use_javascript_ajax)) { + $param_auto_read = GETPOST('TICKET_AUTO_READ_WHEN_CREATED_FROM_BACKEND', 'alpha'); + $res = dolibarr_set_const($db, 'TICKET_AUTO_READ_WHEN_CREATED_FROM_BACKEND', $param_auto_read, 'chaine', 0, '', $conf->entity); + if (!($res > 0)) { + $error++; + } - $param_auto_assign = GETPOST('TICKET_AUTO_ASSIGN_USER_CREATE', 'alpha'); - $res = dolibarr_set_const($db, 'TICKET_AUTO_ASSIGN_USER_CREATE', $param_auto_assign, 'chaine', 0, '', $conf->entity); - if (!($res > 0)) { - $error++; + $param_auto_assign = GETPOST('TICKET_AUTO_ASSIGN_USER_CREATE', 'alpha'); + $res = dolibarr_set_const($db, 'TICKET_AUTO_ASSIGN_USER_CREATE', $param_auto_assign, 'chaine', 0, '', $conf->entity); + if (!($res > 0)) { + $error++; + } + + $param_auto_notify_close = GETPOST('TICKET_NOTIFY_AT_CLOSING', 'alpha'); + $res = dolibarr_set_const($db, 'TICKET_NOTIFY_AT_CLOSING', $param_auto_notify_close, 'chaine', 0, '', $conf->entity); + if (!($res > 0)) { + $error++; + } } $param_limit_view = GETPOST('TICKET_LIMIT_VIEW_ASSIGNED_ONLY', 'alpha'); @@ -137,12 +167,6 @@ if ($action == 'updateMask') { if (!($res > 0)) { $error++; } - - $param_auto_notify_close = GETPOST('TICKET_NOTIFY_AT_CLOSING', 'alpha'); - $res = dolibarr_set_const($db, 'TICKET_NOTIFY_AT_CLOSING', $param_auto_notify_close, 'chaine', 0, '', $conf->entity); - if (!($res > 0)) { - $error++; - } } elseif ($action == 'setvar') { include_once DOL_DOCUMENT_ROOT."/core/lib/files.lib.php"; 
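Review bot: Moving the three `dolibarr_set_const` calls under `if (empty($conf->use_javascript_ajax))` means that with the javascript setting on, a `setvarworkflow` submit no longer persists `TICKET_AUTO_READ_WHEN_CREATED_FROM_BACKEND`, `TICKET_AUTO_ASSIGN_USER_CREATE` and `TICKET_NOTIFY_AT_CLOSING`; this is only correct if the page renders those three as on/off toggles in that mode, which is outside the hunk and should be stated. `$conf->use_javascript_ajax` is presumably the Dolibarr-side setting rather than browser detection, so `// For compatibility when javascript is not enabled` undersells the dependency; suggest `// When the javascript setting is on, these three constants are saved by their on/off toggles, not by this form; the fields only exist in the non-javascript fallback`. The same split is made in `@@ -191,7 +215,8 @@` of this file and in htdocs/admin/ticket_public.php (`@@ -150,24 +150,30 @@`). The `setvarworkflow` branch continues past the end of the hunk.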
@@ -191,7 +215,8 @@ if ($action == 'updateMask') { $error++; } - if ($conf->global->MAIN_FEATURES_LEVEL >= 2) { + // For compatibility when javascript is not enabled + if ($conf->global->MAIN_FEATURES_LEVEL >= 2 && empty($conf->use_javascript_ajax)) { $param_notification_also_main_addressemail = GETPOST('TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS', 'alpha'); $res = dolibarr_set_const($db, 'TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS', $param_notification_also_main_addressemail, 'chaine', 0, '', $conf->entity); if (!($res > 0)) { diff --git a/htdocs/admin/ticket_public.php b/htdocs/admin/ticket_public.php index 4a6d405df03..c4b12852071 100644 --- a/htdocs/admin/ticket_public.php +++ b/htdocs/admin/ticket_public.php 
@@ -150,24 +150,30 @@ if ($action == 'setTICKET_ENABLE_PUBLIC_INTERFACE') { $error++; $errors[] = $db->lasterror(); } -} elseif (preg_match('/set_(.*)/', $action, $reg)) { - $code = $reg[1]; - $value = GETPOSTISSET($code) ? GETPOST($code, 'int') : 1; - if ($code == 'TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS' && $conf->global->MAIN_FEATURES_LEVEL >= 2) { + // For compatibility when javascript is not enabled + if ($conf->global->MAIN_FEATURES_LEVEL >= 2 && empty($conf->use_javascript_ajax)) { $param_notification_also_main_addressemail = GETPOST('TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS', 'alpha'); $res = dolibarr_set_const($db, 'TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS', $param_notification_also_main_addressemail, 'chaine', 0, '', $conf->entity); if (!($res > 0)) { $error++; $errors[] = $db->lasterror(); } + } +} elseif (preg_match('/set_(.*)/', $action, $reg)) { + $code = $reg[1]; + $value = GETPOSTISSET($code) ? GETPOST($code, 'int') : 1; + if ($code == 'TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS' && $conf->global->MAIN_FEATURES_LEVEL >= 2) { + $param_notification_also_main_addressemail = GETPOST('TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS', 'alpha'); + $res = dolibarr_set_const($db, 'TICKET_NOTIFICATION_ALSO_MAIN_ADDRESS', $param_notification_also_main_addressemail, 'chaine', 0, '', $conf->entity); + if (!($res > 0)) { + $error++; + } } else { $res = dolibarr_set_const($db, $code, $value, 'chaine', 0, '', $conf->entity); if (!($res > 0)) { $error++; - $errors[] = $db->lasterror(); } - if (!$error) { if ($code == 'TICKET_EMAIL_MUST_EXISTS') { $res = dolibarr_del_const($db, 'TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST', $conf->entity);