Fix #yogosha5728

This commit is contained in:
Laurent Destailleur 2021-03-24 18:57:23 +01:00
parent 5f8599ebc9
commit 86c7ab922a
3 changed files with 39 additions and 32 deletions


@ -1141,7 +1141,7 @@ class Adherent extends CommonObject
$this->db->begin();
// If user is linked to this member, remove old link to this member
$sql = "UPDATE ".MAIN_DB_PREFIX."user SET fk_member = NULL WHERE fk_member = ".$this->id;
$sql = "UPDATE ".MAIN_DB_PREFIX."user SET fk_member = NULL WHERE fk_member = ".((int) $this->id);
dol_syslog(get_class($this)."::setUserId", LOG_DEBUG);
$resql = $this->db->query($sql);
if (!$resql) {
@ -1152,7 +1152,7 @@ class Adherent extends CommonObject
// Set link to user
if ($userid > 0) {
$sql = "UPDATE ".MAIN_DB_PREFIX."user SET fk_member = ".$this->id;
$sql = "UPDATE ".MAIN_DB_PREFIX."user SET fk_member = ".((int) $this->id);
$sql .= " WHERE rowid = ".$userid;
dol_syslog(get_class($this)."::setUserId", LOG_DEBUG);
$resql = $this->db->query($sql);
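Review bot: `$userid` is still concatenated into the statement unescaped on the line right after the new cast, `$sql .= " WHERE rowid = ".$userid;`, while the commit only hardens `$this->id`. The method's own parameter deserves the same treatment, `$sql .= " WHERE rowid = ".((int) $userid);`, so that setUserId does not rely on every caller having sanitised the value (the card page in this commit now passes GETPOST("userid", 'int'), but other callers are not visible here). The surrounding guard `if ($userid > 0)` already implies a numeric value, so the cast changes nothing for valid input. setUserId's signature and the rest of its body lie outside the hunk.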


@ -44,6 +44,7 @@ $action = GETPOST('action', 'aZ09');
$confirm = GETPOST('confirm', 'alpha');
$rowid = GETPOST('rowid', 'int') ?GETPOST('rowid', 'int') : GETPOST('id', 'int');
$typeid = GETPOST('typeid', 'int');
$cancel = GETPOST('cancel');
// Load variable for pagination
$limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
@ -148,19 +149,18 @@ if (empty($reshook) && $action == 'confirm_create_thirdparty' && $confirm == 'ye
if (empty($reshook) && $action == 'setuserid' && ($user->rights->user->self->creer || $user->rights->user->user->creer)) {
$error = 0;
if (empty($user->rights->user->user->creer)) { // If can edit only itself user, we can link to itself only
if ($_POST["userid"] != $user->id && $_POST["userid"] != $object->user_id) {
if (GETPOST("userid", 'int') != $user->id && GETPOST("userid", 'int') != $object->user_id) {
$error++;
setEventMessages($langs->trans("ErrorUserPermissionAllowsToLinksToItselfOnly"), null, 'errors');
}
}
if (!$error) {
if ($_POST["userid"] != $object->user_id) { // If link differs from currently in database
$result = $object->setUserId($_POST["userid"]);
if (GETPOST("userid", 'int') != $object->user_id) { // If link differs from currently in database
$result = $object->setUserId(GETPOST("userid", 'int'));
if ($result < 0) {
dol_print_error('', $object->error);
}
$_POST['action'] = '';
$action = '';
}
}
@ -190,14 +190,13 @@ if (empty($reshook) && $action == 'setsocid') {
if ($result < 0) {
dol_print_error('', $object->error);
}
$_POST['action'] = '';
$action = '';
}
}
}
}
if ($user->rights->adherent->cotisation->creer && $action == 'subscription' && !$_POST["cancel"]) {
if ($user->rights->adherent->cotisation->creer && $action == 'subscription' && !$cancel) {
$error = 0;
$langs->load("banks");
@ -209,25 +208,25 @@ if ($user->rights->adherent->cotisation->creer && $action == 'subscription' && !
$datesubscription = 0;
$datesubend = 0;
$paymentdate = 0;
if ($_POST["reyear"] && $_POST["remonth"] && $_POST["reday"]) {
$datesubscription = dol_mktime(0, 0, 0, $_POST["remonth"], $_POST["reday"], $_POST["reyear"]);
if (GETPOST("reyear", "int") && GETPOST("remonth", "int") && GETPOST("reday", "int")) {
$datesubscription = dol_mktime(0, 0, 0, GETPOST("remonth", "int"), GETPOST("reday", "int"), GETPOST("reyear", "int"));
}
if ($_POST["endyear"] && $_POST["endmonth"] && $_POST["endday"]) {
$datesubend = dol_mktime(0, 0, 0, $_POST["endmonth"], $_POST["endday"], $_POST["endyear"]);
if (GETPOST("endyear", 'int') && GETPOST("endmonth", 'int') && GETPOST("endday", 'int')) {
$datesubend = dol_mktime(0, 0, 0, GETPOST("endmonth", 'int'), GETPOST("endday", 'int'), GETPOST("endyear", 'int'));
}
if ($_POST["paymentyear"] && $_POST["paymentmonth"] && $_POST["paymentday"]) {
$paymentdate = dol_mktime(0, 0, 0, $_POST["paymentmonth"], $_POST["paymentday"], $_POST["paymentyear"]);
if (GETPOST("paymentyear", 'int') && GETPOST("paymentmonth", 'int') && GETPOST("paymentday", 'int')) {
$paymentdate = dol_mktime(0, 0, 0, GETPOST("paymentmonth", 'int'), GETPOST("paymentday", 'int'), GETPOST("paymentyear", 'int'));
}
$amount = price2num(GETPOST("subscription", 'alpha')); // Amount of subscription
$label = $_POST["label"];
$label = GETPOST("label");
// Payment informations
$accountid = $_POST["accountid"];
$operation = $_POST["operation"]; // Payment mode
$accountid = GETPOST("accountid", 'int');
$operation = GETPOST("operation", "alphanohtml"); // Payment mode
$num_chq = GETPOST("num_chq", "alphanohtml");
$emetteur_nom = $_POST["chqemetteur"];
$emetteur_banque = $_POST["chqbank"];
$option = $_POST["paymentsave"];
$emetteur_nom = GETPOST("chqemetteur");
$emetteur_banque = GETPOST("chqbank");
$option = GETPOST("paymentsave");
if (empty($option)) {
$option = 'none';
}
@ -267,19 +266,19 @@ if ($user->rights->adherent->cotisation->creer && $action == 'subscription' && !
$error++;
$action = 'addsubscription';
} else {
if (!empty($conf->banque->enabled) && $_POST["paymentsave"] != 'none') {
if ($_POST["subscription"]) {
if (!$_POST["label"]) {
if (!empty($conf->banque->enabled) && GETPOST("paymentsave") != 'none') {
if (GETPOST("subscription")) {
if (!GETPOST("label")) {
$errmsg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("Label"));
}
if ($_POST["paymentsave"] != 'invoiceonly' && !$_POST["operation"]) {
if (GETPOST("paymentsave") != 'invoiceonly' && !GETPOST("operation")) {
$errmsg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("PaymentMode"));
}
if ($_POST["paymentsave"] != 'invoiceonly' && !($_POST["accountid"] > 0)) {
if (GETPOST("paymentsave") != 'invoiceonly' && !(GETPOST("accountid", 'int') > 0)) {
$errmsg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("FinancialAccount"));
}
} else {
if ($_POST["accountid"]) {
if (GETPOST("accountid")) {
$errmsg = $langs->trans("ErrorDoNotProvideAccountsIfNullAmount");
}
}
@ -453,7 +452,8 @@ if ($optioncss != '') {
if ($rowid > 0) {
$res = $object->fetch($rowid);
if ($res < 0) {
dol_print_error($db, $object->error); exit;
dol_print_error($db, $object->error);
exit;
}
$adht->fetch($object->typeid);
@ -847,7 +847,7 @@ if ($rowid > 0) {
});
';
if (GETPOST('paymentsave')) {
print '$("#'.GETPOST('paymentsave').'").prop("checked",true);';
print '$("#'.GETPOST('paymentsave', 'aZ09').'").prop("checked", true);';
}
print '});';
print '</script>'."\n";
@ -1038,6 +1038,7 @@ if ($rowid > 0) {
// Bank account
print '<tr class="bankswitchclass"><td class="fieldrequired">'.$langs->trans("FinancialAccount").'</td><td>';
print img_picto('', 'bank_account');
$form->select_comptes(GETPOST('accountid'), 'accountid', 0, '', 2);
print "</td></tr>\n";
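Review bot: Several parameters are read with no explicit check type in the new code (`label`, `chqemetteur`, `chqbank`, `paymentsave`, and `accountid` both in the `else` branch and in the newly added `select_comptes` call), while the same names are read elsewhere in this commit with 'int' or 'aZ09'. Whether the untyped form is safe depends on GETPOST's default check, which is not visible on this page; reading each parameter with one explicit type at every call site removes that dependency and the drift between readings, e.g. `$form->select_comptes(GETPOST('accountid', 'int'), 'accountid', 0, '', 2);` and `GETPOST("paymentsave", 'aZ09')` wherever it is compared with 'none' or 'invoiceonly'. The 'aZ09' restriction used for the value printed into the jQuery selector is the right one for that context, and applying the same check in the action handler keeps the two readings of `paymentsave` consistent.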


@ -747,8 +747,11 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
if (!is_array($out)) {
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
// '../' is dangerous because it allows dir transversals
$out = str_replace(array('&quot;', '"'), '', trim($out));
$out = str_replace(array('../'), '', $out);
$out = trim($out);
do {
$oldstringtoclean = $out;
$out = str_ireplace(array('&quot;', '"', '../'), '', $out);
} while ($oldstringtoclean != $out);
// keep lines feed
$out = dol_string_nohtmltag($out, 0);
}
@ -757,8 +760,11 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
if (!is_array($out)) {
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
// '../' is dangerous because it allows dir transversals
$out = str_replace(array('&quot;', '"'), '', trim($out));
$out = str_replace(array('../'), '', $out);
$out = trim($out);
do {
$oldstringtoclean = $out;
$out = str_ireplace(array('&quot;', '"', '../'), '', $out);
} while ($oldstringtoclean != $out);
}
break;
case 'restricthtml': // Recommended for most html textarea
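Review bot: The new fixed-point loop is pasted verbatim into both hunks of checkVal (this one and the one at `@ -747,8 +747,11`), so the list of stripped tokens now has to be kept in sync in two places; a small private helper that takes `$out` and returns the cleaned string would keep it in one. Inside the loop, `while ($oldstringtoclean != $out)` compares the strings loosely; `} while ($oldstringtoclean !== $out);` is the strict form and leaves no room for numeric-string coercion to decide termination. A short comment above the loop would also help the next reader, e.g. `// Repeat until stable so a token reassembled by an earlier removal (e.g. '.&quot;./' becoming '../') is stripped too`. checkVal begins and ends outside this hunk.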