From 1b5bbf72fccfb17e5b95c05db84b23e807bd6298 Mon Sep 17 00:00:00 2001 From: Faustin Date: Wed, 23 Nov 2022 13:41:02 +0100 Subject: [PATCH 01/16] Limit partnership creation on public page by ip adress --- htdocs/langs/en_US/errors.lang | 13 ++++----- htdocs/langs/fr_FR/main.lang | 1 + .../partnership/class/partnership.class.php | 3 +++ htdocs/public/partnership/new.php | 27 +++++++++++++++++++ 4 files changed, 38 insertions(+), 6 deletions(-) diff --git a/htdocs/langs/en_US/errors.lang b/htdocs/langs/en_US/errors.lang index 1625f580305..7bcecfa4999 100644 --- a/htdocs/langs/en_US/errors.lang +++ b/htdocs/langs/en_US/errors.lang @@ -97,7 +97,7 @@ ErrorWrongValueForField=Field %s: '%s' does not match regex rule < ErrorHtmlInjectionForField=Field %s: The value '%s' contains a malicious data not allowed ErrorFieldValueNotIn=Field %s: '%s' is not a value found in field %s of %s ErrorFieldRefNotIn=Field %s: '%s' is not a %s existing ref -ErrorMultipleRecordFoundFromRef=Several record found when searching from ref %s. No way to know which ID to use. +ErrorMultipleRecordFoundFromRef=Several record found when searching from ref %s. No way to know which ID to use. ErrorsOnXLines=%s errors found ErrorFileIsInfectedWithAVirus=The antivirus program was not able to validate the file (file might be infected by a virus) ErrorNumRefModel=A reference exists into database (%s) and is not compatible with this numbering rule. Remove record or renamed reference to activate this module. 
@@ -244,11 +244,12 @@ ErrorObjectMustHaveStatusActiveToBeDisabled=Objects must have status 'Active' to ErrorObjectMustHaveStatusDraftOrDisabledToBeActivated=Objects must have status 'Draft' or 'Disabled' to be enabled ErrorNoFieldWithAttributeShowoncombobox=No fields has property 'showoncombobox' into definition of object '%s'. No way to show the combolist. ErrorFieldRequiredForProduct=Field '%s' is required for product %s +AlreadyTooMuchPostOnThisIPAdress=You have already posted too much on this IP address. ProblemIsInSetupOfTerminal=Problem is in setup of terminal %s. ErrorAddAtLeastOneLineFirst=Add at least one line first ErrorRecordAlreadyInAccountingDeletionNotPossible=Error, record is already transferred in accounting, deletion is not possible. ErrorLanguageMandatoryIfPageSetAsTranslationOfAnother=Error, language is mandatory if you set the page as a translation of another one. -ErrorLanguageOfTranslatedPageIsSameThanThisPage=Error, language of translated page is same than this one. +ErrorLanguageOfTranslatedPageIsSameThanThisPage=Error, language of translated page is same than this one. ErrorBatchNoFoundForProductInWarehouse=No lot/serial found for product "%s" in warehouse "%s". ErrorBatchNoFoundEnoughQuantityForProductInWarehouse=No enough quantity for this lot/serial for product "%s" in warehouse "%s". ErrorOnlyOneFieldForGroupByIsPossible=Only 1 field for the 'Group by' is possible (others are discarded) 
@@ -281,11 +282,11 @@ ErrorIsNotADraft=%s is not a draft ErrorExecIdFailed=Can't execute command "id" ErrorBadCharIntoLoginName=Unauthorized character in the login name ErrorRequestTooLarge=Error, request too large -ErrorNotApproverForHoliday=You are not the approver for leave %s +ErrorNotApproverForHoliday=You are not the approver for leave %s ErrorAttributeIsUsedIntoProduct=This attribute is used in one or more product variants ErrorAttributeValueIsUsedIntoProduct=This attribute value is used in one or more product variants ErrorPaymentInBothCurrency=Error, all amounts must be entered in the same column -ErrorYouTryToPayInvoicesInACurrencyFromBankWithAnotherCurrency=You try to pay invoices in the currency %s from an account with the currency %s +ErrorYouTryToPayInvoicesInACurrencyFromBankWithAnotherCurrency=You try to pay invoices in the currency %s from an account with the currency %s ErrorInvoiceLoadThirdParty=Can't load third-party object for invoice "%s" ErrorInvoiceLoadThirdPartyKey=Third-party key "%s" no set for invoice "%s" ErrorDeleteLineNotAllowedByObjectStatus=Delete line is not allowed by current object status 
@@ -294,9 +295,9 @@ ErrorThirpdartyOrMemberidIsMandatory=Third party or Member of partnership is man ErrorFailedToWriteInTempDirectory=Failed to write in temp directory ErrorQuantityIsLimitedTo=Quantity is limited to %s ErrorFailedToLoadThirdParty=Failed to find/load thirdparty from id=%s, email=%s, name=%s -ErrorThisPaymentModeIsNotSepa=This payment mode is not a bank account +ErrorThisPaymentModeIsNotSepa=This payment mode is not a bank account ErrorStripeCustomerNotFoundCreateFirst=Stripe customer is not set for this thirdparty (or set to a value deleted on Stripe side). Create (or re-attach) it first. -ErrorCharPlusNotSupportedByImapForSearch=IMAP search is not able to search into sender or recipient for a string containing the character + +ErrorCharPlusNotSupportedByImapForSearch=IMAP search is not able to search into sender or recipient for a string containing the character + ErrorTableNotFound=Table %s not found ErrorValueForTooLow=Value for %s is too low ErrorValueCantBeNull=Value for %s can't be null diff --git a/htdocs/langs/fr_FR/main.lang b/htdocs/langs/fr_FR/main.lang index eb787cb279d..37bd9224798 100644 --- a/htdocs/langs/fr_FR/main.lang +++ b/htdocs/langs/fr_FR/main.lang @@ -45,6 +45,7 @@ NoError=Aucune erreur Error=Erreur Errors=Erreurs ErrorFieldRequired=Le champ '%s' est obligatoire +AlreadyTooMuchPostOnThisIPAdress=Vous avez déjà posté trop de messages depuis cette adresse IP. ErrorFieldFormat=Le champ '%s' a une valeur incorrecte ErrorFileDoesNotExists=Le fichier %s n'existe pas ErrorFailedToOpenFile=Impossible d'ouvrir le fichier %s diff --git a/htdocs/partnership/class/partnership.class.php b/htdocs/partnership/class/partnership.class.php index 4838c80f92d..93897771019 100644 --- a/htdocs/partnership/class/partnership.class.php +++ b/htdocs/partnership/class/partnership.class.php 
@@ -22,6 +22,8 @@ * \brief This file is a CRUD class file for Partnership (Create/Read/Update/Delete) */ +use Illuminate\Support\Arr; + // Put here all includes required by your class file require_once DOL_DOCUMENT_ROOT.'/core/class/commonobject.class.php'; //require_once DOL_DOCUMENT_ROOT . '/societe/class/societe.class.php'; @@ -124,6 +126,7 @@ class Partnership extends CommonObject 'last_check_backlink' => array('type'=>'datetime', 'label'=>'LastCheckBacklink', 'enabled'=>'1', 'position'=>72, 'notnull'=>0, 'visible'=>-2,), 'reason_decline_or_cancel' => array('type'=>'text', 'label'=>'ReasonDeclineOrCancel', 'enabled'=>'1', 'position'=>73, 'notnull'=>0, 'visible'=>-2,), 'fk_soc' => array('type'=>'integer:Societe:societe/class/societe.class.php:1:status=1 AND entity IN (__SHARED_ENTITIES__)', 'label'=>'ThirdParty', 'picto'=>'company', 'enabled'=>'1', 'position'=>50, 'notnull'=>-1, 'visible'=>1, 'index'=>1, 'css'=>'maxwidth500', 'csslist'=>'tdoverflowmax150',), + 'ip' => array('type'=>'varchar(250)', 'label'=>'Ip', 'enabled'=>'1', 'position'=>74, 'notnull'=>0, 'visible'=>-2,), ); public $rowid; public $ref; diff --git a/htdocs/public/partnership/new.php b/htdocs/public/partnership/new.php index 5064ec68695..3420806608a 100644 --- a/htdocs/public/partnership/new.php +++ b/htdocs/public/partnership/new.php 
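Review bot: The added `use Illuminate\Support\Arr;` imports a Laravel class that nothing in this hunk (or elsewhere in the series) uses, and as far as I can tell it is not among this project's dependencies; it looks like an editor auto-import. It is inert until some code references `Arr::…`, at which point it would fail with a class-not-found error, so better to drop it now. Remove the `use Illuminate\Support\Arr;` line and the blank line added after it.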
@@ -223,7 +223,27 @@ if (empty($reshook) && $action == 'add') { $partnership->fk_user_creat = 0; $partnership->fk_type = GETPOST('partnershiptype', 'int'); //$partnership->typeid = $conf->global->PARTNERSHIP_NEWFORM_FORCETYPE ? $conf->global->PARTNERSHIP_NEWFORM_FORCETYPE : GETPOST('typeid', 'int'); + $partnership->ip = getUserRemoteIP(); + $nb_post_max = getDolGlobalInt("MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS", 1000); + + // Calculate nb of post for IP + $nb_post_ip = 0; + if ($nb_post_max > 0) { // Calculate only if there is a limit to check + $sql = "SELECT COUNT(ref) as nb_partnerships"; + $sql .= " FROM ".MAIN_DB_PREFIX."partnership"; + $sql .= " WHERE ip = '".$db->escape($partnership->ip)."'"; + $resql = $db->query($sql); + if ($resql) { + $num = $db->num_rows($resql); + $i = 0; + while ($i < $num) { + $i++; + $obj = $db->fetch_object($resql); + $nb_post_ip = $obj->nb_partnerships; + } + } + } // test if societe already exist $company = new Societe($db); $result = $company->fetch(0, GETPOST('societe')); @@ -290,6 +310,11 @@ if (empty($reshook) && $action == 'add') { $error++; } + if ($nb_post_max > 0 && $nb_post_ip >= $nb_post_max) { + $error++; + $errmsg = $langs->trans("AlreadyTooMuchPostOnThisIPAdress"); + array_push($partnership->errors, $langs->trans("AlreadyTooMuchPostOnThisIPAdress")); + } if (!$error) { $result = $partnership->create($user); if ($result > 0) { @@ -464,6 +489,8 @@ if (empty($reshook) && $action == 'add') { $error++; $errmsg .= join('
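Review bot: The per-IP counter fails open: when `$db->query($sql)` returns false, `$nb_post_ip` stays at 0 and the limit is silently never enforced, so the failure should be surfaced like the other errors in this block, e.g. `} else { $error++; $errmsg .= $db->lasterror(); }`. The `while ($i < $num)` loop around a `COUNT(...)` aggregate is also unnecessary, since the query always yields exactly one row — `$obj = $db->fetch_object($resql); $nb_post_ip = (int) $obj->nb_partnerships;` is enough. This twenty-line block is copied almost verbatim into project/new.php, suggestbooth.php, suggestconference.php, attendee_new.php and twice into studs.php, differing only in table and alias name; a shared helper in a core lib taking the table name would keep the fail-closed behaviour and any later fix in one place. Note as well that the count is all-time with no time window and no entity filter, and that the check is only as strong as the address `getUserRemoteIP()` returns: if that function honours proxy-supplied headers (its body is not shown here), the counter is keyed on a value the client can influence, so confirm it is used together with a trusted-proxy configuration.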
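Review bot: `$errmsg = $langs->trans("AlreadyTooMuchPostOnThisIPAdress");` assigns instead of appending, so any message accumulated by the validation checks just above is discarded when the IP limit also trips; the suggestbooth.php, suggestconference.php and attendee_new.php hunks in this series use `.=`. Change it to `$errmsg .= $langs->trans("AlreadyTooMuchPostOnThisIPAdress");` here and in the corresponding project/new.php hunk. The same string is also pushed into `$partnership->errors`, so it may be rendered twice depending on how `$errmsg` and `errors` are displayed further down, which is outside this hunk. Separately, the key is added to `en_US/errors.lang` but to `fr_FR/main.lang`; since the page gets the string only from whichever file it loads, one of the two translations is likely never used.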
', $partnership->errors); } + } else { + setEventMessage($errmsg, 'errors'); } } From 1e88704a148577c10ddc02deb3be15043be1442a Mon Sep 17 00:00:00 2001 From: Faustin Date: Wed, 23 Nov 2022 17:32:32 +0100 Subject: [PATCH 02/16] Limit project creation on public page by ip adress --- .../install/mysql/migration/16.0.0-17.0.0.sql | 1 + htdocs/projet/class/project.class.php | 4 +- htdocs/public/project/new.php | 163 +++++++++++------- htdocs/public/project/viewandvote.php | 8 +- 4 files changed, 104 insertions(+), 72 deletions(-) diff --git a/htdocs/install/mysql/migration/16.0.0-17.0.0.sql b/htdocs/install/mysql/migration/16.0.0-17.0.0.sql index 0b4b773be40..c0d3552a440 100644 --- a/htdocs/install/mysql/migration/16.0.0-17.0.0.sql +++ b/htdocs/install/mysql/migration/16.0.0-17.0.0.sql @@ -64,6 +64,7 @@ UPDATE llx_c_paiement SET code = 'BANCON' WHERE code = 'BAN' AND libelle = 'Banc ALTER TABLE llx_partnership ADD COLUMN ip varchar(250); ALTER TABLE llx_adherent ADD COLUMN ip varchar(250); +ALTER TABLE llx_projet ADD COLUMN ip varchar(250); ALTER TABLE llx_fichinterdet_rec DROP COLUMN remise; ALTER TABLE llx_fichinterdet_rec DROP COLUMN fk_export_commpta; diff --git a/htdocs/projet/class/project.class.php b/htdocs/projet/class/project.class.php index e3865663bf7..0e15b26b114 100644 --- a/htdocs/projet/class/project.class.php +++ b/htdocs/projet/class/project.class.php 
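Review bot: The new `ip` column is filtered with `WHERE ip = '…'` on every public submission but no index is added, so each post scans the whole of `llx_projet`; consider adding `ALTER TABLE llx_projet ADD INDEX idx_projet_ip (ip);` next to the column, and the same for the `llx_actioncomm`, `llx_eventorganization_conferenceorboothattendee`, `llx_opensurvey_user_studs` and `llx_opensurvey_comments` columns added in the later migration hunks of this series. `varchar(250)` is also far wider than any textual IP address (45 characters covers IPv6), which only bloats that index. If the project keeps the canonical table definitions in a separate `tables/` directory, those should be updated as well; this series does not touch them as far as shown.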
@@ -308,7 +308,7 @@ class Project extends CommonObject 'fk_user_modif' =>array('type'=>'integer', 'label'=>'UserModification', 'enabled'=>1, 'visible'=>0, 'position'=>415), 'import_key' =>array('type'=>'varchar(14)', 'label'=>'ImportId', 'enabled'=>1, 'visible'=>0, 'position'=>420), 'email_msgid'=>array('type'=>'varchar(255)', 'label'=>'EmailMsgID', 'enabled'=>1, 'visible'=>-1, 'position'=>450, 'help'=>'EmailMsgIDWhenSourceisEmail'), - 'fk_statut' =>array('type'=>'smallint(6)', 'label'=>'Status', 'enabled'=>1, 'visible'=>1, 'notnull'=>1, 'position'=>500) + 'fk_statut' =>array('type'=>'smallint(6)', 'label'=>'Status', 'enabled'=>1, 'visible'=>1, 'notnull'=>1, 'position'=>500), ); // END MODULEBUILDER PROPERTIES @@ -435,6 +435,7 @@ class Project extends CommonObject $sql .= ", note_private"; $sql .= ", note_public"; $sql .= ", entity"; + $sql .= ", ip"; $sql .= ") VALUES ("; $sql .= "'".$this->db->escape($this->ref)."'"; $sql .= ", '".$this->db->escape($this->title)."'"; @@ -466,6 +467,7 @@ class Project extends CommonObject $sql .= ", ".($this->note_private ? "'".$this->db->escape($this->note_private)."'" : 'null'); $sql .= ", ".($this->note_public ? "'".$this->db->escape($this->note_public)."'" : 'null'); $sql .= ", ".((int) $conf->entity); + $sql .= ", ".(!isset($this->ip) ? 'NULL' : "'".$this->db->escape($this->ip)."'"); $sql .= ")"; dol_syslog(get_class($this)."::create", LOG_DEBUG); diff --git a/htdocs/public/project/new.php b/htdocs/public/project/new.php index 61bbd23ea61..46209d76a24 100644 --- a/htdocs/public/project/new.php +++ b/htdocs/public/project/new.php 
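Review bot: `create()` now writes `$this->ip`, but the `$fields` hunk at -308 only adds a trailing comma and no `'ip'` entry, and no `public $ip` property is declared anywhere in this patch, unlike the `Partnership` and `ConferenceOrBoothAttendee` changes in the same series; if `Project` does not already declare it, this relies on a dynamic property (deprecated from PHP 8.2) and the column stays invisible to the generic field handling. The same observation applies to `ActionComm` in the actioncomm.class.php hunks. The `!isset($this->ip) ? 'NULL' : …` test also stores an empty string rather than NULL when `ip` is set to `''`; `empty($this->ip) ? 'NULL' : "'".$this->db->escape($this->ip)."'"` would match what the ActionComm hunk does.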
@@ -296,6 +296,26 @@ if (empty($reshook) && $action == 'add') { $proj->opp_status = $defaultoppstatus; $proj->fk_opp_status = $defaultoppstatus; + $proj->ip = getUserRemoteIP(); + $nb_post_max = getDolGlobalInt("MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS", 1000); + // Calculate nb of post for IP + $nb_post_ip = 0; + if ($nb_post_max > 0) { // Calculate only if there is a limit to check + $sql = "SELECT COUNT(rowid) as nb_projets"; + $sql .= " FROM ".MAIN_DB_PREFIX."projet"; + $sql .= " WHERE ip = '".$db->escape($proj->ip)."'"; + $resql = $db->query($sql); + if ($resql) { + $num = $db->num_rows($resql); + $i = 0; + while ($i < $num) { + $i++; + $obj = $db->fetch_object($resql); + $nb_post_ip = $obj->nb_projets; + } + } + } + // Fill array 'array_options' with data from the form $extrafields->fetch_name_optionals_label($proj->table_element); $ret = $extrafields->setOptionalsFromPost(null, $proj); 
@@ -303,74 +323,83 @@ if (empty($reshook) && $action == 'add') { $error++; } - // Create the project - $result = $proj->create($user); - if ($result > 0) { - require_once DOL_DOCUMENT_ROOT.'/core/class/CMailFile.class.php'; - $object = $proj; - - if ($object->email) { - $subject = ''; - $msg = ''; - - // Send subscription email - include_once DOL_DOCUMENT_ROOT.'/core/class/html.formmail.class.php'; - $formmail = new FormMail($db); - // Set output language - $outputlangs = new Translate('', $conf); - $outputlangs->setDefaultLang(empty($object->thirdparty->default_lang) ? $mysoc->default_lang : $object->thirdparty->default_lang); - // Load traductions files required by page - $outputlangs->loadLangs(array("main", "members", "projects")); - // Get email content from template - $arraydefaultmessage = null; - $labeltouse = $conf->global->PROJECT_EMAIL_TEMPLATE_AUTOLEAD; - - if (!empty($labeltouse)) { - $arraydefaultmessage = $formmail->getEMailTemplate($db, 'project', $user, $outputlangs, 0, 1, $labeltouse); - } - - if (!empty($labeltouse) && is_object($arraydefaultmessage) && $arraydefaultmessage->id > 0) { - $subject = $arraydefaultmessage->topic; - $msg = $arraydefaultmessage->content; - } - if (empty($labeltosue)) { - $labeltouse = '['.$mysoc->name.'] '.$langs->trans("YourMessage"); - $msg = $langs->trans("YourMessageHasBeenReceived"); - } - - $substitutionarray = getCommonSubstitutionArray($outputlangs, 0, null, $object); - complete_substitutions_array($substitutionarray, $outputlangs, $object); - $subjecttosend = make_substitutions($subject, $substitutionarray, $outputlangs); - $texttosend = make_substitutions($msg, $substitutionarray, $outputlangs); - - if ($subjecttosend && $texttosend) { - $moreinheader = 'X-Dolibarr-Info: send_an_email by public/lead/new.php'."\r\n"; - - $result = $object->send_an_email($texttosend, $subjecttosend, array(), array(), array(), "", "", 0, -1, '', $moreinheader); - } - /*if ($result < 0) { - $error++; - 
setEventMessages($object->error, $object->errors, 'errors'); - }*/ - } - - if (!empty($backtopage)) { - $urlback = $backtopage; - } elseif (!empty($conf->global->PROJECT_URL_REDIRECT_LEAD)) { - $urlback = $conf->global->PROJECT_URL_REDIRECT_LEAD; - // TODO Make replacement of __AMOUNT__, etc... - } else { - $urlback = $_SERVER["PHP_SELF"]."?action=added&token=".newToken(); - } - - if (!empty($entity)) { - $urlback .= '&entity='.$entity; - } - - dol_syslog("project lead ".$proj->ref." has been created, we redirect to ".$urlback); - } else { + if ($nb_post_max > 0 && $nb_post_ip >= $nb_post_max) { $error++; - $errmsg .= $proj->error.'
'.join('
', $proj->errors); + $errmsg = $langs->trans("AlreadyTooMuchPostOnThisIPAdress"); + array_push($proj->errors, $langs->trans("AlreadyTooMuchPostOnThisIPAdress")); + } + // Create the project + if (!$error) { + $result = $proj->create($user); + if ($result > 0) { + require_once DOL_DOCUMENT_ROOT.'/core/class/CMailFile.class.php'; + $object = $proj; + + if ($object->email) { + $subject = ''; + $msg = ''; + + // Send subscription email + include_once DOL_DOCUMENT_ROOT.'/core/class/html.formmail.class.php'; + $formmail = new FormMail($db); + // Set output language + $outputlangs = new Translate('', $conf); + $outputlangs->setDefaultLang(empty($object->thirdparty->default_lang) ? $mysoc->default_lang : $object->thirdparty->default_lang); + // Load traductions files required by page + $outputlangs->loadLangs(array("main", "members", "projects")); + // Get email content from template + $arraydefaultmessage = null; + $labeltouse = $conf->global->PROJECT_EMAIL_TEMPLATE_AUTOLEAD; + + if (!empty($labeltouse)) { + $arraydefaultmessage = $formmail->getEMailTemplate($db, 'project', $user, $outputlangs, 0, 1, $labeltouse); + } + + if (!empty($labeltouse) && is_object($arraydefaultmessage) && $arraydefaultmessage->id > 0) { + $subject = $arraydefaultmessage->topic; + $msg = $arraydefaultmessage->content; + } + if (empty($labeltosue)) { + $labeltouse = '['.$mysoc->name.'] '.$langs->trans("YourMessage"); + $msg = $langs->trans("YourMessageHasBeenReceived"); + } + + $substitutionarray = getCommonSubstitutionArray($outputlangs, 0, null, $object); + complete_substitutions_array($substitutionarray, $outputlangs, $object); + $subjecttosend = make_substitutions($subject, $substitutionarray, $outputlangs); + $texttosend = make_substitutions($msg, $substitutionarray, $outputlangs); + + if ($subjecttosend && $texttosend) { + $moreinheader = 'X-Dolibarr-Info: send_an_email by public/lead/new.php'."\r\n"; + + $result = $object->send_an_email($texttosend, $subjecttosend, array(), array(), 
array(), "", "", 0, -1, '', $moreinheader); + } + /*if ($result < 0) { + $error++; + setEventMessages($object->error, $object->errors, 'errors'); + }*/ + } + + if (!empty($backtopage)) { + $urlback = $backtopage; + } elseif (!empty($conf->global->PROJECT_URL_REDIRECT_LEAD)) { + $urlback = $conf->global->PROJECT_URL_REDIRECT_LEAD; + // TODO Make replacement of __AMOUNT__, etc... + } else { + $urlback = $_SERVER["PHP_SELF"]."?action=added&token=".newToken(); + } + + if (!empty($entity)) { + $urlback .= '&entity='.$entity; + } + + dol_syslog("project lead ".$proj->ref." has been created, we redirect to ".$urlback); + } else { + $error++; + $errmsg .= $proj->error.'
'.join('
', $proj->errors); + } + } else { + setEventMessage($errmsg, 'errors'); } } diff --git a/htdocs/public/project/viewandvote.php b/htdocs/public/project/viewandvote.php index 1d9fc58c810..4e8b6b19ddc 100644 --- a/htdocs/public/project/viewandvote.php +++ b/htdocs/public/project/viewandvote.php @@ -70,10 +70,10 @@ $id = GETPOST('id'); $securekeyreceived = GETPOST("securekey"); $securekeytocompare = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'conferenceorbooth'.$id, 'md5'); -if ($securekeytocompare != $securekeyreceived) { - print $langs->trans('MissingOrBadSecureKey'); - exit; -} +// if ($securekeytocompare != $securekeyreceived) { +// print $langs->trans('MissingOrBadSecureKey'); +// exit; +// } $listofvotes = explode(',', $_SESSION["savevotes"]); From 08010fae5c22df095d177ae998afa7f05acf68ee Mon Sep 17 00:00:00 2001 From: Faustin Date: Wed, 23 Nov 2022 19:51:17 +0100 Subject: [PATCH 03/16] Limit booth suggest on public page by ip adress --- htdocs/comm/action/class/actioncomm.class.php | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php index fb78c8d1af5..58ab4503dc5 100644 --- a/htdocs/comm/action/class/actioncomm.class.php +++ b/htdocs/comm/action/class/actioncomm.class.php @@ -555,7 +555,8 @@ class ActionComm extends CommonObject $sql .= "recurdateend,"; $sql .= "num_vote,"; $sql .= "event_paid,"; - $sql .= "status"; + $sql .= "status,"; + $sql .= "ip"; $sql .= ") VALUES ("; $sql .= "'(PROV)', "; $sql .= "'".$this->db->idate($now)."', "; 
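Review bot: Most of this hunk is a re-indentation of the existing create-and-mail block under a new `if (!$error)`, which buries the actual change (the IP check and the `else { setEventMessage(...) }` branch); committing the guard separately from the re-indent would make it reviewable. Two defects carried onto the new side are worth fixing while the block is being rewritten: `$errmsg = $langs->trans(...)` overwrites any earlier message (use `.=`), and the pre-existing `if (empty($labeltosue))` tests a misspelled, never-assigned variable, so it is always true and the template `$msg` loaded just above is unconditionally replaced by the generic `YourMessageHasBeenReceived` text — presumably `$labeltouse` was meant. In that same fallback branch `$labeltouse` is assigned where `$subject` appears to be intended, so without a template `$subjecttosend` stays empty and the mail is skipped by the `if ($subjecttosend && $texttosend)` guard; confirm whether that is the intended behaviour.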
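Review bot: This hunk comments out the only access control on this public page: `viewandvote.php` no longer compares `$securekeyreceived` with `$securekeytocompare`, so the page is reachable without the secure key. Patch 05 ("no wanted changes") restores the identical block in suggestbooth.php but, as far as this series shows, not here; the four lines should be restored verbatim before merge. When restoring them, `if (!hash_equals($securekeytocompare, (string) $securekeyreceived)) {` is preferable to `!=`, since a loose comparison of two hex digests is neither strict nor constant-time.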
@@ -596,7 +597,8 @@ class ActionComm extends CommonObject $sql .= (!empty($this->recurdateend) ? "'".$this->db->idate($this->recurdateend)."'" : "null").", "; $sql .= (!empty($this->num_vote) ? (int) $this->num_vote : "null").", "; $sql .= (!empty($this->event_paid) ? (int) $this->event_paid : 0).", "; - $sql .= (!empty($this->status) ? (int) $this->status : "0"); + $sql .= (!empty($this->status) ? (int) $this->status : "0").", "; + $sql .= (!empty($this->ip) ? "'".$this->db->escape($this->ip)."'" : "null"); $sql .= ")"; dol_syslog(get_class($this)."::add", LOG_DEBUG); From dfb10f7362469b9b3d287107f2e753f39ff628d9 Mon Sep 17 00:00:00 2001 From: Faustin Date: Wed, 23 Nov 2022 19:51:34 +0100 Subject: [PATCH 04/16] Limit booth suggest on public page by ip adress --- .../install/mysql/migration/16.0.0-17.0.0.sql | 1 + htdocs/public/project/suggestbooth.php | 40 ++++++++++++++++--- 2 files changed, 36 insertions(+), 5 deletions(-) diff --git a/htdocs/install/mysql/migration/16.0.0-17.0.0.sql b/htdocs/install/mysql/migration/16.0.0-17.0.0.sql index c0d3552a440..68a9a5806f3 100644 --- a/htdocs/install/mysql/migration/16.0.0-17.0.0.sql +++ b/htdocs/install/mysql/migration/16.0.0-17.0.0.sql @@ -65,6 +65,7 @@ UPDATE llx_c_paiement SET code = 'BANCON' WHERE code = 'BAN' AND libelle = 'Banc ALTER TABLE llx_partnership ADD COLUMN ip varchar(250); ALTER TABLE llx_adherent ADD COLUMN ip varchar(250); ALTER TABLE llx_projet ADD COLUMN ip varchar(250); +ALTER TABLE llx_actioncomm ADD COLUMN ip varchar(250); ALTER TABLE llx_fichinterdet_rec DROP COLUMN remise; ALTER TABLE llx_fichinterdet_rec DROP COLUMN fk_export_commpta; diff --git a/htdocs/public/project/suggestbooth.php b/htdocs/public/project/suggestbooth.php index f42e75b21b1..298240e8b79 100644 --- a/htdocs/public/project/suggestbooth.php +++ b/htdocs/public/project/suggestbooth.php 
@@ -86,10 +86,10 @@ if ($resultproject < 0) { $securekeyreceived = GETPOST("securekey"); $securekeytocompare = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'conferenceorbooth'.$id, 'md5'); -if ($securekeytocompare != $securekeyreceived) { - print $langs->trans('MissingOrBadSecureKey'); - exit; -} +// if ($securekeytocompare != $securekeyreceived) { +// print $langs->trans('MissingOrBadSecureKey'); +// exit; +// } // Load translation files $langs->loadLangs(array("main", "companies", "install", "other", "eventorganization")); @@ -361,7 +361,37 @@ if (empty($reshook) && $action == 'add') { $conforbooth->datep2 = $dateend; $conforbooth->datec = dol_now(); $conforbooth->tms = dol_now(); - $resultconforbooth = $conforbooth->create($user); + $conforbooth->ip = getUserRemoteIP(); + $nb_post_max = getDolGlobalInt("MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS", 1000); + + // Calculate nb of post for IP + $nb_post_ip = 0; + if ($nb_post_max > 0) { // Calculate only if there is a limit to check + $sql = "SELECT COUNT(ref) as nb_confs"; + $sql .= " FROM ".MAIN_DB_PREFIX."actioncomm"; + $sql .= " WHERE ip = '".$db->escape($conforbooth->ip)."'"; + $resql = $db->query($sql); + if ($resql) { + $num = $db->num_rows($resql); + $i = 0; + while ($i < $num) { + $i++; + $obj = $db->fetch_object($resql); + $nb_post_ip = $obj->nb_confs; + } + } + } + + $resultconforbooth = 0; + + if ($nb_post_max > 0 && $nb_post_ip >= $nb_post_max) { + $error++; + $errmsg .= $langs->trans("AlreadyTooMuchPostOnThisIPAdress"); + array_push($conforbooth->errors, $langs->trans("AlreadyTooMuchPostOnThisIPAdress")); + setEventMessage($errmsg, 'errors'); + } else { + $resultconforbooth = $conforbooth->create($user); + } if ($resultconforbooth<=0) { $error++; $errmsg .= $conforbooth->error; From 7ee47b725b2eefad4b694b85f80f896cc2e905fe Mon Sep 17 00:00:00 2001 
From: Faustin Date: Wed, 23 Nov 2022 19:52:32 +0100 Subject: [PATCH 05/16] no wanted changes --- htdocs/public/project/suggestbooth.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/htdocs/public/project/suggestbooth.php b/htdocs/public/project/suggestbooth.php index 298240e8b79..7c97a1da346 100644 --- a/htdocs/public/project/suggestbooth.php +++ b/htdocs/public/project/suggestbooth.php @@ -86,10 +86,10 @@ if ($resultproject < 0) { $securekeyreceived = GETPOST("securekey"); $securekeytocompare = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'conferenceorbooth'.$id, 'md5'); -// if ($securekeytocompare != $securekeyreceived) { -// print $langs->trans('MissingOrBadSecureKey'); -// exit; -// } +if ($securekeytocompare != $securekeyreceived) { + print $langs->trans('MissingOrBadSecureKey'); + exit; +} // Load translation files $langs->loadLangs(array("main", "companies", "install", "other", "eventorganization")); From c539ed9f57c7798c55c37f14cec90848ca6e3e87 Mon Sep 17 00:00:00 2001 From: Faustin Date: Wed, 23 Nov 2022 20:26:26 +0100 Subject: [PATCH 06/16] Limit conference suggest on public page by ip adress --- htdocs/public/project/suggestconference.php | 32 ++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/htdocs/public/project/suggestconference.php b/htdocs/public/project/suggestconference.php index f0b9299f980..bcff02859a0 100644 --- a/htdocs/public/project/suggestconference.php +++ b/htdocs/public/project/suggestconference.php 
@@ -359,7 +359,37 @@ if (empty($reshook) && $action == 'add') { $conforbooth->tms = dol_now(); $conforbooth->firstname = $contact->firstname; $conforbooth->lastname = $contact->lastname; - $resultconforbooth = $conforbooth->create($user); + $conforbooth->ip = getUserRemoteIP(); + $nb_post_max = getDolGlobalInt("MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS", 1000); + + // Calculate nb of post for IP + $nb_post_ip = 0; + if ($nb_post_max > 0) { // Calculate only if there is a limit to check + $sql = "SELECT COUNT(ref) as nb_confs"; + $sql .= " FROM ".MAIN_DB_PREFIX."actioncomm"; + $sql .= " WHERE ip = '".$db->escape($conforbooth->ip)."'"; + $resql = $db->query($sql); + if ($resql) { + $num = $db->num_rows($resql); + $i = 0; + while ($i < $num) { + $i++; + $obj = $db->fetch_object($resql); + $nb_post_ip = $obj->nb_confs; + } + } + } + + $resultconforbooth = 0; + + if ($nb_post_max > 0 && $nb_post_ip >= $nb_post_max) { + $error++; + $errmsg .= $langs->trans("AlreadyTooMuchPostOnThisIPAdress"); + array_push($conforbooth->errors, $langs->trans("AlreadyTooMuchPostOnThisIPAdress")); + setEventMessage($errmsg, 'errors'); + } else { + $resultconforbooth = $conforbooth->create($user); + } if ($resultconforbooth<=0) { $error++; $errmsg .= $conforbooth->error; From 0901bf55c37d93acfe5310e1f46c5af7a2e32908 Mon Sep 17 00:00:00 2001 From: Faustin Date: Thu, 24 Nov 2022 10:58:43 +0100 Subject: [PATCH 07/16] Limit eventorganization attendee on public page by ip adress + fix some bugs on that page --- .../class/conferenceorboothattendee.class.php | 1 + .../install/mysql/migration/16.0.0-17.0.0.sql | 1 + .../public/eventorganization/attendee_new.php | 38 +++++++++++++++++-- 3 files changed, 37 insertions(+), 3 deletions(-) diff --git a/htdocs/eventorganization/class/conferenceorboothattendee.class.php b/htdocs/eventorganization/class/conferenceorboothattendee.class.php index 909758ca3f2..595eaf67eeb 100644 
--- a/htdocs/eventorganization/class/conferenceorboothattendee.class.php +++ b/htdocs/eventorganization/class/conferenceorboothattendee.class.php @@ -123,6 +123,7 @@ class ConferenceOrBoothAttendee extends CommonObject 'import_key' => array('type'=>'varchar(14)', 'label'=>'ImportId', 'enabled'=>'1', 'position'=>1000, 'notnull'=>-1, 'visible'=>-2,), 'model_pdf' => array('type'=>'varchar(255)', 'label'=>'Model pdf', 'enabled'=>'1', 'position'=>1010, 'notnull'=>-1, 'visible'=>0,), 'status' => array('type'=>'smallint', 'label'=>'Status', 'enabled'=>'1', 'position'=>1000, 'default'=>0, 'notnull'=>1, 'visible'=>1, 'index'=>1, 'arrayofkeyval'=>array('0'=>'Draft', '1'=>'Validated', '9'=>'Canceled'),), + 'ip' => array('type'=>'varchar(250)', 'label'=>'Ip', 'enabled'=>'1', 'position'=>1000, 'notnull'=>-1, 'visible'=>-2,), ); public $rowid; public $ref; diff --git a/htdocs/install/mysql/migration/16.0.0-17.0.0.sql b/htdocs/install/mysql/migration/16.0.0-17.0.0.sql index 68a9a5806f3..56f64efc66e 100644 --- a/htdocs/install/mysql/migration/16.0.0-17.0.0.sql +++ b/htdocs/install/mysql/migration/16.0.0-17.0.0.sql @@ -66,6 +66,7 @@ ALTER TABLE llx_partnership ADD COLUMN ip varchar(250); ALTER TABLE llx_adherent ADD COLUMN ip varchar(250); ALTER TABLE llx_projet ADD COLUMN ip varchar(250); ALTER TABLE llx_actioncomm ADD COLUMN ip varchar(250); +ALTER TABLE llx_eventorganization_conferenceorboothattendee ADD COLUMN ip varchar(250); ALTER TABLE llx_fichinterdet_rec DROP COLUMN remise; ALTER TABLE llx_fichinterdet_rec DROP COLUMN fk_export_commpta; diff --git a/htdocs/public/eventorganization/attendee_new.php b/htdocs/public/eventorganization/attendee_new.php index b4f6ee14217..21901753692 100644 --- a/htdocs/public/eventorganization/attendee_new.php +++ b/htdocs/public/eventorganization/attendee_new.php 
@@ -229,7 +229,7 @@ if ($reshook < 0) { } // Action called when page is submitted -if (empty($reshook) && $action == 'add' && (!empty($conference->id) && $conference->status!=2 || !empty($project->id) && $project->status == Project::STATUS_VALIDATED)) { +if (empty($reshook) && $action == 'add' && (!empty($conference->id) && $conference->status==2 || !empty($project->id) && $project->status == Project::STATUS_VALIDATED)) { $error = 0; $urlback = ''; @@ -259,10 +259,12 @@ if (empty($reshook) && $action == 'add' && (!empty($conference->id) && $conferen // Check if attendee already exists (by email and for this event) $confattendee = new ConferenceOrBoothAttendee($db); + $filter = array(); + if ($type == 'global') { $filter = array('t.fk_project'=>((int) $id), 'customsql'=>'t.email="'.$db->escape($email).'"'); } - if ($action == 'conf') { + if ($type == 'conf') { $filter = array('t.fk_actioncomm'=>((int) $id), 'customsql'=>'t.email="'.$db->escape($email).'"'); } 
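Review bot: Flipping `$conference->status!=2` to `$conference->status==2` inverts which conferences accept registrations, and the commit message only says "fix some bugs", so the reasoning should be recorded; a named constant would make the intent reviewable, in the same way `Project::STATUS_VALIDATED` is used in the other half of this condition (I cannot confirm from here which `ActionComm` constant corresponds to 2). The `a && b || c && d` shape is pre-existing, but while the line is being changed, parenthesising the two alternatives would remove any doubt about the precedence. The `$type == 'conf'` correction in the following hunk is fine; initialising `$filter = array();` there is a good catch, since the fetch below it would otherwise run with an undefined filter.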
@@ -281,7 +283,37 @@ if (empty($reshook) && $action == 'add' && (!empty($conference->id) && $conferen $confattendee->fk_actioncomm = $id; $confattendee->note_public = $note_public; - $resultconfattendee = $confattendee->create($user); + $confattendee->ip = getUserRemoteIP(); + $nb_post_max = getDolGlobalInt("MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS", 1000); + + // Calculate nb of post for IP + $nb_post_ip = 0; + if ($nb_post_max > 0) { // Calculate only if there is a limit to check + $sql = "SELECT COUNT(ref) as nb_attendee"; + $sql .= " FROM ".MAIN_DB_PREFIX."eventorganization_conferenceorboothattendee"; + $sql .= " WHERE ip = '".$db->escape($confattendee->ip)."'"; + $resql = $db->query($sql); + if ($resql) { + $num = $db->num_rows($resql); + $i = 0; + while ($i < $num) { + $i++; + $obj = $db->fetch_object($resql); + $nb_post_ip = $obj->nb_attendee; + } + } + } + + $resultconforbooth = -1; + + if ($nb_post_max > 0 && $nb_post_ip >= $nb_post_max) { + $error++; + $errmsg .= $langs->trans("AlreadyTooMuchPostOnThisIPAdress"); + array_push($confattendee->errors, $langs->trans("AlreadyTooMuchPostOnThisIPAdress")); + setEventMessage($errmsg, 'errors'); + } else { + $resultconfattendee = $confattendee->create($user); + } if ($resultconfattendee < 0) { $error++; $errmsg .= $confattendee->error; From 9a028c9137386865cc5d1d67462ce78bd83d9e11 Mon Sep 17 00:00:00 2001 From: Faustin Date: Thu, 24 Nov 2022 13:10:43 +0100 Subject: [PATCH 08/16] Limit survey answer on public page by ip adress --- .../install/mysql/migration/16.0.0-17.0.0.sql | 2 + .../class/opensurveysondage.class.php | 7 ++- htdocs/public/opensurvey/studs.php | 58 ++++++++++++++++++- 3 files changed, 61 insertions(+), 6 deletions(-) diff --git a/htdocs/install/mysql/migration/16.0.0-17.0.0.sql b/htdocs/install/mysql/migration/16.0.0-17.0.0.sql index 56f64efc66e..817d8d18d9c 100644 --- a/htdocs/install/mysql/migration/16.0.0-17.0.0.sql +++ b/htdocs/install/mysql/migration/16.0.0-17.0.0.sql 
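Review bot: `$resultconforbooth = -1;` initialises the wrong variable — the check that follows is `if ($resultconfattendee < 0)`, so when the IP limit trips `$resultconfattendee` is never assigned, the comparison runs against an undefined variable (`null < 0` is false) and only the `$error++` in the limit branch stops the flow. It should read `$resultconfattendee = -1;`. With that fix the limit branch then also executes `$error++` and `$errmsg .= $confattendee->error;`, counting the error twice and appending an empty `error` string; suggestbooth.php and suggestconference.php have the same double-count through their `$resultconforbooth = 0;` initialisation, so the limit check should probably replace the create call entirely rather than run before it.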
@@ -67,6 +67,8 @@ ALTER TABLE llx_adherent ADD COLUMN ip varchar(250); ALTER TABLE llx_projet ADD COLUMN ip varchar(250); ALTER TABLE llx_actioncomm ADD COLUMN ip varchar(250); ALTER TABLE llx_eventorganization_conferenceorboothattendee ADD COLUMN ip varchar(250); +ALTER TABLE llx_opensurvey_user_studs ADD COLUMN ip varchar(250); +ALTER TABLE llx_opensurvey_comments ADD COLUMN ip varchar(250); ALTER TABLE llx_fichinterdet_rec DROP COLUMN remise; ALTER TABLE llx_fichinterdet_rec DROP COLUMN fk_export_commpta; diff --git a/htdocs/opensurvey/class/opensurveysondage.class.php b/htdocs/opensurvey/class/opensurveysondage.class.php index cae73d0c2b2..b7fadbdb60d 100644 --- a/htdocs/opensurvey/class/opensurveysondage.class.php +++ b/htdocs/opensurvey/class/opensurveysondage.class.php @@ -571,12 +571,13 @@ class Opensurveysondage extends CommonObject * * @param string $comment Comment content * @param string $comment_user Comment author + * @param string $user_ip Comment author IP * @return boolean False in case of the query fails, true if it was successful */ - public function addComment($comment, $comment_user) + public function addComment($comment, $comment_user, $user_ip = '') { - $sql = "INSERT INTO ".MAIN_DB_PREFIX."opensurvey_comments (id_sondage, comment, usercomment)"; - $sql .= " VALUES ('".$this->db->escape($this->id_sondage)."','".$this->db->escape($comment)."','".$this->db->escape($comment_user)."')"; + $sql = "INSERT INTO ".MAIN_DB_PREFIX."opensurvey_comments (id_sondage, comment, usercomment, ip)"; + $sql .= " VALUES ('".$this->db->escape($this->id_sondage)."','".$this->db->escape($comment)."','".$this->db->escape($comment_user)."'".($user_ip ? ",'".$this->db->escape($user_ip)."'" : '').")"; $resql = $this->db->query($sql); if (!$resql) { diff --git a/htdocs/public/opensurvey/studs.php b/htdocs/public/opensurvey/studs.php index f11f8aea918..900483bbbfa 100644 --- a/htdocs/public/opensurvey/studs.php +++ b/htdocs/public/opensurvey/studs.php 
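Review bot: The rewritten INSERT in `addComment()` always names four columns `(id_sondage, comment, usercomment, ip)` but appends the fourth value only when `$user_ip` is truthy, so a call with the default `''` produces three values for four columns and the query fails (the method then returns false and the comment is lost). Emit the value unconditionally: `$sql .= " VALUES ('".$this->db->escape($this->id_sondage)."','".$this->db->escape($comment)."','".$this->db->escape($comment_user)."',".($user_ip ? "'".$this->db->escape($user_ip)."'" : 'NULL').")";`. The new `@param string $user_ip` docblock line could also state that an empty value is stored as NULL.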
@@ -97,8 +97,34 @@ if (GETPOST('ajoutcomment', 'alpha')) {
 $error++;
 }
+ $user_ip = getUserRemoteIP();
+ $nb_post_max = getDolGlobalInt("MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS", 1000);
+
+ // Calculate nb of post for IP
+ $nb_post_ip = 0;
+ if ($nb_post_max > 0) { // Calculate only if there is a limit to check
+ $sql = "SELECT COUNT(id_comment) as nb_comments";
+ $sql .= " FROM ".MAIN_DB_PREFIX."opensurvey_comments";
+ $sql .= " WHERE ip = '".$db->escape($user_ip)."'";
+ $resql = $db->query($sql);
+ if ($resql) {
+ $num = $db->num_rows($resql);
+ $i = 0;
+ while ($i < $num) {
+ $i++;
+ $obj = $db->fetch_object($resql);
+ $nb_post_ip = $obj->nb_comments;
+ }
+ }
+ }
+
+ if ($nb_post_max > 0 && $nb_post_ip >= $nb_post_max) {
+ setEventMessages($langs->trans("AlreadyTooMuchPostOnThisIPAdress"), null, 'errors');
+ $error++;
+ }
+
+
 if (!$error) {
- $resql = $object->addComment($comment, $comment_user);
+ $resql = $object->addComment($comment, $comment_user, $user_ip);
 if (!$resql) {
 dol_print_error($db);
@@ -125,6 +151,28 @@ if (GETPOST("boutonp") || GETPOST("boutonp.x") || GETPOST("boutonp_x")) { // bo
 }
 }
+ $user_ip = getUserRemoteIP();
+ $nb_post_max = getDolGlobalInt("MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS", 1000);
+
+ // Calculate nb of post for IP
+ $nb_post_ip = 0;
+ if ($nb_post_max > 0) { // Calculate only if there is a limit to check
+ $sql = "SELECT COUNT(id_users) as nb_records";
+ $sql .= " FROM ".MAIN_DB_PREFIX."opensurvey_user_studs";
+ $sql .= " WHERE ip = '".$db->escape($user_ip)."'";
+ $resql = $db->query($sql);
+ if ($resql) {
+ $num = $db->num_rows($resql);
+ $i = 0;
+ while ($i < $num) {
+ $i++;
+ $obj = $db->fetch_object($resql);
+ $nb_post_ip = $obj->nb_records;
+ }
+ }
+ }
+
+
 $nom = substr(GETPOST("nom", 'alphanohtml'), 0, 64);
 // Check if vote already exists
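Review bot: When the COUNT query fails (`$resql` false — for instance the `ip` column is absent because the 16.0.0-17.0.0 migration has not been applied yet), `$nb_post_ip` silently stays 0 and the per-IP limit is bypassed with no trace in the logs; at minimum add `dol_syslog("studs.php: count by ip failed: ".$db->lasterror(), LOG_ERR);` in an `else` branch, or treat it as an error like the surrounding code does. The same fail-open exists in the second hunk (`@@ -125`) and in the copies in the attendee page and members/new.php. The `while ($i < $num)` loop over a one-row COUNT result reduces to `$obj = $db->fetch_object($resql); $nb_post_ip = $obj ? (int) $obj->nb_comments : 0;`, which also makes the value an int before the `>=` comparison. Finally, the control is only as strong as `getUserRemoteIP()`: if that helper honours a client-supplied forwarded header rather than the connection address, the limit keys on attacker-chosen data — worth confirming, since the same value is also what gets stored in the `ip` column.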
@@ -137,12 +185,16 @@ if (GETPOST("boutonp") || GETPOST("boutonp.x") || GETPOST("boutonp_x")) { // bo
 }
 $num_rows = $db->num_rows($resql);
+
 if ($num_rows > 0) {
 setEventMessages($langs->trans("VoteNameAlreadyExists"), null, 'errors');
 $error++;
+ } elseif ($nb_post_max > 0 && $nb_post_ip >= $nb_post_max) {
+ setEventMessages($langs->trans("AlreadyTooMuchPostOnThisIPAdress"), null, 'errors');
+ $error++;
 } else {
- $sql = 'INSERT INTO '.MAIN_DB_PREFIX.'opensurvey_user_studs (nom, id_sondage, reponses)';
- $sql .= " VALUES ('".$db->escape($nom)."', '".$db->escape($numsondage)."','".$db->escape($nouveauchoix)."')";
+ $sql = 'INSERT INTO '.MAIN_DB_PREFIX.'opensurvey_user_studs (nom, id_sondage, reponses, ip)';
+ $sql .= " VALUES ('".$db->escape($nom)."', '".$db->escape($numsondage)."','".$db->escape($nouveauchoix)."', '".$db->escape($user_ip)."')";
 $resql = $db->query($sql);
 if ($resql) {
From 6e4eeb8b3cca862854da946b4462491e2c414d15 Mon Sep 17 00:00:00 2001
From: Faustin
Date: Thu, 24 Nov 2022 14:26:50 +0100
Subject: [PATCH 09/16] Limit member subscription on public page by ip adress
---
 htdocs/adherents/class/adherent.class.php | 3 ++-
 htdocs/public/members/new.php | 29 +++++++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/htdocs/adherents/class/adherent.class.php b/htdocs/adherents/class/adherent.class.php
index 130f5580e3a..59890c36988 100644
--- a/htdocs/adherents/class/adherent.class.php
+++ b/htdocs/adherents/class/adherent.class.php
@@ -605,7 +605,7 @@ class Adherent extends CommonObject
 // Insert member
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."adherent";
- $sql .= " (ref, datec,login,fk_user_author,fk_user_mod,fk_user_valid,morphy,fk_adherent_type,entity,import_key)";
+ $sql .= " (ref, datec,login,fk_user_author,fk_user_mod,fk_user_valid,morphy,fk_adherent_type,entity,import_key, ip)";
 $sql .= " VALUES (";
 $sql .= " '(PROV)'";
 $sql .= ", '".$this->db->idate($this->datec)."'";
@@ -615,6 +615,7 @@ class Adherent extends CommonObject
 $sql .= ", ".((int) $this->typeid);
 $sql .= ", ".$conf->entity;
 $sql .= ", ".(!empty($this->import_key) ? "'".$this->db->escape($this->import_key)."'" : "null");
+ $sql .= ", ".(!empty($this->ip) ? "'".$this->db->escape($this->ip)."'" : "null");
 $sql .= ")";
 dol_syslog(get_class($this)."::create", LOG_DEBUG);
diff --git a/htdocs/public/members/new.php b/htdocs/public/members/new.php
index 9346988274a..2e38de0251e 100644
--- a/htdocs/public/members/new.php
+++ b/htdocs/public/members/new.php
@@ -284,12 +284,41 @@ if (empty($reshook) && $action == 'add') {
 $adh->morphy = getDolGlobalString("MEMBER_NEWFORM_FORCEMORPHY", GETPOST('morphy'));
 $adh->birth = $birthday;
+ $adh->ip = getUserRemoteIP();
+
+ $nb_post_max = getDolGlobalInt("MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS", 1000);
+
+ // Calculate nb of post for IP
+ $nb_post_ip = 0;
+ if ($nb_post_max > 0) { // Calculate only if there is a limit to check
+ $sql = "SELECT COUNT(ref) as nb_adh";
+ $sql .= " FROM ".MAIN_DB_PREFIX."adherent";
+ $sql .= " WHERE ip = '".$db->escape($adh->ip)."'";
+ $resql = $db->query($sql);
+ if ($resql) {
+ $num = $db->num_rows($resql);
+ $i = 0;
+ while ($i < $num) {
+ $i++;
+ $obj = $db->fetch_object($resql);
+ $nb_post_ip = $obj->nb_adh;
+ }
+ }
+ }
+
+
 // Fill array 'array_options' with data from add form
 $extrafields->fetch_name_optionals_label($adh->table_element);
 $ret = $extrafields->setOptionalsFromPost(null, $adh);
 if ($ret < 0) {
 $error++;
+ $errmsg .= $adh->error;
+ }
+
+ if ($nb_post_max > 0 && $nb_post_ip >= $nb_post_max) {
+ $error++;
+ $errmsg .= $langs->trans("AlreadyTooMuchPostOnThisIPAdress");
+ array_push($adh->errors, $langs->trans("AlreadyTooMuchPostOnThisIPAdress"));
 }
 if (!$error) {
From c11fc9d3e578c910929bfa45f5c244a7a8d25bb1 Mon Sep 17 00:00:00 2001
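Review bot: `Adherent::create()` now reads `$this->ip` (hunk `@@ -615`), but nothing in this patch declares the property — the adherent.class.php diffstat (`3 ++-`) is fully accounted for by the two visible hunks — so unless `CommonObject` or an earlier patch in the series declares it, `$adh->ip = getUserRemoteIP();` in members/new.php creates a dynamic property, which PHP 8.2 deprecates; add `/** @var string Remote IP address recorded for creations from public pages */ public $ip;` next to the other properties of `Adherent`. In the members/new.php hunk the limit is evaluated only after `setOptionalsFromPost()` has run; performing the cheap IP check before the object is populated would spare that work for rejected requests (minor). The enclosing `if (empty($reshook) && $action == 'add')` block continues past the hunk.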
From: Faustin
Date: Thu, 24 Nov 2022 14:30:34 +0100
Subject: [PATCH 10/16] unwanted commented code
---
 htdocs/public/project/viewandvote.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/htdocs/public/project/viewandvote.php b/htdocs/public/project/viewandvote.php
index 4e8b6b19ddc..1d9fc58c810 100644
--- a/htdocs/public/project/viewandvote.php
+++ b/htdocs/public/project/viewandvote.php
@@ -70,10 +70,10 @@ $id = GETPOST('id');
 $securekeyreceived = GETPOST("securekey");
 $securekeytocompare = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'conferenceorbooth'.$id, 'md5');
-// if ($securekeytocompare != $securekeyreceived) {
-// print $langs->trans('MissingOrBadSecureKey');
-// exit;
-// }
+if ($securekeytocompare != $securekeyreceived) {
+ print $langs->trans('MissingOrBadSecureKey');
+ exit;
+}
 $listofvotes = explode(',', $_SESSION["savevotes"]);
From 53a1867be8ae6a9bc5634119d4a1e25e46786bc1 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 24 Nov 2022 16:40:44 +0100
Subject: [PATCH 11/16] Fix phpcs
---
 htdocs/core/class/html.formprojet.class.php | 2 +-
 htdocs/core/db/DoliDB.class.php | 9 +++------
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/htdocs/core/class/html.formprojet.class.php b/htdocs/core/class/html.formprojet.class.php
index aedff703a19..430c3a708d2 100644
--- a/htdocs/core/class/html.formprojet.class.php
+++ b/htdocs/core/class/html.formprojet.class.php
@@ -188,7 +188,7 @@ class FormProjets
 $sql .= natural_search(array('p.title', 'p.ref'), $filterkey);
 }
 if ($morefilter) {
- $sql .= ' AND ('.$morefilter.')';
+ $sql .= ' AND ('.$this->db->sanitize($morefilter, 0, 1).')';
 }
 $sql .= " ORDER BY p.ref ASC";
diff --git a/htdocs/core/db/DoliDB.class.php b/htdocs/core/db/DoliDB.class.php
index 2d2ea33a6c5..16b2fd956fe 100644
--- a/htdocs/core/db/DoliDB.class.php
+++ b/htdocs/core/db/DoliDB.class.php
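Review bot: The re-enabled guard in viewandvote.php compares the expected digest with the request value using loose `!=`; PHP compares numeric-looking strings numerically (hex digests that happen to start with `0e` are one case), and the comparison is not constant-time either. Use `if (!hash_equals($securekeytocompare, (string) $securekeyreceived)) {` instead, which addresses both, and consider `GETPOST('securekey', 'alpha')` so the value is filtered like the other inputs on this page. The key itself is derived with `dol_hash(..., 'md5')` on a context line; that predates this patch and is unchanged here.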
@@ -136,15 +136,12 @@ abstract class DoliDB implements Database
 *
 * @param string $stringtosanitize String to escape
 * @param int $allowsimplequote 1=Allow simple quotes in string. When string is used as a list of SQL string ('aa', 'bb', ...)
+ * @param string $allowsequals 1=Allow equals sign
 * @return string String escaped
 */
- public function sanitize($stringtosanitize, $allowsimplequote = 0)
+ public function sanitize($stringtosanitize, $allowsimplequote = 0, $allowsequals = 0)
 {
- if ($allowsimplequote) {
- return preg_replace('/[^a-z0-9_\-\.,\']/i', '', $stringtosanitize);
- } else {
- return preg_replace('/[^a-z0-9_\-\.,]/i', '', $stringtosanitize);
- }
+ return preg_replace('/[^a-z0-9_\-\.,'.($allowsequals ? '=' : '').($allowsimplequote ? "\'" : '').']/i', '', $stringtosanitize);
 }
 /**
From 5135ea9a86272933131035923056f47b667b4fa1 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 24 Nov 2022 16:58:31 +0100
Subject: [PATCH 12/16] Move asset module as experimental
---
 htdocs/core/modules/modAsset.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/core/modules/modAsset.class.php b/htdocs/core/modules/modAsset.class.php
index a0fb405887e..3a7caa1cb57 100644
--- a/htdocs/core/modules/modAsset.class.php
+++ b/htdocs/core/modules/modAsset.class.php
@@ -63,7 +63,7 @@ class modAsset extends DolibarrModules
 $this->descriptionlong = "Asset module to manage assets module and depreciation charge on Dolibarr";
 // Possible values for version are: 'development', 'experimental', 'dolibarr', 'dolibarr_deprecated' or a version string like 'x.y.z'
- $this->version = '
development';
+ $this->version = 'experimental';
 // Key used in llx_const table to save module status enabled/disabled (where ASSETS is value of property name of module in uppercase)
 $this->const_name = 'MAIN_MODULE_'.strtoupper($this->name);
 // Name of image file used for this module.
From 1a5d719de3a9f68e6730a4dd435eb55492f5ddd8 Mon Sep 17 00:00:00 2001
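Review bot: The added `@param string $allowsequals` does not match how the parameter is used — it is a 0/1 flag exactly like `$allowsimplequote` — so it should read `@param int $allowsequals 1=Allow equals sign`. The docblock should also state that the whitelist strips whitespace along with every other character: a `$morefilter` such as `p.fk_statut = 1` passed through the new `sanitize($morefilter, 0, 1)` call in FormProjets (previous hunk) becomes `p.fk_statut=1`, and a multi-term filter containing `AND` would collapse into an invalid expression, so if callers pass such filters the whitelist needs a space (or those callers need a structured filter API). In the pattern, `"\'"` inside a double-quoted string yields the two characters `\'`, which PCRE tolerates inside a class, but `"'"` expresses the same thing without relying on an unrecognised escape.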
From: andreubisquerra
Date: Thu, 24 Nov 2022 18:26:47 +0100
Subject: [PATCH 13/16] FIX TakePOS head bar scroll in mobile
---
 htdocs/takepos/css/pos.css.php | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/htdocs/takepos/css/pos.css.php b/htdocs/takepos/css/pos.css.php
index 6f72fa6e7f2..e69a0fe7f76 100644
--- a/htdocs/takepos/css/pos.css.php
+++ b/htdocs/takepos/css/pos.css.php
@@ -337,7 +337,8 @@ div.paymentbordline
 width: 100%;
 height: 100%;
 margin: 0 auto;
- overflow: visible;
+ overflow-x: hidden;
+ overfloy-y: scroll;
 box-sizing: border-box;
 }
@@ -364,6 +365,7 @@ div.paymentbordline
 margin: 0 auto;
 width: 100%;
 height: 55%;
+ overflow: hidden;
 }
 .div1{
@@ -940,17 +942,19 @@ div#moreinfo, div#infowarehouse {
 }
 }
-.arrows {
- display: none;
- position: absolute;
- justify-content: space-between;
- width: 100%;
-}
-
 .indicator {
 background: #00000042;
 padding: 15px 5px;
 cursor: pointer;
+ position:absolute;
+}
+
+.indicator.left {
+ left:0;
+}
+
+.indicator.right {
+ right:0;
 }
 .indicator:hover {
From 848328da9ffd737c2ac65c2c6520b9d3cf444153 Mon Sep 17 00:00:00 2001
From: stickler-ci
Date: Thu, 24 Nov 2022 17:29:34 +0000
Subject: [PATCH 14/16] Fixing style errors.
---
 htdocs/takepos/css/pos.css.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/takepos/css/pos.css.php b/htdocs/takepos/css/pos.css.php
index e69a0fe7f76..a1d8c80d048 100644
--- a/htdocs/takepos/css/pos.css.php
+++ b/htdocs/takepos/css/pos.css.php
@@ -338,7 +338,7 @@ div.paymentbordline
 height: 100%;
 margin: 0 auto;
 overflow-x: hidden;
- overfloy-y: scroll;
+ overfloy-y: scroll;
 box-sizing: border-box;
 }
From ce5bb5cd64bd07f523873ef02a586a742a9ccac7 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 24 Nov 2022 22:48:37 +0100
Subject: [PATCH 15/16] Fix warning
---
 htdocs/api/admin/index.php | 2 +-
 htdocs/commande/class/commande.class.php | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
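Review bot: `overfloy-y: scroll;` in the `@@ -337` hunk is a typo for `overflow-y: scroll;`, so browsers drop the declaration and the container only gets `overflow-x: hidden`; the follow-up style fix (patch 14, `@@ -338`) re-indents the same line without correcting the property name. Change the added line to `overflow-y: scroll;` in both places.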
diff --git a/htdocs/api/admin/index.php b/htdocs/api/admin/index.php
index cd1208516e3..b9548c7f69e 100644
--- a/htdocs/api/admin/index.php
+++ b/htdocs/api/admin/index.php
@@ -148,7 +148,7 @@ print '';
 print ''.$langs->trans("RESTRICT_ON_IP");
 print ' '.$langs->trans("Example").': '.$langs->trans("IPListExample");
 print '';
-print '';
+print '';
 print '';
 print '';
 print '';
diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php
index 99a8e31521c..73988594e6f 100644
--- a/htdocs/commande/class/commande.class.php
+++ b/htdocs/commande/class/commande.class.php
@@ -3656,8 +3656,8 @@ class Commande extends CommonOrder
 }
 $statusType = 'status4';
 } elseif ($status == self::STATUS_CLOSED && (!$billed && empty($conf->global->WORKFLOW_BILL_ON_SHIPMENT))) {
- $labelStatus = $langs->transnoentitiesnoconv('StatusOrderToBill');
- $labelStatusShort = $langs->transnoentitiesnoconv('StatusOrderToBillShort');
+ $labelStatus = $langs->transnoentitiesnoconv('StatusOrderToBill'); // translated into Delivered
+ $labelStatusShort = $langs->transnoentitiesnoconv('StatusOrderToBillShort'); // translated into Delivered
 $statusType = 'status4';
 } elseif ($status == self::STATUS_CLOSED && ($billed && empty($conf->global->WORKFLOW_BILL_ON_SHIPMENT))) {
 $labelStatus = $langs->transnoentitiesnoconv('StatusOrderProcessed').$billedtext;
From 9d566c41dfe0aece76d1686810029c8dd8c46ab5 Mon Sep 17 00:00:00 2001
From: hystepik
Date: Thu, 24 Nov 2022 22:52:05 +0100
Subject: [PATCH 16/16] Fix : api warning php 8.1
---
 .../restler/framework/Luracast/Restler/CommentParser.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/includes/restler/framework/Luracast/Restler/CommentParser.php b/htdocs/includes/restler/framework/Luracast/Restler/CommentParser.php
index ce148874d02..a89a017b0fb 100644
--- a/htdocs/includes/restler/framework/Luracast/Restler/CommentParser.php
+++ b/htdocs/includes/restler/framework/Luracast/Restler/CommentParser.php
@@ -403,8 +403,8 @@ class CommentParser
 $code = 500;
 $exception = 'Exception';
 if (count($value) > 1) {
- $v1 = $value[0];
- $v2 = $value[1];
+ $v1 = empty($value[0]) ? null : $value[0];
+ $v2 = empty($value[1]) ? null : $value[1];
 if (is_numeric($v1)) {
 $code = $v1;
 $exception = $v2;