From 9764c85ee3abda4680bedaa7ac0e46c584ccfd4a Mon Sep 17 00:00:00 2001
From: ptibogxiv
Date: Mon, 27 Apr 2020 19:15:17 +0200
Subject: [PATCH 1/3] FIX files download by API/entity

TODO need more clean of this file with multicompany
---
 htdocs/core/lib/files.lib.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php
index 9746c1047b8..288a28c111a 100644
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@@ -2419,7 +2419,7 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 $original_file = $conf->agenda->dir_output.'/'.$original_file;
 }
 // Wrapping for categories
- elseif ($modulepart == 'category' && !empty($conf->categorie->dir_output))
+ elseif ($modulepart == 'category' && !empty($conf->categorie->multidir_output[$entity]))
 {
 if (empty($entity) || empty($conf->categorie->multidir_output[$entity])) return array('accessallowed'=>0, 'error'=>'Value entity must be provided');
 if ($fuser->rights->categorie->{$lire}) $accessallowed = 1;
@@ -2489,7 +2489,7 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 }
 // Wrapping for third parties
- elseif (($modulepart == 'company' || $modulepart == 'societe' || $modulepart == 'thirdparty') && !empty($conf->societe->dir_output))
+ elseif (($modulepart == 'company' || $modulepart == 'societe' || $modulepart == 'thirdparty') && !empty($conf->societe->multidir_output[$entity]))
 {
 if (empty($entity) || empty($conf->societe->multidir_output[$entity])) return array('accessallowed'=>0, 'error'=>'Value entity must be provided');
 if ($fuser->rights->societe->{$lire} || preg_match('/^specimen/i', $original_file))
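Review bot: With the branch guard changed to `!empty($conf->categorie->multidir_output[$entity])`, the `return array('accessallowed'=>0, 'error'=>'Value entity must be provided')` on the next line can no longer fire for a missing entity: an empty `$entity` makes the guard itself false, so the request silently falls through to the later `elseif` branches instead of returning the explicit error. The `societe` guards in the @@ -2489 and @@ -2501 hunks have the same issue. If fall-through is intended, the now-unreachable half of the inner check should be removed; if the explicit rejection is wanted, the guard must stay true for an empty `$entity`, e.g. `elseif ($modulepart == 'category' && !empty($conf->categorie->multidir_output))` testing the module's array rather than the `[$entity]` element, so the inner check is actually reached. What the function does for an unmatched `$modulepart` is outside these hunks, so the effect on `$accessallowed` cannot be confirmed here; dol_check_secure_access_document starts and ends outside the hunk.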
@@ -2501,7 +2501,7 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 }
 // Wrapping for contact
- elseif ($modulepart == 'contact' && !empty($conf->societe->dir_output))
+ elseif ($modulepart == 'contact' && !empty($conf->societe->multidir_output[$entity]))
 {
 if (empty($entity) || empty($conf->societe->multidir_output[$entity])) return array('accessallowed'=>0, 'error'=>'Value entity must be provided');
 if ($fuser->rights->societe->{$lire})
@@ -2519,7 +2519,7 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 $accessallowed = 1;
 }
 $original_file = $conf->facture->multidir_output[$entity].'/'.$original_file;
- $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."facture WHERE ref='".$db->escape($refname)."' AND entity=".$conf->entity;
+ $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."facture WHERE ref='".$db->escape($refname)."' AND entity IN (".getEntity('invoice').")";
 }
 // Wrapping for mass actions
 elseif ($modulepart == 'massfilesarea_proposals' && !empty($conf->propal->multidir_output[$entity]))
@@ -2632,7 +2632,7 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 $accessallowed = 1;
 }
 $original_file = $conf->propal->multidir_output[$entity].'/'.$original_file;
- $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."propal WHERE ref='".$db->escape($refname)."' AND entity=".$conf->entity;
+ $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."propal WHERE ref='".$db->escape($refname)."' AND entity IN (".getEntity('propal').")";
 }
 // Wrapping pour les commandes
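Review bot: The ownership query `AND entity IN (".getEntity('invoice').")"` in the @@ -2519 hunk no longer ties the `fk_soc` lookup to the entity whose directory is being served: the file path is built from `$conf->facture->multidir_output[$entity]`, but the protection query now accepts a row from any entity returned by `getEntity('invoice')`. If the same `ref` exists in more than one of those entities (references are presumably unique only per entity), the `fk_soc` used for the external-user check can belong to an entity other than the one the file comes from. Keeping the commit's multicompany scope while pinning the row to the served directory would read `AND entity IN (".getEntity('invoice').") AND entity = ".((int) $entity)`. The @@ -2632 (propal) and @@ -2643 (commande) hunks have the same mismatch; how `$sqlprotectagainstexternals` is consumed and whether `$entity` was validated earlier lies outside the hunk, so this is inferred from the query alone.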
@@ -2643,7 +2643,7 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 $accessallowed = 1;
 }
 $original_file = $conf->commande->multidir_output[$entity].'/'.$original_file;
- $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."commande WHERE ref='".$db->escape($refname)."' AND entity=".$conf->entity;
+ $sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."commande WHERE ref='".$db->escape($refname)."' AND entity IN (".getEntity('order').")";
 }
 // Wrapping pour les projets

From 4a8173f498b4a95366263fcc4751ccad1778d96d Mon Sep 17 00:00:00 2001
From: Tim Otte
Date: Tue, 28 Apr 2020 12:40:10 +0200
Subject: [PATCH 2/3] Fixed search_projectstatus to allow default values

---
 htdocs/projet/tasks/list.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/htdocs/projet/tasks/list.php b/htdocs/projet/tasks/list.php
index 67131c29ef4..ccd3d28ba31 100644
--- a/htdocs/projet/tasks/list.php
+++ b/htdocs/projet/tasks/list.php
@@ -45,12 +45,14 @@ $id = GETPOST('id', 'int');
 $search_all = trim((GETPOST('search_all', 'alphanohtml') != '') ?GETPOST('search_all', 'alphanohtml') : GETPOST('sall', 'alphanohtml'));
 $search_categ = GETPOST("search_categ", 'alpha');
 $search_project = GETPOST('search_project');
-if (!isset($_GET['search_projectstatus']) && !isset($_POST['search_projectstatus']))
+
+$search_projectstatus = GETPOST('search_projectstatus');
+if (!isset($search_projectstatus) || $search_projectstatus == '')
 {
 if ($search_all != '') $search_projectstatus = -1;
 else $search_projectstatus = 1;
 }
-else $search_projectstatus = GETPOST('search_projectstatus');
+
 $search_project_ref = GETPOST('search_project_ref');
 $search_project_title = GETPOST('search_project_title');
 $search_task_ref = GETPOST('search_task_ref');

From 947609fc122f9bb89eea7cb6ceff0e532a97835b Mon Sep 17 00:00:00 2001
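Review bot: In the @@ -45 hunk of list.php, `!isset($search_projectstatus)` on the line after `$search_projectstatus = GETPOST('search_projectstatus');` is only meaningful if GETPOST can return null, which nothing in the hunk establishes; the `== ''` half is what detects an absent or blank parameter, so the `isset` test can be dropped. The parameter is also read without a check type while the neighbouring `GETPOST("search_categ", 'alpha')` passes one; if the status later feeds the SQL filter, an explicit type such as `GETPOST('search_projectstatus', 'alpha')` is the safer form, provided an absent parameter still yields `''` so the default branch applies. Where the value is consumed is outside the hunk.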
From: Tim Otte
Date: Tue, 28 Apr 2020 12:59:15 +0200
Subject: [PATCH 3/3] Minor fix

---
 htdocs/projet/tasks/list.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/projet/tasks/list.php b/htdocs/projet/tasks/list.php
index 5b60e1ef3bc..113f02670f0 100644
--- a/htdocs/projet/tasks/list.php
+++ b/htdocs/projet/tasks/list.php
@@ -47,7 +47,7 @@ $search_categ = GETPOST("search_categ", 'alpha');
 $search_project = GETPOST('search_project');
 $search_projectstatus = GETPOST('search_projectstatus');
-if (!isset($search_projectstatus) || $search_projectstatus == '')
+if (!isset($search_projectstatus) || $search_projectstatus === '')
 {
 if ($search_all != '') $search_projectstatus = -1;
 else $search_projectstatus = 1;
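Review bot: After the strict `=== ''` test, `$search_projectstatus` still holds a string when the parameter was submitted but an int (`-1` or `1`) when the default branch runs, so any downstream strict comparison or `in_array(..., true)` would behave differently on the two paths. Assigning the defaults as strings, `$search_projectstatus = '-1';` and `$search_projectstatus = '1';`, or casting once after the block, keeps the variable's type uniform. Which of the two fits depends on how the status is consumed further down, which is outside the hunk.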