Merge branch 'develop' of ssh://git@github.com/Dolibarr/dolibarr.git

into develop

Conflicts:
	htdocs/admin/boxes.php
	htdocs/admin/ihm.php
	htdocs/core/lib/usergroups.lib.php
	htdocs/main.inc.php
This commit is contained in:
Laurent Destailleur 2011-11-02 22:51:52 +01:00
commit 9444e8d63d
7 changed files with 32 additions and 37 deletions


@ -28,10 +28,11 @@ include_once(DOL_DOCUMENT_ROOT."/core/lib/admin.lib.php");
$langs->load("admin");
$id=GETPOST('rowid','int');
if (!$user->admin) accessforbidden();
$rowid = GETPOST('rowid','int');
$action = GETPOST('action');
// Definition des positions possibles pour les boites
$pos_array = array(0); // Positions possibles pour une boite (0,1,2,...)
$pos_name = array(0=>$langs->trans("Home")); // Nom des positions 0=Homepage, 1=...
@ -41,13 +42,13 @@ $boxes = array();
/*
* Actions
*/
if ($action == 'addconst')
if ((isset($_POST["action"]) && $_POST["action"] == 'addconst'))
{
dolibarr_set_const($db, "MAIN_BOXES_MAXLINES",$_POST["MAIN_BOXES_MAXLINES"],'',0,'',$conf->entity);
}
if ($_POST["action"] == 'add')
if ($action == 'add')
{
$sql = "SELECT rowid";
$sql.= " FROM ".MAIN_DB_PREFIX."boxes";
@ -98,12 +99,12 @@ if ($_POST["action"] == 'add')
}
}
if ($_GET["action"] == 'delete')
if ($action == 'delete')
{
$db->begin();
$sql = "DELETE FROM ".MAIN_DB_PREFIX."boxes";
$sql.= " WHERE rowid=".$id;
$sql.= " WHERE rowid=".$rowid;
$resql = $db->query($sql);
// Remove all personalized setup when a box is activated or disabled
@ -114,7 +115,7 @@ if ($_GET["action"] == 'delete')
$db->commit();
}
if ($_GET["action"] == 'switch')
if ($action == 'switch')
{
// On permute les valeur du champ box_order des 2 lignes de la table boxes
$db->begin();
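Review bot: Switching the `'addconst'` test at L30 from `$_POST["action"]` to `$action` widens a state-changing action to GET requests if `GETPOST()` consults `$_GET` before `$_POST` (as Dolibarr's helper does), while the branch body at L33 still takes its value from `$_POST["MAIN_BOXES_MAXLINES"]`, so a bare `?action=addconst` URL would store an empty constant. The same widening applies to the `'update'` branches in the later sections whose hunks start at L83, L153 and L180. A cheap guard is to keep the method explicit, `if ($action == 'addconst' && $_SERVER['REQUEST_METHOD'] == 'POST')`, or to read the value with `GETPOST('MAIN_BOXES_MAXLINES','int')` and skip the write when it is empty. The `'delete'` branch at L44 concatenates `$rowid` into the SQL at L49; the 'int' filter keeps it numeric, but an absent parameter leaves `WHERE rowid=` with nothing after it, so `if ($rowid > 0)` before `$db->begin()` is worth adding.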


@ -37,23 +37,21 @@ $langs->load("companies");
$langs->load("products");
$langs->load("members");
if (!$user->admin) accessforbidden();
if (! $user->admin) accessforbidden();
$action = GETPOST('action');
if (! defined("MAIN_MOTD")) define("MAIN_MOTD","");
// List of supported permanent search area
$searchform=array( "MAIN_SEARCHFORM_SOCIETE","MAIN_SEARCHFORM_CONTACT",
"MAIN_SEARCHFORM_PRODUITSERVICE","MAIN_SEARCHFORM_ADHERENT");
$searchformconst=array($conf->global->MAIN_SEARCHFORM_SOCIETE,$conf->global->MAIN_SEARCHFORM_CONTACT,
$conf->global->MAIN_SEARCHFORM_PRODUITSERVICE,$conf->global->MAIN_SEARCHFORM_ADHERENT);
$searchformtitle=array($langs->trans("Companies"),$langs->trans("Contacts"),
$langs->trans("ProductsAndServices"),$langs->trans("Members"));
$searchformmodule=array('Module1Name','Module1Name',
'Module50Name','Module310Name');
$searchform=array("MAIN_SEARCHFORM_SOCIETE","MAIN_SEARCHFORM_CONTACT", "MAIN_SEARCHFORM_PRODUITSERVICE","MAIN_SEARCHFORM_ADHERENT");
$searchformconst=array($conf->global->MAIN_SEARCHFORM_SOCIETE,$conf->global->MAIN_SEARCHFORM_CONTACT,$conf->global->MAIN_SEARCHFORM_PRODUITSERVICE,$conf->global->MAIN_SEARCHFORM_ADHERENT);
$searchformtitle=array($langs->trans("Companies"),$langs->trans("Contacts"),$langs->trans("ProductsAndServices"),$langs->trans("Members"));
$searchformmodule=array('Module1Name','Module1Name','Module50Name','Module310Name');
if (isset($_POST["action"]) && $_POST["action"] == 'update')
if ($action == 'update')
{
dolibarr_set_const($db, "MAIN_LANG_DEFAULT", $_POST["main_lang_default"],'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_MULTILANGS", $_POST["main_multilangs"],'chaine',0,'',$conf->entity);
@ -101,7 +99,7 @@ print $langs->trans("DisplayDesc")."<br>\n";
print "<br>\n";
if (isset($_GET["action"]) && $_GET["action"] == 'edit') // Edit
if ($action == 'edit') // Edit
{
print '<form method="post" action="'.$_SERVER["PHP_SELF"].'">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
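Review bot: The four arrays at L79-L82 are kept in step only by position (`$searchform[2]` must line up with `$searchformconst[2]`, `$searchformtitle[2]` and `$searchformmodule[2]`), and collapsing each onto a single line makes that alignment harder to check by eye, not easier. One keyed array, `$searchform = array('MAIN_SEARCHFORM_SOCIETE' => array('const' => $conf->global->MAIN_SEARCHFORM_SOCIETE, 'title' => $langs->trans("Companies"), 'module' => 'Module1Name'), ...)`, would tie each constant to its own label and module and remove the chance of the lists drifting apart. The `'update'` branch at L84 also still copies raw `$_POST` values into constants at L86-L87; reading them with `GETPOST('main_lang_default','alpha')` would match the filtering this commit introduces at L114.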


@ -84,7 +84,7 @@ function test_sql_and_script_inject($val, $get)
// For XSS Injection done by adding javascript with script
$sql_inj += preg_match('/<script/i', $val);
if ($get) $sql_inj += preg_match('/javascript:/i', $val);
// For XSS Injection done by adding javascript with onmousemove, etc... (closing a src or href tag with not cleaned param)
// For XSS Injection done by adding javascript with onmousemove, etc... (closing a src or href tag with not cleaned param)
if ($get) $sql_inj += preg_match('/"/i', $val); // We refused " in GET parameters value
return $sql_inj;
}


@ -36,7 +36,7 @@ $langs->load("companies");
$socid=0;
if ($user->societe_id > 0) $socid = $user->societe_id;
$sall=GETPOST("sall");
$sall=GETPOST('sall','alpha');
$sortfield = GETPOST("sortfield",'alpha');
$sortorder = GETPOST("sortorder",'alpha');
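Review bot: `GETPOST('sall','alpha')` at L114 filters the free-text search term, but what the 'alpha' filter strips is not visible here and it is not a substitute for escaping at the point where `$sall` is spliced into the query (outside this hunk); that code should still pass it through `$db->escape($sall)`. A short comment above L114 such as `// 'alpha' limits the accepted characters; SQL escaping still happens where $sall enters the query` would record that split of responsibilities for the next reader.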


@ -37,11 +37,11 @@ $fuser->fetch($id);
$socid=0;
if ($user->societe_id > 0) $socid = $user->societe_id;
$feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
if ($user->id == $_GET["id"]) // A user can always read its own card
if ($user->id == $id) // A user can always read its own card
{
$feature2='';
}
$result = restrictedArea($user, 'user', $_GET["id"], '', $feature2);
$result = restrictedArea($user, 'user', $id, '', $feature2);
// If user is not user read and no permission to read other users, we stop
if (($fuser->id != $user->id) && (! $user->rights->user->user->lire))
@ -55,7 +55,7 @@ if (($fuser->id != $user->id) && (! $user->rights->user->user->lire))
llxHeader();
$fuser->info($_GET["id"]);
$fuser->info($id);
$head = user_prepare_head($fuser);


@ -26,8 +26,8 @@ require("../main.inc.php");
require_once(DOL_DOCUMENT_ROOT.'/core/lib/usergroups.lib.php');
require_once(DOL_DOCUMENT_ROOT.'/user/class/user.class.php');
$action=GETPOST('action');
$id=GETPOST('id','int');
$id = GETPOST('id','int');
$action = GETPOST('action');
$langs->load("companies");
$langs->load("members");
@ -57,7 +57,7 @@ $result = restrictedArea($user, 'user', $_GET["id"], '', $feature2);
/* Actions */
/******************************************************************************/
if ($_POST["action"] == 'update' && $user->rights->user->user->creer && ! $_POST["cancel"])
if ($action == 'update' && $user->rights->user->user->creer && ! $_POST["cancel"])
{
$db->begin();
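Review bot: `! $_POST["cancel"]` at L154 raises an undefined-index notice whenever the form is submitted without the cancel button, and now that the `'update'` branch is entered from `$action` rather than `$_POST["action"]` it can also run on a request that carries no POST body at all. Reading it the same way as the other parameters, `if ($action == 'update' && $user->rights->user->user->creer && ! GETPOST('cancel'))`, removes the notice; the body of the branch continues past the end of the hunk.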


@ -32,11 +32,12 @@ $langs->load("admin");
$langs->load("users");
$langs->load("languages");
$id=GETPOST('id','int');
// Defini si peux lire/modifier permisssions
$canreaduser=($user->admin || $user->rights->user->user->lire);
$id = GETPOST('id','int');
$action = GETPOST('action');
if ($id)
{
// $user est le user qui edite, $id est l'id de l'utilisateur edite
@ -56,7 +57,6 @@ if ($user->id == $id) // A user can always read its own card
$result = restrictedArea($user, 'user', $id, '', $feature2);
if ($user->id <> $id && ! $canreaduser) accessforbidden();
$dirtop = "../core/menus/standard";
$dirleft = "../core/menus/standard";
@ -77,13 +77,9 @@ $formadmin=new FormAdmin($db);
/*
* Actions
*/
if ($_POST["action"] == 'update' && ($caneditfield || $user->admin))
if ($action == 'update' && ($caneditfield || $user->admin))
{
if ($_POST["cancel"])
{
$_GET["id"]=$_POST["id"];
}
else
if (! $_POST["cancel"])
{
$tabparam=array();
@ -106,7 +102,7 @@ if ($_POST["action"] == 'update' && ($caneditfield || $user->admin))
$_SESSION["mainmenu"]=""; // Le gestionnaire de menu a pu changer
Header('Location: '.$_SERVER["PHP_SELF"].'?id='.$_POST["id"]);
Header('Location: '.$_SERVER["PHP_SELF"].'?id='.$id);
exit;
}
}
@ -152,7 +148,7 @@ if ($_GET["action"] == 'edit')
print '<form method="post" action="'.$_SERVER["PHP_SELF"].'">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="update">';
print '<input type="hidden" name="id" value="'.$_GET["id"].'">';
print '<input type="hidden" name="id" value="'.$id.'">';
clearstatcache();
$var=true;
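Review bot: The hunk at L171-L175 removes one line (`-56,7 +57,6`), and without markers I cannot tell whether it is a blank line or the `$canreaduser` guard at L173; if the guard is gone, a non-admin without the user-read permission would reach this page for another user's id as soon as `restrictedArea()` at L172 accepts it, so please confirm that `restrictedArea` covers that case or keep `if ($user->id <> $id && ! $canreaduser) accessforbidden();`. Separately, the rewritten `if (! $_POST["cancel"])` at L188 reads a POST key inside a branch now selected by `$action`, the same pattern as in the section starting at L153, and `GETPOST('cancel')` avoids the notice when the key is absent.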