From 765b1a858a076e0bc44401c76061803821ca5ee4 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Wed, 15 Mar 2023 09:44:50 +0100 Subject: [PATCH] FIX Protection on agenda view for a thirdparty id that does not exist --- htdocs/societe/agenda.php | 185 +++++++++++++++++++------------------- 1 file changed, 94 insertions(+), 91 deletions(-) diff --git a/htdocs/societe/agenda.php b/htdocs/societe/agenda.php index af8cc51b771..89fe0aca071 100644 --- a/htdocs/societe/agenda.php +++ b/htdocs/societe/agenda.php @@ -79,9 +79,16 @@ $socid = GETPOST('socid', 'int'); if ($user->socid) { $socid = $user->socid; } + +$result = $object->fetch($socid); +if ($result <= 0) { + accessforbidden('Third party not found'); +} + $result = restrictedArea($user, 'societe', $socid, '&societe'); + /* * Actions */ @@ -114,108 +121,104 @@ if (empty($reshook)) { $form = new Form($db); -if ($socid > 0) { - $result = $object->fetch($socid); +$title = $langs->trans("Agenda"); +if (!empty($conf->global->MAIN_HTML_TITLE) && preg_match('/thirdpartynameonly/', $conf->global->MAIN_HTML_TITLE) && $object->name) { + $title = $object->name." - ".$title; +} +$help_url = ''; +llxHeader('', $title, $help_url); - $title = $langs->trans("Agenda"); - if (!empty($conf->global->MAIN_HTML_TITLE) && preg_match('/thirdpartynameonly/', $conf->global->MAIN_HTML_TITLE) && $object->name) { - $title = $object->name." - ".$title; +if (isModEnabled('notification')) { + $langs->load("mails"); +} +$head = societe_prepare_head($object); + + +print dol_get_fiche_head($head, 'agenda', $langs->trans("ThirdParty"), -1, $object->picto); + +$linkback = ''.$langs->trans("BackToList").''; + +$morehtmlref = ''; + +dol_banner_tab($object, 'socid', $linkback, ($user->socid ? 0 : 1), 'rowid', 'nom', $morehtmlref); + +print '
'; + +print '
'; + +$object->info($socid); +dol_print_object_info($object, 1); + +print '
'; + +print dol_get_fiche_end(); + + + +// Actions buttons + +$objthirdparty = $object; +$objcon = new stdClass(); + +$out = ''; +$permok = $user->hasRight('agenda', 'myactions', 'create'); +if ((!empty($objthirdparty->id) || !empty($objcon->id)) && $permok) { + if (is_object($objthirdparty) && get_class($objthirdparty) == 'Societe') { + $out .= '&originid='.$objthirdparty->id.($objthirdparty->id > 0 ? '&socid='.$objthirdparty->id : '').'&backtopage='.urlencode($_SERVER['PHP_SELF'].($objthirdparty->id > 0 ? '?socid='.$objthirdparty->id : '')); } - $help_url = ''; - llxHeader('', $title, $help_url); + $out .= (!empty($objcon->id) ? '&contactid='.$objcon->id : '').'&percentage=-1'; + $out .= '&datep='.dol_print_date(dol_now(), 'dayhourlog'); +} - if (isModEnabled('notification')) { - $langs->load("mails"); +$morehtmlright = ''; + +$messagingUrl = DOL_URL_ROOT.'/societe/messaging.php?socid='.$object->id; +$morehtmlright .= dolGetButtonTitle($langs->trans('ShowAsConversation'), '', 'fa fa-comments imgforviewmode', $messagingUrl, '', 1); +$messagingUrl = DOL_URL_ROOT.'/societe/agenda.php?socid='.$object->id; +$morehtmlright .= dolGetButtonTitle($langs->trans('MessageListViewType'), '', 'fa fa-bars imgforviewmode', $messagingUrl, '', 2); + +// // Show link to send an email (if read and not closed) +// $btnstatus = $object->status < Ticket::STATUS_CLOSED && $action != "presend" && $action != "presend_addmessage"; +// $url = 'card.php?track_id='.$object->track_id.'&action=presend_addmessage&mode=init&private_message=0&send_email=1&backtopage='.urlencode($_SERVER["PHP_SELF"].'?track_id='.$object->track_id).'#formmailbeforetitle'; +// $morehtmlright .= dolGetButtonTitle($langs->trans('SendMail'), '', 'fa fa-paper-plane', $url, 'email-title-button', $btnstatus); + +// // Show link to add a private message (if read and not closed) +// $btnstatus = $object->status < Ticket::STATUS_CLOSED && $action != "presend" && $action != "presend_addmessage"; +// $url = 'card.php?track_id='.$object->track_id.'&action=presend_addmessage&mode=init&backtopage='.urlencode($_SERVER["PHP_SELF"].'?track_id='.$object->track_id).'#formmailbeforetitle'; +// $morehtmlright .= dolGetButtonTitle($langs->trans('TicketAddMessage'), '', 'fa fa-comment-dots', $url, 'add-new-ticket-title-button', $btnstatus); + +if (isModEnabled('agenda')) { + if (!empty($user->rights->agenda->myactions->create) || !empty($user->rights->agenda->allactions->create)) { + $morehtmlright .= dolGetButtonTitle($langs->trans('AddAction'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/comm/action/card.php?action=create'.$out); } - $head = societe_prepare_head($object); +} +if (isModEnabled('agenda') && (!empty($user->rights->agenda->myactions->read) || !empty($user->rights->agenda->allactions->read))) { + print '
'; - print dol_get_fiche_head($head, 'agenda', $langs->trans("ThirdParty"), -1, $object->picto); - - $linkback = ''.$langs->trans("BackToList").''; - - $morehtmlref = ''; - - dol_banner_tab($object, 'socid', $linkback, ($user->socid ? 0 : 1), 'rowid', 'nom', $morehtmlref); - - print '
'; - - print '
'; - - $object->info($socid); - dol_print_object_info($object, 1); - - print '
'; - - print dol_get_fiche_end(); - - - - // Actions buttons - - $objthirdparty = $object; - $objcon = new stdClass(); - - $out = ''; - $permok = $user->hasRight('agenda', 'myactions', 'create'); - if ((!empty($objthirdparty->id) || !empty($objcon->id)) && $permok) { - if (is_object($objthirdparty) && get_class($objthirdparty) == 'Societe') { - $out .= '&originid='.$objthirdparty->id.($objthirdparty->id > 0 ? '&socid='.$objthirdparty->id : '').'&backtopage='.urlencode($_SERVER['PHP_SELF'].($objthirdparty->id > 0 ? '?socid='.$objthirdparty->id : '')); - } - $out .= (!empty($objcon->id) ? '&contactid='.$objcon->id : '').'&percentage=-1'; - $out .= '&datep='.dol_print_date(dol_now(), 'dayhourlog'); + $param = '&socid='.urlencode($socid); + if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) { + $param .= '&contextpage='.urlencode($contextpage); + } + if ($limit > 0 && $limit != $conf->liste_limit) { + $param .= '&limit='.urlencode($limit); } - $morehtmlright = ''; + // Try to know count of actioncomm from cache + require_once DOL_DOCUMENT_ROOT.'/core/lib/memory.lib.php'; + $cachekey = 'count_events_thirdparty_'.$object->id; + $nbEvent = dol_getcache($cachekey); - $messagingUrl = DOL_URL_ROOT.'/societe/messaging.php?socid='.$object->id; - $morehtmlright .= dolGetButtonTitle($langs->trans('ShowAsConversation'), '', 'fa fa-comments imgforviewmode', $messagingUrl, '', 1); - $messagingUrl = DOL_URL_ROOT.'/societe/agenda.php?socid='.$object->id; - $morehtmlright .= dolGetButtonTitle($langs->trans('MessageListViewType'), '', 'fa fa-bars imgforviewmode', $messagingUrl, '', 2); + // print load_fiche_titre($langs->trans("ActionsOnCompany"), $newcardbutton, ''); + print_barre_liste($langs->trans("ActionsOnCompany").(is_numeric($nbEvent) ? '('.$nbEvent.')': ''), 0, $_SERVER["PHP_SELF"], '', $sortfield, $sortorder, '', 0, -1, '', 0, $morehtmlright, '', 0, 1, 1); - // // Show link to send an email (if read and not closed) - // $btnstatus = $object->status < Ticket::STATUS_CLOSED && $action != "presend" && $action != "presend_addmessage"; - // $url = 'card.php?track_id='.$object->track_id.'&action=presend_addmessage&mode=init&private_message=0&send_email=1&backtopage='.urlencode($_SERVER["PHP_SELF"].'?track_id='.$object->track_id).'#formmailbeforetitle'; - // $morehtmlright .= dolGetButtonTitle($langs->trans('SendMail'), '', 'fa fa-paper-plane', $url, 'email-title-button', $btnstatus); + // List of all actions + $filters = array(); + $filters['search_agenda_label'] = $search_agenda_label; + $filters['search_rowid'] = $search_rowid; - // // Show link to add a private message (if read and not closed) - // $btnstatus = $object->status < Ticket::STATUS_CLOSED && $action != "presend" && $action != "presend_addmessage"; - // $url = 'card.php?track_id='.$object->track_id.'&action=presend_addmessage&mode=init&backtopage='.urlencode($_SERVER["PHP_SELF"].'?track_id='.$object->track_id).'#formmailbeforetitle'; - // $morehtmlright .= dolGetButtonTitle($langs->trans('TicketAddMessage'), '', 'fa fa-comment-dots', $url, 'add-new-ticket-title-button', $btnstatus); - - if (isModEnabled('agenda')) { - if (!empty($user->rights->agenda->myactions->create) || !empty($user->rights->agenda->allactions->create)) { - $morehtmlright .= dolGetButtonTitle($langs->trans('AddAction'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/comm/action/card.php?action=create'.$out); - } - } - - if (isModEnabled('agenda') && (!empty($user->rights->agenda->myactions->read) || !empty($user->rights->agenda->allactions->read))) { - print '
'; - - $param = '&socid='.urlencode($socid); - if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) { - $param .= '&contextpage='.urlencode($contextpage); - } - if ($limit > 0 && $limit != $conf->liste_limit) { - $param .= '&limit='.urlencode($limit); - } - - // Try to know count of actioncomm from cache - require_once DOL_DOCUMENT_ROOT.'/core/lib/memory.lib.php'; - $cachekey = 'count_events_thirdparty_'.$object->id; - $nbEvent = dol_getcache($cachekey); - - // print load_fiche_titre($langs->trans("ActionsOnCompany"), $newcardbutton, ''); - print_barre_liste($langs->trans("ActionsOnCompany").(is_numeric($nbEvent) ? '('.$nbEvent.')': ''), 0, $_SERVER["PHP_SELF"], '', $sortfield, $sortorder, '', 0, -1, '', 0, $morehtmlright, '', 0, 1, 1); - - // List of all actions - $filters = array(); - $filters['search_agenda_label'] = $search_agenda_label; - $filters['search_rowid'] = $search_rowid; - - // TODO Replace this with same code than into list.php - show_actions_done($conf, $langs, $db, $object, null, 0, $actioncode, '', $filters, $sortfield, $sortorder, $object->module); - } + // TODO Replace this with same code than into list.php + show_actions_done($conf, $langs, $db, $object, null, 0, $actioncode, '', $filters, $sortfield, $sortorder, $object->module); } // End of page