Disable a public ajax page

This commit is contained in:
Laurent Destailleur 2023-02-21 20:42:46 +01:00
parent 93fdefcd3e
commit ac3f9e3830
4 changed files with 27 additions and 8 deletions


@ -329,7 +329,9 @@ if (!empty($conf->global->TICKET_ENABLE_PUBLIC_INTERFACE)) {
print '</td>';
print '</tr>';
// Create third-party with contact if email not linked to a contact
// Auto fill the contact found from email
// This option is a serious security hole. it allowe to any non looged perso, to get the database of contacts
/*
print '<tr class="oddeven"><td>'.$langs->trans("TicketCreateThirdPartyWithContactIfNotExist").'</td>';
print '<td class="left">';
if (empty(getDolGlobalInt('TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST'))) {
@ -342,6 +344,7 @@ if (!empty($conf->global->TICKET_ENABLE_PUBLIC_INTERFACE)) {
print $form->textwithpicto('', $langs->trans("TicketCreateThirdPartyWithContactIfNotExistHelp"), 1, 'help');
print '</td>';
print '</tr>';
*/
/*if ($conf->global->MAIN_FEATURES_LEVEL >= 2)
{
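Review bot: Commenting the option out of the admin page only hides the toggle; an installation where TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST is already stored keeps the feature active, because the public ajax endpoint patched in this same commit still serves requests whenever the constant is non-empty. If the goal is to close the hole everywhere, the stored constant should also be removed in an upgrade step (dolibarr_del_const or equivalent) or the endpoint disabled unconditionally. The new comment above the `/*` block also has typos; suggested wording: `// This option is a serious security hole: it allows any non-logged-in person to retrieve the database of contacts`. The enclosing `if (!empty($conf->global->TICKET_ENABLE_PUBLIC_INTERFACE))` block starts and ends outside this hunk.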


@ -145,7 +145,7 @@ class FormTicket
* @param int $withdolfichehead With dol_get_fiche_head() and dol_get_fiche_end()
* @param string $mode Mode ('create' or 'edit')
* @param int $public 1=If we show the form for the public interface
* @param Contact|null $with_contact [=NULL] Contact to link to this ticket if exists
* @param Contact|null $with_contact [=NULL] Contact to link to this ticket if it exists
* @param string $action [=''] Action in card
* @return void
*/
@ -450,7 +450,7 @@ class FormTicket
if (count($cate_arbo)) {
// Categories
print '<tr><td>'.$langs->trans("Categories").'</td><td colspan="3">';
print img_picto('', 'category').$form->multiselectarray('categories', $cate_arbo, GETPOST('categories', 'array'), '', 0, 'quatrevingtpercent widthcentpercentminusx', 0, 0);
print img_picto('', 'category', 'class="pictofixedwidth"').$form->multiselectarray('categories', $cate_arbo, GETPOST('categories', 'array'), '', 0, 'quatrevingtpercent widthcentpercentminusx', 0, 0);
print "</td></tr>";
}
}


@ -19,6 +19,9 @@
/**
* \file htdocs/public/ticket/ajax/ajax.php
* \brief Ajax component for Ticket.
*
* This ajax component is called only by the create ticket public page. And only if TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST is set.
* This option TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST has been removed because it is a security hole.
*/
if (!defined('NOTOKENRENEWAL')) {
@ -54,6 +57,10 @@ $action = GETPOST('action', 'aZ09');
$id = GETPOST('id', 'int');
$email = GETPOST('email', 'alphanohtml');
if (empty($conf->global->TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST)) {
httponly_accessforbidden('Option TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST of module ticket is not enabled');
}
/*
* View
@ -71,9 +78,18 @@ if ($action == 'getContacts') {
require_once DOL_DOCUMENT_ROOT.'/ticket/class/ticket.class.php';
$ticket = new Ticket($db);
$contacts = $ticket->searchContactByEmail($email);
if (is_array($contacts)) {
$return['contacts'] = $contacts;
$arrayofcontacts = $ticket->searchContactByEmail($email);
if (is_array($arrayofcontacts)) {
$arrayofminimalcontacts = array();
foreach ($arrayofcontacts as $tmpval) {
$tmpresult = new stdClass();
$tmpresult->id = $tmpval->id;
$tmpresult->firstname = $tmpval->firstname;
$tmpresult->lastname = $tmpval->lastname;
$arrayofminimalcontacts[] = $tmpresult;
}
$return['contacts'] = $arrayofminimalcontacts;
} else {
$return['error'] = $ticket->errorsToString();
}
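Review bot: The guard `if (empty($conf->global->TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST))` only refuses the request when the constant is unset, while the new docblock states the option "has been removed"; any installation that already has the constant set keeps returning contact ids and names for an arbitrary email to unauthenticated callers. Either make the refusal unconditional, or reword the docblock to say the option is only hidden from the admin page and is still honoured when the constant is set, so the next maintainer is not misled. Separately, the `else` branch hands `$ticket->errorsToString()` straight back to the anonymous caller, which may expose database error text if the lookup fails; a fixed generic message such as `$return['error'] = 'Error';` is safer on a public endpoint. Trimming the response to id/firstname/lastname in the new loop does limit what is disclosed, but the endpoint still confirms whether an email belongs to a known contact.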


@ -1872,10 +1872,10 @@ class Ticket extends CommonObject
$res = $this->db->query($sql);
if ($res) {
while ($rec = $this->db->fetch_array($res)) {
while ($rec = $this->db->fetch_object($res)) {
include_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php';
$contactstatic = new Contact($this->db);
$contactstatic->fetch($rec['rowid']);
$contactstatic->fetch($rec->rowid);
$contacts[] = $contactstatic;
}
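Review bot: The return value of `$contactstatic->fetch($rec->rowid)` is not checked, so a row whose Contact cannot be loaded is still appended to `$contacts` as a partially initialised object; `if ($contactstatic->fetch($rec->rowid) > 0) { $contacts[] = $contactstatic; }` (using the usual Dolibarr fetch convention of >0 on success) would keep only loaded contacts. The `include_once` inside the `while` loop could be hoisted above it, since it is evaluated once per row for no benefit. The enclosing method (presumably searchContactByEmail, which the ajax page calls) starts and ends outside this hunk, so the initialisation of `$contacts` and the return path are not visible here.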