From b80de4aeaf2f28c17769611951e05a4d659bb164 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Tue, 2 Feb 2021 13:04:41 +0100
Subject: [PATCH] FIX CSRF errors on margin forms

---
 htdocs/core/class/html.form.class.php     | 13 ++++++----
 htdocs/core/lib/ajax.lib.php              |  9 ++++---
 htdocs/core/tpl/objectline_create.tpl.php |  3 +--
 htdocs/margin/agentMargins.php            | 11 ++-------
 htdocs/margin/customerMargins.php         | 16 +++++--------
 htdocs/margin/productMargins.php          | 29 +++++++----------------
 htdocs/variants/combinations.php          |  8 ++++---
 7 files changed, 37 insertions(+), 52 deletions(-)

diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index 448bdad3cd9..bc33692e2fc 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@@ -1927,7 +1927,7 @@ class Form
 	 *  Return list of products for customer in Ajax if Ajax activated or go to select_produits_list
 	 *
 	 *  @param		int			$selected				Preselected products
-	 *  @param		string		$htmlname				Name of HTML select field (must be unique in page)
+	 *  @param		string		$htmlname				Name of HTML select field (must be unique in page).
 	 *  @param		int			$filtertype				Filter on product type (''=nofilter, 0=product, 1=service)
 	 *  @param		int			$limit					Limit on number of returned lines
 	 *  @param		int			$price_level			Level of price to show
@@ -1949,7 +1949,7 @@ class Form
 	 *  @param		string		$nooutput				No print, return the output into a string
 	 *  @return		void|string
 	 */
-	public function select_produits($selected = '', $htmlname = 'productid', $filtertype = '', $limit = 0, $price_level = 0, $status = 1, $finished = 2, $selected_input_value = '', $hidelabel = 0, $ajaxoptions = array(), $socid = 0, $showempty = '1', $forcecombo = 0, $morecss = '', $hidepriceinlabel = 0, $warehouseStatus = '', $selected_combinations = array(), $nooutput = 0)
+	public function select_produits($selected = '', $htmlname = 'productid', $filtertype = '', $limit = 0, $price_level = 0, $status = 1, $finished = 2, $selected_input_value = '', $hidelabel = 0, $ajaxoptions = array(), $socid = 0, $showempty = '1', $forcecombo = 0, $morecss = '', $hidepriceinlabel = 0, $warehouseStatus = '', $selected_combinations = null, $nooutput = 0)
 	{
 		// phpcs:enable
 		global $langs, $conf;
@@ -1997,10 +1997,13 @@ class Form
 			}
 			$out .= ajax_autocompleter($selected, $htmlname, DOL_URL_ROOT.'/product/ajax/products.php', $urloption, $conf->global->PRODUIT_USE_SEARCH_TO_SELECT, 1, $ajaxoptions);
 
-			if (!empty($conf->variants->enabled)) {
+			if (!empty($conf->variants->enabled) && is_array($selected_combinations)) {
+				// Code to automatically insert with javascript the select of attributes under the select of product
+				// when a parent of variant has been selected.
 				$out .= '
+				<!-- script to auto show attributes select tags if a variant was selected -->
 				<script>
-
+					// auto show attributes fields
 					selected = '.json_encode($selected_combinations).';
 					combvalues = {};
 
@@ -2019,6 +2022,8 @@ class Form
 								return;
 							}
 
+							console.log("After change we get variants");
+
 							jQuery.getJSON("'.DOL_URL_ROOT.'/variants/ajax/getCombinations.php", {
 								id: jQuery(this).val()
 							}, function (data) {
diff --git a/htdocs/core/lib/ajax.lib.php b/htdocs/core/lib/ajax.lib.php
index b824edb7bb9..58265700e26 100644
--- a/htdocs/core/lib/ajax.lib.php
+++ b/htdocs/core/lib/ajax.lib.php
@@ -144,10 +144,10 @@ function ajax_autocompleter($selected, $htmlname, $url, $urloption = '', $minLen
 						dataType: "json",
     					minLength: '.$minLength.',
     					select: function( event, ui ) {		// Function ran once new value has been selected into javascript combo
-    						console.log("Call change on input '.$htmlname.' because of select definition of autocomplete select call on input#search_'.$htmlname.'");
+    						console.log("We will trigger change on input '.$htmlname.' because of the select definition of autocomplete code for input#search_'.$htmlname.'");
     					    console.log("Selected id = "+ui.item.id+" - If this value is null, it means you select a record with key that is null so selection is not effective");
 
-							//console.log(ui.item);
+							console.log("Propagate before some properties");
 							$("#'.$htmlname.'").attr("data-pbq", ui.item.pbq);
 							$("#'.$htmlname.'").attr("data-pbqup", ui.item.price_ht);
 							$("#'.$htmlname.'").attr("data-pbqbase", ui.item.pricebasetype);
@@ -155,6 +155,7 @@ function ajax_autocompleter($selected, $htmlname, $url, $urloption = '', $minLen
 							$("#'.$htmlname.'").attr("data-pbqpercent", ui.item.discount);
 
     						$("#'.$htmlname.'").val(ui.item.id).trigger("change");	// Select new value
+
     						// Disable an element
     						if (options.option_disabled) {
     							console.log("Make action option_disabled on #"+options.option_disabled+" with disabled="+ui.item.disabled)
@@ -170,6 +171,7 @@ function ajax_autocompleter($selected, $htmlname, $url, $urloption = '', $minLen
     								$("#" + options.option_disabled).removeAttr("disabled");
     							}
     						}
+
     						if (options.disabled) {
     							console.log("Make action disabled on each "+options.option_disabled)
     							$.each(options.disabled, function(key, value) {
@@ -182,6 +184,7 @@ function ajax_autocompleter($selected, $htmlname, $url, $urloption = '', $minLen
     								$("#" + value).show().trigger("show");
     							});
     						}
+
     						// Update an input
     						if (ui.item.update) {
     							console.log("Make action update on each ui.item.update")
@@ -202,7 +205,7 @@ function ajax_autocompleter($selected, $htmlname, $url, $urloption = '', $minLen
 									}
     							});
     						}
-    						console.log("ajax_autocompleter new value selected, we trigger change on original component so field #search_'.$htmlname.'");
+    						console.log("ajax_autocompleter new value selected, we trigger change also on original component so on field #search_'.$htmlname.'");
 
     						$("#search_'.$htmlname.'").trigger("change");	// We have changed value of the combo select, we must be sure to trigger all js hook binded on this event. This is required to trigger other javascript change method binded on original field by other code.
     					}
diff --git a/htdocs/core/tpl/objectline_create.tpl.php b/htdocs/core/tpl/objectline_create.tpl.php
index 1c526f225aa..a40b385913d 100644
--- a/htdocs/core/tpl/objectline_create.tpl.php
+++ b/htdocs/core/tpl/objectline_create.tpl.php
@@ -214,8 +214,7 @@ if ($nolinesbefore) {
 			if (empty($senderissupplier))
 			{
 				$statustoshow = 1;
-				if (!empty($conf->global->ENTREPOT_EXTRA_STATUS))
-				{
+				if (!empty($conf->global->ENTREPOT_EXTRA_STATUS)) {
 					// hide products in closed warehouse, but show products for internal transfer
 					$form->select_produits(GETPOST('idprod'), 'idprod', $filtertype, $conf->product->limit_size, $buyer->price_level, $statustoshow, 2, '', 1, array(), $buyer->id, '1', 0, 'maxwidth500', 0, 'warehouseopen,warehouseinternal', GETPOST('combinations', 'array'));
 				} else {
diff --git a/htdocs/margin/agentMargins.php b/htdocs/margin/agentMargins.php
index 9c8ff72681b..e7229abd2d3 100644
--- a/htdocs/margin/agentMargins.php
+++ b/htdocs/margin/agentMargins.php
@@ -106,6 +106,7 @@ $titre = $langs->trans("Margins");
 $picto = 'margin';
 
 print '<form method="post" name="sel" action="'.$_SERVER['PHP_SELF'].'">';
+print '<input type="hidden" name="token" value="'.newToken().'">';
 
 print dol_get_fiche_head($head, 'agentMargins', $titre, 0, $picto);
 
@@ -113,7 +114,7 @@ print '<table class="border centpercent">';
 
 print '<tr><td class="titlefield">'.$langs->trans('ContactOfInvoice').'</td>';
 print '<td class="maxwidthonsmartphone" colspan="4">';
-print $form->select_dolusers($agentid, 'agentid', 1, '', $user->rights->margins->read->all ? 0 : 1, '', '', 0, 0, 0, '', 0, '', 'maxwidth300');
+print img_picto('', 'user').$form->select_dolusers($agentid, 'agentid', 1, '', $user->rights->margins->read->all ? 0 : 1, '', '', 0, 0, 0, '', 0, '', 'maxwidth300');
 print '</td></tr>';
 
 // Start date
@@ -308,14 +309,6 @@ if ($result)
 }
 $db->free($result);
 
-print "\n".'<script type="text/javascript">
-$(document).ready(function() {
-  $("#agentid").change(function() {
-     $("div.fiche form").submit();
-  });
-});
-</script>'."\n";
-
 // End of page
 llxFooter();
 $db->close();
diff --git a/htdocs/margin/customerMargins.php b/htdocs/margin/customerMargins.php
index 0a015f0f73d..468d633875d 100644
--- a/htdocs/margin/customerMargins.php
+++ b/htdocs/margin/customerMargins.php
@@ -87,6 +87,7 @@ $picto = 'margin';
 
 
 print '<form method="post" name="sel" action="'.$_SERVER['PHP_SELF'].'">';
+print '<input type="hidden" name="token" value="'.newToken().'">';
 
 print dol_get_fiche_head($head, 'customerMargins', $titre, 0, $picto);
 
@@ -101,7 +102,7 @@ if ($socid > 0) {
 	{
 		print '<tr><td class="titlefield">'.$langs->trans('ThirdPartyName').'</td>';
 		print '<td class="maxwidthonsmartphone" colspan="4">';
-		print $form->select_company($socid, 'socid', '(client=1 OR client=3)', 1, 0, 0);
+		print img_picto('', 'company').$form->select_company($socid, 'socid', '(client=1 OR client=3)', 1, 0, 0);
 		print '</td></tr>';
 
 		$client = true;
@@ -111,7 +112,7 @@ if ($socid > 0) {
 } else {
 	print '<tr><td class="titlefield">'.$langs->trans('ThirdPartyName').'</td>';
 	print '<td class="maxwidthonsmartphone" colspan="4">';
-	print $form->select_company(null, 'socid', '(client=1 OR client=3)', 1, 0, 0);
+	print img_picto('', 'company').$form->select_company(null, 'socid', '(client=1 OR client=3)', 1, 0, 0);
 	print '</td></tr>';
 }
 
@@ -138,16 +139,16 @@ foreach ($TRes as $prod) {
 	$TProducts[$prod['key']] = $prod['label'];
 }
 
-print '<tr><td class="titlefield">'.$langs->trans('ChooseProduct/Service').'</td>';
+print '<tr><td class="titlefield">'.$langs->trans('ProductOrService').'</td>';
 print '<td class="maxwidthonsmartpone" colspan="4">';
-print $form->multiselectarray('products', $TProducts, $TSelectedProducts, 0, 0, 'minwidth500');
+print img_picto('', 'product').$form->multiselectarray('products', $TProducts, $TSelectedProducts, 0, 0, 'minwidth500');
 print '</td></tr>';
 
 // Categories
 $TCats = $form->select_all_categories(0, array(), '', 64, 0, 1);
 
 print '<tr>';
-print '<td class="titlefield">'.$langs->trans('ChooseCategory').'</td>';
+print '<td class="titlefield">'.$langs->trans('Category').'</td>';
 print '<td class="maxwidthonsmartphone" colspan="4">';
 print img_picto('', 'category').$form->multiselectarray('categories', $TCats, $TSelectedCats, 0, 0, 'quatrevingtpercent widthcentpercentminusx');
 print '</td>';
@@ -365,11 +366,6 @@ $db->free($result);
 
 print '<script type="text/javascript">
 $(document).ready(function() {
-	/*
-	$("#socid").change(function() {
-    	$("div.fiche form").submit();
-	});*/
-
 	$("#totalMargin").html("'.price($totalMargin, null, null, null, null, $rounding).'");
 	$("#marginRate").html("'.(($marginRate === '') ? 'n/a' : price($marginRate, null, null, null, null, $rounding)."%").'");
 	$("#markRate").html("'.(($markRate === '') ? 'n/a' : price($markRate, null, null, null, null, $rounding)."%").'");
diff --git a/htdocs/margin/productMargins.php b/htdocs/margin/productMargins.php
index 46f128b2f36..ebe8c9c1cac 100644
--- a/htdocs/margin/productMargins.php
+++ b/htdocs/margin/productMargins.php
@@ -99,31 +99,23 @@ $titre = $langs->trans("Margins");
 $picto = 'margin';
 
 print '<form method="post" name="sel" action="'.$_SERVER['PHP_SELF'].'">';
+print '<input type="hidden" name="token" value="'.newToken().'">';
 
 print dol_get_fiche_head($head, 'productMargins', $titre, 0, $picto);
 
 print '<table class="border centpercent">';
 
-if ($id > 0) {
-	print '<tr><td class="titlefield">'.$langs->trans('ChooseProduct/Service').'</td>';
-	print '<td class="maxwidthonsmartpone" colspan="4">';
-	$form->select_produits($id, 'id', '', 20, 0, 1, 2, '', 1, array(), 0, 'All');
-	print '</td></tr>';
-
-	if (!$sortorder) $sortorder = "DESC";
-	if (!$sortfield) $sortfield = "f.datef";
-} else {
-	print '<tr><td class="titlefield">'.$langs->trans('ChooseProduct/Service').'</td>';
-	print '<td class="maxwidthonsmartphone" colspan="4">';
-	$form->select_produits('', 'id', '', 20, 0, 1, 2, '', 1, array(), 0, 'All');
-	print '</td></tr>';
-}
+// Product
+print '<tr><td class="titlefield">'.$langs->trans('ProductOrService').'</td>';
+print '<td class="maxwidthonsmartphone" colspan="4">';
+print img_picto('', 'product').$form->select_produits(($id > 0 ? $id : ''), 'id', '', 20, 0, 1, 2, '', 1, array(), 0, 'All', 0, '', 0, '', null, 1);
+print '</td></tr>';
 
 // Categories
 $TCats = $form->select_all_categories(0, array(), '', 64, 0, 1);
 
 print '<tr>';
-print '<td class="titlefield">'.$langs->trans('ChooseCategory').'</td>';
+print '<td class="titlefield">'.$langs->trans('Category').'</td>';
 print '<td class="maxwidthonsmartphone" colspan="4">';
 print img_picto('', 'category').$form->multiselectarray('categories', $TCats, $TSelectedCats, 0, 0, 'quatrevingtpercent widthcentpercentminusx');
 print '</td>';
@@ -350,15 +342,10 @@ $db->free($result);
 print '
 <script type="text/javascript">
 $(document).ready(function() {
-
-  $("#id").change(function() {
-     $("div.fiche form").submit();
-  });
-
+  console.log("Init some values");
   $("#totalMargin").html("'.price(price2num($totalMargin, 'MT')).'");
   $("#marginRate").html("'.(($marginRate === '') ? 'n/a' : price(price2num($marginRate, 'MT'))."%").'");
   $("#markRate").html("'.(($markRate === '') ? 'n/a' : price(price2num($markRate, 'MT'))."%").'");
-
 });
 </script>
 ';
diff --git a/htdocs/variants/combinations.php b/htdocs/variants/combinations.php
index 24da596f3c2..933d379e48a 100644
--- a/htdocs/variants/combinations.php
+++ b/htdocs/variants/combinations.php
@@ -107,7 +107,9 @@ if (($action == 'add' || $action == 'create') && empty($massaction) && !GETPOST(
 	$features = $_SESSION['addvariant_'.$object->id];
 
 	if (!$features) {
-		setEventMessages($langs->trans('ErrorFieldsRequired'), null, 'errors');
+		if ($action == 'create') {
+			setEventMessages($langs->trans('ErrorFieldsRequired'), null, 'errors');
+		}
 	} else {
 		$reference = trim($reference);
 		if (empty($reference)) {
@@ -763,11 +765,11 @@ if (!empty($id) || !empty($ref))
 
 		print '	<div class="inline-block divButAction">';
 
-		print '<a href="combinations.php?id='.$object->id.'&action=add" class="butAction">'.$langs->trans('NewProductCombination').'</a>'; // NewVariant
+		print '<a href="combinations.php?id='.$object->id.'&action=add&token='.newToken().'" class="butAction">'.$langs->trans('NewProductCombination').'</a>'; // NewVariant
 
 		if ($productCombinations)
 		{
-			print '<a href="combinations.php?id='.$object->id.'&action=copy" class="butAction">'.$langs->trans('PropagateVariant').'</a>';
+			print '<a href="combinations.php?id='.$object->id.'&action=copy&token='.newToken().'" class="butAction">'.$langs->trans('PropagateVariant').'</a>';
 		}
 
 		print '	</div>';