From bfa50b8d1d8574151d9bdac304d487f84f39da0e Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 2 Jun 2017 19:36:03 +0200
Subject: [PATCH] Fix some security issues
---
 htdocs/projet/class/projectstats.class.php | 41 +--
 htdocs/projet/class/taskstats.class.php | 297 +--------------------
 2 files changed, 27 insertions(+), 311 deletions(-)
diff --git a/htdocs/projet/class/projectstats.class.php b/htdocs/projet/class/projectstats.class.php
index 4485117fb0f..a47d28d1b43 100644
--- a/htdocs/projet/class/projectstats.class.php
+++ b/htdocs/projet/class/projectstats.class.php
@@ -28,8 +28,8 @@ class ProjectStats extends Stats
 public $userid;
 public $socid;
 public $year;
-
- function __construct($db)
+
+ function __construct($db)
 {
 global $conf, $user;
@@ -41,7 +41,7 @@ class ProjectStats extends Stats
 /**
- * Return all leads grouped by status.
+ * Return all leads grouped by opportunity status.
 * Warning: There is no filter on WON/LOST because we want this for statistics.
 *
 * @param int $limit Limit results
@@ -56,7 +56,10 @@ class ProjectStats extends Stats
 $sql = "SELECT";
 $sql .= " SUM(t.opp_amount), t.fk_opp_status, cls.code, cls.label";
- $sql .= " FROM " . MAIN_DB_PREFIX . "projet as t, ".MAIN_DB_PREFIX."c_lead_status as cls";
+ $sql .= " FROM " . MAIN_DB_PREFIX . "projet as t";
+ if (! $user->rights->societe->client->voir && ! $user->socid)
+ $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=" . $user->id;
+ $sql .= ", ".MAIN_DB_PREFIX."c_lead_status as cls";
 $sql .= $this->buildWhere();
 $sql .= " AND t.fk_opp_status = cls.rowid";
 $sql .= " AND t.fk_statut <> 0"; // We want historic also, so all projects not draft
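Review bot: The new access check in the @@ -56 hunk tests `$user->socid`, while every other hunk in this commit renames the same check from `$user->societe_id` to `$user->soc_id` (projectstats @@ -112, -171, -198, -321, -429, -441 and taskstats @@ -51, -112, -167), so three different property names now gate the sales-rep restriction. Only one of them can be the property the User class actually defines, and I cannot confirm which from this page; an undefined one reads as null and `! null` is true, so whether the join is applied depends on the spelling rather than on the user's company, and the same single name should be used everywhere. `$user->id` is concatenated unquoted into the join; it comes from the authenticated User object rather than the request, but `sc.fk_user=" . (int) $user->id` would make that explicit. The enclosing method starts before the hunk; confirm it declares `global $user` as the sibling methods visible in the @@ -163 and @@ -190 hunks do.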
@@ -112,11 +115,11 @@ class ProjectStats extends Stats $datay = array (); $wonlostfilter=0; // No filter on status WON/LOST - + $sql = "SELECT date_format(t.datec,'%Y') as year, COUNT(t.rowid) as nb, SUM(t.opp_amount) as total, AVG(t.opp_amount) as avg,"; $sql.= " SUM(t.opp_amount * ".$this->db->ifsql("t.opp_percent IS NULL".($wonlostfilter?" OR cls.code IN ('WON','LOST')":""), '0', 't.opp_percent')." / 100) as weighted"; $sql.= " FROM " . MAIN_DB_PREFIX . "projet as t LEFT JOIN ".MAIN_DB_PREFIX."c_lead_status as cls ON cls.rowid = t.fk_opp_status"; - if (! $user->rights->societe->client->voir && ! $user->societe_id) + if (! $user->rights->societe->client->voir && ! $user->soc_id) $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=" . $user->id; $sql.= $this->buildWhere(); $sql.= " GROUP BY year"; @@ -124,14 +127,14 @@ class ProjectStats extends Stats return $this->_getAllByYear($sql); } - - + + /** * Build the where part - * + * * @return string */ - public function buildWhere() + public function buildWhere() { $sqlwhere_str = ''; $sqlwhere = array(); @@ -163,7 +166,7 @@ class ProjectStats extends Stats * @param int $year scan * @return array of values */ - function getNbByMonth($year) + function getNbByMonth($year) { global $user; @@ -171,7 +174,7 @@ class ProjectStats extends Stats $sql = "SELECT date_format(t.datec,'%m') as dm, COUNT(*) as nb"; $sql .= " FROM " . MAIN_DB_PREFIX . "projet as t"; - if (! $user->rights->societe->client->voir && ! $user->societe_id) + if (! $user->rights->societe->client->voir && ! $user->soc_id) $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=" . $user->id; $sql .= $this->buildWhere(); $sql .= " GROUP BY dm"; @@ -190,7 +193,7 @@ class ProjectStats extends Stats * @param int $year scan * @return array with amount by month */ - function getAmountByMonth($year) + function getAmountByMonth($year) { global $user; 
@@ -198,7 +201,7 @@ class ProjectStats extends Stats $sql = "SELECT date_format(t.datec,'%m') as dm, SUM(t.opp_amount)"; $sql .= " FROM " . MAIN_DB_PREFIX . "projet as t"; - if (! $user->rights->societe->client->voir && ! $user->societe_id) + if (! $user->rights->societe->client->voir && ! $user->soc_id) $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=" . $user->id; $sql .= $this->buildWhere(); $sql .= " GROUP BY dm"; @@ -313,7 +316,7 @@ class ProjectStats extends Stats * @param int $wonlostfilter Add a filter on status won/lost * @return array Array with amount by month */ - function getWeightedAmountByMonth($year, $wonlostfilter=1) + function getWeightedAmountByMonth($year, $wonlostfilter=1) { global $user; @@ -321,7 +324,7 @@ class ProjectStats extends Stats $sql = "SELECT date_format(t.datec,'%m') as dm, SUM(t.opp_amount * ".$this->db->ifsql("t.opp_percent IS NULL".($wonlostfilter?" OR cls.code IN ('WON','LOST')":""), '0', 't.opp_percent')." / 100)"; $sql .= " FROM " . MAIN_DB_PREFIX . "projet as t LEFT JOIN ".MAIN_DB_PREFIX.'c_lead_status as cls ON t.fk_opp_status = cls.rowid'; - if (! $user->rights->societe->client->voir && ! $user->societe_id) + if (! $user->rights->societe->client->voir && ! $user->soc_id) $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=" . $user->id; $sql .= $this->buildWhere(); $sql .= " GROUP BY dm"; @@ -421,7 +424,7 @@ class ProjectStats extends Stats * @param int $year scan * @return array with amount by month */ - function getTransformRateByMonth($year) + function getTransformRateByMonth($year) { global $user; 
@@ -429,7 +432,7 @@ class ProjectStats extends Stats
 $sql = "SELECT date_format(t.datec,'%m') as dm, count(t.opp_amount)";
 $sql .= " FROM " . MAIN_DB_PREFIX . "projet as t";
- if (! $user->rights->societe->client->voir && ! $user->societe_id)
+ if (! $user->rights->societe->client->voir && ! $user->soc_id)
 $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=" . $user->id;
 $sql .= $this->buildWhere();
 $sql .= " GROUP BY dm";
@@ -441,7 +444,7 @@ class ProjectStats extends Stats
 $sql = "SELECT date_format(t.datec,'%m') as dm, count(t.opp_amount)";
 $sql .= " FROM " . MAIN_DB_PREFIX . "projet as t";
- if (! $user->rights->societe->client->voir && ! $user->societe_id)
+ if (! $user->rights->societe->client->voir && ! $user->soc_id)
 $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=" . $user->id;
 $sql .= $this->buildWhere();
 $sql .= " GROUP BY dm";
diff --git a/htdocs/projet/class/taskstats.class.php b/htdocs/projet/class/taskstats.class.php
index c0a0530bc75..b71c88f3d6b 100644
--- a/htdocs/projet/class/taskstats.class.php
+++ b/htdocs/projet/class/taskstats.class.php
@@ -51,11 +51,13 @@ class TaskStats extends Stats
 {
 global $conf, $user, $langs;
- $datay = array ();
+ $datay = array();
 $sql = "SELECT";
 $sql .= " COUNT(t.rowid), t.priority";
 $sql.= " FROM ". MAIN_DB_PREFIX . "projet_task as t INNER JOIN " . MAIN_DB_PREFIX . "projet as p ON p.rowid = t.fk_projet";
+ if (! $user->rights->societe->client->voir && ! $user->soc_id)
+ $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=" . $user->id;
 $sql .= $this->buildWhere();
 //$sql .= " AND t.fk_statut <> 0"; // We want historic also, so all task not draft
 $sql .= " GROUP BY t.priority";
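Review bot: The join added in the taskstats @@ -51 hunk restricts on `sc.fk_soc=t.fk_soc`, but `t` here is `projet_task`, whereas the company link this query already has is through `projet as p`; unless `projet_task` carries its own `fk_soc` column (verify against the schema), the restriction should read `sc.fk_soc=p.fk_soc`. If the column is absent the query fails, which hides data rather than exposing it, but the statistics page then breaks for exactly the restricted users this commit is meant to protect. The unchanged context lines in the taskstats @@ -112 and @@ -167 hunks use the same `t.fk_soc` join and should be checked at the same time. The enclosing method starts before the hunk and ends after it.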
@@ -112,7 +114,7 @@ class TaskStats extends Stats $sql = "SELECT date_format(t.datec,'%Y') as year, COUNT(t.rowid) as nb"; $sql.= " FROM ". MAIN_DB_PREFIX . "projet_task as t INNER JOIN " . MAIN_DB_PREFIX . "projet as p ON p.rowid = t.fk_projet"; - if (! $user->rights->societe->client->voir && ! $user->societe_id) + if (! $user->rights->societe->client->voir && ! $user->soc_id) $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=" . $user->id; $sql.= $this->buildWhere(); $sql.= " GROUP BY year"; @@ -167,7 +169,7 @@ class TaskStats extends Stats $sql = "SELECT date_format(t.datec,'%m') as dm, COUNT(t.rowid) as nb"; $sql.= " FROM ". MAIN_DB_PREFIX . "projet_task as t INNER JOIN " . MAIN_DB_PREFIX . "projet as p ON p.rowid = t.fk_projet"; - if (! $user->rights->societe->client->voir && ! $user->societe_id) + if (! $user->rights->societe->client->voir && ! $user->soc_id) $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=" . $user->id; $sql .= $this->buildWhere(); $sql .= " GROUP BY dm"; @@ -179,293 +181,4 @@ class TaskStats extends Stats // var_dump($res);print '
'; return $res; } - - /** - * Return the Task amount by month for a year - * - * @param int $year scan - * @return array with amount by month - */ - /* - function getAmountByMonth($year) - { - global $user; - - $this->yearmonth = $year; - - $sql = "SELECT date_format(t.datec,'%m') as dm, COUNT(t.rowid)"; - $sql.= " FROM ". MAIN_DB_PREFIX . "projet_task as t INNER JOIN " . MAIN_DB_PREFIX . "projet as p ON p.rowid = t.fk_projet"; - if (! $user->rights->societe->client->voir && ! $user->societe_id) - $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=" . $user->id; - $sql .= $this->buildWhere(); - $sql .= " GROUP BY dm"; - $sql .= $this->db->order('dm', 'DESC'); - $this->yearmonth=0; - - $res = $this->_getAmountByMonth($year, $sql); - // var_dump($res);print '
'; - return $res; - }*/ - - - /** - * Return amount of elements by month for several years - * - * @param int $endyear Start year - * @param int $startyear End year - * @param int $cachedelay Delay we accept for cache file (0=No read, no save of cache, -1=No read but save) - * @param int $wonlostfilter Add a filter on status won/lost - * @return array Array of values - */ - /* - function getWeightedAmountByMonthWithPrevYear($endyear,$startyear,$cachedelay=0,$wonlostfilter=1) - { - global $conf,$user,$langs; - - if ($startyear > $endyear) return -1; - - $datay=array(); - - // Search into cache - if (! empty($cachedelay)) - { - include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; - include_once DOL_DOCUMENT_ROOT.'/core/lib/json.lib.php'; - } - - $newpathofdestfile=$conf->user->dir_temp.'/'.get_class($this).'_'.__FUNCTION__.'_'.(empty($this->cachefilesuffix)?'':$this->cachefilesuffix.'_').$langs->defaultlang.'_user'.$user->id.'.cache'; - $newmask='0644'; - - $nowgmt = dol_now(); - - $foundintocache=0; - if ($cachedelay > 0) - { - $filedate=dol_filemtime($newpathofdestfile); - if ($filedate >= ($nowgmt - $cachedelay)) - { - $foundintocache=1; - - $this->_lastfetchdate[get_class($this).'_'.__FUNCTION__]=$filedate; - } - else - { - dol_syslog(get_class($this).'::'.__FUNCTION__." cache file ".$newpathofdestfile." is not found or older than now - cachedelay (".$nowgmt." - ".$cachedelay.") so we can't use it."); - } - } - - // Load file into $data - if ($foundintocache) // Cache file found and is not too old - { - dol_syslog(get_class($this).'::'.__FUNCTION__." read data from cache file ".$newpathofdestfile." ".$filedate."."); - $data = json_decode(file_get_contents($newpathofdestfile), true); - } - else - { - $year=$startyear; - while($year <= $endyear) - { - $datay[$year] = $this->getWeightedAmountByMonth($year,$wonlostfilter); - $year++; - } - - $data = array(); - // $data = array('xval'=>array(0=>xlabel,1=>yval1,2=>yval2...),...) 
- for ($i = 0 ; $i < 12 ; $i++) - { - $data[$i][]=$datay[$endyear][$i][0]; // set label - $year=$startyear; - while($year <= $endyear) - { - $data[$i][]=$datay[$year][$i][1]; // set yval for x=i - $year++; - } - } - } - - // Save cache file - if (empty($foundintocache) && ($cachedelay > 0 || $cachedelay == -1)) - { - dol_syslog(get_class($this).'::'.__FUNCTION__." save cache file ".$newpathofdestfile." onto disk."); - if (! dol_is_dir($conf->user->dir_temp)) dol_mkdir($conf->user->dir_temp); - $fp = fopen($newpathofdestfile, 'w'); - if ($fp) - { - fwrite($fp, json_encode($data)); - fclose($fp); - if (! empty($conf->global->MAIN_UMASK)) $newmask=$conf->global->MAIN_UMASK; - @chmod($newpathofdestfile, octdec($newmask)); - } - else dol_syslog("Failed to write cache file", LOG_ERR); - $this->_lastfetchdate[get_class($this).'_'.__FUNCTION__]=$nowgmt; - } - - return $data; - } - */ - - - /** - * Return the Task weighted opp amount by month for a year. - * - * @param int $year Year to scan - * @param int $wonlostfilter Add a filter on status won/lost - * @return array Array with amount by month - */ - /* - function getWeightedAmountByMonth($year, $wonlostfilter=1) - { - global $user; - - $this->yearmonth = $year; - - $sql = "SELECT date_format(t.datec,'%m') as dm"; - $sql.= " FROM ". MAIN_DB_PREFIX . "projet_task as t INNER JOIN " . MAIN_DB_PREFIX . "projet as p ON p.rowid = t.fk_projet"; - if (! $user->rights->societe->client->voir && ! $user->societe_id) - $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=" . $user->id; - $sql .= $this->buildWhere(); - $sql .= " GROUP BY dm"; - $sql .= $this->db->order('dm', 'DESC'); - $this->yearmonth=0; - - $res = $this->_getAmountByMonth($year, $sql); - // var_dump($res);print '
'; - return $res; - }*/ - - /** - * Return amount of elements by month for several years - * - * @param int $endyear End year - * @param int $startyear Start year - * @param int $cachedelay accept for cache file (0=No read, no save of cache, -1=No read but save) - * @return array of values - */ - /* - function getTransformRateByMonthWithPrevYear($endyear, $startyear, $cachedelay = 0) - { - global $conf, $user, $langs; - - if ($startyear > $endyear) return - 1; - - $datay = array(); - - // Search into cache - if (! empty($cachedelay)) - { - include_once DOL_DOCUMENT_ROOT . '/core/lib/files.lib.php'; - include_once DOL_DOCUMENT_ROOT . '/core/lib/json.lib.php'; - } - - $newpathofdestfile = $conf->user->dir_temp . '/' . get_class($this) . '_' . __FUNCTION__ . '_' . (empty($this->cachefilesuffix) ? '' : $this->cachefilesuffix . '_') . $langs->defaultlang . '_user' . $user->id . '.cache'; - $newmask = '0644'; - - $nowgmt = dol_now(); - - $foundintocache = 0; - if ($cachedelay > 0) { - $filedate = dol_filemtime($newpathofdestfile); - if ($filedate >= ($nowgmt - $cachedelay)) { - $foundintocache = 1; - - $this->_lastfetchdate[get_class($this) . '_' . __FUNCTION__] = $filedate; - } else { - dol_syslog(get_class($this) . '::' . __FUNCTION__ . " cache file " . $newpathofdestfile . " is not found or older than now - cachedelay (" . $nowgmt . " - " . $cachedelay . ") so we can't use it."); - } - } - - // Load file into $data - if ($foundintocache) // Cache file found and is not too old - { - dol_syslog(get_class($this) . '::' . __FUNCTION__ . " read data from cache file " . $newpathofdestfile . " " . $filedate . "."); - $data = json_decode(file_get_contents($newpathofdestfile), true); - } else { - $year = $startyear; - while ( $year <= $endyear ) { - $datay[$year] = $this->getTransformRateByMonth($year); - $year ++; - } - - $data = array (); - // $data = array('xval'=>array(0=>xlabel,1=>yval1,2=>yval2...),...) 
- for($i = 0; $i < 12; $i ++) { - $data[$i][] = $datay[$endyear][$i][0]; // set label - $year = $startyear; - while ( $year <= $endyear ) { - $data[$i][] = $datay[$year][$i][1]; // set yval for x=i - $year ++; - } - } - } - - // Save cache file - if (empty($foundintocache) && ($cachedelay > 0 || $cachedelay == - 1)) { - dol_syslog(get_class($this) . '::' . __FUNCTION__ . " save cache file " . $newpathofdestfile . " onto disk."); - if (! dol_is_dir($conf->user->dir_temp)) - dol_mkdir($conf->user->dir_temp); - $fp = fopen($newpathofdestfile, 'w'); - fwrite($fp, json_encode($data)); - fclose($fp); - if (! empty($conf->global->MAIN_UMASK)) - $newmask = $conf->global->MAIN_UMASK; - @chmod($newpathofdestfile, octdec($newmask)); - - $this->_lastfetchdate[get_class($this) . '_' . __FUNCTION__] = $nowgmt; - } - - return $data; - }*/ - - /** - * Return the Task transformation rate by month for a year - * - * @param int $year scan - * @return array with amount by month - */ - /* - function getTransformRateByMonth($year) - { - global $user; - - $this->yearmonth = $year; - - $sql = "SELECT date_format(t.datec,'%m') as dm, count(t.rowid)"; - $sql.= " FROM ". MAIN_DB_PREFIX . "projet_task as t INNER JOIN " . MAIN_DB_PREFIX . "projet as p ON p.rowid = t.fk_projet"; - if (! $user->rights->societe->client->voir && ! $user->societe_id) - $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=" . $user->id; - $sql .= $this->buildWhere(); - $sql .= " GROUP BY dm"; - $sql .= $this->db->order('dm', 'DESC'); - - $res_total = $this->_getNbByMonth($year, $sql); - - $this->status=6; - - $sql = "SELECT date_format(t.datec,'%m') as dm, count(t.rowid)"; - $sql .= " FROM " . MAIN_DB_PREFIX . "projet_task as t"; - if (! $user->rights->societe->client->voir && ! $user->societe_id) - $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=" . 
$user->id; - $sql .= $this->buildWhere(); - $sql .= " GROUP BY dm"; - $sql .= $this->db->order('dm', 'DESC'); - - $this->status=0; - $this->yearmonth=0; - - $res_only_wined = $this->_getNbByMonth($year, $sql); - - $res=array(); - - foreach($res_total as $key=>$total_row) { - //var_dump($total_row); - if (!empty($total_row[1])) { - $res[$key]=array($total_row[0],(100*$res_only_wined[$key][1])/$total_row[1]); - } else { - $res[$key]=array($total_row[0],0); - } - - } - // var_dump($res);print '
'; - return $res; - }*/ }