From b27578922359e42573bf08e00f069bd000cf4d41 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 23 Mar 2021 12:22:30 +0100
Subject: [PATCH 01/12] Fix regression

---
 htdocs/accountancy/customer/lines.php | 6 +++---
 htdocs/accountancy/customer/list.php | 6 +++---
 htdocs/accountancy/supplier/lines.php | 6 +++---
 htdocs/accountancy/supplier/list.php | 6 +++---
 htdocs/core/class/html.form.class.php | 3 ++-
 5 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/htdocs/accountancy/customer/lines.php b/htdocs/accountancy/customer/lines.php
index f52bc45f635..6b025e6f3c1 100644
--- a/htdocs/accountancy/customer/lines.php
+++ b/htdocs/accountancy/customer/lines.php
@@ -246,11 +246,11 @@ if (strlen(trim($search_country))) {
 if ($search_country == 'special_allnotme') {
 $sql .= " AND co.code <> '".$db->escape($mysoc->country_code)."'";
 } elseif ($search_country == 'special_eec') {
- $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC).")";
+ $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC, 1).")";
 } elseif ($search_country == 'special_eecnotme') {
- $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC_without_me).")";
+ $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC_without_me, 1).")";
 } elseif ($search_country == 'special_noteec') {
- $sql .= " AND co.code NOT IN (".$db->sanitize($country_code_in_EEC).")";
+ $sql .= " AND co.code NOT IN (".$db->sanitize($country_code_in_EEC, 1).")";
 } else {
 $sql .= natural_search("co.code", $search_country);
 }
diff --git a/htdocs/accountancy/customer/list.php b/htdocs/accountancy/customer/list.php
index 177b33f3ded..2e28ae4b566 100644
--- a/htdocs/accountancy/customer/list.php
+++ b/htdocs/accountancy/customer/list.php
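Review bot: The second argument `1` passed to `$db->sanitize()` appears to re-allow single quotes, which the `IN (...)` list of quoted country codes needs, but it also means the sanitizer no longer strips quotes from whatever `$country_code_in_EEC` and `$country_code_in_EEC_without_me` hold; that is only safe while those strings stay internally built, which this hunk cannot show. A one-line comment above the first call, `// country lists are built internally as "'FR','DE',..."; quotes must survive sanitize()`, would record that precondition for the next maintainer. The same change is made in customer/list.php, supplier/lines.php and supplier/list.php, and in Form around line 5670 of html.form.class.php, where the value (`$country_code`, presumably a method parameter) should be checked the same way at its callers. The enclosing `if (strlen(trim($search_country)))` block starts before the hunk.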
@@ -283,11 +283,11 @@ if (strlen(trim($search_country))) {
 if ($search_country == 'special_allnotme') {
 $sql .= " AND co.code <> '".$db->escape($mysoc->country_code)."'";
 } elseif ($search_country == 'special_eec') {
- $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC).")";
+ $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC, 1).")";
 } elseif ($search_country == 'special_eecnotme') {
- $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC_without_me).")";
+ $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC_without_me, 1).")";
 } elseif ($search_country == 'special_noteec') {
- $sql .= " AND co.code NOT IN (".$db->sanitize($country_code_in_EEC).")";
+ $sql .= " AND co.code NOT IN (".$db->sanitize($country_code_in_EEC, 1).")";
 } else {
 $sql .= natural_search("co.code", $search_country);
 }
diff --git a/htdocs/accountancy/supplier/lines.php b/htdocs/accountancy/supplier/lines.php
index 530ed189e19..a87280744ec 100644
--- a/htdocs/accountancy/supplier/lines.php
+++ b/htdocs/accountancy/supplier/lines.php
@@ -238,11 +238,11 @@ if (strlen(trim($search_country))) {
 if ($search_country == 'special_allnotme') {
 $sql .= " AND co.code <> '".$db->escape($mysoc->country_code)."'";
 } elseif ($search_country == 'special_eec') {
- $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC).")";
+ $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC, 1).")";
 } elseif ($search_country == 'special_eecnotme') {
- $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC_without_me).")";
+ $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC_without_me, 1).")";
 } elseif ($search_country == 'special_noteec') {
- $sql .= " AND co.code NOT IN (".$db->sanitize($country_code_in_EEC).")";
+ $sql .= " AND co.code NOT IN (".$db->sanitize($country_code_in_EEC, 1).")";
 } else {
 $sql .= natural_search("co.code", $search_country);
 }
diff --git a/htdocs/accountancy/supplier/list.php b/htdocs/accountancy/supplier/list.php
index d74f0facfd7..aa3f8b4a403 100644
--- a/htdocs/accountancy/supplier/list.php
+++ b/htdocs/accountancy/supplier/list.php
@@ -288,11 +288,11 @@ if (strlen(trim($search_country))) {
 if ($search_country == 'special_allnotme') {
 $sql .= " AND co.code <> '".$db->escape($mysoc->country_code)."'";
 } elseif ($search_country == 'special_eec') {
- $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC).")";
+ $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC, 1).")";
 } elseif ($search_country == 'special_eecnotme') {
- $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC_without_me).")";
+ $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC_without_me, 1).")";
 } elseif ($search_country == 'special_noteec') {
- $sql .= " AND co.code NOT IN (".$db->sanitize($country_code_in_EEC).")";
+ $sql .= " AND co.code NOT IN (".$db->sanitize($country_code_in_EEC, 1).")";
 } else {
 $sql .= natural_search("co.code", $search_country);
 }
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index 848b07bd450..33f3c15151a 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@@ -5670,7 +5670,7 @@ class Form
 $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
 $sql .= " WHERE t.fk_pays = c.rowid";
 $sql .= " AND t.active > 0";
- $sql .= " AND c.code IN (".$this->db->sanitize($country_code).")";
+ $sql .= " AND c.code IN (".$this->db->sanitize($country_code, 1).")";
 $sql .= " ORDER BY t.code ASC, t.taux ASC, t.recuperableonly ASC";
 
 $resql = $this->db->query($sql);
@@ -5753,6 +5753,7 @@ class Form
 $defaultnpr = (preg_match('/\*/', $selectedrate) ? 1 : $defaultnpr);
 $defaulttx = str_replace('*', '', $selectedrate);
 $defaultcode = '';
+ $reg = array();
 if (preg_match('/\((.*)\)/', $defaulttx, $reg)) {
 $defaultcode = $reg[1];
 $defaulttx = preg_replace('/\s*\(.*\)/', '', $defaulttx);

From 00e48aa9229d7c3e0a2cd0eb2864f2d426850791 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 23 Mar 2021 16:09:02 +0100
Subject: [PATCH 02/12] Clean and secured code for ajax/row.php

---
 htdocs/core/ajax/row.php | 47 ++++++++++++++++--
 htdocs/core/class/commonobject.class.php | 4 +-
 .../recruitmentcandidature_card.php | 49 -------------------
 .../recruitmentjobposition_applications.php | 48 ------------------
 .../recruitmentjobposition_card.php | 48 ------------------
 htdocs/supplier_proposal/card.php | 2 +-
 6 files changed, 46 insertions(+), 152 deletions(-)

diff --git a/htdocs/core/ajax/row.php b/htdocs/core/ajax/row.php
index 883ba664b5c..7f3d7d4cc3a 100644
--- a/htdocs/core/ajax/row.php
+++ b/htdocs/core/ajax/row.php
@@ -59,15 +59,52 @@ top_httphead();
 print ''."\n";
 
 // Registering the location of boxes
-if (GETPOST('roworder', 'alpha') && GETPOST('table_element_line', 'alpha', 2)
- && GETPOST('fk_element', 'alpha', 2) && GETPOST('element_id', 'int', 2)) {
+if (GETPOST('roworder', 'alpha', 2) && GETPOST('table_element_line', 'aZ09', 2)
+ && GETPOST('fk_element', 'aZ09', 2) && GETPOST('element_id', 'int', 2)) {
 $roworder = GETPOST('roworder', 'alpha', 2);
- $table_element_line = GETPOST('table_element_line', 'alpha', 2);
- $fk_element = GETPOST('fk_element', 'alpha', 2);
+ $table_element_line = GETPOST('table_element_line', 'aZ09', 2);
+ $fk_element = GETPOST('fk_element', 'aZ09', 2);
 $element_id = GETPOST('element_id', 'int', 2);
 
 dol_syslog("AjaxRow roworder=".$roworder." table_element_line=".$table_element_line." fk_element=".$fk_element." element_id=".$element_id, LOG_DEBUG);
 
+ // Make test on pemrission
+ $perm = 0;
+ if ($table_element_line == 'propaldet' && $user->rights->propal->creer) {
+ $perm = 1;
+ } elseif ($table_element_line == 'commandedet' && $user->rights->commande->creer) {
+ $perm = 1;
+ } elseif ($table_element_line == 'facturedet' && $user->rights->facture->creer) {
+ $perm = 1;
+ } elseif ($table_element_line == 'facturerecdet' && $user->rights->facture->creer) {
+ $perm = 1;
+ } elseif ($table_element_line == 'ecm_files' && $user->rights->ecm->creer) {
+ $perm = 1;
+ } elseif ($table_element_line == 'emailcollector_emailcollectoraction' && $user->admin) {
+ $perm = 1;
+ } elseif ($table_element_line == 'bom_bomline' && $user->rights->bom->write) {
+ $perm = 1;
+ } elseif ($table_element_line == 'mrp_production' && $user->rights->mrp->write) {
+ $perm = 1;
+ } elseif ($table_element_line == 'supplier_proposaldet' && $user->rights->supplier_proposal->write) {
+ $perm = 1;
+ } elseif ($table_element_line == 'commande_fournisseurdet' && $user->rights->fourn->commande->creer) {
+ $perm = 1;
+ } elseif ($table_element_line == 'facture_fourn_det' && $user->rights->fourn->facture->creer) {
+ $perm = 1;
+ } else {
+ $tmparray = explode('_', $table_element_line);
+ $tmpmodule = $tmparray[0]; $tmpobject = preg_replace('/line$/', '', $tmparray[1]);
+ if (!empty($tmpmodule) && !empty($tmpobject) && !empty($conf->$tmpmodule->enabled) && !empty($user->rights->$tmpobject->read)) {
+ $perm = 1;
+ }
+ }
+
+ if (! $perm) {
+ print 'Bad permission to modify position of lines for object in table '.$table_element_line;
+ accessforbidden('Bad permission to modify position of lines for object in table '.$table_element_line);
+ }
+
 $rowordertab = explode(',', $roworder);
 $newrowordertab = array();
 foreach ($rowordertab as $value) {
@@ -88,4 +125,6 @@ if (GETPOST('roworder', 'alpha') && GETPOST('table_element_line', 'alpha', 2)
 if (in_array($fk_element, array('fk_facture', 'fk_propal', 'fk_commande'))) {
 $result = $row->line_order(true);
 }
+} else {
+ print 'Bad parameters for row.php';
 }
diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php
index f743deaa894..e36e96f0833 100644
--- a/htdocs/core/class/commonobject.class.php
+++ b/htdocs/core/class/commonobject.class.php
@@ -3022,8 +3022,8 @@ abstract class CommonObject
 $fieldposition = 'position';
 }
 
- $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element_line.' SET '.$fieldposition.' = '.$rang;
- $sql .= ' WHERE rowid = '.$rowid;
+ $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element_line.' SET '.$fieldposition.' = '.((int) $rang);
+ $sql .= ' WHERE rowid = '.((int) $rowid);
 
 dol_syslog(get_class($this)."::updateRangOfLine", LOG_DEBUG);
 if (!$this->db->query($sql)) {
diff --git a/htdocs/recruitment/recruitmentcandidature_card.php b/htdocs/recruitment/recruitmentcandidature_card.php
index 653b38c90b3..7c2f5e2ebe7 100644
--- a/htdocs/recruitment/recruitmentcandidature_card.php
+++ b/htdocs/recruitment/recruitmentcandidature_card.php
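Review bot: The fallback branch of the new permission test grants `$perm = 1` on a `read` right (`!empty($user->rights->$tmpobject->read)`), while every explicit branch above it requires a create/write right; reordering lines is a modification, so a user with read-only access to a module that is not in the explicit list would pass this check. The same branch indexes `$tmparray[1]` without checking that `$table_element_line` contained an underscore, which raises an undefined-offset notice for single-word table names. Whether custom-module rights are keyed as `$user->rights->$tmpmodule->$tmpobject->write` or directly by object cannot be confirmed from this hunk and should be checked against how those modules register them; the sketch below keeps the visible keying. The `if` block these checks live in continues past the end of the hunk, and the comment typo `// Make test on pemrission` could be corrected to `// Make test on permission` while here.
```php
} else {
    $tmparray = explode('_', $table_element_line);
    $tmpmodule = $tmparray[0];
    $tmpobject = isset($tmparray[1]) ? preg_replace('/line$/', '', $tmparray[1]) : '';
    // Reordering lines is a write: require a write/create right, never a read right
    if (!empty($tmpmodule) && !empty($tmpobject) && !empty($conf->$tmpmodule->enabled)
        && (!empty($user->rights->$tmpobject->write) || !empty($user->rights->$tmpobject->creer))) {
        $perm = 1;
    }
}
// … unchanged: accessforbidden() when !$perm, roworder handling …
```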
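Review bot: The `(int)` casts on `$rang` and `$rowid` close the injection path, but they also turn any non-numeric value into `0`, so a bad `$rowid` silently produces `WHERE rowid = 0` (updates nothing) and a bad `$rang` sets the position of a valid row to 0; validating both with `is_numeric()` before building the query and returning the method's usual error value would make the failure visible instead. `$this->table_element_line` and `$fieldposition` are still concatenated raw, which is acceptable only while both remain class-defined values (the visible context sets `$fieldposition = 'position'`); a comment such as `// table and column names are class-defined; only the two ids come from callers` would record that. updateRangOfLine's signature and return convention are outside the hunk.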
@@ -555,55 +555,6 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea print dol_get_fiche_end(); - - /* - * Lines - */ - - if (!empty($object->table_element_line)) { - // Show object lines - $result = $object->getLinesArray(); - - print '
- - - - - '; - - if (!empty($conf->use_javascript_ajax) && $object->status == 0) { - include DOL_DOCUMENT_ROOT.'/core/tpl/ajaxrow.tpl.php'; - } - - print '
'; - if (!empty($object->lines) || ($object->status == $object::STATUS_DRAFT && $permissiontoadd && $action != 'selectlines' && $action != 'editline')) { - print ''; - } - - if (!empty($object->lines)) { - $object->printObjectLines($action, $mysoc, null, GETPOST('lineid', 'int'), 1); - } - - // Form to add new line - if ($object->status == 0 && $permissiontoadd && $action != 'selectlines') { - if ($action != 'editline') { - // Add products/services form - $object->formAddObjectLine(1, $mysoc, $soc); - - $parameters = array(); - $reshook = $hookmanager->executeHooks('formAddObjectLine', $parameters, $object, $action); // Note that $action and $object may have been modified by hook - } - } - - if (!empty($object->lines) || ($object->status == $object::STATUS_DRAFT && $permissiontoadd && $action != 'selectlines' && $action != 'editline')) { - print '
'; - } - print '
'; - - print "
\n"; - } - - // Buttons for actions if ($action != 'presend' && $action != 'editline') { diff --git a/htdocs/recruitment/recruitmentjobposition_applications.php b/htdocs/recruitment/recruitmentjobposition_applications.php index c126c594c3a..54efe31e14c 100644 --- a/htdocs/recruitment/recruitmentjobposition_applications.php +++ b/htdocs/recruitment/recruitmentjobposition_applications.php @@ -412,54 +412,6 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea print dol_get_fiche_end(); - - /* - * Lines - */ - - if (!empty($object->table_element_line)) { - // Show object lines - $result = $object->getLinesArray(); - - print '
- - - - - '; - - if (!empty($conf->use_javascript_ajax) && $object->status == 0) { - include DOL_DOCUMENT_ROOT.'/core/tpl/ajaxrow.tpl.php'; - } - - print '
'; - if (!empty($object->lines) || ($object->status == $object::STATUS_DRAFT && $permissiontoadd && $action != 'selectlines' && $action != 'editline')) { - print ''; - } - - if (!empty($object->lines)) { - $object->printObjectLines($action, $mysoc, null, GETPOST('lineid', 'int'), 1); - } - - // Form to add new line - if ($object->status == 0 && $permissiontoadd && $action != 'selectlines') { - if ($action != 'editline') { - // Add products/services form - $object->formAddObjectLine(1, $mysoc, $soc); - - $parameters = array(); - $reshook = $hookmanager->executeHooks('formAddObjectLine', $parameters, $object, $action); // Note that $action and $object may have been modified by hook - } - } - - if (!empty($object->lines) || ($object->status == $object::STATUS_DRAFT && $permissiontoadd && $action != 'selectlines' && $action != 'editline')) { - print '
'; - } - print '
'; - - print "
\n"; - } - print '
'.$langs->trans("FeatureNotYetAvailable"); } diff --git a/htdocs/recruitment/recruitmentjobposition_card.php b/htdocs/recruitment/recruitmentjobposition_card.php index 2b832b3b467..ba97712513a 100644 --- a/htdocs/recruitment/recruitmentjobposition_card.php +++ b/htdocs/recruitment/recruitmentjobposition_card.php @@ -440,54 +440,6 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea print dol_get_fiche_end(); - /* - * Lines - */ - - if (!empty($object->table_element_line)) { - // Show object lines - $result = $object->getLinesArray(); - - print '
- - - - - '; - - if (!empty($conf->use_javascript_ajax) && $object->status == 0) { - include DOL_DOCUMENT_ROOT.'/core/tpl/ajaxrow.tpl.php'; - } - - print '
'; - if (!empty($object->lines) || ($object->status == $object::STATUS_DRAFT && $permissiontoadd && $action != 'selectlines' && $action != 'editline')) { - print ''; - } - - if (!empty($object->lines)) { - $object->printObjectLines($action, $mysoc, null, GETPOST('lineid', 'int'), 1); - } - - // Form to add new line - if ($object->status == 0 && $permissiontoadd && $action != 'selectlines') { - if ($action != 'editline') { - // Add products/services form - $object->formAddObjectLine(1, $mysoc, $soc); - - $parameters = array(); - $reshook = $hookmanager->executeHooks('formAddObjectLine', $parameters, $object, $action); // Note that $action and $object may have been modified by hook - } - } - - if (!empty($object->lines) || ($object->status == $object::STATUS_DRAFT && $permissiontoadd && $action != 'selectlines' && $action != 'editline')) { - print '
'; - } - print '
'; - - print "
\n"; - } - - // Buttons for actions if ($action != 'presend' && $action != 'editline') { diff --git a/htdocs/supplier_proposal/card.php b/htdocs/supplier_proposal/card.php index 1b10c92b0dc..21bb18dda93 100644 --- a/htdocs/supplier_proposal/card.php +++ b/htdocs/supplier_proposal/card.php @@ -118,6 +118,7 @@ $usercancreateorder = $user->rights->fournisseur->commande->creer; $permissionnote = $usercancreate; // Used by the include of actions_setnotes.inc.php $permissiondellink = $usercancreate; // Used by the include of actions_dellink.inc.php $permissiontoedit = $usercancreate; // Used by the include of actions_lineupdown.inc.php +$permissiontoadd = $usercancreate; /* @@ -485,7 +486,6 @@ if (empty($reshook)) { // Actions to build doc $upload_dir = $conf->supplier_proposal->dir_output; - $permissiontoadd = $usercancreate; include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php'; From 538547acfe0a7a6c29b7d186abad2e1175e6a3e2 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 23 Mar 2021 16:26:31 +0100 Subject: [PATCH 03/12] Add currency into combo of bank account (for a future use in js) --- htdocs/core/class/html.form.class.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index 33f3c15151a..0f8e724692f 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -4375,9 +4375,9 @@ class Form while ($i < $num) { $obj = $this->db->fetch_object($result); if ($selected == $obj->rowid || ($useempty == 2 && $num == 1 && empty($selected))) { - $out .= '