From 2c2f86736aff1e648dab317b93d7f21edcada89a Mon Sep 17 00:00:00 2001 From: TuxGasy Date: Sat, 5 Jan 2019 19:01:54 +0100 Subject: [PATCH 1/9] Fix #10301 mass bill orders and replicate extrafields --- htdocs/core/actions_massactions.inc.php | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/htdocs/core/actions_massactions.inc.php b/htdocs/core/actions_massactions.inc.php index 3bf42f0a538..1760fc067a3 100644 --- a/htdocs/core/actions_massactions.inc.php +++ b/htdocs/core/actions_massactions.inc.php @@ -533,6 +533,10 @@ if ($massaction == 'confirm_createbills') $objecttmp->origin = 'commande'; $objecttmp->origin_id = $id_order; + // Replicate extrafields + $cmd->fetch_optionals($id_order); + $objecttmp->array_options = $cmd->array_options; + $res = $objecttmp->create($user); if($res > 0) $nb_bills_created++; @@ -682,6 +686,7 @@ if ($massaction == 'confirm_createbills') if (! $error && $validate_invoices) { $massaction = $action = 'builddoc'; + $savobject = $object; foreach($TAllFact as &$objecttmp) { $result = $objecttmp->validate($user); @@ -698,10 +703,12 @@ if ($massaction == 'confirm_createbills') $donotredirect = 1; $upload_dir = $conf->facture->dir_output; $permissioncreate=$user->rights->facture->creer; + $object = $objecttmp; include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php'; } $massaction = $action = 'confirm_createbills'; + $object = $savobject; } if (! $error) From 47448b77f05b673339b46cf4cdbd54f44ff0a409 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 8 Jan 2019 16:47:30 +0100 Subject: [PATCH 2/9] Update actions_massactions.inc.php --- htdocs/core/actions_massactions.inc.php | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/htdocs/core/actions_massactions.inc.php b/htdocs/core/actions_massactions.inc.php index 1760fc067a3..2ca8a8f86c9 100644 --- a/htdocs/core/actions_massactions.inc.php +++ b/htdocs/core/actions_massactions.inc.php @@ -686,7 +686,7 @@ if ($massaction == 'confirm_createbills') if (! $error && $validate_invoices) { $massaction = $action = 'builddoc'; - $savobject = $object; + foreach($TAllFact as &$objecttmp) { $result = $objecttmp->validate($user); @@ -703,12 +703,15 @@ if ($massaction == 'confirm_createbills') $donotredirect = 1; $upload_dir = $conf->facture->dir_output; $permissioncreate=$user->rights->facture->creer; - $object = $objecttmp; + + // Call action to build doc + $savobject = $object; + $object = $objecttmp; include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php'; + $object = $savobject; } $massaction = $action = 'confirm_createbills'; - $object = $savobject; } if (! $error) From a1f5ede736442e7f0a643b3496a47daf100f0c76 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 8 Jan 2019 16:50:27 +0100 Subject: [PATCH 3/9] Update actions_massactions.inc.php --- htdocs/core/actions_massactions.inc.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/htdocs/core/actions_massactions.inc.php b/htdocs/core/actions_massactions.inc.php index 2ca8a8f86c9..0a71deed66f 100644 --- a/htdocs/core/actions_massactions.inc.php +++ b/htdocs/core/actions_massactions.inc.php @@ -516,7 +516,9 @@ if ($massaction == 'confirm_createbills') $objecttmp = new Facture($db); if (!empty($createbills_onebythird) && !empty($TFactThird[$cmd->socid])) $objecttmp = $TFactThird[$cmd->socid]; // If option "one bill per third" is set, we use already created order. else { - + // Load extrafields of order + $cmd->fetch_optionals(); + $objecttmp->socid = $cmd->socid; $objecttmp->type = Facture::TYPE_STANDARD; $objecttmp->cond_reglement_id = $cmd->cond_reglement_id; @@ -533,9 +535,7 @@ if ($massaction == 'confirm_createbills') $objecttmp->origin = 'commande'; $objecttmp->origin_id = $id_order; - // Replicate extrafields - $cmd->fetch_optionals($id_order); - $objecttmp->array_options = $cmd->array_options; + $objecttmp->array_options = $cmd->array_options; // Copy extrafields $res = $objecttmp->create($user); From 1aa2b7a164f88f59314d86cbc4f7beca7ec4070a Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 10 Jan 2019 03:26:34 +0100 Subject: [PATCH 4/9] FIX SQL injection on rowid of dict.php --- htdocs/admin/dict.php | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/htdocs/admin/dict.php b/htdocs/admin/dict.php index a60e0be68c8..e1e0c0d419e 100644 --- a/htdocs/admin/dict.php +++ b/htdocs/admin/dict.php @@ -794,7 +794,7 @@ if (GETPOST('actionadd') || GETPOST('actionmodify')) else $sql.="'".$db->escape($_POST[$listfieldvalue[$i]])."'"; $i++; } - $sql.= " WHERE ".$rowidcol." = '".$rowid."'"; + $sql.= " WHERE ".$rowidcol." = '".$db->escape($rowid)."'"; if (in_array('entity', $listfieldmodify)) $sql.= " AND entity = '".getEntity($tabname[$id])."'"; dol_syslog("actionmodify", LOG_DEBUG); @@ -818,7 +818,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') // delete if ($tabrowid[$id]) { $rowidcol=$tabrowid[$id]; } else { $rowidcol="rowid"; } - $sql = "DELETE FROM ".$tabname[$id]." WHERE ".$rowidcol."='".$rowid."'".($entity != '' ? " AND entity = " . (int) $entity : ''); + $sql = "DELETE FROM ".$tabname[$id]." WHERE ".$rowidcol."='".$db->escape($rowid)."'".($entity != '' ? " AND entity = " . (int) $entity : ''); dol_syslog("delete", LOG_DEBUG); $result = $db->query($sql); @@ -842,7 +842,7 @@ if ($action == $acts[0]) else { $rowidcol="rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'".($entity != '' ? " AND entity = " . (int) $entity : ''); + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$db->escape($rowid)."'".($entity != '' ? " AND entity = " . (int) $entity : ''); } elseif ($code) { $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".dol_escape_htmltag($code)."'".($entity != '' ? " AND entity = " . (int) $entity : ''); @@ -862,7 +862,7 @@ if ($action == $acts[1]) else { $rowidcol="rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'".($entity != '' ? " AND entity = " . (int) $entity : ''); + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$db->escape($rowid)."'".($entity != '' ? " AND entity = " . (int) $entity : ''); } elseif ($code) { $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".dol_escape_htmltag($code)."'".($entity != '' ? " AND entity = " . (int) $entity : ''); @@ -882,7 +882,7 @@ if ($action == 'activate_favorite') else { $rowidcol="rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol."='".$rowid."'".($entity != '' ? " AND entity = " . (int) $entity : ''); + $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol."='".$db->escape($rowid)."'".($entity != '' ? " AND entity = " . (int) $entity : ''); } elseif ($code) { $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".dol_escape_htmltag($code)."'".($entity != '' ? " AND entity = " . (int) $entity : ''); @@ -902,7 +902,7 @@ if ($action == 'disable_favorite') else { $rowidcol="rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol."='".$rowid."'".($entity != '' ? " AND entity = " . (int) $entity : ''); + $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol."='".$db->escape($rowid)."'".($entity != '' ? " AND entity = " . (int) $entity : ''); } elseif ($code) { $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".dol_escape_htmltag($code)."'".($entity != '' ? " AND entity = " . (int) $entity : ''); @@ -967,7 +967,7 @@ if (GETPOST('from')) $paramwithsearch.= '&from='.urlencode(GETPOST('from','alpha // Confirmation de la suppression de la ligne if ($action == 'delete') { - print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'rowid='.$rowid.'&code='.urlencode($code).$paramwithsearch, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1); + print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'rowid='.urlencode($rowid).'&code='.urlencode($code).$paramwithsearch, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1); } //var_dump($elementList); @@ -1367,8 +1367,8 @@ if ($id) print ''; print '
'; - print ''; - print ''; + print ''; + print ''; if (! is_null($withentity)) print ''; print ''; @@ -1622,14 +1622,14 @@ if ($id) if ($id == 4) { print ''; - if ($iserasable) print ''.$actl[$obj->favorite].''; + if ($iserasable) print ''.$actl[$obj->favorite].''; else print $langs->trans("AlwaysActive"); print ''; } // Active print ''; - if ($canbedisabled) print ''.$actl[$obj->active].''; + if ($canbedisabled) print ''.$actl[$obj->active].''; else { if (in_array($obj->code, array('AC_OTH','AC_OTH_AUTO'))) print $langs->trans("AlwaysActive"); From 7c9d85d091ba0d3754bc474e5e9cf47af07e3420 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Tue, 15 Jan 2019 12:18:04 +0100 Subject: [PATCH 5/9] FIX problem with multicompany transverse mode Signed-off-by: Regis Houssin --- htdocs/core/lib/security.lib.php | 6 +++--- htdocs/user/card.php | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index d2b768d75d5..d12ee339909 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php @@ -484,9 +484,9 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh { $sql.= ",".MAIN_DB_PREFIX."usergroup_user as ug"; $sql.= " WHERE dbt.".$dbt_select." IN (".$objectid.")"; - $sql.= " AND (ug.fk_user = dbt.rowid"; - $sql.= " AND ug.entity IN (".getEntity('user')."))"; - $sql.= " OR dbt.entity = 0"; // Show always superadmin + $sql.= " AND ((ug.fk_user = dbt.rowid"; + $sql.= " AND ug.entity IN (".getEntity('usergroup')."))"; + $sql.= " OR dbt.entity = 0)"; // Show always superadmin } } else { diff --git a/htdocs/user/card.php b/htdocs/user/card.php index f0b3fb819f2..bb3d7e7d8f6 100644 --- a/htdocs/user/card.php +++ b/htdocs/user/card.php @@ -84,9 +84,9 @@ $socid=0; if ($user->societe_id > 0) $socid = $user->societe_id; $feature2='user'; if ($user->id == $id) { $feature2=''; $canreaduser=1; } // A user can always read its own card -if (!$canreaduser) { - $result = restrictedArea($user, 'user', $id, 'user&user', $feature2); -} + +$result = restrictedArea($user, 'user', $id, 'user&user', $feature2); + if ($user->id <> $id && ! $canreaduser) accessforbidden(); // Load translation files required by page From 41a38b3a0aa3308bbc73765ba8b816f1b161bd15 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Tue, 15 Jan 2019 15:44:45 +0100 Subject: [PATCH 6/9] FIX avoid php warning Signed-off-by: Regis Houssin --- htdocs/install/inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/install/inc.php b/htdocs/install/inc.php index 0a2a6866f26..0b924122ebb 100644 --- a/htdocs/install/inc.php +++ b/htdocs/install/inc.php @@ -196,7 +196,7 @@ if (constant('DOL_DATA_ROOT') === null) { } if (@file_exists($lockfile)) { - if (! is_object($langs)) + if (! isset($langs) || ! is_object($langs)) { $langs = new Translate('..', $conf); $langs->setDefaultLang('auto'); From adc442232398b95825e0559c894b2b0925514aba Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 15 Jan 2019 17:57:30 +0100 Subject: [PATCH 7/9] Update card.php --- htdocs/user/card.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/htdocs/user/card.php b/htdocs/user/card.php index bb3d7e7d8f6..6db383ed515 100644 --- a/htdocs/user/card.php +++ b/htdocs/user/card.php @@ -85,7 +85,9 @@ if ($user->societe_id > 0) $socid = $user->societe_id; $feature2='user'; if ($user->id == $id) { $feature2=''; $canreaduser=1; } // A user can always read its own card -$result = restrictedArea($user, 'user', $id, 'user&user', $feature2); +if (! $canreaduser) { + $result = restrictedArea($user, 'user', $id, 'user&user', $feature2); +} if ($user->id <> $id && ! $canreaduser) accessforbidden(); From 0d384eea008994aea4b7def68ad5f9493fa2a63d Mon Sep 17 00:00:00 2001 From: atm-quentin Date: Wed, 16 Jan 2019 09:30:48 +0100 Subject: [PATCH 8/9] FIX credit note can have negative value --- htdocs/compta/facture/card.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/compta/facture/card.php b/htdocs/compta/facture/card.php index 9ad79393499..8541581fb49 100644 --- a/htdocs/compta/facture/card.php +++ b/htdocs/compta/facture/card.php @@ -1695,7 +1695,7 @@ if (empty($reshook)) setEventMessages($langs->trans('ErrorFieldRequired', $langs->transnoentitiesnoconv('Type')), null, 'errors'); $error++; } - if ($prod_entry_mode == 'free' && empty($idprod) && (($price_ht < 0 && empty($conf->global->FACTURE_ENABLE_NEGATIVE_LINES)) || $price_ht == '') && $price_ht_devise == '') // Unit price can be 0 but not '' + if (($prod_entry_mode == 'free' && empty($idprod) && (($price_ht < 0 && empty($conf->global->FACTURE_ENABLE_NEGATIVE_LINES)) || $price_ht == '') && $price_ht_devise == '') && $object->type != Facture::TYPE_CREDIT_NOTE) // Unit price can be 0 but not '' { if ($price_ht < 0 && empty($conf->global->FACTURE_ENABLE_NEGATIVE_LINES)) { @@ -2155,7 +2155,7 @@ if (empty($reshook)) setEventMessages($langs->trans('ErrorQtyForCustomerInvoiceCantBeNegative'), null, 'errors'); $error++; } - if (empty($productid) && (($pu_ht < 0 && empty($conf->global->FACTURE_ENABLE_NEGATIVE_LINES)) || $pu_ht == '') && $pu_ht_devise == '') // Unit price can be 0 but not '' + if ((empty($productid) && (($pu_ht < 0 && empty($conf->global->FACTURE_ENABLE_NEGATIVE_LINES)) || $pu_ht == '') && $pu_ht_devise == '') && $object->type != Facture::TYPE_CREDIT_NOTE) // Unit price can be 0 but not '' { if ($pu_ht < 0 && empty($conf->global->FACTURE_ENABLE_NEGATIVE_LINES)) { From 6becdc8af4684dfb2c1400afe19e7a4e254cdda3 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Wed, 16 Jan 2019 16:34:36 +0100 Subject: [PATCH 9/9] Fix missing substitution of ID --- htdocs/adherents/class/adherent.class.php | 4 +++- htdocs/adherents/subscription.php | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/htdocs/adherents/class/adherent.class.php b/htdocs/adherents/class/adherent.class.php index 11fb1a1a111..b4cedc98118 100644 --- a/htdocs/adherents/class/adherent.class.php +++ b/htdocs/adherents/class/adherent.class.php @@ -213,7 +213,9 @@ class Adherent extends CommonObject // Substitutions $substitutionarray=array( - '__CIVILITY__'=>$this->getCivilityLabel(), + '__ID__'=>$this->id, + '__MEMBER_ID__'=>$this->id, + '__CIVILITY__'=>$this->getCivilityLabel(), '__FIRSTNAME__'=>$msgishtml?dol_htmlentitiesbr($this->firstname):$this->firstname, '__LASTNAME__'=>$msgishtml?dol_htmlentitiesbr($this->lastname):$this->lastname, '__FULLNAME__'=>$msgishtml?dol_htmlentitiesbr($this->getFullName($langs)):$this->getFullName($langs), diff --git a/htdocs/adherents/subscription.php b/htdocs/adherents/subscription.php index 60969908a44..69e22adf882 100644 --- a/htdocs/adherents/subscription.php +++ b/htdocs/adherents/subscription.php @@ -558,7 +558,7 @@ if ($user->rights->adherent->cotisation->creer && $action == 'subscription' && ! if (! $error) { // Send confirmation Email - if ($object->email && $_POST["sendmail"]) + if ($object->email && $_POST["sendmail"]) // $object is 'Adherent' { $subjecttosend=$object->makeSubstitution($conf->global->ADHERENT_MAIL_COTIS_SUBJECT); $texttosend=$object->makeSubstitution($adht->getMailOnSubscription());