From d83d0052846104321ac598f80049a8080f88380f Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 19 Mar 2021 12:44:59 +0100 Subject: [PATCH] FIX #yogosha5674 --- htdocs/accountancy/admin/account.php | 8 +++---- htdocs/accountancy/admin/subaccount.php | 4 ++-- htdocs/accountancy/bookkeeping/card.php | 4 ++-- htdocs/admin/confexped.php | 8 +++---- htdocs/admin/fckeditor.php | 6 +++--- htdocs/admin/security.php | 10 ++++----- htdocs/bom/bom_card.php | 4 ++-- htdocs/compta/facture/card-rec.php | 6 +++--- htdocs/contact/card.php | 4 ++-- .../conferenceorbooth_card.php | 8 +++---- htdocs/main.inc.php | 21 ++++++++++++++++--- .../modulebuilder/template/myobject_card.php | 8 +++---- htdocs/product/price.php | 4 ++-- .../recruitmentjobposition_card.php | 4 ++-- htdocs/user/card.php | 6 +++--- htdocs/website/websiteaccount_card.php | 6 +++--- htdocs/workstation/workstation_card.php | 6 +++--- htdocs/zapier/hook_card.php | 4 ++-- 18 files changed, 68 insertions(+), 53 deletions(-) diff --git a/htdocs/accountancy/admin/account.php b/htdocs/accountancy/admin/account.php index faf55427786..8982376ded6 100644 --- a/htdocs/accountancy/admin/account.php +++ b/htdocs/accountancy/admin/account.php @@ -529,11 +529,11 @@ if ($resql) { if (!empty($arrayfields['aa.reconcilable']['checked'])) { print ''; if (empty($obj->reconcilable)) { - print ''; + print ''; print img_picto($langs->trans("Disabled"), 'switch_off'); print ''; } else { - print ''; + print ''; print img_picto($langs->trans("Activated"), 'switch_on'); print ''; } @@ -548,11 +548,11 @@ if ($resql) { if (!empty($arrayfields['aa.active']['checked'])) { print ''; if (empty($obj->active)) { - print ''; + print ''; print img_picto($langs->trans("Disabled"), 'switch_off'); print ''; } else { - print ''; + print ''; print img_picto($langs->trans("Activated"), 'switch_on'); print ''; } diff --git a/htdocs/accountancy/admin/subaccount.php b/htdocs/accountancy/admin/subaccount.php index 341fddf113c..ad1804048c3 100644 
--- a/htdocs/accountancy/admin/subaccount.php +++ b/htdocs/accountancy/admin/subaccount.php @@ -419,11 +419,11 @@ if ($resql) { if (!empty($arrayfields['reconcilable']['checked'])) { print ''; if (empty($obj->reconcilable)) { - print ''; + print ''; print img_picto($langs->trans("Disabled"), 'switch_off'); print ''; } else { - print ''; + print ''; print img_picto($langs->trans("Activated"), 'switch_on'); print ''; } diff --git a/htdocs/accountancy/bookkeeping/card.php b/htdocs/accountancy/bookkeeping/card.php index 60645353976..e3cac139c08 100644 --- a/htdocs/accountancy/bookkeeping/card.php +++ b/htdocs/accountancy/bookkeeping/card.php @@ -543,11 +543,11 @@ if ($action == 'create') { print '' . $langs->trans("Status") . ''; print ''; if (empty($object->validated)) { - print ''; + print ''; print img_picto($langs->trans("Disabled"), 'switch_off'); print ''; } else { - print ''; + print ''; print img_picto($langs->trans("Activated"), 'switch_on'); print ''; } diff --git a/htdocs/admin/confexped.php b/htdocs/admin/confexped.php index fbf347a45a9..b218a245c99 100644 --- a/htdocs/admin/confexped.php +++ b/htdocs/admin/confexped.php @@ -110,11 +110,11 @@ print ''; print $langs->trans("Required"); /*if (empty($conf->global->MAIN_SUBMODULE_EXPEDITION)) { - print ''.img_picto($langs->trans("Disabled"),'switch_off').''; + print ''.img_picto($langs->trans("Disabled"),'switch_off').''; } else { - print ''.img_picto($langs->trans("Enabled"),'switch_on').''; + print ''.img_picto($langs->trans("Enabled"),'switch_on').''; }*/ print ""; print ''; @@ -130,9 +130,9 @@ print ''; print ''; if (empty($conf->global->MAIN_SUBMODULE_DELIVERY)) { - print ''.img_picto($langs->trans("Disabled"), 'switch_off').''; + print ''.img_picto($langs->trans("Disabled"), 'switch_off').''; } else { - print ''.img_picto($langs->trans("Enabled"), 'switch_on').''; + print ''.img_picto($langs->trans("Enabled"), 'switch_on').''; } print ""; 
diff --git a/htdocs/admin/fckeditor.php b/htdocs/admin/fckeditor.php index 0671783615c..65029a9246a 100644 --- a/htdocs/admin/fckeditor.php +++ b/htdocs/admin/fckeditor.php @@ -89,7 +89,7 @@ $picto = array( */ foreach ($modules as $const => $desc) { - if ($action == 'activate_'.strtolower($const)) { + if ($action == 'enable_'.strtolower($const)) { dolibarr_set_const($db, "FCKEDITOR_ENABLE_".$const, "1", 'chaine', 0, '', $conf->entity); // If fckeditor is active in the product/service description, it is activated in the forms if ($const == 'PRODUCTDESC' && !empty($conf->global->PRODUIT_DESC_IN_FORM)) { @@ -166,9 +166,9 @@ if (empty($conf->use_javascript_ajax)) { $constante = 'FCKEDITOR_ENABLE_'.$const; $value = (isset($conf->global->$constante) ? $conf->global->$constante : 0); if ($value == 0) { - print ''.img_picto($langs->trans("Disabled"), 'switch_off').''; + print ''.img_picto($langs->trans("Disabled"), 'switch_off').''; } elseif ($value == 1) { - print ''.img_picto($langs->trans("Enabled"), 'switch_on').''; + print ''.img_picto($langs->trans("Enabled"), 'switch_on').''; } print ""; diff --git a/htdocs/admin/security.php b/htdocs/admin/security.php index 011b28e7421..98b6c996181 100644 --- a/htdocs/admin/security.php +++ b/htdocs/admin/security.php @@ -406,7 +406,7 @@ if (!empty($conf->global->DATABASE_PWD_ENCRYPTED)) { if ($allow_disable_encryption) { //On n'autorise pas l'annulation de l'encryption car les mots de passe ne peuvent pas etre decodes //Do not allow "disable encryption" as passwords cannot be decrypted - print ''.$langs->trans("Disable").''; + print ''.$langs->trans("Disable").''; } else { print '-'; } 
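Review bot: The rename of the action prefix from `activate_` to `enable_` in the first fckeditor.php hunk is not explained at the site, and a reader will not see that the new name is what makes the main.inc.php token check apply to this action; a comment such as `// Named enable_* so that main.inc.php forces the CSRF token check on this action` would keep the two files from drifting apart. Any link or bookmark still carrying the old `activate_` name is presumably no longer matched by this `if` chain, so the second hunk's updated URLs are the only callers that should remain. The `foreach` loop this `if` belongs to continues past the end of the hunk.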
@@ -432,10 +432,10 @@ if (empty($dolibarr_main_db_pass) && empty($dolibarr_main_db_encrypted_pass)) { print img_warning($langs->trans("WarningPassIsEmpty")); } else { if (empty($dolibarr_main_db_encrypted_pass)) { - print ''.$langs->trans("Activate").''; + print ''.$langs->trans("Activate").''; } if (!empty($dolibarr_main_db_encrypted_pass)) { - print ''.$langs->trans("Disable").''; + print ''.$langs->trans("Disable").''; } } print ""; @@ -455,12 +455,12 @@ if (!empty($conf->global->MAIN_SECURITY_DISABLEFORGETPASSLINK)) { print ''; if (empty($conf->global->MAIN_SECURITY_DISABLEFORGETPASSLINK)) { print ''; - print ''.$langs->trans("Activate").''; + print ''.$langs->trans("Activate").''; print ""; } if (!empty($conf->global->MAIN_SECURITY_DISABLEFORGETPASSLINK)) { print ''; - print ''.$langs->trans("Disable").''; + print ''.$langs->trans("Disable").''; print ""; } print ""; diff --git a/htdocs/bom/bom_card.php b/htdocs/bom/bom_card.php index 6d2047d3f49..fa2ef014d17 100644 --- a/htdocs/bom/bom_card.php +++ b/htdocs/bom/bom_card.php @@ -656,11 +656,11 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea { if ($object->status == 1) { - print ''.$langs->trans("Disable").''."\n"; + print ''.$langs->trans("Disable").''."\n"; } else { - print ''.$langs->trans("Enable").''."\n"; + print ''.$langs->trans("Enable").''."\n"; } } */ diff --git a/htdocs/compta/facture/card-rec.php b/htdocs/compta/facture/card-rec.php index 167e9e4a577..4f0148a05a1 100644 --- a/htdocs/compta/facture/card-rec.php +++ b/htdocs/compta/facture/card-rec.php @@ -1658,15 +1658,15 @@ if ($action == 'create') { if ($user->rights->facture->creer) { if (empty($object->suspended)) { - print '
'.$langs->trans("Disable").'
'; + print '
id.'&token='.newToken().'">'.$langs->trans("Disable").'
'; } else { - print '
'.$langs->trans("Enable").'
'; + print '
id.'&token='.newToken().'">'.$langs->trans("Enable").'
'; } } //if ($object->statut == Facture::STATUS_DRAFT && $user->rights->facture->supprimer) if ($user->rights->facture->supprimer) { - print '
'.$langs->trans('Delete').'
'; + print '
'.$langs->trans('Delete').'
'; } print ''; diff --git a/htdocs/contact/card.php b/htdocs/contact/card.php index bae45672257..421b88ea6b8 100644 --- a/htdocs/contact/card.php +++ b/htdocs/contact/card.php @@ -1470,11 +1470,11 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { // Activer if ($object->statut == 0 && $user->rights->societe->contact->creer) { - print ''.$langs->trans("Reactivate").''; + print ''.$langs->trans("Reactivate").''; } // Desactiver if ($object->statut == 1 && $user->rights->societe->contact->creer) { - print ''.$langs->trans("DisableUser").''; + print ''.$langs->trans("DisableUser").''; } // Delete diff --git a/htdocs/eventorganization/conferenceorbooth_card.php b/htdocs/eventorganization/conferenceorbooth_card.php index 817be70ab79..e27e909d071 100644 --- a/htdocs/eventorganization/conferenceorbooth_card.php +++ b/htdocs/eventorganization/conferenceorbooth_card.php @@ -476,16 +476,16 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea /* if ($permissiontoadd) { if ($object->status == $object::STATUS_ENABLED) { - print ''.$langs->trans("Disable").''."\n"; + print ''.$langs->trans("Disable").''."\n"; } else { - print ''.$langs->trans("Enable").''."\n"; + print ''.$langs->trans("Enable").''."\n"; } } if ($permissiontoadd) { if ($object->status == $object::STATUS_VALIDATED) { - print ''.$langs->trans("Cancel").''."\n"; + print ''.$langs->trans("Cancel").''."\n"; } else { - print ''.$langs->trans("Re-Open").''."\n"; + print ''.$langs->trans("Re-Open").''."\n"; } } */ diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index d77b1479102..108a25e1877 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php 
@@ -431,11 +431,26 @@ if (!defined('NOTOKENRENEWAL')) { // Check validity of token, only if option MAIN_SECURITY_CSRF_WITH_TOKEN enabled or if constant CSRFCHECK_WITH_TOKEN is set into page if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN)) || defined('CSRFCHECK_WITH_TOKEN')) { - // Check all cases that need a token (all POST actions + all login, actions and mass actions on pages with CSRFCHECK_WITH_TOKEN set + all sensitive GET actions) + // Array of action code where CSRFCHECK with token will be forced (so token must be provided on url request) + $arrayofactiontoforcetokencheck = array( + 'activate', 'add', 'addtimespent', 'update', 'install', + 'confirm_create_user', 'confirm_create_thirdparty', 'confirm_reject_check', + 'delete', 'deletefilter', 'deleteoperation', 'deleteprof', 'deletepayment', 'disable', + 'enable' + ); + $sensitiveget = false; + if (in_array(GETPOST('action', 'aZ09'), $arrayofactiontoforcetokencheck)) { + $sensitiveget = true; + } + if (preg_match('/^(disable_|enable_)/', GETPOST('action', 'aZ09'))) { + $sensitiveget = true; + } + + // Check all cases that need a mandatory token (all POST actions + all login, actions and mass actions on pages with CSRFCHECK_WITH_TOKEN set + all sensitive GET actions) if ( $_SERVER['REQUEST_METHOD'] == 'POST' || - ((GETPOSTISSET('actionlogin') || GETPOSTISSET('action') || GETPOSTISSET('massaction')) && defined('CSRFCHECK_WITH_TOKEN')) || - in_array(GETPOST('action', 'aZ09'), array('add', 'addtimespent', 'update', 'install', 'delete', 'deletefilter', 'deleteoperation', 'deleteprof', 'deletepayment', 'confirm_create_user', 'confirm_create_thirdparty', 'confirm_reject_check')) + $sensitiveget || + ((GETPOSTISSET('actionlogin') || GETPOSTISSET('action') || GETPOSTISSET('massaction')) && defined('CSRFCHECK_WITH_TOKEN')) ) { if (!GETPOST('token', 'alpha')) { // If token is not provided or empty if (GETPOST('uploadform', 'int')) { 
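Review bot: The new `$sensitiveget` guard only covers the actions listed in `$arrayofactiontoforcetokencheck` plus the `disable_`/`enable_` prefixes, so an `activate_`-prefixed action (the prefix the fckeditor hunk renames away from) stays unprotected on any page that does not define CSRFCHECK_WITH_TOKEN; if other pages still use that prefix, widening the pattern to `if (preg_match('/^(activate_|disable_|enable_)/', GETPOST('action', 'aZ09'))) {` would close that gap without another per-page rename. The array should carry a comment stating that it is an allowlist maintainers must extend, e.g. `// Allowlist: every new state-changing GET action must be added here, otherwise it is only protected on pages that define CSRFCHECK_WITH_TOKEN`. The `in_array()` call should pass `true` as its third argument so the comparison is strict. The enclosing `if` block opens inside the hunk but its body continues past the hunk's last line.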
diff --git a/htdocs/modulebuilder/template/myobject_card.php b/htdocs/modulebuilder/template/myobject_card.php index e99acc0b913..8e40c1071e2 100644 --- a/htdocs/modulebuilder/template/myobject_card.php +++ b/htdocs/modulebuilder/template/myobject_card.php @@ -514,16 +514,16 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea /* if ($permissiontoadd) { if ($object->status == $object::STATUS_ENABLED) { - print ''.$langs->trans("Disable").''."\n"; + print ''.$langs->trans("Disable").''."\n"; } else { - print ''.$langs->trans("Enable").''."\n"; + print ''.$langs->trans("Enable").''."\n"; } } if ($permissiontoadd) { if ($object->status == $object::STATUS_VALIDATED) { - print ''.$langs->trans("Cancel").''."\n"; + print ''.$langs->trans("Cancel").''."\n"; } else { - print ''.$langs->trans("Re-Open").''."\n"; + print ''.$langs->trans("Re-Open").''."\n"; } } */ diff --git a/htdocs/product/price.php b/htdocs/product/price.php index 015b061119b..ee86d43c09f 100644 --- a/htdocs/product/price.php +++ b/htdocs/product/price.php @@ -942,10 +942,10 @@ if (!empty($conf->global->PRODUIT_MULTIPRICES) || !empty($conf->global->PRODUIT_ } print ''; - print '('.$langs->trans("DisablePriceByQty").')'; + print '('.$langs->trans("DisablePriceByQty").')'; } else { print $langs->trans("No"); - print '  ('.$langs->trans("Activate").')'; + print '  ('.$langs->trans("Activate").')'; } print ''; } diff --git a/htdocs/recruitment/recruitmentjobposition_card.php b/htdocs/recruitment/recruitmentjobposition_card.php index 26d1578b24c..2b832b3b467 100644 --- a/htdocs/recruitment/recruitmentjobposition_card.php +++ b/htdocs/recruitment/recruitmentjobposition_card.php 
@@ -548,9 +548,9 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea /* if ($permissiontoadd) { if ($object->status == $object::STATUS_ENABLED) { - print ''.$langs->trans("Disable").''."\n"; + print ''.$langs->trans("Disable").''."\n"; } else { - print ''.$langs->trans("Enable").''."\n"; + print ''.$langs->trans("Enable").''."\n"; } }*/ if ($permissiontoadd) { diff --git a/htdocs/user/card.php b/htdocs/user/card.php index a72dde04fb1..d4373812f61 100644 --- a/htdocs/user/card.php +++ b/htdocs/user/card.php @@ -1821,12 +1821,12 @@ if ($action == 'create' || $action == 'adduserldap') { // Enable user if ($user->id <> $id && $candisableuser && $object->statut == 0 && ((empty($conf->multicompany->enabled) && $object->entity == $user->entity) || !$user->entity || ($object->entity == $conf->entity) || ($conf->global->MULTICOMPANY_TRANSVERSE_MODE && $conf->entity == 1))) { - print '
'.$langs->trans("Reactivate").'
'; + print '
'.$langs->trans("Reactivate").'
'; } // Disable user if ($user->id <> $id && $candisableuser && $object->statut == 1 && ((empty($conf->multicompany->enabled) && $object->entity == $user->entity) || !$user->entity || ($object->entity == $conf->entity) || ($conf->global->MULTICOMPANY_TRANSVERSE_MODE && $conf->entity == 1))) { - print '
'.$langs->trans("DisableUser").'
'; + print '
'.$langs->trans("DisableUser").'
'; } else { if ($user->id == $id) { print '
'.$langs->trans("DisableUser").'
'; @@ -1836,7 +1836,7 @@ if ($action == 'create' || $action == 'adduserldap') { if ($user->id <> $id && $candisableuser && ((empty($conf->multicompany->enabled) && $object->entity == $user->entity) || !$user->entity || ($object->entity == $conf->entity) || ($conf->global->MULTICOMPANY_TRANSVERSE_MODE && $conf->entity == 1))) { if ($user->admin || !$object->admin) { // If user edited is admin, delete is possible on for an admin - print '
'.$langs->trans("DeleteUser").'
'; + print '
'.$langs->trans("DeleteUser").'
'; } else { print '
'.$langs->trans("DeleteUser").'
'; } diff --git a/htdocs/website/websiteaccount_card.php b/htdocs/website/websiteaccount_card.php index e63c3cb8fef..957173335c0 100644 --- a/htdocs/website/websiteaccount_card.php +++ b/htdocs/website/websiteaccount_card.php @@ -332,17 +332,17 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea { if ($object->status == 1) { - print '
'.$langs->trans("Disable").'
'."\n"; + print '
'.$langs->trans("Disable").'
'."\n"; } else { - print '
'.$langs->trans("Enable").'
'."\n"; + print '
'.$langs->trans("Enable").'
'."\n"; } } */ if ($user->rights->website->delete) { - print '
'.$langs->trans('Delete').'
'."\n"; + print '
'.$langs->trans('Delete').'
'."\n"; } } print ''."\n"; diff --git a/htdocs/workstation/workstation_card.php b/htdocs/workstation/workstation_card.php index c15053bad5e..61686423d4c 100755 --- a/htdocs/workstation/workstation_card.php +++ b/htdocs/workstation/workstation_card.php @@ -469,16 +469,16 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea if ($permissiontoadd) { if ($object->status == $object::STATUS_ENABLED) { - print ''.$langs->trans("Disable").''."\n"; + print ''.$langs->trans("Disable").''."\n"; } else { - print ''.$langs->trans("Enable").''."\n"; + print ''.$langs->trans("Enable").''."\n"; } } // Delete (need delete permission, or if draft, just need create/modify permission) if ($permissiontodelete) { - print ''.$langs->trans('Delete').''."\n"; + print ''.$langs->trans('Delete').''."\n"; } else { print ''.$langs->trans('Delete').''."\n"; } diff --git a/htdocs/zapier/hook_card.php b/htdocs/zapier/hook_card.php index 455efc95cc9..f57f8873aba 100644 --- a/htdocs/zapier/hook_card.php +++ b/htdocs/zapier/hook_card.php @@ -351,11 +351,11 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea { if ($object->status == 1) { - print ''.$langs->trans("Disable").''."\n"; + print ''.$langs->trans("Disable").''."\n"; } else { - print ''.$langs->trans("Enable").''."\n"; + print ''.$langs->trans("Enable").''."\n"; } } */