From b6deda1111fd654086f6faf7d3dc6a0227e55b39 Mon Sep 17 00:00:00 2001 From: atm-quentin Date: Mon, 18 Feb 2019 12:28:18 +0100 Subject: [PATCH 1/7] FIX credit note used on list --- .../fourn/class/fournisseur.facture.class.php | 21 +++++++++++++++++++ htdocs/fourn/facture/list.php | 6 ++++++ 2 files changed, 27 insertions(+) diff --git a/htdocs/fourn/class/fournisseur.facture.class.php b/htdocs/fourn/class/fournisseur.facture.class.php index 086f154184d..4ad0b221c36 100644 --- a/htdocs/fourn/class/fournisseur.facture.class.php +++ b/htdocs/fourn/class/fournisseur.facture.class.php @@ -2574,6 +2574,27 @@ class FactureFournisseur extends CommonInvoice return ($this->statut == self::STATUS_VALIDATED) && ($this->date_echeance < ($now - $conf->facture->fournisseur->warning_delay)); } + + /** + * Is credit note used + * + * @return bool + */ + public function isCreditNoteUsed() + { + global $db; + + $isUsed = false; + + $sql = "SELECT fk_invoice_supplier FROM ".MAIN_DB_PREFIX."societe_remise_except WHERE fk_invoice_supplier_source=".$this->id; + $resql = $db->query($sql); + if(!empty($resql)){ + $obj = $db->fetch_object($resql); + if(!empty($obj->fk_invoice_supplier))$isUsed=true; + } + + return $isUsed; + } } diff --git a/htdocs/fourn/facture/list.php b/htdocs/fourn/facture/list.php index 98a6956a809..b53a07104c7 100644 --- a/htdocs/fourn/facture/list.php +++ b/htdocs/fourn/facture/list.php @@ -833,6 +833,7 @@ if ($resql) $facturestatic->date_echeance = $db->jdate($obj->datelimite); $facturestatic->statut = $obj->fk_statut; + $thirdparty->id=$obj->socid; $thirdparty->name=$obj->name; $thirdparty->client=$obj->client; 
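Review bot: `isCreditNoteUsed()` concatenates `$this->id` into `WHERE fk_invoice_supplier_source=` with no cast, and this series goes on to call it on objects whose id is copied from a query row (`$tmpobject->id=$obj->rowid;`), so use `" WHERE fk_invoice_supplier_source=".(int) $this->id` to keep the statement safe whatever the property holds. The method also reaches for `global $db` although the rest of the class carries `$this->db` (see the `new Facture($this->db)` style elsewhere in the series); using the instance handle keeps it consistent and usable outside a web request. Finally, `fetch_object` is called once, so only the first conversion row is examined: a credit note whose first row is still unused but whose second row has been applied reads as "not used" — filter in SQL instead, `... AND fk_invoice_supplier IS NOT NULL`, and test `$this->db->num_rows($resql) > 0`.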
@@ -850,6 +851,11 @@ if ($resql) $totalpay = $paiement + $totalcreditnotes + $totaldeposits; $remaintopay = $obj->total_ttc - $totalpay; + //If invoice has been converted and the conversion has been used, we dont have remain to pay on invoice + if($facturestatic->type == FactureFournisseur::TYPE_CREDIT_NOTE && $facturestatic->statut == FactureFournisseur::STATUS_CLOSED) { + if($facturestatic->isCreditNoteUsed())$remaintopay=0; + } + print ''; if (! empty($arrayfields['f.ref']['checked'])) { From 785092544115056183e718a831e3ac419c4b797e Mon Sep 17 00:00:00 2001 From: atm-quentin Date: Fri, 22 Feb 2019 15:10:41 +0100 Subject: [PATCH 2/7] FIX amount opened on thirdparty card dont care of credit note not converted --- htdocs/societe/class/societe.class.php | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php index 412bf46b082..b894504bb10 100644 --- a/htdocs/societe/class/societe.class.php +++ b/htdocs/societe/class/societe.class.php @@ -3727,7 +3727,7 @@ class Societe extends CommonObject $alreadypayed=price2num($paiement + $creditnotes + $deposits,'MT'); $remaintopay=price2num($invoice->total_ttc - $paiement - $creditnotes - $deposits,'MT'); */ - if ($mode == 'supplier') $sql = "SELECT rowid, total_ht as total_ht, total_ttc, paye, fk_statut, close_code FROM ".MAIN_DB_PREFIX.$table." as f"; + if ($mode == 'supplier') $sql = "SELECT rowid, total_ht as total_ht, total_ttc, paye, type, fk_statut, close_code FROM ".MAIN_DB_PREFIX.$table." as f"; else $sql = "SELECT rowid, total as total_ht, total_ttc, paye, fk_statut, close_code FROM ".MAIN_DB_PREFIX.$table." as f"; $sql .= " WHERE fk_soc = ". $this->id; if ($mode == 'supplier') { 
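Review bot: `if($facturestatic->isCreditNoteUsed())$remaintopay=0;` issues a separate SQL query per closed credit-note row from inside the result loop, so the list page grows by one query per such row; if lists get long, fetch the "used" flag in the main list query with a LEFT JOIN on `societe_remise_except` instead. The one-liner without braces or spaces also diverges from the `if (! empty(...)) {` form used right below it; write it `if ($facturestatic->isCreditNoteUsed()) { $remaintopay = 0; }`. This relies on `$facturestatic->id` having been assigned from `$obj` earlier in the loop, which is outside the hunk — worth confirming, since the helper queries by `$this->id`.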
@@ -3754,7 +3754,13 @@ class Societe extends CommonObject $tmpobject=new Facture($this->db); } while($obj=$this->db->fetch_object($resql)) { - $tmpobject->id=$obj->rowid; + $tmpobject->id=$obj->rowid; + + $paiement = $tmpobject->getSommePaiement(); + $creditnotes = $tmpobject->getSumCreditNotesUsed(); + $deposits = $tmpobject->getSumDepositsUsed(); + + if ($obj->fk_statut != 0 // Not a draft && ! ($obj->fk_statut == 3 && $obj->close_code == 'replaced') // Not a replaced invoice ) @@ -3768,11 +3774,14 @@ class Societe extends CommonObject && $obj->fk_statut != 2) // Not classified as paid //$sql .= " AND (fk_statut <> 3 OR close_code <> 'abandon')"; // Not abandonned for undefined reason { - $paiement = $tmpobject->getSommePaiement(); - $creditnotes = $tmpobject->getSumCreditNotesUsed(); - $deposits = $tmpobject->getSumDepositsUsed(); + $outstandingOpened+=$obj->total_ttc - $paiement - $creditnotes - $deposits; } + + if($mode == 'supplier' && $obj->type == FactureFournisseur::TYPE_CREDIT_NOTE && $obj->fk_statut == FactureFournisseur::STATUS_CLOSED && !$tmpobject->isCreditNoteUsed()) { //if credit note is converted but not used + + $outstandingOpened+=$obj->total_ttc-$paiement; + } } return array('opened'=>$outstandingOpened, 'total_ht'=>$outstandingTotal, 'total_ttc'=>$outstandingTotalIncTax); // 'opened' is 'incl taxes' } From dc7a2fbb30e34b04a5cc88af5ac6234c8be56911 Mon Sep 17 00:00:00 2001 From: atm-quentin Date: Mon, 25 Feb 2019 10:01:26 +0100 Subject: [PATCH 3/7] FIX placement function --- htdocs/societe/class/societe.class.php | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php index b894504bb10..7d54e7ad01e 100644 --- a/htdocs/societe/class/societe.class.php +++ b/htdocs/societe/class/societe.class.php 
@@ -3756,9 +3756,7 @@ class Societe extends CommonObject while($obj=$this->db->fetch_object($resql)) { $tmpobject->id=$obj->rowid; - $paiement = $tmpobject->getSommePaiement(); - $creditnotes = $tmpobject->getSumCreditNotesUsed(); - $deposits = $tmpobject->getSumDepositsUsed(); + if ($obj->fk_statut != 0 // Not a draft @@ -3774,12 +3772,15 @@ class Societe extends CommonObject && $obj->fk_statut != 2) // Not classified as paid //$sql .= " AND (fk_statut <> 3 OR close_code <> 'abandon')"; // Not abandonned for undefined reason { + $paiement = $tmpobject->getSommePaiement(); + $creditnotes = $tmpobject->getSumCreditNotesUsed(); + $deposits = $tmpobject->getSumDepositsUsed(); $outstandingOpened+=$obj->total_ttc - $paiement - $creditnotes - $deposits; } if($mode == 'supplier' && $obj->type == FactureFournisseur::TYPE_CREDIT_NOTE && $obj->fk_statut == FactureFournisseur::STATUS_CLOSED && !$tmpobject->isCreditNoteUsed()) { //if credit note is converted but not used - + if(empty($paiement)) $paiement = $tmpobject->getSommePaiement(); $outstandingOpened+=$obj->total_ttc-$paiement; } } From 6deba39c6a9d67826297d7422f8130bb95133b35 Mon Sep 17 00:00:00 2001 From: atm-quentin Date: Fri, 12 Apr 2019 10:16:13 +0200 Subject: [PATCH 4/7] FIX credit note can be split --- htdocs/core/class/commoninvoice.class.php | 23 ++++++++++++ htdocs/core/class/discount.class.php | 43 +++++++++++++++++++++++ htdocs/fourn/facture/list.php | 7 ++-- htdocs/societe/class/societe.class.php | 8 ++--- 4 files changed, 75 insertions(+), 6 deletions(-) diff --git a/htdocs/core/class/commoninvoice.class.php b/htdocs/core/class/commoninvoice.class.php index 3aa8eb4e1ab..35ec6ad283e 100644 --- a/htdocs/core/class/commoninvoice.class.php +++ b/htdocs/core/class/commoninvoice.class.php 
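Review bot: `if(empty($paiement)) $paiement = $tmpobject->getSommePaiement();` in the credit-note branch reuses whatever `$paiement` the previous `while` iteration left behind, because the per-row reset that used to follow `$tmpobject->id=$obj->rowid;` is removed in this same patch and the only other assignment sits inside the status-filtered block above, which a closed credit note does not enter. A credit note following a partly paid invoice is therefore reduced by that other invoice's payments. Reset the three sums at the top of each iteration, `$paiement = $creditnotes = $deposits = 0;` right after `$tmpobject->id=$obj->rowid;`, or simply always call `getSommePaiement()` here. The `while` loop begins in the first hunk and the enclosing function starts before it.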
@@ -195,6 +195,29 @@ abstract class CommonInvoice extends CommonObject } } + /** + * Return amount (with tax) of all converted amount for this credit note + * + * @param int $multicurrency Return multicurrency_amount instead of amount + * @return int <0 if KO, Sum of credit notes and deposits amount otherwise + */ + function getSumFromThisCreditNotesNotUsed($multicurrency=0) + { + require_once DOL_DOCUMENT_ROOT.'/core/class/discount.class.php'; + + $discountstatic=new DiscountAbsolute($this->db); + $result=$discountstatic->getSumFromThisCreditNotesNotUsed($this, $multicurrency); + if ($result >= 0) + { + return $result; + } + else + { + $this->error=$discountstatic->error; + return -1; + } + } + /** * Renvoie tableau des ids de facture avoir issus de la facture * diff --git a/htdocs/core/class/discount.class.php b/htdocs/core/class/discount.class.php index cfe7ac24dea..2e99a83ec42 100644 --- a/htdocs/core/class/discount.class.php +++ b/htdocs/core/class/discount.class.php 
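Review bot: The docblock on `getSumFromThisCreditNotesNotUsed()` is copied from the "used" helper: `@return int <0 if KO, Sum of credit notes and deposits amount otherwise` describes neither the type (a SQL `SUM` arrives as a numeric string, or NULL when no discount row matches) nor the meaning (this credit note's converted amount not yet applied to an invoice). Suggest `@return float|int <0 if KO, sum (incl. tax) of this credit note's converted discounts not yet used on an invoice otherwise`. Because `NULL >= 0` is true in PHP, an unconverted credit note makes this method return NULL rather than 0 to callers that do arithmetic with it; `return (float) $result;` normalises that without changing the error path.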
@@ -568,6 +568,49 @@ class DiscountAbsolute return -1; } } + /** + * Return amount (with tax) of all converted amount for this credit note + * + * @param CommonInvoice $invoice Object invoice + * @param int $multicurrency Return multicurrency_amount instead of amount + * @return int <0 if KO, Sum of credit notes and deposits amount otherwise + */ + function getSumFromThisCreditNotesNotUsed($invoice, $multicurrency=0) + { + dol_syslog(get_class($this)."::getSumCreditNotesUsed", LOG_DEBUG); + + if ($invoice->element == 'facture' || $invoice->element == 'invoice') + { + $sql = 'SELECT sum(rc.amount_ttc) as amount, sum(rc.multicurrency_amount_ttc) as multicurrency_amount'; + $sql.= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc'; + $sql.= ' WHERE rc.fk_facture IS NULL AND rc.fk_facture_source = '.$invoice->id; + } + else if ($invoice->element == 'invoice_supplier') + { + $sql = 'SELECT sum(rc.amount_ttc) as amount, sum(rc.multicurrency_amount_ttc) as multicurrency_amount'; + $sql.= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc'; + $sql.= ' WHERE rc.fk_invoice_supplier IS NULL AND rc.fk_invoice_supplier_source = '.$invoice->id; + } + else + { + $this->error=get_class($this)."::getSumCreditNotesUsed was called with a bad object as a first parameter"; + dol_print_error($this->error); + return -1; + } + + $resql=$this->db->query($sql); + if ($resql) + { + $obj = $this->db->fetch_object($resql); + if ($multicurrency) return $obj->multicurrency_amount; + else return $obj->amount; + } + else + { + $this->error = $this->db->lasterror(); + return -1; + } + } /** * Return clickable ref of object (with picto or not) diff --git a/htdocs/fourn/facture/list.php b/htdocs/fourn/facture/list.php index 3e1827d6818..d8e18257d23 100644 --- a/htdocs/fourn/facture/list.php +++ b/htdocs/fourn/facture/list.php 
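Review bot: Both `WHERE` clauses concatenate `$invoice->id` without a cast, and callers in this series assign that id straight from query rows, so `rc.fk_facture_source = '.(int) $invoice->id` (and the `fk_invoice_supplier_source` twin) is the cheap guard that keeps the statement well-formed whatever the property holds. The `dol_syslog` label and the `$this->error` text both still read `::getSumCreditNotesUsed`, which sends anyone reading the log or the error to the wrong function; rename both to `::getSumFromThisCreditNotesNotUsed`. Note too that `sum(rc.amount_ttc)` is NULL when no row matches, and that value is returned as the amount — callers should treat NULL as 0.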
@@ -852,8 +852,11 @@ if ($resql) $remaintopay = $obj->total_ttc - $totalpay; //If invoice has been converted and the conversion has been used, we dont have remain to pay on invoice - if($facturestatic->type == FactureFournisseur::TYPE_CREDIT_NOTE && $facturestatic->statut == FactureFournisseur::STATUS_CLOSED) { - if($facturestatic->isCreditNoteUsed())$remaintopay=0; + if($facturestatic->type == FactureFournisseur::TYPE_CREDIT_NOTE) { + + if($facturestatic->isCreditNoteUsed()){ + $remaintopay=-$facturestatic->getSumFromThisCreditNotesNotUsed(); + } } print ''; diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php index 7d54e7ad01e..87c4956e48e 100644 --- a/htdocs/societe/class/societe.class.php +++ b/htdocs/societe/class/societe.class.php @@ -3778,11 +3778,11 @@ class Societe extends CommonObject $outstandingOpened+=$obj->total_ttc - $paiement - $creditnotes - $deposits; } + + //if credit note is converted but not used + if($mode == 'supplier' && $obj->type == FactureFournisseur::TYPE_CREDIT_NOTE && $tmpobject->isCreditNoteUsed())$outstandingOpened-=$tmpobject->getSumFromThisCreditNotesNotUsed(); + - if($mode == 'supplier' && $obj->type == FactureFournisseur::TYPE_CREDIT_NOTE && $obj->fk_statut == FactureFournisseur::STATUS_CLOSED && !$tmpobject->isCreditNoteUsed()) { //if credit note is converted but not used - if(empty($paiement)) $paiement = $tmpobject->getSommePaiement(); - $outstandingOpened+=$obj->total_ttc-$paiement; - } } return array('opened'=>$outstandingOpened, 'total_ht'=>$outstandingTotal, 'total_ttc'=>$outstandingTotalIncTax); // 'opened' is 'incl taxes' } From 18eb2a83fe7c2d01bdb34cceec389a6f9541e1f6 Mon Sep 17 00:00:00 2001 
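Review bot: `$remaintopay=-$facturestatic->getSumFromThisCreditNotesNotUsed();` negates the helper's result without checking it, and the helper returns -1 on a SQL error (its `return -1` is in the discount.class.php hunk), so a failed query is displayed as a remaining amount of +1 instead of surfacing. Keep the value in a local and test it first: `$notused = $facturestatic->getSumFromThisCreditNotesNotUsed(); if ($notused >= 0) $remaintopay = -$notused;`. The comment above the block, `//If invoice has been converted and the conversion has been used, we dont have remain to pay on invoice`, now describes the previous `$remaintopay=0` behaviour and should say that the remaining amount becomes the converted part not yet used.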
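Review bot: Same unchecked error path here: `$outstandingOpened-=$tmpobject->getSumFromThisCreditNotesNotUsed();` subtracts the helper's -1 error return on a query failure, silently inflating the opened amount by 1 instead of reporting; read the value into a local and only subtract when it is `>= 0`. The statement also appears to run for every supplier credit-note row that reaches it, costing two extra queries (`isCreditNoteUsed()` plus the sum) per row, whereas the other sums are only computed inside the status guard above — consider placing it there too. The enclosing `while` loop and function start before this hunk.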
From: Laurent Destailleur Date: Fri, 16 Aug 2019 16:41:53 +0200 Subject: [PATCH 5/7] FIX #11671 CVE-2019-15062 --- htdocs/core/actions_linkedfiles.inc.php | 8 +++----- htdocs/core/class/html.formfile.class.php | 4 ++-- htdocs/user/card.php | 4 ++-- 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/htdocs/core/actions_linkedfiles.inc.php b/htdocs/core/actions_linkedfiles.inc.php index 297f7821599..16ba1669337 100644 --- a/htdocs/core/actions_linkedfiles.inc.php +++ b/htdocs/core/actions_linkedfiles.inc.php @@ -118,8 +118,7 @@ if ($action == 'confirm_deletefile' && $confirm == 'yes') { require_once DOL_DOCUMENT_ROOT . '/core/class/link.class.php'; $link = new Link($db); - $link->id = $linkid; - $link->fetch(); + $link->fetch($linkid); $res = $link->delete($user); $langs->load('link'); @@ -153,8 +152,7 @@ elseif ($action == 'confirm_updateline' && GETPOST('save','alpha') && GETPOST('l require_once DOL_DOCUMENT_ROOT . '/core/class/link.class.php'; $langs->load('link'); $link = new Link($db); - $link->id = GETPOST('linkid', 'int'); - $f = $link->fetch(); + $f = $link->fetch(GETPOST('linkid', 'int')); if ($f) { $link->url = GETPOST('link', 'alpha'); @@ -162,7 +160,7 @@ elseif ($action == 'confirm_updateline' && GETPOST('save','alpha') && GETPOST('l { $link->url = 'http://' . $link->url; } - $link->label = GETPOST('label', 'alpha'); + $link->label = GETPOST('label', 'alphanohtml'); $res = $link->update($user); if (!$res) { diff --git a/htdocs/core/class/html.formfile.class.php b/htdocs/core/class/html.formfile.class.php index 2b02ada6b47..a198fba4f98 100644 --- a/htdocs/core/class/html.formfile.class.php +++ b/htdocs/core/class/html.formfile.class.php @@ -1757,7 +1757,7 @@ class FormFile print $langs->trans('Link') . ': '; print ''; print ''; - print $langs->trans('Label') . ': '; + print $langs->trans('Label') . ': '; print ''; print '' . dol_print_date(dol_now(), "dayhour", "tzuser") . ''; print ''; 
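Review bot: In the delete branch the return value of `$link->fetch($linkid)` is ignored and `$link->delete($user)` runs regardless, whereas the update branch a few lines down tests `$f = $link->fetch(...)` before acting; mirror that, `if ($link->fetch($linkid) > 0) { $res = $link->delete($user); }`, so an unknown `linkid` fails cleanly rather than deleting with a half-populated object. Neither branch visibly checks that the fetched link belongs to the object whose page the user is editing, so unless `Link::delete()`/`update()` enforce that, a user with write rights on one record can target a link id from another — worth confirming in this CVE fix. Where `$linkid` is assigned is outside this hunk.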
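Review bot: The update branch stores `GETPOST('link', 'alpha')` as the URL, only prefixing `http://` when the (not shown) condition fires; the `alpha` filter strips markup but not URL schemes, so a `javascript:` or `data:` value can presumably still be saved and later emitted as an `href`. Validate the scheme before `$link->update()`, e.g. `if (!preg_match('~^https?://~i', $link->url)) { setEventMessages($langs->trans('ErrorBadUrl'), null, 'errors'); $error++; }` or an allow-list matching what the file-link UI accepts. The switch of the label to `alphanohtml` closes the stored-XSS vector in the label; the URL field is the remaining one.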
@@ -1771,7 +1771,7 @@ class FormFile print ''; print img_picto('', 'object_globe').' '; print ''; - print $link->label; + print dol_escape_htmltag($link->label); print ''; print ''."\n"; print ''; diff --git a/htdocs/user/card.php b/htdocs/user/card.php index adcf094e7a4..460e345131c 100644 --- a/htdocs/user/card.php +++ b/htdocs/user/card.php @@ -309,12 +309,12 @@ if (empty($reshook)) { { $error = 0; - if (!$_POST["lastname"]) { + if (! GETPOST("lastname", 'alpha')) { setEventMessages($langs->trans("NameNotDefined"), null, 'errors'); $action = "edit"; // Go back to create page $error ++; } - if (!$_POST["login"]) { + if (! GETPOST("login", 'alpha')) { setEventMessages($langs->trans("LoginNotDefined"), null, 'errors'); $action = "edit"; // Go back to create page $error ++; From 2d59f6bb3d1c17ceefa6be3e32f04e117e45f6da Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Fri, 23 Aug 2019 07:59:36 +0200 Subject: [PATCH 6/7] FIX avoid sql error if fk_project is empty during update --- .../compta/sociales/class/chargesociales.class.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/htdocs/compta/sociales/class/chargesociales.class.php b/htdocs/compta/sociales/class/chargesociales.class.php index c3995a2202d..b08f1bda27f 100644 --- a/htdocs/compta/sociales/class/chargesociales.class.php +++ b/htdocs/compta/sociales/class/chargesociales.class.php 
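Review bot: `if (! GETPOST("lastname", 'alpha'))` and its `login` twin test PHP truthiness, so the value `"0"` is rejected as "not defined"; `if (GETPOST("lastname", 'alpha') === '')` rejects only a genuinely empty value and otherwise behaves the same. Moving from `$_POST` to `GETPOST(..., 'alpha')` is the right direction, but the check is made on the filtered value while the value actually written to the user record is assigned outside this hunk — confirm that assignment no longer reads raw `$_POST`.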
@@ -291,17 +291,17 @@ class ChargeSociales extends CommonObject $sql.= ", date_ech='".$this->db->idate($this->date_ech)."'"; $sql.= ", periode='".$this->db->idate($this->periode)."'"; $sql.= ", amount='".price2num($this->amount,'MT')."'"; - $sql.= ", fk_projet='".$this->db->escape($this->fk_project)."'"; + $sql.= ", fk_projet=".($this->fk_project>0?$this->db->escape($this->fk_project):"NULL"); $sql.= ", fk_user_modif=".$user->id; $sql.= " WHERE rowid=".$this->id; dol_syslog(get_class($this)."::update", LOG_DEBUG); $resql=$this->db->query($sql); - + if (! $resql) { $error++; $this->errors[]="Error ".$this->db->lasterror(); } - + if (! $error) { if (! $notrigger) @@ -312,7 +312,7 @@ class ChargeSociales extends CommonObject // End call triggers } } - + // Commit or rollback if ($error) { @@ -329,8 +329,8 @@ class ChargeSociales extends CommonObject $this->db->commit(); return 1; } - - + + } /** From 064ab389ed0030e19514fcea944f6d64af212e03 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Sat, 24 Aug 2019 12:44:23 +0200 Subject: [PATCH 7/7] FIX wrong parameters (same error in branch 9, 10, develop) --- htdocs/compta/paiement.php | 2 +- htdocs/projet/index.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/compta/paiement.php b/htdocs/compta/paiement.php index 4888b758cc1..aa344c3df2e 100644 --- a/htdocs/compta/paiement.php +++ b/htdocs/compta/paiement.php 
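Review bot: `fk_projet=".($this->fk_project>0?$this->db->escape($this->fk_project):"NULL")` now emits the value unquoted, and `escape()` only neutralises quote characters, which does nothing in an unquoted numeric position: a non-numeric string that compares greater than 0 under PHP's loose comparison would land in the statement verbatim. Cast instead of escaping, `$sql.= ", fk_projet=".($this->fk_project > 0 ? (int) $this->fk_project : "NULL");`, which also keeps the query valid for the empty-string case this commit fixes. Whether `fk_project` can reach here unfiltered depends on callers outside this hunk.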
@@ -530,7 +530,7 @@ if ($action == 'create' || $action == 'confirm_paiement' || $action == 'add_paie
 $sql = 'SELECT f.rowid as facid, f.facnumber, f.total_ttc, f.multicurrency_code, f.multicurrency_total_ttc, f.type,';
 $sql.= ' f.datef as df, f.fk_soc as socid';
 $sql.= ' FROM '.MAIN_DB_PREFIX.'facture as f';
- $sql.= ' WHERE f.entity IN ('.getEntity('facture', $conf->entity).')';
+ $sql.= ' WHERE f.entity IN ('.getEntity('facture').')';
 $sql.= ' AND (f.fk_soc = '.$facture->socid;
 // Can pay invoices of all child of parent company
 if(!empty($conf->global->FACTURE_PAYMENTS_ON_DIFFERENT_THIRDPARTIES_BILLS) && !empty($facture->thirdparty->parent)) {
diff --git a/htdocs/projet/index.php b/htdocs/projet/index.php
index 906cb3783f1..4c4ae4c71cf 100644
--- a/htdocs/projet/index.php
+++ b/htdocs/projet/index.php
@@ -258,7 +258,7 @@ $sql = "SELECT COUNT(p.rowid) as nb, SUM(p.opp_amount)";
 $sql.= ", s.nom as name, s.rowid as socid";
 $sql.= " FROM ".MAIN_DB_PREFIX."projet as p";
 $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s on p.fk_soc = s.rowid";
-$sql.= " WHERE p.entity IN (".getEntity('project', $conf->entity).")";
+$sql.= " WHERE p.entity IN (".getEntity('project').")";
 $sql.= " AND p.fk_statut = 1";
 if ($mine || empty($user->rights->projet->all->lire)) $sql.= " AND p.rowid IN (".$projectsListId.")"; // If we have this test true, it also means projectset is not 2
 if ($socid) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";