From 8911d72be84bd64c16cf5f8fa31329185d0a2b7d Mon Sep 17 00:00:00 2001 From: Marc de Lima Lucio Date: Tue, 30 Oct 2018 12:28:04 +0100 Subject: [PATCH 1/5] FIX: task time screen: prevent users with access to all project from assigning to tasks they're not allowed to do --- htdocs/core/class/html.formprojet.class.php | 37 ++++++++++++--------- htdocs/projet/activity/perday.php | 2 +- htdocs/projet/activity/perweek.php | 2 +- 3 files changed, 24 insertions(+), 17 deletions(-) diff --git a/htdocs/core/class/html.formprojet.class.php b/htdocs/core/class/html.formprojet.class.php index 616355eab28..c2d8377add5 100644 --- a/htdocs/core/class/html.formprojet.class.php +++ b/htdocs/core/class/html.formprojet.class.php 
@@ -295,22 +295,29 @@ class FormProjets /** * Output a combo list with projects qualified for a third party * - * @param int $socid Id third party (-1=all, 0=only projects not linked to a third party, id=projects not linked or linked to third party id) - * @param int $selected Id task preselected - * @param string $htmlname Name of HTML select - * @param int $maxlength Maximum length of label - * @param int $option_only Return only html options lines without the select tag - * @param string $show_empty Add an empty line ('1' or string to show for empty line) - * @param int $discard_closed Discard closed projects (0=Keep,1=hide completely,2=Disable) - * @param int $forcefocus Force focus on field (works with javascript only) - * @param int $disabled Disabled - * @param string $morecss More css added to the select component - * @return int Nbr of project if OK, <0 if KO + * @param int $socid Id third party (-1=all, 0=only projects not linked to a third party, id=projects not linked or linked to third party id) + * @param int $selected Id task preselected + * @param string $htmlname Name of HTML select + * @param int $maxlength Maximum length of label + * @param int $option_only Return only html options lines without the select tag + * @param string $show_empty Add an empty line ('1' or string to show for empty line) + * @param int $discard_closed Discard closed projects (0=Keep,1=hide completely,2=Disable) + * @param int $forcefocus Force focus on field (works with javascript only) + * @param int $disabled Disabled + * @param string $morecss More css added to the select component + * @param User $usertofilter User object to use for filtering + * @param int $forceuserfilter 1=Force individual task user rights even if user has right to see all + * @return int Nbr of project if OK, <0 if KO */ - function selectTasks($socid=-1, $selected='', $htmlname='taskid', $maxlength=24, $option_only=0, $show_empty='1', $discard_closed=0, $forcefocus=0, $disabled=0, 
$morecss='maxwidth500') + function selectTasks($socid=-1, $selected='', $htmlname='taskid', $maxlength=24, $option_only=0, $show_empty='1', $discard_closed=0, $forcefocus=0, $disabled=0, $morecss='maxwidth500', $usertofilter=null, $forceuserfilter=0) { global $user,$conf,$langs; + if(is_null($usertofilter)) + { + $usertofilter = $user; + } + require_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php'; $out=''; @@ -319,10 +326,10 @@ class FormProjets if (! empty($conf->global->PROJECT_HIDE_UNSELECTABLES)) $hideunselectables = true; $projectsListId = false; - if (empty($user->rights->projet->all->lire)) + if (empty($usertofilter->rights->projet->all->lire) || $forceuserfilter) { $projectstatic=new Project($this->db); - $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user,0,1); + $projectsListId = $projectstatic->getProjectsAuthorizedForUser($usertofilter,0,1); } // Search all projects @@ -367,7 +374,7 @@ class FormProjets { $obj = $this->db->fetch_object($resql); // If we ask to filter on a company and user has no permission to see all companies and project is linked to another company, we hide project. - if ($socid > 0 && (empty($obj->fk_soc) || $obj->fk_soc == $socid) && empty($user->rights->societe->lire)) + if ($socid > 0 && (empty($obj->fk_soc) || $obj->fk_soc == $socid) && empty($usertofilter->rights->societe->lire)) { // Do nothing } diff --git a/htdocs/projet/activity/perday.php b/htdocs/projet/activity/perday.php index b4329ac9237..b1214f0bff7 100644 --- a/htdocs/projet/activity/perday.php +++ b/htdocs/projet/activity/perday.php @@ -399,7 +399,7 @@ print '
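Review bot: The new `$usertofilter` parameter is untyped and its docblock does not say what happens when it is omitted, although the body falls back to the global `$user` when it is null; anything that is neither a `User` nor null would only fail later on `->rights`. I would narrow it to `User $usertofilter=null` in the signature and document the default as `@param User $usertofilter User object to use for filtering (null=current user)`. The body of selectTasks continues past this hunk.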
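Review bot: Switching the company check on this line from `$user` to `$usertofilter` means that, when one user edits another user's time sheet, the gate is now the target user's `societe->lire` right rather than the viewer's; if that is intended it deserves a sentence in the docblock, since the other two uses of `$usertofilter` in this patch concern project authorization, not company visibility. Separately, the pre-existing comment says projects linked to another company are hidden, while the condition matches `empty($obj->fk_soc) || $obj->fk_soc == $socid`, which reads as the opposite; it is worth confirming which is meant rather than carrying the mismatch into the reworked line. The fetch loop continues outside the hunk.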
'; $titleassigntask = $langs->trans("AssignTaskToMe"); if ($usertoprocess->id != $user->id) $titleassigntask = $langs->trans("AssignTaskToUser", $usertoprocess->getFullName($langs)); print '
'; -$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1); +$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1, 0, 0, '', $usertoprocess, 1); print '
'; print ' '; print $formcompany->selectTypeContact($object, '', 'type','internal','rowid', 0, 'maxwidth200'); diff --git a/htdocs/projet/activity/perweek.php b/htdocs/projet/activity/perweek.php index 591f8b3ab6f..d18afc573e1 100644 --- a/htdocs/projet/activity/perweek.php +++ b/htdocs/projet/activity/perweek.php @@ -402,7 +402,7 @@ print '
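Review bot: The call passes `''` as the tenth argument (`$morecss`) only to reach the new `$usertofilter` parameter, which silently replaces the `maxwidth500` default the select had before this commit; the same applies to the perweek.php hunk below. If the width change is not intended, pass the default through explicitly: `$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1, 0, 0, 'maxwidth500', $usertoprocess, 1);`. The `0, 0` for `$forcefocus`/`$disabled` match the defaults, so `$morecss` is the only argument whose value actually changes.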
'; $titleassigntask = $langs->trans("AssignTaskToMe"); if ($usertoprocess->id != $user->id) $titleassigntask = $langs->trans("AssignTaskToUser", $usertoprocess->getFullName($langs)); print '
'; -$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1); +$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1, 0, 0, '', $usertoprocess, 1); print '
'; print ' '; print $formcompany->selectTypeContact($object, '', 'type','internal','rowid', 0, 'maxwidth200'); From 2fbc305683c9cacba509e4fb0a67cac4f7c98fd5 Mon Sep 17 00:00:00 2001 From: Marc de Lima Lucio Date: Tue, 30 Oct 2018 16:00:56 +0100 Subject: [PATCH 2/5] FIX: task time screen: last fix was overkill --- htdocs/core/class/html.formprojet.class.php | 5 ++--- htdocs/projet/activity/perday.php | 2 +- htdocs/projet/activity/perweek.php | 2 +- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/htdocs/core/class/html.formprojet.class.php b/htdocs/core/class/html.formprojet.class.php index c2d8377add5..cb31107c65c 100644 --- a/htdocs/core/class/html.formprojet.class.php +++ b/htdocs/core/class/html.formprojet.class.php @@ -306,10 +306,9 @@ class FormProjets * @param int $disabled Disabled * @param string $morecss More css added to the select component * @param User $usertofilter User object to use for filtering - * @param int $forceuserfilter 1=Force individual task user rights even if user has right to see all * @return int Nbr of project if OK, <0 if KO */ - function selectTasks($socid=-1, $selected='', $htmlname='taskid', $maxlength=24, $option_only=0, $show_empty='1', $discard_closed=0, $forcefocus=0, $disabled=0, $morecss='maxwidth500', $usertofilter=null, $forceuserfilter=0) + function selectTasks($socid=-1, $selected='', $htmlname='taskid', $maxlength=24, $option_only=0, $show_empty='1', $discard_closed=0, $forcefocus=0, $disabled=0, $morecss='maxwidth500', $usertofilter=null) { global $user,$conf,$langs; @@ -326,7 +325,7 @@ class FormProjets if (! empty($conf->global->PROJECT_HIDE_UNSELECTABLES)) $hideunselectables = true; $projectsListId = false; - if (empty($usertofilter->rights->projet->all->lire) || $forceuserfilter) + if (empty($usertofilter->rights->projet->all->lire)) { $projectstatic=new Project($this->db); $projectsListId = $projectstatic->getProjectsAuthorizedForUser($usertofilter,0,1); 
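Review bot: With `$forceuserfilter` gone, the only permission-based narrowing of the task list is `empty($usertofilter->rights->projet->all->lire)`, so a target user holding the read-all project right is offered every task for assignment even though the patch title describes restricting assignment to tasks they are allowed to do. If "allowed to do" is meant as read visibility that is consistent; if it is an assignment question, a read permission is a weak gate and the check belongs on a write/assign right, which I cannot see from here. Either way the `$usertofilter` docblock should state the behaviour, e.g. `@param User $usertofilter User object to use for filtering (no filtering if this user has projet->all->lire)`. The function continues outside the hunk.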
diff --git a/htdocs/projet/activity/perday.php b/htdocs/projet/activity/perday.php index b1214f0bff7..b27572790dd 100644 --- a/htdocs/projet/activity/perday.php +++ b/htdocs/projet/activity/perday.php @@ -399,7 +399,7 @@ print '
'; $titleassigntask = $langs->trans("AssignTaskToMe"); if ($usertoprocess->id != $user->id) $titleassigntask = $langs->trans("AssignTaskToUser", $usertoprocess->getFullName($langs)); print '
'; -$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1, 0, 0, '', $usertoprocess, 1); +$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1, 0, 0, '', $usertoprocess); print '
'; print ' '; print $formcompany->selectTypeContact($object, '', 'type','internal','rowid', 0, 'maxwidth200'); diff --git a/htdocs/projet/activity/perweek.php b/htdocs/projet/activity/perweek.php index d18afc573e1..3d2e638849e 100644 --- a/htdocs/projet/activity/perweek.php +++ b/htdocs/projet/activity/perweek.php @@ -402,7 +402,7 @@ print '
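Review bot: The narrowed combo is only a client-side convenience; whatever `taskid` the browser submits is what reaches the server, so the handler that processes the posted task (outside this hunk, and likewise for the perweek.php hunk below) must itself verify that the task belongs to `getProjectsAuthorizedForUser($usertoprocess, ...)` or an equivalent check, otherwise a user who can edit another user's time sheet can still assign a task the target may not see. I cannot tell from the diff whether that check exists; if it does, a one-line comment next to this call, `// list is filtered for $usertoprocess; the assign action re-checks authorization server-side`, would document the contract.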
'; $titleassigntask = $langs->trans("AssignTaskToMe"); if ($usertoprocess->id != $user->id) $titleassigntask = $langs->trans("AssignTaskToUser", $usertoprocess->getFullName($langs)); print '
'; -$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1, 0, 0, '', $usertoprocess, 1); +$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1, 0, 0, '', $usertoprocess); print '
'; print ' '; print $formcompany->selectTypeContact($object, '', 'type','internal','rowid', 0, 'maxwidth200'); From f0305a7beb7ca2acbb5c60e7d997424d13d47454 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 5 Nov 2018 13:50:12 +0100 Subject: [PATCH 3/5] Prepare 8.0.4 --- htdocs/filefunc.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php index 24c0de121db..36e3ba38b58 100644 --- a/htdocs/filefunc.inc.php +++ b/htdocs/filefunc.inc.php @@ -31,7 +31,7 @@ */ if (! defined('DOL_APPLICATION_TITLE')) define('DOL_APPLICATION_TITLE','Dolibarr'); -if (! defined('DOL_VERSION')) define('DOL_VERSION','8.0.3'); // a.b.c-alpha, a.b.c-beta, a.b.c-rcX or a.b.c +if (! defined('DOL_VERSION')) define('DOL_VERSION','8.0.4'); // a.b.c-alpha, a.b.c-beta, a.b.c-rcX or a.b.c if (! defined('EURO')) define('EURO',chr(128)); From 52aa86000869e14d54f14fbe441192ba6d852f5e Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 6 Nov 2018 09:39:22 +0100 Subject: [PATCH 4/5] Code comment --- htdocs/core/modules/expedition/doc/pdf_rouget.modules.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/core/modules/expedition/doc/pdf_rouget.modules.php b/htdocs/core/modules/expedition/doc/pdf_rouget.modules.php index 683a5e13124..d1e7ffe0917 100644 --- a/htdocs/core/modules/expedition/doc/pdf_rouget.modules.php +++ b/htdocs/core/modules/expedition/doc/pdf_rouget.modules.php @@ -75,7 +75,7 @@ class pdf_rouget extends ModelePdfExpedition $this->posxqtytoship=$this->page_largeur - $this->marge_droite - 28; $this->posxpuht=$this->page_largeur - $this->marge_droite; - if (!empty($conf->global->MAIN_PDF_SHIPPING_DISPLAY_AMOUNT_HT)) { + if (!empty($conf->global->MAIN_PDF_SHIPPING_DISPLAY_AMOUNT_HT)) { // Show also the prices $this->posxweightvol=$this->page_largeur - $this->marge_droite - 118; $this->posxqtyordered=$this->page_largeur - $this->marge_droite - 96; 
@@ -122,7 +122,7 @@ class pdf_rouget extends ModelePdfExpedition if (! is_object($outputlangs)) $outputlangs=$langs; // For backward compatibility with FPDF, force output charset to ISO, because FPDF expect text to be encoded in ISO if (! empty($conf->global->MAIN_USE_FPDF)) $outputlangs->charset_output='ISO-8859-1'; - + // Translations $outputlangs->loadLangs(array("main", "bills", "products", "dict", "companies", "propal", "deliveries", "sendings", "productbatch")); From 7e33af66771113ea337db39bfb5a696f3c9311bd Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 6 Nov 2018 17:40:59 +0100 Subject: [PATCH 5/5] Fix max size --- htdocs/admin/modules.php | 24 ++++++++++++++++++++++- htdocs/core/class/html.formfile.class.php | 1 + 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/htdocs/admin/modules.php b/htdocs/admin/modules.php index 68f7c3a29a7..ae87a19e433 100644 --- a/htdocs/admin/modules.php +++ b/htdocs/admin/modules.php @@ -40,6 +40,7 @@ $langs->loadLangs(array("errors","admin","modulebuilder")); $mode=GETPOST('mode', 'alpha'); if (empty($mode)) $mode='common'; $action=GETPOST('action','alpha'); +//var_dump($_POST);exit; $value=GETPOST('value', 'alpha'); $page_y=GETPOST('page_y','int'); $search_keyword=GETPOST('search_keyword','alpha'); @@ -1003,8 +1004,29 @@ if ($mode == 'deploy') print '
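Review bot: The added `//var_dump($_POST);exit;` is leftover debug code; commented out or not, it should not land in admin/modules.php, and uncommenting it would dump raw request data to the page. Delete the line rather than keeping it as a toggle.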
'; print ''; print ''; - print $langs->trans("YouCanSubmitFile").' '; + + print $langs->trans("YouCanSubmitFile"); + + $max=$conf->global->MAIN_UPLOAD_DOC; // En Kb + $maxphp=@ini_get('upload_max_filesize'); // En inconnu + if (preg_match('/k$/i',$maxphp)) $maxphp=$maxphp*1; + if (preg_match('/m$/i',$maxphp)) $maxphp=$maxphp*1024; + if (preg_match('/g$/i',$maxphp)) $maxphp=$maxphp*1024*1024; + if (preg_match('/t$/i',$maxphp)) $maxphp=$maxphp*1024*1024*1024; + // Now $max and $maxphp are in Kb + $maxmin = $max; + if ($maxphp > 0) $maxmin=min($max,$maxphp); + + if ($maxmin > 0) + { + // MAX_FILE_SIZE doit précéder le champ input de type file + print ''; + } + + print ' '; + print ''; + print '
'; print '
'; diff --git a/htdocs/core/class/html.formfile.class.php b/htdocs/core/class/html.formfile.class.php index 7a0c07bb996..4e77269db4c 100644 --- a/htdocs/core/class/html.formfile.class.php +++ b/htdocs/core/class/html.formfile.class.php @@ -127,6 +127,7 @@ class FormFile if ($maxmin > 0) { + // MAX_FILE_SIZE doit précéder le champ input de type file $out .= ''; }
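Review bot: The size computation added here (`$max`, `$maxphp`, the `k/m/g/t` suffix branches and the `$maxmin` selection) is a copy of the logic in FormFile in html.formfile.class.php, so the two will drift; extracting it into one helper that both call would keep the limit consistent. The suffix branches multiply a string such as `2M` by a number, which relies on PHP's leading-numeric string coercion (a notice on PHP 7, a warning on PHP 8), and a value with no suffix is left in bytes while `$max` is in Kb, so `min($max,$maxphp)` compares mixed units. The hidden MAX_FILE_SIZE field is advisory to the browser only; the server-side check in the upload action, not visible here, remains the real limit, so a comment such as `// MAX_FILE_SIZE is a browser hint only; the upload action enforces the real limit` would stop anyone treating it as enforcement. The comments `// En Kb`, `// En inconnu` and the French MAX_FILE_SIZE note should be in English to match the `// Now $max and $maxphp are in Kb` line beside them.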