Fix security on ajax
This commit is contained in:
parent
796e061b40
commit
e17e4b7320
@ -31,6 +31,14 @@ if (!defined('NOREQUIRESOC')) define('NOREQUIRESOC', '1');
|
||||
|
||||
// Load Dolibarr environment
|
||||
require '../../main.inc.php';
|
||||
require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php';
|
||||
|
||||
$object = new Societe($db);
|
||||
|
||||
$usesublevelpermission = '';
|
||||
|
||||
// Security check
|
||||
restrictedArea($user, $object->module, $object, $object->table_element, $usesublevelpermission);
|
||||
|
||||
|
||||
/*
|
||||
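Review bot: `restrictedArea($user, $object->module, $object, $object->table_element, $usesublevelpermission)` is called with a `Societe` that was only constructed, never fetched, so it can enforce the module-level read permission but not a per-record one (the per-record path elsewhere in this commit fetches the object first); that is adequate for a search endpoint whose input is free text, but the bare `// Security check` comment does not say so. Suggest `// Security check: $object is unfetched, so only the societe module permission is verified (the search term is not a record id)`. `$usesublevelpermission = ''` is only passed through unchanged here, so it could be inlined as `''` unless the rest of the file assigns it. The surrounding script continues outside the hunk.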
@ -68,15 +76,15 @@ if (GETPOST('newcompany') || GETPOST('socid', 'int') || GETPOST('id_fourn')) {
|
||||
$sql .= " AND (";
|
||||
// Add criteria on name/code
|
||||
if (!empty($conf->global->COMPANY_DONOTSEARCH_ANYWHERE)) { // Can use index
|
||||
$sql .= "s.nom LIKE '".$db->escape($socid)."%'";
|
||||
$sql .= " OR s.code_client LIKE '".$db->escape($socid)."%'";
|
||||
$sql .= " OR s.code_fournisseur LIKE '".$db->escape($socid)."%'";
|
||||
$sql .= "s.nom LIKE '".$db->escape($db->escapeforlike($socid))."%'";
|
||||
$sql .= " OR s.code_client LIKE '".$db->escape($db->escapeforlike($socid))."%'";
|
||||
$sql .= " OR s.code_fournisseur LIKE '".$db->escape($db->escapeforlike($socid))."%'";
|
||||
} else {
|
||||
$sql .= "s.nom LIKE '%".$db->escape($socid)."%'";
|
||||
$sql .= " OR s.code_client LIKE '%".$db->escape($socid)."%'";
|
||||
$sql .= " OR s.code_fournisseur LIKE '%".$db->escape($socid)."%'";
|
||||
$sql .= "s.nom LIKE '%".$db->escape($db->escapeforlike($socid))."%'";
|
||||
$sql .= " OR s.code_client LIKE '%".$db->escape($db->escapeforlike($socid))."%'";
|
||||
$sql .= " OR s.code_fournisseur LIKE '%".$db->escape($db->escapeforlike($socid))."%'";
|
||||
}
|
||||
if (!empty($conf->global->SOCIETE_ALLOW_SEARCH_ON_ROWID)) $sql .= " OR s.rowid = '".$db->escape($socid)."'";
|
||||
if (!empty($conf->global->SOCIETE_ALLOW_SEARCH_ON_ROWID)) $sql .= " OR s.rowid = ".((int) $socid);
|
||||
$sql .= ")";
|
||||
}
|
||||
//if (GETPOST("filter")) $sql.= " AND (".GETPOST("filter", "alpha").")"; // Add other filters
|
||||
|
||||
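Review bot: The commented-out line `//if (GETPOST("filter")) $sql.= " AND (".GETPOST("filter", "alpha").")";` left as context at the end of this hunk would splice a request parameter straight into the WHERE clause if anyone re-enables it; since this commit is specifically hardening the SQL built here, delete that line rather than keep it as a template. The `escapeforlike()` wrapping of the LIKE patterns and the `(int) $socid` cast on the rowid branch look right. The enclosing `if (GETPOST('newcompany') ...)` block starts before the hunk.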
@ -39,7 +39,6 @@ $action = GETPOST('action', 'aZ09');
|
||||
$htmlname = GETPOST('htmlname', 'alpha');
|
||||
|
||||
|
||||
|
||||
// Security check
|
||||
restrictedArea($user, 'facture', $invoice_id, '', '', 'fk_soc', 'rowid');
|
||||
|
||||
|
||||
@ -39,13 +39,14 @@ include '../../main.inc.php';
|
||||
include_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
|
||||
include_once DOL_DOCUMENT_ROOT.'/core/class/html.form.class.php';
|
||||
|
||||
|
||||
|
||||
top_httphead();
|
||||
|
||||
// opensurvey as aZ09 id
|
||||
$id = GETPOST('id', 'aZ09');
|
||||
$objecttype = GETPOST('objecttype', 'aZ09');
|
||||
$objecttype = GETPOST('objecttype', 'aZ09'); // 'module' or 'myobject@mymodule', 'mymodule_myobject'
|
||||
|
||||
$html = '';
|
||||
$regs = array();
|
||||
$params = array();
|
||||
if (GETPOSTISSET('infologin')) {
|
||||
@ -214,24 +215,60 @@ if ($objecttype == 'invoice_supplier') {
|
||||
}
|
||||
// print "objecttype=".$objecttype." module=".$module." subelement=".$subelement." classfile=".$classfile." classname=".$classname." classpath=".$classpath."<br>";
|
||||
|
||||
|
||||
// Define a generic object with a very low cost memory and cpu load
|
||||
$object = new stdClass();
|
||||
$object->module = $module;
|
||||
$object->element = $myobject;
|
||||
if (empty($classname)) {
|
||||
$classname = ucfirst($module);
|
||||
}
|
||||
if (empty($classpath)) {
|
||||
$classpath = $module.'/class';
|
||||
}
|
||||
if (empty($classfile)) {
|
||||
$classfile = $myobject;
|
||||
}
|
||||
|
||||
// Load object
|
||||
if (isModEnabled($module)) {
|
||||
$res = dol_include_once('/'.$classpath.'/'.$classfile.'.class.php');
|
||||
if ($res) {
|
||||
if (class_exists($classname)) {
|
||||
if (class_exists($classname) && $id > 0) {
|
||||
$object = new $classname($db);
|
||||
$res = $object->fetch($id);
|
||||
if ($res > 0) {
|
||||
$html = $object->getTooltipContent($params);
|
||||
} elseif ($res == 0) {
|
||||
$html = $langs->trans('Deleted');
|
||||
}
|
||||
unset($object);
|
||||
} else {
|
||||
dol_syslog("Class with classname ".$classname." is unknown even after the include", LOG_ERR);
|
||||
}
|
||||
} else {
|
||||
dol_syslog("Failed to include ".$classpath."/".$classfile, LOG_ERR);
|
||||
}
|
||||
}
|
||||
|
||||
$usesublevelpermission = ($module != $myobject ? $myobject : '');
|
||||
if ($usesublevelpermission && !isset($user->rights->$module->$myobject)) { // There is no permission on object defined, we will check permission on module directly
|
||||
$usesublevelpermission = '';
|
||||
}
|
||||
|
||||
// Security check
|
||||
restrictedArea($user, $object->module, $object, $object->table_element, $usesublevelpermission);
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
*/
|
||||
|
||||
$html = '';
|
||||
|
||||
if (is_object($object)) {
|
||||
if ($object->id > 0) {
|
||||
$html = $object->getTooltipContent($params);
|
||||
} elseif ($res == 0) {
|
||||
$html = $langs->trans('Deleted');
|
||||
}
|
||||
unset($object);
|
||||
}
|
||||
|
||||
print $html;
|
||||
|
||||
$db->close();
|
||||
|
||||
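Review bot: `elseif ($res == 0)` in the view block at the end of the hunk reuses `$res`, which holds the `dol_include_once()` result unless the `class_exists($classname) && $id > 0` branch ran, so a failed include (`false`) — or, when `isModEnabled($module)` is false, an undefined `$res` — compares equal to 0 and renders 'Deleted' for an object that was never fetched. In the same fallback path `$object` is still the `stdClass` built above, which sets only `module` and `element`, so `restrictedArea(..., $object->table_element, ...)` and `if ($object->id > 0)` read undefined properties. Initialise those two properties on the stub and keep the fetch result in its own variable, as below. Separately, `$id` comes from `GETPOST('id', 'aZ09')`, and in PHP 8 a non-numeric string compares against an int as a string, so `$id > 0` lets any alphanumeric id through to `fetch()` — presumably intended for opensurvey per the earlier comment, but worth a comment on that line so the next reader does not take it for an integer guard.
```php
$object = new stdClass();
$object->module = $module;
$object->element = $myobject;
$object->id = 0;             // read by the view block below; a stdClass has no id otherwise
$object->table_element = ''; // passed to restrictedArea() when no class could be loaded
// … unchanged: classname / classpath / classfile defaults …
$resfetch = -1; // result of fetch() only; $res keeps the dol_include_once() result
// … unchanged: isModEnabled(), dol_include_once(), class_exists() checks …
            $object = new $classname($db);
            $resfetch = $object->fetch($id);
// … unchanged: syslog else-branches, $usesublevelpermission, restrictedArea(), view header …
    if ($object->id > 0) {
        $html = $object->getTooltipContent($params);
    } elseif ($resfetch == 0) {
        $html = $langs->trans('Deleted');
    }
```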
@ -54,10 +54,10 @@ $idticketgroup = GETPOST('idticketgroup', 'aZ09');
|
||||
$idticketgroup = GETPOST('idticketgroup', 'aZ09');
|
||||
$lang = GETPOST('lang', 'aZ09');
|
||||
|
||||
/*if (defined("NOLOGIN") && !getDolGlobalString('TICKET_ENABLE_PUBLIC_INTERFACE')) {
|
||||
// If we ask public content (so without login), we block if option TICKET_ENABLE_PUBLIC_INTERFACE is not enabled
|
||||
httponly_accessforbidden('');
|
||||
}*/
|
||||
// Security check
|
||||
if (!defined("NOLOGIN")) { // No need for restrictedArea if not logged. Later the select will filter on public articles only if not logged.
|
||||
restrictedArea($user, 'knowledgemanagement', 0, 'knowledgemanagement_knowledgerecord', 'knowledgerecord');
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
|
||||
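Review bot: With `NOLOGIN` defined nothing in this hunk checks access: the `TICKET_ENABLE_PUBLIC_INTERFACE` gate is commented out and the comment on the `if (!defined("NOLOGIN"))` line defers to a SELECT outside the hunk, so the public-articles filter is the only control for anonymous callers and is easy to break unnoticed when that query is edited. If disabling that gate was deliberate, delete the commented block rather than keeping it; if it was meant to stay, it should presumably key on a knowledgemanagement option rather than the ticket module's, as its name suggests it was copied from there. Either way, suggest the comment `// Anonymous access (NOLOGIN) is restricted only by the public-article filter in the SELECT below — keep that filter when editing the query.` The query itself is not visible in this hunk.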