diff --git a/htdocs/core/ajax/ajaxcompanies.php b/htdocs/core/ajax/ajaxcompanies.php
index ef0d7303715..330f0884605 100644
--- a/htdocs/core/ajax/ajaxcompanies.php
+++ b/htdocs/core/ajax/ajaxcompanies.php
@@ -31,6 +31,14 @@ if (!defined('NOREQUIRESOC')) define('NOREQUIRESOC', '1');
 // Load Dolibarr environment
 require '../../main.inc.php';
+require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php';
+
+$object = new Societe($db);
+
+$usesublevelpermission = '';
+
+// Security check
+restrictedArea($user, $object->module, $object, $object->table_element, $usesublevelpermission);
 /*
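Review bot: The new `restrictedArea()` call performs a module-level check only, because `$object` is a freshly constructed Societe that is never fetched and so carries no id; for a lookup endpoint that is the right level, but the reader has to infer it, so a comment such as `// Module-level check: $object is not fetched, so no per-record restriction is applied here` above the call would make the intent explicit. `$usesublevelpermission = ''` is a constant passed straight through; either inline the `''` or say in one comment why no sub-level permission applies to company search. If external users (`$user->socid > 0`) can reach this script, this check does not narrow the result set for them, so the SQL later in the file presumably still has to filter on `$user->socid`; that part is outside the hunk and worth confirming.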
@@ -68,15 +76,15 @@ if (GETPOST('newcompany') || GETPOST('socid', 'int') || GETPOST('id_fourn')) {
 $sql .= " AND (";
 // Add criteria on name/code
 if (!empty($conf->global->COMPANY_DONOTSEARCH_ANYWHERE)) { // Can use index
- $sql .= "s.nom LIKE '".$db->escape($socid)."%'";
- $sql .= " OR s.code_client LIKE '".$db->escape($socid)."%'";
- $sql .= " OR s.code_fournisseur LIKE '".$db->escape($socid)."%'";
+ $sql .= "s.nom LIKE '".$db->escape($db->escapeforlike($socid))."%'";
+ $sql .= " OR s.code_client LIKE '".$db->escape($db->escapeforlike($socid))."%'";
+ $sql .= " OR s.code_fournisseur LIKE '".$db->escape($db->escapeforlike($socid))."%'";
 } else {
- $sql .= "s.nom LIKE '%".$db->escape($socid)."%'";
- $sql .= " OR s.code_client LIKE '%".$db->escape($socid)."%'";
- $sql .= " OR s.code_fournisseur LIKE '%".$db->escape($socid)."%'";
+ $sql .= "s.nom LIKE '%".$db->escape($db->escapeforlike($socid))."%'";
+ $sql .= " OR s.code_client LIKE '%".$db->escape($db->escapeforlike($socid))."%'";
+ $sql .= " OR s.code_fournisseur LIKE '%".$db->escape($db->escapeforlike($socid))."%'";
 }
- if (!empty($conf->global->SOCIETE_ALLOW_SEARCH_ON_ROWID)) $sql .= " OR s.rowid = '".$db->escape($socid)."'";
+ if (!empty($conf->global->SOCIETE_ALLOW_SEARCH_ON_ROWID)) $sql .= " OR s.rowid = ".((int) $socid);
 $sql .= ")";
 }
 //if (GETPOST("filter")) $sql.= " AND (".GETPOST("filter", "alpha").")"; // Add other filters
diff --git a/htdocs/core/ajax/ajaxinvoiceline.php b/htdocs/core/ajax/ajaxinvoiceline.php
index 432ad15b151..f575bf326ac 100644
--- a/htdocs/core/ajax/ajaxinvoiceline.php
+++ b/htdocs/core/ajax/ajaxinvoiceline.php
@@ -39,7 +39,6 @@ $action = GETPOST('action', 'aZ09');
 $htmlname = GETPOST('htmlname', 'alpha');
-
 // Security check
 restrictedArea($user, 'facture', $invoice_id, '', '', 'fk_soc', 'rowid');
diff --git a/htdocs/core/ajax/ajaxtooltip.php b/htdocs/core/ajax/ajaxtooltip.php
index 8652908eced..787829d5864 100644
--- a/htdocs/core/ajax/ajaxtooltip.php
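Review bot: The escaping order is right (LIKE wildcards neutralised by `escapeforlike` before the SQL-level `escape`), but the expression `$db->escape($db->escapeforlike($socid))` is repeated six times across the two branches; computing it once, `$socidlike = $db->escape($db->escapeforlike($socid));`, just before the `if (!empty($conf->global->COMPANY_DONOTSEARCH_ANYWHERE))` line keeps each LIKE clause short and guarantees all six stay in sync. The rowid clause now casts to int, so a textual search term becomes `s.rowid = 0`, which presumably matches no row; a short comment, `// (int) cast: a non-numeric search term becomes 0 and matches nothing`, would stop a future reader from "fixing" it back to a quoted string. The enclosing `if (GETPOST('newcompany') ...)` block starts before this hunk.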
+++ b/htdocs/core/ajax/ajaxtooltip.php
@@ -39,13 +39,14 @@ include '../../main.inc.php';
 include_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
 include_once DOL_DOCUMENT_ROOT.'/core/class/html.form.class.php';
+
+
 top_httphead();
 // opensurvey as aZ09 id
 $id = GETPOST('id', 'aZ09');
-$objecttype = GETPOST('objecttype', 'aZ09');
+$objecttype = GETPOST('objecttype', 'aZ09'); // 'module' or 'myobject@mymodule', 'mymodule_myobject'
-$html = '';
 $regs = array();
 $params = array();
 if (GETPOSTISSET('infologin')) {
@@ -214,24 +215,60 @@ if ($objecttype == 'invoice_supplier') {
 }
 // print "objecttype=".$objecttype." module=".$module." subelement=".$subelement." classfile=".$classfile." classname=".$classname." classpath=".$classpath."
"; + +// Define a generic object with a very low cost memory and cpu load +$object = new stdClass(); +$object->module = $module; +$object->element = $myobject; +if (empty($classname)) { + $classname = ucfirst($module); +} +if (empty($classpath)) { + $classpath = $module.'/class'; +} +if (empty($classfile)) { + $classfile = $myobject; +} + +// Load object if (isModEnabled($module)) { $res = dol_include_once('/'.$classpath.'/'.$classfile.'.class.php'); if ($res) { - if (class_exists($classname)) { + if (class_exists($classname) && $id > 0) { $object = new $classname($db); $res = $object->fetch($id); - if ($res > 0) { - $html = $object->getTooltipContent($params); - } elseif ($res == 0) { - $html = $langs->trans('Deleted'); - } - unset($object); } else { dol_syslog("Class with classname ".$classname." is unknown even after the include", LOG_ERR); } + } else { + dol_syslog("Failed to include ".$classpath."/".$classfile, LOG_ERR); } } +$usesublevelpermission = ($module != $myobject ? $myobject : ''); +if ($usesublevelpermission && !isset($user->rights->$module->$myobject)) { // There is no permission on object defined, we will check permission on module directly + $usesublevelpermission = ''; +} + +// Security check +restrictedArea($user, $object->module, $object, $object->table_element, $usesublevelpermission); + + +/* + * View + */ + +$html = ''; + +if (is_object($object)) { + if ($object->id > 0) { + $html = $object->getTooltipContent($params); + } elseif ($res == 0) { + $html = $langs->trans('Deleted'); + } + unset($object); +} + print $html; $db->close(); diff --git a/htdocs/core/ajax/fetchKnowledgeRecord.php b/htdocs/core/ajax/fetchKnowledgeRecord.php index 295d164022f..afadf119e16 100644 --- a/htdocs/core/ajax/fetchKnowledgeRecord.php +++ b/htdocs/core/ajax/fetchKnowledgeRecord.php 
@@ -54,10 +54,10 @@ $idticketgroup = GETPOST('idticketgroup', 'aZ09');
 $idticketgroup = GETPOST('idticketgroup', 'aZ09');
 $lang = GETPOST('lang', 'aZ09');
-/*if (defined("NOLOGIN") && !getDolGlobalString('TICKET_ENABLE_PUBLIC_INTERFACE')) {
- // If we ask public content (so without login), we block if option TICKET_ENABLE_PUBLIC_INTERFACE is not enabled
- httponly_accessforbidden('');
-}*/
+// Security check
+if (!defined("NOLOGIN")) { // No need for restrictedArea if not logged. Later the select will filter on public articles only if not logged.
+ restrictedArea($user, 'knowledgemanagement', 0, 'knowledgemanagement_knowledgerecord', 'knowledgerecord');
+}
 /*