Fix security bugs
This commit is contained in:
Laurent Destailleur
parent
54aa8696ad
commit
e50bbb05fa
@ -681,9 +681,9 @@ if ($action == 'create')
|
||||
dol_fiche_head();
|
||||
|
||||
print '<table class="border" width="100%">';
|
||||
print '<tr><td class="fieldrequired titlefieldcreate">'.$langs->trans("MailTitle").'</td><td><input class="flat" name="titre" size="40" value="'.$_POST['titre'].'"></td></tr>';
|
||||
print '<tr><td class="fieldrequired">'.$langs->trans("MailFrom").'</td><td><input class="flat" name="from" size="40" value="'.$conf->global->MAILING_EMAIL_FROM.'"></td></tr>';
|
||||
print '<tr><td>'.$langs->trans("MailErrorsTo").'</td><td><input class="flat" name="errorsto" size="40" value="'.(!empty($conf->global->MAILING_EMAIL_ERRORSTO)?$conf->global->MAILING_EMAIL_ERRORSTO:$conf->global->MAIN_MAIL_ERRORS_TO).'"></td></tr>';
|
||||
print '<tr><td class="fieldrequired titlefieldcreate">'.$langs->trans("MailTitle").'</td><td><input class="flat minwidth200" name="titre" value="'.dol_escape_htmltag(GETPOST('titre')).'"></td></tr>';
|
||||
print '<tr><td class="fieldrequired">'.$langs->trans("MailFrom").'</td><td><input class="flat minwidth200" name="from" value="'.$conf->global->MAILING_EMAIL_FROM.'"></td></tr>';
|
||||
print '<tr><td>'.$langs->trans("MailErrorsTo").'</td><td><input class="flat minwidth200" name="errorsto" value="'.(!empty($conf->global->MAILING_EMAIL_ERRORSTO)?$conf->global->MAILING_EMAIL_ERRORSTO:$conf->global->MAIN_MAIL_ERRORS_TO).'"></td></tr>';
|
||||
|
||||
// Other attributes
|
||||
$parameters=array();
|
||||
@ -697,7 +697,7 @@ if ($action == 'create')
|
||||
print '</br><br>';
|
||||
|
||||
print '<table class="border" width="100%">';
|
||||
print '<tr><td class="fieldrequired titlefieldcreate">'.$langs->trans("MailTopic").'</td><td><input class="flat" name="sujet" size="60" value="'.$_POST['sujet'].'"></td></tr>';
|
||||
print '<tr><td class="fieldrequired titlefieldcreate">'.$langs->trans("MailTopic").'</td><td><input class="flat minwidth200" name="sujet" value="'.dol_escape_htmltag(GETPOST('sujet')).'"></td></tr>';
|
||||
print '<tr><td>'.$langs->trans("BackgroundColorByDefault").'</td><td colspan="3">';
|
||||
print $htmlother->selectColor($_POST['bgcolor'],'bgcolor','new_mailing',0);
|
||||
print '</td></tr>';
|
||||
|
||||
@ -116,7 +116,7 @@ if ($socid > 0)
|
||||
print '<div class="underbanner clearboth"></div>';
|
||||
print '<table class="border centpercent">';
|
||||
|
||||
// Remise
|
||||
// Discount
|
||||
print '<tr><td class="titlefield">';
|
||||
print $langs->trans("CustomerRelativeDiscount").'</td><td>'.price2num($object->remise_percent)."%</td></tr>";
|
||||
|
||||
@ -127,13 +127,13 @@ if ($socid > 0)
|
||||
|
||||
print '<table class="border centpercent">';
|
||||
|
||||
// Nouvelle valeur
|
||||
// New value
|
||||
print '<tr><td class="titlefield">';
|
||||
print $langs->trans("NewValue").'</td><td><input type="text" size="5" name="remise" value="'.($_POST["remise"]?$_POST["remise"]:'').'">%</td></tr>';
|
||||
print $langs->trans("NewValue").'</td><td><input type="text" size="5" name="remise" value="'.dol_escape_htmltag(GETPOST("remise")).'">%</td></tr>';
|
||||
|
||||
// Motif/Note
|
||||
print '<tr><td>';
|
||||
print $langs->trans("NoteReason").'</td><td><input type="text" size="60" name="note" value="'.$_POST["note"].'"></td></tr>';
|
||||
print $langs->trans("NoteReason").'</td><td><input type="text" size="60" name="note" value="'.dol_escape_htmltag(GETPOST("note")).'"></td></tr>';
|
||||
|
||||
print "</table>";
|
||||
|
||||
|
||||
@ -24,33 +24,34 @@
|
||||
require_once DOL_DOCUMENT_ROOT.'/core/class/commonobject.class.php';
|
||||
|
||||
|
||||
/** \class PaymentDonation
|
||||
* \brief Class to manage payments of donations
|
||||
/**
|
||||
* Class to manage payments of donations
|
||||
*/
|
||||
class PaymentDonation extends CommonObject
|
||||
{
|
||||
public $element='payment_donation'; //!< Id that identify managed objects
|
||||
public $table_element='payment_donation'; //!< Name of table without prefix where object is stored
|
||||
public $picto = 'payment';
|
||||
|
||||
public $rowid;
|
||||
|
||||
var $rowid;
|
||||
|
||||
var $fk_donation;
|
||||
var $datec='';
|
||||
var $tms='';
|
||||
var $datep='';
|
||||
var $amount; // Total amount of payment
|
||||
var $amounts=array(); // Array of amounts
|
||||
var $typepayment;
|
||||
var $num_payment;
|
||||
var $fk_bank;
|
||||
var $fk_user_creat;
|
||||
var $fk_user_modif;
|
||||
public $fk_donation;
|
||||
public $datec='';
|
||||
public $tms='';
|
||||
public $datep='';
|
||||
public $amount; // Total amount of payment
|
||||
public $amounts=array(); // Array of amounts
|
||||
public $typepayment;
|
||||
public $num_payment;
|
||||
public $fk_bank;
|
||||
public $fk_user_creat;
|
||||
public $fk_user_modif;
|
||||
|
||||
/**
|
||||
* @deprecated
|
||||
* @see amount, amounts
|
||||
*/
|
||||
var $total;
|
||||
public $total;
|
||||
|
||||
/**
|
||||
* Constructor
|
||||
@ -432,6 +433,32 @@ class PaymentDonation extends CommonObject
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Retourne le libelle du statut d'un don (brouillon, validee, abandonnee, payee)
|
||||
*
|
||||
* @param int $mode 0=libelle long, 1=libelle court, 2=Picto + Libelle court, 3=Picto, 4=Picto + Libelle long
|
||||
* @return string Libelle
|
||||
*/
|
||||
function getLibStatut($mode=0)
|
||||
{
|
||||
return '';
|
||||
}
|
||||
|
||||
/**
|
||||
* Renvoi le libelle d'un statut donne
|
||||
*
|
||||
* @param int $statut Id statut
|
||||
* @param int $mode 0=libelle long, 1=libelle court, 2=Picto + Libelle court, 3=Picto, 4=Picto + Libelle long, 5=Libelle court + Picto
|
||||
* @return string Libelle du statut
|
||||
*/
|
||||
function LibStatut($statut,$mode=0)
|
||||
{
|
||||
global $langs;
|
||||
|
||||
return '';
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Initialise an instance with random values.
|
||||
* Used to build previews or test instances.
|
||||
|
||||
@ -40,10 +40,10 @@ if ($user->societe_id) $socid=$user->societe_id;
|
||||
// TODO Add rule to restrict access payment
|
||||
//$result = restrictedArea($user, 'facture', $id,'');
|
||||
|
||||
$payment = new PaymentDonation($db);
|
||||
$object = new PaymentDonation($db);
|
||||
if ($id > 0)
|
||||
{
|
||||
$result=$payment->fetch($id);
|
||||
$result=$object->fetch($id);
|
||||
if (! $result) dol_print_error($db,'Failed to get payment id '.$id);
|
||||
}
|
||||
|
||||
@ -57,7 +57,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes' && $user->rights->don->supp
|
||||
{
|
||||
$db->begin();
|
||||
|
||||
$result = $payment->delete($user);
|
||||
$result = $object->delete($user);
|
||||
if ($result > 0)
|
||||
{
|
||||
$db->commit();
|
||||
@ -66,7 +66,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes' && $user->rights->don->supp
|
||||
}
|
||||
else
|
||||
{
|
||||
setEventMessages($payment->error, $payment->errors, 'errors');
|
||||
setEventMessages($object->error, $object->errors, 'errors');
|
||||
$db->rollback();
|
||||
}
|
||||
}
|
||||
@ -76,7 +76,7 @@ if ($action == 'confirm_valide' && $confirm == 'yes' && $user->rights->don->cree
|
||||
{
|
||||
$db->begin();
|
||||
|
||||
$result=$payment->valide();
|
||||
$result=$object->valide();
|
||||
|
||||
if ($result > 0)
|
||||
{
|
||||
@ -99,12 +99,12 @@ if ($action == 'confirm_valide' && $confirm == 'yes' && $user->rights->don->cree
|
||||
}
|
||||
}
|
||||
|
||||
header('Location: card.php?id='.$payment->id);
|
||||
header('Location: card.php?id='.$object->id);
|
||||
exit;
|
||||
}
|
||||
else
|
||||
{
|
||||
setEventMessages($payment->error, $payment->errors, 'errors');
|
||||
setEventMessages($object->error, $object->errors, 'errors');
|
||||
$db->rollback();
|
||||
}
|
||||
}
|
||||
@ -133,7 +133,7 @@ dol_fiche_head($head, $hselected, $langs->trans("DonationPayment"), 0, 'payment'
|
||||
*/
|
||||
if ($action == 'delete')
|
||||
{
|
||||
print $form->formconfirm('card.php?id='.$payment->id, $langs->trans("DeletePayment"), $langs->trans("ConfirmDeletePayment"), 'confirm_delete','',0,2);
|
||||
print $form->formconfirm('card.php?id='.$object->id, $langs->trans("DeletePayment"), $langs->trans("ConfirmDeletePayment"), 'confirm_delete','',0,2);
|
||||
|
||||
}
|
||||
|
||||
@ -142,46 +142,51 @@ if ($action == 'delete')
|
||||
*/
|
||||
if ($action == 'valide')
|
||||
{
|
||||
$facid = $_GET['facid'];
|
||||
print $form->formconfirm('card.php?id='.$payment->id.'&facid='.$facid, $langs->trans("ValidatePayment"), $langs->trans("ConfirmValidatePayment"), 'confirm_valide','',0,2);
|
||||
$facid = GETPOST('facid','int');
|
||||
print $form->formconfirm('card.php?id='.$object->id.'&facid='.$facid, $langs->trans("ValidatePayment"), $langs->trans("ConfirmValidatePayment"), 'confirm_valide','',0,2);
|
||||
|
||||
}
|
||||
|
||||
|
||||
dol_banner_tab($object,'id','',1,'rowid','id');
|
||||
|
||||
print '<div class="underbanner clearboth"></div>';
|
||||
|
||||
print '<table class="border" width="100%">';
|
||||
|
||||
// Ref
|
||||
print '<tr><td valign="top" width="20%">'.$langs->trans('Ref').'</td>';
|
||||
/*print '<tr><td class=">'.$langs->trans('Ref').'</td>';
|
||||
print '<td colspan="3">';
|
||||
print $form->showrefnav($payment,'id','',1,'rowid','id');
|
||||
print $form->showrefnav($object,'id','',1,'rowid','id');
|
||||
print '</td></tr>';
|
||||
*/
|
||||
|
||||
// Date
|
||||
print '<tr><td valign="top">'.$langs->trans('Date').'</td><td colspan="3">'.dol_print_date($payment->datep,'day').'</td></tr>';
|
||||
print '<tr><td class="titlefield">'.$langs->trans('Date').'</td><td>'.dol_print_date($object->datep,'day').'</td></tr>';
|
||||
|
||||
// Mode
|
||||
print '<tr><td valign="top">'.$langs->trans('Mode').'</td><td colspan="3">'.$langs->trans("PaymentType".$payment->type_code).'</td></tr>';
|
||||
print '<tr><td>'.$langs->trans('Mode').'</td><td>'.$langs->trans("PaymentType".$object->type_code).'</td></tr>';
|
||||
|
||||
// Number
|
||||
print '<tr><td valign="top">'.$langs->trans('Number').'</td><td colspan="3">'.$payment->num_payment.'</td></tr>';
|
||||
print '<tr><td>'.$langs->trans('Number').'</td><td>'.$object->num_payment.'</td></tr>';
|
||||
|
||||
// Amount
|
||||
print '<tr><td valign="top">'.$langs->trans('Amount').'</td><td colspan="3">'.price($payment->amount, 0, $outputlangs, 1, -1, -1, $conf->currency).'</td></tr>';
|
||||
print '<tr><td>'.$langs->trans('Amount').'</td><td>'.price($object->amount, 0, $outputlangs, 1, -1, -1, $conf->currency).'</td></tr>';
|
||||
|
||||
// Note
|
||||
print '<tr><td valign="top">'.$langs->trans('Note').'</td><td colspan="3">'.nl2br($payment->note).'</td></tr>';
|
||||
print '<tr><td>'.$langs->trans('Note').'</td><td>'.nl2br($object->note).'</td></tr>';
|
||||
|
||||
// Bank account
|
||||
if (! empty($conf->banque->enabled))
|
||||
{
|
||||
if ($payment->bank_account)
|
||||
if ($object->bank_account)
|
||||
{
|
||||
$bankline=new AccountLine($db);
|
||||
$bankline->fetch($payment->bank_line);
|
||||
$bankline->fetch($object->bank_line);
|
||||
|
||||
print '<tr>';
|
||||
print '<td>'.$langs->trans('BankTransactionLine').'</td>';
|
||||
print '<td colspan="3">';
|
||||
print '<td>';
|
||||
print $bankline->getNomUrl(1,0,'showall');
|
||||
print '</td>';
|
||||
print '</tr>';
|
||||
@ -269,7 +274,7 @@ print '<div class="tabsAction">';
|
||||
/*
|
||||
if (! empty($conf->global->BILL_ADD_PAYMENT_VALIDATION))
|
||||
{
|
||||
if ($user->societe_id == 0 && $payment->statut == 0 && $_GET['action'] == '')
|
||||
if ($user->societe_id == 0 && $object->statut == 0 && $_GET['action'] == '')
|
||||
{
|
||||
if ($user->rights->facture->paiement)
|
||||
{
|
||||
|
||||
Loading…
Reference in New Issue
Block a user