Merge branch '5.0' of git@github.com:Dolibarr/dolibarr.git into develop
Conflicts: ChangeLog build/makepack-dolibarr.pl htdocs/fichinter/list.php htdocs/product/list.php htdocs/projet/tasks/list.php
This commit is contained in:
Laurent Destailleur
commit
e5c898e0d6
41
ChangeLog
41
ChangeLog
@ -17,6 +17,47 @@ Following changes may create regression for some external modules, but were nece
|
||||
html.formmargin.class.php
|
||||
* Removed Societe::set_commnucation_level (was deprecated in 4.0). Was not used.
|
||||
|
||||
***** ChangeLog for 5.0.2 compared to 5.0.1 *****
|
||||
FIX: #6468 + Fix missing translation
|
||||
FIX: #6517 #6525 Autocompletion of thirdparty after n chars not implemented
|
||||
FIX: #6613 Default subject for Supplier proposal emails is filled with a non-existing key
|
||||
FIX: #6614
|
||||
FIX: #6619 Template invoices list do not respect restricted thirdparty user rights
|
||||
FIX: #6621 Documents tab shows greyed out upload form even if the option to show actions not available is disabled
|
||||
FIX: #6623 User card shows "Return to list" link even if the user has no rights to list users
|
||||
FIX: #6636 Complete fix
|
||||
FIX: #6669 User with no permission to edit customer invoices can see a edit button in project entry
|
||||
FIX: #6671 Cannot remove thirdparty type with "#" in its name
|
||||
FIX: #6673 Missing "nature" table header in thirdparty list
|
||||
FIX: #6675 Restricted user with no agenda permissions can see a button to create appointment in thirdparty contact list
|
||||
FIX: #6679 User with restricted supplier invoice permissions can edit project, payment conditions, payment mode
|
||||
FIX: #6680 User with restricted supplier invoice permissions sees "reopen" button even if he has no permission to do it
|
||||
FIX: #6718 Bug: Discount amount is not locally formatted in CommonObject View
|
||||
FIX: #6767 serious critical error, no login possible with postgresql and ipv6.
|
||||
FIX: #6795 #6796
|
||||
FIX: Add option MAIN_MAIL_USE_MULTI_PART to include text content into HTML email and add option MAIN_MAIL_ADD_INLINE_IMAGES_IF_IN_MEDIAS to restore the inline images feature.
|
||||
FIX: ajax autocomplete on clone
|
||||
FIX: A non admin user can not download files attached to user.
|
||||
FIX: Can't download delivery receipts (function dol_check_secure_access_document)
|
||||
FIX: complete hourly rate when not defined into table of time spent
|
||||
FIX: dont get empty "Incoterms : - " string if no incoterm
|
||||
FIX: dont lose supplier ref if no supplier price in database
|
||||
FIX: Enter a direct bank transaction
|
||||
FIX: extrafield css for boolean type
|
||||
FIX: forgotten parameter for right multicompany use
|
||||
FIX: Found duplicate line when it is not.
|
||||
FIX: global $dateSelector isn't the good one, then date selector on objectline_create tpl was hidden
|
||||
FIX: Journal code of bank must be visible of accountaing module on.
|
||||
FIX: length_accounta return variable name
|
||||
FIX: limit+1 dosn't show Total line
|
||||
FIX: No filter on company when showing the link to elements.
|
||||
FIX: overwrapping of weight/volume on rouget template
|
||||
FIX: Several bugs in accounting module.
|
||||
FIX: shared bank account with multicompany not visible in invoice setup
|
||||
FIX: spaces not allowed into vat code
|
||||
FIX: supplier default condition not retrieved on create
|
||||
FIX: supplier order line were always created with rang = 0
|
||||
|
||||
***** ChangeLog for 5.0.1 compared to 5.0.0 *****
|
||||
FIX: #6503: SQL error in "Last pending payment invoices"
|
||||
FIX: #6505 Project elements page shows greyed-out links even if the option to show actions not available is disabled
|
||||
|
||||
@ -19,7 +19,7 @@ use Cwd;
|
||||
# Change this to defined target for option 98 and 99
|
||||
$PROJECT="dolibarr";
|
||||
$PUBLISHSTABLE="eldy,dolibarr\@frs.sourceforge.net:/home/frs/project/dolibarr";
|
||||
$PUBLISHBETARC="ldestailleur\@asso.dolibarr.org:/home/dolibarr/dolibarr.org/httpdocs/files";
|
||||
$PUBLISHBETARC="ldestailleur\@vmprod.dolibarr.org:/home/dolibarr/dolibarr.org/httpdocs/files";
|
||||
|
||||
|
||||
#@LISTETARGET=("TGZ","ZIP","RPM_GENERIC","RPM_FEDORA","RPM_MANDRIVA","RPM_OPENSUSE","DEB","APS","EXEDOLIWAMP","SNAPSHOT"); # Possible packages
|
||||
@ -509,7 +509,6 @@ if ($nboftargetok) {
|
||||
$ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/documents`;
|
||||
|
||||
# Removed known external modules to avoid any error when packaging from env where external modules are tested
|
||||
#$ret=`find $BUILDROOT/$PROJECT/htdocs/custom/* -type d -exec rm -fr {} \;`; # For custom we want to keep dir
|
||||
$ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/allscreens*`;
|
||||
$ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/ancotec*`;
|
||||
$ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/cabinetmed*`;
|
||||
@ -572,6 +571,10 @@ if ($nboftargetok) {
|
||||
$ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/includes/tecnickcom/tcpdf/fonts/utils`;
|
||||
$ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/includes/tecnickcom/tcpdf/tools`;
|
||||
$ret=`rm -f $BUILDROOT/$PROJECT/htdocs/includes/tecnickcom/tcpdf/LICENSE.TXT`;
|
||||
|
||||
print "Remove subdir of custom dir\n";
|
||||
print "find $BUILDROOT/$PROJECT/htdocs/custom/* -type d -exec rm -fr {} \\;\n";
|
||||
$ret=`find $BUILDROOT/$PROJECT/htdocs/custom/* -type d -exec rm -fr {} \\; >/dev/null 2>&1`; # For custom we want to keep dir
|
||||
}
|
||||
|
||||
# Build package for each target
|
||||
|
||||
@ -173,6 +173,7 @@ done >>%{name}.lang
|
||||
%_datadir/dolibarr/htdocs/contrat
|
||||
%_datadir/dolibarr/htdocs/core
|
||||
%_datadir/dolibarr/htdocs/cron
|
||||
%_datadir/dolibarr/htdocs/custom
|
||||
%_datadir/dolibarr/htdocs/don
|
||||
%_datadir/dolibarr/htdocs/ecm
|
||||
%_datadir/dolibarr/htdocs/expedition
|
||||
|
||||
@ -253,6 +253,7 @@ done >>%{name}.lang
|
||||
%_datadir/dolibarr/htdocs/contrat
|
||||
%_datadir/dolibarr/htdocs/core
|
||||
%_datadir/dolibarr/htdocs/cron
|
||||
%_datadir/dolibarr/htdocs/custom
|
||||
%_datadir/dolibarr/htdocs/don
|
||||
%_datadir/dolibarr/htdocs/ecm
|
||||
%_datadir/dolibarr/htdocs/expedition
|
||||
|
||||
@ -170,6 +170,7 @@ done >>%{name}.lang
|
||||
%_datadir/dolibarr/htdocs/contrat
|
||||
%_datadir/dolibarr/htdocs/core
|
||||
%_datadir/dolibarr/htdocs/cron
|
||||
%_datadir/dolibarr/htdocs/custom
|
||||
%_datadir/dolibarr/htdocs/don
|
||||
%_datadir/dolibarr/htdocs/ecm
|
||||
%_datadir/dolibarr/htdocs/expedition
|
||||
|
||||
@ -181,6 +181,7 @@ done >>%{name}.lang
|
||||
%_datadir/dolibarr/htdocs/contrat
|
||||
%_datadir/dolibarr/htdocs/core
|
||||
%_datadir/dolibarr/htdocs/cron
|
||||
%_datadir/dolibarr/htdocs/custom
|
||||
%_datadir/dolibarr/htdocs/don
|
||||
%_datadir/dolibarr/htdocs/ecm
|
||||
%_datadir/dolibarr/htdocs/expedition
|
||||
|
||||
@ -57,7 +57,7 @@ $type=GETPOST("type");
|
||||
$search_email=GETPOST("search_email");
|
||||
$search_categ = GETPOST("search_categ",'int');
|
||||
$catid = GETPOST("catid",'int');
|
||||
$sall=GETPOST("sall");
|
||||
$sall=GETPOST('sall', 'alphanohtml');
|
||||
$optioncss = GETPOST('optioncss','alpha');
|
||||
|
||||
if ($statut < -1) $statut = '';
|
||||
|
||||
@ -41,8 +41,8 @@ $pagenext = $page + 1;
|
||||
if (! $sortorder) $sortorder="DESC";
|
||||
if (! $sortfield) $sortfield="m.date_creat";
|
||||
|
||||
$sall=GETPOST("sall","alpha");
|
||||
$sref=GETPOST("sref","alpha");
|
||||
$sall=GETPOST('sall', 'alphanohtml');
|
||||
$sref=GETPOST("sref", "alpha");
|
||||
$filteremail=GETPOST('filteremail','alpha');
|
||||
|
||||
// Initialize technical object to manage hooks of thirdparties. Note that conf->hooks_modules contains array array
|
||||
|
||||
@ -77,7 +77,7 @@ $viewstatut=GETPOST('viewstatut');
|
||||
$optioncss = GETPOST('optioncss','alpha');
|
||||
$object_statut=GETPOST('propal_statut');
|
||||
|
||||
$sall=GETPOST("sall");
|
||||
$sall=GETPOST('sall', 'alphanohtml');
|
||||
$mesg=(GETPOST("msg") ? GETPOST("msg") : GETPOST("mesg"));
|
||||
|
||||
$day=GETPOST("day","int");
|
||||
|
||||
@ -66,7 +66,7 @@ $search_zip=GETPOST('search_zip','alpha');
|
||||
$search_state=trim(GETPOST("search_state"));
|
||||
$search_country=GETPOST("search_country",'int');
|
||||
$search_type_thirdparty=GETPOST("search_type_thirdparty",'int');
|
||||
$sall=GETPOST('sall');
|
||||
$sall=GETPOST('sall', 'alphanohtml');
|
||||
$socid=GETPOST('socid','int');
|
||||
$search_user=GETPOST('search_user','int');
|
||||
$search_sale=GETPOST('search_sale','int');
|
||||
|
||||
@ -52,7 +52,7 @@ $action = GETPOST('action','alpha');
|
||||
$confirm = GETPOST('confirm','alpha');
|
||||
$sref = GETPOST('sref');
|
||||
$sref_client = GETPOST('sref_client');
|
||||
$sall = GETPOST('sall');
|
||||
$sall = GETPOST('sall', 'alphanohtml');
|
||||
$socid = GETPOST('socid','int');
|
||||
$selected = GETPOST('orders_to_invoice');
|
||||
$sortfield = GETPOST("sortfield",'alpha');
|
||||
|
||||
@ -53,7 +53,7 @@ $langs->load('bills');
|
||||
$langs->load('companies');
|
||||
$langs->load('products');
|
||||
|
||||
$sall=trim(GETPOST('sall'));
|
||||
$sall=trim(GETPOST('sall', 'alphanohtml'));
|
||||
$projectid=(GETPOST('projectid')?GETPOST('projectid','int'):0);
|
||||
|
||||
$id=(GETPOST('id','int')?GETPOST('id','int'):GETPOST('facid','int')); // For backward compatibility
|
||||
|
||||
@ -42,7 +42,7 @@ $ref = ''; // There is no ref for contacts
|
||||
if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'contact', $contactid,'');
|
||||
|
||||
$sall=GETPOST("sall");
|
||||
$sall=GETPOST('sall', 'alphanohtml');
|
||||
$search_firstlast_only=GETPOST("search_firstlast_only");
|
||||
$search_lastname=GETPOST("search_lastname");
|
||||
$search_firstname=GETPOST("search_firstname");
|
||||
|
||||
@ -53,7 +53,7 @@ $search_country=GETPOST("search_country",'int');
|
||||
$search_type_thirdparty=GETPOST("search_type_thirdparty",'int');
|
||||
$search_contract=GETPOST('search_contract');
|
||||
$search_ref_supplier=GETPOST('search_ref_supplier','alpha');
|
||||
$sall=GETPOST('sall');
|
||||
$sall=GETPOST('sall', 'alphanohtml');
|
||||
$search_status=GETPOST('search_status');
|
||||
$socid=GETPOST('socid');
|
||||
$search_user=GETPOST('search_user','int');
|
||||
|
||||
@ -1461,9 +1461,9 @@ class Form
|
||||
{
|
||||
if (! empty($conf->multicompany->transverse_mode))
|
||||
{
|
||||
$sql.= ", ".MAIN_DB_PREFIX."usergroup_user as ug";
|
||||
$sql.= " WHERE ug.fk_user = u.rowid";
|
||||
$sql.= " AND ug.entity = ".$conf->entity;
|
||||
$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."usergroup_user as ug";
|
||||
$sql.= " ON ug.fk_user = u.rowid";
|
||||
$sql.= " WHERE ug.entity = ".$conf->entity;
|
||||
}
|
||||
else
|
||||
{
|
||||
|
||||
@ -386,9 +386,17 @@ function GETPOST($paramname, $check='', $method=0, $filter=NULL, $options=NULL)
|
||||
if (! is_array($out) || empty($out)) $out=array();
|
||||
break;
|
||||
case 'nohtml':
|
||||
$out=dol_string_nohtmltag($out);
|
||||
$out=dol_string_nohtmltag($out);
|
||||
break;
|
||||
case 'custom':
|
||||
case 'alphanohtml': // Recommended for search params
|
||||
$out=trim($out);
|
||||
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
|
||||
// '../' is dangerous because it allows dir transversals
|
||||
if (preg_match('/"/',$out)) $out='';
|
||||
else if (preg_match('/\.\.\//',$out)) $out='';
|
||||
$out=dol_string_nohtmltag($out);
|
||||
break;
|
||||
case 'custom':
|
||||
if (empty($filter)) return 'BadFourthParameterForGETPOST';
|
||||
$out=filter_var($out, $filter, $options);
|
||||
break;
|
||||
|
||||
@ -59,9 +59,11 @@ function getURLContent($url,$postorget='GET',$param='',$followlocation=1,$addhea
|
||||
if (count($addheaders)) curl_setopt($ch, CURLOPT_HTTPHEADER, $addheaders);
|
||||
curl_setopt($ch, CURLINFO_HEADER_OUT, true); // To be able to retrieve request header and log it
|
||||
|
||||
// TLSv1 by default or change to TLSv1.2 in module configuration
|
||||
//curl_setopt($ch, CURLOPT_SSLVERSION, (empty($conf->global->MAIN_CURL_SSLVERSION)?1:$conf->global->MAIN_CURL_SSLVERSION));
|
||||
|
||||
// By default use tls decied by PHP.
|
||||
// You can force, if supported a version like TLSv1 or TLSv1.2
|
||||
if (! empty($conf->global->MAIN_CURL_SSLVERSION)) curl_setopt($ch, CURLOPT_SSLVERSION, $conf->global->MAIN_CURL_SSLVERSION);
|
||||
//curl_setopt($ch, CURLOPT_SSLVERSION, 6); for tls 1.2
|
||||
|
||||
//turning off the server and peer verification(TrustManager Concept).
|
||||
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
|
||||
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
|
||||
|
||||
@ -43,7 +43,7 @@ if (! $sortorder) $sortorder="DESC";
|
||||
if (! $sortfield) $sortfield="d.datedon";
|
||||
|
||||
$statut=isset($_GET["statut"])?$_GET["statut"]:"-1";
|
||||
$search_all=GETPOST('sall','alpha');
|
||||
$search_all=GETPOST('sall', 'alphanohtml');
|
||||
$search_ref=GETPOST('search_ref','alpha');
|
||||
$search_company=GETPOST('search_company','alpha');
|
||||
$search_name=GETPOST('search_name','alpha');
|
||||
|
||||
@ -50,7 +50,7 @@ $search_zip=GETPOST('search_zip','alpha');
|
||||
$search_state=trim(GETPOST("search_state"));
|
||||
$search_country=GETPOST("search_country",'int');
|
||||
$search_type_thirdparty=GETPOST("search_type_thirdparty",'int');
|
||||
$sall = GETPOST('sall');
|
||||
$sall = GETPOST('sall', 'alphanohtml');
|
||||
$optioncss = GETPOST('optioncss','alpha');
|
||||
|
||||
$limit = GETPOST("limit")?GETPOST("limit","int"):$conf->liste_limit;
|
||||
|
||||
@ -63,7 +63,7 @@ if (!$sortorder) $sortorder="DESC";
|
||||
if (!$sortfield) $sortfield="d.date_debut";
|
||||
|
||||
|
||||
$sall = GETPOST('sall');
|
||||
$sall = GETPOST('sall', 'alphanohtml');
|
||||
$search_ref = GETPOST('search_ref');
|
||||
$search_user = GETPOST('search_user','int');
|
||||
$search_amount_ht = GETPOST('search_amount_ht','alpha');
|
||||
|
||||
@ -75,6 +75,13 @@ if (! $sortfield)
|
||||
// Initialize technical object to manage context to save list fields
|
||||
$contextpage=GETPOST('contextpage','aZ')?GETPOST('contextpage','aZ'):'interventionlist';
|
||||
|
||||
$sall=GETPOST('sall', 'alphanohtml');
|
||||
$search_ref=GETPOST('search_ref')?GETPOST('search_ref','alpha'):GETPOST('search_inter','alpha');
|
||||
$search_company=GETPOST('search_company','alpha');
|
||||
$search_desc=GETPOST('search_desc','alpha');
|
||||
$search_status=GETPOST('search_status');
|
||||
$optioncss = GETPOST('optioncss','alpha');
|
||||
|
||||
// Initialize technical object to manage hooks of thirdparties. Note that conf->hooks_modules contains array array
|
||||
$hookmanager->initHooks(array($contextpage));
|
||||
$extrafields = new ExtraFields($db);
|
||||
|
||||
@ -164,14 +164,17 @@ if (empty($multicompany_force_entity)) $multicompany_force_entity=0; // To force
|
||||
// This test check if referrer ($_SERVER['HTTP_REFERER']) is same web site than Dolibarr ($_SERVER['HTTP_HOST'])
|
||||
// when we post forms (we allow GET to allow direct link to access a particular page).
|
||||
// Note about $_SERVER[HTTP_HOST/SERVER_NAME]: http://shiflett.org/blog/2006/mar/server-name-versus-http-host
|
||||
if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck)
|
||||
&& ! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST'])
|
||||
&& (empty($_SERVER['HTTP_REFERER']) || ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER'])))
|
||||
if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck))
|
||||
{
|
||||
//print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
|
||||
print "Access refused by CSRF protection in main.inc.php.\n";
|
||||
print "If you access your server behind a proxy using url rewriting, you might add the line \$dolibarr_nocsrfcheck=1 into your conf.php file.\n";
|
||||
die;
|
||||
if (! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST'])
|
||||
&& (empty($_SERVER['HTTP_REFERER']) || ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER'])))
|
||||
{
|
||||
//print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
|
||||
print "Access refused by CSRF protection in main.inc.php. Referer of form is outside server that serve the POST.\n";
|
||||
print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n";
|
||||
die;
|
||||
}
|
||||
// Another test is done later on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on.
|
||||
}
|
||||
if (empty($dolibarr_main_db_host))
|
||||
{
|
||||
|
||||
@ -60,6 +60,8 @@ $orderday=GETPOST("orderday","int");
|
||||
$deliveryyear=GETPOST("deliveryyear","int");
|
||||
$deliverymonth=GETPOST("deliverymonth","int");
|
||||
$deliveryday=GETPOST("deliveryday","int");
|
||||
|
||||
$sall=GETPOST('search_all', 'alphanohtml');
|
||||
$search_product_category=GETPOST('search_product_category','int');
|
||||
$search_ref=GETPOST('search_ref');
|
||||
$search_refsupp=GETPOST('search_refsupp');
|
||||
@ -75,7 +77,6 @@ $search_ht=GETPOST('search_ht');
|
||||
$search_ttc=GETPOST('search_ttc');
|
||||
$search_status=(GETPOST('search_status','alpha')!=''?GETPOST('search_status','alpha'):GETPOST('statut','alpha')); // alpha and not intbecause it can be '6,7'
|
||||
$optioncss = GETPOST('optioncss','alpha');
|
||||
$sall=GETPOST('search_all');
|
||||
$socid = GETPOST('socid','int');
|
||||
$search_sale=GETPOST('search_sale','int');
|
||||
$search_total_ht=GETPOST('search_total_ht','alpha');
|
||||
|
||||
@ -53,7 +53,7 @@ $action = GETPOST('action', 'alpha');
|
||||
$confirm = GETPOST('confirm', 'alpha');
|
||||
$sref = GETPOST('sref');
|
||||
$sref_client = GETPOST('sref_client');
|
||||
$sall = GETPOST('sall');
|
||||
$sall = GETPOST('sall', 'alphanohtml');
|
||||
$socid = GETPOST('socid', 'int');
|
||||
$selected = GETPOST('orders_to_invoice');
|
||||
$sortfield = GETPOST("sortfield", 'alpha');
|
||||
|
||||
@ -93,7 +93,7 @@ if ($object->id > 0)
|
||||
|
||||
$totalpaye = $object->getSommePaiement();
|
||||
|
||||
$linkback = '<a href="' . DOL_URL_ROOT . '/compta/facture/list.php' . (! empty($socid) ? '?socid=' . $socid : '') . '">' . $langs->trans("BackToList") . '</a>';
|
||||
$linkback = '<a href="' . DOL_URL_ROOT . '/fourn/facture/list.php' . (! empty($socid) ? '?socid=' . $socid : '') . '">' . $langs->trans("BackToList") . '</a>';
|
||||
|
||||
$morehtmlref='<div class="refidno">';
|
||||
// Ref supplier
|
||||
|
||||
@ -97,7 +97,7 @@ $toselect = GETPOST('toselect', 'array');
|
||||
$option = GETPOST('option');
|
||||
if ($option == 'late') $filter = 'paye:0';
|
||||
|
||||
$search_all = GETPOST('sall');
|
||||
$search_all = GETPOST('sall', 'alphanohtml');
|
||||
$search_label = GETPOST("search_label","alpha");
|
||||
$search_company = GETPOST("search_company","alpha");
|
||||
$search_amount_no_tax = GETPOST("search_amount_no_tax","alpha");
|
||||
|
||||
@ -55,7 +55,7 @@ $pagenext = $page + 1;
|
||||
|
||||
$id = GETPOST('id','int');
|
||||
|
||||
$sall = GETPOST('sall');
|
||||
$sall = GETPOST('sall', 'alphanohtml');
|
||||
$search_ref = GETPOST('search_ref');
|
||||
$month_create = GETPOST('month_create');
|
||||
$year_create = GETPOST('year_create');
|
||||
|
||||
@ -298,16 +298,24 @@ if ((! empty($conf->global->MAIN_VERSION_LAST_UPGRADE) && ($conf->global->MAIN_V
|
||||
// Creation of a token against CSRF vulnerabilities
|
||||
if (! defined('NOTOKENRENEWAL'))
|
||||
{
|
||||
$token = dol_hash(uniqid(mt_rand(),TRUE)); // Generates a hash of a random number
|
||||
// roulement des jetons car cree a chaque appel
|
||||
if (isset($_SESSION['newtoken'])) $_SESSION['token'] = $_SESSION['newtoken'];
|
||||
|
||||
// Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = $_SESSION['newtoken']
|
||||
$token = dol_hash(uniqid(mt_rand(),TRUE)); // Generates a hash of a random number
|
||||
$_SESSION['newtoken'] = $token;
|
||||
}
|
||||
if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN)) // Check validity of token, only if option enabled (this option breaks some features sometimes)
|
||||
{
|
||||
if ($_SERVER['REQUEST_METHOD'] === 'POST')
|
||||
if ($_SERVER['REQUEST_METHOD'] == 'POST' && ! GETPOST('token')) // Note, offender can still send request by GET
|
||||
{
|
||||
if (GETPOST('token') != $_SESSION['token'])
|
||||
print "Access refused by CSRF protection in main.inc.php. Token not provided.\n";
|
||||
print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n";
|
||||
die;
|
||||
}
|
||||
if ($_SERVER['REQUEST_METHOD'] === 'POST') // This test must be after loading $_SESSION['token'].
|
||||
{
|
||||
if (GETPOST('token', 'alpha') != $_SESSION['token'])
|
||||
{
|
||||
dol_syslog("Invalid token in ".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action').", _POST['token']=".GETPOST('token').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING);
|
||||
//print 'Unset POST by CSRF protection in main.inc.php.'; // Do not output anything because this create problems when using the BACK button on browsers.
|
||||
|
||||
@ -326,7 +326,7 @@ class ActionsCardProduct
|
||||
$this->list_datas = array();
|
||||
|
||||
// Clean parameters
|
||||
$sall=trim(GETPOST("sall"));
|
||||
$sall=trim(GETPOST('sall', 'alphanohtml'));
|
||||
|
||||
foreach($this->field_list as $field)
|
||||
{
|
||||
|
||||
@ -51,11 +51,10 @@ $show_files=GETPOST('show_files','int');
|
||||
$confirm=GETPOST('confirm','alpha');
|
||||
$toselect = GETPOST('toselect', 'array');
|
||||
|
||||
$sall=GETPOST('sall', 'alphanohtml');
|
||||
$sref=GETPOST("sref");
|
||||
$sbarcode=GETPOST("sbarcode");
|
||||
$snom=GETPOST("snom");
|
||||
$sall=GETPOST("sall");
|
||||
$type= (int) GETPOST("type","int");
|
||||
$search_sale = GETPOST("search_sale");
|
||||
$search_categ = GETPOST("search_categ",'int');
|
||||
$tosell = GETPOST("tosell", 'int');
|
||||
@ -66,6 +65,7 @@ $search_tobatch = GETPOST("search_tobatch",'int');
|
||||
$search_accountancy_code_sell = GETPOST("search_accountancy_code_sell",'alpha');
|
||||
$search_accountancy_code_buy = GETPOST("search_accountancy_code_buy",'alpha');
|
||||
$optioncss = GETPOST('optioncss','alpha');
|
||||
$type= (int) GETPOST("type","int");
|
||||
|
||||
//Show/hide child products. Hidden by default
|
||||
if (!$_POST) {
|
||||
|
||||
@ -42,7 +42,7 @@ $result=restrictedArea($user,'produit|service');
|
||||
$action=GETPOST('action','alpha');
|
||||
$sref=GETPOST("sref");
|
||||
$snom=GETPOST("snom");
|
||||
$sall=GETPOST("sall");
|
||||
$sall=GETPOST('sall', 'alphanohtml');
|
||||
$type=GETPOST("type","int");
|
||||
$sbarcode=GETPOST("sbarcode");
|
||||
$catid=GETPOST('catid','int');
|
||||
|
||||
@ -44,7 +44,7 @@ $result=restrictedArea($user,'produit|service');
|
||||
$action=GETPOST('action','alpha');
|
||||
$sref=GETPOST("sref");
|
||||
$snom=GETPOST("snom");
|
||||
$sall=GETPOST("sall");
|
||||
$sall=GETPOST('sall', 'alphanohtml');
|
||||
$type=GETPOST("type","int");
|
||||
$sbarcode=GETPOST("sbarcode",'alpha');
|
||||
$search_warehouse=GETPOST('search_warehouse','alpha');
|
||||
|
||||
@ -32,9 +32,9 @@ $langs->load("stocks");
|
||||
// Security check
|
||||
$result=restrictedArea($user,'stock');
|
||||
|
||||
$sall=GETPOST('sall', 'alphanohtml');
|
||||
$search_ref=GETPOST("sref","alpha")?GETPOST("sref","alpha"):GETPOST("search_ref","alpha");
|
||||
$search_label=GETPOST("snom","alpha")?GETPOST("snom","alpha"):GETPOST("search_label","alpha");
|
||||
$sall=GETPOST("sall","alpha");
|
||||
$search_status=GETPOST("search_status","int");
|
||||
|
||||
$limit = GETPOST('limit')?GETPOST('limit','int'):$conf->liste_limit;
|
||||
|
||||
@ -48,7 +48,7 @@ $result=restrictedArea($user,'produit|service');
|
||||
$action = GETPOST('action','alpha');
|
||||
$sref = GETPOST('sref', 'alpha');
|
||||
$snom = GETPOST('snom', 'alpha');
|
||||
$sall = GETPOST('sall', 'alpha');
|
||||
$sall = GETPOST('sall', 'alphanohtml');
|
||||
$type = GETPOST('type','int');
|
||||
$tobuy = GETPOST('tobuy', 'int');
|
||||
$salert = GETPOST('salert', 'alpha');
|
||||
|
||||
@ -39,11 +39,11 @@ $langs->load("orders");
|
||||
if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result=restrictedArea($user,'produit|service');
|
||||
|
||||
$sall = GETPOST('search_all', 'alphanohtml');
|
||||
$sref = GETPOST('search_ref', 'alpha');
|
||||
$snom = GETPOST('search_nom', 'alpha');
|
||||
$suser = GETPOST('search_user', 'alpha');
|
||||
$sttc = GETPOST('search_ttc', 'alpha');
|
||||
$sall = GETPOST('search_all', 'alpha');
|
||||
$sdate = GETPOST('search_date', 'alpha');
|
||||
$page = GETPOST('page', 'int');
|
||||
$sproduct = GETPOST('sproduct', 'int');
|
||||
|
||||
@ -33,7 +33,7 @@ $result=restrictedArea($user,'stock');
|
||||
|
||||
$sref=GETPOST("sref");
|
||||
$snom=GETPOST("snom");
|
||||
$sall=GETPOST("sall");
|
||||
$sall=GETPOST('sall', 'alphanohtml');
|
||||
|
||||
$sortfield = GETPOST("sortfield");
|
||||
$sortorder = GETPOST("sortorder");
|
||||
|
||||
@ -67,13 +67,12 @@ $offset = $limit * $page ;
|
||||
$pageprev = $page - 1;
|
||||
$pagenext = $page + 1;
|
||||
|
||||
$search_all=GETPOST("search_all");
|
||||
$search_all=GETPOST('search_all', 'alphanohtml');
|
||||
$search_categ=GETPOST("search_categ",'alpha');
|
||||
$search_ref=GETPOST("search_ref");
|
||||
$search_label=GETPOST("search_label");
|
||||
$search_societe=GETPOST("search_societe");
|
||||
$search_year=GETPOST("search_year");
|
||||
$search_all=GETPOST("search_all");
|
||||
$search_status=GETPOST("search_status",'int');
|
||||
$search_opp_status=GETPOST("search_opp_status",'alpha');
|
||||
$search_opp_percent=GETPOST("search_opp_percent",'alpha');
|
||||
|
||||
@ -40,7 +40,7 @@ $toselect = GETPOST('toselect', 'array');
|
||||
|
||||
$id=GETPOST('id','int');
|
||||
|
||||
$search_all=GETPOST('search_all');
|
||||
$search_all=GETPOST('search_all', 'alphanohtml');
|
||||
$search_categ=GETPOST("search_categ",'alpha');
|
||||
$search_project=GETPOST('search_project');
|
||||
if (! isset($_GET['search_projectstatus']) && ! isset($_POST['search_projectstatus']))
|
||||
|
||||
@ -48,7 +48,7 @@ $socid = GETPOST('socid','int');
|
||||
if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user,'societe',$socid,'');
|
||||
|
||||
$search_all=trim(GETPOST("sall"));
|
||||
$search_all=trim(GETPOST('sall', 'alphanohtml'));
|
||||
$search_nom=trim(GETPOST("search_nom"));
|
||||
$search_nom_only=trim(GETPOST("search_nom_only"));
|
||||
$search_barcode=trim(GETPOST("sbarcode"));
|
||||
|
||||
@ -66,7 +66,7 @@ $search_author=GETPOST('search_author','alpha');
|
||||
$search_status=GETPOST('viewstatut','alpha')?GETPOST('viewstatut','alpha'):GETPOST('search_status','int');
|
||||
$object_statut=$db->escape(GETPOST('supplier_proposal_statut'));
|
||||
|
||||
$sall=GETPOST("sall");
|
||||
$sall=GETPOST('sall', 'alphanohtml');
|
||||
$mesg=(GETPOST("msg") ? GETPOST("msg") : GETPOST("mesg"));
|
||||
$year=GETPOST("year");
|
||||
$month=GETPOST("month");
|
||||
|
||||
@ -34,7 +34,7 @@ if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS))
|
||||
|
||||
$langs->load("users");
|
||||
|
||||
$sall=GETPOST('sall');
|
||||
$sall=GETPOST('sall', 'alphanohtml');
|
||||
$search_group=GETPOST('search_group');
|
||||
$optioncss = GETPOST('optioncss','alpha');
|
||||
|
||||
|
||||
@ -39,7 +39,7 @@ $socid=0;
|
||||
if ($user->societe_id > 0)
|
||||
$socid = $user->societe_id;
|
||||
|
||||
$sall=GETPOST('sall','alpha');
|
||||
$sall=GETPOST('sall', 'alphanohtml');
|
||||
$search_user=GETPOST('search_user','alpha');
|
||||
|
||||
$userstatic=new User($db);
|
||||
|
||||
@ -110,7 +110,7 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab
|
||||
}
|
||||
|
||||
// Init search fields
|
||||
$sall=GETPOST('sall','alpha');
|
||||
$sall=GETPOST('sall', 'alphanohtml');
|
||||
$search_user=GETPOST('search_user','alpha');
|
||||
$search_login=GETPOST('search_login','alpha');
|
||||
$search_lastname=GETPOST('search_lastname','alpha');
|
||||
|
||||
Loading…
Reference in New Issue
Block a user