Fix: security

This commit is contained in:
Regis Houssin 2011-10-26 10:55:56 +02:00
parent a806f1ae09
commit f079b63438
4 changed files with 59 additions and 18 deletions


@ -336,7 +336,10 @@ else if ($id)
$soc = new Societe($db);
if ($object->socid) $soc->fetch($object->socid);
if (! empty($conf->global->MAIN_USE_JQUERY_JEDITABLE)) include(DOL_DOCUMENT_ROOT.'/core/tpl/ajaxeditinplace.tpl.php');
if (! empty($conf->global->MAIN_USE_JQUERY_JEDITABLE) && $user->rights->deplacement->creer)
{
include(DOL_DOCUMENT_ROOT.'/core/tpl/ajaxeditinplace.tpl.php');
}
print '<table class="border" width="100%">';
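Review bot: The `$user->rights->deplacement->creer` test added on the `if (! empty($conf->global->MAIN_USE_JQUERY_JEDITABLE) && ...)` line only decides whether the jeditable template is included in the page, so it hides the inline editor from users without the right but does not restrict what the AJAX endpoints will accept; the authorization that matters has to be enforced in `loadinplace.php`/`saveinplace.php`, and this check should be read as a UI convenience only. When the module's rights are not loaded, `$user->rights->deplacement->creer` dereferences an undefined property chain; a guard such as `! empty($user->rights->deplacement->creer)` treats a missing right as denied without producing a notice. The enclosing `else if ($id)` block starts before this hunk, so the rest of its branch is not visible here.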


@ -25,7 +25,7 @@ if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1');
if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1');
if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1');
if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1');
if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1');
//if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1');
require('../../main.inc.php');
require_once(DOL_DOCUMENT_ROOT."/core/class/genericobject.class.php");
@ -39,11 +39,26 @@ top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
// Load original field value
if((isset($_GET['field']) && ! empty($_GET['field'])) && (isset($_GET['table_element']) && ! empty($_GET['table_element'])) && (isset($_GET['fk_element']) && ! empty($_GET['fk_element'])))
if((isset($_GET['field']) && ! empty($_GET['field']))
&& (isset($_GET['element']) && ! empty($_GET['element']))
&& (isset($_GET['table_element']) && ! empty($_GET['table_element']))
&& (isset($_GET['fk_element']) && ! empty($_GET['fk_element'])))
{
$object = new GenericObject($db);
$ret=$object->getValueFrom($_GET['table_element'], $_GET['fk_element'], $_GET['field']);
echo $ret;
$element = GETPOST('element');
$table_element = GETPOST('table_element');
$field = GETPOST('field');
$fk_element = GETPOST('fk_element');
if ($user->rights->$element->lire || $user->rights->$element->read)
{
$object = new GenericObject($db);
$ret=$object->getValueFrom($table_element, $fk_element, $field);
echo $ret;
}
else
{
echo $langs->trans('NotEnoughPermissions');
}
}
?>
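Review bot: The new permission check on the `if ($user->rights->$element->lire || $user->rights->$element->read)` line is keyed on `element`, a request parameter that is independent of `table_element`, so the caller picks which module's read right is tested while `getValueFrom` reads whatever table and column they name; a user with read access to any one module can use this endpoint to read a field of any other. The table and the permission node should be resolved server-side from `element` through a fixed map, and `table_element` should not be accepted from the request at all. `fk_element` and `field` are passed to `getValueFrom` as raw strings; unless that method quotes them itself (not visible here), cast the id with `(int)` and restrict `field` to identifier characters before the call, and since `$ret` is echoed unescaped, wrap it in `htmlspecialchars` if the response is rendered into HTML. With an arbitrary `element`, `$user->rights->$element->lire` also dereferences a missing property chain, so `! empty(...)` around the right keeps a bogus value from producing a notice. The single map entry below is the deplacement card this commit wires up; confirm its table name against the class before relying on it.
```php
$element    = GETPOST('element');
$field      = GETPOST('field');
$fk_element = (int) GETPOST('fk_element');

// Resolve table and permission node from the element name on the server;
// the client must not choose the table the right is checked against.
$editable = array(
    'deplacement' => array('table' => 'deplacement', 'perm' => 'deplacement'),
);
if (! isset($editable[$element]) || $fk_element <= 0 || ! preg_match('/^[a-z0-9_]+$/i', $field))
{
    echo $langs->trans('NotEnoughPermissions');
}
else
{
    $perm = $editable[$element]['perm'];
    if (! empty($user->rights->$perm->lire) || ! empty($user->rights->$perm->read))
    {
        $object = new GenericObject($db);
        $ret = $object->getValueFrom($editable[$element]['table'], $fk_element, $field);
        echo htmlspecialchars($ret, ENT_QUOTES);
    }
    else
    {
        echo $langs->trans('NotEnoughPermissions');
    }
}
```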


@ -40,22 +40,39 @@ top_httphead();
//var_dump($_POST);
// Load original field value
if((isset($_POST['field']) && ! empty($_POST['field'])) && (isset($_POST['table_element']) && ! empty($_POST['table_element'])) && (isset($_POST['fk_element']) && ! empty($_POST['fk_element'])))
if((isset($_POST['field']) && ! empty($_POST['field']))
&& (isset($_POST['element']) && ! empty($_POST['element']))
&& (isset($_POST['table_element']) && ! empty($_POST['table_element']))
&& (isset($_POST['fk_element']) && ! empty($_POST['fk_element'])))
{
$object = new GenericObject($db);
$element = GETPOST('element');
$table_element = GETPOST('table_element');
$field = GETPOST('field');
$fk_element = GETPOST('fk_element');
$value = GETPOST('value');
$type = GETPOST('type');
// Clean parameters
$value = trim($_POST['value']);
if ($_POST['type'] == 'numeric')
if ($user->rights->$element->creer || $user->rights->$element->write)
{
$value = price2num($value);
$object = new GenericObject($db);
// Check parameters
if (! is_numeric($value)) $value = 0;
}
$ret=$object->setValueFrom($_POST['table_element'], $_POST['fk_element'], $_POST['field'], $value);
if ($ret > 0) echo (! empty($value) ? dol_nl2br($value) : '&nbsp;');
// Clean parameters
$value = trim($value);
if ($type == 'numeric')
{
$value = price2num($value);
// Check parameters
if (! is_numeric($value)) $value = 0;
}
$ret=$object->setValueFrom($table_element, $fk_element, $field, $value);
if ($ret > 0) echo (! empty($value) ? dol_nl2br($value) : '&nbsp;');
}
else
{
echo $langs->trans('NotEnoughPermissions');
}
}
?>
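Review bot: The write-permission check on the `if ($user->rights->$element->creer || $user->rights->$element->write)` line tests the module named by the `element` parameter, but the update on the `setValueFrom($table_element, $fk_element, $field, $value)` line writes to whatever `table_element` and `field` the same request names, so write access to any single module is enough to update a column in any table. As in the load endpoint, `element` should select a server-side map entry that fixes both the table and the permission node, `fk_element` should be cast to `int`, and `field` should be restricted to identifier characters before reaching `setValueFrom` (whether that method quotes its arguments is not visible here). The response echoes `dol_nl2br($value)`, which reflects the submitted text back to the browser; unless `dol_nl2br` escapes HTML, pass the value through `htmlspecialchars` first. This is a state-changing POST endpoint with no request token, so presumably it is as exposed to cross-site request forgery as the rest of the application; worth noting if a token mechanism exists. The `if` that opens this hunk closes at the visible `}` before `?>`, so the rewrite below covers the whole handler.
```php
$element    = GETPOST('element');
$field      = GETPOST('field');
$fk_element = (int) GETPOST('fk_element');
$value      = GETPOST('value');
$type       = GETPOST('type');

// Table and permission node come from a fixed map keyed by element,
// never from the request, so the checked right matches the table written.
$editable = array(
    'deplacement' => array('table' => 'deplacement', 'perm' => 'deplacement'),
);
if (! isset($editable[$element]) || $fk_element <= 0 || ! preg_match('/^[a-z0-9_]+$/i', $field))
{
    echo $langs->trans('NotEnoughPermissions');
}
else
{
    $perm = $editable[$element]['perm'];
    if (! empty($user->rights->$perm->creer) || ! empty($user->rights->$perm->write))
    {
        $object = new GenericObject($db);
        // … unchanged: trim / price2num / is_numeric cleaning of $value …
        $ret = $object->setValueFrom($editable[$element]['table'], $fk_element, $field, $value);
        if ($ret > 0) echo (! empty($value) ? dol_nl2br(htmlspecialchars($value, ENT_QUOTES)) : '&nbsp;');
    }
    else
    {
        echo $langs->trans('NotEnoughPermissions');
    }
}
```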


@ -32,11 +32,13 @@ $(document).ready(function() {
loadurl : '<?php echo DOL_URL_ROOT.'/core/ajax/loadinplace.php'; ?>',
loaddata : {
type: 'textarea',
element: "<?php echo $object->element; ?>",
table_element: "<?php echo $object->table_element; ?>",
fk_element: "<?php echo $object->id; ?>"
},
submitdata : {
type: 'textarea',
element: "<?php echo $object->element; ?>",
table_element: "<?php echo $object->table_element; ?>",
fk_element: "<?php echo $object->id; ?>"
}
@ -52,11 +54,13 @@ $(document).ready(function() {
loadurl : '<?php echo DOL_URL_ROOT.'/core/ajax/loadinplace.php'; ?>',
loaddata : {
type: 'text',
element: "<?php echo $object->element; ?>",
table_element: "<?php echo $object->table_element; ?>",
fk_element: "<?php echo $object->id; ?>"
},
submitdata : {
type: 'text',
element: "<?php echo $object->element; ?>",
table_element: "<?php echo $object->table_element; ?>",
fk_element: "<?php echo $object->id; ?>"
}
@ -72,11 +76,13 @@ $(document).ready(function() {
loadurl : '<?php echo DOL_URL_ROOT.'/core/ajax/loadinplace.php'; ?>',
loaddata : {
type: 'numeric',
element: "<?php echo $object->element; ?>",
table_element: "<?php echo $object->table_element; ?>",
fk_element: "<?php echo $object->id; ?>"
},
submitdata : {
type: 'numeric',
element: "<?php echo $object->element; ?>",
table_element: "<?php echo $object->table_element; ?>",
fk_element: "<?php echo $object->id; ?>"
}