diff --git a/ChangeLog b/ChangeLog
index d4a8b55625f..646c1314b1f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,7 @@ English Dolibarr ChangeLog
For users:
----------
+NEW: Several security issues after a second private bug bounty campaign.
For developers:
diff --git a/htdocs/adherents/card.php b/htdocs/adherents/card.php
index b75bce38ca9..9b4dbb0203d 100644
--- a/htdocs/adherents/card.php
+++ b/htdocs/adherents/card.php
@@ -84,12 +84,10 @@ if (!empty($canvas)) {
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
$hookmanager->initHooks(array('membercard', 'globalcard'));
-// Security check
-$result = restrictedArea($user, 'adherent', $id, '', '', 'socid', 'rowid', 0);
-
-if ($id > 0) {
+// Fetch object
+if ($id > 0 || !empty($ref)) {
// Load member
- $result = $object->fetch($id);
+ $result = $object->fetch($id, $ref);
// Define variables to know what current user can do on users
$canadduser = ($user->admin || $user->rights->user->user->creer);
@@ -97,9 +95,9 @@ if ($id > 0) {
if ($object->user_id) {
// $User is the user who edits, $object->user_id is the id of the related user in the edited member
$caneditfielduser = ((($user->id == $object->user_id) && $user->rights->user->self->creer)
- || (($user->id != $object->user_id) && $user->rights->user->user->creer));
+ || (($user->id != $object->user_id) && $user->rights->user->user->creer));
$caneditpassworduser = ((($user->id == $object->user_id) && $user->rights->user->self->password)
- || (($user->id != $object->user_id) && $user->rights->user->user->password));
+ || (($user->id != $object->user_id) && $user->rights->user->user->password));
}
}
@@ -110,6 +108,8 @@ if ($id) {
$caneditfieldmember = $user->rights->adherent->creer;
}
+// Security check
+$result = restrictedArea($user, 'adherent', $object->id, '', '', 'socid', 'rowid', 0);
/*
diff --git a/htdocs/adherents/document.php b/htdocs/adherents/document.php
index 88e31ebffb6..c359f539547 100644
--- a/htdocs/adherents/document.php
+++ b/htdocs/adherents/document.php
@@ -42,9 +42,6 @@ $ref = GETPOST('ref', 'alphanohtml');
$action = GETPOST('action', 'aZ09');
$confirm = GETPOST('confirm', 'alpha');
-// Security check
-$result = restrictedArea($user, 'adherent', $id);
-
// Get parameters
$limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
$sortfield = GETPOST("sortfield", 'alpha');
@@ -63,8 +60,6 @@ if (!$sortfield) {
$sortfield = "name";
}
-
-$form = new Form($db);
$object = new Adherent($db);
$membert = new AdherentType($db);
$result = $object->fetch($id, $ref);
@@ -74,6 +69,33 @@ if ($result < 0) {
}
$upload_dir = $conf->adherent->dir_output."/".get_exdir(0, 0, 0, 1, $object, 'member');
+// Fetch object
+if ($id > 0 || !empty($ref)) {
+ // Load member
+ $result = $object->fetch($id, $ref);
+
+ // Define variables to know what current user can do on users
+ $canadduser = ($user->admin || $user->rights->user->user->creer);
+ // Define variables to know what current user can do on properties of user linked to edited member
+ if ($object->user_id) {
+ // $User is the user who edits, $object->user_id is the id of the related user in the edited member
+ $caneditfielduser = ((($user->id == $object->user_id) && $user->rights->user->self->creer)
+ || (($user->id != $object->user_id) && $user->rights->user->user->creer));
+ $caneditpassworduser = ((($user->id == $object->user_id) && $user->rights->user->self->password)
+ || (($user->id != $object->user_id) && $user->rights->user->user->password));
+ }
+}
+
+// Define variables to determine what the current user can do on the members
+$canaddmember = $user->rights->adherent->creer;
+// Define variables to determine what the current user can do on the properties of a member
+if ($id) {
+ $caneditfieldmember = $user->rights->adherent->creer;
+}
+
+// Security check
+$result = restrictedArea($user, 'adherent', $object->id, '', '', 'socid', 'rowid', 0);
+
/*
* Actions
diff --git a/htdocs/adherents/htpasswd.php b/htdocs/adherents/htpasswd.php
index a1c105bd192..e1f580a3656 100644
--- a/htdocs/adherents/htpasswd.php
+++ b/htdocs/adherents/htpasswd.php
@@ -26,7 +26,16 @@
require '../main.inc.php';
require_once DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php';
+$status = GETPOST('status', 'int');
+$cotis = GETPOST('cotis', 'int');
+
+$sortfield = GETPOST('sortfield', 'alphanohtml');
+$sortorder = GETPOST('sortorder', 'aZ09');
+
// Security check
+if (empty($conf->adherent->enabled)) {
+ accessforbidden();
+}
if (!$user->rights->adherent->export) {
accessforbidden();
}
@@ -46,19 +55,10 @@ if (empty($sortorder)) {
if (empty($sortfield)) {
$sortfield = "d.login";
}
-if (!isset($statut)) {
- $statut = 1;
-}
-
-if (!isset($cotis)) {
- // by default, members must be up to date of subscription
- $cotis = 1;
-}
-
$sql = "SELECT d.login, d.pass, d.datefin";
$sql .= " FROM ".MAIN_DB_PREFIX."adherent as d ";
-$sql .= " WHERE d.statut = ".$statut;
+$sql .= " WHERE d.statut = ".((int) $status);
if ($cotis == 1) {
$sql .= " AND datefin > '".$db->idate($now)."'";
}
@@ -70,6 +70,7 @@ if ($resql) {
$num = $db->num_rows($resql);
$i = 0;
+ $param = '';
print_barre_liste($langs->trans("HTPasswordExport"), $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, '', 0);
print "
\n";
diff --git a/htdocs/adherents/ldap.php b/htdocs/adherents/ldap.php
index 89baf2f5ec5..44d5ee5399b 100644
--- a/htdocs/adherents/ldap.php
+++ b/htdocs/adherents/ldap.php
@@ -32,7 +32,8 @@ require_once DOL_DOCUMENT_ROOT.'/adherents/class/adherent_type.class.php';
// Load translation files required by the page
$langs->loadLangs(array("companies", "members", "ldap", "admin"));
-$rowid = GETPOST('id', 'int');
+$id = GETPOST('id', 'int');
+$ref = GETPOST('ref', 'alphanohtml');
$action = GETPOST('action', 'aZ09');
// Protection
@@ -42,12 +43,34 @@ if ($user->socid > 0) {
}
$object = new Adherent($db);
-$result = $object->fetch($rowid);
-if (!$result) {
- dol_print_error($db, "Failed to get adherent: ".$object->error);
- exit;
+
+// Fetch object
+if ($id > 0 || !empty($ref)) {
+ // Load member
+ $result = $object->fetch($id, $ref);
+
+ // Define variables to know what current user can do on users
+ $canadduser = ($user->admin || $user->rights->user->user->creer);
+ // Define variables to know what current user can do on properties of user linked to edited member
+ if ($object->user_id) {
+ // $User is the user who edits, $object->user_id is the id of the related user in the edited member
+ $caneditfielduser = ((($user->id == $object->user_id) && $user->rights->user->self->creer)
+ || (($user->id != $object->user_id) && $user->rights->user->user->creer));
+ $caneditpassworduser = ((($user->id == $object->user_id) && $user->rights->user->self->password)
+ || (($user->id != $object->user_id) && $user->rights->user->user->password));
+ }
}
+// Define variables to determine what the current user can do on the members
+$canaddmember = $user->rights->adherent->creer;
+// Define variables to determine what the current user can do on the properties of a member
+if ($id) {
+ $caneditfieldmember = $user->rights->adherent->creer;
+}
+
+// Security check
+$result = restrictedArea($user, 'adherent', $object->id, '', '', 'socid', 'rowid', 0);
+
/*
* Actions
diff --git a/htdocs/adherents/note.php b/htdocs/adherents/note.php
index 26fec04a5e6..91946094a9a 100644
--- a/htdocs/adherents/note.php
+++ b/htdocs/adherents/note.php
@@ -33,9 +33,7 @@ $langs->loadLangs(array("companies", "members", "bills"));
$action = GETPOST('action', 'aZ09');
$id = GETPOST('id', 'int');
-
-// Security check
-$result = restrictedArea($user, 'adherent', $id);
+$ref = GETPOST('ref', 'alphanohtml');
$object = new Adherent($db);
$result = $object->fetch($id);
@@ -46,6 +44,34 @@ if ($result > 0) {
$permissionnote = $user->rights->adherent->creer; // Used by the include of actions_setnotes.inc.php
+// Fetch object
+if ($id > 0 || !empty($ref)) {
+ // Load member
+ $result = $object->fetch($id, $ref);
+
+ // Define variables to know what current user can do on users
+ $canadduser = ($user->admin || $user->rights->user->user->creer);
+ // Define variables to know what current user can do on properties of user linked to edited member
+ if ($object->user_id) {
+ // $User is the user who edits, $object->user_id is the id of the related user in the edited member
+ $caneditfielduser = ((($user->id == $object->user_id) && $user->rights->user->self->creer)
+ || (($user->id != $object->user_id) && $user->rights->user->user->creer));
+ $caneditpassworduser = ((($user->id == $object->user_id) && $user->rights->user->self->password)
+ || (($user->id != $object->user_id) && $user->rights->user->user->password));
+ }
+}
+
+// Define variables to determine what the current user can do on the members
+$canaddmember = $user->rights->adherent->creer;
+// Define variables to determine what the current user can do on the properties of a member
+if ($id) {
+ $caneditfieldmember = $user->rights->adherent->creer;
+}
+
+// Security check
+$result = restrictedArea($user, 'adherent', $object->id, '', '', 'socid', 'rowid', 0);
+
+
/*
* Actions
*/
diff --git a/htdocs/adherents/subscription.php b/htdocs/adherents/subscription.php
index ecc0e1cfe47..54729e5ba8a 100644
--- a/htdocs/adherents/subscription.php
+++ b/htdocs/adherents/subscription.php
@@ -42,7 +42,9 @@ $langs->loadLangs(array("companies", "bills", "members", "users", "mails", 'othe
$action = GETPOST('action', 'aZ09');
$confirm = GETPOST('confirm', 'alpha');
-$rowid = GETPOST('rowid', 'int') ?GETPOST('rowid', 'int') : GETPOST('id', 'int');
+$id = GETPOST('rowid', 'int') ?GETPOST('rowid', 'int') : GETPOST('id', 'int');
+$rowid = $id;
+$ref = GETPOST('ref', 'alphanohtml');
$typeid = GETPOST('typeid', 'int');
$cancel = GETPOST('cancel');
@@ -66,10 +68,6 @@ if (!$sortorder) {
$sortorder = "DESC";
}
-
-// Security check
-$result = restrictedArea($user, 'adherent', $rowid, '', 'cotisation');
-
$object = new Adherent($db);
$extrafields = new ExtraFields($db);
$adht = new AdherentType($db);
@@ -82,29 +80,6 @@ $errmsg = '';
$defaultdelay = 1;
$defaultdelayunit = 'y';
-if ($rowid) {
- // Load member
- $result = $object->fetch($rowid);
-
- // Define variables to know what current user can do on users
- $canadduser = ($user->admin || $user->rights->user->user->creer);
- // Define variables to know what current user can do on properties of user linked to edited member
- if ($object->user_id) {
- // $user is the user editing, $object->user_id is the user's id linked to the edited member
- $caneditfielduser = ((($user->id == $object->user_id) && $user->rights->user->self->creer)
- || (($user->id != $object->user_id) && $user->rights->user->user->creer));
- $caneditpassworduser = ((($user->id == $object->user_id) && $user->rights->user->self->password)
- || (($user->id != $object->user_id) && $user->rights->user->user->password));
- }
-}
-
-// Define variables to know what current user can do on members
-$canaddmember = $user->rights->adherent->creer;
-// Define variables to know what current user can do on properties of a member
-if ($rowid) {
- $caneditfieldmember = $user->rights->adherent->creer;
-}
-
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
$hookmanager->initHooks(array('subscription'));
@@ -117,6 +92,33 @@ $datefrom = 0;
$dateto = 0;
$paymentdate = -1;
+// Fetch object
+if ($id > 0 || !empty($ref)) {
+ // Load member
+ $result = $object->fetch($id, $ref);
+
+ // Define variables to know what current user can do on users
+ $canadduser = ($user->admin || $user->rights->user->user->creer);
+ // Define variables to know what current user can do on properties of user linked to edited member
+ if ($object->user_id) {
+ // $User is the user who edits, $object->user_id is the id of the related user in the edited member
+ $caneditfielduser = ((($user->id == $object->user_id) && $user->rights->user->self->creer)
+ || (($user->id != $object->user_id) && $user->rights->user->user->creer));
+ $caneditpassworduser = ((($user->id == $object->user_id) && $user->rights->user->self->password)
+ || (($user->id != $object->user_id) && $user->rights->user->user->password));
+ }
+}
+
+// Define variables to determine what the current user can do on the members
+$canaddmember = $user->rights->adherent->creer;
+// Define variables to determine what the current user can do on the properties of a member
+if ($id) {
+ $caneditfieldmember = $user->rights->adherent->creer;
+}
+
+// Security check
+$result = restrictedArea($user, 'adherent', $object->id, '', '', 'socid', 'rowid', 0);
+
/*
* Actions
diff --git a/htdocs/adherents/vcard.php b/htdocs/adherents/vcard.php
index a53cacd2212..902206c7874 100644
--- a/htdocs/adherents/vcard.php
+++ b/htdocs/adherents/vcard.php
@@ -30,71 +30,100 @@ require_once DOL_DOCUMENT_ROOT.'/adherents/class/adherent.class.php';
require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php';
require_once DOL_DOCUMENT_ROOT.'/core/class/vcard.class.php';
-$adherent = new adherent($db);
-
-
$id = GETPOST('id', 'int');
+$ref = GETPOST('ref', 'alphanohtml');
+
+$object = new adherent($db);
+
+// Fetch object
+if ($id > 0 || !empty($ref)) {
+ // Load member
+ $result = $object->fetch($id, $ref);
+
+ // Define variables to know what current user can do on users
+ $canadduser = ($user->admin || $user->rights->user->user->creer);
+ // Define variables to know what current user can do on properties of user linked to edited member
+ if ($object->user_id) {
+ // $User is the user who edits, $object->user_id is the id of the related user in the edited member
+ $caneditfielduser = ((($user->id == $object->user_id) && $user->rights->user->self->creer)
+ || (($user->id != $object->user_id) && $user->rights->user->user->creer));
+ $caneditpassworduser = ((($user->id == $object->user_id) && $user->rights->user->self->password)
+ || (($user->id != $object->user_id) && $user->rights->user->user->password));
+ }
+}
+
+// Define variables to determine what the current user can do on the members
+$canaddmember = $user->rights->adherent->creer;
+// Define variables to determine what the current user can do on the properties of a member
+if ($id) {
+ $caneditfieldmember = $user->rights->adherent->creer;
+}
// Security check
-$result = restrictedArea($user, 'adherent', $id, '', '', 'socid', 'rowid', $objcanvas);
+$result = restrictedArea($user, 'adherent', $object->id, '', '', 'socid', 'rowid', 0);
-$result = $adherent->fetch($id);
-if ($result <= 0) {
- dol_print_error($adherent->error);
- exit;
-}
+/*
+ * Actions
+ */
-$physicalperson = 1;
+// None
+
+
+/*
+ * View
+ */
$company = new Societe($db);
-if ($adherent->socid) {
- $result = $company->fetch($adherent->socid);
+if ($object->socid) {
+ $result = $company->fetch($object->socid);
}
+
+
// We create VCard
$v = new vCard();
$v->setProdId('Dolibarr '.DOL_VERSION);
-$v->setUid('DOLIBARR-ADHERENTID-'.$adherent->id);
-$v->setName($adherent->lastname, $adherent->firstname, "", $adherent->civility, "");
-$v->setFormattedName($adherent->getFullName($langs, 1));
+$v->setUid('DOLIBARR-ADHERENTID-'.$object->id);
+$v->setName($object->lastname, $object->firstname, "", $object->civility, "");
+$v->setFormattedName($object->getFullName($langs, 1));
-$v->setPhoneNumber($adherent->phone_pro, "TYPE=WORK;VOICE");
-//$v->setPhoneNumber($adherent->phone_perso,"TYPE=HOME;VOICE");
-$v->setPhoneNumber($adherent->phone_mobile, "TYPE=CELL;VOICE");
-$v->setPhoneNumber($adherent->fax, "TYPE=WORK;FAX");
+$v->setPhoneNumber($object->phone_pro, "TYPE=WORK;VOICE");
+//$v->setPhoneNumber($object->phone_perso,"TYPE=HOME;VOICE");
+$v->setPhoneNumber($object->phone_mobile, "TYPE=CELL;VOICE");
+$v->setPhoneNumber($object->fax, "TYPE=WORK;FAX");
-$country = $adherent->country_code ? $adherent->country : '';
+$country = $object->country_code ? $object->country : '';
-$v->setAddress("", "", $adherent->address, $adherent->town, $adherent->state, $adherent->zip, $country, "TYPE=WORK;POSTAL");
-$v->setLabel("", "", $adherent->address, $adherent->town, $adherent->state, $adherent->zip, $country, "TYPE=WORK");
+$v->setAddress("", "", $object->address, $object->town, $object->state, $object->zip, $country, "TYPE=WORK;POSTAL");
+$v->setLabel("", "", $object->address, $object->town, $object->state, $object->zip, $country, "TYPE=WORK");
-$v->setEmail($adherent->email);
-$v->setNote($adherent->note_public);
-$v->setTitle($adherent->poste);
+$v->setEmail($object->email);
+$v->setNote($object->note_public);
+$v->setTitle($object->poste);
// Data from linked company
if ($company->id) {
$v->setURL($company->url, "TYPE=WORK");
- if (!$adherent->phone_pro) {
+ if (!$object->phone_pro) {
$v->setPhoneNumber($company->phone, "TYPE=WORK;VOICE");
}
- if (!$adherent->fax) {
+ if (!$object->fax) {
$v->setPhoneNumber($company->fax, "TYPE=WORK;FAX");
}
- if (!$adherent->zip) {
+ if (!$object->zip) {
$v->setAddress("", "", $company->address, $company->town, $company->state, $company->zip, $company->country, "TYPE=WORK;POSTAL");
}
// when company e-mail is empty, use only adherent e-mail
if (empty(trim($company->email))) {
// was set before, don't set twice
- } elseif (empty(trim($adherent->email))) {
+ } elseif (empty(trim($object->email))) {
// when adherent e-mail is empty, use only company e-mail
$v->setEmail($company->email);
- } elseif (strtolower(end(explode("@", $adherent->email))) == strtolower(end(explode("@", $company->email)))) {
+ } elseif (strtolower(end(explode("@", $object->email))) == strtolower(end(explode("@", $company->email)))) {
// when e-mail domain of adherent and company are the same, use adherent e-mail at first (and company e-mail at second)
- $v->setEmail($adherent->email);
+ $v->setEmail($object->email);
// support by Microsoft Outlook (2019 and possible earlier)
$v->setEmail($company->email, 'INTERNET');
@@ -103,7 +132,7 @@ if ($company->id) {
$v->setEmail($company->email);
// support by Microsoft Outlook (2019 and possible earlier)
- $v->setEmail($adherent->email, 'INTERNET');
+ $v->setEmail($object->email, 'INTERNET');
}
// Si adherent lie a un tiers non de type "particulier"
@@ -113,9 +142,9 @@ if ($company->id) {
}
// Personal informations
-$v->setPhoneNumber($adherent->phone_perso, "TYPE=HOME;VOICE");
-if ($adherent->birth) {
- $v->setBirthday($adherent->birth);
+$v->setPhoneNumber($object->phone_perso, "TYPE=HOME;VOICE");
+if ($object->birth) {
+ $v->setBirthday($object->birth);
}
$db->close();
diff --git a/htdocs/comm/propal/card.php b/htdocs/comm/propal/card.php
index cecb4fff28a..3844373328d 100644
--- a/htdocs/comm/propal/card.php
+++ b/htdocs/comm/propal/card.php
@@ -1387,7 +1387,7 @@ if (empty($reshook)) {
} elseif ($action == 'swapstatut') {
// Toggle the status of a contact
if ($object->fetch($id) > 0) {
- $result = $object->swapContactStatus(GETPOST('ligne'));
+ $result = $object->swapContactStatus(GETPOST('ligne', 'int'));
} else {
dol_print_error($db);
}
diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php
index 3674356af20..0460caf21f5 100644
--- a/htdocs/comm/propal/class/propal.class.php
+++ b/htdocs/comm/propal/class/propal.class.php
@@ -3843,7 +3843,7 @@ class PropaleLigne extends CommonObjectLine
$sql .= ' pd.date_start, pd.date_end, pd.product_type';
$sql .= ' FROM '.MAIN_DB_PREFIX.'propaldet as pd';
$sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product as p ON pd.fk_product = p.rowid';
- $sql .= ' WHERE pd.rowid = '.$rowid;
+ $sql .= ' WHERE pd.rowid = '.((int) $rowid);
$result = $this->db->query($sql);
if ($result) {
diff --git a/htdocs/comm/propal/contact.php b/htdocs/comm/propal/contact.php
index 60d3836cfcb..3bbe232be6e 100644
--- a/htdocs/comm/propal/contact.php
+++ b/htdocs/comm/propal/contact.php
@@ -93,7 +93,7 @@ if ($action == 'addcontact' && $user->rights->propale->creer) {
} elseif ($action == 'swapstatut' && $user->rights->propale->creer) {
// Toggle the status of a contact
if ($object->id > 0) {
- $result = $object->swapContactStatus(GETPOST('ligne'));
+ $result = $object->swapContactStatus(GETPOST('ligne', 'int'));
}
} elseif ($action == 'deletecontact' && $user->rights->propale->creer) {
// Deletes a contact
diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php
index 453abff36b2..f5ac2ebae7a 100644
--- a/htdocs/comm/propal/list.php
+++ b/htdocs/comm/propal/list.php
@@ -843,31 +843,31 @@ if ($resql) {
if ($user->rights->societe->client->voir || $socid) {
$langs->load("commercial");
$moreforfilter .= '';
- $moreforfilter .= $langs->trans('ThirdPartiesOfSaleRepresentative').': ';
- $moreforfilter .= $formother->select_salesrepresentatives($search_sale, 'search_sale', $user, 0, 1, 'maxwidth200');
+ $tmptitle = $langs->trans('ThirdPartiesOfSaleRepresentative');
+ $moreforfilter .= img_picto($tmptitle, 'user', 'class="pictofixedwidth"').$formother->select_salesrepresentatives($search_sale, 'search_sale', $user, 0, $tmptitle, 'maxwidth250');
$moreforfilter .= '
';
}
// If the user can view prospects other than his'
if ($user->rights->societe->client->voir || $socid) {
$moreforfilter .= '';
- $moreforfilter .= $langs->trans('LinkedToSpecificUsers').': ';
- $moreforfilter .= $form->select_dolusers($search_user, 'search_user', 1, '', 0, '', '', 0, 0, 0, '', 0, '', 'maxwidth200');
+ $tmptitle = $langs->trans('LinkedToSpecificUsers');
+ $moreforfilter .= img_picto($tmptitle, 'user', 'class="pictofixedwidth"').$form->select_dolusers($search_user, 'search_user', $tmptitle, '', 0, '', '', 0, 0, 0, '', 0, '', 'maxwidth250');
$moreforfilter .= '
';
}
// If the user can view products
if (!empty($conf->categorie->enabled) && $user->rights->categorie->lire && ($user->rights->produit->lire || $user->rights->service->lire)) {
include_once DOL_DOCUMENT_ROOT.'/categories/class/categorie.class.php';
$moreforfilter .= '';
- $moreforfilter .= $langs->trans('IncludingProductWithTag').': ';
+ $tmptitle = $langs->trans('IncludingProductWithTag');
$cate_arbo = $form->select_all_categories(Categorie::TYPE_PRODUCT, null, 'parent', null, null, 1);
- $moreforfilter .= $form->selectarray('search_product_category', $cate_arbo, $search_product_category, 1, 0, 0, '', 0, 0, 0, 0, 'maxwidth300', 1);
+ $moreforfilter .= img_picto($tmptitle, 'category', 'class="pictofixedwidth"').$form->selectarray('search_product_category', $cate_arbo, $search_product_category, $tmptitle, 0, 0, '', 0, 0, 0, 0, 'maxwidth300', 1);
$moreforfilter .= '
';
}
if (!empty($conf->categorie->enabled) && $user->rights->categorie->lire) {
require_once DOL_DOCUMENT_ROOT.'/categories/class/categorie.class.php';
$moreforfilter .= '';
- $moreforfilter .= $langs->trans('CustomersProspectsCategoriesShort').': ';
- $moreforfilter .= $formother->select_categories('customer', $search_categ_cus, 'search_categ_cus', 1);
+ $tmptitle = $langs->trans('CustomersProspectsCategoriesShort');
+ $moreforfilter .= img_picto($tmptitle, 'category', 'class="pictofixedwidth"').$formother->select_categories('customer', $search_categ_cus, 'search_categ_cus', 1, $tmptitle);
$moreforfilter .= '
';
}
$parameters = array();
diff --git a/htdocs/comm/prospect/recap-prospect.php b/htdocs/comm/prospect/recap-prospect.php
index 655dda87d0d..4656574fb47 100644
--- a/htdocs/comm/prospect/recap-prospect.php
+++ b/htdocs/comm/prospect/recap-prospect.php
@@ -33,7 +33,7 @@ if (!empty($conf->facture->enabled)) {
}
// Security check
-$socid = $_GET["socid"];
+$socid = GETPOST("socid", 'int');
if ($user->socid > 0) {
$action = '';
$socid = $user->socid;
diff --git a/htdocs/commande/card.php b/htdocs/commande/card.php
index a46e7df6b75..8e0dc91756c 100644
--- a/htdocs/commande/card.php
+++ b/htdocs/commande/card.php
@@ -1370,7 +1370,7 @@ if (empty($reshook)) {
} elseif ($action == 'swapstatut') {
// bascule du statut d'un contact
if ($object->id > 0) {
- $result = $object->swapContactStatus(GETPOST('ligne'));
+ $result = $object->swapContactStatus(GETPOST('ligne', 'int'));
} else {
dol_print_error($db);
}
diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php
index 14fc65cf18d..ea97dcbf233 100644
--- a/htdocs/commande/class/commande.class.php
+++ b/htdocs/commande/class/commande.class.php
@@ -4126,7 +4126,7 @@ class OrderLine extends CommonOrderLine
$sql .= ' cd.date_start, cd.date_end';
$sql .= ' FROM '.MAIN_DB_PREFIX.'commandedet as cd';
$sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product as p ON cd.fk_product = p.rowid';
- $sql .= ' WHERE cd.rowid = '.$rowid;
+ $sql .= ' WHERE cd.rowid = '.((int) $rowid);
$result = $this->db->query($sql);
if ($result) {
$objp = $this->db->fetch_object($result);
diff --git a/htdocs/commande/contact.php b/htdocs/commande/contact.php
index 0a576707e73..5e11c5cb030 100644
--- a/htdocs/commande/contact.php
+++ b/htdocs/commande/contact.php
@@ -75,14 +75,14 @@ if ($action == 'addcontact' && $user->rights->commande->creer) {
} elseif ($action == 'swapstatut' && $user->rights->commande->creer) {
// bascule du statut d'un contact
if ($object->fetch($id)) {
- $result = $object->swapContactStatus(GETPOST('ligne'));
+ $result = $object->swapContactStatus(GETPOST('ligne', 'int'));
} else {
dol_print_error($db);
}
} elseif ($action == 'deletecontact' && $user->rights->commande->creer) {
// Efface un contact
$object->fetch($id);
- $result = $object->delete_contact($_GET["lineid"]);
+ $result = $object->delete_contact(GETPOST("lineid", 'int'));
if ($result >= 0) {
header("Location: ".$_SERVER['PHP_SELF']."?id=".$object->id);
diff --git a/htdocs/compta/bank/bankentries_list.php b/htdocs/compta/bank/bankentries_list.php
index 22121fa7664..965e0f6c94b 100644
--- a/htdocs/compta/bank/bankentries_list.php
+++ b/htdocs/compta/bank/bankentries_list.php
@@ -211,7 +211,6 @@ if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter.x'
$search_thirdparty_user = '';
$search_num_releve = '';
$search_conciliated = '';
- $thirdparty = '';
$search_account = "";
if ($id > 0 || !empty($ref)) {
@@ -992,9 +991,9 @@ if ($resql) {
// Bank line
$moreforfilter .= '';
- $moreforfilter .= $langs->trans('RubriquesTransactions').' : ';
+ $tmptitle = $langs->trans('RubriquesTransactions');
$cate_arbo = $form->select_all_categories(Categorie::TYPE_BANK_LINE, $search_bid, 'parent', null, null, 1);
- $moreforfilter .= $form->selectarray('search_bid', $cate_arbo, $search_bid, 1, 0, 0, '', 0, 0, 0, '', '', 1);
+ $moreforfilter .= img_picto($tmptitle, 'category', 'class="pictofixedwidth"').$form->selectarray('search_bid', $cate_arbo, $search_bid, $tmptitle, 0, 0, '', 0, 0, 0, '', '', 1);
$moreforfilter .= '
';
}
}
@@ -1561,12 +1560,12 @@ if ($resql) {
// Debit
if (!empty($arrayfields['b.debit']['checked'])) {
- print '';
+ print ' | ';
if ($objp->amount < 0) {
print price($objp->amount * -1);
$totalarray['totaldeb'] += $objp->amount;
}
- print " | \n";
+ print "\n";
if (!$i) {
$totalarray['nbfield']++;
}
@@ -1577,12 +1576,12 @@ if ($resql) {
// Credit
if (!empty($arrayfields['b.credit']['checked'])) {
- print '';
+ print ' | ';
if ($objp->amount > 0) {
print price($objp->amount);
$totalarray['totalcred'] += $objp->amount;
}
- print " | \n";
+ print "\n";
if (!$i) {
$totalarray['nbfield']++;
}
@@ -1717,9 +1716,9 @@ if ($resql) {
print ''.$langs->trans("Totalforthispage").' | ';
}
} elseif ($totalarray['totaldebfield'] == $i) {
- print ''.price(-1 * $totalarray['totaldeb']).' | ';
+ print ''.price(-1 * $totalarray['totaldeb']).' | ';
} elseif ($totalarray['totalcredfield'] == $i) {
- print ''.price($totalarray['totalcred']).' | ';
+ print ''.price($totalarray['totalcred']).' | ';
} elseif ($i == $posconciliatecol) {
print '';
if ($user->rights->banque->consolidate && $action == 'reconcile') {
diff --git a/htdocs/compta/bank/budget.php b/htdocs/compta/bank/budget.php
index d3ffbb37916..3e40e45b58e 100644
--- a/htdocs/compta/bank/budget.php
+++ b/htdocs/compta/bank/budget.php
@@ -82,8 +82,8 @@ if ($result) {
print ' | ';
print "| rowid\">$objp->label | ";
print ''.$objp->nombre.' | ';
- print ''.price(abs($objp->somme))." | ";
- print ''.price(abs(price2num($objp->somme / $objp->nombre, 'MT')))." | ";
+ print ''.price(abs($objp->somme))." | ";
+ print ''.price(abs(price2num($objp->somme / $objp->nombre, 'MT')))." | ";
print "
";
$i++;
$total += abs($objp->somme);
diff --git a/htdocs/compta/bank/releve.php b/htdocs/compta/bank/releve.php
index be91d475d4d..dc71a1d2d27 100644
--- a/htdocs/compta/bank/releve.php
+++ b/htdocs/compta/bank/releve.php
@@ -346,7 +346,7 @@ if (empty($numref)) {
$balancestart[$objp->numr] = $obj->amount;
$db->free($resql);
}
- print ''.price($balancestart[$objp->numr], '', $langs, 1, -1, -1, $conf->currency).' | ';
+ print ''.price($balancestart[$objp->numr], '', $langs, 1, -1, -1, $conf->currency).' | ';
// Calculate end amount
$sql = "SELECT sum(b.amount) as amount";
@@ -359,7 +359,7 @@ if (empty($numref)) {
$content[$objp->numr] = $obj->amount;
$db->free($resql);
}
- print ''.price(($balancestart[$objp->numr] + $content[$objp->numr]), '', $langs, 1, -1, -1, $conf->currency).' | ';
+ print ''.price(($balancestart[$objp->numr] + $content[$objp->numr]), '', $langs, 1, -1, -1, $conf->currency).' | ';
print '';
if ($user->rights->banque->consolidate && $action != 'editbankreceipt') {
diff --git a/htdocs/compta/bank/various_payment/list.php b/htdocs/compta/bank/various_payment/list.php
index 65542598351..dcc1f4aef97 100644
--- a/htdocs/compta/bank/various_payment/list.php
+++ b/htdocs/compta/bank/various_payment/list.php
@@ -671,7 +671,7 @@ if ($result) {
if ($arrayfields['debit']['checked']) {
print ' | ';
if ($obj->sens == 0) {
- print price($obj->amount);
+ print ''.price($obj->amount).'';
$totalarray['val']['total_deb'] += $obj->amount;
}
if (!$i) {
@@ -687,7 +687,7 @@ if ($result) {
if ($arrayfields['credit']['checked']) {
print ' | ';
if ($obj->sens == 1) {
- print price($obj->amount);
+ print ''.price($obj->amount).'';
$totalarray['val']['total_cred'] += $obj->amount;
}
if (!$i) {
diff --git a/htdocs/compta/cashcontrol/cashcontrol_list.php b/htdocs/compta/cashcontrol/cashcontrol_list.php
index 3b97b967208..79ac1e1b708 100644
--- a/htdocs/compta/cashcontrol/cashcontrol_list.php
+++ b/htdocs/compta/cashcontrol/cashcontrol_list.php
@@ -31,14 +31,17 @@
//if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK','1'); // Do not check CSRF attack (test on referer + on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on).
//if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Do not roll the Anti CSRF token (used if MAIN_SECURITY_CSRF_WITH_TOKEN is on)
//if (! defined('NOSTYLECHECK')) define('NOSTYLECHECK','1'); // Do not check style html tag into posted data
-//if (! defined('NOIPCHECK')) define('NOIPCHECK','1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
//if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1'); // If there is no need to load and show top and left menu
//if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1'); // If we don't need to load the html.form.class.php
//if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1'); // Do not load ajax.lib.php library
-//if (! defined("NOLOGIN")) define("NOLOGIN",'1'); // If this page is public (can be called outside logged session)
+//if (! defined("NOLOGIN")) define("NOLOGIN", '1'); // If this page is public (can be called outside logged session). This include the NOIPCHECK too.
+//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT','auto'); // Force lang to a particular value
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE','aloginmodule'); // Force authentication handler
//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN',1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
+//if (! defined("FORCECSP")) define('FORCECSP', 'none'); // Disable all Content Security Policies
+//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
+//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
require '../../main.inc.php';
require_once DOL_DOCUMENT_ROOT.'/compta/cashcontrol/class/cashcontrol.class.php';
@@ -66,7 +69,7 @@ $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
$sortfield = GETPOST('sortfield', 'aZ09comma');
$sortorder = GETPOST('sortorder', 'aZ09comma');
$page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
-if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) {
+if (empty($page) || $page < 0 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) {
$page = 0;
} // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action
$offset = $limit * $page;
@@ -83,11 +86,13 @@ $hookmanager->initHooks(array('cashcontrol')); // Note that conf->hooks_modules
// Fetch optionals attributes and labels
$extrafields->fetch_name_optionals_label($object->table_element);
+//$extrafields->fetch_name_optionals_label($object->table_element_line);
$search_array_options = $extrafields->getOptionalsFromPost($object->table_element, '', 'search_');
// Default sort order (if not yet defined by previous GETPOST)
if (!$sortfield) {
+ reset($object->fields); // Reset is required to avoid key() to return null.
$sortfield = "t.".key($object->fields); // Set here default search field. By default 1st field in definition.
}
if (!$sortorder) {
@@ -95,12 +100,16 @@ if (!$sortorder) {
}
// Initialize array of search criterias
-$search_all = GETPOST("search_all", 'alpha');
+$search_all = GETPOST('search_all', 'alphanohtml') ? GETPOST('search_all', 'alphanohtml') : GETPOST('sall', 'alphanohtml');
$search = array();
foreach ($object->fields as $key => $val) {
- if (GETPOST('search_'.$key, 'alpha')) {
+ if (GETPOST('search_'.$key, 'alpha') !== '') {
$search[$key] = GETPOST('search_'.$key, 'alpha');
}
+ if (preg_match('/^(date|timestamp|datetime)/', $val['type'])) {
+ $search[$key.'_dtstart'] = dol_mktime(0, 0, 0, GETPOST('search_'.$key.'_dtstartmonth', 'int'), GETPOST('search_'.$key.'_dtstartday', 'int'), GETPOST('search_'.$key.'_dtstartyear', 'int'));
+ $search[$key.'_dtend'] = dol_mktime(23, 59, 59, GETPOST('search_'.$key.'_dtendmonth', 'int'), GETPOST('search_'.$key.'_dtendday', 'int'), GETPOST('search_'.$key.'_dtendyear', 'int'));
+ }
}
// List of fields to search into when doing a "search in all"
@@ -161,6 +170,10 @@ if (empty($reshook)) {
if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter.x', 'alpha') || GETPOST('button_removefilter', 'alpha')) { // All tests are required to be compatible with all browsers
foreach ($object->fields as $key => $val) {
$search[$key] = '';
+ if (preg_match('/^(date|timestamp|datetime)/', $val['type'])) {
+ $search[$key.'_dtstart'] = '';
+ $search[$key.'_dtend'] = '';
+ }
}
$toselect = '';
$search_array_options = array();
@@ -198,9 +211,7 @@ $title = $langs->trans('CashControl');
// Build and execute select
// --------------------------------------------------------------------
$sql = 'SELECT ';
-foreach ($object->fields as $key => $val) {
- $sql .= 't.'.$key.', ';
-}
+$sql .= $object->getFieldList('t');
// Add fields from extrafields
if (!empty($extrafields->attributes[$object->table_element]['label'])) {
foreach ($extrafields->attributes[$object->table_element]['label'] as $key => $val) {
@@ -210,24 +221,48 @@ if (!empty($extrafields->attributes[$object->table_element]['label'])) {
// Add fields from hooks
$parameters = array();
$reshook = $hookmanager->executeHooks('printFieldListSelect', $parameters, $object); // Note that $action and $object may have been modified by hook
-$sql .= $hookmanager->resPrint;
-$sql = preg_replace('/, $/', '', $sql);
+$sql .= preg_replace('/^,/', '', $hookmanager->resPrint);
+$sql = preg_replace('/,\s*$/', '', $sql);
$sql .= " FROM ".MAIN_DB_PREFIX.$object->table_element." as t";
if (is_array($extrafields->attributes[$object->table_element]['label']) && count($extrafields->attributes[$object->table_element]['label'])) {
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX.$object->table_element."_extrafields as ef on (t.rowid = ef.fk_object)";
}
+// Add table from hooks
+$parameters = array();
+$reshook = $hookmanager->executeHooks('printFieldListFrom', $parameters, $object); // Note that $action and $object may have been modified by hook
+$sql .= $hookmanager->resPrint;
if ($object->ismultientitymanaged == 1) {
$sql .= " WHERE t.entity IN (".getEntity($object->element).")";
} else {
$sql .= " WHERE 1 = 1";
}
foreach ($search as $key => $val) {
- if ($key == 'status' && $search[$key] == -1) {
- continue;
- }
- $mode_search = (($object->isInt($object->fields[$key]) || $object->isFloat($object->fields[$key])) ? 1 : 0);
- if ($search[$key] != '') {
- $sql .= natural_search($key, $search[$key], (($key == 'status') ? 2 : $mode_search));
+ if (array_key_exists($key, $object->fields)) {
+ if ($key == 'status' && $search[$key] == -1) {
+ continue;
+ }
+ $mode_search = (($object->isInt($object->fields[$key]) || $object->isFloat($object->fields[$key])) ? 1 : 0);
+ if ((strpos($object->fields[$key]['type'], 'integer:') === 0) || (strpos($object->fields[$key]['type'], 'sellist:') === 0)) {
+ if ($search[$key] == '-1' || $search[$key] === '0') {
+ $search[$key] = '';
+ }
+ $mode_search = 2;
+ }
+ if ($search[$key] != '') {
+ $sql .= natural_search($key, $search[$key], (($key == 'status') ? 2 : $mode_search));
+ }
+ } else {
+ if (preg_match('/(_dtstart|_dtend)$/', $key) && $search[$key] != '') {
+ $columnName=preg_replace('/(_dtstart|_dtend)$/', '', $key);
+ if (preg_match('/^(date|timestamp|datetime)/', $object->fields[$columnName]['type'])) {
+ if (preg_match('/_dtstart$/', $key)) {
+ $sql .= " AND t." . $columnName . " >= '" . $db->idate($search[$key]) . "'";
+ }
+ if (preg_match('/_dtend$/', $key)) {
+ $sql .= " AND t." . $columnName . " <= '" . $db->idate($search[$key]) . "'";
+ }
+ }
+ }
}
}
if ($search_all) {
@@ -241,20 +276,20 @@ $reshook = $hookmanager->executeHooks('printFieldListWhere', $parameters, $objec
$sql .= $hookmanager->resPrint;
/* If a group by is required
- $sql.= " GROUP BY "
- foreach($object->fields as $key => $val)
- {
- $sql.='t.'.$key.', ';
- }
- // Add fields from extrafields
- if (! empty($extrafields->attributes[$object->table_element]['label'])) {
- foreach ($extrafields->attributes[$object->table_element]['label'] as $key => $val) $sql.=($extrafields->attributes[$object->table_element]['type'][$key] != 'separate' ? "ef.".$key.', ' : '');
- // Add where from hooks
- $parameters=array();
- $reshook=$hookmanager->executeHooks('printFieldListGroupBy',$parameters); // Note that $action and $object may have been modified by hook
- $sql.=$hookmanager->resPrint;
- $sql=preg_replace('/, $/','', $sql);
- */
+$sql.= " GROUP BY ";
+foreach($object->fields as $key => $val) {
+ $sql.='t.'.$key.', ';
+}
+// Add fields from extrafields
+if (! empty($extrafields->attributes[$object->table_element]['label'])) {
+ foreach ($extrafields->attributes[$object->table_element]['label'] as $key => $val) $sql.=($extrafields->attributes[$object->table_element]['type'][$key] != 'separate' ? "ef.".$key.', ' : '');
+}
+// Add where from hooks
+$parameters=array();
+$reshook=$hookmanager->executeHooks('printFieldListGroupBy',$parameters, $object); // Note that $action and $object may have been modified by hook
+$sql.=$hookmanager->resPrint;
+$sql=preg_replace('/,\s*$/','', $sql);
+*/
$sql .= $db->order($sortfield, $sortorder);
@@ -269,10 +304,12 @@ if (empty($conf->global->MAIN_DISABLE_FULL_SCANLIST)) {
}
}
// if total of record found is smaller than limit, no need to do paging and to restart another select with limits set.
-if (is_numeric($nbtotalofrecords) && $limit > $nbtotalofrecords) {
+if (is_numeric($nbtotalofrecords) && ($limit > $nbtotalofrecords || empty($limit))) {
$num = $nbtotalofrecords;
} else {
- $sql .= $db->plimit($limit + 1, $offset);
+ if ($limit) {
+ $sql .= $db->plimit($limit + 1, $offset);
+ }
$resql = $db->query($sql);
if (!$resql) {
@@ -284,10 +321,10 @@ if (is_numeric($nbtotalofrecords) && $limit > $nbtotalofrecords) {
}
// Direct jump if only one record found
-if ($num == 1 && !empty($conf->global->MAIN_SEARCH_DIRECT_OPEN_IF_ONLY_ONE) && $search_all) {
+if ($num == 1 && !empty($conf->global->MAIN_SEARCH_DIRECT_OPEN_IF_ONLY_ONE) && $search_all && !$page) {
$obj = $db->fetch_object($resql);
$id = $obj->rowid;
- header("Location: ".dol_buildpath('/compta/cashcontrol/cashcontrol_card.php', 1).'?id='.$id);
+ header("Location: ".DOL_URL_ROOT.'/compta/cashcontrol/cashcontrol_card.php?id='.$id);
exit;
}
@@ -295,7 +332,7 @@ if ($num == 1 && !empty($conf->global->MAIN_SEARCH_DIRECT_OPEN_IF_ONLY_ONE) && $
// Output page
// --------------------------------------------------------------------
-llxHeader('', $title, $help_url);
+llxHeader('', $title, $help_url, '', 0, 0, $morejs, $morecss, '', 'classforhorizontalscrolloftabs');
// Example : Adding jquery code
print ' |