From f2f1eaa95e9ceb8f8d89fb0726d2e3407511053c Mon Sep 17 00:00:00 2001
From: Dorian Vabre
Date: Tue, 27 Apr 2021 16:01:01 +0200
Subject: [PATCH] wip
---
 .../attendee_subscription.php | 28 +++++++++++--------
 htdocs/public/project/index.php | 28 +++++++++----------
 2 files changed, 30 insertions(+), 26 deletions(-)
diff --git a/htdocs/public/eventorganization/attendee_subscription.php b/htdocs/public/eventorganization/attendee_subscription.php
index 4940f5965fe..7a377a7121a 100644
--- a/htdocs/public/eventorganization/attendee_subscription.php
+++ b/htdocs/public/eventorganization/attendee_subscription.php
@@ -374,15 +374,15 @@ if (empty($reshook) && $action == 'add') {
 $valid = true;
 $sourcetouse = 'conferencesubscription';
 $reftouse = $facture->id;
- $redirection = $dolibarr_main_url_root.'/public/payment/newpayment.php?source='.$sourcetouse.'&ref='.$reftouse;
+ $redirection = $dolibarr_main_url_root . '/public/payment/newpayment.php?source=' . $sourcetouse . '&ref=' . $reftouse;
 if (!empty($conf->global->PAYMENT_SECURITY_TOKEN)) {
 if (!empty($conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE)) {
- $redirection .= '&securekey='.dol_hash($conf->global->PAYMENT_SECURITY_TOKEN . $sourcetouse . $reftouse, 2); // Use the source in the hash to avoid duplicates if the references are identical
+ $redirection .= '&securekey=' . dol_hash($conf->global->PAYMENT_SECURITY_TOKEN . $sourcetouse . $reftouse, 2); // Use the source in the hash to avoid duplicates if the references are identical
 } else {
- $redirection .= '&securekey='.$conf->global->PAYMENT_SECURITY_TOKEN;
+ $redirection .= '&securekey=' . $conf->global->PAYMENT_SECURITY_TOKEN;
 }
 }
- Header("Location: ".$redirection);
+ Header("Location: " . $redirection);
 exit;
 }
 }
@@ -392,8 +392,8 @@ if (empty($reshook) && $action == 'add') {
 $confattendee->setStatut(1);
 // Sending mail
- require_once DOL_DOCUMENT_ROOT.'/core/class/CMailFile.class.php';
- include_once DOL_DOCUMENT_ROOT.'/core/class/html.formmail.class.php';
+ require_once DOL_DOCUMENT_ROOT . '/core/class/CMailFile.class.php';
+ include_once DOL_DOCUMENT_ROOT . '/core/class/html.formmail.class.php';
 $formmail = new FormMail($db);
 // Set output language
 $outputlangs = new Translate('', $conf);
@@ -410,7 +410,7 @@ if (empty($reshook) && $action == 'add') {
 if (!empty($labeltouse) && is_object($arraydefaultmessage) && $arraydefaultmessage->id > 0) {
 $subject = $arraydefaultmessage->topic;
- $msg = $arraydefaultmessage->content;
+ $msg = $arraydefaultmessage->content;
 }
 $substitutionarray = getCommonSubstitutionArray($outputlangs, 0, null, $thirdparty);
@@ -429,19 +429,23 @@ if (empty($reshook) && $action == 'add') {
 $result = $mailfile->sendfile();
 if ($result) {
- dol_syslog("EMail sent to ".$sendto, LOG_DEBUG, 0, '_payment');
+ dol_syslog("EMail sent to " . $sendto, LOG_DEBUG, 0, '_payment');
 } else {
- dol_syslog("Failed to send EMail to ".$sendto, LOG_ERR, 0, '_payment');
+ dol_syslog("Failed to send EMail to " . $sendto, LOG_ERR, 0, '_payment');
 }
 $encodedid = dol_encode($id, $dolibarr_main_instance_unique_id);
- $securekeyurl = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'conferenceorbooth'.$id, 2);
- $redirection = $dolibarr_main_url_root.'/public/eventorganization/subscriptionok.php?id='.$encodedid.'&securekey='.$securekeyurl;
- Header("Location: ".$redirection);
+ $securekeyurl = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY . 'conferenceorbooth' . $id, 2);
+ $redirection = $dolibarr_main_url_root . '/public/eventorganization/subscriptionok.php?id=' . $encodedid . '&securekey=' . $securekeyurl;
+ Header("Location: " . $redirection);
 exit;
 }
 //Header("Location: ".$urlback);
 //exit;
+ }
+
+ if (!$error) {
+ $db->commit();
 } else {
 $db->rollback();
 }
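Review bot: The new `if (!$error) { $db->commit(); }` at the end of the `@@ -429,19 +429,23 @@` hunk is placed after the success path that calls `Header("Location: " . $redirection); exit;`, so on a successful subscription the request ends before the commit is reached and, unless a `$db->commit()` precedes the redirect outside the hunk, the attendee record written in this transaction is lost when the connection closes. The same ordering is in htdocs/public/project/index.php at the hunk starting `@@ -494,14 +491,17 @@`, where the redirect and `exit;` also precede the moved commit. Committing on the `!$error` path before the mail/redirect block, or adding `$db->commit();` immediately before that `exit;`, would fix both places. The enclosing `if (empty($reshook) && $action == 'add')` block and the matching `$db->begin()` (presumably) start outside the hunk, so I cannot confirm from here whether an earlier commit exists.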
diff --git a/htdocs/public/project/index.php b/htdocs/public/project/index.php
index 7eb7f263a16..bbfe55a6522 100644
--- a/htdocs/public/project/index.php
+++ b/htdocs/public/project/index.php
@@ -100,16 +100,12 @@ if ($resultproject < 0) {
 $errmsg .= $project->error;
 }
-// Getting 'securekey'.'id' from Post and decoding it
-$encodedsecurekeyandid = GETPOST('securekey', 'alpha');
-$securekeyandid = dol_decode($encodedsecurekeyandid, $dolibarr_main_instance_unique_id);
+// Security check
+$id = dol_decode($encodedid, $dolibarr_main_instance_unique_id);
+$securekeyreceived = GETPOST("securekey");
+$securekeytocompare = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'conferenceorbooth'.$id, 2);
-// Securekey decomposition into pure securekey and id added at the end
-$securekey = substr($securekeyandid, 0, strlen($securekeyandid)-strlen($encodedid));
-$idgotfromsecurekey = dol_decode(substr($securekeyandid, -strlen($encodedid), strlen($encodedid)), $dolibarr_main_instance_unique_id);
-
-// We check if the securekey collected is OK and if the id collected is the same than the id in the securekey
-if ($securekey != $conf->global->EVENTORGANIZATION_SECUREKEY || $idgotfromsecurekey != $id) {
+if ($securekeytocompare != $securekeyreceived) {
 print $langs->trans('MissingOrBadSecureKey');
 exit;
 }
@@ -377,12 +373,13 @@ if (empty($reshook) && $action == 'add') {
 $conforbooth->fk_soc = $thirdparty->id;
 $conforbooth->fk_project = $project->id;
 $conforbooth->note = $note;
- //$conforbooth->fk_action =
+ $conforbooth->fk_action = 63;
 $conforbooth->datep =$datestart;
 $conforbooth->datep2 = $dateend;
 $conforbooth->datec = dol_now();
 $conforbooth->tms = dol_now();
 $resultconforbooth = $conforbooth->create($user);
+ var_dump($conforbooth);
 if ($resultconforbooth<=0) {
 $error++;
 $errmsg .= $conforbooth->error;
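Review bot: The rewritten secure-key check `if ($securekeytocompare != $securekeyreceived)` compares a hash with a loose operator, so two hash strings that both look numeric (digits with an `e` in a hex digest, for example) are compared as numbers, and the comparison short-circuits on the first differing byte rather than running in constant time. `hash_equals()` handles both concerns: `if (!hash_equals((string) $securekeytocompare, (string) $securekeyreceived)) {`. The replaced line read the parameter as `GETPOST('securekey', 'alpha')` while the new `GETPOST("securekey")` drops the explicit check type, so `$securekeyreceived = GETPOST('securekey', 'alpha');` keeps the input filtered as it was before. `$encodedid` is read before this hunk, so whether `dol_decode` can yield an empty `$id` here cannot be judged from the hunk alone.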
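Review bot: `var_dump($conforbooth);` in the `@@ -377,12 +373,13 @@` hunk dumps the whole object into the response of a public page, likely including the database handle it was constructed with, and should not survive the commit (the subject says wip); `$resultconforbooth` and `$conforbooth->error` on the following lines already carry what the code needs. The new `$conforbooth->fk_action = 63;` replaces a commented-out assignment with an unexplained literal that looks like an action type id, so resolving it from the type code, or at least documenting it with `// TODO confirm: action type id expected for conference/booth creation`, would avoid a silently wrong value on another installation. The enclosing `if (empty($reshook) && $action == 'add')` block starts outside the hunk.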
@@ -494,14 +491,17 @@ if (empty($reshook) && $action == 'add') {
 dol_syslog("Failed to send EMail to ".$sendto, LOG_ERR, 0, '_payment');
 }
- $redirection = $dolibarr_main_url_root.'/public/eventorganization/subscriptionok.php?securekey='.dol_encode($conf->global->EVENTORGANIZATION_SECUREKEY, $dolibarr_main_instance_unique_id);
+ $encodedid = dol_encode($id, $dolibarr_main_instance_unique_id);
+ $securekeyurl = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'conferenceorbooth'.$id, 2);
+ $redirection = $dolibarr_main_url_root.'/public/eventorganization/subscriptionok.php?id='.$encodedid.'&securekey='.$securekeyurl;
 Header("Location: ".$redirection);
 exit;
 }
 }
-
- $db->commit();
 }
+ }
+ if (!$error) {
+ $db->commit();
 } else {
 $db->rollback();
 }
@@ -540,7 +540,7 @@ print '';
 print '';
 print '';
 print '';
-print '';
+print '';
 print '
';