lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix tooltip for linkto object.

Browse Source 
Fix security of ajax selectobject.php
This commit is contained in:
Laurent Destailleur 2020-09-19 00:44:47 +02:00
parent 63bc3aa48a
commit f62d52f89a
6 changed files with 14 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
htdocs/core/ajax/selectobject.php
View File

@ -75,9 +75,10 @@ if (!is_object($objecttmp))
}
// When used from jQuery, the search term is added as GET param "term".
$searchkey = (($id && GETPOST($id, 'alpha')) ?GETPOST($id, 'alpha') : (($htmlname && GETPOST($htmlname, 'alpha')) ?GETPOST($htmlname, 'alpha') : ''));
$searchkey = (($id && GETPOST($id, 'alpha')) ? GETPOST($id, 'alpha') : (($htmlname && GETPOST($htmlname, 'alpha')) ? GETPOST($htmlname, 'alpha') : ''));
// TODO Add a security test to avoid to get content of all tables
// Add a security test to avoid to get content of all tables
restrictedArea($user, $objecttmp->element, $id);
$arrayresult = $form->selectForFormsList($objecttmp, $htmlname, '', 0, $searchkey, '', '', '', 0, 1);

1
htdocs/core/class/html.form.class.php
View File

@ -5782,6 +5782,7 @@ class Form
/**
* Generic method to select a component from a combo list.
* Can use autocomplete with ajax after x key pressed or a full combo, depending on setup.
* This is the generic method that will replace all specific existing methods.
*
* @param string $objectdesc ObjectClass:PathToClass[:AddCreateButtonOrNot[:Filter]]

2
htdocs/core/lib/security.lib.php
View File

@ -194,6 +194,8 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
if ($features == 'member') $features = 'adherent';
if ($features == 'subscription') { $features = 'adherent'; $feature2 = 'cotisation'; };
if ($features == 'websitepage') { $features = 'website'; $tableandshare = 'website_page'; $parentfortableentity = 'fk_website@website'; }
if ($features == 'project') $features = 'projet';
if ($features == 'product') $features = 'produit';
// Get more permissions checks from hooks
$parameters = array('features'=>$features, 'objectid'=>$objectid, 'idtype'=>$dbt_select);

6
htdocs/core/tpl/admin_extrafields_add.tpl.php
View File

@ -37,6 +37,8 @@ if (empty($conf) || !is_object($conf))
$langs->load("modulebuilder");
$listofexamplesforlink = 'Societe:societe/class/societe.class.php<br>Contact:contact/class/contact.class.php<br>Product:product/class/product.class.php<br>Project:projet/class/project.class.php';
?>
<!-- BEGIN PHP TEMPLATE admin_extrafields_add.tpl.php -->
@ -168,7 +170,7 @@ $langs->load("modulebuilder");
<span id="helpselect" class="spanforparamtooltip"><?php print $form->textwithpicto('', $langs->trans("ExtrafieldParamHelpselect"), 1, 0, '', 0, 2, 'helpvalue1')?></span>
<span id="helpsellist" class="spanforparamtooltip"><?php print $form->textwithpicto('', $langs->trans("ExtrafieldParamHelpsellist"), 1, 0, '', 0, 2, 'helpvalue2')?></span>
<span id="helpchkbxlst" class="spanforparamtooltip"><?php print $form->textwithpicto('', $langs->trans("ExtrafieldParamHelpchkbxlst"), 1, 0, '', 0, 2, 'helpvalue3')?></span>
<span id="helplink" class="spanforparamtooltip"><?php print $form->textwithpicto('', $langs->trans("ExtrafieldParamHelplink"), 1, 0, '', 0, 2, 'helpvalue4')?></span>
<span id="helplink" class="spanforparamtooltip"><?php print $form->textwithpicto('', $langs->trans("ExtrafieldParamHelplink").'<br><br>'.$langs->trans("Examples").':<br>'.$listofexamplesforlink, 1, 0, '', 0, 2, 'helpvalue4')?></span>
<span id="helppassword" class="spanforparamtooltip"><?php print $form->textwithpicto('', $langs->trans("ExtrafieldParamHelpPassword"), 1, 0, '', 0, 2, 'helpvalue5')?></span>
<span id="helpseparate" class="spanforparamtooltip"><?php print $form->textwithpicto('', $langs->trans("ExtrafieldParamHelpSeparator"), 1, 0, '', 0, 2, 'helpvalue6')?></span>
</td></tr>
@ -176,7 +178,7 @@ $langs->load("modulebuilder");
</td>
</tr>
<!-- Position -->
<tr><td class="titlefield"><?php echo $langs->trans("Position"); ?></td><td class="valeur"><input type="text" name="pos" size="5" value="<?php echo GETPOSTISSET('pos') ?GETPOST('pos', 'int') : 100; ?>"></td></tr>
<tr><td class="titlefield"><?php echo $langs->trans("Position"); ?></td><td class="valeur"><input type="text" name="pos" size="5" value="<?php echo GETPOSTISSET('pos') ? GETPOST('pos', 'int') : 100; ?>"></td></tr>
<!-- Language file -->
<tr><td class="titlefield"><?php echo $langs->trans("LanguageFile"); ?></td><td class="valeur"><input type="text" id="langfile" name="langfile" class="minwidth200" value="<?php echo dol_escape_htmltag(GETPOST('langfile', 'alpha')); ?>"></td></tr>
<!-- Computed Value -->

4
htdocs/core/tpl/admin_extrafields_edit.tpl.php
View File

@ -36,6 +36,8 @@ if (empty($conf) || !is_object($conf))
$langs->load("modulebuilder");
$listofexamplesforlink = 'Societe:societe/class/societe.class.php<br>Contact:contact/class/contact.class.php<br>Product:product/class/product.class.php<br>Project:projet/class/project.class.php<br>...';
?>
<!-- BEGIN PHP TEMPLATE admin_extrafields_edit.tpl.php -->
@ -245,7 +247,7 @@ if (in_array($type, array_keys($typewecanchangeinto)))
<span id="helpselect" class="spanforparamtooltip"><?php print $form->textwithpicto('', $langs->trans("ExtrafieldParamHelpselect"), 1, 0, '', 0, 2, 'helpvalue1')?></span>
<span id="helpsellist" class="spanforparamtooltip"><?php print $form->textwithpicto('', $langs->trans("ExtrafieldParamHelpsellist"), 1, 0, '', 0, 2, 'helpvalue2')?></span>
<span id="helpchkbxlst" class="spanforparamtooltip"><?php print $form->textwithpicto('', $langs->trans("ExtrafieldParamHelpchkbxlst"), 1, 0, '', 0, 2, 'helpvalue3')?></span>
<span id="helplink" class="spanforparamtooltip"><?php print $form->textwithpicto('', $langs->trans("ExtrafieldParamHelplink"), 1, 0, '', 0, 2, 'helpvalue4')?></span>
<span id="helplink" class="spanforparamtooltip"><?php print $form->textwithpicto('', $langs->trans("ExtrafieldParamHelplink").'<br><br>'.$langs->trans("Examples").':<br>'.$listofexamplesforlink, 1, 0, '', 0, 2, 'helpvalue4')?></span>
<span id="helppassword" class="spanforparamtooltip"><?php print $form->textwithpicto('', $langs->trans("ExtrafieldParamHelpPassword"), 1, 0, '', 0, 2, 'helpvalue5')?></span>
<span id="helpseparate" class="spanforparamtooltip"><?php print $form->textwithpicto('', $langs->trans("ExtrafieldParamHelpSeparator"), 1, 0, '', 0, 2, 'helpvalue6')?></span>
</td></tr>

2
htdocs/langs/en_US/admin.lang
View File

@ -440,7 +440,7 @@ ExtrafieldParamHelpcheckbox=List of values must be lines with format key,value (
ExtrafieldParamHelpradio=List of values must be lines with format key,value (where key can't be '0')<br><br> for example: <br>1,value1<br>2,value2<br>3,value3<br>...
ExtrafieldParamHelpsellist=List of values comes from a table<br>Syntax: table_name:label_field:id_field::filter<br>Example: c_typent:libelle:id::filter<br><br>- idfilter is necessarly a primary int key<br>- filter can be a simple test (eg active=1) to display only active value<br>You can also use $ID$ in filter witch is the current id of current object<br>To do a SELECT in filter use $SEL$<br>if you want to filter on extrafields use syntax extra.fieldcode=... (where field code is the code of extrafield)<br><br>In order to have the list depending on another complementary attribute list:<br>c_typent:libelle:id:options_<i>parent_list_code</i>|parent_column:filter <br><br>In order to have the list depending on another list:<br>c_typent:libelle:id:<i>parent_list_code</i>|parent_column:filter
ExtrafieldParamHelpchkbxlst=List of values comes from a table<br>Syntax: table_name:label_field:id_field::filter<br>Example: c_typent:libelle:id::filter<br><br>filter can be a simple test (eg active=1) to display only active value<br>You can also use $ID$ in filter witch is the current id of current object<br>To do a SELECT in filter use $SEL$<br>if you want to filter on extrafields use syntax extra.fieldcode=... (where field code is the code of extrafield)<br><br>In order to have the list depending on another complementary attribute list:<br>c_typent:libelle:id:options_<i>parent_list_code</i>|parent_column:filter <br><br>In order to have the list depending on another list:<br>c_typent:libelle:id:<i>parent_list_code</i>|parent_column:filter
ExtrafieldParamHelplink=Parameters must be ObjectName:Classpath<br>Syntax: ObjectName:Classpath<br>Examples:<br>Societe:societe/class/societe.class.php<br>Contact:contact/class/contact.class.php
ExtrafieldParamHelplink=Parameters must be ObjectName:Classpath<br>Syntax: ObjectName:Classpath
ExtrafieldParamHelpSeparator=Keep empty for a simple separator<br>Set this to 1 for a collapsing separator (open by default for new session, then status is kept for each user session)<br>Set this to 2 for a collapsing separator (collapsed by default for new session, then status is kept fore each user session)
LibraryToBuildPDF=Library used for PDF generation
LocalTaxDesc=Some countries may apply two or three taxes on each invoice line. If this is the case, choose the type for the second and third tax and its rate. Possible type are:<br>1: local tax apply on products and services without vat (localtax is calculated on amount without tax)<br>2: local tax apply on products and services including vat (localtax is calculated on amount + main tax)<br>3: local tax apply on products without vat (localtax is calculated on amount without tax)<br>4: local tax apply on products including vat (localtax is calculated on amount + main vat)<br>5: local tax apply on services without vat (localtax is calculated on amount without tax)<br>6: local tax apply on services including vat (localtax is calculated on amount + tax)