From d9513da8de4670dc058f4949be65a63941146e6a Mon Sep 17 00:00:00 2001 From: Dorian Vabre Date: Mon, 12 Apr 2021 17:05:09 +0200 Subject: [PATCH 01/10] email now required in the attendee_subscription page, company name no longer required. Check on existing third party now depends on the email. todo: what if the name is empty? --- .../attendee_subscription.php | 25 +++++++++++-------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/htdocs/public/eventorganization/attendee_subscription.php b/htdocs/public/eventorganization/attendee_subscription.php index 800c6dc469d..bd655362a3d 100644 --- a/htdocs/public/eventorganization/attendee_subscription.php +++ b/htdocs/public/eventorganization/attendee_subscription.php @@ -77,6 +77,7 @@ $action = GETPOST('action', 'aZ09'); $key = 'DV3PH'; $id = dol_decode(GETPOST('id'), $key); +$email = GETPOST("email"); // Securekey check $securekey = GETPOST('securekey', 'alpha'); @@ -186,21 +187,24 @@ if (empty($reshook) && $action == 'add') { $error++; $errmsg .= $langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Email"))."
\n"; } - if (!GETPOST("societe")) { + /*if (!GETPOST("societe")) { $error++; $errmsg .= $langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Societe"))."
\n"; - } + }*/ if (GETPOST("email") && !isValidEmail(GETPOST("email"))) { $error++; $langs->load("errors"); $errmsg .= $langs->trans("ErrorBadEMail", GETPOST("email"))."
\n"; } + if (!GETPOST("country_id")) { + $error++; + $errmsg .= $langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Country"))."
\n"; + } if (!$error) { - // Vérifier si client existe + // Vérifier si client existe par l'email $thirdparty = new Societe($db); - $nomsociete = GETPOST("societe"); - $resultfetchthirdparty = $thirdparty->fetch('', $nomsociete); + $resultfetchthirdparty = $thirdparty->fetch('','','','','','','','','','',$email); if ($resultfetchthirdparty<0) { $error++; @@ -208,7 +212,7 @@ if (empty($reshook) && $action == 'add') { $readythirdparty = -1; } elseif ($resultfetchthirdparty==0) { // creation of a new thirdparty - $thirdparty->name = $nomsociete; + $thirdparty->name = GETPOST("societe"); $thirdparty->address = GETPOST("address"); $thirdparty->zip = GETPOST("zipcode"); $thirdparty->town = GETPOST("town"); @@ -216,6 +220,7 @@ if (empty($reshook) && $action == 'add') { $thirdparty->fournisseur = 0; $thirdparty->country_id = GETPOST("country_id", 'int'); $thirdparty->state_id = GETPOST("state_id", 'int'); + $thirdparty->email = $email; // Load object modCodeTiers $module = (!empty($conf->global->SOCIETE_CODECLIENT_ADDON) ? $conf->global->SOCIETE_CODECLIENT_ADDON : 'mod_codeclient_leopard'); @@ -331,8 +336,10 @@ jQuery(document).ready(function () { print ''."\n"; +// Email +print ''."\n"; // Company -print ''."\n"; +print ''."\n"; // Address print ''."\n"; @@ -343,7 +350,7 @@ print ' / '; print $formcompany->select_ziptown(GETPOST('town'), 'town', array('zipcode', 'selectcountry_id', 'state_id'), 0, 1); print ''; // Country -print ''; } -// Email -print ''."\n"; print "
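Review bot: The new lookup `$thirdparty->fetch('', '', '', '', '', '', '', '', '', '', $email)` attaches the registration to whichever existing third party already carries the submitted address, and nothing on this public page verifies that the submitter controls that address, so anyone who knows a customer's e-mail can register against that company's record (what is later done with `$thirdparty` lies outside the hunk, as does the rest of the `if (!$error)` block). `$email` is read in the earlier hunk as `GETPOST("email")` with no check type; unless this version's GETPOST already defaults to `alphanohtml`, make it `$email = GETPOST("email", 'alpha');` since the value is used in a lookup and stored on the new third party. If linking to an existing record is intended, the ownership of the address should be confirmed (for instance through the confirmation e-mail the module sends) rather than trusted from the form, or the registration should be recorded as a contact instead. The commit message's open "todo: what if the name is empty?" is worth resolving before this branch merges, since `$thirdparty->name` is now set from an optional field.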
'.$langs->trans("Email").' *
'.$langs->trans("Company").' *
'.$langs->trans("Company").'
'.$langs->trans("Address").''."\n"; print '
'.$langs->trans('Country').''; +print '
'.$langs->trans('Country').'*'.''; $country_id = GETPOST('country_id'); if (!$country_id && !empty($conf->global->MEMBER_NEWFORM_FORCECOUNTRYCODE)) { $country_id = getCountry($conf->global->MEMBER_NEWFORM_FORCECOUNTRYCODE, 2, $db, $langs); @@ -372,8 +379,6 @@ if (empty($conf->global->SOCIETE_DISABLE_STATE)) { } print '
'.$langs->trans("Email").' *
\n"; From 358a2bf36595e6e399d2d87dab4645f295c638db Mon Sep 17 00:00:00 2001 From: Dorian Vabre Date: Mon, 12 Apr 2021 17:10:57 +0200 Subject: [PATCH 02/10] hardcoded label put in ->trans --- htdocs/eventorganization/conferenceorbooth_card.php | 2 +- htdocs/langs/en_US/eventorganization.lang | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/eventorganization/conferenceorbooth_card.php b/htdocs/eventorganization/conferenceorbooth_card.php index 4f0720d11e3..87418402f2b 100644 --- a/htdocs/eventorganization/conferenceorbooth_card.php +++ b/htdocs/eventorganization/conferenceorbooth_card.php @@ -498,7 +498,7 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea $key = 'DV3PH'; $link_subscription .= dol_encode($id, $key); $link_subscription .= '&securekey='.urlencode($conf->global->EVENTORGANIZATION_SECUREKEY); - $object->fields['pubregister'] = array('type'=>'url', 'label'=>'Lien public d\'enregistrement à une conférence', 'enabled'=>'1', 'position'=>72, 'notnull'=>0, 'visible'=>1); + $object->fields['pubregister'] = array('type'=>'url', 'label'=>$langs->trans("PublicAttendeeSubscriptionPage"), 'enabled'=>'1', 'position'=>72, 'notnull'=>0, 'visible'=>1); $object->pubregister = $link_subscription; $keyforbreak='pubregister'; diff --git a/htdocs/langs/en_US/eventorganization.lang b/htdocs/langs/en_US/eventorganization.lang index 03fb460d6b9..e124d1254d8 100644 --- a/htdocs/langs/en_US/eventorganization.lang +++ b/htdocs/langs/en_US/eventorganization.lang @@ -19,7 +19,6 @@ ModuleEventOrganizationName = Event Organization EventOrganizationDescription = Event Organization through Module Project EventOrganizationDescriptionLong= Manage Event organization for conference, attendees, speaker, and attendees, with public subcription page - # # Menu # 
@@ -94,6 +93,7 @@ EvntOrgCancelled = Cancelled # # Public page # +PublicAttendeeSubscriptionPage = Public link of registration to a conference MissingOrBadSecureKey = The security key is invalid or missing EvntOrgWelcomeMessage = This form allows you to register as a new participant to the conference EvntOrgStartDuration = This conference starts on From 167da1445db543b44314cea657526bffb20bbc30 Mon Sep 17 00:00:00 2001 From: Dorian Vabre Date: Mon, 12 Apr 2021 17:16:24 +0200 Subject: [PATCH 03/10] securekey added in --- htdocs/admin/eventorganization.php | 2 +- htdocs/langs/en_US/eventorganization.lang | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/htdocs/admin/eventorganization.php b/htdocs/admin/eventorganization.php index 9338aa3a6dd..b6a964d8617 100644 --- a/htdocs/admin/eventorganization.php +++ b/htdocs/admin/eventorganization.php @@ -60,7 +60,7 @@ $arrayofparameters = array( 'EVENTORGANIZATION_TEMPLATE_EMAIL_AFT_SUBS_EVENT'=>array('type'=>'emailtemplate:eventorganization_send', 'enabled'=>1), 'EVENTORGANIZATION_TEMPLATE_EMAIL_BULK_SPEAKER'=>array('type'=>'emailtemplate:eventorganization_send', 'enabled'=>1), 'EVENTORGANIZATION_TEMPLATE_EMAIL_BULK_ATTENDES'=>array('type'=>'emailtemplate:eventorganization_send', 'enabled'=>1), - 'EVENTORGANIZATION_SECUREKEY'=>array('type'=>'securekey', 'enabled'=>1), + 'EVENTORGANIZATION_SECUREKEY'=>array('type'=>'securekey', 'enabled'=>1), ); $error = 0; diff --git a/htdocs/langs/en_US/eventorganization.lang b/htdocs/langs/en_US/eventorganization.lang index e124d1254d8..a9d31c1dbaf 100644 --- a/htdocs/langs/en_US/eventorganization.lang +++ b/htdocs/langs/en_US/eventorganization.lang @@ -81,6 +81,7 @@ PriceOfBoothHelp=Subscription price to stand a booth EventOrganizationICSLink=Link ICS for events ConferenceOrBoothInformation=Conference Or Booth informations Attendees = Attendees +EVENTORGANIZATION_SECUREKEY = Secure Key of the public registration link to a conference # # Status # 
From 7644174c4af4aeb166af1fea3154d4840dd86def Mon Sep 17 00:00:00 2001 From: Dorian Vabre Date: Mon, 12 Apr 2021 17:29:44 +0200 Subject: [PATCH 04/10] subscriptionok page addition --- .../eventorganization/subscriptionok.php | 163 ++++++++++++++++++ 1 file changed, 163 insertions(+) create mode 100644 htdocs/public/eventorganization/subscriptionok.php diff --git a/htdocs/public/eventorganization/subscriptionok.php b/htdocs/public/eventorganization/subscriptionok.php new file mode 100644 index 00000000000..50077099d51 --- /dev/null +++ b/htdocs/public/eventorganization/subscriptionok.php 
@@ -0,0 +1,163 @@ + + * Copyright (C) 2006-2013 Laurent Destailleur + * Copyright (C) 2012 Regis Houssin + * Copyright (C) 2021 Waël Almoman + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +/** + * \file htdocs/public/payment/paymentok.php + * \ingroup core + * \brief File to show page after a successful payment + * This page is called by payment system with url provided to it completed with parameter TOKEN=xxx + * This token can be used to get more informations. + */ + +if (!defined('NOLOGIN')) { + define("NOLOGIN", 1); // This means this output page does not require to be logged. +} +if (!defined('NOCSRFCHECK')) { + define("NOCSRFCHECK", 1); // We accept to go on this page from external web site. +} +if (!defined('NOIPCHECK')) { + define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip +} +if (!defined('NOBROWSERNOTIF')) { + define('NOBROWSERNOTIF', '1'); +} + +// For MultiCompany module. +// Do not use GETPOST here, function is not defined and define must be done before including main.inc.php +// TODO This should be useless. Because entity must be retrieve from object ref and not from url. +$entity = (!empty($_GET['e']) ? (int) $_GET['e'] : (!empty($_POST['e']) ? 
(int) $_POST['e'] : 1)); +if (is_numeric($entity)) { + define("DOLENTITY", $entity); +} + +require '../../main.inc.php'; +require_once DOL_DOCUMENT_ROOT.'/core/lib/company.lib.php'; +require_once DOL_DOCUMENT_ROOT.'/core/lib/payments.lib.php'; + +if (!empty($conf->paypal->enabled)) { + require_once DOL_DOCUMENT_ROOT.'/paypal/lib/paypal.lib.php'; + require_once DOL_DOCUMENT_ROOT.'/paypal/lib/paypalfunctions.lib.php'; +} + +$langs->loadLangs(array("main", "companies", "install", "other", "eventorganization")); + +$object = new stdClass(); // For triggers + +$error = 0; + + +/* + * Actions + */ + + + +/* + * View + */ + +$now = dol_now(); + +dol_syslog("Callback url when a payment was done. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"]) ?dol_escape_htmltag($_SERVER["QUERY_STRING"]) : '')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"]) ?dol_escape_htmltag($_SERVER["SCRIPT_URI"]) : ''), LOG_DEBUG, 0, '_payment'); + +$tracepost = ""; +foreach ($_POST as $k => $v) { + $tracepost .= "{$k} - {$v}\n"; +} +dol_syslog("POST=".$tracepost, LOG_DEBUG, 0, '_payment'); + +$head = ''; +if (!empty($conf->global->ONLINE_PAYMENT_CSS_URL)) { + $head = ''."\n"; +} + +$conf->dol_hide_topmenu = 1; +$conf->dol_hide_leftmenu = 1; + +$replacemainarea = (empty($conf->dol_hide_leftmenu) ? '
' : '').'
'; +llxHeader($head, $langs->trans("PaymentForm"), '', '', 0, 0, '', '', '', 'onlinepaymentbody', $replacemainarea); + + +// Show message +print ''."\n"; +print '
'."\n"; + + +// Show logo (search order: logo defined by PAYMENT_LOGO_suffix, then PAYMENT_LOGO, then small company logo, large company logo, theme logo, common logo) +// Define logo and logosmall +$logosmall = $mysoc->logo_small; +$logo = $mysoc->logo; +$paramlogo = 'ONLINE_PAYMENT_LOGO_'.$suffix; +if (!empty($conf->global->$paramlogo)) { + $logosmall = $conf->global->$paramlogo; +} elseif (!empty($conf->global->ONLINE_PAYMENT_LOGO)) { + $logosmall = $conf->global->ONLINE_PAYMENT_LOGO; +} +//print ''."\n"; +// Define urllogo +$urllogo = ''; +$urllogofull = ''; +if (!empty($logosmall) && is_readable($conf->mycompany->dir_output.'/logos/thumbs/'.$logosmall)) { + $urllogo = DOL_URL_ROOT.'/viewimage.php?modulepart=mycompany&entity='.$conf->entity.'&file='.urlencode('logos/thumbs/'.$logosmall); + $urllogofull = $dolibarr_main_url_root.'/viewimage.php?modulepart=mycompany&entity='.$conf->entity.'&file='.urlencode('logos/thumbs/'.$logosmall); +} elseif (!empty($logo) && is_readable($conf->mycompany->dir_output.'/logos/'.$logo)) { + $urllogo = DOL_URL_ROOT.'/viewimage.php?modulepart=mycompany&entity='.$conf->entity.'&file='.urlencode('logos/'.$logo); + $urllogofull = $dolibarr_main_url_root.'/viewimage.php?modulepart=mycompany&entity='.$conf->entity.'&file='.urlencode('logos/'.$logo); +} + +// Output html code for logo +if ($urllogo) { + print '
'; + print '
'; + print ''; + print '
'; + if (empty($conf->global->MAIN_HIDE_POWERED_BY)) { + print ''; + } + print '
'; +} + + +print '


'; + + +$fulltag = $FULLTAG; +$tmptag = dolExplodeIntoArray($fulltag, '.', '='); + + +dol_syslog("ispaymentok=".$ispaymentok." tmptag=".var_export($tmptag, true), LOG_DEBUG, 0, '_payment'); + +print $langs->trans("SubscriptionOk"); + +print "\n
\n"; + + +htmlPrintOnlinePaymentFooter($mysoc, $langs, 0, $suffix); + + +// Clean session variables to avoid duplicate actions if post is resent +unset($_SESSION["FinalPaymentAmt"]); +unset($_SESSION["TRANSACTIONID"]); + + +llxFooter('', 'public'); + +$db->close(); From caeb357aabc58c4f005f2273446fac764f888d67 Mon Sep 17 00:00:00 2001 From: Dorian Vabre Date: Tue, 13 Apr 2021 10:40:33 +0200 Subject: [PATCH 05/10] security improvement by adding id to securekey before encryption --- .../conferenceorbooth_card.php | 13 ++++++++---- .../attendee_subscription.php | 21 ++++++++++++++----- 2 files changed, 25 insertions(+), 9 deletions(-) diff --git a/htdocs/eventorganization/conferenceorbooth_card.php b/htdocs/eventorganization/conferenceorbooth_card.php index 87418402f2b..0f0027b663d 100644 --- a/htdocs/eventorganization/conferenceorbooth_card.php +++ b/htdocs/eventorganization/conferenceorbooth_card.php 
@@ -494,10 +494,15 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea //unset($object->fields['fk_project']); // Hide field already shown in banner //unset($object->fields['fk_soc']); // Hide field already shown in banner global $dolibarr_main_url_root; - $link_subscription = $dolibarr_main_url_root.'/public/eventorganization/attendee_subscription.php?id='; - $key = 'DV3PH'; - $link_subscription .= dol_encode($id, $key); - $link_subscription .= '&securekey='.urlencode($conf->global->EVENTORGANIZATION_SECUREKEY); + + $keyforid = 'DV3PH'; + $encodedid = dol_encode($id, $keyforid); + $link_subscription = $dolibarr_main_url_root.'/public/eventorganization/attendee_subscription.php?id='.$encodedid; + + $keyforsecurekey = 'CGLOO'; + $encodedsecurekey = dol_encode($conf->global->EVENTORGANIZATION_SECUREKEY.$id, $keyforsecurekey); + $link_subscription .= '&securekey='.urlencode($encodedsecurekey); + $object->fields['pubregister'] = array('type'=>'url', 'label'=>$langs->trans("PublicAttendeeSubscriptionPage"), 'enabled'=>'1', 'position'=>72, 'notnull'=>0, 'visible'=>1); $object->pubregister = $link_subscription; $keyforbreak='pubregister'; diff --git a/htdocs/public/eventorganization/attendee_subscription.php b/htdocs/public/eventorganization/attendee_subscription.php index bd655362a3d..fec49e6648d 100644 --- a/htdocs/public/eventorganization/attendee_subscription.php +++ b/htdocs/public/eventorganization/attendee_subscription.php 
@@ -75,13 +75,24 @@ $error = 0; $backtopage = GETPOST('backtopage', 'alpha'); $action = GETPOST('action', 'aZ09'); -$key = 'DV3PH'; -$id = dol_decode(GETPOST('id'), $key); $email = GETPOST("email"); -// Securekey check -$securekey = GETPOST('securekey', 'alpha'); -if ($securekey != $conf->global->EVENTORGANIZATION_SECUREKEY) { +// Getting id from Post and decoding it +$encodedid = GETPOST('id'); +$keyforid = 'DV3PH'; +$id = dol_decode($encodedid, $keyforid); + +// Getting 'securekey'.'id' from Post and decoding it +$encodedsecurekeyandid = GETPOST('securekey', 'alpha'); +$keyforsecurekey = 'CGLOO'; +$securekeyandid = dol_decode($encodedsecurekeyandid, $keyforsecurekey); + +// Securekey decomposition into pure securekey and id added at the end +$securekey = substr($securekeyandid, 0, strlen($securekeyandid)-strlen($id)); +$idgotfromsecurekey = substr($securekeyandid, -strlen($id), strlen($id)); + +// We check if the securekey collected is OK and if the id collected is the same than the id in the securekey +if ($securekey != $conf->global->EVENTORGANIZATION_SECUREKEY || $idgotfromsecurekey != $id) { print $langs->trans('MissingOrBadSecureKey'); exit; } From 0b4149cb91a97945b4e82a2a13be26b2026a88ad Mon Sep 17 00:00:00 2001 From: Dorian Vabre Date: Tue, 13 Apr 2021 10:43:23 +0200 Subject: [PATCH 06/10] removal of subscriptionok page, bad branch --- .../eventorganization/subscriptionok.php | 163 ------------------ 1 file changed, 163 deletions(-) delete mode 100644 htdocs/public/eventorganization/subscriptionok.php diff --git a/htdocs/public/eventorganization/subscriptionok.php b/htdocs/public/eventorganization/subscriptionok.php deleted file mode 100644 index 50077099d51..00000000000 --- a/htdocs/public/eventorganization/subscriptionok.php +++ /dev/null 
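Review bot: The final guard compares with loose `!=`, which is neither constant-time nor safe when `EVENTORGANIZATION_SECUREKEY` is unset: the decoded `$securekey` is then `''`, `'' != null` is false, and a request whose `securekey` parameter is simply `dol_encode($id, 'CGLOO')` passes both halves of the test — and with the keys hard-coded in this patch anyone can produce that value. Change the check to `if (empty($conf->global->EVENTORGANIZATION_SECUREKEY) || !hash_equals((string) $conf->global->EVENTORGANIZATION_SECUREKEY, (string) $securekey) || (string) $idgotfromsecurekey !== (string) $id) {`. Note also that the split point is `strlen($id)` where `$id` itself comes from the request, so a crafted `id` moves the cut; that is tolerable only because both halves must still match, which is another reason the comparison must be strict. The hard-coded `'DV3PH'`/`'CGLOO'` keys are replaced later in this series, so I am not raising them here.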
@@ -1,163 +0,0 @@ - - * Copyright (C) 2006-2013 Laurent Destailleur - * Copyright (C) 2012 Regis Houssin - * Copyright (C) 2021 Waël Almoman - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -/** - * \file htdocs/public/payment/paymentok.php - * \ingroup core - * \brief File to show page after a successful payment - * This page is called by payment system with url provided to it completed with parameter TOKEN=xxx - * This token can be used to get more informations. - */ - -if (!defined('NOLOGIN')) { - define("NOLOGIN", 1); // This means this output page does not require to be logged. -} -if (!defined('NOCSRFCHECK')) { - define("NOCSRFCHECK", 1); // We accept to go on this page from external web site. -} -if (!defined('NOIPCHECK')) { - define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip -} -if (!defined('NOBROWSERNOTIF')) { - define('NOBROWSERNOTIF', '1'); -} - -// For MultiCompany module. -// Do not use GETPOST here, function is not defined and define must be done before including main.inc.php -// TODO This should be useless. Because entity must be retrieve from object ref and not from url. -$entity = (!empty($_GET['e']) ? (int) $_GET['e'] : (!empty($_POST['e']) ? 
(int) $_POST['e'] : 1)); -if (is_numeric($entity)) { - define("DOLENTITY", $entity); -} - -require '../../main.inc.php'; -require_once DOL_DOCUMENT_ROOT.'/core/lib/company.lib.php'; -require_once DOL_DOCUMENT_ROOT.'/core/lib/payments.lib.php'; - -if (!empty($conf->paypal->enabled)) { - require_once DOL_DOCUMENT_ROOT.'/paypal/lib/paypal.lib.php'; - require_once DOL_DOCUMENT_ROOT.'/paypal/lib/paypalfunctions.lib.php'; -} - -$langs->loadLangs(array("main", "companies", "install", "other", "eventorganization")); - -$object = new stdClass(); // For triggers - -$error = 0; - - -/* - * Actions - */ - - - -/* - * View - */ - -$now = dol_now(); - -dol_syslog("Callback url when a payment was done. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"]) ?dol_escape_htmltag($_SERVER["QUERY_STRING"]) : '')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"]) ?dol_escape_htmltag($_SERVER["SCRIPT_URI"]) : ''), LOG_DEBUG, 0, '_payment'); - -$tracepost = ""; -foreach ($_POST as $k => $v) { - $tracepost .= "{$k} - {$v}\n"; -} -dol_syslog("POST=".$tracepost, LOG_DEBUG, 0, '_payment'); - -$head = ''; -if (!empty($conf->global->ONLINE_PAYMENT_CSS_URL)) { - $head = ''."\n"; -} - -$conf->dol_hide_topmenu = 1; -$conf->dol_hide_leftmenu = 1; - -$replacemainarea = (empty($conf->dol_hide_leftmenu) ? '
' : '').'
'; -llxHeader($head, $langs->trans("PaymentForm"), '', '', 0, 0, '', '', '', 'onlinepaymentbody', $replacemainarea); - - -// Show message -print ''."\n"; -print '
'."\n"; - - -// Show logo (search order: logo defined by PAYMENT_LOGO_suffix, then PAYMENT_LOGO, then small company logo, large company logo, theme logo, common logo) -// Define logo and logosmall -$logosmall = $mysoc->logo_small; -$logo = $mysoc->logo; -$paramlogo = 'ONLINE_PAYMENT_LOGO_'.$suffix; -if (!empty($conf->global->$paramlogo)) { - $logosmall = $conf->global->$paramlogo; -} elseif (!empty($conf->global->ONLINE_PAYMENT_LOGO)) { - $logosmall = $conf->global->ONLINE_PAYMENT_LOGO; -} -//print ''."\n"; -// Define urllogo -$urllogo = ''; -$urllogofull = ''; -if (!empty($logosmall) && is_readable($conf->mycompany->dir_output.'/logos/thumbs/'.$logosmall)) { - $urllogo = DOL_URL_ROOT.'/viewimage.php?modulepart=mycompany&entity='.$conf->entity.'&file='.urlencode('logos/thumbs/'.$logosmall); - $urllogofull = $dolibarr_main_url_root.'/viewimage.php?modulepart=mycompany&entity='.$conf->entity.'&file='.urlencode('logos/thumbs/'.$logosmall); -} elseif (!empty($logo) && is_readable($conf->mycompany->dir_output.'/logos/'.$logo)) { - $urllogo = DOL_URL_ROOT.'/viewimage.php?modulepart=mycompany&entity='.$conf->entity.'&file='.urlencode('logos/'.$logo); - $urllogofull = $dolibarr_main_url_root.'/viewimage.php?modulepart=mycompany&entity='.$conf->entity.'&file='.urlencode('logos/'.$logo); -} - -// Output html code for logo -if ($urllogo) { - print '
'; - print '
'; - print ''; - print '
'; - if (empty($conf->global->MAIN_HIDE_POWERED_BY)) { - print ''; - } - print '
'; -} - - -print '


'; - - -$fulltag = $FULLTAG; -$tmptag = dolExplodeIntoArray($fulltag, '.', '='); - - -dol_syslog("ispaymentok=".$ispaymentok." tmptag=".var_export($tmptag, true), LOG_DEBUG, 0, '_payment'); - -print $langs->trans("SubscriptionOk"); - -print "\n
\n"; - - -htmlPrintOnlinePaymentFooter($mysoc, $langs, 0, $suffix); - - -// Clean session variables to avoid duplicate actions if post is resent -unset($_SESSION["FinalPaymentAmt"]); -unset($_SESSION["TRANSACTIONID"]); - - -llxFooter('', 'public'); - -$db->close(); From 149aa8e81b3057b5a98bdb466077694eaa06db79 Mon Sep 17 00:00:00 2001 From: Dorian Vabre Date: Tue, 13 Apr 2021 11:31:22 +0200 Subject: [PATCH 07/10] email is now used as name, if name is empty --- .../eventorganization/attendee_subscription.php | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/htdocs/public/eventorganization/attendee_subscription.php b/htdocs/public/eventorganization/attendee_subscription.php index fec49e6648d..0250229e269 100644 --- a/htdocs/public/eventorganization/attendee_subscription.php +++ b/htdocs/public/eventorganization/attendee_subscription.php @@ -187,13 +187,10 @@ if ($reshook < 0) { if (empty($reshook) && $action == 'add') { $error = 0; - - $urlback = ''; $db->begin(); - if (!GETPOST("email")) { $error++; $errmsg .= $langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Email"))."
\n"; @@ -223,7 +220,12 @@ if (empty($reshook) && $action == 'add') { $readythirdparty = -1; } elseif ($resultfetchthirdparty==0) { // creation of a new thirdparty - $thirdparty->name = GETPOST("societe"); + if(!empty(GETPOST("societe"))){ + $thirdparty->name = GETPOST("societe"); + } else { + $thirdparty->name = $email; + } + $thirdparty->address = GETPOST("address"); $thirdparty->zip = GETPOST("zipcode"); $thirdparty->town = GETPOST("town"); @@ -324,8 +326,8 @@ print '
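Review bot: The fallback `if (!empty(GETPOST("societe")))` uses `empty()`, which treats the string `"0"` as empty, so a company literally named "0" would silently be renamed to the submitter's e-mail; compare against the empty string instead. The field is also read twice with no check type; read it once with one: `$societe = GETPOST("societe", 'alphanohtml');` then `$thirdparty->name = ($societe !== '' ? $societe : $email);` (hedged: if GETPOST already defaults to `alphanohtml` in this version the explicit type is merely documentation). The enclosing `elseif ($resultfetchthirdparty==0)` branch continues past the hunk, and the same untyped `GETPOST("address")`/`GETPOST("zipcode")`/`GETPOST("town")` reads there would benefit from the same treatment. Storing the e-mail as the third party's name also spreads personal data into every list and document that shows the company name, which the commit message should at least acknowledge.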
'. print ''; print ''; print ''; -print ''; -print ''; +print ''; +print ''; print '
'; From 14e64f4a33d3f44657167a07d4b7ef49d54be2ea Mon Sep 17 00:00:00 2001 From: Dorian Vabre Date: Tue, 13 Apr 2021 11:57:36 +0200 Subject: [PATCH 08/10] security changes: encryption is now with instead of hard coded keys --- htdocs/eventorganization/conferenceorbooth_card.php | 6 ++---- .../public/eventorganization/attendee_subscription.php | 10 ++++------ 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/htdocs/eventorganization/conferenceorbooth_card.php b/htdocs/eventorganization/conferenceorbooth_card.php index 0f0027b663d..db7654dc703 100644 --- a/htdocs/eventorganization/conferenceorbooth_card.php +++ b/htdocs/eventorganization/conferenceorbooth_card.php @@ -495,12 +495,10 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea //unset($object->fields['fk_soc']); // Hide field already shown in banner global $dolibarr_main_url_root; - $keyforid = 'DV3PH'; - $encodedid = dol_encode($id, $keyforid); + $encodedid = dol_encode($id, $dolibarr_main_instance_unique_id); $link_subscription = $dolibarr_main_url_root.'/public/eventorganization/attendee_subscription.php?id='.$encodedid; - $keyforsecurekey = 'CGLOO'; - $encodedsecurekey = dol_encode($conf->global->EVENTORGANIZATION_SECUREKEY.$id, $keyforsecurekey); + $encodedsecurekey = dol_encode($conf->global->EVENTORGANIZATION_SECUREKEY.$encodedid, $dolibarr_main_instance_unique_id); $link_subscription .= '&securekey='.urlencode($encodedsecurekey); $object->fields['pubregister'] = array('type'=>'url', 'label'=>$langs->trans("PublicAttendeeSubscriptionPage"), 'enabled'=>'1', 'position'=>72, 'notnull'=>0, 'visible'=>1); diff --git a/htdocs/public/eventorganization/attendee_subscription.php b/htdocs/public/eventorganization/attendee_subscription.php index 0250229e269..558bcb23d21 100644 --- a/htdocs/public/eventorganization/attendee_subscription.php +++ b/htdocs/public/eventorganization/attendee_subscription.php 
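Review bot: Replacing the hard-coded keys with `$dolibarr_main_instance_unique_id` does not change what `dol_encode()` is: as far as I recall it is a reversible repeating-key XOR followed by base64, not authenticated encryption, so `dol_encode(SECUREKEY.$encodedid, key)` is malleable — the holder of one valid link knows the plaintext tail (`$encodedid` is in the same URL) and can rewrite it for another id of the same length without knowing either secret; please verify against `core/lib/functions.lib.php` before relying on it. The safer pattern for a public page is a plain id plus a keyed hash bound to it: `$link_subscription = $dolibarr_main_url_root.'/public/eventorganization/attendee_subscription.php?id='.((int) $id);` and `$link_subscription .= '&securekey='.urlencode(hash_hmac('sha256', (string) $id, (string) $conf->global->EVENTORGANIZATION_SECUREKEY));`, with the public page recomputing and `hash_equals()`-comparing the same value. `$dolibarr_main_instance_unique_id` is only defined on installs whose conf.php sets it; if it can be empty here, check what `dol_encode()` does with an empty key. The enclosing `if ($object->id > 0 ...)` block starts outside the hunk.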
@@ -79,17 +79,15 @@ $email = GETPOST("email"); // Getting id from Post and decoding it $encodedid = GETPOST('id'); -$keyforid = 'DV3PH'; -$id = dol_decode($encodedid, $keyforid); +$id = dol_decode($encodedid, $dolibarr_main_instance_unique_id); // Getting 'securekey'.'id' from Post and decoding it $encodedsecurekeyandid = GETPOST('securekey', 'alpha'); -$keyforsecurekey = 'CGLOO'; -$securekeyandid = dol_decode($encodedsecurekeyandid, $keyforsecurekey); +$securekeyandid = dol_decode($encodedsecurekeyandid, $dolibarr_main_instance_unique_id); // Securekey decomposition into pure securekey and id added at the end -$securekey = substr($securekeyandid, 0, strlen($securekeyandid)-strlen($id)); -$idgotfromsecurekey = substr($securekeyandid, -strlen($id), strlen($id)); +$securekey = substr($securekeyandid, 0, strlen($securekeyandid)-strlen($encodedid)); +$idgotfromsecurekey = dol_decode(substr($securekeyandid, -strlen($encodedid), strlen($encodedid)),$dolibarr_main_instance_unique_id); // We check if the securekey collected is OK and if the id collected is the same than the id in the securekey if ($securekey != $conf->global->EVENTORGANIZATION_SECUREKEY || $idgotfromsecurekey != $id) { From 839edb5abe721c292c70ee5871437002faefe085 Mon Sep 17 00:00:00 2001 From: stickler-ci Date: Tue, 13 Apr 2021 10:06:42 +0000 Subject: [PATCH 09/10] Fixing style errors. --- .../conferenceorbooth_card.php | 6 +++--- .../attendee_subscription.php | 20 +++++++++---------- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/htdocs/eventorganization/conferenceorbooth_card.php b/htdocs/eventorganization/conferenceorbooth_card.php index db7654dc703..15b52eda038 100644 --- a/htdocs/eventorganization/conferenceorbooth_card.php +++ b/htdocs/eventorganization/conferenceorbooth_card.php 
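Review bot: The verifier cuts the decoded token at `strlen($encodedid)`, a length taken from the request, then decodes the tail and compares the two halves with loose `!=`; since both `id` and `securekey` are attacker-supplied and the encoding is (as far as I recall) a reversible XOR rather than a MAC, the check only proves that the two parameters are consistent with each other, not that the server issued them, and an empty `EVENTORGANIZATION_SECUREKEY` still lets `'' != null` pass. I would drop the encode/split/decode dance and verify a keyed hash of the id directly, which also removes the dependence on `$dolibarr_main_instance_unique_id` being set on this install. The replacement below covers the whole hunk; the generating side in conferenceorbooth_card.php must build the same HMAC.
```php
$id = GETPOST('id', 'int');
$securekeyreceived = GETPOST('securekey', 'alpha');
// Expected token: HMAC of the event id under the module secure key (constant-time compare below)
$securekeyexpected = hash_hmac('sha256', (string) $id, (string) $conf->global->EVENTORGANIZATION_SECUREKEY);
if (empty($conf->global->EVENTORGANIZATION_SECUREKEY) || $id <= 0 || !hash_equals($securekeyexpected, $securekeyreceived)) {
	print $langs->trans('MissingOrBadSecureKey');
	exit;
}
```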
@@ -494,13 +494,13 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea //unset($object->fields['fk_project']); // Hide field already shown in banner //unset($object->fields['fk_soc']); // Hide field already shown in banner global $dolibarr_main_url_root; - + $encodedid = dol_encode($id, $dolibarr_main_instance_unique_id); $link_subscription = $dolibarr_main_url_root.'/public/eventorganization/attendee_subscription.php?id='.$encodedid; - + $encodedsecurekey = dol_encode($conf->global->EVENTORGANIZATION_SECUREKEY.$encodedid, $dolibarr_main_instance_unique_id); $link_subscription .= '&securekey='.urlencode($encodedsecurekey); - + $object->fields['pubregister'] = array('type'=>'url', 'label'=>$langs->trans("PublicAttendeeSubscriptionPage"), 'enabled'=>'1', 'position'=>72, 'notnull'=>0, 'visible'=>1); $object->pubregister = $link_subscription; $keyforbreak='pubregister'; diff --git a/htdocs/public/eventorganization/attendee_subscription.php b/htdocs/public/eventorganization/attendee_subscription.php index 558bcb23d21..1195fd64cfa 100644 --- a/htdocs/public/eventorganization/attendee_subscription.php +++ b/htdocs/public/eventorganization/attendee_subscription.php @@ -87,7 +87,7 @@ $securekeyandid = dol_decode($encodedsecurekeyandid, $dolibarr_main_instance_uni // Securekey decomposition into pure securekey and id added at the end $securekey = substr($securekeyandid, 0, strlen($securekeyandid)-strlen($encodedid)); -$idgotfromsecurekey = dol_decode(substr($securekeyandid, -strlen($encodedid), strlen($encodedid)),$dolibarr_main_instance_unique_id); +$idgotfromsecurekey = dol_decode(substr($securekeyandid, -strlen($encodedid), strlen($encodedid)), $dolibarr_main_instance_unique_id); // We check if the securekey collected is OK and if the id collected is the same than the id in the securekey if ($securekey != $conf->global->EVENTORGANIZATION_SECUREKEY || $idgotfromsecurekey != $id) { 
@@ -203,14 +203,14 @@ if (empty($reshook) && $action == 'add') { $errmsg .= $langs->trans("ErrorBadEMail", GETPOST("email"))."
\n"; } if (!GETPOST("country_id")) { - $error++; - $errmsg .= $langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Country"))."
\n"; + $error++; + $errmsg .= $langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Country"))."
\n"; } if (!$error) { // Vérifier si client existe par l'email $thirdparty = new Societe($db); - $resultfetchthirdparty = $thirdparty->fetch('','','','','','','','','','',$email); + $resultfetchthirdparty = $thirdparty->fetch('', '', '', '', '', '', '', '', '', '', $email); if ($resultfetchthirdparty<0) { $error++; @@ -218,12 +218,12 @@ if (empty($reshook) && $action == 'add') { $readythirdparty = -1; } elseif ($resultfetchthirdparty==0) { // creation of a new thirdparty - if(!empty(GETPOST("societe"))){ - $thirdparty->name = GETPOST("societe"); - } else { - $thirdparty->name = $email; - } - + if (!empty(GETPOST("societe"))) { + $thirdparty->name = GETPOST("societe"); + } else { + $thirdparty->name = $email; + } + $thirdparty->address = GETPOST("address"); $thirdparty->zip = GETPOST("zipcode"); $thirdparty->town = GETPOST("town"); From 3c265b2a5bcd33cab7b23b8c1f74f3c580061374 Mon Sep 17 00:00:00 2001 From: Dorian Vabre Date: Tue, 13 Apr 2021 12:09:53 +0200 Subject: [PATCH 10/10] fixing style error --- htdocs/public/eventorganization/attendee_subscription.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/public/eventorganization/attendee_subscription.php b/htdocs/public/eventorganization/attendee_subscription.php index 558bcb23d21..7124f76415f 100644 --- a/htdocs/public/eventorganization/attendee_subscription.php +++ b/htdocs/public/eventorganization/attendee_subscription.php @@ -361,7 +361,7 @@ print ' / '; print $formcompany->select_ziptown(GETPOST('town'), 'town', array('zipcode', 'selectcountry_id', 'state_id'), 0, 1); print ''; // Country -print ''.$langs->trans('Country').'*'.''; +print ''.$langs->trans('Country').'*'; $country_id = GETPOST('country_id'); if (!$country_id && !empty($conf->global->MEMBER_NEWFORM_FORCECOUNTRYCODE)) { $country_id = getCountry($conf->global->MEMBER_NEWFORM_FORCECOUNTRYCODE, 2, $db, $langs);