From 40fe3849dc0df5f0bf1ece51a6ebc5794fd3687f Mon Sep 17 00:00:00 2001
From: Regis Houssin <regis.houssin@capnetworks.com>
Date: Mon, 12 Feb 2018 08:21:35 +0100
Subject: [PATCH 01/21] Fix: avoid Warning: A non-numeric value encountered

---
 htdocs/product/class/product.class.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index e6439031146..06e234ff0c0 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
@@ -1649,7 +1649,7 @@ class Product extends CommonObject
      *  @param      string  $newdefaultvatcode  Default vat code
 	 * 	@return		int						    <0 if KO, >0 if OK
 	 */
-	function updatePrice($newprice, $newpricebase, $user, $newvat='',$newminprice='', $level=0, $newnpr=0, $newpbq=0, $ignore_autogen=0, $localtaxes_array=array(), $newdefaultvatcode='')
+	function updatePrice($newprice, $newpricebase, $user, $newvat='',$newminprice=0, $level=0, $newnpr=0, $newpbq=0, $ignore_autogen=0, $localtaxes_array=array(), $newdefaultvatcode='')
 	{
 		global $conf,$langs;
 
@@ -1677,7 +1677,7 @@ class Product extends CommonObject
 			return -1;
 		}
 
-		if ($newprice!='' || $newprice==0)
+		if ($newprice != '' || $newprice == 0)
 		{
 			if ($newpricebase == 'TTC')
 			{
@@ -1685,7 +1685,7 @@ class Product extends CommonObject
 				$price = price2num($newprice) / (1 + ($newvat / 100));
 				$price = price2num($price,'MU');
 
-				if ($newminprice!='' || $newminprice==0)
+				if ($newminprice != '' || $newminprice == 0)
 				{
 					$price_min_ttc = price2num($newminprice,'MU');
 					$price_min = price2num($newminprice) / (1 + ($newvat / 100));
@@ -1703,7 +1703,7 @@ class Product extends CommonObject
 				$price_ttc = ( $newnpr != 1 ) ? price2num($newprice) * (1 + ($newvat / 100)) : $price;
 				$price_ttc = price2num($price_ttc,'MU');
 
-				if ($newminprice!='' || $newminprice==0)
+				if ($newminprice != '' || $newminprice == 0)
 				{
 					$price_min = price2num($newminprice,'MU');
 					$price_min_ttc = price2num($newminprice) * (1 + ($newvat / 100));

From f37d48233183d8fc1c7cf24a167d83cfd013c696 Mon Sep 17 00:00:00 2001
From: florian HENRY <florian.henry@atm-consulting.fr>
Date: Fri, 9 Mar 2018 11:37:23 +0100
Subject: [PATCH 02/21] fix warning and sql error

---
 htdocs/blockedlog/class/blockedlog.class.php | 1 +
 htdocs/core/modules/modFournisseur.class.php | 6 +++++-
 htdocs/holiday/define_holiday.php            | 5 +++--
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/htdocs/blockedlog/class/blockedlog.class.php b/htdocs/blockedlog/class/blockedlog.class.php
index 8c35ec11834..77bf90e2717 100644
--- a/htdocs/blockedlog/class/blockedlog.class.php
+++ b/htdocs/blockedlog/class/blockedlog.class.php
@@ -103,6 +103,7 @@ class BlockedLog
 	public $ref_object = '';
 
 	public $object_data = null;
+	public $user_fullname='';
 
 	/**
 	 * Array of tracked event codes
diff --git a/htdocs/core/modules/modFournisseur.class.php b/htdocs/core/modules/modFournisseur.class.php
index 9e8bdc8ea03..d8ed86907fd 100644
--- a/htdocs/core/modules/modFournisseur.class.php
+++ b/htdocs/core/modules/modFournisseur.class.php
@@ -531,7 +531,11 @@ class modFournisseur extends DolibarrModules
 					case 'sellist':
 						$tmp='';
 						$tmpparam=unserialize($obj->param);	// $tmp ay be array 'options' => array 'c_currencies:code_iso:code_iso' => null
-						if ($tmpparam['options'] && is_array($tmpparam['options'])) $tmp=array_shift(array_keys($tmpparam['options']));
+
+						if ($tmpparam['options'] && is_array($tmpparam['options'])) {
+							$tmpparam_param_key=array_keys($tmpparam['options']);
+							$tmp=array_shift($tmpparam_param_key);
+						}
 						if (preg_match('/[a-z0-9_]+:[a-z0-9_]+:[a-z0-9_]+/', $tmp)) $typeFilter="List:".$tmp;
 						break;
 				}
diff --git a/htdocs/holiday/define_holiday.php b/htdocs/holiday/define_holiday.php
index a7d4789468e..e5bd8c0e8c0 100644
--- a/htdocs/holiday/define_holiday.php
+++ b/htdocs/holiday/define_holiday.php
@@ -216,8 +216,9 @@ if (empty($user->rights->holiday->read_all))
 	$userchilds=$user->getAllChildIds(1);
 	$filters.=' AND u.rowid IN ('.join(', ',$userchilds).')';
 }
-
-$filters.=natural_search(array('u.firstname','u.lastname'), $search_name);
+if (!empty($search_name)) {
+	$filters.=natural_search(array('u.firstname','u.lastname'), $search_name);
+}
 if ($search_supervisor > 0) $filters.=natural_search(array('u.fk_user'), $search_supervisor, 2);
 
 $listUsers = $holiday->fetchUsers(false, true, $filters);

From ee557768865200c759948872bd4aa6919f0b811a Mon Sep 17 00:00:00 2001
From: Romain DELVAL <r.delval@dhimyotis.com>
Date: Fri, 9 Mar 2018 12:38:28 +0100
Subject: [PATCH 03/21] FIX Duplicate product_type asignement on order addline

On addline order method, ther is a duplicate assignation on
line->product_type before call to "insert" method.
The second assignement always make product_type to "0" while it was
fetched from product himsel like it was made on first asignement few
lines above
---
 htdocs/commande/class/commande.class.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php
index c107dff6960..b7b92eb997d 100644
--- a/htdocs/commande/class/commande.class.php
+++ b/htdocs/commande/class/commande.class.php
@@ -1405,7 +1405,6 @@ class Commande extends CommonOrder
             $this->line->total_localtax1=$total_localtax1;
             $this->line->total_localtax2=$total_localtax2;
             $this->line->total_ttc=$total_ttc;
-            $this->line->product_type=$type;
             $this->line->special_code=$special_code;
             $this->line->origin=$origin;
             $this->line->origin_id=$origin_id;

From 1c966d4769b5257ee68dfd6f6a8ed5ed70f2ddb3 Mon Sep 17 00:00:00 2001
From: florian HENRY <florian.henry@atm-consulting.fr>
Date: Fri, 9 Mar 2018 12:57:58 +0100
Subject: [PATCH 04/21] on going

---
 htdocs/core/menus/standard/eldy.lib.php |  6 +++---
 htdocs/product/inventory/card.php       | 10 ++++++----
 htdocs/product/inventory/list.php       |  1 +
 3 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/htdocs/core/menus/standard/eldy.lib.php b/htdocs/core/menus/standard/eldy.lib.php
index 077b6c8ba64..3abff3f714e 100644
--- a/htdocs/core/menus/standard/eldy.lib.php
+++ b/htdocs/core/menus/standard/eldy.lib.php
@@ -1257,9 +1257,9 @@ function print_left_eldy_menu($db,$menu_array_before,$menu_array_after,&$tabMenu
     			if (! empty($conf->stock->enabled))
     			{
     				$langs->load("stocks");
-    				$newmenu->add("/product/inventory/list.php?leftmenu=stock", $langs->trans("Inventory"), 0, $user->rights->stock->lire, '', $mainmenu, 'stock');
-    				$newmenu->add("/product/inventory/card.php?action=create", $langs->trans("NewInventory"), 1, $user->rights->stock->creer);
-    				$newmenu->add("/product/inventory/list.php", $langs->trans("List"), 1, $user->rights->stock->lire);
+    				$newmenu->add("/product/inventory/list.php?leftmenu=stock", $langs->trans("Inventory"), 0, $user->rights->stock->advance_inventory->read, '', $mainmenu, 'stock');
+    				$newmenu->add("/product/inventory/card.php?action=create", $langs->trans("NewInventory"), 1, $user->rights->stock->advance_inventory->create);
+    				$newmenu->add("/product/inventory/list.php", $langs->trans("List"), 1, $user->rights->stock->advance_inventory->read);
     			}
 			}
 
diff --git a/htdocs/product/inventory/card.php b/htdocs/product/inventory/card.php
index e393721c47d..5fc63653ffc 100644
--- a/htdocs/product/inventory/card.php
+++ b/htdocs/product/inventory/card.php
@@ -36,6 +36,8 @@ $action		= GETPOST('action', 'alpha');
 $cancel     = GETPOST('cancel', 'aZ09');
 $backtopage = GETPOST('backtopage', 'alpha');
 
+$result = restrictedArea($user, 'stock', $id, '', 'advance_inventory');
+
 // Initialize technical objects
 $object=new Inventory($db);
 $extrafields = new ExtraFields($db);
@@ -80,8 +82,8 @@ if (empty($reshook))
 {
 	$error=0;
 
-	$permissiontoadd = $user->rights->stock->creer;
-	$permissiontodelete = $user->rights->stock->supprimer;
+	$permissiontoadd = $user->rights->stock->advance_inventory->create;
+	$permissiontodelete = $user->rights->stock->advance_inventory->write;
 	$backurlforlist = DOL_URL_ROOT.'/product/inventory/list.php';
 
 	// Actions cancel, add, update or delete
@@ -327,7 +329,7 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea
     	    // Send
             print '<a class="butAction" href="' . $_SERVER["PHP_SELF"] . '?id=' . $object->id . '&action=presend&mode=init#formmailbeforetitle">' . $langs->trans('SendMail') . '</a>'."\n";
 
-    		if ($user->rights->inventory->write)
+            if ($user->rights->stock->advance_inventory->write)
     		{
     			print '<a class="butAction" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=edit">'.$langs->trans("Modify").'</a>'."\n";
     		}
@@ -336,7 +338,7 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea
     			print '<a class="butActionRefused" href="#" title="'.dol_escape_htmltag($langs->trans("NotEnoughPermissions")).'">'.$langs->trans('Modify').'</a>'."\n";
     		}
 
-    		if ($user->rights->inventory->delete)
+    		if ($user->rights->stock->advance_inventory->write)
     		{
     			print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete">'.$langs->trans('Delete').'</a>'."\n";
     		}
diff --git a/htdocs/product/inventory/list.php b/htdocs/product/inventory/list.php
index cb67168b214..c53ffafa8a3 100644
--- a/htdocs/product/inventory/list.php
+++ b/htdocs/product/inventory/list.php
@@ -72,6 +72,7 @@ if ($user->societe_id > 0)
 	//$socid = $user->societe_id;
 	accessforbidden();
 }
+$result = restrictedArea($user, 'stock', $objectid, '', 'advance_inventory');
 
 // Initialize array of search criterias
 $search_all=trim(GETPOST("search_all",'alpha'));

From f0164f268996f893083f53570fb4854b1b05919c Mon Sep 17 00:00:00 2001
From: florian HENRY <florian.henry@atm-consulting.fr>
Date: Fri, 9 Mar 2018 14:25:37 +0100
Subject: [PATCH 05/21] fix type date

---
 htdocs/core/actions_addupdatedelete.inc.php | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/htdocs/core/actions_addupdatedelete.inc.php b/htdocs/core/actions_addupdatedelete.inc.php
index 6318e4d5c54..b8ede4d7d14 100644
--- a/htdocs/core/actions_addupdatedelete.inc.php
+++ b/htdocs/core/actions_addupdatedelete.inc.php
@@ -93,8 +93,16 @@ if ($action == 'update' && ! empty($permissiontoadd))
 		if (in_array($key, array('rowid', 'entity', 'date_creation', 'tms', 'fk_user_creat', 'fk_user_modif', 'import_key'))) continue;	// Ignore special fields
 
 		// Set value to update
-		if (in_array($object->fields[$key]['type'], array('text', 'html'))) $value = GETPOST($key,'none');
-		else $value = GETPOST($key,'alpha');
+		if (in_array($object->fields[$key]['type'], array('text', 'html'))) {
+			$value = GETPOST($key,'none');
+		}
+		elseif ($object->fields[$key]['type']=='date') {
+			$value = dol_mktime(12, 0, 0, GETPOST($key.'month'), GETPOST($key.'day'), GETPOST($key.'year'));
+		} elseif ($object->fields[$key]['type']=='datetime') {
+			$value = dol_mktime(GETPOST($key.'hour'), GETPOST($key.'min'), 0, GETPOST($key.'month'), GETPOST($key.'day'), GETPOST($key.'year'));
+		} else {
+			$value = GETPOST($key,'alpha');
+		}
 		if (preg_match('/^integer:/i', $object->fields[$key]['type']) && $value == '-1') $value='';		// This is an implicit foreign key field
 		if (! empty($object->fields[$key]['foreignkey']) && $value == '-1') $value='';					// This is an explicit foreign key field
 

From d82c62b638191f5ec960af456c8a841e306f8210 Mon Sep 17 00:00:00 2001
From: Maxime Kohlhaas <maxime@atm-consulting.fr>
Date: Fri, 9 Mar 2018 21:51:59 +0100
Subject: [PATCH 06/21] Fix supplier order clone was keeping objectlinked

---
 htdocs/fourn/class/fournisseur.commande.class.php | 2 --
 1 file changed, 2 deletions(-)

diff --git a/htdocs/fourn/class/fournisseur.commande.class.php b/htdocs/fourn/class/fournisseur.commande.class.php
index a42546fdb84..a58f33502aa 100644
--- a/htdocs/fourn/class/fournisseur.commande.class.php
+++ b/htdocs/fourn/class/fournisseur.commande.class.php
@@ -321,8 +321,6 @@ class CommandeFournisseur extends CommonOrder
 
             if ($this->statut == 0) $this->brouillon = 1;
 
-			$this->fetchObjectLinked();
-
 			//$result=$this->fetch_lines();
             $this->lines=array();
 

From d92fa3a69c1ab614e99ee519fbb770002942688b Mon Sep 17 00:00:00 2001
From: Maxime Kohlhaas <maxime@atm-consulting.fr>
Date: Fri, 9 Mar 2018 23:49:40 +0100
Subject: [PATCH 07/21] Fix required field + space in dispatch

---
 htdocs/fourn/commande/card.php     | 2 +-
 htdocs/fourn/commande/dispatch.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/htdocs/fourn/commande/card.php b/htdocs/fourn/commande/card.php
index f083d71740e..ad27a496672 100644
--- a/htdocs/fourn/commande/card.php
+++ b/htdocs/fourn/commande/card.php
@@ -2453,7 +2453,7 @@ elseif (! empty($object->id))
 				print $form->select_date('','',1,1,'',"commande",1,1,1);
 				print "</td></tr>\n";
 
-				print "<tr><td>".$langs->trans("Delivery")."</td><td>\n";
+				print "<tr><td class=\"fieldrequired\">".$langs->trans("Delivery")."</td><td>\n";
 				$liv = array();
 				$liv[''] = '&nbsp;';
 				$liv['tot']	= $langs->trans("CompleteOrNoMoreReceptionExpected");
diff --git a/htdocs/fourn/commande/dispatch.php b/htdocs/fourn/commande/dispatch.php
index 049f158a0be..04c039cfbb1 100644
--- a/htdocs/fourn/commande/dispatch.php
+++ b/htdocs/fourn/commande/dispatch.php
@@ -457,7 +457,7 @@ if ($id > 0 || ! empty($ref)) {
 		print '<input type="hidden" name="token" value="' . $_SESSION['newtoken'] . '">';
 		print '<input type="hidden" name="action" value="dispatch">';
 
-		print '<div class="div-table-responsive">';
+		print '<div class="div-table-responsive-no-min">';
 		print '<table class="noborder" width="100%">';
 
 		// Set $products_dispatched with qty dispatched for each product id

From 04bcc4dd46666d73518c22db3e2bfa6184a10586 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sat, 10 Mar 2018 12:39:39 +0100
Subject: [PATCH 08/21] Update eldy.lib.php

---
 htdocs/core/menus/standard/eldy.lib.php | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/htdocs/core/menus/standard/eldy.lib.php b/htdocs/core/menus/standard/eldy.lib.php
index 3abff3f714e..e976408c285 100644
--- a/htdocs/core/menus/standard/eldy.lib.php
+++ b/htdocs/core/menus/standard/eldy.lib.php
@@ -1257,9 +1257,18 @@ function print_left_eldy_menu($db,$menu_array_before,$menu_array_after,&$tabMenu
     			if (! empty($conf->stock->enabled))
     			{
     				$langs->load("stocks");
-    				$newmenu->add("/product/inventory/list.php?leftmenu=stock", $langs->trans("Inventory"), 0, $user->rights->stock->advance_inventory->read, '', $mainmenu, 'stock');
-    				$newmenu->add("/product/inventory/card.php?action=create", $langs->trans("NewInventory"), 1, $user->rights->stock->advance_inventory->create);
-    				$newmenu->add("/product/inventory/list.php", $langs->trans("List"), 1, $user->rights->stock->advance_inventory->read);
+				if (empty(MAIN_USE_ADVANCED_PERMS))
+				{
+    					$newmenu->add("/product/inventory/list.php?leftmenu=stock", $langs->trans("Inventory"), 0, $user->rights->stock->read, '', $mainmenu, 'stock');
+    					$newmenu->add("/product/inventory/card.php?action=create", $langs->trans("NewInventory"), 1, $user->rights->stock->create);
+    					$newmenu->add("/product/inventory/list.php", $langs->trans("List"), 1, $user->rights->stock->read);
+				}
+				else
+				{
+					$newmenu->add("/product/inventory/list.php?leftmenu=stock", $langs->trans("Inventory"), 0, $user->rights->stock->advance_inventory->read, '', $mainmenu, 'stock');
+    					$newmenu->add("/product/inventory/card.php?action=create", $langs->trans("NewInventory"), 1, $user->rights->stock->advance_inventory->create);
+    					$newmenu->add("/product/inventory/list.php", $langs->trans("List"), 1, $user->rights->stock->advance_inventory->read);
+				}
     			}
 			}
 

From 75b470b5801c653c2d525f4aceac937c1fb7b198 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sat, 10 Mar 2018 12:43:01 +0100
Subject: [PATCH 09/21] Update eldy.lib.php

---
 htdocs/core/menus/standard/eldy.lib.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/htdocs/core/menus/standard/eldy.lib.php b/htdocs/core/menus/standard/eldy.lib.php
index e976408c285..15a262654f4 100644
--- a/htdocs/core/menus/standard/eldy.lib.php
+++ b/htdocs/core/menus/standard/eldy.lib.php
@@ -1257,16 +1257,16 @@ function print_left_eldy_menu($db,$menu_array_before,$menu_array_after,&$tabMenu
     			if (! empty($conf->stock->enabled))
     			{
     				$langs->load("stocks");
-				if (empty(MAIN_USE_ADVANCED_PERMS))
+				if (empty($conf->global->MAIN_USE_ADVANCED_PERMS))
 				{
-    					$newmenu->add("/product/inventory/list.php?leftmenu=stock", $langs->trans("Inventory"), 0, $user->rights->stock->read, '', $mainmenu, 'stock');
-    					$newmenu->add("/product/inventory/card.php?action=create", $langs->trans("NewInventory"), 1, $user->rights->stock->create);
-    					$newmenu->add("/product/inventory/list.php", $langs->trans("List"), 1, $user->rights->stock->read);
+    					$newmenu->add("/product/inventory/list.php?leftmenu=stock", $langs->trans("Inventory"), 0, $user->rights->stock->lire, '', $mainmenu, 'stock');
+    					$newmenu->add("/product/inventory/card.php?action=create", $langs->trans("NewInventory"), 1, $user->rights->stock->creer);
+    					$newmenu->add("/product/inventory/list.php", $langs->trans("List"), 1, $user->rights->stock->lire);
 				}
 				else
 				{
 					$newmenu->add("/product/inventory/list.php?leftmenu=stock", $langs->trans("Inventory"), 0, $user->rights->stock->advance_inventory->read, '', $mainmenu, 'stock');
-    					$newmenu->add("/product/inventory/card.php?action=create", $langs->trans("NewInventory"), 1, $user->rights->stock->advance_inventory->create);
+    					$newmenu->add("/product/inventory/card.php?action=create", $langs->trans("NewInventory"), 1, $user->rights->stock->advance_inventory->write);
     					$newmenu->add("/product/inventory/list.php", $langs->trans("List"), 1, $user->rights->stock->advance_inventory->read);
 				}
     			}

From a7f82af352555379fcd7d2d8e85b3252365f8cd1 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sat, 10 Mar 2018 12:49:25 +0100
Subject: [PATCH 10/21] Update card.php

---
 htdocs/product/inventory/card.php | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/htdocs/product/inventory/card.php b/htdocs/product/inventory/card.php
index 5fc63653ffc..69658f2b42a 100644
--- a/htdocs/product/inventory/card.php
+++ b/htdocs/product/inventory/card.php
@@ -36,7 +36,14 @@ $action		= GETPOST('action', 'alpha');
 $cancel     = GETPOST('cancel', 'aZ09');
 $backtopage = GETPOST('backtopage', 'alpha');
 
-$result = restrictedArea($user, 'stock', $id, '', 'advance_inventory');
+if (empty($conf->global->MAIN_USE_ADVANCED_PERMS))
+{
+	$result = restrictedArea($user, 'stock', $id);
+}
+else
+{
+	$result = restrictedArea($user, 'stock', $id, '', 'advance_inventory');
+}
 
 // Initialize technical objects
 $object=new Inventory($db);
@@ -82,8 +89,16 @@ if (empty($reshook))
 {
 	$error=0;
 
-	$permissiontoadd = $user->rights->stock->advance_inventory->create;
-	$permissiontodelete = $user->rights->stock->advance_inventory->write;
+	if (empty($conf->global->MAIN_USE_ADVANCED_PERMS))
+	{
+		$permissiontoadd = $user->rights->stock->write;
+		$permissiontodelete = $user->rights->stock->write;
+	}
+	else
+	{
+		$permissiontoadd = $user->rights->stock->advance_inventory->create;
+		$permissiontodelete = $user->rights->stock->advance_inventory->write;
+	}
 	$backurlforlist = DOL_URL_ROOT.'/product/inventory/list.php';
 
 	// Actions cancel, add, update or delete

From 64f2f324de8d40e4438e5ec1f354e39f25f92492 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sat, 10 Mar 2018 12:52:09 +0100
Subject: [PATCH 11/21] Update card.php

---
 htdocs/product/inventory/card.php | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/htdocs/product/inventory/card.php b/htdocs/product/inventory/card.php
index 69658f2b42a..30bb3312576 100644
--- a/htdocs/product/inventory/card.php
+++ b/htdocs/product/inventory/card.php
@@ -75,6 +75,16 @@ $extralabels = $extrafields->fetch_name_optionals_label($object->table_element);
 // Load object
 include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php';  // Must be include, not include_once  // Must be include, not include_once. Include fetch and fetch_thirdparty but not fetch_optionals
 
+if (empty($conf->global->MAIN_USE_ADVANCED_PERMS))
+{
+	$permissiontoadd = $user->rights->stock->write;
+	$permissiontodelete = $user->rights->stock->write;
+}
+else
+{
+	$permissiontoadd = $user->rights->stock->advance_inventory->create;
+	$permissiontodelete = $user->rights->stock->advance_inventory->write;
+}
 
 
 /*
@@ -89,16 +99,6 @@ if (empty($reshook))
 {
 	$error=0;
 
-	if (empty($conf->global->MAIN_USE_ADVANCED_PERMS))
-	{
-		$permissiontoadd = $user->rights->stock->write;
-		$permissiontodelete = $user->rights->stock->write;
-	}
-	else
-	{
-		$permissiontoadd = $user->rights->stock->advance_inventory->create;
-		$permissiontodelete = $user->rights->stock->advance_inventory->write;
-	}
 	$backurlforlist = DOL_URL_ROOT.'/product/inventory/list.php';
 
 	// Actions cancel, add, update or delete
@@ -344,7 +344,7 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea
     	    // Send
             print '<a class="butAction" href="' . $_SERVER["PHP_SELF"] . '?id=' . $object->id . '&action=presend&mode=init#formmailbeforetitle">' . $langs->trans('SendMail') . '</a>'."\n";
 
-            if ($user->rights->stock->advance_inventory->write)
+        	if ($permissiontoadd)
     		{
     			print '<a class="butAction" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=edit">'.$langs->trans("Modify").'</a>'."\n";
     		}
@@ -353,7 +353,7 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea
     			print '<a class="butActionRefused" href="#" title="'.dol_escape_htmltag($langs->trans("NotEnoughPermissions")).'">'.$langs->trans('Modify').'</a>'."\n";
     		}
 
-    		if ($user->rights->stock->advance_inventory->write)
+    		if ($permissiontodelete)
     		{
     			print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete">'.$langs->trans('Delete').'</a>'."\n";
     		}

From 212536a3fdf9e1b89aaa17bdf7e5a09b5011564c Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sat, 10 Mar 2018 12:54:20 +0100
Subject: [PATCH 12/21] Update list.php

---
 htdocs/product/inventory/list.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/htdocs/product/inventory/list.php b/htdocs/product/inventory/list.php
index c53ffafa8a3..f3089099efe 100644
--- a/htdocs/product/inventory/list.php
+++ b/htdocs/product/inventory/list.php
@@ -72,7 +72,14 @@ if ($user->societe_id > 0)
 	//$socid = $user->societe_id;
 	accessforbidden();
 }
-$result = restrictedArea($user, 'stock', $objectid, '', 'advance_inventory');
+if (empty($conf->global->MAIN_USE_ADVANCED_PERMS))
+{
+	$result = restrictedArea($user, 'stock', $objectid);
+}
+else
+{
+	$result = restrictedArea($user, 'stock', $objectid, '', 'advance_inventory');	
+}
 
 // Initialize array of search criterias
 $search_all=trim(GETPOST("search_all",'alpha'));

From 6793bfae3a1f0740cf5449c89f3ea5740a0e5161 Mon Sep 17 00:00:00 2001
From: jean <jean@tiaris.info>
Date: Sat, 10 Mar 2018 14:17:52 +0100
Subject: [PATCH 13/21] FIX #8289 add a cofoiguration for correct stopck
 calculation

---
 htdocs/product/class/product.class.php | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index e6439031146..8d6042907ca 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
@@ -2271,6 +2271,29 @@ class Product extends CommonObject
 					}
 				}
 			}
+			
+			if (! empty($conf->global->STOCK_CALCULATE_ON_BILL) && ! empty($conf->global->DECREASE_ONLY_UNINVOICEDPRODUCTS))
+			{
+				$adeduire = 0;
+				$sql = "SELECT sum(fd.qty) as count FROM ".MAIN_DB_PREFIX."facturedet fd ";
+				$sql .= " JOIN ".MAIN_DB_PREFIX."facture f ON fd.fk_facture = f.rowid ";
+				$sql .= " JOIN ".MAIN_DB_PREFIX."element_element el ON el.fk_target = f.rowid and el.targettype = 'facture' and sourcetype = 'commande'";
+				$sql .= " JOIN ".MAIN_DB_PREFIX."commande c ON el.fk_source = c.rowid ";
+				$sql .= " WHERE c.fk_statut IN (".$filtrestatut.") AND c.facture = 0 AND fd.fk_product = ".$this->id;
+				dol_syslog(__METHOD__.":: sql $sql", LOG_NOTICE);
+		
+				$resql = $this->db->query($sql);
+				if ( $resql )
+				{
+					if ($this->db->num_rows($resql) > 0)
+					{
+						$obj = $this->db->fetch_object($resql);
+						$adeduire += $obj->count;
+					}
+				}
+
+				$this->stats_commande['qty'] -= $adeduire ;
+			}
 
 			return 1;
 		}

From 836054a8b3eb67b776a79daafd475c470b1ff0aa Mon Sep 17 00:00:00 2001
From: BadPixxel <eshop.bpaquier@gmail.com>
Date: Sat, 10 Mar 2018 14:51:24 +0100
Subject: [PATCH 14/21] BugFix Issue #8261: Variants module. Combinations
 cannot be edited

---
 htdocs/variants/combinations.php | 36 +++++++++++++++++---------------
 1 file changed, 19 insertions(+), 17 deletions(-)

diff --git a/htdocs/variants/combinations.php b/htdocs/variants/combinations.php
index 3101d44ecf5..84f3b7fa91c 100644
--- a/htdocs/variants/combinations.php
+++ b/htdocs/variants/combinations.php
@@ -346,12 +346,12 @@ if (! empty($id) || ! empty($ref))
 			foreach ($prodattr_all as $each) {
 				$prodattr_alljson[$each->id] = $each;
 			}
-
+                
 		?>
 
 		<script type="text/javascript">
 
-			variants_available = <?php echo json_encode($prodattr_alljson) ?>;
+			variants_available = <?php echo json_encode($prodattr_alljson); ?>;
 			variants_selected = {
 				index: [],
 				info: []
@@ -425,8 +425,11 @@ if (! empty($id) || ! empty($ref))
 		print '<form method="post" id="combinationform" action="'.$_SERVER["PHP_SELF"].'">'."\n";
 		print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 		print '<input type="hidden" name="id" value="'.dol_escape_htmltag($id).'">'."\n";
-		print '<input type="hidden" name="action" value="create">'."\n";
-
+		print '<input type="hidden" name="action" value="' .  (($valueid > 0) ? "update" : "create") .'">'."\n";
+                if($valueid > 0) {
+                    print '<input type="hidden" name="valueid" value="' . $valueid .'">'."\n";
+                }
+                    
 		print dol_fiche_head();
 
 		?>
@@ -485,7 +488,7 @@ if (! empty($id) || ! empty($ref))
 		<?php
 		}
 
-		if (is_array($selectedvariant)) {
+		if (is_array($productCombination2ValuePairs1)) {
 		?>
 		<hr>
 		<table class="border" style="width: 100%">
@@ -494,18 +497,17 @@ if (! empty($id) || ! empty($ref))
 				<td class="tdtop">
 					<div class="inline-block valignmiddle quatrevingtpercent">
 					<?php
-					if (is_array($selectedvariant))
+					if (is_array($productCombination2ValuePairs1))
 					{
-    					foreach ($selectedvariant as $key => $val) {
-    				        $tmp = explode(':',$val);
-    				        $result1 = $prodattr->fetch($tmp[0]);
-    				        $result2 = $prodattr_val->fetch($tmp[1]);
-    				        if ($result1 > 0 && $result2 > 0)
-    				        {
-    					       print $prodattr->label . ' - '.$prodattr_val->value.'<br>';
-    					       // TODO Add delete link
-    				        }
-    					}
+                                            foreach ($productCombination2ValuePairs1 as $key => $val) {
+                                            $result1 = $prodattr->fetch($val->fk_prod_attr);
+                                            $result2 = $prodattr_val->fetch($val->fk_prod_attr_val);
+                                                if ($result1 > 0 && $result2 > 0)
+                                                {
+                                                       print $prodattr->label . ' - '.$prodattr_val->value.'<br>';
+                                                       // TODO Add delete link
+                                                }
+                                            }
 					}
 					?>
 					</div>
@@ -533,7 +535,7 @@ if (! empty($id) || ! empty($ref))
         ?>
 
 		<div style="text-align: center">
-		<input type="submit" name="create" <?php if (! is_array($selectedvariant)) print ' disabled="disabled"'; ?> value="<?php echo $action == 'add' ? $langs->trans('Create') : $langs->trans('Save') ?>" class="button">
+		<input type="submit" name="create" <?php if (! is_array($productCombination2ValuePairs1)) print ' disabled="disabled"'; ?> value="<?php echo $action == 'add' ? $langs->trans('Create') : $langs->trans('Save') ?>" class="button">
 		&nbsp;
 		<input type="submit" name="cancel" value="<?php echo $langs->trans('Cancel'); ?>" class="button">
 		</div>

From 44d18027f2bd4c882b711144cc229c9c4502b676 Mon Sep 17 00:00:00 2001
From: BadPixxel <eshop.bpaquier@gmail.com>
Date: Sat, 10 Mar 2018 15:48:40 +0100
Subject: [PATCH 15/21] BugFix for PHP7.1: PHP Warning:  A non-numeric value
 encountered in /tmp/Dolibarr/htdocs/product/class/product.class.php on line
 1709

---
 htdocs/product/class/product.class.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index e6439031146..6e3604a4e68 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
@@ -1677,7 +1677,7 @@ class Product extends CommonObject
 			return -1;
 		}
 
-		if ($newprice!='' || $newprice==0)
+		if ($newprice !== '' || $newprice === 0)
 		{
 			if ($newpricebase == 'TTC')
 			{
@@ -1703,8 +1703,8 @@ class Product extends CommonObject
 				$price_ttc = ( $newnpr != 1 ) ? price2num($newprice) * (1 + ($newvat / 100)) : $price;
 				$price_ttc = price2num($price_ttc,'MU');
 
-				if ($newminprice!='' || $newminprice==0)
-				{
+				if ( $newminprice !== '' || $newminprice === 0)
+				{                                    
 					$price_min = price2num($newminprice,'MU');
 					$price_min_ttc = price2num($newminprice) * (1 + ($newvat / 100));
 					$price_min_ttc = price2num($price_min_ttc,'MU');

From 241b5e9a939e30c70941048978a9b3067556419c Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sat, 10 Mar 2018 15:52:11 +0100
Subject: [PATCH 16/21] FIX security report DIGITEMIS CYBERSECURITY & PRIVACY

---
 htdocs/expensereport/card.php                 | 91 +++++++++----------
 .../class/expensereport.class.php             | 42 ++++-----
 2 files changed, 62 insertions(+), 71 deletions(-)

diff --git a/htdocs/expensereport/card.php b/htdocs/expensereport/card.php
index 6cebfb0fe2d..a6252cc333f 100644
--- a/htdocs/expensereport/card.php
+++ b/htdocs/expensereport/card.php
@@ -52,22 +52,15 @@ $action=GETPOST('action','aZ09');
 $cancel=GETPOST('cancel','alpha');
 $confirm = GETPOST('confirm', 'alpha');
 
-$date_start = dol_mktime(0, 0, 0, GETPOST('date_debutmonth'), GETPOST('date_debutday'), GETPOST('date_debutyear'));
-$date_end = dol_mktime(0, 0, 0, GETPOST('date_finmonth'), GETPOST('date_finday'), GETPOST('date_finyear'));
-$date = dol_mktime(0, 0, 0, GETPOST('datemonth'), GETPOST('dateday'), GETPOST('dateyear'));
-$fk_projet=GETPOST('fk_projet');
-$vatrate=GETPOST('vatrate');
+$date_start = dol_mktime(0, 0, 0, GETPOST('date_debutmonth','int'), GETPOST('date_debutday','int'), GETPOST('date_debutyear','int'));
+$date_end = dol_mktime(0, 0, 0, GETPOST('date_finmonth','int'), GETPOST('date_finday','int'), GETPOST('date_finyear','int'));
+$date = dol_mktime(0, 0, 0, GETPOST('datemonth','int'), GETPOST('dateday','int'), GETPOST('dateyear','int'));
+$fk_projet=GETPOST('fk_projet','int');
+$vatrate=GETPOST('vatrate','alpha');
 $ref=GETPOST("ref",'alpha');
-$comments=GETPOST('comments');
+$comments=GETPOST('comments','none');
 $fk_c_type_fees=GETPOST('fk_c_type_fees','int');
-
-// If socid provided by ajax company selector
-if (! empty($_REQUEST['socid_id']))
-{
-	$_GET['socid'] = $_GET['socid_id'];
-	$_POST['socid'] = $_POST['socid_id'];
-	$_REQUEST['socid'] = $_REQUEST['socid_id'];
-}
+$socid = GETPOST('socid','int')?GETPOST('socid','int'):GETPOST('socid_id','int');
 
 // Security check
 $id=GETPOST("id",'int');
@@ -154,7 +147,7 @@ if (empty($reshook))
     // Action clone object
     if ($action == 'confirm_clone' && $confirm == 'yes' && $user->rights->expensereport->creer)
     {
-        if (1==0 && ! GETPOST('clone_content') && ! GETPOST('clone_receivers'))
+        if (1==0 && ! GETPOST('clone_content','alpha') && ! GETPOST('clone_receivers','alpha'))
         {
             setEventMessages($langs->trans("NoCloneOptionsSpecified"), null, 'errors');
         }
@@ -181,7 +174,7 @@ if (empty($reshook))
         }
     }
 
-    if ($action == 'confirm_delete' && GETPOST("confirm") == "yes" && $id > 0 && $user->rights->expensereport->supprimer)
+    if ($action == 'confirm_delete' && GETPOST("confirm",'alpha') == "yes" && $id > 0 && $user->rights->expensereport->supprimer)
     {
     	$object = new ExpenseReport($db);
     	$result = $object->fetch($id);
@@ -288,7 +281,7 @@ if (empty($reshook))
     {
         // Fill array 'array_options' with data from update form
         $extralabels = $extrafields->fetch_name_optionals_label($object->table_element);
-        $ret = $extrafields->setOptionalsFromPost($extralabels, $object, GETPOST('attribute'));
+        $ret = $extrafields->setOptionalsFromPost($extralabels, $object, GETPOST('attribute', 'alpha'));
         if ($ret < 0) $error++;
 
         if (! $error)
@@ -313,7 +306,7 @@ if (empty($reshook))
             $action = 'edit_extras';
     }
 
-    if ($action == "confirm_validate" && GETPOST("confirm") == "yes" && $id > 0 && $user->rights->expensereport->creer)
+    if ($action == "confirm_validate" && GETPOST("confirm", 'alpha') == "yes" && $id > 0 && $user->rights->expensereport->creer)
     {
     	$error = 0;
 
@@ -439,7 +432,7 @@ if (empty($reshook))
 		}
     }
 
-    if ($action == "confirm_save_from_refuse" && GETPOST("confirm") == "yes" && $id > 0 && $user->rights->expensereport->creer)
+    if ($action == "confirm_save_from_refuse" && GETPOST("confirm", 'alpha') == "yes" && $id > 0 && $user->rights->expensereport->creer)
     {
     	$object = new ExpenseReport($db);
     	$object->fetch($id);
@@ -556,7 +549,7 @@ if (empty($reshook))
     }
 
     // Approve
-    if ($action == "confirm_approve" && GETPOST("confirm") == "yes" && $id > 0 && $user->rights->expensereport->approve)
+    if ($action == "confirm_approve" && GETPOST("confirm", 'alpha') == "yes" && $id > 0 && $user->rights->expensereport->approve)
     {
     	$object = new ExpenseReport($db);
     	$object->fetch($id);
@@ -679,12 +672,12 @@ if (empty($reshook))
    		setEventMessages($object->error, $object->errors, 'errors');
    	}
 
-    if ($action == "confirm_refuse" && GETPOST('confirm')=="yes" && $id > 0 && $user->rights->expensereport->approve)
+    if ($action == "confirm_refuse" && GETPOST('confirm', 'alpha')=="yes" && $id > 0 && $user->rights->expensereport->approve)
     {
     	$object = new ExpenseReport($db);
     	$object->fetch($id);
 
-    	$result = $object->setDeny($user,GETPOST('detail_refuse'));
+    	$result = $object->setDeny($user, GETPOST('detail_refuse', 'alpha'));
 
     	if ($result > 0)
     	{
@@ -800,14 +793,14 @@ if (empty($reshook))
     }
 
     //var_dump($user->id == $object->fk_user_validator);exit;
-    if ($action == "confirm_cancel" && GETPOST('confirm')=="yes" && GETPOST('detail_cancel') && $id > 0 && $user->rights->expensereport->creer)
+    if ($action == "confirm_cancel" && GETPOST('confirm', 'alpha')=="yes" && GETPOST('detail_cancel', 'alpha') && $id > 0 && $user->rights->expensereport->creer)
     {
     	$object = new ExpenseReport($db);
     	$object->fetch($id);
 
     	if ($user->id == $object->fk_user_valid || $user->id == $object->fk_user_author)
     	{
-    		$result = $object->set_cancel($user,GETPOST('detail_cancel'));
+    		$result = $object->set_cancel($user, GETPOST('detail_cancel', 'alpha'));
 
     		if ($result > 0)
     		{
@@ -923,7 +916,7 @@ if (empty($reshook))
     	}
     }
 
-    if ($action == "confirm_brouillonner" && GETPOST('confirm')=="yes" && $id > 0 && $user->rights->expensereport->creer)
+    if ($action == "confirm_brouillonner" && GETPOST('confirm', 'alpha')=="yes" && $id > 0 && $user->rights->expensereport->creer)
     {
     	$object = new ExpenseReport($db);
     	$object->fetch($id);
@@ -1091,10 +1084,10 @@ if (empty($reshook))
     	if (empty($vatrate)) $vatrate = "0.000";
     	$vatrate = price2num($vatrate);
 
-		$value_unit=price2num(GETPOST('value_unit'),'MU');
-    	$fk_c_exp_tax_cat = GETPOST('fk_c_exp_tax_cat');
+		$value_unit=price2num(GETPOST('value_unit', 'alpha'),'MU');
+    	$fk_c_exp_tax_cat = GETPOST('fk_c_exp_tax_cat', 'int');
 
-    	$qty  = GETPOST('qty','int');
+    	$qty = GETPOST('qty','int');
     	if (empty($qty)) $qty=1;
 
     	if (! $fk_c_type_fees > 0)
@@ -1128,7 +1121,7 @@ if (empty($reshook))
     		setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Date")), null, 'errors');
     	}
     	// Si aucun prix n'est rentré
-    	if($value_unit==0)
+    	if ($value_unit==0)
     	{
     		$error++;
     		setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("PriceUTTC")), null, 'errors');
@@ -1175,17 +1168,17 @@ if (empty($reshook))
     	$action='';
     }
 
-    if ($action == 'confirm_delete_line' && GETPOST("confirm") == "yes" && $user->rights->expensereport->creer)
+    if ($action == 'confirm_delete_line' && GETPOST("confirm", 'alpha') == "yes" && $user->rights->expensereport->creer)
     {
     	$object = new ExpenseReport($db);
     	$object->fetch($id);
 
     	$object_ligne = new ExpenseReportLine($db);
-    	$object_ligne->fetch(GETPOST("rowid"));
+    	$object_ligne->fetch(GETPOST("rowid", 'int'));
     	$total_ht = $object_ligne->total_ht;
     	$total_tva = $object_ligne->total_tva;
 
-    	$result=$object->deleteline(GETPOST("rowid"), $user);
+    	$result=$object->deleteline(GETPOST("rowid", 'int'), $user);
     	if ($result >= 0)
     	{
     		if ($result > 0)
@@ -1224,19 +1217,19 @@ if (empty($reshook))
     	$object->fetch($id);
 
     	$rowid = $_POST['rowid'];
-    	$type_fees_id = GETPOST('fk_c_type_fees');
-		$fk_c_exp_tax_cat = GETPOST('fk_c_exp_tax_cat');
+    	$type_fees_id = GETPOST('fk_c_type_fees', 'int');
+		$fk_c_exp_tax_cat = GETPOST('fk_c_exp_tax_cat', 'int');
     	$projet_id = $fk_projet;
-    	$comments = GETPOST('comments');
-    	$qty = GETPOST('qty');
-    	$value_unit = GETPOST('value_unit');
-    	$vatrate = GETPOST('vatrate');
+    	$comments = GETPOST('comments', 'none');
+    	$qty = GETPOST('qty', 'int');
+    	$value_unit = price2num(GETPOST('value_unit', 'alpha'), 'MU');
+    	$vatrate = GETPOST('vatrate', 'alpha');
 
         // if VAT is not used in Dolibarr, set VAT rate to 0 because VAT rate is necessary.
         if (empty($vatrate)) $vatrate = "0.000";
         $vatrate = price2num($vatrate);
 
-    	if (! GETPOST('fk_c_type_fees') > 0)
+    	if (! GETPOST('fk_c_type_fees', 'int') > 0)
     	{
     		$error++;
     		setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Type")), null, 'errors');
@@ -1352,7 +1345,7 @@ if ($action == 'create')
 	print '<td class="fieldrequired">'.$langs->trans("User").'</td>';
 	print '<td>';
 	$defaultselectuser=$user->id;
-	if (GETPOST('fk_user_author') > 0) $defaultselectuser=GETPOST('fk_user_author');
+	if (GETPOST('fk_user_author', 'int') > 0) $defaultselectuser=GETPOST('fk_user_author', 'int');
     $include_users = 'hierarchyme';
     if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ! empty($user->rights->expensereport->writeall_advance)) $include_users=array();
 	$s=$form->select_dolusers($defaultselectuser, "fk_user_author", 0, "", 0, $include_users);
@@ -1370,7 +1363,7 @@ if ($action == 'create')
 	{
     	$defaultselectuser=$user->fk_user;	// Will work only if supervisor has permission to approve so is inside include_users
     	if (! empty($conf->global->EXPENSEREPORT_DEFAULT_VALIDATOR)) $defaultselectuser=$conf->global->EXPENSEREPORT_DEFAULT_VALIDATOR;   // Can force default approver
-    	if (GETPOST('fk_user_validator') > 0) $defaultselectuser=GETPOST('fk_user_validator');
+    	if (GETPOST('fk_user_validator', 'int') > 0) $defaultselectuser=GETPOST('fk_user_validator', 'int');
     	$s=$form->select_dolusers($defaultselectuser, "fk_user_validator", 1, "", 0, $include_users);
     	print $form->textwithpicto($s, $langs->trans("AnyOtherInThisListCanValidate"));
 	}
@@ -1628,7 +1621,7 @@ else
 
 				if ($action == 'delete_line')
 				{
-					$formconfirm=$form->form_confirm($_SERVER["PHP_SELF"]."?id=".$id."&rowid=".GETPOST('rowid'),$langs->trans("DeleteLine"),$langs->trans("ConfirmDeleteLine"),"confirm_delete_line",'','yes',1);
+					$formconfirm=$form->form_confirm($_SERVER["PHP_SELF"]."?id=".$id."&rowid=".GETPOST('rowid','int'),$langs->trans("DeleteLine"),$langs->trans("ConfirmDeleteLine"),"confirm_delete_line",'','yes',1);
 				}
 
 				// Print form confirm
@@ -2004,7 +1997,7 @@ else
 					{
 						$numline = $i + 1;
 
-						if ($action != 'editline' || $line->rowid != GETPOST('rowid'))
+						if ($action != 'editline' || $line->rowid != GETPOST('rowid', 'int'))
 						{
 							print '<tr class="oddeven">';
 
@@ -2069,7 +2062,7 @@ else
 							print '</tr>';
 						}
 
-						if ($action == 'editline' && $line->rowid == GETPOST('rowid'))
+						if ($action == 'editline' && $line->rowid == GETPOST('rowid', 'int'))
 						{
 								print '<tr class="oddeven">';
 
@@ -2113,12 +2106,12 @@ else
 
 								// Unit price
 								print '<td style="text-align:right;">';
-								print '<input type="text" min="0" class="maxwidth100" name="value_unit" value="'.$line->value_unit.'" />';
+								print '<input type="text" min="0" class="maxwidth100" name="value_unit" value="'.dol_escape_htmltag($line->value_unit).'" />';
 								print '</td>';
 
 								// Quantity
 								print '<td style="text-align:right;">';
-								print '<input type="number" min="0" class="maxwidth100" name="qty" value="'.$line->qty.'" />';
+								print '<input type="number" min="0" class="maxwidth100" name="qty" value="'.dol_escape_htmltag($line->qty).'" />';
 								print '</td>';
 
 								if ($action != 'editline')
@@ -2198,12 +2191,12 @@ else
 
 					// Unit price
 					print '<td align="right">';
-					print '<input type="text" class="right maxwidth50" name="value_unit" value="'.$value_unit.'">';
+					print '<input type="text" class="right maxwidth50" name="value_unit" value="'.dol_escape_htmltag($value_unit).'">';
 					print '</td>';
 
 					// Quantity
 					print '<td align="right">';
-					print '<input type="text" min="0" class="right maxwidth50" name="qty" value="'.($qty?$qty:1).'">';    // We must be able to enter decimal qty
+					print '<input type="text" min="0" class="right maxwidth50" name="qty" value="'.dol_escape_htmltag($qty?$qty:1).'">';    // We must be able to enter decimal qty
 					print '</td>';
 
 					if ($action != 'editline')
@@ -2409,7 +2402,7 @@ print '</div>';
 
 
 // Select mail models is same action as presend
-if (GETPOST('modelselected')) {
+if (GETPOST('modelselected', 'alpha')) {
 	$action = 'presend';
 }
 
diff --git a/htdocs/expensereport/class/expensereport.class.php b/htdocs/expensereport/class/expensereport.class.php
index b1523f3bbf9..6bbd45eef14 100644
--- a/htdocs/expensereport/class/expensereport.class.php
+++ b/htdocs/expensereport/class/expensereport.class.php
@@ -2482,24 +2482,22 @@ class ExpenseReportLine
         $sql = 'INSERT INTO '.MAIN_DB_PREFIX.'expensereport_det';
         $sql.= ' (fk_expensereport, fk_c_type_fees, fk_projet,';
         $sql.= ' tva_tx, vat_src_code, comments, qty, value_unit, total_ht, total_tva, total_ttc, date, rule_warning_message, fk_c_exp_tax_cat)';
-        $sql.= " VALUES (".$this->fk_expensereport.",";
-        $sql.= " ".$this->fk_c_type_fees.",";
-        $sql.= " ".($this->fk_projet>0?$this->fk_projet:'null').",";
-        $sql.= " ".$this->vatrate.",";
+        $sql.= " VALUES (".$this->db->escape($this->fk_expensereport).",";
+        $sql.= " ".$this->db->escape($this->fk_c_type_fees).",";
+        $sql.= " ".$this->db->escape($this->fk_projet>0?$this->fk_projet:'null').",";
+        $sql.= " ".$this->db->escape($this->vatrate).",";
         $sql.= " '".$this->db->escape($this->vat_src_code)."',";
         $sql.= " '".$this->db->escape($this->comments)."',";
-        $sql.= " ".$this->qty.",";
-        $sql.= " ".$this->value_unit.",";
-        $sql.= " ".$this->total_ht.",";
-        $sql.= " ".$this->total_tva.",";
-        $sql.= " ".$this->total_ttc.",";
+        $sql.= " ".$this->db->escape($this->qty).",";
+        $sql.= " ".$this->db->escape($this->value_unit).",";
+        $sql.= " ".$this->db->escape($this->total_ht).",";
+        $sql.= " ".$this->db->escape($this->total_tva).",";
+        $sql.= " ".$this->db->escape($this->total_ttc).",";
         $sql.= "'".$this->db->idate($this->date)."',";
 		$sql.= " '".$this->db->escape($this->rule_warning_message)."',";
-		$sql.= " ".$this->fk_c_exp_tax_cat;
+		$sql.= " ".$this->db->escape($this->fk_c_exp_tax_cat);
         $sql.= ")";
 
-        dol_syslog("ExpenseReportLine::insert sql=".$sql);
-
         $resql=$this->db->query($sql);
         if ($resql)
         {
@@ -2603,21 +2601,21 @@ class ExpenseReportLine
         // Update line in database
         $sql = "UPDATE ".MAIN_DB_PREFIX."expensereport_det SET";
         $sql.= " comments='".$this->db->escape($this->comments)."'";
-        $sql.= ",value_unit=".$this->value_unit;
-        $sql.= ",qty=".$this->qty;
+        $sql.= ",value_unit=".$this->db->escape($this->value_unit);
+        $sql.= ",qty=".$this->db->escape($this->qty);
         $sql.= ",date='".$this->db->idate($this->date)."'";
-        $sql.= ",total_ht=".$this->total_ht."";
-        $sql.= ",total_tva=".$this->total_tva."";
-        $sql.= ",total_ttc=".$this->total_ttc."";
-        $sql.= ",tva_tx=".$this->vatrate;
+        $sql.= ",total_ht=".$this->db->escape($this->total_ht)."";
+        $sql.= ",total_tva=".$this->db->escape($this->total_tva)."";
+        $sql.= ",total_ttc=".$this->db->escape($this->total_ttc)."";
+        $sql.= ",tva_tx=".$this->db->escape($this->vatrate);
 		$sql.= ",vat_src_code='".$this->db->escape($this->vat_src_code)."'";
         $sql.= ",rule_warning_message='".$this->db->escape($this->rule_warning_message)."'";
-		$sql.= ",fk_c_exp_tax_cat=".$this->fk_c_exp_tax_cat;
-        if ($this->fk_c_type_fees) $sql.= ",fk_c_type_fees=".$this->fk_c_type_fees;
+		$sql.= ",fk_c_exp_tax_cat=".$this->db->escape($this->fk_c_exp_tax_cat);
+        if ($this->fk_c_type_fees) $sql.= ",fk_c_type_fees=".$this->db->escape($this->fk_c_type_fees);
         else $sql.= ",fk_c_type_fees=null";
-        if ($this->fk_projet) $sql.= ",fk_projet=".$this->fk_projet;
+        if ($this->fk_projet) $sql.= ",fk_projet=".$this->db->escape($this->fk_projet);
         else $sql.= ",fk_projet=null";
-        $sql.= " WHERE rowid = ".$this->rowid;
+        $sql.= " WHERE rowid = ".$this->db->escape($this->rowid);
 
         dol_syslog("ExpenseReportLine::update sql=".$sql);
 

From ea3872b0cb6cdfc44c3482169a16c89af9d3b3cd Mon Sep 17 00:00:00 2001
From: BadPixxel <eshop.bpaquier@gmail.com>
Date: Sat, 10 Mar 2018 15:48:40 +0100
Subject: [PATCH 17/21] BugFix for PHP7.1: PHP Warning:  A non-numeric value
 encountered in /tmp/Dolibarr/htdocs/product/class/product.class.php on line
 1709

---
 htdocs/product/class/product.class.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index e6439031146..6e3604a4e68 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
@@ -1677,7 +1677,7 @@ class Product extends CommonObject
 			return -1;
 		}
 
-		if ($newprice!='' || $newprice==0)
+		if ($newprice !== '' || $newprice === 0)
 		{
 			if ($newpricebase == 'TTC')
 			{
@@ -1703,8 +1703,8 @@ class Product extends CommonObject
 				$price_ttc = ( $newnpr != 1 ) ? price2num($newprice) * (1 + ($newvat / 100)) : $price;
 				$price_ttc = price2num($price_ttc,'MU');
 
-				if ($newminprice!='' || $newminprice==0)
-				{
+				if ( $newminprice !== '' || $newminprice === 0)
+				{                                    
 					$price_min = price2num($newminprice,'MU');
 					$price_min_ttc = price2num($newminprice) * (1 + ($newvat / 100));
 					$price_min_ttc = price2num($price_min_ttc,'MU');

From e3ace1f89f204354f91d741bfe54a7e235005f83 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sat, 10 Mar 2018 18:17:54 +0100
Subject: [PATCH 18/21] Fix morecss not provided

---
 htdocs/core/class/html.formprojet.class.php | 4 ++--
 htdocs/expensereport/card.php               | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/htdocs/core/class/html.formprojet.class.php b/htdocs/core/class/html.formprojet.class.php
index f1d407d3bba..a6c94d79780 100644
--- a/htdocs/core/class/html.formprojet.class.php
+++ b/htdocs/core/class/html.formprojet.class.php
@@ -91,7 +91,7 @@ class FormProjets
 		}
 		else
 		{
-			$out.=$this->select_projects_list($socid, $selected, $htmlname, $maxlength, $option_only, $show_empty, $discard_closed, $forcefocus, $disabled, 0, $filterkey, 1, $forceaddid, $htmlid);
+			$out.=$this->select_projects_list($socid, $selected, $htmlname, $maxlength, $option_only, $show_empty, $discard_closed, $forcefocus, $disabled, 0, $filterkey, 1, $forceaddid, $htmlid, $morecss);
 		}
 		if ($discard_closed)
 		{
@@ -177,7 +177,7 @@ class FormProjets
 				include_once DOL_DOCUMENT_ROOT . '/core/lib/ajax.lib.php';
 	           	$comboenhancement = ajax_combobox($htmlid, array(), 0, $forcefocus);
             	$out.=$comboenhancement;
-            	$morecss='minwidth100 maxwidth500';
+            	$morecss.=' minwidth100';
 			}
 
 			if (empty($option_only)) {
diff --git a/htdocs/expensereport/card.php b/htdocs/expensereport/card.php
index a6252cc333f..4ad5aaba356 100644
--- a/htdocs/expensereport/card.php
+++ b/htdocs/expensereport/card.php
@@ -2160,7 +2160,7 @@ else
 					if (! empty($conf->projet->enabled))
 					{
 						print '<td>';
-						$formproject->select_projects(-1, $fk_projet, 'fk_projet', 0, 0, 1, 1);
+						$formproject->select_projects(-1, $fk_projet, 'fk_projet', 0, 0, 1, 1, 0, 0, 0, '', 0, 0, 'maxwidth300');
 						print '</td>';
 					}
 

From 3911738b885c2da362f0cc57db33f7d55d6b6b01 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sat, 10 Mar 2018 18:40:45 +0100
Subject: [PATCH 19/21] Fix vulnerability reported by DIGITEMIS CYBERSECURITY &
 PRIVACY

---
 htdocs/expensereport/card.php | 13 ++++++-------
 htdocs/expensereport/note.php |  8 ++++----
 2 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/htdocs/expensereport/card.php b/htdocs/expensereport/card.php
index 4ad5aaba356..34b78e4eb80 100644
--- a/htdocs/expensereport/card.php
+++ b/htdocs/expensereport/card.php
@@ -2028,15 +2028,14 @@ else
 								print dol_getIdFromCode($db, $line->fk_c_exp_tax_cat, 'c_exp_tax_cat', 'rowid', 'label');
 								print '</td>';
 							}
-							// print '<td style="text-align:center;">'.$langs->trans("TF_".strtoupper(empty($objp->type_fees_libelle)?'OTHER':$objp->type_fees_libelle)).'</td>';
-							print '<td style="text-align:center;">';
+							print '<td class="center">';
 							$labeltype = ($langs->trans(($line->type_fees_code)) == $line->type_fees_code ? $line->type_fees_libelle : $langs->trans($line->type_fees_code));
 							print $labeltype;
 							print '</td>';
-							print '<td style="text-align:left;">'.$line->comments.'</td>';
+							print '<td style="text-align:left;">'.dol_escape_htmltag($line->comments).'</td>';
 							print '<td style="text-align:right;">'.vatrate($line->vatrate,true).'</td>';
 							print '<td style="text-align:right;">'.price($line->value_unit).'</td>';
-							print '<td style="text-align:right;">'.$line->qty.'</td>';
+							print '<td style="text-align:right;">'.dol_escape_htmltag($line->qty).'</td>';
 
 							if ($action != 'editline')
 							{
@@ -2096,7 +2095,7 @@ else
 
 								// Add comments
 								print '<td>';
-								print '<textarea name="comments" class="flat_ndf centpercent">'.$line->comments.'</textarea>';
+								print '<textarea name="comments" class="flat_ndf centpercent">'.dol_escape_htmltag($line->comments).'</textarea>';
 								print '</td>';
 
 								// VAT
@@ -2147,7 +2146,7 @@ else
 					print '<td colspan="3"></td>';
 					print '</tr>';
 
-					print '<tr '.$bc[true].'>';
+					print '<tr class="oddeven">';
 
 					print '<td></td>';
 
@@ -2179,7 +2178,7 @@ else
 
 					// Add comments
 					print '<td>';
-					print '<textarea class="flat_ndf centpercent" name="comments">'.$comments.'</textarea>';
+					print '<textarea class="flat_ndf centpercent" name="comments">'.dol_escape_htmltag($comments).'</textarea>';
 					print '</td>';
 
 					// Select VAT
diff --git a/htdocs/expensereport/note.php b/htdocs/expensereport/note.php
index 8376733d634..a715d85f6a6 100644
--- a/htdocs/expensereport/note.php
+++ b/htdocs/expensereport/note.php
@@ -19,9 +19,9 @@
  */
 
 /**
- *  \file       htdocs/commande/note.php
- *  \ingroup    commande
- *  \brief      Fiche de notes sur une commande
+ *  \file       htdocs/expensereport/note.php
+ *  \ingroup    expensereport
+ *  \brief      Tab for notes on expense reports
  */
 
 require '../main.inc.php';
@@ -90,7 +90,7 @@ if ($id > 0 || ! empty($ref))
 
     print '<div class="fichecenter">';
     print '<div class="underbanner clearboth"></div>';
-
+var_dump($value_public);
 	$cssclass="titlefield";
 	include DOL_DOCUMENT_ROOT.'/core/tpl/notes.tpl.php';
 

From 6fcc271790c9b2dc3c9e2114415aa19f7260f4b0 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sat, 10 Mar 2018 18:57:55 +0100
Subject: [PATCH 20/21] Update product.class.php

---
 htdocs/product/class/product.class.php | 42 +++++++++++++++-----------
 1 file changed, 24 insertions(+), 18 deletions(-)

diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index 8d6042907ca..7f1387261b4 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
@@ -2272,27 +2272,33 @@ class Product extends CommonObject
 				}
 			}
 			
-			if (! empty($conf->global->STOCK_CALCULATE_ON_BILL) && ! empty($conf->global->DECREASE_ONLY_UNINVOICEDPRODUCTS))
+			// If stock decrease is on invoice validation, the theorical stock continue to 
+			// count the orders to ship in theorical stock when some are already removed b invoice validation.
+			// If option DECREASE_ONLY_UNINVOICEDPRODUCTS is on, we make a compensation.
+			if (! empty($conf->global->STOCK_CALCULATE_ON_BILL))
 			{
-				$adeduire = 0;
-				$sql = "SELECT sum(fd.qty) as count FROM ".MAIN_DB_PREFIX."facturedet fd ";
-				$sql .= " JOIN ".MAIN_DB_PREFIX."facture f ON fd.fk_facture = f.rowid ";
-				$sql .= " JOIN ".MAIN_DB_PREFIX."element_element el ON el.fk_target = f.rowid and el.targettype = 'facture' and sourcetype = 'commande'";
-				$sql .= " JOIN ".MAIN_DB_PREFIX."commande c ON el.fk_source = c.rowid ";
-				$sql .= " WHERE c.fk_statut IN (".$filtrestatut.") AND c.facture = 0 AND fd.fk_product = ".$this->id;
-				dol_syslog(__METHOD__.":: sql $sql", LOG_NOTICE);
-		
-				$resql = $this->db->query($sql);
-				if ( $resql )
+				if (! empty($conf->global->DECREASE_ONLY_UNINVOICEDPRODUCTS))
 				{
-					if ($this->db->num_rows($resql) > 0)
-					{
-						$obj = $this->db->fetch_object($resql);
-						$adeduire += $obj->count;
-					}
-				}
+					$adeduire = 0;
+					$sql = "SELECT sum(fd.qty) as count FROM ".MAIN_DB_PREFIX."facturedet fd ";
+					$sql .= " JOIN ".MAIN_DB_PREFIX."facture f ON fd.fk_facture = f.rowid ";
+					$sql .= " JOIN ".MAIN_DB_PREFIX."element_element el ON el.fk_target = f.rowid and el.targettype = 'facture' and sourcetype = 'commande'";
+					$sql .= " JOIN ".MAIN_DB_PREFIX."commande c ON el.fk_source = c.rowid ";
+					$sql .= " WHERE c.fk_statut IN (".$filtrestatut.") AND c.facture = 0 AND fd.fk_product = ".$this->id;
+					dol_syslog(__METHOD__.":: sql $sql", LOG_NOTICE);
 
-				$this->stats_commande['qty'] -= $adeduire ;
+					$resql = $this->db->query($sql);
+					if ( $resql )
+					{
+						if ($this->db->num_rows($resql) > 0)
+						{
+							$obj = $this->db->fetch_object($resql);
+							$adeduire += $obj->count;
+						}
+					}
+
+					$this->stats_commande['qty'] -= $adeduire;
+				}
 			}
 
 			return 1;

From 74dc815bfa0efc945970cdd515a9660cb42d974b Mon Sep 17 00:00:00 2001
From: Alexis Algoud <alexis@atm-consulting.fr>
Date: Sat, 10 Mar 2018 14:14:31 +0100
Subject: [PATCH 21/21] fix commonobject isInt for module builder capabilities

---
 htdocs/core/class/commonobject.class.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php
index d55e564d774..388dfe9799b 100644
--- a/htdocs/core/class/commonobject.class.php
+++ b/htdocs/core/class/commonobject.class.php
@@ -5371,7 +5371,7 @@ abstract class CommonObject
 		$label = $val['label'];
 		$type  = $val['type'];
 		$size  = $val['css'];
-
+		
 		// Convert var to be able to share same code than showOutputField of extrafields
 		if (preg_match('/varchar\((\d+)\)/', $type, $reg))
 		{
@@ -6047,7 +6047,7 @@ abstract class CommonObject
 	{
 		if(is_array($info))
 		{
-			if(isset($info['type']) && ($info['type']=='int' || $info['type']=='integer' )) return true;
+			if(isset($info['type']) && ($info['type']=='int' || preg_match('/^integer/i',$info['type']) ) ) return true;
 			else return false;
 		}
 		else return false;