Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Merge branch '7.0' of git@github.com:Dolibarr/dolibarr.git into develop

Browse Source 
Conflicts:
	htdocs/admin/company.php
This commit is contained in:
Laurent Destailleur
2018-04-07 12:30:30 +02:00
parent d5089f2099 15c7bbf9d8
commit d46a8eb8f0
15 changed files with 179 additions and 156 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
htdocs/admin/company.php
View File

@@ -80,7 +80,7 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha'))
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_ZIP", GETPOST("zipcode",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_STATE", GETPOST("state_id",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_REGION", GETPOST("region_code",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_MONNAIE", GETPOST("currency",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_MONNAIE", GETPOST("currency",'aZ09'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_TEL", GETPOST("tel",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FAX", GETPOST("fax",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MAIL", GETPOST("mail",'alpha'),'chaine',0,'',$conf->entity);
@@ -156,26 +156,26 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha'))
}
}
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MANAGERS", GETPOST("MAIN_INFO_SOCIETE_MANAGERS",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_CAPITAL", GETPOST("capital",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FORME_JURIDIQUE", GETPOST("forme_juridique_code",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SIREN", GETPOST("siren",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SIRET", GETPOST("siret",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_APE", GETPOST("ape",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_RCS", GETPOST("rcs",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_PROFID5", GETPOST("MAIN_INFO_PROFID5",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_PROFID6", GETPOST("MAIN_INFO_PROFID6",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MANAGERS", GETPOST("MAIN_INFO_SOCIETE_MANAGERS",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_CAPITAL", GETPOST("capital",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FORME_JURIDIQUE", GETPOST("forme_juridique_code",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SIREN", GETPOST("siren",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SIRET", GETPOST("siret",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_APE", GETPOST("ape",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_RCS", GETPOST("rcs",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_PROFID5", GETPOST("MAIN_INFO_PROFID5",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_PROFID6", GETPOST("MAIN_INFO_PROFID6",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_TVAINTRA", GETPOST("tva",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_TVAINTRA", GETPOST("tva",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_OBJECT", GETPOST("object",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "SOCIETE_FISCAL_MONTH_START", GETPOST("SOCIETE_FISCAL_MONTH_START",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "SOCIETE_FISCAL_MONTH_START", GETPOST("SOCIETE_FISCAL_MONTH_START",'int'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "FACTURE_TVAOPTION", GETPOST("optiontva",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "FACTURE_TVAOPTION", GETPOST("optiontva",'aZ09'),'chaine',0,'',$conf->entity);
// Local taxes
dolibarr_set_const($db, "FACTURE_LOCAL_TAX1_OPTION", GETPOST("optionlocaltax1",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "FACTURE_LOCAL_TAX2_OPTION", GETPOST("optionlocaltax2",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "FACTURE_LOCAL_TAX1_OPTION", GETPOST("optionlocaltax1",'aZ09'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "FACTURE_LOCAL_TAX2_OPTION", GETPOST("optionlocaltax2",'aZ09'),'chaine',0,'',$conf->entity);
if($_POST["optionlocaltax1"]=="localtax1on")
{
@@ -185,9 +185,9 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha'))
}
else
{
dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX1", GETPOST('lt1','alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX1", GETPOST('lt1','aZ09'),'chaine',0,'',$conf->entity);
}
dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC1", GETPOST("clt1",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC1", GETPOST("clt1",'aZ09'),'chaine',0,'',$conf->entity);
}
if($_POST["optionlocaltax2"]=="localtax2on")
{
@@ -197,9 +197,9 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha'))
}
else
{
dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX2", GETPOST('lt2','alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX2", GETPOST('lt2','aZ09'),'chaine',0,'',$conf->entity);
}
dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC2", GETPOST("clt2",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC2", GETPOST("clt2",'aZ09'),'chaine',0,'',$conf->entity);
}
if ($action != 'updateedit' && ! $error)
@@ -415,7 +415,7 @@ if ($action == 'edit' || $action == 'updateedit')
// IDs of the company (country-specific)
print '<table class="noborder" width="100%">';
print '<tr class="liste_titre"><td>'.$langs->trans("CompanyIds").'</td><td>'.$langs->trans("Value").'</td></tr>';
print '<tr class="liste_titre"><td class="titlefield">'.$langs->trans("CompanyIds").'</td><td>'.$langs->trans("Value").'</td></tr>';
$langs->load("companies");
@@ -568,7 +568,7 @@ if ($action == 'edit' || $action == 'updateedit')
print '<br>';
print '<table class="noborder" width="100%">';
print '<tr class="liste_titre">';
print '<td class="titlefield">'.$langs->trans("VATManagement").'</td><td>'.$langs->trans("Description").'</td>';
print '<td width="140">'.$langs->trans("VATManagement").'</td><td>'.$langs->trans("Description").'</td>';
print '<td align="right">&nbsp;</td>';
print "</tr>\n";
@@ -601,7 +601,7 @@ if ($action == 'edit' || $action == 'updateedit')
print '<br>';
print '<table class="noborder" width="100%">';
print '<tr class="liste_titre">';
print '<td>'.$langs->transcountry("LocalTax1Management",$mysoc->country_code).'</td><td>'.$langs->trans("Description").'</td>';
print '<td width="140">'.$langs->transcountry("LocalTax1Management",$mysoc->country_code).'</td><td>'.$langs->trans("Description").'</td>';
print '<td align="right">&nbsp;</td>';
print "</tr>\n";

4
htdocs/comm/action/class/api_agendaevents.class.php
View File

@@ -115,12 +115,16 @@ class AgendaEvents extends DolibarrApi
// If the internal user must only see his customers, force searching by him
$search_sale = 0;
if (! DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) $search_sale = DolibarrApiAccess::$user->id;
if (empty($conf->societe->enabled)) $search_sale = 0; // If module thirdparty not enabled, sale representative is something that does not exists
$sql = "SELECT t.id as rowid";
if (! empty($conf->societe->enabled))
if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql .= ", sc.fk_soc, sc.fk_user"; // We need these fields in order to filter by sale (including the case where the user can only see his prospects)
$sql.= " FROM ".MAIN_DB_PREFIX."actioncomm as t";
if (! empty($conf->societe->enabled))
if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; // We need this table joined to the select in order to filter by sale
$sql.= ' WHERE t.entity IN ('.getEntity('agenda').')';
if (! empty($conf->societe->enabled))
if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql.= " AND t.fk_soc = sc.fk_soc";
if ($user_ids) $sql.=" AND t.fk_user_action IN (".$user_ids.")";
if ($socid > 0) $sql.= " AND t.fk_soc = ".$socid;

9
htdocs/comm/action/list.php
View File

@@ -234,7 +234,7 @@ $sql.= ' a.fk_user_author,a.fk_user_action,';
$sql.= " a.fk_contact, a.note, a.percent as percent,";
$sql.= " a.fk_element, a.elementtype,";
$sql.= " c.code as type_code, c.libelle as type_label,";
$sql.= " sp.lastname, sp.firstname";
$sql.= " sp.lastname, sp.firstname, sp.email, sp.phone, sp.address, sp.phone as phone_pro, sp.phone_mobile, sp.phone_perso, sp.fk_pays as country_id";
// Add fields from extrafields
foreach ($extrafields->attribute_label as $key => $val) $sql.=($extrafields->attribute_type[$key] != 'separate' ? ",ef.".$key.' as options_'.$key : '');
$sql.= " FROM ".MAIN_DB_PREFIX."actioncomm as a";
@@ -602,9 +602,14 @@ if ($resql)
print '<td>';
if ($obj->fk_contact > 0)
{
$contactstatic->id=$obj->fk_contact;
$contactstatic->email=$obj->email;
$contactstatic->lastname=$obj->lastname;
$contactstatic->firstname=$obj->firstname;
$contactstatic->id=$obj->fk_contact;
$contactstatic->phone_pro=$obj->phone_pro;
$contactstatic->phone_mobile=$obj->phone_mobile;
$contactstatic->phone_perso=$obj->phone_perso;
$contactstatic->country_id=$obj->country_id;
print $contactstatic->getNomUrl(1,'',28);
}
else

26
htdocs/compta/bank/transfer.php
View File

@@ -49,8 +49,8 @@ if ($action == 'add')
$dateo = dol_mktime(12,0,0,GETPOST('remonth','int'),GETPOST('reday','int'),GETPOST('reyear','int'));
$label = GETPOST('label','alpha');
$amount= GETPOST('amount');
$amountto= GETPOST('amountto');
$amount= GETPOST('amount','alpha');
$amountto= GETPOST('amountto','alpha');
if (! $label)
{
@@ -125,7 +125,7 @@ if ($action == 'add')
if (! $error)
{
$mesgs = $langs->trans("TransferFromToDone",'<a href="bankentries_list.php?id='.$accountfrom->id.'&sortfield=b.datev,b.dateo,b.rowid&sortorder=desc">'.$accountfrom->label."</a>",'<a href="bankentries_list.php?id='.$accountto->id.'">'.$accountto->label."</a>",$amount,$langs->transnoentities("Currency".$conf->currency));
$mesgs = $langs->trans("TransferFromToDone", '<a href="bankentries_list.php?id='.$accountfrom->id.'&sortfield=b.datev,b.dateo,b.rowid&sortorder=desc">'.$accountfrom->label."</a>", '<a href="bankentries_list.php?id='.$accountto->id.'">'.$accountto->label."</a>", $amount, $langs->transnoentities("Currency".$conf->currency));
setEventMessages($mesgs, null, 'mesgs');
$db->commit();
}
@@ -153,6 +153,12 @@ llxHeader();
print ' <script type="text/javascript">
$(document).ready(function () {
$(".selectbankaccount").change(function() {
console.log("We change bank account");
init_page();
});
function init_page() {
console.log("Set fields according to currency");
var account1 = $("#selectaccount_from").val();
var account2 = $("#selectaccount_to").val();
var currencycode1="";
@@ -199,7 +205,9 @@ print ' <script type="text/javascript">
}).fail(function( data ) {
console.error("Error: has returned an empty page. Should be an empty json array.");
});
});
}
init_page();
});
</script>';
@@ -210,12 +218,12 @@ $account_to='';
$label='';
$amount='';
if($error)
if ($error)
{
$account_from = GETPOST('account_from','int');
$account_to = GETPOST('account_to','int');
$label = GETPOST('label','alpha');
$amount = GETPOST('amount','int');
$amount = GETPOST('amount','alpha');
}
print load_fiche_titre($langs->trans("MenuBankInternalTransfer"), '', 'title_bank.png');
@@ -246,9 +254,9 @@ print "</td>\n";
print "<td>";
$form->select_date((! empty($dateo)?$dateo:''),'','','','','add');
print "</td>\n";
print '<td><input name="label" class="flat quatrevingtpercent" type="text" value="'.$label.'"></td>';
print '<td><input name="amount" class="flat" type="text" size="6" value="'.$amount.'"></td>';
print '<td style="display:none" class="multicurrency"><input name="amountto" class="flat" type="text" size="6" value="'.$amountto.'"></td>';
print '<td><input name="label" class="flat quatrevingtpercent" type="text" value="'.dol_escape_htmltag($label).'"></td>';
print '<td><input name="amount" class="flat" type="text" size="6" value="'.dol_escape_htmltag($amount).'"></td>';
print '<td style="display:none" class="multicurrency"><input name="amountto" class="flat" type="text" size="6" value="'.dol_escape_htmltag($amountto).'"></td>';
print "</table>";

68
htdocs/contact/card.php
View File

@@ -176,26 +176,26 @@ if (empty($reshook))
$object->entity = (GETPOSTISSET('entity')?GETPOST('entity', 'int'):$conf->entity);
$object->socid = GETPOST("socid",'int');
$object->lastname = GETPOST("lastname");
$object->firstname = GETPOST("firstname");
$object->lastname = GETPOST("lastname",'alpha');
$object->firstname = GETPOST("firstname",'alpha');
$object->civility_id = GETPOST("civility_id",'alpha');
$object->poste = GETPOST("poste");
$object->address = GETPOST("address");
$object->zip = GETPOST("zipcode");
$object->town = GETPOST("town");
$object->poste = GETPOST("poste",'alpha');
$object->address = GETPOST("address",'alpha');
$object->zip = GETPOST("zipcode",'alpha');
$object->town = GETPOST("town",'alpha');
$object->country_id = GETPOST("country_id",'int');
$object->state_id = GETPOST("state_id",'int');
$object->skype = GETPOST("skype");
$object->skype = GETPOST("skype",'alpha');
$object->email = GETPOST("email",'alpha');
$object->phone_pro = GETPOST("phone_pro");
$object->phone_perso = GETPOST("phone_perso");
$object->phone_mobile = GETPOST("phone_mobile");
$object->fax = GETPOST("fax");
$object->phone_pro = GETPOST("phone_pro",'alpha');
$object->phone_perso = GETPOST("phone_perso",'alpha');
$object->phone_mobile = GETPOST("phone_mobile",'alpha');
$object->fax = GETPOST("fax",'alpha');
$object->jabberid = GETPOST("jabberid",'alpha');
$object->no_email = GETPOST("no_email",'int');
$object->priv = GETPOST("priv",'int');
$object->note_public = GETPOST("note_public");
$object->note_private = GETPOST("note_private");
$object->note_public = GETPOST("note_public",'none');
$object->note_private = GETPOST("note_private",'none');
$object->statut = 1; //Defult status to Actif
// Note: Correct date should be completed with location to have exact GM time of birth.
@@ -340,33 +340,33 @@ if (empty($reshook))
$object->oldcopy = clone $object;
$object->old_lastname = GETPOST("old_lastname");
$object->old_firstname = GETPOST("old_firstname");
$object->old_lastname = GETPOST("old_lastname",'alpha');
$object->old_firstname = GETPOST("old_firstname",'alpha');
$object->socid = GETPOST("socid",'int');
$object->lastname = GETPOST("lastname");
$object->firstname = GETPOST("firstname");
$object->lastname = GETPOST("lastname",'alpha');
$object->firstname = GETPOST("firstname",'alpha');
$object->civility_id = GETPOST("civility_id",'alpha');
$object->poste = GETPOST("poste");
$object->poste = GETPOST("poste",'alpha');
$object->address = GETPOST("address");
$object->zip = GETPOST("zipcode");
$object->town = GETPOST("town");
$object->address = GETPOST("address",'alpha');
$object->zip = GETPOST("zipcode",'alpha');
$object->town = GETPOST("town",'alpha');
$object->state_id = GETPOST("state_id",'int');
$object->fk_departement = GETPOST("state_id",'int'); // For backward compatibility
$object->country_id = GETPOST("country_id",'int');
$object->email = GETPOST("email",'alpha');
$object->skype = GETPOST("skype",'alpha');
$object->phone_pro = GETPOST("phone_pro");
$object->phone_perso = GETPOST("phone_perso");
$object->phone_mobile = GETPOST("phone_mobile");
$object->fax = GETPOST("fax");
$object->phone_pro = GETPOST("phone_pro",'alpha');
$object->phone_perso = GETPOST("phone_perso",'alpha');
$object->phone_mobile = GETPOST("phone_mobile",'alpha');
$object->fax = GETPOST("fax",'alpha');
$object->jabberid = GETPOST("jabberid",'alpha');
$object->no_email = GETPOST("no_email",'int');
$object->priv = GETPOST("priv",'int');
$object->note_public = GETPOST("note_public");
$object->note_private = GETPOST("note_private");
$object->note_public = GETPOST("note_public",'none');
$object->note_private = GETPOST("note_private",'none');
// Fill array 'array_options' with data from add form
$ret = $extrafields->setOptionalsFromPost($extralabels,$object);
@@ -541,9 +541,9 @@ else
// Name
print '<tr><td class="titlefieldcreate fieldrequired"><label for="lastname">'.$langs->trans("Lastname").' / '.$langs->trans("Label").'</label></td>';
print '<td><input name="lastname" id="lastname" type="text" class="maxwidth100onsmartphone" maxlength="80" value="'.dol_escape_htmltag(GETPOST("lastname")?GETPOST("lastname"):$object->lastname).'" autofocus="autofocus"></td>';
print '<td><input name="lastname" id="lastname" type="text" class="maxwidth100onsmartphone" maxlength="80" value="'.dol_escape_htmltag(GETPOST("lastname",'alpha')?GETPOST("lastname",'alpha'):$object->lastname).'" autofocus="autofocus"></td>';
print '<td><label for="firstname">'.$langs->trans("Firstname").'</label></td>';
print '<td><input name="firstname" id="firstname"type="text" class="maxwidth100onsmartphone" maxlength="80" value="'.dol_escape_htmltag(GETPOST("firstname")?GETPOST("firstname"):$object->firstname).'"></td></tr>';
print '<td><input name="firstname" id="firstname"type="text" class="maxwidth100onsmartphone" maxlength="80" value="'.dol_escape_htmltag(GETPOST("firstname",'alpha')?GETPOST("firstname",'alpha'):$object->firstname).'"></td></tr>';
// Company
if (empty($conf->global->SOCIETE_DISABLE_CONTACTS))
@@ -595,8 +595,8 @@ else
if (($objsoc->typent_code == 'TE_PRIVATE' || ! empty($conf->global->CONTACT_USE_COMPANY_ADDRESS)) && dol_strlen(trim($object->zip)) == 0) $object->zip = $objsoc->zip; // Predefined with third party
if (($objsoc->typent_code == 'TE_PRIVATE' || ! empty($conf->global->CONTACT_USE_COMPANY_ADDRESS)) && dol_strlen(trim($object->town)) == 0) $object->town = $objsoc->town; // Predefined with third party
print '<tr><td><label for="zipcode">'.$langs->trans("Zip").'</label> / <label for="town">'.$langs->trans("Town").'</label></td><td colspan="'.$colspan.'" class="maxwidthonsmartphone">';
print $formcompany->select_ziptown((GETPOST("zipcode")?GETPOST("zipcode"):$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6).'&nbsp;';
print $formcompany->select_ziptown((GETPOST("town")?GETPOST("town"):$object->town),'town',array('zipcode','selectcountry_id','state_id'));
print $formcompany->select_ziptown((GETPOST("zipcode",'alpha')?GETPOST("zipcode",'alpha'):$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6).'&nbsp;';
print $formcompany->select_ziptown((GETPOST("town",'alpha')?GETPOST("town",'alpha'):$object->town),'town',array('zipcode','selectcountry_id','state_id'));
print '</td></tr>';
// Country
@@ -644,7 +644,7 @@ else
// EMail
if (($objsoc->typent_code == 'TE_PRIVATE' || ! empty($conf->global->CONTACT_USE_COMPANY_ADDRESS)) && dol_strlen(trim($object->email)) == 0) $object->email = $objsoc->email; // Predefined with third party
print '<tr><td><label for="email">'.$langs->trans("Email").'</label></td>';
print '<td><input name="email" id="email" type="text" class="maxwidth100onsmartphone" value="'.(GETPOST("email",'alpha')?GETPOST("email",'alpha'):$object->email).'"></td>';
print '<td><input name="email" id="email" type="text" class="maxwidth100onsmartphone" value="'.dol_escape_htmltag(GETPOST("email",'alpha')?GETPOST("email",'alpha'):$object->email).'"></td>';
if (! empty($conf->mailing->enabled))
{
print '<td><label for="no_email">'.$langs->trans("No_Email").'</label></td>';
@@ -658,13 +658,13 @@ else
// Instant message and no email
print '<tr><td><label for="jabberid">'.$langs->trans("IM").'</label></td>';
print '<td colspan="3"><input name="jabberid" id="jabberid" type="text" class="minwidth100" maxlength="80" value="'.(GETPOST("jabberid",'alpha')?GETPOST("jabberid",'alpha'):$object->jabberid).'"></td></tr>';
print '<td colspan="3"><input name="jabberid" id="jabberid" type="text" class="minwidth100" maxlength="80" value="'.dol_escape_htmltag(GETPOST("jabberid",'alpha')?GETPOST("jabberid",'alpha'):$object->jabberid).'"></td></tr>';
// Skype
if (! empty($conf->skype->enabled))
{
print '<tr><td><label for="skype">'.$langs->trans("Skype").'</label></td>';
print '<td colspan="3"><input name="skype" id="skype" type="text" class="minwidth100" maxlength="80" value="'.(GETPOST("skype",'alpha')?GETPOST("skype",'alpha'):$object->skype).'"></td></tr>';
print '<td colspan="3"><input name="skype" id="skype" type="text" class="minwidth100" maxlength="80" value="'.dol_escape_htmltag(GETPOST("skype",'alpha')?GETPOST("skype",'alpha'):$object->skype).'"></td></tr>';
}
// Visibility

2
htdocs/core/actions_linkedfiles.inc.php
View File

@@ -27,7 +27,7 @@
// Submit file/link
if (GETPOST('sendit','none') && ! empty($conf->global->MAIN_UPLOAD_DOC))
if (GETPOST('sendit','alpha') && ! empty($conf->global->MAIN_UPLOAD_DOC))
{
if (! empty($_FILES))
{

4
htdocs/core/lib/functions.lib.php
View File

@@ -545,10 +545,10 @@ function GETPOST($paramname, $check='none', $method=0, $filter=NULL, $options=NU
case 'array':
if (! is_array($out) || empty($out)) $out=array();
break;
case 'nohtml':
case 'nohtml': // Recommended for most scalar parameters
$out=dol_string_nohtmltag($out, 0);
break;
case 'alphanohtml': // Recommended for search params
case 'alphanohtml': // Recommended for search parameters
if (! is_array($out))
{
$out=trim($out);

8
htdocs/expensereport/list.php
View File

@@ -73,7 +73,7 @@ $search_user = GETPOST('search_user','int');
$search_amount_ht = GETPOST('search_amount_ht','alpha');
$search_amount_vat = GETPOST('search_amount_vat','alpha');
$search_amount_ttc = GETPOST('search_amount_ttc','alpha');
$search_status = (GETPOST('search_status','alpha')!=''?GETPOST('search_status','alpha'):GETPOST('statut','alpha'));
$search_status = (GETPOST('search_status','intcomma')!=''?GETPOST('search_status','intcomma'):GETPOST('statut','intcomma'));
$month_start = GETPOST("month_start","int");
$year_start = GETPOST("year_start","int");
$month_end = GETPOST("month_end","int");
@@ -304,11 +304,7 @@ if ($search_amount_ttc != '') $sql.= natural_search('d.total_ttc', $search_amoun
// User
if ($search_user != '' && $search_user >= 0) $sql.= " AND u.rowid = '".$db->escape($search_user)."'";
// Status
if ($search_status != '' && $search_status >= 0)
{
if (strstr($search_status, ',')) $sql.=" AND d.fk_statut IN (".$db->escape($search_status).")";
else $sql.=" AND d.fk_statut = ".$search_status;
}
if ($search_status != '' && $search_status >= 0) $sql.=" AND d.fk_statut IN (".$db->escape($search_status).")";
// RESTRICT RIGHTS
if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous)
&& (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || empty($user->rights->expensereport->writeall_advance)))

16
htdocs/filefunc.inc.php
View File

@@ -151,14 +151,24 @@ if (empty($dolibarr_strict_mode)) $dolibarr_strict_mode=0; // For debug in php s
// Note about $_SERVER[HTTP_HOST/SERVER_NAME]: http://shiflett.org/blog/2006/mar/server-name-versus-http-host
if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck))
{
if (! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST'])
&& (empty($_SERVER['HTTP_REFERER']) || ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER'])))
if (! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST']))
{
//print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
$csrfattack=false;
if (empty($_SERVER['HTTP_REFERER'])) $csrfattack=true; // An evil browser was used
else
{
$tmpa=parse_url($_SERVER['HTTP_HOST']);
$tmpb=parse_url($_SERVER['HTTP_REFERER']);
if ((empty($tmpa['host'])?$tmpa['path']:$tmpa['host']) != (empty($tmpb['host'])?$tmpb['path']:$tmpb['host'])) $csrfattack=true;
}
if ($csrfattack)
{
//print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_HOST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
print "Access refused by CSRF protection in main.inc.php. Referer of form is outside server that serve the POST.\n";
print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n";
die;
}
}
// Another test is done later on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on.
}
if (empty($dolibarr_main_db_host))

4
htdocs/holiday/list.php
View File

@@ -85,7 +85,7 @@ if (! $sortorder) $sortorder="DESC";
$sall = trim((GETPOST('search_all', 'alphanohtml')!='')?GETPOST('search_all', 'alphanohtml'):GETPOST('sall', 'alphanohtml'));
$search_ref = GETPOST('search_ref','alpha');
$search_ref = GETPOST('search_ref','alphanohtml');
$search_day_create = GETPOST('search_day_create','int');
$search_month_create = GETPOST('search_month_create','int');
$search_year_create = GETPOST('search_year_create','int');
@@ -185,7 +185,7 @@ $order = $db->order($sortfield,$sortorder).$db->plimit($limit + 1, $offset);
// Ref
if(!empty($search_ref))
{
$filter.= " AND cp.rowid = ".$db->escape($search_ref);
$filter.= " AND cp.rowid = ".(int) $db->escape($search_ref);
}
// Start date

17
htdocs/main.inc.php
View File

@@ -73,7 +73,7 @@ if (function_exists('get_magic_quotes_gpc')) // magic_quotes_* deprecated in PHP
*
* @param string $val Value
* @param string $type 1=GET, 0=POST, 2=PHP_SELF
* @return int >0 if there is an injection
* @return int >0 if there is an injection, 0 if none
*/
function test_sql_and_script_inject($val, $type)
{
@@ -101,6 +101,7 @@ function test_sql_and_script_inject($val, $type)
// More on https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
$inj += preg_match('/<script/i', $val);
$inj += preg_match('/<iframe/i', $val);
$inj += preg_match('/<audio/i', $val);
$inj += preg_match('/Set\.constructor/i', $val); // ECMA script 6
if (! defined('NOSTYLECHECK')) $inj += preg_match('/<style/i', $val);
$inj += preg_match('/base[\s]+href/si', $val);
@@ -108,6 +109,7 @@ function test_sql_and_script_inject($val, $type)
$inj += preg_match('/onerror\s*=/i', $val); // onerror can be set on img or any html tag like <img title='...' onerror = alert(1)>
$inj += preg_match('/onfocus\s*=/i', $val); // onfocus can be set on input text html tag like <input type='text' value='...' onfocus = alert(1)>
$inj += preg_match('/onload\s*=/i', $val); // onload can be set on svg tag <svg/onload=alert(1)> or other tag like body <body onload=alert(1)>
$inj += preg_match('/onloadstart\s*=/i', $val); // onload can be set on audio tag <audio onloadstart=alert(1)>
$inj += preg_match('/onclick\s*=/i', $val); // onclick can be set on img text html tag like <img onclick = alert(1)>
$inj += preg_match('/onscroll\s*=/i', $val); // onscroll can be on textarea
//$inj += preg_match('/on[A-Z][a-z]+\*=/', $val); // To lock event handlers onAbort(), ...
@@ -128,17 +130,17 @@ function test_sql_and_script_inject($val, $type)
*
* @param string $var Variable name
* @param string $type 1=GET, 0=POST, 2=PHP_SELF
* @return boolean||null true if there is an injection. Stop code if injection found.
* @return boolean|null true if there is no injection. Stop code if injection found.
*/
function analyseVarsForSqlAndScriptsInjection(&$var, $type)
{
if (is_array($var))
{
foreach ($var as $key => $value)
foreach ($var as $key => $value) // Warning, $key may also be used for attacks
{
if (analyseVarsForSqlAndScriptsInjection($value,$type))
if (analyseVarsForSqlAndScriptsInjection($key, $type) && analyseVarsForSqlAndScriptsInjection($value, $type))
{
$var[$key] = $value;
//$var[$key] = $value; // This is useless
}
else
{
@@ -150,7 +152,7 @@ function analyseVarsForSqlAndScriptsInjection(&$var, $type)
}
else
{
return (test_sql_and_script_inject($var,$type) <= 0);
return (test_sql_and_script_inject($var, $type) <= 0);
}
}
@@ -351,7 +353,8 @@ if (! defined('NOTOKENRENEWAL'))
$token = dol_hash(uniqid(mt_rand(),TRUE)); // Generates a hash of a random number
$_SESSION['newtoken'] = $token;
}
if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN)) // Check validity of token, only if option enabled (this option breaks some features sometimes)
if ((! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN))
|| defined('CSRFCHECK_WITH_TOKEN')) // Check validity of token, only if option MAIN_SECURITY_CSRF_WITH_TOKEN enabled or if constant CSRFCHECK_WITH_TOKEN is set
{
if ($_SERVER['REQUEST_METHOD'] == 'POST' && ! GETPOST('token','alpha')) // Note, offender can still send request by GET
{

33
htdocs/product/card.php
View File

@@ -1310,12 +1310,16 @@ else
print '</td></tr>';
// Batch number managment
if ($conf->productbatch->enabled) {
if ($conf->productbatch->enabled)
{
if ($object->isProduct() || ! empty($conf->global->STOCK_SUPPORTS_SERVICES))
{
print '<tr><td>'.$langs->trans("ManageLotSerial").'</td><td colspan="3">';
$statutarray=array('0' => $langs->trans("ProductStatusNotOnBatch"), '1' => $langs->trans("ProductStatusOnBatch"));
print $form->selectarray('status_batch',$statutarray,$object->status_batch);
print '</td></tr>';
}
}
// Barcode
$showbarcode=empty($conf->barcode->enabled)?0:1;
@@ -1406,7 +1410,6 @@ else
print '<input name="duration_unit" type="radio" value="m"'.($object->duration_unit=='m'?' checked':'').'>'.$langs->trans("Month");
print '&nbsp; ';
print '<input name="duration_unit" type="radio" value="y"'.($object->duration_unit=='y'?' checked':'').'>'.$langs->trans("Year");
print '</td></tr>';
}
else
@@ -1733,28 +1736,11 @@ else
}
print '</td></tr>';
// Status (to sell)
/*
print '<tr><td>'.$langs->trans("Status").' ('.$langs->trans("Sell").')</td><td colspan="2">';
if (! empty($conf->use_javascript_ajax) && $user->rights->produit->creer && ! empty($conf->global->MAIN_DIRECT_STATUS_UPDATE)) {
print ajax_object_onoff($object, 'status', 'tosell', 'ProductStatusOnSell', 'ProductStatusNotOnSell');
} else {
print $object->getLibStatut(2,0);
}
print '</td></tr>';
// Status (to buy)
print '<tr><td>'.$langs->trans("Status").' ('.$langs->trans("Buy").')</td><td colspan="2">';
if (! empty($conf->use_javascript_ajax) && $user->rights->produit->creer && ! empty($conf->global->MAIN_DIRECT_STATUS_UPDATE)) {
print ajax_object_onoff($object, 'status_buy', 'tobuy', 'ProductStatusOnBuy', 'ProductStatusNotOnBuy');
} else {
print $object->getLibStatut(2,1);
}
print '</td></tr>';
*/
// Batch number management (to batch)
if (! empty($conf->productbatch->enabled)) {
if (! empty($conf->productbatch->enabled))
{
if ($object->isProduct() || ! empty($conf->global->STOCK_SUPPORTS_SERVICES))
{
print '<tr><td>'.$langs->trans("ManageLotSerial").'</td><td colspan="2">';
if (! empty($conf->use_javascript_ajax) && $usercancreate && ! empty($conf->global->MAIN_DIRECT_STATUS_UPDATE)) {
print ajax_object_onoff($object, 'status_batch', 'tobatch', 'ProductStatusOnBatch', 'ProductStatusNotOnBatch');
@@ -1763,6 +1749,7 @@ else
}
print '</td></tr>';
}
}
// Description
print '<tr><td class="tdtop">'.$langs->trans("Description").'</td><td colspan="2">'.(dol_textishtml($object->description)?$object->description:dol_nl2br($object->description,1,true)).'</td></tr>';

14
htdocs/projet/card.php
View File

@@ -1047,13 +1047,23 @@ elseif ($object->id > 0)
jQuery("#divtocloseproject").hide();
}
/* Change percent of default percent of new status is higher */
if (parseFloat(jQuery("#opp_percent").val()) != parseFloat(defaultpercent))
/* Change percent with default percent (defaultpercent) if new status (defaultpercent) is higher than current (jQuery("#opp_percent").val()) */
console.log("oldpercent="+oldpercent);
if (oldpercent != \'\' && (parseFloat(defaultpercent) < parseFloat(oldpercent)))
{
if (jQuery("#opp_percent").val() != \'\' && oldpercent != \'\') jQuery("#oldopppercent").text(\' - '.dol_escape_js($langs->transnoentities("PreviousValue")).': \'+oldpercent+\' %\');
if (parseFloat(oldpercent) != 100) { jQuery("#opp_percent").val(oldpercent); }
else { jQuery("#opp_percent").val(defaultpercent); }
}
else
{
if ((parseFloat(jQuery("#opp_percent").val()) < parseFloat(defaultpercent)));
{
if (jQuery("#opp_percent").val() != \'\' && oldpercent != \'\') jQuery("#oldopppercent").text(\' - '.dol_escape_js($langs->transnoentities("PreviousValue")).': \'+oldpercent+\' %\');
jQuery("#opp_percent").val(defaultpercent);
}
}
}
jQuery("#opp_status").change(function() {
change_percent();

18
htdocs/public/opensurvey/studs.php
View File

@@ -60,18 +60,18 @@ $nbcolonnes = substr_count($object->sujet, ',') + 1;
$listofvoters=explode(',',$_SESSION["savevoter"]);
// Add comment
if (GETPOST('ajoutcomment'))
if (GETPOST('ajoutcomment','alpha'))
{
if (!$canbemodified) accessforbidden();
$error=0;
if (! GETPOST('comment'))
if (! GETPOST('comment','none'))
{
$error++;
setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Comment")), null, 'errors');
}
if (! GETPOST('commentuser'))
if (! GETPOST('commentuser','nohtml'))
{
$error++;
setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("User")), null, 'errors');
@@ -79,8 +79,8 @@ if (GETPOST('ajoutcomment'))
if (! $error)
{
$comment = GETPOST("comment");
$comment_user = GETPOST('commentuser');
$comment = GETPOST("comment",'none');
$comment_user = GETPOST('commentuser','nohtml');
$resql = $object->addComment($comment, $comment_user);
@@ -94,7 +94,7 @@ if (GETPOST("boutonp") || GETPOST("boutonp.x") || GETPOST("boutonp_x")) // bout
if (!$canbemodified) accessforbidden();
//Si le nom est bien entré
if (GETPOST('nom'))
if (GETPOST('nom','nohtml'))
{
$nouveauchoix = '';
for ($i=0;$i<$nbcolonnes;$i++)
@@ -112,7 +112,7 @@ if (GETPOST("boutonp") || GETPOST("boutonp.x") || GETPOST("boutonp_x")) // bout
}
}
$nom=substr(GETPOST("nom"),0,64);
$nom=substr(GETPOST("nom",'nohtml'),0,64);
// Check if vote already exists
$sql = 'SELECT id_users, nom as name';
@@ -739,9 +739,9 @@ if ($comments)
if ($object->allow_comments) {
print '<div class="addcomment">' .$langs->trans("AddACommentForPoll") . "<br>\n";
print '<textarea name="comment" rows="'.ROWS_2.'" class="quatrevingtpercent"></textarea><br>'."\n";
print '<textarea name="comment" rows="'.ROWS_2.'" class="quatrevingtpercent">'.dol_escape_htmltag(GETPOST('comment','none')).'</textarea><br>'."\n";
print $langs->trans("Name") .': ';
print '<input type="text" name="commentuser" maxlength="64" /> &nbsp; '."\n";
print '<input type="text" name="commentuser" maxlength="64" value="'.GETPOST('commentuser','nohtml').'"> &nbsp; '."\n";
print '<input type="submit" class="button" name="ajoutcomment" value="'.dol_escape_htmltag($langs->trans("AddComment")).'"><br>'."\n";
print '</form>'."\n";

20
htdocs/user/group/card.php
View File

@@ -112,9 +112,9 @@ if (empty($reshook)) {
setEventMessages($langs->trans("NameNotDefined"), null, 'errors');
$action="create"; // Go back to create page
} else {
$object->nom = trim($_POST["nom"]); // For backward compatibility
$object->name = trim($_POST["nom"]);
$object->note = trim($_POST["note"]);
$object->name = trim(GETPOST("nom",'nohtml'));
$object->nom = $object->name; // For backward compatibility
$object->note = trim(GETPOST("note",'none'));
// Fill array 'array_options' with data from add form
$ret = $extrafields->setOptionalsFromPost($extralabels,$object);
@@ -195,9 +195,9 @@ if (empty($reshook)) {
$object->oldcopy = clone $object;
$object->name = trim($_POST["group"]);
$object->name = trim(GETPOST("group",'nohtml'));
$object->nom = $object->name; // For backward compatibility
$object->note = dol_htmlcleanlastbr($_POST["note"]);
$object->note = dol_htmlcleanlastbr(GETPOST("note",'none'));
// Fill array 'array_options' with data from add form
$ret = $extrafields->setOptionalsFromPost($extralabels,$object);
@@ -260,7 +260,7 @@ if ($action == 'create')
print "<tr>";
print '<td class="fieldrequired titlefield">'.$langs->trans("Name").'</td>';
print '<td><input type="text" id="nom" name="nom" value="'.GETPOST('nom','alpha').'"></td></tr>';
print '<td><input type="text" id="nom" name="nom" value="'.dol_escape_htmltag(GETPOST('nom','nohtml')).'"></td></tr>';
// Multicompany
if (! empty($conf->multicompany->enabled) && is_object($mc))
@@ -343,7 +343,7 @@ else
if (! empty($conf->mutlicompany->enabled))
{
print '<tr><td class="titlefield">'.$langs->trans("Name").'</td>';
print '<td class="valeur">'.$object->name;
print '<td class="valeur">'.dol_escape_htmltag($object->name);
if (empty($object->entity))
{
print img_picto($langs->trans("GlobalGroup"),'redstar');
@@ -356,7 +356,7 @@ else
{
$mc->getInfo($object->entity);
print "<tr>".'<td class="titlefield">'.$langs->trans("Entity").'</td>';
print '<td class="valeur">'.$mc->label;
print '<td class="valeur">'.dol_escape_htmltag($mc->label);
print "</td></tr>\n";
}
@@ -490,7 +490,7 @@ else
$genallowed = $user->rights->user->user->creer;
$delallowed = $user->rights->user->user->supprimer;
$somethingshown = $formfile->show_documents('usergroup', $filename, $filedir, $urlsource, $genallowed, $delallowed, $object->modelpdf, 1, 0, 0, 28, 0, '', 0, '', $soc->default_lang);
$somethingshown = $formfile->showdocuments('usergroup', $filename, $filedir, $urlsource, $genallowed, $delallowed, $object->modelpdf, 1, 0, 0, 28, 0, '', 0, '', $soc->default_lang);
// Show links to link elements
$linktoelem = $form->showLinkToObjectBlock($object, null, null);
@@ -520,7 +520,7 @@ else
print '<table class="border" width="100%">';
print '<tr><td class="titlefield fieldrequired">'.$langs->trans("Name").'</td>';
print '<td class="valeur"><input size="15" type="text" name="group" value="'.$object->name.'">';
print '<td class="valeur"><input class="minwidth300" type="text" name="group" value="'.dol_escape_htmltag($object->name).'">';
print "</td></tr>\n";
// Multicompany