From 67272dddd32224868dfcb55a54fab0803072f919 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 12 Feb 2024 12:26:47 +0100
Subject: [PATCH 1/6] Prepare 18.0.4
---
ChangeLog | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 66 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 32c5c901a25..f6333556481 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,72 @@ English Dolibarr ChangeLog -------------------------------------------------------------- +***** ChangeLog for 18.0.5 compared to 18.0.4 ***** +FIX: 17.0: deprecated field should only be a fallback +FIX: 17.0 - php8 warnings: test for $field existence before checking if it is null or empty +FIX: #24185: v18: display of the merged pdf lists +FIX: #26416 BOM_SUB_BOM blank page +FIX: #27166 +FIX: #27262 Recurrent invoice - user to string conversion +FIX: #27970 #26283 #27970 +FIX: Accountancy - Level 3 of binding not working on supplier side (#27462) +FIX: Accounting files export - Use th instead of td on all title columns (#28003) +FIX: add action update_extras to don card +FIX: Adding hooks init +FIX: Adding the $encode parrameter to recursive _replaceHtmlWithOdtTag() utilisation +FIX: add new hook context for mo production card (#28037) +FIX: avoid from re-initializing result on nested hook getEntity (#27799) +FIX: avoid sql error (issue #26342) +FIX: bad accountancy code autoselection for supplier ventilation +FIX: Bad visible status of proposal after reopen +FIX: Barcode header cell not well displayed +FIX: BarCode Header not well displayed +FIX: Bar code verification should be done by entity because generation does (#28087) +FIX: can edit reminders on past events +FIX: check parameter socid before cloning a customer proposal (#28085) +FIX: crabe PDF is generating in conf->entity instead of object->entity +FIX: CVE-2024-23817 (#28089) +FIX: disable pointer events on jQuery-UI tooltips to prevent a glitch (fast-blinking tooltip) +FIX: Error on emailreminder not reported +FIX: Fatal error converting object of class User to string (php8) +FIX: filter by entity on contact is missing +FIX: Fix supplier invoice security check +FIX: format of color in manifest is wrong when using a custom color +FIX: #GHSA-7947-48q7-cp5m +FIX: HTML injection vulnerability in Dolibarr Application Home Page +FIX: invoice add line save devise +FIX: Keep a link to enable a 
'always_enabled' module to solve pb. +FIX: label +FIX: line special_code never saved (#28051) +FIX: link to print when there is a search on multiselect fields +FIX: Menu Create of project no working on smartphone with no top menu. +FIX: missing $search_sale var (backport from v19) +FIX: Missing begin transaction when updating supplier recurring invoice +FIX: missing entity filter for check if period exists +FIX: more correctly parse the select part to be replaced in sql queries +FIX: MouvementStock::origin is not an object +FIX: notification information on intervention validated confirmation message (v17+) +FIX: not load all contacts by default when creating an event +FIX: port in Docker MailDev +FIX: propal use devise changes +FIX: public user photo not visible if $dolibarr_main_instance_unique_id +FIX: remove DISTINCT (backport from v19) +FIX: remove specific name from v19 +FIX: Retours PR +FIX: Return a better error message when token is not valid +FIX: search by ref & rowid in don list +FIX: search by thirdparty in don list +FIX: several names for one const THIRDPARTY_CAN_HAVE_CUSTOMER_CATEGORY_EVEN_IF_NOT_CUSTOMER_PROSPECT +FIX: SQL concatenation error +FIX: [TAKEPOS] display prices with or without taxes depending on setup (TAKEPOS_CHANGE_PRICE_HT) +FIX: Ternary operator condition is always true/false +FIX: too long output +FIX: Undefined property: Task::$fk_parent +FIX: uniformization to use "intervention" +FIX: Update loan.class.php (#27971) +FIX: update price extrafield on propal card +FIX: user filter in per user view of event list (#28049) +FIX: use the currency for propal signature page ***** ChangeLog for 18.0.4 compared to 18.0.3 ***** FIX: $this->newref already exists and could have been modified by trigger but we still use a local variable for the filesystem-based renaming From 1527dfc7c1439f5e4a492d441b6f26b89b1922ec Mon Sep 17 00:00:00 2001 
From: MDW Date: Mon, 12 Feb 2024 16:32:43 +0100 Subject: [PATCH 2/6] Qual: Correct spelling errors (#28135) # Qual: Correct spelling errors Fix new error in Changelog --- ChangeLog | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index f6333556481..821b8ac8c40 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,7 +14,7 @@ FIX: Accountancy - Level 3 of binding not working on supplier side (#27462) FIX: Accounting files export - Use th instead of td on all title columns (#28003) FIX: add action update_extras to don card FIX: Adding hooks init -FIX: Adding the $encode parrameter to recursive _replaceHtmlWithOdtTag() utilisation +FIX: Adding the $encode parameter to recursive _replaceHtmlWithOdtTag() utilisation FIX: add new hook context for mo production card (#28037) FIX: avoid from re-initializing result on nested hook getEntity (#27799) FIX: avoid sql error (issue #26342) @@ -273,7 +273,7 @@ NEW: Accountancy - Manage intra-community VAT on supplier invoices - FPC22 NEW: Accountancy - iSuiteExpert export model NEW: Accountancy - Quadratus export with attachments in accountancy export NEW: Accountancy - Can filter on a custom group of accounts. Perf or ledger list. -NEW: Can upload a file with drag and drop on purchase invoice, vats, salaries and social contributions +NEW: Can upload a file with drag and drop on purchase invoice, vats, salaries and social contributions NEW: Authentication: #22740 add OpenID Connect impl NEW: Authentication: add experimental support for Google OAuth2 connexion NEW: Authentication: can now edit service name for OAuth token 
@@ -462,13 +462,13 @@ WARNING: Following changes may create regressions for some external modules, but were necessary to make Dolibarr better: * Minimal PHP version is now PHP 7.1 instead of PHP 7.0 -* Sensitive datas like keys in setup pages, that need encyption (for example the API keys of users, the CRON security key, the keys into the Stripe module, or +* Sensitive datas like keys in setup pages, that need encyption (for example the API keys of users, the CRON security key, the keys into the Stripe module, or external modules setup pages that store sensitive keys or password), are using the $dolibarr_main_instance_unique_id as part of the key for encryption. So, -if you restore or duplicate the data from another instance dump, you must also update this parameter in ther conf.php file to allow decryption in the new instance, or +if you restore or duplicate the data from another instance dump, you must also update this parameter in ther conf.php file to allow decryption in the new instance, or better, you must reenter the sensitive data into the setup pages of the new instance to resave them correctly. -Note that to find all the parameters that are encrypted into the setup database, you can do a "SELECT * FROM llx_const WHERE value LIKE '%dolcrypt%';" +Note that to find all the parameters that are encrypted into the setup database, you can do a "SELECT * FROM llx_const WHERE value LIKE '%dolcrypt%';" * The deprecated method "escapeunderscore()" of database handlers has been removed. You must use "escapeforlike()" instead. -* The method "nb_expedition()" has been renamed into "countNbOfShipments()" +* The method "nb_expedition()" has been renamed into "countNbOfShipments()" * Revert default type of hooks. Default is now 'addreplace' hooks (and exception become 'output' hooks, that become deprecated). * Deprecated property libelle removed from entrepot class. * The type 'text' in ->fields property does not accept html content anymore. Use the type 'html' for that. 
@@ -870,7 +870,7 @@ WARNING: Following changes may create regressions for some external modules, but were necessary to make Dolibarr better: * Minimal PHP version is now PHP 7.0 instead of PHP 5.6 * Core has introduced a Universal Filter Syntax for seach criteria. Example: ((((field1:=:value1) OR (field2:in:1,2,3)) AND ...). In rare case, some filters - could be provided by URL parameters. For such cases (societe/ajax/company.php), use of Universal Filter Syntax become mandatory. + could be provided by URL parameters. For such cases (societe/ajax/company.php), use of Universal Filter Syntax become mandatory. * The signature of method getNomUrl() of class ProductFournisseur has been modified to match the signature of method Product->getNomUrl() * Trigger ORDER_SUPPLIER_DISPATCH is removed, use ORDER_SUPPLIER_RECEIVE and/or LINEORDER_SUPPLIER_DISPATCH instead. * All functions fetch_all() have been set to deprecated for naming consitency, use fetchAll() instead. @@ -948,7 +948,7 @@ FIX: #23019 Impossible to add task times to an existing draft invoice FIX: #23072 FIX: #23075 FIX: #23087 -FIX: #23115 +FIX: #23115 FIX: #23116 FIX: #23117 FIX: #23281 From 549f10c1500ce867b97e9fcb84b3618c274f1fd0 Mon Sep 17 00:00:00 2001 From: atm-sami <139965072+atm-sami@users.noreply.github.com> Date: Mon, 12 Feb 2024 18:10:48 +0100 Subject: [PATCH 3/6] 18.0 FIX remove consumed and produced lines for mo clone (#28140) * add new hook context for mo production card * remove consumed and produced line when we clone mo --- htdocs/mrp/class/mo.class.php | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/htdocs/mrp/class/mo.class.php b/htdocs/mrp/class/mo.class.php index 166d0a247df..0a74230ba92 100644 --- a/htdocs/mrp/class/mo.class.php +++ b/htdocs/mrp/class/mo.class.php 
@@ -373,6 +373,13 @@ class Mo extends CommonObject unset($object->fk_user_creat); unset($object->import_key); + // Remove produced and consumed lines + foreach ($object->lines as $key => $line) { + if (in_array($line->role, array('consumed', 'produced'))) { + unset($object->lines[$key]); + } + } + // Clear fields $object->ref = empty($this->fields['ref']['default']) ? "copy_of_".$object->ref : $this->fields['ref']['default']; $object->label = empty($this->fields['label']['default']) ? $langs->trans("CopyOf")." ".$object->label : $this->fields['label']['default']; From 3867d1619ea7331e25823459ff302161f7335430 Mon Sep 17 00:00:00 2001 From: Alexandre SPANGARO Date: Tue, 13 Feb 2024 09:03:08 +0100 Subject: [PATCH 4/6] FIX Payment on customer invoice - Remove accountid in url if empty for apply default value (#28156) --- htdocs/compta/facture/card.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/compta/facture/card.php b/htdocs/compta/facture/card.php index a65358b7d58..4aa791482d0 100644 --- a/htdocs/compta/facture/card.php +++ b/htdocs/compta/facture/card.php @@ -5696,7 +5696,7 @@ if ($action == 'create') { // Sometimes we can receive more, so we accept to enter more and will offer a button to convert into discount (but it is not a credit note, just a prepayment done) //print ''.$langs->trans('DoPayment').''; $params['attr']['title'] = ''; - print dolGetButtonAction($langs->trans('DoPayment'), '', 'default', DOL_URL_ROOT.'/compta/paiement.php?facid='.$object->id.'&action=create&accountid='.$object->fk_account, '', true, $params); + print dolGetButtonAction($langs->trans('DoPayment'), '', 'default', DOL_URL_ROOT.'/compta/paiement.php?facid='.$object->id.'&action=create'.($object->fk_account > 0 ? '&accountid='.$object->fk_account : ''), '', true, $params); } } } From a417b4eda93ccd7ba78bcfa7d219e8b63e0b0717 Mon Sep 17 00:00:00 2001 
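Review bot: The new loop in the `@@ -373` hunk of mo.class.php uses a loose `in_array()` and leaves gaps in the keys of `$object->lines` after `unset()`. Pass the strict flag, `if (in_array($line->role, array('consumed', 'produced'), true)) {`, and reindex after the loop with `$object->lines = array_values($object->lines);` so that any later index-based walk over the lines does not hit missing offsets. The hunk does not show whether `$object->lines` is always an array at this point; if it can be null, `foreach` emits a warning on PHP 8 and a guard such as `if (!empty($object->lines))` is worth adding. The enclosing clone method starts and ends outside the hunk.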
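Review bot: In the `@@ -5696` hunk of card.php, `$object->fk_account` is concatenated into the query string as-is, and the `> 0` guard is a loose comparison that does not guarantee an integer. Casting at the point of use keeps the URL well-formed whatever the property holds: `($object->fk_account > 0 ? '&accountid='.((int) $object->fk_account) : '')`. Where `fk_account` is populated is not visible here, so this is a defensive measure rather than a confirmed injection path.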
From: "I. Antunes" <52953274+iantun-x@users.noreply.github.com> Date: Sun, 18 Feb 2024 14:48:01 +0100 Subject: [PATCH 5/6] FIX 28251 Fixing subpermission name on api_multicurrencies.class.php (#28252) --- htdocs/multicurrency/class/api_multicurrencies.class.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/htdocs/multicurrency/class/api_multicurrencies.class.php b/htdocs/multicurrency/class/api_multicurrencies.class.php index 99fc1c2bb95..6cb66c9c3ac 100644 --- a/htdocs/multicurrency/class/api_multicurrencies.class.php +++ b/htdocs/multicurrency/class/api_multicurrencies.class.php @@ -196,7 +196,7 @@ class MultiCurrencies extends DolibarrApi */ public function post($request_data = null) { - if (!DolibarrApiAccess::$user->rights->multicurrency->currency->create) { + if (!DolibarrApiAccess::$user->rights->multicurrency->currency->write) { throw new RestException(401, "Insufficient rights to create currency"); } @@ -240,7 +240,7 @@ class MultiCurrencies extends DolibarrApi */ public function put($id, $request_data = null) { - if (!DolibarrApiAccess::$user->rights->multicurrency->currency->create) { + if (!DolibarrApiAccess::$user->rights->multicurrency->currency->write) { throw new RestException(401, "Insufficient rights to update currency"); } @@ -307,7 +307,7 @@ class MultiCurrencies extends DolibarrApi */ public function updateRate($id, $request_data = null) { - if (!DolibarrApiAccess::$user->rights->multicurrency->currency->create) { + if (!DolibarrApiAccess::$user->rights->multicurrency->currency->write) { throw new RestException(401, "Insufficient rights to update currency rate"); } From 8edebd56be708cffdb8c4098dd875389e74c5ac1 Mon Sep 17 00:00:00 2001 From: HENRY Florian Date: Sun, 18 Feb 2024 15:40:10 +0100 Subject: [PATCH 6/6] fix: Init bar code page must filter by entity (#28218) * fix: Init bar code page must filter by entity * missing one filter --- htdocs/barcode/codeinit.php | 7 +++++++ 1 file changed, 7 insertions(+) 
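Review bot: The three guards touched here (`post`, `put` and `updateRate`) still answer a permission failure with `RestException(401, ...)`, which tells a client it is unauthenticated when it is in fact authenticated but not authorized. `throw new RestException(403, "Insufficient rights to create currency");` (and likewise in the other two methods) is the accurate status. The old `create` sub-permission probably never resolved, so these endpoints were likely denied to ordinary users until now. Since the rename makes them reachable, confirm that `write` is the exact right name declared by the multicurrency module descriptor and that it is the intended right for `updateRate`. A test for the denied case would pin this down. The permission check should also carry a short comment naming the right it maps to.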
diff --git a/htdocs/barcode/codeinit.php b/htdocs/barcode/codeinit.php index 9c45d29cf79..4aff6593448 100644 --- a/htdocs/barcode/codeinit.php +++ b/htdocs/barcode/codeinit.php @@ -108,6 +108,7 @@ if ($action == 'initbarcodethirdparties') { $nbok = 0; if (!empty($eraseallthirdpartybarcode)) { $sql = "UPDATE ".MAIN_DB_PREFIX."societe"; + $sql .= " AND entity IN (".getEntity('societe').")"; $sql .= " SET barcode = NULL"; $resql = $db->query($sql); if ($resql) { @@ -120,6 +121,7 @@ if ($action == 'initbarcodethirdparties') { $sql = "SELECT rowid"; $sql .= " FROM ".MAIN_DB_PREFIX."societe"; $sql .= " WHERE barcode IS NULL or barcode = ''"; + $sql .= " AND entity IN (".getEntity('societe').")"; $sql .= $db->order("datec", "ASC"); $sql .= $db->plimit($maxperinit); @@ -211,6 +213,7 @@ if ($action == 'initbarcodeproducts') { if (!empty($eraseallproductbarcode)) { $sql = "UPDATE ".MAIN_DB_PREFIX."product"; $sql .= " SET barcode = NULL"; + $sql .= " WHERE entity IN (".getEntity('product').")"; $resql = $db->query($sql); if ($resql) { setEventMessages($langs->trans("AllBarcodeReset"), null, 'mesgs'); @@ -222,6 +225,7 @@ if ($action == 'initbarcodeproducts') { $sql = "SELECT rowid, ref, fk_product_type"; $sql .= " FROM ".MAIN_DB_PREFIX."product"; $sql .= " WHERE barcode IS NULL or barcode = ''"; + $sql .= " AND entity IN (".getEntity('product').")"; $sql .= $db->order("datec", "ASC"); $sql .= $db->plimit($maxperinit); @@ -322,6 +326,7 @@ if (isModEnabled('societe')) { } $sql = "SELECT count(rowid) as nb FROM ".MAIN_DB_PREFIX."societe"; + $sql .= " WHERE entity IN (".getEntity('societe').")"; $resql = $db->query($sql); if ($resql) { $obj = $db->fetch_object($resql); 
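Review bot: In the `@@ -108` hunk the entity filter is added before the `SET` clause and introduced with `AND`, so the statement becomes `UPDATE ...societe AND entity IN (...) SET barcode = NULL`, which is not valid SQL. The erase-all action for third parties will fail instead of being scoped to the entity. The line belongs after the `SET` line as a `WHERE`, matching what the `@@ -211` hunk does for products: `$sql .= " SET barcode = NULL";` followed by `$sql .= " WHERE entity IN (".getEntity('societe').")";`. The enclosing `if ($action == 'initbarcodethirdparties')` block continues outside the hunk.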
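Review bot: In the `@@ -120` hunk, appending `AND entity IN (...)` after `WHERE barcode IS NULL or barcode = ''` does not scope the whole condition, because `AND` binds tighter than `OR`. Rows whose barcode is NULL are still selected from every entity, and only the empty-string alternative is filtered. The same construction appears in the `@@ -222` (product select) and `@@ -376` (product count) hunks. Parenthesise the barcode test, `$sql .= " WHERE (barcode IS NULL OR barcode = '')";`, so the entity filter applies to both alternatives. Without that, a multi-entity install lets the init action read and assign barcodes on records that belong to other entities.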
@@ -376,6 +381,7 @@ if (isModEnabled('product') || isModEnabled('service')) { $sql = "SELECT count(rowid) as nb, fk_product_type, datec"; $sql .= " FROM ".MAIN_DB_PREFIX."product"; $sql .= " WHERE barcode IS NULL OR barcode = ''"; + $sql .= " AND entity IN (".getEntity('product').")"; $sql .= " GROUP BY fk_product_type, datec"; $sql .= " ORDER BY datec"; $resql = $db->query($sql); @@ -394,6 +400,7 @@ if (isModEnabled('product') || isModEnabled('service')) { } $sql = "SELECT count(rowid) as nb FROM ".MAIN_DB_PREFIX."product"; + $sql .= " WHERE entity IN (".getEntity('product').")"; $resql = $db->query($sql); if ($resql) { $obj = $db->fetch_object($resql);