forked from Wavyzz/dolibarr
Merge branch '13.0' of git@github.com:Dolibarr/dolibarr.git into develop
Conflicts: htdocs/compta/facture/card.php htdocs/core/class/html.formmail.class.php htdocs/core/lib/product.lib.php htdocs/product/stock/productlot_card.php test/phpunit/SecurityTest.php
This commit is contained in:
Laurent Destailleur
@@ -1810,7 +1810,7 @@ class Contact extends CommonObject
|
||||
|
||||
$this->db->begin();
|
||||
|
||||
$sql = "DELETE FROM ".MAIN_DB_PREFIX."societe_contacts WHERE fk_socpeople=".$this->id." AND entity IN (".getEntity("societe_contact").")";
|
||||
$sql = "DELETE FROM ".MAIN_DB_PREFIX."societe_contacts WHERE fk_socpeople=".((int) $this->id)." AND entity IN (".getEntity("societe_contact").")";
|
||||
|
||||
$result = $this->db->query($sql);
|
||||
if (!$result) {
|
||||
|
||||
@@ -459,8 +459,8 @@ class Conf
|
||||
$this->service->dir_temp = $rootfortemp."/produit/temp";
|
||||
|
||||
// Module productbatch
|
||||
$this->productbatch->multidir_output = array($this->entity => $rootfordata."/produitlot");
|
||||
$this->productbatch->multidir_temp = array($this->entity => $rootfortemp."/produitlot/temp");
|
||||
$this->productbatch->multidir_output = array($this->entity => $rootfordata."/productlot");
|
||||
$this->productbatch->multidir_temp = array($this->entity => $rootfortemp."/productlot/temp");
|
||||
|
||||
// Module contrat
|
||||
$this->contrat->multidir_output = array($this->entity => $rootfordata."/contract");
|
||||
|
||||
@@ -537,9 +537,9 @@ function hideMessage(fieldId,message) {
|
||||
* Used by button to set on/off.
|
||||
* Call url then make complementary action (like show/hide, enable/disable or set another option).
|
||||
*
|
||||
* @param string url Url
|
||||
* @param string url Url (warning: as any url called in ajax mode, the url called here must not renew the token)
|
||||
* @param string code Code
|
||||
* @param string intput Input
|
||||
* @param string intput Array of complementary actions to do if success
|
||||
* @param int entity Entity
|
||||
* @param int strict Strict
|
||||
* @param int forcereload Force reload
|
||||
@@ -553,7 +553,7 @@ function setConstant(url, code, input, entity, strict, forcereload, userid, toke
|
||||
entity: entity,
|
||||
token: token
|
||||
},
|
||||
function() {
|
||||
function() { /* handler for success of post */
|
||||
console.log("url request success forcereload="+forcereload);
|
||||
$("#set_" + code).hide();
|
||||
$("#del_" + code).show();
|
||||
@@ -611,9 +611,9 @@ function setConstant(url, code, input, entity, strict, forcereload, userid, toke
|
||||
* Used by button to set on/off
|
||||
* Call url then make complementary action (like show/hide, enable/disable or set another option).
|
||||
*
|
||||
* @param string url Url
|
||||
* @param string url Url (warning: as any url called in ajax mode, the url called here must not renew the token)
|
||||
* @param string code Code
|
||||
* @param string intput Input
|
||||
* @param string intput Array of complementary actions to do if success
|
||||
* @param int entity Entity
|
||||
* @param int strict Strict
|
||||
* @param int forcereload Force reload
|
||||
@@ -678,12 +678,13 @@ function delConstant(url, code, input, entity, strict, forcereload, userid, toke
|
||||
}
|
||||
|
||||
/*
|
||||
* Used by button to set on/off
|
||||
* Call the setConstant or delConstant but with a confirmation before.
|
||||
* Used by button to set on/off.
|
||||
*
|
||||
* @param string action Action
|
||||
* @param string url Url
|
||||
* @param string code Code
|
||||
* @param string intput Input
|
||||
* @param string intput Array of complementary actions to do if success
|
||||
* @param string box Box
|
||||
* @param int entity Entity
|
||||
* @param int yesButton yesButton
|
||||
|
||||
@@ -535,13 +535,13 @@ function ajax_combobox($htmlname, $events = array(), $minLengthToAutocomplete =
|
||||
* On/off button for constant
|
||||
*
|
||||
* @param string $code Name of constant
|
||||
* @param array $input Array of options. ("disabled"|"enabled'|'set'|'del') => CSS element to switch, 'alert' => message to show, ... Example: array('disabled'=>array(0=>'cssid'))
|
||||
* @param int $entity Entity to set. Use current entity if null.
|
||||
* @param array $input Array of complementary actions to do if success ("disabled"|"enabled'|'set'|'del') => CSS element to switch, 'alert' => message to show, ... Example: array('disabled'=>array(0=>'cssid'))
|
||||
* @param int $entity Entity. Current entity is used if null.
|
||||
* @param int $revertonoff Revert on/off
|
||||
* @param int $strict Use only "disabled" with delConstant and "enabled" with setConstant
|
||||
* @param int $forcereload Force to reload page if we click/change value (this is supported only when there is no 'alert' option in input)
|
||||
* @param string $marginleftonlyshort 1 = Add a short left margin on picto, 2 = Add a larger left margin on picto, 0 = No left margin. Works for fontawesome picto only.
|
||||
* @param int $forcenoajax 1=Force to use a ahref link instead of ajax code.
|
||||
* @param int $forcenoajax 1 = Force to use a ahref link instead of ajax code.
|
||||
* @return string
|
||||
*/
|
||||
function ajax_constantonoff($code, $input = array(), $entity = null, $revertonoff = 0, $strict = 0, $forcereload = 0, $marginleftonlyshort = 2, $forcenoajax = 0)
|
||||
|
||||
@@ -6164,6 +6164,8 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1,
|
||||
$allowed_tags_string = join("><", $allowed_tags);
|
||||
$allowed_tags_string = '<'.$allowed_tags_string.'>';
|
||||
|
||||
$stringtoclean = str_replace('<!DOCTYPE html>', '__!DOCTYPE_HTML__', $stringtoclean); // Replace DOCTYPE to avoid to have it removed by the strip_tags
|
||||
|
||||
$stringtoclean = dol_string_nounprintableascii($stringtoclean, 0);
|
||||
$stringtoclean = preg_replace('/:/i', ':', $stringtoclean);
|
||||
|
||||
@@ -6186,6 +6188,8 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1,
|
||||
$temp = preg_replace('/javascript\s*:/i', '', $temp);
|
||||
}
|
||||
|
||||
$temp = str_replace('__!DOCTYPE_HTML__', '<!DOCTYPE html>', $temp); // Restore the DOCTYPE
|
||||
|
||||
return $temp;
|
||||
}
|
||||
|
||||
|
||||
@@ -376,7 +376,7 @@ function show_stats_for_company($product, $socid)
|
||||
}
|
||||
$langs->load("propal");
|
||||
print '<tr><td>';
|
||||
print '<a href="propal.php?id='.$product->id.'">'.img_object('', 'propal').' '.$langs->trans("Proposals").'</a>';
|
||||
print '<a href="propal.php?id='.$product->id.'">'.img_object('', 'propal', 'class="paddingright"').$langs->trans("Proposals").'</a>';
|
||||
print '</td><td class="right">';
|
||||
print $product->stats_propale['customers'];
|
||||
print '</td><td class="right">';
|
||||
@@ -393,9 +393,9 @@ function show_stats_for_company($product, $socid)
|
||||
if ($ret < 0) {
|
||||
dol_print_error($db);
|
||||
}
|
||||
$langs->load("propal");
|
||||
$langs->load("supplier_proposal");
|
||||
print '<tr><td>';
|
||||
print '<a href="supplier_proposal.php?id='.$product->id.'">'.img_object('', 'supplier_proposal').' '.$langs->trans("SupplierProposals").'</a>';
|
||||
print '<a href="supplier_proposal.php?id='.$product->id.'">'.img_object('', 'supplier_proposal', 'class="paddingright"').$langs->trans("SupplierProposals").'</a>';
|
||||
print '</td><td class="right">';
|
||||
print $product->stats_proposal_supplier['suppliers'];
|
||||
print '</td><td class="right">';
|
||||
@@ -414,7 +414,7 @@ function show_stats_for_company($product, $socid)
|
||||
}
|
||||
$langs->load("orders");
|
||||
print '<tr><td>';
|
||||
print '<a href="commande.php?id='.$product->id.'">'.img_object('', 'order').' '.$langs->trans("CustomersOrders").'</a>';
|
||||
print '<a href="commande.php?id='.$product->id.'">'.img_object('', 'order', 'class="paddingright"').$langs->trans("CustomersOrders").'</a>';
|
||||
print '</td><td class="right">';
|
||||
print $product->stats_commande['customers'];
|
||||
print '</td><td class="right">';
|
||||
@@ -433,7 +433,7 @@ function show_stats_for_company($product, $socid)
|
||||
}
|
||||
$langs->load("orders");
|
||||
print '<tr><td>';
|
||||
print '<a href="commande_fournisseur.php?id='.$product->id.'">'.img_object('', 'supplier_order').' '.$langs->trans("SuppliersOrders").'</a>';
|
||||
print '<a href="commande_fournisseur.php?id='.$product->id.'">'.img_object('', 'supplier_order', 'class="paddingright"').$langs->trans("SuppliersOrders").'</a>';
|
||||
print '</td><td class="right">';
|
||||
print $product->stats_commande_fournisseur['suppliers'];
|
||||
print '</td><td class="right">';
|
||||
@@ -471,7 +471,7 @@ function show_stats_for_company($product, $socid)
|
||||
}
|
||||
$langs->load("bills");
|
||||
print '<tr><td>';
|
||||
print '<a href="facture_fournisseur.php?id='.$product->id.'">'.img_object('', 'supplier_invoice').' '.$langs->trans("SuppliersInvoices").'</a>';
|
||||
print '<a href="facture_fournisseur.php?id='.$product->id.'">'.img_object('', 'supplier_invoice', 'class="paddingright"').$langs->trans("SuppliersInvoices").'</a>';
|
||||
print '</td><td class="right">';
|
||||
print $product->stats_facture_fournisseur['suppliers'];
|
||||
print '</td><td class="right">';
|
||||
@@ -491,7 +491,7 @@ function show_stats_for_company($product, $socid)
|
||||
}
|
||||
$langs->load("contracts");
|
||||
print '<tr><td>';
|
||||
print '<a href="contrat.php?id='.$product->id.'">'.img_object('', 'contract').' '.$langs->trans("Contracts").'</a>';
|
||||
print '<a href="contrat.php?id='.$product->id.'">'.img_object('', 'contract', 'class="paddingright"').$langs->trans("Contracts").'</a>';
|
||||
print '</td><td class="right">';
|
||||
print $product->stats_contrat['customers'];
|
||||
print '</td><td class="right">';
|
||||
@@ -512,15 +512,15 @@ function show_stats_for_company($product, $socid)
|
||||
$langs->load("mrp");
|
||||
|
||||
print '<tr><td>';
|
||||
print '<a href="bom.php?id='.$product->id.'">'.img_object('', 'mrp').' '.$langs->trans("BOM").'</a>';
|
||||
print '<a href="bom.php?id='.$product->id.'">'.img_object('', 'bom', 'class="paddingright"').$langs->trans("BOM").'</a>';
|
||||
print '</td><td class="right">';
|
||||
|
||||
print '</td><td class="right">';
|
||||
print $form->textwithpicto($product->stats_bom['nb_toproduce'], $langs->trans("QtyToProduce"));
|
||||
print $form->textwithpicto($product->stats_bom['nb_toconsume'], $langs->trans("ToConsume"));
|
||||
print $form->textwithpicto($product->stats_bom['nb_toconsume'], $langs->trans("RowMaterial"));
|
||||
print $form->textwithpicto($product->stats_bom['nb_toproduce'], $langs->trans("Finished"));
|
||||
print '</td><td class="right">';
|
||||
print $form->textwithpicto($product->stats_bom['qty_toproduce'], $langs->trans("QtyToProduce"));
|
||||
print $form->textwithpicto($product->stats_bom['qty_toconsume'], $langs->trans("ToConsume"));
|
||||
print $form->textwithpicto($product->stats_bom['qty_toconsume'], $langs->trans("RowMaterial"));
|
||||
print $form->textwithpicto($product->stats_bom['qty_toproduce'], $langs->trans("Finished"));
|
||||
print '</td>';
|
||||
print '</tr>';
|
||||
}
|
||||
@@ -534,7 +534,7 @@ function show_stats_for_company($product, $socid)
|
||||
}
|
||||
$langs->load("mrp");
|
||||
print '<tr><td>';
|
||||
print '<a href="mo.php?id='.$product->id.'">'.img_object('', 'mrp').' '.$langs->trans("MO").'</a>';
|
||||
print '<a href="mo.php?id='.$product->id.'">'.img_object('', 'mrp', 'class="paddingright"').$langs->trans("MO").'</a>';
|
||||
print '</td><td class="right">';
|
||||
print $form->textwithpicto($product->stats_mo['customers_toconsume'], $langs->trans("ToConsume"));
|
||||
print $form->textwithpicto($product->stats_mo['customers_consumed'], $langs->trans("QtyAlreadyConsumed"));
|
||||
|
||||
@@ -2464,7 +2464,7 @@ class Product extends CommonObject
|
||||
$this->stats_bom['qty_toconsume'] = 0;
|
||||
|
||||
$sql = "SELECT COUNT(DISTINCT b.rowid) as nb_toproduce,";
|
||||
$sql .= " b.qty as qty_toproduce";
|
||||
$sql .= " SUM(b.qty) as qty_toproduce";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."bom_bom as b";
|
||||
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."bom_bomline as bl ON bl.fk_bom=b.rowid";
|
||||
$sql .= " WHERE ";
|
||||
|
||||
@@ -244,8 +244,8 @@ if ($id > 0 || !empty($ref))
|
||||
print '<tr class="liste_titre">';
|
||||
print_liste_field_titre("Ref", $_SERVER["PHP_SELF"], "b.rowid", "", "&id=".$product->id, '', $sortfield, $sortorder);
|
||||
print_liste_field_titre("Date", $_SERVER["PHP_SELF"], "b.date_valid", "", "&id=".$product->id, 'align="center"', $sortfield, $sortorder);
|
||||
print_liste_field_titre("ToConsume", $_SERVER["PHP_SELF"], "", "", "&id=".$product->id, '', $sortfield, $sortorder, 'center ');
|
||||
print_liste_field_titre("QtyToProduce", $_SERVER["PHP_SELF"], "", "", "&id=".$product->id, '', $sortfield, $sortorder, 'center ');
|
||||
print_liste_field_titre("RowMaterial", $_SERVER["PHP_SELF"], "", "", "&id=".$product->id, '', $sortfield, $sortorder, 'center ');
|
||||
print_liste_field_titre("Finished", $_SERVER["PHP_SELF"], "", "", "&id=".$product->id, '', $sortfield, $sortorder, 'center ');
|
||||
print_liste_field_titre("Status", $_SERVER["PHP_SELF"], "b.status", "", "&id=".$product->id, '', $sortfield, $sortorder, 'center ');
|
||||
print "</tr>\n";
|
||||
|
||||
|
||||
@@ -472,7 +472,7 @@ if ($action != 'presend') {
|
||||
if ($includedocgeneration) {
|
||||
$objref = dol_sanitizeFileName($object->ref);
|
||||
$relativepath = $objref.'/'.$objref.'.pdf';
|
||||
$filedir = $conf->productbatch->multidir_output[$object->entity].'/'.get_exdir(0, 0, 0, 0, $object, 'product_batch').dol_sanitizeFileName($object->ref);
|
||||
$filedir = $conf->productbatch->multidir_output[$object->entity].'/'.get_exdir(0, 0, 0, 1, $object, 'product_batch');
|
||||
$urlsource = $_SERVER["PHP_SELF"]."?id=".$object->id;
|
||||
$genallowed = $usercanread; // If you can read, you can build the PDF to read content
|
||||
$delallowed = $usercancreate; // If you can create/edit, you can remove a file on card
|
||||
@@ -485,7 +485,7 @@ if ($action != 'presend') {
|
||||
|
||||
include_once DOL_DOCUMENT_ROOT.'/core/class/html.formactions.class.php';
|
||||
$formactions = new FormActions($db);
|
||||
$somethingshown = $formactions->showactions($object, 'productlot', $socid, 1, '', $MAXEVENT);
|
||||
$somethingshown = $formactions->showactions($object, 'productlot', 0, 1, '', $MAXEVENT);
|
||||
|
||||
print '</div></div></div>';
|
||||
}
|
||||
|
||||
@@ -26,7 +26,7 @@
|
||||
/**
|
||||
* \file htdocs/product/stock/productlot_document.php
|
||||
* \ingroup product
|
||||
* \brief Page des documents joints sur les lots produits
|
||||
* \brief Page of attached documents for porudct lots
|
||||
*/
|
||||
|
||||
require '../../main.inc.php';
|
||||
@@ -79,7 +79,7 @@ if ($id || $ref)
|
||||
$object->fetch($id, $productid, $batch);
|
||||
$object->ref = $object->batch; // For document management ( it use $object->ref)
|
||||
|
||||
if (!empty($conf->productbatch->enabled)) $upload_dir = $conf->productbatch->multidir_output[$object->entity].'/'.get_exdir(0, 0, 0, 0, $object, $modulepart).dol_sanitizeFileName($object->ref);
|
||||
if (!empty($conf->productbatch->enabled)) $upload_dir = $conf->productbatch->multidir_output[$object->entity].'/'.get_exdir(0, 0, 0, 1, $object, $modulepart);
|
||||
}
|
||||
|
||||
|
||||
|
||||
@@ -352,7 +352,7 @@ foreach ($search as $key => $val)
|
||||
if (count($newarrayofstatus)) $sql .= natural_search($key, join(',', $newarrayofstatus), 2);
|
||||
continue;
|
||||
}
|
||||
if ($key == 'fk_user_assign' || $key == 'fk_user_create')
|
||||
if ($key == 'fk_user_assign' || $key == 'fk_user_create' || $key == 'fk_project')
|
||||
{
|
||||
if ($search[$key] > 0) $sql .= natural_search($key, $search[$key], 2);
|
||||
continue;
|
||||
@@ -362,7 +362,7 @@ foreach ($search as $key => $val)
|
||||
}
|
||||
if ($search_all) $sql .= natural_search(array_keys($fieldstosearchall), $search_all);
|
||||
if ($search_societe) $sql .= natural_search('s.nom', $search_societe);
|
||||
if ($search_fk_project) $sql .= natural_search('fk_project', $search_fk_project, 2);
|
||||
//if ($search_fk_project) $sql .= natural_search('fk_project', $search_fk_project, 2);
|
||||
if ($search_date_start) $sql .= " AND t.datec >= '".$db->idate($search_date_start)."'";
|
||||
if ($search_date_end) $sql .= " AND t.datec <= '".$db->idate($search_date_end)."'";
|
||||
if ($search_dateread_start) $sql .= " AND t.date_read >= '".$db->idate($search_dateread_start)."'";
|
||||
|
||||
@@ -315,6 +315,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
|
||||
$_POST["param9"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'objnotdefined\'';
|
||||
$_POST["param10"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'<abc>objnotdefined\'';
|
||||
$_POST["param11"]=' Name <email@email.com> ';
|
||||
$_POST["param12"]='<!DOCTYPE html><html>aaa</html>';
|
||||
|
||||
$result=GETPOST('id', 'int'); // Must return nothing
|
||||
print __METHOD__." result=".$result."\n";
|
||||
@@ -412,6 +413,10 @@ class SecurityTest extends PHPUnit\Framework\TestCase
|
||||
print __METHOD__." result=".$result."\n";
|
||||
$this->assertEquals(trim($_POST["param11"]), $result, 'Test an email string with alphawithlgt');
|
||||
|
||||
$result=GETPOST("param12", 'restricthtml');
|
||||
print __METHOD__." result=".$result."\n";
|
||||
$this->assertEquals(trim($_POST["param12"]), $result, 'Test a string with DOCTYPE and restricthtml');
|
||||
|
||||
return $result;
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user