Merge branch '18.0' of git@github.com:Dolibarr/dolibarr.git into 19.0

ChangeLog

@@ -2,6 +2,72 @@
 English Dolibarr ChangeLog
 --------------------------------------------------------------
 
+***** ChangeLog for 18.0.5 compared to 18.0.4 *****
+FIX: 17.0: deprecated field should only be a fallback
+FIX: 17.0 - php8 warnings: test for $field existence before checking if it is null or empty
+FIX: #24185: v18: display of the merged pdf lists
+FIX: #26416 BOM_SUB_BOM blank page
+FIX: #27166
+FIX: #27262 Recurrent invoice - user to string conversion
+FIX: #27970 #26283 #27970
+FIX: Accountancy - Level 3 of binding not working on supplier side (#27462)
+FIX: Accounting files export - Use th instead of td on all title columns (#28003)
+FIX: add action update_extras to don card
+FIX: Adding hooks init
+FIX: Adding the $encode parameter to recursive _replaceHtmlWithOdtTag() utilisation
+FIX: add new hook context for mo production card (#28037)
+FIX: avoid from re-initializing result on nested hook getEntity (#27799)
+FIX: avoid sql error (issue #26342)
+FIX: bad accountancy code autoselection for supplier ventilation
+FIX: Bad visible status of proposal after reopen
+FIX: Barcode header cell not well displayed
+FIX: BarCode Header not well displayed
+FIX: Bar code verification should be done by entity because generation does (#28087)
+FIX: can edit reminders on past events
+FIX: check parameter socid before cloning a customer proposal (#28085)
+FIX: crabe PDF is generating in conf->entity instead of object->entity
+FIX: CVE-2024-23817 (#28089)
+FIX: disable pointer events on jQuery-UI tooltips to prevent a glitch (fast-blinking tooltip)
+FIX: Error on emailreminder not reported
+FIX: Fatal error converting object of class User to string (php8)
+FIX: filter by entity on contact is missing
+FIX: Fix supplier invoice security check
+FIX: format of color in manifest is wrong when using a custom color
+FIX: #GHSA-7947-48q7-cp5m
+FIX: HTML injection vulnerability in Dolibarr Application Home Page
+FIX: invoice add line save devise
+FIX: Keep a link to enable a 'always_enabled' module to solve pb.
+FIX: label
+FIX: line special_code never saved (#28051)
+FIX: link to print when there is a search on multiselect fields
+FIX: Menu Create of project no working on smartphone with no top menu.
+FIX: missing $search_sale var (backport from v19)
+FIX: Missing begin transaction when updating supplier recurring invoice
+FIX: missing entity filter for check if period exists
+FIX: more correctly parse the select part to be replaced in sql queries
+FIX: MouvementStock::origin is not an object
+FIX: notification information on intervention validated confirmation message (v17+)
+FIX: not load all contacts by default when creating an event
+FIX: port in Docker MailDev
+FIX: propal use devise changes
+FIX: public user photo not visible if $dolibarr_main_instance_unique_id
+FIX: remove DISTINCT (backport from v19)
+FIX: remove specific name from v19
+FIX: Retours PR
+FIX: Return a better error message when token is not valid
+FIX: search by ref & rowid in don list
+FIX: search by thirdparty in don list
+FIX: several names for one const THIRDPARTY_CAN_HAVE_CUSTOMER_CATEGORY_EVEN_IF_NOT_CUSTOMER_PROSPECT
+FIX: SQL concatenation error
+FIX: [TAKEPOS] display prices with or without taxes depending on setup (TAKEPOS_CHANGE_PRICE_HT)
+FIX: Ternary operator condition is always true/false
+FIX: too long output
+FIX: Undefined property: Task::$fk_parent
+FIX: uniformization to use "intervention"
+FIX: Update loan.class.php (#27971)
+FIX: update price extrafield on propal card
+FIX: user filter in per user view of event list (#28049)
+FIX: use the currency for propal signature page
 
 ***** ChangeLog for 19.0.0 compared to 18.0.0 *****
 
@@ -647,13 +713,13 @@ WARNING:
 
 Following changes may create regressions for some external modules, but were necessary to make Dolibarr better:
 * Minimal PHP version is now PHP 7.1 instead of PHP 7.0
-* Sensitive datas like keys in setup pages, that need encyption (for example the API keys of users, the CRON security key, the keys into the Stripe module, or 
+* Sensitive datas like keys in setup pages, that need encyption (for example the API keys of users, the CRON security key, the keys into the Stripe module, or
 external modules setup pages that store sensitive keys or password), are using the $dolibarr_main_instance_unique_id as part of the key for encryption. So,
-if you restore or duplicate the data from another instance dump, you must also update this parameter in ther conf.php file to allow decryption in the new instance, or 
+if you restore or duplicate the data from another instance dump, you must also update this parameter in ther conf.php file to allow decryption in the new instance, or
 better, you must reenter the sensitive data into the setup pages of the new instance to resave them correctly.
-Note that to find all the parameters that are encrypted into the setup database, you can do a "SELECT * FROM llx_const WHERE value LIKE '%dolcrypt%';"  
+Note that to find all the parameters that are encrypted into the setup database, you can do a "SELECT * FROM llx_const WHERE value LIKE '%dolcrypt%';"
 * The deprecated method "escapeunderscore()" of database handlers has been removed. You must use "escapeforlike()" instead.
-* The method "nb_expedition()" has been renamed into "countNbOfShipments()" 
+* The method "nb_expedition()" has been renamed into "countNbOfShipments()"
 * Revert default type of hooks. Default is now 'addreplace' hooks (and exception become 'output' hooks, that become deprecated).
 * Deprecated property libelle removed from entrepot class.
 * The type 'text' in ->fields property does not accept html content anymore. Use the type 'html' for that.
@@ -1055,7 +1121,7 @@ WARNING:
 Following changes may create regressions for some external modules, but were necessary to make Dolibarr better:
 * Minimal PHP version is now PHP 7.0 instead of PHP 5.6
 * Core has introduced a Universal Filter Syntax for seach criteria. Example: ((((field1:=:value1) OR (field2:in:1,2,3)) AND ...). In rare case, some filters
-  could be provided by URL parameters. For such cases (societe/ajax/company.php), use of Universal Filter Syntax become mandatory. 
+  could be provided by URL parameters. For such cases (societe/ajax/company.php), use of Universal Filter Syntax become mandatory.
 * The signature of method getNomUrl() of class ProductFournisseur has been modified to match the signature of method Product->getNomUrl()
 * Trigger ORDER_SUPPLIER_DISPATCH is removed, use ORDER_SUPPLIER_RECEIVE and/or LINEORDER_SUPPLIER_DISPATCH instead.
 * All functions fetch_all() have been set to deprecated for naming consitency, use fetchAll() instead.
@@ -1133,7 +1199,7 @@ FIX: #23019 Impossible to add task times to an existing draft invoice
 FIX: #23072
 FIX: #23075
 FIX: #23087
-FIX: #23115 
+FIX: #23115
 FIX: #23116
 FIX: #23117
 FIX: #23281

htdocs/barcode/codeinit.php

@@ -108,6 +108,7 @@ if ($action == 'initbarcodethirdparties') {
 		$nbok = 0;
 		if (!empty($eraseallthirdpartybarcode)) {
 			$sql = "UPDATE ".MAIN_DB_PREFIX."societe";
+			$sql .= " AND entity IN (".getEntity('societe').")";
 			$sql .= " SET barcode = NULL";
 			$resql = $db->query($sql);
 			if ($resql) {
@@ -120,6 +121,7 @@ if ($action == 'initbarcodethirdparties') {
 			$sql = "SELECT rowid";
 			$sql .= " FROM ".MAIN_DB_PREFIX."societe";
 			$sql .= " WHERE barcode IS NULL or barcode = ''";
+			$sql .= " AND entity IN (".getEntity('societe').")";
 			$sql .= $db->order("datec", "ASC");
 			$sql .= $db->plimit($maxperinit);
 
@@ -212,6 +214,7 @@ if ($action == 'initbarcodeproducts') {
 		if (!empty($eraseallproductbarcode)) {
 			$sql = "UPDATE ".MAIN_DB_PREFIX."product";
 			$sql .= " SET barcode = NULL";
+			$sql .= " WHERE entity IN (".getEntity('product').")";
 			$resql = $db->query($sql);
 			if ($resql) {
 				setEventMessages($langs->trans("AllBarcodeReset"), null, 'mesgs');
@@ -223,6 +226,7 @@ if ($action == 'initbarcodeproducts') {
 			$sql = "SELECT rowid, ref, fk_product_type";
 			$sql .= " FROM ".MAIN_DB_PREFIX."product";
 			$sql .= " WHERE barcode IS NULL or barcode = ''";
+			$sql .= " AND entity IN (".getEntity('product').")";
 			$sql .= $db->order("datec", "ASC");
 			$sql .= $db->plimit($maxperinit);
 
@@ -324,6 +328,7 @@ if (isModEnabled('societe')) {
 	}
 
 	$sql = "SELECT count(rowid) as nb FROM ".MAIN_DB_PREFIX."societe";
+	$sql .= " WHERE entity IN (".getEntity('societe').")";
 	$resql = $db->query($sql);
 	if ($resql) {
 		$obj = $db->fetch_object($resql);
@@ -378,6 +383,7 @@ if (isModEnabled('product') || isModEnabled('service')) {
 	$sql = "SELECT count(rowid) as nb, fk_product_type, datec";
 	$sql .= " FROM ".MAIN_DB_PREFIX."product";
 	$sql .= " WHERE barcode IS NULL OR barcode = ''";
+	$sql .= " AND entity IN (".getEntity('product').")";
 	$sql .= " GROUP BY fk_product_type, datec";
 	$sql .= " ORDER BY datec";
 	$resql = $db->query($sql);
@@ -396,6 +402,7 @@ if (isModEnabled('product') || isModEnabled('service')) {
 	}
 
 	$sql = "SELECT count(rowid) as nb FROM ".MAIN_DB_PREFIX."product";
+	$sql .= " WHERE entity IN (".getEntity('product').")";
 	$resql = $db->query($sql);
 	if ($resql) {
 		$obj = $db->fetch_object($resql);

htdocs/compta/facture/card.php

@@ -5767,7 +5767,7 @@ if ($action == 'create') {
 						// Sometimes we can receive more, so we accept to enter more and will offer a button to convert into discount (but it is not a credit note, just a prepayment done)
 						//print '<a class="butAction" href="'.DOL_URL_ROOT.'/compta/paiement.php?facid='.$object->id.'&amp;action=create&amp;accountid='.$object->fk_account.'">'.$langs->trans('DoPayment').'</a>';
 						$params['attr']['title'] = '';
-						print dolGetButtonAction($langs->trans('DoPayment'), '', 'default', DOL_URL_ROOT.'/compta/paiement.php?facid='.$object->id.'&amp;action=create&amp;accountid='.$object->fk_account, '', true, $params);
+						print dolGetButtonAction($langs->trans('DoPayment'), '', 'default', DOL_URL_ROOT.'/compta/paiement.php?facid='.$object->id.'&amp;action=create'.($object->fk_account > 0 ? '&amp;accountid='.$object->fk_account : ''), '', true, $params);
 					}
 				}
 			}

htdocs/mrp/class/mo.class.php

@@ -380,6 +380,13 @@ class Mo extends CommonObject
 		unset($object->fk_user_creat);
 		unset($object->import_key);
 
+		// Remove produced and consumed lines
+		foreach ($object->lines as $key => $line) {
+			if (in_array($line->role, array('consumed', 'produced'))) {
+				unset($object->lines[$key]);
+			}
+		}
+
 		// Clear fields
 		$object->ref = empty($this->fields['ref']['default']) ? "copy_of_".$object->ref : $this->fields['ref']['default'];
 		$object->label = empty($this->fields['label']['default']) ? $langs->trans("CopyOf")." ".$object->label : $this->fields['label']['default'];

htdocs/multicurrency/class/api_multicurrencies.class.php

@@ -199,7 +199,7 @@ class MultiCurrencies extends DolibarrApi
 	 */
 	public function post($request_data = null)
 	{
-		if (!DolibarrApiAccess::$user->rights->multicurrency->currency->create) {
+		if (!DolibarrApiAccess::$user->rights->multicurrency->currency->write) {
 			throw new RestException(401, "Insufficient rights to create currency");
 		}
 
@@ -243,7 +243,7 @@ class MultiCurrencies extends DolibarrApi
 	 */
 	public function put($id, $request_data = null)
 	{
-		if (!DolibarrApiAccess::$user->rights->multicurrency->currency->create) {
+		if (!DolibarrApiAccess::$user->rights->multicurrency->currency->write) {
 			throw new RestException(401, "Insufficient rights to update currency");
 		}
 
@@ -316,7 +316,7 @@ class MultiCurrencies extends DolibarrApi
 	 */
 	public function updateRate($id, $request_data = null)
 	{
-		if (!DolibarrApiAccess::$user->rights->multicurrency->currency->create) {
+		if (!DolibarrApiAccess::$user->rights->multicurrency->currency->write) {
 			throw new RestException(401, "Insufficient rights to update currency rate");
 		}