diff --git a/htdocs/core/ajax/ajaxcompanies.php b/htdocs/core/ajax/ajaxcompanies.php
index 330f0884605..086d20e7967 100644
--- a/htdocs/core/ajax/ajaxcompanies.php
+++ b/htdocs/core/ajax/ajaxcompanies.php
@@ -62,9 +62,9 @@ if (GETPOST('newcompany') || GETPOST('socid', 'int') || GETPOST('id_fourn')) {
$return_arr = array();
// Define filter on text typed
- $socid = $_GET['newcompany'] ? $_GET['newcompany'] : '';
- if (!$socid) $socid = $_GET['socid'] ? $_GET['socid'] : '';
- if (!$socid) $socid = $_GET['id_fourn'] ? $_GET['id_fourn'] : '';
+ $socid = GETPOST('newcompany');
+ if (!$socid) $socid = GETPOST('socid');
+ if (!$socid) $socid = GETPOST('id_fourn');
$sql = "SELECT s.rowid, s.nom, s.name_alias, s.code_client, s.code_fournisseur, s.address, s.zip, s.town, s.email, s.siren, s.siret, s.ape, s.idprof4, s.client, s.fournisseur, s.datec, s.logo";
$sql .= " , c.label as country, d.nom as departement";
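Review bot: `GETPOST('socid')` on the second new line reads the id with the default filter, while the enclosing condition shown in the hunk header checks the same parameter with `GETPOST('socid', 'int')`; if `socid` is always a numeric id, read it the same way here, `if (!$socid) $socid = GETPOST('socid', 'int');`, so the value reaching the LIKE clauses and the `(int)` cast further down is already constrained and the two reads cannot disagree. `newcompany` is the free-text search string, so its default filter is appropriate. The enclosing `if` block starts before the hunk.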
@@ -84,9 +84,14 @@ if (GETPOST('newcompany') || GETPOST('socid', 'int') || GETPOST('id_fourn')) {
$sql .= " OR s.code_client LIKE '%".$db->escape($db->escapeforlike($socid))."%'";
$sql .= " OR s.code_fournisseur LIKE '%".$db->escape($db->escapeforlike($socid))."%'";
}
- if (!empty($conf->global->SOCIETE_ALLOW_SEARCH_ON_ROWID)) $sql .= " OR s.rowid = ".((int) $socid);
+ if (!empty($conf->global->SOCIETE_ALLOW_SEARCH_ON_ROWID)) {
+ $sql .= " OR s.rowid = ".((int) $socid);
+ }
$sql .= ")";
}
+ if ($user->socid > 0) {
+ $sql .= " AND s.rowid = ".((int) $user->socid);
+ }
//if (GETPOST("filter")) $sql.= " AND (".GETPOST("filter", "alpha").")"; // Add other filters
$sql .= " ORDER BY s.nom ASC";
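Review bot: The new restriction `if ($user->socid > 0)` carries no comment saying why the result set is pinned to one rowid, and a reader may take it for part of the text search rather than an access restriction; suggest `// External user linked to a third party: only that third party may be returned` above it. Appending it with `AND` after the closing `)` of the search filter is the right placement, since it then applies even when no text criterion was built. The enclosing block starts before the hunk.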
diff --git a/htdocs/core/ajax/ajaxtooltip.php b/htdocs/core/ajax/ajaxtooltip.php
index 787829d5864..ae7b33f1f20 100644
--- a/htdocs/core/ajax/ajaxtooltip.php
+++ b/htdocs/core/ajax/ajaxtooltip.php
@@ -36,18 +36,13 @@ if (!defined('NOREQUIREAJAX')) {
define('NOREQUIREAJAX', '1');
}
include '../../main.inc.php';
-include_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
include_once DOL_DOCUMENT_ROOT.'/core/class/html.form.class.php';
-top_httphead();
-
-// opensurvey as aZ09 id
$id = GETPOST('id', 'aZ09');
$objecttype = GETPOST('objecttype', 'aZ09'); // 'module' or 'myobject@mymodule', 'mymodule_myobject'
-$regs = array();
$params = array();
if (GETPOSTISSET('infologin')) {
$params['infologin'] = GETPOST('infologin', 'int');
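Review bot: Removing `// opensurvey as aZ09 id` drops the only explanation of why `$id` is read with the `'aZ09'` filter rather than `'int'`, although the value is handed to `fetchObjectByElement()` as an element id in the next hunk; a later maintainer is likely to "fix" it to `'int'`. Keep a comment on the `$id = GETPOST('id', 'aZ09');` line, for example `// 'aZ09' rather than 'int': some elements (opensurvey) use an alphanumeric id`. The `NOREQUIREAJAX` block at the top of the hunk begins outside it.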
@@ -55,198 +50,15 @@ if (GETPOSTISSET('infologin')) {
if (GETPOSTISSET('option')) {
$params['option'] = GETPOST('option', 'restricthtml');
}
-// If we ask a resource form external module (instead of default path)
-if (preg_match('/^([^@]+)@([^@]+)$/i', $objecttype, $regs)) {
- $myobject = $regs[1];
- $module = $regs[2];
-} else {
- // Parse $objecttype (ex: project_task)
- $module = $myobject = $objecttype;
- if (preg_match('/^([^_]+)_([^_]+)/i', $objecttype, $regs)) {
- $module = $regs[1];
- $myobject = $regs[2];
- }
-}
-// Generic case for $classpath
-$classpath = $module.'/class';
+// Load object according to $element
+$object = fetchObjectByElement($id, $objecttype);
-// Special cases, to work with non standard path
-if ($objecttype == 'facture' || $objecttype == 'invoice') {
- $langs->load('bills');
- $classpath = 'compta/facture/class';
- $module = 'facture';
- $myobject = 'facture';
-} elseif ($objecttype == 'bank_account') {
- $langs->loadLangs(['banks', 'compta']);
- $classpath = 'compta/bank/class';
- $module = 'banque';
- $myobject = 'account';
-} elseif ($objecttype == 'category') {
- $langs->loadLangs(['categories']);
- $classpath = 'categories/class';
- $module = 'categorie';
- $myobject = 'categorie';
-} elseif ($objecttype == 'commande' || $objecttype == 'order') {
- $langs->load('orders');
- $classpath = 'commande/class';
- $module = 'commande';
- $myobject = 'commande';
-} elseif ($objecttype == 'propal') {
- $langs->load('propal');
- $classpath = 'comm/propal/class';
-} elseif ($objecttype == 'action') {
- $langs->load('agenda');
- $classpath = 'comm/action/class';
- $module = 'agenda';
- $myobject = 'actioncomm';
-} elseif ($objecttype == 'supplier_proposal') {
- $langs->load('supplier_proposal');
- $classpath = 'supplier_proposal/class';
-} elseif ($objecttype == 'shipping') {
- $langs->load('sendings');
- $classpath = 'expedition/class';
- $myobject = 'expedition';
- $module = 'expedition_bon';
-} elseif ($objecttype == 'delivery') {
- $langs->load('deliveries');
- $classpath = 'delivery/class';
- $myobject = 'delivery';
- $module = 'delivery_note';
-} elseif ($objecttype == 'contract') {
- $langs->load('contracts');
- $classpath = 'contrat/class';
- $module = 'contrat';
- $myobject = 'contrat';
-} elseif ($objecttype == 'member') {
- $classpath = 'adherents/class';
- $module = 'adherent';
- $myobject = 'adherent';
-} elseif ($objecttype == 'fichinter') {
- $langs->load('interventions');
- $classpath = 'fichinter/class';
- $module = 'ficheinter';
- $myobject = 'fichinter';
-} elseif ($objecttype == 'project') {
- $langs->load('projects');
- $classpath = 'projet/class';
- $module = 'projet';
-} elseif ($objecttype == 'project_task') {
- $classpath = 'projet/class';
- $module = 'projet';
- $myobject = 'task';
-} elseif ($objecttype == 'stock') {
- $classpath = 'product/stock/class';
- $module = 'stock';
- $myobject = 'stock';
-} elseif ($objecttype == 'inventory') {
- $classpath = 'product/inventory/class';
- $module = 'stock';
- $myobject = 'inventory';
-} elseif ($objecttype == 'mo') {
- $classpath = 'mrp/class';
- $module = 'mrp';
- $myobject = 'mo';
-} elseif ($objecttype == 'productlot') {
- $classpath = 'product/stock/class';
- $module = 'stock';
- $myobject = 'productlot';
-} elseif ($objecttype == 'usergroup') {
- $classpath = 'user/class';
- $module = 'user';
- $myobject = 'usergroup';
-} elseif ($objecttype == 'dolresource') {
- $classpath = 'resource/class';
- $module = 'resource';
- $myobject = 'dolresource';
-} elseif ($objecttype == 'opensurvey_sondage') {
- $classpath = 'opensurvey/class';
- $module = 'opensurvey';
- $myobject = 'opensurveysondage';
-} elseif ($objecttype == 'knowledgerecord') {
- $classpath = 'knowledgemanagement/class';
- $module = 'knowledgemanagement';
- $myobject = 'knowledgerecord';
-}
+$module = $object->module;
+$element = $object->element;
-// Generic case for $classfile and $classname
-$classfile = strtolower($myobject);
-$classname = ucfirst($myobject);
-
-if ($objecttype == 'invoice_supplier') {
- $classfile = 'fournisseur.facture';
- $classname = 'FactureFournisseur';
- $classpath = 'fourn/class';
- $module = 'fournisseur';
-} elseif ($objecttype == 'order_supplier') {
- $classfile = 'fournisseur.commande';
- $classname = 'CommandeFournisseur';
- $classpath = 'fourn/class';
- $module = 'fournisseur';
-} elseif ($objecttype == 'supplier_proposal') {
- $classfile = 'supplier_proposal';
- $classname = 'SupplierProposal';
- $classpath = 'supplier_proposal/class';
- $module = 'supplier_proposal';
-} elseif ($objecttype == 'stock') {
- $classpath = 'product/stock/class';
- $classfile = 'entrepot';
- $classname = 'Entrepot';
-} elseif ($objecttype == 'facturerec') {
- $classpath = 'compta/facture/class';
- $classfile = 'facture-rec';
- $classname = 'FactureRec';
- $module = 'facture';
-} elseif ($objecttype == 'mailing') {
- $classpath = 'comm/mailing/class';
- $classfile = 'mailing';
- $classname = 'Mailing';
-} elseif ($objecttype == 'adherent_type') {
- $classpath = 'adherents/class';
- $classfile = 'adherent_type';
- $module = 'adherent';
- $myobject = 'adherent_type';
- $classname = 'AdherentType';
-} elseif ($objecttype == 'contact') {
- $module = 'societe';
-} elseif ($objecttype == 'salary') {
- $classpath = 'salaries/class';
- $module = 'salaries';
-}
-// print "objecttype=".$objecttype." module=".$module." subelement=".$subelement." classfile=".$classfile." classname=".$classname." classpath=".$classpath."
";
-
-
-// Define a generic object with a very low cost memory and cpu load
-$object = new stdClass();
-$object->module = $module;
-$object->element = $myobject;
-if (empty($classname)) {
- $classname = ucfirst($module);
-}
-if (empty($classpath)) {
- $classpath = $module.'/class';
-}
-if (empty($classfile)) {
- $classfile = $myobject;
-}
-
-// Load object
-if (isModEnabled($module)) {
- $res = dol_include_once('/'.$classpath.'/'.$classfile.'.class.php');
- if ($res) {
- if (class_exists($classname) && $id > 0) {
- $object = new $classname($db);
- $res = $object->fetch($id);
- } else {
- dol_syslog("Class with classname ".$classname." is unknown even after the include", LOG_ERR);
- }
- } else {
- dol_syslog("Failed to include ".$classpath."/".$classfile, LOG_ERR);
- }
-}
-
-$usesublevelpermission = ($module != $myobject ? $myobject : '');
-if ($usesublevelpermission && !isset($user->rights->$module->$myobject)) { // There is no permission on object defined, we will check permission on module directly
+$usesublevelpermission = ($module != $element ? $element : '');
+if ($usesublevelpermission && !isset($user->rights->$module->$element)) { // There is no permission on object defined, we will check permission on module directly
$usesublevelpermission = '';
}
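Review bot: `$object = fetchObjectByElement($id, $objecttype);` is followed by `$module = $object->module;` with no check of the return value, although the function's docblock in this same diff says it returns `0` or `<0` when the element type is unknown, the module is disabled or the class cannot be loaded; `$module` and `$element` are then null and the `restrictedArea()` call just after the hunk runs with an empty feature name instead of denying. The removed code always had a stdClass fallback with `module` and `element` populated, so this is a new fail-open path. Add directly after the fetch: `if (!is_object($object)) { httponly_accessforbidden('Bad value for objecttype'); }` so the unknown or disabled case stops before any permission logic. The same unchecked use appears in htdocs/core/ajax/objectonoff.php, where `$object->fields[$field]` is written on the return value.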
@@ -258,6 +70,8 @@ restrictedArea($user, $object->module, $object, $object->table_element, $usesubl
* View
*/
+top_httphead();
+
$html = '';
if (is_object($object)) {
diff --git a/htdocs/core/ajax/box.php b/htdocs/core/ajax/box.php
index a6a93c69f68..b08b1cd81c0 100644
--- a/htdocs/core/ajax/box.php
+++ b/htdocs/core/ajax/box.php
@@ -18,7 +18,7 @@
/**
* \file htdocs/core/ajax/box.php
- * \brief File to return Ajax response on Box move or close
+ * \brief File to return Ajax response on a Box move or close
*/
if (!defined('NOTOKENRENEWAL')) {
diff --git a/htdocs/core/ajax/constantonoff.php b/htdocs/core/ajax/constantonoff.php
index 3a8ffda3ae6..aff62dc6f6b 100644
--- a/htdocs/core/ajax/constantonoff.php
+++ b/htdocs/core/ajax/constantonoff.php
@@ -57,11 +57,6 @@ $value = (GETPOST('value', 'aZ09') != '' ? GETPOST('value', 'aZ09') : 1);
* View
*/
-// Ajout directives pour resoudre bug IE
-//header('Cache-Control: Public, must-revalidate');
-//header('Pragma: public');
-
-//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
//print ''."\n";
diff --git a/htdocs/core/ajax/fetchKnowledgeRecord.php b/htdocs/core/ajax/fetchKnowledgeRecord.php
index afadf119e16..d4113d626f8 100644
--- a/htdocs/core/ajax/fetchKnowledgeRecord.php
+++ b/htdocs/core/ajax/fetchKnowledgeRecord.php
@@ -36,7 +36,7 @@ if (!defined('NOREQUIREMENU')) {
define('NOREQUIREMENU', '1');
}
// If there is no need to load and show top and left menu
-if (!empty($_GET['public'])) {
+if (!empty($_GET['public'])) { // GETPOST() is not yet defined so we use $_GET
if (!defined("NOLOGIN")) {
define("NOLOGIN", '1');
}
diff --git a/htdocs/core/ajax/loadinplace.php b/htdocs/core/ajax/loadinplace.php
index af033c8cdd3..59306740334 100644
--- a/htdocs/core/ajax/loadinplace.php
+++ b/htdocs/core/ajax/loadinplace.php
@@ -94,6 +94,7 @@ if (!empty($field) && !empty($element) && !empty($table_element) && !empty($fk_e
}
} elseif (!empty($ext_element)) {
$module = $subelement = $ext_element;
+ $regs = array();
if (preg_match('/^([^_]+)_([^_]+)/i', $ext_element, $regs)) {
$module = $regs[1];
$subelement = $regs[2];
diff --git a/htdocs/core/ajax/locationincoterms.php b/htdocs/core/ajax/locationincoterms.php
index 057322ec5fb..b6138c1e950 100644
--- a/htdocs/core/ajax/locationincoterms.php
+++ b/htdocs/core/ajax/locationincoterms.php
@@ -43,6 +43,9 @@ if (!defined('NOREQUIRESOC')) {
require '../../main.inc.php';
require_once DOL_DOCUMENT_ROOT.'/core/class/html.form.class.php';
+if (!isModEnabled('incoterm')) {
+ httponly_accessforbidden("Module incoterm not enabled"); // This includes the exit.
+}
/*
* View
@@ -70,13 +73,12 @@ if (GETPOST('location_incoterms')) {
if (!empty($conf->global->MAIN_USE_LOCATION_INCOTERMS_DICTIONNARY)) { // Use location_incoterms
$sql = "SELECT z.location as location_incoterms, z.label as label";
$sql .= " FROM ".MAIN_DB_PREFIX."c_location_incoterms as z";
- $sql .= " WHERE z.active = 1 AND UPPER(z.location) LIKE UPPER('%".$db->escape($location_incoterms)."%')";
+ $sql .= " WHERE z.active = 1 AND UPPER(z.location) LIKE UPPER('%".$db->escape($db->escapeforlike($location_incoterms))."%')";
$sql .= " ORDER BY z.location";
$sql .= $db->plimit(100); // Avoid pb with bad criteria
- } else // Use table of commande
- {
+ } else { // Use table of sale orders
$sql = "SELECT DISTINCT s.location_incoterms FROM ".MAIN_DB_PREFIX.'commande as s';
- $sql .= " WHERE UPPER(s.location_incoterms) LIKE UPPER('%".$db->escape($location_incoterms)."%')";
+ $sql .= " WHERE UPPER(s.location_incoterms) LIKE UPPER('%".$db->escape($db->escapeforlike($location_incoterms))."%')";
//Todo: merge with data from table of supplier order
/* $sql .=" UNION";
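Review bot: The sale-orders branch (`} else { // Use table of sale orders`) builds its query without the `$db->plimit(100)` that the dictionary branch applies, so a one-character criterion returns every distinct location in the orders table; unless a limit is appended further down in that branch, add `$sql .= $db->plimit(100);` after its ORDER BY as well. The `escapeforlike()` additions on both LIKE clauses are consistent and correct. The enclosing `if (GETPOST('location_incoterms'))` block starts before the hunk and the else branch continues past it.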
diff --git a/htdocs/core/ajax/objectonoff.php b/htdocs/core/ajax/objectonoff.php
index 54344da699e..f3b292889e5 100644
--- a/htdocs/core/ajax/objectonoff.php
+++ b/htdocs/core/ajax/objectonoff.php
@@ -45,50 +45,30 @@ require '../../main.inc.php';
require_once DOL_DOCUMENT_ROOT.'/core/class/genericobject.class.php';
$action = GETPOST('action', 'aZ09');
+
$id = GETPOST('id', 'int');
-$value = GETPOST('value', 'int');
+$element = GETPOST('element', 'alpha'); // 'module' or 'myobject@mymodule' or 'mymodule_myobject'
$field = GETPOST('field', 'alpha');
-$element = GETPOST('element', 'alpha');
+$value = GETPOST('value', 'int');
$format = 'int';
-$object = new GenericObject($db);
+// Load object according to $element
+$object = fetchObjectByElement($id, $element);
-$tmparray = explode('@', $element);
-if (empty($tmparray[1])) {
- $subelement = '';
-
- $object->module = $element;
- $object->element = $element;
- $object->table_element = $element;
-
- // Special case for compatibility
- if ($object->table_element == 'websitepage') {
- $object->table_element = 'website_page';
- }
-} else {
- $element = $tmparray[0];
- $subelement = $tmparray[1];
-
- $object->module = $element;
- $object->element = $subelement;
- $object->table_element = $object->module.'_'.$object->element;
-}
-$object->id = $id;
$object->fields[$field] = array('type' => $format, 'enabled' => 1);
$module = $object->module;
$element = $object->element;
-
//var_dump($object->module); var_dump($object->element); var_dump($object->table_element);
// Security check
if (!empty($user->socid)) {
$socid = $user->socid;
+ if (!empty($object->socid) && $socid != $object->socid) {
+ httponly_accessforbidden("Access on object not allowed for this external user."); // This includes the exit.
+ }
}
-//$user->hasRight('societe', 'lire') = 0;$user->rights->fournisseur->lire = 0;
-//restrictedArea($user, 'societe', $id);
-
// We check permission.
// Check is done on $user->rights->element->create or $user->rights->element->subelement->create (because $action = 'set')
if (preg_match('/status$/', $field)) {
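Review bot: The external-user check `if (!empty($object->socid) && $socid != $object->socid)` only denies when the fetched object carries a non-empty `socid`; for an element whose class has no `socid` property, or when the fetch loaded no record, the condition is false and the external user falls through to the ordinary permission check below. If the intent is that an external user may only toggle objects of its own third party, make it fail closed: `if (empty($object->socid) || (int) $socid != (int) $object->socid) { httponly_accessforbidden("Access on object not allowed for this external user."); }`, and if some elements are legitimately shared with external users, list those exceptions explicitly rather than relying on the missing property. The permission block at the end of the hunk continues outside it.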
diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php
index 410f6f0961e..5415a96ed4f 100644
--- a/htdocs/core/class/commonobject.class.php
+++ b/htdocs/core/class/commonobject.class.php
@@ -710,19 +710,23 @@ abstract class CommonObject
{
global $action, $extrafields, $langs, $hookmanager;
+ $MAX_EXTRAFIELDS_TO_SHOW_IN_TOOLTIP = 5; // If there is too much extrafields, we do not include them into tooltip
+
$datas = $this->getTooltipContentArray($params);
if (!empty($extrafields->attributes[$this->table_element]['label'])) {
- foreach ($extrafields->attributes[$this->table_element]['label'] as $key => $val) {
- if (!empty($extrafields->attributes[$this->table_element]['langfile'][$key])) {
- $langs->load($extrafields->attributes[$this->table_element]['langfile'][$key]);
- }
- $labelextra = $langs->trans((string) $extrafields->attributes[$this->table_element]['label'][$key]);
- if ($extrafields->attributes[$this->table_element]['type'][$key] == 'separate') {
- $datas[$key]= '
'. $labelextra . '';
- } else {
- $value = (empty($this->array_options['options_' . $key]) ? '' : $this->array_options['options_' . $key]);
- $datas[$key]= '
'. $labelextra . ': ' . $extrafields->showOutputField($key, $value, '', $this->table_element);
+ if (count($extrafields->attributes[$this->table_element]['label']) < $MAX_EXTRAFIELDS_TO_SHOW_IN_TOOLTIP) {
+ foreach ($extrafields->attributes[$this->table_element]['label'] as $key => $val) {
+ if (!empty($extrafields->attributes[$this->table_element]['langfile'][$key])) {
+ $langs->load($extrafields->attributes[$this->table_element]['langfile'][$key]);
+ }
+ $labelextra = $langs->trans((string) $extrafields->attributes[$this->table_element]['label'][$key]);
+ if ($extrafields->attributes[$this->table_element]['type'][$key] == 'separate') {
+ $datas[$key]= '
'. $labelextra . '';
+ } else {
+ $value = (empty($this->array_options['options_' . $key]) ? '' : $this->array_options['options_' . $key]);
+ $datas[$key]= '
'. $labelextra . ': ' . $extrafields->showOutputField($key, $value, '', $this->table_element);
+ }
}
}
}
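Review bot: `count(...) < $MAX_EXTRAFIELDS_TO_SHOW_IN_TOOLTIP` with the value 5 includes the extrafields only when there are at most four, which contradicts the variable's name and the "too much extrafields" comment; use `<=` if five should still be shown, or pick the value to match the intended maximum. As a point of style, an UPPER_SNAKE name assigned as a local inside the method reads like a constant but is not one; a class constant on CommonObject would express that, and would also make the threshold visible to subclasses. The enclosing method's signature is before the hunk and its body continues after it.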
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 918046fc218..9261fc85bc0 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -11193,10 +11193,10 @@ function dolGetButtonTitle($label, $helpText = '', $iconClass = 'fa fa-file', $u
/**
* Get an array with properties of an element.
- * Called by fetchObjectByElement.
*
- * @param string $element_type Element type (Value of $object->element). Example: 'action', 'facture', 'project_task' or 'object@mymodule'...
+ * @param string $element_type Element type (Value of $object->element). Example: 'action', 'facture', 'project_task', 'myobject@mymodule' or 'mymodule_myobject' ...
* @return array (module, classpath, element, subelement, classfile, classname)
+ * @see fetchObjectByElement()
*/
function getElementProperties($element_type)
{
@@ -11328,25 +11328,34 @@ function getElementProperties($element_type)
* Inclusion of classes is automatic
*
* @param int $element_id Element id
- * @param string $element_type Element type
+ * @param string $element_type Element type ('module' or 'myobject@mymodule' or 'mymodule_myobject')
* @param string $element_ref Element ref (Use this or element_id but not both)
- * @return int|object object || 0 || -1 if error
+ * @return int|object object || 0 || <0 if error
*/
function fetchObjectByElement($element_id, $element_type, $element_ref = '')
{
global $conf, $db;
+ $ret = 0;
+
$element_prop = getElementProperties($element_type);
- if (is_array($element_prop) && $conf->{$element_prop['module']}->enabled) {
+
+ if (is_array($element_prop) && isModEnabled($element_prop['module'])) {
dol_include_once('/'.$element_prop['classpath'].'/'.$element_prop['classfile'].'.class.php');
- $objecttmp = new $element_prop['classname']($db);
- $ret = $objecttmp->fetch($element_id, $element_ref);
- if ($ret >= 0) {
- return $objecttmp;
+ if (class_exists($element_prop['classname'])) {
+ $classname = $element_prop['classname'];
+ $objecttmp = new $classname($db);
+ $ret = $objecttmp->fetch($element_id, $element_ref);
+ if ($ret >= 0) {
+ return $objecttmp;
+ }
+ } else {
+ return -1;
}
}
- return 0;
+
+ return $ret;
}
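Review bot: `if ($ret >= 0) { return $objecttmp; }` still hands back the object when `fetch()` returned 0 (no row for the given id or ref), so callers such as the ajax scripts in this diff receive an unloaded instance with an empty `id` and cannot distinguish it from a successful fetch by return type alone. Either return `$ret` in that case, `if ($ret > 0) { return $objecttmp; }`, provided no caller depends on receiving the empty object, or state it in the docblock: `@return int|object Object (with empty id when no record matched), 0 if module disabled or element unknown, <0 on error`. The new `class_exists()` guard and the switch to `isModEnabled()` are correct and the `-1` return for a missing class matches the updated docblock.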
/**
diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php
index 368ceec6dfc..8de5fbe7339 100644
--- a/htdocs/societe/class/societe.class.php
+++ b/htdocs/societe/class/societe.class.php
@@ -2603,6 +2603,7 @@ class Societe extends CommonObject
/**
* getTooltipContentArray
+ *
* @param array $params params to construct tooltip data
* @since v18
* @return array
@@ -2619,6 +2620,7 @@ class Societe extends CommonObject
$nofetch = !empty($params['nofetch']);
$name = $this->name;
+ $noaliasinname = (empty($params['noaliasinname']) ? 0 : $params['noaliasinname']);
if (!empty($this->name_alias) && empty($noaliasinname)) {
$name .= ' ('.$this->name_alias.')';
@@ -2718,6 +2720,9 @@ class Societe extends CommonObject
$datas['profid6'] = '
'.$langs->trans('ProfId6'.$this->country_code).': '.$this->idprof6;
}
}
+
+ $datas['separator'] = '
';
+
if (!empty($this->code_client) && ($this->client == 1 || $this->client == 3)) {
$datas['customercode'] = '
'.$langs->trans('CustomerCode').': '.$this->code_client;
}