Clean and secured code for ajax/row.php
This commit is contained in:
parent
b275789223
commit
00e48aa922
|
|
@ -59,15 +59,52 @@ top_httphead();
|
|||
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
// Registering the location of boxes
|
||||
if (GETPOST('roworder', 'alpha') && GETPOST('table_element_line', 'alpha', 2)
|
||||
&& GETPOST('fk_element', 'alpha', 2) && GETPOST('element_id', 'int', 2)) {
|
||||
if (GETPOST('roworder', 'alpha', 2) && GETPOST('table_element_line', 'aZ09', 2)
|
||||
&& GETPOST('fk_element', 'aZ09', 2) && GETPOST('element_id', 'int', 2)) {
|
||||
$roworder = GETPOST('roworder', 'alpha', 2);
|
||||
$table_element_line = GETPOST('table_element_line', 'alpha', 2);
|
||||
$fk_element = GETPOST('fk_element', 'alpha', 2);
|
||||
$table_element_line = GETPOST('table_element_line', 'aZ09', 2);
|
||||
$fk_element = GETPOST('fk_element', 'aZ09', 2);
|
||||
$element_id = GETPOST('element_id', 'int', 2);
|
||||
|
||||
dol_syslog("AjaxRow roworder=".$roworder." table_element_line=".$table_element_line." fk_element=".$fk_element." element_id=".$element_id, LOG_DEBUG);
|
||||
|
||||
// Make test on pemrission
|
||||
$perm = 0;
|
||||
if ($table_element_line == 'propaldet' && $user->rights->propal->creer) {
|
||||
$perm = 1;
|
||||
} elseif ($table_element_line == 'commandedet' && $user->rights->commande->creer) {
|
||||
$perm = 1;
|
||||
} elseif ($table_element_line == 'facturedet' && $user->rights->facture->creer) {
|
||||
$perm = 1;
|
||||
} elseif ($table_element_line == 'facturerecdet' && $user->rights->facture->creer) {
|
||||
$perm = 1;
|
||||
} elseif ($table_element_line == 'ecm_files' && $user->rights->ecm->creer) {
|
||||
$perm = 1;
|
||||
} elseif ($table_element_line == 'emailcollector_emailcollectoraction' && $user->admin) {
|
||||
$perm = 1;
|
||||
} elseif ($table_element_line == 'bom_bomline' && $user->rights->bom->write) {
|
||||
$perm = 1;
|
||||
} elseif ($table_element_line == 'mrp_production' && $user->rights->mrp->write) {
|
||||
$perm = 1;
|
||||
} elseif ($table_element_line == 'supplier_proposaldet' && $user->rights->supplier_proposal->write) {
|
||||
$perm = 1;
|
||||
} elseif ($table_element_line == 'commande_fournisseurdet' && $user->rights->fourn->commande->creer) {
|
||||
$perm = 1;
|
||||
} elseif ($table_element_line == 'facture_fourn_det' && $user->rights->fourn->facture->creer) {
|
||||
$perm = 1;
|
||||
} else {
|
||||
$tmparray = explode('_', $table_element_line);
|
||||
$tmpmodule = $tmparray[0]; $tmpobject = preg_replace('/line$/', '', $tmparray[1]);
|
||||
if (!empty($tmpmodule) && !empty($tmpobject) && !empty($conf->$tmpmodule->enabled) && !empty($user->rights->$tmpobject->read)) {
|
||||
$perm = 1;
|
||||
}
|
||||
}
|
||||
|
||||
if (! $perm) {
|
||||
print 'Bad permission to modify position of lines for object in table '.$table_element_line;
|
||||
accessforbidden('Bad permission to modify position of lines for object in table '.$table_element_line);
|
||||
}
|
||||
|
||||
$rowordertab = explode(',', $roworder);
|
||||
$newrowordertab = array();
|
||||
foreach ($rowordertab as $value) {
|
||||
|
|
@ -88,4 +125,6 @@ if (GETPOST('roworder', 'alpha') && GETPOST('table_element_line', 'alpha', 2)
|
|||
if (in_array($fk_element, array('fk_facture', 'fk_propal', 'fk_commande'))) {
|
||||
$result = $row->line_order(true);
|
||||
}
|
||||
} else {
|
||||
print 'Bad parameters for row.php';
|
||||
}
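Review bot: The generic fallback at the end of the permission chain in the first hunk (the `else` branch that splits `$table_element_line` on `_`) grants `$perm = 1` on `$user->rights->$tmpobject->read`, yet this endpoint updates line positions, so a read-only right on a module object is enough to reorder its lines, while every explicit branch above it requires `creer` or `write`. The test should require a write-level right; right names vary per module in Dolibarr, so something like `(!empty($user->rights->$tmpobject->write) || !empty($user->rights->$tmpobject->creer))` in place of the `->read` check, to be confirmed against the modules that reach this path. In the same branch `$tmparray[1]` is read without checking that `explode()` returned two parts, so a `table_element_line` without an underscore raises an undefined-offset notice; `$tmpobject = isset($tmparray[1]) ? preg_replace('/line$/', '', $tmparray[1]) : '';` avoids it. The `print` just before `accessforbidden()` duplicates the message that call already reports and can be dropped, and the comment typo `pemrission` could be fixed while here. The second hunk of this file only adds the `else` error branch and raises nothing further.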
|
||||
|
|
|
|||
|
|
@ -3022,8 +3022,8 @@ abstract class CommonObject
|
|||
$fieldposition = 'position';
|
||||
}
|
||||
|
||||
$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element_line.' SET '.$fieldposition.' = '.$rang;
|
||||
$sql .= ' WHERE rowid = '.$rowid;
|
||||
$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element_line.' SET '.$fieldposition.' = '.((int) $rang);
|
||||
$sql .= ' WHERE rowid = '.((int) $rowid);
|
||||
|
||||
dol_syslog(get_class($this)."::updateRangOfLine", LOG_DEBUG);
|
||||
if (!$this->db->query($sql)) {
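Review bot: The `(int)` casts on `$rang` and `$rowid` close the string-interpolation path into the UPDATE, but an empty or non-numeric `$rowid` now silently becomes `0` and the statement is still issued, matching nothing without any error reaching the caller. A guard before the SQL is built, `if ((int) $rowid <= 0) { return -1; }`, would surface bad input instead of a no-op write — assuming this method follows the negative-return-on-error convention, which is not visible in the hunk. `updateRangOfLine` starts and ends outside the hunk, so its signature could also gain `int` type hints on `$rowid` and `$rang` if callers already pass integers.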
|
||||
|
|
|
|||
|
|
@ -555,55 +555,6 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea
|
|||
|
||||
print dol_get_fiche_end();
|
||||
|
||||
|
||||
/*
|
||||
* Lines
|
||||
*/
|
||||
|
||||
if (!empty($object->table_element_line)) {
|
||||
// Show object lines
|
||||
$result = $object->getLinesArray();
|
||||
|
||||
print ' <form name="addproduct" id="addproduct" action="'.$_SERVER["PHP_SELF"].'?id='.$object->id.(($action != 'editline') ? '#addline' : '#line_'.GETPOST('lineid', 'int')).'" method="POST">
|
||||
<input type="hidden" name="token" value="' . newToken().'">
|
||||
<input type="hidden" name="action" value="' . (($action != 'editline') ? 'addline' : 'updateline').'">
|
||||
<input type="hidden" name="mode" value="">
|
||||
<input type="hidden" name="id" value="' . $object->id.'">
|
||||
';
|
||||
|
||||
if (!empty($conf->use_javascript_ajax) && $object->status == 0) {
|
||||
include DOL_DOCUMENT_ROOT.'/core/tpl/ajaxrow.tpl.php';
|
||||
}
|
||||
|
||||
print '<div class="div-table-responsive-no-min">';
|
||||
if (!empty($object->lines) || ($object->status == $object::STATUS_DRAFT && $permissiontoadd && $action != 'selectlines' && $action != 'editline')) {
|
||||
print '<table id="tablelines" class="noborder noshadow" width="100%">';
|
||||
}
|
||||
|
||||
if (!empty($object->lines)) {
|
||||
$object->printObjectLines($action, $mysoc, null, GETPOST('lineid', 'int'), 1);
|
||||
}
|
||||
|
||||
// Form to add new line
|
||||
if ($object->status == 0 && $permissiontoadd && $action != 'selectlines') {
|
||||
if ($action != 'editline') {
|
||||
// Add products/services form
|
||||
$object->formAddObjectLine(1, $mysoc, $soc);
|
||||
|
||||
$parameters = array();
|
||||
$reshook = $hookmanager->executeHooks('formAddObjectLine', $parameters, $object, $action); // Note that $action and $object may have been modified by hook
|
||||
}
|
||||
}
|
||||
|
||||
if (!empty($object->lines) || ($object->status == $object::STATUS_DRAFT && $permissiontoadd && $action != 'selectlines' && $action != 'editline')) {
|
||||
print '</table>';
|
||||
}
|
||||
print '</div>';
|
||||
|
||||
print "</form>\n";
|
||||
}
|
||||
|
||||
|
||||
// Buttons for actions
|
||||
|
||||
if ($action != 'presend' && $action != 'editline') {
|
||||
|
|
|
|||
|
|
@ -412,54 +412,6 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea
|
|||
|
||||
print dol_get_fiche_end();
|
||||
|
||||
|
||||
/*
|
||||
* Lines
|
||||
*/
|
||||
|
||||
if (!empty($object->table_element_line)) {
|
||||
// Show object lines
|
||||
$result = $object->getLinesArray();
|
||||
|
||||
print ' <form name="addproduct" id="addproduct" action="'.$_SERVER["PHP_SELF"].'?id='.$object->id.(($action != 'editline') ? '#addline' : '#line_'.GETPOST('lineid', 'int')).'" method="POST">
|
||||
<input type="hidden" name="token" value="' . newToken().'">
|
||||
<input type="hidden" name="action" value="' . (($action != 'editline') ? 'addline' : 'updateline').'">
|
||||
<input type="hidden" name="mode" value="">
|
||||
<input type="hidden" name="id" value="' . $object->id.'">
|
||||
';
|
||||
|
||||
if (!empty($conf->use_javascript_ajax) && $object->status == 0) {
|
||||
include DOL_DOCUMENT_ROOT.'/core/tpl/ajaxrow.tpl.php';
|
||||
}
|
||||
|
||||
print '<div class="div-table-responsive-no-min">';
|
||||
if (!empty($object->lines) || ($object->status == $object::STATUS_DRAFT && $permissiontoadd && $action != 'selectlines' && $action != 'editline')) {
|
||||
print '<table id="tablelines" class="noborder noshadow" width="100%">';
|
||||
}
|
||||
|
||||
if (!empty($object->lines)) {
|
||||
$object->printObjectLines($action, $mysoc, null, GETPOST('lineid', 'int'), 1);
|
||||
}
|
||||
|
||||
// Form to add new line
|
||||
if ($object->status == 0 && $permissiontoadd && $action != 'selectlines') {
|
||||
if ($action != 'editline') {
|
||||
// Add products/services form
|
||||
$object->formAddObjectLine(1, $mysoc, $soc);
|
||||
|
||||
$parameters = array();
|
||||
$reshook = $hookmanager->executeHooks('formAddObjectLine', $parameters, $object, $action); // Note that $action and $object may have been modified by hook
|
||||
}
|
||||
}
|
||||
|
||||
if (!empty($object->lines) || ($object->status == $object::STATUS_DRAFT && $permissiontoadd && $action != 'selectlines' && $action != 'editline')) {
|
||||
print '</table>';
|
||||
}
|
||||
print '</div>';
|
||||
|
||||
print "</form>\n";
|
||||
}
|
||||
|
||||
print '<br>'.$langs->trans("FeatureNotYetAvailable");
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -440,54 +440,6 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea
|
|||
print dol_get_fiche_end();
|
||||
|
||||
|
||||
/*
|
||||
* Lines
|
||||
*/
|
||||
|
||||
if (!empty($object->table_element_line)) {
|
||||
// Show object lines
|
||||
$result = $object->getLinesArray();
|
||||
|
||||
print ' <form name="addproduct" id="addproduct" action="'.$_SERVER["PHP_SELF"].'?id='.$object->id.(($action != 'editline') ? '#addline' : '#line_'.GETPOST('lineid', 'int')).'" method="POST">
|
||||
<input type="hidden" name="token" value="' . newToken().'">
|
||||
<input type="hidden" name="action" value="' . (($action != 'editline') ? 'addline' : 'updateline').'">
|
||||
<input type="hidden" name="mode" value="">
|
||||
<input type="hidden" name="id" value="' . $object->id.'">
|
||||
';
|
||||
|
||||
if (!empty($conf->use_javascript_ajax) && $object->status == 0) {
|
||||
include DOL_DOCUMENT_ROOT.'/core/tpl/ajaxrow.tpl.php';
|
||||
}
|
||||
|
||||
print '<div class="div-table-responsive-no-min">';
|
||||
if (!empty($object->lines) || ($object->status == $object::STATUS_DRAFT && $permissiontoadd && $action != 'selectlines' && $action != 'editline')) {
|
||||
print '<table id="tablelines" class="noborder noshadow" width="100%">';
|
||||
}
|
||||
|
||||
if (!empty($object->lines)) {
|
||||
$object->printObjectLines($action, $mysoc, null, GETPOST('lineid', 'int'), 1);
|
||||
}
|
||||
|
||||
// Form to add new line
|
||||
if ($object->status == 0 && $permissiontoadd && $action != 'selectlines') {
|
||||
if ($action != 'editline') {
|
||||
// Add products/services form
|
||||
$object->formAddObjectLine(1, $mysoc, $soc);
|
||||
|
||||
$parameters = array();
|
||||
$reshook = $hookmanager->executeHooks('formAddObjectLine', $parameters, $object, $action); // Note that $action and $object may have been modified by hook
|
||||
}
|
||||
}
|
||||
|
||||
if (!empty($object->lines) || ($object->status == $object::STATUS_DRAFT && $permissiontoadd && $action != 'selectlines' && $action != 'editline')) {
|
||||
print '</table>';
|
||||
}
|
||||
print '</div>';
|
||||
|
||||
print "</form>\n";
|
||||
}
|
||||
|
||||
|
||||
// Buttons for actions
|
||||
|
||||
if ($action != 'presend' && $action != 'editline') {
|
||||
|
|
|
|||
|
|
@ -118,6 +118,7 @@ $usercancreateorder = $user->rights->fournisseur->commande->creer;
|
|||
$permissionnote = $usercancreate; // Used by the include of actions_setnotes.inc.php
|
||||
$permissiondellink = $usercancreate; // Used by the include of actions_dellink.inc.php
|
||||
$permissiontoedit = $usercancreate; // Used by the include of actions_lineupdown.inc.php
|
||||
$permissiontoadd = $usercancreate;
|
||||
|
||||
|
||||
/*
|
||||
|
|
@ -485,7 +486,6 @@ if (empty($reshook)) {
|
|||
|
||||
// Actions to build doc
|
||||
$upload_dir = $conf->supplier_proposal->dir_output;
|
||||
$permissiontoadd = $usercancreate;
|
||||
include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php';
|
||||
|
||||
|
||||
|
|
|
|||