From ceecf89892eb42f1cf6fd0616d357144cf3bc3c5 Mon Sep 17 00:00:00 2001
From: samifilali26
Date: Tue, 19 Dec 2023 18:08:12 +0100
Subject: [PATCH 01/10] add function to check if output is too long to be set in db
---
 htdocs/cron/class/cronjob.class.php | 33 +++++++++++++++++++++++++++--
 1 file changed, 31 insertions(+), 2 deletions(-)
diff --git a/htdocs/cron/class/cronjob.class.php b/htdocs/cron/class/cronjob.class.php
index 5101fcbe1c5..479051647cf 100644
--- a/htdocs/cron/class/cronjob.class.php
+++ b/htdocs/cron/class/cronjob.class.php
@@ -1268,13 +1268,15 @@ class Cronjob extends CommonObject
 dol_syslog(get_class($this)."::run_jobs END result=".$result." error=".$errmsg, LOG_ERR);
 $this->error = $errmsg;
- $this->lastoutput = (!empty($object->output) ? $object->output."\n" : "").$errmsg;
+ if (!empty($object->output) && $this->canSetLastOutput(mb_strlen(trim($object->output."\n".$errmsg)))) $this->lastoutput = $object->output."\n".$errmsg;
+ else $this->lastoutput = $errmsg;
 $this->lastresult = is_numeric($result) ? $result : -1;
 $retval = $this->lastresult;
 $error++;
 } else {
 dol_syslog(get_class($this)."::run_jobs END");
- $this->lastoutput = (!empty($object->output) ? $object->output : "");
+ if (!empty($object->output) && $this->canSetLastOutput(mb_strlen(trim($object->output)))) $this->lastoutput = $object->output;
+ else $this->lastoutput = "";
 $this->lastresult = var_export($result, true);
 $retval = $this->lastresult;
 }
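Review bot: When the combined text is too long for the column, both added `if` lines discard the job output entirely and keep only `$errmsg` (or `""`), so the diagnostics a long, failing job produced are exactly what gets lost; truncating to the column length, e.g. `$this->lastoutput = dol_substr((empty($object->output) ? "" : $object->output."\n").$errmsg, 0, $maxlen);` with `$maxlen` being the limit `canSetLastOutput` looks up, would keep the head of the output instead. The length is also measured on `trim(...)` while the untrimmed string is assigned, so a value that passes the check can still be longer than what was measured. The brace-less single-line `if ... else` differs from the braced `} else {` style of the surrounding block. run_jobs continues outside the hunk.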
@@ -1518,6 +1520,33 @@ class Cronjob extends CommonObject
 return dolGetStatus($this->labelStatus[$status], $this->labelStatusShort[$status], '', $statusType, $mode);
 }
+
+ /**
+ * Check if the lastoutput column can be set for the cronjob table.
+ *
+ * @param int $lastoutput_length The length of lastoutput.
+ * @return bool True if lastoutput can be set, false otherwise.
+ */
+ function canSetLastOutput($lastoutput_length) {
+ global $dolibarr_main_db_name;
+
+ $sql = "SELECT character_maximum_length
+ FROM information_schema.columns
+ WHERE table_name = '".MAIN_DB_PREFIX."cronjob'
+ AND column_name = 'lastoutput'
+ AND table_schema = '$dolibarr_main_db_name'";
+ $resql = $this->db->query($sql);
+
+ if($resql) {
+ $row = $this->db->fetch_object($resql);
+ if($row->character_maximum_length >= $lastoutput_length) return true;
+ }
+ else {
+ dol_syslog($this->db->lasterror(), 'LOG_ERR');
+ }
+
+ return false;
+ }
 }
From 4d6c39ed6e3711689b9bc11a42a299bd820acd2a Mon Sep 17 00:00:00 2001
From: samifilali26
Date: Tue, 19 Dec 2023 18:11:35 +0100
Subject: [PATCH 02/10] update
---
 htdocs/fourn/class/fournisseur.facture-rec.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/fourn/class/fournisseur.facture-rec.class.php b/htdocs/fourn/class/fournisseur.facture-rec.class.php
index 322d1ed9285..f6f6c7ba763 100644
--- a/htdocs/fourn/class/fournisseur.facture-rec.class.php
+++ b/htdocs/fourn/class/fournisseur.facture-rec.class.php
@@ -1323,7 +1323,7 @@ class FactureFournisseurRec extends CommonInvoice
 }
 if (!$error && ($facturerec->auto_validate || $forcevalidation)) {
 $result = $new_fac_fourn->validate($user);
- $laststep="Validate by user {$user->id}";
+ $laststep="Validate by user {$user}";
 if ($result <= 0) {
 $this->errors = $new_fac_fourn->errors;
 $this->error = $new_fac_fourn->error;
From 292cf02d0c19c7a66d66d52690d269de9fbc4d76 Mon Sep 17 00:00:00 2001
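Review bot: `canSetLastOutput` reads `$row->character_maximum_length` without checking that `fetch_object()` actually returned a row; when the `information_schema` lookup matches nothing (a schema name that differs from `$dolibarr_main_db_name`, or a backend whose `information_schema` differs), `$row` is presumably `false`, the comparison is made against a missing property, and every run then silently drops the output — guard it with `if ($row && $row->character_maximum_length >= $lastoutput_length) return true;`. The log call passes the string `'LOG_ERR'` where the first hunk of this file uses the constant `LOG_ERR`, and the method is declared without a visibility keyword. `MAIN_DB_PREFIX` and `$dolibarr_main_db_name` are deployment configuration rather than request input, but interpolating them raw into the SQL string departs from the `$this->db->escape()` convention Dolibarr uses for SQL literals; `AND table_schema = '".$this->db->escape($dolibarr_main_db_name)."'"` keeps the query consistent with the rest of the class. Issuing an `information_schema` query on every job run is also avoidable; the limit could be resolved once and cached.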
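Review bot: Interpolating `{$user}` instead of `{$user->id}` puts the whole `$user` object into the string, which only works if its class defines `__toString()` and otherwise throws an `Error` at runtime on the validation path. Patches 03 and 04 of this series change this same line again and end up restoring `{$user->id}`, so the three commits net to no change and would be cleaner squashed out of the series. The enclosing method continues outside the hunk.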
From: samifilali26
Date: Tue, 19 Dec 2023 18:12:16 +0100
Subject: [PATCH 03/10] update
---
 htdocs/fourn/class/fournisseur.facture-rec.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/fourn/class/fournisseur.facture-rec.class.php b/htdocs/fourn/class/fournisseur.facture-rec.class.php
index f6f6c7ba763..cb455ae5cc9 100644
--- a/htdocs/fourn/class/fournisseur.facture-rec.class.php
+++ b/htdocs/fourn/class/fournisseur.facture-rec.class.php
@@ -1323,7 +1323,7 @@ class FactureFournisseurRec extends CommonInvoice
 }
 if (!$error && ($facturerec->auto_validate || $forcevalidation)) {
 $result = $new_fac_fourn->validate($user);
- $laststep="Validate by user {$user}";
+ $laststep="Validate by user $user";
 if ($result <= 0) {
 $this->errors = $new_fac_fourn->errors;
 $this->error = $new_fac_fourn->error;
From b5d2fde37ddcdf53c9e96822ac6b58728d3cafce Mon Sep 17 00:00:00 2001
From: samifilali26
Date: Tue, 19 Dec 2023 18:13:19 +0100
Subject: [PATCH 04/10] update
---
 htdocs/fourn/class/fournisseur.facture-rec.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/fourn/class/fournisseur.facture-rec.class.php b/htdocs/fourn/class/fournisseur.facture-rec.class.php
index cb455ae5cc9..322d1ed9285 100644
--- a/htdocs/fourn/class/fournisseur.facture-rec.class.php
+++ b/htdocs/fourn/class/fournisseur.facture-rec.class.php
@@ -1323,7 +1323,7 @@ class FactureFournisseurRec extends CommonInvoice
 }
 if (!$error && ($facturerec->auto_validate || $forcevalidation)) {
 $result = $new_fac_fourn->validate($user);
- $laststep="Validate by user $user";
+ $laststep="Validate by user {$user->id}";
 if ($result <= 0) {
 $this->errors = $new_fac_fourn->errors;
 $this->error = $new_fac_fourn->error;
From 7d3c348c686a71b23e0cd9bb5c8716ec81f383bf Mon Sep 17 00:00:00 2001
From: samifilali26
Date: Mon, 8 Jan 2024 10:08:06 +0100
Subject: [PATCH 05/10] update
---
 htdocs/cron/class/cronjob.class.php | 32 +++-------------------------
 1 file changed, 3 insertions(+), 29 deletions(-)
diff --git a/htdocs/cron/class/cronjob.class.php b/htdocs/cron/class/cronjob.class.php
index 479051647cf..4186c65f4ff 100644
--- a/htdocs/cron/class/cronjob.class.php
+++ b/htdocs/cron/class/cronjob.class.php
@@ -187,6 +187,7 @@ class Cronjob extends CommonObject
 const STATUS_DISABLED = 0;
 const STATUS_ENABLED = 1;
 const STATUS_ARCHIVED = 2;
+ const MAXIMUM_LENGTH_FOR_LASTOUTPUT_FIELD = 65535;
 /**
@@ -1268,14 +1269,14 @@ class Cronjob extends CommonObject
 dol_syslog(get_class($this)."::run_jobs END result=".$result." error=".$errmsg, LOG_ERR);
 $this->error = $errmsg;
- if (!empty($object->output) && $this->canSetLastOutput(mb_strlen(trim($object->output."\n".$errmsg)))) $this->lastoutput = $object->output."\n".$errmsg;
+ if (!empty($object->output) && $this::MAXIMUM_LENGTH_FOR_LASTOUTPUT_FIELD > mb_strlen(trim($object->output."\n".$errmsg))) $this->lastoutput = $object->output."\n".$errmsg;
 else $this->lastoutput = $errmsg;
 $this->lastresult = is_numeric($result) ? $result : -1;
 $retval = $this->lastresult;
 $error++;
 } else {
 dol_syslog(get_class($this)."::run_jobs END");
- if (!empty($object->output) && $this->canSetLastOutput(mb_strlen(trim($object->output)))) $this->lastoutput = $object->output;
+ if (!empty($object->output) && $this::MAXIMUM_LENGTH_FOR_LASTOUTPUT_FIELD > mb_strlen(trim($object->output))) $this->lastoutput = $object->output;
 else $this->lastoutput = "";
 $this->lastresult = var_export($result, true);
 $retval = $this->lastresult;
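Review bot: Both changed `if` lines in the second hunk compare `mb_strlen(trim(...))`, a character count, against `MAXIMUM_LENGTH_FOR_LASTOUTPUT_FIELD = 65535`; if that constant mirrors a MySQL `TEXT` column, the database limit is in bytes, so multibyte output can pass this check and still be rejected or cut by the driver, and `strlen()` (or truncating with `dol_substr` instead of discarding) would match the column's semantics. The unchanged `else` branches still drop the whole output when it is too long rather than keeping what fits. `$this::MAXIMUM_LENGTH_FOR_LASTOUTPUT_FIELD` would conventionally be written `self::MAXIMUM_LENGTH_FOR_LASTOUTPUT_FIELD`. The new constant in the first hunk has no comment; `// Upper bound on what is stored in cronjob.lastoutput; keep in sync with the column definition` would record where the number comes from. run_jobs continues outside the hunk.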
@@ -1520,33 +1521,6 @@ class Cronjob extends CommonObject
 return dolGetStatus($this->labelStatus[$status], $this->labelStatusShort[$status], '', $statusType, $mode);
 }
-
- /**
- * Check if the lastoutput column can be set for the cronjob table.
- *
- * @param int $lastoutput_length The length of lastoutput.
- * @return bool True if lastoutput can be set, false otherwise.
- */
- function canSetLastOutput($lastoutput_length) {
- global $dolibarr_main_db_name;
-
- $sql = "SELECT character_maximum_length
- FROM information_schema.columns
- WHERE table_name = '".MAIN_DB_PREFIX."cronjob'
- AND column_name = 'lastoutput'
- AND table_schema = '$dolibarr_main_db_name'";
- $resql = $this->db->query($sql);
-
- if($resql) {
- $row = $this->db->fetch_object($resql);
- if($row->character_maximum_length >= $lastoutput_length) return true;
- }
- else {
- dol_syslog($this->db->lasterror(), 'LOG_ERR');
- }
-
- return false;
- }
 }
From 5453f0c628787ecec4319f32c69669fef19a257c Mon Sep 17 00:00:00 2001
From: atm-sami <139965072+atm-sami@users.noreply.github.com>
Date: Mon, 15 Jan 2024 12:06:11 +0100
Subject: [PATCH 06/10] Update cronjob.class.php
---
 htdocs/cron/class/cronjob.class.php | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/htdocs/cron/class/cronjob.class.php b/htdocs/cron/class/cronjob.class.php
index 4186c65f4ff..dc2751faff3 100644
--- a/htdocs/cron/class/cronjob.class.php
+++ b/htdocs/cron/class/cronjob.class.php
@@ -1269,15 +1269,13 @@ class Cronjob extends CommonObject
 dol_syslog(get_class($this)."::run_jobs END result=".$result." error=".$errmsg, LOG_ERR);
 $this->error = $errmsg;
- if (!empty($object->output) && $this::MAXIMUM_LENGTH_FOR_LASTOUTPUT_FIELD > mb_strlen(trim($object->output."\n".$errmsg))) $this->lastoutput = $object->output."\n".$errmsg;
- else $this->lastoutput = $errmsg;
+ $this->lastoutput = dol_substr(!empty($object->output) ? $object->output."\n" : "").$errmsg, 0, $this::MAXIMUM_LENGTH_FOR_LASTOUTPUT_FIELD, 'UTF-8', 1);
 $this->lastresult = is_numeric($result) ? $result : -1;
 $retval = $this->lastresult;
 $error++;
 } else {
 dol_syslog(get_class($this)."::run_jobs END");
- if (!empty($object->output) && $this::MAXIMUM_LENGTH_FOR_LASTOUTPUT_FIELD > mb_strlen(trim($object->output))) $this->lastoutput = $object->output;
- else $this->lastoutput = "";
+ $this->lastoutput = dol_substr(!empty($object->output) ? $object->output."\n" : "").$errmsg, 0, $this::MAXIMUM_LENGTH_FOR_LASTOUTPUT_FIELD, 'UTF-8', 1);
 $this->lastresult = var_export($result, true);
 $retval = $this->lastresult;
 }
From 6a2d7d152386d34c12a0bbf0e53dabdbff726bf4 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 15 Jan 2024 14:14:51 +0100
Subject: [PATCH 07/10] Update cronjob.class.php
---
 htdocs/cron/class/cronjob.class.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/cron/class/cronjob.class.php b/htdocs/cron/class/cronjob.class.php
index dc2751faff3..b89d7ea3cb7 100644
--- a/htdocs/cron/class/cronjob.class.php
+++ b/htdocs/cron/class/cronjob.class.php
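Review bot: Neither added line parses: the `)` after `: ""` closes the `dol_substr(` call, which leaves `.$errmsg, 0, ...` outside any argument list, so the file fails at compile time until the ternary gets its own parentheses, `dol_substr((!empty($object->output) ? $object->output."\n" : "").$errmsg, 0, $this::MAXIMUM_LENGTH_FOR_LASTOUTPUT_FIELD, 'UTF-8', 1)`. Patch 07 of this series makes exactly that correction, so the two commits should be squashed rather than leaving a non-compiling revision in history. run_jobs continues outside the hunk.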
@@ -1269,13 +1269,13 @@ class Cronjob extends CommonObject
 dol_syslog(get_class($this)."::run_jobs END result=".$result." error=".$errmsg, LOG_ERR);
 $this->error = $errmsg;
- $this->lastoutput = dol_substr(!empty($object->output) ? $object->output."\n" : "").$errmsg, 0, $this::MAXIMUM_LENGTH_FOR_LASTOUTPUT_FIELD, 'UTF-8', 1);
+ $this->lastoutput = dol_substr((empty($object->output) ? "" : $object->output."\n").$errmsg, 0, $this::MAXIMUM_LENGTH_FOR_LASTOUTPUT_FIELD, 'UTF-8', 1);
 $this->lastresult = is_numeric($result) ? $result : -1;
 $retval = $this->lastresult;
 $error++;
 } else {
 dol_syslog(get_class($this)."::run_jobs END");
- $this->lastoutput = dol_substr(!empty($object->output) ? $object->output."\n" : "").$errmsg, 0, $this::MAXIMUM_LENGTH_FOR_LASTOUTPUT_FIELD, 'UTF-8', 1);
+ $this->lastoutput = dol_substr((empty($object->output) ? "" : $object->output."\n").$errmsg, 0, $this::MAXIMUM_LENGTH_FOR_LASTOUTPUT_FIELD, 'UTF-8', 1);
 $this->lastresult = var_export($result, true);
 $retval = $this->lastresult;
 }
From 5a04b2393df0f549f57fca0d957c21291685e627 Mon Sep 17 00:00:00 2001
From: Eric Seigne
Date: Mon, 15 Jan 2024 18:43:17 +0100
Subject: [PATCH 08/10] end fix #10417 : custom payment number for supplier invoices
---
 htdocs/core/lib/functions2.lib.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/core/lib/functions2.lib.php b/htdocs/core/lib/functions2.lib.php
index 066027aa24a..4c20f648932 100644
--- a/htdocs/core/lib/functions2.lib.php
+++ b/htdocs/core/lib/functions2.lib.php
@@ -973,7 +973,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
 if (!is_object($objsoc)) {
 $valueforccc = $objsoc;
- } elseif ($table == "commande_fournisseur" || $table == "facture_fourn") {
+ } elseif ($table == "commande_fournisseur" || $table == "facture_fourn" || $table == "paiementfourn") {
 $valueforccc = dol_string_unaccent($objsoc->code_fournisseur);
 } else {
 $valueforccc = dol_string_unaccent($objsoc->code_client);
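Review bot: The second changed line (the success branch after `dol_syslog(... "::run_jobs END")`) still appends `$errmsg` to the stored output, whereas before patch 06 that branch stored only `$object->output` or `""`; nothing in the hunk shows `$errmsg` being reset on the success path, so a message left over from an earlier code path could be persisted as this job's output — confirm that, or use `$this->lastoutput = dol_substr(empty($object->output) ? "" : $object->output, 0, $this::MAXIMUM_LENGTH_FOR_LASTOUTPUT_FIELD, 'UTF-8', 1);` there. The cut is made with a `'UTF-8'` character count, while a 65535 bound that mirrors a MySQL `TEXT` column is in bytes, so multibyte output can still exceed the column; a byte-based cut or a smaller bound avoids that. run_jobs continues outside the hunk.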
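Review bot: The changed `elseif` now chains three loose `==` comparisons on `$table`; `} elseif (in_array($table, ['commande_fournisseur', 'facture_fourn', 'paiementfourn'], true)) {` says the same thing with strict comparison and gives one place to add the next supplier-side table. get_next_value continues outside the hunk.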
From 4c5d9f2742cc46bd064b51e68337662c486777a3 Mon Sep 17 00:00:00 2001
From: Thomas905
Date: Thu, 18 Jan 2024 13:56:46 +0100
Subject: [PATCH 09/10] add action update_extras to don card
---
 htdocs/don/card.php | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/htdocs/don/card.php b/htdocs/don/card.php
index ae0e510d135..af3ea6525f2 100644
--- a/htdocs/don/card.php
+++ b/htdocs/don/card.php
@@ -308,6 +308,30 @@ if (empty($reshook)) {
 $object->setProject($projectid);
 }
+ if ($action == 'update_extras') {
+ $object->fetch($id);
+
+ $object->oldcopy = dol_clone($object);
+
+ // Fill array 'array_options' with data from update form
+ $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'restricthtml'));
+
+ if ($ret < 0) {
+ $error++;
+ }
+
+ if (!$error) {
+ $result = $object->insertExtraFields('DON_MODIFY');
+ if ($result < 0) {
+ setEventMessages($object->error, $object->errors, 'errors');
+ $error++;
+ }
+ }
+
+ if ($error) {
+ $action = 'edit_extras';
+ }
+ }
 // Actions to build doc
 include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php';
From bc14550dedc49d34e9209b6953dc00d374f705c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alo=C3=AFs=20Micard?=
Date: Thu, 18 Jan 2024 14:55:45 +0100
Subject: [PATCH 10/10] FIX: Fix supplier invoice security check
---
 .../class/api_supplier_invoices.class.php | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/htdocs/fourn/class/api_supplier_invoices.class.php b/htdocs/fourn/class/api_supplier_invoices.class.php
index 17146eecd35..39f2b09b372 100644
--- a/htdocs/fourn/class/api_supplier_invoices.class.php
+++ b/htdocs/fourn/class/api_supplier_invoices.class.php
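Review bot: The return value of `$object->fetch($id)` on the second added line is ignored, so an unknown or unreadable `$id` still proceeds to `dol_clone`, `setOptionalsFromPost` and `insertExtraFields` on an object that was never loaded; `if ($object->fetch($id) <= 0) { $error++; }` before the clone would gate the rest of the block. No permission check is visible inside the hunk: if the enclosing `if (empty($reshook))` block does not already restrict write actions to users holding the donation edit right, `update_extras` would accept extra-field changes from any user who can reach the card, so confirm the guard above the hunk or add one to the `if` condition. `$error` is presumably initialised earlier in the file. The enclosing block starts and ends outside the hunk.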
@@ -380,15 +380,15 @@ class SupplierInvoices extends DolibarrApi
 throw new RestException(400, 'Invoice ID is mandatory');
 }
- if (!DolibarrApi::_checkAccessToResource('fournisseur', $this->invoice->id, 'facture_fourn', 'facture')) {
- throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
- }
-
 $result = $this->invoice->fetch($id);
 if (!$result) {
 throw new RestException(404, 'Invoice not found');
 }
+ if (!DolibarrApi::_checkAccessToResource('fournisseur', $this->invoice->id, 'facture_fourn', 'facture')) {
+ throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
+ }
+
 $result = $this->invoice->getListOfPayments();
 if ($result < 0) {
 throw new RestException(405, $this->invoice->error);
@@ -429,6 +429,11 @@ class SupplierInvoices extends DolibarrApi
 throw new RestException(400, 'Invoice ID is mandatory');
 }
+ $result = $this->invoice->fetch($id);
+ if (!$result) {
+ throw new RestException(404, 'Invoice not found');
+ }
+
 if (!DolibarrApi::_checkAccessToResource('fournisseur', $this->invoice->id, 'facture_fourn', 'facture')) {
 throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
 }
@@ -443,12 +448,6 @@ class SupplierInvoices extends DolibarrApi
 throw new RestException(400, 'Payment mode ID is mandatory');
 }
-
- $result = $this->invoice->fetch($id);
- if (!$result) {
- throw new RestException(404, 'Invoice not found');
- }
-
 // Calculate amount to pay
 $totalpaid = $this->invoice->getSommePaiement();
 $totaldeposits = $this->invoice->getSumDepositsUsed();
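Review bot: `if (!$result)` after `$this->invoice->fetch($id)` in the first hunk (and the same lines added in the second hunk) treats only a falsy return as "not found"; if `fetch()` reports errors with a negative value, as Dolibarr object `fetch()` methods commonly do, a failed load is taken as success and `_checkAccessToResource` then runs against whatever `$this->invoice->id` happens to hold, which is the unloaded-object condition this commit is fixing. `if ($result <= 0) {` covers both outcomes and guarantees the access check only ever sees a loaded invoice. The refusal is reported as 401 to a caller who is already authenticated; 403 is the conventional status for an authorization failure, though changing it is an API-compatibility decision for the maintainers. Both enclosing methods continue outside the hunks.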