Mirrors/dolibarr
1
0
Fork 0
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-02-20 13:46:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix add security check and fix the function call in societe/list

Browse Source
This commit is contained in:
FLIO 2023-05-09 18:37:37 +02:00
parent 34181d8214
commit 05bbdc435b
2 changed files with 18 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
htdocs/core/ajax/ajaxstatusprospect.php
View File

@ -23,21 +23,30 @@
* \brief File to return Ajax response on third parties request
*/
if (!defined('NOTOKENRENEWAL')) {
define('NOTOKENRENEWAL', '1'); // Disables token renewal
}
if (!defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL', 1); // Disables token renewal
if (!defined('NOREQUIREMENU')) define('NOREQUIREMENU', '1');
if (!defined('NOREQUIREHTML')) define('NOREQUIREHTML', '1');
if (!defined('NOREQUIREAJAX')) define('NOREQUIREAJAX', '1');
if (!defined('NOREQUIRESOC')) define('NOREQUIRESOC', '1');
// If there is no need to load and show top and left menu
if (!defined("NOLOGIN")) {
define("NOLOGIN", '1');
}
// Load Dolibarr environment
require '../../main.inc.php';
$idstatus = GETPOST('id', 'int');
$idprospect = GETPOST('prospectid', 'int');
$action = GETPOST('action', 'aZ09');
// Security check
if ($user->socid > 0) {
if ($idprospect != $user->socid) {
accessforbidden('Not allowed on this thirdparty');
}
}
// var_dump( $user, 'societe', $idprospect, '&societe');
$result = restrictedArea($user, 'societe', $idprospect, '&societe');
$permisstiontoupdate = $user->hasRight('societe', 'creer');
/*
* View
@ -45,11 +54,8 @@ require '../../main.inc.php';
top_httphead();
$idstatus = GETPOST('id', 'int');
$idprospect = GETPOST('prospectid', 'int');
$action = GETPOST('action', 'aZ09');
if ($action === "updatestatusprospect") {
if ($action === "updatestatusprospect" && $permisstiontoupdate) {
$response = '';
$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET ";

2
htdocs/societe/list.php
View File

@ -1912,7 +1912,7 @@ while ($i < $imaxinloop) {
}
// Line that calls the select_status function by passing it js as the 5th parameter in order to activate the js script
$formcompany->select_status('status_prospect', null, null, null, "js");
$formcompany->selectStatus('status_prospect', null, null, null, "js");
// If no record found
if ($num == 0) {