Fix: security update for multicompany

Regis Houssin 2012-04-15 11:28:21 +02:00
parent a2f363c24b
commit 161e39794e
12 changed files with 92 additions and 78 deletions


@ -39,8 +39,12 @@ $langs->load("users");
$langs->load("mails");
$action=GETPOST('action','alpha');
$rowid=GETPOST('rowid','int');
$typeid=GETPOST('typeid','int');
// Security check
if (! $user->rights->adherent->cotisation->lire) accessforbidden();
$result=restrictedArea($user,'adherent',$rowid);
$object = new Adherent($db);
$extrafields = new ExtraFields($db);
@ -50,10 +54,6 @@ $errmsg='';
$defaultdelay=1;
$defaultdelayunit='y';
$action=GETPOST('action');
$rowid=GETPOST('rowid');
$typeid=GETPOST('typeid');
if ($rowid)
{
// Load member


@ -968,7 +968,7 @@ class Adherent extends CommonObject
*/
function fetch($rowid,$ref='',$fk_soc='')
{
global $conf, $langs;
global $langs;
$sql = "SELECT d.rowid, d.civilite, d.prenom as firstname, d.nom as lastname, d.societe, d.fk_soc, d.statut, d.public, d.adresse as address, d.cp as zip, d.ville as town, d.note,";
$sql.= " d.email, d.phone, d.phone_perso, d.phone_mobile, d.login, d.pass,";
@ -989,10 +989,12 @@ class Adherent extends CommonObject
$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."c_departements as dep ON d.fk_departement = dep.rowid";
$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."user as u ON d.rowid = u.fk_member";
$sql.= " WHERE d.fk_adherent_type = t.rowid";
$sql.= " AND d.entity = ".$conf->entity;
if ($ref) $sql.= " AND d.rowid='".$ref."'";
elseif ($fk_soc) $sql.= " AND d.fk_soc='".$fk_soc."'";
else $sql.= " AND d.rowid=".$rowid;
if ($rowid) $sql.= " AND d.rowid=".$rowid;
elseif ($ref || $fk_soc) {
$sql.= " AND d.entity IN (".getEntity().")";
if ($ref) $sql.= " AND d.rowid='".$ref."'";
elseif ($fk_soc) $sql.= " AND d.fk_soc='".$fk_soc."'";
}
dol_syslog(get_class($this)."::fetch sql=".$sql);
$resql=$this->db->query($sql);
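Review bot: In the rewritten WHERE tail the `d.entity IN (getEntity())` condition is only appended on the `$ref`/`$fk_soc` branch, so a fetch by `$rowid` no longer carries any entity restriction, whereas the old code applied `d.entity = $conf->entity` unconditionally; unless cross-entity reads by id are intended here, a caller holding a guessed id reads a member belonging to another company. The same branch keeps `$ref` and `$fk_soc` quoted but unescaped and `$rowid` uncast, and when all three are empty no row filter is left at all, so the query returns an arbitrary member rather than failing. Hoisting the entity condition out of the branch and escaping or casting the parameters covers all three points; fetch() continues past the end of this hunk.
```php
$sql.= " WHERE d.fk_adherent_type = t.rowid";
$sql.= " AND d.entity IN (".getEntity().")";
if ($rowid) $sql.= " AND d.rowid=".(int) $rowid;
elseif ($ref) $sql.= " AND d.rowid='".$this->db->escape($ref)."'";
elseif ($fk_soc) $sql.= " AND d.fk_soc='".$this->db->escape($fk_soc)."'";
else return -1; // nothing to select by: refuse rather than return an arbitrary row
// … unchanged: dol_syslog and query execution …
```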


@ -1,7 +1,7 @@
<?php
/* Copyright (C) 2002-2007 Rodolphe Quiedeville <rodolphe@quiedeville.org>
* Copyright (C) 2004-2010 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2005-2007 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2005-2012 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2010 Juanjo Menent <jmenent@2byte.es>
*
* This program is free software; you can redistribute it and/or modify
@ -31,18 +31,21 @@ require_once(DOL_DOCUMENT_ROOT."/core/class/html.formfile.class.php");
require_once(DOL_DOCUMENT_ROOT."/adherents/class/adherent.class.php");
require_once(DOL_DOCUMENT_ROOT."/adherents/class/adherent_type.class.php");
$langs->load("members");
$langs->load("companies");
$langs->load('other');
$id=GETPOST('id','int');
$action=GETPOST('action','alpha');
$confirm=GETPOST('confirm','alpha');
$mesg = "";
// Security check
$id = GETPOST('id','int');
if ($user->societe_id > 0)
{
$id = $user->societe_id;
}
//$result = restrictedArea($user, 'societe', $id);
$result=restrictedArea($user,'adherent',$id);
// Get parameters
$sortfield = GETPOST("sortfield",'alpha');
@ -65,7 +68,7 @@ $upload_dir = $conf->adherent->dir_output . "/" . get_exdir($id,2,0,1) . '/' . $
*/
// Envoie fichier
if ( $_POST["sendit"] && ! empty($conf->global->MAIN_UPLOAD_DOC))
if ($_POST["sendit"] && ! empty($conf->global->MAIN_UPLOAD_DOC))
{
require_once(DOL_DOCUMENT_ROOT."/core/lib/files.lib.php");
@ -96,7 +99,7 @@ if ( $_POST["sendit"] && ! empty($conf->global->MAIN_UPLOAD_DOC))
}
// Suppression fichier
if ($_REQUEST['action'] == 'confirm_deletefile' && $_REQUEST['confirm'] == 'yes')
if ($action == 'confirm_deletefile' && $confirm == 'yes')
{
$file = $upload_dir . "/" . $_GET['urlfile']; // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP).
dol_delete_file($file);
@ -197,21 +200,21 @@ if ($id > 0)
/*
* Confirmation suppression fichier
*/
if ($_GET['action'] == 'delete')
if ($action == 'delete')
{
$ret=$form->form_confirm($_SERVER["PHP_SELF"].'?id='.$_GET["id"].'&urlfile='.urldecode($_GET["urlfile"]), $langs->trans('DeleteFile'), $langs->trans('ConfirmDeleteFile'), 'confirm_deletefile', '', 0, 1);
$ret=$form->form_confirm($_SERVER["PHP_SELF"].'?id='.$member->id.'&urlfile='.urldecode($_GET["urlfile"]), $langs->trans('DeleteFile'), $langs->trans('ConfirmDeleteFile'), 'confirm_deletefile', '', 0, 1);
if ($ret == 'html') print '<br>';
}
// Affiche formulaire upload
$formfile=new FormFile($db);
$formfile->form_attach_new_file(DOL_URL_ROOT.'/adherents/document.php?id='.$id,'',0,0,$user->rights->adherent->creer);
$formfile->form_attach_new_file(DOL_URL_ROOT.'/adherents/document.php?id='.$member->id,'',0,0,$user->rights->adherent->creer);
// List of document
$param='&socid='.$societe->id;
$formfile->list_of_documents($filearray,$member,'member',$param, 0, get_exdir($id,2,0,1).'/'.$id.'/');
$formfile->list_of_documents($filearray,$member,'member',$param, 0, get_exdir($member->id,2,0,1).'/'.$member->id.'/');
print "<br><br>";
}
@ -226,9 +229,7 @@ else
print $langs->trans("ErrorRecordNotFound");
}
$db->close();
llxFooter();
$db->close();
?>
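Review bot: The file-deletion branch (`@ -96,7 +99,7 @@`) now keys on the filtered `$action`/`$confirm`, but the path it removes is still built as `$file = $upload_dir . "/" . $_GET['urlfile'];` from the raw query string. Unless `dol_delete_file()` canonicalises and confines the path (not visible here), a value containing `../` reaches outside the member's upload directory. Read the parameter once with the others at the top of the file and reject traversal before the concatenation, e.g. `$urlfile=GETPOST('urlfile','alpha'); if (preg_match('/\.\./', $urlfile)) accessforbidden();`, then use `$urlfile` both here and in the `form_confirm()` URL in the later hunk, which also still reads `$_GET["urlfile"]` directly.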


@ -41,21 +41,22 @@ $langs->load("bills");
$langs->load("members");
$langs->load("users");
$action=GETPOST('action','alpha');
$confirm=GETPOST('confirm','alpha');
$rowid=GETPOST('rowid','int');
$typeid=GETPOST('typeid','int');
$userid=GETPOST('userid','int');
$socid=GETPOST('socid','int');
// Security check
if (! $user->rights->adherent->lire) accessforbidden();
$result=restrictedArea($user,'adherent',$rowid);
$object = new Adherent($db);
$extrafields = new ExtraFields($db);
$errmsg=''; $errmsgs=array();
$action=GETPOST('action','alpha');
$confirm=GETPOST('confirm','alpha');
$rowid=GETPOST('rowid','int');
$typeid=GETPOST('typeid','int');
$userid=GETPOST('userid','int');
$socid=GETPOST('socid','int');
if ($rowid > 0)
{
// Load member
@ -67,10 +68,10 @@ if ($rowid > 0)
if ($object->user_id)
{
// $user est le user qui edite, $object->user_id est l'id de l'utilisateur lies au membre edite
$caneditfielduser=( (($user->id == $object->user_id) && $user->rights->user->self->creer)
|| (($user->id != $object->user_id) && $user->rights->user->user->creer) );
$caneditpassworduser=( (($user->id == $object->user_id) && $user->rights->user->self->password)
|| (($user->id != $object->user_id) && $user->rights->user->user->password) );
$caneditfielduser=((($user->id == $object->user_id) && $user->rights->user->self->creer)
|| (($user->id != $object->user_id) && $user->rights->user->user->creer));
$caneditpassworduser=((($user->id == $object->user_id) && $user->rights->user->self->password)
|| (($user->id != $object->user_id) && $user->rights->user->user->password));
}
}
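Review bot: The security block in the first hunk now runs on the filtered `$rowid`, but `$socid` is taken from the request as-is; in document.php of this same commit the equivalent id is overridden with `$user->societe_id` when that is set, and no such override appears here. If `$socid` is later used to link the member to a company or to filter by it (not visible in the hunk), an external user bound to one company could pass another company's id. Adding `if ($user->societe_id > 0) $socid=$user->societe_id;` right after the GETPOST lines keeps the two pages consistent.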


@ -1,7 +1,8 @@
<?php
/* Copyright (C) 2001-2002 Rodolphe Quiedeville <rodolphe@quiedeville.org>
* Copyright (C) 2003 Jean-Louis Bergamo <jlb@j1b.org>
* Copyright (C) 2004-2012 Laurent Destailleur <eldy@users.sourceforge.net>
/* Copyright (C) 2001-2002 Rodolphe Quiedeville <rodolphe@quiedeville.org>
* Copyright (C) 2003 Jean-Louis Bergamo <jlb@j1b.org>
* Copyright (C) 2004-2012 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2005-2012 Regis Houssin <regis@dolibarr.fr>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -59,7 +60,10 @@ $AdherentType=array();
$sql = "SELECT t.rowid, t.libelle, t.cotisation,";
$sql.= " d.statut, count(d.rowid) as somme";
$sql.= " FROM ".MAIN_DB_PREFIX."adherent_type as t";
$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."adherent as d ON t.rowid = d.fk_adherent_type";
$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."adherent as d";
$sql.= " ON t.rowid = d.fk_adherent_type";
$sql.= " AND d.entity IN (".getEntity().")";
$sql.= " WHERE t.entity IN (".getEntity().")";
$sql.= " GROUP BY t.rowid, t.libelle, t.cotisation, d.statut";
dol_syslog("index.php::select nb of members by type sql=".$sql, LOG_DEBUG);
@ -94,8 +98,9 @@ $now=dol_now();
// old rule: uptodate = if type does not need payment, that end date is null, if type need payment that end date is in future)
$sql = "SELECT count(*) as somme , d.fk_adherent_type";
$sql.= " FROM ".MAIN_DB_PREFIX."adherent as d, ".MAIN_DB_PREFIX."adherent_type as t";
//$sql.= " WHERE d.statut = 1 AND ((t.cotisation = 0 AND d.datefin IS NULL) OR d.datefin >= ".$db->idate($now).')';
$sql.= " WHERE d.statut = 1 AND d.datefin >= ".$db->idate($now);
$sql.= " WHERE d.entity IN (".getEntity().")";
//$sql.= " AND d.statut = 1 AND ((t.cotisation = 0 AND d.datefin IS NULL) OR d.datefin >= ".$db->idate($now).')';
$sql.= " AND d.statut = 1 AND d.datefin >= ".$db->idate($now);
$sql.= " AND t.rowid = d.fk_adherent_type";
$sql.= " GROUP BY d.fk_adherent_type";
@ -212,7 +217,8 @@ $sql = "SELECT a.rowid, a.statut, a.nom as lastname, a.prenom as firstname,";
$sql.= " a.tms as datem, datefin as date_end_subscription,";
$sql.= " ta.rowid as typeid, ta.libelle, ta.cotisation";
$sql.= " FROM ".MAIN_DB_PREFIX."adherent as a, ".MAIN_DB_PREFIX."adherent_type as ta";
$sql.= " WHERE a.fk_adherent_type = ta.rowid";
$sql.= " WHERE a.entity IN (".getEntity().")";
$sql.= " AND a.fk_adherent_type = ta.rowid";
$sql.= $db->order("a.tms","DESC");
$sql.= $db->plimit($max, 0);
@ -264,7 +270,8 @@ $sql = "SELECT a.rowid, a.statut, a.nom, a.prenom,";
$sql.= " datefin as date_end_subscription,";
$sql.= " c.rowid as cid, c.tms as datem, c.datec as datec, c.dateadh as date_start, c.datef as date_end, c.cotisation";
$sql.= " FROM ".MAIN_DB_PREFIX."adherent as a, ".MAIN_DB_PREFIX."cotisation as c";
$sql.= " WHERE c.fk_adherent = a.rowid";
$sql.= " WHERE a.entity IN (".getEntity().")";
$sql.= " AND c.fk_adherent = a.rowid";
$sql.= $db->order("c.tms","DESC");
$sql.= $db->plimit($max, 0);
@ -350,7 +357,8 @@ $numb=0;
$sql = "SELECT c.cotisation, c.dateadh";
$sql.= " FROM ".MAIN_DB_PREFIX."adherent as d, ".MAIN_DB_PREFIX."cotisation as c";
$sql.= " WHERE d.rowid = c.fk_adherent";
$sql.= " WHERE d.entity IN (".getEntity().")";
$sql.= " AND d.rowid = c.fk_adherent";
if(isset($date_select) && $date_select != '')
{
$sql .= " AND dateadh LIKE '$date_select%'";
@ -406,7 +414,6 @@ print '</td></tr>';
print '</table>';
$db->close();
llxFooter();
$db->close();
?>
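Review bot: In the subscription-statistics hunk (`@ -350,7 +357,8 @@`) the context line `$sql .= " AND dateadh LIKE '$date_select%'";` interpolates `$date_select` straight into the query, and the entity filter added just above it leaves that untouched. Where `$date_select` is assigned is outside the hunk; if it originates from a request parameter it should be escaped or validated as a date prefix first, e.g. `$sql .= " AND dateadh LIKE '".$db->escape($date_select)."%'";`. The getEntity() condition placed inside the LEFT JOIN's ON clause in the first hunk, rather than in WHERE, is the right choice since it keeps member types with no members in the result.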


@ -1,6 +1,6 @@
<?php
/* Copyright (C) 2005-2009 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2005-2006 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2005-2012 Regis Houssin <regis@dolibarr.fr>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -32,8 +32,10 @@ $langs->load("bills");
$langs->load("members");
$langs->load("users");
if (!$user->rights->adherent->lire)
accessforbidden();
$id=(GETPOST('id','int') ? GETPOST('id','int') : GETPOST('rowid','int'));
// Security check
$result=restrictedArea($user,'adherent',$id);
/*
@ -43,9 +45,8 @@ if (!$user->rights->adherent->lire)
llxHeader('',$langs->trans("Member"),'EN:Module_Foundations|FR:Module_Adh&eacute;rents|ES:M&oacute;dulo_Miembros');
$adh = new Adherent($db);
$adh->id=$_GET["id"];
$adh->fetch($_GET["id"]);
$adh->info($_GET["id"]);
$adh->fetch($id);
$adh->info($id);
$head = member_prepare_head($adh);
@ -59,7 +60,6 @@ print '</td></tr></table>';
print '</div>';
$db->close();
llxFooter();
$db->close();
?>
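Review bot: `$adh->id=$_GET["id"];` at the top of the header hunk still copies the raw query-string value into the object, although the two lines right below it now use the filtered `$id`, which also honours the `rowid` fallback introduced in the first hunk; when the page is reached via `rowid`, that assignment leaves `$adh->id` empty. Replace it with `$adh->id=$id;`, or drop the line if `fetch()` populates `id` itself — its return value is not checked here either, so a failed fetch currently renders the page with an empty object.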


@ -27,14 +27,15 @@ require_once(DOL_DOCUMENT_ROOT.'/core/lib/member.lib.php');
require_once(DOL_DOCUMENT_ROOT.'/adherents/class/adherent.class.php');
require_once(DOL_DOCUMENT_ROOT."/adherents/class/adherent_type.class.php");
$action=GETPOST('action');
$id=GETPOST('id','int');
$langs->load("companies");
$langs->load("members");
$langs->load("companies");
$langs->load("members");
$langs->load("bills");
if (!$user->rights->adherent->lire) accessforbidden();
$action=GETPOST('action','alpha');
$id=GETPOST('id','int');
// Security check
$result=restrictedArea($user,'adherent',$id);
$object = new Adherent($db);
$result=$object->fetch($id);
@ -49,7 +50,7 @@ if ($result > 0)
* Actions
*/
if ($_POST["action"] == 'update' && $user->rights->adherent->creer && ! $_POST["cancel"])
if ($action == 'update' && $user->rights->adherent->creer && ! $_POST["cancel"])
{
$db->begin();
@ -174,7 +175,7 @@ if ($id)
}
$db->close();
llxFooter();
$db->close();
?>
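Review bot: The update condition still tests `! $_POST["cancel"]` in the same line where `$action` was just switched to the GETPOST value; reading the cancel flag the same way (`$cancel=GETPOST('cancel','alpha');` next to the other parameters, then `&& ! $cancel` in the condition) keeps request handling uniform across the file and avoids an undefined-index notice when the button was not pressed. The condition's body continues past the hunk.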


@ -73,7 +73,8 @@ if ($mode)
$data = array();
$sql.="SELECT COUNT(d.rowid) as nb, MAX(d.datevalid) as lastdate, c.code, c.libelle as label";
$sql.=" FROM ".MAIN_DB_PREFIX."adherent as d LEFT JOIN ".MAIN_DB_PREFIX."c_pays as c on d.pays = c.rowid";
$sql.=" WHERE d.statut = 1";
$sql.=" WHERE d.entity IN (".getEntity().")";
$sql.=" AND d.statut = 1";
$sql.=" GROUP BY c.libelle, c.code";
//print $sql;
}
@ -88,7 +89,8 @@ if ($mode)
$sql.=" FROM ".MAIN_DB_PREFIX."adherent as d LEFT JOIN ".MAIN_DB_PREFIX."c_departements as c on d.fk_departement = c.rowid";
$sql.=" LEFT JOIN ".MAIN_DB_PREFIX."c_regions as r on c.fk_region = r.code_region";
$sql.=" LEFT JOIN ".MAIN_DB_PREFIX."c_pays as p on d.pays = p.rowid";
$sql.=" WHERE d.statut = 1";
$sql.=" WHERE d.entity IN (".getEntity().")";
$sql.=" AND d.statut = 1";
$sql.=" GROUP BY p.libelle, p.code, c.nom";
//print $sql;
}
@ -102,7 +104,8 @@ if ($mode)
$sql.="SELECT COUNT(d.rowid) as nb, MAX(d.datevalid) as lastdate, p.code, p.libelle as label, d.ville as label2";
$sql.=" FROM ".MAIN_DB_PREFIX."adherent as d";
$sql.=" LEFT JOIN ".MAIN_DB_PREFIX."c_pays as p on d.pays = p.rowid";
$sql.=" WHERE d.statut = 1";
$sql.=" WHERE d.entity IN (".getEntity().")";
$sql.=" AND d.statut = 1";
$sql.=" GROUP BY p.libelle, p.code, d.ville";
//print $sql;
}


@ -1,7 +1,7 @@
<?php
/* Copyright (C) 2003 Rodolphe Quiedeville <rodolphe@quiedeville.org>
* Copyright (C) 2004-2011 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2005-2009 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2005-2012 Regis Houssin <regis@dolibarr.fr>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by


@ -2,7 +2,7 @@
/* Copyright (C) 2001-2002 Rodolphe Quiedeville <rodolphe@quiedeville.org>
* Copyright (C) 2003 Jean-Louis Bergamo <jlb@j1b.org>
* Copyright (C) 2004-2011 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2005-2011 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2005-2012 Regis Houssin <regis@dolibarr.fr>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -49,8 +49,8 @@ $pagenext = $page + 1;
if (! $sortorder) { $sortorder="DESC"; }
if (! $sortfield) { $sortfield="d.nom"; }
// Security check
if (! $user->rights->adherent->lire) accessforbidden();
// Security check
$result=restrictedArea($user,'adherent',$rowid,'adherent_type');
if (GETPOST('button_removefilter'))
{
@ -153,7 +153,8 @@ if (! $rowid && $action != 'create' && $action != 'edit')
$sql = "SELECT d.rowid, d.libelle, d.cotisation, d.vote";
$sql .= " FROM ".MAIN_DB_PREFIX."adherent_type as d";
$sql.= " FROM ".MAIN_DB_PREFIX."adherent_type as d";
$sql.= " WHERE d.entity IN (".getEntity().")";
$result = $db->query($sql);
if ($result)
@ -267,10 +268,8 @@ if ($rowid > 0)
if ($action != 'edit')
{
$adht = new AdherentType($db);
$adht->id = $rowid;
$adht->fetch($rowid);
$h=0;
$head[$h][0] = $_SERVER["PHP_SELF"].'?rowid='.$adht->id;
@ -344,7 +343,7 @@ if ($rowid > 0)
$sql.= " t.libelle as type, t.cotisation";
$sql.= " FROM ".MAIN_DB_PREFIX."adherent as d, ".MAIN_DB_PREFIX."adherent_type as t";
$sql.= " WHERE d.fk_adherent_type = t.rowid ";
$sql.= " AND d.entity = ".$conf->entity;
$sql.= " AND d.entity IN (".getEntity().")";
$sql.= " AND t.rowid = ".$adht->id;
if ($sall)
{
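Review bot: In the member-list hunk (`@ -344,7 +343,7 @@`) the query ends with `" AND t.rowid = ".$adht->id` while, in the preceding hunk, the type appears to be loaded only through `$adht->fetch($rowid)` whose return value is never checked; if that fetch fails (for instance for a type the new getEntity() filters exclude), `$adht->id` stays empty and the SQL becomes `t.rowid = `, which breaks at query time. Checking the fetch result, e.g. `if ($adht->fetch($rowid) <= 0) dol_print_error($db,$adht->error);`, and casting the id in the query, `" AND t.rowid = ".(int) $adht->id`, closes that gap. Both hunks sit inside an `if ($rowid > 0)` block that starts before the view.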


@ -75,7 +75,7 @@ if ($id || $ref)
$objecttype = 'adherent&categorie';
$objectid = isset($id)?$id:(isset($ref)?$ref:'');
$dbtablename = 'adherent';
$fieldid = isset($ref)?'ref':'rowid';
$fieldid = ! empty($ref)?'ref':'rowid';
}
}
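Review bot: `$fieldid` now uses `! empty($ref)` while the line above still derives `$objectid` with `isset()`, so the two can disagree: with `$ref` set to an empty string and `$id` unset, `$objectid` is `''` but `$fieldid` is `'rowid'`, and with `$id` set to `0` and a non-empty `$ref`, `$objectid` is `0` while `$fieldid` is `'ref'`. Using the same test for both, `$objectid = ! empty($id)?$id:(! empty($ref)?$ref:'');`, keeps the id and the column it is matched against in step. The enclosing block starts before the hunk.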


@ -57,10 +57,10 @@ if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS))
if ($id)
{
// $user est le user qui edite, $_GET["id"] est l'id de l'utilisateur edite
$caneditfield=( (($user->id == $id) && $user->rights->user->self->creer)
|| (($user->id != $id) && $user->rights->user->user->creer) );
$caneditpassword=( (($user->id == $id) && $user->rights->user->self->password)
|| (($user->id != $id) && $user->rights->user->user->password) );
$caneditfield=((($user->id == $id) && $user->rights->user->self->creer)
|| (($user->id != $id) && $user->rights->user->user->creer));
$caneditpassword=((($user->id == $id) && $user->rights->user->self->password)
|| (($user->id != $id) && $user->rights->user->user->password));
}
//Multicompany in mode transversal