Mirrors/dolibarr
1
0
Fork 0
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-02-20 13:46:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix secured the Ajax components

Browse Source
This commit is contained in:
Laurent Destailleur 2023-03-27 11:52:56 +02:00
parent 1e94959042
commit 498b2d5279
29 changed files with 258 additions and 176 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
htdocs/core/ajax/ajaxdirpreview.php
View File

@ -117,14 +117,14 @@ if (empty($url)) { // autoset $url but it is better to have it defined before in
// Load translation files required by the page
$langs->loadLangs(array("ecm", "companies", "other"));
if (empty($modulepart)) {
$modulepart = $module;
}
// Security check
if ($user->socid > 0) {
$socid = $user->socid;
}
//print 'xxx'.$upload_dir;
// Security:
// On interdit les remontees de repertoire ainsi que les pipe dans les noms de fichiers.
if (preg_match('/\.\./', $upload_dir) || preg_match('/[<>|]/', $upload_dir)) {
dol_syslog("Refused to deliver file ".$upload_dir);
@ -132,11 +132,6 @@ if (preg_match('/\.\./', $upload_dir) || preg_match('/[<>|]/', $upload_dir)) {
dol_print_error(0, $langs->trans("ErrorFileNameInvalid", $upload_dir));
exit;
}
if (empty($modulepart)) {
$modulepart = $module;
}
// Check permissions
if ($modulepart == 'ecm') {
if (!$user->hasRight('ecm', 'read')) {

2
htdocs/core/ajax/ajaxdirtree.php
View File

@ -103,7 +103,7 @@ if (empty($modulepart)) {
$modulepart = $module;
}
// Check permissions
// Security check
if ($modulepart == 'ecm') {
if (!$user->hasRight('ecm', 'read')) {
accessforbidden();

3
htdocs/core/ajax/bankconciliate.php
View File

@ -44,6 +44,9 @@ require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php';
$action = GETPOST('action', 'aZ09');
// Security check
// Checks are done later
/*
* View

10
htdocs/core/ajax/box.php
View File

@ -46,16 +46,16 @@ $boxorder = GETPOST('boxorder');
$zone = GETPOST('zone', 'int');
$userid = GETPOST('userid', 'int');
// Security check
if ($userid != $user->id) {
httponly_accessforbidden('Bad userid parameter. Must match logged user.');
}
/*
* View
*/
// Ajout directives pour resoudre bug IE
//header('Cache-Control: Public, must-revalidate');
//header('Pragma: public');
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";

18
htdocs/core/ajax/check_notifications.php
View File

@ -44,6 +44,9 @@ $time = dol_now();
$action = GETPOST('action', 'aZ09');
$listofreminderids = GETPOST('listofreminderids', 'aZ09');
// Security check
// No permission check at top, but action later are all done with a test on $user->id.
/*
* Actions
@ -68,6 +71,7 @@ if ($action == 'stopreminder') {
// Clean database
$sql = 'DELETE FROM '.MAIN_DB_PREFIX.'actioncomm_reminder';
$sql .= " WHERE dateremind < '".$db->idate(dol_time_plus_duree(dol_now(), -1, 'm'))."'";
$sql .= " AND fk_user = ".((int) $user->id).' AND entity = '.((int) $conf->entity);
$resql = $db->query($sql);
if (!$resql) {
dol_print_error($db);
@ -124,18 +128,10 @@ if (empty($_SESSION['auto_check_events_not_before']) || $time >= $_SESSION['auto
$sql = 'SELECT a.id as id_agenda, a.code, a.datep, a.label, a.location, ar.rowid as id_reminder, ar.dateremind, ar.fk_user as id_user_reminder';
$sql .= ' FROM '.MAIN_DB_PREFIX.'actioncomm as a';
if (!empty($user->conf->MAIN_USER_WANT_ALL_EVENTS_NOTIFICATIONS)) {
$sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'actioncomm_reminder as ar ON a.id = ar.fk_actioncomm AND ar.fk_user = '.((int) $user->id);
$sql .= ' WHERE a.code <> "AC_OTH_AUTO"';
$sql .= ' AND (';
$sql .= " ar.typeremind = 'browser' AND ar.dateremind < '".$db->idate(dol_now())."' AND ar.status = 0 AND ar.entity = ".$conf->entity;
$sql .= ' )';
} else {
$sql .= ' JOIN '.MAIN_DB_PREFIX.'actioncomm_reminder as ar ON a.id = ar.fk_actioncomm AND ar.fk_user = '.((int) $user->id);
$sql .= " AND ar.typeremind = 'browser' AND ar.dateremind < '".$db->idate(dol_now())."' AND ar.status = 0 AND ar.entity = ".$conf->entity;
}
$sql .= ' INNER JOIN '.MAIN_DB_PREFIX.'actioncomm_reminder as ar ON a.id = ar.fk_actioncomm AND ar.fk_user = '.((int) $user->id);
$sql .= " AND ar.typeremind = 'browser' AND ar.dateremind < '".$db->idate(dol_now())."' AND ar.status = 0 AND ar.entity = ".((int) $conf->entity); // No sharing of entity for alerts
$sql .= $db->order('datep', 'ASC');
$sql .= ' LIMIT 10'; // Avoid too many notification at once
$sql .= $db->plimit(10); // Avoid too many notification at once
$resql = $db->query($sql);
if ($resql) {

15
htdocs/core/ajax/constantonoff.php
View File

@ -52,6 +52,11 @@ $name = GETPOST('name', 'alpha');
$entity = GETPOST('entity', 'int');
$value = (GETPOST('value', 'aZ09') != '' ? GETPOST('value', 'aZ09') : 1);
// Security check
if (empty($user->admin)) {
httponly_accessforbidden('This ajax component can be called by admin user only');
}
/*
* View
@ -63,12 +68,10 @@ top_httphead();
// Registering the new value of constant
if (!empty($action) && !empty($name)) {
if ($user->admin) {
if ($action == 'set') {
dolibarr_set_const($db, $name, $value, 'chaine', 0, '', $entity);
} elseif ($action == 'del') {
dolibarr_del_const($db, $name, $entity);
}
if ($action == 'set') {
dolibarr_set_const($db, $name, $value, 'chaine', 0, '', $entity);
} elseif ($action == 'del') {
dolibarr_del_const($db, $name, $entity);
}
} else {
http_response_code(403);

69
htdocs/core/ajax/extraparams.php
View File

@ -17,7 +17,8 @@
/**
* \file /htdocs/core/ajax/extraparams.php
* \brief File to make Ajax action on setting extra parameters of elements
* \brief File to make Ajax action on setting extra parameters of elements.
* Called bu bloc_showhide.tpl.php, itself called when MAIN_DISABLE_CONTACTS_TAB or MAIN_DISABLE_NOTES_TAB are set
*/
if (!defined('NOTOKENRENEWAL')) {
@ -39,10 +40,29 @@ if (!defined('NOREQUIRESOC')) {
include '../../main.inc.php';
$id = GETPOST('id', 'int');
$element = GETPOST('element', 'alpha');
$element = GETPOST('element', 'aZ09arobase');
$htmlelement = GETPOST('htmlelement', 'alpha');
$type = GETPOST('type', 'alpha');
// Load object according to $id and $element
$object = fetchObjectByElement($id, $element);
$module = $object->module;
$element = $object->element;
$usesublevelpermission = ($module != $element ? $element : '');
if ($usesublevelpermission && !isset($user->rights->$module->$element)) { // There is no permission on object defined, we will check permission on module directly
$usesublevelpermission = '';
}
//print $object->id.' - '.$object->module.' - '.$object->element.' - '.$object->table_element.' - '.$usesublevelpermission."\n";
// Security check
$result = restrictedArea($user, $object->module, $object, $object->table_element, $usesublevelpermission, 'fk_soc', 'rowid', 0, 1); // Call with mode return
if (!$result) {
httponly_accessforbidden('Not allowed by restrictArea');
}
/*
* View
*/
@ -57,47 +77,10 @@ if (!empty($id) && !empty($element) && !empty($htmlelement) && !empty($type)) {
dol_syslog("AjaxSetExtraParameters id=".$id." element=".$element." htmlelement=".$htmlelement." type=".$type." value=".$value, LOG_DEBUG);
$classpath = $subelement = $element;
if (is_object($object)) {
$params[$htmlelement] = array($type => $value);
$object->extraparams = array_merge($object->extraparams, $params);
// For compatibility
if ($element == 'order' || $element == 'commande') {
$classpath = $subelement = 'commande';
} elseif ($element == 'propal') {
$classpath = 'comm/propal';
$subelement = 'propal';
} elseif ($element == 'facture') {
$classpath = 'compta/facture';
$subelement = 'facture';
} elseif ($element == 'contract') {
$classpath = $subelement = 'contrat';
} elseif ($element == 'shipping') {
$classpath = $subelement = 'expedition';
} elseif ($element == 'deplacement') {
$classpath = 'compta/deplacement';
$subelement = 'deplacement';
} elseif ($element == 'order_supplier') {
$classpath = 'fourn';
$subelement = 'fournisseur.commande';
} elseif ($element == 'invoice_supplier') {
$classpath = 'fourn';
$subelement = 'fournisseur.facture';
$result = $object->setExtraParameters();
}
dol_include_once('/'.$classpath.'/class/'.$subelement.'.class.php');
if ($element == 'order_supplier') {
$classname = 'CommandeFournisseur';
} elseif ($element == 'invoice_supplier') {
$classname = 'FactureFournisseur';
} else {
$classname = ucfirst($subelement);
}
$object = new $classname($db);
$object->fetch($id);
$params[$htmlelement] = array($type => $value);
$object->extraparams = array_merge($object->extraparams, $params);
$result = $object->setExtraParameters();
}

2
htdocs/core/ajax/fetchKnowledgeRecord.php
View File

@ -55,7 +55,7 @@ $idticketgroup = GETPOST('idticketgroup', 'aZ09');
$lang = GETPOST('lang', 'aZ09');
// Security check
if (!defined("NOLOGIN")) { // No need for restrictedArea if not logged. Later the select will filter on public articles only if not logged.
if (!defined("NOLOGIN")) { // No need of restrictedArea if not logged: Later the select will filter on public articles only if not logged.
restrictedArea($user, 'knowledgemanagement', 0, 'knowledgemanagement_knowledgerecord', 'knowledgerecord');
}

7
htdocs/core/ajax/fileupload.php
View File

@ -70,18 +70,17 @@ if (!empty($user->socid)) {
}
$result = restrictedArea($user, $object->module, $object, $object->table_element, $usesublevelpermission, 'fk_soc', 'rowid', 0, 1); // Call with mode return
if (!$result) {
header('HTTP/1.0 403 Forbidden');
exit;
httponly_accessforbidden('Not allowed by restrictArea');
}
$upload_handler = new FileUpload(null, $id, $elementupload);
/*
* View
*/
$upload_handler = new FileUpload(null, $id, $elementupload);
top_httphead();
header('Pragma: no-cache');

44
htdocs/core/ajax/flowjs-server.php
View File

@ -1,5 +1,5 @@
<?php
/* Copyright (C) 2012 Laurent Destailleur <eldy@users.sourceforge.net>
/* Copyright (C) 2023 Laurent Destailleur <eldy@users.sourceforge.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -16,8 +16,8 @@
*/
/**
* \file htdocs/core/ajax/bankconciliate.php
* \brief File to set data for bank concilation
* \file htdocs/core/ajax/flowjs-server.php
* \brief File to upload very large file, higher than PHP limit. Using flowjs library.
*/
if (!defined('NOTOKENRENEWAL')) {
@ -46,20 +46,33 @@ require '../../main.inc.php';
require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
$action = GETPOST('action', 'aZ09');
$module = GETPOST('module', 'aZ09');
$upload_dir = GETPOST('upload_dir', 'alpha');
$module = GETPOST('module', 'aZ09arobase');
$flowFilename = GETPOST('flowFilename', 'alpha');
$flowIdentifier = GETPOST('flowIdentifier', 'alpha');
$flowChunkNumber = GETPOST('flowChunkNumber', 'alpha');
$flowChunkSize = GETPOST('flowChunkSize', 'alpha');
$flowTotalSize = GETPOST('flowTotalSize', 'alpha');
$result = restrictedArea($user, $module, 0, '', 0, 'fk_soc', 'rowid', 0, 1); // Call with mode return
if ($action != 'upload') {
httponly_accessforbidden("Param action must be 'upload'");
}
if (!empty($conf->$module->dir_temp)) {
$upload_dir = $conf->$module->dir_temp;
} else {
httponly_accessforbidden("Param module does not has a dir_temp directory. Module does not exists or is not activated.");
}
/*
* Action
*/
top_httphead();
dol_syslog(join(',', $_GET));
$result = false;
@ -123,19 +136,19 @@ if ($result) {
/**
* Check if all the parts exist, and
* gather all the parts of the file together
* @param string $temp_dir - the temporary directory holding all the parts of the file
* @param string $upload_dir - the temporary directory to create file
* @param string $fileName - the original file name
* @param string $chunkSize - each chunk size (in bytes)
* @param string $totalSize - original file size (in bytes)
* @return bool true if Ok false else
* Check if all the parts exist, and gather all the parts of the file together.
*
* @param string $temp_dir the temporary directory holding all the parts of the file
* @param string $upload_dir the temporary directory to create file
* @param string $fileName the original file name
* @param string $chunkSize each chunk size (in bytes)
* @param string $totalSize original file size (in bytes)
* @return bool true if Ok false else
*/
function createFileFromChunks($temp_dir, $upload_dir, $fileName, $chunkSize, $totalSize)
{
dol_syslog(__METHOD__, LOG_DEBUG);
// count all the parts of this file
$total_files = 0;
$files = dol_dir_list($temp_dir, 'files');
@ -164,5 +177,6 @@ function createFileFromChunks($temp_dir, $upload_dir, $fileName, $chunkSize, $to
// concurrent chunks uploads)
@rename($temp_dir, $temp_dir.'_UNUSED');
}
return true;
}

3
htdocs/core/ajax/getaccountcurrency.php
View File

@ -35,6 +35,9 @@ require '../../main.inc.php';
$id = GETPOST('id', 'int');
// Security check
$result = restrictedArea($user, 'banque', $id, 'bank_account&bank_account');
/*
* View

26
htdocs/core/ajax/loadinplace.php
View File

@ -17,7 +17,7 @@
/**
* \file htdocs/core/ajax/loadinplace.php
* \brief File to load field value
* \brief File to load field value. used only when option "Edit In Place" is set (MAIN_USE_JQUERY_JEDITABLE).
*/
if (!defined('NOTOKENRENEWAL')) {
@ -41,6 +41,30 @@ $field = GETPOST('field', 'alpha');
$element = GETPOST('element', 'alpha');
$table_element = GETPOST('table_element', 'alpha');
$fk_element = GETPOST('fk_element', 'alpha');
$id = $fk_element;
// Load object according to $id and $element
$object = fetchObjectByElement($id, $element);
$module = $object->module;
$element = $object->element;
$usesublevelpermission = ($module != $element ? $element : '');
if ($usesublevelpermission && !isset($user->rights->$module->$element)) { // There is no permission on object defined, we will check permission on module directly
$usesublevelpermission = '';
}
//print $object->id.' - '.$object->module.' - '.$object->element.' - '.$object->table_element.' - '.$usesublevelpermission."\n";
// Security check
$result = restrictedArea($user, $object->module, $object, $object->table_element, $usesublevelpermission, 'fk_soc', 'rowid', 0, 1); // Call with mode return
if (!$result) {
httponly_accessforbidden('Not allowed by restrictArea');
}
if (!getDolGlobalString('MAIN_USE_JQUERY_JEDITABLE')) {
httponly_accessforbidden('Can be used only when option MAIN_USE_JQUERY_JEDITABLE is set');
}
/*
* View

7
htdocs/core/ajax/locationincoterms.php
View File

@ -43,9 +43,12 @@ if (!defined('NOREQUIRESOC')) {
require '../../main.inc.php';
require_once DOL_DOCUMENT_ROOT.'/core/class/html.form.class.php';
// Security check
if (!isModEnabled('incoterm')) {
httponly_accessforbidden("Module incoterm not enabled"); // This includes the exit.
}
// There is no other permission on this component. Everybody connected can read content of the incoterm table
/*
* View
@ -73,12 +76,12 @@ if (GETPOST('location_incoterms')) {
if (!empty($conf->global->MAIN_USE_LOCATION_INCOTERMS_DICTIONNARY)) { // Use location_incoterms
$sql = "SELECT z.location as location_incoterms, z.label as label";
$sql .= " FROM ".MAIN_DB_PREFIX."c_location_incoterms as z";
$sql .= " WHERE z.active = 1 AND UPPER(z.location) LIKE UPPER('%".$db->escape($db->escapeforlike($location_incoterms))."%')";
$sql .= " WHERE z.active = 1 AND z.location LIKE '%".$db->escape($db->escapeforlike($location_incoterms))."%'";
$sql .= " ORDER BY z.location";
$sql .= $db->plimit(100); // Avoid pb with bad criteria
} else { // Use table of sale orders
$sql = "SELECT DISTINCT s.location_incoterms FROM ".MAIN_DB_PREFIX.'commande as s';
$sql .= " WHERE UPPER(s.location_incoterms) LIKE UPPER('%".$db->escape($db->escapeforlike($location_incoterms))."%')";
$sql .= " WHERE s.location_incoterms LIKE '%".$db->escape($db->escapeforlike($location_incoterms))."%'";
//Todo: merge with data from table of supplier order
/* $sql .=" UNION";

2
htdocs/core/ajax/onlineSign.php
View File

@ -66,7 +66,7 @@ $response = "";
$type = $mode;
// Check securitykey
// Security check
$securekeyseed = '';
if ($type == 'proposal') {
$securekeyseed = getDolGlobalString('PROPOSAL_ONLINE_SIGNATURE_SECURITY_TOKEN');

5
htdocs/core/ajax/pingresult.php
View File

@ -50,15 +50,16 @@ $hash_algo = GETPOST('hash_algo', 'alpha');
// Security check
// None.
// None. Beeing connected is enough.
$now = dol_now();
/*
* View
*/
$now = dol_now();
top_httphead();
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";

4
htdocs/core/ajax/price.php
View File

@ -40,6 +40,10 @@ $output = GETPOST('output', 'alpha');
$amount = price2num(GETPOST('amount', 'alpha'));
$tva_tx = str_replace('*', '', GETPOST('tva_tx', 'alpha'));
// Security check
// None. This is a formatting only component.
/*
* View
*/

2
htdocs/core/ajax/row.php
View File

@ -49,7 +49,9 @@ if (!defined('NOREQUIRETRAN')) {
// Load Dolibarr environment
require '../../main.inc.php';
require_once DOL_DOCUMENT_ROOT.'/core/class/genericobject.class.php';
$hookmanager->initHooks(array('rowinterface'));
// Security check
// This is done later into view.

25
htdocs/core/ajax/saveinplace.php
View File

@ -17,7 +17,7 @@
/**
* \file htdocs/core/ajax/saveinplace.php
* \brief File to save field value
* \brief File to load field value. used only when option "Edit In Place" is set (MAIN_USE_JQUERY_JEDITABLE).
*/
if (!defined('NOTOKENRENEWAL')) {
@ -41,6 +41,7 @@ $field = GETPOST('field', 'alpha', 2);
$element = GETPOST('element', 'alpha', 2);
$table_element = GETPOST('table_element', 'alpha', 2);
$fk_element = GETPOST('fk_element', 'alpha', 2);
$id = $fk_element;
/* Example:
field:editval_ref_customer (8 first chars will removed to know name of property)
@ -54,6 +55,28 @@ savemethod:
savemethodname:
*/
// Load object according to $id and $element
$object = fetchObjectByElement($id, $element);
$module = $object->module;
$element = $object->element;
$usesublevelpermission = ($module != $element ? $element : '');
if ($usesublevelpermission && !isset($user->rights->$module->$element)) { // There is no permission on object defined, we will check permission on module directly
$usesublevelpermission = '';
}
//print $object->id.' - '.$object->module.' - '.$object->element.' - '.$object->table_element.' - '.$usesublevelpermission."\n";
// Security check
$result = restrictedArea($user, $object->module, $object, $object->table_element, $usesublevelpermission, 'fk_soc', 'rowid', 0, 1); // Call with mode return
if (!$result) {
httponly_accessforbidden('Not allowed by restrictArea');
}
if (!getDolGlobalString('MAIN_USE_JQUERY_JEDITABLE')) {
httponly_accessforbidden('Can be used only when option MAIN_USE_JQUERY_JEDITABLE is set');
}
/*
* View

7
htdocs/core/ajax/security.php
View File

@ -17,8 +17,8 @@
/**
* \file htdocs/core/ajax/security.php
* \brief This ajax component is used to generated hash keys for security purposes
* like key to use into URL to protect them.
* \brief This ajax component is used to generated hash keys for security purposes,
* like the key to use into URL to protect them.
*/
if (!defined('NOTOKENRENEWAL')) {
@ -46,6 +46,9 @@ require '../../main.inc.php';
$action = GETPOST('action');
// Security check
// None. This is public component with no effect on data.
/*
* View

50
htdocs/core/ajax/selectobject.php
View File

@ -38,33 +38,18 @@ if (!defined('NOREQUIRESOC')) {
// Load Dolibarr environment
require '../../main.inc.php';
require_once DOL_DOCUMENT_ROOT.'/core/class/html.form.class.php';
$objectdesc = GETPOST('objectdesc', 'alpha');
$htmlname = GETPOST('htmlname', 'aZ09');
$outjson = (GETPOST('outjson', 'int') ? GETPOST('outjson', 'int') : 0);
$id = GETPOST('id', 'int');
$filter = GETPOST('filter', 'alphanohtml');
/*
* View
*/
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
//print_r($_GET);
require_once DOL_DOCUMENT_ROOT.'/core/class/html.form.class.php';
$form = new Form($db);
//$langs->load("companies");
top_httphead();
$filter = GETPOST('filter', 'alphanohtml'); // Universal Syntax filter
if (empty($htmlname)) {
return;
httponly_accessforbidden('Bad value for param htmlname');
}
$InfoFieldList = explode(":", $objectdesc);
$classname = $InfoFieldList[0];
$classpath = $InfoFieldList[1];
@ -75,16 +60,41 @@ if (!empty($classpath)) {
}
}
if (!is_object($objecttmp)) {
dol_syslog('Error bad param objectdesc', LOG_WARNING);
print 'Error bad param objectdesc';
httponly_accessforbidden('Bad value for param objectdesc');
}
/*
// Load object according to $id and $element
$object = fetchObjectByElement($id, $element);
$module = $object->module;
$element = $object->element;
$usesublevelpermission = ($module != $element ? $element : '');
if ($usesublevelpermission && !isset($user->rights->$module->$element)) { // There is no permission on object defined, we will check permission on module directly
$usesublevelpermission = '';
}
*/
// When used from jQuery, the search term is added as GET param "term".
$searchkey = (($id && GETPOST($id, 'alpha')) ? GETPOST($id, 'alpha') : (($htmlname && GETPOST($htmlname, 'alpha')) ? GETPOST($htmlname, 'alpha') : ''));
// Add a security test to avoid to get content of all tables
restrictedArea($user, $objecttmp->element, $id);
/*
* View
*/
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
//print_r($_GET);
//$langs->load("companies");
$form = new Form($db);
top_httphead($outjson ? 'application/json' : 'text/html');
$arrayresult = $form->selectForFormsList($objecttmp, $htmlname, '', 0, $searchkey, '', '', '', 0, 1, 0, '', $filter);
$db->close();

7
htdocs/core/ajax/selectsearchbox.php
View File

@ -1,5 +1,5 @@
<?php
/* Copyright (C) 2015-2018 Laurent Destailleur <eldy@users.sourceforge.net>
/* Copyright (C) 2015-2023 Laurent Destailleur <eldy@users.sourceforge.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -18,7 +18,7 @@
/**
* \file htdocs/core/ajax/selectsearchbox.php
* \ingroup core
* \brief This script returns content of possible search
* \brief This script returns json array of possible searches or just set the array if called by an include
*/
// This script is called with a POST method or as an include.
@ -43,6 +43,9 @@ if (!isset($usedbyinclude) || empty($usedbyinclude)) {
$res = @include '../../main.inc.php';
// Security check
// None. Beeing connected is enough.
top_httphead('application/json');
if ($res == 'ERROR_NOT_LOGGED') {

11
htdocs/core/ajax/vatrates.php
View File

@ -17,7 +17,7 @@
/**
* \file htdocs/core/ajax/vatrates.php
* \brief File to load vat rates combobox
* \brief File to load vat rates combobox according to thirdparty ID. Values are returned in JSON format.
*/
if (!defined('NOTOKENRENEWAL')) {
@ -34,16 +34,20 @@ if (!defined('NOREQUIREAJAX')) {
require '../../main.inc.php';
$id = GETPOST('id', 'int');
$action = GETPOST('action', 'aZ09');
$action = GETPOST('action', 'aZ09'); // 'getSellerVATRates' or 'getBuyerVATRates'
$htmlname = GETPOST('htmlname', 'alpha');
$selected = (GETPOST('selected') ?GETPOST('selected') : '-1');
$productid = (GETPOST('productid', 'int') ?GETPOST('productid', 'int') : 0);
// Security check
$result = restrictedArea($user, 'societe', $id, '&societe', '', 'fk_soc', 'rowid', 0);
/*
* View
*/
top_httphead();
top_httphead('application/json');
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
@ -63,7 +67,6 @@ if (!empty($id) && !empty($action) && !empty($htmlname)) {
}
$return = array();
$return['value'] = $form->load_tva('tva_tx', $selected, $seller, $buyer, $productid, 0, '', true);
$return['num'] = $form->num;
$return['error'] = $form->error;

22
htdocs/core/ajax/ziptown.php
View File

@ -42,6 +42,11 @@ if (!defined('NOREQUIRESOC')) {
require '../../main.inc.php';
require_once DOL_DOCUMENT_ROOT.'/core/class/html.formcompany.class.php';
// Security check
if (!getDolGlobalString('MAIN_USE_ZIPTOWN_DICTIONNARY')) {
// If MAIN_USE_ZIPTOWN_DICTIONNARY is set, we make a search into a public page. If not we search into societe so we must check we have read permission.
$result = restrictedArea($user, 'societe', 0, '&societe', '', 'fk_soc', 'rowid', 0);
}
/*
@ -53,11 +58,11 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formcompany.class.php';
//header('Pragma: public');
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
top_httphead('application/json');
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
dol_syslog('ziptown call with MAIN_USE_ZIPTOWN_DICTIONNARY='.(empty($conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY) ? '' : $conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY));
dol_syslog('ziptown call with MAIN_USE_ZIPTOWN_DICTIONNARY='.getDolGlobalString('MAIN_USE_ZIPTOWN_DICTIONNARY'));
//var_dump($_GET);
// Generation of list of zip-town
@ -69,7 +74,7 @@ if (GETPOST('zipcode') || GETPOST('town')) {
$zipcode = GETPOST('zipcode');
$town = GETPOST('town');
if (!empty($conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY)) { // Use zip-town table
if (getDolGlobalString('MAIN_USE_ZIPTOWN_DICTIONNARY')) { // Use zip-town table
$sql = "SELECT z.rowid, z.zip, z.town, z.fk_county, z.fk_pays as fk_country";
$sql .= ", c.rowid as fk_country, c.code as country_code, c.label as country";
$sql .= ", d.rowid as fk_county, d.code_departement as county_code, d.nom as county";
@ -80,15 +85,14 @@ if (GETPOST('zipcode') || GETPOST('town')) {
$sql .= " WHERE z.fk_pays = c.rowid";
$sql .= " AND z.active = 1 AND c.active = 1";
if ($zipcode) {
$sql .= " AND z.zip LIKE '".$db->escape($zipcode)."%'";
$sql .= " AND z.zip LIKE '".$db->escape($db->escapeforlike($zipcode))."%'";
}
if ($town) {
$sql .= " AND z.town LIKE '%".$db->escape($town)."%'";
$sql .= " AND z.town LIKE '%".$db->escape($db->escapeforlike($town))."%'";
}
$sql .= " ORDER BY z.zip, z.town";
$sql .= $db->plimit(100); // Avoid pb with bad criteria
} else // Use table of third parties
{
} else { // Use table of third parties
$sql = "SELECT DISTINCT s.zip, s.town, s.fk_departement as fk_county, s.fk_pays as fk_country";
$sql .= ", c.code as country_code, c.label as country";
$sql .= ", d.code_departement as county_code , d.nom as county";
@ -97,10 +101,10 @@ if (GETPOST('zipcode') || GETPOST('town')) {
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX.'c_country as c ON s.fk_pays = c.rowid';
$sql .= " WHERE";
if ($zipcode) {
$sql .= " s.zip LIKE '".$db->escape($zipcode)."%'";
$sql .= " s.zip LIKE '".$db->escape($db->escapeforlike($zipcode))."%'";
}
if ($town) {
$sql .= " s.town LIKE '%".$db->escape($town)."%'";
$sql .= " s.town LIKE '%".$db->escape($db->escapeforlike($town))."%'";
}
$sql .= " ORDER BY s.fk_pays, s.zip, s.town";
$sql .= $db->plimit(100); // Avoid pb with bad criteria

28
htdocs/core/class/html.form.class.php
View File

@ -7879,20 +7879,20 @@ class Form
* Output html form to select an object.
* Note, this function is called by selectForForms or by ajax selectobject.php
*
* @param Object $objecttmp Object to knwo the table to scan for combo.
* @param string $htmlname Name of HTML select component
* @param int $preselectedvalue Preselected value (ID of element)
* @param string $showempty ''=empty values not allowed, 'string'=value show if we allow empty values (for example 'All', ...)
* @param string $searchkey Search value
* @param string $placeholder Place holder
* @param string $morecss More CSS
* @param string $moreparams More params provided to ajax call
* @param int $forcecombo Force to load all values and output a standard combobox (with no beautification)
* @param int $outputmode 0=HTML select string, 1=Array
* @param int $disabled 1=Html component is disabled
* @param string $sortfield Sort field
* @param string $filter Add more filter
* @return string|array Return HTML string
* @param Object $objecttmp Object to knwo the table to scan for combo.
* @param string $htmlname Name of HTML select component
* @param int $preselectedvalue Preselected value (ID of element)
* @param string $showempty ''=empty values not allowed, 'string'=value show if we allow empty values (for example 'All', ...)
* @param string $searchkey Search value
* @param string $placeholder Place holder
* @param string $morecss More CSS
* @param string $moreparams More params provided to ajax call
* @param int $forcecombo Force to load all values and output a standard combobox (with no beautification)
* @param int $outputmode 0=HTML select string, 1=Array
* @param int $disabled 1=Html component is disabled
* @param string $sortfield Sort field
* @param string $filter Add more filter
* @return string|array Return HTML string
* @see selectForForms()
*/
public function selectForFormsList($objecttmp, $htmlname, $preselectedvalue, $showempty = '', $searchkey = '', $placeholder = '', $morecss = '', $moreparams = '', $forcecombo = 0, $outputmode = 0, $disabled = 0, $sortfield = '', $filter = '')

15
htdocs/core/class/html.formother.class.php
View File

@ -1289,18 +1289,21 @@ class FormOther
containment: \'document\',
connectWith: \'#boxhalfleft, #boxhalfright\',
stop: function(event, ui) {
console.log("We moved box so we call updateBoxOrder with ajax actions");
updateBoxOrder(1); /* 1 to avoid message after a move */
}
});
jQuery(".boxclose").click(function() {
var self = this; // because JQuery can modify this
var boxid=self.id.substring(8);
var label=jQuery(\'#boxlabelentry\'+boxid).val();
console.log("We close box "+boxid);
jQuery(\'#boxto_\'+boxid).remove();
if (boxid > 0) jQuery(\'#boxcombo\').append(new Option(label, boxid));
updateBoxOrder(1); /* 1 to avoid message after a remove */
var boxid = self.id.substring(8);
if (boxid > 0) {
var label = jQuery(\'#boxlabelentry\'+boxid).val();
console.log("We close box "+boxid);
jQuery(\'#boxto_\'+boxid).remove();
jQuery(\'#boxcombo\').append(new Option(label, boxid));
updateBoxOrder(1); /* 1 to avoid message after a remove */
}
});
});'."\n";

28
htdocs/core/lib/files.lib.php
View File

@ -3199,41 +3199,45 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
// Define $accessallowed
$reg = array();
if (preg_match('/^([a-z]+)_user_temp$/i', $modulepart, $reg)) {
if (empty($conf->{$reg[1]}->dir_temp)) { // modulepart not supported
$tmpmodule = $reg[1];
if (empty($conf->$tmpmodule->dir_temp)) { // modulepart not supported
dol_print_error('', 'Error call dol_check_secure_access_document with not supported value for modulepart parameter ('.$modulepart.')');
exit;
}
if ($fuser->rights->{$reg[1]}->{$lire} || $fuser->rights->{$reg[1]}->{$read} || ($fuser->rights->{$reg[1]}->{$download})) {
if ($fuser->hasRight($tmpmodule, $lire) || $fuser->hasRight($tmpmodule, $read) || $fuser->hasRight($tmpmodule, $download)) {
$accessallowed = 1;
}
$original_file = $conf->{$reg[1]}->dir_temp.'/'.$fuser->id.'/'.$original_file;
} elseif (preg_match('/^([a-z]+)_temp$/i', $modulepart, $reg)) {
if (empty($conf->{$reg[1]}->dir_temp)) { // modulepart not supported
$tmpmodule = $reg[1];
if (empty($conf->$tmpmodule->dir_temp)) { // modulepart not supported
dol_print_error('', 'Error call dol_check_secure_access_document with not supported value for modulepart parameter ('.$modulepart.')');
exit;
}
if ($fuser->rights->{$reg[1]}->{$lire} || $fuser->rights->{$reg[1]}->{$read} || ($fuser->rights->{$reg[1]}->{$download})) {
if ($fuser->hasRight($tmpmodule, $lire) || $fuser->hasRight($tmpmodule, $read) || $fuser->hasRight($tmpmodule, $download)) {
$accessallowed = 1;
}
$original_file = $conf->{$reg[1]}->dir_temp.'/'.$original_file;
$original_file = $conf->$tmpmodule->dir_temp.'/'.$original_file;
} elseif (preg_match('/^([a-z]+)_user$/i', $modulepart, $reg)) {
if (empty($conf->{$reg[1]}->dir_output)) { // modulepart not supported
$tmpmodule = $reg[1];
if (empty($conf->$tmpmodule->dir_output)) { // modulepart not supported
dol_print_error('', 'Error call dol_check_secure_access_document with not supported value for modulepart parameter ('.$modulepart.')');
exit;
}
if ($fuser->rights->{$reg[1]}->{$lire} || $fuser->rights->{$reg[1]}->{$read} || ($fuser->rights->{$reg[1]}->{$download})) {
if ($fuser->hasRight($tmpmodule, $lire) || $fuser->hasRight($tmpmodule, $read) || $fuser->hasRight($tmpmodule, $download)) {
$accessallowed = 1;
}
$original_file = $conf->{$reg[1]}->dir_output.'/'.$fuser->id.'/'.$original_file;
$original_file = $conf->$tmpmodule->dir_output.'/'.$fuser->id.'/'.$original_file;
} elseif (preg_match('/^massfilesarea_([a-z]+)$/i', $modulepart, $reg)) {
if (empty($conf->{$reg[1]}->dir_output)) { // modulepart not supported
$tmpmodule = $reg[1];
if (empty($conf->$tmpmodule->dir_output)) { // modulepart not supported
dol_print_error('', 'Error call dol_check_secure_access_document with not supported value for modulepart parameter ('.$modulepart.')');
exit;
}
if ($fuser->rights->{$reg[1]}->{$lire} || preg_match('/^specimen/i', $original_file)) {
if ($fuser->hasRight($tmpmodule, $lire) || preg_match('/^specimen/i', $original_file)) {
$accessallowed = 1;
}
$original_file = $conf->{$reg[1]}->dir_output.'/temp/massgeneration/'.$user->id.'/'.$original_file;
$original_file = $conf->$tmpmodule->dir_output.'/temp/massgeneration/'.$user->id.'/'.$original_file;
} else {
if (empty($conf->$modulepart->dir_output)) { // modulepart not supported
dol_print_error('', 'Error call dol_check_secure_access_document with not supported value for modulepart parameter ('.$modulepart.'). The module for this modulepart value may not be activated.');
@ -3248,7 +3252,7 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
$accessallowed = 1;
}
}
if (!empty($fuser->rights->$modulepart->{$lire}) || !empty($fuser->rights->$modulepart->{$read})) {
if ($fuser->hasRight($modulepart, $lire) || $fuser->hasRight($modulepart, $read)) {
$accessallowed = 1;
}

2
htdocs/core/lib/security.lib.php
View File

@ -548,7 +548,7 @@ function restrictedArea(User $user, $features, $object = 0, $tableandshare = '',
// Check write permission from module (we need to know write permission to create but also to delete drafts record or to upload files)
$createok = 1;
$nbko = 0;
$wemustcheckpermissionforcreate = (GETPOST('sendit', 'alpha') || GETPOST('linkit', 'alpha') || in_array(GETPOST('action', 'aZ09'), array('create', 'update', 'set', 'add_element_resource', 'confirm_delete_linked_resource')) || GETPOST('roworder', 'alpha', 2));
$wemustcheckpermissionforcreate = (GETPOST('sendit', 'alpha') || GETPOST('linkit', 'alpha') || in_array(GETPOST('action', 'aZ09'), array('create', 'update', 'set', 'upload', 'add_element_resource', 'confirm_delete_linked_resource')) || GETPOST('roworder', 'alpha', 2));
$wemustcheckpermissionfordeletedraft = ((GETPOST("action", "aZ09") == 'confirm_delete' && GETPOST("confirm", "aZ09") == 'yes') || GETPOST("action", "aZ09") == 'delete');
if ($wemustcheckpermissionforcreate || $wemustcheckpermissionfordeletedraft) {

6
htdocs/core/tpl/bloc_showhide.tpl.php
View File

@ -52,9 +52,9 @@ print ' $("#hide-'.$blocname.'").show();'."\n";
print '});'."\n";
print 'function setShowHide(status) {'."\n";
print ' var id = '.$object->id.";\n";
print " var element = '".$object->element."';\n";
print " var htmlelement = '".$blocname."';\n";
print ' var id = '.((int) $object->id).";\n";
print " var element = '".dol_escape_js($object->element)."';\n";
print " var htmlelement = '".dol_escape_js($blocname)."';\n";
print ' var type = "showhide";'."\n";
print ' $.get("'.dol_buildpath('/core/ajax/extraparams.php', 1);
print '?id="+id+"&element="+element+"&htmlelement="+htmlelement+"&type="+type+"&value="+status);'."\n";

1
htdocs/master.inc.php
View File

@ -250,4 +250,3 @@ if (!defined('NOREQUIRETRAN')) {
if (!defined('MAIN_LABEL_MENTION_NPR')) {
define('MAIN_LABEL_MENTION_NPR', 'NPR');
}
//if (! defined('PCLZIP_TEMPORARY_DIR')) define('PCLZIP_TEMPORARY_DIR', $conf->user->dir_temp);