diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 879e6ac8b61..051f8a031ca 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -3160,8 +3160,8 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $
// Define $color
$arrayconvpictotocolor = array(
- 'address'=>'#aaa', 'building'=>'#aaa', 'bom'=>'#a69944',
- 'companies'=>'#aaa', 'company'=>'#aaa', 'contact'=>'#37a', 'dynamicprice'=>'#a69944',
+ 'address'=>'#6c6aa8', 'building'=>'#6c6aa8', 'bom'=>'#a69944',
+ 'companies'=>'#6c6aa8', 'company'=>'#6c6aa8', 'contact'=>'#37a', 'dynamicprice'=>'#a69944',
'edit'=>'#444', 'note'=>'#999', 'error'=>'', 'help'=>'#bbb', 'listlight'=>'#999',
'dolly'=>'#a69944', 'dollyrevert'=>'#a69944', 'lot'=>'#a69944',
'map-marker-alt'=>'#aaa', 'mrp'=>'#a69944', 'product'=>'#a69944', 'service'=>'#a69944', 'stock'=>'#a69944',
diff --git a/htdocs/core/modules/modOpenSurvey.class.php b/htdocs/core/modules/modOpenSurvey.class.php
index 165cb9d5858..1c1774c83fd 100644
--- a/htdocs/core/modules/modOpenSurvey.class.php
+++ b/htdocs/core/modules/modOpenSurvey.class.php
@@ -64,7 +64,7 @@ class modOpenSurvey extends DolibarrModules
// Name of image file used for this module.
// If file is in theme/yourtheme/img directory under name object_pictovalue.png, use this->picto='pictovalue'
// If file is in module/img directory under name object_pictovalue.png, use this->picto='pictovalue@module'
- $this->picto = '^date@opensurvey';
+ $this->picto = 'poll';
// Data directories to create when module is enabled
$this->dirs = array();
diff --git a/htdocs/langs/en_US/main.lang b/htdocs/langs/en_US/main.lang
index 04d29a7e0e2..31f0e536558 100644
--- a/htdocs/langs/en_US/main.lang
+++ b/htdocs/langs/en_US/main.lang
@@ -1092,3 +1092,4 @@ APPROVEDInDolibarr=Record %s approved
DefaultMailModel=Default Mail Model
PublicVendorName=Public name of vendor
DateOfBirth=Date of birth
+SecurityTokenHasExpiredSoActionHasBeenCanceledPleaseRetry=Security token has expired, so action has been canceled. Please try again.
\ No newline at end of file
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index db8f7beec45..84356148724 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -351,19 +351,22 @@ if (!defined('NOTOKENRENEWAL'))
if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN))
|| defined('CSRFCHECK_WITH_TOKEN')) // Check validity of token, only if option MAIN_SECURITY_CSRF_WITH_TOKEN enabled or if constant CSRFCHECK_WITH_TOKEN is set
{
- if ($_SERVER['REQUEST_METHOD'] == 'POST' && !GETPOSTISSET('token')) // Note: offender can still send request by GET
+ if ($_SERVER['REQUEST_METHOD'] == 'POST' || (GETPOSTISSET('action') && defined('CSRFCHECK_WITH_TOKEN'))) // Note: offender can still send request by GET without token (but never for an action on page with CSRFCHECK_WITH_TOKEN defined)
{
- dol_syslog("--- Access to ".$_SERVER["PHP_SELF"]." refused by CSRFCHECK_WITH_TOKEN protection. Token not provided.");
- print "Access by POST method refused by CSRF protection in main.inc.php. Token not provided.\n";
- print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file or MAIN_SECURITY_CSRF_WITH_TOKEN to 0 into setup).\n";
- die;
+ if (!GETPOSTISSET('token')) {
+ dol_syslog("--- Access to ".$_SERVER["PHP_SELF"]." refused by CSRFCHECK_WITH_TOKEN protection. Token not provided.");
+ print "Access by POST method (or to a page with CSRFCHECK_WITH_TOKEN on) is refused by CSRF protection in main.inc.php. Token not provided.\n";
+ print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file or MAIN_SECURITY_CSRF_WITH_TOKEN to 0 into setup).\n";
+ die;
+ }
}
if (GETPOSTISSET('token') && GETPOST('token', 'alpha') != $_SESSION['token'])
{
dol_syslog("--- Access to ".$_SERVER["PHP_SELF"]." refused due to invalid token, so we disable POST and some GET parameters - referer=".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action', 'aZ09').", _GET|POST['token']=".GETPOST('token', 'alpha').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING);
//print 'Unset POST by CSRF protection in main.inc.php.'; // Do not output anything because this create problems when using the BACK button on browsers.
- if ($conf->global->MAIN_FEATURES_LEVEL > 1) setEventMessages('Unset POST by CSRF protection in main.inc.php (POST for this token was already done or was done by a not allowed web page with a wrong token).'."
\n".'$_SERVER[REQUEST_URI] = '.$_SERVER['REQUEST_URI'].' $_SERVER[REQUEST_METHOD] = '.$_SERVER['REQUEST_METHOD'].' GETPOST(token) = '.GETPOST('token', 'alpha').' $_SESSION[token] = '.$_SESSION['token'], null, 'warnings');
+ setEventMessages('SecurityTokenHasExpiredSoActionHasBeenCanceledPleaseRetry', null, 'warnings');
+ //if ($conf->global->MAIN_FEATURES_LEVEL >= 1) setEventMessages('Unset POST and GET params by CSRF protection in main.inc.php (Token provided was not generated by the previous page).'."
\n".'$_SERVER[REQUEST_URI] = '.$_SERVER['REQUEST_URI'].' $_SERVER[REQUEST_METHOD] = '.$_SERVER['REQUEST_METHOD'].' GETPOST(token) = '.GETPOST('token', 'alpha').' $_SESSION[token] = '.$_SESSION['token'], null, 'warnings');
unset($_POST);
unset($_GET['confirm']);
}
diff --git a/htdocs/modulebuilder/template/myobject_agenda.php b/htdocs/modulebuilder/template/myobject_agenda.php
index 96396437314..e05b4e93491 100644
--- a/htdocs/modulebuilder/template/myobject_agenda.php
+++ b/htdocs/modulebuilder/template/myobject_agenda.php
@@ -19,9 +19,29 @@
/**
* \file htdocs/modulebuilder/template/myobject_agenda.php
* \ingroup mymodule
- * \brief Page of MyObject events
+ * \brief Tab of events on MyObject
*/
+//if (! defined('NOREQUIREDB')) define('NOREQUIREDB','1'); // Do not create database handler $db
+//if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER','1'); // Do not load object $user
+//if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1'); // Do not load object $mysoc
+//if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1'); // Do not load object $langs
+//if (! defined('NOSCANGETFORINJECTION')) define('NOSCANGETFORINJECTION','1'); // Do not check injection attack on GET parameters
+//if (! defined('NOSCANPOSTFORINJECTION')) define('NOSCANPOSTFORINJECTION','1'); // Do not check injection attack on POST parameters
+//if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK','1'); // Do not check CSRF attack (test on referer + on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on).
+//if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Do not roll the Anti CSRF token (used if MAIN_SECURITY_CSRF_WITH_TOKEN is on)
+//if (! defined('NOSTYLECHECK')) define('NOSTYLECHECK','1'); // Do not check style html tag into posted data
+//if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1'); // If there is no need to load and show top and left menu
+//if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1'); // If we don't need to load the html.form.class.php
+//if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1'); // Do not load ajax.lib.php library
+//if (! defined("NOLOGIN")) define("NOLOGIN",'1'); // If this page is public (can be called outside logged session). This include the NOIPCHECK too.
+//if (! defined('NOIPCHECK')) define('NOIPCHECK','1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
+//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT','auto'); // Force lang to a particular value
+//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE','aloginmodule'); // Force authentication handler
+//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN',1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
+//if (! defined("FORCECSP")) define('FORCECSP','none'); // Disable all Content Security Policies
+//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN','1'); // Force use of CSRF protection with tokens even for GET
+
// Load Dolibarr environment
$res = 0;
// Try main.inc.php into web root known defined into CONTEXT_DOCUMENT_ROOT (not always defined)
diff --git a/htdocs/modulebuilder/template/myobject_card.php b/htdocs/modulebuilder/template/myobject_card.php
index 1fcfabbe7c6..d97bc8f7f35 100644
--- a/htdocs/modulebuilder/template/myobject_card.php
+++ b/htdocs/modulebuilder/template/myobject_card.php
@@ -40,7 +40,7 @@
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE','aloginmodule'); // Force authentication handler
//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN',1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
//if (! defined("FORCECSP")) define('FORCECSP','none'); // Disable all Content Security Policies
-
+//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN','1'); // Force use of CSRF protection with tokens even for GET
// Load Dolibarr environment
$res = 0;
diff --git a/htdocs/modulebuilder/template/myobject_document.php b/htdocs/modulebuilder/template/myobject_document.php
index 186edc11da1..46a8d0c3a10 100644
--- a/htdocs/modulebuilder/template/myobject_document.php
+++ b/htdocs/modulebuilder/template/myobject_document.php
@@ -22,6 +22,26 @@
* \brief Tab for documents linked to MyObject
*/
+//if (! defined('NOREQUIREDB')) define('NOREQUIREDB','1'); // Do not create database handler $db
+//if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER','1'); // Do not load object $user
+//if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1'); // Do not load object $mysoc
+//if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1'); // Do not load object $langs
+//if (! defined('NOSCANGETFORINJECTION')) define('NOSCANGETFORINJECTION','1'); // Do not check injection attack on GET parameters
+//if (! defined('NOSCANPOSTFORINJECTION')) define('NOSCANPOSTFORINJECTION','1'); // Do not check injection attack on POST parameters
+//if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK','1'); // Do not check CSRF attack (test on referer + on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on).
+//if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Do not roll the Anti CSRF token (used if MAIN_SECURITY_CSRF_WITH_TOKEN is on)
+//if (! defined('NOSTYLECHECK')) define('NOSTYLECHECK','1'); // Do not check style html tag into posted data
+//if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1'); // If there is no need to load and show top and left menu
+//if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1'); // If we don't need to load the html.form.class.php
+//if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1'); // Do not load ajax.lib.php library
+//if (! defined("NOLOGIN")) define("NOLOGIN",'1'); // If this page is public (can be called outside logged session). This include the NOIPCHECK too.
+//if (! defined('NOIPCHECK')) define('NOIPCHECK','1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
+//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT','auto'); // Force lang to a particular value
+//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE','aloginmodule'); // Force authentication handler
+//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN',1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
+//if (! defined("FORCECSP")) define('FORCECSP','none'); // Disable all Content Security Policies
+//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN','1'); // Force use of CSRF protection with tokens even for GET
+
// Load Dolibarr environment
$res = 0;
// Try main.inc.php into web root known defined into CONTEXT_DOCUMENT_ROOT (not always defined)
diff --git a/htdocs/modulebuilder/template/myobject_list.php b/htdocs/modulebuilder/template/myobject_list.php
index 9f2cda9bcc3..86c0e456e14 100644
--- a/htdocs/modulebuilder/template/myobject_list.php
+++ b/htdocs/modulebuilder/template/myobject_list.php
@@ -22,24 +22,25 @@
* \brief List page for myobject
*/
-//if (! defined('NOREQUIREDB')) define('NOREQUIREDB', '1'); // Do not create database handler $db
-//if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER', '1'); // Do not load object $user
-//if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC', '1'); // Do not load object $mysoc
-//if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN', '1'); // Do not load object $langs
-//if (! defined('NOSCANGETFORINJECTION')) define('NOSCANGETFORINJECTION', '1'); // Do not check injection attack on GET parameters
-//if (! defined('NOSCANPOSTFORINJECTION')) define('NOSCANPOSTFORINJECTION', '1'); // Do not check injection attack on POST parameters
-//if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK', '1'); // Do not check CSRF attack (test on referer + on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on).
-//if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL', '1'); // Do not roll the Anti CSRF token (used if MAIN_SECURITY_CSRF_WITH_TOKEN is on)
-//if (! defined('NOSTYLECHECK')) define('NOSTYLECHECK', '1'); // Do not check style html tag into posted data
-//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
-//if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU', '1'); // If there is no need to load and show top and left menu
-//if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php
-//if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX', '1'); // Do not load ajax.lib.php library
-//if (! defined("NOLOGIN")) define("NOLOGIN", '1'); // If this page is public (can be called outside logged session)
-//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
-//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
-//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN', '1'); // The main.inc.php does not make a redirect if not logged, instead show simple error message
-//if (! defined("XFRAMEOPTIONS_ALLOWALL")) define('XFRAMEOPTIONS_ALLOWALL', '1'); // Do not add the HTTP header 'X-Frame-Options: SAMEORIGIN' but 'X-Frame-Options: ALLOWALL'
+//if (! defined('NOREQUIREDB')) define('NOREQUIREDB','1'); // Do not create database handler $db
+//if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER','1'); // Do not load object $user
+//if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1'); // Do not load object $mysoc
+//if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1'); // Do not load object $langs
+//if (! defined('NOSCANGETFORINJECTION')) define('NOSCANGETFORINJECTION','1'); // Do not check injection attack on GET parameters
+//if (! defined('NOSCANPOSTFORINJECTION')) define('NOSCANPOSTFORINJECTION','1'); // Do not check injection attack on POST parameters
+//if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK','1'); // Do not check CSRF attack (test on referer + on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on).
+//if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Do not roll the Anti CSRF token (used if MAIN_SECURITY_CSRF_WITH_TOKEN is on)
+//if (! defined('NOSTYLECHECK')) define('NOSTYLECHECK','1'); // Do not check style html tag into posted data
+//if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1'); // If there is no need to load and show top and left menu
+//if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1'); // If we don't need to load the html.form.class.php
+//if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1'); // Do not load ajax.lib.php library
+//if (! defined("NOLOGIN")) define("NOLOGIN",'1'); // If this page is public (can be called outside logged session). This include the NOIPCHECK too.
+//if (! defined('NOIPCHECK')) define('NOIPCHECK','1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
+//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT','auto'); // Force lang to a particular value
+//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE','aloginmodule'); // Force authentication handler
+//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN',1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
+//if (! defined("FORCECSP")) define('FORCECSP','none'); // Disable all Content Security Policies
+//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN','1'); // Force use of CSRF protection with tokens even for GET
// Load Dolibarr environment
$res = 0;
diff --git a/htdocs/modulebuilder/template/myobject_note.php b/htdocs/modulebuilder/template/myobject_note.php
index 99b706d4a76..1a6fd1a4cc6 100644
--- a/htdocs/modulebuilder/template/myobject_note.php
+++ b/htdocs/modulebuilder/template/myobject_note.php
@@ -19,9 +19,29 @@
/**
* \file htdocs/modulebuilder/template/myobject_note.php
* \ingroup mymodule
- * \brief Car with notes on MyObject
+ * \brief Tab for notes on MyObject
*/
+//if (! defined('NOREQUIREDB')) define('NOREQUIREDB','1'); // Do not create database handler $db
+//if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER','1'); // Do not load object $user
+//if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1'); // Do not load object $mysoc
+//if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1'); // Do not load object $langs
+//if (! defined('NOSCANGETFORINJECTION')) define('NOSCANGETFORINJECTION','1'); // Do not check injection attack on GET parameters
+//if (! defined('NOSCANPOSTFORINJECTION')) define('NOSCANPOSTFORINJECTION','1'); // Do not check injection attack on POST parameters
+//if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK','1'); // Do not check CSRF attack (test on referer + on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on).
+//if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Do not roll the Anti CSRF token (used if MAIN_SECURITY_CSRF_WITH_TOKEN is on)
+//if (! defined('NOSTYLECHECK')) define('NOSTYLECHECK','1'); // Do not check style html tag into posted data
+//if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1'); // If there is no need to load and show top and left menu
+//if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1'); // If we don't need to load the html.form.class.php
+//if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1'); // Do not load ajax.lib.php library
+//if (! defined("NOLOGIN")) define("NOLOGIN",'1'); // If this page is public (can be called outside logged session). This include the NOIPCHECK too.
+//if (! defined('NOIPCHECK')) define('NOIPCHECK','1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
+//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT','auto'); // Force lang to a particular value
+//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE','aloginmodule'); // Force authentication handler
+//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN',1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
+//if (! defined("FORCECSP")) define('FORCECSP','none'); // Disable all Content Security Policies
+//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN','1'); // Force use of CSRF protection with tokens even for GET
+
// Load Dolibarr environment
$res = 0;
// Try main.inc.php into web root known defined into CONTEXT_DOCUMENT_ROOT (not always defined)
diff --git a/htdocs/user/perms.php b/htdocs/user/perms.php
index a6f5fbe1c7f..4827af26bb6 100644
--- a/htdocs/user/perms.php
+++ b/htdocs/user/perms.php
@@ -23,9 +23,11 @@
/**
* \file htdocs/user/perms.php
- * \brief Onglet user et permissions de la fiche utilisateur
+ * \brief Page to set permission of a user record
*/
+if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN','1'); // Force use of CSRF protection with tokens even for GET
+
require '../main.inc.php';
require_once DOL_DOCUMENT_ROOT.'/core/lib/usergroups.lib.php';
require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
@@ -87,7 +89,7 @@ $reshook = $hookmanager->executeHooks('doActions', $parameters, $object, $action
if ($reshook < 0) setEventMessages($hookmanager->error, $hookmanager->errors, 'errors');
if (empty($reshook)) {
- if ($action == 'addrights' && $caneditperms) {
+ if ($action == 'addrights' && $caneditperms && $confirm == 'yes') {
$edituser = new User($db);
$edituser->fetch($object->id);
$result = $edituser->addrights($rights, $module, '', $entity);
@@ -107,7 +109,7 @@ if (empty($reshook)) {
$object->getrights();
}
- if ($action == 'delrights' && $caneditperms) {
+ if ($action == 'delrights' && $caneditperms && $confirm == 'yes') {
$edituser = new User($db);
$edituser->fetch($object->id);
$result = $edituser->delrights($rights, $module, '', $entity);
@@ -278,9 +280,9 @@ if (($caneditperms && empty($objMod->rights_admin_allowed)) || empty($object->ad
if ($caneditperms)
{
print '';
- print ''.$langs->trans("All")."";
+ print ''.$langs->trans("All")."";
print ' / ';
- print ''.$langs->trans("None")."";
+ print ''.$langs->trans("None")."";
print ' | ';
}
print ' | ';
@@ -349,9 +351,9 @@ if ($result)
if ($caneditperms)
{
print '';
- print 'module.'">'.$langs->trans("All")."";
+ print 'module.'&confirm=yes&token='.newToken().'">'.$langs->trans("All")."";
print ' / ';
- print 'module.'">'.$langs->trans("None")."";
+ print 'module.'&confirm=yes&token='.newToken().'">'.$langs->trans("None")."";
print ' | ';
}
print ' | ';
@@ -365,7 +367,7 @@ if ($result)
print ' | ';
// Module Id
- if ($user->admin) print ''.$objMod->numero.' | ';
+ print ' | ';
print ''."\n";
}
@@ -392,7 +394,7 @@ if ($result)
{
if ($caneditperms)
{
- print 'id.'">'.img_edit_remove($langs->trans("Remove")).' | ';
+ print 'id.'&confirm=yes&token='.newToken().'">'.img_edit_remove($langs->trans("Remove")).' | ';
}
print '';
print img_picto($langs->trans("Active"), 'tick');
@@ -414,7 +416,7 @@ if ($result)
// Do not own permission
if ($caneditperms)
{
- print ' | id.'">'.img_edit_add($langs->trans("Add")).' | ';
+ print 'id.'&confirm=yes&token='.newToken().'">'.img_edit_add($langs->trans("Add")).' | ';
}
print ' | ';
}
@@ -422,7 +424,7 @@ if ($result)
// Do not own permission
if ($caneditperms)
{
- print 'id.'">'.img_edit_add($langs->trans("Add")).' | ';
+ print 'id.'&confirm=yes&token='.newToken().'">'.img_edit_add($langs->trans("Add")).' | ';
}
print ' | ';
}