Fix: disable the feature by default. The option MAIN_SOCIETE_UNSUBSCRIBE must be set to
enable it, because the feature is a security hole.
parent
66b001653c
commit
befaf655aa
|
|
@ -47,8 +47,6 @@ $object=new Mailing($db);
|
|||
$substitutionarray=array(
|
||||
'__ID__' => 'IdRecord',
|
||||
'__EMAIL__' => 'EMail',
|
||||
'__CHECK_READ__' => 'CheckMail',
|
||||
'__UNSUSCRIBE__' => 'Unsuscribe',
|
||||
'__LASTNAME__' => 'Lastname',
|
||||
'__FIRSTNAME__' => 'Firstname',
|
||||
'__OTHER1__' => 'Other1',
|
||||
|
|
@ -59,11 +57,20 @@ $substitutionarray=array(
|
|||
'__SIGNATURE__' => 'Signature',
|
||||
'__PERSONALIZED__' => 'Personalized'
|
||||
);
|
||||
if ($conf->global->MAIN_SOCIETE_UNSUBSCRIBE)
|
||||
{
|
||||
$substitutionarray=array_merge(
|
||||
$substitutionarray,
|
||||
array(
|
||||
'__CHECK_READ__' => 'CheckMail',
|
||||
'__UNSUSCRIBE__' => 'Unsuscribe'
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
$substitutionarrayfortest=array(
|
||||
'__ID__' => 'TESTIdRecord',
|
||||
'__EMAIL__' => 'TESTEMail',
|
||||
'__CHECK_READ__' => 'TESTCheckMail',
|
||||
'__UNSUSCRIBE__' => 'TESTUnsuscribe',
|
||||
'__LASTNAME__' => 'TESTLastname',
|
||||
'__FIRSTNAME__' => 'TESTFirstname',
|
||||
'__OTHER1__' => 'TESTOther1',
|
||||
|
|
@ -74,7 +81,16 @@ $substitutionarrayfortest=array(
|
|||
'__SIGNATURE__' => 'TESTSignature',
|
||||
'__PERSONALIZED__' => 'TESTPersonalized'
|
||||
);
|
||||
|
||||
if ($conf->global->MAIN_SOCIETE_UNSUBSCRIBE)
|
||||
{
|
||||
$substitutionarray=array_merge(
|
||||
$substitutionarray,
|
||||
array(
|
||||
'__CHECK_READ__' => 'TESTCheckMail',
|
||||
'__UNSUSCRIBE__' => 'TESTCheckMail'
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
// Action clone object
|
||||
if ($action == 'confirm_clone' && $confirm == 'yes')
|
||||
|
|
@ -158,7 +174,7 @@ if ($action == 'sendallconfirmed' && $confirm == 'yes')
|
|||
if ($num)
|
||||
{
|
||||
dol_syslog("comm/mailing/fiche.php: nb of targets = ".$num, LOG_DEBUG);
|
||||
|
||||
|
||||
$now=dol_now();
|
||||
|
||||
// Positionne date debut envoi
|
||||
|
|
@ -191,9 +207,9 @@ if ($action == 'sendallconfirmed' && $confirm == 'yes')
|
|||
$tmpfield=explode('=',$other[4],2); $other5=(isset($tmpfield[1])?$tmpfield[1]:$tmpfield[0]);
|
||||
$substitutionarray=array(
|
||||
'__ID__' => $obj->source_id,
|
||||
'__EMAIL__' => '<a href="mailto:'.$obj->email.'">'.$obj->email.'</a>',
|
||||
'__CHECK_READ__' => '<img src="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-read.php?tag='.$obj->tag.'" width="0" height="0" style="width:0px;height:0px" border="0"/>',
|
||||
'__UNSUSCRIBE__' => '<a href="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-usubscribe.php?tag='.$obj->tag.'&unsuscrib=1" target="_blank">'.$langs->trans("MailUnsubcribe").'</a>',
|
||||
'__EMAIL__' => $obj->email,
|
||||
'__CHECK_READ__' => '<img src="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-read.php?tag='.$obj->tag.'" width="0" height="0" style="width:0px;height:0px" border="0"/>',
|
||||
'__UNSUSCRIBE__' => '<a href="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-unsubscribe.php?tag='.$obj->tag.'&unsuscrib=1" target="_blank">'.$langs->trans("MailUnsubcribe").'</a>',
|
||||
'__LASTNAME__' => $obj->nom,
|
||||
'__FIRSTNAME__' => $obj->prenom,
|
||||
'__OTHER1__' => $other1,
|
||||
|
|
@ -270,11 +286,11 @@ if ($action == 'sendallconfirmed' && $confirm == 'yes')
|
|||
{
|
||||
dol_print_error($db);
|
||||
}
|
||||
|
||||
|
||||
//Update status communication of contact prospect
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_stcomm=2 WHERE rowid IN (SELECT sc.fk_soc FROM ".MAIN_DB_PREFIX."socpeople AS sc INNER JOIN ".MAIN_DB_PREFIX."mailing_cibles AS mc ON mc.rowid=".$obj->rowid." AND mc.source_type = 'contact' AND mc.source_id = sc.rowid)";
|
||||
dol_syslog("fiche.php: set prospect contact status sql=".$sql, LOG_DEBUG);
|
||||
|
||||
|
||||
$resql2=$db->query($sql);
|
||||
if (! $resql2)
|
||||
{
|
||||
|
|
@ -282,8 +298,8 @@ if ($action == 'sendallconfirmed' && $confirm == 'yes')
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
//test if CHECK READ change statut prospect contact
|
||||
}
|
||||
else
|
||||
|
|
@ -531,11 +547,11 @@ if ($action == 'update' && empty($_POST["removedfile"]) && empty($_POST["cancel"
|
|||
|
||||
// Action confirmation validation
|
||||
if ($action == 'confirm_valid' && $confirm == 'yes')
|
||||
{
|
||||
{
|
||||
if ($object->fetch($id) >= 0)
|
||||
{
|
||||
$object->valid($user);
|
||||
|
||||
|
||||
Header("Location: ".$_SERVER['PHP_SELF']."?id=".$object->id);
|
||||
exit;
|
||||
}
|
||||
|
|
@ -547,17 +563,17 @@ if ($action == 'confirm_valid' && $confirm == 'yes')
|
|||
|
||||
// Resend
|
||||
if ($action == 'confirm_reset' && $confirm == 'yes')
|
||||
{
|
||||
{
|
||||
if ($object->fetch($id) >= 0)
|
||||
{
|
||||
$db->begin();
|
||||
|
||||
|
||||
$result=$object->valid($user);
|
||||
if ($result > 0)
|
||||
{
|
||||
$result=$object->reset_targets_status($user);
|
||||
}
|
||||
|
||||
|
||||
if ($result > 0)
|
||||
{
|
||||
$db->commit();
|
||||
|
|
@ -580,7 +596,7 @@ if ($action == 'confirm_reset' && $confirm == 'yes')
|
|||
if ($action == 'confirm_delete' && $confirm == 'yes')
|
||||
{
|
||||
$object->fetch($id);
|
||||
|
||||
|
||||
if ($object->delete($object->id))
|
||||
{
|
||||
Header("Location: liste.php");
|
||||
|
|
@ -1027,8 +1043,11 @@ else
|
|||
print '<br><i>'.$langs->trans("CommonSubstitutions").':<br>';
|
||||
print '__ID__ = '.$langs->trans("IdRecord").'<br>';
|
||||
print '__EMAIL__ = '.$langs->trans("EMail").'<br>';
|
||||
print '__CHECK_READ__ = '.$langs->trans("CheckRead").'<br>';
|
||||
print '__UNSUSCRIBE__ = '.$langs->trans("MailUnsubcribe").'<br>';
|
||||
if ($conf->global->MAIN_SOCIETE_UNSUBSCRIBE)
|
||||
{
|
||||
print '__CHECK_READ__ = '.$langs->trans("CheckRead").'<br>';
|
||||
print '__UNSUSCRIBE__ = '.$langs->trans("MailUnsubcribe").'<br>';
|
||||
}
|
||||
print '__LASTNAME__ = '.$langs->trans("Lastname").'<br>';
|
||||
print '__FIRSTNAME__ = '.$langs->trans("Firstname").'<br>';
|
||||
print '__OTHER1__ = '.$langs->trans("Other").'1<br>';
|
||||
|
|
|
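Review bot: The option block added right after the `$substitutionarrayfortest` array (the `if ($conf->global->MAIN_SOCIETE_UNSUBSCRIBE)` following `'__PERSONALIZED__' => 'TESTPersonalized'`) merges its TEST values into `$substitutionarray` instead of `$substitutionarrayfortest`, so with the option enabled the real substitution table is overwritten with `TESTCheckMail` while the test table never receives the two keys, and in the same block `'__UNSUSCRIBE__'` is mapped to `'TESTCheckMail'` instead of `'TESTUnsuscribe'`. Those three lines should read `$substitutionarrayfortest=array_merge(`, `$substitutionarrayfortest,` and `'__UNSUSCRIBE__' => 'TESTUnsuscribe'`. Separately, the send loop (`'__CHECK_READ__' => '<img src="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-read.php?tag=...` and the `mailing-unsubscribe.php` link) still builds both values unconditionally, so when the option is off every mail carries a tracking pixel and an unsubscribe link to pages that now answer `accessforbidden`; the same applies to the equivalent substitution block in the `mailing-send` script further down this commit. Wrapping those two entries in the same option check, or substituting an empty string when it is off, would keep the mails consistent with the gate; the enclosing send loop starts and ends outside the hunk.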
|||
|
|
@ -24,7 +24,7 @@
|
|||
* \ingroup mailing
|
||||
* \brief Script use to update mail status if destinaries read it (if images during mail read are display)
|
||||
*/
|
||||
|
||||
|
||||
define("NOLOGIN",1); // This means this output page does not require to be logged.
|
||||
define("NOCSRFCHECK",1); // We accept to go on this page from external web site.
|
||||
|
||||
|
|
@ -32,31 +32,34 @@ require("../../main.inc.php");
|
|||
|
||||
$id=GETPOST('tag');
|
||||
|
||||
if (empty($conf->global->MAIN_SOCIETE_UNSUBSCRIBE)) accessforbidden('Option not enabled');
|
||||
|
||||
|
||||
/*
|
||||
* Actions
|
||||
*/
|
||||
|
||||
if ($id!='')
|
||||
{
|
||||
$statut='2';
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."mailing_cibles SET statut=".$statut." WHERE tag='".$id."'";
|
||||
dol_syslog("public/emailing/mailing-read.php : Mail read : ".$sql, LOG_DEBUG);
|
||||
|
||||
|
||||
$resql=$db->query($sql);
|
||||
|
||||
//Update status communication of thirdparty prospect
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_stcomm=3 WHERE rowid IN (SELECT source_id FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE tag='".$id."' AND source_type='thirdparty' AND source_id is not null)";
|
||||
dol_syslog("public/emailing/mailing-read.php : Mail read thirdparty : ".$sql, LOG_DEBUG);
|
||||
|
||||
|
||||
$resql=$db->query($sql);
|
||||
|
||||
//Update status communication of contact prospect
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_stcomm=3 WHERE rowid IN (SELECT sc.fk_soc FROM ".MAIN_DB_PREFIX."socpeople AS sc INNER JOIN ".MAIN_DB_PREFIX."mailing_cibles AS mc ON mc.tag = '".$id."' AND mc.source_type = 'contact' AND mc.source_id = sc.rowid)";
|
||||
dol_syslog("public/emailing/mailing-read.php : Mail read contact : ".$sql, LOG_DEBUG);
|
||||
|
||||
|
||||
$resql=$db->query($sql);
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
$db->close();
|
||||
?>
|
||||
|
|
|
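Review bot: The new `if (empty($conf->global->MAIN_SOCIETE_UNSUBSCRIBE)) accessforbidden('Option not enabled');` line is a global switch only; once the option is on, `$id` from `GETPOST('tag')` is still concatenated raw into the three UPDATE statements (`WHERE tag='".$id."'` and the two `mc.tag = '".$id."'` subqueries), which is the injection surface the commit description calls a security hole. Each occurrence should go through the database escaper, e.g. `$sql = "UPDATE ".MAIN_DB_PREFIX."mailing_cibles SET statut=".$statut." WHERE tag='".$db->escape($id)."'";`, and the same change is needed for the identical statements in the `mailing-unsubscribe.php` section below. The three `$resql=$db->query($sql);` results in this hunk are also never checked, so a failed update is silent; `if (! $resql) dol_print_error($db);` after each, as `fiche.php` does, would surface it in the logs.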
|||
|
|
@ -20,11 +20,11 @@
|
|||
|
||||
|
||||
/**
|
||||
* \file scripts/emailings/mailing-usubscribe.php
|
||||
* \file scripts/emailings/mailing-unsubscribe.php
|
||||
* \ingroup mailing
|
||||
* \brief Script use to update unsubcribe contact to prospect mailing list
|
||||
*/
|
||||
|
||||
|
||||
define("NOLOGIN",1); // This means this output page does not require to be logged.
|
||||
define("NOCSRFCHECK",1); // We accept to go on this page from external web site.
|
||||
|
||||
|
|
@ -39,26 +39,32 @@ $langs->load("mails");
|
|||
$id=GETPOST('tag');
|
||||
$unsuscrib=GETPOST('unsuscrib');
|
||||
|
||||
if (empty($conf->global->MAIN_SOCIETE_UNSUBSCRIBE)) accessforbidden('Option not enabled');
|
||||
|
||||
|
||||
/*
|
||||
* Actions
|
||||
*/
|
||||
|
||||
if (($id!='') && ($unsuscrib=='1'))
|
||||
{
|
||||
//Udate status of mail in Destinaries maling list
|
||||
$statut='3';
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."mailing_cibles SET statut=".$statut." WHERE tag='".$id."'";
|
||||
dol_syslog("public/emailing/mailing-usubscribe.php : Mail unsubcribe : ".$sql, LOG_DEBUG);
|
||||
|
||||
dol_syslog("public/emailing/mailing-unsubscribe.php : Mail unsubcribe : ".$sql, LOG_DEBUG);
|
||||
|
||||
$resql=$db->query($sql);
|
||||
|
||||
|
||||
//Update status communication of thirdparty prospect
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_stcomm=-1 WHERE rowid IN (SELECT source_id FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE tag='".$id."' AND source_type='thirdparty' AND source_id is not null)";
|
||||
dol_syslog("public/emailing/mailing-unsubscribe.php : Mail unsubcribe thirdparty : ".$sql, LOG_DEBUG);
|
||||
|
||||
|
||||
$resql=$db->query($sql);
|
||||
|
||||
//Update status communication of contact prospect
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_stcomm=-1 WHERE rowid IN (SELECT fk_soc FROM ".MAIN_DB_PREFIX."socpeople AS sc INNER JOIN ".MAIN_DB_PREFIX."mailing_cibles AS mc ON mc.tag = '".$id."' AND mc.source_type = 'contact' AND mc.source_id = sc.rowid)";
|
||||
dol_syslog("public/emailing/mailing-unsubscribe.php : Mail unsubcribe contact : ".$sql, LOG_DEBUG);
|
||||
|
||||
|
||||
$resql=$db->query($sql);
|
||||
|
||||
$sql = "SELECT mc.email";
|
||||
|
|
@ -66,9 +72,9 @@ if (($id!='') && ($unsuscrib=='1'))
|
|||
$sql .= " WHERE mc.tag='".$id."'";
|
||||
|
||||
$resql=$db->query($sql);
|
||||
|
||||
|
||||
$obj = $db->fetch_object($resql);
|
||||
|
||||
|
||||
header("Content-type: text/html; charset=".$conf->file->character_set_client);
|
||||
|
||||
print '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">';
|
||||
|
|
@ -92,8 +98,6 @@ if (($id!='') && ($unsuscrib=='1'))
|
|||
print '</td></tr></table>';
|
||||
print "</body>\n";
|
||||
print "</html>\n";
|
||||
|
||||
|
||||
}
|
||||
|
||||
$db->close();
|
||||
|
|
|
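Review bot: In the `@ -66,9 +72,9` hunk, `$obj = $db->fetch_object($resql);` is called on the result of the `SELECT mc.email` query without checking `$resql`, and when the tag matches no row `$obj` is false; the HTML block that follows appears to print fields of `$obj` (its use is outside the hunk, so this is inferred), which would then emit a warning or empty content on the public page. A guard such as `if (! $resql) dol_print_error($db);` before the fetch and `if ($obj)` around the rendering would keep the page well-formed for an unknown or stale tag. Note also that the `$statut='3'` update runs on any tag value that is non-empty, so a guess at the tag format is enough to unsubscribe a target; restricting `$id` to the expected token alphabet with an anchored `preg_match` before the first query would narrow that, independently of the escaping already raised for `mailing-read.php`.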
|||
|
|
@ -106,8 +106,11 @@ if ($resql)
|
|||
{
|
||||
dol_syslog("nb of targets = ".$num, LOG_DEBUG);
|
||||
|
||||
$now=dol_now();
|
||||
|
||||
// Positionne date debut envoi
|
||||
$sql="UPDATE ".MAIN_DB_PREFIX."mailing SET date_envoi=SYSDATE() WHERE rowid=".$id;
|
||||
$sql="UPDATE ".MAIN_DB_PREFIX."mailing SET date_envoi='".$db->idate($now)."' WHERE rowid=".$id;
|
||||
|
||||
$resql2=$db->query($sql);
|
||||
if (! $resql2)
|
||||
{
|
||||
|
|
@ -135,9 +138,9 @@ if ($resql)
|
|||
$other5=$other[4];
|
||||
$substitutionarray=array(
|
||||
'__ID__' => $obj->source_id,
|
||||
'__EMAIL__' => '<a href="mailto:'.$obj->email.'">'.$obj->email.'</a>',
|
||||
'__EMAIL__' => $obj->email,
|
||||
'__CHECK_READ__' => '<img src="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-read.php?tag='.$obj->tag.'" width="0" height="0" style="width:0px;height:0px" border="0"/>',
|
||||
'__UNSUSCRIBE__' => '<a href="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-usubscribe.php?tag='.$obj->tag.'&unsuscrib=1" target="_blank">'.$langs->trans("MailUnsubcribe").'</a>',
|
||||
'__UNSUSCRIBE__' => '<a href="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-unsubscribe.php?tag='.$obj->tag.'&unsuscrib=1" target="_blank">'.$langs->trans("MailUnsubcribe").'</a>',
|
||||
'__LASTNAME__' => $obj->lastname,
|
||||
'__FIRSTNAME__' => $obj->firstname,
|
||||
'__OTHER1__' => $other1,
|
||||
|
|
@ -212,11 +215,11 @@ if ($resql)
|
|||
{
|
||||
dol_print_error($db);
|
||||
}
|
||||
|
||||
|
||||
//Update status communication of contact prospect
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_stcomm=2 WHERE rowid IN (SELECT sc.fk_soc FROM ".MAIN_DB_PREFIX."socpeople AS sc INNER JOIN ".MAIN_DB_PREFIX."mailing_cibles AS mc ON mc.rowid=".$obj->rowid." AND mc.source_type = 'contact' AND mc.source_id = sc.rowid)";
|
||||
dol_syslog("fiche.php: set prospect contact status sql=".$sql, LOG_DEBUG);
|
||||
|
||||
|
||||
$resql2=$db->query($sql);
|
||||
if (! $resql2)
|
||||
{
|
||||
|
|
|
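Review bot: The rewritten date update `$sql="UPDATE ".MAIN_DB_PREFIX."mailing SET date_envoi='".$db->idate($now)."' WHERE rowid=".$id;` keeps `$id` interpolated unquoted and uncast; where `$id` is assigned is outside the hunk, but if it is read from the command line as this script's argument it should be forced to an integer first, `WHERE rowid=".(int) $id`, so a malformed argument cannot alter the statement. The switch from `SYSDATE()` to `$db->idate($now)` is the right direction since it matches the `$now=dol_now()` already used in `fiche.php` and removes a MySQL-only function. The enclosing `if ($resql)` block starts and ends outside the hunk.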
|||