[Phpcompta-dev] r4701 - phpcompta/trunk/include
From: |
phpcompta-dev |
Subject: |
[Phpcompta-dev] r4701 - phpcompta/trunk/include |
Date: |
Mon, 9 Jan 2012 21:43:48 +0100 (CET) |
Author: danydb
Date: 2012-01-09 21:43:48 +0100 (Mon, 09 Jan 2012)
New Revision: 4701
Modified:
phpcompta/trunk/include/adm.inc.php
phpcompta/trunk/include/class_acc_ledger.php
phpcompta/trunk/include/class_acc_ledger_fin.php
phpcompta/trunk/include/class_acc_ledger_purchase.php
phpcompta/trunk/include/class_acc_ledger_sold.php
phpcompta/trunk/include/class_fiche.php
phpcompta/trunk/include/detail_adm.inc.php
phpcompta/trunk/include/detail_client.inc.php
phpcompta/trunk/include/detail_supplier.inc.php
phpcompta/trunk/include/supplier.inc.php
Log:
Security : avoid js inject + block access if a user cannot add card
Modified: phpcompta/trunk/include/adm.inc.php
===================================================================
--- phpcompta/trunk/include/adm.inc.php 2012-01-09 15:54:32 UTC (rev 4700)
+++ phpcompta/trunk/include/adm.inc.php 2012-01-09 20:43:48 UTC (rev 4701)
@@ -109,22 +109,25 @@
echo '<br>';
echo '<br>';
echo '<br>';
- /* Add button */
- $f_add_button=new IButton('add_card');
- $f_add_button->label=_('Créer une nouvelle fiche');
- $f_add_button->set_attribute('ipopup','ipop_newcard');
- $f_add_button->set_attribute('win_refresh','yes');
+ if ($g_user->check_action(FICADD)==1)
+ {
+ /* Add button */
+ $f_add_button=new IButton('add_card');
+ $f_add_button->label=_('Créer une nouvelle fiche');
+ $f_add_button->set_attribute('ipopup','ipop_newcard');
+ $f_add_button->set_attribute('win_refresh','yes');
- $f_add_button->set_attribute('type_cat',FICHE_TYPE_ADM_TAX);
- $f_add_button->javascript=" select_card_type(this);";
- echo $f_add_button->input();
+ $f_add_button->set_attribute('type_cat',FICHE_TYPE_ADM_TAX);
+ $f_add_button->javascript=" select_card_type(this);";
+ echo $f_add_button->input();
- $f_cat_button=new IButton('add_cat');
- $f_cat_button->set_attribute('ipopup','ipop_cat');
- $f_cat_button->set_attribute('type_cat',FICHE_TYPE_ADM_TAX);
- $f_cat_button->label=_('Ajout d\'une catégorie');
- $f_cat_button->javascript='add_category(this)';
- echo $f_cat_button->input();
+ $f_cat_button=new IButton('add_cat');
+ $f_cat_button->set_attribute('ipopup','ipop_cat');
+ $f_cat_button->set_attribute('type_cat',FICHE_TYPE_ADM_TAX);
+ $f_cat_button->label=_('Ajout d\'une catégorie');
+ $f_cat_button->javascript='add_category(this)';
+ echo $f_cat_button->input();
+ }
echo '</div>';
echo '</div>';
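Review bot: Wrapping the add-card and add-category buttons in `$g_user->check_action(FICADD)==1` only hides the UI; the handlers reached through `ipop_newcard` and `add_category(this)` are not in this hunk and need to apply the same right server-side, since the request can still be sent without the button being rendered. If the handlers already do so, a comment at the check would record it: `/* UI gate only: card/category creation is also rejected server-side without FICADD */`. The comparison against `==1` assumes check_action returns exactly 1 on success, which is not visible here. The identical hunk in supplier.inc.php (@@ -110,22 +110,26 @@) has the same caveat.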
Modified: phpcompta/trunk/include/class_acc_ledger.php
===================================================================
--- phpcompta/trunk/include/class_acc_ledger.php 2012-01-09 15:54:32 UTC
(rev 4700)
+++ phpcompta/trunk/include/class_acc_ledger.php 2012-01-09 20:43:48 UTC
(rev 4701)
@@ -1498,14 +1498,16 @@
$add_js.='get_last_date();';
$ret="";
- /* Add button */
- $f_add_button=new IButton('add_card');
- $f_add_button->label=_('Créer une nouvelle fiche');
- $f_add_button->set_attribute('ipopup','ipop_newcard');
- $f_add_button->set_attribute('jrn',$this->id);
- $f_add_button->javascript="
this.jrn=\$('p_jrn').value;select_card_type(this);";
- $f_add_button->input();
-
+ if ( $user->check_action(FICADD) == 1)
+ {
+ /* Add button */
+ $f_add_button=new IButton('add_card');
+ $f_add_button->label=_('Créer une nouvelle fiche');
+ $f_add_button->set_attribute('ipopup','ipop_newcard');
+ $f_add_button->set_attribute('jrn',$this->id);
+ $f_add_button->javascript="
this.jrn=\$('p_jrn').value;select_card_type(this);";
+ $f_add_button->input();
+ }
$wLedger=$this->select_ledger('ODS',2);
if ($wLedger == null) exit (_('Pas de journal disponible'));
$wLedger->javascript="onChange='update_name();update_predef(\"ods\",\"t\");$add_js'";
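Review bot: `$f_add_button` is now assigned only inside the FICADD branch, while the later hunk (@@ -1593,7 +1595,7 @@) repeats the check before `$ret.=$f_add_button->input();` about a hundred lines away, so editing one guard without the other leaves an undefined variable. Deciding once, `$can_add_card = ($user->check_action(FICADD) == 1);`, and testing `$can_add_card` at both sites keeps them in step, and the braceless `if` at the second site should get braces. The `$f_add_button->input();` call in this hunk discards its return value, so unless `input()` has side effects the line does nothing. `$user` is not defined in this hunk; presumably it is the User instance built earlier in the method, as in class_acc_ledger_fin.php. The enclosing method starts and ends outside the hunk.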
@@ -1593,7 +1595,7 @@
$ret.=HtmlInput::hidden('jrn_type',$this->get_type());
$info= HtmlInput::infobulle(0);
$info_poste=HtmlInput::infobulle(9);
- $ret.=$f_add_button->input();
+ if ($user->check_action(FICADD)==1)
$ret.=$f_add_button->input();
$ret.='<table id="quick_item" style="width:100%">';
$ret.='<tr>'.
'<th style="text-align:left">Quickcode'.$info.'</th>'.
@@ -2564,7 +2566,7 @@
{
$desc=sql_string($desc);
$fil_desc=$and." ( upper(jr_comment) like upper('%".$desc."%') or
upper(jr_pj_number) like upper('%".$desc."%') ".
- " or upper(jr_internal) like upper('%".$desc."%')
+ " or upper(jr_internal) like upper('%".$desc."%')
or jr_grpt_id in (select j_grpt from jrnx where
j_text ~* '".$desc."'))";
$and=" and ";
}
Modified: phpcompta/trunk/include/class_acc_ledger_fin.php
===================================================================
--- phpcompta/trunk/include/class_acc_ledger_fin.php 2012-01-09 15:54:32 UTC
(rev 4700)
+++ phpcompta/trunk/include/class_acc_ledger_fin.php 2012-01-09 20:43:48 UTC
(rev 4701)
@@ -193,12 +193,13 @@
$pview_only=false;
$user = new User($this->db);
+
$f_add_button=new IButton('add_card');
$f_add_button->label=_('Créer une nouvelle fiche');
$f_add_button->set_attribute('ipopup','ipop_newcard');
$f_add_button->set_attribute('jrn',$this->id);
$f_add_button->javascript="
this.jrn=\$('p_jrn').value;select_card_type(this);";
- $str_add_button=$f_add_button->input();
+
$str_add_button=($user->check_action(FICADD)==1)?$f_add_button->input():"";
// The first day of the periode
$pPeriode=new Periode($this->db);
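Review bot: The same FICADD gate is written three ways in this commit — a ternary here, an `if` block with pre-initialised strings in class_acc_ledger_purchase.php and class_acc_ledger_sold.php, and a braceless `if` in class_acc_ledger.php — so the rule lives in four places with no single owner; one helper on the shared ledger class returning the button HTML or `""` would keep it in one. Here the IButton is still constructed when its output is thrown away; hoisting the check above `new IButton('add_card')` avoids that. The enclosing method starts and ends outside the hunk.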
Modified: phpcompta/trunk/include/class_acc_ledger_purchase.php
===================================================================
--- phpcompta/trunk/include/class_acc_ledger_purchase.php 2012-01-09
15:54:32 UTC (rev 4700)
+++ phpcompta/trunk/include/class_acc_ledger_purchase.php 2012-01-09
20:43:48 UTC (rev 4701)
@@ -895,10 +895,13 @@
$f_add_button2->set_attribute('filter',$this->get_all_fiche_def ());
// $f_add_button2->set_attribute('jrn',$this->id);
$f_add_button2->javascript="
this.jrn=\$('p_jrn').value;select_card_type(this);";
-
- $str_add_button=$f_add_button->input();
- $str_add_button2=$f_add_button2->input();
-
+ $str_add_button="";
+ $str_add_button2="";
+ if ($user->check_action(FICADD)==1)
+ {
+ $str_add_button=$f_add_button->input();
+ $str_add_button2=$f_add_button2->input();
+ }
// The first day of the periode
$oPeriode=new Periode($this->db);
list
($l_date_start,$l_date_end)=$oPeriode->get_date_limit($user->get_periode());
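Review bot: This block is repeated verbatim in class_acc_ledger_sold.php (@@ -1017,9 +1017,13 @@), and both copies build `$f_add_button`/`$f_add_button2` before deciding whether they are shown; checking `$user->check_action(FICADD)` once before the buttons are constructed would drop the wasted construction and the duplicated pair of empty-string initialisers. A one-line comment at the check would help the next reader, e.g. `// card-creation buttons are shown only to users holding FICADD; the add handler must enforce the same right` — the handler is not in this diff, so that second clause needs confirming. The enclosing method starts and ends outside the hunk.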
Modified: phpcompta/trunk/include/class_acc_ledger_sold.php
===================================================================
--- phpcompta/trunk/include/class_acc_ledger_sold.php 2012-01-09 15:54:32 UTC
(rev 4700)
+++ phpcompta/trunk/include/class_acc_ledger_sold.php 2012-01-09 20:43:48 UTC
(rev 4701)
@@ -1017,9 +1017,13 @@
// $f_add_button2->set_attribute('jrn',$this->id);
$f_add_button2->javascript="
this.jrn=\$('p_jrn').value;select_card_type(this);";
- $str_add_button=$f_add_button->input();
- $str_add_button2=$f_add_button2->input();
-
+ $str_add_button="";
+ $str_add_button2="";
+ if ($user->check_action(FICADD)==1)
+ {
+ $str_add_button=$f_add_button->input();
+ $str_add_button2=$f_add_button2->input();
+ }
// The first day of the periode
$oPeriode=new Periode($this->db);
list
($l_date_start,$l_date_end)=$oPeriode->get_date_limit($user->get_periode());
@@ -1257,7 +1261,7 @@
if ( $g_parameter->MY_UPDLAB == 'Y')
{
$Span=new IText("e_march".$i."_label");
-
+
$Span->css_size="100%";
} else
{
Modified: phpcompta/trunk/include/class_fiche.php
===================================================================
--- phpcompta/trunk/include/class_fiche.php 2012-01-09 15:54:32 UTC (rev
4700)
+++ phpcompta/trunk/include/class_fiche.php 2012-01-09 20:43:48 UTC (rev
4701)
@@ -581,7 +581,7 @@
}
if ($p_readonly == false)
{
-
+
if ($r->ad_id == ATTR_DEF_ACCOUNT)
{
$w = new IPoste("av_text" . $r->ad_id);
@@ -835,7 +835,7 @@
$value2=sql_string($value);
$sql=sprintf("select attribut_insert(%d,%d,'%s')",
- $fiche_id,$id,trim($value2));
+ $fiche_id,$id, strip_tags(trim($value2)));
$this->cn->exec_sql($sql);
}
}
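Review bot: `strip_tags()` is applied to `$value2`, which `sql_string()` has already escaped, so the sanitiser runs on the escaped form rather than the raw input; the conventional order is to clean the raw value first and escape last, and the hunk at @@ -1004,7 +1004,7 @@ applies `strip_tags($value)` in the same spirit. Tag stripping at write time is a weak control for script injection: it silently alters stored data and does not cover attribute contexts, whereas escaping with `htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` where the value is rendered does. This insert also differs from the `$1`/`$2` parameterised form the later hunk uses; `$sql = "select attribut_insert($1,$2,$3)";` with `$this->cn->exec_sql($sql, array($fiche_id, $id, trim($value)));` would make `sql_string()` unnecessary here, assuming exec_sql binds the integer arguments as it does for the update. The enclosing method starts and ends outside the hunk.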
@@ -1004,7 +1004,7 @@
// Normal traitement
$sql="update fiche_detail set ad_value=$1 where jft_id=$2";
- $this->cn->exec_sql($sql,array($value,$jft_id));
+
$this->cn->exec_sql($sql,array(strip_tags($value),$jft_id));
}
}
catch (Exception $e )
Modified: phpcompta/trunk/include/detail_adm.inc.php
===================================================================
--- phpcompta/trunk/include/detail_adm.inc.php 2012-01-09 15:54:32 UTC (rev
4700)
+++ phpcompta/trunk/include/detail_adm.inc.php 2012-01-09 20:43:48 UTC (rev
4701)
@@ -25,9 +25,9 @@
* contact,operation,invoice and financial)
* include from adm.inc.php and concerned only the customer card and
* the customer category
- * parameter
+ * parameter
* - p_action = adm
- * - sb = detail
+ * - sb = detail
* - sc = dc
*/
//----------------------------------------------------------------------------
@@ -44,18 +44,18 @@
}
-echo '<div class="u_content">';
+echo '<div class="u_content" style="width:50%">';
$f_id=$_REQUEST['f_id'];
echo '<div class="content">';
if ( isset($_POST['mod'])) echo hb('Information sauvée');
$adm=new Fiche($cn,$f_id);
-
-echo '<form method="post">';
+$p_readonly=($g_user->check_action(FICADD)==0)?true:false;
+if ( ! $p_readonly) echo '<form method="post">';
echo dossier::hidden();
echo HtmlInput::hidden('sb','detail');
echo HtmlInput::hidden('dc','cc');
-echo $adm->Display(false);
+echo $adm->Display($p_readonly);
$w=new IHidden();
$w->name="p_action";
$w->value="adm";
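Review bot: `$p_readonly` governs only what is rendered; the code that acts on `$_POST['mod']` and `delete_card` (the `isset($_POST['mod'])` test is visible here, the handling presumably lives in adm.inc.php, outside this diff) must refuse users without the right, because a display-only gate does not stop a submission sent without the form. Whether FICADD, an add right, is the intended gate for modify and delete deserves a comment, e.g. `// FICADD doubles as the edit/delete right for cards`, if that is deliberate. `($g_user->check_action(FICADD)==0)?true:false` simplifies to `$p_readonly = ($g_user->check_action(FICADD) == 0);`, and in the readonly case the `dossier::hidden()` and `HtmlInput::hidden(...)` inputs are emitted outside any form. The same pattern appears in the second hunk of this file and in detail_client.inc.php and detail_supplier.inc.php (hunks @@ -46,16 +46,16 @@ and @@ -63,11 +63,13 @@).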
@@ -63,11 +63,13 @@
$w->name="f_id";
$w->value=$f_id;
echo $w->input();
-
-echo HtmlInput::submit('mod',_('Sauver les modifications'));
-echo HtmlInput::reset(_("Annuler"));
-echo HtmlInput::submit('delete_card','Effacer cette fiche','onclick="return
confirm(\'Confirmer effacement ?\');"');
-echo '</form>';
+if ( ! $p_readonly)
+{
+ echo HtmlInput::submit('mod',_('Sauver les modifications'));
+ echo HtmlInput::reset(_("Annuler"));
+ echo HtmlInput::submit('delete_card','Effacer cette
fiche','onclick="return confirm(\'Confirmer effacement ?\');"');
+ echo '</form>';
+}
echo $return->input();
echo '</div>';
Modified: phpcompta/trunk/include/detail_client.inc.php
===================================================================
--- phpcompta/trunk/include/detail_client.inc.php 2012-01-09 15:54:32 UTC
(rev 4700)
+++ phpcompta/trunk/include/detail_client.inc.php 2012-01-09 20:43:48 UTC
(rev 4701)
@@ -25,9 +25,9 @@
* contact,operation,invoice and financial)
* include from client.inc.php and concerned only the customer card and
* the customer category
- * parameter
+ * parameter
* - p_action = client
- * - sb = detail
+ * - sb = detail
* - sc = dc
*/
//----------------------------------------------------------------------------
@@ -46,16 +46,16 @@
echo '<div class="u_content">';
$f_id=$_REQUEST['f_id'];
-echo '<div class="content">';
+echo '<div class="content" style="width:50%">';
if ( isset($_POST['mod'])) echo hb(_('Information sauvée'));
$client=new Customer($cn,$f_id);
-
-echo '<form method="post">';
+$p_readonly=($g_user->check_action(FICADD)==0)?true:false;
+if ( ! $p_readonly) echo '<form method="post">';
echo dossier::hidden();
echo HtmlInput::hidden('sb','detail');
echo HtmlInput::hidden('dc','cc');
-echo $client->Display(false);
+echo $client->Display($p_readonly);
$w=new IHidden();
$w->name="p_action";
$w->value="client";
@@ -63,11 +63,13 @@
$w->name="f_id";
$w->value=$f_id;
echo $w->input();
-
-echo HtmlInput::submit('mod',_('Sauver les modifications'));
-echo HtmlInput::reset(_("Annuler"));
-echo HtmlInput::submit('delete_card',_('Effacer cette fiche'),'onclick="return
confirm(\'Confirmer effacement ?\');"');
-echo '</form>';
+if ( ! $p_readonly)
+{
+ echo HtmlInput::submit('mod',_('Sauver les modifications'));
+ echo HtmlInput::reset(_("Annuler"));
+ echo HtmlInput::submit('delete_card',_('Effacer cette
fiche'),'onclick="return confirm(\'Confirmer effacement ?\');"');
+ echo '</form>';
+}
echo $return;
echo '</div>';
Modified: phpcompta/trunk/include/detail_supplier.inc.php
===================================================================
--- phpcompta/trunk/include/detail_supplier.inc.php 2012-01-09 15:54:32 UTC
(rev 4700)
+++ phpcompta/trunk/include/detail_supplier.inc.php 2012-01-09 20:43:48 UTC
(rev 4701)
@@ -25,9 +25,9 @@
* contact,operation,invoice and financial)
* include from supplier.inc.php and concerned only the customer card and
* the customer category
- * parameter
+ * parameter
* - p_action = supplier
- * - sb = detail
+ * - sb = detail
* - sc = dc
*/
//----------------------------------------------------------------------------
@@ -46,16 +46,16 @@
echo '<div class="u_content">';
$f_id=$_REQUEST['f_id'];
-echo '<div class="content">';
+echo '<div class="content" style="width:50%">';
if ( isset($_POST['mod'])) echo hb(_('Information sauvée'));
$supplier=new Supplier($cn,$f_id);
-
-echo '<form method="post">';
+$p_readonly=($g_user->check_action(FICADD)==0)?true:false;
+if ( ! $p_readonly) echo '<form method="post">';
echo dossier::hidden();
echo HtmlInput::hidden('sb','detail');
echo HtmlInput::hidden('dc','cc');
-echo $supplier->Display(false);
+echo $supplier->Display($p_readonly);
$w=new IHidden();
$w->name="p_action";
$w->value="supplier";
@@ -63,11 +63,13 @@
$w->name="f_id";
$w->value=$f_id;
echo $w->input();
-
-echo HtmlInput::submit('mod',_('Sauver les modifications'));
-echo HtmlInput::reset(_("Annuler"));
-echo HtmlInput::submit('delete_card',_('Effacer cette fiche'),'onclick="return
confirm(\'Confirmer effacement ?\');"');
-echo '</form>';
+if ( ! $p_readonly)
+{
+ echo HtmlInput::submit('mod',_('Sauver les modifications'));
+ echo HtmlInput::reset(_("Annuler"));
+ echo HtmlInput::submit('delete_card',_('Effacer cette
fiche'),'onclick="return confirm(\'Confirmer effacement ?\');"');
+ echo '</form>';
+}
echo $return->input();
echo '</div>';
Modified: phpcompta/trunk/include/supplier.inc.php
===================================================================
--- phpcompta/trunk/include/supplier.inc.php 2012-01-09 15:54:32 UTC (rev
4700)
+++ phpcompta/trunk/include/supplier.inc.php 2012-01-09 20:43:48 UTC (rev
4701)
@@ -110,22 +110,26 @@
echo '<br>';
echo '<br>';
echo '<br>';
- /* Add button */
- $f_add_button=new IButton('add_card');
- $f_add_button->label=_('Créer une nouvelle fiche');
- $f_add_button->set_attribute('ipopup','ipop_newcard');
- $f_add_button->set_attribute('win_refresh','yes');
+ if ($g_user->check_action(FICADD)==1)
+ {
+ /* Add button */
+ $f_add_button=new IButton('add_card');
+ $f_add_button->label=_('Créer une nouvelle fiche');
+ $f_add_button->set_attribute('ipopup','ipop_newcard');
+ $f_add_button->set_attribute('win_refresh','yes');
- $f_add_button->set_attribute('type_cat',FICHE_TYPE_FOURNISSEUR);
- $f_add_button->javascript=" select_card_type(this);";
- echo $f_add_button->input();
+ $f_add_button->set_attribute('type_cat',FICHE_TYPE_FOURNISSEUR);
+ $f_add_button->javascript=" select_card_type(this);";
+ echo $f_add_button->input();
- $f_cat_button=new IButton('add_cat');
- $f_cat_button->set_attribute('ipopup','ipop_cat');
- $f_cat_button->set_attribute('type_cat',FICHE_TYPE_FOURNISSEUR);
- $f_cat_button->label=_('Ajout d\'une catégorie');
- $f_cat_button->javascript='add_category(this)';
- echo $f_cat_button->input();
+ $f_cat_button=new IButton('add_cat');
+ $f_cat_button->set_attribute('ipopup','ipop_cat');
+ $f_cat_button->set_attribute('type_cat',FICHE_TYPE_FOURNISSEUR);
+ $f_cat_button->label=_('Ajout d\'une catégorie');
+ $f_cat_button->javascript='add_category(this)';
+ echo $f_cat_button->input();
+ }
+
echo '</div>';
echo '</div>';