alxarafe / alixar

dolibarr/htdocs/core/class/html.form.class.php

Indentation +22 added lines, -22 removed lines

@@ -1995,28 +1995,28 @@
 

                     // phpcs:disable PEAR.NamingConventions.ValidFunctionName.NotCamelCaps

                     /**

-     * 	Return list of products for a customer

-     *

-     * 	@param      int		$selected           Preselected product

-     * 	@param      string	$htmlname           Name of select html

-     *  @param		string	$filtertype         Filter on product type (''=nofilter, 0=product, 1=service)

-     * 	@param      int		$limit              Limit on number of returned lines

-     * 	@param      int		$price_level        Level of price to show

-     * 	@param      string	$filterkey          Filter on product

-     * 	@param		int		$status             -1=Return all products, 0=Products not on sell, 1=Products on sell

-     *  @param      int		$finished           Filter on finished field: 2=No filter

-     *  @param      int		$outputmode         0=HTML select string, 1=Array

-     *  @param      int		$socid     		    Thirdparty Id (to get also price dedicated to this customer)

-     *  @param		string	$showempty		    '' to not show empty line. Translation key to show an empty line. '1' show empty line with no text.

-     * 	@param		int		$forcecombo		    Force to use combo box

-     *  @param      string  $morecss            Add more css on select

-     *  @param      int     $hidepriceinlabel   1=Hide prices in label

-     *  @param      string  $warehouseStatus    warehouse status filter, following comma separated filter options can be used

-     * 										    'warehouseopen' = select products from open warehouses,

-     * 										    'warehouseclosed' = select products from closed warehouses,

-     * 										    'warehouseinternal' = select products from warehouses for internal correct/transfer only

-     *  @return     array    				    Array of keys for json

-     */

+                     * 	Return list of products for a customer

+                     *

+                     * 	@param      int		$selected           Preselected product

+                     * 	@param      string	$htmlname           Name of select html

+                     *  @param		string	$filtertype         Filter on product type (''=nofilter, 0=product, 1=service)

+                     * 	@param      int		$limit              Limit on number of returned lines

+                     * 	@param      int		$price_level        Level of price to show

+                     * 	@param      string	$filterkey          Filter on product

+                     * 	@param		int		$status             -1=Return all products, 0=Products not on sell, 1=Products on sell

+                     *  @param      int		$finished           Filter on finished field: 2=No filter

+                     *  @param      int		$outputmode         0=HTML select string, 1=Array

+                     *  @param      int		$socid     		    Thirdparty Id (to get also price dedicated to this customer)

+                     *  @param		string	$showempty		    '' to not show empty line. Translation key to show an empty line. '1' show empty line with no text.

+                     * 	@param		int		$forcecombo		    Force to use combo box

+                     *  @param      string  $morecss            Add more css on select

+                     *  @param      int     $hidepriceinlabel   1=Hide prices in label

+                     *  @param      string  $warehouseStatus    warehouse status filter, following comma separated filter options can be used

+                     * 										    'warehouseopen' = select products from open warehouses,

+                     * 										    'warehouseclosed' = select products from closed warehouses,

+                     * 										    'warehouseinternal' = select products from warehouses for internal correct/transfer only

+                     *  @return     array    				    Array of keys for json

+                     */

     function select_produits_list($selected = '', $htmlname = 'productid', $filtertype = '', $limit = 20, $price_level = 0, $filterkey = '', $status = 1, $finished = 2, $outputmode = 0, $socid = 0, $showempty = '1', $forcecombo = 0, $morecss = '', $hidepriceinlabel = 0, $warehouseStatus = '')

     {

         // phpcs:enable

dolibarr/htdocs/viewimage.php

Indentation +75 added lines, -75 removed lines

@@ -40,23 +40,23 @@ 
 // Note that only directory logo is free to access without login.

 if (isset($_GET["modulepart"]) && $_GET["modulepart"] == 'mycompany' && preg_match('/^\/?logos\//', $_GET['file']))

 {

-	if (! defined("NOLOGIN"))		define("NOLOGIN",1);

-	if (! defined("NOCSRFCHECK"))	define("NOCSRFCHECK",1);	// We accept to go on this page from external web site.

-	if (! defined("NOIPCHECK"))		define("NOIPCHECK",1);		// Do not check IP defined into conf $dolibarr_main_restrict_ip

+    if (! defined("NOLOGIN"))		define("NOLOGIN",1);

+    if (! defined("NOCSRFCHECK"))	define("NOCSRFCHECK",1);	// We accept to go on this page from external web site.

+    if (! defined("NOIPCHECK"))		define("NOIPCHECK",1);		// Do not check IP defined into conf $dolibarr_main_restrict_ip

 }

 // For direct external download link, we don't need to load/check we are into a login session

 if (isset($_GET["hashp"]) && ! defined("NOLOGIN"))

 {

-	if (! defined("NOLOGIN"))		define("NOLOGIN",1);

-	if (! defined("NOCSRFCHECK"))	define("NOCSRFCHECK",1);	// We accept to go on this page from external web site.

-	if (! defined("NOIPCHECK"))		define("NOIPCHECK",1);		// Do not check IP defined into conf $dolibarr_main_restrict_ip

+    if (! defined("NOLOGIN"))		define("NOLOGIN",1);

+    if (! defined("NOCSRFCHECK"))	define("NOCSRFCHECK",1);	// We accept to go on this page from external web site.

+    if (! defined("NOIPCHECK"))		define("NOIPCHECK",1);		// Do not check IP defined into conf $dolibarr_main_restrict_ip

 }

 // Some value of modulepart can be used to get resources that are public so no login are required.

 if ((isset($_GET["modulepart"]) && $_GET["modulepart"] == 'medias'))

 {

-	if (! defined("NOLOGIN"))		define("NOLOGIN",1);

-	if (! defined("NOCSRFCHECK"))	define("NOCSRFCHECK",1);	// We accept to go on this page from external web site.

-	if (! defined("NOIPCHECK"))		define("NOIPCHECK",1);		// Do not check IP defined into conf $dolibarr_main_restrict_ip

+    if (! defined("NOLOGIN"))		define("NOLOGIN",1);

+    if (! defined("NOCSRFCHECK"))	define("NOCSRFCHECK",1);	// We accept to go on this page from external web site.

+    if (! defined("NOIPCHECK"))		define("NOIPCHECK",1);		// Do not check IP defined into conf $dolibarr_main_restrict_ip

 }

 

 // For multicompany

@@ -125,43 +125,43 @@ 
 // If we have a hash public (hashp), we guess the original_file.

 if (! empty($hashp))

 {

-	include_once DOL_DOCUMENT_ROOT.'/ecm/class/ecmfiles.class.php';

-	$ecmfile=new EcmFiles($db);

-	$result = $ecmfile->fetch(0, '', '', '', $hashp);

-	if ($result > 0)

-	{

-		$tmp = explode('/', $ecmfile->filepath, 2);		// $ecmfile->filepath is relative to document directory

-		// filepath can be 'users/X' or 'X/propale/PR11111'

-		if (is_numeric($tmp[0])) // If first tmp is numeric, it is subdir of company for multicompany, we take next part.

-		{

-			$tmp = explode('/', $tmp[1], 2);

-		}

-		$moduleparttocheck = $tmp[0];	// moduleparttocheck is first part of path

-

-		if ($modulepart)	// Not required, so often not defined, for link using public hashp parameter.

-		{

-			if ($moduleparttocheck == $modulepart)

-			{

-				// We remove first level of directory

-				$original_file = (($tmp[1]?$tmp[1].'/':'').$ecmfile->filename);		// this is relative to module dir

-				//var_dump($original_file); exit;

-			}

-			else

-			{

-				accessforbidden('Bad link. File is from another module part.',0,0,1);

-			}

-		}

-		else

-		{

-			$modulepart = $moduleparttocheck;

-			$original_file = (($tmp[1]?$tmp[1].'/':'').$ecmfile->filename);		// this is relative to module dir

-		}

-	}

-	else

-	{

-		$langs->load("errors");

-		accessforbidden($langs->trans("ErrorFileNotFoundWithSharedLink"),0,0,1);

-	}

+    include_once DOL_DOCUMENT_ROOT.'/ecm/class/ecmfiles.class.php';

+    $ecmfile=new EcmFiles($db);

+    $result = $ecmfile->fetch(0, '', '', '', $hashp);

+    if ($result > 0)

+    {

+        $tmp = explode('/', $ecmfile->filepath, 2);		// $ecmfile->filepath is relative to document directory

+        // filepath can be 'users/X' or 'X/propale/PR11111'

+        if (is_numeric($tmp[0])) // If first tmp is numeric, it is subdir of company for multicompany, we take next part.

+        {

+            $tmp = explode('/', $tmp[1], 2);

+        }

+        $moduleparttocheck = $tmp[0];	// moduleparttocheck is first part of path

+

+        if ($modulepart)	// Not required, so often not defined, for link using public hashp parameter.

+        {

+            if ($moduleparttocheck == $modulepart)

+            {

+                // We remove first level of directory

+                $original_file = (($tmp[1]?$tmp[1].'/':'').$ecmfile->filename);		// this is relative to module dir

+                //var_dump($original_file); exit;

+            }

+            else

+            {

+                accessforbidden('Bad link. File is from another module part.',0,0,1);

+            }

+        }

+        else

+        {

+            $modulepart = $moduleparttocheck;

+            $original_file = (($tmp[1]?$tmp[1].'/':'').$ecmfile->filename);		// this is relative to module dir

+        }

+    }

+    else

+    {

+        $langs->load("errors");

+        accessforbidden($langs->trans("ErrorFileNotFoundWithSharedLink"),0,0,1);

+    }

 }

 

 // Define mime type

@@ -185,50 +185,50 @@ 
 

 if (! empty($hashp))

 {

-	$accessallowed = 1;					// When using hashp, link is public so we force $accessallowed

-	$sqlprotectagainstexternals = '';

+    $accessallowed = 1;					// When using hashp, link is public so we force $accessallowed

+    $sqlprotectagainstexternals = '';

 }

 else

 {

-	// Basic protection (against external users only)

-	if ($user->societe_id > 0)

-	{

-		if ($sqlprotectagainstexternals)

-		{

-			$resql = $db->query($sqlprotectagainstexternals);

-			if ($resql)

-			{

-				$num=$db->num_rows($resql);

-				$i=0;

-				while ($i < $num)

-				{

-					$obj = $db->fetch_object($resql);

-					if ($user->societe_id != $obj->fk_soc)

-					{

-						$accessallowed=0;

-						break;

-					}

-					$i++;

-				}

-			}

-		}

-	}

+    // Basic protection (against external users only)

+    if ($user->societe_id > 0)

+    {

+        if ($sqlprotectagainstexternals)

+        {

+            $resql = $db->query($sqlprotectagainstexternals);

+            if ($resql)

+            {

+                $num=$db->num_rows($resql);

+                $i=0;

+                while ($i < $num)

+                {

+                    $obj = $db->fetch_object($resql);

+                    if ($user->societe_id != $obj->fk_soc)

+                    {

+                        $accessallowed=0;

+                        break;

+                    }

+                    $i++;

+                }

+            }

+        }

+    }

 }

 

 // Security:

 // Limit access if permissions are wrong

 if (! $accessallowed)

 {

-	accessforbidden();

+    accessforbidden();

 }

 

 // Security:

 // On interdit les remontees de repertoire ainsi que les pipe dans les noms de fichiers.

 if (preg_match('/\.\./',$fullpath_original_file) || preg_match('/[<>|]/',$fullpath_original_file))

 {

-	dol_syslog("Refused to deliver file ".$fullpath_original_file);

-	print "ErrorFileNameInvalid: ".$original_file;

-	exit;

+    dol_syslog("Refused to deliver file ".$fullpath_original_file);

+    print "ErrorFileNameInvalid: ".$original_file;

+    exit;

 }