Merge remote-tracking branch 'Upstream/develop' into develop-cheque

ChangeLog

@@ -136,6 +136,7 @@ For users:
 - Fix: Iban was used instead of Bic into SEPA file.
 - Fix: Must unaccent strings into SEPA file.
 - Fix: Extrafield feature select from table should try to translate multiple column when not needed 
+- Fix: cents for indian ruppes are calle paisa and paise.
 
 ***** ChangeLog for 3.6 compared to 3.5.* *****
 For users:
@@ -269,9 +270,16 @@ Fix: When disabled, all fields to add time into task line must be disabled.
 Fix: Missing include files.lib.php in some pages that use dol_delete_recursive
 Fix: [ bug #1558 ] Product/service edit page title shows new Ref instead of old ref.
 Fix: [ bug #1553 ] Saving User displays setup removes menu.
-Fix: [ bug #1544 ] Can remove date from invoice
-Fix: list event view lost type event filter
-Fix: Add code save on create event
+Fix: [ bug #1544 ] Can remove date from invoice.
+Fix: list event view lost type event filter.
+Fix: Add code save on create event.
+Fix: SQL injection.
+Fix: [ bug #1589 ] Menu type in "Edit menu" page is not translated
+Fix: [ bug #1591 ] Linked object block shows Total HT/TTC even if not having permission to read them
+Fix: [ bug #1577 ] When creating new Private individual third, selected third type is ignored
+Fix: [ bug #1555 ] Update accountancy code of products does not throw PRODUCT_MODIFY trigger
+Fix: [ bug #1548 ] Supplier payment card shows type in French
+Fix: [ bug #1546 ] Incorrect page number when searching in the list of bank transactions
 
 ***** ChangeLog for 3.5.4 compared to 3.5.3 *****
 Fix: Hide title of event when agenda module disabled.

build/debian/control

@@ -39,7 +39,7 @@ Description: Web based software to manage a company or foundation
  It's a web software you can install as a standalone program or on any web
  hosting provider to use it from anywhere with any web browser.
  .
- Dolibarr was designed to be easy to use. Only the features that you need 
+ Dolibarr was designed to be easy to use. Only the features that you need
  are visible, depending on which modules were activated.
  .
  This is an example of most common used modules:

build/debian/copyright

@@ -61,7 +61,7 @@ License: GPL-3+
 Files: htdocs/includes/adodbtime/*
 Copyright: 2003-2005, John Lim
            unknown, jackbbs
-License: BSD
+License: BSD-3-Clause
  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions
  are met:
@@ -272,7 +272,7 @@ Comment:
 
 Files: htdocs/includes/jquery/plugins/flot/*
 Copyright: Flot team
-License: Public Domain
+License: Public-Domain
  This work is not subject to copyright in any jurisdiction
 Comment:
  Those files are not shipped in the binary package because we configure

build/debian/get-orig-source.sh

@@ -7,40 +7,20 @@ tmpdir=$(mktemp -d)
 if [ -n "$1" ]; then
     uscan_opts="--download-version=$1"
 fi
-#uscan --noconf --force-download --no-symlink --destdir=$tmpdir $uscan_opts
+#uscan --noconf --force-download --no-symlink --verbose --destdir=$tmpdir $uscan_opts
 
 cd $tmpdir
 
 # Other method to download (comment uscan if you use this)
-wget http://sourceforge.net/projects/tcpdf/files/tcpdf_6_0_093.zip
+wget http://www.dolibarr.org/files/stable/standard/dolibarr-3.5.4.tgz
 
 # Rename file to add +dfsg
-zipfile=$(echo *.zip)
-version=$(echo "$zipfile" | perl -pi -e 's/^tcpdf_//; s/\.zip$//; s/_/./g; s/$/+dfsg/;')
-
-# Extract the zip file
-unzip -q $zipfile
-srcdir=$(find . -maxdepth 1 -mindepth 1 -type d | sed -e 's/\.\///')
-
-if [ ! -d "$srcdir" ]; then
-    echo "ERROR: Failed to identify the extracted directory in $tmpdir (got $srcdir)" >&2
-    rm -rf $tmpdir
-    exit 1
-fi
-
-# Cleanup unwanted files
-rm -rf $srcdir/fonts/free*
-
-# Repack as tar.xz
-tar Jcf tcpdf_${version}.orig.tar.xz $srcdir
+tgzfile=$(echo *.tgz)
+version=$(echo "$tgzfile" | perl -pi -e 's/^dolibarr-//; s/\.tgz$//; s/_/./g; s/\+nmu1//; ')
 
 cd - >/dev/null
 
-if [ -e ../tcpdf_${version}.orig.tar.xz ]; then
-    echo "Not overwriting ../tcpdf_${version}.orig.tar.xz";
-else
-    echo "Created ../tcpdf_${version}.orig.tar.xz"
-    mv $tmpdir/tcpdf_${version}.orig.tar.xz ../
-fi
+mv $tmpdir/dolibarr-${version}.tgz ../
+echo "File ../dolibarr-${version}.tgz is ready for git-import-orig"
 
 rm -rf $tmpdir

htdocs/adherents/class/adherent.class.php

@@ -1070,7 +1070,7 @@ function fetch($rowid,$ref='',$fk_soc='',$ref_ext='')
         if ($rowid) $sql.= " AND d.rowid=".$rowid;
         elseif ($ref || $fk_soc) {
         	$sql.= " AND d.entity IN (".getEntity().")";
-        	if ($ref) $sql.= " AND d.rowid='".$ref."'";
+        	if ($ref) $sql.= " AND d.rowid='".$this->db->escape($ref)."'";
         	elseif ($fk_soc) $sql.= " AND d.fk_soc='".$fk_soc."'";
         }
         elseif ($ref_ext)

htdocs/admin/menus/edit.php

@@ -316,7 +316,7 @@ function init_topleft()
     print '<tr><td class="fieldrequired">'.$langs->trans('Type').'</td><td>';
     if ($parent_rowid)
     {
-        print 'Left';
+        print $langs->trans('Left');
         print '<input type="hidden" name="type" value="left">';
     }
     else

htdocs/cashdesk/index.php

@@ -39,6 +39,7 @@
 }
 
 $usertxt=GETPOST('user','',1);
+$err=GETPOST("err");
 
 
 /*
@@ -64,7 +65,7 @@
 
 <div class="contenu">
 <div class="principal_login">
-<?php if (! empty($_GET["err"])) print $_GET["err"]."<br><br>\n"; ?>
+<?php if ($err) print dol_escape_htmltag($err)."<br><br>\n"; ?>
 <fieldset class="cadre_facturation"><legend class="titre1"><?php echo $langs->trans("Identification"); ?></legend>
 <form id="frmLogin" method="POST" action="index_verif.php">
 	<input type="hidden" name="token" value="<?php echo $_SESSION['newtoken']; ?>" />

htdocs/comm/propal/class/propal.class.php

@@ -1069,7 +1069,7 @@ function fetch($rowid,$ref='')
         $sql.= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_input_reason as dr ON p.fk_input_reason = dr.rowid';
         $sql.= " WHERE p.fk_statut = c.id";
         $sql.= " AND p.entity = ".$conf->entity;
-        if ($ref) $sql.= " AND p.ref='".$ref."'";
+        if ($ref) $sql.= " AND p.ref='".$this->db->escape($ref)."'";
         else $sql.= " AND p.rowid=".$rowid;
 
         dol_syslog(get_class($this)."::fetch", LOG_DEBUG);

htdocs/comm/propal/tpl/linkedobjectblock.tpl.php

@@ -1,6 +1,7 @@
 <?php
 /* Copyright (C) 2010-2011  Regis Houssin <regis.houssin@capnetworks.com>
- * Copyright (C) 2013		Juanjo Menent <jmenent@2byte.es>
+ * Copyright (C) 2013       Juanjo Menent <jmenent@2byte.es>
+ * Copyright (C) 2014       Marcos García <marcosgdf@gmail.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -27,6 +28,8 @@
 
 <?php
 
+global $user;
+
 $langs = $GLOBALS['langs'];
 $linkedObjectBlock = $GLOBALS['linkedObjectBlock'];
 
@@ -52,17 +55,23 @@
 	<a href="<?php echo DOL_URL_ROOT.'/comm/propal.php?id='.$object->id ?>"><?php echo img_object($langs->trans("ShowPropal"),"propal").' '.$object->ref; ?></a></td>
 	<td><?php echo $object->ref_client; ?></td>
 	<td align="center"><?php echo dol_print_date($object->date,'day'); ?></td>
-	<td align="right"><?php echo price($object->total_ht); ?></td>
+	<td align="right"><?php
+		if ($user->rights->propale->lire) {
+			$total = $total + $object->total_ht;
+			echo price($object->total_ht);
+		} ?></td>
 	<td align="right"><?php echo $object->getLibStatut(3); ?></td>
 </tr>
 <?php
-$total = $total + $object->total_ht;
 }
 
 ?>
 <tr class="liste_total">
 	<td align="left" colspan="3"><?php echo $langs->trans('TotalHT'); ?></td>
-	<td align="right"><?php echo price($total); ?></td>
+	<td align="right"><?php
+		if ($user->rights->propale->lire) {
+			echo price($total);
+		} ?></td>
 	<td>&nbsp;</td>
 </tr>
 </table>

htdocs/commande/info.php

@@ -34,7 +34,7 @@
 
 // Security check
 $socid=0;
-$comid = isset($_GET["id"])?$_GET["id"]:'';
+$comid = GETPOST("id",'int');
 if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,'commande',$comid,'');
 
@@ -47,8 +47,8 @@
 llxHeader('',$langs->trans('Order'),'EN:Customers_Orders|FR:Commandes_Clients|ES:Pedidos de clientes');
 
 $commande = new Commande($db);
-$commande->fetch($_GET["id"]);
-$commande->info($_GET["id"]);
+$commande->fetch($comid);
+$commande->info($comid);
 $soc = new Societe($db);
 $soc->fetch($commande->socid);
 

htdocs/commande/orderstoinvoice.php

@@ -45,7 +45,7 @@
 if (! $user->rights->facture->creer)
 	accessforbidden();
 
-$id				= (GETPOST('id')?GETPOST("id"):GETPOST("facid"));  // For backward compatibility
+$id				= (GETPOST('id')?GETPOST('id','int'):GETPOST("facid"));  // For backward compatibility
 $ref			= GETPOST('ref','alpha');
 $action			= GETPOST('action','alpha');
 $confirm		= GETPOST('confirm','alpha');

htdocs/commande/tpl/linkedobjectblock.tpl.php

@@ -1,6 +1,7 @@
 <?php
 /* Copyright (C) 2010-2011	Regis Houssin <regis.houssin@capnetworks.com>
  * Copyright (C) 2013		Juanjo Menent <jmenent@2byte.es>
+ * Copyright (C) 2014       Marcos García <marcosgdf@gmail.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -22,6 +23,8 @@
 
 <?php
 
+global $user;
+
 $langs = $GLOBALS['langs'];
 $linkedObjectBlock = $GLOBALS['linkedObjectBlock'];
 
@@ -47,17 +50,23 @@
 <tr <?php echo $GLOBALS['bc'][$var]; ?> ><td>
 	<a href="<?php echo DOL_URL_ROOT.'/commande/fiche.php?id='.$object->id ?>"><?php echo img_object($langs->trans("ShowOrder"),"order").' '.$object->ref; ?></a></td>
 	<td align="center"><?php echo dol_print_date($object->date,'day'); ?></td>
-	<td align="right"><?php echo price($object->total_ht); ?></td>
+	<td align="right"><?php
+		if ($user->rights->commande->lire) {
+			$total = $total + $object->total_ht;
+			echo price($object->total_ht);
+		} ?></td>
 	<td align="right"><?php echo $object->getLibStatut(3); ?></td>
 </tr>
 <?php
-$total = $total + $object->total_ht;
 }
 
 ?>
 <tr class="liste_total">
 	<td align="left" colspan="2"><?php echo $langs->trans('TotalHT'); ?></td>
-	<td align="right"><?php echo price($total); ?></td>
+	<td align="right"><?php
+		if ($user->rights->commande->lire) {
+			echo price($total);
+		} ?></td>
 	<td>&nbsp;</td>
 </tr>
 </table>

htdocs/compta/bank/account.php

@@ -5,7 +5,7 @@
  * Copyright (C) 2004      Christophe Combelles <ccomb@free.fr>
  * Copyright (C) 2005-2012 Regis Houssin        <regis.houssin@capnetworks.com>
  * Copyright (C) 2010-2011 Juanjo Menent        <jmenent@@2byte.es>
- * Copyright (C) 2012      Marcos García        <marcosgdf@gmail.com>
+ * Copyright (C) 2012-2014 Marcos García        <marcosgdf@gmail.com>
  * Copyright (C) 2011-2014 Alexandre Spangaro   <alexandre.spangaro@gmail.com>
  *
  * This program is free software; you can redistribute it and/or modify
@@ -268,17 +268,22 @@
 	//Total pages
 	$totalPages = ceil($total_lines/$viewline);
 
-	if ($page > 0)
-	{
-		$limitsql = ($totalPages - $page) * $viewline;
-		if ($limitsql < $viewline) $limitsql = $viewline;
-		$nbline = $limitsql;
-	}
-	else
-	{
+	if ($totalPages == 0) {
 		$page = 0;
-		$limitsql = $nbline;
+	} else {
+
+		if ($page > 0) {
+			$limitsql = ($totalPages - $page) * $viewline;
+			if ($limitsql < $viewline) {
+				$limitsql = $viewline;
+			}
+			$nbline = $limitsql;
+		} else {
+			$page = 0;
+			$limitsql = $nbline;
+		}
 	}
+
 	//print $limitsql.'-'.$page.'-'.$viewline;
 
 	// Onglets
@@ -474,7 +479,7 @@
 		// VAT
 		$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."bank_url as bu2 ON bu2.fk_bank = b.rowid AND bu2.type='payment_vat'";
 		$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."tva as t ON bu2.url_id = t.rowid";
-		
+
 		// Salary payment
 		$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."bank_url as bu3 ON bu3.fk_bank = b.rowid AND bu3.type='payment_salary'";
 		$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."payment_salary as sal ON bu3.url_id = sal.rowid";

htdocs/compta/bank/bankid_fr.php

@@ -34,7 +34,7 @@
 $langs->load("bills");
 
 $action=GETPOST('action');
-$id=GETPOST('id');
+$id=GETPOST('id','int');
 $ref=GETPOST('ref');
 
 // Security check

htdocs/compta/facture/tpl/linkedobjectblock.tpl.php

@@ -1,6 +1,7 @@
 <?php
 /* Copyright (C) 2010-2011	Regis Houssin <regis.houssin@capnetworks.com>
  * Copyright (C) 2013		Juanjo Menent <jmenent@2byte.es>
+ * Copyright (C) 2014       Marcos García <marcosgdf@gmail.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -22,6 +23,8 @@
 
 <?php
 
+global $user;
+
 $langs = $GLOBALS['langs'];
 $linkedObjectBlock = $GLOBALS['linkedObjectBlock'];
 
@@ -47,16 +50,22 @@
 <tr <?php echo $GLOBALS['bc'][$var]; ?> ><td>
 	<a href="<?php echo DOL_URL_ROOT.'/compta/facture.php?facid='.$object->id ?>"><?php echo img_object($langs->trans("ShowBill"),"bill").' '.$object->ref; ?></a></td>
 	<td align="center"><?php echo dol_print_date($object->date,'day'); ?></td>
-	<td align="right"><?php echo price($object->total_ht); ?></td>
+	<td align="right"><?php
+		if ($user->rights->facture->lire) {
+			$total = $total + $object->total_ht;
+			echo price($object->total_ht);
+		} ?></td>
 	<td align="right"><?php echo $object->getLibStatut(3); ?></td>
 </tr>
 <?php
-$total = $total + $object->total_ht;
 }
 ?>
 <tr class="liste_total">
 	<td align="left" colspan="2"><?php echo $langs->trans("TotalHT"); ?></td>
-	<td align="right"><?php echo price($total); ?></td>
+	<td align="right"><?php
+		if ($user->rights->facture->lire) {
+			echo price($total);
+		} ?></td>
 	<td>&nbsp;</td>
 </tr>
 </table>

htdocs/compta/prelevement/class/bonprelevement.class.php

@@ -914,7 +914,7 @@ function Create($banque=0, $agence=0, $mode='real')
                 $sql = "INSERT INTO ".MAIN_DB_PREFIX."prelevement_bons (";
                 $sql.= " ref, entity, datec";
                 $sql.= ") VALUES (";
-                $sql.= "'".$ref."'";
+                $sql.= "'".$this->db->escape($ref)."'";
                 $sql.= ", ".$conf->entity;
                 $sql.= ", '".$this->db->idate($now)."'";
                 $sql.= ")";