Csrf #200
@@ -515,6 +515,8 @@ function init_myfunc() | |||
dol_print_error($db); | |||
} | |||
print '</table>'."\n"; | |||
print '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>'; |
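Review bot: `$token` is concatenated straight into the `value` attribute on the last line of this hunk with no escaping; write it as `value="'.dol_escape_htmltag($token).'"/>` so the attribute stays well-formed whatever the token helper returns. The same unescaped construction is repeated in the @@ -492, @@ -105, @@ -556, @@ -758 and @@ -1155 hunks. Each of them also reuses `id="csrf-token"`, so a page that renders more than one of these forms ends up with duplicate element ids; the id is not needed for submission and could be dropped. Where `$token` is assigned is not visible in this hunk, and a hidden field only protects the form if the POST handler actually compares it against the session token, which this change does not show.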
Line exceeds 85 characters; contains 89 characters
@@ -492,6 +495,7 @@ | |||
// $sqlTailWhere .= ' AND fk_socpeople = \''.$userid.'\' and t.fk_statut = \'1\''; | |||
//} | |||
$Form = '<form name = "settings" action="?step=2" method = "POST" >'."\n\t"; | |||
$Form .= '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>'; |
Line exceeds 85 characters; contains 100 characters
@@ -105,6 +106,8 @@ | |||
$Form .= '<input type = "hidden" name = "socid" value = "'.$socid.'">'; | |||
$Form .= '<input type = "hidden" name = "invoicingMethod" value = "'.$mode.'">'; | |||
$Form .= '<input type = "hidden" name = "ts2Invoice" value = "'.$ts2Invoice.'">'; | |||
$Form .= '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>'; |
Line exceeds 85 characters; contains 100 characters
if (!empty($querryRes))$form_output .= | ||
'<a class = "butAction" href="?action=reportproject&dateStart=' | ||
.dol_print_date($dateStart, 'dayxcard').'&dateEnd=' | ||
.dol_print_date($dateEnd, 'dayxcard').'&projectSelected='.$projectSelectedId | ||
.'&mode='.$mode.'&invoicabletaskOnly='.$invoicabletaskOnly | ||
."&hidetab=".$hidetab.'&ungroup='.$ungroup.'" >'.$langs->trans('Refresh').'</a>'; | ||
."&hidetab=".$hidetab.'&ungroup='.$ungroup.'&token='.$token.'" >'.$langs->trans('Refresh').'</a>'; |
Line exceeds 85 characters; contains 102 characters
if (!empty($querryRes) && $conf->global->MAIN_MODULE_EXPORT)$form_output .= | ||
'<a class = "butAction" href="?action=getExport&dateStart=' | ||
.dol_print_date($dateStart, 'dayxcard').'&dateEnd=' | ||
.dol_print_date($dateEnd, 'dayxcard').'&projectSelected='.$projectSelectedId | ||
.'&mode='.$mode.'&model='.$model.'&invoicabletaskOnly='.$invoicabletaskOnly | ||
."&hidetab=".$hidetab.'&ungroup='.$ungroup.'" >'.$langs->trans('Export').'</a>'; | ||
."&hidetab=".$hidetab.'&ungroup='.$ungroup.'&token='.$token.'" >'.$langs->trans('Export').'</a>'; |
Line exceeds 85 characters; contains 101 characters
@@ -556,6 +556,7 @@ function init_myfunc() | |||
//print_barre_liste function defined in /core/lib/function.lib.php, possible to add a picto | |||
print_barre_liste($langs->trans("Timesheetuser"), $page, $PHP_SELF, $param, $sortfield, $sortorder, '', $num, $nbtotalofrecords); | |||
print '<form method = "POST" action = "'.$_SERVER["PHP_SELF"].'">'; | |||
print '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>'; |
Line exceeds 85 characters; contains 97 characters
Line indented incorrectly; expected at least 16 spaces, found 12
@@ -758,6 +758,9 @@ public function getHTMLGetOtherUserTs($idsList, $selected, $admin) | |||
$HTML .= $form->select_dolusers($selected, 'userid'); | |||
} | |||
$HTML .= '<input type = "submit" value = "'.$langs->trans('Submit').'"/></form> '; | |||
//FIXME should take token as input | |||
$token = getToken(); | |||
$HTML .= '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>'; |
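Review bot: The hidden token field is appended after the `</form> ` that the submit line three lines above already closes, so it sits outside the form and is never sent with the POST; move the two new lines above the submit line, i.e. `$token = getToken();` then `$HTML .= '<input type="hidden" name="token" value="'.dol_escape_htmltag($token).'"/>';` followed by the existing submit/`</form>` line. This same hunk is quoted again under the next two comments, and the @@ -1155 hunk repeats the `getToken()` call, where its position relative to the form's closing tag is not visible. As the FIXME itself says, the token should be passed in — adding `$token = ''` as a fourth parameter keeps existing callers working — and since Dolibarr core exposes `newToken()` rather than `getToken()`, it is worth confirming that `getToken()` is a helper this module defines. getHTMLGetOtherUserTs continues outside the hunk on both sides.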
Line exceeds 85 characters; contains 92 characters
Line indented incorrectly; expected at least 8 spaces, found 4
@@ -758,6 +758,9 @@ public function getHTMLGetOtherUserTs($idsList, $selected, $admin) | |||
$HTML .= $form->select_dolusers($selected, 'userid'); | |||
} | |||
$HTML .= '<input type = "submit" value = "'.$langs->trans('Submit').'"/></form> '; | |||
//FIXME should take token as input | |||
$token = getToken(); |
Line indented incorrectly; expected at least 8 spaces, found 4
@@ -758,6 +758,9 @@ public function getHTMLGetOtherUserTs($idsList, $selected, $admin) | |||
$HTML .= $form->select_dolusers($selected, 'userid'); | |||
} | |||
$HTML .= '<input type = "submit" value = "'.$langs->trans('Submit').'"/></form> '; | |||
//FIXME should take token as input |
Line indented incorrectly; expected at least 8 spaces, found 4
@@ -1155,7 +1147,12 @@ public function getHTMLGetOtherUserTs($idsList, $selected, $admin) | |||
} else{ | |||
$HTML .= $form->select_dolusers($selected, 'userid'); | |||
} | |||
//FIXME should take token as input | |||
$token = getToken(); | |||
$HTML .= '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>'; |
Line exceeds 85 characters; contains 96 characters
//} else{ | ||
$Nav .= '<a href="?dateStart='.getStartDate($this->date_start, 1).$tail; | ||
//} | ||
$Nav .= '<a href="?dateStart='.getStartDate($this->date_start, 1).$tail; |
Line indented incorrectly; expected at least 8 spaces, found 4
$Nav .= '<form name = "goToDate" action="?action=goToDate'.$tail.'" method = "POST" >'."\n\t\t\t"; | ||
//FIXME should take token as input | ||
$token = getToken(); | ||
$Nav .= '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>'; |
Line exceeds 85 characters; contains 91 characters
Line indented incorrectly; expected at least 8 spaces, found 4
//} | ||
$Nav .= '<form name = "goToDate" action="?action=goToDate'.$tail.'" method = "POST" >'."\n\t\t\t"; | ||
//FIXME should take token as input | ||
$token = getToken(); |
Line indented incorrectly; expected at least 8 spaces, found 4
$Nav .= '<form name = "goToDate" action="?action=goToDate'.$tail.'" method = "POST" >'."\n\t\t\t"; | ||
//} | ||
$Nav .= '<form name = "goToDate" action="?action=goToDate'.$tail.'" method = "POST" >'."\n\t\t\t"; | ||
//FIXME should take token as input |
Line indented incorrectly; expected at least 8 spaces, found 4
//} else{ | ||
$Nav .= '<form name = "goToDate" action="?action=goToDate'.$tail.'" method = "POST" >'."\n\t\t\t"; | ||
//} | ||
$Nav .= '<form name = "goToDate" action="?action=goToDate'.$tail.'" method = "POST" >'."\n\t\t\t"; |
Line exceeds 85 characters; contains 102 characters
Line indented incorrectly; expected at least 8 spaces, found 4
$sqlweek = "SELECT SUM(pt.task_duration)/3600 as duration, TO_CHAR(generate_series, 'YYYYWW') as week, u.weeklyhours | ||
FROM generate_series(DATE_TRUNC('week', (now() - INTERVAL '".$conf->global->TIMESHEET_OVERTIME_CHECK_WEEKS." week'))::timestamp, DATE_TRUNC('week', (now() - INTERVAL '1 WEEK' ))::timestamp, interval '1 week') | ||
LEFT JOIN llx_projet_task_time pt ON (generate_series = DATE_TRUNC('week',pt.task_date)) | ||
LEFT JOIN llx_user u on (pt.fk_user = ".$userid.") WHERE pt.fk_user = ".$userid." OR pt.fk_user is null |
Line exceeds 85 characters; contains 120 characters
GROUP BY generate_series;"; | ||
$sqlweek = "SELECT SUM(pt.task_duration)/3600 as duration, TO_CHAR(generate_series, 'YYYYWW') as week, u.weeklyhours | ||
FROM generate_series(DATE_TRUNC('week', (now() - INTERVAL '".$conf->global->TIMESHEET_OVERTIME_CHECK_WEEKS." week'))::timestamp, DATE_TRUNC('week', (now() - INTERVAL '1 WEEK' ))::timestamp, interval '1 week') | ||
LEFT JOIN llx_projet_task_time pt ON (generate_series = DATE_TRUNC('week',pt.task_date)) |
Line exceeds 85 characters; contains 105 characters
WHERE pt.fk_user = ".$userid." OR pt.fk_user is null | ||
GROUP BY generate_series;"; | ||
$sqlweek = "SELECT SUM(pt.task_duration)/3600 as duration, TO_CHAR(generate_series, 'YYYYWW') as week, u.weeklyhours | ||
FROM generate_series(DATE_TRUNC('week', (now() - INTERVAL '".$conf->global->TIMESHEET_OVERTIME_CHECK_WEEKS." week'))::timestamp, DATE_TRUNC('week', (now() - INTERVAL '1 WEEK' ))::timestamp, interval '1 week') |
Line exceeds 85 characters; contains 225 characters
LEFT JOIN llx_user u on pt.fk_user = ".$userid." | ||
WHERE pt.fk_user = ".$userid." OR pt.fk_user is null | ||
GROUP BY generate_series;"; | ||
$sqlweek = "SELECT SUM(pt.task_duration)/3600 as duration, TO_CHAR(generate_series, 'YYYYWW') as week, u.weeklyhours |
Line exceeds 85 characters; contains 133 characters
No description provided.