Csrf #200
Csrf #200
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -25,6 +25,7 @@ | |
include 'core/lib/includeMain.lib.php'; | ||
include 'core/lib/generic.lib.php'; | ||
include 'core/lib/timesheet.lib.php'; | ||
$token = getToken(); | ||
require_once DOL_DOCUMENT_ROOT .'/core/lib/functions.lib.php'; | ||
require_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php'; | ||
require_once DOL_DOCUMENT_ROOT.'/core/class/html.form.class.php'; | ||
|
@@ -105,6 +106,8 @@ | |
$Form .= '<input type = "hidden" name = "socid" value = "'.$socid.'">'; | ||
$Form .= '<input type = "hidden" name = "invoicingMethod" value = "'.$mode.'">'; | ||
$Form .= '<input type = "hidden" name = "ts2Invoice" value = "'.$ts2Invoice.'">'; | ||
$Form .= '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>'; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Line exceeds 85 characters; contains 100 characters |
||
|
||
$resql = $db->query($sql); | ||
$num = 0; | ||
$resArray = array(); | ||
|
@@ -492,6 +495,7 @@ | |
// $sqlTailWhere .= ' AND fk_socpeople = \''.$userid.'\' and t.fk_statut = \'1\''; | ||
//} | ||
$Form = '<form name = "settings" action="?step=2" method = "POST" >'."\n\t"; | ||
$Form .= '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>'; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Line exceeds 85 characters; contains 100 characters |
||
$Form .= '<table class = "noborder" width = "100%">'."\n\t\t"; | ||
$Form .= '<tr class = "liste_titre" width = "100%" ><th colspan = "2">' | ||
.$langs->trans('generalInvoiceProjectParam').'</th></tr>'; | ||
|
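Review bot: The hidden `token` fields added at lines 34 and 47 only stop CSRF if the POST handlers for these forms, which are not in this diff, reject a request whose `token` is absent or does not match the value `getToken()` stored in the session; nothing in this change adds such a check. If the module relies on Dolibarr's core check in main.inc.php, be aware that older releases only compare when `$_POST['token']` is present, so an attacker can simply omit the field. An explicit guard at the top of each action handler is cheap, e.g. `if ($_SERVER['REQUEST_METHOD'] == 'POST' && (empty($_POST['token']) || !hash_equals((string) getToken(), (string) $_POST['token']))) accessforbidden();` — adjust the reference value to whatever `getToken()` actually compares against, since its definition is not visible here. `hash_equals()` also avoids a timing side channel on the comparison.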
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -228,6 +228,9 @@ | |
<td></td> | ||
</tr> | ||
<tr >'; | ||
$token = getToken(); | ||
$form_output .= '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>'; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Line exceeds 85 characters; contains 95 characters |
||
|
||
|
||
if($hidetab == 1){ | ||
$form_output .='<td><select name = "projectSelected">'; | ||
|
@@ -295,19 +298,19 @@ | |
.dol_print_date($dateStart, 'dayxcard').'&dateEnd=' | ||
.dol_print_date($dateEnd, 'dayxcard').'&projectSelected=' | ||
.$projectSelectedId.'&mode='.$mode.'&invoicabletaskOnly='.$invoicabletaskOnly | ||
."&hidetab=".$hidetab.'&ungroup='.$ungroup.'" >'.$langs->trans('TimesheetPDF').'</a>'; | ||
."&hidetab=".$hidetab.'&ungroup='.$ungroup.'&token='.$token.'" >'.$langs->trans('TimesheetPDF').'</a>'; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Line exceeds 85 characters; contains 107 characters |
||
if (!empty($querryRes) && $conf->global->MAIN_MODULE_EXPORT)$form_output .= | ||
'<a class = "butAction" href="?action=getExport&dateStart=' | ||
.dol_print_date($dateStart, 'dayxcard').'&dateEnd=' | ||
.dol_print_date($dateEnd, 'dayxcard').'&projectSelected='.$projectSelectedId | ||
.'&mode='.$mode.'&model='.$model.'&invoicabletaskOnly='.$invoicabletaskOnly | ||
."&hidetab=".$hidetab.'&ungroup='.$ungroup.'" >'.$langs->trans('Export').'</a>'; | ||
."&hidetab=".$hidetab.'&ungroup='.$ungroup.'&token='.$token.'" >'.$langs->trans('Export').'</a>'; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Line exceeds 85 characters; contains 101 characters |
||
if (!empty($querryRes))$form_output .= | ||
'<a class = "butAction" href="?action=reportproject&dateStart=' | ||
.dol_print_date($dateStart, 'dayxcard').'&dateEnd=' | ||
.dol_print_date($dateEnd, 'dayxcard').'&projectSelected='.$projectSelectedId | ||
.'&mode='.$mode.'&invoicabletaskOnly='.$invoicabletaskOnly | ||
."&hidetab=".$hidetab.'&ungroup='.$ungroup.'" >'.$langs->trans('Refresh').'</a>'; | ||
."&hidetab=".$hidetab.'&ungroup='.$ungroup.'&token='.$token.'" >'.$langs->trans('Refresh').'</a>'; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Line exceeds 85 characters; contains 102 characters |
||
$form_output .= '</form>'; | ||
if (!($optioncss != '' && !empty($_POST['userSelected']))) echo $form_output; | ||
echo $querryRes; | ||
|
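Review bot: Lines 77, 86 and 95 append the CSRF token to GET links, where it is exposed through the Referer header, browser history, proxy and server logs, and can then be replayed from an attacker's page. If `getpdf`, `getExport` and `reportproject` only read data they are not CSRF targets and the `&token=` suffix adds exposure without benefit; if any of them changes state it should become a POST form carrying the hidden field from line 62 instead. The token is also concatenated into the URL and into the attribute at line 62 without `urlencode()`/`dol_escape_htmltag()`; harmless if tokens are hex digests, but worth making explicit, e.g. `'&token='.urlencode($token)`. The enclosing function starts before this hunk.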
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -163,6 +163,9 @@ | |
<tr > | ||
<td> | ||
'; | ||
$token = getToken(); | ||
$form_output .= '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>'; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Line exceeds 85 characters; contains 95 characters |
||
|
||
if($admin){ | ||
$form_output .= $form->select_dolusers($userIdSelected, 'userSelected'); | ||
|
||
|
@@ -237,7 +240,7 @@ | |
.'&invoicabletaskOnly=' . $invoicabletaskOnly | ||
.'&ungroup=' . $ungroup | ||
.'&showAll=' . $show_all | ||
. '" >' . $langs->trans( 'Export' ) . '</a>'; | ||
. '&token='.$token.'" >' . $langs->trans( 'Export' ) . '</a>'; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Expected 0 spaces before closing bracket; 1 found |
||
} | ||
if ( ! empty( $querryRes ) ) { | ||
$form_output .= '<a class = "butAction" href="?action=getpdf&dateStart=' | ||
|
@@ -248,7 +251,7 @@ | |
. '&invoicabletaskOnly=' . $invoicabletaskOnly | ||
. '&ungroup=' . $ungroup | ||
. '&showAll=' . $show_all | ||
. '" >' . $langs->trans( 'PDF' ) . '</a>'; | ||
. '&token='.$token.'" >' . $langs->trans( 'PDF' ) . '</a>'; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Expected 0 spaces before closing bracket; 1 found |
||
} | ||
$form_output .= '</div></div></form>'; | ||
|
||
|
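Review bot: The hidden input at line 110 carries `id="csrf-token"`, the same id every other form in this PR uses, so a page that renders more than one of these forms ends up with duplicate DOM ids and any script calling `document.getElementById('csrf-token')` sees only the first one. The server reads the field by `name="token"`, so the id is unnecessary; drop it, e.g. `$form_output .= '<input type="hidden" name="token" value="'.$token.'"/>';`, or make it unique per form. The Export and PDF links at lines 125 and 137 also carry the token in the query string, which leaks it via Referer and logs; omit it for read-only actions. The enclosing function starts before this hunk.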
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -297,7 +297,7 @@ function getTStobeApproved($level, $offset, $role, $subId) | |
$sql .= ' ORDER BY YEAR(date_start) DESC, MONTH(date_start) DESC, fk_userid DESC'; | ||
} else { | ||
$sql .= ' ORDER BY date_part(\'year\', date_start) DESC, ' | ||
.'ate_part(\'month\', date_start) DESC, fk_userid DESC'; | ||
.'date_part(\'month\', date_start) DESC, fk_userid DESC'; | ||
} | ||
} | ||
$sql .= ' LIMIT '.$level; | ||
|
@@ -365,6 +365,8 @@ function getHTMLNavigation($optioncss, $selectList, $current = 0) | |
} | ||
$Nav .= "</th>\n\t\t<th>\n\t\t\t"; | ||
$Nav .= '<form name = "goTo" action="?action=goTo" method = "POST" >'."\n\t\t\t"; | ||
$Nav .= '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>'; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Line exceeds 85 characters; contains 91 characters |
||
|
||
$Nav .= $langs->trans("GoTo").': '.$htmlSelect."\n\t\t\t";; | ||
$Nav .= '<input type = "submit" value = "Go" /></form>'."\n\t\t</th>\n\t\t<th>\n\t\t\t"; | ||
if ($current<count($selectList)) { | ||
|
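Review bot: `$token` is used at line 162 inside `getHTMLNavigation($optioncss, $selectList, $current = 0)` but is neither a parameter nor, as far as this hunk shows, assigned locally or imported with `global`, so PHP will raise an undefined-variable notice and render an empty token, and the `goTo` form will fail any server-side check. The sibling method at line 195 fetches it with `$token = getToken();`; do the same here by inserting `$token = getToken();` before line 162, or add a trailing `$token = null` parameter and fall back to `getToken()` when it is null. If the function's opening lines, which are outside this hunk, already declare `$token`, disregard this note.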
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -556,6 +556,7 @@ function init_myfunc() | |
//print_barre_liste function defined in /core/lib/function.lib.php, possible to add a picto | ||
print_barre_liste($langs->trans("Timesheetuser"), $page, $PHP_SELF, $param, $sortfield, $sortorder, '', $num, $nbtotalofrecords); | ||
print '<form method = "POST" action = "'.$_SERVER["PHP_SELF"].'">'; | ||
print '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>'; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Line exceeds 85 characters; contains 97 characters |
||
print '<table class = "liste" style = "border-collapse:separate;" width = "100%">'."\n"; | ||
//TITLE | ||
print '<tr class = "liste_titre">'; | ||
|
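Review bot: The form that receives the token at line 178 posts to `$_SERVER["PHP_SELF"]` unescaped (context line 177), and reflecting `PHP_SELF` into an attribute is a well-known reflected-XSS vector via path info (`/page.php/"><script>…`); a script injected this way can read the hidden token from the DOM and defeat the protection being added. Escape it, e.g. `print '<form method = "POST" action = "'.dol_escape_htmltag($_SERVER["PHP_SELF"]).'">';`, or post to a fixed URL. Some Dolibarr versions sanitise `PHP_SELF` in main.inc.php, but I cannot confirm that from this diff. The hunk header names `init_myfunc()`, yet the code reads as page-level output; confirm `$token` is defined in whichever scope this block actually runs in.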
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -758,6 +758,9 @@ public function getHTMLGetOtherUserTs($idsList, $selected, $admin) | |
$HTML .= $form->select_dolusers($selected, 'userid'); | ||
} | ||
$HTML .= '<input type = "submit" value = "'.$langs->trans('Submit').'"/></form> '; | ||
//FIXME should take token as input | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Line indented incorrectly; expected at least 8 spaces, found 4 |
||
$token = getToken(); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Line indented incorrectly; expected at least 8 spaces, found 4 |
||
$HTML .= '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>'; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Line exceeds 85 characters; contains 92 characters |
||
|
||
return $HTML; | ||
} | ||
|
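Review bot: The hidden `token` input at line 198 is appended after the `</form>` closed on line 191, so it sits outside the form and is never submitted — the other-user selector still posts without a CSRF token. Move the added lines before the submit/`</form>` line, as the later version of the same method does at lines 266–272, i.e. `$token = getToken(); $HTML .= '<input type = "hidden" name = "token" value = "'.$token.'"/>';` followed by the existing submit line. Rather than leaving the FIXME, a trailing `$token = null` parameter with `if ($token === null) $token = getToken();` would let callers pass the page-level token. The method starts before this hunk.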
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -1061,33 +1061,25 @@ public function getHTMLNavigation($optioncss, $ajax = false) | |
global $langs, $conf; | ||
$form = new Form($this->db); | ||
$tail = ''; | ||
//$tail = '&wlm='.$this->whitelistmode; | ||
if (isset($conf->global->TIMESHEET_ADD_FOR_OTHER) | ||
&& $conf->global->TIMESHEET_ADD_FOR_OTHER == 1){ | ||
$tail = '&userid='.$this->userId; | ||
} | ||
$Nav = '<table class = "noborder" width = "50%">'."\n\t".'<tr>'."\n\t\t".'<th>'."\n\t\t\t"; | ||
if ($ajax) { | ||
// $Nav .= '<a id = "navPrev" onClick = "loadXMLTimesheet(\''.getStartDate($this->date_start, -1).'\', 0);'; | ||
} else{ | ||
$Nav .= '<a href="?dateStart='.getStartDate($this->date_start, -1).$tail; | ||
} | ||
if ($optioncss != '')$Nav .= '&optioncss='.$optioncss; | ||
$Nav .= '"> <<'.$langs->trans("Previous").' </a>'."\n\t\t</th>\n\t\t<th>\n\t\t\t"; | ||
// if ($ajax) | ||
// { | ||
// $Nav .= '<form name = "goToDate" onsubmit = "return toDateHandler();" action="?action=goToDate&wlm='.$this->whitelistmode.'" method = "POST">'."\n\t\t\t"; | ||
//} else{ | ||
$Nav .= '<form name = "goToDate" action="?action=goToDate'.$tail.'" method = "POST" >'."\n\t\t\t"; | ||
//} | ||
$Nav .= '<form name = "goToDate" action="?action=goToDate'.$tail.'" method = "POST" >'."\n\t\t\t"; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Line exceeds 85 characters; contains 102 characters |
||
//FIXME should take token as input | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Line indented incorrectly; expected at least 8 spaces, found 4 |
||
$token = getToken(); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Line indented incorrectly; expected at least 8 spaces, found 4 |
||
$Nav .= '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>'; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Line exceeds 85 characters; contains 91 characters |
||
|
||
$Nav .= $langs->trans("GoTo").': '.$form->select_date(-1, 'toDate', 0, 0, 0, "", 1, 1, 1)."\n\t\t\t";; | ||
$Nav .= '<input type = "submit" value = "Go" /></form>'."\n\t\t</th>\n\t\t<th>\n\t\t\t"; | ||
//if ($ajax) | ||
// { | ||
// $Nav .= '<a id = "navNext" onClick = "loadXMLTimesheet(\''.getStartDate($this->date_start, 1).'\', 0);'; | ||
//} else{ | ||
$Nav .= '<a href="?dateStart='.getStartDate($this->date_start, 1).$tail; | ||
//} | ||
$Nav .= '<a href="?dateStart='.getStartDate($this->date_start, 1).$tail; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Line indented incorrectly; expected at least 8 spaces, found 4 |
||
if ($optioncss != '') $Nav .= '&optioncss='.$optioncss; | ||
$Nav .= '">'.$langs->trans("Next").' >></a>'."\n\t\t</th>\n\t</tr>\n </table>\n"; | ||
return $Nav; | ||
|
@@ -1155,7 +1147,12 @@ public function getHTMLGetOtherUserTs($idsList, $selected, $admin) | |
} else{ | ||
$HTML .= $form->select_dolusers($selected, 'userid'); | ||
} | ||
//FIXME should take token as input | ||
$token = getToken(); | ||
$HTML .= '<input type = "hidden" id="csrf-token" name = "token" value = "'.$token.'"/>'; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Line exceeds 85 characters; contains 96 characters |
||
|
||
$HTML .= '<input type = "submit" value = "'.$langs->trans('Submit').'"/></form> '; | ||
|
||
return $HTML; | ||
} | ||
/** | ||
|
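Review bot: `getHTMLNavigation` now calls the global `getToken()` from inside the method (line 238) under a FIXME saying the token should be an input; resolve that compatibly with a trailing parameter, `public function getHTMLNavigation($optioncss, $ajax = false, $token = null)` and `if ($token === null) $token = getToken();`, so a page can pass the token it already computed and tests can supply a fixed value. The `goToDate` form at line 232 correctly carries the hidden field, but its `id="csrf-token"` is duplicated whenever this navigation and `getHTMLGetOtherUserTs` (line 267) render on the same page; the server reads `name="token"`, so the id can be dropped. The Previous/Next links at lines 222 and 252 are plain navigation and rightly carry no token.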
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -59,7 +59,7 @@ public function loadBox($max = 5) | |
if ($this->db->type!='pgsql') { | ||
$sqlweek = " | ||
with digit as ( | ||
select 0 as d union all | ||
select 0 union all | ||
select 1 union all select 2 union all select 3 union all | ||
select 4 union all select 5 union all select 6 union all | ||
select 7 union all select 8 union all select 9 | ||
|
@@ -87,13 +87,11 @@ public function loadBox($max = 5) | |
GROUP BY w.week;"; | ||
}else { | ||
// to be validated | ||
$sqlweek = " SELECT SUM(pt.task_duration)/3600 as duration, | ||
TO_CHAR(generate_series, 'YYYYWW') week, u.weeklyhours | ||
FROM (generate_series(DATE_TRUNC('week', NOW() - INTERVAL '".$conf->global->TIMESHEET_OVERTIME_CHECK_WEEKS." WEEK'), DATE_TRUNC('week',NOW()) - INTERVAL 1 WEEK' )) | ||
LEFT JOIN llx_projet_task_time pt ON generate_series = DATE_TRUNC('week',pt.task_date) | ||
LEFT JOIN llx_user u on pt.fk_user = ".$userid." | ||
WHERE pt.fk_user = ".$userid." OR pt.fk_user is null | ||
GROUP BY generate_series;"; | ||
$sqlweek = "SELECT SUM(pt.task_duration)/3600 as duration, TO_CHAR(generate_series, 'YYYYWW') as week, u.weeklyhours | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Line exceeds 85 characters; contains 133 characters |
||
FROM generate_series(DATE_TRUNC('week', (now() - INTERVAL '".$conf->global->TIMESHEET_OVERTIME_CHECK_WEEKS." week'))::timestamp, DATE_TRUNC('week', (now() - INTERVAL '1 WEEK' ))::timestamp, interval '1 week') | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Line exceeds 85 characters; contains 225 characters |
||
LEFT JOIN llx_projet_task_time pt ON (generate_series = DATE_TRUNC('week',pt.task_date)) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Line exceeds 85 characters; contains 105 characters |
||
LEFT JOIN llx_user u on (pt.fk_user = ".$userid.") WHERE pt.fk_user = ".$userid." OR pt.fk_user is null | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Line exceeds 85 characters; contains 120 characters |
||
GROUP BY generate_series, u.weeklyhours;"; | ||
} | ||
$result = $db->query($sqlweek); | ||
$delta = array(); | ||
|
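Review bot: The rewritten PostgreSQL query at lines 303–315 still interpolates `$userid` and `$conf->global->TIMESHEET_OVERTIME_CHECK_WEEKS` directly into SQL; even if both are trusted today, casting first, `$userid = (int) $userid;` and `$weeks = (int) $conf->global->TIMESHEET_OVERTIME_CHECK_WEEKS;`, costs nothing and closes the injection path if a caller ever passes request data. Separately, `LEFT JOIN llx_user u on (pt.fk_user = ".$userid.")` never relates `u` to the joined row, so every `llx_user` row matches whenever the condition holds and `GROUP BY generate_series, u.weeklyhours` can yield one row per distinct `weeklyhours` value instead of one per week; the intended condition is presumably `u.rowid = pt.fk_user`. Table names are also hard-coded as `llx_` rather than using `MAIN_DB_PREFIX`. The method starts before this hunk.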
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Line exceeds 85 characters; contains 89 characters