Fix CSRF protection for all massactions
eldy committed Sep 18, 2021
1 parent bc63c62 commit 89e8f24e1509de7c37f7d225a05ac93e1d900622
Showing 5 changed files with 14 additions and 8 deletions.
@@ -316,13 +316,14 @@
if ($tmpproposal->fetch($checked)) {
if ($tmpproposal->statut == 0) {
if ($tmpproposal->valid($user)) {
setEventMessage($tmpproposal->ref." ".$langs->trans('PassedInOpenStatus'), 'mesgs');
setEventMessage($langs->trans('hasBeenValidated', $tmpproposal->ref), 'mesgs');
} else {
setEventMessage($langs->trans('CantBeValidated'), 'errors');
$error++;
}
} else {
setEventMessage($tmpproposal->ref." ".$langs->trans('IsNotADraft'), 'errors');
$langs->load("errors");
setEventMessage($langs->trans('ErrorIsNotADraft', $tmpproposal->ref), 'errors');
$error++;
}
} else {
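Review bot: The success branch at `if ($tmpproposal->valid($user))` treats any non-zero return as success; if valid() follows the usual Dolibarr convention of returning a negative int on error, a failed validation would be reported with the new 'hasBeenValidated' message and $error would stay unchanged. `if ($tmpproposal->valid($user) > 0)` pins it to the positive case; the same pattern appears at `$objecttmp->valid($user, $idwarehouse)` and `$objecttmp->cloture($user)` in the next two hunks. The added `$langs->load("errors")` appears to run once per processed item, judging by the `$checked` id being fetched; loading the domain once before the loop would be cleaner. The enclosing loop and if blocks start and end outside the hunk.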
@@ -309,13 +309,14 @@
$idwarehouse = 0;
}
if ($objecttmp->valid($user, $idwarehouse)) {
setEventMessage($objecttmp->ref." ".$langs->trans('PassedInOpenStatus'), 'mesgs');
setEventMessage($langs->trans('hasBeenValidated', $objecttmp->ref), 'mesgs');
} else {
setEventMessage($langs->trans('CantBeValidated'), 'errors');
$error++;
}
} else {
setEventMessage($objecttmp->ref." ".$langs->trans('IsNotADraft'), 'errors');
$langs->load("errors");
setEventMessage($langs->trans('ErrorIsNotADraft', $objecttmp->ref), 'errors');
$error++;
}
} else {
@@ -339,13 +340,14 @@
if ($objecttmp->fetch($checked)) {
if ($objecttmp->statut == 1) {
if ($objecttmp->cloture($user)) {
setEventMessage($objecttmp->ref." ".$langs->trans('PassedInOpenStatus'), 'mesgs');
setEventMessage($langs->trans('PassedInClosedStatus', $objecttmp->ref), 'mesgs');
} else {
setEventMessage($langs->trans('CantBeValidated'), 'errors');
setEventMessage($langs->trans('CantBeClosed'), 'errors');
$error++;
}
} else {
setEventMessage($objecttmp->ref." ".$langs->trans('IsNotADraft'), 'errors');
$langs->load("errors");
setEventMessage($langs->trans('ErrorIsNotADraft', $objecttmp->ref), 'errors');
$error++;
}
} else {
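Review bot: The new messages on `setEventMessage($langs->trans('PassedInClosedStatus', $objecttmp->ref), 'mesgs')` and `setEventMessage($langs->trans('CantBeClosed'), 'errors')` use keys this commit does not add to any language file (the diffstat's 14 additions are all visible in these hunks); unless both keys already exist, trans() will render the raw key to the user. Worth confirming they are defined, or adding them next to the new `hasBeenValidated` entry. The enclosing loop and if blocks start and end outside the hunk.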
@@ -270,6 +270,7 @@ ErrorActionCommBadType=Selected event type (id: %n, code: %s) do not exist in Ev
CheckVersionFail=Version check fail
ErrorWrongFileName=Name of the file cannot have __SOMETHING__ in it
ErrorNotInDictionaryPaymentConditions=Not in Payment Terms Dictionary, please modify.
ErrorIsNotADraft=%s is not a draft

# Warnings
WarningParamUploadMaxFileSizeHigherThanPostMaxSize=Your PHP parameter upload_max_filesize (%s) is higher than PHP parameter post_max_size (%s). This is not a consistent setup.
@@ -1155,3 +1155,4 @@ ConfirmMassLeaveApproval=Mass leave approval confirmation
RecordAproved=Record approved
RecordsApproved=%s Record(s) approved
Properties=Properties
hasBeenValidated=%s has been validated
@@ -482,7 +482,8 @@ function analyseVarsForSqlAndScriptsInjection(&$var, $type)
if (
$_SERVER['REQUEST_METHOD'] == 'POST' ||
$sensitiveget ||
((GETPOSTISSET('actionlogin') || GETPOSTISSET('action') || GETPOSTISSET('massaction')) && defined('CSRFCHECK_WITH_TOKEN'))
GETPOSTISSET('massaction') ||
((GETPOSTISSET('actionlogin') || GETPOSTISSET('action')) && defined('CSRFCHECK_WITH_TOKEN'))
) {
// If token is not provided or empty, error (we are in case it is mandatory)
if (!GETPOST('token', 'alpha') || GETPOST('token', 'alpha') == 'notrequired') {
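Review bot: The new `GETPOSTISSET('massaction') ||` term on the second line of the condition requires a token whenever the parameter is present at all, including an empty value, since GETPOSTISSET presumably tests presence rather than content; if any list page is reached by GET with an empty `massaction=` echoed into the query string, those requests would now be rejected as well, which is worth checking before release. If that is the intent (a bulk action always needs a token, regardless of CSRFCHECK_WITH_TOKEN), a comment saying so above the condition, such as `// massaction is always token-protected, even when CSRFCHECK_WITH_TOKEN is not defined`, would keep the asymmetry with `action` from being "simplified" away later. On the last line the token is read twice; a local `$token = GETPOST('token', 'alpha');` would avoid the repeated lookup, and `$_SERVER['REQUEST_METHOD'] === 'POST'` would match the strict comparisons used elsewhere. The body of this `if` continues past the hunk.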
