diff --git a/htdocs/comm/askpricesupplier/card.php b/htdocs/comm/askpricesupplier/card.php
index 51368cb09a71e61fb12729e255eaa514dce9db49..22732c1a19ddd45d808918ec6ae77acd55533795 100644
--- a/htdocs/comm/askpricesupplier/card.php
+++ b/htdocs/comm/askpricesupplier/card.php
@@ -1664,7 +1664,7 @@ if ($action == 'create')
 
 				// Create an order
 				if (! empty($conf->commande->enabled) && $object->statut == 2) {
-					if ($user->rights->commande->creer) {
+					if ($user->rights->fournisseur->commande->creer) {
 						print '<div class="inline-block divButAction"><a class="butAction" href="' . DOL_URL_ROOT . '/fourn/commande/card.php?action=create&amp;origin=' . $object->element . '&amp;originid=' . $object->id . '&amp;socid=' . $object->socid . '">' . $langs->trans("AddOrder") . '</a></div>';
 					}
 				}
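Review bot: The module-enabled guard on the line above the changed one still tests `$conf->commande->enabled` (customer orders), while the permission now checked and the link target `fourn/commande/card.php` both belong to the supplier-order module; if supplier orders can be enabled without customer orders, the button is never shown, and `if (! empty($conf->fournisseur->enabled) && $object->statut == 2)` is presumably the matching guard — confirm against how the supplier module registers its `$conf` flag. Note also that this condition only hides a link; it is not an access control, so `fourn/commande/card.php` must enforce `fournisseur->commande->creer` itself on `action=create`, which cannot be verified from this hunk.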
diff --git a/htdocs/comm/mailing/list.php b/htdocs/comm/mailing/list.php
index 43441306e34e741c46b8b72d33188ebde1f2c93a..8ca6b88931018508b093303c49fad378959a5100 100644
--- a/htdocs/comm/mailing/list.php
+++ b/htdocs/comm/mailing/list.php
@@ -40,10 +40,9 @@ $pagenext = $page + 1;
 if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="m.date_creat";
 
-$sall=isset($_GET["sall"])?$_GET["sall"]:$_POST["sall"];
-$sref=isset($_GET["sref"])?$_GET["sref"]:$_POST["sref"];
-
-$filteremail=$_REQUEST["filteremail"]?$_REQUEST["filteremail"]:'';
+$sall=GETPOST("sall","alpha");
+$sref=GETPOST("sref","alpha");
+$filteremail=GETPOST('filteremail','alpha');
 
 
 
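Review bot: `sref` is only ever compared against `m.rowid`, an integer key, so the `'alpha'` filter is looser than needed; `$sref=GETPOST("sref","int");` would reject non-numeric input at the boundary instead of relying on the later quoting and escaping in the SQL. The move from raw `$_GET`/`$_POST`/`$_REQUEST` to `GETPOST` is the right direction, and it also removes the undefined-index notices the old `isset`-less `$_POST` fallbacks produced. `$sortfield`/`$sortorder`, set just above the hunk and later passed to `$db->order()`, are not touched here and their origin is not visible, so they should get the same treatment if they come from the request.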
@@ -62,8 +61,8 @@ if ($filteremail)
 	$sql.= " FROM ".MAIN_DB_PREFIX."mailing as m, ".MAIN_DB_PREFIX."mailing_cibles as mc";
 	$sql.= " WHERE m.rowid = mc.fk_mailing AND m.entity = ".$conf->entity;
 	$sql.= " AND mc.email = '".$db->escape($filteremail)."'";
-	if ($sref) $sql.= " AND m.rowid = '".$sref."'";
-	if ($sall) $sql.= " AND (m.titre like '%".$sall."%' OR m.sujet like '%".$sall."%' OR m.body like '%".$sall."%')";
+	if ($sref) $sql.= " AND m.rowid = '".$db->escape($sref)."'";
+	if ($sall) $sql.= " AND (m.titre like '%".$db->escape($sall)."%' OR m.sujet like '%".$db->escape($sall)."%' OR m.body like '%".$db->escape($sall)."%')";
 	if (! $sortorder) $sortorder="ASC";
 	if (! $sortfield) $sortfield="m.rowid";
 	$sql.= $db->order($sortfield,$sortorder);
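Review bot: `$db->escape()` neutralises quote characters but not the `%` and `_` LIKE metacharacters, so the `sall` clause still lets a request widen the pattern; this is a full-text search so a user-supplied `%` may be acceptable, but if not, escape the wildcards before concatenation, e.g. `$sallpat = $db->escape(str_replace(array('%','_'), array('\\%','\\_'), $sall));` and use `$sallpat` in the three `like '%...%'` terms. The `m.rowid = '...'` comparison for `sref` is safe once escaped, though `(int) $sref` would be the cleaner form for an integer column. `$sortfield`/`$sortorder` go into `$db->order()` unescaped; whether that helper whitelists them is not visible here.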
@@ -74,8 +73,8 @@ else
 	$sql = "SELECT m.rowid, m.titre, m.nbemail, m.statut, m.date_creat as datec, m.date_envoi as date_envoi";
 	$sql.= " FROM ".MAIN_DB_PREFIX."mailing as m";
 	$sql.= " WHERE m.entity = ".$conf->entity;
-	if ($sref) $sql.= " AND m.rowid = '".$sref."'";
-	if ($sall) $sql.= " AND (m.titre like '%".$sall."%' OR m.sujet like '%".$sall."%' OR m.body like '%".$sall."%')";
+	if ($sref) $sql.= " AND m.rowid = '".$db->escape($sref)."'";
+	if ($sall) $sql.= " AND (m.titre like '%".$db->escape($sall)."%' OR m.sujet like '%".$db->escape($sall)."%' OR m.body like '%".$db->escape($sall)."%')";
 	if (! $sortorder) $sortorder="ASC";
 	if (! $sortfield) $sortfield="m.rowid";
 	$sql.= $db->order($sortfield,$sortorder);
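Review bot: The `sref` and `sall` filter clauses are now duplicated verbatim between this branch and the `if ($filteremail)` branch above, including the three escaped `like` terms, which is how the original unescaped copies drifted apart from the fix in the first place; building the filter once before the `if`/`else` and appending it in both branches would keep the two SQL paths in step. The same LIKE-wildcard caveat as the other branch applies: `$db->escape()` does not escape `%` or `_`.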
@@ -94,7 +93,7 @@ if ($result)
 
 	$i = 0;
 
-	$param = "&amp;sall=".$sall;
+	$param = "&amp;sall=".urlencode($sall);
 	if ($filteremail) $param.='&amp;filteremail='.urlencode($filteremail);
 	
 	print '<form method="GET" action="'.$_SERVER["PHP_SELF"].'">';
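Review bot: `$_SERVER["PHP_SELF"]` is printed raw into the form `action` on the last line of the hunk; on servers that append PATH_INFO to it, that is a reflected XSS sink which the escaping work in this commit leaves in place, and the file already uses `dol_escape_htmltag`, so `print '<form method="GET" action="'.dol_escape_htmltag($_SERVER["PHP_SELF"]).'">';` closes it. The `urlencode` on `sall` is correct for the query-string context. `$param` carries `sall` and `filteremail` but not `sref`; if `$param` feeds the column-sort or paging links, re-sorting drops the ref filter — the consumer of `$param` is outside this hunk.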
@@ -111,11 +110,11 @@ if ($result)
 
 	print '<tr class="liste_titre">';
 	print '<td class="liste_titre">';
-	print '<input type="text" class="flat" name="sref" value="'.$sref.'" size="6">';
+	print '<input type="text" class="flat" name="sref" value="'.dol_escape_htmltag($sref).'" size="6">';
 	print '</td>';
 	// Title
 	print '<td class="liste_titre">';
-	print '<input type="text" class="flat" name="sall" value="'.$sall.'" size="40">';
+	print '<input type="text" class="flat" name="sall" value="'.dol_escape_htmltag($sall).'" size="40">';
 	print '</td>';
 	print '<td class="liste_titre">&nbsp;</td>';
 	if (! $filteremail) print '<td class="liste_titre">&nbsp;</td>';
diff --git a/htdocs/expedition/class/expedition.class.php b/htdocs/expedition/class/expedition.class.php
index 3dc1d555d2805593641fd095c4ec85c73df0d7ec..edd8aa0cd39b34a6a9f7daafd6e7b30525e787f3 100644
--- a/htdocs/expedition/class/expedition.class.php
+++ b/htdocs/expedition/class/expedition.class.php
@@ -643,7 +643,15 @@ class Expedition extends CommonObject
 				for ($i = 0; $i < $cpt; $i++)
 				{
 					$obj = $this->db->fetch_object($resql);
-					if ($obj->qty <= 0) continue;
+					if (empty($obj->edbrowid))
+					{
+						$qty = $obj->qty;
+					}
+					else
+					{
+						$qty = $obj->edbqty;
+					}
+					if ($qty <= 0) continue;
 					dol_syslog(get_class($this)."::valid movement index ".$i." ed.rowid=".$obj->rowid." edb.rowid=".$obj->edbrowid);
 
 					//var_dump($this->lines[$i]);
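Review bot: The `$qty` selection deserves a one-line comment, because a reader has to know that `edbrowid` comes from a joined batch-detail row to see why its presence changes which quantity is consumed; I would put `// edbrowid is set when this line has a batch-detail record: ship that batch's qty, otherwise the line qty` above the `if (empty($obj->edbrowid))`. Whether `edbrowid` is NULL for non-batch lines depends on the SELECT, which is outside this hunk, as is the start of the enclosing method.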
@@ -655,7 +663,7 @@ class Expedition extends CommonObject
 						// line without batch detail
 						
 						// We decrement stock of product (and sub-products) -> update table llx_product_stock (key of this table is fk_product+fk_entrepot) and add a movement record
-						$result=$mouvS->livraison($user, $obj->fk_product, $obj->fk_entrepot, $obj->qty, $obj->subprice, $langs->trans("ShipmentValidatedInDolibarr",$numref));
+						$result=$mouvS->livraison($user, $obj->fk_product, $obj->fk_entrepot, $qty, $obj->subprice, $langs->trans("ShipmentValidatedInDolibarr",$numref));
 						if ($result < 0) {
 							$error++; break;
 						}
@@ -665,15 +673,16 @@ class Expedition extends CommonObject
 						// line with batch detail
 						
 						// We decrement stock of product (and sub-products) -> update table llx_product_stock (key of this table is fk_product+fk_entrepot) and add a movement record
-						$result=$mouvS->livraison($user, $obj->fk_product, $obj->fk_entrepot, $obj->edbqty, $obj->subprice, $langs->trans("ShipmentValidatedInDolibarr",$numref), '', $obj->eatby, $obj->sellby, $obj->batch);
+						$result=$mouvS->livraison($user, $obj->fk_product, $obj->fk_entrepot, $qty, $obj->subprice, $langs->trans("ShipmentValidatedInDolibarr",$numref), '', $obj->eatby, $obj->sellby, $obj->batch);
 						if ($result < 0) {
 							$error++; break;
 						}
 						
 						// We update content of table llx_product_batch (will be rename into llx_product_stock_batch inantoher version)
+						// We can set livraison_batch to deprecated and adapt livraison to handle batch too (mouvS->_create also calls mouvS->_create_batch)
 						if (! empty($conf->productbatch->enabled))
 						{
-							$result=$mouvS->livraison_batch($obj->fk_origin_stock, $obj->qty);		// ->fk_origin_stock = id into table llx_product_batch (will be rename into llx_product_stock_batch in another version)
+							$result=$mouvS->livraison_batch($obj->fk_origin_stock, $qty);		// ->fk_origin_stock = id into table llx_product_batch (will be rename into llx_product_stock_batch in another version)
 							if ($result < 0) { $error++; $this->errors[]=$mouvS->error; break; }
 						}
 					}
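Review bot: The two error paths in this branch are inconsistent: the `livraison_batch()` failure on the last changed line records `$mouvS->error` into `$this->errors`, but the `livraison()` failure just above it only bumps `$error` and breaks, so a failed stock movement on a batch line is reported without its cause; `if ($result < 0) { $error++; $this->errors[]=$mouvS->error; break; }` on that branch would match. Switching `livraison_batch()` from `$obj->qty` to `$qty` (the batch-detail quantity) is the substantive fix here. The comment about deprecating `livraison_batch` reads as a TODO; tagging it `// TODO:` makes it greppable.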
diff --git a/htdocs/livraison/card.php b/htdocs/livraison/card.php
index 7ea9920d65b2ac4225faf0f48c463f40f90f9a1e..54e45080efbf8a68d822ef12ebd85b7290974d9e 100644
--- a/htdocs/livraison/card.php
+++ b/htdocs/livraison/card.php
@@ -744,9 +744,13 @@ else
 			{
 				print '<div class="tabsAction">';
 
-				if ($object->statut == 0 && $user->rights->expedition->livraison->valider && $num_prod > 0)
+				if ($object->statut == 0 && $num_prod > 0) 
 				{
-					print '<a class="butAction" href="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'&amp;action=valid">'.$langs->trans("Validate").'</a>';
+					if ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ! empty($user->rights->expedition->livraison->creer))
+						|| (! empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ! empty($user->rights->expedition->livraison_advance->validate)))
+					{
+						print '<a class="butAction" href="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'&amp;action=valid">'.$langs->trans("Validate").'</a>';
+					}
 				}
 
 				if ($user->rights->expedition->livraison->supprimer)
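Review bot: The new permission condition only decides whether the Validate link is rendered; the `action=valid` handler for this page must apply the same `MAIN_USE_ADVANCED_PERMS`-dependent check server-side, otherwise a user who lacks `livraison_advance->validate` can still validate by requesting the URL directly — that handler is not in this hunk, so it should be checked. The non-advanced branch now requires `livraison->creer` where the old code required `livraison->valider`; if that is an intended widening, a short comment saying so would stop a future reader "fixing" it back. The nested `if` could be folded into the outer condition with `&&`, and the changed `if` line has a trailing space.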