From 67b3e3da99cbcbcc974f08bb240b31dee3d7d2b0 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Tue, 23 May 2017 15:51:39 +0200
Subject: [PATCH] FIX #6784
---
 htdocs/core/lib/ajax.lib.php | 6 +++---
 htdocs/opensurvey/card.php | 4 ++--
 htdocs/public/opensurvey/studs.php | 3 +++
 3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/htdocs/core/lib/ajax.lib.php b/htdocs/core/lib/ajax.lib.php
index 9ba57abf302..d278f29b897 100644
--- a/htdocs/core/lib/ajax.lib.php
+++ b/htdocs/core/lib/ajax.lib.php
@@ -354,9 +354,9 @@ function ajax_dialog($title,$message,$w=350,$h=150)
 * Make content of an input box selected when we click into input field.
 *
 * @param string $htmlname Id of html object
- * @param int $addlink Add a link to after
+ * @param string $addlink Add a 'link to' after
 */
-function ajax_autoselect($htmlname, $addlink=0)
+function ajax_autoselect($htmlname, $addlink='')
 {
 global $langs;
 $out = '<script type="text/javascript">
@@ -364,7 +364,7 @@ function ajax_autoselect($htmlname, $addlink=0)
 jQuery("#'.$htmlname.'").click(function() { jQuery(this).select(); } );
 });
 </script>';
- if ($addlink) $out.=' <a href="'.$url.'" target="_blank">'.$langs->trans("Link").'</a>';
+ if ($addlink) $out.=' <a href="'.$addlink.'" target="_blank">'.$langs->trans("Link").'</a>';
 return $out;
 }
diff --git a/htdocs/opensurvey/card.php b/htdocs/opensurvey/card.php
index 707af9f7115..18326321a4b 100644
--- a/htdocs/opensurvey/card.php
+++ b/htdocs/opensurvey/card.php
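Review bot: In the second ajax.lib.php hunk, `$addlink` is written into `href="…"` with no HTML escaping, so a `"` in the caller's URL would close the attribute; card.php in this same patch now passes its `$url` through this path. Escaping at the sink covers every caller: `if ($addlink) $out.=' <a href="'.dol_escape_htmltag($addlink).'" target="_blank" rel="noopener noreferrer">'.$langs->trans("Link").'</a>';` — the added `rel` stops the opened page from reaching back through `window.opener`. The docblock in the first hunk could say what the value is, e.g. `@param string $addlink URL of a link to add after the field ('' = no link)`. `$htmlname` in the jQuery selector is unchanged context but is interpolated the same way.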
@@ -332,9 +332,9 @@ $urlwithouturlroot=preg_replace('/'.preg_quote(DOL_URL_ROOT,'/').'$/i','',trim($
 $urlwithroot=$urlwithouturlroot.DOL_URL_ROOT; // This is to use external domain name found into config file
 //$urlwithroot=DOL_MAIN_URL_ROOT; // This is to use same domain name than current
-$url=$urlwithouturlroot.dol_buildpath('/public/opensurvey/studs.php',1).'?sondage='.$object->id_sondage;
+$url=$urlwithroot.'/public/opensurvey/studs.php?sondage='.$object->id_sondage;
 print '<input type="text" style="width: 60%" '.($action == 'edit' ? 'disabled' : '').' id="opensurveyurl" name="opensurveyurl" value="'.$url.'">';
-if ($action != 'edit') print ajax_autoselect("opensurveyurl", 1);
+if ($action != 'edit') print ajax_autoselect("opensurveyurl", $url);
 print '</td></tr>';
diff --git a/htdocs/public/opensurvey/studs.php b/htdocs/public/opensurvey/studs.php
index 98d267fdd72..8e769452ec1 100644
--- a/htdocs/public/opensurvey/studs.php
+++ b/htdocs/public/opensurvey/studs.php
@@ -47,6 +47,9 @@ $nblignes=$object->fetch_lines();
 //If the survey has not yet finished, then it can be modified
 $canbemodified = ((empty($object->date_fin) || $object->date_fin > dol_now()) && $object->status != Opensurveysondage::STATUS_CLOSED);
+// Security check
+if (empty($conf->opensurvey->enabled)) accessforbidden('',0,0,1);
+
 /*
 * Actions
--
GitLab
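Review bot: `$object->id_sondage` is appended to the query string of `$url` without URL encoding, and the result is then printed into the `value` attribute on the unchanged line below and passed to `ajax_autoselect()` for an `href`. The format of the id is not visible in this hunk, so if it can ever hold `&`, `#` or a quote the generated link changes meaning; `$url=$urlwithroot.'/public/opensurvey/studs.php?sondage='.urlencode($object->id_sondage);` removes that dependency. The surrounding page script starts and ends outside the hunk.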
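Review bot: The module-enabled check in studs.php runs only after the survey has been loaded — the hunk header shows `$nblignes=$object->fetch_lines();` preceding it — so a request to this public page still triggers database reads when opensurvey is disabled. Placing `if (empty($conf->opensurvey->enabled)) accessforbidden('',0,0,1);` directly after the page's initial includes, before any fetch, would make the page fail closed; the lines above 47 are outside the hunk, so the exact spot has to be confirmed there. Any other entry points under `htdocs/public/opensurvey/` are not part of this patch and would presumably need the same guard.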