Commit befaf655 authored by Laurent Destailleur's avatar Laurent Destailleur

Fix: Disable feature by default. Option MAIN_SOCIETE_UNSUBSCRIBE is now required to
enable it, because the feature is a security hole.
parent 66b00165
......@@ -47,8 +47,6 @@ $object=new Mailing($db);
$substitutionarray=array(
'__ID__' => 'IdRecord',
'__EMAIL__' => 'EMail',
'__CHECK_READ__' => 'CheckMail',
'__UNSUSCRIBE__' => 'Unsuscribe',
'__LASTNAME__' => 'Lastname',
'__FIRSTNAME__' => 'Firstname',
'__OTHER1__' => 'Other1',
......@@ -59,11 +57,20 @@ $substitutionarray=array(
'__SIGNATURE__' => 'Signature',
'__PERSONALIZED__' => 'Personalized'
);
if ($conf->global->MAIN_SOCIETE_UNSUBSCRIBE)
{
$substitutionarray=array_merge(
$substitutionarray,
array(
'__CHECK_READ__' => 'CheckMail',
'__UNSUSCRIBE__' => 'Unsuscribe'
)
);
}
$substitutionarrayfortest=array(
'__ID__' => 'TESTIdRecord',
'__EMAIL__' => 'TESTEMail',
'__CHECK_READ__' => 'TESTCheckMail',
'__UNSUSCRIBE__' => 'TESTUnsuscribe',
'__LASTNAME__' => 'TESTLastname',
'__FIRSTNAME__' => 'TESTFirstname',
'__OTHER1__' => 'TESTOther1',
......@@ -74,7 +81,16 @@ $substitutionarrayfortest=array(
'__SIGNATURE__' => 'TESTSignature',
'__PERSONALIZED__' => 'TESTPersonalized'
);
if ($conf->global->MAIN_SOCIETE_UNSUBSCRIBE)
{
$substitutionarray=array_merge(
$substitutionarray,
array(
'__CHECK_READ__' => 'TESTCheckMail',
'__UNSUSCRIBE__' => 'TESTCheckMail'
)
);
}
// Action clone object
if ($action == 'confirm_clone' && $confirm == 'yes')
......@@ -158,7 +174,7 @@ if ($action == 'sendallconfirmed' && $confirm == 'yes')
if ($num)
{
dol_syslog("comm/mailing/fiche.php: nb of targets = ".$num, LOG_DEBUG);
$now=dol_now();
// Positionne date debut envoi
......@@ -191,9 +207,9 @@ if ($action == 'sendallconfirmed' && $confirm == 'yes')
$tmpfield=explode('=',$other[4],2); $other5=(isset($tmpfield[1])?$tmpfield[1]:$tmpfield[0]);
$substitutionarray=array(
'__ID__' => $obj->source_id,
'__EMAIL__' => '<a href="mailto:'.$obj->email.'">'.$obj->email.'</a>',
'__CHECK_READ__' => '<img src="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-read.php?tag='.$obj->tag.'" width="0" height="0" style="width:0px;height:0px" border="0"/>',
'__UNSUSCRIBE__' => '<a href="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-usubscribe.php?tag='.$obj->tag.'&unsuscrib=1" target="_blank">'.$langs->trans("MailUnsubcribe").'</a>',
'__EMAIL__' => $obj->email,
'__CHECK_READ__' => '<img src="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-read.php?tag='.$obj->tag.'" width="0" height="0" style="width:0px;height:0px" border="0"/>',
'__UNSUSCRIBE__' => '<a href="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-unsubscribe.php?tag='.$obj->tag.'&unsuscrib=1" target="_blank">'.$langs->trans("MailUnsubcribe").'</a>',
'__LASTNAME__' => $obj->nom,
'__FIRSTNAME__' => $obj->prenom,
'__OTHER1__' => $other1,
......@@ -270,11 +286,11 @@ if ($action == 'sendallconfirmed' && $confirm == 'yes')
{
dol_print_error($db);
}
//Update status communication of contact prospect
$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_stcomm=2 WHERE rowid IN (SELECT sc.fk_soc FROM ".MAIN_DB_PREFIX."socpeople AS sc INNER JOIN ".MAIN_DB_PREFIX."mailing_cibles AS mc ON mc.rowid=".$obj->rowid." AND mc.source_type = 'contact' AND mc.source_id = sc.rowid)";
dol_syslog("fiche.php: set prospect contact status sql=".$sql, LOG_DEBUG);
$resql2=$db->query($sql);
if (! $resql2)
{
......@@ -282,8 +298,8 @@ if ($action == 'sendallconfirmed' && $confirm == 'yes')
}
}
}
//test if CHECK READ change statut prospect contact
}
else
......@@ -531,11 +547,11 @@ if ($action == 'update' && empty($_POST["removedfile"]) && empty($_POST["cancel"
// Action confirmation validation
if ($action == 'confirm_valid' && $confirm == 'yes')
{
{
if ($object->fetch($id) >= 0)
{
$object->valid($user);
Header("Location: ".$_SERVER['PHP_SELF']."?id=".$object->id);
exit;
}
......@@ -547,17 +563,17 @@ if ($action == 'confirm_valid' && $confirm == 'yes')
// Resend
if ($action == 'confirm_reset' && $confirm == 'yes')
{
{
if ($object->fetch($id) >= 0)
{
$db->begin();
$result=$object->valid($user);
if ($result > 0)
{
$result=$object->reset_targets_status($user);
}
if ($result > 0)
{
$db->commit();
......@@ -580,7 +596,7 @@ if ($action == 'confirm_reset' && $confirm == 'yes')
if ($action == 'confirm_delete' && $confirm == 'yes')
{
$object->fetch($id);
if ($object->delete($object->id))
{
Header("Location: liste.php");
......@@ -1027,8 +1043,11 @@ else
print '<br><i>'.$langs->trans("CommonSubstitutions").':<br>';
print '__ID__ = '.$langs->trans("IdRecord").'<br>';
print '__EMAIL__ = '.$langs->trans("EMail").'<br>';
print '__CHECK_READ__ = '.$langs->trans("CheckRead").'<br>';
print '__UNSUSCRIBE__ = '.$langs->trans("MailUnsubcribe").'<br>';
if ($conf->global->MAIN_SOCIETE_UNSUBSCRIBE)
{
print '__CHECK_READ__ = '.$langs->trans("CheckRead").'<br>';
print '__UNSUSCRIBE__ = '.$langs->trans("MailUnsubcribe").'<br>';
}
print '__LASTNAME__ = '.$langs->trans("Lastname").'<br>';
print '__FIRSTNAME__ = '.$langs->trans("Firstname").'<br>';
print '__OTHER1__ = '.$langs->trans("Other").'1<br>';
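Review bot: The second gated block, the one following `$substitutionarrayfortest` in the `@@ -74,7 +81,16 @@` hunk, merges into `$substitutionarray` instead of `$substitutionarrayfortest`, so the test array never regains its two placeholders and, when the option is on, the real array's entries are overwritten with `TEST` values; its `__UNSUSCRIBE__` value is also `'TESTCheckMail'` where `'TESTUnsuscribe'` was evidently meant. The block should read `$substitutionarrayfortest=array_merge($substitutionarrayfortest, array('__CHECK_READ__' => 'TESTCheckMail', '__UNSUSCRIBE__' => 'TESTUnsuscribe'));`. The three checks here are written `if ($conf->global->MAIN_SOCIETE_UNSUBSCRIBE)` while the public scripts in this commit use `empty(...)`; `if (! empty($conf->global->MAIN_SOCIETE_UNSUBSCRIBE))` avoids a notice when the constant is undefined and keeps the two sides consistent. Note also that the send loop in the `@@ -191,9 +207,9 @@` hunk still builds the `__CHECK_READ__` pixel and the `__UNSUSCRIBE__` link unconditionally, so with the option off the mails point at endpoints that now answer `accessforbidden`; gating those two entries on the same option appears to be the intent.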
......
......@@ -24,7 +24,7 @@
* \ingroup mailing
* \brief Script use to update mail status if destinaries read it (if images during mail read are display)
*/
define("NOLOGIN",1); // This means this output page does not require to be logged.
define("NOCSRFCHECK",1); // We accept to go on this page from external web site.
......@@ -32,31 +32,34 @@ require("../../main.inc.php");
$id=GETPOST('tag');
if (empty($conf->global->MAIN_SOCIETE_UNSUBSCRIBE)) accessforbidden('Option not enabled');
/*
* Actions
*/
if ($id!='')
{
$statut='2';
$sql = "UPDATE ".MAIN_DB_PREFIX."mailing_cibles SET statut=".$statut." WHERE tag='".$id."'";
dol_syslog("public/emailing/mailing-read.php : Mail read : ".$sql, LOG_DEBUG);
$resql=$db->query($sql);
//Update status communication of thirdparty prospect
$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_stcomm=3 WHERE rowid IN (SELECT source_id FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE tag='".$id."' AND source_type='thirdparty' AND source_id is not null)";
dol_syslog("public/emailing/mailing-read.php : Mail read thirdparty : ".$sql, LOG_DEBUG);
$resql=$db->query($sql);
//Update status communication of contact prospect
$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_stcomm=3 WHERE rowid IN (SELECT sc.fk_soc FROM ".MAIN_DB_PREFIX."socpeople AS sc INNER JOIN ".MAIN_DB_PREFIX."mailing_cibles AS mc ON mc.tag = '".$id."' AND mc.source_type = 'contact' AND mc.source_id = sc.rowid)";
dol_syslog("public/emailing/mailing-read.php : Mail read contact : ".$sql, LOG_DEBUG);
$resql=$db->query($sql);
}
$db->close();
?>
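Review bot: The new `accessforbidden` gate does not change that `$id`, read from `GETPOST('tag')` on an endpoint declared `NOLOGIN` and `NOCSRFCHECK`, is concatenated straight into the three `UPDATE` statements (`WHERE tag='".$id."'`), so the surface this commit labels a security hole remains whenever the option is enabled. Each interpolation should go through the database layer, e.g. `WHERE tag='".$db->escape($id)."'`, and the tag could additionally be validated against its expected format before any query runs. The same pattern appears in mailing-unsubscribe.php below (the `mailing_cibles`, `societe` and `SELECT mc.email` queries on `$id`), which should get the same treatment. The three `$resql` results are never checked, so a failed update is silently discarded; logging the failure with `dol_syslog`, as the statements themselves already are, would make it visible.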
......@@ -20,11 +20,11 @@
/**
* \file scripts/emailings/mailing-usubscribe.php
* \file scripts/emailings/mailing-unsubscribe.php
* \ingroup mailing
* \brief Script use to update unsubcribe contact to prospect mailing list
*/
define("NOLOGIN",1); // This means this output page does not require to be logged.
define("NOCSRFCHECK",1); // We accept to go on this page from external web site.
......@@ -39,26 +39,32 @@ $langs->load("mails");
$id=GETPOST('tag');
$unsuscrib=GETPOST('unsuscrib');
if (empty($conf->global->MAIN_SOCIETE_UNSUBSCRIBE)) accessforbidden('Option not enabled');
/*
* Actions
*/
if (($id!='') && ($unsuscrib=='1'))
{
//Udate status of mail in Destinaries maling list
$statut='3';
$sql = "UPDATE ".MAIN_DB_PREFIX."mailing_cibles SET statut=".$statut." WHERE tag='".$id."'";
dol_syslog("public/emailing/mailing-usubscribe.php : Mail unsubcribe : ".$sql, LOG_DEBUG);
dol_syslog("public/emailing/mailing-unsubscribe.php : Mail unsubcribe : ".$sql, LOG_DEBUG);
$resql=$db->query($sql);
//Update status communication of thirdparty prospect
$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_stcomm=-1 WHERE rowid IN (SELECT source_id FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE tag='".$id."' AND source_type='thirdparty' AND source_id is not null)";
dol_syslog("public/emailing/mailing-unsubscribe.php : Mail unsubcribe thirdparty : ".$sql, LOG_DEBUG);
$resql=$db->query($sql);
//Update status communication of contact prospect
$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_stcomm=-1 WHERE rowid IN (SELECT fk_soc FROM ".MAIN_DB_PREFIX."socpeople AS sc INNER JOIN ".MAIN_DB_PREFIX."mailing_cibles AS mc ON mc.tag = '".$id."' AND mc.source_type = 'contact' AND mc.source_id = sc.rowid)";
dol_syslog("public/emailing/mailing-unsubscribe.php : Mail unsubcribe contact : ".$sql, LOG_DEBUG);
$resql=$db->query($sql);
$sql = "SELECT mc.email";
......@@ -66,9 +72,9 @@ if (($id!='') && ($unsuscrib=='1'))
$sql .= " WHERE mc.tag='".$id."'";
$resql=$db->query($sql);
$obj = $db->fetch_object($resql);
header("Content-type: text/html; charset=".$conf->file->character_set_client);
print '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">';
......@@ -92,8 +98,6 @@ if (($id!='') && ($unsuscrib=='1'))
print '</td></tr></table>';
print "</body>\n";
print "</html>\n";
}
$db->close();
......
......@@ -106,8 +106,11 @@ if ($resql)
{
dol_syslog("nb of targets = ".$num, LOG_DEBUG);
$now=dol_now();
// Positionne date debut envoi
$sql="UPDATE ".MAIN_DB_PREFIX."mailing SET date_envoi=SYSDATE() WHERE rowid=".$id;
$sql="UPDATE ".MAIN_DB_PREFIX."mailing SET date_envoi='".$db->idate($now)."' WHERE rowid=".$id;
$resql2=$db->query($sql);
if (! $resql2)
{
......@@ -135,9 +138,9 @@ if ($resql)
$other5=$other[4];
$substitutionarray=array(
'__ID__' => $obj->source_id,
'__EMAIL__' => '<a href="mailto:'.$obj->email.'">'.$obj->email.'</a>',
'__EMAIL__' => $obj->email,
'__CHECK_READ__' => '<img src="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-read.php?tag='.$obj->tag.'" width="0" height="0" style="width:0px;height:0px" border="0"/>',
'__UNSUSCRIBE__' => '<a href="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-usubscribe.php?tag='.$obj->tag.'&unsuscrib=1" target="_blank">'.$langs->trans("MailUnsubcribe").'</a>',
'__UNSUSCRIBE__' => '<a href="'.DOL_MAIN_URL_ROOT.'/public/emailing/mailing-unsubscribe.php?tag='.$obj->tag.'&unsuscrib=1" target="_blank">'.$langs->trans("MailUnsubcribe").'</a>',
'__LASTNAME__' => $obj->lastname,
'__FIRSTNAME__' => $obj->firstname,
'__OTHER1__' => $other1,
......@@ -212,11 +215,11 @@ if ($resql)
{
dol_print_error($db);
}
//Update status communication of contact prospect
$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_stcomm=2 WHERE rowid IN (SELECT sc.fk_soc FROM ".MAIN_DB_PREFIX."socpeople AS sc INNER JOIN ".MAIN_DB_PREFIX."mailing_cibles AS mc ON mc.rowid=".$obj->rowid." AND mc.source_type = 'contact' AND mc.source_id = sc.rowid)";
dol_syslog("fiche.php: set prospect contact status sql=".$sql, LOG_DEBUG);
$resql2=$db->query($sql);
if (! $resql2)
{
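Review bot: In the substitution array of the `@@ -135,9 +138,9 @@` hunk, `__CHECK_READ__` and `__UNSUSCRIBE__` are still generated unconditionally, while this commit makes mailing-read.php and mailing-unsubscribe.php answer `accessforbidden` unless MAIN_SOCIETE_UNSUBSCRIBE is set; mails sent by this script with the option off will therefore carry a tracking pixel and an unsubscribe link that lead to a forbidden page. If `$conf` is available in this script, wrapping those two entries in `if (! empty($conf->global->MAIN_SOCIETE_UNSUBSCRIBE))` and merging them into the array afterwards, as fiche.php now does for its labels, would keep the script in step with the gate. The `date_envoi` change to `$db->idate($now)` is fine; the adjacent `WHERE rowid=".$id` interpolation is unchanged and `$id` presumably comes from the command line here, but `WHERE rowid=".((int) $id)` would make that assumption explicit.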
......