Various fix (pre-commit, phpstan, usw.)

Dolibarr · Dec 11, 2024 · 4206dca · 4206dca
1 parent b2895d8
commit 4206dca
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 9 deletions.
diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php
@@ -3478,6 +3478,7 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 		if ($fuser->hasRight('ticket', $read)) {
 			$accessallowed = 1;
 		}
+		$email_split = explode('@', $_SESSION['email_customer']);
 		// include_once DOL_DOCUMENT_ROOT.'/ticket/class/ticket.class.php';
 		$sqlprotectagainstexternals = 'WITH tickets_roles (rowid) AS (SELECT rowid FROM '.MAIN_DB_PREFIX.'c_type_contact WHERE element = "ticket")';
 		$sqlprotectagainstexternals.= ' SELECT t.rowid, t.fk_soc FROM '.MAIN_DB_PREFIX.'ticket t';
@@ -3486,9 +3487,9 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 		$sqlprotectagainstexternals.= ' LEFT JOIN tickets_roles tr ON tr.rowid = ec.fk_c_type_contact';
 		$sqlprotectagainstexternals.= ' WHERE t.ref LIKE "'.$db->sanitize($refname).'"';
 		$sqlprotectagainstexternals.= ' AND (';
-		$sqlprotectagainstexternals.= ' (tr.rowid IS NOT NULL AND c.email = "'.$db->escape($_SESSION['email_customer']).'")';
+		$sqlprotectagainstexternals.= ' (tr.rowid IS NOT NULL AND c.email = "'.$db->sanitize($email_split[0]).'@'.$db->sanitize($email_split[1]).'")';
 		if (isset($_SESSION['email_customer'])) {
-			$sqlprotectagainstexternals.= ' OR t.origin_email = "'.$db->escape($_SESSION['email_customer']).'"';
+			$sqlprotectagainstexternals.= ' OR t.origin_email = "'.$db->sanitize($email_split[0]).'@'.$db->sanitize($email_split[1]).'"';
 		}
 		$sqlprotectagainstexternals.= ')';
 		$original_file = $conf->ticket->multidir_output[$entity].'/'.$original_file;

diff --git a/htdocs/document.php b/htdocs/document.php
@@ -266,7 +266,7 @@ function llxFooter()
 				}
 			}
 		}
-	} else if ($modulepart == 'ticket' && !getDolGlobalString('TICKET_EMAIL_MUST_EXISTS')) {
+	} elseif ($modulepart == 'ticket' && !getDolGlobalString('TICKET_EMAIL_MUST_EXISTS')) {
 		if ($sqlprotectagainstexternals) {
 			$resql = $db->query($sqlprotectagainstexternals);
 			if ($resql) {

diff --git a/htdocs/ecm/class/ecmfiles.class.php b/htdocs/ecm/class/ecmfiles.class.php
@@ -157,6 +157,11 @@ class EcmFiles extends CommonObject
 	 */
 	public $src_object_id;
 
+	/**
+	 * @var int ID of linked agenda event
+	 */
+	public $agenda_id;
+
 	/**
 	 * @var int section_id		ID of section = ID of EcmDirectory, directory of manual ECM (not stored into database)
 	 */
@@ -307,7 +312,7 @@ public function create(User $user, $notrigger = 0)
 			$this->entity = $conf->entity;
 		}
 		// Put here code to add control on parameters values
-		if (isset($this->agenda_id)) {
+		if (!empty($this->agenda_id)) {
 			$this->agenda_id = (int) $this->agenda_id;
 		}
 
@@ -361,7 +366,7 @@ public function create(User $user, $notrigger = 0)
 		$sql .= ' '.(!isset($this->acl) ? 'NULL' : "'".$this->db->escape($this->acl)."'").',';
 		$sql .= ' '.(!isset($this->src_object_type) ? 'NULL' : "'".$this->db->escape($this->src_object_type)."'").',';
 		$sql .= ' '.(!isset($this->src_object_id) ? 'NULL' : $this->src_object_id).',';
-		$sql .= ' '.(!isset($this->agenda_id) ? 'NULL' : (int) $this->agenda_id);
+		$sql .= ' '.(empty($this->agenda_id) ? 'NULL' : (int) $this->agenda_id);
 		$sql .= ')';
 
 		$this->db->begin();
@@ -750,7 +755,7 @@ public function update(User $user, $notrigger = 0)
 
 		// Check parameters
 		// Put here code to add a control on parameters values
-		if (isset($this->agenda_id)) {
+		if (!empty($this->agenda_id)) {
 			$this->agenda_id = (int) $this->agenda_id;
 		}
 

diff --git a/htdocs/ticket/class/actions_ticket.class.php b/htdocs/ticket/class/actions_ticket.class.php
@@ -346,8 +346,8 @@ public function viewTicketMessages($show_private, $show_user, $object)
 					$sql = 'SELECT ecm.rowid as id, ecm.src_object_type, ecm.src_object_id, ecm.agenda_id';
 					$sql .= ', ecm.filepath, ecm.filename, ecm.share';
 					$sql .= ' FROM '.MAIN_DB_PREFIX.'ecm_files ecm';
-					$sql .= " WHERE ecm.filepath = 'agenda/".$arraymsgs['id']."'";
-					$sql .= " OR (ecm.agenda_id = ".$arraymsgs['id']." AND ecm.src_object_type = 'ticket' AND ecm.src_object_id = ".$this->dao->id.")";
+					$sql .= " WHERE ecm.filepath = 'agenda/".(int) $arraymsgs['id']."'";
+					$sql .= " OR (ecm.agenda_id = ".(int) $arraymsgs['id']." AND ecm.src_object_type = 'ticket' AND ecm.src_object_id = ".(int) $this->dao->id.")";
 					$sql .= ' ORDER BY ecm.position ASC';
 
 					$resql = $this->db->query($sql);
@@ -381,10 +381,11 @@ public function viewTicketMessages($show_private, $show_user, $object)
 								$filePath = DOL_DATA_ROOT.'/'.$doc->filepath.'/'.$doc->filename;
 								$file_relative_path = $dir_ref.'/'.$doc->filename;
 								$mime = dol_mimetype($filePath);
+								$doclink = '';
 								if (!empty($doc->share)) {
 									$doclink = DOL_URL_ROOT.'/document.php?hashp='.urlencode($doc->share);
 								} elseif ($doc->src_object_type == 'ticket') {
-									$doclink = dol_buildpath('document.php', 1).'?modulepart='.$modulepart.'&attachment=0&file='.urlencode($file_relative_path).'&entity='.getentity('ticket', 0);
+									$doclink = dol_buildpath('document.php', 1).'?modulepart='.$modulepart.'&attachment=0&file='.urlencode($file_relative_path).'&entity='.getEntity('ticket', 0);
 								}
 
 								$mimeAttr = ' mime="'.$mime.'" ';