Merge branch 'Dolibarr:19.0' into 19.0

ChangeLog

@@ -2,6 +2,72 @@
 English Dolibarr ChangeLog
 --------------------------------------------------------------
 
+***** ChangeLog for 18.0.5 compared to 18.0.4 *****
+FIX: 17.0: deprecated field should only be a fallback
+FIX: 17.0 - php8 warnings: test for $field existence before checking if it is null or empty
+FIX: #24185: v18: display of the merged pdf lists
+FIX: #26416 BOM_SUB_BOM blank page
+FIX: #27166
+FIX: #27262 Recurrent invoice - user to string conversion
+FIX: #27970 #26283 #27970
+FIX: Accountancy - Level 3 of binding not working on supplier side (#27462)
+FIX: Accounting files export - Use th instead of td on all title columns (#28003)
+FIX: add action update_extras to don card
+FIX: Adding hooks init
+FIX: Adding the $encode parameter to recursive _replaceHtmlWithOdtTag() utilisation
+FIX: add new hook context for mo production card (#28037)
+FIX: avoid from re-initializing result on nested hook getEntity (#27799)
+FIX: avoid sql error (issue #26342)
+FIX: bad accountancy code autoselection for supplier ventilation
+FIX: Bad visible status of proposal after reopen
+FIX: Barcode header cell not well displayed
+FIX: BarCode Header not well displayed
+FIX: Bar code verification should be done by entity because generation does (#28087)
+FIX: can edit reminders on past events
+FIX: check parameter socid before cloning a customer proposal (#28085)
+FIX: crabe PDF is generating in conf->entity instead of object->entity
+FIX: CVE-2024-23817 (#28089)
+FIX: disable pointer events on jQuery-UI tooltips to prevent a glitch (fast-blinking tooltip)
+FIX: Error on emailreminder not reported
+FIX: Fatal error converting object of class User to string (php8)
+FIX: filter by entity on contact is missing
+FIX: Fix supplier invoice security check
+FIX: format of color in manifest is wrong when using a custom color
+FIX: #GHSA-7947-48q7-cp5m
+FIX: HTML injection vulnerability in Dolibarr Application Home Page
+FIX: invoice add line save devise
+FIX: Keep a link to enable a 'always_enabled' module to solve pb.
+FIX: label
+FIX: line special_code never saved (#28051)
+FIX: link to print when there is a search on multiselect fields
+FIX: Menu Create of project no working on smartphone with no top menu.
+FIX: missing $search_sale var (backport from v19)
+FIX: Missing begin transaction when updating supplier recurring invoice
+FIX: missing entity filter for check if period exists
+FIX: more correctly parse the select part to be replaced in sql queries
+FIX: MouvementStock::origin is not an object
+FIX: notification information on intervention validated confirmation message (v17+)
+FIX: not load all contacts by default when creating an event
+FIX: port in Docker MailDev
+FIX: propal use devise changes
+FIX: public user photo not visible if $dolibarr_main_instance_unique_id
+FIX: remove DISTINCT (backport from v19)
+FIX: remove specific name from v19
+FIX: Retours PR
+FIX: Return a better error message when token is not valid
+FIX: search by ref & rowid in don list
+FIX: search by thirdparty in don list
+FIX: several names for one const THIRDPARTY_CAN_HAVE_CUSTOMER_CATEGORY_EVEN_IF_NOT_CUSTOMER_PROSPECT
+FIX: SQL concatenation error
+FIX: [TAKEPOS] display prices with or without taxes depending on setup (TAKEPOS_CHANGE_PRICE_HT)
+FIX: Ternary operator condition is always true/false
+FIX: too long output
+FIX: Undefined property: Task::$fk_parent
+FIX: uniformization to use "intervention"
+FIX: Update loan.class.php (#27971)
+FIX: update price extrafield on propal card
+FIX: user filter in per user view of event list (#28049)
+FIX: use the currency for propal signature page
 
 ***** ChangeLog for 19.0.0 compared to 18.0.0 *****
 
@@ -157,7 +223,6 @@ NEW: Website: Support of js into the Dolibarr server preview
 NEW: TakePOS - add constant to check qty asked is available (#24820)
 NEW: TakePOS - add constant to choose contact instead of customer (#24807)
 NEW: TakePOS - amount label with or without tax in free product (#24829)
-NEW: TakePOS compatibility with lots and serials
 NEW: TakePOS compatibility with lots and serials (#26426)
 NEW: Top menu support picto of modules that are font awesome picto.
 NEW: updating by adding massactions for delete projects in societe tab
@@ -648,13 +713,13 @@ WARNING:
 
 Following changes may create regressions for some external modules, but were necessary to make Dolibarr better:
 * Minimal PHP version is now PHP 7.1 instead of PHP 7.0
-* Sensitive datas like keys in setup pages, that need encyption (for example the API keys of users, the CRON security key, the keys into the Stripe module, or 
+* Sensitive datas like keys in setup pages, that need encyption (for example the API keys of users, the CRON security key, the keys into the Stripe module, or
 external modules setup pages that store sensitive keys or password), are using the $dolibarr_main_instance_unique_id as part of the key for encryption. So,
-if you restore or duplicate the data from another instance dump, you must also update this parameter in ther conf.php file to allow decryption in the new instance, or 
+if you restore or duplicate the data from another instance dump, you must also update this parameter in ther conf.php file to allow decryption in the new instance, or
 better, you must reenter the sensitive data into the setup pages of the new instance to resave them correctly.
-Note that to find all the parameters that are encrypted into the setup database, you can do a "SELECT * FROM llx_const WHERE value LIKE '%dolcrypt%';"  
+Note that to find all the parameters that are encrypted into the setup database, you can do a "SELECT * FROM llx_const WHERE value LIKE '%dolcrypt%';"
 * The deprecated method "escapeunderscore()" of database handlers has been removed. You must use "escapeforlike()" instead.
-* The method "nb_expedition()" has been renamed into "countNbOfShipments()" 
+* The method "nb_expedition()" has been renamed into "countNbOfShipments()"
 * Revert default type of hooks. Default is now 'addreplace' hooks (and exception become 'output' hooks, that become deprecated).
 * Deprecated property libelle removed from entrepot class.
 * The type 'text' in ->fields property does not accept html content anymore. Use the type 'html' for that.
@@ -663,6 +728,117 @@ Note that to find all the parameters that are encrypted into the setup database,
 * The method getCheckOption() and deleteCPUser() of class Holiday has been removed (it was not used)
 
 
+***** ChangeLog for 17.0.4 compared to 17.0.3 *****
+FIX: $this->newref already exists and could have been modified by trigger but we still use a local variable for the filesystem-based renaming
+FIX: 16.0 only, backport fix for SQL error on global search product
+FIX: 17.0: deprecated field should only be a fallback
+FIX: 17.0 PHP8: supplier invoice class:
+FIX: 17.0 - php8 warnings: test for $field existence before checking is_null
+FIX: #25399 (#26694)
+FIX: #25458 intervention localizations (backport v17) (#26757)
+FIX: #25580 install/step1.php - wrong command line argument used for $main_dir (#25581)
+FIX: #25919
+FIX: #25934 #25929
+FIX: #26100 - Ticket - On edit, list of closed project must be excluded (#26223)
+FIX: #26195 - Various payment - List of project excluded those assigned to third parties (#26222)
+FIX: #26735 FIX: #26994
+FIX: #27262 Recurrent invoice - user to string conversion
+FIX: Accountancy - Possibility to write in bookkeeping expense report operation with some line not bound (#26545)
+FIX: Accountancy - Update Quadra export format
+FIX: add action update_extras to don card
+FIX: add_customer_ref_on_linked_shipment (#26349)
+FIX: add display of an error when attempting to delete a committed transaction (#26573)
+FIX: Adding the $encode parameter to recursive _replaceHtmlWithOdtTag() utilisation
+FIX: add warning in the changelog
+FIX: avoid php8 warnings (#25596)
+FIX: avoid warning : Cannot use a scalar value as an array (#26437)
+FIX: Backport memory fix for fatal error when +100000 products
+FIX: backport SQL error on global search product
+FIX: bad accountancy code autoselection for supplier ventilation
+FIX: Bad calculation of localtax when price_base_type not defined.
+FIX: bad check return for sendfile
+FIX: bad from and to
+FIX: Bad value of accounting account shown in list. Edit fails.
+FIX: Barcode header cell not well displayed
+FIX: Bar code verification should be done by entity because generation does (#28087)
+FIX: # Bug Estimated Stock at date value in V14 (#26479)
+FIX: Can't access to rec supplier invoice card
+FIX: Can't delete a fourn commande row if a commande ligne is linked
+FIX: check tva_tx before comparing price_min_ttc (#25220)
+FIX: commande context (#26497)
+FIX: compare the result of the send mail file function
+FIX: could not delete a fourn commande row if a commande ligne is linked
+FIX: count cronjob list differs of lines shown nb
+FIX: crabe PDF is generating in conf->entity instead of object->entity
+FIX: creation of invoice from contract with discount lines
+FIX: CVE-2024-23817 (#28089)
+FIX: dir output path for ODT models on reception card
+FIX: disable pointer events on jQuery-UI tooltips to prevent a glitch (fast-blinking tooltip)
+FIX: Error handling for computed values on import (#24897)
+FIX: escape HTML tags in return value of getFullName() (#26735)
+FIX: export FEC
+FIX: Fatal error converting object of class User to string (php8)
+FIX: fatal error with bad definition of dictionaries
+FIX: filter by entity on contact is missing
+FIX: Fix supplier invoice security check
+FIX: HTML in ODT templates (#26181)
+FIX: include
+FIX: label
+FIX: line special_code never saved (#28051)
+FIX: link to create purchase order from sale order
+FIX: menu auguria
+FIX: message order in ticket public view is not coherent with tickets events tab
+FIX: Missing begin transaction when updating supplier recurring invoice
+FIX: missing contact_id for the trigger
+FIX: Missing error message on CommandeFourn creation
+FIX: missing fk_account situation invoice
+FIX: missing project entity filter (Issue #26243) (#26247)
+FIX: modification of complementary attributes in commercial proposals
+FIX: modification of complementary attributes in invoices (#26180)
+FIX: more correctly parse the select part to be replaced in sql queries
+FIX: not create/update extrafields for visibility 0,2 and 5
+FIX: notification information on intervention validated confirmation message (v17+)
+FIX: payment card: misleading message when delete button disabled
+FIX: payment : language is not propagated to following pages
+FIX: pdf cornas page head multicell width (backport v17)
+FIX: possible inconsistency between llx_ecm_files and file system when BILL_SUPPLIER_VALIDATES changes ref
+FIX: Prices visible on TakePOS KO with multiprices support
+FIX: product list accounting length
+FIX: propal list : warning if product module is not enabled (#25583)
+FIX: Propal's negative quantities
+FIX: Quick search Intervention redirect to wrong page
+FIX: reception odt dir output path
+FIX: regression on rounding stocks fields on product list
+FIX_reload_linked_objects_on_propal_closeas
+FIX: Return right content type
+FIX: right access on salary card and tabs
+FIX: rights paymentsc paiementcharge
+FIX: same broken feature as v18 (Multicompany)
+FIX: Save user modif id when changing a contact status
+FIX: search by ref & rowid in don list
+FIX: search by thirdparty in don list
+FIX: special_code update line keep old value. (#26819)
+FIX: SQL concatenation error
+FIX: SQL request parenthesis
+FIX: substitute project variables in invoice documents (#26445)
+FIX: Suppliers addlines never have VAT if buyprice for this supplier
+FIX: [TAKEPOS] display prices with or without taxes depending on setup (TAKEPOS_CHANGE_PRICE_HT)
+FIX: TakePOS receipt preview in admin #25648
+FIX: template invoice list extrafield filters (backport v17) (#26227)
+FIX: thirdparty object in proposal card is not loaded
+FIX: too long output
+FIX: translation button
+FIX: use event.key instead event.which to avoid keyboard difference
+FIX: Use of line->insert instead of line->create
+FIX: user creation when LDAP is configured (#26332)
+FIX: Use the wrong logo size on PDF
+FIX: v17: Param $notrigger in $societe->create() causes method to return true regardless of actual result of database functions (#26499)
+FIX: warning param $lineID getSpecialCode is negatif (#26826)
+FIX: warning php8.2 undefined_array_key (#26830)
+FIX: warning when Workboard Responses display non numeric strings
+FIX: Wrong backtopage given for the stocktransfer button from the stocktransfer list (#26271)
+FIX: wrong place of trigger delete
+
 ***** ChangeLog for 17.0.3 compared to 17.0.2 *****
 FIX: #20304 propaldates update
 FIX: #24508 Label not reported when creating a supplier invoice template (#25340)
@@ -1056,7 +1232,7 @@ WARNING:
 Following changes may create regressions for some external modules, but were necessary to make Dolibarr better:
 * Minimal PHP version is now PHP 7.0 instead of PHP 5.6
 * Core has introduced a Universal Filter Syntax for seach criteria. Example: ((((field1:=:value1) OR (field2:in:1,2,3)) AND ...). In rare case, some filters
-  could be provided by URL parameters. For such cases (societe/ajax/company.php), use of Universal Filter Syntax become mandatory. 
+  could be provided by URL parameters. For such cases (societe/ajax/company.php), use of Universal Filter Syntax become mandatory.
 * The signature of method getNomUrl() of class ProductFournisseur has been modified to match the signature of method Product->getNomUrl()
 * Trigger ORDER_SUPPLIER_DISPATCH is removed, use ORDER_SUPPLIER_RECEIVE and/or LINEORDER_SUPPLIER_DISPATCH instead.
 * All functions fetch_all() have been set to deprecated for naming consitency, use fetchAll() instead.
@@ -1134,7 +1310,7 @@ FIX: #23019 Impossible to add task times to an existing draft invoice
 FIX: #23072
 FIX: #23075
 FIX: #23087
-FIX: #23115 
+FIX: #23115
 FIX: #23116
 FIX: #23117
 FIX: #23281

dev/setup/codesniffer/ruleset.xml

@@ -5,20 +5,20 @@
 	<arg name="tab-width" value="4"/>
 	<arg name="extensions" value="php" />
 
-	<exclude-pattern type="relative">build/html</exclude-pattern>
-	<exclude-pattern type="relative">build/aps</exclude-pattern>
-	<exclude-pattern type="relative">dev/tools/test/namespacemig</exclude-pattern>
-	<!-- <exclude-pattern type="relative">dev/initdata/dbf/includes</exclude-pattern> -->
-	<exclude-pattern type="relative">documents</exclude-pattern>
-	<exclude-pattern type="relative">htdocs/core/class/lessc.class.php</exclude-pattern>
-	<exclude-pattern type="relative">htdocs/custom</exclude-pattern>
-	<exclude-pattern type="relative">htdocs/includes</exclude-pattern>
-	<exclude-pattern type="relative">htdocs/install/doctemplates/websites</exclude-pattern>
-	<exclude-pattern type="relative">htdocs/conf.php</exclude-pattern>
-	<exclude-pattern type="relative">*/nltechno*</exclude-pattern>
-	<exclude-pattern type="relative">source</exclude-pattern>
-	<exclude-pattern type="relative">.git</exclude-pattern>
-	<exclude-pattern type="relative">.cache</exclude-pattern>
+	<!-- info: '*' is replaced with '.*', so better use '+' in some cases -->
+	<!-- info: 'relative' paths are relative to the examined file, so not ok. -->
+	<exclude-pattern>/build/(html|aps)/</exclude-pattern>
+	<exclude-pattern>/dev/tools/test/namespacemig/</exclude-pattern>
+	<!-- <exclude-pattern>dev/initdata/dbf/includes</exclude-pattern> -->
+	<exclude-pattern>/documents/</exclude-pattern>
+	<exclude-pattern>/htdocs/core/class/lessc\.class\.php</exclude-pattern>
+	<exclude-pattern>/htdocs/(custom|includes)/</exclude-pattern>
+	<exclude-pattern>/htdocs/install/doctemplates/websites</exclude-pattern>
+	<exclude-pattern>/htdocs/([^/]+/)?conf\.php</exclude-pattern>
+	<exclude-pattern>*/nltechno*</exclude-pattern>
+	<exclude-pattern>/source/</exclude-pattern>
+	<exclude-pattern>/\.git/</exclude-pattern>
+	<exclude-pattern>/\.cache/</exclude-pattern>
 
 	<!-- List of all tests -->
 

htdocs/barcode/codeinit.php

@@ -108,6 +108,7 @@
 		$nbok = 0;
 		if (!empty($eraseallthirdpartybarcode)) {
 			$sql = "UPDATE ".MAIN_DB_PREFIX."societe";
+			$sql .= " AND entity IN (".getEntity('societe').")";
 			$sql .= " SET barcode = NULL";
 			$resql = $db->query($sql);
 			if ($resql) {
@@ -120,6 +121,7 @@
 			$sql = "SELECT rowid";
 			$sql .= " FROM ".MAIN_DB_PREFIX."societe";
 			$sql .= " WHERE barcode IS NULL or barcode = ''";
+			$sql .= " AND entity IN (".getEntity('societe').")";
 			$sql .= $db->order("datec", "ASC");
 			$sql .= $db->plimit($maxperinit);
 
@@ -212,6 +214,7 @@
 		if (!empty($eraseallproductbarcode)) {
 			$sql = "UPDATE ".MAIN_DB_PREFIX."product";
 			$sql .= " SET barcode = NULL";
+			$sql .= " WHERE entity IN (".getEntity('product').")";
 			$resql = $db->query($sql);
 			if ($resql) {
 				setEventMessages($langs->trans("AllBarcodeReset"), null, 'mesgs');
@@ -223,6 +226,7 @@
 			$sql = "SELECT rowid, ref, fk_product_type";
 			$sql .= " FROM ".MAIN_DB_PREFIX."product";
 			$sql .= " WHERE barcode IS NULL or barcode = ''";
+			$sql .= " AND entity IN (".getEntity('product').")";
 			$sql .= $db->order("datec", "ASC");
 			$sql .= $db->plimit($maxperinit);
 
@@ -324,6 +328,7 @@ function confirm_erase() {
 	}
 
 	$sql = "SELECT count(rowid) as nb FROM ".MAIN_DB_PREFIX."societe";
+	$sql .= " WHERE entity IN (".getEntity('societe').")";
 	$resql = $db->query($sql);
 	if ($resql) {
 		$obj = $db->fetch_object($resql);
@@ -378,6 +383,7 @@ function confirm_erase() {
 	$sql = "SELECT count(rowid) as nb, fk_product_type, datec";
 	$sql .= " FROM ".MAIN_DB_PREFIX."product";
 	$sql .= " WHERE barcode IS NULL OR barcode = ''";
+	$sql .= " AND entity IN (".getEntity('product').")";
 	$sql .= " GROUP BY fk_product_type, datec";
 	$sql .= " ORDER BY datec";
 	$resql = $db->query($sql);
@@ -396,6 +402,7 @@ function confirm_erase() {
 	}
 
 	$sql = "SELECT count(rowid) as nb FROM ".MAIN_DB_PREFIX."product";
+	$sql .= " WHERE entity IN (".getEntity('product').")";
 	$resql = $db->query($sql);
 	if ($resql) {
 		$obj = $db->fetch_object($resql);

htdocs/bom/bom_card.php

@@ -731,7 +731,7 @@
 						print '<a class="butAction" href="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'&amp;action=validate&amp;token='.newToken().'">'.$langs->trans("Validate").'</a>'."\n";
 					} else {
 						$langs->load("errors");
-						print '<a class="butActionRefused" href="" title="'.$langs->trans("ErrorAddAtLeastOneLineFirst").'">'.$langs->trans("Validate").'</a>'."\n";
+						print '<a class="butActionRefused classfortooltip" href="" title="'.$langs->trans("ErrorAddAtLeastOneLineFirst").'">'.$langs->trans("Validate").'</a>'."\n";
 					}
 				}
 			}