Merge branch 'seeddms-5.1.x' into seeddms-6.0.x

2025-05-14 05:31:42 +00:00 · 2021-01-25 10:09:47 +01:00 · 2021-01-25 10:09:47 +01:00 · 590a93525c
commit 590a93525c
parent 518eecde18 4b91c390c3
25 changed files with 165 additions and 57 deletions
--- a/1
+++ b/1
@ -192,6 +192,7 @@
  meta data
 - fix potential clickjacking attack with manipulated email address of a user
 - loading more items on ViewFolder page obeys sort order
 - fix possible csrf attacks due to missing form token
 --------------------------------------------------------------------------------
                     Changes in version 5.1.21
--- a/op/op.AddDocumentLink.php
+++ b/op/op.AddDocumentLink.php
@ -28,6 +28,11 @@ include("../inc/inc.DBInit.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");
 /* Check if the form data comes from a trusted request */
 if(!checkFormKey('adddocumentlink', 'GET')) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
 }
 if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
--- a/op/op.AddEvent.php
+++ b/op/op.AddEvent.php
@ -34,6 +34,11 @@ if ($user->isGuest()) {
 	UI::exitError(getMLText("edit_event"),getMLText("access_denied"));
 }
 /* Check if the form data comes from a trusted request */
 if(!checkFormKey('addevent')) {
 	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
 }
 if (!isset($_POST["from"]) && !(isset($_POST["frommonth"]) && isset($_POST["fromday"]) && isset($_POST["fromyear"])) ) {
 	UI::exitError(getMLText("add_event"),getMLText("error_occured"));
 }
--- a/op/op.ChangePassword.php
+++ b/op/op.ChangePassword.php
@ -38,6 +38,11 @@ function _printMessage($heading, $message) {
 	return;
 }
 /* Check if the form data comes from a trusted request */
 if(!checkFormKey('changepassword')) {
 	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
 }
 if (isset($_POST["hash"])) {
 	$hash = $_POST["hash"];
 }
--- a/op/op.EditDocument.php
+++ b/op/op.EditDocument.php
@ -32,6 +32,11 @@ include("../inc/inc.Authentication.php");
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
 /* Check if the form data comes from a trusted request */
 if(!checkFormKey('editdocument')) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
 }
 if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
--- a/op/op.EditFolder.php
+++ b/op/op.EditFolder.php
@ -32,6 +32,11 @@ include("../inc/inc.Authentication.php");
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
 /* Check if the form data comes from a trusted request */
 if(!checkFormKey('editfolder')) {
 	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
 }
 if (!isset($_POST["folderid"]) || !is_numeric($_POST["folderid"]) || intval($_POST["folderid"])<1) {
 	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_folder_id"))),getMLText("invalid_folder_id"));
 }
--- a/op/op.EditUserData.php
+++ b/op/op.EditUserData.php
@ -37,6 +37,11 @@ if (!$user->isAdmin() && ($settings->_disableSelfEdit)) {
 	UI::exitError(getMLText("edit_user_details"),getMLText("access_denied"));
 }
 /* Check if the form data comes from a trusted request */
 if(!checkFormKey('edituserdata')) {
 	UI::exitError(getMLText("edit_user_details"),getMLText("invalid_request_token"));
 }
 $fullname = $_POST["fullname"];
 $email    = $_POST["email"];
 $comment  = $_POST["comment"];
--- a/op/op.MoveDocument.php
+++ b/op/op.MoveDocument.php
@ -20,6 +20,7 @@
 include("../inc/inc.Settings.php");
 include("../inc/inc.LogInit.php");
 include("../inc/inc.Utils.php");
 include("../inc/inc.Language.php");
 include("../inc/inc.Init.php");
 include("../inc/inc.Extension.php");
@ -27,6 +28,11 @@ include("../inc/inc.DBInit.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");
 /* Check if the form data comes from a trusted request */
 if(!checkFormKey('movedocument', 'GET')) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
 }
 if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
@ -62,15 +68,18 @@ if($document->isLocked()) {
 	}
 }
 if ($targetid == $oldFolder->getID()) {
 	UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("target_equals_source_folder"));
 }
 /* Check if name already exists in the folder */
 if(!$settings->_enableDuplicateDocNames) {
 	if($targetFolder->hasDocumentByName($document->getName())) {
-		UI::exitError(getMLText("folder_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("document_duplicate_name"));
+		UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("document_duplicate_name"));
 	}
 }
-if ($targetid != $oldFolder->getID()) {
+if ($document->setFolder($targetFolder)) {
 	if ($document->setFolder($targetFolder)) {
 	// Send notification to subscribers.
 	if($notifier) {
 		$nl1 = $oldFolder->getNotifyList();
@ -99,9 +108,8 @@ if ($targetid != $oldFolder->getID()) {
 //				$notifier->toIndividual($user, $document->getOwner(), $subject, $message, $params);
 	}
-	} else {
+} else {
 	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("error_occured"));
 	}
 }
 add_log_line();
--- a/op/op.MoveFolder.php
+++ b/op/op.MoveFolder.php
@ -20,6 +20,7 @@
 include("../inc/inc.Settings.php");
 include("../inc/inc.LogInit.php");
 include("../inc/inc.Utils.php");
 include("../inc/inc.Language.php");
 include("../inc/inc.Init.php");
 include("../inc/inc.Extension.php");
@ -27,6 +28,11 @@ include("../inc/inc.DBInit.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");
 /* Check if the form data comes from a trusted request */
 if(!checkFormKey('movefolder', 'GET')) {
 	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
 }
 if (!isset($_GET["folderid"]) || !is_numeric($_GET["folderid"]) || intval($_GET["folderid"])<1) {
 	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_folder_id"))),getMLText("invalid_folder_id"));
 }
@ -52,6 +58,11 @@ if (!is_object($targetFolder)) {
 	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_folder_id"))),getMLText("invalid_folder_id"));
 }
 $oldFolder = $folder->getParent();
 if ($targetid == $oldFolder->getID()) {
 	UI::exitError(getMLText("folder_title", array("foldername" => htmlspecialchars($folder->getName()))),getMLText("target_equals_source_folder"));
 }
 if($folder->isSubFolder($targetFolder)) {
 	UI::exitError(getMLText("folder_title", array("foldername" => $folder->getName())),getMLText("invalid_target_folder"));
 }
@ -67,7 +78,6 @@ if(!$settings->_enableDuplicateSubFolderNames) {
 	}
 }
 $oldFolder = $folder->getParent();
 if ($folder->setParent($targetFolder)) {
 	// Send notification to subscribers.
 	if($notifier) {
--- a/op/op.OverrideContentStatus.php
+++ b/op/op.OverrideContentStatus.php
@ -34,6 +34,12 @@ $accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
 if(!$accessop->check_controller_access($tmp[1] /*$controller*/)) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
 }
 /* Check if the form data comes from a trusted request */
 if(!checkFormKey('overridecontentstatus')) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
 }
 if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
--- a/op/op.SetExpires.php
+++ b/op/op.SetExpires.php
@ -28,6 +28,11 @@ include("../inc/inc.DBInit.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");
 /* Check if the form data comes from a trusted request */
 if(!checkFormKey('setexpires')) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
 }
 if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
--- a/op/op.Settings.php
+++ b/op/op.Settings.php
@ -44,6 +44,11 @@ if (!$user->isAdmin()) {
 	UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 }
 /* Check if the form data comes from a trusted request */
 if(!checkFormKey('savesettings')) {
 	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
 }
 if (isset($_POST["action"])) $action=$_POST["action"];
 else if (isset($_GET["action"])) $action=$_GET["action"];
 else $action=NULL;
--- a/views/bootstrap/class.AddEvent.php
+++ b/views/bootstrap/class.AddEvent.php
@ -84,6 +84,7 @@ $(document).ready(function() {
 ?>
 <form class="form-horizontal" action="../op/op.AddEvent.php" id="form1" name="form1" method="post">
 		<?php echo createHiddenFieldWithKey('addevent'); ?>
 <?php
 		$this->formField(
--- a/views/bootstrap/class.Bootstrap.php
+++ b/views/bootstrap/class.Bootstrap.php
@ -2486,6 +2486,21 @@ $(function() {
 		return '';
 	} /* }}} */
 	function printAccessButton($object, $return=false) { /* {{{ */
 		$content = '';
 		$objid = $object->getId();
 		if($object->isType('document')) {
 			$content .= '<a class="access-document-btn" href="../out/out.DocumentAccess.php?documentid='.$objid.'" title="'.getMLText('edit_document_access').'"><i class="fa fa-bolt"></i></a>';
 		} elseif($object->isType('folder')) {
 			$content .= '<a class="access-folder-btn" href="../out/out.FolderAccess.php?folderid='.$objid.'" title="'.getMLText('edit_folder_access').'"><i class="fa fa-bolt"></i></a>';
 		}
 		if($return)
 			return $content;
 		else
 			echo $content;
 		return '';
 	} /* }}} */
 	/**
 	 * Output left-arrow with link which takes over a number of ids into
 	 * a select box.
@ -2936,6 +2951,9 @@ $('body').on('click', '[id^=\"table-row-folder\"] td:nth-child(2)', function(ev)
 			if($document->getAccessMode($user) >= M_READWRITE) {
 				$content .= $this->printLockButton($document, 'splash_document_locked', 'splash_document_unlocked', true);
 			}
 			if($document->getAccessMode($user) >= M_READWRITE) {
 				$content .= $this->printAccessButton($document, true);
 			}
 			if($enableClipboard) {
 				$content .= '<a class="addtoclipboard" rel="D'.$docID.'" msg="'.getMLText('splash_added_to_clipboard').'" title="'.getMLText("add_to_clipboard").'"><i class="fa fa-copy"></i></a>';
 			}
@ -3065,6 +3083,9 @@ $('body').on('click', '[id^=\"table-row-folder\"] td:nth-child(2)', function(ev)
 		} else {
 			$content .= '<span style="padding: 2px; color: #CCC;"><i class="fa fa-edit"></i></span>';
 		}
 		if($subFolderAccessMode >= M_READWRITE) {
 			$content .= $this->printAccessButton($subFolder, true);
 		}
 		if($enableClipboard) {
 			$content .= '<a class="addtoclipboard" rel="F'.$subFolder->getID().'" msg="'.getMLText('splash_added_to_clipboard').'" title="'.getMLText("add_to_clipboard").'"><i class="fa fa-copy"></i></a>';
 		}
--- a/views/bootstrap/class.ChangePassword.php
+++ b/views/bootstrap/class.ChangePassword.php
@ -51,6 +51,7 @@ document.form1.newpassword.focus();
 		$this->contentContainerStart();
 ?>
 <form class="form-horizontal" action="../op/op.ChangePassword.php" method="post" name="form1">
 	<?php echo createHiddenFieldWithKey('changepassword'); ?>
 <?php
 		if ($referuri) {
 			echo "<input type='hidden' name='referuri' value='".$referuri."'/>";
--- a/views/bootstrap/class.EditDocument.php
+++ b/views/bootstrap/class.EditDocument.php
@ -90,6 +90,7 @@ $(document).ready( function() {
 			$expdate = '';
 ?>
 <form class="form-horizontal" action="../op/op.EditDocument.php" name="form1" id="form1" method="post">
 		<?php echo createHiddenFieldWithKey('editdocument'); ?>
 	<input type="hidden" name="documentid" value="<?php echo $document->getID() ?>">
 <?php
 		$this->formField(
--- a/views/bootstrap/class.EditFolder.php
+++ b/views/bootstrap/class.EditFolder.php
@ -81,6 +81,7 @@ $(document).ready(function() {
 		$this->contentContainerStart();
 ?>
 <form class="form-horizontal" action="../op/op.EditFolder.php" id="form1" name="form1" method="post">
 		<?php echo createHiddenFieldWithKey('editfolder'); ?>
 		<input type="hidden" name="folderid" value="<?php print $folder->getID();?>">
 		<input type="hidden" name="showtree" value="<?php echo showtree();?>">
 <?php
--- a/views/bootstrap/class.EditUserData.php
+++ b/views/bootstrap/class.EditUserData.php
@ -103,6 +103,7 @@ $(document).ready( function() {
 		$this->contentContainerStart();
 ?>
 <form class="form-horizontal" action="../op/op.EditUserData.php" enctype="multipart/form-data" method="post" id="form">
 	<?php echo createHiddenFieldWithKey('edituserdata'); ?>
 <?php
 		$this->formField(
 			getMLText("current_password"),
--- a/views/bootstrap/class.ForcePasswordChange.php
+++ b/views/bootstrap/class.ForcePasswordChange.php
@ -77,31 +77,42 @@ $(document).ready( function() {
 		echo "<div class=\"alert\">".getMLText('password_expiration_text')."</div>";
 		$this->contentContainerStart();
 ?>
-<form action="../op/op.EditUserData.php" method="post" id="form" name="form1">
+<form class="form-horizontal" action="../op/op.EditUserData.php" method="post" id="form" name="form1">
-<table>
+	<?php echo createHiddenFieldWithKey('edituserdata'); ?>
-	<tr>
+<?php
-		<td><?php printMLText("current_password");?>:</td>
+		$this->formField(
-		<td><input id="currentpwd" type="Password" name="currentpwd" size="30"></td>
+			getMLText("current_password"),
-	</tr>
+			array(
-	<tr>
+				'element'=>'input',
-		<td><?php printMLText("password");?>:</td>
+				'type'=>'password',
-		<td><input id="pwd" class="pwd" type="Password" rel="strengthbar" name="pwd" size="30"></td>
+				'id'=>'currentpwd',
-	</tr>
+				'name'=>'currentpwd',
-		<tr>
+				'autocomplete'=>'off',
-			<td><?php printMLText("password_strength");?>:</td>
+				'required'=>true
-			<td>
+			)
-				<div id="strengthbar" class="progress" style="width: 220px; height: 30px; margin-bottom: 8px;"><div class="bar bar-danger" style="width: 0%;"></div></div>
+		);
-			</td>
+		$this->formField(
-		</tr>
+			getMLText("new_password"),
-	<tr>
+			'<input class="pwd" type="password" rel="strengthbar" id="pwd" name="pwd" size="30">'
-		<td><?php printMLText("confirm_pwd");?>:</td>
+		);
-		<td><input id="pwdconf" type="Password" name="pwdconf" size="30"></td>
+		if($passwordstrength) {
-	</tr>
+			$this->formField(
-	<tr>
+				getMLText("password_strength"),
-		<td></td>
+				'<div id="strengthbar" class="progress" style="width: 220px; height: 30px; margin-bottom: 8px;"><div class="bar bar-danger" style="width: 0%;"></div></div>'
-		<td><input class="btn" type="submit" value="<?php printMLText("submit_userinfo") ?>"></td>
+			);
-	</tr>
+		}
-</table>
+		$this->formField(
 			getMLText("confirm_pwd"),
 			array(
 				'element'=>'input',
 				'type'=>'password',
 				'id'=>'pwdconf',
 				'name'=>'pwdconf',
 				'autocomplete'=>'off',
 			)
 		);
 		$this->formSubmit("<i class=\"fa fa-save\"></i> ".getMLText('submit_password'));
 ?>
 <input type="hidden" name="fullname" value="<?php print htmlspecialchars($user->getFullName());?>" />
 <input type="hidden" name="email" value="<?php print htmlspecialchars($user->getEmail());?>" />
 <input type="hidden" name="comment" value="<?php print htmlspecialchars($user->getComment());?>" />
--- a/views/bootstrap/class.MoveDocument.php
+++ b/views/bootstrap/class.MoveDocument.php
@ -52,6 +52,7 @@ class SeedDMS_View_MoveDocument extends SeedDMS_Bootstrap_Style {
 		$this->contentContainerStart('warning');
 ?>
 <form class="form-horizontal" action="../op/op.MoveDocument.php" name="form1">
 	<?php echo createHiddenFieldWithKey('movedocument'); ?>
 	<input type="hidden" name="documentid" value="<?php print $document->getID();?>">
 <?php
 		$this->formField(getMLText("choose_target_folder"), $this->getFolderChooserHtml("form1", M_READWRITE, -1, $target));
--- a/views/bootstrap/class.MoveFolder.php
+++ b/views/bootstrap/class.MoveFolder.php
@ -52,6 +52,7 @@ class SeedDMS_View_MoveFolder extends SeedDMS_Bootstrap_Style {
 ?>
 <form class="form-horizontal" action="../op/op.MoveFolder.php" name="form1">
 	<?php echo createHiddenFieldWithKey('movefolder'); ?>
 	<input type="hidden" name="folderid" value="<?php print $folder->getID();?>">
 	<input type="hidden" name="showtree" value="<?php echo showtree();?>">
 <?php
--- a/views/bootstrap/class.OverrideContentStatus.php
+++ b/views/bootstrap/class.OverrideContentStatus.php
@ -85,6 +85,7 @@ $(document).ready(function() {
 // Display the Review form.
 ?>
 <form class="form-horizontal" method="post" action="../op/op.OverrideContentStatus.php" id="form1" name="form1">
 	<?php echo createHiddenFieldWithKey('overridecontentstatus'); ?>
 	<input type='hidden' name='documentid' value='<?php echo $document->getID() ?>'/>
 	<input type='hidden' name='version' value='<?php echo $content->getVersion() ?>'/>
 <?php
--- a/views/bootstrap/class.SetExpires.php
+++ b/views/bootstrap/class.SetExpires.php
@ -66,6 +66,7 @@ $(document).ready( function() {
 <form class="form-horizontal" action="../op/op.SetExpires.php" method="post">
 <input type="hidden" name="documentid" value="<?php print $document->getID();?>">
 	<?php echo createHiddenFieldWithKey('setexpires'); ?>
 <?php
 		$options = array();
 		$options[] = array('never', getMLText('does_not_expire'));
--- a/views/bootstrap/class.Settings.php
+++ b/views/bootstrap/class.Settings.php
@ -256,6 +256,7 @@ class SeedDMS_View_Settings extends SeedDMS_Bootstrap_Style {
 ?>
  <form action="../op/op.Settings.php" method="post" enctype="multipart/form-data" name="form0" >
 	<?php echo createHiddenFieldWithKey('savesettings'); ?>
  <input type="hidden" name="action" value="saveSettings" />
 	<input type="hidden" id="currenttab" name="currenttab" value="<?php echo $currenttab ? $currenttab : 'site'; ?>" />
 <?php
--- a/views/bootstrap/class.ViewDocument.php
+++ b/views/bootstrap/class.ViewDocument.php
@ -1810,6 +1810,7 @@ class SeedDMS_View_ViewDocument extends SeedDMS_Bootstrap_Style {
 			<br>
 			<form action="../op/op.AddDocumentLink.php" name="form1" class="form-horizontal">
 			<input type="hidden" name="documentid" value="<?php print $documentid;?>">
 			<?php echo createHiddenFieldWithKey('adddocumentlink'); ?>
 			<?php $this->formField(getMLText("add_document_link"), $this->getDocumentChooserHtml("form1")); ?>
 			<?php
 			if ($document->getAccessMode($user) >= M_READWRITE) {