
Merge remote-tracking branch 'upstream/develop' into ecm_extrafields

Frédéric FRANCE 4 年之前
父节点
当前提交
7afb62c55d
共有 100 个文件被更改,包括 619 次插入361 次删除
  1. 7 6
      ChangeLog
  2. 4 4
      README.md
  3. 2 2
      htdocs/accountancy/admin/account.php
  4. 2 2
      htdocs/accountancy/admin/accountmodel.php
  5. 2 2
      htdocs/accountancy/admin/card.php
  6. 1 1
      htdocs/accountancy/admin/categories.php
  7. 0 16
      htdocs/accountancy/admin/defaultaccounts.php
  8. 2 2
      htdocs/accountancy/admin/fiscalyear_card.php
  9. 5 5
      htdocs/accountancy/journal/bankjournal.php
  10. 1 1
      htdocs/adherents/card.php
  11. 2 2
      htdocs/adherents/subscription/card.php
  12. 1 1
      htdocs/adherents/type.php
  13. 2 2
      htdocs/adherents/type_translation.php
  14. 1 1
      htdocs/admin/boxes.php
  15. 1 1
      htdocs/admin/const.php
  16. 2 2
      htdocs/admin/defaultvalues.php
  17. 2 2
      htdocs/admin/dict.php
  18. 2 2
      htdocs/admin/emailcollector_card.php
  19. 2 2
      htdocs/admin/expensereport_ik.php
  20. 2 2
      htdocs/admin/expensereport_rules.php
  21. 1 1
      htdocs/admin/mails_senderprofile_list.php
  22. 2 2
      htdocs/admin/mails_templates.php
  23. 9 9
      htdocs/admin/menus/index.php
  24. 2 2
      htdocs/admin/oauthlogintokens.php
  25. 1 1
      htdocs/admin/paymentbybanktransfer.php
  26. 1 1
      htdocs/admin/prelevement.php
  27. 2 2
      htdocs/admin/receiptprinter.php
  28. 2 2
      htdocs/admin/translation.php
  29. 2 2
      htdocs/admin/website.php
  30. 1 1
      htdocs/asset/card.php
  31. 1 1
      htdocs/asset/type.php
  32. 1 1
      htdocs/bom/bom_card.php
  33. 1 1
      htdocs/bom/tpl/objectline_view.tpl.php
  34. 2 2
      htdocs/bookmarks/card.php
  35. 2 2
      htdocs/bookmarks/list.php
  36. 1 1
      htdocs/categories/photos.php
  37. 1 1
      htdocs/categories/traduction.php
  38. 1 1
      htdocs/categories/viewcat.php
  39. 1 1
      htdocs/comm/action/card.php
  40. 1 1
      htdocs/comm/action/class/actioncomm.class.php
  41. 1 3
      htdocs/comm/card.php
  42. 1 1
      htdocs/comm/mailing/card.php
  43. 1 1
      htdocs/comm/mailing/cibles.php
  44. 2 2
      htdocs/comm/propal/card.php
  45. 1 1
      htdocs/commande/card.php
  46. 1 1
      htdocs/commande/customer.php
  47. 12 2
      htdocs/commande/list.php
  48. 1 1
      htdocs/compta/bank/bankentries_list.php
  49. 2 2
      htdocs/compta/bank/card.php
  50. 2 2
      htdocs/compta/bank/categ.php
  51. 1 1
      htdocs/compta/bank/various_payment/card.php
  52. 1 1
      htdocs/compta/deplacement/card.php
  53. 3 3
      htdocs/compta/facture/card.php
  54. 1 1
      htdocs/compta/facture/prelevement.php
  55. 1 1
      htdocs/compta/localtax/card.php
  56. 2 2
      htdocs/compta/paiement/cheque/card.php
  57. 1 1
      htdocs/compta/payment_sc/card.php
  58. 5 5
      htdocs/compta/sociales/card.php
  59. 1 1
      htdocs/compta/tva/card.php
  60. 1 1
      htdocs/contact/canvas/default/tpl/contactcard_view.tpl.php
  61. 1 1
      htdocs/contact/card.php
  62. 64 35
      htdocs/contact/class/contact.class.php
  63. 47 44
      htdocs/contact/list.php
  64. 2 2
      htdocs/contrat/card.php
  65. 3 3
      htdocs/core/actions_massactions.inc.php
  66. 2 2
      htdocs/core/class/commonobject.class.php
  67. 8 10
      htdocs/core/class/html.form.class.php
  68. 3 3
      htdocs/core/class/html.formfile.class.php
  69. 1 0
      htdocs/core/filemanagerdol/browser/default/frmupload.php
  70. 9 7
      htdocs/core/lib/functions2.lib.php
  71. 3 3
      htdocs/core/modules/dons/html_cerfafr.modules.php
  72. 169 0
      htdocs/core/modules/modPropale.class.php
  73. 2 2
      htdocs/core/modules/printing/printgcp.modules.php
  74. 2 2
      htdocs/core/tpl/admin_extrafields_view.tpl.php
  75. 2 2
      htdocs/core/tpl/bloc_comment.tpl.php
  76. 3 3
      htdocs/core/tpl/contacts.tpl.php
  77. 2 2
      htdocs/core/tpl/resource_view.tpl.php
  78. 1 1
      htdocs/cron/card.php
  79. 2 2
      htdocs/cron/list.php
  80. 1 1
      htdocs/don/card.php
  81. 1 1
      htdocs/don/payment/card.php
  82. 1 1
      htdocs/ecm/dir_add_card.php
  83. 1 1
      htdocs/ecm/dir_card.php
  84. 1 1
      htdocs/ecm/file_card.php
  85. 2 2
      htdocs/expedition/card.php
  86. 2 2
      htdocs/expensereport/card.php
  87. 1 1
      htdocs/expensereport/payment/card.php
  88. 1 1
      htdocs/exports/class/export.class.php
  89. 2 2
      htdocs/fichinter/card-rec.php
  90. 1 1
      htdocs/fichinter/card.php
  91. 2 2
      htdocs/fichinter/class/fichinter.class.php
  92. 1 1
      htdocs/fourn/card.php
  93. 9 4
      htdocs/fourn/class/fournisseur.facture.class.php
  94. 1 1
      htdocs/fourn/commande/card.php
  95. 137 79
      htdocs/fourn/commande/list.php
  96. 3 3
      htdocs/fourn/facture/card.php
  97. 1 1
      htdocs/fourn/paiement/card.php
  98. 4 4
      htdocs/ftp/index.php
  99. 1 1
      htdocs/holiday/card.php
  100. 1 1
      htdocs/hrm/establishment/card.php

+ 7 - 6
ChangeLog

@@ -13,16 +13,17 @@ WARNING:
 
 Following changes may create regressions for some external modules, but were necessary to make Dolibarr better:
 * Properties ->contactid has been renamed into ->contact_id
-* Property $paiementid in API api_supplier_invoices has been renamed into into $payment_mode_id (english)
+* Property $paiementid in API 'api_supplier_invoices.php' has been renamed into into $payment_mode_id (english)
 * The deprecated subsitution key __SIGNATURE__ has been removed. Replace with __USER_SIGNATURE__ if you used the old syntax in
   your email templates. 
 * The hidden option HOLIDAY_MORE_PUBLIC_HOLIDAYS has been removed. Use instead the dictionary table if you need to define custom
   days of holiday.
-* Property num_paiement has been renamed num_payment everywhere for better code consistency.
-* If you build a class that implement CommonObject to use the incoterm properties or method (->fk_incoterm, ->label_incoterm, ->location_incoterm),
-  you must now also include declaration of the Trait CommonIncoterm in your class. All incoterm functions were moved into this Trait. 
-* The GETPOST(..., 'alpha') has now the same behaviour than GETPOST(..., 'alphanohtml');
-
+* Property 'num_paiement' has been renamed 'num_payment' everywhere for better code consistency.
+* If you build a class that implement CommonObject to use the incoterm properties or methods (->fk_incoterm, ->label_incoterm, ->location_incoterm),
+  you must now also include declaration of the Trait 'CommonIncoterm' in your class. All incoterm functions were moved into this Trait. 
+* The GETPOST(..., 'alpha') has now the same behaviour than GETPOST(..., 'alphanohtml') so no html will be allowed. Use GETPOST(..., 'restricthtml') to accept HTML.
+* If you have links in your code with '&action=delete' as a parameter, you must also add '&token='.newToken() as another parameter to avoid CSRF protection errors.
+ 
 
 ***** ChangeLog for 12.0.3 compared to 12.0.2 *****
 FIX: 10.0 - when the mime file name is different from the filesystem name, the attachment name should be the mime filename

+ 4 - 4
README.md

@@ -29,8 +29,8 @@ Other licenses apply for some included dependencies. See [COPYRIGHT](https://git
 
 If you have low technical skills and you're looking to install Dolibarr ERP/CRM in just a few clicks, you can use one of the packaged versions:
 
-- [DoliWamp for Windows](https://wiki.dolibarr.org/index.php/Dolibarr_for_Windows_(DoliWamp)
-- [DoliDeb for Debian](https://wiki.dolibarr.org/index.php/Dolibarr_for_Ubuntu_or_Debian
+- [DoliWamp for Windows](https://wiki.dolibarr.org/index.php/Dolibarr_for_Windows_DoliWamp)
+- [DoliDeb for Debian](https://wiki.dolibarr.org/index.php/Dolibarr_for_Ubuntu_or_Debian)
 - DoliRpm for Redhat, Fedora, OpenSuse, Mandriva or Mageia
 
 Releases can be downloaded from [official website](https://www.dolibarr.org/).
@@ -77,8 +77,8 @@ If you don't have time to install it yourself, you can try some commercial 'read
 ## UPGRADING
 
 Dolibarr supports upgrading usually wihtout the need for any (commercial) support (depending on if you use any commercial extensions) and supports upgrading all the way from any version after 2.8 without breakage. This is unique in the ERP ecosystem and a benefit our users highly appreciate!
-
-- At first make a backup of your Dolibarr files & than see https://wiki.dolibarr.org/index.php/Installation_-_Upgrade#Upgrade_Dolibarr
+ 
+- At first make a backup of your Dolibarr files & than [see](https://wiki.dolibarr.org/index.php/Installation_-_Upgrade#Upgrade_Dolibarr)
 - Check that your installed PHP version is supported by the new version [see PHP support](./doc/phpmatrix.md).
 - Overwrite all old files from 'dolibarr' directory with files provided into the new version's package.
 - At first next access, Dolibarr will redirect you to the "install/" page to follow the upgrade process.

+ 2 - 2
htdocs/accountancy/admin/account.php

@@ -481,11 +481,11 @@ if ($resql)
 		// Action
 		print '<td class="center">';
 		if ($user->rights->accounting->chartofaccount) {
-			print '<a class="editfielda" href="./card.php?action=update&id='.$obj->rowid.'&backtopage='.urlencode($_SERVER["PHP_SELF"].'?chartofaccounts='.$object->id).'">';
+			print '<a class="editfielda" href="./card.php?action=update&token='.newToken().'&id='.$obj->rowid.'&backtopage='.urlencode($_SERVER["PHP_SELF"].'?chartofaccounts='.$object->id).'">';
 			print img_edit();
 			print '</a>';
 			print '&nbsp;';
-			print '<a class="marginleftonly" href="./card.php?action=delete&id='.$obj->rowid.'&backtopage='.urlencode($_SERVER["PHP_SELF"].'?chartofaccounts='.$object->id).'">';
+			print '<a class="marginleftonly" href="./card.php?action=delete&token='.newToken().'&id='.$obj->rowid.'&backtopage='.urlencode($_SERVER["PHP_SELF"].'?chartofaccounts='.$object->id).'">';
 			print img_delete();
 			print '</a>';
 		}
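Review bot: The `action=update` link on the first changed line gains a `&token=` parameter, yet the ChangeLog hunk in this same commit only tells module authors to add a token to `&action=delete` links; if the server-side check now covers update/edit actions as well, the ChangeLog entry understates the migration work and should read something like `If you have links with '&action=delete' or '&action=update'/'&action=edit' as a parameter, you must also add '&token='.newToken()`. Note too that the token now travels in the query string of a GET link, so it will appear in access logs and Referer headers; a POST form is the more robust shape for state-changing actions, though that is a wider change than this merge. The enclosing `if ($resql)` loop starts outside the hunk.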

+ 2 - 2
htdocs/accountancy/admin/accountmodel.php

@@ -669,11 +669,11 @@ if ($id)
 					print "</td>";
 
 					// Modify link
-					if ($canbemodified) print '<td class="center"><a class="reposition editfielda" href="'.$url.'action=edit">'.img_edit().'</a></td>';
+					if ($canbemodified) print '<td class="center"><a class="reposition editfielda" href="'.$url.'action=edit&token='.newToken().'">'.img_edit().'</a></td>';
 					else print '<td>&nbsp;</td>';
 
 					// Delete link
-					if ($iserasable) print '<td class="center"><a href="'.$url.'action=delete">'.img_delete().'</a></td>';
+					if ($iserasable) print '<td class="center"><a href="'.$url.'action=delete&token='.newToken().'">'.img_delete().'</a></td>';
 					else print '<td>&nbsp;</td>';
 
 					print "</tr>\n";

+ 2 - 2
htdocs/accountancy/admin/card.php

@@ -372,13 +372,13 @@ if ($action == 'create') {
 			print '<div class="tabsAction">';
 
 			if (!empty($user->rights->accounting->chartofaccount)) {
-				print '<a class="butAction" href="'.$_SERVER["PHP_SELF"].'?action=update&id='.$id.'">'.$langs->trans('Modify').'</a>';
+				print '<a class="butAction" href="'.$_SERVER["PHP_SELF"].'?action=update&token='.newToken().'&id='.$id.'">'.$langs->trans('Modify').'</a>';
 			} else {
 				print '<a class="butActionRefused classfortooltip" href="#" title="'.dol_escape_htmltag($langs->trans("NotAllowed")).'">'.$langs->trans('Modify').'</a>';
 			}
 
 			if (!empty($user->rights->accounting->chartofaccount)) {
-				print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?action=delete&id='.$id.'">'.$langs->trans('Delete').'</a>';
+				print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?action=delete&token='.newToken().'&id='.$id.'">'.$langs->trans('Delete').'</a>';
 			} else {
 				print '<a class="butActionRefused classfortooltip" href="#" title="'.dol_escape_htmltag($langs->trans("NotAllowed")).'">'.$langs->trans('Delete').'</a>';
 			}

+ 1 - 1
htdocs/accountancy/admin/categories.php

@@ -170,7 +170,7 @@ if ($action == 'display' || $action == 'delete') {
 				print '<td>'.length_accountg($cpt->account_number).'</td>';
 				print '<td>'.$cpt->label.'</td>';
 				print '<td class="right">';
-				print "<a href= '".$_SERVER['PHP_SELF']."?action=delete&account_category=".$cat_id."&cptid=".$cpt->rowid."'>";
+				print '<a href="'.$_SERVER['PHP_SELF'].'?action=delete&token='.newToken().'&account_category='.$cat_id.'&cptid='.$cpt->rowid.'">';
 				print $langs->trans("DeleteFromCat");
 				print img_picto($langs->trans("DeleteFromCat"), 'unlink');
 				print "</a>";

+ 0 - 16
htdocs/accountancy/admin/defaultaccounts.php

@@ -101,22 +101,6 @@ if ($conf->societe->enabled) {
 /*
  * Actions
  */
-
-$accounting_mode = empty($conf->global->ACCOUNTING_MODE) ? 'RECETTES-DEPENSES' : $conf->global->ACCOUNTING_MODE;
-
-if (GETPOST('change_chart', 'alpha'))
-{
-    $chartofaccounts = GETPOST('chartofaccounts', 'int');
-
-    if (!empty($chartofaccounts)) {
-        if (!dolibarr_set_const($db, 'CHARTOFACCOUNTS', $chartofaccounts, 'chaine', 0, '', $conf->entity)) {
-            $error++;
-        }
-    } else {
-        $error++;
-    }
-}
-
 if ($action == 'update') {
 	$error = 0;
 

+ 2 - 2
htdocs/accountancy/admin/fiscalyear_card.php

@@ -305,9 +305,9 @@ if ($action == 'create')
     			 */
     			print '<div class="tabsAction">';
 
-    			print '<a class="butAction" href="'.$_SERVER["PHP_SELF"].'?action=edit&id='.$id.'">'.$langs->trans('Modify').'</a>';
+    			print '<a class="butAction" href="'.$_SERVER["PHP_SELF"].'?action=edit&token='.newToken().'&id='.$id.'">'.$langs->trans('Modify').'</a>';
 
-    			// print '<a class="butActionDelete" href="' . $_SERVER["PHP_SELF"] . '?action=delete&id=' . $id . '">' . $langs->trans('Delete') . '</a>';
+    			// print '<a class="butActionDelete" href="' . $_SERVER["PHP_SELF"] . '?action=delete&token='.newToken().'&id=' . $id . '">' . $langs->trans('Delete') . '</a>';
 
     			print '</div>';
 			}
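Review bot: The second changed line edits a commented-out delete link to add `newToken()` instead of removing it; keeping dead code in sync with a security change is wasted effort and hides the fact that there is no delete action here at all. Either delete the comment or turn it into a real link guarded by the same permission check the rest of the file uses. The enclosing block starts outside the hunk.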

+ 5 - 5
htdocs/accountancy/journal/bankjournal.php

@@ -180,10 +180,10 @@ if ($result) {
 	$account_supplier			= (($conf->global->ACCOUNTING_ACCOUNT_SUPPLIER != "") ? $conf->global->ACCOUNTING_ACCOUNT_SUPPLIER : 'NotDefined'); // NotDefined is a reserved word
 	$account_customer			= (($conf->global->ACCOUNTING_ACCOUNT_CUSTOMER != "") ? $conf->global->ACCOUNTING_ACCOUNT_CUSTOMER : 'NotDefined'); // NotDefined is a reserved word
 	$account_employee			= (!empty($conf->global->SALARIES_ACCOUNTING_ACCOUNT_PAYMENT) ? $conf->global->SALARIES_ACCOUNTING_ACCOUNT_PAYMENT : 'NotDefined'); // NotDefined is a reserved word
-	$account_pay_vat = (!empty($conf->global->ACCOUNTING_VAT_PAY_ACCOUNT) ? $conf->global->ACCOUNTING_VAT_PAY_ACCOUNT : 'NotDefined'); // NotDefined is a reserved word
-	$account_pay_donation = (!empty($conf->global->DONATION_ACCOUNTINGACCOUNT) ? $conf->global->DONATION_ACCOUNTINGACCOUNT : 'NotDefined'); // NotDefined is a reserved word
-	$account_pay_subscription = (!empty($conf->global->ADHERENT_SUBSCRIPTION_ACCOUNTINGACCOUNT) ? $conf->global->ADHERENT_SUBSCRIPTION_ACCOUNTINGACCOUNT : 'NotDefined'); // NotDefined is a reserved word
-	$account_transfer = (!empty($conf->global->ACCOUNTING_ACCOUNT_TRANSFER_CASH) ? $conf->global->ACCOUNTING_ACCOUNT_TRANSFER_CASH : 'NotDefined'); // NotDefined is a reserved word
+	$account_pay_vat			= (!empty($conf->global->ACCOUNTING_VAT_PAY_ACCOUNT) ? $conf->global->ACCOUNTING_VAT_PAY_ACCOUNT : 'NotDefined'); // NotDefined is a reserved word
+	$account_pay_donation		= (!empty($conf->global->DONATION_ACCOUNTINGACCOUNT) ? $conf->global->DONATION_ACCOUNTINGACCOUNT : 'NotDefined'); // NotDefined is a reserved word
+	$account_pay_subscription	= (!empty($conf->global->ADHERENT_SUBSCRIPTION_ACCOUNTINGACCOUNT) ? $conf->global->ADHERENT_SUBSCRIPTION_ACCOUNTINGACCOUNT : 'NotDefined'); // NotDefined is a reserved word
+	$account_transfer			= (!empty($conf->global->ACCOUNTING_ACCOUNT_TRANSFER_CASH) ? $conf->global->ACCOUNTING_ACCOUNT_TRANSFER_CASH : 'NotDefined'); // NotDefined is a reserved word
 
 	$tabcompany = array();
 	$tabuser = array();
@@ -237,7 +237,7 @@ if ($result) {
 		);
 
 		// Set accountancy code for user
-		$compta_user = (!empty($obj->accountancy_code) ? $obj->accountancy_code : $account_employee);
+		$compta_user = (!empty($obj->accountancy_code) ? $obj->accountancy_code : '');
 
 		$tabuser[$obj->rowid] = array(
 				'id' => $obj->userid,
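Review bot: The second hunk changes the fallback for `$compta_user` from `$account_employee` to `''`, but the first hunk still computes `$account_employee` at its top; if nothing else in the file reads it (not visible here), that assignment is now dead and should be dropped. If an empty accountancy code is a deliberate state that downstream code distinguishes from the 'NotDefined' default, a one-line comment would save the next reader from "fixing" it back, e.g. `// keep empty: a user without an accountancy code must not silently inherit the employee default account`. The first hunk is otherwise whitespace-only realignment. Both hunks sit inside an `if ($result)` block that starts outside the view.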

+ 1 - 1
htdocs/adherents/card.php

@@ -1694,7 +1694,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) {
 
 				// Delete
 				if ($user->rights->adherent->supprimer) {
-					print '<div class="inline-block divButAction"><a class="butActionDelete" href="card.php?rowid='.$object->id.'&action=delete">'.$langs->trans("Delete")."</a></div>\n";
+					print '<div class="inline-block divButAction"><a class="butActionDelete" href="card.php?rowid='.$object->id.'&action=delete&token='.newToken().'">'.$langs->trans("Delete")."</a></div>\n";
 				} else {
 					print '<div class="inline-block divButAction"><font class="butActionRefused classfortooltip" href="#" title="'.dol_escape_htmltag($langs->trans("NotEnoughPermissions")).'">'.$langs->trans("Delete")."</font></div>";
 				}

+ 2 - 2
htdocs/adherents/subscription/card.php

@@ -345,7 +345,7 @@ if ($rowid && $action != 'edit') {
 
     if ($user->rights->adherent->cotisation->creer) {
 		if (!$bankline->rappro) {
-			print '<div class="inline-block divButAction"><a class="butAction" href="'.$_SERVER["PHP_SELF"]."?rowid=".$object->id."&action=edit\">".$langs->trans("Modify")."</a></div>";
+			print '<div class="inline-block divButAction"><a class="butAction" href="'.$_SERVER["PHP_SELF"]."?rowid=".$object->id.'&action=edit&token='.newToken().'">'.$langs->trans("Modify")."</a></div>";
 		} else {
 			print '<div class="inline-block divButAction"><a class="butActionRefused classfortooltip" title="'.$langs->trans("BankLineConciliated")."\" href=\"#\">".$langs->trans("Modify")."</a></div>";
 		}
@@ -353,7 +353,7 @@ if ($rowid && $action != 'edit') {
 
     // Delete
     if ($user->rights->adherent->cotisation->creer) {
-        print '<div class="inline-block divButAction"><a class="butActionDelete" href="'.$_SERVER["PHP_SELF"]."?rowid=".$object->id."&action=delete\">".$langs->trans("Delete")."</a></div>\n";
+        print '<div class="inline-block divButAction"><a class="butActionDelete" href="'.$_SERVER["PHP_SELF"]."?rowid=".$object->id.'&action=delete&token='.newToken().'">'.$langs->trans("Delete")."</a></div>\n";
     }
 
     print '</div>';

+ 1 - 1
htdocs/adherents/type.php

@@ -455,7 +455,7 @@ if ($rowid > 0) {
 
 		// Delete
 		if ($user->rights->adherent->configurer) {
-			print '<div class="inline-block divButAction"><a class="butActionDelete" href="'.$_SERVER['PHP_SELF'].'?action=delete&rowid='.$object->id.'">'.$langs->trans("DeleteType").'</a></div>';
+			print '<div class="inline-block divButAction"><a class="butActionDelete" href="'.$_SERVER['PHP_SELF'].'?action=delete&token='.newToken().'&rowid='.$object->id.'">'.$langs->trans("DeleteType").'</a></div>';
 		}
 
 		print "</div>";

+ 2 - 2
htdocs/adherents/type_translation.php

@@ -201,7 +201,7 @@ if ($action == 'edit') {
 	if (!empty($object->multilangs)) {
 		foreach ($object->multilangs as $key => $value) {
 			$s = picto_from_langcode($key);
-			print "<br>".($s ? $s.' ' : '')." <b>".$langs->trans('Language_'.$key).":</b> ".'<a href="'.$_SERVER["PHP_SELF"].'?rowid='.$object->id.'&action=delete&langtodelete='.$key.'">'.img_delete('', 'class="valigntextbottom"')."</a><br>";
+			print '<br>'.($s ? $s.' ' : '').' <b>'.$langs->trans('Language_'.$key).':</b> <a href="'.$_SERVER["PHP_SELF"].'?rowid='.$object->id.'&action=delete&token='.newToken().'&langtodelete='.$key.'">'.img_delete('', 'class="valigntextbottom"')."</a><br>";
 
 			print '<div class="underbanner clearboth"></div>';
 			print '<table class="border centpercent">';
@@ -228,7 +228,7 @@ if ($action == 'edit') {
 	if (!empty($object->multilangs)) {
 		foreach ($object->multilangs as $key => $value) {
 			$s = picto_from_langcode($key);
-			print ($s ? $s.' ' : '')." <b>".$langs->trans('Language_'.$key).":</b> ".'<a href="'.$_SERVER["PHP_SELF"].'?rowid='.$object->id.'&action=delete&langtodelete='.$key.'">'.img_delete('', 'class="valigntextbottom"').'</a>';
+			print ($s ? $s.' ' : '')." <b>".$langs->trans('Language_'.$key).":</b> ".'<a href="'.$_SERVER["PHP_SELF"].'?rowid='.$object->id.'&action=delete&token='.newToken().'&langtodelete='.$key.'">'.img_delete('', 'class="valigntextbottom"').'</a>';
 
 			print '<div class="fichecenter">';
 			print '<div class="underbanner clearboth"></div>';
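Review bot: The first hunk rewrites the print with single-quoted segments (`'<br>'.($s ? $s.' ' : '').' <b>'`) while the second hunk keeps the original double-quoted `" <b>".$langs->trans(...).":</b> "` form for what is otherwise the same line; the two should be written the same way. In both hunks `$key`, taken from `$object->multilangs`, is concatenated into the href without `urlencode()`; that is pre-existing, but `'&langtodelete='.urlencode($key)` would be cheap to add while these lines are being touched. The enclosing foreach loops start outside each hunk.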

+ 1 - 1
htdocs/admin/boxes.php

@@ -429,7 +429,7 @@ foreach ($boxactivated as $key => $box)
 	print ($hasprevious ? '<a href="boxes.php?action=switch&amp;switchfrom='.$box->rowid.'&amp;switchto='.$boxactivated[$key - 1]->rowid.'">'.img_up().'</a>' : '');
 	print '</td>';
 	print '<td class="center">';
-	print '<a href="boxes.php?rowid='.$box->rowid.'&amp;action=delete">'.img_delete().'</a>';
+	print '<a href="boxes.php?rowid='.$box->rowid.'&action=delete&token='.newToken().'">'.img_delete().'</a>';
 	print '</td>';
 
 	print '</tr>'."\n";
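Review bot: The rewritten delete link on the new line drops the `&amp;` entity that the `switch` links on the context line above still use, so this row now mixes raw `&` and `&amp;` inside href attributes; keep one convention within the file. Also, the `action=switch` links in the same row appear to change box ordering but receive no token in this commit — if that handler is covered by the same CSRF check, they will need `'&amp;token='.newToken()` as well, and if it is not, it is left unprotected. The enclosing `foreach ($boxactivated ...)` starts outside the hunk.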

+ 1 - 1
htdocs/admin/const.php

@@ -299,7 +299,7 @@ if ($result)
 		{
 			print '<input type="checkbox" class="flat checkboxfordelete" id="check_'.$i.'" name="const['.$i.'][check]" value="1">';
 		} else {
-			print '<a href="'.$_SERVER['PHP_SELF'].'?rowid='.$obj->rowid.'&entity='.$obj->entity.'&action=delete'.((empty($user->entity) && $debug) ? '&debug=1' : '').'">'.img_delete().'</a>';
+			print '<a href="'.$_SERVER['PHP_SELF'].'?rowid='.$obj->rowid.'&entity='.$obj->entity.'&action=delete&token='.newToken().((empty($user->entity) && $debug) ? '&debug=1' : '').'">'.img_delete().'</a>';
 		}
 
 		print "</td></tr>\n";

+ 2 - 2
htdocs/admin/defaultvalues.php

@@ -378,9 +378,9 @@ if ($result)
 		print '<td class="center">';
 		if ($action != 'edit' || GETPOST('rowid') != $obj->rowid)
 		{
-    		print '<a href="'.$_SERVER['PHP_SELF'].'?rowid='.$obj->rowid.'&entity='.$obj->entity.'&mode='.$mode.'&action=edit'.((empty($user->entity) && $debug) ? '&debug=1' : '').'">'.img_edit().'</a>';
+    		print '<a href="'.$_SERVER['PHP_SELF'].'?rowid='.$obj->rowid.'&entity='.$obj->entity.'&mode='.$mode.'&action=edit&token='.newToken().((empty($user->entity) && $debug) ? '&debug=1' : '').'">'.img_edit().'</a>';
     		print ' &nbsp; ';
-    		print '<a href="'.$_SERVER['PHP_SELF'].'?rowid='.$obj->rowid.'&entity='.$obj->entity.'&mode='.$mode.'&action=delete'.((empty($user->entity) && $debug) ? '&debug=1' : '').'">'.img_delete().'</a>';
+    		print '<a href="'.$_SERVER['PHP_SELF'].'?rowid='.$obj->rowid.'&entity='.$obj->entity.'&mode='.$mode.'&action=delete&token='.newToken().((empty($user->entity) && $debug) ? '&debug=1' : '').'">'.img_delete().'</a>';
 		} else {
 		    print '<input type="hidden" name="page" value="'.$page.'">';
 		    print '<input type="hidden" name="rowid" value="'.$id.'">';

+ 2 - 2
htdocs/admin/dict.php

@@ -1671,14 +1671,14 @@ if ($id)
                     print "</td>";
 
                     // Modify link
-                    if ($canbemodified) print '<td align="center"><a class="reposition editfielda" href="'.$url.'action=edit">'.img_edit().'</a></td>';
+                    if ($canbemodified) print '<td align="center"><a class="reposition editfielda" href="'.$url.'action=edit&token='.newToken().'">'.img_edit().'</a></td>';
                     else print '<td>&nbsp;</td>';
 
                     // Delete link
                     if ($iserasable)
                     {
                         print '<td class="center">';
-                        if ($user->admin) print '<a href="'.$url.'action=delete">'.img_delete().'</a>';
+                        if ($user->admin) print '<a href="'.$url.'action=delete&token='.newToken().'">'.img_delete().'</a>';
                         //else print '<a href="#">'.img_delete().'</a>';    // Some dictionary can be edited by other profile than admin
                         print '</td>';
                     } else print '<td>&nbsp;</td>';

+ 2 - 2
htdocs/admin/emailcollector_card.php

@@ -540,7 +540,7 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea
 		print '</td>';
 		print '<td>'.$rulefilter['rulevalue'].'</td>';
 		print '<td class="right">';
-		print ' <a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=deletefilter&filterid='.$rulefilter['id'].'&token='.urlencode(newToken()).'">'.img_delete().'</a>';
+		print ' <a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=deletefilter&token='.urlencode(newToken()).'&filterid='.$rulefilter['id'].'">'.img_delete().'</a>';
 		print '</td>';
 		print '</tr>';
 	}
@@ -632,7 +632,7 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea
 		// Delete
 		print '<td class="right nowraponall">';
 		print '<a class="editfielda marginrightonly" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=editoperation&operationid='.$ruleaction['id'].'">'.img_edit().'</a>';
-		print ' <a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=deleteoperation&operationid='.$ruleaction['id'].'&token='.urlencode(newToken()).'">'.img_delete().'</a>';
+		print ' <a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=deleteoperation&token='.newToken().'&operationid='.$ruleaction['id'].'">'.img_delete().'</a>';
 		print '</td>';
 		print '</tr>';
 		$i++;
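Review bot: The two hunks in this file disagree on encoding: the deletefilter link keeps `urlencode(newToken())` while the deleteoperation link on the second hunk's new line replaces it with a bare `newToken()`; use one form for both, e.g. `'&action=deleteoperation&token='.urlencode(newToken()).'&operationid='`. If the token is always a hex string the encoding is a no-op, but the inconsistency invites a future copy-paste mistake. The `editoperation` link on the context line above remains without a token, which is fine only if edit actions are outside the CSRF check. The enclosing loop starts outside the hunk.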

+ 2 - 2
htdocs/admin/expensereport_ik.php

@@ -166,8 +166,8 @@ foreach ($rangesbycateg as $fk_c_exp_tax_cat => $Tab)
 				echo '<input id="" class="button" name="save" value="'.$langs->trans('Save').'" type="submit" />';
 				echo '<input class="button" value="'.$langs->trans('Cancel').'" onclick="javascript:history.go(-1)" type="button" />';
 			} else {
-				echo '<a class="editfielda marginrightonly paddingleft paddingright" href="'.$_SERVER['PHP_SELF'].'?action=edit&id='.$range->ik->id.'&fk_c_exp_tax_cat='.$range->fk_c_exp_tax_cat.'&fk_range='.$range->rowid.'">'.img_edit().'</a>';
-				if (!empty($range->ik->id)) echo '<a class="paddingleft paddingright" href="'.$_SERVER['PHP_SELF'].'?action=delete&id='.$range->ik->id.'">'.img_delete().'</a>';
+				echo '<a class="editfielda marginrightonly paddingleft paddingright" href="'.$_SERVER['PHP_SELF'].'?action=edit&token='.newToken().'&id='.$range->ik->id.'&fk_c_exp_tax_cat='.$range->fk_c_exp_tax_cat.'&fk_range='.$range->rowid.'">'.img_edit().'</a>';
+				if (!empty($range->ik->id)) echo '<a class="paddingleft paddingright" href="'.$_SERVER['PHP_SELF'].'?action=delete&token='.newToken().'&id='.$range->ik->id.'">'.img_delete().'</a>';
 				// TODO add delete link
 			}
 		}

+ 2 - 2
htdocs/admin/expensereport_rules.php

@@ -305,8 +305,8 @@ foreach ($rules as $rule)
 	echo '<td class="center">';
 	if ($object->id != $rule->id)
 	{
-		echo '<a class="editfielda paddingright paddingleft" href="'.$_SERVER['PHP_SELF'].'?action=edit&id='.$rule->id.'">'.img_edit().'</a>&nbsp;';
-		echo '<a class="paddingright paddingleft" href="'.$_SERVER['PHP_SELF'].'?action=delete&id='.$rule->id.'">'.img_delete().'</a>';
+		echo '<a class="editfielda paddingright paddingleft" href="'.$_SERVER['PHP_SELF'].'?action=edit&token='.newToken().'&id='.$rule->id.'">'.img_edit().'</a>&nbsp;';
+		echo '<a class="paddingright paddingleft" href="'.$_SERVER['PHP_SELF'].'?action=delete&token='.newToken().'&id='.$rule->id.'">'.img_delete().'</a>';
 	} else {
 		echo '<input type="submit" class="button" value="'.$langs->trans('Update').'" />&nbsp;';
 		echo '<a href="'.$_SERVER['PHP_SELF'].'" class="button">'.$langs->trans('Cancel').'</a>';

+ 1 - 1
htdocs/admin/mails_senderprofile_list.php

@@ -587,7 +587,7 @@ while ($i < ($limit ? min($num, $limit) : $num))
 	if ($sortorder) $url .= '&page='.urlencode($sortorder);
 	print '<a class="editfielda reposition marginrightonly marginleftonly" href="'.$url.'&action=edit&rowid='.$obj->rowid.'">'.img_edit().'</a>';
 	//print ' &nbsp; ';
-	print '<a class=" marginrightonly marginleftonly" href="'.$url.'&action=delete">'.img_delete().'</a>  &nbsp; ';
+	print '<a class=" marginrightonly marginleftonly" href="'.$url.'&action=delete&token='.newToken().'">'.img_delete().'</a>  &nbsp; ';
 	if ($massactionbutton || $massaction)   // If we are in select mode (massactionbutton defined) or if we have already selected and sent an action ($massaction) defined
 	{
 		$selected = 0;

+ 2 - 2
htdocs/admin/mails_templates.php

@@ -889,10 +889,10 @@ if ($resql)
 
 				// Modify link / Delete link
 				print '<td class="center nowraponall" width="64">';
-				if ($canbemodified) print '<a class="reposition editfielda" href="'.$url.'action=edit">'.img_edit().'</a>';
+				if ($canbemodified) print '<a class="reposition editfielda" href="'.$url.'action=edit&token='.newToken().'">'.img_edit().'</a>';
 				if ($iserasable)
 				{
-					print '<a class="marginleftonly" href="'.$url.'action=delete">'.img_delete().'</a>';
+					print '<a class="marginleftonly" href="'.$url.'action=delete&token='.newToken().'">'.img_delete().'</a>';
 					//else print '<a href="#">'.img_delete().'</a>';    // Some dictionary can be edited by other profile than admin
 				}
 				print '</td>';

+ 9 - 9
htdocs/admin/menus/index.php

@@ -320,20 +320,20 @@ if ($conf->use_javascript_ajax)
 			$titre = $langs->trans($menu['titre']);
 
 			$entry = '<table class="nobordernopadding centpercent"><tr><td>';
-			$entry .= '<strong> &nbsp; <a href="edit.php?menu_handler='.$menu_handler_to_search.'&action=edit&menuId='.$menu['rowid'].'">'.$titre.'</a></strong>';
+			$entry .= '<strong> &nbsp; <a href="edit.php?menu_handler='.$menu_handler_to_search.'&action=edit&token='.newToken().'&menuId='.$menu['rowid'].'">'.$titre.'</a></strong>';
 			$entry .= '</td><td class="right">';
-			$entry .= '<a class="editfielda marginleftonly marginrightonly" href="edit.php?menu_handler='.$menu_handler_to_search.'&action=edit&menuId='.$menu['rowid'].'">'.img_edit('default', 0, 'class="menuEdit" id="edit'.$menu['rowid'].'"').'</a> ';
-			$entry .= '<a class="marginleftonly marginrightonly" href="edit.php?menu_handler='.$menu_handler_to_search.'&action=create&menuId='.$menu['rowid'].'">'.img_edit_add('default').'</a> ';
-			$entry .= '<a class="marginleftonly marginrightonly" href="index.php?menu_handler='.$menu_handler_to_search.'&action=delete&menuId='.$menu['rowid'].'">'.img_delete('default').'</a> ';
+			$entry .= '<a class="editfielda marginleftonly marginrightonly" href="edit.php?menu_handler='.$menu_handler_to_search.'&action=edit&token='.newToken().'&menuId='.$menu['rowid'].'">'.img_edit('default', 0, 'class="menuEdit" id="edit'.$menu['rowid'].'"').'</a> ';
+			$entry .= '<a class="marginleftonly marginrightonly" href="edit.php?menu_handler='.$menu_handler_to_search.'&action=create&token='.newToken().'&menuId='.$menu['rowid'].'">'.img_edit_add('default').'</a> ';
+			$entry .= '<a class="marginleftonly marginrightonly" href="index.php?menu_handler='.$menu_handler_to_search.'&action=delete&token='.newToken().'&menuId='.$menu['rowid'].'">'.img_delete('default').'</a> ';
 			$entry .= '&nbsp; &nbsp; &nbsp;';
-			$entry .= '<a class="marginleftonly marginrightonly" href="index.php?menu_handler='.$menu_handler_to_search.'&action=up&menuId='.$menu['rowid'].'">'.img_picto("Up", "1uparrow").'</a><a href="index.php?menu_handler='.$menu_handler_to_search.'&action=down&menuId='.$menu['rowid'].'">'.img_picto("Down", "1downarrow").'</a>';
+			$entry .= '<a class="marginleftonly marginrightonly" href="index.php?menu_handler='.$menu_handler_to_search.'&action=up&token='.newToken().'&menuId='.$menu['rowid'].'">'.img_picto("Up", "1uparrow").'</a><a href="index.php?menu_handler='.$menu_handler_to_search.'&action=down&menuId='.$menu['rowid'].'">'.img_picto("Down", "1downarrow").'</a>';
 			$entry .= '</td></tr></table>';
 
-			$buttons = '<a class="editfielda marginleftonly marginrightonly" href="edit.php?menu_handler='.$menu_handler_to_search.'&action=edit&menuId='.$menu['rowid'].'">'.img_edit('default', 0, 'class="menuEdit" id="edit'.$menu['rowid'].'"').'</a> ';
-			$buttons .=	'<a class="marginleftonly marginrightonly" href="edit.php?menu_handler='.$menu_handler_to_search.'&action=create&menuId='.$menu['rowid'].'">'.img_edit_add('default').'</a> ';
-			$buttons .=	'<a class="marginleftonly marginrightonly" href="index.php?menu_handler='.$menu_handler_to_search.'&action=delete&menuId='.$menu['rowid'].'">'.img_delete('default').'</a> ';
+			$buttons = '<a class="editfielda marginleftonly marginrightonly" href="edit.php?menu_handler='.$menu_handler_to_search.'&action=edit&token='.newToken().'&menuId='.$menu['rowid'].'">'.img_edit('default', 0, 'class="menuEdit" id="edit'.$menu['rowid'].'"').'</a> ';
+			$buttons .=	'<a class="marginleftonly marginrightonly" href="edit.php?menu_handler='.$menu_handler_to_search.'&action=create&token='.newToken().'&menuId='.$menu['rowid'].'">'.img_edit_add('default').'</a> ';
+			$buttons .=	'<a class="marginleftonly marginrightonly" href="index.php?menu_handler='.$menu_handler_to_search.'&action=delete&token='.newToken().'&menuId='.$menu['rowid'].'">'.img_delete('default').'</a> ';
 			$buttons .=	'&nbsp; &nbsp; &nbsp;';
-			$buttons .=	'<a class="marginleftonly marginrightonly" href="index.php?menu_handler='.$menu_handler_to_search.'&action=up&menuId='.$menu['rowid'].'">'.img_picto("Up", "1uparrow").'</a><a href="index.php?menu_handler='.$menu_handler_to_search.'&action=down&menuId='.$menu['rowid'].'">'.img_picto("Down", "1downarrow").'</a>';
+			$buttons .=	'<a class="marginleftonly marginrightonly" href="index.php?menu_handler='.$menu_handler_to_search.'&action=up&token='.newToken().'&menuId='.$menu['rowid'].'">'.img_picto("Up", "1uparrow").'</a><a href="index.php?menu_handler='.$menu_handler_to_search.'&action=down&menuId='.$menu['rowid'].'">'.img_picto("Down", "1downarrow").'</a>';
 
 			$data[] = array(
 				'rowid'=>$menu['rowid'],
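Review bot: The `action=down` link on the new `$entry .=` and `$buttons .=` lines still has no `token=` parameter while its sibling `action=up` on the same line got one, so the two arrows are now protected inconsistently — either the down handler rejects the click if it also checks the token, or it stays reachable without CSRF protection. Change both occurrences to `'&action=down&token='.newToken().'&menuId='.$menu['rowid']`. The enclosing loop that builds `$data` starts outside the hunk.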

+ 2 - 2
htdocs/admin/oauthlogintokens.php

@@ -148,7 +148,7 @@ if ($mode == 'setup' && $user->admin)
             // We pass this param list in to 'state' because we need it before and after the redirect.
             $shortscope = 'user,public_repo';
             $urltorenew = $urlwithroot.'/core/modules/oauth/github_oauthcallback.php?shortscope='.$shortscope.'&state='.$shortscope.'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
-            $urltodelete = $urlwithroot.'/core/modules/oauth/github_oauthcallback.php?action=delete&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
+            $urltodelete = $urlwithroot.'/core/modules/oauth/github_oauthcallback.php?action=delete&token='.newToken().'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
             $urltocheckperms = 'https://github.com/settings/applications/';
         } elseif ($key[0] == 'OAUTH_GOOGLE_NAME')
         {
@@ -161,7 +161,7 @@ if ($mode == 'setup' && $user->admin)
 			}
             //$scope.=',gmail_full';
             $urltorenew = $urlwithroot.'/core/modules/oauth/google_oauthcallback.php?shortscope='.$shortscope.'&state='.$shortscope.'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
-            $urltodelete = $urlwithroot.'/core/modules/oauth/google_oauthcallback.php?action=delete&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
+            $urltodelete = $urlwithroot.'/core/modules/oauth/google_oauthcallback.php?action=delete&token='.newToken().'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
             $urltocheckperms = 'https://security.google.com/settings/security/permissions';
         } elseif ($key[0] == 'OAUTH_STRIPE_TEST_NAME')
         {
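Review bot: Appending `token=` to `$urltodelete` only closes the CSRF hole if the `action=delete` branch inside `github_oauthcallback.php` and `google_oauthcallback.php` actually validates the token, and neither callback is touched by this commit, so that should be confirmed before the revocation links are considered protected. The surrounding context also shows `state=` carrying the static `$shortscope` string rather than a per-request nonce, so the OAuth round-trip itself still lacks login-CSRF protection; a follow-up could pass a `newToken()` value in `state` and verify it when the callback returns. The enclosing `if ($mode == 'setup' && $user->admin)` block starts outside the hunk.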

+ 1 - 1
htdocs/admin/paymentbybanktransfer.php

@@ -465,7 +465,7 @@ if (! empty($conf->global->MAIN_MODULE_NOTIFICATION))
 	        print '<td>'.dolGetFirstLastname($obj->firstname,$obj->lastname).'</td>';
 	        $label=($langs->trans("Notify_".$obj->code)!="Notify_".$obj->code?$langs->trans("Notify_".$obj->code):$obj->label);
 	        print '<td>'.$label.'</td>';
-	        print '<td class="right"><a href="'.$_SERVER["PHP_SELF"].'?action=deletenotif&amp;notif='.$obj->rowid.'">'.img_delete().'</a></td>';
+	        print '<td class="right"><a href="'.$_SERVER["PHP_SELF"].'?action=deletenotif&token='.newToken().'&notif='.$obj->rowid.'">'.img_delete().'</a></td>';
 	        print '</tr>';
 	        $i++;
 	    }
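Review bot: The rewritten delete link mixes raw `&` inside an HTML attribute where the old line (and `receiptprinter.php` in this same commit) used `&amp;`; browsers recover, but keeping the entity is the file's convention: `print '<td class="right"><a href="'.$_SERVER["PHP_SELF"].'?action=deletenotif&amp;token='.newToken().'&amp;notif='.$obj->rowid.'">'.img_delete().'</a></td>';`. The `deletenotif` handler that must now reject requests without a valid token is outside this hunk and should be checked in the same pass. The enclosing notification loop starts before the hunk.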

+ 1 - 1
htdocs/admin/prelevement.php

@@ -472,7 +472,7 @@ if (! empty($conf->global->MAIN_MODULE_NOTIFICATION))
 	        print '<td>'.dolGetFirstLastname($obj->firstname,$obj->lastname).'</td>';
 	        $label=($langs->trans("Notify_".$obj->code)!="Notify_".$obj->code?$langs->trans("Notify_".$obj->code):$obj->label);
 	        print '<td>'.$label.'</td>';
-	        print '<td class="right"><a href="'.$_SERVER["PHP_SELF"].'?action=deletenotif&amp;notif='.$obj->rowid.'">'.img_delete().'</a></td>';
+	        print '<td class="right"><a href="'.$_SERVER["PHP_SELF"].'?action=deletenotif&token='.newToken().'&notif='.$obj->rowid.'">'.img_delete().'</a></td>';
 	        print '</tr>';
 	        $i++;
 	    }
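Review bot: This notification table is a verbatim copy of the block patched in `paymentbybanktransfer.php`, down to the `deletenotif` action and the `&`/`&amp;` mix, so the CSRF token had to be added twice and any later fix to the handler must be mirrored in both files; extracting the loop into a shared helper would keep the token handling in one place. The enclosing loop begins outside the hunk.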

+ 2 - 2
htdocs/admin/receiptprinter.php

@@ -340,11 +340,11 @@ if ($mode == 'config' && $user->admin) {
                 print img_picto($langs->trans("Edit"), 'edit');
                 print '</a>';
                 // delete icon
-                print '<a class="marginrightonly" href="'.$_SERVER['PHP_SELF'].'?mode=config&amp;action=deleteprinter&amp;printerid='.$printer->listprinters[$line]['rowid'].'&amp;printername='.$printer->listprinters[$line]['name'].'">';
+                print '<a class="marginrightonly" href="'.$_SERVER['PHP_SELF'].'?mode=config&amp;action=deleteprinter&amp;token='.newToken().'&amp;printerid='.$printer->listprinters[$line]['rowid'].'&amp;printername='.$printer->listprinters[$line]['name'].'">';
                 print img_picto($langs->trans("Delete"), 'delete');
                 print '</a>';
                 // test icon
-                print '<a class="marginrightonly" href="'.$_SERVER['PHP_SELF'].'?mode=config&amp;action=testprinter&amp;printerid='.$printer->listprinters[$line]['rowid'].'&amp;printername='.$printer->listprinters[$line]['name'].'">';
+                print '<a class="marginrightonly" href="'.$_SERVER['PHP_SELF'].'?mode=config&amp;action=testprinter&amp;token='.newToken().'&amp;printerid='.$printer->listprinters[$line]['rowid'].'&amp;printername='.$printer->listprinters[$line]['name'].'">';
                 print img_picto($langs->trans("TestPrinter"), 'printer');
                 print '</a></td>';
                 print '</tr>';
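Review bot: Both rewritten links still splice `$printer->listprinters[$line]['name']` into the query string and the `href` attribute without any encoding, so a printer name containing `&`, `"` or a space breaks the URL (and, if the name is editable by an admin, is an attribute-injection point) regardless of the new token. Wrap it with `urlencode()` in both lines: `'&amp;printerid='.$printer->listprinters[$line]['rowid'].'&amp;printername='.urlencode($printer->listprinters[$line]['name']).'">'`. The enclosing loop over `$printer->listprinters` starts outside the hunk.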

+ 2 - 2
htdocs/admin/translation.php

@@ -350,7 +350,7 @@ if ($mode == 'overwrite')
     		} else {
     			print '<a class="reposition editfielda paddingrightonly" href="'.$_SERVER['PHP_SELF'].'?rowid='.$obj->rowid.'&entity='.$obj->entity.'&action=edit'.((empty($user->entity) && $debug) ? '&debug=1' : '').'">'.img_edit().'</a>';
 				print ' &nbsp; ';
-    			print '<a class="reposition" href="'.$_SERVER['PHP_SELF'].'?rowid='.$obj->rowid.'&entity='.$obj->entity.'&action=delete'.((empty($user->entity) && $debug) ? '&debug=1' : '').'">'.img_delete().'</a>';
+    			print '<a class="reposition" href="'.$_SERVER['PHP_SELF'].'?rowid='.$obj->rowid.'&entity='.$obj->entity.'&action=delete&token='.newToken().((empty($user->entity) && $debug) ? '&debug=1' : '').'">'.img_delete().'</a>';
     		}
     		print '</td>';
 
@@ -514,7 +514,7 @@ if ($mode == 'searchkey')
                 }
                 print '<a class="editfielda reposition paddingrightonly" href="'.$_SERVER['PHP_SELF'].'?rowid='.$obj->rowid.'&entity='.$conf->entity.'&action=edit">'.img_edit().'</a>';
                 print ' ';
-                print '<a href="'.$_SERVER['PHP_SELF'].'?rowid='.$obj->rowid.'&entity='.$conf->entity.'&action=delete">'.img_delete().'</a>';
+                print '<a href="'.$_SERVER['PHP_SELF'].'?rowid='.$obj->rowid.'&entity='.$conf->entity.'&action=delete&token='.newToken().'">'.img_delete().'</a>';
                 print '&nbsp;&nbsp;';
                 $htmltext = $langs->trans("OriginalValueWas", '<i>'.$newlangfileonly->tab_translate[$key].'</i>');
                 print $form->textwithpicto('', $htmltext, 1, 'info');

+ 2 - 2
htdocs/admin/website.php

@@ -601,10 +601,10 @@ if ($id)
                     print "</td>";
 
                     // Modify link
-                    print '<td align="center"><a class="reposition" href="'.$url.'action=edit">'.img_edit().'</a></td>';
+                    print '<td align="center"><a class="reposition" href="'.$url.'action=edit&token='.newToken().'">'.img_edit().'</a></td>';
 
                     // Delete link
-                    if ($iserasable) print '<td align="center"><a class="reposition" href="'.$url.'action=delete">'.img_delete().'</a></td>';
+                    if ($iserasable) print '<td align="center"><a class="reposition" href="'.$url.'action=delete&token='.newToken().'">'.img_delete().'</a></td>';
                     else print '<td class="center">'.img_delete($langs->trans("DisableSiteFirst"), 'class="opacitymedium"').'</td>';
 
                     print "</tr>\n";

+ 1 - 1
htdocs/asset/card.php

@@ -323,7 +323,7 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea
 
 			if ($user->rights->asset->delete)
 			{
-				print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete">'.$langs->trans('Delete').'</a>'."\n";
+				print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete&token='.newToken().'">'.$langs->trans('Delete').'</a>'."\n";
 			} else {
 				print '<a class="butActionRefused classfortooltip" href="#" title="'.dol_escape_htmltag($langs->trans("NotEnoughPermissions")).'">'.$langs->trans('Delete').'</a>'."\n";
 			}

+ 1 - 1
htdocs/asset/type.php

@@ -507,7 +507,7 @@ if ($rowid > 0)
 		// Delete
 		if ($user->rights->asset->write)
 		{
-			print '<div class="inline-block divButAction"><a class="butActionDelete" href="'.$_SERVER['PHP_SELF'].'?action=delete&rowid='.$object->id.'">'.$langs->trans("DeleteType").'</a></div>';
+			print '<div class="inline-block divButAction"><a class="butActionDelete" href="'.$_SERVER['PHP_SELF'].'?action=delete&token='.newToken().'&rowid='.$object->id.'">'.$langs->trans("DeleteType").'</a></div>';
 		}
 
 		print "</div>";

+ 1 - 1
htdocs/bom/bom_card.php

@@ -683,7 +683,7 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea
 
 			if ($permissiontodelete)
 			{
-				print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete">'.$langs->trans('Delete').'</a>'."\n";
+				print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete&amp;token='.newToken().'">'.$langs->trans('Delete').'</a>'."\n";
 			} else {
 				print '<a class="butActionRefused classfortooltip" href="#" title="'.dol_escape_htmltag($langs->trans("NotEnoughPermissions")).'">'.$langs->trans('Delete').'</a>'."\n";
 			}

+ 1 - 1
htdocs/bom/tpl/objectline_view.tpl.php

@@ -121,7 +121,7 @@ if ($this->status == 0 && ($object_rights->write) && $action != 'selectlines') {
     $coldisplay++;
     if (($line->fk_prev_id == null) && empty($disableremove)) {
         //La suppression n'est autorisée que si il n'y a pas de ligne dans une précédente situation
-        print '<a class="reposition" href="'.$_SERVER["PHP_SELF"].'?id='.$this->id.'&amp;action=deleteline&amp;lineid='.$line->id.'">';
+        print '<a class="reposition" href="'.$_SERVER["PHP_SELF"].'?id='.$this->id.'&amp;action=deleteline&amp;token='.newToken().'&amp;lineid='.$line->id.'">';
         print img_delete();
         print '</a>';
     }

+ 2 - 2
htdocs/bookmarks/card.php

@@ -311,13 +311,13 @@ if ($id > 0 && !preg_match('/^add/i', $action))
 	// Edit
 	if ($user->rights->bookmark->creer && $action != 'edit')
 	{
-		print "  <a class=\"butAction\" href=\"".$_SERVER["PHP_SELF"]."?id=".$object->id."&amp;action=edit\">".$langs->trans("Edit")."</a>\n";
+		print '<a class="butAction" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=edit&amp;token='.newToken().'">'.$langs->trans("Edit").'</a>'."\n";
 	}
 
 	// Remove
 	if ($user->rights->bookmark->supprimer && $action != 'edit')
 	{
-		print "  <a class=\"butActionDelete\" href=\"list.php?bid=".$object->id."&amp;action=delete\">".$langs->trans("Delete")."</a>\n";
+		print '<a class="butActionDelete" href="list.php?bid='.$object->id.'&amp;action=delete&amp;token='.newToken().'">'.$langs->trans("Delete").'</a>'."\n";
 	}
 
 	print '</div>';

+ 2 - 2
htdocs/bookmarks/list.php

@@ -241,11 +241,11 @@ while ($i < min($num, $limit))
 	print '<td class="nowrap right">';
 	if ($user->rights->bookmark->creer)
 	{
-		print '<a class="editfielda" href="'.DOL_URL_ROOT."/bookmarks/card.php?action=edit&id=".$obj->rowid."&backtopage=".urlencode($_SERVER["PHP_SELF"]).'">'.img_edit()."</a>";
+		print '<a class="editfielda" href="'.DOL_URL_ROOT."/bookmarks/card.php?action=edit&token='.newToken().'&id=".$obj->rowid."&backtopage=".urlencode($_SERVER["PHP_SELF"]).'">'.img_edit()."</a>";
 	}
 	if ($user->rights->bookmark->supprimer)
 	{
-		print '<a class="marginleftonly" href="'.$_SERVER["PHP_SELF"].'?action=delete&id='.$obj->rowid.'">'.img_delete().'</a>';
+		print '<a class="marginleftonly" href="'.$_SERVER["PHP_SELF"].'?action=delete&token='.newToken().'&id='.$obj->rowid.'">'.img_delete().'</a>';
 	} else {
 		print "&nbsp;";
 	}
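Review bot: The edit link on the new side never emits a token: `'.newToken().'` was inserted inside the double-quoted segment `"/bookmarks/card.php?action=edit&token='.newToken().'&id="`, where single quotes are literal, so the rendered href contains the text `token='.newToken().'&id=` and `newToken()` is never called. Rewrite the line with consistent single-quoted concatenation: `print '<a class="editfielda" href="'.DOL_URL_ROOT.'/bookmarks/card.php?action=edit&token='.newToken().'&id='.$obj->rowid.'&backtopage='.urlencode($_SERVER["PHP_SELF"]).'">'.img_edit().'</a>';`. The enclosing `while` loop starts outside the hunk.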

+ 1 - 1
htdocs/categories/photos.php

@@ -254,7 +254,7 @@ if ($object->id)
     			}
     			if ($user->rights->categorie->creer)
     			{
-    				print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete&amp;type='.$type.'&amp;file='.urlencode($pdir.$viewfilename).'">';
+    				print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete&amp;token='.newToken().'&amp;type='.$type.'&amp;file='.urlencode($pdir.$viewfilename).'">';
     				print img_delete().'</a>';
     			}
     			if ($nbbyrow) print '</td>';

+ 1 - 1
htdocs/categories/traduction.php

@@ -301,7 +301,7 @@ if ($action == 'edit')
 		{
 		    $s = picto_from_langcode($key);
 			print '<table class="border centpercent">';
-			print '<tr class="liste_titre"><td colspan="2">'.($s ? $s.' ' : '')." <b>".$langs->trans('Language_'.$key).":</b> ".'<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=delete&langtodelete='.$key.'&type='.$type.'">'.img_delete('', '').'</a></td></tr>';
+			print '<tr class="liste_titre"><td colspan="2">'.($s ? $s.' ' : '')." <b>".$langs->trans('Language_'.$key).":</b> ".'<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=delete&token='.newToken().'&langtodelete='.$key.'&type='.$type.'">'.img_delete('', '').'</a></td></tr>';
 			print '<tr><td class="titlefield">'.$langs->trans('Label').'</td><td>'.$object->multilangs[$key]["label"].'</td></tr>';
 			print '<tr><td>'.$langs->trans('Description').'</td><td>'.$object->multilangs[$key]["description"].'</td></tr>';
 			if (!empty($conf->global->CATEGORY_USE_OTHER_FIELD_IN_TRANSLATION))

+ 1 - 1
htdocs/categories/viewcat.php

@@ -266,7 +266,7 @@ if ($user->rights->categorie->creer)
 
 if ($user->rights->categorie->supprimer)
 {
-	print "<a class='butActionDelete' href='".DOL_URL_ROOT."/categories/viewcat.php?action=delete&amp;id=".$object->id."&amp;type=".$type."'>".$langs->trans("Delete")."</a>";
+	print "<a class='butActionDelete' href='".DOL_URL_ROOT."/categories/viewcat.php?action=delete&amp;token='.newToken().'&amp;id=".$object->id."&amp;type=".$type."'>".$langs->trans("Delete")."</a>";
 }
 
 print "</div>";
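Review bot: The delete link is broken on the new side: `'.newToken().'` sits inside the double-quoted string `"/categories/viewcat.php?action=delete&amp;token='.newToken().'&amp;id="`, so PHP emits it literally, and because the `href` attribute is delimited with single quotes the embedded `'` terminates the attribute, leaving the id and type outside the link. Rewrite with single-quoted PHP strings and a double-quoted attribute: `print '<a class="butActionDelete" href="'.DOL_URL_ROOT.'/categories/viewcat.php?action=delete&amp;token='.newToken().'&amp;id='.$object->id.'&amp;type='.$type.'">'.$langs->trans("Delete").'</a>';`. `$type` is presumably request-derived and also deserves `urlencode()`, though that predates this commit.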

+ 1 - 1
htdocs/comm/action/card.php

@@ -2139,7 +2139,7 @@ if ($id > 0)
 			if ($user->rights->agenda->allactions->delete ||
 			   (($object->authorid == $user->id || $object->userownerid == $user->id) && $user->rights->agenda->myactions->delete))
 			{
-				print '<div class="inline-block divButAction"><a class="butActionDelete" href="card.php?action=delete&id='.$object->id.'">'.$langs->trans("Delete").'</a></div>';
+				print '<div class="inline-block divButAction"><a class="butActionDelete" href="card.php?action=delete&token='.newToken().'&id='.$object->id.'">'.$langs->trans("Delete").'</a></div>';
 			} else {
 				print '<div class="inline-block divButAction"><a class="butActionRefused classfortooltip" href="#" title="'.$langs->trans("NotAllowed").'">'.$langs->trans("Delete").'</a></div>';
 			}

+ 1 - 1
htdocs/comm/action/class/actioncomm.class.php

@@ -495,7 +495,7 @@ class ActionComm extends CommonObject
 		$sql .= ((isset($this->durationp) && $this->durationp >= 0 && $this->durationp != '') ? "'".$this->db->escape($this->durationp)."'" : "null").", "; // deprecated
 		$sql .= (isset($this->type_id) ? $this->type_id : "null").",";
 		$sql .= ($code ? ("'".$this->db->escape($code)."'") : "null").", ";
-		$sql .= ($this->ref_ext ? ("'".$this->db->idate($this->ref_ext)."'") : "null").", ";
+		$sql .= (!empty($this->ref_ext) ? "'".$this->db->escape($this->ref_ext)."'" : "null").", ";
 		$sql .= ((isset($this->socid) && $this->socid > 0) ? $this->socid : "null").", ";
 		$sql .= ((isset($this->fk_project) && $this->fk_project > 0) ? $this->fk_project : "null").", ";
 		$sql .= " '".$this->db->escape($this->note_private)."', ";
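Review bot: Switching from `idate()` to `escape()` is the right fix, but `!empty($this->ref_ext)` still turns the legitimate external reference `"0"` into SQL `null`, the same truthiness trap the old `$this->ref_ext ?` had. Use an explicit presence check instead: `$sql .= ((isset($this->ref_ext) && $this->ref_ext !== '') ? "'".$this->db->escape($this->ref_ext)."'" : "null").", ";`. The enclosing `create()` method starts and ends outside the hunk.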

+ 1 - 3
htdocs/comm/card.php

@@ -777,8 +777,6 @@ if ($object->id > 0)
 				print '<tr class="liste_titre">';
 				print '<td colspan="4"><table width="100%" class="nobordernopadding"><tr><td>'.$langs->trans("LastCustomerOrders", ($num <= $MAXLIST ? "" : $MAXLIST)).'</td><td class="right"><a class="notasortlink" href="'.DOL_URL_ROOT.'/commande/list.php?socid='.$object->id.'">'.$langs->trans("AllOrders").'<span class="badge marginleftonlyshort">'.$num.'</span></a></td>';
 				print '<td width="20px" class="right"><a href="'.DOL_URL_ROOT.'/commande/stats/index.php?socid='.$object->id.'">'.img_picto($langs->trans("Statistics"), 'stats').'</a></td>';
-				//if($num2 > 0) print '<td width="20px" class="right"><a href="'.DOL_URL_ROOT.'/commande/orderstoinvoice.php?socid='.$object->id.'">'.img_picto($langs->trans("CreateInvoiceForThisCustomer"),'object_bill').'</a></td>';
-				//else print '<td width="20px" class="right"><a href="#">'.img_picto($langs->trans("NoOrdersToInvoice"),'object_bill').'</a></td>';
 				print '</tr></table></td>';
 				print '</tr>';
 			}
@@ -1283,7 +1281,7 @@ if ($object->id > 0)
     				{
     				    if ($object->client != 0 && $object->client != 2)
     				    {
-    					    if (!empty($orders2invoice) && $orders2invoice > 0) print '<div class="inline-block divButAction"><a class="butAction" href="'.DOL_URL_ROOT.'/commande/orderstoinvoice.php?socid='.$object->id.'">'.$langs->trans("CreateInvoiceForThisCustomer").'</a></div>';
+    					    if (!empty($orders2invoice) && $orders2invoice > 0) print '<div class="inline-block divButAction"><a class="butAction" href="'.DOL_URL_ROOT.'/commande/list.php?socid='.$object->id.'&search_billed=0&autoselectall=1">'.$langs->trans("CreateInvoiceForThisCustomer").'</a></div>';
     					    else print '<div class="inline-block divButAction"><a class="butActionRefused classfortooltip" title="'.dol_escape_js($langs->trans("NoOrdersToInvoice")).'" href="#">'.$langs->trans("CreateInvoiceForThisCustomer").'</a></div>';
     				    } else print '<div class="inline-block divButAction"><a class="butActionRefused classfortooltip" title="'.dol_escape_js($langs->trans("ThirdPartyMustBeEditAsCustomer")).'" href="#">'.$langs->trans("AddBill").'</a></div>';
     				}

+ 1 - 1
htdocs/comm/mailing/card.php

@@ -1014,7 +1014,7 @@ if ($action == 'create')
 					{
 						print '<a class="butActionRefused classfortooltip" href="#" title="'.dol_escape_htmltag($langs->transnoentitiesnoconv("NotEnoughPermissions")).'">'.$langs->trans("DeleteMailing").'</a>';
 					} else {
-						print '<a class="butActionDelete" href="'.$_SERVER['PHP_SELF'].'?action=delete&amp;id='.$object->id.(!empty($urlfrom) ? '&urlfrom='.$urlfrom : '').'">'.$langs->trans("DeleteMailing").'</a>';
+						print '<a class="butActionDelete" href="'.$_SERVER['PHP_SELF'].'?action=delete&amp;token='.newToken().'&amp;id='.$object->id.(!empty($urlfrom) ? '&urlfrom='.$urlfrom : '').'">'.$langs->trans("DeleteMailing").'</a>';
 					}
 				}
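Review bot: The rewritten delete link still appends `$urlfrom` raw (`'&urlfrom='.$urlfrom`), so a value containing `&` or `"` corrupts the query string and the attribute, and if `$urlfrom` originates from a request parameter it is an injection point into the very link that now carries the CSRF token. Encode it and keep the entity form consistent with the rest of the line: `(!empty($urlfrom) ? '&amp;urlfrom='.urlencode($urlfrom) : '')`. Where `$urlfrom` is populated is outside the hunk, so the trust level is inferred.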
 

+ 1 - 1
htdocs/comm/mailing/cibles.php

@@ -665,7 +665,7 @@ if ($object->fetch($id) >= 0)
 				if ($obj->statut == 0)	// Not sent yet
 				{
 					if ($user->rights->mailing->creer && $allowaddtarget) {
-						print '<a class="reposition" href="'.$_SERVER['PHP_SELF'].'?action=delete&rowid='.$obj->rowid.$param.'">'.img_delete($langs->trans("RemoveRecipient")).'</a>';
+						print '<a class="reposition" href="'.$_SERVER['PHP_SELF'].'?action=delete&token='.newToken().'&rowid='.$obj->rowid.$param.'">'.img_delete($langs->trans("RemoveRecipient")).'</a>';
 					}
 				}
 				/*if ($obj->statut == -1)	// Sent with error

+ 2 - 2
htdocs/comm/propal/card.php

@@ -2491,12 +2491,12 @@ if ($action == 'create')
 
 				// Clone
 				if ($usercancreate) {
-					print '<a class="butAction" href="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'&amp;socid='.$object->socid.'&amp;action=clone&amp;object='.$object->element.'">'.$langs->trans("ToClone").'</a>';
+					print '<a class="butAction" href="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'&amp;socid='.$object->socid.'&amp;action=clone&amp;token='.newToken().'&amp;object='.$object->element.'">'.$langs->trans("ToClone").'</a>';
 				}
 
 				// Delete
 				if ($usercandelete) {
-					print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete"';
+					print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete&amp;token='.newToken().'"';
 					print '>'.$langs->trans('Delete').'</a>';
 				}
 			}

+ 1 - 1
htdocs/commande/card.php

@@ -2602,7 +2602,7 @@ if ($action == 'create' && $usercancreate)
 				// Delete order
 				if ($usercandelete) {
 					if ($numshipping == 0) {
-						print '<div class="inline-block divButAction"><a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete">'.$langs->trans('Delete').'</a></div>';
+						print '<div class="inline-block divButAction"><a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete&amp;token='.newToken().'">'.$langs->trans('Delete').'</a></div>';
 					} else {
 						print '<div class="inline-block divButAction"><a class="butActionRefused classfortooltip" href="#" title="'.$langs->trans("ShippingExist").'">'.$langs->trans("Delete").'</a></div>';
 					}

+ 1 - 1
htdocs/commande/customer.php

@@ -164,7 +164,7 @@ if ($resql)
 
 		$result = '';
 		$link = $linkend = '';
-		$link = '<a href="'.dol_buildpath('/commande/orderstoinvoice.php', 1).'?socid='.$obj->rowid.'">';
+		$link = '<a href="'.DOL_URL_ROOT.'/commande/list.php?socid='.$obj->rowid.'">';
 		$linkend = '</a>';
 		$name = $obj->name;
 		$result .= ($link.img_object($langs->trans("ShowCompany").': '.$name, 'company').$linkend);

+ 12 - 2
htdocs/commande/list.php

@@ -624,6 +624,16 @@ if ($resql)
 	$selectedfields = $form->multiSelectArrayWithCheckbox('selectedfields', $arrayfields, $varpage); // This also change content of $arrayfields
 	$selectedfields .= $form->showCheckAddButtons('checkforselect', 1);
 
+	if (GETPOST('autoselectall', 'int')) {
+		$selectedfields .= '<script>';
+		$selectedfields .= '   $(document).ready(function() {';
+		$selectedfields .= '        console.log("Autoclick on checkforselects");';
+		$selectedfields .= '   		$("#checkforselects").click();';
+		$selectedfields .= '        $("#massaction").val("createbills").change();';
+		$selectedfields .= '   });';
+		$selectedfields .= '</script>';
+	}
+
 	print '<div class="div-table-responsive">';
 	print '<table class="tagtable liste'.($moreforfilter ? " listwithfilterbefore" : "").'">'."\n";
 
@@ -1092,7 +1102,7 @@ if ($resql)
 				{
 					if (($obj->fk_statut > 0 && $obj->fk_statut < 3) || ($obj->fk_statut == 3 && $obj->billed == 0))
 					{
-						print '&nbsp;<a href="'.DOL_URL_ROOT.'/commande/orderstoinvoice.php?socid='.$companystatic->id.'">';
+						print '&nbsp;<a href="'.DOL_URL_ROOT.'/commande/list.php?socid='.$companystatic->id.'&search_billed=0&autoselectall=1">';
 						print img_picto($langs->trans("CreateInvoiceForThisCustomer").' : '.$companystatic->name, 'object_bill', 'hideonsmartphone').'</a>';
 					}
 				}
@@ -1289,7 +1299,7 @@ if ($resql)
 		}
 
 		// Action column
-		print '<td class="nowrap" align="center">';
+		print '<td class="nowrap center">';
 		if ($massactionbutton || $massaction)   // If we are in select mode (massactionbutton defined) or if we have already selected and sent an action ($massaction) defined
 		{
 			$selected = 0;
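Review bot: The new `autoselectall` flag lets a plain GET link tick every row and force the mass-action selector to `createbills` through a triggered `change` event at page load; if the change handler attached elsewhere submits the form or skips the confirm step, a state-changing mass action becomes reachable from a URL, so confirm the handler only reveals the confirm UI. The script also clicks `#checkforselects` while the button is created as `showCheckAddButtons('checkforselect', 1)`, so the element id should be verified against what that helper renders. The `console.log` call is debugging output that should not ship in the page.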

+ 1 - 1
htdocs/compta/bank/bankentries_list.php

@@ -1490,7 +1490,7 @@ if ($resql)
     	    }
     	    if ($user->rights->banque->modifier)
     	    {
-    	        print '<a href="'.$_SERVER["PHP_SELF"].'?action=delete&amp;rowid='.$objp->rowid.'&amp;id='.$objp->bankid.'&amp;page='.$page.'">';
+    	        print '<a href="'.$_SERVER["PHP_SELF"].'?action=delete&amp;token='.newToken().'&amp;rowid='.$objp->rowid.'&amp;id='.$objp->bankid.'&amp;page='.$page.'">';
     	        print img_delete('', 'class="marginleftonly"');
     	        print '</a>';
     	    }

+ 2 - 2
htdocs/compta/bank/card.php

@@ -761,13 +761,13 @@ if ($action == 'create')
 
 		if ($user->rights->banque->configurer)
 		{
-			print '<a class="butAction" href="'.$_SERVER["PHP_SELF"].'?action=edit&id='.$object->id.'">'.$langs->trans("Modify").'</a>';
+			print '<a class="butAction" href="'.$_SERVER["PHP_SELF"].'?action=edit&token='.newToken().'&id='.$object->id.'">'.$langs->trans("Modify").'</a>';
 		}
 
 		$canbedeleted = $object->can_be_deleted(); // Renvoi vrai si compte sans mouvements
 		if ($user->rights->banque->configurer && $canbedeleted)
 		{
-			print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?action=delete&id='.$object->id.'">'.$langs->trans("Delete").'</a>';
+			print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?action=delete&token='.newToken().'&id='.$object->id.'">'.$langs->trans("Delete").'</a>';
 		}
 
 		print '</div>';

+ 2 - 2
htdocs/compta/bank/categ.php

@@ -135,8 +135,8 @@ if ($result)
 		} else {
 			print "<td >".$objp->label."</td>";
 			print '<td class="center">';
-			print '<a class="editfielda reposition marginleftonly marginrightonly" href="'.$_SERVER["PHP_SELF"].'?categid='.$objp->rowid.'&amp;action=edit">'.img_edit().'</a>';
-			print '<a class="marginleftonly" href="'.$_SERVER["PHP_SELF"].'?categid='.$objp->rowid.'&amp;action=delete">'.img_delete().'</a>';
+			print '<a class="editfielda reposition marginleftonly marginrightonly" href="'.$_SERVER["PHP_SELF"].'?categid='.$objp->rowid.'&amp;action=edit&amp;token='.newToken().'">'.img_edit().'</a>';
+			print '<a class="marginleftonly" href="'.$_SERVER["PHP_SELF"].'?categid='.$objp->rowid.'&amp;action=delete&amp;token='.newToken().'">'.img_delete().'</a>';
 			print '</td>';
 		}
 		print "</tr>";

+ 1 - 1
htdocs/compta/bank/various_payment/card.php

@@ -550,7 +550,7 @@ if ($id)
 			if ($alreadyaccounted) {
 				print '<div class="inline-block divButAction"><a class="butActionRefused classfortooltip" href="#" title="'.$langs->trans("Accounted").'">'.$langs->trans("Delete").'</a></div>';
 			} else {
-				print '<div class="inline-block divButAction"><a class="butActionDelete" href="card.php?id='.$object->id.'&action=delete">'.$langs->trans("Delete").'</a></div>';
+				print '<div class="inline-block divButAction"><a class="butActionDelete" href="card.php?id='.$object->id.'&action=delete&token='.newToken().'">'.$langs->trans("Delete").'</a></div>';
 			}
 		} else {
 			print '<div class="inline-block divButAction"><a class="butActionRefused classfortooltip" href="#" title="'.(dol_escape_htmltag($langs->trans("NotAllowed"))).'">'.$langs->trans("Delete").'</a></div>';

+ 1 - 1
htdocs/compta/deplacement/card.php

@@ -521,7 +521,7 @@ if ($action == 'create')
 
             if ($user->rights->deplacement->supprimer)
             {
-                print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?action=delete&id='.$id.'">'.$langs->trans('Delete').'</a>';
+                print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?action=delete&token='.newToken().'&id='.$id.'">'.$langs->trans('Delete').'</a>';
             } else {
                 print '<a class="butActionRefused classfortooltip" href="#" title="'.dol_escape_htmltag($langs->trans("NotAllowed")).'">'.$langs->trans('Delete').'</a>';
             }

+ 3 - 3
htdocs/compta/facture/card.php

@@ -3935,7 +3935,7 @@ if ($action == 'create')
 		}
 	}
 
-	if ($action == 'deletepaiement')
+	if ($action == 'deletepayment')
 	{
 		$payment_id = GETPOST('paiement_id');
 		$formconfirm = $form->formconfirm($_SERVER["PHP_SELF"].'?id='.$object->id.'&paiement_id='.$payment_id, $langs->trans('DeletePayment'), $langs->trans('ConfirmDeletePayment'), 'confirm_delete_paiement', '', 'no', 1);
@@ -4743,7 +4743,7 @@ if ($action == 'create')
 				print '<td class="center">';
 				if ($object->statut == Facture::STATUS_VALIDATED && $object->paye == 0 && $user->socid == 0)
 				{
-					print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=deletepaiement&paiement_id='.$objp->rowid.'">';
+					print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=deletepayment&token='.newToken().'&paiement_id='.$objp->rowid.'">';
 					print img_delete();
 					print '</a>';
 				}
@@ -5286,7 +5286,7 @@ if ($action == 'create')
 				{
 					print '<a class="butActionRefused classfortooltip" href="#" title="'.$langs->trans("DisabledBecauseReplacedInvoice").'">'.$langs->trans('Delete').'</a>';
 				} else {
-					print '<a class="butActionDelete'.($conf->use_javascript_ajax ? ' reposition' : '').'" href="'.$_SERVER["PHP_SELF"].'?facid='.$object->id.'&amp;action=delete">'.$langs->trans('Delete').'</a>';
+					print '<a class="butActionDelete'.($conf->use_javascript_ajax ? ' reposition' : '').'" href="'.$_SERVER["PHP_SELF"].'?facid='.$object->id.'&amp;action=delete&amp;token='.newToken().'">'.$langs->trans('Delete').'</a>';
 				}
 			} else {
 				print '<a class="butActionRefused classfortooltip" href="#" title="'.$langs->trans("NotAllowed").'">'.$langs->trans('Delete').'</a>';
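Review bot: Renaming the action to `deletepayment` with no fallback means any remaining link or bookmark still sending `action=deletepaiement` silently does nothing, while the confirm callback keeps the old `confirm_delete_paiement` name, so the two spellings now coexist in one flow; either accept both (`if ($action == 'deletepayment' || $action == 'deletepaiement')`) or rename the confirm action too. In the same branch `$payment_id = GETPOST('paiement_id');` is interpolated into the confirm URL without the `'int'` filter; `GETPOST('paiement_id', 'int')` would match the `rowid` it is compared against. The enclosing view logic starts and ends outside these hunks.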

+ 1 - 1
htdocs/compta/facture/prelevement.php

@@ -752,7 +752,7 @@ if ($object->id > 0)
 			print '<td class="center">'.$langs->trans("OrderWaiting").'</td>';
 
 			print '<td class="right">';
-			print '<a href="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'&action=delete&did='.$obj->rowid.'&type='.$type.'">';
+			print '<a href="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'&action=delete&token='.newToken().'&did='.$obj->rowid.'&type='.$type.'">';
 			print img_delete();
 			print '</a></td>';
 

+ 1 - 1
htdocs/compta/localtax/card.php

@@ -280,7 +280,7 @@ if ($id)
 	print "<div class=\"tabsAction\">\n";
 	if ($object->rappro == 0)
 	{
-		print '<a class="butActionDelete" href="card.php?id='.$object->id.'&action=delete">'.$langs->trans("Delete").'</a>';
+		print '<a class="butActionDelete" href="card.php?id='.$object->id.'&action=delete&token='.newToken().'">'.$langs->trans("Delete").'</a>';
 	} else {
 		print '<a class="butActionRefused classfortooltip" href="#" title="'.$langs->trans("LinkedToAConcialitedTransaction").'">'.$langs->trans("Delete").'</a>';
 	}

+ 2 - 2
htdocs/compta/paiement/cheque/card.php

@@ -734,12 +734,12 @@ print '<div class="tabsAction">';
 
 if ($user->socid == 0 && !empty($object->id) && $object->statut == 0 && $user->rights->banque->cheque)
 {
-	print '<a class="butAction" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=valide&amp;sortfield='.$sortfield.'&amp;sortorder='.$sortorder.'">'.$langs->trans('Validate').'</a>';
+	print '<a class="butAction" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=valide&amp;token='.newToken().'&amp;sortfield='.$sortfield.'&amp;sortorder='.$sortorder.'">'.$langs->trans('Validate').'</a>';
 }
 
 if ($user->socid == 0 && !empty($object->id) && $user->rights->banque->cheque)
 {
-	print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete&amp;sortfield='.$sortfield.'&amp;sortorder='.$sortorder.'">'.$langs->trans('Delete').'</a>';
+	print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete&amp;token='.newToken().'&amp;sortfield='.$sortfield.'&amp;sortorder='.$sortorder.'">'.$langs->trans('Delete').'</a>';
 }
 print '</div>';
 

+ 1 - 1
htdocs/compta/payment_sc/card.php

@@ -311,7 +311,7 @@ if ($action == '')
 	{
 		if (!$disable_delete)
 		{
-			print '<a class="butActionDelete" href="card.php?id='.$_GET['id'].'&amp;action=delete">'.$langs->trans('Delete').'</a>';
+			print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.GETPOST('id', 'int').'&amp;action=delete&amp;token='.newToken().'">'.$langs->trans('Delete').'</a>';
 		} else {
 			print '<a class="butActionRefused classfortooltip" href="#" title="'.dol_escape_htmltag($langs->trans("CantRemovePaymentWithOneInvoicePaid")).'">'.$langs->trans('Delete').'</a>';
 		}

+ 5 - 5
htdocs/compta/sociales/card.php

@@ -706,13 +706,13 @@ if ($id > 0)
 			// Reopen
 			if ($object->paye && $user->rights->tax->charges->creer)
 			{
-				print "<div class=\"inline-block divButAction\"><a class=\"butAction\" href=\"".dol_buildpath("/compta/sociales/card.php", 1)."?id=$object->id&amp;action=reopen\">".$langs->trans("ReOpen")."</a></div>";
+				print '<div class="inline-block divButAction"><a class="butAction" href="'.dol_buildpath("/compta/sociales/card.php", 1).'?id='.$object->id.'&amp;action=reopen">'.$langs->trans("ReOpen").'</a></div>';
 			}
 
 			// Edit
 			if ($object->paye == 0 && $user->rights->tax->charges->creer)
 			{
-				print "<div class=\"inline-block divButAction\"><a class=\"butAction\" href=\"".DOL_URL_ROOT."/compta/sociales/card.php?id=$object->id&amp;action=edit\">".$langs->trans("Modify")."</a></div>";
+				print '<div class="inline-block divButAction"><a class="butAction" href="'.DOL_URL_ROOT.'/compta/sociales/card.php?id='.$object->id.'&amp;action=edit">'.$langs->trans("Modify").'</a></div>';
 			}
 
 			// Emit payment
@@ -724,19 +724,19 @@ if ($id > 0)
 			// Classify 'paid'
 			if ($object->paye == 0 && round($resteapayer) <= 0 && $user->rights->tax->charges->creer)
 			{
-				print "<div class=\"inline-block divButAction\"><a class=\"butAction\" href=\"".DOL_URL_ROOT."/compta/sociales/card.php?id=$object->id&amp;action=paid\">".$langs->trans("ClassifyPaid")."</a></div>";
+				print '<div class="inline-block divButAction"><a class="butAction" href="'.DOL_URL_ROOT.'/compta/sociales/card.php?id='.$object->id.'&amp;action=paid&amp;token='.newToken().'">'.$langs->trans("ClassifyPaid").'</a></div>';
 			}
 
 			// Clone
 			if ($user->rights->tax->charges->creer)
 			{
-				print "<div class=\"inline-block divButAction\"><a class=\"butAction\" href=\"".dol_buildpath("/compta/sociales/card.php", 1)."?id=$object->id&amp;action=clone\">".$langs->trans("ToClone")."</a></div>";
+				print '<div class="inline-block divButAction"><a class="butAction" href="'.dol_buildpath("/compta/sociales/card.php", 1).'?id='.$object->id.'&amp;action=clone">'.$langs->trans("ToClone")."</a></div>";
 			}
 
 			// Delete
 			if ($user->rights->tax->charges->supprimer)
 			{
-				print "<div class=\"inline-block divButAction\"><a class=\"butActionDelete\" href=\"".DOL_URL_ROOT."/compta/sociales/card.php?id=$object->id&amp;action=delete\">".$langs->trans("Delete")."</a></div>";
+				print '<div class="inline-block divButAction"><a class="butActionDelete" href="'.DOL_URL_ROOT.'/compta/sociales/card.php?id='.$object->id.'&amp;action=delete&amp;token='.newToken().'">'.$langs->trans("Delete").'</a></div>';
 			}
 
 			print "</div>";
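Review bot: The `reopen` link at the top of the first hunk is a state-changing action that was left without a CSRF token, while `paid` and `delete` in the same block now carry one; unless the `reopen` handler (outside the hunk) goes through a confirmation form, it should be `'?id='.$object->id.'&amp;action=reopen&amp;token='.newToken().'"'` as well. Separately, the `ToClone` line still ends in `"</a></div>";` with double quotes while the rest of that line was converted to single quotes — harmless, but inconsistent with the rewrite the commit is making.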

+ 1 - 1
htdocs/compta/tva/card.php

@@ -379,7 +379,7 @@ if ($id)
 	{
 		if (!empty($user->rights->tax->charges->supprimer))
 		{
-			print '<div class="inline-block divButAction"><a class="butActionDelete" href="card.php?id='.$object->id.'&action=delete">'.$langs->trans("Delete").'</a></div>';
+			print '<div class="inline-block divButAction"><a class="butActionDelete" href="card.php?id='.$object->id.'&action=delete&token='.newToken().'">'.$langs->trans("Delete").'</a></div>';
 		} else {
 			print '<div class="inline-block divButAction"><a class="butActionRefused classfortooltip" href="#" title="'.(dol_escape_htmltag($langs->trans("NotAllowed"))).'">'.$langs->trans("Delete").'</a></div>';
 		}
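Review bot: The new href separates query parameters with a bare `&` inside an HTML attribute, unlike the `&amp;` used by the other delete links in this commit; browsers tolerate it, but `&token=` should be written `&amp;token=` for valid markup, and keeping one convention makes it easier to audit that every action link carries a token. As with the other links, the token is only a protection if the `delete` handler (outside this hunk) validates it before acting.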

+ 1 - 1
htdocs/contact/canvas/default/tpl/contactcard_view.tpl.php

@@ -144,7 +144,7 @@ if (empty($user->socid)) {
 	}
 
 	if ($user->rights->societe->contact->supprimer) {
-		print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$this->control->tpl['id'].'&amp;action=delete&amp;canvas='.$canvas.'">'.$langs->trans('Delete').'</a>';
+		print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$this->control->tpl['id'].'&amp;action=delete&amp;token='.newToken().'&amp;canvas='.$canvas.'">'.$langs->trans('Delete').'</a>';
 	}
 
 	print '</div><br>';
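Review bot: `$canvas` is concatenated into the href unescaped; the template does not show where it comes from, but a `canvas=` parameter is already part of this URL, so if it is read back from the request it should be emitted as `urlencode($canvas)` so a crafted value cannot break out of the attribute or smuggle extra parameters. The same applies to `$this->control->tpl['id']` if it is not guaranteed to be an integer. Whether the handler that consumes `action=delete` checks the new token is outside this template.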

+ 1 - 1
htdocs/contact/card.php

@@ -1526,7 +1526,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action))
 			// Delete
 			if ($user->rights->societe->contact->supprimer)
 			{
-				print '<a class="butActionDelete" href="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'&action=delete'.($backtopage ? '&backtopage='.urlencode($backtopage) : '').'">'.$langs->trans('Delete').'</a>';
+				print '<a class="butActionDelete" href="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'&action=delete&token='.newToken().''.($backtopage ? '&backtopage='.urlencode($backtopage) : '').'">'.$langs->trans('Delete').'</a>';
 			}
 		}
 

+ 64 - 35
htdocs/contact/class/contact.class.php

@@ -60,6 +60,29 @@ class Contact extends CommonObject
 	 */
 	public $picto = 'contact';
 
+	/**
+	 *  'type' if the field format ('integer', 'integer:ObjectClass:PathToClass[:AddCreateButtonOrNot[:Filter]]', 'varchar(x)', 'double(24,8)', 'real', 'price', 'text', 'html', 'date', 'datetime', 'timestamp', 'duration', 'mail', 'phone', 'url', 'password')
+	 *         Note: Filter can be a string like "(t.ref:like:'SO-%') or (t.date_creation:<:'20160101') or (t.nature:is:NULL)"
+	 *  'label' the translation key.
+	 *  'enabled' is a condition when the field must be managed.
+	 *  'position' is the sort order of field.
+	 *  'notnull' is set to 1 if not null in database. Set to -1 if we must set data to null if empty ('' or 0).
+	 *  'visible' says if field is visible in list (Examples: 0=Not visible, 1=Visible on list and create/update/view forms, 2=Visible on list only, 3=Visible on create/update/view form only (not list), 4=Visible on list and update/view form only (not create). 5=Visible on list and view only (not create/not update). Using a negative value means field is not shown by default on list but can be selected for viewing)
+	 *  'noteditable' says if field is not editable (1 or 0)
+	 *  'default' is a default value for creation (can still be overwrote by the Setup of Default Values if field is editable in creation form). Note: If default is set to '(PROV)' and field is 'ref', the default value will be set to '(PROVid)' where id is rowid when a new record is created.
+	 *  'index' if we want an index in database.
+	 *  'foreignkey'=>'tablename.field' if the field is a foreign key (it is recommanded to name the field fk_...).
+	 *  'searchall' is 1 if we want to search in this field when making a search from the quick search button.
+	 *  'isameasure' must be set to 1 if you want to have a total on list for this field. Field type must be summable like integer or double(24,8).
+	 *  'css' is the CSS style to use on field. For example: 'maxwidth200'
+	 *  'help' is a string visible as a tooltip on field
+	 *  'showoncombobox' if value of the field must be visible into the label of the combobox that list record
+	 *  'disabled' is 1 if we want to have the field locked by a 'disabled' attribute. In most cases, this is never set into the definition of $fields into class, but is set dynamically by some part of code.
+	 *  'arraykeyval' to set list of value if type is a list of predefined values. For example: array("0"=>"Draft","1"=>"Active","-1"=>"Cancel")
+	 *  'comment' is not used. You can store here any text of your choice. It is not used by application.
+	 *
+	 *  Note: To have value dynamic, you can set value to 0 in definition and edit the value on the fly into the constructor.
+	 */
 
 	// BEGIN MODULEBUILDER PROPERTIES
 	/**
@@ -69,38 +92,38 @@ class Contact extends CommonObject
 		'rowid' =>array('type'=>'integer', 'label'=>'TechnicalID', 'enabled'=>1, 'visible'=>-1, 'notnull'=>1, 'position'=>10),
 		'datec' =>array('type'=>'datetime', 'label'=>'DateCreation', 'enabled'=>1, 'visible'=>-1, 'position'=>15),
 		'tms' =>array('type'=>'timestamp', 'label'=>'DateModification', 'enabled'=>1, 'visible'=>-1, 'notnull'=>1, 'position'=>20),
-		'fk_soc' =>array('type'=>'integer', 'label'=>'ThirdParty', 'enabled'=>1, 'visible'=>-1, 'position'=>25),
-		'entity' =>array('type'=>'integer', 'label'=>'Entity', 'default'=>1, 'enabled'=>1, 'visible'=>0, 'notnull'=>1, 'position'=>30, 'index'=>1),
-		'ref_ext' =>array('type'=>'varchar(255)', 'label'=>'Ref ext', 'enabled'=>1, 'visible'=>0, 'position'=>35),
-		'civility' =>array('type'=>'varchar(6)', 'label'=>'Civility', 'enabled'=>1, 'visible'=>-1, 'position'=>40),
-		'lastname' =>array('type'=>'varchar(50)', 'label'=>'Lastname', 'enabled'=>1, 'visible'=>-1, 'position'=>45, 'showoncombobox'=>1),
-		'firstname' =>array('type'=>'varchar(50)', 'label'=>'Firstname', 'enabled'=>1, 'visible'=>-1, 'position'=>50, 'showoncombobox'=>1),
+		'fk_soc' =>array('type'=>'integer', 'label'=>'ThirdParty', 'enabled'=>1, 'visible'=>1, 'position'=>25, 'searchall'=>1),
+		'entity' =>array('type'=>'integer', 'label'=>'Entity', 'default'=>1, 'enabled'=>1, 'visible'=>3, 'notnull'=>1, 'position'=>30, 'index'=>1),
+		'ref_ext' =>array('type'=>'varchar(255)', 'label'=>'Ref ext', 'enabled'=>1, 'visible'=>3, 'position'=>35),
+		'civility' =>array('type'=>'varchar(6)', 'label'=>'Civility', 'enabled'=>1, 'visible'=>3, 'position'=>40),
+		'lastname' =>array('type'=>'varchar(50)', 'label'=>'Lastname', 'enabled'=>1, 'visible'=>1, 'position'=>45, 'showoncombobox'=>1, 'searchall'=>1),
+		'firstname' =>array('type'=>'varchar(50)', 'label'=>'Firstname', 'enabled'=>1, 'visible'=>1, 'position'=>50, 'showoncombobox'=>1, 'searchall'=>1),
 		'address' =>array('type'=>'varchar(255)', 'label'=>'Address', 'enabled'=>1, 'visible'=>-1, 'position'=>55),
-		'zip' =>array('type'=>'varchar(25)', 'label'=>'Zip', 'enabled'=>1, 'visible'=>-1, 'position'=>60),
-		'town' =>array('type'=>'text', 'label'=>'Town', 'enabled'=>1, 'visible'=>-1, 'position'=>65),
-		'fk_departement' =>array('type'=>'integer', 'label'=>'Fk departement', 'enabled'=>1, 'visible'=>-1, 'position'=>70),
-		'fk_pays' =>array('type'=>'integer', 'label'=>'Fk pays', 'enabled'=>1, 'visible'=>-1, 'position'=>75),
-		'birthday' =>array('type'=>'date', 'label'=>'Birthday', 'enabled'=>1, 'visible'=>-1, 'position'=>80),
+		'zip' =>array('type'=>'varchar(25)', 'label'=>'Zip', 'enabled'=>1, 'visible'=>1, 'position'=>60),
+		'town' =>array('type'=>'text', 'label'=>'Town', 'enabled'=>1, 'visible'=>1, 'position'=>65),
+		'fk_departement' =>array('type'=>'integer', 'label'=>'Fk departement', 'enabled'=>1, 'visible'=>3, 'position'=>70),
+		'fk_pays' =>array('type'=>'integer', 'label'=>'Fk pays', 'enabled'=>1, 'visible'=>3, 'position'=>75),
+		'birthday' =>array('type'=>'date', 'label'=>'Birthday', 'enabled'=>1, 'visible'=>3, 'position'=>80),
 		'poste' =>array('type'=>'varchar(80)', 'label'=>'PostOrFunction', 'enabled'=>1, 'visible'=>-1, 'position'=>85),
-		'phone' =>array('type'=>'varchar(30)', 'label'=>'Phone', 'enabled'=>1, 'visible'=>-1, 'position'=>90),
-		'phone_perso' =>array('type'=>'varchar(30)', 'label'=>'Phone perso', 'enabled'=>1, 'visible'=>-1, 'position'=>95),
-		'phone_mobile' =>array('type'=>'varchar(30)', 'label'=>'Phone mobile', 'enabled'=>1, 'visible'=>-1, 'position'=>100),
-		'fax' =>array('type'=>'varchar(30)', 'label'=>'Fax', 'enabled'=>1, 'visible'=>-1, 'position'=>105),
-		'email' =>array('type'=>'varchar(255)', 'label'=>'Email', 'enabled'=>1, 'visible'=>-1, 'position'=>110),
-		'socialnetworks' =>array('type'=>'text', 'label'=>'SocialNetworks', 'enabled'=>1, 'visible'=>-1, 'position'=>115),
-		'photo' =>array('type'=>'varchar(255)', 'label'=>'Photo', 'enabled'=>1, 'visible'=>-1, 'position'=>170),
-		'priv' =>array('type'=>'smallint(6)', 'label'=>'Private', 'enabled'=>1, 'visible'=>-1, 'notnull'=>1, 'position'=>175),
-		'fk_stcomm' =>array('type'=>'integer', 'label'=>'Fk stcommcontact', 'enabled'=>1, 'visible'=>-1, 'notnull'=>1, 'position'=>220),
+		'phone' =>array('type'=>'varchar(30)', 'label'=>'Phone', 'enabled'=>1, 'visible'=>1, 'position'=>90, 'searchall'=>1),
+		'phone_perso' =>array('type'=>'varchar(30)', 'label'=>'PhonePerso', 'enabled'=>1, 'visible'=>1, 'position'=>95, 'searchall'=>1),
+		'phone_mobile' =>array('type'=>'varchar(30)', 'label'=>'PhoneMobile', 'enabled'=>1, 'visible'=>1, 'position'=>100, 'searchall'=>1),
+		'fax' =>array('type'=>'varchar(30)', 'label'=>'Fax', 'enabled'=>1, 'visible'=>1, 'position'=>105, 'searchall'=>1),
+		'email' =>array('type'=>'varchar(255)', 'label'=>'Email', 'enabled'=>1, 'visible'=>1, 'position'=>110, 'searchall'=>1),
+		'socialnetworks' =>array('type'=>'text', 'label'=>'SocialNetworks', 'enabled'=>1, 'visible'=>3, 'position'=>115),
+		'photo' =>array('type'=>'varchar(255)', 'label'=>'Photo', 'enabled'=>1, 'visible'=>3, 'position'=>170),
+		'priv' =>array('type'=>'smallint(6)', 'label'=>'ContactVisibility', 'enabled'=>1, 'visible'=>1, 'notnull'=>1, 'position'=>175),
+		'fk_stcommcontact' =>array('type'=>'integer', 'label'=>'Fk stcommcontact', 'enabled'=>1, 'visible'=>-1, 'notnull'=>1, 'position'=>220),
 		'fk_prospectlevel' =>array('type'=>'varchar(12)', 'label'=>'ProspectLevel', 'enabled'=>1, 'visible'=>-1, 'position'=>255),
-		'no_email' =>array('type'=>'smallint(6)', 'label'=>'No email', 'enabled'=>1, 'visible'=>-1, 'notnull'=>1, 'position'=>180),
-		'fk_user_creat' =>array('type'=>'integer', 'label'=>'UserAuthor', 'enabled'=>1, 'visible'=>-1, 'position'=>185),
-		'fk_user_modif' =>array('type'=>'integer', 'label'=>'UserModif', 'enabled'=>1, 'visible'=>-1, 'position'=>190),
-		'note_private' =>array('type'=>'text', 'label'=>'NotePrivate', 'enabled'=>1, 'visible'=>0, 'position'=>195),
-		'note_public' =>array('type'=>'text', 'label'=>'NotePublic', 'enabled'=>1, 'visible'=>0, 'position'=>200),
-		'default_lang' =>array('type'=>'varchar(6)', 'label'=>'Default lang', 'enabled'=>1, 'visible'=>-1, 'position'=>205),
-		'canvas' =>array('type'=>'varchar(32)', 'label'=>'Canvas', 'enabled'=>1, 'visible'=>-1, 'position'=>210),
-		'statut' =>array('type'=>'tinyint(4)', 'label'=>'Statut', 'enabled'=>1, 'visible'=>-1, 'notnull'=>1, 'position'=>500),
-		'import_key' =>array('type'=>'varchar(14)', 'label'=>'ImportId', 'enabled'=>1, 'visible'=>-2, 'position'=>1000),
+		'no_email' =>array('type'=>'smallint(6)', 'label'=>'No_Email', 'enabled'=>1, 'visible'=>-1, 'notnull'=>1, 'position'=>180),
+		'fk_user_creat' =>array('type'=>'integer', 'label'=>'UserAuthor', 'enabled'=>1, 'visible'=>3, 'position'=>185),
+		'fk_user_modif' =>array('type'=>'integer', 'label'=>'UserModif', 'enabled'=>1, 'visible'=>3, 'position'=>190),
+		'note_private' =>array('type'=>'text', 'label'=>'NotePrivate', 'enabled'=>1, 'visible'=>3, 'position'=>195, 'searchall'=>1),
+		'note_public' =>array('type'=>'text', 'label'=>'NotePublic', 'enabled'=>1, 'visible'=>3, 'position'=>200, 'searchall'=>1),
+		'default_lang' =>array('type'=>'varchar(6)', 'label'=>'Default lang', 'enabled'=>1, 'visible'=>3, 'position'=>205),
+		'canvas' =>array('type'=>'varchar(32)', 'label'=>'Canvas', 'enabled'=>1, 'visible'=>3, 'position'=>210),
+		'statut' =>array('type'=>'tinyint(4)', 'label'=>'Status', 'enabled'=>1, 'visible'=>1, 'notnull'=>1, 'position'=>500),
+		'import_key' =>array('type'=>'varchar(14)', 'label'=>'ImportId', 'enabled'=>1, 'visible'=>-1, 'position'=>1000),
 	);
 
 	public $civility_id; // In fact we store civility_code
@@ -228,15 +251,21 @@ class Contact extends CommonObject
 		global $conf, $langs;
 
 		$this->db = $db;
+		$this->statut = 1; // By default, status is enabled
+
+		if (empty($conf->global->MAIN_SHOW_TECHNICAL_ID))		$this->fields['rowid']['visible'] = 0;
+		if (empty($conf->mailing->enabled))						$this->fields['no_email']['enabled'] = 0;
+
+		// typical ['s.nom'] is used for third-parties
+		if (empty($conf->global->SOCIETE_DISABLE_CONTACTS)) {
+			$this->fields['fk_soc']['enabled'] = 0;
+			$this->fields['fk_soc']['searchall'] = 0;
+		}
 
-		if (empty($conf->global->MAIN_SHOW_TECHNICAL_ID) && isset($this->fields['rowid'])) $this->fields['rowid']['visible'] = 0;
-		if (empty($conf->mailing->enabled)) $this->fields['no_email']['enabled'] = 0;
-		if (!empty($conf->global->SOCIETE_DISABLE_CONTACTS)) $this->fields['thirdparty']['enabled'] = 0;
 		if (empty($conf->global->THIRDPARTY_ENABLE_PROSPECTION_ON_ALTERNATIVE_ADRESSES)) {	// Default behaviour
-			$this->field['fk_stcomm']['enabled'] = 0;
-			$this->field['fk_prospectlevel']['enabled'] = 0;
+			$this->field['fk_stcommcontact']['enabled'] = 0;
+			$this->field['fk_prospectcontactlevel']['enabled'] = 0;
 		}
-		$this->statut = 1; // By default, status is enabled
 
 		// Unset fields that are disabled
 		foreach ($this->fields as $key => $val)
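Review bot: The two lines that disable the prospect fields when THIRDPARTY_ENABLE_PROSPECTION_ON_ALTERNATIVE_ADRESSES is unset write to `$this->field[...]` (singular); no such property is visible in this class, so they populate a stray array and never touch `$this->fields`, leaving both fields enabled. They should read `$this->fields['fk_stcommcontact']['enabled'] = 0;` and `$this->fields['fk_prospectlevel']['enabled'] = 0;`, because the key declared in `$fields` in this hunk is `fk_prospectlevel`, not `fk_prospectcontactlevel`. Since list.php in the same commit sorts on column `p.fk_prospectcontactlevel`, the declared key may itself be the wrong name for the table column — worth confirming against the schema before choosing which side to rename. The `$this->field` typo is pre-existing, but the renamed keys make the mismatch new.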

+ 47 - 44
htdocs/contact/list.php

@@ -149,44 +149,45 @@ $extrafields->fetch_name_optionals_label($object->table_element);
 $search_array_options = $extrafields->getOptionalsFromPost($object->table_element, '', 'search_');
 
 // List of fields to search into when doing a "search in all"
-$fieldstosearchall = array(
-	'p.lastname'=>'Lastname',
-	'p.firstname'=>'Firstname',
-	'p.email'=>'EMail',
-	's.nom'=>"ThirdParty",
-	'p.phone'=>"Phone",
-	'p.phone_perso'=>"PhonePerso",
-	'p.phone_mobile'=>"PhoneMobile",
-	'p.fax'=>"Fax",
-	'p.note_public'=>"NotePublic",
-	'p.note_private'=>"NotePrivate",
-);
+$fieldstosearchall = array();
+foreach ($object->fields as $key => $val)
+{
+	// don't allow search in private notes for external users when doing "search in all"
+	if (!empty($user->socid) && $key == "note_private") {
+		continue;
+	}
+
+	if (empty($val['searchall'])) {
+		continue;
+	}
+
+	$fieldstosearchall['p.'.$key] = $val['label'];
+}
+
+// Add none object fields for "search in all"
+if (empty($conf->global->SOCIETE_DISABLE_CONTACTS))	{
+	$fieldstosearchall['s.nom'] = "ThirdParty";
+}
 
 // Definition of fields for list
-$arrayfields = array(
-	'p.rowid'=>array('label'=>"TechnicalID", 'position'=>1, 'checked'=>($conf->global->MAIN_SHOW_TECHNICAL_ID ? 1 : 0), 'enabled'=>($conf->global->MAIN_SHOW_TECHNICAL_ID ? 1 : 0)),
-	'p.lastname'=>array('label'=>"Lastname", 'position'=>2, 'checked'=>1),
-	'p.firstname'=>array('label'=>"Firstname", 'position'=>3, 'checked'=>1),
-	'p.poste'=>array('label'=>"PostOrFunction", 'position'=>10, 'checked'=>1),
-	'p.town'=>array('label'=>"Town", 'position'=>20, 'checked'=>0),
-	'p.zip'=>array('label'=>"Zip", 'position'=>21, 'checked'=>0),
-	'country.code_iso'=>array('label'=>"Country", 'position'=>22, 'checked'=>0),
-	'p.phone'=>array('label'=>"Phone", 'position'=>30, 'checked'=>1),
-	'p.phone_perso'=>array('label'=>"PhonePerso", 'position'=>31, 'checked'=>0),
-	'p.phone_mobile'=>array('label'=>"PhoneMobile", 'position'=>32, 'checked'=>1),
-	'p.fax'=>array('label'=>"Fax", 'position'=>33, 'checked'=>0),
-	'p.email'=>array('label'=>"EMail", 'position'=>40, 'checked'=>1),
-	'p.no_email'=>array('label'=>"No_Email", 'position'=>41, 'checked'=>0, 'enabled'=>(!empty($conf->mailing->enabled))),
-	'p.thirdparty'=>array('label'=>"ThirdParty", 'position'=>50, 'checked'=>1, 'enabled'=>empty($conf->global->SOCIETE_DISABLE_CONTACTS)),
-	'p.priv'=>array('label'=>"ContactVisibility", 'checked'=>1, 'position'=>200),
-	'p.datec'=>array('label'=>"DateCreationShort", 'checked'=>0, 'position'=>500),
-	'p.tms'=>array('label'=>"DateModificationShort", 'checked'=>0, 'position'=>500),
-	'p.statut'=>array('label'=>"Status", 'checked'=>1, 'position'=>1000),
-	'p.import_key'=>array('label'=>"ImportId", 'checked'=>0, 'position'=>1100),
-);
-if (!empty($conf->global->THIRDPARTY_ENABLE_PROSPECTION_ON_ALTERNATIVE_ADRESSES)) {
-	$arrayfields['p.fk_prospectcontactlevel'] = array('label'=>"ProspectLevelShort", 'checked'=>1, 'position'=>210);
-	$arrayfields['p.fk_stcommcontact'] = array('label'=>"StatusProsp", 'checked'=>1, 'position'=>215);
+$arrayfields = array();
+foreach ($object->fields as $key => $val) {
+	// If $val['visible']==0, then we never show the field
+	if (empty($val['visible'])) {
+		continue;
+	}
+
+	$arrayfields['p.'.$key] = array(
+		'label'=>$val['label'],
+		'checked'=>(($val['visible'] < 0) ? 0 : 1),
+		'enabled'=>($val['enabled'] && ($val['visible'] != 3)),
+		'position'=>$val['position']);
+}
+
+// Add none object fields to fields for list
+$arrayfields['country.code_iso'] = array('label'=>"Country", 'position'=>22, 'checked'=>0);
+if (empty($conf->global->SOCIETE_DISABLE_CONTACTS))	{
+	$arrayfields['s.nom'] = array('label'=>"ThirdParty", 'position'=>25, 'checked'=>1);
 }
 
 if (!empty($conf->socialnetworks->enabled)) {
@@ -200,6 +201,7 @@ if (!empty($conf->socialnetworks->enabled)) {
 		}
 	}
 }
+
 // Extra fields
 if (is_array($extrafields->attributes[$object->table_element]['label']) && count($extrafields->attributes[$object->table_element]['label']) > 0)
 {
@@ -395,10 +397,10 @@ if (strlen($search_phone))          $sql .= natural_search(array('p.phone', 'p.p
 if (strlen($search_cti))            $sql .= natural_search(array('p.phone', 'p.phone_perso', 'p.phone_mobile'), $search_cti);
 if (strlen($search_firstlast_only)) $sql .= natural_search(array('p.lastname', 'p.firstname'), $search_firstlast_only);
 
-if ($search_id > 0)                 $sql .= natural_search("p.rowid", $search_id, 1);
+if ($search_id > 0)                 $sql .= natural_search('p.rowid', $search_id, 1);
 if ($search_lastname)               $sql .= natural_search('p.lastname', $search_lastname);
 if ($search_firstname)              $sql .= natural_search('p.firstname', $search_firstname);
-if ($search_societe)                $sql .= natural_search('s.nom', $search_societe);
+if ($search_societe)                $sql .= natural_search(empty($conf->global->SOCIETE_DISABLE_CONTACTS) ? 's.nom' : 'p.fk_soc', $search_societe);
 if ($search_country)                $sql .= " AND p.fk_pays IN (".$search_country.')';
 if (strlen($search_poste))          $sql .= natural_search('p.poste', $search_poste);
 if (strlen($search_phone_perso))    $sql .= natural_search('p.phone_perso', $search_phone_perso);
@@ -721,7 +723,7 @@ if (!empty($conf->socialnetworks->enabled)) {
 		}
 	}
 }
-if (!empty($arrayfields['p.thirdparty']['checked']))
+if (!empty($arrayfields['p.fk_soc']['checked']) || !empty($arrayfields['s.nom']['checked']))
 {
 	print '<td class="liste_titre">';
 	print '<input class="flat" type="text" name="search_societe" size="8" value="'.dol_escape_htmltag($search_societe).'">';
@@ -819,10 +821,11 @@ if (!empty($conf->socialnetworks->enabled)) {
 		}
 	}
 }
-if (!empty($arrayfields['p.thirdparty']['checked']))          print_liste_field_titre($arrayfields['p.thirdparty']['label'], $_SERVER["PHP_SELF"], "s.nom", $begin, $param, '', $sortfield, $sortorder);
-if (!empty($arrayfields['p.priv']['checked']))                print_liste_field_titre($arrayfields['p.priv']['label'], $_SERVER["PHP_SELF"], "p.priv", $begin, $param, '', $sortfield, $sortorder, 'center ');
-if (!empty($arrayfields['p.fk_prospectcontactlevel']['checked'])) 	print_liste_field_titre($arrayfields['p.fk_prospectcontactlevel']['label'], $_SERVER["PHP_SELF"], "p.fk_prospectcontactlevel", "", $param, '', $sortfield, $sortorder, 'center ');
-if (!empty($arrayfields['p.fk_stcommcontact']['checked'])) 			print_liste_field_titre($arrayfields['p.fk_stcommcontact']['label'], $_SERVER["PHP_SELF"], "p.fk_stcommcontact", "", $param, '', $sortfield, $sortorder, 'center ');
+if (!empty($arrayfields['p.fk_soc']['checked']))					print_liste_field_titre($arrayfields['p.fk_soc']['label'], $_SERVER["PHP_SELF"], "p.fk_soc", $begin, $param, '', $sortfield, $sortorder);
+if (!empty($arrayfields['s.nom']['checked']))						print_liste_field_titre($arrayfields['s.nom']['label'], $_SERVER["PHP_SELF"], "s.nom", $begin, $param, '', $sortfield, $sortorder);
+if (!empty($arrayfields['p.priv']['checked']))						print_liste_field_titre($arrayfields['p.priv']['label'], $_SERVER["PHP_SELF"], "p.priv", $begin, $param, '', $sortfield, $sortorder, 'center ');
+if (!empty($arrayfields['p.fk_prospectcontactlevel']['checked']))	print_liste_field_titre($arrayfields['p.fk_prospectcontactlevel']['label'], $_SERVER["PHP_SELF"], "p.fk_prospectcontactlevel", "", $param, '', $sortfield, $sortorder, 'center ');
+if (!empty($arrayfields['p.fk_stcommcontact']['checked']))			print_liste_field_titre($arrayfields['p.fk_stcommcontact']['label'], $_SERVER["PHP_SELF"], "p.fk_stcommcontact", "", $param, '', $sortfield, $sortorder, 'center ');
 // Extra fields
 include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_list_search_title.tpl.php';
 // Hook fields
@@ -983,7 +986,7 @@ while ($i < min($num, $limit))
 		}
 	}
 	// Company
-	if (!empty($arrayfields['p.thirdparty']['checked']))
+	if (!empty($arrayfields['p.fk_soc']['checked']) || !empty($arrayfields['s.nom']['checked']))
 	{
 		print '<td>';
 		if ($obj->socid)
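Review bot: The column headers still reference `$arrayfields['p.fk_prospectcontactlevel']`, but `$arrayfields` is now derived from `$object->fields`, whose key for that column is `fk_prospectlevel`, so `p.fk_prospectcontactlevel` is never defined and the prospect-level column silently disappears (its explicit definition was dropped in the first hunk); either the class key or this reference needs renaming. The `note_private` exclusion for external users in `$fieldstosearchall` is the right guard, but note it depends on `$user->socid` being set for every external user and on the literal column name, so anyone adding another sensitive field with `searchall` must remember to extend it. Also `natural_search('p.fk_soc', $search_societe)` runs a text match against an integer column when contacts are disabled — functional, but the result is a LIKE on a numeric id rather than a name search.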

+ 2 - 2
htdocs/contrat/card.php

@@ -1567,7 +1567,7 @@ if ($action == 'create')
 					}
 					if ($user->rights->contrat->creer && ($object->statut >= 0))
 					{
-						print '<a class="reposition marginrightonly" href="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'&amp;action=deleteline&amp;rowid='.$objp->rowid.'">';
+						print '<a class="reposition marginrightonly" href="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'&amp;action=deleteline&amp;token='.newToken().'&amp;rowid='.$objp->rowid.'">';
 						print img_delete();
 						print '</a>';
 					}
@@ -2108,7 +2108,7 @@ if ($action == 'create')
 				// - Droit de supprimer
 				if (($user->rights->contrat->creer && $object->statut == $object::STATUS_DRAFT) || $user->rights->contrat->supprimer)
 				{
-					print '<div class="inline-block divButAction"><a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete">'.$langs->trans("Delete").'</a></div>';
+					print '<div class="inline-block divButAction"><a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete&amp;token='.newToken().'">'.$langs->trans("Delete").'</a></div>';
 				} else {
 					print '<div class="inline-block divButAction"><a class="butActionRefused classfortooltip" href="#" title="'.dol_escape_htmltag($langs->trans("NotAllowed")).'">'.$langs->trans("Delete").'</a></div>';
 				}
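Review bot: The `deleteline` link now carries a token, which closes the CSRF angle, but the handler (outside this hunk) receives `rowid` as a free parameter; it should load the line and verify it belongs to `$object->id` before deleting, because the token does not stop an authenticated user from substituting another contract's line id. The Delete button in the second hunk is consistent with the other cards in this commit.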

+ 3 - 3
htdocs/core/actions_massactions.inc.php

@@ -3,7 +3,7 @@
  * Copyright (C) 2018	   Nicolas ZABOURI	<info@inovea-conseil.com>
  * Copyright (C) 2018 	   Juanjo Menent  <jmenent@2byte.es>
  * Copyright (C) 2019 	   Ferran Marcet  <fmarcet@2byte.es>
- * Copyright (C) 2019       Frédéric France         <frederic.france@netlogic.fr>
+ * Copyright (C) 2019      Frédéric France         <frederic.france@netlogic.fr>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -615,7 +615,7 @@ if ($massaction == 'confirm_createbills')   // Create bills from orders
 			$cmd->fetch_optionals();
 
 			$objecttmp->socid = $cmd->socid;
-			$objecttmp->type = Facture::TYPE_STANDARD;
+			$objecttmp->type = $objecttmp::TYPE_STANDARD;
 			$objecttmp->cond_reglement_id	= $cmd->cond_reglement_id;
 			$objecttmp->mode_reglement_id	= $cmd->mode_reglement_id;
 			$objecttmp->fk_project = $cmd->fk_project;
@@ -742,7 +742,7 @@ if ($massaction == 'confirm_createbills')   // Create bills from orders
 							'HT',
 							0,
 							$product_type,
-							$ii,
+							$lines[$i]->rang,
 							$lines[$i]->special_code,
 							$objecttmp->origin,
 							$lines[$i]->rowid,
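Review bot: Passing `$lines[$i]->rang` as the line rank instead of the running counter `$ii` preserves each order's internal ordering, but if several orders for the same third party are merged into one invoice (the loop over `$lines` and its enclosing loop start outside this hunk) the ranks from different orders overlap, whereas `$ii` was unique across the invoice; if merging is possible here, keep `$ii` or offset the rank per source order. The `$objecttmp::TYPE_STANDARD` change is fine as long as `$objecttmp` is always a `Facture` at this point.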

+ 2 - 2
htdocs/core/class/commonobject.class.php

@@ -7152,7 +7152,7 @@ abstract class CommonObject
 								$return .= '<a href="'.DOL_URL_ROOT.'/core/photos_resize.php?modulepart='.urlencode('produit|service').'&id='.$this->id.'&amp;file='.urlencode($pdir.$viewfilename).'" title="'.dol_escape_htmltag($langs->trans("Resize")).'">'.img_picto($langs->trans("Resize"), 'resize', '').'</a> &nbsp; ';
 
 								// Link to delete
-								$return .= '<a href="'.$_SERVER["PHP_SELF"].'?id='.$this->id.'&amp;action=delete&amp;file='.urlencode($pdir.$viewfilename).'">';
+								$return .= '<a href="'.$_SERVER["PHP_SELF"].'?id='.$this->id.'&amp;action=delete&amp;token='.newToken().'&amp;file='.urlencode($pdir.$viewfilename).'">';
 								$return .= img_delete().'</a>';
 							}
 						}
@@ -7178,7 +7178,7 @@ abstract class CommonObject
 								$return .= '<a href="'.DOL_URL_ROOT.'/core/photos_resize.php?modulepart='.urlencode('produit|service').'&id='.$this->id.'&amp;file='.urlencode($pdir.$viewfilename).'" title="'.dol_escape_htmltag($langs->trans("Resize")).'">'.img_picto($langs->trans("Resize"), 'resize', '').'</a> &nbsp; ';
 
 								// Link to delete
-								$return .= '<a href="'.$_SERVER["PHP_SELF"].'?id='.$this->id.'&amp;action=delete&amp;file='.urlencode($pdir.$viewfilename).'">';
+								$return .= '<a href="'.$_SERVER["PHP_SELF"].'?id='.$this->id.'&amp;action=delete&amp;token='.newToken().'&amp;file='.urlencode($pdir.$viewfilename).'">';
 								$return .= img_delete().'</a>';
 							}
 						}
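Review bot: The same delete link built from `$pdir.$viewfilename` is now emitted in two near-identical branches; a small private helper would keep them in sync the next time a parameter is added. The token only guards against CSRF — `file` is a path fragment, so the `action=delete` handler (outside this hunk) still has to reject `..` segments and confine the resolved path to the object's own directory, since the token does not make the parameter trustworthy.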

+ 8 - 10
htdocs/core/class/html.form.class.php

@@ -647,7 +647,7 @@ class Form
 
 		$disabled = 0;
 		$ret = '<div class="centpercent center">';
-				$ret .= '<select class="flat'.(empty($conf->use_javascript_ajax) ? '' : ' hideobject').' '.$name.' '.$name.'select valignmiddle alignstart" name="'.$name.'"'.($disabled ? ' disabled="disabled"' : '').'>';
+		$ret .= '<select class="flat'.(empty($conf->use_javascript_ajax) ? '' : ' hideobject').' '.$name.' '.$name.'select valignmiddle alignstart" id="'.$name.'" name="'.$name.'"'.($disabled ? ' disabled="disabled"' : '').'>';
 
 		// Complete list with data from external modules. THe module can use $_SERVER['PHP_SELF'] to know on which page we are, or use the $parameters['currentcontext'] completed by executeHooks.
 		$parameters = array();
@@ -7552,8 +7552,8 @@ class Form
 		global $conf, $langs;
 
 		$out = '';
-		$id = uniqid();
-				if (!empty($conf->use_javascript_ajax)) $out .= '<div class="inline-block checkallactions"><input type="checkbox" id="'.$cssclass.'s" name="'.$cssclass.'s" class="checkallactions"></div>';
+
+		if (!empty($conf->use_javascript_ajax)) $out .= '<div class="inline-block checkallactions"><input type="checkbox" id="'.$cssclass.'s" name="'.$cssclass.'s" class="checkallactions"></div>';
 		$out .= '<script>
             $(document).ready(function() {
                 $("#' . $cssclass.'s").click(function() {
@@ -7568,13 +7568,11 @@ class Form
                     }'."\n";
 				if ($calljsfunction) $out .= 'if (typeof initCheckForSelect == \'function\') { initCheckForSelect(0, "'.$massactionname.'", "'.$cssclass.'"); } else { console.log("No function initCheckForSelect found. Call won\'t be done."); }';
 		$out .= '         });
-
-                $(".' . $cssclass.'").change(function() {
-				$(this).closest("tr").toggleClass("highlight", this.checked);
-			});
-
- 	});
-    </script>';
+        	        $(".' . $cssclass.'").change(function() {
+					$(this).closest("tr").toggleClass("highlight", this.checked);
+				});
+		 	});
+    	</script>';
 
 		return $out;
 	}
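Review bot: The new `id="'.$name.'"` attribute emits `$name` unescaped, like the existing `class` and `name` attributes on the same line; if `$name` is always a literal from calling code this is fine, otherwise it should be `id="'.dol_escape_htmltag($name).'"`. An `id` must also be unique per document, so a page that renders this select twice will now have duplicate ids — worth confirming that no caller does. In the second hunk the removed `$id = uniqid();` was never used, so dropping it is correct.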

+ 3 - 3
htdocs/core/class/html.formfile.class.php

@@ -1337,7 +1337,7 @@ class FormFile
 							if (!empty($conf->dol_use_jmobile)) $useajax = 0;
 							if (empty($conf->use_javascript_ajax)) $useajax = 0;
 							if (!empty($conf->global->MAIN_ECM_DISABLE_JS)) $useajax = 0;
-							print '<a href="'.((($useinecm && $useinecm != 6) && $useajax) ? '#' : ($url.'?action=delete&urlfile='.urlencode($filepath).$param)).'" class="reposition deletefilelink" rel="'.$filepath.'">'.img_delete().'</a>';
+							print '<a href="'.((($useinecm && $useinecm != 6) && $useajax) ? '#' : ($url.'?action=delete&token='.newToken().'&urlfile='.urlencode($filepath).$param)).'" class="reposition deletefilelink" rel="'.$filepath.'">'.img_delete().'</a>';
 						}
 						print "</td>";
 
@@ -1645,7 +1645,7 @@ class FormFile
 				//if ($forcedownload) print '&attachment=1';
 				//print '&file='.urlencode($relativefile).'">';
 				//print img_view().'</a> &nbsp; ';
-				//if ($permissiontodelete) print '<a href="'.$url.'?id='.$object->id.'&section='.$_REQUEST["section"].'&action=delete&urlfile='.urlencode($file['name']).'">'.img_delete().'</a>';
+				//if ($permissiontodelete) print '<a href="'.$url.'?id='.$object->id.'&section='.$_REQUEST["section"].'&action=delete&token='.newToken().'&urlfile='.urlencode($file['name']).'">'.img_delete().'</a>';
 				//else print '&nbsp;';
 				print "</td></tr>\n";
 			}
@@ -1819,7 +1819,7 @@ class FormFile
 				print '<td class="right">';
 				print '<a href="'.$_SERVER['PHP_SELF'].'?action=update&linkid='.$link->id.$param.'" class="editfilelink editfielda reposition" >'.img_edit().'</a>'; // id= is included into $param
 				if ($permissiontodelete) {
-					print ' &nbsp; <a class="deletefilelink" href="'.$_SERVER['PHP_SELF'].'?action=delete&linkid='.$link->id.$param.'">'.img_delete().'</a>'; // id= is included into $param
+					print ' &nbsp; <a class="deletefilelink" href="'.$_SERVER['PHP_SELF'].'?action=delete&token='.newToken().'&linkid='.$link->id.$param.'">'.img_delete().'</a>'; // id= is included into $param
 				} else {
 					print '&nbsp;';
 				}
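Review bot: On the first hunk's delete link, `rel="'.$filepath.'"` still interpolates the file path into an attribute without escaping while `urlfile` is urlencoded; file names come from the filesystem and may originate from uploads, so it should be `rel="'.dol_escape_htmltag($filepath).'"` unless names are guaranteed sanitized on upload. The second hunk edits a commented-out line; dead code that needs maintaining should be deleted rather than updated. The link-delete change in the third hunk is consistent with the rest of the commit.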

+ 1 - 0
htdocs/core/filemanagerdol/browser/default/frmupload.php

@@ -122,6 +122,7 @@ window.onload = function()
 	</head>
 	<body>
 		<form id="frmUpload" action="" target="frmUploadWorker" method="post" enctype="multipart/form-data" onsubmit="return OnSubmit();">
+			<input type="hidden" name="token" value="<?php echo newToken(); ?>" />
 			<table class="fullHeight" cellspacing="0" cellpadding="0" width="100%" border="0">
 				<tr>
 					<td class="nowrap">

+ 9 - 7
htdocs/core/lib/functions2.lib.php

@@ -383,19 +383,20 @@ function dol_print_object_info($object, $usetable = 0)
 	}
 
 	// User close
-	if (!empty($object->user_cloture))
+	if (!empty($object->user_cloture) || !empty($object->user_closing))
 	{
+		if (isset($object->user_cloture) && !empty($object->user_cloture)) $object->user_closing = $object->user_cloture;
 		if ($usetable) print '<tr><td class="titlefield">';
 		print $langs->trans("ClosedBy");
 		if ($usetable) print '</td><td>';
 		else print ': ';
-		if (is_object($object->user_cloture))
+		if (is_object($object->user_closing))
 		{
-			if ($object->user_cloture->id) print $object->user_cloture->getNomUrl(1, '', 0, 0, 0);
+			if ($object->user_closing->id) print $object->user_closing->getNomUrl(1, '', 0, 0, 0);
 			else print $langs->trans("Unknown");
 		} else {
 			$userstatic = new User($db);
-			$userstatic->fetch($object->user_cloture);
+			$userstatic->fetch($object->user_closing);
 			if ($userstatic->id) print $userstatic->getNomUrl(1, '', 0, 0, 0);
 			else print $langs->trans("Unknown");
 		}
@@ -404,14 +405,15 @@ function dol_print_object_info($object, $usetable = 0)
 	}
 
 	// Date close
-	if (!empty($object->date_cloture))
+	if (!empty($object->date_cloture) || !empty($object->date_closing))
 	{
+		if (isset($object->date_cloture) && !empty($object->date_cloture)) $object->date_closing = $object->date_cloture;
 		if ($usetable) print '<tr><td class="titlefield">';
 		print $langs->trans("DateClosing");
 		if ($usetable) print '</td><td>';
 		else print ': ';
-		print dol_print_date($object->date_cloture, 'dayhour');
-		if ($deltadateforuser) print ' '.$langs->trans("CurrentHour").' &nbsp; / &nbsp; '.dol_print_date($object->date_cloture + ($deltadateforuser * 3600), "dayhour").' &nbsp;'.$langs->trans("ClientHour");
+		print dol_print_date($object->date_closing, 'dayhour');
+		if ($deltadateforuser) print ' '.$langs->trans("CurrentHour").' &nbsp; / &nbsp; '.dol_print_date($object->date_closing + ($deltadateforuser * 3600), "dayhour").' &nbsp;'.$langs->trans("ClientHour");
 		if ($usetable) print '</td></tr>';
 		else print '<br>';
 	}
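Review bot: The new fallback line `if (isset($object->user_cloture) && !empty($object->user_cloture)) $object->user_closing = $object->user_cloture;` is both redundant (`!empty()` already returns false for an unset property, so the `isset()` adds nothing) and a side effect in a function whose job is to print, since it writes a new property back into the caller's `$object`; the second hunk repeats the same pattern for `date_cloture`/`date_closing`. A local alias keeps the compatibility shim without mutating the argument: `$user_closing = !empty($object->user_cloture) ? $object->user_cloture : $object->user_closing;` and then use `$user_closing` in the `is_object()`/`fetch()` branches below it (and `$date_closing` likewise in the date hunk). The enclosing `if` guards already accept either property name, so they can stay as written.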

+ 3 - 3
htdocs/core/modules/dons/html_cerfafr.modules.php

@@ -205,7 +205,7 @@ class html_cerfafr extends ModeleDon
 				$form = str_replace('__FrenchEligibility__', $frencheligibility, $form);
 
 				$art200 = '';
-				if (preg_match('/fr/i', $outputlangs->defaultlang)) {
+				if ($mysoc->country_code == 'FR') {
 					if ($conf->global->DONATION_ART200 >= 1)
 					{
 						$art200 = '<input type="checkbox" disabled="true" checked="checked" >200 du CGI';
@@ -216,7 +216,7 @@ class html_cerfafr extends ModeleDon
 				$form = str_replace('__ARTICLE200__', $art200, $form);
 
 				$art238 = '';
-				if (preg_match('/fr/i', $outputlangs->defaultlang)) {
+				if ($mysoc->country_code == 'FR') {
 					if ($conf->global->DONATION_ART238 >= 1)
 					{
 						$art238 = '<input type="checkbox" disabled="true" checked="checked" >238 bis du CGI';
@@ -227,7 +227,7 @@ class html_cerfafr extends ModeleDon
 				$form = str_replace('__ARTICLE238__', $art238, $form);
 
 				$art978 = '';
-				if (preg_match('/fr/i', $outputlangs->defaultlang)) {
+				if ($mysoc->country_code == 'FR') {
 					if ($conf->global->DONATION_ART978 >= 1)
 					{
 						$art978 = '<input type="checkbox" disabled="true" checked="checked" >978 du CGI';
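Review bot: `$mysoc->country_code == 'FR'` is now evaluated three times (the `$art200`, `$art238` and `$art978` checks) with a loose comparison; hoisting it once above the first check, `$isFrenchCompany = (!empty($mysoc->country_code) && $mysoc->country_code === 'FR');`, keeps the three branches in step and uses the strict form. The test previously depended on `$outputlangs` and now on `$mysoc`, which is a global, so the method's `global` declaration (outside these hunks) needs to list `$mysoc` or the comparison silently reads `null->country_code`. The enclosing method starts and ends outside the hunks.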

+ 169 - 0
htdocs/core/modules/modPropale.class.php

@@ -5,6 +5,7 @@
  * Copyright (C) 2004		Benoit Mortier			<benoit.mortier@opensides.be>
  * Copyright (C) 2005-2012	Regis Houssin			<regis.houssin@inodbox.com>
  * Copyright (C) 2012		Juanjo Menent			<jmenent@2byte.es>
+ * Copyright (C) 2020		Ahmad Jamaly Rabib		<rabib@metroworks.co.jp>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -254,6 +255,174 @@ class modPropale extends DolibarrModules
 		$this->export_sql_end[$r] .= ' WHERE c.fk_soc = s.rowid AND c.rowid = cd.fk_propal';
 		$this->export_sql_end[$r] .= ' AND c.entity IN ('.getEntity('propal').')';
 		if (!$user->rights->societe->client->voir) $this->export_sql_end[$r] .= ' AND sc.fk_user = '.$user->id;
+
+		// Imports
+		//--------
+		$r = 0;
+
+		$r++;
+		$this->import_code[$r] = $this->rights_class.'_'.$r;
+		$this->import_label[$r] = 'Proposals';	// Translation key
+		$this->import_icon[$r] = $this->picto;
+		$this->import_entities_array[$r] = [];		// We define here only fields that use another icon that the one defined into import_icon
+		$this->import_tables_array[$r] = ['c' => MAIN_DB_PREFIX . 'propal', 'extra' => MAIN_DB_PREFIX . 'propal_extrafields'];
+		$this->import_tables_creator_array[$r] = ['c'=>'fk_user_author'];	// Fields to store import user id
+		$this->import_fields_array[$r] = [
+			'c.ref' => 'Document Ref*',
+			'c.ref_client' => 'RefCustomer',
+			'c.fk_soc' => 'ThirdPartyName*',
+			'c.datec' => 'DateCreation',
+			'c.datep' => 'DatePropal',
+			'c.fin_validite' => 'DateEndPropal',
+			'c.remise_percent' => 'GlobalDiscount',
+			'c.total_ht' => 'TotalHT',
+			'c.total' => 'TotalTTC',
+			'c.fk_statut' => 'Status*',
+			'c.note_public' => 'Note',
+			'c.date_livraison' => 'DeliveryDate',
+			'c.fk_user_valid' => 'ValidatedById'
+		];
+		if (! empty($conf->multicurrency->enabled)) {
+			$this->import_fields_array[$r]['c.multicurrency_code'] = 'Currency';
+			$this->import_fields_array[$r]['c.multicurrency_tx'] = 'CurrencyRate';
+			$this->import_fields_array[$r]['c.multicurrency_total_ht'] = 'MulticurrencyAmountHT';
+			$this->import_fields_array[$r]['c.multicurrency_total_tva'] = 'MulticurrencyAmountVAT';
+			$this->import_fields_array[$r]['c.multicurrency_total_ttc'] = 'MulticurrencyAmountTTC';
+		}
+		// Add extra fields
+		$import_extrafield_sample = [];
+		$sql = "SELECT name, label, fieldrequired FROM " . MAIN_DB_PREFIX . "extrafields WHERE elementtype = 'propal' AND entity IN (0, " . $conf->entity . ")";
+		$resql = $this->db->query($sql);
+		if ($resql) {
+			while ($obj = $this->db->fetch_object($resql)) {
+				$fieldname = 'extra.' . $obj->name;
+				$fieldlabel = ucfirst($obj->label);
+				$this->import_fields_array[$r][$fieldname] = $fieldlabel . ($obj->fieldrequired ? '*' : '');
+				$import_extrafield_sample[$fieldname] = $fieldlabel;
+			}
+		}
+		// End add extra fields
+		$this->import_fieldshidden_array[$r] = ['extra.fk_object' => 'lastrowid-' . MAIN_DB_PREFIX . 'propal'];
+		$this->import_regex_array[$r] = ['c.ref' => '[^ ]'];
+		$import_sample = [
+			'c.ref' => 'PROV0077',
+			'c.ref_client' => 'Client1',
+			'c.fk_soc' => 'MyBigCompany',
+			'c.datec' => '2020-01-01',
+			'c.datep' => '2020-01-01',
+			'c.fin_validite' => '2020-01-01',
+			'c.remise_percent' => '',
+			'c.total_ht' => '0',
+			'c.total' => '0',
+			'c.fk_statut' => '1',
+			'c.note_public' => '',
+			'c.date_livraison' => '2020-01-01',
+			'c.fk_user_valid' => '1',
+			'c.multicurrency_code' => '',
+			'c.multicurrency_tx' => '1',
+			'c.multicurrency_total_ht' => '0',
+			'c.multicurrency_total_tva' => '0',
+			'c.multicurrency_total_ttc' => '0'
+		];
+		$this->import_examplevalues_array[$r] = array_merge($import_sample, $import_extrafield_sample);
+		$this->import_updatekeys_array[$r] = ['c.ref'=>'Ref'];
+		$this->import_convertvalue_array[$r] = [
+			'c.fk_soc' => [
+				'rule' => 'fetchidfromref',
+				'file' => '/societe/class/societe.class.php',
+				'class' => 'Societe',
+				'method' => 'fetch',
+				'element' => 'ThirdParty'
+			]
+		];
+
+		//Import Proposal Lines
+		$r++;
+		$this->import_code[$r] = $this->rights_class.'line_'.$r;
+		$this->import_label[$r] = "ProposalLine";	// Translation key
+		$this->import_icon[$r] = $this->picto;
+		$this->import_entities_array[$r] = [];		// We define here only fields that use another icon that the one defined into import_icon
+		$this->import_tables_array[$r] = [
+			'cd' => MAIN_DB_PREFIX . 'propaldet',
+			'extra' => MAIN_DB_PREFIX . 'propaldet_extrafields'
+		];
+		$this->import_fields_array[$r] = [
+			'cd.fk_propal' => 'Document Ref*',
+			'cd.fk_parent_line' => 'PrParentLine',
+			'cd.fk_product' => 'IdProduct',
+			'cd.label' => 'Label',
+			'cd.description' => 'LineDescription',
+			'cd.product_type' => 'TypeOfLineServiceOrProduct',
+			'cd.tva_tx' => 'LineVATRate',
+			'cd.qty' => 'LineQty',
+			'cd.remise_percent' => 'Reduc. Percent',
+			'cd.remise' => 'Reduc.',
+			'cd.price' => 'Price',
+			'cd.subprice' => 'Sub Price',
+			'cd.total_ht' => 'LineTotalHT',
+			'cd.total_tva' => 'LineTotalVAT',
+			'cd.total_ttc' => 'LineTotalTTC',
+			'cd.date_start' => 'Start Date',
+			'cd.date_end' => 'End Date',
+			'cd.buy_price_ht' => 'LineBuyPriceHT'
+		];
+		if (! empty($conf->multicurrency->enabled)) {
+			$this->import_fields_array[$r]['cd.multicurrency_code'] = 'Currency';
+			$this->import_fields_array[$r]['cd.multicurrency_subprice'] = 'CurrencyRate';
+			$this->import_fields_array[$r]['cd.multicurrency_total_ht'] = 'MulticurrencyAmountHT';
+			$this->import_fields_array[$r]['cd.multicurrency_total_tva'] = 'MulticurrencyAmountVAT';
+			$this->import_fields_array[$r]['cd.multicurrency_total_ttc'] = 'MulticurrencyAmountTTC';
+		}
+		// Add extra fields
+		$import_extrafield_sample = [];
+		$sql = "SELECT name, label, fieldrequired FROM ".MAIN_DB_PREFIX."extrafields WHERE elementtype = 'propaldet' AND entity IN (0, ".$conf->entity.")";
+		$resql = $this->db->query($sql);
+		if ($resql) {
+			while ($obj = $this->db->fetch_object($resql)) {
+				$fieldname = 'extra.' . $obj->name;
+				$fieldlabel = ucfirst($obj->label);
+				$this->import_fields_array[$r][$fieldname] = $fieldlabel . ($obj->fieldrequired ? '*' : '');
+				$import_extrafield_sample[$fieldname] = $fieldlabel;
+			}
+		}
+		// End add extra fields
+		$this->import_fieldshidden_array[$r] = ['extra.fk_object' => 'lastrowid-' . MAIN_DB_PREFIX . 'propaldet'];
+		$this->import_regex_array[$r] = ['cd.product_type' => '[0|1]$'];
+		$import_sample = [
+			'cd.fk_propal' => 'PROV(0001)',
+			'cd.fk_parent_line' => '',
+			'cd.fk_product' => '',
+			'cd.label' => '',
+			'cd.description' => 'Line description',
+			'cd.product_type' => '1',
+			'cd.tva_tx' => '0',
+			'cd.qty' => '2',
+			'cd.remise_percent' => '0',
+			'cd.remise' => '0',
+			'cd.price' => '',
+			'cd.subprice' => '5000',
+			'cd.total_ht' => '10000',
+			'cd.total_tva' => '0',
+			'cd.total_ttc' => '10100',
+			'cd.date_start' => '',
+			'cd.date_end' => '',
+			'cd.buy_price_ht' => '7000',
+			'cd.multicurrency_code' => 'JPY',
+			'cd.multicurrency_tx' => '1',
+			'cd.multicurrency_total_ht' => '10000',
+			'cd.multicurrency_total_tva' => '0',
+			'cd.multicurrency_total_ttc' => '10100'
+		];
+		$this->import_examplevalues_array[$r] = array_merge($import_sample, $import_extrafield_sample);
+		$this->import_updatekeys_array[$r] = ['cd.fk_propal' => 'Quotation Id', 'cd.fk_product' => 'Product Id'];
+		$this->import_convertvalue_array[$r] = [
+			'cd.fk_propal' => [
+				'rule'=>'fetchidfromref',
+				'file'=>'/comm/propal/class/propal.class.php',
+				'class'=>'Propal',
+				'method'=>'fetch'
+			]
+		];
 	}
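Review bot: The validation pattern for the line type, `$this->import_regex_array[$r] = ['cd.product_type' => '[0|1]$'];`, is a character class, so it accepts any value that merely ends in `0`, `1` or a literal `|` (e.g. `21`) rather than exactly 0 or 1; `'^[01]$'` expresses the intent. In the proposal-lines block the multicurrency field list and the sample disagree: `cd.multicurrency_subprice` is labelled `CurrencyRate` while the sample row supplies `cd.multicurrency_tx`, which is not a declared field, so one of the two keys is wrong. Both extrafields queries interpolate `$conf->entity` into SQL; it is configuration rather than request input, but writing it as `entity IN (0, ".((int) $conf->entity).")` keeps the interpolation typed and matches how the surrounding module code treats ids. The two `if ($resql)` branches skip a failed query silently, which is acceptable for a best-effort extrafield listing but deserves a `dol_syslog()` of `$this->db->lasterror()` so a broken query is visible.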
 
 

+ 2 - 2
htdocs/core/modules/printing/printgcp.modules.php

@@ -140,7 +140,7 @@ class printing_printgcp extends PrintingDriver
                     'info'=>$access,
                     'type'=>'info',
                     'renew'=>$urlwithroot.'/core/modules/oauth/google_oauthcallback.php?state=userinfo_email,userinfo_profile,cloud_print&backtourl='.urlencode(DOL_URL_ROOT.'/printing/admin/printing.php?mode=setup&driver=printgcp'),
-                    'delete'=>($storage->hasAccessToken($this->OAUTH_SERVICENAME_GOOGLE) ? $urlwithroot.'/core/modules/oauth/google_oauthcallback.php?action=delete&backtourl='.urlencode(DOL_URL_ROOT.'/printing/admin/printing.php?mode=setup&driver=printgcp') : '')
+                    'delete'=>($storage->hasAccessToken($this->OAUTH_SERVICENAME_GOOGLE) ? $urlwithroot.'/core/modules/oauth/google_oauthcallback.php?action=delete&token='.newToken().'&backtourl='.urlencode(DOL_URL_ROOT.'/printing/admin/printing.php?mode=setup&driver=printgcp') : '')
                 );
                 if ($token_ok) {
                     $expiredat = '';
@@ -166,7 +166,7 @@ class printing_printgcp extends PrintingDriver
                 /*
                 if ($storage->hasAccessToken($this->OAUTH_SERVICENAME_GOOGLE)) {
                     $this->conf[] = array('varname'=>'PRINTGCP_AUTHLINK', 'link'=>$urlwithroot.'/core/modules/oauth/google_oauthcallback.php?backtourl='.urlencode(DOL_URL_ROOT.'/printing/admin/printing.php?mode=setup&driver=printgcp'), 'type'=>'authlink');
-                    $this->conf[] = array('varname'=>'DELETE_TOKEN', 'link'=>$urlwithroot.'/core/modules/oauth/google_oauthcallback.php?action=delete&backtourl='.urlencode(DOL_URL_ROOT.'/printing/admin/printing.php?mode=setup&driver=printgcp'), 'type'=>'delete');
+                    $this->conf[] = array('varname'=>'DELETE_TOKEN', 'link'=>$urlwithroot.'/core/modules/oauth/google_oauthcallback.php?action=delete&token='.newToken().'&backtourl='.urlencode(DOL_URL_ROOT.'/printing/admin/printing.php?mode=setup&driver=printgcp'), 'type'=>'delete');
                 } else {
                     $this->conf[] = array('varname'=>'PRINTGCP_AUTHLINK', 'link'=>$urlwithroot.'/core/modules/oauth/google_oauthcallback.php?backtourl='.urlencode(DOL_URL_ROOT.'/printing/admin/printing.php?mode=setup&driver=printgcp'), 'type'=>'authlink');
                 }*/
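Review bot: The second hunk edits a commented-out block (the `/* … */` around the `DELETE_TOKEN` line), so the `token=` added there has no effect and the block is now being maintained as dead code; the same applies to the commented lines touched in `htdocs/ecm/file_card.php` and in `FormFile`, and dropping those blocks is cleaner than patching them. More generally, this commit (here and in the link hunks of `admin_extrafields_view.tpl.php`, `bloc_comment.tpl.php`, `contacts.tpl.php`, `resource_view.tpl.php`, `cron/*.php`, `don/*`, `ecm/*`, `expedition/card.php`, `expensereport/*`, `export.class.php`, `fichinter/*` and `fourn/commande/card.php`) places the session CSRF token in GET query strings, where it ends up in browser history, server access logs and the `Referer` header sent to any external link on the next page. A hidden field in a POST form, as `frmupload.php` does in this same commit, does not leak the same way; where a link has to stay a GET, it should only render a confirmation step and the destructive follow-up action should be the POST that carries the token — whether each `action=delete` handler already works that way is outside these hunks.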

+ 2 - 2
htdocs/core/tpl/admin_extrafields_view.tpl.php

@@ -112,8 +112,8 @@ if (is_array($extrafields->attributes[$elementtype]['type']) && count($extrafiel
 			}
 			print '</td>';
 		}
-		print '<td class="right nowraponall"><a class="editfielda" href="'.$_SERVER["PHP_SELF"].'?action=edit&attrname='.$key.'#formeditextrafield">'.img_edit().'</a>';
-		print '&nbsp; <a class="paddingleft" href="'.$_SERVER["PHP_SELF"].'?action=delete&attrname='.$key.'">'.img_delete().'</a></td>'."\n";
+		print '<td class="right nowraponall"><a class="editfielda" href="'.$_SERVER["PHP_SELF"].'?action=edit&token='.newToken().'&attrname='.$key.'#formeditextrafield">'.img_edit().'</a>';
+		print '&nbsp; <a class="paddingleft" href="'.$_SERVER["PHP_SELF"].'?action=delete&token='.newToken().'&attrname='.$key.'">'.img_delete().'</a></td>'."\n";
 		print "</tr>";
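Review bot: `$key` is concatenated into both rewritten href attributes without `urlencode()` or `dol_escape_htmltag()`; extrafield attribute names are presumably constrained at creation time, but encoding at the output sink, `'&attrname='.urlencode($key)`, is cheap and removes the dependency on a rule enforced elsewhere. The `action=edit` link only opens the edit form, so its token matters only if the CSRF check fires on the presence of `action` alone — a short `// token required: CSRF check applies to every action=` comment would stop a later reader from stripping it as unnecessary. The enclosing loop starts outside the hunk.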
 	}
 } else {

+ 2 - 2
htdocs/core/tpl/bloc_comment.tpl.php

@@ -125,12 +125,12 @@ if (!empty($object->comments))
         } else {
             if ($fk_user == $user->id || $user->admin == 1)
             {
-                print '<a class="comment-edit comment-cell" href="'.$varpage.'?action=editcomment&id='.$id.'&withproject=1&idcomment='.$comment->id.'#comment" title="'.$langs->trans('Edit').'">';
+                print '<a class="comment-edit comment-cell" href="'.$varpage.'?action=editcomment&token='.newToken().'&id='.$id.'&withproject=1&idcomment='.$comment->id.'#comment" title="'.$langs->trans('Edit').'">';
                 print img_picto('', 'edit.png');
                 print '</a>';
             }
             if (($first && $fk_user == $user->id) || $user->admin == 1) {
-                print '<a class="comment-delete comment-cell" href="'.$varpage.'?action=deletecomment&id='.$id.'&withproject=1&idcomment='.$comment->id.'" title="'.$langs->trans('Delete').'">';
+                print '<a class="comment-delete comment-cell" href="'.$varpage.'?action=deletecomment&token='.newToken().'&id='.$id.'&withproject=1&idcomment='.$comment->id.'" title="'.$langs->trans('Delete').'">';
                 print img_picto('', 'delete.png');
                 print '</a>';
             }
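Review bot: Both rewritten hrefs interpolate `$id` and `$comment->id` raw into the query string; if `$id` originates from the request (its source is outside the hunk), casting it, `'&id='.((int) $id)`, keeps the link well-formed whatever the caller received. The guards on the same lines (`$fk_user == $user->id`, `$user->admin == 1`) are untouched but use loose comparison against ints; `===` with `(int)` operands would make the permission test unambiguous. The `action=editcomment` link only opens the editor, so its token is needed only if the CSRF gate keys on `action` alone — worth a one-line comment where the first of these links is printed.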

+ 3 - 3
htdocs/core/tpl/contacts.tpl.php

@@ -298,9 +298,9 @@ foreach ($list as $entry)
 	if ($permission)
 	{
 		$href = $_SERVER["PHP_SELF"];
-		$href .= "?id=".$object->id;
-		$href .= "&action=deletecontact";
-		$href .= "&lineid=".$entry->id;
+		$href .= '?id='.$object->id;
+		$href .= '&action=deletecontact&token='.newToken();
+		$href .= '&lineid='.$entry->id;
 
 		print "<td class='center'>";
 		print "<a href='$href'>";

+ 2 - 2
htdocs/core/tpl/resource_view.tpl.php

@@ -73,11 +73,11 @@ if ((array) $linked_resources && count($linked_resources) > 0)
 			print '</div>';
 
 			print '<div class="tagtd right">';
-			print '<a class="editfielda marginleftonly marginrightonly" href="'.$_SERVER['PHP_SELF'].'?mode=edit&resource_type='.$linked_resource['resource_type'].'&element='.$element.'&element_id='.$element_id.'&lineid='.$linked_resource['rowid'].'">';
+			print '<a class="editfielda marginleftonly marginrightonly" href="'.$_SERVER['PHP_SELF'].'?mode=edit&token='.newToken().'&resource_type='.$linked_resource['resource_type'].'&element='.$element.'&element_id='.$element_id.'&lineid='.$linked_resource['rowid'].'">';
 			print img_edit();
 			print '</a>';
 			print '&nbsp;';
-			print '<a class="marginleftonly marginrightonly" href="'.$_SERVER['PHP_SELF'].'?action=delete_resource&id='.$linked_resource['resource_id'].'&element='.$element.'&element_id='.$element_id.'&lineid='.$linked_resource['rowid'].'">';
+			print '<a class="marginleftonly marginrightonly" href="'.$_SERVER['PHP_SELF'].'?action=delete_resource&token='.newToken().'&id='.$linked_resource['resource_id'].'&element='.$element.'&element_id='.$element_id.'&lineid='.$linked_resource['rowid'].'">';
 			print img_picto($langs->trans("Unlink"), 'unlink');
 			print '</a>';
 			print '</div>';
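Review bot: The first rewritten link attaches the token to `mode=edit` while every other link in this commit attaches it to an `action=` parameter; if the CSRF check is keyed on `action`, the token on a `mode` link is dead weight, and if it also covers `mode`, that trigger deserves a comment where the check lives. Both links also concatenate `$linked_resource['resource_type']`, `$element` and `$element_id` raw; `urlencode()` on the string values (`'&element='.urlencode($element)`) and `(int)` on the ids keep the query string well-formed. The enclosing loop starts and ends outside the hunk.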

+ 1 - 1
htdocs/cron/card.php

@@ -726,7 +726,7 @@ if (($action == "create") || ($action == "edit"))
 	if (!$user->rights->cron->delete) {
 		print '<a class="butActionDeleteRefused" href="#" title="'.dol_escape_htmltag($langs->transnoentitiesnoconv("NotEnoughPermissions")).'">'.$langs->trans("Delete").'</a>';
 	} else {
-		print '<a class="butActionDelete" href="'.$_SERVER['PHP_SELF'].'?action=delete&id='.$object->id.'">'.$langs->trans("Delete").'</a>';
+		print '<a class="butActionDelete" href="'.$_SERVER['PHP_SELF'].'?action=delete&token='.newToken().'&id='.$object->id.'">'.$langs->trans("Delete").'</a>';
 	}
 	print '</div>';
 

+ 2 - 2
htdocs/cron/list.php

@@ -536,12 +536,12 @@ if ($num > 0)
 		$backtourl = urlencode($_SERVER["PHP_SELF"].'?'.$param.($sortfield ? '&sortfield='.$sortfield : '').($sortorder ? '&sortorder='.$sortorder : ''));
 		if ($user->rights->cron->create)
 		{
-			print '<a class="editfielda" href="'.DOL_URL_ROOT."/cron/card.php?id=".$obj->rowid."&action=edit".($sortfield ? '&sortfield='.$sortfield : '').($sortorder ? '&sortorder='.$sortorder : '').$param;
+			print '<a class="editfielda" href="'.DOL_URL_ROOT."/cron/card.php?id=".$obj->rowid.'&action=edit&token='.newToken().($sortfield ? '&sortfield='.$sortfield : '').($sortorder ? '&sortorder='.$sortorder : '').$param;
 			print "&backtourl=".$backtourl."\" title=\"".dol_escape_htmltag($langs->trans('Edit'))."\">".img_picto($langs->trans('Edit'), 'edit')."</a> &nbsp;";
 		}
 		if ($user->rights->cron->delete)
 		{
-			print '<a class="reposition" href="'.$_SERVER["PHP_SELF"]."?id=".$obj->rowid."&action=delete".($page ? '&page='.$page : '').($sortfield ? '&sortfield='.$sortfield : '').($sortorder ? '&sortorder='.$sortorder : '').$param;
+			print '<a class="reposition" href="'.$_SERVER["PHP_SELF"]."?id=".$obj->rowid.'&action=delete&token='.newToken().($page ? '&page='.$page : '').($sortfield ? '&sortfield='.$sortfield : '').($sortorder ? '&sortorder='.$sortorder : '').$param;
 			print "\" title=\"".dol_escape_htmltag($langs->trans('CronDelete'))."\">".img_picto($langs->trans('CronDelete'), 'delete', '', false, 0, 0, '', 'marginleftonly')."</a> &nbsp; ";
 		} else {
 			print "<a href=\"#\" title=\"".dol_escape_htmltag($langs->trans('NotEnoughPermissions'))."\">".img_picto($langs->trans('NotEnoughPermissions'), 'delete', '', false, 0, 0, '', 'marginleftonly')."</a> &nbsp; ";
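Review bot: The two rewritten `print` lines mix single- and double-quoted segments inside one expression (`"/cron/card.php?id=".$obj->rowid.'&action=edit&token='.newToken()…`), and the commit made the mix denser rather than resolving it; a single quote style per line (single quotes throughout, as the other link hunks in this commit use) reads more easily. Each link is also split across two `print` statements with the `href` attribute left open between them (`print "&backtourl=".$backtourl."\" title=…`), so the quoting has to be traced across both lines to see that the attribute closes. The enclosing loop starts and ends outside the hunk.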

+ 1 - 1
htdocs/don/card.php

@@ -817,7 +817,7 @@ if (!empty($id) && $action != 'edit')
 	{
 		if ($object->statut == -1 || $object->statut == 0)
 		{
-			print '<div class="inline-block divButAction"><a class="butActionDelete" href="card.php?rowid='.$object->id.'&action=delete">'.$langs->trans("Delete")."</a></div>";
+			print '<div class="inline-block divButAction"><a class="butActionDelete" href="card.php?rowid='.$object->id.'&action=delete&token='.newToken().'">'.$langs->trans("Delete")."</a></div>";
 		} else {
 			print '<div class="inline-block divButAction"><a class="butActionRefused classfortooltip" href="#">'.$langs->trans("Delete")."</a></div>";
 		}

+ 1 - 1
htdocs/don/payment/card.php

@@ -268,7 +268,7 @@ if (empty($action))
 	{
 		if (!$disable_delete)
 		{
-			print '<a class="butActionDelete" href="card.php?id='.$object->id.'&amp;action=delete">'.$langs->trans('Delete').'</a>';
+			print '<a class="butActionDelete" href="card.php?id='.$object->id.'&amp;action=delete&amp;token='.newToken().'">'.$langs->trans('Delete').'</a>';
 		} else {
 			print '<a class="butActionRefused classfortooltip" href="#" title="'.dol_escape_htmltag($langs->trans("CantRemovePaymentWithOneInvoicePaid")).'">'.$langs->trans('Delete').'</a>';
 		}

+ 1 - 1
htdocs/ecm/dir_add_card.php

@@ -292,7 +292,7 @@ if (empty($action) || $action == 'delete_section')
 	print '<div class="tabsAction">';
 	if ($user->rights->ecm->setup)
 	{
-		print '<a class="butAction" href="'.$_SERVER['PHP_SELF'].'?action=delete_section">'.$langs->trans('Delete').'</a>';
+		print '<a class="butAction" href="'.$_SERVER['PHP_SELF'].'?action=delete_section&token='.newToken().'">'.$langs->trans('Delete').'</a>';
 	} else {
 		print '<a class="butActionRefused classfortooltip" href="#" title="'.$langs->trans("NotAllowed").'">'.$langs->trans('Delete').'</a>';
 	}

+ 1 - 1
htdocs/ecm/dir_card.php

@@ -473,7 +473,7 @@ if ($action != 'edit' && $action != 'delete')
 	//{
 	if ($permtoadd)
 	{
-		print '<a class="butActionDelete" href="'.$_SERVER['PHP_SELF'].'?action=delete_dir'.($module ? '&module='.$module : '').'&section='.$section.($backtopage ? '&backtopage='.urlencode($backtopage) : '').'">'.$langs->trans('Delete').'</a>';
+		print '<a class="butActionDelete" href="'.$_SERVER['PHP_SELF'].'?action=delete_dir&token='.newToken().($module ? '&module='.$module : '').'&section='.$section.($backtopage ? '&backtopage='.urlencode($backtopage) : '').'">'.$langs->trans('Delete').'</a>';
 	} else {
 		print '<a class="butActionDeleteRefused" href="#" title="'.$langs->trans("NotAllowed").'">'.$langs->trans('Delete').'</a>';
 	}
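Review bot: The rewritten delete link url-encodes `$backtopage` but concatenates `$module` and `$section` raw into the same query string; `urlencode()` on both, `'&section='.urlencode($section)`, makes the three parameters consistent and keeps a section value containing `&` or `#` from truncating the link. The enclosing block starts and ends outside the hunk.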

+ 1 - 1
htdocs/ecm/file_card.php

@@ -420,7 +420,7 @@ if ($action != 'edit')
     /*
 	if ($user->rights->ecm->setup)
 	{
-		print '<a class="butAction" href="'.$_SERVER['PHP_SELF'].'?action=delete_file&section='.$section.'&urlfile='.urlencode($urlfile).'">'.$langs->trans('Delete').'</a>';
+		print '<a class="butAction" href="'.$_SERVER['PHP_SELF'].'?action=delete_file&token='.newToken().'&section='.$section.'&urlfile='.urlencode($urlfile).'">'.$langs->trans('Delete').'</a>';
 	}
 	else
 	{

+ 2 - 2
htdocs/expedition/card.php

@@ -2360,7 +2360,7 @@ if ($action == 'create')
 					print '<a class="editfielda reposition" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=editline&amp;lineid='.$lines[$i]->id.'">'.img_edit().'</a>';
 					print '</td>';
 					print '<td class="linecoldelete" width="10">';
-					print '<a class="reposition" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=deleteline&amp;lineid='.$lines[$i]->id.'">'.img_delete().'</a>';
+					print '<a class="reposition" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=deleteline&amp;token='.newToken().'&amp;lineid='.$lines[$i]->id.'">'.img_delete().'</a>';
 					print '</td>';
 
 					// Display lines extrafields
@@ -2499,7 +2499,7 @@ if ($action == 'create')
 			// Delete
 			if ($user->rights->expedition->supprimer)
 			{
-				print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete">'.$langs->trans("Delete").'</a>';
+				print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete&amp;token='.newToken().'">'.$langs->trans("Delete").'</a>';
 			}
 		}
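Review bot: In the first hunk the `action=editline` link on the context line just above the rewritten `deleteline` link is left without a token, while `expensereport/card.php` in this same commit adds one to its `editline` link; if the CSRF gate fires on any `action`, the expedition edit link will be rejected where the expense-report one passes. Either add `'&amp;token='.newToken()` to that `editline` href as well or leave a comment saying why it is exempt. Both enclosing blocks start and end outside the hunks.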
 

+ 2 - 2
htdocs/expensereport/card.php

@@ -2199,10 +2199,10 @@ if ($action == 'create')
 							{
 								print '<td class="nowrap right">';
 
-								print '<a class="editfielda reposition paddingrightonly" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=editline&amp;rowid='.$line->rowid.'">';
+								print '<a class="editfielda reposition paddingrightonly" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=editline&amp;token='.newToken().'&amp;rowid='.$line->rowid.'">';
 								print img_edit();
 								print '</a> &nbsp; ';
-								print '<a class="paddingrightonly" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete_line&amp;rowid='.$line->rowid.'">';
+								print '<a class="paddingrightonly" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete_line&amp;token='.newToken().'&amp;rowid='.$line->rowid.'">';
 								print img_delete();
 								print '</a>';
 

+ 1 - 1
htdocs/expensereport/payment/card.php

@@ -293,7 +293,7 @@ if ($action == '')
 	{
 		if (!$disable_delete)
 		{
-			print '<a class="butActionDelete" href="'.$_SERVER['PHP_SELF'].'?id='.$id.'&amp;action=delete">'.$langs->trans('Delete').'</a>';
+			print '<a class="butActionDelete" href="'.$_SERVER['PHP_SELF'].'?id='.$id.'&amp;action=delete&amp;token='.newToken().'">'.$langs->trans('Delete').'</a>';
 		} else {
 			print '<a class="butActionRefused classfortooltip" href="#" title="'.dol_escape_htmltag($title_button).'">'.$langs->trans('Delete').'</a>';
 		}

+ 1 - 1
htdocs/exports/class/export.class.php

@@ -845,7 +845,7 @@ class Export
 				}
 				// suppression de l'export
 				print '<td class="right">';
-				print '<a href="'.$_SERVER["PHP_SELF"].'?action=deleteprof&id='.$obj->rowid.'">';
+				print '<a href="'.$_SERVER["PHP_SELF"].'?action=deleteprof&token='.newToken().'&id='.$obj->rowid.'">';
 				print img_delete();
 				print '</a>';
 				print "</tr>";

+ 2 - 2
htdocs/fichinter/card-rec.php

@@ -714,14 +714,14 @@ if ($action == 'create') {
 
 			if ($user->rights->ficheinter->creer) {
 				print '<div class="inline-block divButAction">';
-				print '<a class="butAction" href="'.$_SERVER['PHP_SELF'].'?action=createfrommodel';
+				print '<a class="butAction" href="'.$_SERVER['PHP_SELF'].'?action=createfrommodel&token='.newToken().'';
 				print '&socid='.$object->thirdparty->id.'&id='.$object->id.'">';
 				print $langs->trans("CreateFichInter").'</a></div>';
 			}
 
 			if ($user->rights->ficheinter->supprimer) {
 				print '<div class="inline-block divButAction">';
-				print '<a class="butActionDelete" href="'.$_SERVER['PHP_SELF'].'?action=delete&id='.$object->id.'">';
+				print '<a class="butActionDelete" href="'.$_SERVER['PHP_SELF'].'?action=delete&token='.newToken().'&id='.$object->id.'">';
 				print $langs->trans('Delete').'</a></div>';
 			}
 			print '</div>';
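Review bot: The rewritten `createfrommodel` link ends with an empty concatenation, `'?action=createfrommodel&token='.newToken().'';` — drop the trailing `.''`. The same link is also assembled across two `print` statements (`action&token` on one line, `socid&id` on the next) while the `delete` link below is one statement; one `print` per link keeps the two buttons symmetric. The enclosing block starts outside the hunk.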

+ 1 - 1
htdocs/fichinter/card.php

@@ -1697,7 +1697,7 @@ if ($action == 'create')
 				// Delete
 				if (($object->statut == Fichinter::STATUS_DRAFT && $user->rights->ficheinter->creer) || $user->rights->ficheinter->supprimer)
 				{
-					print '<div class="inline-block divButAction"><a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete"';
+					print '<div class="inline-block divButAction"><a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete&amp;token='.newToken().'"';
 					print '>'.$langs->trans('Delete').'</a></div>';
 				}
 			}

+ 2 - 2
htdocs/fichinter/class/fichinter.class.php

@@ -4,7 +4,7 @@
  * Copyright (C) 2005-2012 Regis Houssin        <regis.houssin@inodbox.com>
  * Copyright (C) 2011-2020 Juanjo Menent        <jmenent@2byte.es>
  * Copyright (C) 2015      Marcos García        <marcosgdf@gmail.com>
- * Copyright (C) 2015      Charlie Benke        <charlie@patas-monkey.com>
+ * Copyright (C) 2015-2020 Charlene Benke       <charlie@patas-monkey.com>
  * Copyright (C) 2018      Nicolas ZABOURI	    <info@inovea-conseil.com>
  * Copyright (C) 2018-2019 Frédéric France      <frederic.france@netlogic.fr>
  *
@@ -810,7 +810,7 @@ class Fichinter extends CommonObject
 		$result .= $linkend;
 
 		global $action;
-		$hookmanager->initHooks(array('intervnetiondao'));
+		$hookmanager->initHooks(array('interventiondao'));
 		$parameters = array('id'=>$this->id, 'getnomurl'=>$result);
 		$reshook = $hookmanager->executeHooks('getNomUrl', $parameters, $this, $action); // Note that $action and $object may have been modified by some hooks
 		if ($reshook > 0) $result = $hookmanager->resPrint;
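Review bot: Correcting the hook context from `intervnetiondao` to `interventiondao` is a behaviour change for any external module that registered its hooks under the misspelled context: those hooks stop being called for `getNomUrl` after this commit. The ChangeLog touched in this merge should record the renamed context so module authors know to update their hook registration. The enclosing method starts and ends outside the hunk.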

+ 1 - 1
htdocs/fourn/card.php

@@ -798,7 +798,7 @@ if ($object->id > 0)
 				if ($object->status == 1)
 				{
 					// Company is open
-					print '<div class="inline-block divButAction"><a class="butAction" href="'.DOL_URL_ROOT.'/fourn/commande/orderstoinvoice.php?socid='.$object->id.'">'.$langs->trans("CreateInvoiceForThisCustomer").'</a></div>';
+					print '<div class="inline-block divButAction"><a class="butAction" href="'.DOL_URL_ROOT.'/fourn/commande/list.php?socid='.$object->id.'&search_billed=0&autoselectall=1">'.$langs->trans("CreateInvoiceForThisSupplier").'</a></div>';
 				} else {
 					print '<div class="inline-block divButAction"><a class="butActionRefused classfortooltip" href="#">'.$langs->trans("CreateInvoiceForThisCustomer").'</a></div>';
 				}
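Review bot: The rewritten button now uses the `CreateInvoiceForThisSupplier` translation key, but the refused variant in the `else` branch on the next line still uses `CreateInvoiceForThisCustomer`, so the same button changes wording depending on the company's status; update that line to `$langs->trans("CreateInvoiceForThisSupplier")` as well. The enclosing block starts and ends outside the hunk.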

+ 9 - 4
htdocs/fourn/class/fournisseur.facture.class.php

@@ -34,7 +34,7 @@
  *  \brief      File of class to manage suppliers invoices
  */
 
-include_once DOL_DOCUMENT_ROOT.'/core/class/commoninvoice.class.php';
+require_once DOL_DOCUMENT_ROOT.'/core/class/commoninvoice.class.php';
 require_once DOL_DOCUMENT_ROOT.'/multicurrency/class/multicurrency.class.php';
 require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php';
 
@@ -765,7 +765,7 @@ class FactureFournisseur extends CommonInvoice
 		$sql .= ', f.localtax1_tx, f.localtax2_tx, f.localtax1_type, f.localtax2_type, f.total_localtax1, f.total_localtax2, f.fk_facture_fourn ';
 		$sql .= ', f.total_ht, f.tva as total_tva, f.total_ttc, f.fk_product, f.product_type, f.info_bits, f.rang, f.special_code, f.fk_parent_line, f.fk_unit';
 		$sql .= ', p.rowid as product_id, p.ref as product_ref, p.label as label, p.description as product_desc';
-		$sql .= ', f.fk_multicurrency, f.multicurrency_code, f.multicurrency_subprice, f.multicurrency_total_ht, f.multicurrency_total_tva, f.multicurrency_total_ttc';
+		$sql .= ', fk_code_ventilation, f.fk_multicurrency, f.multicurrency_code, f.multicurrency_subprice, f.multicurrency_total_ht, f.multicurrency_total_tva, f.multicurrency_total_ttc';
 		$sql .= ' FROM '.MAIN_DB_PREFIX.'facture_fourn_det as f';
 		$sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product as p ON f.fk_product = p.rowid';
 		$sql .= ' WHERE fk_facture_fourn='.$this->id;
@@ -825,6 +825,10 @@ class FactureFournisseur extends CommonInvoice
 					$line->rang = $obj->rang;
 					$line->fk_unit          = $obj->fk_unit;
 
+					// Accountancy
+					$line->code_ventilation = $obj->fk_code_ventilation;
+					$line->fk_accounting_account	= $obj->fk_code_ventilation;
+
 					// Multicurrency
 					$line->fk_multicurrency = $obj->fk_multicurrency;
 					$line->multicurrency_code = $obj->multicurrency_code;
@@ -1597,9 +1601,10 @@ class FactureFournisseur extends CommonInvoice
 	 *  @param		double	$pu_ht_devise		Amount in currency
 	 *  @param		string	$ref_supplier		Supplier ref
 	 *  @param      string  $special_code       Special code
+	 *  @param		int		$fk_parent_line		Parent line id
 	 *	@return    	int             			>0 if OK, <0 if KO
 	 */
-	public function addline($desc, $pu, $txtva, $txlocaltax1, $txlocaltax2, $qty, $fk_product = 0, $remise_percent = 0, $date_start = '', $date_end = '', $ventil = 0, $info_bits = '', $price_base_type = 'HT', $type = 0, $rang = -1, $notrigger = false, $array_options = 0, $fk_unit = null, $origin_id = 0, $pu_ht_devise = 0, $ref_supplier = '', $special_code = '')
+	public function addline($desc, $pu, $txtva, $txlocaltax1, $txlocaltax2, $qty, $fk_product = 0, $remise_percent = 0, $date_start = '', $date_end = '', $ventil = 0, $info_bits = '', $price_base_type = 'HT', $type = 0, $rang = -1, $notrigger = false, $array_options = 0, $fk_unit = null, $origin_id = 0, $pu_ht_devise = 0, $ref_supplier = '', $special_code = '', $fk_parent_line = 0)
 	{
 		global $langs, $mysoc, $conf;
 
@@ -1773,7 +1778,7 @@ class FactureFournisseur extends CommonInvoice
 			$this->line->info_bits = $info_bits;
 
 			$this->line->special_code = ((string) $special_code != '' ? $special_code : $this->special_code);
-			$this->line->fk_parent_line = $this->fk_parent_line;
+			$this->line->fk_parent_line = $fk_parent_line;
 			$this->line->origin = $this->origin;
 			$this->line->origin_id = $origin_id;
 			$this->line->fk_unit = $fk_unit;
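Review bot: The column added to the SELECT in the hunk at +765 is written as bare `fk_code_ventilation` while every neighbouring column carries the `f.` alias; since `product as p` is joined on the same query, an unqualified name becomes ambiguous as soon as either table has a column of that name, so write `$sql .= ', f.fk_code_ventilation, f.fk_multicurrency, f.multicurrency_code, ...';`. The new `$fk_parent_line` parameter also replaces the former read of `$this->fk_parent_line` in the last hunk, so a caller that set that property on the invoice object before calling `addline()` now silently gets 0; if that fallback is still wanted, `$this->line->fk_parent_line = ($fk_parent_line > 0 ? $fk_parent_line : $this->fk_parent_line);` keeps both behaviours. The enclosing methods start and end outside these hunks.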

+ 1 - 1
htdocs/fourn/commande/card.php

@@ -2559,7 +2559,7 @@ if ($action == 'create')
 			// Delete
 			if (!empty($usercandelete) || ($object->statut == CommandeFournisseur::STATUS_DRAFT && !empty($usercancreate)))
 			{
-				print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete">'.$langs->trans("Delete").'</a>';
+				print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete&amp;token='.newToken().'">'.$langs->trans("Delete").'</a>';
 			}
 		}
 

+ 137 - 79
htdocs/fourn/commande/list.php

@@ -35,6 +35,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/company.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.class.php';
 require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.commande.class.php';
+require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.facture.class.php';
 require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php';
 require_once DOL_DOCUMENT_ROOT.'/core/class/html.formorder.class.php';
 require_once DOL_DOCUMENT_ROOT.'/core/class/html.formother.class.php';
@@ -130,6 +131,9 @@ $fieldstosearchall = array(
 	'cf.ref_supplier'=>'RefSupplierOrder',
 	'pd.description'=>'Description',
 	's.nom'=>"ThirdParty",
+	's.name_alias'=>"AliasNameShort",
+	's.zip'=>"Zip",
+	's.town'=>"Town",
 	'cf.note_public'=>'NotePublic',
 );
 if (empty($user->socid)) $fieldstosearchall["cf.note_private"] = "NotePrivate";
@@ -180,7 +184,7 @@ $arrayfields = dol_sort_array($arrayfields, 'position');
  */
 
 if (GETPOST('cancel', 'alpha')) { $action = 'list'; $massaction = ''; }
-if (!GETPOST('confirmmassaction', 'alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction = ''; }
+if (!GETPOST('confirmmassaction', 'alpha') && $massaction != 'presend' && $massaction != 'confirm_presend' && $massaction != 'confirm_createsupplierbills') { $massaction = ''; }
 
 $parameters = array('socid'=>$socid);
 $reshook = $hookmanager->executeHooks('doActions', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks
@@ -244,7 +248,7 @@ if (empty($reshook))
 	include DOL_DOCUMENT_ROOT.'/core/actions_massactions.inc.php';
 
 	// TODO Move this into mass action include
-	if ($massaction == 'confirm_createbills')
+	if ($massaction == 'confirm_createsupplierbills')
 	{
 		$orders = GETPOST('toselect', 'array');
 		$createbills_onebythird = GETPOST('createbills_onebythird', 'int');
@@ -258,34 +262,36 @@ if (empty($reshook))
 		$db->begin();
 
 		foreach ($orders as $id_order) {
-			$cmd = new Commande($db);
+			$cmd = new CommandeFournisseur($db);
 			if ($cmd->fetch($id_order) <= 0) continue;
 
-			$object = new Facture($db);
-			if (!empty($createbills_onebythird) && !empty($TFactThird[$cmd->socid])) $object = $TFactThird[$cmd->socid]; // If option "one bill per third" is set, we use already created order.
+			$objecttmp = new FactureFournisseur($db);
+			if (!empty($createbills_onebythird) && !empty($TFactThird[$cmd->socid])) $objecttmp = $TFactThird[$cmd->socid]; // If option "one bill per third" is set, we use already created order.
 			else {
-				$object->socid = $cmd->socid;
-				$object->type = Facture::TYPE_STANDARD;
-				$object->cond_reglement_id	= $cmd->cond_reglement_id;
-				$object->mode_reglement_id	= $cmd->mode_reglement_id;
-				$object->fk_project = $cmd->fk_project;
-
-				$datefacture = dol_mktime(12, 0, 0, $_POST['remonth'], $_POST['reday'], $_POST['reyear']);
+				$objecttmp->socid = $cmd->socid;
+				$objecttmp->type = $objecttmp::TYPE_STANDARD;
+				$objecttmp->cond_reglement_id	= $cmd->cond_reglement_id;
+				$objecttmp->mode_reglement_id	= $cmd->mode_reglement_id;
+				$objecttmp->fk_project = $cmd->fk_project;
+				$objecttmp->multicurrency_code = $cmd->multicurrency_code;
+				if (empty($createbills_onebythird)) $objecttmp->ref_client = $cmd->ref_client;
+
+				$datefacture = dol_mktime(12, 0, 0, GETPOST('remonth', 'int'), GETPOST('reday', 'int'), GETPOST('reyear', 'int'));
 				if (empty($datefacture))
 				{
-					$datefacture = dol_mktime(date("h"), date("M"), 0, date("m"), date("d"), date("Y"));
+					$datefacture = dol_now();
 				}
 
-				$object->date = $datefacture;
-				$object->origin    = 'commande';
-				$object->origin_id = $id_order;
+				$objecttmp->date = $datefacture;
+				$objecttmp->origin    = 'order_supplier';
+				$objecttmp->origin_id = $id_order;
 
-				$res = $object->create($user);
+				$res = $objecttmp->create($user);
 
 				if ($res > 0) $nb_bills_created++;
 			}
 
-			if ($object->id > 0)
+			if ($objecttmp->id > 0)
 			{
 				$sql = "INSERT INTO ".MAIN_DB_PREFIX."element_element (";
 				$sql .= "fk_source";
@@ -294,9 +300,9 @@ if (empty($reshook))
 				$sql .= ", targettype";
 				$sql .= ") VALUES (";
 				$sql .= $id_order;
-				$sql .= ", '".$db->escape($object->origin)."'";
-				$sql .= ", ".$object->id;
-				$sql .= ", '".$db->escape($object->element)."'";
+				$sql .= ", '".$db->escape($objecttmp->origin)."'";
+				$sql .= ", ".$objecttmp->id;
+				$sql .= ", '".$db->escape($objecttmp->element)."'";
 				$sql .= ")";
 
 				if (!$db->query($sql))
@@ -323,7 +329,7 @@ if (empty($reshook))
 						{
 							// Negative line, we create a discount line
 							$discount = new DiscountAbsolute($db);
-							$discount->fk_soc = $object->socid;
+							$discount->fk_soc = $objecttmp->socid;
 							$discount->amount_ht = abs($lines[$i]->total_ht);
 							$discount->amount_tva = abs($lines[$i]->total_tva);
 							$discount->amount_ttc = abs($lines[$i]->total_ttc);
@@ -333,7 +339,7 @@ if (empty($reshook))
 							$discountid = $discount->create($user);
 							if ($discountid > 0)
 							{
-								$result = $object->insert_discount($discountid);
+								$result = $objecttmp->insert_discount($discountid);
 								//$result=$discount->link_to_invoice($lineid,$id);
 							} else {
 								setEventMessages($discount->error, $discount->errors, 'errors');
@@ -358,32 +364,31 @@ if (empty($reshook))
 							{
 								$fk_parent_line = 0;
 							}
-                            $result = $object->addline(
+                            $result = $objecttmp->addline(
 								$desc,
 								$lines[$i]->subprice,
-								$lines[$i]->qty,
 								$lines[$i]->tva_tx,
 								$lines[$i]->localtax1_tx,
 								$lines[$i]->localtax2_tx,
-								$lines[$i]->fk_product,
+                            	$lines[$i]->qty,
+                            	$lines[$i]->fk_product,
 								$lines[$i]->remise_percent,
 								$date_start,
 								$date_end,
 								0,
 								$lines[$i]->info_bits,
-								$lines[$i]->fk_remise_except,
-								'HT',
-								0,
-								$product_type,
-								$ii,
-								$lines[$i]->special_code,
-								$object->origin,
-								$lines[$i]->rowid,
-								$fk_parent_line,
-								$lines[$i]->fk_fournprice,
-								$lines[$i]->pa_ht,
-								$lines[$i]->label
-								);
+                            	'HT',
+                            	$product_type,
+                            	$lines[$i]->rang,
+                            	false,
+                            	$lines[$i]->array_options,
+                            	$lines[$i]->fk_unit,
+                            	$objecttmp->origin_id,
+                            	$lines[$i]->pa_ht,
+                            	$lines[$i]->ref_supplier,
+                            	$lines[$i]->special_code,
+                            	$fk_parent_line
+							);
 							if ($result > 0)
 							{
 								$lineid = $result;
@@ -404,8 +409,8 @@ if (empty($reshook))
 
 			$cmd->classifyBilled($user); // TODO Move this in workflow like done for customer orders
 
-			if (!empty($createbills_onebythird) && empty($TFactThird[$cmd->socid])) $TFactThird[$cmd->socid] = $object;
-			else $TFact[$object->id] = $object;
+			if (!empty($createbills_onebythird) && empty($TFactThird[$cmd->socid])) $TFactThird[$cmd->socid] = $objecttmp;
+			else $TFact[$objecttmp->id] = $objecttmp;
 		}
 
 		// Build doc with all invoices
@@ -415,38 +420,67 @@ if (empty($reshook))
 		if (!$error && $validate_invoices) {
 			$massaction = $action = 'builddoc';
 
-			foreach ($TAllFact as &$object)
+			foreach ($TAllFact as &$objecttmp)
 			{
-				$object->validate($user);
+				$objecttmp->validate($user);
 				if ($result <= 0)
 				{
 					$error++;
-					setEventMessages($object->error, $object->errors, 'errors');
+					setEventMessages($objecttmp->error, $objecttmp->errors, 'errors');
 					break;
 				}
 
-				$id = $object->id; // For builddoc action
+				$id = $objecttmp->id; // For builddoc action
 
 				// Fac builddoc
 				$donotredirect = 1;
-				$upload_dir = $conf->facture->dir_output;
-				$permissiontoadd = $user->rights->facture->creer;
-				include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php';
+				$upload_dir = $conf->fournisseur->facture->dir_output;
+				$permissiontoadd = $user->rights->fournisseur->facture->creer;
+				//include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php';
 			}
 
-			$massaction = $action = 'confirm_createbills';
+			$massaction = $action = 'confirm_createsupplierbills';
 		}
 
 		if (!$error)
 		{
 			$db->commit();
 			setEventMessages($langs->trans('BillCreated', $nb_bills_created), null, 'mesgs');
+
+			// Make a redirect to avoid to bill twice if we make a refresh or back
+			$param = '';
+			if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param .= '&contextpage='.urlencode($contextpage);
+			if ($limit > 0 && $limit != $conf->liste_limit) $param .= '&limit='.urlencode($limit);
+			if ($sall)					$param .= '&sall='.urlencode($sall);
+			if ($socid > 0)             $param .= '&socid='.urlencode($socid);
+			if ($search_status != '')      $param .= '&search_status='.urlencode($search_status);
+			if ($search_orderday)      		$param .= '&search_orderday='.urlencode($search_orderday);
+			if ($search_ordermonth)      		$param .= '&search_ordermonth='.urlencode($search_ordermonth);
+			if ($search_orderyear)       		$param .= '&search_orderyear='.urlencode($search_orderyear);
+			if ($search_deliveryday)   		$param .= '&search_deliveryday='.urlencode($search_deliveryday);
+			if ($search_deliverymonth)   		$param .= '&search_deliverymonth='.urlencode($search_deliverymonth);
+			if ($search_deliveryyear)    		$param .= '&search_deliveryyear='.urlencode($search_deliveryyear);
+			if ($search_ref)      		$param .= '&search_ref='.urlencode($search_ref);
+			if ($search_company)  		$param .= '&search_company='.urlencode($search_company);
+			if ($search_ref_customer)	$param .= '&search_ref_customer='.urlencode($search_ref_customer);
+			if ($search_user > 0) 		$param .= '&search_user='.urlencode($search_user);
+			if ($search_sale > 0) 		$param .= '&search_sale='.urlencode($search_sale);
+			if ($search_total_ht != '') $param .= '&search_total_ht='.urlencode($search_total_ht);
+			if ($search_total_vat != '') $param .= '&search_total_vat='.urlencode($search_total_vat);
+			if ($search_total_ttc != '') $param .= '&search_total_ttc='.urlencode($search_total_ttc);
+			if ($search_project_ref >= 0)  	$param .= "&search_project_ref=".urlencode($search_project_ref);
+			if ($show_files)            $param .= '&show_files='.urlencode($show_files);
+			if ($optioncss != '')       $param .= '&optioncss='.urlencode($optioncss);
+			if ($billed != '')			$param .= '&billed='.urlencode($billed);
+
+			header("Location: ".$_SERVER['PHP_SELF'].'?'.$param);
+			exit;
 		} else {
 			$db->rollback();
 			$action = 'create';
 			$_GET["origin"] = $_POST["origin"];
 			$_GET["originid"] = $_POST["originid"];
-			setEventMessages($object->error, $object->errors, 'errors');
+			setEventMessages("Error", null, 'errors');
 			$error++;
 		}
 	}
@@ -566,6 +600,7 @@ $sql .= $hookmanager->resPrint;
 
 $sql .= $db->order($sortfield, $sortorder);
 
+// Count total nb of records
 $nbtotalofrecords = '';
 if (empty($conf->global->MAIN_DISABLE_FULL_SCANLIST))
 {
@@ -579,6 +614,7 @@ if (empty($conf->global->MAIN_DISABLE_FULL_SCANLIST))
 }
 
 $sql .= $db->plimit($limit + 1, $offset);
+//print $sql;
 
 $resql = $db->query($sql);
 if ($resql)
@@ -607,23 +643,24 @@ if ($resql)
 	llxHeader('', $title, $help_url);
 
 	$param = '';
-	if ($socid > 0)             $param .= '&socid='.$socid;
-	if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param .= '&contextpage='.$contextpage;
-	if ($limit > 0 && $limit != $conf->liste_limit) $param .= '&limit='.$limit;
-	if ($sall)					$param .= "&search_all=".$sall;
-	if ($search_orderday)      	$param .= '&search_orderday='.$search_orderday;
-	if ($search_ordermonth)     $param .= '&search_ordermonth='.$search_ordermonth;
-	if ($search_orderyear)      $param .= '&search_orderyear='.$search_orderyear;
-	if ($search_deliveryday)   	$param .= '&search_deliveryday='.$search_deliveryday;
-	if ($search_deliverymonth)  $param .= '&search_deliverymonth='.$search_deliverymonth;
-	if ($search_deliveryyear)   $param .= '&search_deliveryyear='.$search_deliveryyear;
-	if ($search_ref)      		$param .= '&search_ref='.$search_ref;
-	if ($search_company)  		$param .= '&search_company='.$search_company;
-	if ($search_user > 0) 		$param .= '&search_user='.$search_user;
-	if ($search_request_author) $param .= '&search_request_author='.$search_request_author;
-	if ($search_sale > 0) 		$param .= '&search_sale='.$search_sale;
-	if ($search_total_ht != '') $param .= '&search_total_ht='.$search_total_ht;
-	if ($search_total_ttc != '') $param .= "&search_total_ttc=".$search_total_ttc;
+	if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param .= '&contextpage='.urlencode($contextpage);
+	if ($limit > 0 && $limit != $conf->liste_limit) $param .= '&limit='.urlencode($limit);
+	if ($sall)					$param .= '&sall='.urlencode($sall);
+	if ($socid > 0)             $param .= '&socid='.urlencode($socid);
+	if ($sall)					$param .= "&search_all=".urlencode($sall);
+	if ($search_orderday)      	$param .= '&search_orderday='.urlencode($search_orderday);
+	if ($search_ordermonth)     $param .= '&search_ordermonth='.urlencode($search_ordermonth);
+	if ($search_orderyear)      $param .= '&search_orderyear='.urlencode($search_orderyear);
+	if ($search_deliveryday)   	$param .= '&search_deliveryday='.urlencode($search_deliveryday);
+	if ($search_deliverymonth)  $param .= '&search_deliverymonth='.urlencode($search_deliverymonth);
+	if ($search_deliveryyear)   $param .= '&search_deliveryyear='.urlencode($search_deliveryyear);
+	if ($search_ref)      		$param .= '&search_ref='.urlencode($search_ref);
+	if ($search_company)  		$param .= '&search_company='.urlencode($search_company);
+	if ($search_user > 0) 		$param .= '&search_user='.urlencode($search_user);
+	if ($search_request_author) $param .= '&search_request_author='.urlencode($search_request_author);
+	if ($search_sale > 0) 		$param .= '&search_sale='.urlencode($search_sale);
+	if ($search_total_ht != '') $param .= '&search_total_ht='.urlencode($search_total_ht);
+	if ($search_total_ttc != '') $param .= "&search_total_ttc=".urlencode($search_total_ttc);
 	if ($search_multicurrency_code != '')  $param .= '&search_multicurrency_code='.urlencode($search_multicurrency_code);
 	if ($search_multicurrency_tx != '')  $param .= '&search_multicurrency_tx='.urlencode($search_multicurrency_tx);
 	if ($search_multicurrency_montant_ht != '')  $param .= '&search_multicurrency_montant_ht='.urlencode($search_multicurrency_montant_ht);
@@ -644,7 +681,7 @@ if ($resql)
 		'builddoc'=>$langs->trans("PDFMerge"),
 	    'presend'=>$langs->trans("SendByMail"),
 	);
-	//if($user->rights->fournisseur->facture->creer) $arrayofmassactions['createbills']=$langs->trans("CreateInvoiceForThisCustomer");
+	if ($user->rights->fournisseur->facture->creer) $arrayofmassactions['createbills'] = $langs->trans("CreateInvoiceForThisSupplier");
 	if ($user->rights->fournisseur->commande->supprimer) $arrayofmassactions['predelete'] = '<span class="fa fa-trash paddingrightonly"></span>'.$langs->trans("Delete");
 	if (in_array($massaction, array('presend', 'predelete', 'createbills'))) $arrayofmassactions = array();
 	$massactionbutton = $form->selectMassAction('', $arrayofmassactions);
@@ -653,15 +690,16 @@ if ($resql)
 	if (!empty($socid)) $url .= '&socid='.$socid;
 	$newcardbutton = dolGetButtonTitle($langs->trans('NewOrder'), '', 'fa fa-plus-circle', $url, '', $user->rights->fournisseur->commande->creer);
 
-	// Fields title search
-	print '<form method="POST" action="'.$_SERVER["PHP_SELF"].'">';
+	// Lines of title fields
+	print '<form method="POST" id="searchFormList" action="'.$_SERVER["PHP_SELF"].'">';
 	if ($optioncss != '') print '<input type="hidden" name="optioncss" value="'.$optioncss.'">';
 	print '<input type="hidden" name="token" value="'.newToken().'">';
 	print '<input type="hidden" name="formfilteraction" id="formfilteraction" value="list">';
 	print '<input type="hidden" name="action" value="list">';
-	print '<input type="hidden" name="contextpage" value="'.$contextpage.'">';
 	print '<input type="hidden" name="sortfield" value="'.$sortfield.'">';
 	print '<input type="hidden" name="sortorder" value="'.$sortorder.'">';
+	print '<input type="hidden" name="contextpage" value="'.$contextpage.'">';
+	print '<input type="hidden" name="socid" value="'.$socid.'">';
 
 	print_barre_liste($title, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, $massactionbutton, $num, $nbtotalofrecords, 'supplier_order', 0, $newcardbutton, '', $limit, 0, 0, 1);
 
@@ -674,11 +712,11 @@ if ($resql)
 	if ($massaction == 'createbills')
 	{
 		//var_dump($_REQUEST);
-		print '<input type="hidden" name="massaction" value="confirm_createbills">';
+		print '<input type="hidden" name="massaction" value="confirm_createsupplierbills">';
 
-		print '<table class="border" width="100%" >';
+		print '<table class="noborder" width="100%" >';
 		print '<tr>';
-		print '<td class="titlefieldmiddle">';
+		print '<td class="titlefield">';
 		print $langs->trans('DateInvoice');
 		print '</td>';
 		print '<td>';
@@ -760,7 +798,17 @@ if ($resql)
 
 	$varpage = empty($contextpage) ? $_SERVER["PHP_SELF"] : $contextpage;
 	$selectedfields = $form->multiSelectArrayWithCheckbox('selectedfields', $arrayfields, $varpage); // This also change content of $arrayfields
-	if ($massactionbutton) $selectedfields .= $form->showCheckAddButtons('checkforselect', 1);
+	$selectedfields .= $form->showCheckAddButtons('checkforselect', 1);
+
+	if (GETPOST('autoselectall', 'int')) {
+		$selectedfields .= '<script>';
+		$selectedfields .= '   $(document).ready(function() {';
+		$selectedfields .= '        console.log("Autoclick on checkforselects");';
+		$selectedfields .= '   		$("#checkforselects").click();';
+		$selectedfields .= '        $("#massaction").val("createbills").change();';
+		$selectedfields .= '   });';
+		$selectedfields .= '</script>';
+	}
 
 	print '<div class="div-table-responsive">';
 	print '<table class="tagtable liste'.($moreforfilter ? " listwithfilterbefore" : "").'">'."\n";
@@ -933,6 +981,7 @@ if ($resql)
 
 	print "</tr>\n";
 
+	// Fields title
 	print '<tr class="liste_titre">';
 	if (!empty($arrayfields['cf.ref']['checked']))            print_liste_field_titre($arrayfields['cf.ref']['label'], $_SERVER["PHP_SELF"], "cf.ref", "", $param, '', $sortfield, $sortorder);
 	if (!empty($arrayfields['cf.ref_supplier']['checked']))   print_liste_field_titre($arrayfields['cf.ref_supplier']['label'], $_SERVER["PHP_SELF"], "cf.ref_supplier", "", $param, '', $sortfield, $sortorder, 'tdoverflowmax100imp ');
@@ -983,6 +1032,12 @@ if ($resql)
 	{
 		$obj = $db->fetch_object($resql);
 
+		$notshippable = 0;
+		$warning = 0;
+		$text_info = '';
+		$text_warning = '';
+		$nbprod = 0;
+
 		$objectstatic->id = $obj->rowid;
 		$objectstatic->ref = $obj->ref;
 		$objectstatic->ref_supplier = $obj->ref_supplier;
@@ -1220,22 +1275,25 @@ if ($resql)
 		if (!$i) $totalarray['nbfield']++;
 
 		print "</tr>\n";
+
+		$total += $obj->total_ht;
+		$subtotal += $obj->total_ht;
 		$i++;
 	}
 
 	// Show total line
 	include DOL_DOCUMENT_ROOT.'/core/tpl/list_print_total.tpl.php';
 
+	$db->free($resql);
 
     $parameters = array('arrayfields'=>$arrayfields, 'sql'=>$sql);
     $reshook = $hookmanager->executeHooks('printFieldListFooter', $parameters); // Note that $action and $object may have been modified by hook
     print $hookmanager->resPrint;
 
-	print "</table>\n";
-	print '</div>';
-	print "</form>\n";
+    print '</table>'."\n";
+    print '</div>';
 
-	$db->free($resql);
+    print '</form>'."\n";
 
 	$hidegeneratedfilelistifempty = 1;
 	if ($massaction == 'builddoc' || $action == 'remove_file' || $show_files) $hidegeneratedfilelistifempty = 0;
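Review bot: The rebuilt `addline()` call in the hunk at +364 passes `$lines[$i]->pa_ht` as the 20th argument, which in the `FactureFournisseur::addline` signature changed in this same commit is `$pu_ht_devise` (unit price in the invoice currency), not a cost price, so every line would store its buying price as the foreign-currency unit price; the 19th argument `$objecttmp->origin_id` is the order id where the previous call passed the order line `$lines[$i]->rowid`, which looks like the value the line-level origin expects — verify against the signature. In the validation loop, `$objecttmp->validate($user);` discards its return and the following `if ($result <= 0)` tests the stale `$result` left by the line loop, so a failed validation is never caught; write `$result = $objecttmp->validate($user);`. On the rollback branch `setEventMessages("Error", null, 'errors');` drops the diagnostic the old code showed; keep `$objecttmp->error` (or `$db->lasterror()` for the `element_element` insert) in the message. `$upload_dir` and `$permissiontoadd` are now assigned but unused because the builddoc include is commented out, and `$sall` is appended twice (as `sall` and `search_all`) in the `$param` block at +643.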

+ 3 - 3
htdocs/fourn/facture/card.php

@@ -2345,7 +2345,7 @@ if ($action == 'create')
 		{
 			$formconfirm = $form->formconfirm($_SERVER["PHP_SELF"].'?id='.$object->id, $langs->trans('DeleteBill'), $langs->trans('ConfirmDeleteBill'), 'confirm_delete', '', 0, 1);
 		}
-		if ($action == 'deletepaiement')
+		if ($action == 'deletepayment')
 		{
 			$payment_id = GETPOST('paiement_id');
 			$formconfirm = $form->formconfirm($_SERVER["PHP_SELF"].'?id='.$object->id.'&paiement_id='.$payment_id, $langs->trans('DeletePayment'), $langs->trans('ConfirmDeletePayment'), 'confirm_delete_paiement', '', 0, 1);
@@ -2789,7 +2789,7 @@ if ($action == 'create')
 					print '<td class="center">';
 					if ($object->statut == FactureFournisseur::STATUS_VALIDATED && $object->paye == 0 && $user->socid == 0)
 					{
-						print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=deletepaiement&paiement_id='.$objp->rowid.'">';
+						print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=deletepayment&token='.newToken().'&paiement_id='.$objp->rowid.'">';
 						print img_delete();
 						print '</a>';
 					}
@@ -3178,7 +3178,7 @@ if ($action == 'create')
 	            	{
 	            		print '<div class="inline-block divButAction"><a class="butActionRefused classfortooltip" href="#" title="'.$langs->trans("DisabledBecauseNotErasable").'">'.$langs->trans('Delete').'</a></div>';
 	            	} else {
-    	                print '<div class="inline-block divButAction"><a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete">'.$langs->trans('Delete').'</a></div>';
+    	                print '<div class="inline-block divButAction"><a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete&amp;token='.newToken().'">'.$langs->trans('Delete').'</a></div>';
                     }
 	            }
 	            print '</div>';
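Review bot: The `deletepaiement` → `deletepayment` rename covers the confirm-form branch and the link, but the branch that actually deletes the payment is outside these hunks, so check it was renamed too, otherwise the tokened link opens a confirmation whose `confirm_delete_paiement` path no longer matches. While the link is being token-protected, the `paiement_id` it carries is still read on the next line as `GETPOST('paiement_id')` with no type filter and concatenated into the confirm URL; `$payment_id = GETPOST('paiement_id', 'int');` closes that.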

+ 1 - 1
htdocs/fourn/paiement/card.php

@@ -345,7 +345,7 @@ if ($result > 0)
 		{
 			if ($allow_delete)
 			{
-				print '<a class="butActionDelete" href="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'&amp;action=delete">'.$langs->trans('Delete').'</a>';
+				print '<a class="butActionDelete" href="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'&amp;action=delete&amp;token='.newToken().'">'.$langs->trans('Delete').'</a>';
 			} else {
 				print '<a class="butActionRefused classfortooltip" href="#" title="'.$title_button.'">'.$langs->trans('Delete').'</a>';
 			}

+ 4 - 4
htdocs/ftp/index.php

@@ -598,19 +598,19 @@ if (!function_exists('ftp_connect'))
 				print '<td class="right nowrap" width="64">';
 				if ($is_directory)
 				{
-					if ($file != '..') print '<a href="'.$_SERVER["PHP_SELF"].'?action=delete_section&numero_ftp='.$numero_ftp.'&section='.urlencode($section).'&file='.urlencode($file).'">'.img_delete().'</a>';
+					if ($file != '..') print '<a href="'.$_SERVER["PHP_SELF"].'?action=delete_section&token='.newToken().'&numero_ftp='.$numero_ftp.'&section='.urlencode($section).'&file='.urlencode($file).'">'.img_delete().'</a>';
 					else print '&nbsp;';
 				} elseif ($is_link)
 				{
 					$newfile = $file;
 					$newfile = preg_replace('/ ->.*/', '', $newfile);
-					print '<a href="'.$_SERVER["PHP_SELF"].'?action=delete&numero_ftp='.$numero_ftp.'&section='.urlencode($section).'&file='.urlencode($newfile).'">'.img_delete().'</a>';
+					print '<a href="'.$_SERVER["PHP_SELF"].'?action=delete&token='.newToken().'&numero_ftp='.$numero_ftp.'&section='.urlencode($section).'&file='.urlencode($newfile).'">'.img_delete().'</a>';
 				} else {
-					print '<a href="'.$_SERVER["PHP_SELF"].'?action=download&numero_ftp='.$numero_ftp.'&section='.urlencode($section).'&file='.urlencode($file).'">'.img_picto('', 'file').'</a>';
+					print '<a href="'.$_SERVER["PHP_SELF"].'?action=download&token='.newToken().'&numero_ftp='.$numero_ftp.'&section='.urlencode($section).'&file='.urlencode($file).'">'.img_picto('', 'file').'</a>';
 					print ' &nbsp; ';
 					print '<input type="checkbox" class="flat checkboxfordelete" id="check_'.$i.'" name="const['.$i.'][check]" value="1">';
 					print ' &nbsp; ';
-					print '<a href="'.$_SERVER["PHP_SELF"].'?action=delete&numero_ftp='.$numero_ftp.'&section='.urlencode($section).'&file='.urlencode($file).'">'.img_delete().'</a>';
+					print '<a href="'.$_SERVER["PHP_SELF"].'?action=delete&token='.newToken().'&numero_ftp='.$numero_ftp.'&section='.urlencode($section).'&file='.urlencode($file).'">'.img_delete().'</a>';
 					print '<input type="hidden" name="const['.$i.'][section]" value="'.$section.'">';
 					print '<input type="hidden" name="const['.$i.'][file]" value="'.$file.'">';
 				}
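Review bot: The rewritten links still interpolate `$numero_ftp` without `urlencode()` while `$section` and `$file` are encoded, and the hidden inputs two lines below echo `$section` and `$file` raw into `value="..."` attributes, so a name containing a double quote breaks out of the attribute — these names presumably come from the remote FTP listing, not from this application. Use `'&numero_ftp='.urlencode($numero_ftp)` in the links and `value="'.dol_escape_htmltag($section).'"` / `value="'.dol_escape_htmltag($file).'"` for the hidden inputs.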

+ 1 - 1
htdocs/holiday/card.php

@@ -1470,7 +1470,7 @@ if ((empty($id) && empty($ref)) || $action == 'create' || $action == 'add')
 					}
 					if ($candelete && ($object->statut == Holiday::STATUS_DRAFT || $object->statut == Holiday::STATUS_CANCELED || $object->statut == Holiday::STATUS_REFUSED))	// If draft or canceled or refused
 					{
-						print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=delete" class="butActionDelete">'.$langs->trans("DeleteCP").'</a>';
+						print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=delete&token='.newToken().'" class="butActionDelete">'.$langs->trans("DeleteCP").'</a>';
 					}
 
 					print '</div>';

+ 1 - 1
htdocs/hrm/establishment/card.php

@@ -426,7 +426,7 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea
 
 	print '<div class="tabsAction">';
 	print '<a class="butAction" href="'.$_SERVER["PHP_SELF"].'?action=edit&id='.$id.'">'.$langs->trans('Modify').'</a>';
-	print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?action=delete&id='.$id.'">'.$langs->trans('Delete').'</a>';
+	print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?action=delete&token='.newToken().'&id='.$id.'">'.$langs->trans('Delete').'</a>';
 	print '</div>';
 }
 
