Merge branch 'develop' into fix-warnings-and-trad-not-showing

.github/workflows/phpstan.yml

@@ -9,8 +9,7 @@ concurrency:
     cancel-in-progress: true
 
 env:
-  CACHE_KEY_PART: ${{ github.event_name == 'pull_request' && format('{0}-{1}', 
-github.base_ref, github.head_ref) || github.ref_name }}
+  CACHE_KEY_PART: ${{ github.event_name == 'pull_request' && format('{0}-{1}', github.base_ref, github.head_ref) || github.ref_name }}
   GITHUB_JSON: ${{ toJSON(github) }} # Helps in debugging Github Action
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
@@ -57,7 +56,8 @@ jobs:
       # Run PHPStan
       - name: Run PHPStan
         id: phpstan
-        run: phpstan -vvv analyse --error-format=checkstyle --memory-limit 4G -a build/phpstan/bootstrap_action.php -c phpstan.neon | tee _stan.xml | cs2pr --graceful-warnings
+        run: |
+          phpstan -vvv analyse --error-format=checkstyle --memory-limit 7G -a build/phpstan/bootstrap_action.php | tee _stan.xml | cs2pr --graceful-warnings
         # continue-on-error: true
 
       # Save cache

.github/workflows/windows-ci.yaml

@@ -114,7 +114,7 @@ jobs:
           curl "http://${{ env.PHPSERVER_DOMAIN_PORT }}"
         shell: powershell
       - name: Run PHPUnit tests
-        continue-on-error: true
+        # continue-on-error: true
         shell: cmd
         # setting up php.ini, starting the php server are currently in this step
         run: |-
@@ -143,7 +143,7 @@ jobs:
           cat htdocs/conf/conf.php
           curl "http://${{ env.PHPSERVER_DOMAIN_PORT }}"
           REM 'DOSKEY' USED to recover error code (no pipefile equivalent in windows?)
-          ( php "%PHPROOT%\phpunit" -d memory_limit=-1 -c %CD%\test\phpunit\phpunittest.xml "test\phpunit\AllTests.php" & call doskey /exename=err err=%%^^errorlevel%% ) | "${{ env.TEE }}" "${{ env.PHPUNIT_LOG }}"
+          ( php "%PHPROOT%\phpunit" -d memory_limit=-1 -c %CD%\test\phpunit\phpunittest.xml "test\phpunit\AllTests.php" --exclude-group WindowsWaitingForFix & call doskey /exename=err err=%%^^errorlevel%% ) | "${{ env.TEE }}" "${{ env.PHPUNIT_LOG }}"
           for /f "tokens=2 delims==" %%A in ('doskey /m:err') do EXIT /B %%A
       - name: Convert Raw Log to Annotations
         uses: mdeweerd/[email protected]

.gitignore

@@ -66,12 +66,26 @@ doc/install.lock
 /composer.json
 /composer.lock
 
-# to execute pre-commit
-local.sh
+# Local script, executed during pre-commit
+/local.sh
+
+# Local phpstan configuration
+/phpstan.neon
+/phpstan-baseline.neon
+
+# Logs
+/*.log
+
+# Vim swap files
+*.sw?
+
+# Generated by PHPUNIT.BAT
+/INI_PHPUNIT
 
 # ignore cache builds
 /build/phpstan/phpstan
 /build/phpstan/bootstrap_custom.php
 phpstan_custom.neon
 /.php-cs-fixer.cache
 /.php_cs.cache
+/.cache

ChangeLog

@@ -30,6 +30,9 @@ The following changes may create regressions for some external modules, but were
 * The signature for all ->delete() method has been modified to match the modulebuilder template (so first paramis now always $user), except
   the delete for thirdparty (still accept the id of thirdparty to delete as first parameter). Will probably be modified into another version.
 * Route for API /thirdparties/gateways has been renamed into /thirdparties/accounts
+* The $userdoneid in actioncomm class is deprecated. Please use $userownerid instead.
+* The field fk_user_done in actioncomm table is deprecated. Please use fk_user_action instead.
+* The AGENDA_ENABLE_DONEBY hidden option is deprecated.
 
 
 ***** ChangeLog for 19.0.1 compared to 19.0.0 *****

SECURITY.md

@@ -104,3 +104,5 @@ Scope is the web application (backoffice) and the APIs.
 * SSL/TLS best practices
 * Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM/DMARC)
 * Physical or social engineering attempts or issues that require physical access to a victim’s computer/device
+* Vulnerabilities of type XSS exploited by using javascript into a website page (with permission to edit website pages) or by using php code into a website page
+  using the permission to edit php code are not qualified, except if this allow to get higher privileges (being able to set javascript or php code is the expected behaviour).

dev/tools/codespell/codespell-ignore.txt

@@ -57,3 +57,4 @@ dur
 fonction
 espace
 methode
+datee

dev/tools/github_commits_byversion.sh

@@ -4,7 +4,7 @@
 #
 # shellcheck disable=1113,2002,2006,2086,2164,2219
 
-Releases=("3.9" "4.0" "5.0" "6.0" "7.0" "8.0" "9.0" "10.0" "11.0" "12.0" "13.0" "14.0" "15.0" "16.0" "17.0" "18.0" "develop")
+Releases=("3.9" "4.0" "5.0" "6.0" "7.0" "8.0" "9.0" "10.0" "11.0" "12.0" "13.0" "14.0" "15.0" "16.0" "17.0" "18.0" "19.0" "develop")
 let "counter = 0"
 
 echo "Copy script into /tmp/github_commits_byversion.sh"
@@ -49,4 +49,3 @@ do
 	echo
 	let "counter +=1"
 done
-

dev/tools/phan/baseline.txt

@@ -10,13 +10,11 @@
 return [
     // # Issue statistics:
     // PhanPluginSuspiciousParamPosition : 45+ occurrences
-    // PhanPluginDuplicateIfStatements : 30+ occurrences
     // PhanParamSignatureMismatch : 25+ occurrences
     // PhanUndeclaredConstant : 15+ occurrences
     // PhanPluginDuplicateExpressionBinaryOp : 10+ occurrences
     // PhanTypeArraySuspiciousNull : 10+ occurrences
     // PhanTypeInvalidUnaryOperandNumeric : 8 occurrences
-    // PhanPluginDuplicateIfCondition : 6 occurrences
     // PhanRedefineFunctionInternal : 6 occurrences
     // PhanPluginUnsafeEval : 5 occurrences
     // PhanParamSuspiciousOrder : 4 occurrences
@@ -32,34 +30,26 @@ return [
 
     // Currently, file_suppressions and directory_suppressions are the only supported suppressions
     'file_suppressions' => [
-        'htdocs/adherents/card.php' => ['PhanPluginDuplicateIfStatements'],
         'htdocs/adherents/stats/geo.php' => ['PhanTypeArraySuspiciousNull'],
         'htdocs/adherents/type.php' => ['PhanPluginDuplicateExpressionBinaryOp'],
         'htdocs/admin/receiptprinter.php' => ['PhanRedefineFunctionInternal'],
         'htdocs/admin/translation.php' => ['PhanPluginSuspiciousParamPosition'],
         'htdocs/api/class/api_documents.class.php' => ['PhanPluginDuplicateExpressionBinaryOp'],
         'htdocs/barcode/printsheet.php' => ['PhanPluginDuplicateExpressionBinaryOp'],
-        'htdocs/bom/bom_list.php' => ['PhanPluginDuplicateIfStatements'],
         'htdocs/categories/class/api_categories.class.php' => ['PhanAccessMethodProtected'],
         'htdocs/categories/viewcat.php' => ['PhanPluginDuplicateExpressionBinaryOp'],
         'htdocs/collab/index.php' => ['PhanParamTooMany'],
-        'htdocs/comm/action/card.php' => ['PhanPluginDuplicateIfStatements'],
         'htdocs/comm/action/index.php' => ['PhanPluginSuspiciousParamPosition', 'PhanTypeArraySuspiciousNull', 'PhanTypeInvalidUnaryOperandNumeric'],
-        'htdocs/comm/action/pertype.php' => ['PhanPluginDuplicateIfStatements'],
-        'htdocs/comm/action/peruser.php' => ['PhanPluginDuplicateIfStatements'],
-        'htdocs/comm/mailing/card.php' => ['PhanPluginDuplicateIfStatements', 'PhanPluginSuspiciousParamPosition'],
+        'htdocs/comm/mailing/card.php' => ['PhanPluginSuspiciousParamPosition'],
         'htdocs/comm/mailing/cibles.php' => ['PhanPluginSuspiciousParamPosition'],
         'htdocs/comm/mailing/info.php' => ['PhanPluginSuspiciousParamPosition'],
-        'htdocs/comm/propal/list.php' => ['PhanPluginDuplicateIfStatements'],
-        'htdocs/commande/list.php' => ['PhanPluginDuplicateIfStatements'],
         'htdocs/compta/accounting-files.php' => ['PhanTypeInvalidUnaryOperandNumeric'],
         'htdocs/compta/bank/various_payment/card.php' => ['PhanPluginSuspiciousParamPosition'],
         'htdocs/compta/bank/various_payment/document.php' => ['PhanPluginSuspiciousParamPosition'],
         'htdocs/compta/bank/various_payment/info.php' => ['PhanPluginSuspiciousParamPosition'],
         'htdocs/compta/cashcontrol/cashcontrol_card.php' => ['PhanPluginDuplicateExpressionBinaryOp'],
         'htdocs/compta/facture/agenda-rec.php' => ['PhanPluginSuspiciousParamPosition'],
         'htdocs/compta/facture/card-rec.php' => ['PhanPluginSuspiciousParamPosition'],
-        'htdocs/compta/facture/list.php' => ['PhanPluginDuplicateIfCondition'],
         'htdocs/compta/prelevement/class/bonprelevement.class.php' => ['PhanParamTooMany'],
         'htdocs/compta/prelevement/create.php' => ['PhanPluginSuspiciousParamPosition'],
         'htdocs/compta/sociales/class/paymentsocialcontribution.class.php' => ['PhanTypeInvalidUnaryOperandNumeric'],
@@ -68,38 +58,33 @@ return [
         'htdocs/compta/sociales/note.php' => ['PhanPluginSuspiciousParamPosition'],
         'htdocs/compta/tva/class/paymentvat.class.php' => ['PhanTypeInvalidUnaryOperandNumeric'],
         'htdocs/compta/tva/document.php' => ['PhanPluginSuspiciousParamPosition'],
-        'htdocs/core/actions_massactions.inc.php' => ['PhanPluginDuplicateIfStatements', 'PhanPluginSuspiciousParamOrder'],
+        'htdocs/core/actions_massactions.inc.php' => ['PhanPluginSuspiciousParamOrder'],
         'htdocs/core/class/commondocgenerator.class.php' => ['PhanTypeArraySuspiciousNull'],
-        'htdocs/core/class/commonobject.class.php' => ['PhanPluginDuplicateIfCondition', 'PhanPluginDuplicateIfStatements', 'PhanPluginSuspiciousParamPosition'],
+        'htdocs/core/class/commonobject.class.php' => ['PhanPluginSuspiciousParamPosition'],
         'htdocs/core/class/evalmath.class.php' => ['PhanPluginUnsafeEval'],
-        'htdocs/core/class/html.form.class.php' => ['PhanPluginDuplicateIfStatements', 'PhanPluginSuspiciousParamPosition'],
+        'htdocs/core/class/html.form.class.php' => ['PhanPluginSuspiciousParamPosition'],
         'htdocs/core/class/html.formmail.class.php' => ['PhanNoopArray'],
-        'htdocs/core/class/rssparser.class.php' => ['PhanPluginDuplicateIfStatements', 'PhanUndeclaredFunctionInCallable'],
-        'htdocs/core/db/mysqli.class.php' => ['PhanParamSignatureMismatch', 'PhanPluginDuplicateIfStatements'],
+        'htdocs/core/class/rssparser.class.php' => ['PhanUndeclaredFunctionInCallable'],
+        'htdocs/core/db/mysqli.class.php' => ['PhanParamSignatureMismatch'],
         'htdocs/core/db/pgsql.class.php' => ['PhanParamSignatureMismatch'],
         'htdocs/core/db/sqlite3.class.php' => ['PhanParamSignatureMismatch'],
         'htdocs/core/filemanagerdol/connectors/php/connector.lib.php' => ['PhanPluginSuspiciousParamPosition'],
         'htdocs/core/get_info.php' => ['PhanPluginSuspiciousParamPosition'],
-        'htdocs/core/lib/files.lib.php' => ['PhanPluginDuplicateExpressionBinaryOp', 'PhanPluginDuplicateIfCondition'],
-        'htdocs/core/lib/ftp.lib.php' => ['PhanPluginDuplicateIfStatements'],
-        'htdocs/core/lib/functions.lib.php' => ['PhanParamTooMany', 'PhanPluginAlwaysReturnFunction', 'PhanPluginDuplicateIfCondition', 'PhanPluginUnsafeEval', 'PhanRedefineFunctionInternal'],
+        'htdocs/core/lib/files.lib.php' => ['PhanPluginDuplicateExpressionBinaryOp'],
+        'htdocs/core/lib/functions.lib.php' => ['PhanParamTooMany', 'PhanPluginAlwaysReturnFunction', 'PhanPluginUnsafeEval', 'PhanRedefineFunctionInternal'],
         'htdocs/core/lib/price.lib.php' => ['PhanPluginSuspiciousParamPosition'],
         'htdocs/core/lib/usergroups.lib.php' => ['PhanNoopArrayAccess'],
-        'htdocs/core/menus/standard/auguria_menu.php' => ['PhanParamSuspiciousOrder', 'PhanPluginDuplicateIfStatements'],
-        'htdocs/core/menus/standard/eldy_menu.php' => ['PhanParamSuspiciousOrder', 'PhanPluginDuplicateIfStatements'],
-        'htdocs/core/menus/standard/empty.php' => ['PhanParamSuspiciousOrder', 'PhanPluginDuplicateIfStatements'],
+        'htdocs/core/menus/standard/auguria_menu.php' => ['PhanParamSuspiciousOrder'],
+        'htdocs/core/menus/standard/eldy_menu.php' => ['PhanParamSuspiciousOrder'],
+        'htdocs/core/menus/standard/empty.php' => ['PhanParamSuspiciousOrder'],
         'htdocs/core/modules/barcode/mod_barcode_thirdparty_standard.php' => ['PhanParamSignatureMismatch'],
         'htdocs/core/modules/import/import_xlsx.modules.php' => ['PhanPluginSuspiciousParamPosition'],
         'htdocs/core/modules/member/doc/pdf_standard.class.php' => ['PhanParamSignatureMismatch'],
         'htdocs/core/modules/movement/doc/pdf_standard.modules.php' => ['PhanPluginDuplicateExpressionBinaryOp'],
         'htdocs/core/modules/mrp/doc/pdf_vinci.modules.php' => ['PhanTypeArraySuspiciousNull'],
-        'htdocs/core/modules/societe/mod_codecompta_aquarium.php' => ['PhanPluginDuplicateIfStatements'],
-        'htdocs/core/modules/societe/modules_societe.class.php' => ['PhanPluginDuplicateIfCondition'],
         'htdocs/core/modules/syslog/mod_syslog_file.php' => ['PhanParamSignatureMismatch', 'PhanParamSuspiciousOrder'],
         'htdocs/core/modules/syslog/mod_syslog_syslog.php' => ['PhanParamSignatureMismatch'],
         'htdocs/don/class/don.class.php' => ['PhanParamTooMany'],
-        'htdocs/ecm/index_auto.php' => ['PhanPluginDuplicateIfStatements'],
-        'htdocs/expensereport/card.php' => ['PhanPluginDuplicateIfStatements'],
         'htdocs/expensereport/class/paymentexpensereport.class.php' => ['PhanTypeInvalidUnaryOperandNumeric'],
         'htdocs/fourn/class/api_supplier_invoices.class.php' => ['PhanPluginSuspiciousParamOrder'],
         'htdocs/fourn/facture/card-rec.php' => ['PhanPluginSuspiciousParamPosition'],
@@ -114,8 +99,6 @@ return [
         'htdocs/mrp/class/mo.class.php' => ['PhanParamSignatureMismatch'],
         'htdocs/product/admin/product_tools.php' => ['PhanNoopStringLiteral'],
         'htdocs/product/card.php' => ['PhanPluginSuspiciousParamPosition'],
-        'htdocs/product/popuprop.php' => ['PhanPluginDuplicateIfStatements'],
-        'htdocs/product/stats/card.php' => ['PhanPluginDuplicateIfStatements'],
         'htdocs/projet/tasks/list.php' => ['PhanTypeArraySuspiciousNull'],
         'htdocs/public/bookcal/index.php' => ['PhanTypeInvalidUnaryOperandNumeric'],
         'htdocs/public/opensurvey/index.php' => ['PhanPluginSuspiciousParamOrder'],
@@ -126,7 +109,6 @@ return [
         'htdocs/takepos/invoice.php' => ['PhanPluginSuspiciousParamPosition'],
         'htdocs/user/class/user.class.php' => ['PhanParamSignatureMismatch'],
         'htdocs/variants/class/ProductCombination.class.php' => ['PhanPluginSuspiciousParamPosition'],
-        'htdocs/webportal/class/html.formwebportal.class.php' => ['PhanPluginSuspiciousParamPosition'],
         'internal' => ['PhanUndeclaredConstant'],
     ],
     // 'directory_suppressions' => ['src/directory_name' => ['PhanIssueName1', 'PhanIssueName2']] can be manually added if needed.