diff --git a/Api/V8/JsonApi/Helper/AttributeObjectHelper.php b/Api/V8/JsonApi/Helper/AttributeObjectHelper.php
index d44bb5317a6..d6315572191 100644
--- a/Api/V8/JsonApi/Helper/AttributeObjectHelper.php
+++ b/Api/V8/JsonApi/Helper/AttributeObjectHelper.php
@@ -29,6 +29,24 @@ public function getAttributes(\SugarBean $bean, $fields = null)
{
$bean->fixUpFormatting();
+ $allowedField = [];
+
+ $fieldsToParse = $fields;
+ if (empty($fields)) {
+ $fieldsToParse = array_keys($bean->field_defs);
+ }
+
+ foreach ($fieldsToParse ?? [] as $index => $field) {
+ $isSensitive = isTrue($bean->field_defs[$field]['sensitive'] ?? false);
+ $notApiVisible = isFalse($bean->field_defs[$field]['api-visible'] ?? true);
+
+ if ($isSensitive || $notApiVisible){
+ continue;
+ }
+
+ $allowedField[$index] = $field;
+ }
+
// using the ISO 8601 format for dates
$attributes = array_map(function ($value) {
return is_string($value)
@@ -38,8 +56,8 @@ public function getAttributes(\SugarBean $bean, $fields = null)
: $value;
}, $bean->toArray());
- if ($fields !== null) {
- $attributes = array_intersect_key($attributes, array_flip($fields));
+ if ($allowedField !== null) {
+ $attributes = array_intersect_key($attributes, array_flip($allowedField));
}
unset($attributes['id']);
diff --git a/README.md b/README.md
index 49d148bcd11..114d8a6e5f5 100755
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
-# SuiteCRM 7.12.8
+# SuiteCRM 7.12.9
[](https://travis-ci.org/salesagility/SuiteCRM)
[](https://codecov.io/gh/salesagility/SuiteCRM/branch/hotfix)
diff --git a/data/BeanFactory.php b/data/BeanFactory.php
index e145e3d9e92..4fc0e37f075 100755
--- a/data/BeanFactory.php
+++ b/data/BeanFactory.php
@@ -151,6 +151,51 @@ public static function getBean($module, $id = null, $params = [], $deleted = tru
return $bean;
}
+ /**
+ * Returns a SugarBean object by id.
+ *
+ * @static
+ *
+ * @param string $module
+ * @param string $id
+ * @param array $params
+ * A name/value array of parameters. Names: encode, deleted.
+ * If $params is boolean we revert to the old arguments (encode, deleted), and use $params as $encode.
+ * This will be changed to using only $params in later versions.
+ * @param bool $deleted
+ * @see SugarBean::retrieve
+ *
+ * @return SugarBean|bool
+ */
+ public static function getReloadedBean($module, $id = null, $params = [], $deleted = true)
+ {
+ $params = self::convertParams($params);
+ $encode = self::hasEncodeFlag($params);
+ $deleted = self::hasDeletedFlag($params, $deleted);
+
+ $beanClass = self::getBeanClass($module);
+
+ if (!self::loadBeanFile($module)) {
+ return false;
+ }
+
+ if (empty($id)) {
+ return new $beanClass();
+ }
+
+ /* @var SugarBean $bean */
+ $bean = new $beanClass();
+
+ $result = $bean->retrieve($id, $encode, $deleted);
+
+ if ($result === null) {
+ return false;
+ }
+
+ return $bean;
+ }
+
+
/**
* Shallow beans are created by SugarBean during the fill_in_relationship_fields method, and they differ from
* 'complete' bean in that they do not have their own relate fields completed.
diff --git a/files.md5 b/files.md5
index eee6f26dc02..e6fed77013a 100755
--- a/files.md5
+++ b/files.md5
@@ -1,5 +1,5 @@
'69a1e7b3d7755a2a63499a16ddae81cf',
'./Api/Core/Config/slim.php' => 'b134e68765e6a1403577e2a5a06322b8',
@@ -37,7 +37,7 @@ $md5_string = array (
'./Api/V8/Helper/ModuleListProvider.php' => 'a6f9b90116408bd7d708801b0cd04001',
'./Api/V8/Helper/OsHelper.php' => '3fa3a69441695035a66e877fbfd0d6c2',
'./Api/V8/Helper/VarDefHelper.php' => '986916d5e675667e5f5e89da6d8fc081',
- './Api/V8/JsonApi/Helper/AttributeObjectHelper.php' => '8c2e2f889cefdc7912fd62da3e6a6f71',
+ './Api/V8/JsonApi/Helper/AttributeObjectHelper.php' => '3336452c51560f9a40c107d0ace78165',
'./Api/V8/JsonApi/Helper/PaginationObjectHelper.php' => 'dbeb8f36cc7b70ff9459443c26bdfb70',
'./Api/V8/JsonApi/Helper/RelationshipObjectHelper.php' => '6681a3fc26e420f12875d4239532946e',
'./Api/V8/JsonApi/Repository/Filter.php' => '21279c505e18aacd9f6aea51cc62a3bc',
@@ -116,7 +116,7 @@ $md5_string = array (
'./ModuleInstall/PackageManager/tpls/PackageManagerLicense.tpl' => 'df5e267d1df5ce08fb9406e42d5b4816',
'./ModuleInstall/PackageManager/tpls/PackageManagerScripts.tpl' => '98e396c0aa57329731fda19c790fffb2',
'./ModuleInstall/extensions.php' => '094f4650261f6efbab1b90b119829388',
- './README.md' => '76ec8409ea1fa360d1255f693dfd5a40',
+ './README.md' => '01f0f8317b743d7d0318251b7d65ac3a',
'./RoboFile.php' => '045b82c1df69553824d0e4ffcce6e03c',
'./SugarSecurity.php' => '47e316b2d408e8c5192c8ea4a4f921b3',
'./TreeData.php' => '32873e20cb5fd33f9d1cdaf18c3cac5c',
@@ -511,7 +511,7 @@ $md5_string = array (
'./composer.lock' => '060badb951dc9a03fe4f77d748a56b12',
'./cron.php' => '0b8b6bd839a2232a8da074b31feaa708',
'./crossdomain.xml' => '24b7711640c652b21aa89c9d83d6ec13',
- './data/BeanFactory.php' => '84b7c36b6a59ea8c5c4069659cc72950',
+ './data/BeanFactory.php' => '3007bf65ebc77baa76c338ce6a068790',
'./data/Link.php' => '6a1f4a706142e6231f8ee46f261341c0',
'./data/Link2.php' => '1e2ee0bfd94ff12c0a3b9323059a47ed',
'./data/Relationships/EmailAddressRelationship.php' => 'e2d4f642961cf992c931e57d02e0d122',
@@ -550,7 +550,7 @@ $md5_string = array (
'./include/DetailView/header.tpl' => '79e5e7385483e4486ac1f20d739d8cd5',
'./include/EditView/EditView.php' => '6bd1f5815f5c674416efd1e71a67bd65',
'./include/EditView/EditView.tpl' => '4458f5584adfdb8d54e74b8e867e048c',
- './include/EditView/EditView2.php' => 'b2684fe27ec214563d935d5080dd9742',
+ './include/EditView/EditView2.php' => '7ad84a44d52c2d5ae9a7e51d170a0efc',
'./include/EditView/Panels.js' => '580266b80716d8e7003807189565e557',
'./include/EditView/PopupQuickCreate.php' => '09b22d51578ba228a89ba6a7e5f403c8',
'./include/EditView/QuickCreate.php' => 'dbd2c8b5be42047ada748e073b87ff90',
@@ -595,7 +595,7 @@ $md5_string = array (
'./include/Imap/ImapTestSettingsEntryHandler.php' => '3292a309c3331e60ab13f48c56e672c8',
'./include/Imap.php' => '0f93494ddbae70f85acdcbac5e92dbc5',
'./include/ImapInterface.php' => '1cc17060f7768a0e299fafdd66410baa',
- './include/InlineEditing/InlineEditing.php' => '556f91cf67cb17620fb42a5bd607b7a6',
+ './include/InlineEditing/InlineEditing.php' => '981e9c7c35b0f2aefa192ebf46eb3c44',
'./include/InlineEditing/inlineEditing.js' => 'ebc8c66cf49a2bcc77265461a120fe3c',
'./include/JSON.php' => '7cff996ad7e96ff1583e0837f5070f29',
'./include/JsonApiErrorObject.php' => 'bd82e5413b53492f73cb66fa0fe35316',
@@ -666,7 +666,7 @@ $md5_string = array (
'./include/MVC/preDispatch.php' => 'f1720fa7dea86c02e0663227c2c08203',
'./include/MassUpdate.php' => 'e1e7bb76e9479209bc9fdb54411eae97',
'./include/MySugar/DashletsDialog/DashletsDialog.php' => '0b7c1af1bb21b3af9b735178de2f3a89',
- './include/MySugar/MySugar.php' => 'c047f36230f6e720537e546ab32e4190',
+ './include/MySugar/MySugar.php' => 'eaffdea2231df9ec4a457fb57d499ca4',
'./include/MySugar/dashboardstyle.css' => '4cce65e52281263e484140a1d4b8d2e2',
'./include/MySugar/javascript/AddRemoveDashboardPages.js' => '6baf925bfcaa6c4ac01326af22c8e7c6',
'./include/MySugar/javascript/MySugar.js' => 'f6162f9799abadfdef9c5ea2668808e7',
@@ -1209,7 +1209,7 @@ $md5_string = array (
'./include/SugarTheme/SugarThemeRegistry.php' => '437a775ba6ef36dc87cb59d5ae1a3b14',
'./include/SugarTheme/cssmin.php' => 'ff649bb50d5dafcce509ed9d340b6d06',
'./include/SugarTheme/getImage.php' => 'd7963d20b0365d62c7d1c84ea3faf3ed',
- './include/SugarTinyMCE.php' => '3e1df6fa7bcbb9e3caf75d97e1d8924b',
+ './include/SugarTinyMCE.php' => '9be7450638b50efe57ccc33bfbb35eb0',
'./include/Sugar_Smarty.php' => '9ce2f82df09600f42ccd1eee7bf78294',
'./include/Sugarpdf/FontManager.php' => '4f3e178b643571961d9f2590122342cc',
'./include/Sugarpdf/Sugarpdf.php' => '10f553017faf60a1ba027c96dea2d43d',
@@ -1336,7 +1336,7 @@ $md5_string = array (
'./include/database/FreeTDSManager.php' => '23ec109e38260e0ffa2a1676d486fd62',
'./include/database/MssqlManager.php' => '8ec8ad4bd3df1c19aa96b228f3b356a7',
'./include/database/MysqlManager.php' => 'e291bd0e38fde596a8bd1f6c75688eaa',
- './include/database/MysqliManager.php' => '31cf1de8eba53e933ea116870129da12',
+ './include/database/MysqliManager.php' => '19025de16a37f6bb8ffb1b8c4e0ab34d',
'./include/database/SqlsrvManager.php' => 'ad3f8e07dce347f8cf1906e7e91ec776',
'./include/dir_inc.php' => '4ec954313ef7c8b164ec1232a1ec1bd7',
'./include/entryPoint.php' => '6c03ccc488eae94ac702743421951115',
@@ -2280,7 +2280,7 @@ $md5_string = array (
'./include/javascript/yui/build/yuitest/yuitest_core.js' => 'ed5230a0f4a885d8ea51c2fe78895d07',
'./include/javascript/yui/ygDDList.js' => '0cd9051a220de7e8c79bf5b9cccce10f',
'./include/json_config.php' => 'ba7fb6f2fb1df51bc367835406ef7ba5',
- './include/language/en_us.lang.php' => '6963637150f1b221f9f70dd45d63bf87',
+ './include/language/en_us.lang.php' => 'aad6885d43921e1228b124d4c8b6222c',
'./include/language/en_us.notify_template.html' => 'c6a897ace7af46a44889dfab1a9d44c5',
'./include/language/getJSLanguage.php' => '1bc910bd5a9953fbf443d3d97fddbffa',
'./include/language/jsLanguage.php' => '3d27819dc00f2fe5426f72733a7edca1',
@@ -2391,7 +2391,7 @@ $md5_string = array (
'./include/utils/recaptcha_utils.php' => '73f5eddf707788c1dff4b7d07dc82656',
'./include/utils/security_utils.php' => 'e953d0b673df3df313ecf1ac975e8f57',
'./include/utils/sugar_file_utils.php' => '1c1915cad8c88feb0edbf5bbaee106c4',
- './include/utils.php' => '55b02dfc0dc39c73996597a598b96264',
+ './include/utils.php' => '6107d7454bb0720ac43e498aca5e9e74',
'./include/vCard.php' => '44052bbedcdaba3fdf67cfc10a112e75',
'./include/ytree/ExtNode.php' => '000d4ccbdb6e0a7628c636128781b5e3',
'./include/ytree/JQueryTree.php' => '3712d2224b93818b990b876f8405b745',
@@ -2482,7 +2482,7 @@ $md5_string = array (
'./install/installSystemCheck.php' => 'd5f666ece13475386610cb7915ae3c93',
'./install/installType.php' => '7acf23c138ceafad2ce0393bd3c116f0',
'./install/install_defaults.php' => 'd25503407f0db14fa875b295d0f34ae5',
- './install/install_utils.php' => '9910d3f9f63ac7fafd1ed474f8a773b1',
+ './install/install_utils.php' => '4a8c2ea13fcd9c5902f13a8660fc6263',
'./install/lang.config.php' => 'cb3e68fdb0600481497dcd60f0746aca',
'./install/language/en_us.lang.php' => '443a21c6c24b089d6dc085a3ebb588d8',
'./install/license.js' => '305c727ac2bd20adb6c169bf07b18a8e',
@@ -2668,7 +2668,7 @@ $md5_string = array (
'./lib/API/JsonApi/v1/Resource/Relationship.php' => '84cfef872f4c87f30844b784126a8c9e',
'./lib/API/JsonApi/v1/Resource/Resource.php' => '92ca69094721558c4c985642aa1e2b1d',
'./lib/API/JsonApi/v1/Resource/ResourceIdentifier.php' => 'b970064d6e903d3986b1e709b2ed14ca',
- './lib/API/JsonApi/v1/Resource/SuiteBeanResource.php' => '70039bac401d7af441505cd9f78a9dd9',
+ './lib/API/JsonApi/v1/Resource/SuiteBeanResource.php' => '896c39fb5fdd461dfb87c092d220143d',
'./lib/API/JsonApi/v1/schema.json' => '1fe1aa9365e189712bedc71ee875bfd7',
'./lib/API/OAuth2/.htaccess' => '4fe6db46ff1074349c8ffbb840c30de9',
'./lib/API/OAuth2/Entities/AccessTokenEntity.php' => '7ae1d3fb58d93978e8802c6107c9b593',
@@ -2791,9 +2791,9 @@ $md5_string = array (
'./lib/Search/AOD/LuceneSearchEngine.php' => '7a589c07fae355ad81ba1893e40e1bb9',
'./lib/Search/BasicSearch/BasicSearchEngine.php' => '1f6ecd5faa8a58cd6d2e06da6ca35cd3',
'./lib/Search/ElasticSearch/ElasticSearchClientBuilder.php' => '4743c29fa00cb5d4025c974af7b79156',
- './lib/Search/ElasticSearch/ElasticSearchEngine.php' => '89b2b27ef2c5dd8e7482360a8e499bfc',
+ './lib/Search/ElasticSearch/ElasticSearchEngine.php' => '728d22251a99bf9606170fc1b48279ef',
'./lib/Search/ElasticSearch/ElasticSearchHooks.php' => '8898cc8d7cec43f13352397be9397f3e',
- './lib/Search/ElasticSearch/ElasticSearchIndexer.php' => '580d41b2ebfb016fff416f9cea38dd57',
+ './lib/Search/ElasticSearch/ElasticSearchIndexer.php' => '3775a9343fb6e0323a35a592c5b94f87',
'./lib/Search/ElasticSearch/ElasticSearchModuleDataPuller.php' => 'ad1144c9e9f58af496714d6dcdbdbaa5',
'./lib/Search/ElasticSearch/elasticsearch.example.json' => 'cd776b60993b4521cd5cfd79db95af46',
'./lib/Search/Exceptions/SearchEngineNotFoundException.php' => '4f83830aea088643ee87f82bd173d96d',
@@ -2811,7 +2811,7 @@ $md5_string = array (
'./lib/Search/SearchConfigurator.php' => '3da51dc9e7b6d9b8fcbd45c0a8db5759',
'./lib/Search/SearchEngine.php' => '92775fe01a004fb58f1bf6edcc9f3dc8',
'./lib/Search/SearchModules.php' => '5261f4a9ab7a7d690618aefa08c6ca76',
- './lib/Search/SearchQuery.php' => 'ccc5b48e33c5bd4c1cc51be8f5889466',
+ './lib/Search/SearchQuery.php' => '523292cc81871ec25ac17a7ab96bc888',
'./lib/Search/SearchResults.php' => 'bdcdd0018e1fa375dc9c0344dd00b14e',
'./lib/Search/SearchWrapper.php' => '2aaaa78656373bbdb2f0187a208d60eb',
'./lib/Search/SqlSearch/SimpleSqlSearchEngine.php' => 'db160c7c333582c7028a59f2bed03fcb',
@@ -2819,7 +2819,7 @@ $md5_string = array (
'./lib/Search/UI/MVC/View.php' => '060017bf23671e429cca7187b72ddd2a',
'./lib/Search/UI/SearchFormController.php' => '2cf159703562da6348ece57ef68313b4',
'./lib/Search/UI/SearchFormView.php' => '15662e4bd9237044fe1b74f41632660d',
- './lib/Search/UI/SearchResultsController.php' => '4670567daea7e976e25cd215150f79ed',
+ './lib/Search/UI/SearchResultsController.php' => '788728a30dc77334a9682e49ff9f0307',
'./lib/Search/UI/SearchResultsView.php' => 'ce2615a6390cfe62924d44fdfc7a18fa',
'./lib/Search/UI/SearchThrowableHandler.php' => '14cd2232a5a73df32a755e85a52cd7fd',
'./lib/Search/UI/templates/search.form.tpl' => '8a03f27dd8860270f7c91d64c211fffe',
@@ -2829,7 +2829,7 @@ $md5_string = array (
'./lib/Utility/AntiMalware/Providers/ClamTCP.php' => 'f5eab54f8e3bcaa605a036a69bbb99b1',
'./lib/Utility/AntiMalware/Providers/Sophos.php' => '6edbdf87006927ea647395bc945238f5',
'./lib/Utility/ApplicationLanguage.php' => '5bc996ea12af48ba0f167a50f699483a',
- './lib/Utility/ArrayMapper.php' => '128538045d9530d999a46b90ed14c3c1',
+ './lib/Utility/ArrayMapper.php' => '03c31accfe841c560daafe3d2d86c672',
'./lib/Utility/BeanJsonSerializer.php' => 'f12bad930b18f23e5270139f46966733',
'./lib/Utility/BeanJsonSerializer.yml' => 'c9f6e3dae78a0061d5ed1612eb50c02d',
'./lib/Utility/Configuration.php' => '97f895c91d3f247b6fe7be7f063efbfa',
@@ -3475,7 +3475,7 @@ $md5_string = array (
'./modules/AOS_Product_Categories/metadata/subpanels/default.php' => '99ad7a758b45868e9fd9b8ff47a0cb5a',
'./modules/AOS_Product_Categories/vardefs.php' => '61d4bb3451abc9b6670a568b639f4673',
'./modules/AOS_Product_Categories/views/view.edit.php' => 'a8d92ffd0a368d1a25a7649d29228293',
- './modules/AOS_Products/AOS_Products.php' => 'fe7e5ab6086a37067f029cbf80d55caf',
+ './modules/AOS_Products/AOS_Products.php' => '0f4f0237cd42e4cdece3d894a53ea9c1',
'./modules/AOS_Products/AOS_Products_sugar.php' => '6769da40aa102583900b9d4d32492906',
'./modules/AOS_Products/Dashlets/AOS_ProductsDashlet/AOS_ProductsDashlet.meta.php' => 'b7812541758289ffbefcf59e976a3f7e',
'./modules/AOS_Products/Dashlets/AOS_ProductsDashlet/AOS_ProductsDashlet.php' => 'ee6d24e58a380e0978c7e84c7cdd7005',
@@ -3692,7 +3692,7 @@ $md5_string = array (
'./modules/Administration/PasswordManager.php' => 'e997d11ecfbfe0352f863a814176efe9',
'./modules/Administration/PasswordManager.tpl' => '88d1898cf0bae5d3e053eb21ffc34ade',
'./modules/Administration/PasswordManagerSecurity.tpl' => '5010789c306f4c665e0ebe0466c9f50d',
- './modules/Administration/QuickRepairAndRebuild.php' => '44b428d870c178243326bbf1d51cb6dd',
+ './modules/Administration/QuickRepairAndRebuild.php' => '14a4e14865732a12f4cbda21add1c8cc',
'./modules/Administration/RebuildAudit.php' => '7b1c137ae149d763e44053ae542a4432',
'./modules/Administration/RebuildConfig.php' => 'd1b925885ca4b6da62add9d26548c35c',
'./modules/Administration/RebuildDashlets.php' => 'e549bd62a92ffac96744a113a50835f0',
@@ -3741,7 +3741,7 @@ $md5_string = array (
'./modules/Administration/UpgradeFields.php' => 'd74cb90a6a24cae3c0b96a97a74d4d62',
'./modules/Administration/UpgradeHistory.php' => '14ba994d7b1d5eccfc4520855a0c4036',
'./modules/Administration/UpgradeIISAccess.php' => 'e5b6fce25e81a6a0d3e807c6fea6350e',
- './modules/Administration/UpgradeWizard.php' => 'b4324887e5715f94d06fdc2c0f91ec1f',
+ './modules/Administration/UpgradeWizard.php' => 'd114a8c831c909d1a4c48b0afac7b8a0',
'./modules/Administration/UpgradeWizardCommon.php' => '92f7113707f3de797deb6b894ce81c6f',
'./modules/Administration/UpgradeWizard_commit.php' => '1fe823dac079bc5548debb7ecabcd625',
'./modules/Administration/UpgradeWizard_prepare.php' => 'dac1ff9e81b849f21af62a786be04836',
@@ -4072,7 +4072,7 @@ $md5_string = array (
'./modules/Campaigns/WebToLeadFormBuilder.php' => 'b3b054b279d69dd964fba557df665be1',
'./modules/Campaigns/WebToLeadFormBuilderOptInCheckbox.tpl' => '9fd68c7d266560b82eb7667f96792779',
'./modules/Campaigns/WebToLeadFormSave.php' => 'b2596e14bbfdfd9fd75a9a40dac243f6',
- './modules/Campaigns/WebToPersonCapture.php' => '27e24a36a16897c8a4fac043c8b85516',
+ './modules/Campaigns/WebToPersonCapture.php' => 'c74104628b33fc9b2a31f2d46bf3809f',
'./modules/Campaigns/WizardCampaignSave.php' => 'f7a73bc932dcf289d4d5d94eee3ad138',
'./modules/Campaigns/WizardEmailSetup.html' => 'bdf9ae5e62512fba93fc6660ecc9bf64',
'./modules/Campaigns/WizardEmailSetup.php' => '5f7a49cf10fa319d90c32310a76fdce9',
@@ -4111,7 +4111,7 @@ $md5_string = array (
'./modules/Campaigns/tpls/WizardNewsletter.tpl' => '168198cad6b844c66c1f1b7bc0c0d7e3',
'./modules/Campaigns/tpls/campaign-inactive.tpl' => 'fa6ad86dabbbb0350649cdd48bda9801',
'./modules/Campaigns/tpls/progressStepsStyle.html' => '188a9323131c1665062b361e1a26df10',
- './modules/Campaigns/utils.php' => 'ec1404fdd8f9051b132b776b08472854',
+ './modules/Campaigns/utils.php' => 'e923cf376d1da33da2230f332f9c1baa',
'./modules/Campaigns/vardefs.php' => '3356dc662190231795ec344641c886ab',
'./modules/Campaigns/views/view.classic.php' => 'd3dd10e40e7e6a9d5d0168996c80792f',
'./modules/Campaigns/views/view.detail.php' => '21ab18453038a4f2ee5458eea0a94ed9',
@@ -4269,7 +4269,7 @@ $md5_string = array (
'./modules/Contacts/Address_picker.html' => 'e5878e0dbf0eae9778916326c5065652',
'./modules/Contacts/Contact.js' => 'a10eea4494b774e047252eee82d9ea1c',
'./modules/Contacts/Contact.php' => 'a982bef94fd8e4b5a6d293f72edd428a',
- './modules/Contacts/ContactFormBase.php' => '093d97d4d6020217c3d41d38136f78bc',
+ './modules/Contacts/ContactFormBase.php' => '4aa3fc8f820d2877c4840ea445ac60c4',
'./modules/Contacts/ContactOpportunityRelationship.php' => 'cb54d0dcae9e58cd49ea6e81fced4396',
'./modules/Contacts/ContactOpportunityRelationshipEdit.html' => '028042fe42f810730e817de72ec1e25f',
'./modules/Contacts/ContactOpportunityRelationshipEdit.php' => '3450ef1a5ce8e62769b6df6a4c55819a',
@@ -4531,7 +4531,7 @@ $md5_string = array (
'./modules/EmailMarketing/metadata/subpanels/default.php' => '63ed3aea960b881a004b988dec956b77',
'./modules/EmailMarketing/subpanels/default.php' => '7f0e18d1e0c7aee65734a6160264aef3',
'./modules/EmailMarketing/vardefs.php' => '6987d2c54c785fff2ac2acefff0cc01d',
- './modules/EmailTemplates/AttachFiles.php' => '89b77bcfe0184454af0af2b6888d3f44',
+ './modules/EmailTemplates/AttachFiles.php' => '38b7dbce86a3bb85986f1001ae22b765',
'./modules/EmailTemplates/CheckDeletable.php' => 'af2ff708cf350fc5a506997907ca01db',
'./modules/EmailTemplates/Delete.php' => '669a71b4d7d39d10e29e50491d3a665c',
'./modules/EmailTemplates/DetailView.html' => 'a9b5cb480845b50a3b8a72e75a9ce31b',
@@ -4599,7 +4599,7 @@ $md5_string = array (
'./modules/Emails/controller.php' => '65d6d5ad5e977930403a2b89cb15004a',
'./modules/Emails/field_arrays.php' => 'f8ad985446f13141ea7365aa8565c500',
'./modules/Emails/include/ComposeView/ComposeView.php' => '45b1a69671ca5c5f2a8ab1455e9f730c',
- './modules/Emails/include/ComposeView/ComposeView.tpl' => 'aee5736e992aecc485afbb5973d9e535',
+ './modules/Emails/include/ComposeView/ComposeView.tpl' => '02a1b64bfde0a319fcac90b1b9ebda13',
'./modules/Emails/include/ComposeView/ComposeViewBlank.tpl' => '22365ce6727ffb560e5ad3fc187f13f2',
'./modules/Emails/include/ComposeView/ComposeViewToolbar.tpl' => '656b26827857375278124e4610b9ff06',
'./modules/Emails/include/ComposeView/EmailsComposeView.js' => '0d361ec6c5e31920da6b2078bf2d0506',
@@ -4713,7 +4713,7 @@ $md5_string = array (
'./modules/Emails/views/view.popup.php' => '4ff1e52f105970c29fed966e2f058dd3',
'./modules/Emails/views/view.savedraftemail.php' => '000c8d786c87e0ad997fc5de443d9b2c',
'./modules/Emails/views/view.sendemail.php' => '78784b11ddb5257b0f3f5c59c9db17a1',
- './modules/Employees/Employee.php' => '54eaa8f299aa57e555f316b80e71eaab',
+ './modules/Employees/Employee.php' => 'acf053a95024ad9d06d55457fc641d6f',
'./modules/Employees/EmployeeStatus.php' => 'a2be5cfeb49ef4f8deec01de9686edb9',
'./modules/Employees/EmployeesSearchForm.php' => '0437d91e2221d02c38e0db6830fef057',
'./modules/Employees/EmployeesStudioModule.php' => '5b71bea7b6e7b7a77bc5a48d4fb10a55',
@@ -4976,7 +4976,7 @@ $md5_string = array (
'./modules/Leads/Dashlets/MyLeadsDashlet/MyLeadsDashlet.php' => 'be81a158e3df10a2f27cca07ce5c12f7',
'./modules/Leads/Lead.js' => 'b52ff138ccdb1b4bb79a0ff9870d6feb',
'./modules/Leads/Lead.php' => '85d8e4016282c0f3f1cd893dde8a3170',
- './modules/Leads/LeadFormBase.php' => 'ad656b689844598451098ad61f43ab87',
+ './modules/Leads/LeadFormBase.php' => '2c1645940849161817ce36e836c6f028',
'./modules/Leads/LeadsJjwg_MapsLogicHook.php' => '453c9c2a0bcc6f4b28d0c4e477b09fa5',
'./modules/Leads/LeadsListViewSmarty.php' => '15081edc09444a603f3dc5c7d0107cae',
'./modules/Leads/LeadsQuickCreate.php' => '6b00e0ce840f11b87a9235be6a4568f8',
@@ -5522,7 +5522,7 @@ $md5_string = array (
'./modules/Prospects/Menu.php' => '0af2124f64e4563183672100b6f8911e',
'./modules/Prospects/Popup_picker.html' => 'a56ae077172b05ac9e95cb3218fd6615',
'./modules/Prospects/Prospect.php' => '8c6bcbc1b442b43354da6ad6a445f285',
- './modules/Prospects/ProspectFormBase.php' => 'b48c69d3a1f89a43ac79fbd6febb0f1f',
+ './modules/Prospects/ProspectFormBase.php' => '0fd6256da04924ebd8968edb2723bc34',
'./modules/Prospects/ProspectsJjwg_MapsLogicHook.php' => '24a7bb2a9708bfc07dbc732f69ceae85',
'./modules/Prospects/ProspectsListViewSmarty.php' => '87d98922c2a470620706ccb69f817c43',
'./modules/Prospects/Save.php' => '8d48a85c6b8db36d63fe554573196a9f',
@@ -5712,7 +5712,7 @@ $md5_string = array (
'./modules/Studio/TabGroups.php' => '0b53258e874bf76af6ba4e698fe1faf2',
'./modules/Studio/config.php' => 'ffcfb2aaf49f4c2735abdbd8116db4b3',
'./modules/Studio/language/en_us.lang.php' => 'e5d8138b1cb0465f26e362de69a02b51',
- './modules/Studio/parsers/StudioParser.php' => '3df803d50e322cea269673d0f6c5470d',
+ './modules/Studio/parsers/StudioParser.php' => 'dbd08a554f38f79d34a44e36c6477dc8',
'./modules/Studio/studio.js' => '4fb625bbde873e47be7230e1fd1bb067',
'./modules/Studio/studiodd.js' => '88e575cd322889b4d300152eb11bc3ee',
'./modules/Studio/studiotabgroups.js' => '612e25ce77d7bb265511698814e7f03c',
@@ -5827,7 +5827,7 @@ $md5_string = array (
'./modules/Surveys/Entry/SurveySubmit.php' => '973c1a318b9a9d95d72d56037b68c04f',
'./modules/Surveys/Entry/Thanks.php' => '6eff234e04438f049e4e4b9d8758f633',
'./modules/Surveys/Lines/Lines.php' => '0332378d16368686f29d959eac1842ed',
- './modules/Surveys/Menu.php' => 'ecfbb08b99bb8e379eecd436b4922856',
+ './modules/Surveys/Menu.php' => 'ba18e736af4a1d2a261fbf67d3f174b2',
'./modules/Surveys/Surveys.php' => 'e9d5c639799ac830281414c7f38d1272',
'./modules/Surveys/Utils/utils.php' => 'a83853c0fe095b0c2d6b2296a0d9ab42',
'./modules/Surveys/controller.php' => '0dd5f1a9f4feca78ee0d64f124f47285',
@@ -5995,7 +5995,7 @@ $md5_string = array (
'./modules/Users/SetTimezone.tpl' => 'f0fb5ed64fae81a5657ebc8f167967c9',
'./modules/Users/UpdateTourStatus.php' => 'cc111e28e6df1d96b98678661dd42490',
'./modules/Users/User.js' => '351f8d8e74bd1bd0a56dcc2bae31b147',
- './modules/Users/User.php' => 'a75ad79197349bc156f9365ef3830b9c',
+ './modules/Users/User.php' => '5edd56612b566c0d8b6199f6e2973575',
'./modules/Users/UserEditView.js' => '421e1c38f1ee78933134b987b7c3c251',
'./modules/Users/UserEmailOptions.tpl' => '96b848efbf7f6d4fee7b6bf13a1a1aee',
'./modules/Users/UserEmailSettings.tpl' => '5d9ff3379f63dcf7c5efbbcc3e88d8ed',
@@ -6054,7 +6054,7 @@ $md5_string = array (
'./modules/Users/password_utils.php' => 'c445ba371decfae7afb76ad09c060e8a',
'./modules/Users/reassignUserRecords.php' => '0db6428f348ea8ab23a1bd88a5725339',
'./modules/Users/tpls/DetailView.tpl' => '2b5edc433a18eab9e1dc24f55c015ced',
- './modules/Users/tpls/EditViewFooter.tpl' => '3468ee673ada79bdb8129aeca2a739b6',
+ './modules/Users/tpls/EditViewFooter.tpl' => '09e287fec2fef683c1aedd71598e52e5',
'./modules/Users/tpls/EditViewGroup.tpl' => '97bbb48546d0b13a60dac111abb8358a',
'./modules/Users/tpls/EditViewHeader.tpl' => '099f5e4896d623b64d44f243c33941b2',
'./modules/Users/tpls/QuickEditFooter.tpl' => 'b7a9c930f9e885fcc51b7da358411c31',
@@ -6282,7 +6282,7 @@ $md5_string = array (
'./soap.php' => 'e28988c2e0b8e2c484587b537a710525',
'./sugar_version.json' => 'bdfbcefae2f9af559bef6a36367df7bb',
'./sugar_version.php' => 'db7b6c8d51f87879fce1e6172eedfbed',
- './suitecrm_version.php' => '1b607bcbe64dcc887e9f205ef6d22071',
+ './suitecrm_version.php' => '4ef3194ff974804a8f3481681fcfc7ff',
'./themes/SuiteP/css/Dawn/color-palette.scss' => 'e64677d79e1d68c069bdc2dc661c4f99',
'./themes/SuiteP/css/Dawn/icons.scss' => 'd59f8c5855e7a8df09542a663835a196',
'./themes/SuiteP/css/Dawn/select.ico' => '22393ad23f16c3f1462455bae8f20279',
@@ -7691,7 +7691,7 @@ $md5_string = array (
'./themes/SuiteP/images/wizmenu/right-empty.png' => 'd3037d7c75385e7d5a5708092e8cb94c',
'./themes/SuiteP/images/wizmenu/right-full.png' => '2f6f9936252b8c9dfd7bb71b140061e5',
'./themes/SuiteP/include/Dashlets/DashletHeader.tpl' => '09e4767d1ff01a830c0de2706e833a11',
- './themes/SuiteP/include/DetailView/DetailView.tpl' => 'ff62ab3dc8d5b6e91a4c1041c043592e',
+ './themes/SuiteP/include/DetailView/DetailView.tpl' => 'ca729f1cf4e16c84566d69d5d471bdfb',
'./themes/SuiteP/include/DetailView/actions_buttons.tpl' => '8a6fff7933b92178c28f5a58feddef75',
'./themes/SuiteP/include/DetailView/actions_menu.tpl' => '43988446570fc2820b7b0fb3da42e199',
'./themes/SuiteP/include/DetailView/footer.tpl' => '74cd1da7edd3386ee51db3e8ba8bb53b',
@@ -9208,4 +9208,4 @@ $md5_string = array (
'./themes/default/less/wells.less' => '07cc7d04d7f7f344742f23886cbe5683',
'./vCard.php' => '3f5273501c464563e5b1247be28b69de',
'./vcal_server.php' => 'ce4752597ba62a99f791c467339d2500',
-);
+);
\ No newline at end of file
diff --git a/include/InlineEditing/InlineEditing.php b/include/InlineEditing/InlineEditing.php
index 72fbc9aae34..398e5e1ea93 100755
--- a/include/InlineEditing/InlineEditing.php
+++ b/include/InlineEditing/InlineEditing.php
@@ -52,6 +52,11 @@ function getEditFieldHTML($module, $fieldname, $aow_field, $view = 'EditView', $
return false;
}
+ $vardef = $bean->getFieldDefinition($fieldname);
+
+ if (isTrue($vardef['sensitive'] ?? false) || isFalse($vardef['api-visible'] ?? true)){
+ return false;
+ }
$value = getFieldValueFromModule($fieldname, $module, $id);
// use the mod_strings for this module
@@ -126,7 +131,7 @@ function getEditFieldHTML($module, $fieldname, $aow_field, $view = 'EditView', $
if (isset($vardef['name']) && ($vardef['name'] == 'date_modified')) {
$vardef['name'] = 'aow_temp_date';
}
-
+
if (isset($vardef['help'])) {
$vardef['help'] = htmlspecialchars($vardef['help'],ENT_QUOTES);
}
diff --git a/include/MySugar/MySugar.php b/include/MySugar/MySugar.php
index 05584272711..733eba19257 100755
--- a/include/MySugar/MySugar.php
+++ b/include/MySugar/MySugar.php
@@ -95,6 +95,11 @@ public function addDashlet()
$dashlets = $current_user->getPreference('dashlets', $this->type);
+ if (!empty($_POST['type_module']) && stripos($_POST['type_module'], 'phar://') !== false) {
+ LoggerManager::getLogger()->security('MySugar:addDashlet unsecure type_module received: ' . $_POST['type_module']);
+ throw new RuntimeException('Invalid type_module');
+ }
+
$guid = create_guid();
$options = array();
if (isset($_POST['type'], $_POST['type_module']) && $_POST['type'] == 'web') {
diff --git a/include/utils.php b/include/utils.php
index 46c9709cee0..13c321e57a8 100755
--- a/include/utils.php
+++ b/include/utils.php
@@ -206,6 +206,9 @@ function make_sugar_config(&$sugar_config)
'php3',
'php4',
'php5',
+ 'php6',
+ 'php7',
+ 'php8',
'pl',
'cgi',
'py',
@@ -468,6 +471,9 @@ function get_sugar_config_defaults(): array
'php3',
'php4',
'php5',
+ 'php6',
+ 'php7',
+ 'php8',
'pl',
'cgi',
'py',
@@ -485,7 +491,8 @@ function get_sugar_config_defaults(): array
'png',
'jpg',
'jpeg',
- 'svg'
+ 'svg',
+ 'bmp'
],
'allowed_preview' => [
'pdf',
@@ -1351,7 +1358,7 @@ function return_module_language($language, $module, $refresh = false)
global $currentModule;
// Jenny - Bug 8119: Need to check if $module is not empty
- if (empty($module)) {
+ if (empty($module) || !isAllowedModuleName($module)) {
$GLOBALS['log']->warn('Variable module is not in return_module_language, see more info: debug_backtrace()');
return array();
@@ -6025,3 +6032,22 @@ function get_id_validation_pattern(): string {
return $pattern;
}
+
+/**
+ * Check if is string is an allowed module name
+ * @param string $value
+ * @return bool
+ */
+function isAllowedModuleName(string $value): bool {
+ if (empty($value)) {
+ return false;
+ }
+
+ $result = preg_match("/^[\w\-\_\.]+$/", $value);
+
+ if (!empty($result)) {
+ return true;
+ }
+
+ return false;
+}
diff --git a/install/install_utils.php b/install/install_utils.php
index ff930082dc5..bfdfd362abe 100755
--- a/install/install_utils.php
+++ b/install/install_utils.php
@@ -994,7 +994,7 @@ function handleHtaccess()
$restrict_str .= <<id = 1;
diff --git a/lib/API/JsonApi/v1/Resource/SuiteBeanResource.php b/lib/API/JsonApi/v1/Resource/SuiteBeanResource.php
index 1ab79698fbc..7252625cdf7 100644
--- a/lib/API/JsonApi/v1/Resource/SuiteBeanResource.php
+++ b/lib/API/JsonApi/v1/Resource/SuiteBeanResource.php
@@ -115,6 +115,13 @@ public function fromSugarBean($sugarBean, $source = ResourceEnum::DEFAULT_SOURCE
throw $exception;
}
+ $isSensitive = isTrue($definition['sensitive'] ?? false);
+ $notApiVisible = isFalse($definition['api-visible'] ?? true);
+
+ if ($isSensitive || $notApiVisible){
+ continue;
+ }
+
if ($definition['type'] === 'datetime' && isset($sugarBean->$fieldName)) {
// Convert to DB date
$datetime = $dateTimeConverter->fromUser($sugarBean->$fieldName);
diff --git a/modules/AOS_Products/AOS_Products.php b/modules/AOS_Products/AOS_Products.php
index 54e276ce135..07ee4080d03 100755
--- a/modules/AOS_Products/AOS_Products.php
+++ b/modules/AOS_Products/AOS_Products.php
@@ -64,6 +64,12 @@ public function save($check_notify = false)
require_once('include/upload_file.php');
$GLOBALS['log']->debug('UPLOADING PRODUCT IMAGE');
+ $imageFileName = $_FILES['uploadimage']['name'] ?? '';
+ if (!has_valid_image_extension('AOS_Products Uploaded image file: ' . $imageFileName , $imageFileName)) {
+ LoggerManager::getLogger()->fatal("AOS_Products save - Invalid image file ext : '$imageFileName'.");
+ throw new RuntimeException('Invalid request');
+ }
+
if (!empty($_FILES['uploadimage']['tmp_name']) && verify_uploaded_image($_FILES['uploadimage']['tmp_name'])) {
if ($_FILES['uploadimage']['size'] > $sugar_config['upload_maxsize']) {
die($mod_strings['LBL_IMAGE_UPLOAD_FAIL'] . $sugar_config['upload_maxsize']);
diff --git a/modules/Administration/UpgradeWizard.php b/modules/Administration/UpgradeWizard.php
index 4229efb46ff..a6e138a0226 100755
--- a/modules/Administration/UpgradeWizard.php
+++ b/modules/Administration/UpgradeWizard.php
@@ -106,9 +106,15 @@ function unlinkTempFiles()
$perform = true;
$base_filename = urldecode($tempFile);
} elseif (!empty($_REQUEST['load_module_from_dir'])) {
- $moduleDir = $_REQUEST['load_module_from_dir'];
- if (strpos($moduleDir, 'phar://') !== false) {
- die();
+ $moduleDir = $_REQUEST['load_module_from_dir'] ?? '';
+ if (stripos($moduleDir, 'phar://') !== false) {
+ LoggerManager::getLogger()->fatal("UpgradeWizard - invalid load_module_from_dir: " . $moduleDir);
+ throw new RuntimeException('Invalid request');
+ }
+
+ if (strtolower(pathinfo(urldecode($_REQUEST['upgrade_zip_escaped'] ?? ''), PATHINFO_EXTENSION)) !== 'zip'){
+ LoggerManager::getLogger()->fatal("UpgradeWizard - invalid upgrade_zip_escaped: " . $_REQUEST['upgrade_zip_escaped'] ?? '');
+ throw new RuntimeException("Invalid request");
}
//copy file to proper location then call performSetup
copy($moduleDir . '/' . $_REQUEST['upgrade_zip_escaped'], "upload://" . $_REQUEST['upgrade_zip_escaped']);
diff --git a/modules/Campaigns/WebToPersonCapture.php b/modules/Campaigns/WebToPersonCapture.php
index 2014ca2d179..e73e50a0616 100644
--- a/modules/Campaigns/WebToPersonCapture.php
+++ b/modules/Campaigns/WebToPersonCapture.php
@@ -54,6 +54,11 @@
die('Not a valid module directory');
}
+if (!isValidWebToPersonModule($moduleDir)) {
+ LoggerManager::getLogger()->fatal('Trying to run WepToPersonCapture for invalid module: ' . $moduleDir);
+ throw new RuntimeException('Not a valid module');
+}
+
global $app_strings, $sugar_config, $timedate, $current_user;
$mod_strings = return_module_language($sugar_config['default_language'], $moduleDir);
@@ -120,7 +125,7 @@
//As form base items are not necessarily in place for the custom classes that extend Person, cannot use
//the hendleSave method of the formbase
-
+
$optInEmailFields = array();
$optInPrefix = 'opt_in_';
@@ -209,8 +214,8 @@
$sea->AddUpdateEmailAddress($person->email2, 0, 1);
}
}
-
-
+
+
if (!empty($optInEmailFields)) {
// Look for opted out
$optedOut = array();
@@ -342,7 +347,7 @@
$log = LoggerManager::getLogger();
$log->error('Success but some error occurred: ' . implode(', ', $errors));
}
-
+
//If the custom module does not have a LBL_THANKS_FOR_SUBMITTING label, default to this general one
echo $app_strings['LBL_THANKS_FOR_SUBMITTING'];
}
diff --git a/modules/Campaigns/utils.php b/modules/Campaigns/utils.php
index ca66c5ebeb8..a2c7687fc04 100755
--- a/modules/Campaigns/utils.php
+++ b/modules/Campaigns/utils.php
@@ -54,7 +54,7 @@
*name and list of all prospects associated with this campaign..
*
*/
-function get_message_scope_dom($campaign_id, $campaign_name, $db=null, $mod_strings=array())
+function get_message_scope_dom($campaign_id, $campaign_name, $db = null, $mod_strings = array())
{
if (empty($db)) {
$db = DBManagerFactory::getInstance();
@@ -65,7 +65,7 @@ function get_message_scope_dom($campaign_id, $campaign_name, $db=null, $mod_stri
}
//find prospect list attached to this campaign..
- $query = "SELECT prospect_list_id, prospect_lists.name ";
+ $query = "SELECT prospect_list_id, prospect_lists.name ";
$query .= "FROM prospect_list_campaigns ";
$query .= "INNER join prospect_lists on prospect_lists.id = prospect_list_campaigns.prospect_list_id ";
$query .= "WHERE prospect_lists.deleted = 0 ";
@@ -297,7 +297,7 @@ function log_campaign_activity($identifier, $activity, $update = true, $clicked_
//values for return array..
$return_array['target_id'] = $row['target_id'];
$return_array['target_type'] = $row['target_type'];
-
+
// quote variable first
$dataArrayKeys = array_keys($data);
$dataArrayKeysQuoted = array();
@@ -305,13 +305,13 @@ function log_campaign_activity($identifier, $activity, $update = true, $clicked_
$dataArrayKeysQuoted[] = $db->quote($dataArrayKey);
}
$dataArrayKeysQuotedImplode = implode(', ', $dataArrayKeysQuoted);
-
+
$insert_query = "INSERT into campaign_log (" . $dataArrayKeysQuotedImplode . ")";
-
+
$dataArrayValuesQuotedImplode = implode(', ', array_values($data));
-
+
$insert_query .= " VALUES (" . $dataArrayValuesQuotedImplode . ")";
-
+
$db->query($insert_query);
}
} else {
@@ -331,7 +331,7 @@ function log_campaign_activity($identifier, $activity, $update = true, $clicked_
$rowCampaignIdQuoted = $db->quote($row['campaign_id']);
$query = "SELECT campaigns.* FROM campaigns WHERE campaigns.id = '" . $rowCampaignIdQuoted . "' ";
$result = $db->query($query);
-
+
if (!empty($result)) {
$c_row = $db->fetchByAssoc($result);
@@ -1160,3 +1160,33 @@ function filterFieldsFromBeans($beans)
}
return $formattedBeans;
}
+
+/**
+ * Get valid web to person modules
+ * @return array
+ */
+function getValidWebToPersonModules(): array
+{
+ $superclass = 'Person';
+ $modules = [];
+ foreach ($GLOBALS['moduleList'] as $mod) {
+ $item = BeanFactory::getBean($mod);
+ if ($item && is_subclass_of($item, $superclass)) {
+ $modules[] = $item->module_name;
+ }
+ }
+
+ return $modules;
+}
+
+/**
+ * Check if it is a valid WebToPerson module
+ * @param string $module
+ * @return bool
+ */
+function isValidWebToPersonModule(string $module): bool
+{
+ $validModules = getValidWebToPersonModules();
+
+ return in_array($module, $validModules, true);
+}
diff --git a/modules/Contacts/ContactFormBase.php b/modules/Contacts/ContactFormBase.php
index 11ecbe0d96a..b9dffc451bd 100755
--- a/modules/Contacts/ContactFormBase.php
+++ b/modules/Contacts/ContactFormBase.php
@@ -73,15 +73,21 @@ public function getDuplicateQuery($focus, $prefix='')
// Bug #46427 : Records from other Teams shown on Potential Duplicate Contacts screen during Lead Conversion
// add team security
+ $dbManager = DBManagerFactory::getInstance();
+
$query .= ' where contacts.deleted = 0 AND ';
if (isset($_POST[$prefix.'first_name']) && strlen($_POST[$prefix.'first_name']) != 0 && isset($_POST[$prefix.'last_name']) && strlen($_POST[$prefix.'last_name']) != 0) {
- $query .= " contacts.first_name LIKE '". $_POST[$prefix.'first_name'] . "%' AND contacts.last_name = '". $_POST[$prefix.'last_name'] ."'";
+ $firstName = $dbManager->quote($_POST[$prefix.'first_name' ?? '']);
+ $lastName = $dbManager->quote($_POST[$prefix.'last_name' ?? '']);
+ $query .= " contacts.first_name LIKE '". $firstName . "%' AND contacts.last_name = '". $lastName ."'";
} else {
- $query .= " contacts.last_name = '". $_POST[$prefix.'last_name'] ."'";
+ $lastName = $dbManager->quote($_POST[$prefix.'last_name' ?? '']);
+ $query .= " contacts.last_name = '". $lastName ."'";
}
if (!empty($_POST[$prefix.'record'])) {
- $query .= " AND contacts.id != '". $_POST[$prefix.'record'] ."'";
+ $record = $dbManager->quote($_POST[$prefix.'record' ?? '']);
+ $query .= " AND contacts.id != '". $record ."'";
}
return $query;
}
diff --git a/modules/EmailTemplates/AttachFiles.php b/modules/EmailTemplates/AttachFiles.php
index d725cee178c..fdd09762919 100755
--- a/modules/EmailTemplates/AttachFiles.php
+++ b/modules/EmailTemplates/AttachFiles.php
@@ -61,6 +61,13 @@
foreach ($_FILES as $k => $file) {
if (in_array(strtolower($_FILES[$k]['type']), $imgType) && $_FILES[$k]['size'] > 0) {
+ $fileName = $_FILES[$k]['name'] ?? '';
+
+ if (!has_valid_image_extension('Attach Files Uploaded file: ' . $fileName , $fileName)) {
+ LoggerManager::getLogger()->fatal("EmailTemplates AttachFiles - Invalid file ext : '$fileName'.");
+ throw new RuntimeException('Invalid request');
+ }
+
$upload_file = new UploadFile($k);
// check the file
if ($upload_file->confirm_upload()) {
diff --git a/modules/Emails/include/ComposeView/ComposeView.tpl b/modules/Emails/include/ComposeView/ComposeView.tpl
index d38319acfd9..87808e14a8d 100644
--- a/modules/Emails/include/ComposeView/ComposeView.tpl
+++ b/modules/Emails/include/ComposeView/ComposeView.tpl
@@ -256,8 +256,8 @@
$(document).ready(function() {ldelim}
$('#ComposeView').EmailsComposeView({if $RETURN_MODULE != 'Emails' && $RETURN_ID}{ldelim}
'attachment': {ldelim}
- 'module': '{$RETURN_MODULE}',
- 'id': '{$RETURN_ID}'
+ 'module': '{$RETURN_MODULE|escape:'javascript'}',
+ 'id': '{$RETURN_ID|escape:'javascript'}'
{rdelim}
{rdelim}{/if});
{rdelim});
diff --git a/modules/Employees/Employee.php b/modules/Employees/Employee.php
index 214a12ba5b2..80bb010e040 100755
--- a/modules/Employees/Employee.php
+++ b/modules/Employees/Employee.php
@@ -318,6 +318,9 @@ public function save($check_notify = false)
throw new RuntimeException('Not authorized');
}
+ // If the current user is not an admin, reset the admin flag to the original value.
+ $this->setIsAdmin();
+
return parent::save($check_notify);
}
@@ -341,4 +344,36 @@ protected function hasSaveAccess(): bool
return $sameUser || is_admin($current_user);
}
+
+ /**
+ * Reset is_admin if current user is not an admin user
+ * @return void
+ */
+ protected function setIsAdmin(): void
+ {
+ global $current_user;
+
+ if (!isset($this->is_admin)) {
+ return;
+ }
+
+ $originalIsAdminValue = $this->is_admin ?? false;
+ if ($this->isUpdate() && isset($this->fetched_row['is_admin'])) {
+ $originalIsAdminValue = isTrue($this->fetched_row['is_admin'] ?? false);
+ }
+
+ $currentUserReloaded = BeanFactory::getReloadedBean('Users', $current_user->id);
+ if (!is_admin($currentUserReloaded)) {
+ $this->is_admin = $originalIsAdminValue;
+ }
+
+ }
+
+ /**
+ * @return bool
+ */
+ protected function isUpdate(): bool
+ {
+ return !empty($this->id) && !$this->new_with_id;
+ }
}
diff --git a/modules/Leads/LeadFormBase.php b/modules/Leads/LeadFormBase.php
index 52c96ba7bd2..dffdb2c9799 100755
--- a/modules/Leads/LeadFormBase.php
+++ b/modules/Leads/LeadFormBase.php
@@ -67,11 +67,15 @@ public function getDuplicateQuery($focus, $prefix='')
$query .= " WHERE deleted != 1 AND (status <> 'Converted' OR status IS NULL) AND ";
+ $dbManager = DBManagerFactory::getInstance();
//Use the first and last name from the $_POST to filter. If only last name supplied use that
if (isset($_POST[$prefix.'first_name']) && strlen($_POST[$prefix.'first_name']) != 0 && isset($_POST[$prefix.'last_name']) && strlen($_POST[$prefix.'last_name']) != 0) {
- $query .= " (first_name='". $_POST[$prefix.'first_name'] . "' AND last_name = '". $_POST[$prefix.'last_name'] ."')";
+ $firstName = $dbManager->quote($_POST[$prefix.'first_name' ?? '']);
+ $lastName = $dbManager->quote($_POST[$prefix.'last_name' ?? '']);
+ $query .= " (first_name='". $firstName . "' AND last_name = '". $lastName ."')";
} else {
- $query .= " last_name = '". $_POST[$prefix.'last_name'] ."'";
+ $lastName = $dbManager->quote($_POST[$prefix.'last_name' ?? '']);
+ $query .= " last_name = '". $lastName ."'";
}
return $query;
}
diff --git a/modules/Prospects/ProspectFormBase.php b/modules/Prospects/ProspectFormBase.php
index bc0529e0263..204b56549e7 100755
--- a/modules/Prospects/ProspectFormBase.php
+++ b/modules/Prospects/ProspectFormBase.php
@@ -55,36 +55,44 @@ public function checkForDuplicates($prefix)
{
global $local_log;
require_once('include/formbase.php');
-
+
$focus = BeanFactory::newBean('Prospects');
if (!checkRequired($prefix, array_keys($focus->required_fields))) {
return null;
}
+
+ $dbManager = DBManagerFactory::getInstance();
+
$query = '';
$baseQuery = 'select id,first_name, last_name, title, email1, email2 from prospects where deleted!=1 and (';
if (!empty($_POST[$prefix.'first_name']) && !empty($_POST[$prefix.'last_name'])) {
- $query = $baseQuery ." (first_name like '". $_POST[$prefix.'first_name'] . "%' and last_name = '". $_POST[$prefix.'last_name'] ."')";
+ $firstName = $dbManager->quote($_POST[$prefix.'first_name' ?? '']);
+ $lastName = $dbManager->quote($_POST[$prefix.'last_name' ?? '']);
+ $query = $baseQuery ." (first_name like '". $firstName . "%' and last_name = '". $lastName ."')";
} else {
- $query = $baseQuery ." last_name = '". $_POST[$prefix.'last_name'] ."'";
+ $lastName = $dbManager->quote($_POST[$prefix.'last_name' ?? '']);
+ $query = $baseQuery ." last_name = '". $lastName ."'";
}
if (!empty($_POST[$prefix.'email1'])) {
+ $email1 = $dbManager->quote($_POST[$prefix.'email1' ?? '']);
if (empty($query)) {
- $query = $baseQuery. " email1='". $_POST[$prefix.'email1'] . "' or email2 = '". $_POST[$prefix.'email1'] ."'";
+ $query = $baseQuery. " email1='". $email1 . "' or email2 = '". $email1 ."'";
} else {
- $query .= "or email1='". $_POST[$prefix.'email1'] . "' or email2 = '". $_POST[$prefix.'email1'] ."'";
+ $query .= "or email1='". $email1 . "' or email2 = '". $email1 ."'";
}
}
if (!empty($_POST[$prefix.'email2'])) {
+ $email2 = $dbManager->quote($_POST[$prefix.'email2' ?? '']);
if (empty($query)) {
- $query = $baseQuery. " email1='". $_POST[$prefix.'email2'] . "' or email2 = '". $_POST[$prefix.'email2'] ."'";
+ $query = $baseQuery. " email1='". $email2 . "' or email2 = '". $email2 ."'";
} else {
- $query .= "or email1='". $_POST[$prefix.'email2'] . "' or email2 = '". $_POST[$prefix.'email2'] ."'";
+ $query .= "or email1='". $email2 . "' or email2 = '". $email2 ."'";
}
}
if (!empty($query)) {
$rows = array();
-
+
$db = DBManagerFactory::getInstance();
$result = $db->query($query.');');
while ($row = $db->fetchByAssoc($result)) {
@@ -138,7 +146,7 @@ public function buildTableForm($rows, $mod='')
if ($action != 'ShowDuplicates') {
$form .= "[${app_strings['LBL_SELECT_BUTTON_LABEL']}] | \n";
}
-
+
$wasSet = false;
foreach ($row as $key=>$value) {
@@ -172,7 +180,7 @@ public function getWideFormBody($prefix, $mod='', $formname='', $prospect = '')
if (!ACLController::checkAccess('Prospects', 'edit', true)) {
return '';
}
-
+
if (empty($prospect)) {
$prospect = BeanFactory::newBean('Prospects');
}
@@ -401,15 +409,15 @@ public function getForm($prefix, $mod='')
public function handleSave($prefix, $redirect=true, $useRequired=false)
{
global $theme;
-
-
-
-
+
+
+
+
require_once('include/formbase.php');
-
+
global $timedate;
-
-
+
+
$focus = BeanFactory::newBean('Prospects');
if ($useRequired && !checkRequired($prefix, array_keys($focus->required_fields))) {
return null;
@@ -421,14 +429,14 @@ public function handleSave($prefix, $redirect=true, $useRequired=false)
if (!isset($GLOBALS['check_notify'])) {
$GLOBALS['check_notify']=false;
}
-
+
if (!isset($_POST[$prefix.'email_opt_out'])) {
$focus->email_opt_out = 0;
}
if (!isset($_POST[$prefix.'do_not_call'])) {
$focus->do_not_call = 0;
}
-
+
if (empty($_POST['record']) && empty($_POST['dup_checked'])) {
/*
// we don't check dupes on Prospects - this is the dirtiest data in the system
@@ -479,7 +487,7 @@ public function handleSave($prefix, $redirect=true, $useRequired=false)
$focus->save($GLOBALS['check_notify']);
$return_id = $focus->id;
-
+
$GLOBALS['log']->debug("Saved record with id of ".$return_id);
if (isset($_POST['popup']) && $_POST['popup'] == 'true') {
$get = '&module=';
diff --git a/modules/Users/User.php b/modules/Users/User.php
index 6686cd90dde..085d7241551 100755
--- a/modules/Users/User.php
+++ b/modules/Users/User.php
@@ -612,7 +612,7 @@ public function save($check_notify = false)
$msg = '';
- $isUpdate = !empty($this->id) && !$this->new_with_id;
+ $isUpdate = $this->isUpdate();
//No SMTP server is set up Error.
$admin = BeanFactory::newBean('Administration');
@@ -664,17 +664,16 @@ public function save($check_notify = false)
// wp: do not save user_preferences in this table, see user_preferences module
$this->user_preferences = '';
+
+ // If the current user is not an admin, reset the admin flag to the original value.
+ $this->setIsAdmin();
+
// if this is an admin user, do not allow is_group or portal_only flag to be set.
if ($this->is_admin) {
$this->is_group = 0;
$this->portal_only = 0;
}
- // If the current user is not an admin, do not allow them to set the admin flag to true.
- if (!is_admin($current_user)) {
- $this->is_admin = 0;
- }
-
// set some default preferences when creating a new user
$setNewUserPreferences = empty($this->id) || !empty($this->new_with_id);
@@ -2467,4 +2466,36 @@ protected function hasSaveAccess(): bool
return $sameUser || is_admin($current_user);
}
+
+ /**
+ * Reset is_admin if current user is not an admin user
+ * @return void
+ */
+ protected function setIsAdmin(): void
+ {
+ global $current_user;
+ if (!isset($this->is_admin)) {
+ return;
+ }
+
+
+ $originalIsAdminValue = $this->is_admin ?? false;
+ if ($this->isUpdate() && isset($this->fetched_row['is_admin'])) {
+ $originalIsAdminValue = isTrue($this->fetched_row['is_admin'] ?? false);
+ }
+
+ $currentUserReloaded = BeanFactory::getReloadedBean('Users', $current_user->id);
+ if (!is_admin($currentUserReloaded)) {
+ $this->is_admin = $originalIsAdminValue;
+ }
+
+ }
+
+ /**
+ * @return bool
+ */
+ protected function isUpdate(): bool
+ {
+ return !empty($this->id) && !$this->new_with_id;
+ }
}
diff --git a/suitecrm_version.php b/suitecrm_version.php
index bcb93259c2f..0c1ebd04c3a 100755
--- a/suitecrm_version.php
+++ b/suitecrm_version.php
@@ -3,5 +3,5 @@
die('Not A Valid Entry Point');
}
-$suitecrm_version = '7.12.8';
-$suitecrm_timestamp = '2022-11-17 12:00:00';
+$suitecrm_version = '7.12.9';
+$suitecrm_timestamp = '2023-01-25 12:00:00';