Dolibarr/sendrecurringinvoicebymail
1
0
Fork 0
Code Issues Pull requests Releases 6 Activity Actions

Execute the hook only for customer invoices

Browse source 
With the introduction of supplier invoice templates in Dolibarr 16, with the
same hook but different table, this module tried to load the customer invoice
having the same id than the supplier invoice template being treated. This could
result in severe information disclosure.

Fixes gh-10
This commit is contained in:
Chl 2024-03-13 01:05:50 +01:00
parent d3bac76b2e
commit a7532db483
3 changed files with 19 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

8
class/actions_sendrecurringinvoicebymail.class.php
View file

@ -84,6 +84,14 @@ class Actionssendrecurringinvoicebymail
$error = 0; // Error counter
$facturerec = $parameters['facturerec'];
// Since Dolibarr 16, this hook is also used for the FactureFournisseurRec class.
if (! $facturerec instanceof FactureRec) {
return 0;
}
// Load our own object, linked to this facture
// (if it doesn't exist in database, fetch(,,true) will fill the object
// from the global mail template)
$mailObject = new SRIBMCustomMailInfo($this->db);
if ($mailObject->fetch(null, $facturerec->id, true) != 1) {
dol_syslog("Error loading SRIBMCustomMailInfo for facture rec " . (isset($facturerec->id) ? $facturerec->id : "(facturerec->id not set ??)"));