dolibarr 24.0.0-beta
saveinplace.php
Go to the documentation of this file.
1<?php
2/* Copyright (C) 2011-2025 Regis Houssin <regis.houssin@inodbox.com>
3 * Copyright (C) 2024-2025 MDW <mdeweerd@users.noreply.github.com>
4 * Copyright (C) 2024-2026 Frédéric France <frederic.france@free.fr>
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program. If not, see <https://www.gnu.org/licenses/>.
18 */
19
26if (!defined('NOTOKENRENEWAL')) {
27 define('NOTOKENRENEWAL', '1'); // Disables token renewal
28}
29if (!defined('NOREQUIREMENU')) {
30 define('NOREQUIREMENU', '1');
31}
32if (!defined('NOREQUIREAJAX')) {
33 define('NOREQUIREAJAX', '1');
34}
35if (!defined('NOREQUIRESOC')) {
36 define('NOREQUIRESOC', '1');
37}
38
39// Load Dolibarr environment
40require '../../main.inc.php';
48require_once DOL_DOCUMENT_ROOT.'/core/class/genericobject.class.php';
49
50$field = GETPOST('field', 'alpha', 2);
51$element = GETPOST('element', 'alpha', 2);
52$table_element = GETPOST('table_element', 'alpha', 2);
53$fk_element = GETPOST('fk_element', 'alpha', 2);
54$id = $fk_element;
55
56/* Example:
57field:editval_ref_customer (8 first chars will removed to know name of property)
58element:contrat
59table_element:contrat
60fk_element:4
61type:string
62value:aaa
63loadmethod:
64savemethod:
65savemethodname:
66*/
67
68print 'field='.$field.' - element='.$element.' - table_element='.$table_element.' - id/fk_element='.$fk_element."\n";
69
70// Load object according to $id and $element
71$element_ref = '';
72if (is_numeric($fk_element)) {
73 $id = (int) $fk_element;
74} else {
75 $element_ref = $fk_element;
76 $id = 0;
77}
78$object = fetchObjectByElement($id, $element, $element_ref);
79if (!is_object($object)) {
80 httponly_accessforbidden('Not allowed, bad combination of parameters for fetchObjectByElement');
81}
82
83$module = $object->module;
84$element = $object->element;
85$usesublevelpermission = ($module != $element ? $element : '');
86if ($usesublevelpermission && !$user->hasRight($module, $element)) { // There is no permission on object defined, we will check permission on module directly
87 $usesublevelpermission = '';
88}
89print 'object->id='.$object->id.' - object->module='.$object->module.' - object->element='.$object->element.' - object->table_element='.$object->table_element.' - usesublevelpermission='.$usesublevelpermission."\n";
90
91// Security check
92$result = restrictedArea($user, $object->module, $object, $object->table_element, $usesublevelpermission, 'fk_soc', 'rowid', 0, 1); // Call with mode return
93if (!$result) {
94 httponly_accessforbidden('Not allowed by restrictArea');
95}
96
97if (!getDolGlobalString('MAIN_USE_EDIT_IN_PLACE')) {
98 httponly_accessforbidden('Can be used only when option MAIN_USE_EDIT_IN_PLACE is set');
99}
100
101
102/*
103 * View
104 */
105
106top_httphead();
107
108//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
109//print_r($_POST);
110
111// Load original field value
112if (!empty($field) && !empty($element) && !empty($table_element) && !empty($fk_element)) {
113 $field = preg_replace('/^editval_/', '', $field); // remove prefix "editval_"
114
115 $type = GETPOST('type', 'alpha', 2); // type string by default
116
117 $value = ($type == 'ckeditor' ? GETPOST('value', '', 2) : GETPOST('value', 'alpha', 2));
118
119 //$ext_element = GETPOST('ext_element', 'alpha', 2);
120 $ext_element = 'notused';
121
122 //$savemethod = GETPOST('savemethod', 'alpha', 2);
123 //$savemethodname = (!empty($savemethod) ? $savemethod : 'setValueFrom');
124
125 $newelement = $element;
126 $subelement = null;
127
128 $format = 'text';
129 $return = array();
130 $error = 0;
131
132 $regs = array();
133 if ($element != 'order_supplier' && $element != 'invoice_supplier' && preg_match('/^([^_]+)_([^_]+)/i', $element, $regs)) {
134 $element = $regs[1];
135 $subelement = $regs[2];
136 }
137
138 if ($element == 'propal') {
139 $newelement = 'propale';
140 } elseif ($element == 'fichinter') {
141 $newelement = 'ficheinter';
142 } elseif ($element == 'product') {
143 $newelement = 'produit';
144 } elseif ($element == 'member') {
145 $newelement = 'adherent';
146 } elseif ($element == 'order_supplier') {
147 $newelement = 'fournisseur';
148 $subelement = 'commande';
149 } elseif ($element == 'invoice_supplier') {
150 $newelement = 'fournisseur';
151 $subelement = 'facture';
152 } else {
153 $newelement = $element;
154 }
155
156 $_POST['action'] = 'update'; // Keep this. It is a hack so restrictarea will test permissions on write too
157
158 $feature = $newelement;
159 $feature2 = $subelement;
160 $object_id = $fk_element;
161 if ($feature == 'expedition' || $feature == 'shipping') {
162 $feature = 'commande';
163 $object_id = 0;
164 }
165 if ($feature == 'shipping') {
166 $feature = 'commande';
167 }
168 if ($feature == 'payment') {
169 $feature = 'facture';
170 }
171 if ($feature == 'payment_supplier') {
172 $feature = 'fournisseur';
173 $feature2 = 'facture';
174 }
175 //var_dump(GETPOST('action','aZ09'));
176 //var_dump($newelement.'-'.$subelement."-".$feature."-".$object_id);
177 $check_access = restrictedArea($user, $feature, $object_id, '', (string) $feature2);
178 //var_dump($user->rights);
179
180 if ($check_access) {
181 // Clean parameters
182 $newvalue = trim($value);
183
184 if ($type == 'numeric') {
185 $newvalue = price2num($newvalue);
186
187 // Check parameters
188 if (!is_numeric($newvalue)) {
189 $error++;
190 $return['error'] = $langs->trans('ErrorBadValue');
191 }
192 } elseif ($type == 'datepicker') {
193 $timestamp = GETPOSTINT('timestamp', 2);
194 $format = 'date';
195 $newvalue = ($timestamp / 1000);
196 }
197
198 if (!$error && is_object($object)) { // @phpstan-ignore-line as object is already tested as object at the beginning
199 $ret = $object->setValueFrom($field, $newvalue, $object->table_element, (int) $fk_element, $format);
200 if ($ret > 0) {
201 if ($type == 'numeric') {
202 $value = price($newvalue);
203 } elseif ($type == 'textarea') {
204 $value = dol_nl2br($newvalue);
205 }
206
207 $return['value'] = $value;
208 } else {
209 $return['error'] = $object->error;
210 }
211 }
212
213 echo json_encode($return);
214 } else {
215 echo $langs->trans('NotEnoughPermissions');
216 }
217}
$id
$id
Support class for third parties, contacts, members, users or resources.
Definition account.php:47
$object
if(! $sortfield) if(! $sortorder) $object
Definition account.php:100
GETPOSTINT
GETPOSTINT($paramname, $method=0)
Return the value of a $_GET or $_POST supervariable, converted into integer.
Definition functions.lib.php:951
price2num
price2num($amount, $rounding='', $option=0)
Function that return a number with universal decimal format (decimal separator is '.
Definition functions.lib.php:7824
dol_nl2br
dol_nl2br($stringtoencode, $nl2brmode=0, $forxml=false)
Replace CRLF in string with a HTML BR tag.
Definition functions.lib.php:9506
price
price($amount, $form=0, $outlangs='', $trunc=1, $rounding=-1, $forcerounding=-1, $currency_code='')
Function to format a value into an amount for visual output Function used into PDF and HTML pages.
Definition functions.lib.php:7693
GETPOST
GETPOST($paramname, $check='alphanohtml', $method=0, $filter=null, $options=null, $noreplace=0)
Return value of a param into GET or POST supervariable.
Definition functions.lib.php:1082
getDolGlobalString
getDolGlobalString($key, $default='')
Return a Dolibarr global constant string value.
Definition functions.lib.php:286
top_httphead
if(!defined( 'NOREQUIREMENU')) if(!empty(GETPOST('seteventmessages', 'alpha'))) if(!function_exists("llxHeader")) top_httphead($contenttype='text/html', $forcenocache=0)
Show HTTP header.
Definition main.inc.php:1512
httponly_accessforbidden
httponly_accessforbidden($message='1', $http_response_code=403, $stringalreadysanitized=0)
Show a message to say access is forbidden and stop program.
Definition security.lib.php:1070
restrictedArea
restrictedArea(User $user, $features, $object=0, $tableandshare='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid', $isdraft=0, $mode=0)
Check permissions of a user to show a page and an object.
Definition security.lib.php:180
Generated on Mon Jun 22 2026 21:04:38 for dolibarr by Doxygen 1.11.0