X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=includes%2Fui%2Fui_controls.inc;h=ddef1bddf3491d083918f0ed8f03ef8433b0add8;hb=927ebef2443b6dda544056e33ec84b71d2bdb6c2;hp=d6533f901722f5999ef7d81386932fea61d954df;hpb=46c5f7a65a7659a44ae8254c63152074363d3987;p=fa-stable.git

diff --git a/includes/ui/ui_controls.inc b/includes/ui/ui_controls.inc
index d6533f90..ddef1bdd 100644
--- a/includes/ui/ui_controls.inc
+++ b/includes/ui/ui_controls.inc
@@ -32,10 +32,15 @@ function get_post($name, $dflt='')
 				((!isset($_POST[$name]) || $_POST[$name] === '') ? $dflt : $_POST[$name]);
 }
 //---------------------------------------------------------------------------------
+$form_nested = -1;
 
 function start_form($multi=false, $dummy=false, $action="", $name="")
 {
 	// $dummy - leaved for compatibility with 2.0 API
+	global $form_nested;
+
+	if (++$form_nested) return;
+
 
 	if ($name != "")
 		$name = "name='$name'";
@@ -53,11 +58,29 @@ function start_form($multi=false, $dummy=false, $action="", $name="")
 
 function end_form($breaks=0)
 {
+	global $Ajax, $form_nested;
+
+	if ($form_nested-- > 0) return;
+
+	$_SESSION['csrf_token'] = hash('sha256', uniqid(mt_rand(), true));
 	if ($breaks)
 		br($breaks);
-	echo "<input type=\"hidden\" name=\"_focus\" value=\"".get_post('_focus')."\">\n";
-	echo "<input type=\"hidden\" name=\"_modified\" value=\"".get_post('_modified', 0)."\">\n";
+	hidden('_focus');
+	hidden('_modified', get_post('_modified', 0));
+	hidden('_token', $_SESSION['csrf_token']);
 	echo "</form>\n";
+	$Ajax->activate('_token');
+}
+
+function check_csrf_token()
+{
+	if ($_SESSION['csrf_token'] != @$_POST['_token'])
+	{
+		display_error(_("Request from outside of this page is forbidden."));
+		error_log(_("CSRF attack detected from: ").@$_SERVER['HTTP_HOST'].' ('.@$_SERVER['HTTP_REFERER'].')');
+		return false;
+	}
+	return true;
 }
 
 function start_table($class=false, $extra="", $padding='2', $spacing='0')
@@ -116,10 +139,10 @@ function vertical_space($params='')
 	echo "</td></tr><tr><td valign=center $params>";
 }
 
-function meta_forward($forward_to, $params="")
+function meta_forward($forward_to, $params="", $timeout=0)
 {
     global $Ajax;
-	echo "<meta http-equiv='Refresh' content='0; url=$forward_to?$params'>\n";
+	echo "<meta http-equiv='Refresh' content='".$timeout."; url=$forward_to?$params'>\n";
 	echo "<center><br>" . _("You should automatically be forwarded.");
 	echo " " . _("If this does not happen") . " " . "<a href='$forward_to?$params'>" . _("click here") . "</a> " . _("to continue") . ".<br><br></center>\n";
 	if ($params !='') $params = '?'.$params;
@@ -150,7 +173,7 @@ function access_string($label, $clean=false)
 	return $clean ? $label : array($label, $access);
 }
 
-function hyperlink_back($center=true, $no_menu=true, $type_no=0, $trans_no=0)
+function hyperlink_back($center=true, $no_menu=true, $type_no=0, $trans_no=0, $final=false)
 {
 	global $path_to_root;
 
@@ -161,17 +184,17 @@ function hyperlink_back($center=true, $no_menu=true, $type_no=0, $trans_no=0)
 	{
 		include_once($path_to_root."/admin/db/attachments_db.inc");
 		$id = has_attachment($type_no, $trans_no);
-	}
+		$attach = get_attachment_string($type_no, $trans_no);
+    	echo $attach;	
+    }
 	$width = ($id != 0 ? "30%" : "20%");	
 	start_table(false, "width=$width");
 	start_row();
 	if ($no_menu)
 	{
-		if ($id != 0)
-			echo "<td align=center><a href='$path_to_root/admin/attachments.php?vw=$id' target='blanc_'>"._("View Attachment")."</a></td>\n";
 		echo "<td align=center><a href='javascript:window.print();'>"._("Print")."</a></td>\n";
-	}	
-	echo "<td align=center><a href='javascript:goBack();'>".($no_menu ? _("Close") : _("Back"))."</a></td>\n";
+	}
+	echo "<td align=center><a href='javascript:goBack(".($final ? '-2' : '').");'>".($no_menu ? _("Close") : _("Back"))."</a></td>\n";
 	end_row();
 	end_table();
 	if ($center)
@@ -290,18 +313,20 @@ function hyperlink_params_separate_td($target, $label, $params)
 
 //--------------------------------------------------------------------------------------------------
 
-function alt_table_row_color(&$k)
+function alt_table_row_color(&$k, $extra_class=null)
 {
+	$classes = $extra_class ? array($extra_class) : array();
 	if ($k == 1)
 	{
-		echo "<tr class='oddrow'>\n";
+		array_push($classes, 'oddrow');
 		$k = 0;
 	}
 	else
 	{
-		echo "<tr class='evenrow'>\n";
+		array_push($classes, 'evenrow');
 		$k++;
 	}
+	echo "<tr class='".implode(' ', $classes)."'>\n";
 }
 
 function table_section_title($msg, $colspan=2)
@@ -415,6 +440,15 @@ function tabbed_content_end() {
 	div_end(); // tabs widget
 }
 
+function tab_changed($name)
+{
+	$to = find_submit("{$name}_", false);
+	if (!$to) return null;
+
+	return array('from' => $from = get_post("_{$name}_sel"),
+		'to' => $to);
+}
+
 /* Table editor interfaces. Key is editor type
 	0 => url of editor page
 	1 => hotkey code
@@ -422,13 +456,13 @@ function tabbed_content_end() {
 */
 $popup_editors = array(
 	'customer' => array('/sales/manage/customers.php?debtor_no=', 
-		113,	_("Customers")),
+		113,	_("Customers"), 900, 500),
 	'branch' => array('/sales/manage/customer_branches.php?SelectedBranch=', 
-		114, _("Branches")),
+		114, _("Branches"), 900, 700),
 	'supplier' => array('/purchasing/manage/suppliers.php?supplier_id=', 
-		113, _("Suppliers")),
+		113, _("Suppliers"), 900, 700),
 	'item' => array('/inventory/manage/items.php?stock_id=', 
-		115, _("Items"))
+		115, _("Items"), 800, 600)
 );
 /*
 	Bind editors for various selectors.
@@ -443,8 +477,9 @@ function set_editor($type, $input, $caller=true)
 
 	$key = $caller===true ? $popup_editors[$type][1] : $caller;
 
-	$Editors[$key] = array( $path_to_root . $popup_editors[$type][0], $input);
-	
+	$Editors[$key] = array( $path_to_root . $popup_editors[$type][0], $input, 
+		$popup_editors[$type][3], $popup_editors[$type][4]);
+
 	$help = 'F' . ($key - 111) . ' - ';
 	$help .= $popup_editors[$type][2];
 	$Pagehelp[] = $help;
@@ -593,4 +628,3 @@ function page_modified($status = true)
 		add_js_source($js);
 }
 
-?>
\ No newline at end of file