Index: src/include/lib/Garradin/Recherche.php
==================================================================
--- src/include/lib/Garradin/Recherche.php
+++ src/include/lib/Garradin/Recherche.php
@@ -6,10 +6,11 @@
 class Recherche
 {
 const TYPE_JSON = 'json';
 const TYPE_SQL = 'sql';
+ const TYPE_SQL_UNPROTECTED = 'sql_unprotected';
 const TARGETS = [
 'membres',
 'compta',
 ];
@@ -31,11 +32,13 @@
 if (array_key_exists('id_membre', $data) && null !== $data['id_membre'] && !$db->test('membres', 'id = ?', $data['id_membre']))
 {
 throw new \InvalidArgumentException('Numéro d\'utilisateur inconnu.');
 }
- if (array_key_exists('type', $data) && $data['type'] !== self::TYPE_SQL && $data['type'] !== self::TYPE_JSON)
+ static $types = [self::TYPE_SQL, self::TYPE_JSON, self::TYPE_SQL_UNPROTECTED];
+
+ if (array_key_exists('type', $data) && !in_array($data['type'], $types))
 {
 throw new \InvalidArgumentException('Type de recherche inconnu.');
 }
 if (array_key_exists('cible', $data) && !in_array($data['cible'], self::TARGETS, true))
@@ -165,18 +168,33 @@
 $out = [];
 $columns = $this->getColumns($target);
 foreach (reset($result) as $key => $v) {
+ if (substr($key, 0, 1) == '_') {
+ continue;
+ }
+
+ $label = null;
+
 foreach ($columns as $ckey => $config) {
 if ($ckey == $key) {
- $out[$key] = $config->label;
+ $label = $config->label;
+ break;
 }
 elseif (isset($config->alias) && $config->alias == $key) {
- $out[$config->alias] = $config->label;
+ $key = $config->alias;
+ $label = $config->label;
+ break;
 }
 }
+
+ if (!$label) {
+ $label = $key;
+ }
+
+ $out[$key] = $label;
 }
 return $out;
 }
@@ -243,11 +261,11 @@
 $columns['t.id'] = (object) [
 'textMatch'=> false,
 'label' => 'Numéro écriture',
 'type' => 'integer',
 'null' => false,
- 'alias' => 'id',
+ 'alias' => 'transaction_id',
 ];
 $columns['t.date'] = (object) [
 'textMatch'=> false,
 'label' => 'Date',
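Review bot: The new `in_array($data['type'], $types)` in hunk @@ -31 is a loose comparison, whereas the `cible` check two lines below passes `true`; with a non-strict check a boolean `true` submitted as `type` compares equal to every string in `$types` and passes validation, so a value that is none of the three constants gets stored. Change it to `in_array($data['type'], $types, true)`. Note also that this validation now accepts `sql_unprotected` from any caller; whether only privileged users can set that type is decided outside this hunk and cannot be confirmed here. The enclosing method starts and ends outside the hunk.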
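Review bot: In hunk @@ -165 the added `$key = $config->alias;` in the `elseif` branch is redundant, since that branch is only entered when `$config->alias == $key`, and the loose `==` on both `$ckey == $key` and `$config->alias == $key` means numeric-looking keys and aliases (for instance `'1'` and `'01'`) are treated as the same column. Using `===` in both comparisons and dropping the assignment makes the lookup exact. The added `if (!$label)` also replaces a configured label of `'0'` with the key; `if ($label === null)` matches the intent of the `$label = null` initialiser. The enclosing method starts before the hunk.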
@@ -500,11 +518,11 @@
 }
 // Ajout du champ identité si pas présent
 if ($target == 'membres') {
- $query_columns = array_merge(['id', $config->get('champ_identite')], $query_columns);
+ $query_columns = array_merge([$config->get('champ_identite')], $query_columns);
 }
 // Ajout de champs compta si pas présents
 elseif ($target == 'compta') {
 $query_columns = array_merge(['t.id', 't.date', 't.label', 'l.debit', 'l.credit', 'a.code'], $query_columns);
@@ -543,10 +561,14 @@
 LEFT JOIN acc_accounts AS a2 ON l.id_analytical = a2.id WHERE %s GROUP BY t.id ORDER BY %s %s LIMIT %d;', $query_columns, $query_groups, $order, $desc, (int) $limit);
 $sql_query = preg_replace('/"(a|a2|l|t)\./', '"$1"."', $sql_query);
 }
+ else if ('membres' === $target) {
+ $sql_query = sprintf('SELECT id AS _user_id, %s FROM %s WHERE %s ORDER BY %s %s LIMIT %d;',
+ $query_columns, $target, $query_groups, $order, $desc, (int) $limit);
+ }
 else {
 $sql_query = sprintf('SELECT id, %s FROM %s WHERE %s ORDER BY %s %s LIMIT %d;',
 $query_columns, $target, $query_groups, $order, $desc, (int) $limit);
 }
@@ -554,11 +576,11 @@
 }
 /**
 * Lancer une recherche SQL
 */
- public function searchSQL($target, $query, array $force_select = null, $no_limit = false)
+ public function searchSQL(string $target, $query, array $force_select = null, bool $no_limit = false, bool $unprotected = false)
 {
 if (!in_array($target, self::TARGETS, true))
 {
 throw new \InvalidArgumentException('Cible inconnue : ' . $target);
 }
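Review bot: The new branch in hunk @@ -543 is written `else if ('membres' === $target)` while the sibling branch earlier in the same method (hunk @@ -500) uses `elseif ($target == 'compta')`; use `elseif` here for consistency. Since `$target` is restricted to `self::TARGETS` (`membres` and `compta`) and both now have an explicit branch, the trailing `else` with `SELECT id, %s FROM %s` appears unreachable — hedged, because the condition that opens the `compta` branch is outside the hunk — and if so it should be dropped or turned into a thrown `\InvalidArgumentException` rather than left as a silent fallback. The enclosing method starts and ends outside the hunk.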
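Review bot: The docblock above `searchSQL` in hunk @@ -554 still says only `Lancer une recherche SQL` and does not document the new `$unprotected` flag, which in the method body (hunk @@ -575) replaces the per-target table allow-list passed to `protectSelect()` with `null`. Add `@param bool $unprotected  When true the query is not restricted to the allow-listed tables of the target; callers must only set it for privileged users` and `@throws \InvalidArgumentException` when the target is unknown. The signature also keeps `array $force_select = null` (implicitly nullable) and an untyped `$query`; `?array $force_select = null` and `string $query` would match the style of the newly typed parameters. The method body continues past the hunk.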
@@ -575,15 +597,22 @@
 }
 try {
 $db = DB::getInstance();
 static $allowed = [
- 'compta' => ['acc_transactions' => null, 'acc_transactions_lines' => null, 'acc_accounts' => null],
- 'membres' => ['membres' => null],
+ 'compta' => ['acc_transactions' => null, 'acc_transactions_lines' => null, 'acc_accounts' => null, 'acc_charts' => null, 'acc_years' => null, 'acc_transactions_users' => null],
+ 'membres' => ['membres' => null, 'membres_categories' => null],
 ];
- $db->protectSelect($allowed[$target], $query);
+ if ($unprotected) {
+ $allowed_tables = null;
+ }
+ else {
+ $allowed_tables = $allowed[$target];
+ }
+
+ $db->protectSelect($allowed_tables, $query);
 return $db->get($query);
 }
 catch (\Exception $e) {
 $message = 'Erreur dans la requête : ' . $e->getMessage();
Index: src/templates/acc/search.tpl
==================================================================
--- src/templates/acc/search.tpl
+++ src/templates/acc/search.tpl
@@ -28,11 +28,11 @@
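Review bot: Passing `null` to `protectSelect()` when `$unprotected` is set removes the only table restriction applied to the caller-supplied `$query`, and nothing in this hunk or in the signature change at hunk @@ -554 ties the flag to the caller's privilege; the whole gate now rests on every call site remembering to check rights before passing `true`. Either add the permission check inside `searchSQL` so the method is safe by default, or at minimum state the caller's obligation in a comment next to the branch, e.g. `// null disables the table allow-list: callers must have verified the user is an administrator`. The branch itself can be a single line, `$allowed_tables = $unprotected ? null : $allowed[$target];`. The enclosing method starts before the hunk and its `catch` block continues past it.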
{foreach from=$result item="row"}{$result|count} membres trouvés pour cette recherche.
{/if} - {foreach from=$result_header key="c" item="cfg"} - | {$cfg.title} | + {foreach from=$result_header item="label"} +{$label} | {/foreach}||
{input type="checkbox" name="selected[]" value=$row.id} | {/if} + {if $session->canAccess('membres', Membres::DROIT_ADMIN)}{if $row._user_id}{input type="checkbox" name="selected[]" value=$row._user_id}{/if} | {/if} {foreach from=$row key="key" item="value"} {if isset($result_header[$key])}- {if !$link} - - {/if} - - {$value|raw|display_champ_membre:$key} - - {if !$link} - - - {/if} + {if !$link && $row._user_id} + + {/if} + + {$value|raw|display_champ_membre:$key} + + {if !$link} + + + {/if} | + {elseif substr($key, 0, 1) != '_'} +{$value} | {/if} {/foreach}- {linkbutton shape="user" label="Fiche membre" href="!membres/fiche.php?id=%d"|args:$row.id} - {if $session->canAccess('membres', Membres::DROIT_ECRITURE)} - {linkbutton shape="edit" label="Modifier" href="!membres/modifier.php?id=%d"|args:$row.id} + {if $row._user_id} + {linkbutton shape="user" label="Fiche membre" href="!membres/fiche.php?id=%d"|args:$row.id} + {if $session->canAccess('membres', Membres::DROIT_ECRITURE)} + {linkbutton shape="edit" label="Modifier" href="!membres/modifier.php?id=%d"|args:$row.id} + {/if} {/if} |