[freeside-commits] branch master updated. 92a327b2bc09344a7e0db93f40e34b71547bf075

Jonathan Prykop jonathan at 420.am
Wed Jan 28 17:40:14 PST 2015


The branch, master has been updated
       via  92a327b2bc09344a7e0db93f40e34b71547bf075 (commit)
       via  730a14abf09f1ed8854cfded6f432fee832ea7d8 (commit)
      from  3ed9d0fa90662f037f3fb2f50632ccb34066a979 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 92a327b2bc09344a7e0db93f40e34b71547bf075
Merge: 730a14a 3ed9d0f
Author: Jonathan Prykop <jonathan at freeside.biz>
Date:   Wed Jan 28 19:28:13 2015 -0600

    Merge branch 'master' of git.freeside.biz:/home/git/freeside


3ed9d0fa90662f037f3fb2f50632ccb34066a979
diff --git a/FS/FS/Report/Tax.pm b/FS/FS/Report/Tax.pm
index f3f441d..23c1645 100644
--- a/FS/FS/Report/Tax.pm
+++ b/FS/FS/Report/Tax.pm
@@ -41,13 +41,9 @@ sub report_internal {
 
   my ($taxname, $country, %breakdown);
 
-  # purify taxname properly here, as we're going to include it in lots of 
-  # SQL statements using single quotes only
-  if ( $opt{taxname} =~ /^([\w\s]+)$/ ) {
-    $taxname = $1;
-  } else {
-    die "taxname required"; # UI prevents this
-  }
+  # taxname can contain arbitrary punctuation; escape it properly and 
+  # include $taxname unquoted elsewhere
+  $taxname = dbh->quote($opt{'taxname'});
 
   if ( $opt{country} =~ /^(\w\w)$/ ) {
     $country = $1;
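Review bot: Dropping the regex branch also drops the `taxname required` failure path: when `$opt{taxname}` is absent, `dbh->quote(undef)` returns the bare word `NULL`, so the `COALESCE(cust_main_county.taxname,'Tax') = $taxname` comparisons in the two later hunks become `= NULL`, which never matches, and the report produces wrong totals (empty, or over-inclusive inside the `NOT EXISTS` clauses) instead of failing. Keep a presence check ahead of the quoting, e.g. `die "taxname required" unless length $opt{'taxname'};` immediately before the `dbh->quote` line. Since `$taxname` now carries its own quotes, the new comment would be clearer as `# NOTE: $taxname is already SQL-quoted by dbh->quote; interpolate it bare, never as '$taxname'`, so nobody reintroduces the single quotes. report_internal begins before this hunk, and this same hunk is listed a second time further down in the message.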
@@ -103,7 +99,7 @@ sub report_internal {
      GROUP BY billpkgnum, taxnum";
 
   my $where = "WHERE cust_bill._date >= $beginning AND cust_bill._date <= $ending ".
-              "AND COALESCE(cust_main_county.taxname,'Tax') = '$taxname' ".
+              "AND COALESCE(cust_main_county.taxname,'Tax') = $taxname ".
               "AND cust_main_county.country = '$country'";
   # SELECT/GROUP clauses for first-level queries
   my $select = "SELECT ";
@@ -370,14 +366,14 @@ sub report_internal {
       SELECT 1 FROM cust_tax_exempt_pkg
         JOIN cust_main_county USING (taxnum)
         WHERE cust_tax_exempt_pkg.billpkgnum = cust_bill_pkg.billpkgnum
-          AND COALESCE(cust_main_county.taxname,'Tax') = '$taxname'
+          AND COALESCE(cust_main_county.taxname,'Tax') = $taxname
           AND cust_tax_exempt_pkg.creditbillpkgnum IS NULL
     )
     AND NOT EXISTS(
       SELECT 1 FROM cust_bill_pkg_tax_location
         JOIN cust_main_county USING (taxnum)
         WHERE cust_bill_pkg_tax_location.taxable_billpkgnum = cust_bill_pkg.billpkgnum
-          AND COALESCE(cust_main_county.taxname,'Tax') = '$taxname'
+          AND COALESCE(cust_main_county.taxname,'Tax') = $taxname
     )
   ";
   warn "\nOUTSIDE:\n$sql_outside\n" if $DEBUG;
diff --git a/httemplate/search/report_tax.cgi b/httemplate/search/report_tax.cgi
index 83f2fc5..491cd42 100644
--- a/httemplate/search/report_tax.cgi
+++ b/httemplate/search/report_tax.cgi
@@ -151,7 +151,7 @@ TD.rowhead { font-weight: bold; text-align: left; padding: 0px 3px }
         <% emt('Out of taxable region') %>
       </TD>
       <TD STYLE="text-align: right">
-        <A HREF="<% $saleslink %>;out=1;taxname=<% $params{taxname} %>">
+        <A HREF="<% $saleslink %>;out=1;taxname=<% encode_entities($params{'taxname'}) %>">
           <% $money_sprintf->( $report->{outside } ) %>
         </A>
       </TD>
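Review bot: `encode_entities` protects the HTML attribute but does not URL-encode the value, and now that taxname may contain arbitrary punctuation a name with `;`, `&`, `#`, `%` or `+` will be truncated or altered when the link is followed — the query string visibly uses `;` as its separator (`;out=1`). Escape for the URL first and then for the attribute: `taxname=<% encode_entities(uri_escape($params{'taxname'})) %>`, importing `uri_escape` from URI::Escape if this template does not already have it in scope. The same change is listed again in the second copy of this commit below.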
@@ -188,8 +188,9 @@ if ( $cgi->param('agentnum') =~ /^(\d+)$/ ) {
   $agentname = $agent->agentname;
 }
 
-if ( $cgi->param('taxname') =~ /^([\w ]+)$/ ) {
-  $params{taxname} = $1;
+# allow anything in here; FS::Report::Tax will treat it as unsafe
+if ( length($cgi->param('taxname')) ) {
+  $params{taxname} = $cgi->param('taxname');
 } else {
   die "taxname required";
 }
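Review bot: The comment on the new `if` states the contract only halfway: the value is no longer restricted to `[\w ]`, so every consumer must treat it as unsafe, not only FS::Report::Tax, and this template itself re-emits it inside a link earlier in the file. Suggest `# no character restriction on taxname: FS::Report::Tax quotes it with dbh->quote, and this template must escape it wherever it is emitted`. The `if`/`else` is complete within the hunk.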

commit 730a14abf09f1ed8854cfded6f432fee832ea7d8
Author: Jonathan Prykop <jonathan at freeside.biz>
Date:   Wed Jan 28 19:15:33 2015 -0600

    Ticket #32226: Disable bulk order link under provisioning link for svc_phone

diff --git a/httemplate/view/cust_main/packages/services.html b/httemplate/view/cust_main/packages/services.html
index fa193d6..d7644b7 100644
--- a/httemplate/view/cust_main/packages/services.html
+++ b/httemplate/view/cust_main/packages/services.html
@@ -97,20 +97,7 @@ function clearhint_search_cust_svc(obj, str) {
 %             local $opt{'num_avail'} = $part_svc->num_avail;
               <BR><% svc_provision_link($cust_pkg, $part_svc, \%opt, $curuser) %>
 %           }
-%           if ( 
-%                qsearch({
-%                          'table' => 'did_order',
-%                          'hashref' => { 'custnum' => $cust_pkg->custnum },
-%                          'extra_sql' => ' LIMIT 1'
-%                        })
-%                ||
-%                qsearch({
-%                          'table' => 'did_order_item',
-%                          'hashref' => { 'custnum' => $cust_pkg->custnum },
-%                          'addl_from' => ' INNER JOIN did_order ON did_order_item.ordernum = did_order.ordernum',
-%                          'extra_sql' => ' LIMIT 1'
-%                       })
-%           ) {
+%           if (browse_received_did_inventory($cust_pkg->custnum)) {
               <BR><A HREF="<%$p%>browse/did_order.html?custnum=<%$cust_pkg->custnum%>"><% mt('Browse Received DID Inventory') |h %></A> 
 %           }
 %       }
@@ -183,6 +170,21 @@ sub svc_provision_link {
   $link;
 }
 
+sub browse_received_did_inventory {
+  local($FS::Record::qsearch_qualify_columns) = 1;
+  qsearch({
+    'table' => 'did_order',
+    'hashref' => { 'custnum' => $_[0] },
+    'extra_sql' => ' LIMIT 1'
+  }) ||
+  qsearch({
+    'table' => 'did_order_item',
+    'hashref' => { 'custnum' => $_[0] },
+    'addl_from' => ' INNER JOIN did_order ON did_order_item.ordernum = did_order.ordernum',
+    'extra_sql' => ' LIMIT 1'
+  });
+}
+
 my %hints = (
 svc_acct      => emt('(user or email)'),
 svc_domain    => emt('(domain)'),
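Review bot: `local($FS::Record::qsearch_qualify_columns) = 1;` is new behaviour that the inline code removed in the earlier hunk did not have, and nothing explains it; presumably it is needed because the second query joins `did_order` and an unqualified `custnum` would be ambiguous, but that should be stated: `# qualify hashref columns: custnum must not be ambiguous across the did_order join below — TODO confirm`. The sub also reads `$_[0]` twice and relies on an implicit return; unpack once with `my ($custnum) = @_;`, use `'hashref' => { 'custnum' => $custnum },` in both queries, and make the result explicit with `return qsearch({`. A one-line header comment saying the sub returns true when the customer has any did_order or did_order_item row would make the call site in the earlier hunk self-explanatory.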

3ed9d0fa90662f037f3fb2f50632ccb34066a979
diff --git a/FS/FS/Report/Tax.pm b/FS/FS/Report/Tax.pm
index f3f441d..23c1645 100644
--- a/FS/FS/Report/Tax.pm
+++ b/FS/FS/Report/Tax.pm
@@ -41,13 +41,9 @@ sub report_internal {
 
   my ($taxname, $country, %breakdown);
 
-  # purify taxname properly here, as we're going to include it in lots of 
-  # SQL statements using single quotes only
-  if ( $opt{taxname} =~ /^([\w\s]+)$/ ) {
-    $taxname = $1;
-  } else {
-    die "taxname required"; # UI prevents this
-  }
+  # taxname can contain arbitrary punctuation; escape it properly and 
+  # include $taxname unquoted elsewhere
+  $taxname = dbh->quote($opt{'taxname'});
 
   if ( $opt{country} =~ /^(\w\w)$/ ) {
     $country = $1;
@@ -103,7 +99,7 @@ sub report_internal {
      GROUP BY billpkgnum, taxnum";
 
   my $where = "WHERE cust_bill._date >= $beginning AND cust_bill._date <= $ending ".
-              "AND COALESCE(cust_main_county.taxname,'Tax') = '$taxname' ".
+              "AND COALESCE(cust_main_county.taxname,'Tax') = $taxname ".
               "AND cust_main_county.country = '$country'";
   # SELECT/GROUP clauses for first-level queries
   my $select = "SELECT ";
@@ -370,14 +366,14 @@ sub report_internal {
       SELECT 1 FROM cust_tax_exempt_pkg
         JOIN cust_main_county USING (taxnum)
         WHERE cust_tax_exempt_pkg.billpkgnum = cust_bill_pkg.billpkgnum
-          AND COALESCE(cust_main_county.taxname,'Tax') = '$taxname'
+          AND COALESCE(cust_main_county.taxname,'Tax') = $taxname
           AND cust_tax_exempt_pkg.creditbillpkgnum IS NULL
     )
     AND NOT EXISTS(
       SELECT 1 FROM cust_bill_pkg_tax_location
         JOIN cust_main_county USING (taxnum)
         WHERE cust_bill_pkg_tax_location.taxable_billpkgnum = cust_bill_pkg.billpkgnum
-          AND COALESCE(cust_main_county.taxname,'Tax') = '$taxname'
+          AND COALESCE(cust_main_county.taxname,'Tax') = $taxname
     )
   ";
   warn "\nOUTSIDE:\n$sql_outside\n" if $DEBUG;
diff --git a/httemplate/search/report_tax.cgi b/httemplate/search/report_tax.cgi
index 83f2fc5..491cd42 100644
--- a/httemplate/search/report_tax.cgi
+++ b/httemplate/search/report_tax.cgi
@@ -151,7 +151,7 @@ TD.rowhead { font-weight: bold; text-align: left; padding: 0px 3px }
         <% emt('Out of taxable region') %>
       </TD>
       <TD STYLE="text-align: right">
-        <A HREF="<% $saleslink %>;out=1;taxname=<% $params{taxname} %>">
+        <A HREF="<% $saleslink %>;out=1;taxname=<% encode_entities($params{'taxname'}) %>">
           <% $money_sprintf->( $report->{outside } ) %>
         </A>
       </TD>
@@ -188,8 +188,9 @@ if ( $cgi->param('agentnum') =~ /^(\d+)$/ ) {
   $agentname = $agent->agentname;
 }
 
-if ( $cgi->param('taxname') =~ /^([\w ]+)$/ ) {
-  $params{taxname} = $1;
+# allow anything in here; FS::Report::Tax will treat it as unsafe
+if ( length($cgi->param('taxname')) ) {
+  $params{taxname} = $cgi->param('taxname');
 } else {
   die "taxname required";
 }

-----------------------------------------------------------------------

Summary of changes:
 httemplate/view/cust_main/packages/services.html |   30 ++++++++++++----------
 1 file changed, 16 insertions(+), 14 deletions(-)



