Merge branch 'develop' of https://github.com/Dolibarr/dolibarr into d…

…ev_28554

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -19,20 +19,9 @@ body:
   - type: input
     id: environment-version
     attributes:
-      label: Environment Version
+      label: Dolibarr Version
       description: Affected Dolibarr version(s)
-
-  - type: input
-    id: environment-os
-    attributes:
-      label: Environment OS
-      description: Server OS type and version
-
-  - type: input
-    id: environment-webserver
-    attributes:
-      label: Environment Web server
-      description: Webserver type and version
+      placeholder: 19.0, develop, ...
 
   - type: input
     id: environment-php
@@ -46,22 +35,10 @@ body:
       label: Environment Database
       description: Database type and version
 
-  - type: input
-    id: environment-urls
-    attributes:
-      label: Environment URL(s)
-      description: Affected URL(s)
-
-  - type: textarea
-    id: expected-behaviour
-    attributes:
-      label: Expected and actual behavior
-      description: Verbose description
-
   - type: textarea
     id: reproduce
     attributes:
-      label: Steps to reproduce the behavior
+      label: Steps to reproduce the behavior and expected behavior
       description: Verbose description
 
   - type: textarea

.github/workflows/cache-clean-pr.yml

@@ -0,0 +1,36 @@
+---
+name: Cleanup caches of a closed branch
+# See https://github.com/actions/cache/blob/main/tips-and-workarounds.md#force-deletion-of-caches-overriding-default-cache-eviction-policy
+on:
+  pull_request:
+    types: [closed]
+  workflow_dispatch:
+jobs:
+  cleanup:
+    runs-on: ubuntu-latest
+    permissions:
+      # `actions:write` permission is required to delete caches
+      #   See also: https://docs.github.com/en/rest/actions/cache?apiVersion=2022-11-28#delete-a-github-actions-cache-for-a-repository-using-a-cache-id
+      actions: write
+      contents: read
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Cleanup
+        run: |
+          gh extension install actions/gh-actions-cache
+          REPO=${{ github.repository }}
+          BRANCH=refs/pull/${{ github.event.pull_request.number }}/merge
+          echo "Fetching list of cache key"
+          cacheKeysForPR=$(gh actions-cache list -R $REPO -B $BRANCH | cut -f 1 )
+
+          ## Setting this to not fail the workflow while deleting cache keys. 
+          set +e
+          echo "Deleting caches..."
+          for cacheKey in $cacheKeysForPR
+          do
+              gh actions-cache delete $cacheKey -R $REPO -B $BRANCH --confirm
+          done
+          echo "Done"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/phpstan.yml

@@ -9,9 +9,7 @@ concurrency:
     cancel-in-progress: true
 
 env:
-  CACHE_KEY_PART: >
-    ${{ ( github.event_name == 'pull_request' ) && github.base_ref
-     }}${{ ( github.event_name == 'pull_request' ) && '-' }}${{ github.head_ref }}
+  CACHE_KEY_PART: ${{ github.event_name == 'pull_request' && format('{0}-{1}', github.base_ref, github.head_ref) || github.ref_name }}
   GITHUB_JSON: ${{ toJSON(github) }} # Helps in debugging Github Action
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
@@ -58,7 +56,8 @@ jobs:
       # Run PHPStan
       - name: Run PHPStan
         id: phpstan
-        run: phpstan -vvv analyse --error-format=checkstyle --memory-limit 4G -a build/phpstan/bootstrap_action.php -c phpstan.neon | cs2pr --graceful-warnings
+        run: |
+          phpstan -vvv analyse --error-format=checkstyle --memory-limit 7G -a build/phpstan/bootstrap_action.php | tee _stan.xml | cs2pr --graceful-warnings
         # continue-on-error: true
 
       # Save cache
@@ -68,3 +67,10 @@ jobs:
         with:
           path: ./.github/tmp
           key: phpstan-cache-${{ matrix.php-version }}-${{ env.CACHE_KEY_PART }}-${{ github.run_id }}
+      - name: Provide phpstan log as artifact
+        uses: actions/upload-artifact@v4
+        if: ${{ always() }}
+        with:
+          name: phpstan-srcrt
+          path: ${{ github.workspace }}/_stan.xml
+          retention-days: 2

.github/workflows/windows-ci.yaml

@@ -1,41 +1,39 @@
 ---
 name: Win CI
+# yamllint disable-line rule:truthy
 on:
   push:
   pull_request:
   workflow_dispatch:
-
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref
+    }}
   cancel-in-progress: true
-
 env:
   PHPUNIT_LOG: phpunit_tests.log
   DOLIBARR_LOG: documents/dolibarr.log
   PHPSERVER_LOG: phpserver.log
-  PHPSERVER_DOMAIN_PORT: 127.0.0.1:8000 # could be 127.0.0.1:8000 if config modified
-  CACHE_KEY_PART: ${{ ( github.event_name == 'pull_request' ) && github.base_ref }}${{ ( github.event_name == 'pull_request' ) && '-' }}${{ github.head_ref }}
-  PHP_INI_SCAN_DIR: "C:\\myphpini"
+  PHPSERVER_DOMAIN_PORT: 127.0.0.1:8000  # could be 127.0.0.1:8000 if config modified
+  CACHE_KEY_PART: ${{ github.event_name == 'pull_request' && format('{0}-{1}', github.base_ref, github.head_ref) || github.ref_name }}
+  PHP_INI_SCAN_DIR: C:\myphpini
   CKEY: win-ci-2
-
+  GITHUB_JSON: ${{ toJSON(github) }} # Helps in debugging Github Action
 jobs:
   win-test:
     strategy:
       matrix:
         os: [windows-latest]
         # php_version: [7.4, 8.0]  # Add more versions if needed
-        php_version: [7.4] # Add more versions if needed
+        php_version: [7.4]  # Add more versions if needed
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-
       - name: Setup MariaDB
         uses: ankane/setup-mariadb@v1
         with:
           # mariadb-version: ${{ matrix.mariadb-version }}
-          database: travis # Specify your database name
-
+          database: travis  # Specify your database name
       - name: Setup PHP
         uses: shivammathur/setup-php@v2
         with:
@@ -57,16 +55,18 @@ jobs:
         id: cache
         uses: actions/cache/restore@v4
         with:
+          # See https://github.com/actions/cache/issues/1275#issuecomment-1925217178
+          enableCrossOsArchive: true 
           path: |
             db_init.sql
             db_init.sql.md5
-          key: ${{ matrix.os }}-${{ env.ckey }}-${{ matrix.php_version }}-${{ env.CACHE_KEY_PART }}-${{ github.run_id }}
+          key: ${{ matrix.os }}-${{ env.ckey }}-${{ matrix.php_version }}-${{ env.CACHE_KEY_PART
+            }}-${{ github.run_id }}
           restore-keys: |
             ${{ matrix.os }}-${{ env.ckey }}-${{ matrix.php_version }}-${{ env.CACHE_KEY_PART }}-
             ${{ matrix.os }}-${{ env.ckey }}-${{ matrix.php_version }}-${{ github.head_ref }}-
             ${{ matrix.os }}-${{ env.ckey }}-${{ matrix.php_version }}-${{ github.base_ref }}-
             ${{ matrix.os }}-${{ env.ckey }}-${{ matrix.php_version }}-
-
       - name: Create local php.ini
         shell: cmd
         if: false
@@ -91,7 +91,6 @@ jobs:
           SET PHP_INI_SCAN_DIR=
           ECHO "==== Verify it is used by PHP ==="
           php --ini
-
       - name: Run Bash script
         # Note this is bash (MSYS) on Windows
         shell: bash
@@ -106,7 +105,6 @@ jobs:
           ls -l
           echo "TEE=$(cygpath -w "$(which tee)")" >> "$GITHUB_ENV"
           echo "BASEDIR=$(realpath .)" >> "$GITHUB_ENV"
-
       - name: Start web server
         id: server
         if: false
@@ -115,9 +113,8 @@ jobs:
           Start-Process -FilePath "php.exe" -WindowStyle Hidden -ArgumentList "-S ${{ env.PHPSERVER_DOMAIN_PORT }} -t htdocs > ${{ env.PHPSERVER_LOG }}" -PassThru
           curl "http://${{ env.PHPSERVER_DOMAIN_PORT }}"
         shell: powershell
-
       - name: Run PHPUnit tests
-        continue-on-error: true
+        # continue-on-error: true
         shell: cmd
         # setting up php.ini, starting the php server are currently in this step
         run: |-
@@ -146,15 +143,13 @@ jobs:
           cat htdocs/conf/conf.php
           curl "http://${{ env.PHPSERVER_DOMAIN_PORT }}"
           REM 'DOSKEY' USED to recover error code (no pipefile equivalent in windows?)
-          ( php "%PHPROOT%\phpunit" -d memory_limit=-1 -c %CD%\test\phpunit\phpunittest.xml "test\phpunit\AllTests.php" & call doskey /exename=err err=%%^^errorlevel%% ) | "${{ env.TEE }}" "${{ env.PHPUNIT_LOG }}"
+          ( php "%PHPROOT%\phpunit" -d memory_limit=-1 -c %CD%\test\phpunit\phpunittest.xml "test\phpunit\AllTests.php" --exclude-group WindowsWaitingForFix & call doskey /exename=err err=%%^^errorlevel%% ) | "${{ env.TEE }}" "${{ env.PHPUNIT_LOG }}"
           for /f "tokens=2 delims==" %%A in ('doskey /m:err') do EXIT /B %%A
-
       - name: Convert Raw Log to Annotations
         uses: mdeweerd/[email protected]
         if: ${{ failure() }}
         with:
           in: ${{ env.PHPUNIT_LOG }}
-
       - name: Provide dolibarr and phpunit logs as artifact
         uses: actions/upload-artifact@v4
         if: ${{ ! cancelled() }}
@@ -169,9 +164,11 @@ jobs:
           retention-days: 2
 
       # Save cache
-      - name: "Save cache"
+      - name: Save cache
         uses: actions/cache/save@v4
         if: ${{ ! cancelled() }}
         with:
+          # See https://github.com/actions/cache/issues/1275#issuecomment-1925217178
+          enableCrossOsArchive: true 
           key: ${{ steps.cache.outputs.cache-primary-key }}
           path: db_init.*

.gitignore

@@ -66,12 +66,26 @@ doc/install.lock
 /composer.json
 /composer.lock
 
-# to execute pre-commit
-local.sh
+# Local script, executed during pre-commit
+/local.sh
+
+# Local phpstan configuration
+/phpstan.neon
+/phpstan-baseline.neon
+
+# Logs
+/*.log
+
+# Vim swap files
+*.sw?
+
+# Generated by PHPUNIT.BAT
+/INI_PHPUNIT
 
 # ignore cache builds
 /build/phpstan/phpstan
 /build/phpstan/bootstrap_custom.php
 phpstan_custom.neon
 /.php-cs-fixer.cache
 /.php_cs.cache
+/.cache

ChangeLog

@@ -23,9 +23,66 @@ The following changes may create regressions for some external modules, but were
 * Some API HTTP return code were moved from 401 to 403 to better follow REST specification.
 * dolibarrtriggers class VERSION_XXX constants have been deprecated. Please use array dictionary VERSIONS['XXX'].
 * Properties ->date_update and ->date_modification were merged into date_modification.
-
-
-***** ChangeLog for 19.0.0 compared to 18.0 *****
+* All CLI tools (into /scripts) return a positive value to the shell if error (0 remains success) for a better
+  cross platform compatibility. On linux the exit(-1) was caught as 255, it may be now exit(1) so will be caught as 1.
+* the parameter $filter of method fetchAll does not accept array of SQL but must be a string of an Universal Search Filter syntax.
+* Use of dol_eval with parameter $returnvalue=0 is deprecated.
+* The signature for all ->delete() method has been modified to match the modulebuilder template (so first paramis now always $user), except
+  the delete for thirdparty (still accept the id of thirdparty to delete as first parameter). Will probably be modified into another version.
+* Route for API /thirdparties/gateways has been renamed into /thirdparties/accounts
+* The $userdoneid in actioncomm class is deprecated. Please use $userownerid instead.
+* The field fk_user_done in actioncomm table is deprecated. Please use fk_user_action instead.
+* The AGENDA_ENABLE_DONEBY hidden option is deprecated.
+
+
+***** ChangeLog for 19.0.1 compared to 19.0.0 *****
+
+FIX: 16.0 - parent company gets emptied when updating a third party from the card in edit mode (#28269)
+FIX: #22948
+FIX: #28205
+FIX: 28251 Fixing subpermission name on api_multicurrencies.class.php (#28252)
+FIX: #28369
+FIX: #28429
+FIX: #28491 (#28522)
+FIX: #28518 (#28520)
+FIX: #28533 Mo::deleteLine removes the "main" MoLine if consumed line is delete (#28535)
+FIX: #28564
+FIX: Adding the dependencies list feature for extrafields "select" (#28549)
+FIX: Add new hidden conf "DISABLE_QTY_OVERWRITTEN" (#28523)
+FIX: avoid error "Column 'entity' in where clause is ambiguous" (#28270)
+FIX: avoid Unknown column 'pfp.ref_fourn' (#28145)
+FIX: avoid warning "error parsing attribute name in Entity" (#28543)
+FIX: Bad column for total in bom list
+FIX: Bad condition on button back to draft on recruitment job.
+FIX: Bad CRLF when sending text only content. Fix dol_htmlwithnojs()
+FIX: Bad picto on list of permission of a user when user not admin
+FIX: bad timezone for the start/end date of an event
+FIX: Better test on validity of compute field syntax with parenthesis
+FIX: close #28279
+FIX: disabled pito of menu must be greyed.
+FIX: Don't display column when it's out of date (#28271)
+FIX: duplicate with lines: 414-416 (#28358)
+FIX: Error When cloning fourn price no default value for tva_tx (#28368)
+FIX: migration missing 2 columns in llx_resource and 1 in llx_user
+FIX: missing trans
+FIX: notification module: for supplier orders (any of the 3 triggers), user can choose an e-mail template in conf, but the conf is not used when sending the notification (#28216)
+FIX: Not truncate the multicurrency rate shown on cards (even if the global MAIN_MAX_DECIMALS_SHOWN is set to 0) (#28211)
+FIX: Payment on customer invoice - Remove accountid in url if empty for apply default value (#28156)
+FIX: Pb in redirect of a website page in USEDOLIBARRSERVER mode
+FIX: PHP Warning: Undefined variable $lib (#28342)
+FIX: Picto for mime
+FIX: position of field in list of field in shipment list
+FIX: postgresql error (#28542)
+FIX: quote in sql request
+FIX: Responsive on admin project
+FIX: Shipment closing action has wrong value (#28174)
+FIX: some tooltips has disappeared on invoice action button
+FIX: Special code is now transmitted by args only in order supplier (#28546)
+FIX: subscription must be editable when accounting isn't reconciled (#28469)
+FIX: Value of field int = 0 from modulebuilder must not be set to null
+
+
+***** ChangeLog for 19.0.0 compared to 18.0.0 *****
 
 For users:
 ----------

README.md

@@ -5,21 +5,21 @@
 [![GitHub release](https://img.shields.io/github/v/release/Dolibarr/dolibarr)](https://github.com/Dolibarr/dolibarr)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5521/badge)](https://bestpractices.coreinfrastructure.org/projects/5521)
 
-Dolibarr ERP & CRM is a modern software package that helps manage your organization's activity (contacts, suppliers, invoices, orders, stocks, agenda…).
+Dolibarr ERP & CRM is a modern software package that helps manage your organization's activities (contacts, suppliers, invoices, orders, stocks, agenda…).
 
-It's an Open Source Software suite (written in PHP with optional JavaScript enhancements) designed for small, medium or large companies, foundations and freelancers.
+It's an Open-Source Software suite (written in PHP with optional JavaScript enhancements) designed for small, medium or large companies, foundations and freelancers.
 
 You can freely use, study, modify or distribute it according to its license.
 
-You can use it as a standalone application or as a web application to access it from the Internet or a LAN.
+You can use it as a standalone application or as a web application to access it from the Internet or from a LAN.
 
 Dolibarr has a large community ready to help you, free forums and [preferred partners ready to offer commercial support should you need it](https://partners.dolibarr.org)
 
 ![ScreenShot](https://www.dolibarr.org/medias/dolibarr_screenshot1_1920x1080.jpg)
 
 ## LICENSE
 
-Dolibarr is released under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version (GPL-3+).
+Dolibarr is released under the terms of the GNU General Public License as published by the Free Software Foundation; either Version 3 of the License, or (at your option) any later version (GPL-3+).
 
 See the [COPYING](https://github.com/Dolibarr/dolibarr/blob/develop/COPYING) file for a full copy of the license.
 
@@ -29,7 +29,7 @@ Other licenses apply for some included dependencies. See [COPYRIGHT](https://git
 
 ### Simple setup
 
-If you have low technical skills and you're looking to install Dolibarr ERP/CRM in just a few clicks, you can use one of the packaged versions:
+If you have low technical skills and you're looking to install Dolibarr ERP/CRM with just a few clicks, you can use one of the packaged versions:
 
 - [DoliWamp for Windows](https://wiki.dolibarr.org/index.php/Dolibarr_for_Windows_(DoliWamp))
 - [DoliDeb for Debian](https://wiki.dolibarr.org/index.php/Dolibarr_for_Ubuntu_or_Debian)

SECURITY.md

@@ -11,7 +11,9 @@ Security report are valid only on current stable version (see https://dolibarr.o
 To report a vulnerability, for a private report, you can:
 
 - Send your report on Vulnerability Disclosure Program (VDP) [https://app.yogosha.com/cvd/dolibarr/10VxeNx6Ui3rSEhAgX63US](https://app.yogosha.com/cvd/dolibarr/10VxeNx6Ui3rSEhAgX63US) (recommended for everybody)
+<!--
 - Or if you have permissions, use GitHub security advisory at [https://github.com/Dolibarr/dolibarr/security/advisories/new](https://github.com/Dolibarr/dolibarr/security/advisories/new)
+-->
 - Or send an email to [email protected] with clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
 
 ## Hunting vulnerabilities on Dolibarr
@@ -102,3 +104,5 @@ Scope is the web application (backoffice) and the APIs.
 * SSL/TLS best practices
 * Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM/DMARC)
 * Physical or social engineering attempts or issues that require physical access to a victim’s computer/device
+* Vulnerabilities of type XSS exploited by using javascript into a website page (with permission to edit website pages) or by using php code into a website page
+  using the permission to edit php code are not qualified, except if this allow to get higher privileges (being able to set javascript or php code is the expected behaviour).