From 89e8f24e1509de7c37f7d225a05ac93e1d900622 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 18 Sep 2021 22:38:25 +0200
Subject: [PATCH] Fix CSRF protection for all massactions

---
 htdocs/comm/propal/list.php | 5 +++--
 htdocs/commande/list.php | 12 +++++++-----
 htdocs/langs/en_US/errors.lang | 1 +
 htdocs/langs/en_US/main.lang | 1 +
 htdocs/main.inc.php | 3 ++-
 5 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php
index ff8a583b0efc6..bff848c78e26c 100644
--- a/htdocs/comm/propal/list.php
+++ b/htdocs/comm/propal/list.php
@@ -316,13 +316,14 @@
 if ($tmpproposal->fetch($checked)) {
 if ($tmpproposal->statut == 0) {
 if ($tmpproposal->valid($user)) {
- setEventMessage($tmpproposal->ref." ".$langs->trans('PassedInOpenStatus'), 'mesgs');
+ setEventMessage($langs->trans('hasBeenValidated', $tmpproposal->ref), 'mesgs');
 } else {
 setEventMessage($langs->trans('CantBeValidated'), 'errors');
 $error++;
 }
 } else {
- setEventMessage($tmpproposal->ref." ".$langs->trans('IsNotADraft'), 'errors');
+ $langs->load("errors");
+ setEventMessage($langs->trans('ErrorIsNotADraft', $tmpproposal->ref), 'errors');
 $error++;
 }
 } else {
diff --git a/htdocs/commande/list.php b/htdocs/commande/list.php
index d91638fcf52cd..22b24c048a26f 100644
--- a/htdocs/commande/list.php
+++ b/htdocs/commande/list.php
@@ -309,13 +309,14 @@
 $idwarehouse = 0;
 }
 if ($objecttmp->valid($user, $idwarehouse)) {
- setEventMessage($objecttmp->ref." ".$langs->trans('PassedInOpenStatus'), 'mesgs');
+ setEventMessage($langs->trans('hasBeenValidated', $objecttmp->ref), 'mesgs');
 } else {
 setEventMessage($langs->trans('CantBeValidated'), 'errors');
 $error++;
 }
 } else {
- setEventMessage($objecttmp->ref." ".$langs->trans('IsNotADraft'), 'errors');
+ $langs->load("errors");
+ setEventMessage($langs->trans('ErrorIsNotADraft', $objecttmp->ref), 'errors');
 $error++;
 }
 } else {
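Review bot: The new key `hasBeenValidated` breaks the naming convention of every other key visible in main.lang (`RecordsApproved`, `Properties`, and the `PassedInClosedStatus` used in the commande/list.php hunks all start with a capital), and the same key is used in the first commande/list.php hunk; renaming it `HasBeenValidated` at both call sites and in main.lang before other language files pick it up would avoid carrying the inconsistency forward. `$langs->load("errors")` is also placed inside the per-record `else` branch in this hunk and in both commande/list.php hunks, so it runs once per rejected record; hoisting it to the start of the mass-action handler reads better, assuming load() is idempotent as the repeated calls suggest. The `$checked` argument implies these lines sit in a loop over the selected ids, but that loop and its `$massaction` guard start outside the hunk.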
@@ -339,13 +340,14 @@
 if ($objecttmp->fetch($checked)) {
 if ($objecttmp->statut == 1) {
 if ($objecttmp->cloture($user)) {
- setEventMessage($objecttmp->ref." ".$langs->trans('PassedInOpenStatus'), 'mesgs');
+ setEventMessage($langs->trans('PassedInClosedStatus', $objecttmp->ref), 'mesgs');
 } else {
- setEventMessage($langs->trans('CantBeValidated'), 'errors');
+ setEventMessage($langs->trans('CantBeClosed'), 'errors');
 $error++;
 }
 } else {
- setEventMessage($objecttmp->ref." ".$langs->trans('IsNotADraft'), 'errors');
+ $langs->load("errors");
+ setEventMessage($langs->trans('ErrorIsNotADraft', $objecttmp->ref), 'errors');
 $error++;
 }
 } else {
diff --git a/htdocs/langs/en_US/errors.lang b/htdocs/langs/en_US/errors.lang
index 79bc0e1c088f4..efe5e069b603b 100644
--- a/htdocs/langs/en_US/errors.lang
+++ b/htdocs/langs/en_US/errors.lang
@@ -270,6 +270,7 @@ ErrorActionCommBadType=Selected event type (id: %n, code: %s) do not exist in Ev
 CheckVersionFail=Version check fail
 ErrorWrongFileName=Name of the file cannot have __SOMETHING__ in it
 ErrorNotInDictionaryPaymentConditions=Not in Payment Terms Dictionary, please modify.
+ErrorIsNotADraft=%s is not a draft
 
 # Warnings
 WarningParamUploadMaxFileSizeHigherThanPostMaxSize=Your PHP parameter upload_max_filesize (%s) is higher than PHP parameter post_max_size (%s). This is not a consistent setup.
diff --git a/htdocs/langs/en_US/main.lang b/htdocs/langs/en_US/main.lang
index 6c3061a192f2d..b68b62c2a43e6 100644
--- a/htdocs/langs/en_US/main.lang
+++ b/htdocs/langs/en_US/main.lang
@@ -1155,3 +1155,4 @@ ConfirmMassLeaveApproval=Mass leave approval confirmation
 RecordAproved=Record approved
 RecordsApproved=%s Record(s) approved
 Properties=Properties
+hasBeenValidated=%s has been validated
\ No newline at end of file
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index f785ed43e002a..8f7fac9e1c353 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
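Review bot: The `else` branch of `if ($objecttmp->statut == 1)` now emits `ErrorIsNotADraft` ("%s is not a draft"), but the record was rejected here because it is not in the validated/open state required for `cloture()`, so the message tells the user the wrong reason; this branch needs its own key (something like `ErrorIsNotValidated`, to be added to errors.lang) while `ErrorIsNotADraft` stays with the validate branches. The diffstat adds only `ErrorIsNotADraft` and `hasBeenValidated`, so `PassedInClosedStatus` and `CantBeClosed` must already exist in the loaded language files or the raw keys will be displayed — worth confirming. The loop over `$checked` that encloses these lines starts outside the hunk.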
@@ -482,7 +482,8 @@ function analyseVarsForSqlAndScriptsInjection(&$var, $type)
 if (
 $_SERVER['REQUEST_METHOD'] == 'POST' ||
 $sensitiveget ||
- ((GETPOSTISSET('actionlogin') || GETPOSTISSET('action') || GETPOSTISSET('massaction')) && defined('CSRFCHECK_WITH_TOKEN'))
+ GETPOSTISSET('massaction') ||
+ ((GETPOSTISSET('actionlogin') || GETPOSTISSET('action')) && defined('CSRFCHECK_WITH_TOKEN'))
 ) {
 // If token is not provided or empty, error (we are in case it is mandatory)
 if (!GETPOST('token', 'alpha') || GETPOST('token', 'alpha') == 'notrequired') {
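Review bot: The new `GETPOSTISSET('massaction') ||` clause makes the token mandatory for mass actions regardless of HTTP method and of whether the page defined `CSRFCHECK_WITH_TOKEN`, which is the point of the commit, but nothing in the code says so; a comment above it such as `// Mass actions always require a CSRF token, even when the page did not define CSRFCHECK_WITH_TOKEN` would keep a later refactor from folding it back into the gated clause below. GETPOSTISSET() presumably tests isset(), which is true for an empty value, so a list form that submits `massaction` as an empty hidden field on a GET request now also has to carry a token — likely intended, but worth confirming no GET filter submission is broken. The comparison `== 'notrequired'` on the context line is loose; `===` would match the strict style used elsewhere. The body of this `if` continues past the hunk.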