6,051 Reply by apmuthu

(9 replies, posted in FA Modifications)

The same would apply to different databases (assuming db names too are sequential / guessable) if permitted for the same db user. That is why the db user too must be different for each company's different database.

A config variable can be introduced to decide if the session variables (db user, db name, db pwd) should be allowed to pre-populate the create company form with initial values. Each company should have their own db user with privileges for their company's prefix only.

Thankyou for pointing out the vulnerability with fine clarity. In the meanwhile, we should not give restore functionality to the company admins and keep it with the Super Admin only.

Another possible solution (may not apply to limited hosting accounts) would be to auto generate the db name, db username, and db password for the company using a non displayed privileged db user.

One more solution would be to parse the sqls for create / insert (no select or update) statements only and pertaining to the current user's company prefix alone during a restore. Beware of compound insert cum select statements.

Go to forum: FA Modifications

6,052 Reply by apmuthu

(16 replies, posted in Modules Add-on's)

After the release of FA v2.3.12 (Mercurial Changeset 3061), important changes have been made (in Mercurial Changeset 3068) to the all default themes' renderer.php files that need to be backported to the existing non default themes to make them compatible for use in future releases.

In Mercurial Changeset 3068 certain rendering functions viz.,

    check_application_access
    check_module_access
    hide_inaccessible_menu_items

have been shifted from 

    themes/*/renderer.php files

to 

    includes/current_user.inc

Hence in the  hitherto non-default themes, the renderer.php files must get rid of the said functions and replace the following calls:

$this->check_application_access($app)
$this->check_application_access($selected_app)
$this->check_module_access($module)
$this->hide_inaccessible_menu_items()

with 

$_SESSION["wa_current_user"]->check_application_access($app)
$_SESSION["wa_current_user"]->check_application_access($selected_app)
$_SESSION["wa_current_user"]->check_module_access($module)
$_SESSION["wa_current_user"]->hide_inaccessible_menu_items()

respectively.

Consequently, the function menu_header in the themes/*/renderer.php file will no longer need access to the variable $show_inaccessible_menu_items from the global context as it now has access to it's SESSION variable instead.

ie.,

global $path_to_root, $help_base_url, $db_connections, $show_inaccessible_menu_items;

will now be:

global $path_to_root, $help_base_url, $db_connections;

Go to forum: Modules Add-on's

6,053 Reply by apmuthu

(9 replies, posted in FA Modifications)

Disable rights for the dbuser for the said default db in question!

Anyway, only the default admin company (0) gets to use the Create/Add New Company Meny Item - so where's the security vulnerability?

Go to forum: FA Modifications

6,054 Reply by apmuthu

(22 replies, posted in Accounts Receivable)

Web ERP's lead developer Phil Daintree's company LogicWorks provides a compiled POS connector and desktop application (Win, Lin, Mac - Counter-Logic Point of Sale System) for an annual fee of USD 75/-. There is no such equivalent in FA - AFAIK. It is based on Python and compiled and uses the Zadig USB Driver Installer from the libwdi project on Sourceforge and Python esc/pos project at Googlecode.

With rich HTML5 capabilities, it shouldn't be long before a completely free POS becomes available for FA. Chris Muench's PHP Point of Sale was free till they went closed source (USD 99/- per install with 1yr free upgrades), the last free version with all features are available as a WebApp for the BlueQuartz/BlueOnyx project (BQBO-webapp-phpos-11.3.pkg) and is privately available with a few developers.

The current open source version fork of the PHPPOS is available as Open Source POS. Their latest v2.01 released a few days ago is here.

Go to forum: Accounts Receivable

6,055 Reply by apmuthu

(9 replies, posted in FA Modifications)

Even without this, one can still change the database name before submitting the form to add a new company. Infact, the new different database may already have been created outside of FA and that is what v2.3.12 actually solves.

Go to forum: FA Modifications

6,056 Topic by apmuthu

(0 replies, posted in FA Modifications)

Check out the Bug Fix 1792 and control the default exchange rate provider in config.php file.....

Download Xchg_Rate_Fix.zip.

Works wonderfully on v2.3.12.

Hope this and the earlier BugFix 1785 make it to the core code base of v2.3.12 soon.....

Is the development work to be exclusively shifted to the v2.4 branch for now?

Go to forum: FA Modifications

6,057 Reply by apmuthu

(19 replies, posted in Installation)

check permissions of the /var/php_sessions/ folder and ask godaddy to fix it.

Go to forum: Installation

6,058 Reply by apmuthu

(6 replies, posted in FA Modifications)

In what way is your login screen different from the standard one? Check the diffs of the login.php and see what has changed....

Go to forum: FA Modifications

6,059 Reply by apmuthu

(66 replies, posted in Modules Add-on's)

Awaiting module for testing.
Looks great.

Will it be availabe for v2.4 only?

Tried out the project (not working) on google code - looks like the install functions do not match the current v2.3.12 module install specs.

Have created a tarball of the latest google repo at:

To get it, had to install Git on Lenny and update it thus:

apt-get update
apt-get install git git-core
cd /usr/src
wget http://ftp.us.debian.org/debian/pool/main/g/git/git_1.7.2.5-3_amd64.deb
dpkg -i git_1.7.2.5-3_amd64.deb
wget http://ftp.us.debian.org/debian/pool/main/g/git/git-core_1.7.2.5-3_all.deb
dpkg -i git-core_1.7.2.5-3_all.deb

Google code repo accepts only Git v1.6.6+ and Lenny had v1.5.6+ only.

Then did a clone:

git clone https://code.google.com/p/fa-payroll-module/
tar -czf FA_Payroll_Module_Git_`date +%Y-%m-%d`.tar.gz fa-payroll-module

Go to forum: Modules Add-on's

6,060 Reply by apmuthu

(34 replies, posted in Modules Add-on's)

Attempting a git clone of the fa payroll module from google results in an error:

# git clone https://code.google.com/p/fa-payroll-module/
Initialized empty Git repository in /var/lib/vz/Repos/Git/fa-payroll-module/.git/
warning: remote HEAD refers to nonexistent ref, unable to checkout.

Go to forum: Modules Add-on's

6,061 Reply by apmuthu

(3 replies, posted in Installation)

Windows or Linux - generally permissions affect all linux boxes and the newer windows server boxes.
In linux, chmod / chown are your friends.

Go to forum: Installation

6,062 Reply by apmuthu

(9 replies, posted in FA Modifications)

Thanks Janusz, no hurry. Meanwhile, have posted updated LoginDelay Fix for BugPost 1785

Go to forum: FA Modifications

6,063 Topic by apmuthu

(7 replies, posted in Announcements)

FrontAccounting v2.3.12 has been released over the weekend and since the primary site is not fully updated, the links are as follows:

Mercurial Dev

Bug Reporting

Download Page

FA Mercurial Usage on Wiki

Please note that the forum post on CAPTCHA integration needs to be modified to suit the new login failed attempts delay feature in this version.

Please see this forum post on same database usage vulnerability and fixes.

Snapshots as on 14th Nov 2012 (Mercurial Build 3099) are available: v2.3.12+ and v2.4a. Please test them extensively to obtain a bug free next release. Those who want to install only the 46 files that have changed in Mercurial Build 3099 since the release of v2.3.12 can take them from the attachment herein. The changes in config.default.php need to be made in the existing config.php file.

Go to forum: Announcements

6,064 Reply by apmuthu

(9 replies, posted in FA Modifications)

If it doesn't make it to the code base, can it find a place in the Wiki? (Placed in Wiki)

Now that the failed login delay feature has been introduced in v2.3.12, the above code needs to modified carefully in the light of changes to login.php and other files listed above.

Go to forum: FA Modifications

6,065 Reply by apmuthu

(9 replies, posted in FA Modifications)

Configurable Delay after specified login attempts is quite nice. May need to store login attempts somewhere or stale failed logins would false trigger.

Since the captcha is only on initial login (not for timeouts) and is configurable in the config.php would it's integration into the base code prove troublesome? The download size would become huge due tot he audio scripts - maybe another config variable for controlling audio enablement on captcha would be desirable. Yes the CAPTCHA proved very tiresome during repetitive testing....

Can it be encapsulated as an optional plugin (bundled with securimage code) ?

Go to forum: FA Modifications

6,066 Topic by apmuthu

(9 replies, posted in FA Modifications)

Would you like the Securimage CAPTCHA integration to get into the code base for the current v2.3.11+ in mercurial repo?

Details at:
Feature Posted At Bugs (#1783) Site

Download in debian with:

cd /var/www
wget -O securimage.tar.gz https://github.com/dapphp/securimage/tarball/master
mkdir -p /var/www/frontac/securimage
tar -xzf securimage.tar.gz -C /var/www/frontac/securimage --strip-components=1

FA Securimage Integration notes:

FA uses it's own session name computed using the domain / uri string it was installed at.
FA's JavaScripts for Ajax and other HttpRequests use the default PHPSESSID session name.
The Securimage SQLite DB is not being used by default andonly SESSION variables are used.
The Audio files account for over 95% of the securimage download size.

CAPTCHA Session variables used:

$_SESSION = Array (
......

    [securimage_code_disp]  => Array ( [default] => bnGp24 ) 
    [securimage_code_value] => Array ( [default] => bngp24 ) 
    [securimage_code_ctime] => Array ( [default] => 1347630909)

)

The files:

Place the securimage library in the securimage folder at the webroot.
Copy the securimage/securimage_show.php to securimage/securimage_show_n.php

File: securimage/securimage_show_n.php
Insert at the very top after the opening PHP tag:

$sn = (isset($_GET['sn']) ? trim($_GET['sn']) : 'PHPSESSID');
$oldsess = session_name($sn);

Append at the very last:

session_name($oldsess);

File: config.default.php
Append before last closing PHP tag:

/*  Should FA use CAPTCHA for login form?
    false for no       true for yes
    Get the securimage code at https://github.com/dapphp/securimage/zipball/master
    Extract the contents into the securimage folder under the webroot.
*/

    $use_captcha_for_login = false;

The above variable must be set to true for CAPTCHA use.
It defaults to false for backwards compatibility.


File: access/login.php
Insert at Line 102:

//         Use CAPTCHA only for fresh login and not for timeouts
        if ($use_captcha_for_login && !($login_timeout)) 
        {
            start_row();
?>
            <td colspan="2">
                <img id="siimage" 
                    style="border: 1px solid #000; margin-right: 15px" 
                    src="securimage/securimage_show_n.php?sn=<?php echo session_name(); ?>&sid=<?php echo md5(uniqid()) ?>" 
                    alt="CAPTCHA Image" align="left">
                <object type="application/x-shockwave-flash" 
                    data="securimage/securimage_play.swf?bgcol=#ffffff&amp;icon_file=securimage/images/audio_icon.png&amp;audio_file=securimage/securimage_play.php" 
                    height="32" width="32">
                  <param name="movie" 
                    value="securimage/securimage_play.swf?bgcol=#ffffff&amp;icon_file=securimage/images/audio_icon.png&amp;audio_file=securimage/securimage_play.php" />
                </object>
                &nbsp;
                <a tabindex="-1" style="border-style: none;" href="#" title="Refresh Image" 
                    onclick="document.getElementById('siimage').src = 'securimage/securimage_show_n.php?sn=<?php echo session_name(); ?>&sid=' + Math.random(); this.blur(); return false">
                <img src="securimage/images/refresh.png" alt="Reload Image" 
                    height="32" width="32" 
                    onclick="this.blur()" align="bottom" border="0"></a>
                <br />
                <strong>Enter Code*:</strong><br />
                <input type="text" name="ct_captcha" size="12" maxlength="8" />
            </td>
<?php
            end_row();
        }

File: includes/current_user.inc
Insert at Line 78:

            if (!($this->timeout)) captchacheck();

Append following function before last closing PHP tag:

function captchacheck() {
    global $use_captcha_for_login;

    if ($use_captcha_for_login) {
        // make sure that login_timeout is not affected
        if (isset($_POST['ct_captcha'])) $_SESSION['ct_captcha'] = $_POST['ct_captcha'];
        // Check CAPTCHA
        require_once 'securimage/securimage.php';
        $securimage = new Securimage();

        $usrcaptcha = $_SESSION['ct_captcha'];

        if ($securimage->check($usrcaptcha) == false) {
            // CAPTCHA Failed
            echo "The security code entered was incorrect.<br /><br />";
            echo "Please go <a href='javascript:history.go(-1)'>back</a> and try again.";
//            captcha session variables used - unset still cannot prevent cached image
            // unset($_SESSION['securimage_code_disp']);
            // unset($_SESSION['securimage_code_value']);
            // unset($_SESSION['securimage_code_ctime']);
            exit;
//            return false;
        } else {
            // CAPTCHA OK
            return true;
        }
    } else return true;

}

Go to forum: FA Modifications

6,067 Reply by apmuthu

(11 replies, posted in Report Bugs here)

Just check if the following changeset 3055 in Mercurial does the job:

Go to forum: Report Bugs here

6,068 Reply by apmuthu

(18 replies, posted in FA Modifications)

The above does NOT WORK at all. There is no question of including it for now. I am in the process of digging into what all code is getting affected.

The date picker does not work at all correctly for this feature choice as of now.

This is only a preliminary delving into the mire that the code currently is.

Go to forum: FA Modifications

6,069 Reply by apmuthu

(18 replies, posted in FA Modifications)

Anyone wishing to carry on this development can take the modified and unmodified files (based on FA v2.3.11+ Mercurial changeset 3053) altered here from:

http://www.apmuthu.com/bugfixes/fac-dev … format.zip

No way to upload files here!

JS Tute

includes/ui/simple_crud_class.inc has some functions with no change in formatting dates - maybe need to use them - _format_output and _format_input

Go to forum: FA Modifications

6,070 Reply by apmuthu

(18 replies, posted in FA Modifications)

Ref Code:
date_cells(_("From:"), 'AfterDate', '', null, -30);

The html output in FF 15.0.1 for an incorrect display for this format that now shows for one field is:

<input 
    autocomplete="off" 
    _last_val="2012-07-13" 
    name="AfterDate" 
    class="date" 
    size="10" 
    maxlength="12" 
    value="2012-07-13" 
    type="text"> 
<a 
    tabindex="-1" 
    href="javascript:date_picker(document.getElementsByName('AfterDate')[0]);">    
<img 
    src="../../themes/default/images/cal.gif" 
    alt="Click Here to Pick up the date" 
    border="0" 
    height="16" 
    width="16">
</a>

Ref Code:
date_cells(_("To:"), 'BeforeDate');

The html output in FF 15.0.1 for a correct initial display field (but not working input function) would be like:

<input 
    autocomplete="off" 
    _last_val="12-Aug-2012" 
    name="BeforeDate" 
    class="date" 
    size="10" 
    maxlength="12" 
    value="12-Aug-2012" 
    type="text"> 
<a 
    tabindex="-1" 
    href="javascript:date_picker(document.getElementsByName('BeforeDate')[0]);">    
<img 
    src="../../themes/default/images/cal.gif" 
    alt="Click Here to Pick up the date" 
    border="0" 
    height="16" 
    width="16">
</a>

The initial input size value of 10 may need to become 11 for this format....

The parameters for the functions date_cells and date_row are same and for reference are:

$label, 
$name, 
$title = null, 
$check=null, 
$inc_days=0, 
$inc_months=0, 
$inc_years=0, 
$params=null, 
$submit_on_change=false

Go to forum: FA Modifications

6,071 Reply by apmuthu

(18 replies, posted in FA Modifications)

Additional places that need to be modified will be the date picker in the files

includes/ui/ui_input.inc (function date_cells)
and
includes/ui/ui_view.inc (function get_js_date_picker)

The insertion places in function get_js_date_picker would be:
At line 842

    $monthst = array(_("Jan"),_("Feb"),_("Mar"),_("Apr"),_("May"),_("Jun"),_("Jul"),_("Aug"),_("Sep"),_("Oct"),_("Nov"),_("Dec"));

and in the js string at line 922

  var monthst = ['$monthst[0]','$monthst[1]','$monthst[2]','$monthst[3]','$monthst[4]','$monthst[5]','$monthst[6]','$monthst[7]','$monthst[8]','$monthst[9]','$monthst[10]','$monthst[11]'];

Lines around 1043 can now be altered to:

    if ($how == 0)
        $js .= "
      var dateString = month+'$sep'+day+'$sep'+year;
";
    else if ($how == 1)
        $js .= "
      var dateString = day+'$sep'+month+'$sep'+year;
";
    else if ($how == 2)
        $js .= "
      var dateString = year+'$sep'+month+'$sep'+day;
";
    else // ($how == 3)
        $js .= "
      var dateString = year+'$sep'+monthst[month-1]+'$sep'+day;
";

Lines around 1180 can now be altered to:

    if ($how == 3)
        $js .= "
        selectedDay = parseInt(dateParts[0],10);
        selectedMonth = monthst.indexOf(dateParts[1])+1;
        selectedYear = parseInt(dateParts[2],10);
";
    else if ($how == 0)
        $js .= "
        selectedMonth = parseInt(dateParts[0],10);
        selectedDay = parseInt(dateParts[1],10);
        selectedYear = parseInt(dateParts[2],10);
";
    else if ($how == 1)
        $js .= "
        selectedDay = parseInt(dateParts[0],10);
        selectedMonth = parseInt(dateParts[1],10);
        selectedYear = parseInt(dateParts[2],10);
";
    else
        $js .= "
        selectedYear = parseInt(dateParts[0],10);
        selectedMonth = parseInt(dateParts[1],10);
        selectedDay = parseInt(dateParts[2],10);
";

It still does not work fully........

Go to forum: FA Modifications

6,072 Reply by apmuthu

(18 replies, posted in FA Modifications)

Proposed changes for additional date format.

File: config.php / config.default.php
Replace Line 139:
    $dateformats     = array("MMDDYYYY", "DDMMYYYY", "YYYYMMDD");
With:
    $dateformats     = array("MMDDYYYY", "DDMMYYYY", "YYYYMMDD", "DDMmmYYYY");

Correct "defalt" to "default" in commented line 143.

File: includes/date_functions.inc

1.
Replace lines 38-39:
    else
        return $year.$sep.$month.$sep.$day;
With:
    elseif ($how == 2)
        return $year.$sep.$month.$sep.$day;
    else
        return $day.$sep.date('M', $year.$month.$day).$sep.$year;

2. Altered fragment in function is_date($date_) 

    elseif (strlen($date_) == 8)
    {
        if ($how == 3) // So as not to affect Jalali processing
        {
            $day = substr($date_,0,1);
            $month = date('m', strtotime(substr($date_,1,3)));
            $year = substr($date_,4,4);
        }
        elseif ($how == 0)
        {
            $day = substr($date_,2,2);
            $month = substr($date_,0,2);
            $year = substr($date_,4,4);
        } 
        elseif ($how == 1)
        {
            $day = substr($date_,0,2);
            $month = substr($date_,2,2);
            $year = substr($date_,4,4);
        } 
        else
        {
            $day = substr($date_,6,2);
            $month = substr($date_,4,2);
            $year = substr($date_,0,4);
        }
    }
    elseif (strlen($date_) == 9)
    {
        if ($how == 3)
        {
            $day = substr($date_,0,2);
            $month = date('m', strtotime(substr($date_,2,3)));
            $year = substr($date_,5,4);
        }
        else
            return 0;
    }

3. Altered fragment in function sql2date[$date_) 

    // Split up the date by the separator based on "how" to split it
    if ($how == 0) // MMDDYYYY
        list($month, $day, $year) = explode($sep, $date_);
    elseif ($how == 1) // DDMMYYYY
        list($day, $month, $year) = explode($sep, $date_);
    elseif ($how == 2) // YYYYMMDD
        list($year, $month, $day) = explode($sep, $date_);
    elseif ($how == 3) // DDMmmYYYY
        list($year, $month, $day) = explode($sep, date('Y-m-d', strtotime($date_)));
    else
        return "";

Go to forum: FA Modifications

6,073 Reply by apmuthu

(7 replies, posted in Report Bugs here)

Thanks for the details Januz. A comparative review, even if considered biased, it's low degree of such bias will make for a nice ranking and trust if it is from the horse's mouth so to say.

In fact the ease with which FA could be implemented without a ton of ZZ maintenance scripts was what enticed me to offer it to the OpenVZ (ProxMox VE) community and you will therefore see quite a lot of upgrade requests from v2.2.11 (last released OpenVZ template) to the 2.3 versions. From v2.1 to v2.2.11, every significant development state was diff'ed and patches offered to the community, sometimes even twice a day when warranted, that prompted many to take the plunge into FA.

Go to forum: Report Bugs here

6,074 Reply by apmuthu

(18 replies, posted in FA Modifications)

Thanks for the info Janusz. Please direct me to where you have a Roadmap listed.

Will work on this feature when time permits as it needs a complete implementation.  This is the preferred date format in ASEAN countries what with the EU/US confusion on the date score...especially for CPAs who need to cater to clients across the globe and have "unambiguous" reports.

We need to cull out all instances of
1. Date Display
2. Date Form Fields
3. Date Picker (through wrapper function)
4. Date Picker (any unwrapped)
5. Date field computation
6. Date in SQL unabstracted

Any inputs here will help make for a smooth integration without catastrophic suprises.

Go to forum: FA Modifications

6,075 Reply by apmuthu

(2 replies, posted in Misc. Charts of Accounts)

Fair enough. Atleast the order of the SQL statements would make it easier to track the changes - All DROP DATABASE statements first, then all the CREATE DATABASE statements and then the INSERT INTO statements all the while maintaining the alphabetical order of table names.

This way, each COA needs to change only in the last part - INSERT INTO statemenst alone.

Go to forum: Misc. Charts of Accounts