include/Webservices/ConvertLead.php

@@ -145,18 +145,25 @@ function vtws_convertlead($entityvalues, $user) {
 
 
 	try {
-		$accountIdComponents = vtws_getIdComponents($entityIds['Accounts']);
-		$accountId = $accountIdComponents[1];
-
-		$contactIdComponents = vtws_getIdComponents($entityIds['Contacts']);
-		$contactId = $contactIdComponents[1];
-
-		if(!empty($entityIds['Potentials'])){
+		$accountId = null;
+		if (isset($entityIds['Accounts']) && $entityIds['Accounts']) {
+			$accountIdComponents = vtws_getIdComponents($entityIds['Accounts']);
+			$accountId = $accountIdComponents[1];
+		}
+		
+		$contactId = null;		
+		if (isset($entityIds['Contacts']) && $entityIds['Contacts']) {
+			$contactIdComponents = vtws_getIdComponents($entityIds['Contacts']);
+			$contactId = $contactIdComponents[1];
+		}
+		
+		$potentialId = null;
+		if(isset($entityIds['Potentials']) && $entityIds['Potentials']){
 			$potentialIdComponents = vtws_getIdComponents($entityIds['Potentials']);
 			$potentialId = $potentialIdComponents[1];
 		}
 
-		if (!empty($accountId) && !empty($contactId) && !empty($potentialId)) {
+		if (!empty($contactId) && !empty($potentialId)) {
 			$sql = "insert into vtiger_contpotentialrel values(?,?)";
 			$result = $adb->pquery($sql, array($contactId, $potentialId));
 			if ($result === false) {

include/Webservices/Create.php

@@ -64,7 +64,7 @@ function vtws_create($elementType, $element, $user) {
 				throw new WebServiceException(WebServiceErrorCode::$ACCESSDENIED,
 						"Permission to access reference type is denied" . $referenceObject->getEntityName());
 			}
-		} else if ($element[$fieldName] !== NULL) {
+		} else if (array_key_exists($fieldName, $element) && $element[$fieldName] !== NULL) {
 			unset($element[$fieldName]);
 		}
 	}
@@ -88,4 +88,4 @@ function vtws_create($elementType, $element, $user) {
 		return null;
 	}
 }
-?>
\ No newline at end of file
+?>

include/Webservices/DataTransform.php

@@ -39,7 +39,7 @@
 		}
 
 		static function filterAndSanitize($row,$meta){
-			$recordLabel = $row['label'];
+			$recordLabel = isset($row['label']) ? $row['label'] :"";
 			$row = DataTransform::filterAllColumns($row,$meta);
 			$row = DataTransform::sanitizeData($row,$meta);
 			if(!empty($recordLabel)){
@@ -103,7 +103,7 @@
 			}
 			$references = $meta->getReferenceFieldDetails();
 			foreach($references as $field=>$typeList){
-				if(strpos($row[$field],'x')!==false){
+				if(isset($row[$field]) && strpos($row[$field],'x')!==false){
 					$row[$field] = vtws_getIdComponents($row[$field]);
 					$row[$field] = $row[$field][1];
 				}
@@ -130,7 +130,7 @@
 					}
 				}
 			}
-			if($row["id"]){
+			if(isset($row["id"]) && $row["id"]){
 				unset($row["id"]);
 			}
 			if(isset($row[$meta->getObectIndexColumn()])){
@@ -139,6 +139,7 @@
 
 			$row = DataTransform::sanitizeDateFieldsForInsert($row,$meta);
 			$row = DataTransform::sanitizeCurrencyFieldsForInsert($row,$meta);
+			$row = DataTransform::sanitizeStringFields($row,$meta);
 
 			// New field added to store Source of Created Record
 			if (!isset($row['source'])) {
@@ -156,7 +157,7 @@
 			$allFields = $meta->getFieldColumnMapping();
 			$newRow = array();
 			foreach($allFields as $field=>$col){
-				$newRow[$field] = $row[$field];
+				$newRow[$field] = isset($row[$field]) ? $row[$field] : null;
 			}
 			if(isset($row[$recordString])){
 				$newRow[$recordString] = $row[$recordString];
@@ -187,7 +188,7 @@
 			}
 
 			if(!isset($row['id'])){
-				if($row[$meta->getObectIndexColumn()] ){
+				if(isset($row[$meta->getObectIndexColumn()] )){
 					$row['id'] = vtws_getId($meta->getEntityId(),$row[$meta->getObectIndexColumn()]);
 				}else{
 					//TODO Handle this.
@@ -198,7 +199,7 @@
 			}
 
 			foreach ($row as $field => $value) {
-				$row[$field] = html_entity_decode($value, ENT_QUOTES, $default_charset);
+				$row[$field] = $value ? html_entity_decode($value, ENT_QUOTES, $default_charset) : $value;
 			}
 			return $row;
 		}
@@ -207,12 +208,15 @@
 			global $adb,$log;
 			$references = $meta->getReferenceFieldDetails();
 			foreach($references as $field=>$typeList){
+				if($meta->getEntityName() == 'Users' && $field == 'roleid'){
+					continue;
+				}
 				if(strtolower($meta->getEntityName()) == "emails"){
-					if(isset($row['parent_id'])){
+					if (isset($row['parent_id']) && $row['parent_id'] !== null && strpos($row['parent_id'], '@') !== false) {					
 						list($row['parent_id'], $fieldId) = explode('@', $row['parent_id']);
 					}
 				}
-				if($row[$field]){
+				if(isset($row[$field]) && $row[$field]){
 					$found = false;
 					foreach ($typeList as $entity) {
 						$webserviceObject = VtigerWebserviceObject::fromName($adb,$entity);
@@ -270,7 +274,7 @@
             foreach ($moduleFields as $fieldName => $fieldObj) {
                 if (in_array($fieldObj->getUIType(), $supportedUITypes)) {
                     //while doing retrieve operation we have record_id and on query operation we have id.
-                    $id = $row['record_id'] ? $row['record_id'] : $row['id'];
+                    $id = isset($row['record_id']) ? $row['record_id'] : (isset($row['id']) ? $row['id'] : null);
                     $ids = Vtiger_Functions::getAttachmentIds($id, $meta->getEntityId());
                 if($ids) {
                         foreach($ids as $id){
@@ -312,7 +316,7 @@
 							$row[$fieldName."_raw"] = $row[$fieldName];
 							$row[$fieldName] = CurrencyField::convertToUserFormat($row[$fieldName],$current_user);
 						} else if($fieldObj->getUIType() == '72') {
-							$currencyConversionRate = $row['conversion_rate'];
+							$currencyConversionRate = isset($row['conversion_rate']) ? $row['conversion_rate'] : 0;
 							if (!empty($currencyConversionRate)) {
 								$rawBaseCurrencyValue = CurrencyField::convertToDollar($row[$fieldName], $currencyConversionRate);
 								$row[$fieldName."_raw"] = $rawBaseCurrencyValue;
@@ -329,5 +333,16 @@
 			}
 			return $row;
 		}
+
+		static function sanitizeStringFields($row,$meta){
+			if(in_array($meta->getEntityName(),array('Groups', 'Currency', 'Tax', 'ProductTaxes'))){
+				foreach ($row as $field => $value) {
+					if(is_string($value)){
+						$row[$field] = vtlib_purify($value);
+					}
+				}
+			}
+			return $row;
+		}
 	}	
 ?>

include/Webservices/EntityMeta.php

@@ -8,6 +8,7 @@
  * All Rights Reserved.
  *************************************************************************************/
 
+#[\AllowDynamicProperties]
 abstract class EntityMeta{
 	
 	public static $RETRIEVE = "DetailView";
@@ -276,4 +277,4 @@ abstract class EntityMeta{
 	abstract public function getName($webserviceId);
 	abstract public function isModuleEntity();
 }
-?>
\ No newline at end of file
+?>

include/Webservices/LineItem/VtigerInventoryMeta.php

@@ -51,7 +51,7 @@ class VtigerInventoryMeta extends VtigerCRMObjectMeta {
 		$field['displaytype'] = 1;
 		$field['uitype'] = 1;
 		$fieldDataType = 'V';
-		$typeOfData = $fieldType.'~O';
+		$typeOfData = $fieldDataType.'~O';
 
 		$field['typeofdata'] = $typeOfData;
 		$field['tabid'] = null;
@@ -61,4 +61,4 @@ class VtigerInventoryMeta extends VtigerCRMObjectMeta {
 	}
 	
 }
-?>
\ No newline at end of file
+?>

include/Webservices/LineItem/VtigerInventoryOperation.php

@@ -204,7 +204,7 @@ class VtigerInventoryOperation extends VtigerModuleOperation {
 		$element['LineItems'] = $lineItems;
 		$recordCompoundTaxesElement = $this->getCompoundTaxesElement($element, $lineItems);
 		$element = array_merge($element, $recordCompoundTaxesElement);
-		$element['productid'] = $lineItems[0]['productid'];
+		$element['productid'] = isset($lineItems[0]['productid']) ? $lineItems[0]['productid'] : "";
 		$element['LineItems_FinalDetails'] = $this->getLineItemFinalDetails($idComponents[1]);
 		return $element;
 	}
@@ -480,7 +480,7 @@ class VtigerInventoryOperation extends VtigerModuleOperation {
 			$result = $this->pearDB->pquery('SELECT * FROM vtiger_inventorychargesrel WHERE recordid = ?', array($id));
 			$rowData = $this->pearDB->fetch_array($result);
 
-			if ($rowData['charges']) {
+			if (isset($rowData['charges']) && $rowData['charges']) {
 				$allCharges = getAllCharges();
 				$shippingTaxes = array();
 				$allShippingTaxes = getAllTaxes('all', 'sh');

include/Webservices/LineItem/VtigerLineItemMeta.php

@@ -92,7 +92,7 @@ class VtigerLineItemMeta extends VtigerCRMActorMeta {
 		if(in_array($fieldName,$mandatoryFieldList)){
 			$typeOfData = $fieldType.'~M';
 		}else if(($dbField->not_null == 1 && $fieldName != 'incrementondel' 
-				&& $dbField->primary_key != 1) || $dbField->unique_key == 1){
+				&& $dbField->primary_key != 1) || (property_exists($dbField, 'unique_key') && $dbField->unique_key == 1)) {
 			$typeOfData = $fieldType.'~M';
 		}else{
 			$typeOfData = $fieldType.'~O';
@@ -105,4 +105,4 @@ class VtigerLineItemMeta extends VtigerCRMActorMeta {
 	}
 
 }
-?>
\ No newline at end of file
+?>

include/Webservices/OperationManager.php

@@ -9,7 +9,7 @@
  *************************************************************************************/
 	
 	function setBuiltIn($json){
-		$json->useBuiltinEncoderDecoder = true;
+		Zend_Json::$useBuiltinEncoderDecoder = true;
 	}
 	
 	class OperationManager{
@@ -132,10 +132,10 @@
 		}
 		
 		function handleType($type,$value){
-			$result;
-			$value = stripslashes($value);
+			$result = null;
+			$value = $value ? stripslashes($value) : "";
 			$type = strtolower($type);
-			if($this->inParamProcess[$type]){
+			if(isset($this->inParamProcess[$type]) && $this->inParamProcess[$type]){
 				$result = call_user_func($this->inParamProcess[$type],$value);
 			}else{
 				$result = $value;
@@ -210,4 +210,4 @@
 		
 	}
 	
-?>
\ No newline at end of file
+?>

include/Webservices/Update.php

@@ -71,7 +71,7 @@
 					throw new WebServiceException(WebServiceErrorCode::$ACCESSDENIED,
 						"Permission to access reference type is denied ".$referenceObject->getEntityName());
 				}
-			}else if($element[$fieldName] !== NULL){
+			}else if(array_key_exists($fieldName, $element) && $element[$fieldName] !== NULL){
 				unset($element[$fieldName]);
 			}
 		}
@@ -93,4 +93,4 @@
 		return $entity;
 	}
 	
-?>
\ No newline at end of file
+?>

include/Webservices/Utils.php

@@ -57,7 +57,7 @@ function vtws_generateRandomAccessKey($length=10){
 	$accesskey = "";
 	$maxIndex = strlen($source);
 	for($i=0;$i<$length;++$i){
-		$accesskey = $accesskey.substr($source,rand(null,$maxIndex),1);
+		$accesskey = $accesskey.substr($source,rand(0,$maxIndex),1);
 	}
 	return $accesskey;
 }
@@ -117,10 +117,19 @@ function vtws_getUserWebservicesGroups($tabId,$user){
 }
 
 function vtws_getIdComponents($elementid){
+	$elementid = (string)$elementid;
+	if ($elementid && is_numeric($elementid)) return array($elementid); // during (UserId permission check)
+	if (!$elementid || !preg_match("/[0-9]+x[0-9]+/", $elementid)) {
+		throw new WebServiceException(WebServiceErrorCode::$INVALIDID,"Id specified is incorrect");
+	}
 	return explode("x",$elementid);
 }
 
 function vtws_getId($objId, $elemId){
+	if(is_array($elemId)){$elemId=implode(' ',$elemId);}
+	if(!is_numeric($objId) || !is_numeric($elemId)) {
+		throw new WebServiceException(WebServiceErrorCode::$INVALIDID,"Id specified is incorrect");
+	}
 	return $objId."x".$elemId;
 }
 
@@ -139,9 +148,10 @@ function getEmailFieldId($meta, $entityId){
 function vtws_getParameter($parameterArray, $paramName,$default=null){
 
 	if (!get_magic_quotes_gpc()) {
-		if(is_array($parameterArray[$paramName])) {
+		$param = null;
+		if(isset($parameterArray[$paramName]) && is_array($parameterArray[$paramName])) {
 			$param = array_map('addslashes', $parameterArray[$paramName]);
-		} else {
+		} else if (isset($parameterArray[$paramName]) && $parameterArray[$paramName]) {
 			$param = addslashes($parameterArray[$paramName]);
 		}
 	} else {
@@ -479,13 +489,20 @@ function vtws_CreateCompanyLogoFile($fieldname) {
     $fileSize = $_FILES[$fieldname]['size'];
     if($fileSize != 0) {
         global $root_directory;
-        $uploaddir = $root_directory ."/test/logo/";
-        $binFile = $_FILES[$fieldname]['name'];
-        $saveLogo = validateImageFile($_FILES[$fieldname]);
-        if($saveLogo == 'true') {
-            move_uploaded_file($_FILES[$fieldname]["tmp_name"], $uploaddir.$binFile);
-            copy($uploaddir.$binFile, $uploaddir.'application.ico');
-            return $binFile;
+        //Support formats allowed to upload as per CRM UI.
+        $logoSupportedFormats = array('jpeg', 'jpg', 'png', 'gif', 'pjpeg', 'x-png');
+        
+        $file_type_details = explode("/", $_FILES[$fieldname]['type']);
+        $filetype = $file_type_details['1'];
+        if(in_array($filetype, $logoSupportedFormats)) {
+            $uploaddir = $root_directory ."/test/logo/";
+            $binFile = $_FILES[$fieldname]['name'];
+            $saveLogo = validateImageFile($_FILES[$fieldname]);
+            if($saveLogo) {
+                move_uploaded_file($_FILES[$fieldname]["tmp_name"], $uploaddir.$binFile);
+                copy($uploaddir.$binFile, $uploaddir.'application.ico');
+                return $binFile;
+            }
         }
         throw new WebServiceException(WebServiceErrorCode::$FAILED_TO_UPDATE,
             "$fieldname wrong file type given for upload");
@@ -686,7 +703,7 @@ function vtws_getFieldfromFieldId($fieldId, $fieldObjectList){
  */
 function vtws_getRelatedActivities($leadId,$accountId,$contactId,$relatedId) {
 
-	if(empty($leadId) || empty($relatedId) || (empty($accountId) && empty($contactId))){
+	if(empty($leadId) || empty($relatedId) || empty($contactId)){
 		throw new WebServiceException(WebServiceErrorCode::$LEAD_RELATED_UPDATE_FAILED,
 			"Failed to move related Activities/Emails");
 	}
@@ -1263,7 +1280,7 @@ function vtws_getCompanyId() {
 
 function vtws_recordExists($recordId) {
 	$ids = vtws_getIdComponents($recordId);
-	return !Vtiger_Util_Helper::CheckRecordExistance($ids[1]);
+	return isset($ids[1]) ? !Vtiger_Util_Helper::CheckRecordExistance($ids[1]) : null;
 }
 
 function vtws_isDuplicatesAllowed($webserviceObject){
@@ -1309,4 +1326,4 @@ function vtws_getAttachmentRecordId($attachmentId) {
     }
     return $crmid;
 }
-?>
\ No newline at end of file
+?>

include/Webservices/VTQL_Parser.php

@@ -33,16 +33,19 @@ class VTQL_ParseryyToken implements ArrayAccess
         return $this->_string;
     }
 
+    #[\ReturnTypeWillChange]
     function offsetExists($offset)
     {
         return isset($this->metadata[$offset]);
     }
 
+    #[\ReturnTypeWillChange]
     function offsetGet($offset)
     {
         return $this->metadata[$offset];
     }
 
+    #[\ReturnTypeWillChange]
     function offsetSet($offset, $value)
     {
         if ($offset === null) {
@@ -66,6 +69,7 @@ class VTQL_ParseryyToken implements ArrayAccess
         }
     }
 
+    #[\ReturnTypeWillChange]
     function offsetUnset($offset)
     {
         unset($this->metadata[$offset]);
@@ -204,7 +208,7 @@ function buildSelectStmt($sqlDump){
 	$deletedQuery = $meta->getEntityDeletedQuery();
 	$accessControlQuery = $meta->getEntityAccessControlQuery();
 	$this->query = $this->query.' '.$accessControlQuery;
-	if($sqlDump['where_condition']){
+	if(isset($sqlDump['where_condition'])){
 		// ensure init before use
 		if(!isset($sqlDump['where_condition']['operators'])) $sqlDump['where_condition']['operators'] = array();
 
@@ -283,7 +287,7 @@ function buildSelectStmt($sqlDump){
 	
 	$this->query = $this->query.' '.$deletedQuery;
 	
-	if($sqlDump['orderby']){
+	if(isset($sqlDump['orderby'])){
 		$i=0;
 		$this->query = $this->query.' ORDER BY ';
 		foreach($sqlDump['orderby'] as $ind=>$field){
@@ -294,11 +298,11 @@ function buildSelectStmt($sqlDump){
 				$this->query = $this->query.','.$columnTable[$fieldcol[$field]].".".$fieldcol[$field];
 			}
 		}
-		if($sqlDump['sortOrder']) {
+		if(isset($sqlDump['sortOrder'])) {
 			$this->query .= ' '.$sqlDump['sortOrder'];
 		}
 	}
-	if($sqlDump['limit']){
+	if(isset($sqlDump['limit'])){
 		$i=0;
 		$offset =false;
 		if(php7_sizeof($sqlDump['limit'])>1){
@@ -1237,6 +1241,7 @@ $this->out['where_condition']['column_values'][php7_sizeof($this->out['where_con
 #line 1240 "e:\workspace\nonadmin\pkg\vtiger\extensions\Webservices\VTQL_parser.php"
 #line 82 "e:\workspace\nonadmin\pkg\vtiger\extensions\Webservices\VTQL_parser.y"
     function yy_r17(){
+        $this->out['where_condition']['column_values'] = isset($this->out['where_condition']['column_values']) ? $this->out['where_condition']['column_values'] : array();
 $length = ($this->out['where_condition']['column_values'])? php7_sizeof($this->out['where_condition']['column_values']):0;
 $pos = $length - 1;
 if($pos < 0){
@@ -1325,7 +1330,7 @@ $this->out['limit'][] = $this->yystack[$this->yyidx + 0]->minor;
 #line 151 "e:\workspace\nonadmin\pkg\vtiger\extensions\Webservices\VTQL_parser.y"
     function yy_r41(){
 global $adb;
-if(!$this->out['meta']){
+if(!isset($this->out['meta'])){
 $module = $this->out['moduleName'];
 $handler = vtws_getModuleHandlerFromName($module,$this->user);
 $objectMeta = $handler->getMeta();
@@ -1340,7 +1345,7 @@ foreach($this->out['column_list'] as $ind=>$field){
 $columns[] = $fieldcol[$field];
 }
 }
-if($this->out['where_condition']){
+if(isset($this->out['where_condition']) && isset($this->out['where_condition']['column_names'])){
 foreach($this->out['where_condition']['column_names'] as $ind=>$field){
 $columns[] = $fieldcol[$field];
 }
@@ -1358,6 +1363,7 @@ array_push($tables,$tableName);
 $firstTable = $objectMeta->getEntityBaseTable();
 $tabNameIndex = $objectMeta->getEntityTableIndexList();
 $firstIndex = $tabNameIndex[$firstTable];
+if (!isset($this->out['defaultJoinConditons'])) $this->out['defaultJoinConditions'] = '';
 foreach($tables as $ind=>$table){
 if($firstTable!=$table){
 	if(!isset($tabNameIndex[$table]) && $table == "vtiger_crmentity"){

include/Webservices/VtigerActorOperation.php

@@ -263,7 +263,7 @@ class VtigerActorOperation extends WebserviceEntityOperation {
 			foreach ($moduleFields as $fieldName=>$webserviceField) {
 				array_push($fields,$this->getDescribeFieldArray($webserviceField));
 			}
-			$label = ($app_strings[$this->meta->getObectIndexColumn()])? $app_strings[$this->meta->getObectIndexColumn()]:
+			$label = isset($app_strings[$this->meta->getObectIndexColumn()])? $app_strings[$this->meta->getObectIndexColumn()]:
 				$this->meta->getObectIndexColumn();
 			$this->moduleFields = $fields;
 		}
@@ -276,7 +276,9 @@ class VtigerActorOperation extends WebserviceEntityOperation {
 		if(isset($app_strings[$fieldLabel])){
 			$fieldLabel = $app_strings[$fieldLabel];
 		}
-		if(strcasecmp($webserviceField->getFieldName(),$this->meta->getObectIndexColumn()) === 0){
+		$fieldName = $webserviceField->getFieldName();
+		$fieldColumn = $this->meta->getObectIndexColumn();
+		if($fieldColumn && strcasecmp($fieldName, $fieldColumn) === 0){
 			return $this->getIdField($fieldLabel);
 		}
 		
@@ -334,4 +336,4 @@ class VtigerActorOperation extends WebserviceEntityOperation {
 	}
 
 }
-?>
\ No newline at end of file
+?>

include/Webservices/VtigerCRMObject.php

@@ -185,7 +185,7 @@ class VtigerCRMObject{
 		global $adb;
 		$error = false;
 		$adb->startTransaction();
-		DeleteEntity($this->getTabName(), $this->getTabName(), $this->instance, $id,$returnid);
+		DeleteEntity($this->getTabName(), $this->getTabName(), $this->instance, $id,"");
 		$error = $adb->hasFailedTransaction();
 		$adb->completeTransaction();
 		return !$error;
@@ -199,7 +199,7 @@ class VtigerCRMObject{
 		global $adb;
 		
 		$exists = false;
-		$sql = "select * from vtiger_crmentity where crmid=? and deleted=0";
+		$sql = "select 1 from vtiger_crmentity where crmid=? and deleted=0";
 		$result = $adb->pquery($sql , array($id));
 		if($result != null && isset($result)){
 			if($adb->num_rows($result)>0){
@@ -213,7 +213,7 @@ class VtigerCRMObject{
 		global $adb;
 		
 		$seType = null;
-		$sql = "select * from vtiger_crmentity where crmid=? and deleted=0";
+		$sql = "select setype from vtiger_crmentity where crmid=? and deleted=0";
 		$result = $adb->pquery($sql , array($id));
 		if($result != null && isset($result)){
 			if($adb->num_rows($result)>0){

include/Webservices/VtigerCRMObjectMeta.php

@@ -20,6 +20,7 @@ class VtigerCRMObjectMeta extends EntityMeta {
 	private $hasWriteAccess;//Edit Access
 	private $hasDeleteAccess;
 	private $assignUsers;
+	private $allowDuplicates;
 	
 	function __construct($webserviceObject,$user)
 	{
@@ -39,6 +40,7 @@ class VtigerCRMObjectMeta extends EntityMeta {
 		$this->hasCreateAccess = false;
 		$this->hasWriteAccess = false;
 		$this->hasDeleteAccess = false;
+		$this->allowDuplicates = null;
 		$instance = vtws_getModuleInstance($this->webserviceObject);
 		$this->idColumn = $instance->tab_name_index[$instance->table_name];
 		$this->baseTable = $instance->table_name;
@@ -223,11 +225,12 @@ class VtigerCRMObjectMeta extends EntityMeta {
 	function hasPermission($operation,$webserviceId){
 		
 		$idComponents = vtws_getIdComponents($webserviceId);
-		$id=$idComponents[1];
-		
-		$permitted = isPermitted($this->getTabName(),$operation,$id);
-		if(strcmp($permitted,"yes")===0){
-			return true;
+		$id=$idComponents ? array_pop($idComponents):null;
+		if ($id) {
+			$permitted = isPermitted($this->getTabName(),$operation,$id);
+			if(strcmp($permitted,"yes")===0){
+				return true;
+			}
 		}
 		return false;
 	}
@@ -305,6 +308,11 @@ class VtigerCRMObjectMeta extends EntityMeta {
 					if (strcasecmp($webserviceField->getFieldDataType(), 'file') !== 0) {
 						$this->fieldColumnMapping[$fieldName] = $webserviceField->getColumnName();
 					}
+				} else if($this->getEntityName() == "Users") {
+					$restrictedFields = array('user_password', 'confirm_password', 'accesskey');
+					if(!in_array($fieldName, $restrictedFields)) {
+						$this->fieldColumnMapping[$fieldName] = $webserviceField->getColumnName();
+					}	
 				} else {
 					$this->fieldColumnMapping[$fieldName] = $webserviceField->getColumnName();
 				}
@@ -366,7 +374,7 @@ class VtigerCRMObjectMeta extends EntityMeta {
 		
 		require_once('modules/CustomView/CustomView.php');
 		$current_user = vtws_preserveGlobal('current_user',$this->user);
-		$theme = vtws_preserveGlobal('theme',$this->user->theme);
+		$theme = vtws_preserveGlobal('theme', isset($this->user->theme) ? $this->user->theme : "");
 		$default_language = VTWS_PreserveGlobal::getGlobal('default_language');
 		global $current_language;
 		if(empty($current_language)) $current_language = $default_language;
@@ -390,7 +398,7 @@ class VtigerCRMObjectMeta extends EntityMeta {
 		
 		$heirarchyUsers = get_user_array(false,"ACTIVE",$this->user->id);
 		$groupUsers = vtws_getUsersInTheSameGroup($this->user->id);
-		$this->assignUsers = array_merge($heirarchyUsers, $groupUsers);
+		$this->assignUsers = $heirarchyUsers + $groupUsers;
 		$this->assign = true;
 	}
 	
@@ -561,7 +569,7 @@ class VtigerCRMObjectMeta extends EntityMeta {
 	}
 
 	public function isDuplicatesAllowed() {
-		if (!isset($this->allowDuplicates)) {
+		if (is_null($this->allowDuplicates) || $this->allowDuplicates === null) {
 			$this->allowDuplicates = vtws_isDuplicatesAllowed($this->webserviceObject);
 		}
 		return $this->allowDuplicates;

include/Webservices/VtigerModuleOperation.php

@@ -16,6 +16,7 @@ class VtigerModuleOperation extends WebserviceEntityOperation {
 	public function __construct($webserviceObject,$user,$adb,$log)
 	{
 		parent::__construct($webserviceObject,$user,$adb,$log);
+		
 		$this->meta = $this->getMetaInstance();
 		$this->tabId = $this->meta->getTabId();
 	}
@@ -80,6 +81,7 @@ class VtigerModuleOperation extends WebserviceEntityOperation {
 	}
 	
     public function relatedIds($id, $relatedModule, $relatedLabel, $relatedHandler=null) {
+		global $adb;
 		$ids = vtws_getIdComponents($id);
         $sourceModule = $this->webserviceObject->getEntityName();		
         global $currentModule;
@@ -195,7 +197,7 @@ class VtigerModuleOperation extends WebserviceEntityOperation {
 		$output = array();
 		for($i=0; $i<$noofrows; $i++){
 			$row = $this->pearDB->fetchByAssoc($result,$i);
-			if(!$meta->hasPermission(EntityMeta::$RETRIEVE,$row[$tableIdColumn])){
+			if(!isset($row[$tableIdColumn]) || !$meta->hasPermission(EntityMeta::$RETRIEVE,$row[$tableIdColumn])){
 				continue;
 			}
 			$output[$row[$tableIdColumn]] = DataTransform::sanitizeDataWithColumn($row,$meta);

include/Webservices/VtigerWebserviceObject.php

@@ -92,7 +92,7 @@ class VtigerWebserviceObject{
 			}
 		}
 		
-		$rowData = self::$_fromIdCache[$entityId];
+		$rowData = isset(self::$_fromIdCache[$entityId]) ? self::$_fromIdCache[$entityId] : '';
 		
 		if($rowData) {
 			return new VtigerWebserviceObject($rowData['id'],$rowData['name'],
@@ -129,4 +129,4 @@ class VtigerWebserviceObject{
 	}
 	
 }
-?>
\ No newline at end of file
+?>

include/Webservices/WebserviceEntityOperation.php

@@ -83,7 +83,7 @@ abstract class WebserviceEntityOperation{
 				break;
 			case 'multipicklist':
 			case 'picklist': $typeDetails["picklistValues"] = $webserviceField->getPicklistDetails($webserviceField);
-				$typeDetails['defaultValue'] = $typeDetails["picklistValues"][0]['value'];
+				$typeDetails['defaultValue'] = !empty($typeDetails["picklistValues"]) ? $typeDetails["picklistValues"][0]['value'] : null;
 				break;
 			case 'file': $maxUploadSize = 0;
 				$maxUploadSize = ini_get('upload_max_filesize');
@@ -131,4 +131,4 @@ abstract class WebserviceEntityOperation{
 	
 }
 
-?>
\ No newline at end of file
+?>

include/Webservices/WebserviceField.php

@@ -11,6 +11,7 @@
 require_once 'includes/runtime/Cache.php';
 require_once 'vtlib/Vtiger/Runtime.php';
 
+#[\AllowDynamicProperties]
 class WebserviceField{
 	private $fieldId;
 	private $uitype;
@@ -48,6 +49,8 @@ class WebserviceField{
 	private $readOnly = 0;
 	private $isunique = 0;
 
+	public $parentReferenceField; //To avoid undefined property warning.
+
 	private function __construct($adb,$row){
 		$this->uitype = isset($row['uitype'])? $row['uitype'] : 0;
 		$this->blockId = isset($row['block'])? $row['block'] : 0;
@@ -62,7 +65,7 @@ class WebserviceField{
 		$this->isunique = isset($row['isunique']) && $row['isunique'] ? true : false;
 		$typeOfData = isset($row['typeofdata'])? $row['typeofdata'] : null;
 		$this->typeOfData = $typeOfData;
-		$typeOfData = explode("~",$typeOfData);
+		$typeOfData = explode("~",$typeOfData ? $typeOfData : "");
 		$this->mandatory = (php7_count($typeOfData) > 1 && $typeOfData[1] == 'M')? true: false;
 		if($this->uitype == 4){
 			$this->mandatory = false;
@@ -429,4 +432,4 @@ class WebserviceField{
 
 }
 
-?>
\ No newline at end of file
+?>

include/Zend/Json.php

@@ -56,7 +56,7 @@ class Zend_Json
     public static function decode($encodedValue, $objectDecodeType = Zend_Json::TYPE_ARRAY)
     {
         if (function_exists('json_decode') && self::$useBuiltinEncoderDecoder !== true) {
-            return json_decode($encodedValue, $objectDecodeType);
+            return $encodedValue != null ? json_decode($encodedValue, $objectDecodeType) : $encodedValue;
         }
 
         require_once 'include/Zend/Json/Decoder.php';

include/Zend/Json/Decoder.php

@@ -37,6 +37,8 @@ require_once 'include/Zend/Json/Exception.php';
  * @copyright  Copyright (c) 2005-2010 Zend Technologies USA Inc. (http://www.zend.com)
  * @license    http://framework.zend.com/license/new-bsd     New BSD License
  */
+
+#[\AllowDynamicProperties]
 class Zend_Json_Decoder
 {
     /**