Commit 4009b183 authored by Laurent Destailleur's avatar Laurent Destailleur

Fix permissions

parent 71c0be20
......@@ -62,7 +62,7 @@ class Contacts extends DolibarrApi
function get($id) {
if (!DolibarrApiAccess::$user->rights->societe->contact->lire)
{
throw new RestException(401);
throw new RestException(401, 'No permission to read contacts');
}
$result = $this->contact->fetch($id);
......@@ -99,6 +99,11 @@ class Contacts extends DolibarrApi
$obj_ret = array();
if (!DolibarrApiAccess::$user->rights->societe->contact->lire)
{
throw new RestException(401, 'No permission to read contacts');
}
// case of external user, $thirdparty_ids param is ignored and replaced by user's socid
$socids = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : $thirdparty_ids;
......@@ -184,7 +189,7 @@ class Contacts extends DolibarrApi
function post($request_data = NULL) {
if (!DolibarrApiAccess::$user->rights->societe->contact->creer)
{
throw new RestException(401);
throw new RestException(401, 'No permission to create/update contacts');
}
// Check mandatory fields
$result = $this->_validate($request_data);
......@@ -209,7 +214,7 @@ class Contacts extends DolibarrApi
function put($id, $request_data = NULL) {
if (!DolibarrApiAccess::$user->rights->societe->contact->creer)
{
throw new RestException(401);
throw new RestException(401, 'No permission to create/update contacts');
}
$result = $this->contact->fetch($id);
......@@ -244,7 +249,7 @@ class Contacts extends DolibarrApi
function delete($id) {
if (!DolibarrApiAccess::$user->rights->societe->contact->supprimer)
{
throw new RestException(401);
throw new RestException(401, 'No permission to delete contacts');
}
$result = $this->contact->fetch($id);
if (!$result)
......@@ -278,9 +283,14 @@ class Contacts extends DolibarrApi
throw new RestException(400, "login field missing");
if (!isset($request_data["password"]))
throw new RestException(400, "password field missing");
if (!DolibarrApiAccess::$user->rights->societe->contact->lire) {
throw new RestException(401);
throw new RestException(401, 'No permission to read contacts');
}
if (!DolibarrApiAccess::$user->rights->user->user->creer) {
throw new RestException(401, 'No permission to create user');
}
$contact = new Contact($this->db);
$contact->fetch($id);
if ($contact->id <= 0) {
......@@ -290,6 +300,7 @@ class Contacts extends DolibarrApi
if (!DolibarrApi::_checkAccessToResource('contact', $contact->id, 'socpeople&societe')) {
throw new RestException(401, 'Access not allowed for login ' . DolibarrApiAccess::$user->login);
}
// Check mandatory fields
$login = $request_data["login"];
$password = $request_data["password"];
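Review bot: In the hunk at `@@ -278,9 +283,14 @@` the two rights checks added on the new side (`societe->contact->lire` and the new `user->user->creer`) run only after the `login`/`password` mandatory-field checks, so a caller who lacks either right still receives the 400 "field missing" responses and can probe the request schema before being refused; moving both rights checks above `if (!isset($request_data["login"]))` would make authorization the first gate, as it already is in get/post/put/delete where the rights check is the first statement of the method. Separately, every rejection in this file uses status 401, which conventionally means a missing or invalid credential, whereas an authenticated API user who lacks the right would normally get 403, e.g. `throw new RestException(403, 'No permission to create user');` — unless the rest of the Dolibarr REST API standardizes on 401 for this case, in which case keeping it for consistency is defensible. The function containing this hunk starts before it, and the `_checkAccessToResource('contact', ...)` resource-level check appears only in the following hunk, so it also sits after the field validation.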
......