diff --git a/htdocs/societe/class/api_contacts.class.php b/htdocs/societe/class/api_contacts.class.php
index ad82db3e00834709ab252f0579c4385d9a98693f..58fe15cf28207173e29bc423707196e70a1e25cb 100644
--- a/htdocs/societe/class/api_contacts.class.php
+++ b/htdocs/societe/class/api_contacts.class.php
@@ -22,14 +22,14 @@ use Luracast\Restler\RestException;
 /**
 * API class for contacts
 *
- * @access protected
+ * @access protected
 * @class DolibarrApiAccess {@requires user,external}
 */
 class Contacts extends DolibarrApi
 {
 /**
 *
- * @var array $FIELDS Mandatory fields, checked when create and update object
+ * @var array $FIELDS Mandatory fields, checked when create and update object
 */
 static $FIELDS = array(
 'lastname'
@@ -56,13 +56,13 @@ class Contacts extends DolibarrApi
 *
 * @param int $id ID of contact
 * @return array|mixed data without useless information
- *
+ *
 * @throws RestException
 */
 function get($id)
 {
 if (!DolibarrApiAccess::$user->rights->societe->contact->lire) {
- throw new RestException(401);
+ throw new RestException(401, 'No permission to read contacts');
 }
 
 $result = $this->contact->fetch($id);
@@ -81,9 +81,9 @@ class Contacts extends DolibarrApi
 
 /**
 * List contacts
- *
+ *
 * Get a list of contacts
- *
+ *
 * @param string $sortfield Sort field
 * @param string $sortorder Sort order
 * @param int $limit Limit for list
@@ -91,7 +91,7 @@ class Contacts extends DolibarrApi
 * @param string $thirdparty_ids Thirdparty ids to filter projects of. {@example '1' or '1,2,3'} {@pattern /^[0-9,]*$/i}
 * @param string $sqlfilters Other criteria to filter answers separated by a comma. Syntax example "(t.ref:like:'SO-%') and (t.date_creation:<:'20160101')"
 * @return array Array of contact objects
- *
+ *
 * @throws RestException
 */
 function index($sortfield = "t.rowid", $sortorder = 'ASC', $limit = 0, $page = 0, $thirdparty_ids = '', $sqlfilters = '') {
@@ -99,6 +99,11 @@ class Contacts extends DolibarrApi
 
 $obj_ret = array();
 
+ if (!DolibarrApiAccess::$user->rights->societe->contact->lire)
+ {
+ throw new RestException(401, 'No permission to read contacts');
+ }
+
 // case of external user, $thirdparty_ids param is ignored and replaced by user's socid
 $socids = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : $thirdparty_ids;
 
@@ -111,7 +116,7 @@ class Contacts extends DolibarrApi
 $sql.= " FROM " . MAIN_DB_PREFIX . "socpeople as t";
 if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) || $search_sale > 0) {
 // We need this table joined to the select in order to filter by sale
- $sql.= ", " . MAIN_DB_PREFIX . "societe_commerciaux as sc";
+ $sql.= ", " . MAIN_DB_PREFIX . "societe_commerciaux as sc";
 }
 $sql.= " LEFT JOIN " . MAIN_DB_PREFIX . "societe as s ON t.fk_soc = s.rowid";
 $sql.= ' WHERE t.entity IN (' . getEntity('socpeople') . ')';
@@ -127,7 +132,7 @@ class Contacts extends DolibarrApi
 $sql .= " AND sc.fk_user = " . $search_sale;
 }
 // Add sql filters
- if ($sqlfilters)
+ if ($sqlfilters)
 {
 if (! DolibarrApi::_checkFilters($sqlfilters))
 {
@@ -136,7 +141,7 @@ class Contacts extends DolibarrApi
 $regexstring='\(([^:\'\(\)]+:[^:\'\(\)]+:[^:\(\)]+)\)';
 $sql.=" AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")";
 }
-
+
 $sql.= $db->order($sortfield, $sortorder);
 
 if ($limit)
@@ -164,7 +169,7 @@ class Contacts extends DolibarrApi
 }
 $i++;
 }
- }
+ }
 else {
 throw new RestException(503, 'Error when retreive contacts : ' . $sql);
 }
@@ -184,7 +189,7 @@ class Contacts extends DolibarrApi
 function post($request_data = NULL)
 {
 if (!DolibarrApiAccess::$user->rights->societe->contact->creer) {
- throw new RestException(401);
+ throw new RestException(401, 'No permission to create/update contacts');
 }
 // Check mandatory fields
 $result = $this->_validate($request_data);
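Review bot: The new permission guard in index() opens its brace on the next line (`if (...)` then `{`) while every other guard in this file — `if (!DolibarrApiAccess::$user->rights->societe->contact->lire) {` in get(), the `creer` guard in post(), and the `societe->client->voir` test later in this same hunk — keeps it on the same line; `if (!DolibarrApiAccess::$user->rights->societe->contact->lire) {` would match. The guard also sits after `$obj_ret = array();` rather than as the first statement of index(), whose opening lines are outside this hunk; placing it ahead of any other work keeps the check-before-use order that get(), post(), put() and delete() follow. The literal `'No permission to read contacts'` is now thrown from three places in this diff (get(), index() and the lire check in the later hunk), so a class constant would keep the wording in step.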
@@ -203,13 +208,13 @@ class Contacts extends DolibarrApi
 * Update contact
 *
 * @param int $id Id of contact to update
- * @param array $request_data Datas
- * @return int
+ * @param array $request_data Datas
+ * @return int
 */
 function put($id, $request_data = NULL)
 {
 if (!DolibarrApiAccess::$user->rights->societe->contact->creer) {
- throw new RestException(401);
+ throw new RestException(401, 'No permission to create/update contacts');
 }
 
 $result = $this->contact->fetch($id);
@@ -244,7 +249,7 @@ class Contacts extends DolibarrApi
 function delete($id)
 {
 if (!DolibarrApiAccess::$user->rights->societe->contact->supprimer) {
- throw new RestException(401);
+ throw new RestException(401, 'No permission to delete contacts');
 }
 $result = $this->contact->fetch($id);
 if (!$result)
@@ -273,23 +278,29 @@ class Contacts extends DolibarrApi
 //if (!DolibarrApiAccess::$user->rights->user->user->creer) {
 //throw new RestException(401);
 //}
-
+
 if (!isset($request_data["login"]))
 throw new RestException(400, "login field missing");
 if (!isset($request_data["password"]))
 throw new RestException(400, "password field missing");
+
 if (!DolibarrApiAccess::$user->rights->societe->contact->lire) {
- throw new RestException(401);
+ throw new RestException(401, 'No permission to read contacts');
+ }
+ if (!DolibarrApiAccess::$user->rights->user->user->creer) {
+ throw new RestException(401, 'No permission to create user');
 }
+
 $contact = new Contact($this->db);
 $contact->fetch($id);
 if ($contact->id <= 0) {
 throw new RestException(404, 'Contact not found');
 }
-
+
 if (!DolibarrApi::_checkAccessToResource('contact', $contact->id, 'socpeople&societe')) {
 throw new RestException(401, 'Access not allowed for login ' . DolibarrApiAccess::$user->login);
 }
+
 // Check mandatory fields
 $login = $request_data["login"];
 $password = $request_data["password"];
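Review bot: Now that a live `rights->user->user->creer` check exists in the last hunk, the commented-out block at its top (`//if (!DolibarrApiAccess::$user->rights->user->user->creer) {` … `//}`) is dead code and should be removed rather than left beside the real guard. Both new rights guards also run after the `isset($request_data["login"])` / `isset($request_data["password"])` tests, so a caller without either right still receives the 400 "field missing" responses before being refused; moving the two `if (!DolibarrApiAccess::$user->rights->...)` guards above the presence checks restores the check-first order used in get(), post(), put() and delete(). The enclosing method's signature lies outside this hunk.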
@@ -300,10 +311,10 @@ class Contacts extends DolibarrApi
 }
 // password parameter not used in create_from_contact
 $useraccount->setPassword($useraccount,$password);
-
+
 return $result;
 }
-
+
 /**
 * Get categories for a contact
 *
@@ -324,7 +335,7 @@ class Contacts extends DolibarrApi
 
 /**
 * Validate fields before create or update object
- *
+ *
 * @param array|null $data Data to validate
 * @return array
 * @throws RestException