Commit 4009b183 authored by Laurent Destailleur's avatar Laurent Destailleur

Fix permissions

parent 71c0be20
...@@ -62,7 +62,7 @@ class Contacts extends DolibarrApi ...@@ -62,7 +62,7 @@ class Contacts extends DolibarrApi
function get($id) { function get($id) {
if (!DolibarrApiAccess::$user->rights->societe->contact->lire) if (!DolibarrApiAccess::$user->rights->societe->contact->lire)
{ {
throw new RestException(401); throw new RestException(401, 'No permission to read contacts');
} }
$result = $this->contact->fetch($id); $result = $this->contact->fetch($id);
...@@ -99,6 +99,11 @@ class Contacts extends DolibarrApi ...@@ -99,6 +99,11 @@ class Contacts extends DolibarrApi
$obj_ret = array(); $obj_ret = array();
if (!DolibarrApiAccess::$user->rights->societe->contact->lire)
{
throw new RestException(401, 'No permission to read contacts');
}
// case of external user, $thirdparty_ids param is ignored and replaced by user's socid // case of external user, $thirdparty_ids param is ignored and replaced by user's socid
$socids = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : $thirdparty_ids; $socids = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : $thirdparty_ids;
...@@ -184,7 +189,7 @@ class Contacts extends DolibarrApi ...@@ -184,7 +189,7 @@ class Contacts extends DolibarrApi
function post($request_data = NULL) { function post($request_data = NULL) {
if (!DolibarrApiAccess::$user->rights->societe->contact->creer) if (!DolibarrApiAccess::$user->rights->societe->contact->creer)
{ {
throw new RestException(401); throw new RestException(401, 'No permission to create/update contacts');
} }
// Check mandatory fields // Check mandatory fields
$result = $this->_validate($request_data); $result = $this->_validate($request_data);
...@@ -209,7 +214,7 @@ class Contacts extends DolibarrApi ...@@ -209,7 +214,7 @@ class Contacts extends DolibarrApi
function put($id, $request_data = NULL) { function put($id, $request_data = NULL) {
if (!DolibarrApiAccess::$user->rights->societe->contact->creer) if (!DolibarrApiAccess::$user->rights->societe->contact->creer)
{ {
throw new RestException(401); throw new RestException(401, 'No permission to create/update contacts');
} }
$result = $this->contact->fetch($id); $result = $this->contact->fetch($id);
...@@ -244,7 +249,7 @@ class Contacts extends DolibarrApi ...@@ -244,7 +249,7 @@ class Contacts extends DolibarrApi
function delete($id) { function delete($id) {
if (!DolibarrApiAccess::$user->rights->societe->contact->supprimer) if (!DolibarrApiAccess::$user->rights->societe->contact->supprimer)
{ {
throw new RestException(401); throw new RestException(401, 'No permission to delete contacts');
} }
$result = $this->contact->fetch($id); $result = $this->contact->fetch($id);
if (!$result) if (!$result)
...@@ -278,9 +283,14 @@ class Contacts extends DolibarrApi ...@@ -278,9 +283,14 @@ class Contacts extends DolibarrApi
throw new RestException(400, "login field missing"); throw new RestException(400, "login field missing");
if (!isset($request_data["password"])) if (!isset($request_data["password"]))
throw new RestException(400, "password field missing"); throw new RestException(400, "password field missing");
if (!DolibarrApiAccess::$user->rights->societe->contact->lire) { if (!DolibarrApiAccess::$user->rights->societe->contact->lire) {
throw new RestException(401); throw new RestException(401, 'No permission to read contacts');
}
if (!DolibarrApiAccess::$user->rights->user->user->creer) {
throw new RestException(401, 'No permission to create user');
} }
$contact = new Contact($this->db); $contact = new Contact($this->db);
$contact->fetch($id); $contact->fetch($id);
if ($contact->id <= 0) { if ($contact->id <= 0) {
...@@ -290,6 +300,7 @@ class Contacts extends DolibarrApi ...@@ -290,6 +300,7 @@ class Contacts extends DolibarrApi
if (!DolibarrApi::_checkAccessToResource('contact', $contact->id, 'socpeople&societe')) { if (!DolibarrApi::_checkAccessToResource('contact', $contact->id, 'socpeople&societe')) {
throw new RestException(401, 'Access not allowed for login ' . DolibarrApiAccess::$user->login); throw new RestException(401, 'Access not allowed for login ' . DolibarrApiAccess::$user->login);
} }
// Check mandatory fields // Check mandatory fields
$login = $request_data["login"]; $login = $request_data["login"];
$password = $request_data["password"]; $password = $request_data["password"];
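Review bot: In the `@@ -278,9 +283,14 @@` hunk the two new permission checks on `rights->societe->contact->lire` and `rights->user->user->creer` run only after the request body has already been validated for `login` and `password`, so a caller without the right to create users still receives the 400 "field missing" responses describing the expected payload before being refused. Authorization is normally the first thing a handler does; moving both permission blocks above the two `isset` checks keeps the payload validation feedback for authorized callers only. The `DolibarrApi::_checkAccessToResource` call in the following hunk still has to stay after the `fetch`, since it depends on the loaded contact. The 401 status is reused here for an authenticated user who lacks a right; 403 would be the more precise code if the API distinguishes the two, but the file's existing checks use 401 throughout. The enclosing function begins before this hunk, so its signature and any earlier checks are not visible here.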