lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix several security holes on api when used by external users

Browse Source
This commit is contained in:
Laurent Destailleur 2016-12-07 19:02:39 +01:00
parent d23604701c
commit 1838670e31
13 changed files with 60 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
htdocs/comm/action/class/api_agendaevents.class.php
View File

@ -102,13 +102,19 @@ class AgendaEvents extends DolibarrApi
$obj_ret = array();
// case of external user, $societe param is ignored and replaced by user's socid
//$socid = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : $societe;
// case of external user
$socid = 0;
if (! empty(DolibarrApiAccess::$user->societe_id)) $socid = DolibarrApiAccess::$user->societe_id;
// If the internal user must only see his customers, force searching by him
$search_sale = 0;
if (! DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) $search_sale = DolibarrApiAccess::$user->id;
$sql = "SELECT t.id as rowid";
$sql.= " FROM ".MAIN_DB_PREFIX."actioncomm as t";
$sql.= ' WHERE t.entity IN ('.getEntity('agenda', 1).')';
if ($user_ids) $sql.=" AND t.fk_user_action IN (".$user_ids.")";
if ($socid > 0) $sql.= " AND t.fk_soc = ".$socid;
// Insert sale filter
if ($search_sale > 0)
{

4
htdocs/comm/propal/class/api_proposals.class.php
View File

@ -97,10 +97,12 @@ class Proposals extends DolibarrApi
global $db, $conf;
$obj_ret = array();
// case of external user, $thirdpartyid param is ignored and replaced by user's socid
// case of external user, $thirdparty_ids param is ignored and replaced by user's socid
$socids = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : $thirdparty_ids;
// If the internal user must only see his customers, force searching by him
$search_sale = 0;
if (! DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) $search_sale = DolibarrApiAccess::$user->id;
$sql = "SELECT t.rowid";

1
htdocs/commande/class/api_deprecated_commande.class.php
View File

@ -115,6 +115,7 @@ class CommandeApi extends DolibarrApi
$socid = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : $societe;
// If the internal user must only see his customers, force searching by him
$search_sale = 0;
if (! DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) $search_sale = DolibarrApiAccess::$user->id;
$sql = "SELECT s.rowid";

4
htdocs/commande/class/api_orders.class.php
View File

@ -101,10 +101,12 @@ class Orders extends DolibarrApi
global $db, $conf;
$obj_ret = array();
// case of external user, $thirdpartyid param is ignored and replaced by user's socid
// case of external user, $thirdparty_ids param is ignored and replaced by user's socid
$socids = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : $thirdparty_ids;
// If the internal user must only see his customers, force searching by him
$search_sale = 0;
if (! DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) $search_sale = DolibarrApiAccess::$user->id;
$sql = "SELECT t.rowid";

1
htdocs/compta/facture/class/api_deprecated_invoice.class.php
View File

@ -111,6 +111,7 @@ class InvoiceApi extends DolibarrApi
$socid = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : $socid;
// If the internal user must only see his customers, force searching by him
$search_sale = 0;
if (! DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) $search_sale = DolibarrApiAccess::$user->id;
$sql = "SELECT s.rowid";

15
htdocs/compta/facture/class/api_invoices.class.php
View File

@ -98,21 +98,24 @@ class Invoices extends DolibarrApi
global $db, $conf;
$obj_ret = array();
// case of external user, $thirdpartyid param is ignored and replaced by user's socid
// case of external user, $thirdparty_ids param is ignored and replaced by user's socid
$socids = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : $thirdparty_ids;
// If the internal user must only see his customers, force searching by him
if (! DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) $search_sale = DolibarrApiAccess::$user->id;
$search_sale = 0;
if (! DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) $search_sale = DolibarrApiAccess::$user->id;
$sql = "SELECT t.rowid";
if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql .= ", sc.fk_soc, sc.fk_user"; // We need these fields in order to filter by sale (including the case where the user can only see his prospects)
if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) || $search_sale > 0) $sql .= ", sc.fk_soc, sc.fk_user"; // We need these fields in order to filter by sale (including the case where the user can only see his prospects)
$sql.= " FROM ".MAIN_DB_PREFIX."facture as t";
if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; // We need this table joined to the select in order to filter by sale
if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) || $search_sale > 0) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; // We need this table joined to the select in order to filter by sale
$sql.= ' WHERE t.entity IN ('.getEntity('facture', 1).')';
if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql.= " AND t.fk_soc = sc.fk_soc";
if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) || $search_sale > 0) $sql.= " AND t.fk_soc = sc.fk_soc";
if ($socids) $sql.= " AND t.fk_soc IN (".$socids.")";
if ($search_sale > 0) $sql.= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
// Filter by status

7
htdocs/expensereport/class/api_expensereports.class.php
View File

@ -101,17 +101,12 @@ class ExpenseReports extends DolibarrApi
// case of external user, $societe param is ignored and replaced by user's socid
//$socid = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : $societe;
$sql = "SELECT t.rowid";
$sql.= " FROM ".MAIN_DB_PREFIX."expensereport as t";
$sql.= ' WHERE t.entity IN ('.getEntity('expensereport', 1).')';
if ($user_ids) $sql.=" AND t.fk_user_author IN (".$user_ids.")";
// Insert sale filter
if ($search_sale > 0)
{
$sql .= " AND sc.fk_user = ".$search_sale;
}
// Add sql filters
if ($sqlfilters)
{

4
htdocs/fourn/class/api_supplier_invoices.class.php
View File

@ -99,10 +99,12 @@ class SupplierInvoices extends DolibarrApi
global $db, $conf;
$obj_ret = array();
// case of external user, $thirdpartyid param is ignored and replaced by user's socid
// case of external user, $thirdparty_ids param is ignored and replaced by user's socid
$socids = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : $thirdparty_ids;
// If the internal user must only see his customers, force searching by him
$search_sale = 0;
if (! DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) $search_sale = DolibarrApiAccess::$user->id;
$sql = "SELECT t.rowid";

4
htdocs/projet/class/api_projects.class.php
View File

@ -102,10 +102,12 @@ class Projects extends DolibarrApi
global $db, $conf;
$obj_ret = array();
// case of external user, $thirdpartyid param is ignored and replaced by user's socid
// case of external user, $thirdparty_ids param is ignored and replaced by user's socid
$socids = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : $thirdparty_ids;
// If the internal user must only see his customers, force searching by him
$search_sale = 0;
if (! DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) $search_sale = DolibarrApiAccess::$user->id;
$sql = "SELECT t.rowid";

4
htdocs/projet/class/api_tasks.class.php
View File

@ -109,10 +109,12 @@ class Tasks extends DolibarrApi
global $db, $conf;
$obj_ret = array();
// case of external user, $thirdpartyid param is ignored and replaced by user's socid
// case of external user, $thirdparty_ids param is ignored and replaced by user's socid
$socids = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : $thirdparty_ids;
// If the internal user must only see his customers, force searching by him
$search_sale = 0;
if (! DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) $search_sale = DolibarrApiAccess::$user->id;
$sql = "SELECT t.rowid";

31
htdocs/societe/class/api_contacts.class.php
View File

@ -84,41 +84,40 @@ class Contacts extends DolibarrApi
*
* Get a list of contacts
*
* @param string $sortfield Sort field
* @param string $sortorder Sort order
* @param int $limit Limit for list
* @param int $page Page number
* @param int $socid ID of thirdparty to filter list
* @param string $sqlfilters Other criteria to filter answers separated by a comma. Syntax example "(t.ref:like:'SO-%') and (t.date_creation:<:'20160101')"
* @return array Array of contact objects
* @param string $sortfield Sort field
* @param string $sortorder Sort order
* @param int $limit Limit for list
* @param int $page Page number
* @param string $thirdparty_ids Thirdparty ids to filter projects of. {@example '1' or '1,2,3'} {@pattern /^[0-9,]*$/i}
* @param string $sqlfilters Other criteria to filter answers separated by a comma. Syntax example "(t.ref:like:'SO-%') and (t.date_creation:<:'20160101')"
* @return array Array of contact objects
*
* @throws RestException
*/
function index($sortfield = "t.rowid", $sortorder = 'ASC', $limit = 0, $page = 0, $socid = 0, $sqlfilters = '') {
function index($sortfield = "t.rowid", $sortorder = 'ASC', $limit = 0, $page = 0, $thirdparty_ids = '', $sqlfilters = '') {
global $db, $conf;
$obj_ret = array();
if (!$socid)
{
$socid = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : '';
}
// case of external user, $thirdparty_ids param is ignored and replaced by user's socid
$socids = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : $thirdparty_ids;
// If the internal user must only see his customers, force searching by him
if (!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid)
$search_sale = 0;
if (!DolibarrApiAccess::$user->rights->societe->client->voir && !$socids)
$search_sale = DolibarrApiAccess::$user->id;
$sql = "SELECT t.rowid";
$sql.= " FROM " . MAIN_DB_PREFIX . "socpeople as t";
if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) {
if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) || $search_sale > 0) {
// We need this table joined to the select in order to filter by sale
$sql.= ", " . MAIN_DB_PREFIX . "societe_commerciaux as sc";
}
$sql.= " LEFT JOIN " . MAIN_DB_PREFIX . "societe as s ON t.fk_soc = s.rowid";
$sql.= ' WHERE t.entity IN (' . getEntity('socpeople', 1) . ')';
if ($socid) $sql.= " AND t.fk_soc = " . $socid;
if ($socids) $sql.= " AND t.fk_soc IN (" . $socids . ")";
if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0)
if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) || $search_sale > 0)
$sql.= " AND t.fk_soc = sc.fk_soc";
if ($search_sale > 0)
$sql.= " AND s.rowid = sc.fk_soc"; // Join for the needed table to filter by sale

1
htdocs/societe/class/api_deprecated_thirdparty.class.php
View File

@ -165,6 +165,7 @@ class ThirdpartyApi extends DolibarrApi
$socid = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : '';
// If the internal user must only see his customers, force searching by him
$search_sale = 0;
if (! DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) $search_sale = DolibarrApiAccess::$user->id;
$sql = "SELECT s.rowid";

14
htdocs/societe/class/api_thirdparties.class.php
View File

@ -102,25 +102,27 @@ class Thirdparties extends DolibarrApi
$obj_ret = array();
$socid = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : '';
// case of external user, we force socids
$socids = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : '';
// If the internal user must only see his customers, force searching by him
if (! DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) $search_sale = DolibarrApiAccess::$user->id;
$search_sale = 0;
if (! DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) $search_sale = DolibarrApiAccess::$user->id;
$sql = "SELECT t.rowid";
if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql .= ", sc.fk_soc, sc.fk_user"; // We need these fields in order to filter by sale (including the case where the user can only see his prospects)
if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) || $search_sale > 0) $sql .= ", sc.fk_soc, sc.fk_user"; // We need these fields in order to filter by sale (including the case where the user can only see his prospects)
$sql.= " FROM ".MAIN_DB_PREFIX."societe as t";
if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; // We need this table joined to the select in order to filter by sale
if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) || $search_sale > 0) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; // We need this table joined to the select in order to filter by sale
$sql.= ", ".MAIN_DB_PREFIX."c_stcomm as st";
$sql.= " WHERE t.fk_stcomm = st.id";
if ($mode == 1) $sql.= " AND t.client IN (1, 3)";
if ($mode == 2) $sql.= " AND t.client IN (2, 3)";
if ($mode == 3) $sql.= " AND t.client IN (0)";
$sql.= ' AND t.entity IN ('.getEntity('societe', 1).')';
if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql.= " AND t.rowid = sc.fk_soc";
if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) || $search_sale > 0) $sql.= " AND t.rowid = sc.fk_soc";
//if ($email != NULL) $sql.= " AND s.email = \"".$email."\"";
if ($socid) $sql.= " AND t.rowid = ".$socid;
if ($socid) $sql.= " AND t.rowid IN (".$socids.")";
if ($search_sale > 0) $sql.= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
// Insert sale filter
if ($search_sale > 0)