From 3c9d8bc931799f9cbf7e04d6cedcf1a3bff44ab8 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 17 May 2021 16:17:03 +0200
Subject: [PATCH] Fix perms on API user
---
 htdocs/user/class/api_users.class.php | 36 +++++++++++++--------------
 1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/htdocs/user/class/api_users.class.php b/htdocs/user/class/api_users.class.php
index f5f0b73a70f..6081c3d294f 100644
--- a/htdocs/user/class/api_users.class.php
+++ b/htdocs/user/class/api_users.class.php
@@ -62,7 +62,7 @@ class Users extends DolibarrApi
 * @param int $limit Limit for list
 * @param int $page Page number
 * @param string $user_ids User ids filter field. Example: '1' or '1,2,3' {@pattern /^[0-9,]*$/i}
- * @param int $category Use this param to filter list by category
+ * @param int $category Use this param to filter list by category
 * @param string $sqlfilters Other criteria to filter answers separated by a comma. Syntax example "(t.ref:like:'SO-%') and (t.date_creation:<:'20160101')"
 * @return array Array of User objects
 */
@@ -70,7 +70,7 @@ class Users extends DolibarrApi
 {
 global $db, $conf;

- if (!DolibarrApiAccess::$user->rights->user->user->lire) {
+ if (!DolibarrApiAccess::$user->rights->user->user->lire && empty(DolibarrApiAccess::$user->admin)) {
 throw new RestException(401, "You are not allowed to read list of users");
 }

@@ -149,7 +149,7 @@ class Users extends DolibarrApi
 */
 public function get($id, $includepermissions = 0)
 {
- if (empty(DolibarrApiAccess::$user->rights->user->user->lire)) {
+ if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
 throw new RestException(401, 'Not allowed');
 }

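Review bot: The check in the @@ -70 hunk keeps the bare `!DolibarrApiAccess::$user->rights->user->user->lire` negation while every other check in this commit uses `empty(...)`; when the rights tree is not populated for the caller, `!` on a missing property emits a warning where `empty()` stays silent, and the two forms read as if they were meant to differ. I'd align it with the rest of the file: `if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {`. The enclosing method's signature and the rest of its body lie outside the hunk.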
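Review bot: The `&& empty(DolibarrApiAccess::$user->admin)` admin bypass added to get() in the @@ -149 hunk is pasted verbatim into eleven more checks in this commit (the @@ -70, -187, -221, -254, -295, -345, -423, -463, -516, -590 and -616 hunks), so the authorization rule now lives in twelve places and each copy can drift — the @@ -295 hunk already spells the rights path differently from the others. A single private helper on Users would keep the rule auditable in one spot and reduce each check to one line such as `if (!$this->callerHasUserRight('lire')) {`. Only the two group-list hunks (@@ -516 and -590), which also consult `group_advance->read`, would need a second branch.
```php
/**
 * True when the API caller holds the user->user->$right permission or is an admin.
 * Keeps the admin bypass in one place so every endpoint check stays a single line.
 */
private function callerHasUserRight($right)
{
    return !empty(DolibarrApiAccess::$user->rights->user->user->$right)
        || !empty(DolibarrApiAccess::$user->admin);
}

// … unchanged: get() signature …
if (!$this->callerHasUserRight('lire')) {
    throw new RestException(401, 'Not allowed');
}
// … unchanged: rest of get() …
```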
@@ -187,7 +187,7 @@ class Users extends DolibarrApi
 */
 public function getByLogin($login, $includepermissions = 0)
 {
- if (empty(DolibarrApiAccess::$user->rights->user->user->lire)) {
+ if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
 throw new RestException(401, 'Not allowed');
 }

@@ -221,7 +221,7 @@ class Users extends DolibarrApi
 */
 public function getByEmail($email, $includepermissions = 0)
 {
- if (empty(DolibarrApiAccess::$user->rights->user->user->lire)) {
+ if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
 throw new RestException(401, 'Not allowed');
 }

@@ -254,7 +254,7 @@ class Users extends DolibarrApi
 */
 public function getInfo($includepermissions = 0)
 {
- if (empty(DolibarrApiAccess::$user->rights->user->user->lire)) {
+ if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
 throw new RestException(401, 'Not allowed');
 }

@@ -295,7 +295,7 @@ class Users extends DolibarrApi
 public function post($request_data = null)
 {
 // Check user authorization
- if (empty(DolibarrApiAccess::$user->rights->user->user->creer)) {
+ if (empty(DolibarrApiAccess::$user->rights->user->creer) && empty(DolibarrApiAccess::$user->admin)) {
 throw new RestException(401, "User creation not allowed for login ".DolibarrApiAccess::$user->login);
 }

@@ -345,7 +345,7 @@ class Users extends DolibarrApi
 public function put($id, $request_data = null)
 {
 // Check user authorization
- if (empty(DolibarrApiAccess::$user->rights->user->creer)) {
+ if (empty(DolibarrApiAccess::$user->rights->user->user->creer) && empty(DolibarrApiAccess::$user->admin)) {
 throw new RestException(401, "User update not allowed");
 }

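Review bot: The rights path in post() (the @@ -295 hunk) changes from `rights->user->user->creer` to `rights->user->creer`, dropping the middle `user` level that every other check in this commit uses — including put() in the very next hunk, where the commit makes exactly the opposite correction. Unless `rights->user->creer` is a permission Dolibarr actually populates (I cannot confirm that from the hunk), `empty()` on it is always true and a non-admin caller who does hold the user-creation right is refused; that fails closed, but it is a regression of the permission the endpoint is meant to honour. I'd expect `if (empty(DolibarrApiAccess::$user->rights->user->user->creer) && empty(DolibarrApiAccess::$user->admin)) {`, matching put(). The rest of post() is outside the hunk.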
@@ -423,12 +423,12 @@ class Users extends DolibarrApi
 */
 public function getGroups($id)
 {
- if (!DolibarrApiAccess::$user->rights->user->user->lire) {
+ $obj_ret = array();
+
+ if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
 throw new RestException(403);
 }

- $obj_ret = array();
-
 $user = new User($this->db);
 $result = $user->fetch($id);
 if (!$result) {
@@ -463,7 +463,7 @@ class Users extends DolibarrApi
 {
 global $conf;

- if (empty(DolibarrApiAccess::$user->rights->user->user->creer)) {
+ if (empty(DolibarrApiAccess::$user->rights->user->user->creer) && empty(DolibarrApiAccess::$user->admin)) {
 throw new RestException(401);
 }

@@ -516,9 +516,9 @@ class Users extends DolibarrApi

 $obj_ret = array();

- if ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->user->lire)) ||
- !empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->group_advance->read)) {
- throw new RestException(401, "You are not allowed to read groups");
+ if ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) ||
+ !empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->group_advance->read) && empty(DolibarrApiAccess::$user->admin)) {
+ throw new RestException(401, "You are not allowed to read groups");
 }
 // case of external user, $societe param is ignored and replaced by user's socid

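Review bot: The new condition in the @@ -516 hunk (and the identical one in @@ -590) has the shape `(A && B && admin) || C && D && admin`: it is correct only because `&&` binds tighter than `||`, and the admin bypass appears twice, once inside parentheses and once outside, which is the kind of expression where a later edit silently drops one copy. Hoisting the bypass is the same rule to the engine and makes it explicit: `if (empty(DolibarrApiAccess::$user->admin) && ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->user->lire)) || (!empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->group_advance->read)))) {`. Separately, the throw re-added on the new side still answers 401 to a caller who is authenticated but lacks the permission; 403, which getGroups() already uses in the @@ -423 hunk, is the status that describes that case. The enclosing method of the @@ -516 hunk starts before the hunk.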
@@ -590,8 +590,8 @@ class Users extends DolibarrApi
 {
 global $db, $conf;

- if ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->user->lire)) ||
- !empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->group_advance->read)) {
+ if ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) ||
+ !empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->group_advance->read) && empty(DolibarrApiAccess::$user->admin)) {
 throw new RestException(401, "You are not allowed to read groups");
 }

@@ -616,7 +616,7 @@ class Users extends DolibarrApi
 */
 public function delete($id)
 {
- if (empty(DolibarrApiAccess::$user->rights->user->user->supprimer)) {
+ if (empty(DolibarrApiAccess::$user->rights->user->user->supprimer) && empty(DolibarrApiAccess::$user->admin)) {
 throw new RestException(401, 'Not allowed');
 }
 $result = $this->useraccount->fetch($id);