Fix permissions

Laurent Destailleur 2017-06-15 11:17:02 +02:00
parent 71c0be20b9
commit 4009b1837c


@ -22,14 +22,14 @@ use Luracast\Restler\RestException;
/**
* API class for contacts
*
* @access protected
* @access protected
* @class DolibarrApiAccess {@requires user,external}
*/
class Contacts extends DolibarrApi
{
/**
*
* @var array $FIELDS Mandatory fields, checked when create and update object
* @var array $FIELDS Mandatory fields, checked when create and update object
*/
static $FIELDS = array(
'lastname'
@ -56,13 +56,13 @@ class Contacts extends DolibarrApi
*
* @param int $id ID of contact
* @return array|mixed data without useless information
*
*
* @throws RestException
*/
function get($id) {
if (!DolibarrApiAccess::$user->rights->societe->contact->lire)
{
throw new RestException(401);
throw new RestException(401, 'No permission to read contacts');
}
$result = $this->contact->fetch($id);
@ -81,9 +81,9 @@ class Contacts extends DolibarrApi
/**
* List contacts
*
*
* Get a list of contacts
*
*
* @param string $sortfield Sort field
* @param string $sortorder Sort order
* @param int $limit Limit for list
@ -91,7 +91,7 @@ class Contacts extends DolibarrApi
* @param string $thirdparty_ids Thirdparty ids to filter projects of. {@example '1' or '1,2,3'} {@pattern /^[0-9,]*$/i}
* @param string $sqlfilters Other criteria to filter answers separated by a comma. Syntax example "(t.ref:like:'SO-%') and (t.date_creation:<:'20160101')"
* @return array Array of contact objects
*
*
* @throws RestException
*/
function index($sortfield = "t.rowid", $sortorder = 'ASC', $limit = 0, $page = 0, $thirdparty_ids = '', $sqlfilters = '') {
@ -99,6 +99,11 @@ class Contacts extends DolibarrApi
$obj_ret = array();
if (!DolibarrApiAccess::$user->rights->societe->contact->lire)
{
throw new RestException(401, 'No permission to read contacts');
}
// case of external user, $thirdparty_ids param is ignored and replaced by user's socid
$socids = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : $thirdparty_ids;
@ -111,7 +116,7 @@ class Contacts extends DolibarrApi
$sql.= " FROM " . MAIN_DB_PREFIX . "socpeople as t";
if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) || $search_sale > 0) {
// We need this table joined to the select in order to filter by sale
$sql.= ", " . MAIN_DB_PREFIX . "societe_commerciaux as sc";
$sql.= ", " . MAIN_DB_PREFIX . "societe_commerciaux as sc";
}
$sql.= " LEFT JOIN " . MAIN_DB_PREFIX . "societe as s ON t.fk_soc = s.rowid";
$sql.= ' WHERE t.entity IN (' . getEntity('socpeople') . ')';
@ -127,7 +132,7 @@ class Contacts extends DolibarrApi
$sql .= " AND sc.fk_user = " . $search_sale;
}
// Add sql filters
if ($sqlfilters)
if ($sqlfilters)
{
if (! DolibarrApi::_checkFilters($sqlfilters))
{
@ -136,7 +141,7 @@ class Contacts extends DolibarrApi
$regexstring='\(([^:\'\(\)]+:[^:\'\(\)]+:[^:\(\)]+)\)';
$sql.=" AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")";
}
$sql.= $db->order($sortfield, $sortorder);
if ($limit)
@ -164,7 +169,7 @@ class Contacts extends DolibarrApi
}
$i++;
}
}
}
else {
throw new RestException(503, 'Error when retreive contacts : ' . $sql);
}
@ -184,7 +189,7 @@ class Contacts extends DolibarrApi
function post($request_data = NULL) {
if (!DolibarrApiAccess::$user->rights->societe->contact->creer)
{
throw new RestException(401);
throw new RestException(401, 'No permission to create/update contacts');
}
// Check mandatory fields
$result = $this->_validate($request_data);
@ -203,13 +208,13 @@ class Contacts extends DolibarrApi
* Update contact
*
* @param int $id Id of contact to update
* @param array $request_data Datas
* @return int
* @param array $request_data Datas
* @return int
*/
function put($id, $request_data = NULL) {
if (!DolibarrApiAccess::$user->rights->societe->contact->creer)
{
throw new RestException(401);
throw new RestException(401, 'No permission to create/update contacts');
}
$result = $this->contact->fetch($id);
@ -244,7 +249,7 @@ class Contacts extends DolibarrApi
function delete($id) {
if (!DolibarrApiAccess::$user->rights->societe->contact->supprimer)
{
throw new RestException(401);
throw new RestException(401, 'No permission to delete contacts');
}
$result = $this->contact->fetch($id);
if (!$result)
@ -273,23 +278,29 @@ class Contacts extends DolibarrApi
//if (!DolibarrApiAccess::$user->rights->user->user->creer) {
//throw new RestException(401);
//}
if (!isset($request_data["login"]))
throw new RestException(400, "login field missing");
if (!isset($request_data["password"]))
throw new RestException(400, "password field missing");
if (!DolibarrApiAccess::$user->rights->societe->contact->lire) {
throw new RestException(401);
throw new RestException(401, 'No permission to read contacts');
}
if (!DolibarrApiAccess::$user->rights->user->user->creer) {
throw new RestException(401, 'No permission to create user');
}
$contact = new Contact($this->db);
$contact->fetch($id);
if ($contact->id <= 0) {
throw new RestException(404, 'Contact not found');
}
if (!DolibarrApi::_checkAccessToResource('contact', $contact->id, 'socpeople&societe')) {
throw new RestException(401, 'Access not allowed for login ' . DolibarrApiAccess::$user->login);
}
// Check mandatory fields
$login = $request_data["login"];
$password = $request_data["password"];
@ -300,10 +311,10 @@ class Contacts extends DolibarrApi
}
// password parameter not used in create_from_contact
$useraccount->setPassword($useraccount,$password);
return $result;
}
/**
* Get categories for a contact
*
@ -324,7 +335,7 @@ class Contacts extends DolibarrApi
/**
* Validate fields before create or update object
*
*
* @param array|null $data Data to validate
* @return array
* @throws RestException
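Review bot: In the createUser hunk (`-273,23 +278,29`), the new `societe->contact->lire` and `user->user->creer` permission checks sit below the `isset` checks on `login` and `password`, so a caller with no rights still receives a 400 naming the missing field before being refused with 401; move the two permission checks above the field checks so authorisation is decided before any feedback about the request body is given. The `isset($request_data["password"])` test also accepts an empty string, which then flows into `setPassword` at the end of the hunk — whether that helper rejects an empty password is not visible here, so tighten the guard to `if (!isset($request_data["password"]) || $request_data["password"] === '') throw new RestException(400, "password field missing");`. The signature of createUser and the remainder of its body lie outside the hunk.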