Fix : bad permission in webservice to get contact

jfefe 2013-02-20 11:37:44 +01:00
parent 1941efa45a
commit 4bf550b25c


@ -259,12 +259,16 @@ function getContact($authentication,$id,$ref='',$ref_ext='')
{
$fuser->getrights();
if ($fuser->rights->societe->contact->lire )
$contact=new Contact($db);
$result=$contact->fetch($id,$ref,$ref_ext);
if ($result > 0)
{
$contact=new Contact($db);
$result=$contact->fetch($id,$ref,$ref_ext);
if ($result > 0)
{
// Only internal user who have contact read permission
// Or for external user who have contact read permission, with restrict on societe_id
if (
$fuser->rights->societe->contact->lire && !$fuser->societe_id
|| ( $fuser->rights->societe->contact->lire && ($fuser->societe_id == $contact->socid))
){
$contact_result_fields =array(
'id' => $contact->id,
'lastname' => $contact->lastname,
@ -317,18 +321,18 @@ function getContact($authentication,$id,$ref='',$ref_ext='')
'result'=>array('result_code'=>'OK', 'result_label'=>''),
'contact'=>$contact_result_fields
);
}
else
{
$error++;
$errorcode='NOT_FOUND'; $errorlabel='Object not found for id='.$id.' nor ref='.$ref.' nor ref_ext='.$ref_ext;
}
}
else
{
$error++;
$errorcode='PERMISSION_DENIED'; $errorlabel='User does not have permission for this request';
}
}
else
{
$error++;
$errorcode='PERMISSION_DENIED'; $errorlabel='User does not have permission for this request';
}
}
else
{
$error++;
$errorcode='NOT_FOUND'; $errorlabel='Object not found for id='.$id.' nor ref='.$ref.' nor ref_ext='.$ref_ext;
}
}
if ($error)
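Review bot: In the first hunk the contact is now fetched before any permission test, so, as far as the new side can be read on this page, a caller without `contact->lire` gets NOT_FOUND for a missing record and PERMISSION_DENIED for an existing one, which lets any authenticated web-service user probe which ids and refs exist. Keep the coarse check ahead of the lookup, i.e. test `$fuser->rights->societe->contact->lire` and set `$errorcode='PERMISSION_DENIED'` before `$contact->fetch($id,$ref,$ref_ext)` runs, and apply only the company restriction after it: `if (! $fuser->societe_id || $fuser->societe_id == $contact->socid)`. For an external user asking about a contact of another company, answering NOT_FOUND rather than PERMISSION_DENIED in the second hunk would avoid confirming that the record exists. getContact's body starts and ends outside these hunks, so the authentication step and the `$error` handling are not covered by this note.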