lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix permission on external user

Browse Source
This commit is contained in:
Laurent Destailleur 2021-04-08 19:52:07 +02:00
parent 667481acd5
commit 60711f415d
2 changed files with 50 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
htdocs/fourn/class/fournisseur.product.class.php
View File

@ -634,9 +634,10 @@ class ProductFournisseur extends Product
* @param string $sortorder Sort order
* @param int $limit Limit
* @param int $offset Offset
* @param int $socid Filter on a third party id
* @return array Array of Products with new properties to define supplier price
*/
public function list_product_fournisseur_price($prodid, $sortfield = '', $sortorder = '', $limit = 0, $offset = 0)
public function list_product_fournisseur_price($prodid, $sortfield = '', $sortorder = '', $limit = 0, $offset = 0, $socid = 0)
{
// phpcs:enable
global $conf;
@ -652,7 +653,8 @@ class ProductFournisseur extends Product
$sql .= " FROM ".MAIN_DB_PREFIX."product_fournisseur_price as pfp, ".MAIN_DB_PREFIX."product as p, ".MAIN_DB_PREFIX."societe as s";
$sql .= " WHERE pfp.entity IN (".getEntity('productsupplierprice').")";
$sql .= " AND pfp.fk_soc = s.rowid AND pfp.fk_product = p.rowid";
$sql .= " AND s.status=1"; // only enabled company selected
$sql .= ($socid > 0 ? ' AND pfp.fk_soc = '.((int) $socid) : '');
$sql .= " AND s.status = 1"; // only enabled company selected
$sql .= " AND pfp.fk_product = ".((int) $prodid);
if (empty($sortfield)) {
$sql .= " ORDER BY s.nom, pfp.quantity, pfp.price";

58
htdocs/product/class/api_products.class.php
View File

@ -574,8 +574,8 @@ class Products extends DolibarrApi
/**
* Get prices per customer for a product
*
* @param int $id ID of product
* @param string $thirdparty_id Thirdparty id to filter orders of (example '1') {@pattern /^[0-9,]*$/i}
* @param int $id ID of product
* @param string $thirdparty_id Thirdparty id to filter orders of (example '1') {@pattern /^[0-9,]*$/i}
*
* @return mixed
*
@ -593,6 +593,11 @@ class Products extends DolibarrApi
throw new RestException(400, 'API not available: this mode of pricing is not enabled by setup');
}
$socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : '';
if ($socid > 0 && $socid != $thirdparty_id) {
throw new RestException(401, 'Getting prices for all customers or for the customer ID '.$thirdparty_id.' is not allowed for login '.DolibarrApiAccess::$user->login);
}
$result = $this->product->fetch($id);
if (!$result) {
throw new RestException(404, 'Product not found');
@ -700,6 +705,11 @@ class Products extends DolibarrApi
throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
}
$socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : '';
if ($socid > 0 && $socid != $fourn_id) {
throw new RestException(401, 'Adding purchase price for the supplier ID '.$fourn_id.' is not allowed for login '.DolibarrApiAccess::$user->login);
}
$result = $this->productsupplier->add_fournisseur(DolibarrApiAccess::$user, $fourn_id, $ref_fourn, $qty);
if ($result < 0) {
throw new RestException(500, "Error adding supplier to product : ".$this->db->lasterror());
@ -774,9 +784,19 @@ class Products extends DolibarrApi
{
global $db, $conf;
if (!DolibarrApiAccess::$user->rights->produit->lire) {
throw new RestException(401);
}
$obj_ret = array();
// Force id of company for external users
$socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : '';
if ($socid > 0) {
if ($supplier != $socid || empty($supplier)) {
throw new RestException(401, 'As an external user, you can request only for your supplier id = '.$socid);
}
}
$sql = "SELECT t.rowid, t.ref, t.ref_ext";
$sql .= " FROM ".MAIN_DB_PREFIX."product as t";
@ -788,12 +808,15 @@ class Products extends DolibarrApi
$sql .= ' WHERE t.entity IN ('.getEntity('product').')';
if ($supplier > 0) {
$sql .= " AND s.fk_soc = ".$this->db->escape($supplier);
$sql .= " AND s.fk_soc = "((int) $supplier);
}
if ($socid > 0) { // if external user
$sql .= " AND s.fk_soc = ".((int) $socid);
}
$sql .= " AND s.fk_product = t.rowid";
// Select products of given category
if ($category > 0) {
$sql .= " AND c.fk_categorie = ".$this->db->escape($category);
$sql .= " AND c.fk_categorie = ".((int) $category);
$sql .= " AND c.fk_product = t.rowid";
}
if ($mode == 1) {
@ -878,6 +901,8 @@ class Products extends DolibarrApi
throw new RestException(403);
}
$socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : '';
$result = $this->product->fetch($id, $ref, $ref_ext, $barcode);
if (!$result) {
throw new RestException(404, 'Product not found');
@ -891,7 +916,7 @@ class Products extends DolibarrApi
if ($result) {
$product_fourn = new ProductFournisseur($this->db);
$product_fourn_list = $product_fourn->list_product_fournisseur_price($this->product->id, '', '', 0, 0);
$product_fourn_list = $product_fourn->list_product_fournisseur_price($this->product->id, '', '', 0, 0, ($socid > 0 ? $socid : 0));
}
foreach ($product_fourn_list as $tmpobj) {
@ -911,7 +936,9 @@ class Products extends DolibarrApi
* @param string $sqlfilters Other criteria to filter answers separated by a comma. Syntax example "(t.ref:like:color)"
* @return array
*
* @throws RestException
* @throws RestException 401
* @throws RestException 404
* @throws RestException 503
*
* @url GET attributes
*/
@ -976,7 +1003,6 @@ class Products extends DolibarrApi
* @param int $id ID of Attribute
* @return array
*
* @throws RestException
* @throws RestException 401
* @throws RestException 404
*
@ -1020,8 +1046,8 @@ class Products extends DolibarrApi
* @param string $ref Reference of Attribute
* @return array
*
* @throws RestException 500
* @throws RestException 401
* @throws RestException 404
*
* @url GET attributes/ref/{ref}
*/
@ -1272,7 +1298,10 @@ class Products extends DolibarrApi
throw new RestException(401);
}
$sql = "SELECT rowid, fk_product_attribute, ref, value FROM ".MAIN_DB_PREFIX."product_attribute_value WHERE ref LIKE '".trim($ref)."' AND fk_product_attribute = ".(int) $id." AND entity IN (".getEntity('product').")";
$ref = trim($ref);
$sql = "SELECT rowid, fk_product_attribute, ref, value FROM ".MAIN_DB_PREFIX."product_attribute_value";
$sql .= " WHERE ref LIKE '".$this->db->escape($ref)."' AND fk_product_attribute = ".((int) $id)." AND entity IN (".getEntity('product').")";
$query = $this->db->query($sql);
@ -1312,7 +1341,10 @@ class Products extends DolibarrApi
throw new RestException(401);
}
$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."product_attribute_value WHERE ref LIKE '".trim($ref)."' AND fk_product_attribute = ".(int) $id." AND entity IN (".getEntity('product').")";
$ref = trim($ref);
$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."product_attribute_value";
$sql .= " WHERE ref LIKE '".$this->db->escape($ref)."' AND fk_product_attribute = ".((int) $id)." AND entity IN (".getEntity('product').")";
$query = $this->db->query($sql);
if (!$query) {
@ -1383,11 +1415,13 @@ class Products extends DolibarrApi
throw new RestException(401);
}
$ref = trim($ref);
$return = array();
$sql = 'SELECT ';
$sql .= 'v.fk_product_attribute, v.rowid, v.ref, v.value FROM '.MAIN_DB_PREFIX.'product_attribute_value as v';
$sql .= " WHERE v.fk_product_attribute IN (SELECT rowid FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref LIKE '".$this->db->escape(trim($ref))."')";
$sql .= " WHERE v.fk_product_attribute IN (SELECT rowid FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref LIKE '".$this->db->escape($ref)."')";
$resql = $this->db->query($sql);
@ -1428,7 +1462,7 @@ class Products extends DolibarrApi
}
$objectval = new ProductAttributeValue($this->db);
$objectval->fk_product_attribute = $id;
$objectval->fk_product_attribute = ((int) $id);
$objectval->ref = $ref;
$objectval->value = $value;