From 651f4158ac6c4b122d544adb50df49fb90a00f97 Mon Sep 17 00:00:00 2001
From: ptibogxiv
Date: Sun, 16 Jun 2019 14:18:26 +0200
Subject: [PATCH] Fix add / delete contact access
---
 htdocs/commande/class/api_orders.class.php | 34 +++++++++-------------
 1 file changed, 14 insertions(+), 20 deletions(-)
diff --git a/htdocs/commande/class/api_orders.class.php b/htdocs/commande/class/api_orders.class.php
index 27b55f9e57f..36df0c0eacb 100644
--- a/htdocs/commande/class/api_orders.class.php
+++ b/htdocs/commande/class/api_orders.class.php
@@ -415,21 +415,16 @@ class Orders extends DolibarrApi
 */
 public function postContact($id, $contactid, $type)
 {
- if(!DolibarrApiAccess::$user->rights->commande->creer) {
- throw new RestException(401);
- }
-
- $result = $this->commande->fetch($id);
-
- if(!$result) {
- throw new RestException(404, 'Order not found');
+ if (! DolibarrApiAccess::$user->rights->commande->creer) {
+ throw new RestException(401);
 }
- if (!in_array($type, array('BILLING', 'SHIPPING', 'CUSTOMER'), true)) {
- throw new RestException(500, 'Availables types: BILLING, SHIPPING OR CUSTOMER');
+ $result = $this->commande->fetch($id);
+ if (! $result) {
+ throw new RestException(404, 'Order not found');
 }
- if(!DolibarrApi::_checkAccessToResource('order', $this->commande->id)) {
+ if (! DolibarrApi::_checkAccessToResource('commande', $this->commande->id)) {
 throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
 }
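Review bot: The `$type` whitelist that the old code enforced before the access check is deleted in this hunk and not reinstated anywhere visible, so postContact now accepts any value for `$type`; since the commit message only claims to fix the access check, this looks accidental. The new side should keep the guard, ideally with a client-error status since it rejects caller input: `if (! in_array($type, array('BILLING', 'SHIPPING', 'CUSTOMER'), true)) {` `throw new RestException(400, 'Availables types: BILLING, SHIPPING OR CUSTOMER');` `}` placed before the `_checkAccessToResource` call. Where `$type` is consumed is outside the hunk (postContact continues past its last line), so I cannot confirm what an unexpected value does downstream, but an unchecked type string reaching the contact-link insert is a data-integrity risk at minimum. Separately, the rebuilt `if (! $result)` here and in the deleteContact hunk maps every non-positive return of `fetch()` to a 404; if `fetch()` follows the usual Dolibarr convention of returning a negative value on a database error, those errors are misreported as 'Order not found' and a `$result < 0` branch raising a 500 would be more accurate.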
@@ -457,17 +452,16 @@ class Orders extends DolibarrApi
 */
 public function deleteContact($id, $rowid)
 {
- if(!DolibarrApiAccess::$user->rights->commande->creer) {
- throw new RestException(401);
- }
-
- $result = $this->commande->fetch($id);
-
- if(!$result) {
- throw new RestException(404, 'Order not found');
+ if (! DolibarrApiAccess::$user->rights->commande->creer) {
+ throw new RestException(401);
 }
- if(!DolibarrApi::_checkAccessToResource('order', $this->commande->id)) {
+ $result = $this->commande->fetch($id);
+ if (! $result) {
+ throw new RestException(404, 'Order not found');
+ }
+
+ if (! DolibarrApi::_checkAccessToResource('commande', $this->commande->id)) {
 throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
 }