Fix #yogosha5832 - Missin test on permission for /index routes on APIs

Laurent Destailleur 2021-04-08 19:05:28 +02:00
parent 6c84b858ee
commit 667481acd5
18 changed files with 81 additions and 0 deletions


@ -155,6 +155,10 @@ class Proposals extends DolibarrApi
{
global $db, $conf;
if (!DolibarrApiAccess::$user->rights->propal->lire) {
throw new RestException(401);
}
$obj_ret = array();
// case of external user, $thirdparty_ids param is ignored and replaced by user's socid
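Review bot: The status code returned when the new permission guard fails is not uniform across the commit: this hunk and most of the others (Orders, Invoices, Contracts, Donations, Shipments, ExpenseReports, Interventions, SupplierInvoices, SupplierOrders, Projects, Tasks, Thirdparties, Supplierproposals, ZapierApi) throw `RestException(401)`, while Products and Tickets throw `RestException(403)`. 403 is the code that describes an authenticated user who lacks a right, but the pre-existing guards in the same files (for example the Donations `creer`/`supprimer` checks) use 401, so whichever code is chosen should be applied consistently within this change rather than per file. Since the title describes a missing test, a regression test that calls each list route as a user without the `lire` right and expects the `RestException` would pin this behaviour and catch any route added later without a guard. The enclosing method (the index route, going by the commit title) starts and ends outside this hunk.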


@ -158,6 +158,10 @@ class Orders extends DolibarrApi
{
global $db, $conf;
if (!DolibarrApiAccess::$user->rights->commande->lire) {
throw new RestException(401);
}
$obj_ret = array();
// case of external user, $thirdparty_ids param is ignored and replaced by user's socid


@ -165,6 +165,10 @@ class Invoices extends DolibarrApi
{
global $db, $conf;
if (!DolibarrApiAccess::$user->rights->facture->lire) {
throw new RestException(401);
}
$obj_ret = array();
// case of external user, $thirdparty_ids param is ignored and replaced by user's socid


@ -106,6 +106,10 @@ class Contracts extends DolibarrApi
{
global $db, $conf;
if (!DolibarrApiAccess::$user->rights->contrat->lire) {
throw new RestException(401);
}
$obj_ret = array();
// case of external user, $thirdparty_ids param is ignored and replaced by user's socid


@ -103,6 +103,10 @@ class Donations extends DolibarrApi
{
global $db, $conf;
if (!DolibarrApiAccess::$user->rights->don->lire) {
throw new RestException(401);
}
$obj_ret = array();
// case of external user, $thirdparty_ids param is ignored and replaced by user's socid
@ -179,6 +183,7 @@ class Donations extends DolibarrApi
if (!DolibarrApiAccess::$user->rights->don->creer) {
throw new RestException(401, "Insuffisant rights");
}
// Check mandatory fields
$result = $this->_validate($request_data);
@ -247,6 +252,7 @@ class Donations extends DolibarrApi
if (!DolibarrApiAccess::$user->rights->don->supprimer) {
throw new RestException(401);
}
$result = $this->don->fetch($id);
if (!$result) {
throw new RestException(404, 'Donation not found');
@ -295,6 +301,7 @@ class Donations extends DolibarrApi
if (!DolibarrApiAccess::$user->rights->don->creer) {
throw new RestException(401);
}
$result = $this->don->fetch($id);
if (!$result) {
throw new RestException(404, 'Donation not found');


@ -103,6 +103,10 @@ class Shipments extends DolibarrApi
{
global $db, $conf;
if (!DolibarrApiAccess::$user->rights->expedition->lire) {
throw new RestException(401);
}
$obj_ret = array();
// case of external user, $thirdparty_ids param is ignored and replaced by user's socid


@ -99,6 +99,10 @@ class ExpenseReports extends DolibarrApi
{
global $db, $conf;
if (!DolibarrApiAccess::$user->rights->expensereport->lire) {
throw new RestException(401);
}
$obj_ret = array();
// case of external user, $societe param is ignored and replaced by user's socid
@ -164,6 +168,7 @@ class ExpenseReports extends DolibarrApi
if (!DolibarrApiAccess::$user->rights->expensereport->creer) {
throw new RestException(401, "Insuffisant rights");
}
// Check mandatory fields
$result = $this->_validate($request_data);
@ -427,6 +432,7 @@ class ExpenseReports extends DolibarrApi
if (!DolibarrApiAccess::$user->rights->expensereport->supprimer) {
throw new RestException(401);
}
$result = $this->expensereport->fetch($id);
if (!$result) {
throw new RestException(404, 'Expense Report not found');
@ -469,6 +475,7 @@ class ExpenseReports extends DolibarrApi
if(! DolibarrApiAccess::$user->rights->expensereport->creer) {
throw new RestException(401);
}
$result = $this->expensereport->fetch($id);
if( ! $result ) {
throw new RestException(404, 'expensereport not found');


@ -110,6 +110,10 @@ class Interventions extends DolibarrApi
{
global $db, $conf;
if (!DolibarrApiAccess::$user->rights->ficheinter->lire) {
throw new RestException(401);
}
$obj_ret = array();
// case of external user, $thirdparty_ids param is ignored and replaced by user's socid


@ -102,6 +102,10 @@ class SupplierInvoices extends DolibarrApi
{
global $db;
if (!DolibarrApiAccess::$user->rights->fournisseur->facture->lire) {
throw new RestException(401);
}
$obj_ret = array();
// case of external user, $thirdparty_ids param is ignored and replaced by user's socid


@ -101,6 +101,10 @@ class SupplierOrders extends DolibarrApi
{
global $db, $conf;
if (!DolibarrApiAccess::$user->rights->fournisseur->commande->lire) {
throw new RestException(401);
}
$obj_ret = array();
// case of external user, $thirdparty_ids param is ignored and replaced by user's socid


@ -172,6 +172,10 @@ class Products extends DolibarrApi
{
global $db, $conf;
if (!DolibarrApiAccess::$user->rights->produit->lire) {
throw new RestException(403);
}
$obj_ret = array();
$socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : '';


@ -103,6 +103,10 @@ class Projects extends DolibarrApi
{
global $db, $conf;
if (!DolibarrApiAccess::$user->rights->projet->lire) {
throw new RestException(401);
}
$obj_ret = array();
// case of external user, $thirdparty_ids param is ignored and replaced by user's socid


@ -109,6 +109,10 @@ class Tasks extends DolibarrApi
{
global $db, $conf;
if (!DolibarrApiAccess::$user->rights->projet->lire) {
throw new RestException(401);
}
$obj_ret = array();
// case of external user, $thirdparty_ids param is ignored and replaced by user's socid


@ -74,6 +74,7 @@ class Contacts extends DolibarrApi
if (!DolibarrApiAccess::$user->rights->societe->contact->lire) {
throw new RestException(401, 'No permission to read contacts');
}
if ($id == 0) {
$result = $this->contact->initAsSpecimen();
} else {
@ -117,6 +118,7 @@ class Contacts extends DolibarrApi
if (!DolibarrApiAccess::$user->rights->societe->contact->lire) {
throw new RestException(401, 'No permission to read contacts');
}
if (empty($email)) {
$result = $this->contact->initAsSpecimen();
} else {


@ -132,6 +132,10 @@ class Thirdparties extends DolibarrApi
{
$obj_ret = array();
if (!DolibarrApiAccess::$user->rights->societe->lire) {
throw new RestException(401);
}
// case of external user, we force socids
$socids = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : '';
@ -1842,9 +1846,11 @@ class Thirdparties extends DolibarrApi
private function _fetch($rowid, $ref = '', $ref_ext = '', $barcode = '', $idprof1 = '', $idprof2 = '', $idprof3 = '', $idprof4 = '', $idprof5 = '', $idprof6 = '', $email = '', $ref_alias = '')
{
global $conf;
if (!DolibarrApiAccess::$user->rights->societe->lire) {
throw new RestException(401);
}
if ($rowid === 0) {
$result = $this->company->initAsSpecimen();
} else {
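Review bot: The guard added to the private `_fetch()` helper in the second hunk only protects the public routes that delegate to it; if any public getter of `Thirdparties` reads company data without going through `_fetch()`, it still needs its own `societe->lire` check, and that cannot be confirmed from this hunk. The specimen branch (`$rowid === 0` then `initAsSpecimen()`) now sits behind the check as well, which is fine. In the first hunk the check comes after `$obj_ret = array();`, whereas every other list-route guard in this commit runs before any work is done; moving `$obj_ret = array();` below the `if` block would make it read like the others. Both enclosing methods continue outside their hunks.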


@ -98,6 +98,10 @@ class Supplierproposals extends DolibarrApi
{
global $db, $conf;
if (!DolibarrApiAccess::$user->rights->supplier_proposal->lire) {
throw new RestException(401);
}
$obj_ret = array();
// case of external user, $thirdparty_ids param is ignored and replaced by user's socid


@ -232,6 +232,10 @@ class Tickets extends DolibarrApi
{
global $db, $conf;
if (!DolibarrApiAccess::$user->rights->ticket->read) {
throw new RestException(403);
}
$obj_ret = array();
if (!$socid && DolibarrApiAccess::$user->socid) {


@ -104,6 +104,7 @@ class ZapierApi extends DolibarrApi
if (!DolibarrApiAccess::$user->rights->zapier->read) {
throw new RestException(401);
}
$arraychoices = array(
'invoices' => 'Invoices',
'orders' => 'Orders',
@ -143,6 +144,10 @@ class ZapierApi extends DolibarrApi
{
global $db, $conf;
if (!DolibarrApiAccess::$user->rights->zapier->read) {
throw new RestException(401);
}
$obj_ret = array();
$socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : '';
@ -242,6 +247,7 @@ class ZapierApi extends DolibarrApi
if (!DolibarrApiAccess::$user->rights->zapier->write) {
throw new RestException(401);
}
// Check mandatory fields
$fields = array(
'url',
@ -313,6 +319,7 @@ class ZapierApi extends DolibarrApi
if (!DolibarrApiAccess::$user->rights->zapier->delete) {
throw new RestException(401);
}
$result = $this->hook->fetch($id);
if (!$result) {
throw new RestException(404, 'Hook not found');