From 667481acd580ce827062883a281e03cdc03859bf Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 8 Apr 2021 19:05:28 +0200
Subject: [PATCH] Fix #yogosha5832 - Missin test on permission for /index routes on APIs
---
 htdocs/comm/propal/class/api_proposals.class.php | 4 ++++
 htdocs/commande/class/api_orders.class.php | 4 ++++
 htdocs/compta/facture/class/api_invoices.class.php | 4 ++++
 htdocs/contrat/class/api_contracts.class.php | 4 ++++
 htdocs/don/class/api_donations.class.php | 7 +++++++
 htdocs/expedition/class/api_shipments.class.php | 4 ++++
 htdocs/expensereport/class/api_expensereports.class.php | 7 +++++++
 htdocs/fichinter/class/api_interventions.class.php | 4 ++++
 htdocs/fourn/class/api_supplier_invoices.class.php | 4 ++++
 htdocs/fourn/class/api_supplier_orders.class.php | 4 ++++
 htdocs/product/class/api_products.class.php | 4 ++++
 htdocs/projet/class/api_projects.class.php | 4 ++++
 htdocs/projet/class/api_tasks.class.php | 4 ++++
 htdocs/societe/class/api_contacts.class.php | 2 ++
 htdocs/societe/class/api_thirdparties.class.php | 6 ++++++
 .../class/api_supplier_proposals.class.php | 4 ++++
 htdocs/ticket/class/api_tickets.class.php | 4 ++++
 htdocs/zapier/class/api_zapier.class.php | 7 +++++++
 18 files changed, 81 insertions(+)
diff --git a/htdocs/comm/propal/class/api_proposals.class.php b/htdocs/comm/propal/class/api_proposals.class.php
index 9f5cdea8000..042303b7eed 100644
--- a/htdocs/comm/propal/class/api_proposals.class.php
+++ b/htdocs/comm/propal/class/api_proposals.class.php
@@ -155,6 +155,10 @@ class Proposals extends DolibarrApi
 {
 global $db, $conf;
+ if (!DolibarrApiAccess::$user->rights->propal->lire) {
+ throw new RestException(401);
+ }
+
 $obj_ret = array();
 // case of external user, $thirdparty_ids param is ignored and replaced by user's socid
diff --git a/htdocs/commande/class/api_orders.class.php b/htdocs/commande/class/api_orders.class.php
index 17b7d4285b4..1bf3b97a040 100644
--- a/htdocs/commande/class/api_orders.class.php
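Review bot: The added guard answers a missing `propal->lire` right with `RestException(401)`, the status for an unauthenticated request, while the products and tickets hunks of this same patch answer the identical condition with 403, so a client now receives a different code for the same failure depending on the endpoint. The surrounding code base already uses 401 for permission denials (see the contacts and donations context lines), so the immediate issue is consistency within the patch rather than the choice itself; whichever code is kept, a reason string lets operators tell a revoked key from a missing right, e.g. `throw new RestException(401, 'Insufficient rights to read proposals');`. The same check is repeated in the orders, invoices, contracts, donations, shipments, expense reports, interventions, supplier invoices, supplier orders, projects, tasks, thirdparties, supplier proposals and zapier hunks, and this remark covers all of them. When the module's rights sub-object is absent (module disabled) the chained property read presumably emits a PHP notice before `!null` fails closed; `if (empty(DolibarrApiAccess::$user->rights->propal->lire))` denies the same way without the noise. The index method's signature and docblock lie above the hunk; a `@throws RestException 401 Insufficient rights` docblock line would document the new failure mode.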
+++ b/htdocs/commande/class/api_orders.class.php
@@ -158,6 +158,10 @@ class Orders extends DolibarrApi
 {
 global $db, $conf;
+ if (!DolibarrApiAccess::$user->rights->commande->lire) {
+ throw new RestException(401);
+ }
+
 $obj_ret = array();
 // case of external user, $thirdparty_ids param is ignored and replaced by user's socid
diff --git a/htdocs/compta/facture/class/api_invoices.class.php b/htdocs/compta/facture/class/api_invoices.class.php
index 87bcbe12b3e..0633affef49 100644
--- a/htdocs/compta/facture/class/api_invoices.class.php
+++ b/htdocs/compta/facture/class/api_invoices.class.php
@@ -165,6 +165,10 @@ class Invoices extends DolibarrApi
 {
 global $db, $conf;
+ if (!DolibarrApiAccess::$user->rights->facture->lire) {
+ throw new RestException(401);
+ }
+
 $obj_ret = array();
 // case of external user, $thirdparty_ids param is ignored and replaced by user's socid
diff --git a/htdocs/contrat/class/api_contracts.class.php b/htdocs/contrat/class/api_contracts.class.php
index cf821ccb2c6..1de8f0c480d 100644
--- a/htdocs/contrat/class/api_contracts.class.php
+++ b/htdocs/contrat/class/api_contracts.class.php
@@ -106,6 +106,10 @@ class Contracts extends DolibarrApi
 {
 global $db, $conf;
+ if (!DolibarrApiAccess::$user->rights->contrat->lire) {
+ throw new RestException(401);
+ }
+
 $obj_ret = array();
 // case of external user, $thirdparty_ids param is ignored and replaced by user's socid
diff --git a/htdocs/don/class/api_donations.class.php b/htdocs/don/class/api_donations.class.php
index ab0d6e5f483..2773ab62c14 100644
--- a/htdocs/don/class/api_donations.class.php
+++ b/htdocs/don/class/api_donations.class.php
@@ -103,6 +103,10 @@ class Donations extends DolibarrApi
 {
 global $db, $conf;
+ if (!DolibarrApiAccess::$user->rights->don->lire) {
+ throw new RestException(401);
+ }
+
 $obj_ret = array();
 // case of external user, $thirdparty_ids param is ignored and replaced by user's socid
@@ -179,6 +183,7 @@ class Donations extends DolibarrApi
 if (!DolibarrApiAccess::$user->rights->don->creer) {
 throw new RestException(401, "Insuffisant rights");
 }
+
 // Check mandatory fields
 $result = $this->_validate($request_data);
@@ -247,6 +252,7 @@ class Donations extends DolibarrApi
 if (!DolibarrApiAccess::$user->rights->don->supprimer) {
 throw new RestException(401);
 }
+
 $result = $this->don->fetch($id);
 if (!$result) {
 throw new RestException(404, 'Donation not found');
@@ -295,6 +301,7 @@ class Donations extends DolibarrApi
 if (!DolibarrApiAccess::$user->rights->don->creer) {
 throw new RestException(401);
 }
+
 $result = $this->don->fetch($id);
 if (!$result) {
 throw new RestException(404, 'Donation not found');
diff --git a/htdocs/expedition/class/api_shipments.class.php b/htdocs/expedition/class/api_shipments.class.php
index cc5267cdd47..961790cc3bd 100644
--- a/htdocs/expedition/class/api_shipments.class.php
+++ b/htdocs/expedition/class/api_shipments.class.php
@@ -103,6 +103,10 @@ class Shipments extends DolibarrApi
 {
 global $db, $conf;
+ if (!DolibarrApiAccess::$user->rights->expedition->lire) {
+ throw new RestException(401);
+ }
+
 $obj_ret = array();
 // case of external user, $thirdparty_ids param is ignored and replaced by user's socid
diff --git a/htdocs/expensereport/class/api_expensereports.class.php b/htdocs/expensereport/class/api_expensereports.class.php
index 13148e4247a..7321cb40625 100644
--- a/htdocs/expensereport/class/api_expensereports.class.php
+++ b/htdocs/expensereport/class/api_expensereports.class.php
@@ -99,6 +99,10 @@ class ExpenseReports extends DolibarrApi
 {
 global $db, $conf;
+ if (!DolibarrApiAccess::$user->rights->expensereport->lire) {
+ throw new RestException(401);
+ }
+
 $obj_ret = array();
 // case of external user, $societe param is ignored and replaced by user's socid
@@ -164,6 +168,7 @@ class ExpenseReports extends DolibarrApi
 if (!DolibarrApiAccess::$user->rights->expensereport->creer) {
 throw new RestException(401, "Insuffisant rights");
 }
+
 // Check mandatory fields
 $result = $this->_validate($request_data);
@@ -427,6 +432,7 @@ class ExpenseReports extends DolibarrApi
 if (!DolibarrApiAccess::$user->rights->expensereport->supprimer) {
 throw new RestException(401);
 }
+
 $result = $this->expensereport->fetch($id);
 if (!$result) {
 throw new RestException(404, 'Expense Report not found');
@@ -469,6 +475,7 @@ class ExpenseReports extends DolibarrApi
 if(! DolibarrApiAccess::$user->rights->expensereport->creer) {
 throw new RestException(401);
 }
+
 $result = $this->expensereport->fetch($id);
 if( ! $result ) {
 throw new RestException(404, 'expensereport not found');
diff --git a/htdocs/fichinter/class/api_interventions.class.php b/htdocs/fichinter/class/api_interventions.class.php
index 17aa2b3db53..423bb31f348 100644
--- a/htdocs/fichinter/class/api_interventions.class.php
+++ b/htdocs/fichinter/class/api_interventions.class.php
@@ -110,6 +110,10 @@ class Interventions extends DolibarrApi
 {
 global $db, $conf;
+ if (!DolibarrApiAccess::$user->rights->ficheinter->lire) {
+ throw new RestException(401);
+ }
+
 $obj_ret = array();
 // case of external user, $thirdparty_ids param is ignored and replaced by user's socid
diff --git a/htdocs/fourn/class/api_supplier_invoices.class.php b/htdocs/fourn/class/api_supplier_invoices.class.php
index 5e977473146..b9b541f0229 100644
--- a/htdocs/fourn/class/api_supplier_invoices.class.php
+++ b/htdocs/fourn/class/api_supplier_invoices.class.php
@@ -102,6 +102,10 @@ class SupplierInvoices extends DolibarrApi
 {
 global $db;
+ if (!DolibarrApiAccess::$user->rights->fournisseur->facture->lire) {
+ throw new RestException(401);
+ }
+
 $obj_ret = array();
 // case of external user, $thirdparty_ids param is ignored and replaced by user's socid
diff --git a/htdocs/fourn/class/api_supplier_orders.class.php b/htdocs/fourn/class/api_supplier_orders.class.php
index 8076900b100..b09b5677e10 100644
--- a/htdocs/fourn/class/api_supplier_orders.class.php
+++ b/htdocs/fourn/class/api_supplier_orders.class.php
@@ -101,6 +101,10 @@ class SupplierOrders extends DolibarrApi
 {
 global $db, $conf;
+ if (!DolibarrApiAccess::$user->rights->fournisseur->commande->lire) {
+ throw new RestException(401);
+ }
+
 $obj_ret = array();
 // case of external user, $thirdparty_ids param is ignored and replaced by user's socid
diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php
index c38437fb2f0..79751ea2e14 100644
--- a/htdocs/product/class/api_products.class.php
+++ b/htdocs/product/class/api_products.class.php
@@ -172,6 +172,10 @@ class Products extends DolibarrApi
 {
 global $db, $conf;
+ if (!DolibarrApiAccess::$user->rights->produit->lire) {
+ throw new RestException(403);
+ }
+
 $obj_ret = array();
 $socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : '';
diff --git a/htdocs/projet/class/api_projects.class.php b/htdocs/projet/class/api_projects.class.php
index 47536986a80..6a08aa7a4bd 100644
--- a/htdocs/projet/class/api_projects.class.php
+++ b/htdocs/projet/class/api_projects.class.php
@@ -103,6 +103,10 @@ class Projects extends DolibarrApi
 {
 global $db, $conf;
+ if (!DolibarrApiAccess::$user->rights->projet->lire) {
+ throw new RestException(401);
+ }
+
 $obj_ret = array();
 // case of external user, $thirdparty_ids param is ignored and replaced by user's socid
diff --git a/htdocs/projet/class/api_tasks.class.php b/htdocs/projet/class/api_tasks.class.php
index 748d9ce2594..cd6df68d590 100644
--- a/htdocs/projet/class/api_tasks.class.php
+++ b/htdocs/projet/class/api_tasks.class.php
@@ -109,6 +109,10 @@ class Tasks extends DolibarrApi
 {
 global $db, $conf;
+ if (!DolibarrApiAccess::$user->rights->projet->lire) {
+ throw new RestException(401);
+ }
+
 $obj_ret = array();
 // case of external user, $thirdparty_ids param is ignored and replaced by user's socid
diff --git a/htdocs/societe/class/api_contacts.class.php b/htdocs/societe/class/api_contacts.class.php
index 3993ad38e5f..5a6513ef6e5 100644
--- a/htdocs/societe/class/api_contacts.class.php
+++ b/htdocs/societe/class/api_contacts.class.php
@@ -74,6 +74,7 @@ class Contacts extends DolibarrApi
 if (!DolibarrApiAccess::$user->rights->societe->contact->lire) {
 throw new RestException(401, 'No permission to read contacts');
 }
+
 if ($id == 0) {
 $result = $this->contact->initAsSpecimen();
 } else {
@@ -117,6 +118,7 @@ class Contacts extends DolibarrApi
 if (!DolibarrApiAccess::$user->rights->societe->contact->lire) {
 throw new RestException(401, 'No permission to read contacts');
 }
+
 if (empty($email)) {
 $result = $this->contact->initAsSpecimen();
 } else {
diff --git a/htdocs/societe/class/api_thirdparties.class.php b/htdocs/societe/class/api_thirdparties.class.php
index f5eae0be948..b0b486459b1 100644
--- a/htdocs/societe/class/api_thirdparties.class.php
+++ b/htdocs/societe/class/api_thirdparties.class.php
@@ -132,6 +132,10 @@ class Thirdparties extends DolibarrApi
 {
 $obj_ret = array();
+ if (!DolibarrApiAccess::$user->rights->societe->lire) {
+ throw new RestException(401);
+ }
+
 // case of external user, we force socids
 $socids = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : '';
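Review bot: In the Thirdparties index hunk the permission guard is inserted after `$obj_ret = array();` rather than as the first statement of the method, which is where every other hunk in this patch places it; moving the `if (!DolibarrApiAccess::$user->rights->societe->lire)` block above the assignment keeps the deny-before-any-work shape uniform and makes the guard easy to find in review. Nothing escapes here because the array is still empty, so this is a point of style only. The method's body continues below the hunk.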
@@ -1842,9 +1846,11 @@ class Thirdparties extends DolibarrApi
 private function _fetch($rowid, $ref = '', $ref_ext = '', $barcode = '', $idprof1 = '', $idprof2 = '', $idprof3 = '', $idprof4 = '', $idprof5 = '', $idprof6 = '', $email = '', $ref_alias = '')
 {
 global $conf;
+
 if (!DolibarrApiAccess::$user->rights->societe->lire) {
 throw new RestException(401);
 }
+
 if ($rowid === 0) {
 $result = $this->company->initAsSpecimen();
 } else {
diff --git a/htdocs/supplier_proposal/class/api_supplier_proposals.class.php b/htdocs/supplier_proposal/class/api_supplier_proposals.class.php
index 1368cce7811..3e38ac10b41 100644
--- a/htdocs/supplier_proposal/class/api_supplier_proposals.class.php
+++ b/htdocs/supplier_proposal/class/api_supplier_proposals.class.php
@@ -98,6 +98,10 @@ class Supplierproposals extends DolibarrApi
 {
 global $db, $conf;
+ if (!DolibarrApiAccess::$user->rights->supplier_proposal->lire) {
+ throw new RestException(401);
+ }
+
 $obj_ret = array();
 // case of external user, $thirdparty_ids param is ignored and replaced by user's socid
diff --git a/htdocs/ticket/class/api_tickets.class.php b/htdocs/ticket/class/api_tickets.class.php
index d8e36933ea6..f814beb3398 100644
--- a/htdocs/ticket/class/api_tickets.class.php
+++ b/htdocs/ticket/class/api_tickets.class.php
@@ -232,6 +232,10 @@ class Tickets extends DolibarrApi
 {
 global $db, $conf;
+ if (!DolibarrApiAccess::$user->rights->ticket->read) {
+ throw new RestException(403);
+ }
+
 $obj_ret = array();
 if (!$socid && DolibarrApiAccess::$user->socid) {
diff --git a/htdocs/zapier/class/api_zapier.class.php b/htdocs/zapier/class/api_zapier.class.php
index ebf62d115ab..c141588a7f9 100644
--- a/htdocs/zapier/class/api_zapier.class.php
+++ b/htdocs/zapier/class/api_zapier.class.php
@@ -104,6 +104,7 @@ class ZapierApi extends DolibarrApi
 if (!DolibarrApiAccess::$user->rights->zapier->read) {
 throw new RestException(401);
 }
+
 $arraychoices = array(
 'invoices' => 'Invoices',
 'orders' => 'Orders',
@@ -143,6 +144,10 @@ class ZapierApi extends DolibarrApi
 {
 global $db, $conf;
+ if (!DolibarrApiAccess::$user->rights->zapier->read) {
+ throw new RestException(401);
+ }
+
 $obj_ret = array();
 $socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : '';
@@ -242,6 +247,7 @@ class ZapierApi extends DolibarrApi
 if (!DolibarrApiAccess::$user->rights->zapier->write) {
 throw new RestException(401);
 }
+
 // Check mandatory fields
 $fields = array(
 'url',
@@ -313,6 +319,7 @@ class ZapierApi extends DolibarrApi
 if (!DolibarrApiAccess::$user->rights->zapier->delete) {
 throw new RestException(401);
 }
+
 $result = $this->hook->fetch($id);
 if (!$result) {
 throw new RestException(404, 'Hook not found');