Merge pull request #9160 from hregis/develop_api

FIX compatibility with multicompany transverse mode
2018-08-02 10:57:27 +02:00 · 2018-08-02 10:57:27 +02:00 · 738caa605f
commit 738caa605f
parent e86a970332 e48eec583d
1 changed files with 29 additions and 19 deletions
--- a/htdocs/user/class/api_users.class.php
+++ b/htdocs/user/class/api_users.class.php
@ -231,38 +231,48 @@ class Users extends DolibarrApi
 	 *
 	 * @param   int     $id        User ID
 	 * @param   int     $group     Group ID
+	 * @param   int     $entity    Entity ID (valid only for superadmin in multicompany transverse mode)
 	 * @return  int                1 if success
     *
 	 * @url	GET {id}/setGroup/{group}
 	 */
-	function setGroup($id, $group) {
+	function setGroup($id, $group, $entity = 1) {

 		global $conf;

 		//if (!DolibarrApiAccess::$user->rights->user->user->supprimer) {
 			//throw new RestException(401);
 		//}
-        $result = $this->useraccount->fetch($id);
-        if (!$result)
-        {
-          throw new RestException(404, 'User not found');
-        }
+		$result = $this->useraccount->fetch($id);
+		if (!$result)
+		{
+			throw new RestException(404, 'User not found');
+		}

-        if (!DolibarrApi::_checkAccessToResource('user', $this->useraccount->id, 'user'))
-        {
-          throw new RestException(401, 'Access not allowed for login ' . DolibarrApiAccess::$user->login);
-        }
+		if (!DolibarrApi::_checkAccessToResource('user', $this->useraccount->id, 'user'))
+		{
+			throw new RestException(401, 'Access not allowed for login ' . DolibarrApiAccess::$user->login);
+		}

-        // When using API, action is done on entity of logged user because a user of entity X with permission to create user should not be able to
-        // hack the security by giving himself permissions on another entity.
-        $result = $this->useraccount->SetInGroup($group, DolibarrApiAccess::$user->entity > 0 ? DolibarrApiAccess::$user->entity : $conf->entity);
-        if (! ($result > 0))
-        {
-            throw new RestException(500, $this->useraccount->error);
-        }
+		if (! empty($conf->multicompany->enabled) && ! empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE) && ! empty(DolibarrApiAccess::$user->admin) && empty(DolibarrApiAccess::$user->entity))
+		{
+			$entity = (! empty($entity) ? $entity : $conf->entity);
+		}
+		else
+		{
+			// When using API, action is done on entity of logged user because a user of entity X with permission to create user should not be able to
+			// hack the security by giving himself permissions on another entity.
+			$entity = (DolibarrApiAccess::$user->entity > 0 ? DolibarrApiAccess::$user->entity : $conf->entity);
+		}

-        return 1;
-    }
+		$result = $this->useraccount->SetInGroup($group, $entity);
+		if (! ($result > 0))
+		{
+			throw new RestException(500, $this->useraccount->error);
+		}
+
+		return 1;
+	}

 	/**
 	 * Delete account