lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #11346 from ptibogxiv/patch-189

Browse Source 
Fix add / delete contact access in order API
This commit is contained in:
Laurent Destailleur 2019-06-16 17:26:50 +02:00 committed by GitHub
commit a6c5dc9a46
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
htdocs/commande/class/api_orders.class.php
View File

@ -415,21 +415,16 @@ class Orders extends DolibarrApi
*/
public function postContact($id, $contactid, $type)
{
if(!DolibarrApiAccess::$user->rights->commande->creer) {
throw new RestException(401);
}
$result = $this->commande->fetch($id);
if(!$result) {
throw new RestException(404, 'Order not found');
if (! DolibarrApiAccess::$user->rights->commande->creer) {
throw new RestException(401);
}
if (!in_array($type, array('BILLING', 'SHIPPING', 'CUSTOMER'), true)) {
throw new RestException(500, 'Availables types: BILLING, SHIPPING OR CUSTOMER');
$result = $this->commande->fetch($id);
if (! $result) {
throw new RestException(404, 'Order not found');
}
if(!DolibarrApi::_checkAccessToResource('order', $this->commande->id)) {
if (! DolibarrApi::_checkAccessToResource('commande', $this->commande->id)) {
throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
}
@ -457,17 +452,16 @@ class Orders extends DolibarrApi
*/
public function deleteContact($id, $rowid)
{
if(!DolibarrApiAccess::$user->rights->commande->creer) {
throw new RestException(401);
}
$result = $this->commande->fetch($id);
if(!$result) {
throw new RestException(404, 'Order not found');
if (! DolibarrApiAccess::$user->rights->commande->creer) {
throw new RestException(401);
}
if(!DolibarrApi::_checkAccessToResource('order', $this->commande->id)) {
$result = $this->commande->fetch($id);
if (! $result) {
throw new RestException(404, 'Order not found');
}
if (! DolibarrApi::_checkAccessToResource('commande', $this->commande->id)) {
throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
}

5
htdocs/install/mysql/tables/llx_bom_bom.sql
View File

@ -26,7 +26,8 @@ CREATE TABLE llx_bom_bom(
fk_product integer,
qty double(24,8),
efficiency double(8,4) DEFAULT 1,
date_creation datetime NOT NULL,
date_creation datetime NOT NULL,
date_valid datetime NOT NULL,
tms timestamp,
date_valid datetime,
fk_user_creat integer NOT NULL,
@ -35,4 +36,4 @@ CREATE TABLE llx_bom_bom(
import_key varchar(14),
status integer NOT NULL
-- END MODULEBUILDER FIELDS
) ENGINE=innodb;
) ENGINE=innodb;