From 629c6d93f66dabcb8c15252e2575a62439b3fff2 Mon Sep 17 00:00:00 2001
From: Nicolas Leichtle
Date: Sun, 1 Oct 2017 14:33:59 +0200
Subject: [PATCH 1/2] FIX: REST function addTimeSpent
---
 htdocs/projet/class/api_tasks.class.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/htdocs/projet/class/api_tasks.class.php b/htdocs/projet/class/api_tasks.class.php
index d6303c18a16..168afc2cb0c 100644
--- a/htdocs/projet/class/api_tasks.class.php
+++ b/htdocs/projet/class/api_tasks.class.php
@@ -19,6 +19,7 @@ use Luracast\Restler\RestException;
 require_once DOL_DOCUMENT_ROOT.'/projet/class/task.class.php';
+ require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php';
 /**
 * API class for projects
@@ -501,15 +502,17 @@ class Tasks extends DolibarrApi
 */
 function addTimeSpent($id, $date, $duration, $user_id=0, $note='')
 {
- if(! DolibarrApiAccess::$user->rights->projet->creer) {
+
+
+ if( ! DolibarrApiAccess::$user->rights->projet->creer) {
 throw new RestException(401);
 }
 $result = $this->task->fetch($id);
 if ($result <= 0) {
 throw new RestException(404, 'Task not found');
 }
-
- if( ! DolibarrApi::_checkAccessToResource('project',$this->project->id)) {
+
+ if( ! DolibarrApi::_checkAccessToResource('project', $this->task->fk_project)) {
 throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
 }
From 5f2c5a6c53c83ceca823494dd639d252f240fb5c Mon Sep 17 00:00:00 2001
From: Nicolas Leichtle
Date: Sun, 8 Oct 2017 23:26:35 +0200
Subject: [PATCH 2/2] New Extend REST POST function "/documents" to support projects and tasks
---
 htdocs/api/class/api_documents.class.php | 57 ++++++++++++++++++++++--
 1 file changed, 53 insertions(+), 4 deletions(-)
diff --git a/htdocs/api/class/api_documents.class.php b/htdocs/api/class/api_documents.class.php
index 52ed728a769..6339ce4a91a 100644
--- a/htdocs/api/class/api_documents.class.php
+++ b/htdocs/api/class/api_documents.class.php
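Review bot: In the `addTimeSpent` hunk of api_tasks.class.php, the corrected resource check needs a comment and a sweep of the rest of the class: the old argument `$this->project->id` read a property that nothing visible here populates, so the project-level check was probably evaluated against an empty id. If other methods of `Tasks` outside this hunk still pass `$this->project->id` to `_checkAccessToResource`, they carry the same weakness and should be switched to `$this->task->fk_project` too. I would add `// Authorise against the task's parent project; $this->project is not loaded in this method` above the check, plus a test that calls the endpoint as a user who has no access to the project. The function body continues after the hunk, so how the caller-supplied `$user_id` is used is not visible; it is worth confirming that it cannot be used to book time in another user's name without a dedicated right.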
@@ -23,6 +23,8 @@ use Luracast\Restler\Format\UploadFormat;
 require_once DOL_DOCUMENT_ROOT.'/main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
+require_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
+require_once DOL_DOCUMENT_ROOT.'/projet/class/task.class.php';
 /**
 * API class for receive files
@@ -148,7 +150,7 @@ class Documents extends DolibarrApi
 * Test sample 2: { "filename": "mynewfile.txt", "modulepart": "medias", "ref": "", "subdir": "mysubdir1/mysubdir2", "filecontent": "content text", "fileencoding": "", "overwriteifexists": "0" }.
 *
 * @param string $filename Name of file to create ('FA1705-0123')
- * @param string $modulepart Name of module or area concerned by file upload ('facture', ...)
+ * @param string $modulepart Name of module or area concerned by file upload ('facture', 'project', 'project_task', ...)
 * @param string $ref Reference of object (This will define subdir automatically and store submited file into it)
 * @param string $subdir Subdirectory (Only if ref not provided)
 * @param string $filecontent File content (string with file content. An empty file will be created if this parameter is not provided)
@@ -166,7 +168,10 @@ class Documents extends DolibarrApi
 var_dump($filecontent);
 exit;*/
- require_once DOL_DOCUMENT_ROOT . '/core/lib/files.lib.php';
+ if(empty($modulepart))
+ {
+ throw new RestException(400, 'Modulepart not provided.');
+ }
 if (!DolibarrApiAccess::$user->rights->ecm->upload) {
 throw new RestException(401);
@@ -186,8 +191,52 @@ class Documents extends DolibarrApi
 if ($modulepart == 'facture' || $modulepart == 'invoice')
 {
 $modulepart='facture';
- $object=new Facture($db);
+ $object = new Facture($this->db);
+ }
+ elseif ($modulepart == 'project')
+ {
+ $object = new Project($this->db);
+ }
+ elseif ($modulepart == 'task' || $modulepart == 'project_task')
+ {
+ $modulepart = 'project_task';
+ $object = new Task($this->db);
+
+ $task_result = $object->fetch('', $ref);
+
+ // Fetching the tasks project is required because its out_dir might be a subdirectory of the project
+ if($task_result > 0)
+ {
+ $project_result = $object->fetch_projet();
+
+ if($project_result >= 0)
+ {
+ $tmpreldir = dol_sanitizeFileName($object->project->ref).'/';
+ }
+ }
+ else
+ {
+ throw new RestException(500, 'Error while fetching Task '.$ref);
+ }
+ }
+ // TODO Implement additional moduleparts
+ else
+ {
+ throw new RestException(500, 'Modulepart '.$modulepart.' not implemented yet.');
+ }
+
+ if(is_object($object))
+ {
 $result = $object->fetch('', $ref);
+
+ if($result == 0)
+ {
+ throw new RestException(500, "Object with ref '".$ref.'" was not found.');
+ }
+ elseif ($result < 0)
+ {
+ throw new RestException(500, 'Error while fetching object.');
+ }
 }
 if (! ($object->id > 0))
@@ -195,7 +244,7 @@ class Documents extends DolibarrApi
 throw new RestException(500, 'The object '.$modulepart." with ref '".$ref."' was not found.");
 }
- $tmp = dol_check_secure_access_document($modulepart, $tmpreldir.$object->ref, $entity, DolibarrApiAccess::$user, $ref, 'write');
+ $tmp = dol_check_secure_access_document($modulepart, $tmpreldir.dol_sanitizeFileName($object->ref), $entity, DolibarrApiAccess::$user, $ref, 'write');
 $upload_dir = $tmp['original_file'];
 if (empty($upload_dir) || $upload_dir == '/')
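Review bot: In the `project_task` branch a failed or empty project lookup is silently ignored: `if($project_result >= 0)` accepts 0, which the `$result == 0` test further down in this same hunk treats as "not found", and a negative result simply skips the assignment. In the first case `$object->project->ref` may be read from a project that was never loaded, in the second `$tmpreldir` keeps whatever value it had before the hunk, so the path handed to `dol_check_secure_access_document()` lacks the project directory. Because that path drives both the access check and the upload location, the branch should fail closed before building `$tmpreldir`, e.g. `if ($project_result <= 0 || empty($object->project->ref)) { throw new RestException(500, 'Error while fetching project of task '.$ref); }`. The task is also fetched twice (here and again in the `is_object($object)` block, which is always true because the final `else` throws), the not-found and unsupported cases would be clearer as 404/400 than 500, and the message `"Object with ref '".$ref.'" was not found.'` mixes its quote characters.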
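Review bot: In the last hunk only `$tmp['original_file']` is read from the result of `dol_check_secure_access_document()`, so no access decision from that helper is consulted in the lines shown. If the helper returns one alongside the path (in Dolibarr's files library this is, as far as I know, the `accessallowed` key; confirm for this version), then with projects and tasks now reachable the only gate visible in this patch for writing into a project's directory is the `ecm->upload` right checked in the earlier hunk. I would add `if (empty($tmp['accessallowed'])) { throw new RestException(401); }` right after the call, unless the code following `if (empty($upload_dir) || $upload_dir == '/')`, which lies outside the hunk, already does this. A short comment stating that the sanitised ref is used for the path while the raw `$ref` is still passed as the fifth argument would also help the next reader.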