From c54e010126fb1cc297f644f5bf045a26a0c0b09c Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Mon, 17 May 2021 16:16:45 +0200
Subject: [PATCH] Fix perms on API user

---
 htdocs/user/class/api_users.class.php | 30 ++++++++++++++++-----------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/htdocs/user/class/api_users.class.php b/htdocs/user/class/api_users.class.php
index 39f3b302599..9f5ea935372 100644
--- a/htdocs/user/class/api_users.class.php
+++ b/htdocs/user/class/api_users.class.php
@@ -71,7 +71,7 @@ class Users extends DolibarrApi
 
 	    $obj_ret = array();
 
-		if (!DolibarrApiAccess::$user->rights->user->user->lire && !DolibarrApiAccess::$user->admin) {
+		if (!DolibarrApiAccess::$user->rights->user->user->lire && empty(DolibarrApiAccess::$user->admin)) {
 	        throw new RestException(401, "You are not allowed to read list of users");
 	    }
 
@@ -142,7 +142,7 @@ class Users extends DolibarrApi
 	 */
     public function get($id, $includepermissions = 0)
     {
-		if (!DolibarrApiAccess::$user->rights->user->user->lire  && !DolibarrApiAccess::$user->admin) {
+		if (!DolibarrApiAccess::$user->rights->user->user->lire && empty(DolibarrApiAccess::$user->admin)) {
 			throw new RestException(401);
 		}
 
@@ -177,7 +177,11 @@ class Users extends DolibarrApi
      */
     public function getInfo()
     {
-        $apiUser = DolibarrApiAccess::$user;
+    	if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
+    		throw new RestException(401, 'Not allowed');
+    	}
+    	
+    	$apiUser = DolibarrApiAccess::$user;
 
         $result = $this->useraccount->fetch($apiUser->id);
         if (!$result) {
@@ -208,7 +212,7 @@ class Users extends DolibarrApi
     public function post($request_data = null)
     {
 	    // check user authorization
-	    if(! DolibarrApiAccess::$user->rights->user->creer && !DolibarrApiAccess::$user->admin) {
+	    if (empty(DolibarrApiAccess::$user->rights->user->creer) && empty(DolibarrApiAccess::$user->admin)) {
 			throw new RestException(401, "User creation not allowed");
 	    }
 	    // check mandatory fields
@@ -242,7 +246,7 @@ class Users extends DolibarrApi
 	 */
     public function put($id, $request_data = null)
     {
-		if (!DolibarrApiAccess::$user->rights->user->user->creer && !DolibarrApiAccess::$user->admin) {
+		if (empty(DolibarrApiAccess::$user->rights->user->user->creer) && empty(DolibarrApiAccess::$user->admin)) {
 			throw new RestException(401);
 		}
 
@@ -299,7 +303,7 @@ class Users extends DolibarrApi
 	{
 		$obj_ret = array();
 
-		if (!DolibarrApiAccess::$user->rights->user->user->lire && !DolibarrApiAccess::$user->admin) {
+		if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
 			throw new RestException(401);
 		}
 
@@ -334,7 +338,7 @@ class Users extends DolibarrApi
 
 		global $conf;
 
-		if (!DolibarrApiAccess::$user->rights->user->user->supprimer && !DolibarrApiAccess::$user->admin) {
+		if (empty(DolibarrApiAccess::$user->rights->user->user->creer) && empty(DolibarrApiAccess::$user->admin)) {
 			throw new RestException(401);
 		}
 		$result = $this->useraccount->fetch($id);
@@ -389,9 +393,10 @@ class Users extends DolibarrApi
 
 	    $obj_ret = array();
 
-		if (!DolibarrApiAccess::$user->rights->user->group_advance->read && !DolibarrApiAccess::$user->admin) {
-	        throw new RestException(401, "You are not allowed to read list of groups");
-	    }
+	    if ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) ||
+	    	!empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->group_advance->read) && empty(DolibarrApiAccess::$user->admin)) {
+	    		throw new RestException(401, "You are not allowed to read groups");
+    	}
 
 	    // case of external user, $societe param is ignored and replaced by user's socid
 	    //$socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : $societe;
@@ -463,7 +468,8 @@ class Users extends DolibarrApi
     {
 	    global $db, $conf;
 
-		if (!DolibarrApiAccess::$user->rights->user->group_advance->read && !DolibarrApiAccess::$user->admin) {
+	    if ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) ||
+	    	!empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->group_advance->read) && empty(DolibarrApiAccess::$user->admin)) {
 	        throw new RestException(401, "You are not allowed to read groups");
 	    }
 
@@ -486,7 +492,7 @@ class Users extends DolibarrApi
 	 */
     public function delete($id)
     {
-		if (!DolibarrApiAccess::$user->rights->user->user->supprimer && !DolibarrApiAccess::$user->admin) {
+		if (empty(DolibarrApiAccess::$user->rights->user->user->supprimer) && empty(DolibarrApiAccess::$user->admin)) {
 			throw new RestException(401);
 		}
 		$result = $this->useraccount->fetch($id);