From c577d1c51eeb16c3abb33c022502d57b011aae5b Mon Sep 17 00:00:00 2001 From: Ferran Marcet Date: Thu, 13 May 2021 13:35:28 +0200 Subject: [PATCH 01/14] FIX: Impossible to add multiple localtax2 --- htdocs/admin/dict.php | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/htdocs/admin/dict.php b/htdocs/admin/dict.php index b7f65ddf91f..fbe7d924cbc 100644 --- a/htdocs/admin/dict.php +++ b/htdocs/admin/dict.php @@ -9,7 +9,7 @@ * Copyright (C) 2012-2015 Marcos García * Copyright (C) 2012 Christophe Battarel * Copyright (C) 2011-2016 Alexandre Spangaro - * Copyright (C) 2015 Ferran Marcet + * Copyright (C) 2015-2021 Ferran Marcet * Copyright (C) 2016 Raphaël Doursenaud * Copyright (C) 2019 Frédéric France * @@ -777,6 +777,9 @@ if (GETPOST('actionadd') || GETPOST('actionmodify')) elseif (in_array($keycode, array('joinfile', 'private', 'position', 'scale'))) { $sql .= (int) GETPOST($keycode, 'int'); } + elseif ($keycode == 'localtax2') { + $sql .= "'".GETPOST($keycode, 'alpha')."'"; + } else { $sql .= "'".$db->escape(GETPOST($keycode, 'nohtml'))."'"; } @@ -843,6 +846,9 @@ if (GETPOST('actionadd') || GETPOST('actionmodify')) elseif (in_array($keycode, array('private', 'position', 'scale'))) { $sql .= (int) GETPOST($keycode, 'int'); } + elseif ($keycode == 'localtax2') { + $sql .= "'".GETPOST($keycode, 'alpha')."'"; + } else { $sql .= "'".$db->escape(GETPOST($keycode, 'nohtml'))."'"; } From acadef72c1d8bd734573e3afdadff24271f70818 Mon Sep 17 00:00:00 2001 From: Maxime Kohlhaas Date: Fri, 14 May 2021 18:01:22 +0200 Subject: [PATCH 02/14] Fix use supplier relative discount in replenish order creation --- htdocs/product/stock/replenish.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/htdocs/product/stock/replenish.php b/htdocs/product/stock/replenish.php index dbf07c92d01..5d8e1f4a790 100644 --- a/htdocs/product/stock/replenish.php +++ b/htdocs/product/stock/replenish.php @@ -211,7 +211,9 @@ if ($action == 'order' && isset($_POST['valid'])) if ($resql && $db->num_rows($resql) > 0) { $obj = $db->fetch_object($resql); $order->fetch($obj->rowid); + $order->fetch_thirdparty(); foreach ($supplier['lines'] as $line) { + if(empty($line->remise_percent)) $line->remise_percent = $order->thirdparty->remise_supplier_percent; $result = $order->addline( $line->desc, $line->subprice, @@ -248,6 +250,7 @@ if ($action == 'order' && isset($_POST['valid'])) //trick to know which orders have been generated this way $order->source = 42; foreach ($supplier['lines'] as $line) { + if(empty($line->remise_percent)) $line->remise_percent = $order->thirdparty->remise_supplier_percent; $order->lines[] = $line; } $order->cond_reglement_id = $order->thirdparty->cond_reglement_supplier_id; From 1fbd53993f45901f5fb3d7e5c6bbf9df884e2b06 Mon Sep 17 00:00:00 2001 From: Maxime Kohlhaas Date: Sun, 16 May 2021 19:07:36 +0200 Subject: [PATCH 03/14] Fix missing substitutionarray on ticket presend --- htdocs/ticket/card.php | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/htdocs/ticket/card.php b/htdocs/ticket/card.php index 6d14d29202f..a32ec67a11e 100644 --- a/htdocs/ticket/card.php +++ b/htdocs/ticket/card.php @@ -1297,13 +1297,23 @@ elseif (empty($action) || $action == 'view' || $action == 'addlink' || $action = // add a message if ($action == 'presend' || $action == 'presend_addmessage') { + $outputlangs = $langs; + $newlang = ''; + if ($conf->global->MAIN_MULTILANGS && empty($newlang) && !empty($_REQUEST['lang_id'])) { + $newlang = $_REQUEST['lang_id']; + } + if ($conf->global->MAIN_MULTILANGS && empty($newlang)) { + $newlang = $object->thirdparty->default_lang; + } + $arrayoffamiliestoexclude = array('objectamount'); + $action = 'add_message'; // action to use to post the message $modelmail = 'ticket_send'; // Substitution array $morehtmlright = ''; $help = ""; - $substitutionarray = array(); + $substitutionarray = getCommonSubstitutionArray($outputlangs, 0, $arrayoffamiliestoexclude, $object); if ($object->fk_soc > 0) { $object->fetch_thirdparty(); $substitutionarray['__THIRDPARTY_NAME__'] = $object->thirdparty->name; From c36f231f415eb3d6f6eeda42da629eedcb2de27b Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 17 May 2021 07:34:56 +0200 Subject: [PATCH 04/14] Update card.php --- htdocs/ticket/card.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/ticket/card.php b/htdocs/ticket/card.php index a32ec67a11e..cb428712913 100644 --- a/htdocs/ticket/card.php +++ b/htdocs/ticket/card.php @@ -1299,8 +1299,8 @@ elseif (empty($action) || $action == 'view' || $action == 'addlink' || $action = { $outputlangs = $langs; $newlang = ''; - if ($conf->global->MAIN_MULTILANGS && empty($newlang) && !empty($_REQUEST['lang_id'])) { - $newlang = $_REQUEST['lang_id']; + if ($conf->global->MAIN_MULTILANGS && empty($newlang) && GETPOST('lang_id', 'aZ09')) { + $newlang = GETPOST('lang_id', 'aZ09'); } if ($conf->global->MAIN_MULTILANGS && empty($newlang)) { $newlang = $object->thirdparty->default_lang; From dd88f9cd767648860589be45a2a752fdd3e4a910 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 17 May 2021 07:37:01 +0200 Subject: [PATCH 05/14] Update card.php --- htdocs/ticket/card.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/htdocs/ticket/card.php b/htdocs/ticket/card.php index cb428712913..857365203f8 100644 --- a/htdocs/ticket/card.php +++ b/htdocs/ticket/card.php @@ -1297,12 +1297,16 @@ elseif (empty($action) || $action == 'view' || $action == 'addlink' || $action = // add a message if ($action == 'presend' || $action == 'presend_addmessage') { + if ($object->fk_soc > 0) { + $object->fetch_thirdparty(); + } + $outputlangs = $langs; $newlang = ''; if ($conf->global->MAIN_MULTILANGS && empty($newlang) && GETPOST('lang_id', 'aZ09')) { $newlang = GETPOST('lang_id', 'aZ09'); } - if ($conf->global->MAIN_MULTILANGS && empty($newlang)) { + if ($conf->global->MAIN_MULTILANGS && empty($newlang) && is_object($object->thirdparty)) { $newlang = $object->thirdparty->default_lang; } $arrayoffamiliestoexclude = array('objectamount'); @@ -1315,7 +1319,6 @@ elseif (empty($action) || $action == 'view' || $action == 'addlink' || $action = $help = ""; $substitutionarray = getCommonSubstitutionArray($outputlangs, 0, $arrayoffamiliestoexclude, $object); if ($object->fk_soc > 0) { - $object->fetch_thirdparty(); $substitutionarray['__THIRDPARTY_NAME__'] = $object->thirdparty->name; } $substitutionarray['__USER_SIGNATURE__'] = $user->signature; From bdf876ead4d36c340c0249c150eecf5f3619d3cb Mon Sep 17 00:00:00 2001 From: stickler-ci Date: Mon, 17 May 2021 05:38:46 +0000 Subject: [PATCH 06/14] Fixing style errors. --- htdocs/ticket/card.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/ticket/card.php b/htdocs/ticket/card.php index 857365203f8..186a4461bd3 100644 --- a/htdocs/ticket/card.php +++ b/htdocs/ticket/card.php @@ -1300,7 +1300,7 @@ elseif (empty($action) || $action == 'view' || $action == 'addlink' || $action = if ($object->fk_soc > 0) { $object->fetch_thirdparty(); } - + $outputlangs = $langs; $newlang = ''; if ($conf->global->MAIN_MULTILANGS && empty($newlang) && GETPOST('lang_id', 'aZ09')) { From d4162f3076a34a26dd9ad1d651d58a0083e00d19 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 17 May 2021 08:00:33 +0200 Subject: [PATCH 07/14] Update card.php --- htdocs/ticket/card.php | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/htdocs/ticket/card.php b/htdocs/ticket/card.php index 186a4461bd3..5ed28094e39 100644 --- a/htdocs/ticket/card.php +++ b/htdocs/ticket/card.php @@ -1317,7 +1317,7 @@ elseif (empty($action) || $action == 'view' || $action == 'addlink' || $action = // Substitution array $morehtmlright = ''; $help = ""; - $substitutionarray = getCommonSubstitutionArray($outputlangs, 0, $arrayoffamiliestoexclude, $object); + $substitutionarray = getCommonSubstitutionArray($newlang, 0, $arrayoffamiliestoexclude, $object); if ($object->fk_soc > 0) { $substitutionarray['__THIRDPARTY_NAME__'] = $object->thirdparty->name; } @@ -1351,16 +1351,6 @@ elseif (empty($action) || $action == 'view' || $action == 'addlink' || $action = print '
'; - // Define output language - $outputlangs = $langs; - $newlang = ''; - if ($conf->global->MAIN_MULTILANGS && empty($newlang) && !empty($_REQUEST['lang_id'])) { - $newlang = $_REQUEST['lang_id']; - } - if ($conf->global->MAIN_MULTILANGS && empty($newlang)) { - $newlang = $object->default_lang; - } - $formticket = new FormTicket($db); $formticket->action = $action; From 7bb71dd89fa1e6552135e2f875cd00cfa174635e Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 17 May 2021 09:25:18 +0200 Subject: [PATCH 08/14] FIX #17602 --- htdocs/admin/dict.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/htdocs/admin/dict.php b/htdocs/admin/dict.php index f00d670d4a1..caa7a9fdc05 100644 --- a/htdocs/admin/dict.php +++ b/htdocs/admin/dict.php @@ -802,8 +802,8 @@ if (GETPOST('actionadd') || GETPOST('actionmodify')) if ($value == 'price' || preg_match('/^amount/i', $value)) { $_POST[$keycode] = price2num(GETPOST($keycode), 'MU'); } - elseif ($value == 'taux' || $value == 'localtax1' || $value == 'localtax2') { - $_POST[$keycode] = price2num(GETPOST($keycode), 8); + elseif ($value == 'taux' || $value == 'localtax1') { + $_POST[$keycode] = price2num(GETPOST($keycode), 8); // Note that localtax2 can be a list of rates separated by coma like X:Y:Z } elseif ($value == 'entity') { $_POST[$keycode] = getEntity($tabname[$id]); @@ -871,8 +871,8 @@ if (GETPOST('actionadd') || GETPOST('actionmodify')) if ($field == 'price' || preg_match('/^amount/i', $field)) { $_POST[$keycode] = price2num(GETPOST($keycode), 'MU'); } - elseif ($field == 'taux' || $field == 'localtax1' || $field == 'localtax2') { - $_POST[$keycode] = price2num(GETPOST($keycode), 8); + elseif ($field == 'taux' || $field == 'localtax1') { + $_POST[$keycode] = price2num(GETPOST($keycode), 8); // Note that localtax2 can be a list of rates separated by coma like X:Y:Z } elseif ($field == 'entity') { $_POST[$keycode] = getEntity($tabname[$id]); From 2f9a504dce7e44e16513a712cab815d58585ffb4 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 17 May 2021 09:30:09 +0200 Subject: [PATCH 09/14] Fix label --- htdocs/admin/dict.php | 10 +++++----- htdocs/langs/en_US/main.lang | 1 + 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/htdocs/admin/dict.php b/htdocs/admin/dict.php index caa7a9fdc05..4bd556c5ac3 100644 --- a/htdocs/admin/dict.php +++ b/htdocs/admin/dict.php @@ -1076,7 +1076,7 @@ if ($id) $sql = $tabsql[$id]; if (!preg_match('/ WHERE /', $sql)) $sql .= " WHERE 1 = 1"; - if ($search_country_id > 0) $sql .= " AND c.rowid = ".$search_country_id; + if ($search_country_id > 0) $sql .= " AND c.rowid = ".((int) $search_country_id); if ($search_code != '' && $id == 9) $sql .= natural_search("code_iso", $search_code); elseif ($search_code != '' && $id == 28) $sql .= natural_search("h.code", $search_code); elseif ($search_code != '' && $id == 32) $sql .= natural_search("a.code", $search_code); @@ -1150,9 +1150,9 @@ if ($id) $class = 'center'; } if ($fieldlist[$field] == 'localtax1_type') { $valuetoshow = $langs->trans("UseLocalTax")." 2"; $class = "center"; $sortable = 0; } - if ($fieldlist[$field] == 'localtax1') { $valuetoshow = $langs->trans("Rate")." 2"; $class = "center"; } + if ($fieldlist[$field] == 'localtax1') { $valuetoshow = $langs->trans("RateOfTaxN", '2'); $class = "center"; } if ($fieldlist[$field] == 'localtax2_type') { $valuetoshow = $langs->trans("UseLocalTax")." 3"; $class = "center"; $sortable = 0; } - if ($fieldlist[$field] == 'localtax2') { $valuetoshow = $langs->trans("Rate")." 3"; $class = "center"; } + if ($fieldlist[$field] == 'localtax2') { $valuetoshow = $langs->trans("RateOfTaxN", '3'); $class = "center"; } if ($fieldlist[$field] == 'organization') { $valuetoshow = $langs->trans("Organization"); } if ($fieldlist[$field] == 'lang') { $valuetoshow = $langs->trans("Language"); } if ($fieldlist[$field] == 'type') { @@ -1380,9 +1380,9 @@ if ($id) $cssprefix = 'center '; } if ($fieldlist[$field] == 'localtax1_type') { $valuetoshow = $langs->trans("UseLocalTax")." 2"; $cssprefix = "center "; $sortable = 0; } - if ($fieldlist[$field] == 'localtax1') { $valuetoshow = $langs->trans("Rate")." 2"; $cssprefix = "center "; $sortable = 0; } + if ($fieldlist[$field] == 'localtax1') { $valuetoshow = $langs->trans("RateOfTaxN", '2'); $cssprefix = "center "; $sortable = 0; } if ($fieldlist[$field] == 'localtax2_type') { $valuetoshow = $langs->trans("UseLocalTax")." 3"; $cssprefix = "center "; $sortable = 0; } - if ($fieldlist[$field] == 'localtax2') { $valuetoshow = $langs->trans("Rate")." 3"; $cssprefix = "center "; $sortable = 0; } + if ($fieldlist[$field] == 'localtax2') { $valuetoshow = $langs->trans("RateOfTaxN", '3'); $cssprefix = "center "; $sortable = 0; } if ($fieldlist[$field] == 'organization') { $valuetoshow = $langs->trans("Organization"); } if ($fieldlist[$field] == 'lang') { $valuetoshow = $langs->trans("Language"); } if ($fieldlist[$field] == 'type') { $valuetoshow = $langs->trans("Type"); } diff --git a/htdocs/langs/en_US/main.lang b/htdocs/langs/en_US/main.lang index 5594c835ba8..39517ca2e1b 100644 --- a/htdocs/langs/en_US/main.lang +++ b/htdocs/langs/en_US/main.lang @@ -427,6 +427,7 @@ LT1IN=CGST LT2IN=SGST LT1GC=Additionnal cents VATRate=Tax Rate +RateOfTaxN=Rate of tax %s VATCode=Tax Rate code VATNPR=Tax Rate NPR DefaultTaxRate=Default tax rate From f923c70f380d4145153b20bcbb8037caf7ea7a4c Mon Sep 17 00:00:00 2001 From: Ferran Marcet Date: Mon, 17 May 2021 10:17:54 +0200 Subject: [PATCH 10/14] Fix: Before there was no mistake --- htdocs/admin/dict.php | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/htdocs/admin/dict.php b/htdocs/admin/dict.php index fbe7d924cbc..648537ec3f8 100644 --- a/htdocs/admin/dict.php +++ b/htdocs/admin/dict.php @@ -9,7 +9,7 @@ * Copyright (C) 2012-2015 Marcos García * Copyright (C) 2012 Christophe Battarel * Copyright (C) 2011-2016 Alexandre Spangaro - * Copyright (C) 2015-2021 Ferran Marcet + * Copyright (C) 2015 Ferran Marcet * Copyright (C) 2016 Raphaël Doursenaud * Copyright (C) 2019 Frédéric France * @@ -777,10 +777,7 @@ if (GETPOST('actionadd') || GETPOST('actionmodify')) elseif (in_array($keycode, array('joinfile', 'private', 'position', 'scale'))) { $sql .= (int) GETPOST($keycode, 'int'); } - elseif ($keycode == 'localtax2') { - $sql .= "'".GETPOST($keycode, 'alpha')."'"; - } - else { + else { $sql .= "'".$db->escape(GETPOST($keycode, 'nohtml'))."'"; } @@ -846,9 +843,6 @@ if (GETPOST('actionadd') || GETPOST('actionmodify')) elseif (in_array($keycode, array('private', 'position', 'scale'))) { $sql .= (int) GETPOST($keycode, 'int'); } - elseif ($keycode == 'localtax2') { - $sql .= "'".GETPOST($keycode, 'alpha')."'"; - } else { $sql .= "'".$db->escape(GETPOST($keycode, 'nohtml'))."'"; } From 547f1dd3703a625b72ee594b238c211a0a684297 Mon Sep 17 00:00:00 2001 From: Dorian Vabre Date: Mon, 17 May 2021 11:54:53 +0200 Subject: [PATCH 11/14] Fix: user rest api rights --- htdocs/user/class/api_users.class.php | 38 +++++++++++++-------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/htdocs/user/class/api_users.class.php b/htdocs/user/class/api_users.class.php index fa139e2c69f..7c1eef84c2c 100644 --- a/htdocs/user/class/api_users.class.php +++ b/htdocs/user/class/api_users.class.php @@ -71,7 +71,7 @@ class Users extends DolibarrApi $obj_ret = array(); - if (!DolibarrApiAccess::$user->rights->user->user->lire) { + if (!DolibarrApiAccess::$user->rights->user->user->lire && !DolibarrApiAccess::$user->admin) { throw new RestException(401, "You are not allowed to read list of users"); } @@ -142,9 +142,9 @@ class Users extends DolibarrApi */ public function get($id, $includepermissions = 0) { - //if (!DolibarrApiAccess::$user->rights->user->user->lire) { - //throw new RestException(401); - //} + if (!DolibarrApiAccess::$user->rights->user->user->lire && !DolibarrApiAccess::$user->admin) { + throw new RestException(401); + } $result = $this->useraccount->fetch($id); if (!$result) @@ -208,9 +208,9 @@ class Users extends DolibarrApi public function post($request_data = null) { // check user authorization - //if(! DolibarrApiAccess::$user->rights->user->creer) { - // throw new RestException(401, "User creation not allowed"); - //} + if(! DolibarrApiAccess::$user->rights->user->creer && !DolibarrApiAccess::$user->admin) { + throw new RestException(401, "User creation not allowed"); + } // check mandatory fields /*if (!isset($request_data["login"])) throw new RestException(400, "login field missing"); @@ -242,9 +242,9 @@ class Users extends DolibarrApi */ public function put($id, $request_data = null) { - //if (!DolibarrApiAccess::$user->rights->user->user->creer) { - //throw new RestException(401); - //} + if (!DolibarrApiAccess::$user->rights->user->user->creer && !DolibarrApiAccess::$user->admin) { + throw new RestException(401); + } $result = $this->useraccount->fetch($id); if (!$result) @@ -299,7 +299,7 @@ class Users extends DolibarrApi { $obj_ret = array(); - if (!DolibarrApiAccess::$user->rights->user->user->lire) { + if (!DolibarrApiAccess::$user->rights->user->user->lire && !DolibarrApiAccess::$user->admin) { throw new RestException(401); } @@ -334,9 +334,9 @@ class Users extends DolibarrApi global $conf; - //if (!DolibarrApiAccess::$user->rights->user->user->supprimer) { - //throw new RestException(401); - //} + if (!DolibarrApiAccess::$user->rights->user->user->supprimer && !DolibarrApiAccess::$user->admin) { + throw new RestException(401); + } $result = $this->useraccount->fetch($id); if (!$result) { @@ -389,7 +389,7 @@ class Users extends DolibarrApi $obj_ret = array(); - if (!DolibarrApiAccess::$user->rights->user->group_advance->read) { + if (!DolibarrApiAccess::$user->rights->user->group_advance->read && !DolibarrApiAccess::$user->admin) { throw new RestException(401, "You are not allowed to read list of groups"); } @@ -463,7 +463,7 @@ class Users extends DolibarrApi { global $db, $conf; - if (!DolibarrApiAccess::$user->rights->user->group_advance->read) { + if (!DolibarrApiAccess::$user->rights->user->group_advance->read && !DolibarrApiAccess::$user->admin) { throw new RestException(401, "You are not allowed to read groups"); } @@ -486,9 +486,9 @@ class Users extends DolibarrApi */ public function delete($id) { - //if (!DolibarrApiAccess::$user->rights->user->user->supprimer) { - //throw new RestException(401); - //} + if (!DolibarrApiAccess::$user->rights->user->user->supprimer && !DolibarrApiAccess::$user->admin) { + throw new RestException(401); + } $result = $this->useraccount->fetch($id); if (!$result) { From a3aba28c95fd41c3db3b390f642b6fd05e873105 Mon Sep 17 00:00:00 2001 From: stickler-ci Date: Mon, 17 May 2021 10:06:41 +0000 Subject: [PATCH 12/14] Fixing style errors. --- htdocs/user/class/api_users.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/user/class/api_users.class.php b/htdocs/user/class/api_users.class.php index 7c1eef84c2c..39f3b302599 100644 --- a/htdocs/user/class/api_users.class.php +++ b/htdocs/user/class/api_users.class.php @@ -209,7 +209,7 @@ class Users extends DolibarrApi { // check user authorization if(! DolibarrApiAccess::$user->rights->user->creer && !DolibarrApiAccess::$user->admin) { - throw new RestException(401, "User creation not allowed"); + throw new RestException(401, "User creation not allowed"); } // check mandatory fields /*if (!isset($request_data["login"])) From c54e010126fb1cc297f644f5bf045a26a0c0b09c Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 17 May 2021 16:16:45 +0200 Subject: [PATCH 13/14] Fix perms on API user --- htdocs/user/class/api_users.class.php | 30 ++++++++++++++++----------- 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/htdocs/user/class/api_users.class.php b/htdocs/user/class/api_users.class.php index 39f3b302599..9f5ea935372 100644 --- a/htdocs/user/class/api_users.class.php +++ b/htdocs/user/class/api_users.class.php @@ -71,7 +71,7 @@ class Users extends DolibarrApi $obj_ret = array(); - if (!DolibarrApiAccess::$user->rights->user->user->lire && !DolibarrApiAccess::$user->admin) { + if (!DolibarrApiAccess::$user->rights->user->user->lire && empty(DolibarrApiAccess::$user->admin)) { throw new RestException(401, "You are not allowed to read list of users"); } @@ -142,7 +142,7 @@ class Users extends DolibarrApi */ public function get($id, $includepermissions = 0) { - if (!DolibarrApiAccess::$user->rights->user->user->lire && !DolibarrApiAccess::$user->admin) { + if (!DolibarrApiAccess::$user->rights->user->user->lire && empty(DolibarrApiAccess::$user->admin)) { throw new RestException(401); } @@ -177,7 +177,11 @@ class Users extends DolibarrApi */ public function getInfo() { - $apiUser = DolibarrApiAccess::$user; + if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) { + throw new RestException(401, 'Not allowed'); + } + + $apiUser = DolibarrApiAccess::$user; $result = $this->useraccount->fetch($apiUser->id); if (!$result) { @@ -208,7 +212,7 @@ class Users extends DolibarrApi public function post($request_data = null) { // check user authorization - if(! DolibarrApiAccess::$user->rights->user->creer && !DolibarrApiAccess::$user->admin) { + if (empty(DolibarrApiAccess::$user->rights->user->creer) && empty(DolibarrApiAccess::$user->admin)) { throw new RestException(401, "User creation not allowed"); } // check mandatory fields @@ -242,7 +246,7 @@ class Users extends DolibarrApi */ public function put($id, $request_data = null) { - if (!DolibarrApiAccess::$user->rights->user->user->creer && !DolibarrApiAccess::$user->admin) { + if (empty(DolibarrApiAccess::$user->rights->user->user->creer) && empty(DolibarrApiAccess::$user->admin)) { throw new RestException(401); } @@ -299,7 +303,7 @@ class Users extends DolibarrApi { $obj_ret = array(); - if (!DolibarrApiAccess::$user->rights->user->user->lire && !DolibarrApiAccess::$user->admin) { + if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) { throw new RestException(401); } @@ -334,7 +338,7 @@ class Users extends DolibarrApi global $conf; - if (!DolibarrApiAccess::$user->rights->user->user->supprimer && !DolibarrApiAccess::$user->admin) { + if (empty(DolibarrApiAccess::$user->rights->user->user->creer) && empty(DolibarrApiAccess::$user->admin)) { throw new RestException(401); } $result = $this->useraccount->fetch($id); @@ -389,9 +393,10 @@ class Users extends DolibarrApi $obj_ret = array(); - if (!DolibarrApiAccess::$user->rights->user->group_advance->read && !DolibarrApiAccess::$user->admin) { - throw new RestException(401, "You are not allowed to read list of groups"); - } + if ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) || + !empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->group_advance->read) && empty(DolibarrApiAccess::$user->admin)) { + throw new RestException(401, "You are not allowed to read groups"); + } // case of external user, $societe param is ignored and replaced by user's socid //$socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : $societe; @@ -463,7 +468,8 @@ class Users extends DolibarrApi { global $db, $conf; - if (!DolibarrApiAccess::$user->rights->user->group_advance->read && !DolibarrApiAccess::$user->admin) { + if ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) || + !empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->group_advance->read) && empty(DolibarrApiAccess::$user->admin)) { throw new RestException(401, "You are not allowed to read groups"); } @@ -486,7 +492,7 @@ class Users extends DolibarrApi */ public function delete($id) { - if (!DolibarrApiAccess::$user->rights->user->user->supprimer && !DolibarrApiAccess::$user->admin) { + if (empty(DolibarrApiAccess::$user->rights->user->user->supprimer) && empty(DolibarrApiAccess::$user->admin)) { throw new RestException(401); } $result = $this->useraccount->fetch($id); From a865f49d72049f7ffbb949da11386ab151fdfd16 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 17 May 2021 19:19:26 +0200 Subject: [PATCH 14/14] Fix phpcs --- htdocs/user/class/api_users.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/user/class/api_users.class.php b/htdocs/user/class/api_users.class.php index 9f5ea935372..75aedba09bd 100644 --- a/htdocs/user/class/api_users.class.php +++ b/htdocs/user/class/api_users.class.php @@ -180,7 +180,7 @@ class Users extends DolibarrApi if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) { throw new RestException(401, 'Not allowed'); } - + $apiUser = DolibarrApiAccess::$user; $result = $this->useraccount->fetch($apiUser->id);