FIX compatibility with multicompany transverse mode

This commit is contained in:
Regis Houssin 2018-07-25 17:00:49 +02:00
parent 0c0c9269d5
commit e48eec583d


@ -231,38 +231,48 @@ class Users extends DolibarrApi
* *
* @param int $id User ID * @param int $id User ID
* @param int $group Group ID * @param int $group Group ID
* @param int $entity Entity ID (valid only for superadmin in multicompany transverse mode)
* @return int 1 if success * @return int 1 if success
* *
* @url GET {id}/setGroup/{group} * @url GET {id}/setGroup/{group}
*/ */
function setGroup($id, $group) { function setGroup($id, $group, $entity = 1) {
global $conf; global $conf;
//if (!DolibarrApiAccess::$user->rights->user->user->supprimer) { //if (!DolibarrApiAccess::$user->rights->user->user->supprimer) {
//throw new RestException(401); //throw new RestException(401);
//} //}
$result = $this->useraccount->fetch($id); $result = $this->useraccount->fetch($id);
if (!$result) if (!$result)
{ {
throw new RestException(404, 'User not found'); throw new RestException(404, 'User not found');
} }
if (!DolibarrApi::_checkAccessToResource('user', $this->useraccount->id, 'user')) if (!DolibarrApi::_checkAccessToResource('user', $this->useraccount->id, 'user'))
{ {
throw new RestException(401, 'Access not allowed for login ' . DolibarrApiAccess::$user->login); throw new RestException(401, 'Access not allowed for login ' . DolibarrApiAccess::$user->login);
} }
// When using API, action is done on entity of logged user because a user of entity X with permission to create user should not be able to if (! empty($conf->multicompany->enabled) && ! empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE) && ! empty(DolibarrApiAccess::$user->admin) && empty(DolibarrApiAccess::$user->entity))
// hack the security by giving himself permissions on another entity. {
$result = $this->useraccount->SetInGroup($group, DolibarrApiAccess::$user->entity > 0 ? DolibarrApiAccess::$user->entity : $conf->entity); $entity = (! empty($entity) ? $entity : $conf->entity);
if (! ($result > 0)) }
{ else
throw new RestException(500, $this->useraccount->error); {
} // When using API, action is done on entity of logged user because a user of entity X with permission to create user should not be able to
// hack the security by giving himself permissions on another entity.
$entity = (DolibarrApiAccess::$user->entity > 0 ? DolibarrApiAccess::$user->entity : $conf->entity);
}
return 1; $result = $this->useraccount->SetInGroup($group, $entity);
} if (! ($result > 0))
{
throw new RestException(500, $this->useraccount->error);
}
return 1;
}
/** /**
* Delete account * Delete account