Fix restore use of API get when ID = 0

Laurent Destailleur 2022-08-27 19:02:05 +02:00
parent 72a2e67d7e
commit 96889609e8
3 changed files with 18 additions and 11 deletions


@ -115,6 +115,8 @@ class DolibarrApi
// Remove linkedObjects. We should already have linkedObjectsIds that avoid huge responses
unset($object->linkedObjects);
unset($object->linkedObjectsFullLoaded);
//unset($object->lines[$i]->linked_objects); // This is the array to create linked object during create
unset($object->fields);
unset($object->oldline);
@ -139,6 +141,7 @@ class DolibarrApi
unset($object->projet); // Should be fk_project
unset($object->project); // Should be fk_project
unset($object->fk_projet); // Should be fk_project
unset($object->author); // Should be fk_user_author
unset($object->timespent_old_duration);
unset($object->timespent_id);
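Review bot: Dropping `author` from every object that passes through this cleaner is an API-visible change for clients that read it, and nothing in this hunk shows that `fk_user_author` is populated on every object the cleaner sees; if the `unset($object->author)` line is the addition here, the comment should name the replacement explicitly, e.g. `unset($object->author); // Deprecated alias of fk_user_author, removed from API output`, and the removal deserves a changelog entry. The commented-out `//unset($object->lines[$i]->linked_objects);` line is dead code a maintainer cannot tell apart from an intended TODO; either delete it or turn it into a plain comment stating why line-level linked_objects must survive cleaning. The enclosing method starts and ends outside these hunks.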


@ -792,8 +792,8 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
$sharedelement = (!empty($params[1]) ? $params[1] : $dbtablename); // We change dbtablename, so we set sharedelement too.
}
// Check permission for object on entity only
if (in_array($feature, $check)) {
// Check permission for objectid on entity only
if (in_array($feature, $check) && $objectid > 0) { // For $objectid = 0, no check
$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
if (($feature == 'user' || $feature == 'usergroup') && !empty($conf->multicompany->enabled)) { // Special for multicompany
@ -825,7 +825,7 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
}
$checkonentitydone = 1;
}
if (in_array($feature, $checksoc)) { // We check feature = checksoc
if (in_array($feature, $checksoc) && $objectid > 0) { // We check feature = checksoc. For $objectid = 0, no check
// If external user: Check permission for external users
if ($user->socid > 0) {
if ($user->socid != $objectid) {
@ -850,7 +850,7 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
$checkonentitydone = 1;
}
if (in_array($feature, $checkother)) { // Test on entity + link to thirdparty. Allowed if link is empty (Ex: contacts...).
if (in_array($feature, $checkother) && $objectid > 0) { // Test on entity + link to thirdparty. Allowed if link is empty (Ex: contacts...).
// If external user: Check permission for external users
if ($user->socid > 0) {
$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
@ -875,7 +875,7 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
$checkonentitydone = 1;
}
if (in_array($feature, $checkproject)) {
if (in_array($feature, $checkproject) && $objectid > 0) {
if (!empty($conf->project->enabled) && empty($user->rights->projet->all->lire)) {
$projectid = $objectid;
@ -896,7 +896,7 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
$checkonentitydone = 1;
}
if (in_array($feature, $checktask)) {
if (in_array($feature, $checktask) && $objectid > 0) {
if (!empty($conf->project->enabled) && empty($user->rights->projet->all->lire)) {
$task = new Task($db);
$task->fetch($objectid);
@ -919,7 +919,7 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
$checkonentitydone = 1;
}
if (!$checkonentitydone && !in_array($feature, $nocheck)) { // By default (case of $checkdefault), we check on object entity + link to third party on field $dbt_keyfield
if (!$checkonentitydone && !in_array($feature, $nocheck) && $objectid > 0) { // By default (case of $checkdefault), we check on object entity + link to third party on field $dbt_keyfield
// If external user: Check permission for external users
if ($user->socid > 0) {
if (empty($dbt_keyfield)) {
@ -962,7 +962,7 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
//print $sql;
// For events, check on users assigned to event
if ($feature === 'agenda') {
if ($feature === 'agenda' && $objectid > 0) {
// Also check owner or attendee for users without allactions->read
if ($objectid > 0 && empty($user->rights->agenda->allactions->read)) {
require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php';
@ -976,7 +976,7 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
// For some object, we also have to check it is in the user hierarchy
// Param $object must be the full object and not a simple id to have this test possible.
if (in_array($feature, $checkhierarchy) && is_object($object)) {
if (in_array($feature, $checkhierarchy) && is_object($object) && $objectid > 0) {
$childids = $user->getAllChildIds(1);
$useridtocheck = 0;
if ($feature == 'holiday') {
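Review bot: The `&& $objectid > 0` guard added to every branch of checkUserAccessToObject, from the `$check` branch down to the `$checkhierarchy` one, turns an id of 0 into a blanket bypass of the entity, third-party, project and hierarchy checks, so each caller must now guarantee that 0 only ever means "no specific object" and never "fetch failed / id not yet set"; an object whose fetch silently left `->id` at 0 would otherwise pass for an external user with `$user->socid > 0`. I would state that contract in the function's docblock, e.g. `// $objectid = 0 means "no specific object": all object-level checks are skipped and only the feature-level right applies; callers must reject failed fetches before calling this.`, and add `$objectid = (int) $objectid;` before the first branch, since under PHP 8 a non-numeric string compared with `> 0` is compared as a string and can evaluate true. The guard added on the `$feature === 'agenda'` line is redundant with the `$objectid > 0` test already on the line below it and could be dropped. The function begins before the first hunk and its return path is outside the hunks, so whether the fall-through ends in a grant is not visible here.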


@ -1785,6 +1785,10 @@ class Thirdparties extends DolibarrApi
unset($object->particulier);
unset($object->prefix_comm);
unset($object->siren);
unset($object->siret);
unset($object->ape);
unset($object->commercial_id); // This property is used in create/update only. It does not exists in read mode because there is several sales representatives.
unset($object->total_ht);
@ -1857,7 +1861,7 @@ class Thirdparties extends DolibarrApi
global $conf;
if (!DolibarrApiAccess::$user->rights->societe->lire) {
throw new RestException(401);
throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login.'. No read permission on thirdparties.');
}
if ($rowid === 0) {
@ -1870,7 +1874,7 @@ class Thirdparties extends DolibarrApi
}
if (!DolibarrApi::_checkAccessToResource('societe', $this->company->id)) {
throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login.' on this thirdparty');
}
if (!empty($conf->global->FACTURE_DEPOSITS_ARE_JUST_PAYMENTS)) {
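Review bot: The access check `DolibarrApi::_checkAccessToResource('societe', $this->company->id)` whose message is reworded here is only meaningful if `$this->company->id` is known to be greater than 0 at that point: with this commit checkUserAccessToObject skips every object-level check for an id of 0, so a lookup that failed to populate the company (presumably the `$rowid === 0` branch above resolves it by another key) would now pass the check and continue into the rest of the method. The lines between the two hunks are not visible here, so this may already be guarded; if not, add `if (empty($this->company->id)) { throw new RestException(404, 'Thirdparty not found'); }` immediately before the access check. Separately, both rewritten messages describe an authenticated user lacking rights, for which 403 is the accurate status rather than 401; this follows the file's existing convention, so it is a broader cleanup rather than a blocker. The enclosing method starts and ends outside these hunks.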