From 547f1dd3703a625b72ee594b238c211a0a684297 Mon Sep 17 00:00:00 2001 From: Dorian Vabre Date: Mon, 17 May 2021 11:54:53 +0200 Subject: [PATCH 1/4] Fix: user rest api rights --- htdocs/user/class/api_users.class.php | 38 +++++++++++++-------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/htdocs/user/class/api_users.class.php b/htdocs/user/class/api_users.class.php index fa139e2c69f..7c1eef84c2c 100644 --- a/htdocs/user/class/api_users.class.php +++ b/htdocs/user/class/api_users.class.php @@ -71,7 +71,7 @@ class Users extends DolibarrApi $obj_ret = array(); - if (!DolibarrApiAccess::$user->rights->user->user->lire) { + if (!DolibarrApiAccess::$user->rights->user->user->lire && !DolibarrApiAccess::$user->admin) { throw new RestException(401, "You are not allowed to read list of users"); } @@ -142,9 +142,9 @@ class Users extends DolibarrApi */ public function get($id, $includepermissions = 0) { - //if (!DolibarrApiAccess::$user->rights->user->user->lire) { - //throw new RestException(401); - //} + if (!DolibarrApiAccess::$user->rights->user->user->lire && !DolibarrApiAccess::$user->admin) { + throw new RestException(401); + } $result = $this->useraccount->fetch($id); if (!$result) @@ -208,9 +208,9 @@ class Users extends DolibarrApi public function post($request_data = null) { // check user authorization - //if(! DolibarrApiAccess::$user->rights->user->creer) { - // throw new RestException(401, "User creation not allowed"); - //} + if(! DolibarrApiAccess::$user->rights->user->creer && !DolibarrApiAccess::$user->admin) { + throw new RestException(401, "User creation not allowed"); + } // check mandatory fields /*if (!isset($request_data["login"])) throw new RestException(400, "login field missing"); @@ -242,9 +242,9 @@ class Users extends DolibarrApi */ public function put($id, $request_data = null) { - //if (!DolibarrApiAccess::$user->rights->user->user->creer) { - //throw new RestException(401); - //} + if (!DolibarrApiAccess::$user->rights->user->user->creer && !DolibarrApiAccess::$user->admin) { + throw new RestException(401); + } $result = $this->useraccount->fetch($id); if (!$result) @@ -299,7 +299,7 @@ class Users extends DolibarrApi { $obj_ret = array(); - if (!DolibarrApiAccess::$user->rights->user->user->lire) { + if (!DolibarrApiAccess::$user->rights->user->user->lire && !DolibarrApiAccess::$user->admin) { throw new RestException(401); } @@ -334,9 +334,9 @@ class Users extends DolibarrApi global $conf; - //if (!DolibarrApiAccess::$user->rights->user->user->supprimer) { - //throw new RestException(401); - //} + if (!DolibarrApiAccess::$user->rights->user->user->supprimer && !DolibarrApiAccess::$user->admin) { + throw new RestException(401); + } $result = $this->useraccount->fetch($id); if (!$result) { @@ -389,7 +389,7 @@ class Users extends DolibarrApi $obj_ret = array(); - if (!DolibarrApiAccess::$user->rights->user->group_advance->read) { + if (!DolibarrApiAccess::$user->rights->user->group_advance->read && !DolibarrApiAccess::$user->admin) { throw new RestException(401, "You are not allowed to read list of groups"); } @@ -463,7 +463,7 @@ class Users extends DolibarrApi { global $db, $conf; - if (!DolibarrApiAccess::$user->rights->user->group_advance->read) { + if (!DolibarrApiAccess::$user->rights->user->group_advance->read && !DolibarrApiAccess::$user->admin) { throw new RestException(401, "You are not allowed to read groups"); } @@ -486,9 +486,9 @@ class Users extends DolibarrApi */ public function delete($id) { - //if (!DolibarrApiAccess::$user->rights->user->user->supprimer) { - //throw new RestException(401); - //} + if (!DolibarrApiAccess::$user->rights->user->user->supprimer && !DolibarrApiAccess::$user->admin) { + throw new RestException(401); + } $result = $this->useraccount->fetch($id); if (!$result) { From a3aba28c95fd41c3db3b390f642b6fd05e873105 Mon Sep 17 00:00:00 2001 From: stickler-ci Date: Mon, 17 May 2021 10:06:41 +0000 Subject: [PATCH 2/4] Fixing style errors. --- htdocs/user/class/api_users.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/user/class/api_users.class.php b/htdocs/user/class/api_users.class.php index 7c1eef84c2c..39f3b302599 100644 --- a/htdocs/user/class/api_users.class.php +++ b/htdocs/user/class/api_users.class.php @@ -209,7 +209,7 @@ class Users extends DolibarrApi { // check user authorization if(! DolibarrApiAccess::$user->rights->user->creer && !DolibarrApiAccess::$user->admin) { - throw new RestException(401, "User creation not allowed"); + throw new RestException(401, "User creation not allowed"); } // check mandatory fields /*if (!isset($request_data["login"])) From c54e010126fb1cc297f644f5bf045a26a0c0b09c Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 17 May 2021 16:16:45 +0200 Subject: [PATCH 3/4] Fix perms on API user --- htdocs/user/class/api_users.class.php | 30 ++++++++++++++++----------- 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/htdocs/user/class/api_users.class.php b/htdocs/user/class/api_users.class.php index 39f3b302599..9f5ea935372 100644 --- a/htdocs/user/class/api_users.class.php +++ b/htdocs/user/class/api_users.class.php @@ -71,7 +71,7 @@ class Users extends DolibarrApi $obj_ret = array(); - if (!DolibarrApiAccess::$user->rights->user->user->lire && !DolibarrApiAccess::$user->admin) { + if (!DolibarrApiAccess::$user->rights->user->user->lire && empty(DolibarrApiAccess::$user->admin)) { throw new RestException(401, "You are not allowed to read list of users"); } @@ -142,7 +142,7 @@ class Users extends DolibarrApi */ public function get($id, $includepermissions = 0) { - if (!DolibarrApiAccess::$user->rights->user->user->lire && !DolibarrApiAccess::$user->admin) { + if (!DolibarrApiAccess::$user->rights->user->user->lire && empty(DolibarrApiAccess::$user->admin)) { throw new RestException(401); } @@ -177,7 +177,11 @@ class Users extends DolibarrApi */ public function getInfo() { - $apiUser = DolibarrApiAccess::$user; + if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) { + throw new RestException(401, 'Not allowed'); + } + + $apiUser = DolibarrApiAccess::$user; $result = $this->useraccount->fetch($apiUser->id); if (!$result) { @@ -208,7 +212,7 @@ class Users extends DolibarrApi public function post($request_data = null) { // check user authorization - if(! DolibarrApiAccess::$user->rights->user->creer && !DolibarrApiAccess::$user->admin) { + if (empty(DolibarrApiAccess::$user->rights->user->creer) && empty(DolibarrApiAccess::$user->admin)) { throw new RestException(401, "User creation not allowed"); } // check mandatory fields @@ -242,7 +246,7 @@ class Users extends DolibarrApi */ public function put($id, $request_data = null) { - if (!DolibarrApiAccess::$user->rights->user->user->creer && !DolibarrApiAccess::$user->admin) { + if (empty(DolibarrApiAccess::$user->rights->user->user->creer) && empty(DolibarrApiAccess::$user->admin)) { throw new RestException(401); } @@ -299,7 +303,7 @@ class Users extends DolibarrApi { $obj_ret = array(); - if (!DolibarrApiAccess::$user->rights->user->user->lire && !DolibarrApiAccess::$user->admin) { + if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) { throw new RestException(401); } @@ -334,7 +338,7 @@ class Users extends DolibarrApi global $conf; - if (!DolibarrApiAccess::$user->rights->user->user->supprimer && !DolibarrApiAccess::$user->admin) { + if (empty(DolibarrApiAccess::$user->rights->user->user->creer) && empty(DolibarrApiAccess::$user->admin)) { throw new RestException(401); } $result = $this->useraccount->fetch($id); @@ -389,9 +393,10 @@ class Users extends DolibarrApi $obj_ret = array(); - if (!DolibarrApiAccess::$user->rights->user->group_advance->read && !DolibarrApiAccess::$user->admin) { - throw new RestException(401, "You are not allowed to read list of groups"); - } + if ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) || + !empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->group_advance->read) && empty(DolibarrApiAccess::$user->admin)) { + throw new RestException(401, "You are not allowed to read groups"); + } // case of external user, $societe param is ignored and replaced by user's socid //$socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : $societe; @@ -463,7 +468,8 @@ class Users extends DolibarrApi { global $db, $conf; - if (!DolibarrApiAccess::$user->rights->user->group_advance->read && !DolibarrApiAccess::$user->admin) { + if ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) || + !empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty(DolibarrApiAccess::$user->rights->user->group_advance->read) && empty(DolibarrApiAccess::$user->admin)) { throw new RestException(401, "You are not allowed to read groups"); } @@ -486,7 +492,7 @@ class Users extends DolibarrApi */ public function delete($id) { - if (!DolibarrApiAccess::$user->rights->user->user->supprimer && !DolibarrApiAccess::$user->admin) { + if (empty(DolibarrApiAccess::$user->rights->user->user->supprimer) && empty(DolibarrApiAccess::$user->admin)) { throw new RestException(401); } $result = $this->useraccount->fetch($id); From a865f49d72049f7ffbb949da11386ab151fdfd16 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 17 May 2021 19:19:26 +0200 Subject: [PATCH 4/4] Fix phpcs --- htdocs/user/class/api_users.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/user/class/api_users.class.php b/htdocs/user/class/api_users.class.php index 9f5ea935372..75aedba09bd 100644 --- a/htdocs/user/class/api_users.class.php +++ b/htdocs/user/class/api_users.class.php @@ -180,7 +180,7 @@ class Users extends DolibarrApi if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) { throw new RestException(401, 'Not allowed'); } - + $apiUser = DolibarrApiAccess::$user; $result = $this->useraccount->fetch($apiUser->id);