Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

FIX #18627 Allow users with self read / modify rights to get own info.

Browse Source
This commit is contained in:
lainwir3d
2021-09-06 12:07:48 +04:00
parent ae7a309e8d
commit 09d1680ea0
1 changed files with 7 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
htdocs/user/class/api_users.class.php
View File

@@ -151,7 +151,8 @@ class Users extends DolibarrApi
*/
public function get($id, $includepermissions = 0)
{
if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin) &&
!(!empty(DolibarrApiAccess::$user->rights->user->self->creer) && (DolibarrApiAccess::$user->id == $id))) {
throw new RestException(401, 'Not allowed');
}
@@ -189,7 +190,8 @@ class Users extends DolibarrApi
*/
public function getByLogin($login, $includepermissions = 0)
{
if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin) &&
!(!empty(DolibarrApiAccess::$user->rights->user->self->creer) && (DolibarrApiAccess::$user->login == $login))) {
throw new RestException(401, 'Not allowed');
}
@@ -223,7 +225,8 @@ class Users extends DolibarrApi
*/
public function getByEmail($email, $includepermissions = 0)
{
if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin) &&
!(!empty(DolibarrApiAccess::$user->rights->user->self->creer) && (DolibarrApiAccess::$user->email == $email))) {
throw new RestException(401, 'Not allowed');
}
@@ -256,7 +259,7 @@ class Users extends DolibarrApi
*/
public function getInfo($includepermissions = 0)
{
if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
if(empty(DolibarrApiAccess::$user->rights->user->self->creer) && empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
throw new RestException(401, 'Not allowed');
}