
Fix several security holes on api when used by external users

Laurent Destailleur
2016-12-07 19:02:39 +01:00
parent d23604701c
commit 1838670e31
13 changed files with 60 additions and 42 deletions


@@ -115,6 +115,7 @@ class CommandeApi extends DolibarrApi
$socid = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : $societe;
// If the internal user must only see his customers, force searching by him
$search_sale = 0;
if (! DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) $search_sale = DolibarrApiAccess::$user->id;
$sql = "SELECT s.rowid";