
Merge pull request #18628 from lainwir3d/fix_rest_api_fix_self_user_info_read

FIX #18627 REST API: Allow users with self read / modify rights to get own info
This commit is contained in:
Laurent Destailleur
2021-09-10 13:34:56 +02:00
committed by GitHub


@@ -151,7 +151,7 @@ class Users extends DolibarrApi
*/
public function get($id, $includepermissions = 0)
{
if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin) && $id != 0 && DolibarrApiAccess::$user->id != $id) {
throw new RestException(401, 'Not allowed');
}
@@ -184,12 +184,17 @@ class Users extends DolibarrApi
*
* @url GET login/{login}
*
* @throws RestException 401 Insufficient rights
* @throws RestException 404 User or group not found
* @throws RestException 400 Bad request
* @throws RestException 401 Insufficient rights
* @throws RestException 404 User or group not found
*/
public function getByLogin($login, $includepermissions = 0)
{
if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
if (empty($login)) {
throw new RestException(400, 'Bad parameters');
}
if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin) && DolibarrApiAccess::$user->login != $login) {
throw new RestException(401, 'Not allowed');
}
@@ -218,12 +223,17 @@ class Users extends DolibarrApi
*
* @url GET email/{email}
*
* @throws RestException 400 Bad request
* @throws RestException 401 Insufficient rights
* @throws RestException 404 User or group not found
*/
public function getByEmail($email, $includepermissions = 0)
{
if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
if (empty($email)) {
throw new RestException(400, 'Bad parameters');
}
if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin) && DolibarrApiAccess::$user->email != $email) {
throw new RestException(401, 'Not allowed');
}
@@ -256,7 +266,7 @@ class Users extends DolibarrApi
*/
public function getInfo($includepermissions = 0)
{
if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
if (empty(DolibarrApiAccess::$user->rights->user->self->creer) && empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
throw new RestException(401, 'Not allowed');
}
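Review bot: The guard added to get() relies on loose comparison of a path parameter, `$id != 0 && DolibarrApiAccess::$user->id != $id`, so an id that is not a clean integer (a non-numeric string compares equal to 0 under PHP 7's loose rules, and a leading-numeric string like `5abc` can match a numeric id) can skip the check or match the caller in ways a strict compare would not. Cast first and compare strictly, `$id = (int) $id;` followed by `... && $id !== (int) DolibarrApiAccess::$user->id`; if `$id == 0` is meant to mean "the caller", resolve it to `DolibarrApiAccess::$user->id` before the guard and say so in a comment, otherwise drop that clause. The same loose `!=` is used for the login and email comparisons in getByLogin() and getByEmail(); `!==` is the safer choice there too, and for email it is worth confirming that the lookup further down cannot return a different account sharing the same address. getInfo() now additionally accepts `user->self->creer`, while get()/getByLogin()/getByEmail() let any authenticated caller read their own record without any self right — presumably intended, but the `@throws RestException 401 Insufficient rights` lines should spell out which right each path requires. All four method bodies continue beyond their hunks.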