
Sanitize input

This commit is contained in:
Laurent Destailleur
2024-04-02 11:57:30 +02:00
parent 49e7f0a215
commit 594da940fa
2 changed files with 42 additions and 7 deletions


@@ -76,7 +76,7 @@ class MyModuleApi extends DolibarrApi
throw new RestException(403);
}
if (!DolibarrApi::_checkAccessToResource('myobject', $id, 'mymodule_myobject')) {
throw new RestException(403, 'Access to instance id='.$this->myobject->id.' of object not allowed for login '.DolibarrApiAccess::$user->login);
throw new RestException(403, 'Access to instance id='.$id.' of object not allowed for login '.DolibarrApiAccess::$user->login);
}
$result = $this->myobject->fetch($id);
@@ -255,7 +255,16 @@ class MyModuleApi extends DolibarrApi
}
if ($field === 'caller') {
// Add a mention of caller so on trigger called after action, we can filter to avoid a loop if we try to sync back again with the caller
$this->myobject->context['caller'] = $request_data['caller'];
$this->myobject->context['caller'] = sanitizeVal($request_data['caller'], 'aZ09');
continue;
}
if ($field == 'array_options' && is_array($value)) {
foreach ($value as $index => $val) {
$this->myobject->array_options[$index] = $val;
}
$this->myobject->array_options = $this->_checkValForAPI('extrafields', $this->myobject->array_options, $this->myobject);
continue;
}