diff --git a/htdocs/accountancy/class/api_accountancy.class.php b/htdocs/accountancy/class/api_accountancy.class.php index 652abb731de..bbb30cbbf3c 100644 --- a/htdocs/accountancy/class/api_accountancy.class.php +++ b/htdocs/accountancy/class/api_accountancy.class.php @@ -93,7 +93,7 @@ class Accountancy extends DolibarrApi // check rights if (!DolibarrApiAccess::$user->hasRight('accounting', 'mouvements', 'export')) { - throw new RestException(401, 'No permission to export accounting'); + throw new RestException(403, 'No permission to export accounting'); } // check parameters diff --git a/htdocs/api/class/api_setup.class.php b/htdocs/api/class/api_setup.class.php index 9cc6467f366..9d32fc142ca 100644 --- a/htdocs/api/class/api_setup.class.php +++ b/htdocs/api/class/api_setup.class.php @@ -1129,7 +1129,7 @@ class Setup extends DolibarrApi $list = array(); if (!DolibarrApiAccess::$user->admin) { - throw new RestException(401, 'Only an admin user can get list of extrafields'); + throw new RestException(403, 'Only an admin user can get list of extrafields'); } if ($type == 'thirdparty') { diff --git a/htdocs/categories/class/api_categories.class.php b/htdocs/categories/class/api_categories.class.php index f3b8c011f11..8ed20ef26e0 100644 --- a/htdocs/categories/class/api_categories.class.php +++ b/htdocs/categories/class/api_categories.class.php @@ -278,7 +278,7 @@ class Categories extends DolibarrApi } if (!$this->category->delete(DolibarrApiAccess::$user)) { - throw new RestException(401, 'error when delete category'); + throw new RestException(500, 'error when delete category'); } return array( @@ -397,7 +397,7 @@ class Categories extends DolibarrApi } $object = new Adherent($this->db); } else { - throw new RestException(401, "this type is not recognized yet."); + throw new RestException(400, "this type is not recognized yet."); } if (!empty($object)) { 
@@ -477,7 +477,7 @@ class Categories extends DolibarrApi } $object = new Adherent($this->db); } else { - throw new RestException(401, "this type is not recognized yet."); + throw new RestException(400, "this type is not recognized yet."); } if (!empty($object)) { @@ -557,7 +557,7 @@ class Categories extends DolibarrApi } $object = new Adherent($this->db); } else { - throw new RestException(401, "this type is not recognized yet."); + throw new RestException(400, "this type is not recognized yet."); } if (!empty($object)) { @@ -635,7 +635,7 @@ class Categories extends DolibarrApi } $object = new Adherent($this->db); } else { - throw new RestException(401, "this type is not recognized yet."); + throw new RestException(400, "this type is not recognized yet."); } if (!empty($object)) { diff --git a/htdocs/comm/action/class/api_agendaevents.class.php b/htdocs/comm/action/class/api_agendaevents.class.php index 4f1e49d5166..68283a0f3a3 100644 --- a/htdocs/comm/action/class/api_agendaevents.class.php +++ b/htdocs/comm/action/class/api_agendaevents.class.php @@ -64,7 +64,7 @@ class AgendaEvents extends DolibarrApi public function get($id) { if (!DolibarrApiAccess::$user->hasRight('agenda', 'myactions', 'read')) { - throw new RestException(401, "Insufficient rights to read an event"); + throw new RestException(403, "Insufficient rights to read an event"); } if ($id === 0) { $result = $this->actioncomm->initAsSpecimen(); 
@@ -80,7 +80,7 @@ class AgendaEvents extends DolibarrApi } if (!DolibarrApiAccess::$user->hasRight('agenda', 'allactions', 'read') && $this->actioncomm->userownerid != DolibarrApiAccess::$user->id) { - throw new RestException(401, 'Insufficient rights to read event of this owner id. Your id is '.DolibarrApiAccess::$user->id); + throw new RestException(403, 'Insufficient rights to read event of this owner id. Your id is '.DolibarrApiAccess::$user->id); } if (!DolibarrApi::_checkAccessToResource('agenda', $this->actioncomm->id, 'actioncomm', '', 'fk_soc', 'id')) { @@ -110,7 +110,7 @@ class AgendaEvents extends DolibarrApi $obj_ret = array(); if (!DolibarrApiAccess::$user->hasRight('agenda', 'myactions', 'read')) { - throw new RestException(401, "Insufficient rights to read events"); + throw new RestException(403, "Insufficient rights to read events"); } // case of external user @@ -192,10 +192,10 @@ class AgendaEvents extends DolibarrApi public function post($request_data = null) { if (!DolibarrApiAccess::$user->hasRight('agenda', 'myactions', 'create')) { - throw new RestException(401, "Insufficient rights to create your Agenda Event"); + throw new RestException(403, "Insufficient rights to create your Agenda Event"); } if (!DolibarrApiAccess::$user->hasRight('agenda', 'allactions', 'create') && DolibarrApiAccess::$user->id != $request_data['userownerid']) { - throw new RestException(401, "Insufficient rights to create an Agenda Event for owner id ".$request_data['userownerid'].' Your id is '.DolibarrApiAccess::$user->id); + throw new RestException(403, "Insufficient rights to create an Agenda Event for owner id ".$request_data['userownerid'].' Your id is '.DolibarrApiAccess::$user->id); } // Check mandatory fields 
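Review bot: The owner check in post() reads `$request_data['userownerid']` without testing that the key exists, so a request that omits the owner emits an undefined-index notice and, for a caller without `allactions/create`, yields a 403 from comparing their id against null. If an omitted owner is meant to default to the caller, resolving it once up front with `$ownerid = $request_data['userownerid'] ?? DolibarrApiAccess::$user->id;` and comparing against `$ownerid` makes that explicit; if the field is meant to be mandatory, a 400 naming the missing field is the clearer answer than a 403. The rest of post() continues outside the hunk, so I cannot tell whether the mandatory-field validation below already covers this.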
@@ -236,10 +236,10 @@ class AgendaEvents extends DolibarrApi public function put($id, $request_data = null) { if (!DolibarrApiAccess::$user->hasRight('agenda', 'myactions', 'create')) { - throw new RestException(401, "Insufficient rights to create your Agenda Event"); + throw new RestException(403, "Insufficient rights to create your Agenda Event"); } if (!DolibarrApiAccess::$user->hasRight('agenda', 'allactions', 'create') && DolibarrApiAccess::$user->id != $request_data['userownerid']) { - throw new RestException(401, "Insufficient rights to create an Agenda Event for owner id ".$request_data['userownerid'].' Your id is '.DolibarrApiAccess::$user->id); + throw new RestException(403, "Insufficient rights to create an Agenda Event for owner id ".$request_data['userownerid'].' Your id is '.DolibarrApiAccess::$user->id); } $result = $this->actioncomm->fetch($id); @@ -285,7 +285,7 @@ class AgendaEvents extends DolibarrApi public function delete($id) { if (!DolibarrApiAccess::$user->hasRight('agenda', 'myactions', 'delete')) { - throw new RestException(401, "Insufficient rights to delete your Agenda Event"); + throw new RestException(403, "Insufficient rights to delete your Agenda Event"); } $result = $this->actioncomm->fetch($id); @@ -296,7 +296,7 @@ class AgendaEvents extends DolibarrApi } if (!DolibarrApiAccess::$user->hasRight('agenda', 'allactions', 'delete') && DolibarrApiAccess::$user->id != $this->actioncomm->userownerid) { - throw new RestException(401, "Insufficient rights to delete an Agenda Event of owner id ".$this->actioncomm->userownerid.' Your id is '.DolibarrApiAccess::$user->id); + throw new RestException(403, "Insufficient rights to delete an Agenda Event of owner id ".$this->actioncomm->userownerid.' Your id is '.DolibarrApiAccess::$user->id); } if (!$result) { diff --git a/htdocs/comm/propal/class/api_proposals.class.php b/htdocs/comm/propal/class/api_proposals.class.php index b26b935918c..2749800b0dd 100644 
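Review bot: The ownership check in put() compares the caller against `$request_data['userownerid']`, a value the client supplies, rather than against the owner of the stored event, so a user without `allactions/create` passes the check by sending their own id no matter who owns event `$id`. The delete() hunk below does it the safe way, fetching first and comparing against `$this->actioncomm->userownerid`; put() should follow the same order: move `$result = $this->actioncomm->fetch($id);` above the check and test `DolibarrApiAccess::$user->id != $this->actioncomm->userownerid`. The message `Insufficient rights to create your Agenda Event` is also copied from post() and should say update. The body of put() continues past the hunk, so whether a later step rejects an owner change I cannot tell from here.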
--- a/htdocs/comm/propal/class/api_proposals.class.php +++ b/htdocs/comm/propal/class/api_proposals.class.php @@ -247,7 +247,7 @@ class Proposals extends DolibarrApi public function post($request_data = null) { if (!DolibarrApiAccess::$user->hasRight('propal', 'creer')) { - throw new RestException(401, "Insuffisant rights"); + throw new RestException(403, "Insuffisant rights"); } // Check mandatory fields $result = $this->_validate($request_data); diff --git a/htdocs/commande/class/api_orders.class.php b/htdocs/commande/class/api_orders.class.php index 211edeb29ab..6c206bd51d9 100644 --- a/htdocs/commande/class/api_orders.class.php +++ b/htdocs/commande/class/api_orders.class.php @@ -265,7 +265,7 @@ class Orders extends DolibarrApi public function post($request_data = null) { if (!DolibarrApiAccess::$user->hasRight('commande', 'creer')) { - throw new RestException(401, "Insuffisant rights"); + throw new RestException(403, "Insuffisant rights"); } // Check mandatory fields $result = $this->_validate($request_data); diff --git a/htdocs/compta/bank/class/api_bankaccounts.class.php b/htdocs/compta/bank/class/api_bankaccounts.class.php index 94576ab0ebc..03aa8cab525 100644 --- a/htdocs/compta/bank/class/api_bankaccounts.class.php +++ b/htdocs/compta/bank/class/api_bankaccounts.class.php @@ -375,7 +375,7 @@ class BankAccounts extends DolibarrApi } if ($account->delete(DolibarrApiAccess::$user) < 0) { - throw new RestException(401, 'error when deleting account'); + throw new RestException(500, 'error when deleting account'); } return array( @@ -628,7 +628,7 @@ class BankAccounts extends DolibarrApi public function updateLine($id, $line_id, $label) { if (!DolibarrApiAccess::$user->rights->banque->modifier) { - throw new RestException(401); + throw new RestException(403); } $account = new Account($this->db); 
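Review bot: The new 403 message `"Insuffisant rights"` carries a typo (Insufficient) that this commit propagates unchanged into Orders, Invoices, Donations, Shipments, ExpenseReports, Interventions, SupplierOrders, Projects, Tasks and Receptions, while Contracts and AgendaEvents spell it correctly. Since every one of these lines is being touched anyway, this is the moment to settle on a single string, `throw new RestException(403, "Insufficient rights");`, so clients and log searches see one message for one condition. post() continues outside the hunk.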
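Review bot: updateLine() tests the permission as `DolibarrApiAccess::$user->rights->banque->modifier` and throws a bare `RestException(403)` with no message, while every other hunk in this commit uses `hasRight()` with an explanatory string; deleteLine() in the next hunk has the same two issues. Direct property access depends on the nested rights object existing and may emit a notice when it does not, whereas `hasRight()` is the accessor the rest of the API relies on. Suggest `if (!DolibarrApiAccess::$user->hasRight('banque', 'modifier')) { throw new RestException(403, 'Insufficient rights to modify bank account lines'); }` in both methods. Both method bodies continue outside their hunks.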
@@ -664,7 +664,7 @@ class BankAccounts extends DolibarrApi public function deleteLine($id, $line_id) { if (!DolibarrApiAccess::$user->rights->banque->modifier) { - throw new RestException(401); + throw new RestException(403); } $account = new Account($this->db); @@ -680,7 +680,7 @@ class BankAccounts extends DolibarrApi } if ($accountLine->delete(DolibarrApiAccess::$user) < 0) { - throw new RestException(401, 'error when deleting account line'); + throw new RestException(500, 'error when deleting account line'); } return array( diff --git a/htdocs/compta/facture/class/api_invoices.class.php b/htdocs/compta/facture/class/api_invoices.class.php index fa51439ff72..07abf2c4c33 100644 --- a/htdocs/compta/facture/class/api_invoices.class.php +++ b/htdocs/compta/facture/class/api_invoices.class.php @@ -292,7 +292,7 @@ class Invoices extends DolibarrApi public function post($request_data = null) { if (!DolibarrApiAccess::$user->hasRight('facture', 'creer')) { - throw new RestException(401, "Insuffisant rights"); + throw new RestException(403, "Insuffisant rights"); } // Check mandatory fields $result = $this->_validate($request_data); diff --git a/htdocs/contrat/class/api_contracts.class.php b/htdocs/contrat/class/api_contracts.class.php index c599ad6d82e..1503a214162 100644 --- a/htdocs/contrat/class/api_contracts.class.php +++ b/htdocs/contrat/class/api_contracts.class.php @@ -184,7 +184,7 @@ class Contracts extends DolibarrApi public function post($request_data = null) { if (!DolibarrApiAccess::$user->hasRight('contrat', 'creer')) { - throw new RestException(401, "Insufficient rights"); + throw new RestException(403, "Insufficient rights"); } // Check mandatory fields $result = $this->_validate($request_data); diff --git a/htdocs/don/class/api_donations.class.php b/htdocs/don/class/api_donations.class.php index 6773efc4c03..cb2abf8f679 100644 --- a/htdocs/don/class/api_donations.class.php +++ b/htdocs/don/class/api_donations.class.php 
@@ -176,7 +176,7 @@ class Donations extends DolibarrApi public function post($request_data = null) { if (!DolibarrApiAccess::$user->hasRight('don', 'creer')) { - throw new RestException(401, "Insuffisant rights"); + throw new RestException(403, "Insuffisant rights"); } // Check mandatory fields diff --git a/htdocs/expedition/class/api_shipments.class.php b/htdocs/expedition/class/api_shipments.class.php index b10346c8047..bc7758a4f82 100644 --- a/htdocs/expedition/class/api_shipments.class.php +++ b/htdocs/expedition/class/api_shipments.class.php @@ -183,7 +183,7 @@ class Shipments extends DolibarrApi public function post($request_data = null) { if (!DolibarrApiAccess::$user->hasRight('expedition', 'creer')) { - throw new RestException(401, "Insuffisant rights"); + throw new RestException(403, "Insuffisant rights"); } // Check mandatory fields $result = $this->_validate($request_data); diff --git a/htdocs/expensereport/class/api_expensereports.class.php b/htdocs/expensereport/class/api_expensereports.class.php index ead928d6fc5..5973f3b955c 100644 --- a/htdocs/expensereport/class/api_expensereports.class.php +++ b/htdocs/expensereport/class/api_expensereports.class.php @@ -174,7 +174,7 @@ class ExpenseReports extends DolibarrApi public function post($request_data = null) { if (!DolibarrApiAccess::$user->hasRight('expensereport', 'creer')) { - throw new RestException(401, "Insuffisant rights"); + throw new RestException(403, "Insuffisant rights"); } // Check mandatory fields @@ -694,7 +694,7 @@ class ExpenseReports extends DolibarrApi /*public function delete($id) { if (!DolibarrApiAccess::$user->hasRight('expensereport', 'creer') { - throw new RestException(401); + throw new RestException(403); } $paymentExpenseReport = new PaymentExpenseReport($this->db); $result = $paymentExpenseReport->fetch($id); 
@@ -703,7 +703,7 @@ class ExpenseReports extends DolibarrApi } if ($paymentExpenseReport->delete(DolibarrApiAccess::$user) < 0) { - throw new RestException(401, 'error when deleting paymentExpenseReport'); + throw new RestException(403, 'error when deleting paymentExpenseReport'); } return array( diff --git a/htdocs/fichinter/class/api_interventions.class.php b/htdocs/fichinter/class/api_interventions.class.php index 3c1dbf01b70..08697cc34c2 100644 --- a/htdocs/fichinter/class/api_interventions.class.php +++ b/htdocs/fichinter/class/api_interventions.class.php @@ -191,7 +191,7 @@ class Interventions extends DolibarrApi public function post($request_data = null) { if (!DolibarrApiAccess::$user->hasRight('ficheinter', 'creer')) { - throw new RestException(401, "Insuffisant rights"); + throw new RestException(403, "Insuffisant rights"); } // Check mandatory fields $result = $this->_validate($request_data); @@ -259,7 +259,7 @@ class Interventions extends DolibarrApi public function postLine($id, $request_data = null) { if (!DolibarrApiAccess::$user->hasRight('ficheinter', 'creer')) { - throw new RestException(401, "Insuffisant rights"); + throw new RestException(403, "Insuffisant rights"); } // Check mandatory fields $result = $this->_validateLine($request_data); @@ -347,7 +347,7 @@ class Interventions extends DolibarrApi public function validate($id, $notrigger = 0) { if (!DolibarrApiAccess::$user->hasRight('ficheinter', 'creer')) { - throw new RestException(401, "Insuffisant rights"); + throw new RestException(403, "Insuffisant rights"); } $result = $this->fichinter->fetch($id); if (!$result) { @@ -383,7 +383,7 @@ class Interventions extends DolibarrApi public function closeFichinter($id) { if (!DolibarrApiAccess::$user->hasRight('ficheinter', 'creer')) { - throw new RestException(401, "Insuffisant rights"); + throw new RestException(403, "Insuffisant rights"); } $result = $this->fichinter->fetch($id); if (!$result) { 
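Review bot: In the commented-out delete(), a failing `$paymentExpenseReport->delete()` is now mapped to 403, while the same failure is mapped to 500 in BankAccounts, Categories, Salaries and the parallel commented-out Salaries delete() in this commit. A negative return from delete() is an internal failure rather than a permission refusal, so if this block is ever re-enabled it will label database errors as forbidden; change it to `throw new RestException(500, 'error when deleting paymentExpenseReport');` while the lines are being edited. The method is dead code today, so this has no runtime effect yet.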
diff --git a/htdocs/fourn/class/api_supplier_orders.class.php b/htdocs/fourn/class/api_supplier_orders.class.php index 6f2610c0969..a770f53a39e 100644 --- a/htdocs/fourn/class/api_supplier_orders.class.php +++ b/htdocs/fourn/class/api_supplier_orders.class.php @@ -222,7 +222,7 @@ class SupplierOrders extends DolibarrApi public function post($request_data = null) { if (!DolibarrApiAccess::$user->hasRight("fournisseur", "commande", "creer") && !DolibarrApiAccess::$user->hasRight("supplier_order", "creer")) { - throw new RestException(401, "Insuffisant rights"); + throw new RestException(403, "Insuffisant rights"); } // Check mandatory fields $result = $this->_validate($request_data); diff --git a/htdocs/knowledgemanagement/class/api_knowledgemanagement.class.php b/htdocs/knowledgemanagement/class/api_knowledgemanagement.class.php index 0a01ba6b471..b64d0d6548c 100644 --- a/htdocs/knowledgemanagement/class/api_knowledgemanagement.class.php +++ b/htdocs/knowledgemanagement/class/api_knowledgemanagement.class.php @@ -277,7 +277,7 @@ class KnowledgeManagement extends DolibarrApi } if (!DolibarrApi::_checkAccessToResource('knowledgerecord', $this->knowledgerecord->id, 'knowledgemanagement_knowledgerecord')) { - throw new RestException(401, 'Access to instance id='.$this->knowledgerecord->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Access to instance id='.$this->knowledgerecord->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); } foreach ($request_data as $field => $value) { 
@@ -324,7 +324,7 @@ class KnowledgeManagement extends DolibarrApi } if (!DolibarrApi::_checkAccessToResource('knowledgerecord', $this->knowledgerecord->id, 'knowledgemanagement_knowledgerecord')) { - throw new RestException(401, 'Access to instance id='.$this->knowledgerecord->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Access to instance id='.$this->knowledgerecord->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); } if (!$this->knowledgerecord->delete(DolibarrApiAccess::$user)) { diff --git a/htdocs/mrp/class/api_mos.class.php b/htdocs/mrp/class/api_mos.class.php index 23d07091d5b..acc7e492e0f 100644 --- a/htdocs/mrp/class/api_mos.class.php +++ b/htdocs/mrp/class/api_mos.class.php @@ -305,7 +305,7 @@ class Mos extends DolibarrApi $error = 0; if (!DolibarrApiAccess::$user->hasRight('mrp', 'write')) { - throw new RestException(401, 'Not enough permission'); + throw new RestException(403, 'Not enough permission'); } $result = $this->mo->fetch($id); if (!$result) { @@ -313,7 +313,7 @@ class Mos extends DolibarrApi } if ($this->mo->status != Mo::STATUS_VALIDATED && $this->mo->status != Mo::STATUS_INPROGRESS) { - throw new RestException(401, 'Error bad status of MO'); + throw new RestException(405, 'Error bad status of MO'); } // Code for consume and produce... diff --git a/htdocs/multicurrency/class/api_multicurrencies.class.php b/htdocs/multicurrency/class/api_multicurrencies.class.php index 77bc13f098b..09ad43b6dbe 100644 --- a/htdocs/multicurrency/class/api_multicurrencies.class.php +++ b/htdocs/multicurrency/class/api_multicurrencies.class.php @@ -58,7 +58,7 @@ class MultiCurrencies extends DolibarrApi global $db; if (!DolibarrApiAccess::$user->hasRight('multicurrency', 'currency', 'read')) { - throw new RestException(401, "Insufficient rights to read currency"); + throw new RestException(403, "Insufficient rights to read currency"); } $obj_ret = array(); 
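Review bot: Refusing the operation because the MO is neither validated nor in progress now returns 405, but 405 Method Not Allowed describes the HTTP verb being unsupported on the resource and is expected to carry an Allow header, which this throw does not provide. A refusal grounded in the object's current state is a 409 Conflict: `throw new RestException(409, 'Error bad status of MO');`. The consume/produce logic that follows lies outside the hunk.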
@@ -124,7 +124,7 @@ class MultiCurrencies extends DolibarrApi } if (!DolibarrApiAccess::$user->hasRight('multicurrency', 'currency', 'read')) { - throw new RestException(401, "Insufficient rights to read currency"); + throw new RestException(403, "Insufficient rights to read currency"); } return $this->_cleanObjectDatas($multicurrency); @@ -149,7 +149,7 @@ class MultiCurrencies extends DolibarrApi } if (!DolibarrApiAccess::$user->hasRight('multicurrency', 'currency', 'read')) { - throw new RestException(401, "Insufficient rights to read currency"); + throw new RestException(403, "Insufficient rights to read currency"); } return $this->_cleanObjectDatas($multicurrency); @@ -174,7 +174,7 @@ class MultiCurrencies extends DolibarrApi } if (!DolibarrApiAccess::$user->hasRight('multicurrency', 'currency', 'read')) { - throw new RestException(401, "Insufficient rights to read currency rates"); + throw new RestException(403, "Insufficient rights to read currency rates"); } if ($multicurrency->fetchAllCurrencyRate() < 0) { @@ -199,9 +199,6 @@ class MultiCurrencies extends DolibarrApi */ public function post($request_data = null) { - if (!DolibarrApiAccess::$user->hasRight('multicurrency', 'currency', 'write')) { - throw new RestException(401, "Insufficient rights to create currency"); - } // Check parameters if (!isset($request_data['code'])) { @@ -211,6 +208,10 @@ class MultiCurrencies extends DolibarrApi throw new RestException(400, "name field missing"); } + if (!DolibarrApiAccess::$user->hasRight('multicurrency', 'currency', 'write')) { + throw new RestException(403, "Insufficient rights to create currency"); + } + $multicurrency = new MultiCurrency($this->db); foreach ($request_data as $field => $value) { 
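Review bot: This hunk moves the `multicurrency/currency/write` permission check below the `code` and `name` parameter validation, so post() now validates input before deciding whether the caller may create anything at all, the reverse of the order used by put(), delete() and updateRate() in the same class. Authorization should be the first gate: a caller without the right can otherwise probe the validation rules and receives a 400 where a 403 is the honest answer, and any validation added later that touches the database would run on behalf of a user who has no right to the operation. Restore the check to the top of post(), ahead of `if (!isset($request_data['code']))`. The body of post() continues outside the hunk.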
@@ -252,7 +253,7 @@ class MultiCurrencies extends DolibarrApi public function put($id, $request_data = null) { if (!DolibarrApiAccess::$user->hasRight('multicurrency', 'currency', 'write')) { - throw new RestException(401, "Insufficient rights to update currency"); + throw new RestException(403, "Insufficient rights to update currency"); } $multicurrency = new MultiCurrency($this->db); @@ -291,7 +292,7 @@ class MultiCurrencies extends DolibarrApi public function delete($id) { if (!DolibarrApiAccess::$user->hasRight('multicurrency', 'currency', 'delete')) { - throw new RestException(401, "Insufficient rights to delete currency"); + throw new RestException(403, "Insufficient rights to delete currency"); } $multicurrency = new MultiCurrency($this->db); @@ -325,12 +326,12 @@ class MultiCurrencies extends DolibarrApi public function updateRate($id, $request_data = null) { if (!DolibarrApiAccess::$user->hasRight('multicurrency', 'currency', 'write')) { - throw new RestException(401, "Insufficient rights to update currency rate"); + throw new RestException(403, "Insufficient rights to update currency rate"); } // Check parameters if (!isset($request_data['rate'])) { - throw new RestException(400, "rate field missing"); + throw new RestException(400, "Rate field is missing"); } $multicurrency = new MultiCurrency($this->db); diff --git a/htdocs/partnership/class/api_partnerships.class.php b/htdocs/partnership/class/api_partnerships.class.php index 8261422c64a..42c11b23529 100644 --- a/htdocs/partnership/class/api_partnerships.class.php +++ b/htdocs/partnership/class/api_partnerships.class.php 
@@ -78,7 +78,7 @@ class Partnerships extends DolibarrApi } if (!DolibarrApi::_checkAccessToResource('partnership', $this->partnership->id, 'partnership')) { - throw new RestException(401, 'Access to instance id='.$this->partnership->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Access to instance id='.$this->partnership->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); } return $this->_cleanObjectDatas($this->partnership); @@ -237,7 +237,7 @@ class Partnerships extends DolibarrApi } if (!DolibarrApi::_checkAccessToResource('partnership', $this->partnership->id, 'partnership')) { - throw new RestException(401, 'Access to instance id='.$this->partnership->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Access to instance id='.$this->partnership->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); } foreach ($request_data as $field => $value) { diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index 351fb39e1f7..9fe7145e529 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -673,7 +673,7 @@ class Products extends DolibarrApi $socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : ''; if ($socid > 0 && $socid != $thirdparty_id) { - throw new RestException(401, 'Getting prices for all customers or for the customer ID '.$thirdparty_id.' is not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Getting prices for all customers or for the customer ID '.$thirdparty_id.' is not allowed for login '.DolibarrApiAccess::$user->login); } $result = $this->product->fetch($id); 
@@ -785,7 +785,7 @@ class Products extends DolibarrApi $socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : ''; if ($socid > 0 && $socid != $fourn_id) { - throw new RestException(401, 'Adding purchase price for the supplier ID '.$fourn_id.' is not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Adding purchase price for the supplier ID '.$fourn_id.' is not allowed for login '.DolibarrApiAccess::$user->login); } $result = $this->productsupplier->add_fournisseur(DolibarrApiAccess::$user, $fourn_id, $ref_fourn, $qty); @@ -877,7 +877,7 @@ class Products extends DolibarrApi $socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : ''; if ($socid > 0) { if ($supplier != $socid || empty($supplier)) { - throw new RestException(401, 'As an external user, you can request only for your supplier id = '.$socid); + throw new RestException(403, 'As an external user, you can request only for your supplier id = '.$socid); } } diff --git a/htdocs/product/stock/class/api_stockmovements.class.php b/htdocs/product/stock/class/api_stockmovements.class.php index 485aebbc9e6..4ea1c8b08a3 100644 --- a/htdocs/product/stock/class/api_stockmovements.class.php +++ b/htdocs/product/stock/class/api_stockmovements.class.php @@ -264,7 +264,7 @@ class StockMovements extends DolibarrApi } if (! $this->stockmovement->delete(DolibarrApiAccess::$user)) { - throw new RestException(401,'error when delete stock movement'); + throw new RestException(403,'error when delete stock movement'); } return array( diff --git a/htdocs/product/stock/class/api_warehouses.class.php b/htdocs/product/stock/class/api_warehouses.class.php index ecea11b5dea..0f533c39bbe 100644 --- a/htdocs/product/stock/class/api_warehouses.class.php +++ b/htdocs/product/stock/class/api_warehouses.class.php 
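Review bot: A `false` return from `$this->stockmovement->delete()` is now reported as 403, but this branch is presumably reached only after the permission and access checks earlier in the method, so what it signals is an internal failure; the parallel delete failures in Categories, BankAccounts and Salaries are mapped to 500 in this same commit. Use `throw new RestException(500, 'error when delete stock movement');` so a client can tell a server error from a refusal. The start of delete(), with its rights check, lies outside the hunk.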
@@ -248,7 +248,7 @@ class Warehouses extends DolibarrApi } if (!$this->warehouse->delete(DolibarrApiAccess::$user)) { - throw new RestException(401, 'error when delete warehouse'); + throw new RestException(403, 'error when delete warehouse'); } return array( diff --git a/htdocs/projet/class/api_projects.class.php b/htdocs/projet/class/api_projects.class.php index 96dee927ac9..c2fa741f21f 100644 --- a/htdocs/projet/class/api_projects.class.php +++ b/htdocs/projet/class/api_projects.class.php @@ -285,7 +285,7 @@ class Projects extends DolibarrApi public function post($request_data = null) { if (!DolibarrApiAccess::$user->hasRight('projet', 'creer')) { - throw new RestException(401, "Insuffisant rights"); + throw new RestException(403, "Insuffisant rights"); } // Check mandatory fields $result = $this->_validate($request_data); diff --git a/htdocs/projet/class/api_tasks.class.php b/htdocs/projet/class/api_tasks.class.php index 2188087a220..569ae523ce3 100644 --- a/htdocs/projet/class/api_tasks.class.php +++ b/htdocs/projet/class/api_tasks.class.php @@ -190,7 +190,7 @@ class Tasks extends DolibarrApi public function post($request_data = null) { if (!DolibarrApiAccess::$user->hasRight('projet', 'creer')) { - throw new RestException(401, "Insuffisant rights"); + throw new RestException(403, "Insuffisant rights"); } // Check mandatory fields $result = $this->_validate($request_data); diff --git a/htdocs/reception/class/api_receptions.class.php b/htdocs/reception/class/api_receptions.class.php index e5f646cf407..58eff4090a5 100644 --- a/htdocs/reception/class/api_receptions.class.php +++ b/htdocs/reception/class/api_receptions.class.php 
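Review bot: A `false` return from `$this->warehouse->delete()` is now reported as 403, while Categories, BankAccounts and Salaries map the identical failure to 500 elsewhere in this commit; only StockMovements and Warehouses were given 403. Presuming the method's rights check sits above the hunk, this branch is an internal failure and should be `throw new RestException(500, 'error when delete warehouse');`, otherwise clients and monitoring will count database errors as authorization denials. The beginning of delete() is outside the hunk.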
@@ -180,7 +180,7 @@ class Receptions extends DolibarrApi public function post($request_data = null) { if (!DolibarrApiAccess::$user->hasRight('reception', 'creer')) { - throw new RestException(401, "Insuffisant rights"); + throw new RestException(403, "Insuffisant rights"); } // Check mandatory fields $result = $this->_validate($request_data); diff --git a/htdocs/recruitment/class/api_recruitments.class.php b/htdocs/recruitment/class/api_recruitments.class.php index 59f9c7e2df0..4d509928372 100644 --- a/htdocs/recruitment/class/api_recruitments.class.php +++ b/htdocs/recruitment/class/api_recruitments.class.php @@ -86,7 +86,7 @@ class Recruitments extends DolibarrApi } if (!DolibarrApi::_checkAccessToResource('recruitment', $this->jobposition->id, 'recruitment_recruitmentjobposition')) { - throw new RestException(401, 'Access to instance id='.$this->jobposition->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Access to instance id='.$this->jobposition->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); } return $this->_cleanObjectDatas($this->jobposition); @@ -117,7 +117,7 @@ class Recruitments extends DolibarrApi } if (!DolibarrApi::_checkAccessToResource('recruitment', $this->candidature->id, 'recruitment_recruitmentcandidature')) { - throw new RestException(401, 'Access to instance id='.$this->candidature->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Access to instance id='.$this->candidature->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); } return $this->_cleanObjectDatas($this->candidature); 
@@ -406,7 +406,7 @@ class Recruitments extends DolibarrApi } if (!DolibarrApi::_checkAccessToResource('recruitment', $this->jobposition->id, 'recruitment_recruitmentjobposition')) { - throw new RestException(401, 'Access to instance id='.$this->jobposition->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Access to instance id='.$this->jobposition->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); } foreach ($request_data as $field => $value) { @@ -455,7 +455,7 @@ class Recruitments extends DolibarrApi } if (!DolibarrApi::_checkAccessToResource('recruitment', $this->candidature->id, 'recruitment_recruitmentcandidature')) { - throw new RestException(401, 'Access to instance id='.$this->candidature->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Access to instance id='.$this->candidature->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); } foreach ($request_data as $field => $value) { @@ -503,7 +503,7 @@ class Recruitments extends DolibarrApi } if (!DolibarrApi::_checkAccessToResource('recruitment', $this->jobposition->id, 'recruitment_recruitmentjobposition')) { - throw new RestException(401, 'Access to instance id='.$this->jobposition->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Access to instance id='.$this->jobposition->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); } if (!$this->jobposition->delete(DolibarrApiAccess::$user)) { 
@@ -539,7 +539,7 @@ class Recruitments extends DolibarrApi } if (!DolibarrApi::_checkAccessToResource('recruitment', $this->candidature->id, 'recruitment_recruitmentcandidature')) { - throw new RestException(401, 'Access to instance id='.$this->candidature->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Access to instance id='.$this->candidature->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); } if (!$this->candidature->delete(DolibarrApiAccess::$user)) { diff --git a/htdocs/salaries/class/api_salaries.class.php b/htdocs/salaries/class/api_salaries.class.php index c1b6b27313f..648d7d0efaf 100644 --- a/htdocs/salaries/class/api_salaries.class.php +++ b/htdocs/salaries/class/api_salaries.class.php @@ -210,7 +210,7 @@ class Salaries extends DolibarrApi } if ($salary->delete(DolibarrApiAccess::$user) < 0) { - throw new RestException(401, 'error when deleting salary'); + throw new RestException(500, 'error when deleting salary'); } return array( @@ -391,7 +391,7 @@ class Salaries extends DolibarrApi /*public function delete($id) { if (!DolibarrApiAccess::$user->hasRight('salaries', 'delete')) { - throw new RestException(401); + throw new RestException(403); } $paymentsalary = new PaymentSalary($this->db); $result = $paymentsalary->fetch($id); @@ -400,7 +400,7 @@ class Salaries extends DolibarrApi } if ($paymentsalary->delete(DolibarrApiAccess::$user) < 0) { - throw new RestException(401, 'error when deleting paymentsalary'); + throw new RestException(500, 'error when deleting paymentsalary'); } return array( diff --git a/htdocs/societe/class/api_contacts.class.php b/htdocs/societe/class/api_contacts.class.php index 4ff0235e74f..f8ab710e658 100644 --- a/htdocs/societe/class/api_contacts.class.php +++ b/htdocs/societe/class/api_contacts.class.php 
@@ -73,7 +73,7 @@ class Contacts extends DolibarrApi public function get($id, $includecount = 0, $includeroles = 0) { if (!DolibarrApiAccess::$user->hasRight('societe', 'contact', 'lire')) { - throw new RestException(401, 'No permission to read contacts'); + throw new RestException(403, 'No permission to read contacts'); } if ($id === 0) { @@ -121,7 +121,7 @@ class Contacts extends DolibarrApi public function getByEmail($email, $includecount = 0, $includeroles = 0) { if (!DolibarrApiAccess::$user->hasRight('societe', 'contact', 'lire')) { - throw new RestException(401, 'No permission to read contacts'); + throw new RestException(403, 'No permission to read contacts'); } if (empty($email)) { @@ -179,7 +179,7 @@ class Contacts extends DolibarrApi $obj_ret = array(); if (!DolibarrApiAccess::$user->hasRight('societe', 'contact', 'lire')) { - throw new RestException(401, 'No permission to read contacts'); + throw new RestException(403, 'No permission to read contacts'); } // case of external user, $thirdparty_ids param is ignored and replaced by user's socid @@ -280,7 +280,7 @@ class Contacts extends DolibarrApi public function post($request_data = null) { if (!DolibarrApiAccess::$user->hasRight('societe', 'contact', 'creer')) { - throw new RestException(401, 'No permission to create/update contacts'); + throw new RestException(403, 'No permission to create/update contacts'); } // Check mandatory fields $result = $this->_validate($request_data); @@ -319,7 +319,7 @@ class Contacts extends DolibarrApi public function put($id, $request_data = null) { if (!DolibarrApiAccess::$user->hasRight('societe', 'contact', 'creer')) { - throw new RestException(401, 'No permission to create/update contacts'); + throw new RestException(403, 'No permission to create/update contacts'); } $result = $this->contact->fetch($id); 
@@ -370,7 +370,7 @@ class Contacts extends DolibarrApi
 public function delete($id)
 {
 if (!DolibarrApiAccess::$user->hasRight('societe', 'contact', 'supprimer')) {
- throw new RestException(401, 'No permission to delete contacts');
+ throw new RestException(403, 'No permission to delete contacts');
 }
 $result = $this->contact->fetch($id);
 if (!$result) {
@@ -484,7 +484,7 @@ class Contacts extends DolibarrApi
 public function addCategory($id, $category_id)
 {
 if (!DolibarrApiAccess::$user->hasRight('societe', 'contact', 'creer')) {
- throw new RestException(401, 'Insufficient rights');
+ throw new RestException(403, 'Insufficient rights');
 }
 $result = $this->contact->fetch($id);
@@ -524,7 +524,7 @@ class Contacts extends DolibarrApi
 public function deleteCategory($id, $category_id)
 {
 if (!DolibarrApiAccess::$user->hasRight('societe', 'contact', 'creer')) {
- throw new RestException(401, 'Insufficient rights');
+ throw new RestException(403, 'Insufficient rights');
 }
 $result = $this->contact->fetch($id);
diff --git a/htdocs/societe/class/api_thirdparties.class.php b/htdocs/societe/class/api_thirdparties.class.php
index 185cd61f6bf..3f0eae17eb6 100644
--- a/htdocs/societe/class/api_thirdparties.class.php
+++ b/htdocs/societe/class/api_thirdparties.class.php
@@ -447,7 +447,7 @@ class Thirdparties extends DolibarrApi
 }
 if (!DolibarrApiAccess::$user->hasRight('societe', 'creer')) {
- throw new RestException(401, 'Access to thirdparty '.$id.' not allowed for login '.DolibarrApiAccess::$user->login);
+ throw new RestException(403, 'Access to thirdparty '.$id.' not allowed for login '.DolibarrApiAccess::$user->login);
 }
 $result = $this->company->fetch($id);
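Review bot: The message on the new line of the Thirdparties `@@ -447` hunk, `'Access to thirdparty '.$id.' not allowed for login …'`, describes a per-record denial, but the condition it reports is a missing module right (`hasRight('societe', 'creer')`), which fails for every id; the record-level check with the identical text follows in the next hunk. Wording it as the permission actually tested, e.g. `throw new RestException(403, 'No permission to modify thirdparties');`, keeps the two 403s distinguishable in client and audit logs. The enclosing method starts outside the hunk.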
@@ -460,7 +460,7 @@ class Thirdparties extends DolibarrApi
 }
 if (empty(DolibarrApi::_checkAccessToResource('societe', $this->company->id))) {
- throw new RestException(401, 'Access to thirdparty '.$id.' not allowed for login '.DolibarrApiAccess::$user->login);
+ throw new RestException(403, 'Access to thirdparty '.$id.' not allowed for login '.DolibarrApiAccess::$user->login);
 }
 $result = $this->company->setPriceLevel($priceLevel, DolibarrApiAccess::$user);
diff --git a/htdocs/ticket/class/api_tickets.class.php b/htdocs/ticket/class/api_tickets.class.php
index 2ba1e31631a..49d8d9beaa4 100644
--- a/htdocs/ticket/class/api_tickets.class.php
+++ b/htdocs/ticket/class/api_tickets.class.php
@@ -133,7 +133,7 @@ class Tickets extends DolibarrApi
 // Check parameters
 if (($id < 0) && !$track_id && !$ref) {
- throw new RestException(401, 'Wrong parameters');
+ throw new RestException(400, 'Wrong parameters');
 }
 if ($id == 0) {
 $result = $this->ticket->initAsSpecimen();
diff --git a/htdocs/user/class/api_users.class.php b/htdocs/user/class/api_users.class.php
index 417f1f39f3a..9223ebbc24c 100644
--- a/htdocs/user/class/api_users.class.php
+++ b/htdocs/user/class/api_users.class.php
@@ -150,7 +150,7 @@ class Users extends DolibarrApi
 public function get($id, $includepermissions = 0)
 {
 if (!DolibarrApiAccess::$user->hasRight('user', 'user', 'lire') && empty(DolibarrApiAccess::$user->admin) && $id != 0 && DolibarrApiAccess::$user->id != $id) {
- throw new RestException(401, 'Not allowed');
+ throw new RestException(403, 'Not allowed');
 }
 if ($id == 0) {
@@ -193,7 +193,7 @@ class Users extends DolibarrApi
 }
 if (!DolibarrApiAccess::$user->hasRight('user', 'user', 'lire') && empty(DolibarrApiAccess::$user->admin) && DolibarrApiAccess::$user->login != $login) {
- throw new RestException(401, 'Not allowed');
+ throw new RestException(403, 'Not allowed');
 }
 $result = $this->useraccount->fetch('', $login);
@@ -232,7 +232,7 @@ class Users extends DolibarrApi
 }
 if (!DolibarrApiAccess::$user->hasRight('user', 'user', 'lire') && empty(DolibarrApiAccess::$user->admin) && DolibarrApiAccess::$user->email != $email) {
- throw new RestException(401, 'Not allowed');
+ throw new RestException(403, 'Not allowed');
 }
 $result = $this->useraccount->fetch('', '', '', 0, -1, $email);
@@ -265,7 +265,7 @@ class Users extends DolibarrApi
 public function getInfo($includepermissions = 0)
 {
 if (!DolibarrApiAccess::$user->hasRight('user', 'self', 'creer') && !DolibarrApiAccess::$user->hasRight('user', 'user', 'lire') && empty(DolibarrApiAccess::$user->admin)) {
- throw new RestException(401, 'Not allowed');
+ throw new RestException(403, 'Not allowed');
 }
 $apiUser = DolibarrApiAccess::$user;
@@ -306,7 +306,7 @@ class Users extends DolibarrApi
 {
 // Check user authorization
 if (!DolibarrApiAccess::$user->hasRight('user', 'creer') && empty(DolibarrApiAccess::$user->admin)) {
- throw new RestException(401, "User creation not allowed for login ".DolibarrApiAccess::$user->login);
+ throw new RestException(403, "User creation not allowed for login ".DolibarrApiAccess::$user->login);
 }
 // check mandatory fields
@@ -321,7 +321,7 @@ class Users extends DolibarrApi
 foreach ($request_data as $field => $value) {
 if (in_array($field, array('pass_crypted', 'pass_indatabase', 'pass_indatabase_crypted', 'pass_temp', 'api_key'))) { // This properties can't be set/modified with API
- throw new RestException(401, 'The property '.$field." can't be set/modified using the APIs");
+ throw new RestException(405, 'The property '.$field." can't be set/modified using the APIs");
 }
 if ($field === 'caller') { // Add a mention of caller so on trigger called after action, we can filter to avoid a loop if we try to sync back again with the caller
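Review bot: 405 is the wrong status for a rejected request field on the new line of the `@@ -321` hunk: RFC 9110 defines 405 as "the method is not supported by the target resource" and requires an `Allow` header listing the supported methods, which this throw does not send, so a client or intermediary reading only the status will conclude that POST on the users resource is unsupported. The same code is used on the matching line of the `put` hunk at `@@ -376`. A 400 (or 403, since the condition is a policy on which properties the API may write) carries the intended meaning: `throw new RestException(400, 'The property '.$field." can't be set/modified using the APIs");`. The enclosing `post` body starts and continues outside the hunk.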
@@ -330,7 +330,7 @@ class Users extends DolibarrApi
 }
 /*if ($field == 'pass') {
 if (!DolibarrApiAccess::$user->hasRight('user', 'user', 'password')) {
- throw new RestException(401, 'You are not allowed to modify/set password of other users');
+ throw new RestException(403, 'You are not allowed to modify/set password of other users');
 continue;
 }
 }
@@ -376,17 +376,17 @@ class Users extends DolibarrApi
 foreach ($request_data as $field => $value) {
 if (in_array($field, array('pass_crypted', 'pass_indatabase', 'pass_indatabase_crypted', 'pass_temp', 'api_key'))) { // This properties can't be set/modified with API
- throw new RestException(401, 'The property '.$field." can't be set/modified using the APIs");
+ throw new RestException(405, 'The property '.$field." can't be set/modified using the APIs");
 }
 if ($field == 'id') {
 continue;
 }
 if ($field == 'pass') {
 if ($this->useraccount->id != DolibarrApiAccess::$user->id && !DolibarrApiAccess::$user->hasRight('user', 'user', 'password')) {
- throw new RestException(401, 'You are not allowed to modify password of other users');
+ throw new RestException(403, 'You are not allowed to modify password of other users');
 }
 if ($this->useraccount->id == DolibarrApiAccess::$user->id && !DolibarrApiAccess::$user->hasRight('user', 'self', 'password')) {
- throw new RestException(401, 'You are not allowed to modify your own password');
+ throw new RestException(403, 'You are not allowed to modify your own password');
 }
 }
 if ($field === 'caller') {
@@ -397,15 +397,15 @@ class Users extends DolibarrApi
 if (DolibarrApiAccess::$user->admin) { // If user for API is admin
 if ($field == 'admin' && $value != $this->useraccount->admin && empty($value)) {
- throw new RestException(401, 'Reseting the admin status of a user is not possible using the API');
+ throw new RestException(403, 'Reseting the admin status of a user is not possible using the API');
 }
 } else {
 if ($field == 'admin' && $value != $this->useraccount->admin) {
- throw new RestException(401, 'Only an admin user can modify the admin status of another user');
+ throw new RestException(403, 'Only an admin user can modify the admin status of another user');
 }
 }
 if ($field == 'entity' && $value != $this->useraccount->entity) {
- throw new RestException(401, 'Changing entity of a user using the APIs is not possible');
+ throw new RestException(403, 'Changing entity of a user using the APIs is not possible');
 }
 // The status must be updated using setstatus() because it