From ba4e97f07bb69031deefd9f5fffbb86869bcf609 Mon Sep 17 00:00:00 2001 
From: atm-florian
Date: Thu, 16 Jan 2025 10:37:29 +0100
Subject: [PATCH] FIX 17.0 API endpoints "PUT": prevent overwriting all extrafields if only some are supplied in the request cf. PR #29237 + security for Tickets API: disable updating rowid
---
 htdocs/adherents/class/api_members.class.php | 6 ++++++
 htdocs/adherents/class/api_memberstypes.class.php | 6 ++++++
 htdocs/adherents/class/api_subscriptions.class.php | 6 ++++++
 htdocs/bom/class/api_boms.class.php | 6 ++++++
 htdocs/categories/class/api_categories.class.php | 6 ++++++
 htdocs/comm/action/class/api_agendaevents.class.php | 6 ++++++
 htdocs/comm/propal/class/api_proposals.class.php | 6 ++++++
 htdocs/commande/class/api_orders.class.php | 6 ++++++
 htdocs/compta/bank/class/api_bankaccounts.class.php | 6 ++++++
 htdocs/compta/facture/class/api_invoices.class.php | 6 ++++++
 htdocs/contrat/class/api_contracts.class.php | 6 ++++++
 htdocs/don/class/api_donations.class.php | 6 ++++++
 htdocs/expedition/class/api_shipments.class.php | 6 ++++++
 htdocs/expensereport/class/api_expensereports.class.php | 6 ++++++
 htdocs/fourn/class/api_supplier_invoices.class.php | 6 ++++++
 htdocs/fourn/class/api_supplier_orders.class.php | 6 ++++++
 .../class/api_knowledgemanagement.class.php | 6 ++++++
 .../modulebuilder/template/class/api_mymodule.class.php | 6 ++++++
 htdocs/mrp/class/api_mos.class.php | 6 ++++++
 htdocs/partnership/class/api_partnership.class.php | 6 ++++++
 htdocs/product/class/api_products.class.php | 6 ++++++
 htdocs/product/stock/class/api_warehouses.class.php | 6 ++++++
 htdocs/projet/class/api_projects.class.php | 6 ++++++
 htdocs/projet/class/api_tasks.class.php | 6 ++++++
 htdocs/reception/class/api_receptions.class.php | 6 ++++++
 htdocs/societe/class/api_contacts.class.php | 6 ++++++
 htdocs/societe/class/api_thirdparties.class.php | 6 ++++++
 htdocs/ticket/class/api_tickets.class.php | 9 +++++++++
 htdocs/user/class/api_users.class.php | 6 ++++++
 29 files changed, 177 insertions(+)
diff --git a/htdocs/adherents/class/api_members.class.php b/htdocs/adherents/class/api_members.class.php
index 4ecf79d9079..a224bbdda44 100644
--- a/htdocs/adherents/class/api_members.class.php
+++ b/htdocs/adherents/class/api_members.class.php
@@ -348,6 +348,12 @@ class Members extends DolibarrApi
 }
 }
 } else {
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $member->array_options[$index] = $this->_checkValForAPI($field, $val, $member);
+ }
+ continue;
+ }
 $member->$field = $value;
 }
 }
diff --git a/htdocs/adherents/class/api_memberstypes.class.php b/htdocs/adherents/class/api_memberstypes.class.php
index 8179612d769..46443b7b063 100644
--- a/htdocs/adherents/class/api_memberstypes.class.php
+++ b/htdocs/adherents/class/api_memberstypes.class.php
@@ -193,6 +193,12 @@ class MembersTypes extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $membertype->array_options[$index] = $this->_checkValForAPI($field, $val, $membertype);
+ }
+ continue;
+ }
 // Process the status separately because it must be updated using
 // the validate(), resiliate() and exclude() methods of the class AdherentType.
 $membertype->$field = $value;
diff --git a/htdocs/adherents/class/api_subscriptions.class.php b/htdocs/adherents/class/api_subscriptions.class.php
index dfde21dc5a1..be97312280c 100644
--- a/htdocs/adherents/class/api_subscriptions.class.php
+++ b/htdocs/adherents/class/api_subscriptions.class.php
@@ -186,6 +186,12 @@ class Subscriptions extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $subscription->array_options[$index] = $this->_checkValForAPI($field, $val, $subscription);
+ }
+ continue;
+ }
 $subscription->$field = $value;
 }
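Review bot: In the added `array_options` branch the sanitizer is invoked as `$this->_checkValForAPI($field, $val, $member)` with `$field` still equal to `'array_options'`, so if `_checkValForAPI` varies its check by field name (its body is outside this patch) every extrafield is checked the same way rather than by its own key; passing the extrafield key, `$this->_checkValForAPI($index, $val, $member)`, would match how the sibling fields are handled, and the request-supplied `$index` itself is stored as a key without any check that it names a declared extrafield, which is worth confirming the object's extrafield persistence tolerates. The `is_array($value)` guard also lets an `array_options` sent as a scalar or `null` fall through to `$member->$field = $value;`, which still replaces the whole loaded extrafield set — the case the commit sets out to prevent — so rejecting that shape with a `RestException(400, ...)` or `continue`-ing would close the gap. The same six lines are pasted into all 29 endpoints in this patch (every hunk from the memberstypes one on through the users hunk), so a single protected helper on DolibarrApi next to `_checkValForAPI` that merges one extrafield array into an object would keep them from drifting. The enclosing `foreach` over the request and the update method itself begin before this hunk.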
diff --git a/htdocs/bom/class/api_boms.class.php b/htdocs/bom/class/api_boms.class.php
index 57b0d26e80a..255934368a8 100644
--- a/htdocs/bom/class/api_boms.class.php
+++ b/htdocs/bom/class/api_boms.class.php
@@ -237,6 +237,12 @@ class Boms extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->bom->array_options[$index] = $this->_checkValForAPI($field, $val, $this->bom);
+ }
+ continue;
+ }
 $this->bom->$field = $value;
 }
diff --git a/htdocs/categories/class/api_categories.class.php b/htdocs/categories/class/api_categories.class.php
index 77356ba2a87..44aefd694ba 100644
--- a/htdocs/categories/class/api_categories.class.php
+++ b/htdocs/categories/class/api_categories.class.php
@@ -237,6 +237,12 @@ class Categories extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->category->array_options[$index] = $this->_checkValForAPI($field, $val, $this->category);
+ }
+ continue;
+ }
 $this->category->$field = $value;
 }
diff --git a/htdocs/comm/action/class/api_agendaevents.class.php b/htdocs/comm/action/class/api_agendaevents.class.php
index 058de48542d..cfb933ed695 100644
--- a/htdocs/comm/action/class/api_agendaevents.class.php
+++ b/htdocs/comm/action/class/api_agendaevents.class.php
@@ -270,6 +270,12 @@ class AgendaEvents extends DolibarrApi
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->actioncomm->array_options[$index] = $this->_checkValForAPI($field, $val, $this->actioncomm);
+ }
+ continue;
+ }
 $this->actioncomm->$field = $this->_checkValForAPI($field, $value, $this->actioncomm);
 }
diff --git a/htdocs/comm/propal/class/api_proposals.class.php b/htdocs/comm/propal/class/api_proposals.class.php
index bbdc3cab71d..14ba90aef18 100644
--- a/htdocs/comm/propal/class/api_proposals.class.php
+++ b/htdocs/comm/propal/class/api_proposals.class.php
@@ -696,6 +696,12 @@ class Proposals extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->propal->array_options[$index] = $this->_checkValForAPI($field, $val, $this->propal);
+ }
+ continue;
+ }
 $this->propal->$field = $value;
 }
diff --git a/htdocs/commande/class/api_orders.class.php b/htdocs/commande/class/api_orders.class.php
index af460b3b459..b1571052a2b 100644
--- a/htdocs/commande/class/api_orders.class.php
+++ b/htdocs/commande/class/api_orders.class.php
@@ -652,6 +652,12 @@ class Orders extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->commande->array_options[$index] = $this->_checkValForAPI($field, $val, $this->commande);
+ }
+ continue;
+ }
 $this->commande->$field = $value;
 }
diff --git a/htdocs/compta/bank/class/api_bankaccounts.class.php b/htdocs/compta/bank/class/api_bankaccounts.class.php
index 052c45fbc56..1da37b2c760 100644
--- a/htdocs/compta/bank/class/api_bankaccounts.class.php
+++ b/htdocs/compta/bank/class/api_bankaccounts.class.php
@@ -332,6 +332,12 @@ class BankAccounts extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $account->array_options[$index] = $this->_checkValForAPI($field, $val, $account);
+ }
+ continue;
+ }
 $account->$field = $this->_checkValForAPI($field, $value, $account);
 }
diff --git a/htdocs/compta/facture/class/api_invoices.class.php b/htdocs/compta/facture/class/api_invoices.class.php
index 47fd0263d7e..4dfd1f023aa 100644
--- a/htdocs/compta/facture/class/api_invoices.class.php
+++ b/htdocs/compta/facture/class/api_invoices.class.php
@@ -627,6 +627,12 @@ class Invoices extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->invoice->array_options[$index] = $this->_checkValForAPI($field, $val, $this->invoice);
+ }
+ continue;
+ }
 $this->invoice->$field = $value;
 }
diff --git a/htdocs/contrat/class/api_contracts.class.php b/htdocs/contrat/class/api_contracts.class.php
index 2becf6fcfb7..5bbdf7d1525 100644
--- a/htdocs/contrat/class/api_contracts.class.php
+++ b/htdocs/contrat/class/api_contracts.class.php
@@ -510,6 +510,12 @@ class Contracts extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->contract->array_options[$index] = $this->_checkValForAPI($field, $val, $this->contract);
+ }
+ continue;
+ }
 $this->contract->$field = $value;
 }
diff --git a/htdocs/don/class/api_donations.class.php b/htdocs/don/class/api_donations.class.php
index fee513f2ed7..472c5f8d4b2 100644
--- a/htdocs/don/class/api_donations.class.php
+++ b/htdocs/don/class/api_donations.class.php
@@ -231,6 +231,12 @@ class Donations extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->don->array_options[$index] = $this->_checkValForAPI($field, $val, $this->don);
+ }
+ continue;
+ }
 $this->don->$field = $value;
 }
diff --git a/htdocs/expedition/class/api_shipments.class.php b/htdocs/expedition/class/api_shipments.class.php
index fea57fbea10..23e1b1d0c84 100644
--- a/htdocs/expedition/class/api_shipments.class.php
+++ b/htdocs/expedition/class/api_shipments.class.php
@@ -447,6 +447,12 @@ class Shipments extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->shipment->array_options[$index] = $this->_checkValForAPI($field, $val, $this->shipment);
+ }
+ continue;
+ }
 $this->shipment->$field = $value;
 }
diff --git a/htdocs/expensereport/class/api_expensereports.class.php b/htdocs/expensereport/class/api_expensereports.class.php
index c3bfeb2264d..c985c5fe813 100644
--- a/htdocs/expensereport/class/api_expensereports.class.php
+++ b/htdocs/expensereport/class/api_expensereports.class.php
@@ -420,6 +420,12 @@ class ExpenseReports extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->expensereport->array_options[$index] = $this->_checkValForAPI($field, $val, $this->expensereport);
+ }
+ continue;
+ }
 $this->expensereport->$field = $value;
 }
diff --git a/htdocs/fourn/class/api_supplier_invoices.class.php b/htdocs/fourn/class/api_supplier_invoices.class.php
index cb7072fdca1..84568f2b13c 100644
--- a/htdocs/fourn/class/api_supplier_invoices.class.php
+++ b/htdocs/fourn/class/api_supplier_invoices.class.php
@@ -263,6 +263,12 @@ class SupplierInvoices extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->invoice->array_options[$index] = $this->_checkValForAPI($field, $val, $this->invoice);
+ }
+ continue;
+ }
 $this->invoice->$field = $value;
 }
diff --git a/htdocs/fourn/class/api_supplier_orders.class.php b/htdocs/fourn/class/api_supplier_orders.class.php
index 4ad1f951883..b56c5195ee7 100644
--- a/htdocs/fourn/class/api_supplier_orders.class.php
+++ b/htdocs/fourn/class/api_supplier_orders.class.php
@@ -277,6 +277,12 @@ class SupplierOrders extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->order->array_options[$index] = $this->_checkValForAPI($field, $val, $this->order);
+ }
+ continue;
+ }
 $this->order->$field = $value;
 }
diff --git a/htdocs/knowledgemanagement/class/api_knowledgemanagement.class.php b/htdocs/knowledgemanagement/class/api_knowledgemanagement.class.php
index 6d5c15c0dc6..7d777530166 100644
--- a/htdocs/knowledgemanagement/class/api_knowledgemanagement.class.php
+++ b/htdocs/knowledgemanagement/class/api_knowledgemanagement.class.php
@@ -298,6 +298,12 @@ class KnowledgeManagement extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->knowledgerecord->array_options[$index] = $this->_checkValForAPI($field, $val, $this->knowledgerecord);
+ }
+ continue;
+ }
 $this->knowledgerecord->$field = $this->_checkValForAPI($field, $value, $this->knowledgerecord);
 }
diff --git a/htdocs/modulebuilder/template/class/api_mymodule.class.php b/htdocs/modulebuilder/template/class/api_mymodule.class.php
index fdb56ff3c67..19bb4f50781 100644
--- a/htdocs/modulebuilder/template/class/api_mymodule.class.php
+++ b/htdocs/modulebuilder/template/class/api_mymodule.class.php
@@ -255,6 +255,12 @@ class MyModuleApi extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->myobject->array_options[$index] = $this->_checkValForAPI($field, $val, $this->myobject);
+ }
+ continue;
+ }
 $this->myobject->$field = $this->_checkValForAPI($field, $value, $this->myobject);
 }
diff --git a/htdocs/mrp/class/api_mos.class.php b/htdocs/mrp/class/api_mos.class.php
index 2312f4bd636..c524d5533d6 100644
--- a/htdocs/mrp/class/api_mos.class.php
+++ b/htdocs/mrp/class/api_mos.class.php
@@ -238,6 +238,12 @@ class Mos extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->mo->array_options[$index] = $this->_checkValForAPI($field, $val, $this->mo);
+ }
+ continue;
+ }
 $this->mo->$field = $value;
 }
diff --git a/htdocs/partnership/class/api_partnership.class.php b/htdocs/partnership/class/api_partnership.class.php
index 13bc447c51d..f5cb7293081 100644
--- a/htdocs/partnership/class/api_partnership.class.php
+++ b/htdocs/partnership/class/api_partnership.class.php
@@ -255,6 +255,12 @@ class PartnershipApi extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->partnership->array_options[$index] = $this->_checkValForAPI($field, $val, $this->partnership);
+ }
+ continue;
+ }
 $this->partnership->$field = $this->_checkValForAPI($field, $value, $this->partnership);
 }
diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php
index e95db77d0cc..eeb8427596a 100644
--- a/htdocs/product/class/api_products.class.php
+++ b/htdocs/product/class/api_products.class.php
@@ -361,6 +361,12 @@ class Products extends DolibarrApi
 if ($field == 'stock_reel') {
 throw new RestException(400, 'Stock reel cannot be updated here. Use the /stockmovements endpoint instead');
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->product->array_options[$index] = $this->_checkValForAPI($field, $val, $this->product);
+ }
+ continue;
+ }
 $this->product->$field = $value;
 }
diff --git a/htdocs/product/stock/class/api_warehouses.class.php b/htdocs/product/stock/class/api_warehouses.class.php
index a0646598d96..f39a9fa88d8 100644
--- a/htdocs/product/stock/class/api_warehouses.class.php
+++ b/htdocs/product/stock/class/api_warehouses.class.php
@@ -206,6 +206,12 @@ class Warehouses extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->warehouse->array_options[$index] = $this->_checkValForAPI($field, $val, $this->warehouse);
+ }
+ continue;
+ }
 $this->warehouse->$field = $value;
 }
diff --git a/htdocs/projet/class/api_projects.class.php b/htdocs/projet/class/api_projects.class.php
index f5c23f4b040..9eed224e99a 100644
--- a/htdocs/projet/class/api_projects.class.php
+++ b/htdocs/projet/class/api_projects.class.php
@@ -462,6 +462,12 @@ class Projects extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->project->array_options[$index] = $this->_checkValForAPI($field, $val, $this->project);
+ }
+ continue;
+ }
 $this->project->$field = $value;
 }
diff --git a/htdocs/projet/class/api_tasks.class.php b/htdocs/projet/class/api_tasks.class.php
index 80fede57563..bb65cfa31e5 100644
--- a/htdocs/projet/class/api_tasks.class.php
+++ b/htdocs/projet/class/api_tasks.class.php
@@ -460,6 +460,12 @@ class Tasks extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->task->array_options[$index] = $this->_checkValForAPI($field, $val, $this->task);
+ }
+ continue;
+ }
 $this->task->$field = $value;
 }
diff --git a/htdocs/reception/class/api_receptions.class.php b/htdocs/reception/class/api_receptions.class.php
index 55e3fa59165..70088db3455 100644
--- a/htdocs/reception/class/api_receptions.class.php
+++ b/htdocs/reception/class/api_receptions.class.php
@@ -447,6 +447,12 @@ class Receptions extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->reception->array_options[$index] = $this->_checkValForAPI($field, $val, $this->reception);
+ }
+ continue;
+ }
 $this->reception->$field = $value;
 }
diff --git a/htdocs/societe/class/api_contacts.class.php b/htdocs/societe/class/api_contacts.class.php
index d8839c9a122..efbc1625ea0 100644
--- a/htdocs/societe/class/api_contacts.class.php
+++ b/htdocs/societe/class/api_contacts.class.php
@@ -330,6 +330,12 @@ class Contacts extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->contact->array_options[$index] = $this->_checkValForAPI($field, $val, $this->contact);
+ }
+ continue;
+ }
 $this->contact->$field = $value;
 }
diff --git a/htdocs/societe/class/api_thirdparties.class.php b/htdocs/societe/class/api_thirdparties.class.php
index ef54c3a2299..f35521689da 100644
--- a/htdocs/societe/class/api_thirdparties.class.php
+++ b/htdocs/societe/class/api_thirdparties.class.php
@@ -301,6 +301,12 @@ class Thirdparties extends DolibarrApi
 if ($field == 'id') {
 continue;
 }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->company->array_options[$index] = $this->_checkValForAPI($field, $val, $this->company);
+ }
+ continue;
+ }
 $this->company->$field = $value;
 }
diff --git a/htdocs/ticket/class/api_tickets.class.php b/htdocs/ticket/class/api_tickets.class.php
index c27d9195683..d07687ff192 100644
--- a/htdocs/ticket/class/api_tickets.class.php
+++ b/htdocs/ticket/class/api_tickets.class.php
@@ -381,6 +381,15 @@ class Tickets extends DolibarrApi
 }
 foreach ($request_data as $field => $value) {
+ if ($field == 'id') {
+ continue;
+ }
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->ticket->array_options[$index] = $this->_checkValForAPI($field, $val, $this->ticket);
+ }
+ continue;
+ }
 $this->ticket->$field = $value;
 }
diff --git a/htdocs/user/class/api_users.class.php b/htdocs/user/class/api_users.class.php
index 781de4d23cd..fadcde59d53 100644
--- a/htdocs/user/class/api_users.class.php
+++ b/htdocs/user/class/api_users.class.php
@@ -406,6 +406,12 @@ class Users extends DolibarrApi
 throw new RestException(500, 'Error when updating status of user: '.$this->useraccount->error);
 }
 } else {
+ if ($field == 'array_options' && is_array($value)) {
+ foreach ($value as $index => $val) {
+ $this->useraccount->array_options[$index] = $this->_checkValForAPI($field, $val, $this->useraccount);
+ }
+ continue;
+ }
 $this->useraccount->$field = $value;
 }
 }
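Review bot: The new guard at the top of the tickets loop skips only the `id` key, while the commit subject says it disables updating `rowid`; if `Ticket::update()` or anything it calls reads a `rowid` property, a request key of that name still reaches `$this->ticket->rowid` through the generic `$this->ticket->$field = $value;` on the following line, so either extend the guard, `if ($field == 'id' || $field == 'rowid') { continue; }`, or confirm that property is never consulted and say so in a comment. The comparison would also be safer strict, `if ($field === 'id')`: on PHP releases before 8 a list-shaped JSON body gives integer keys and `0 == 'id'` evaluates true, silently dropping the first element rather than rejecting the malformed payload. The `id` skip that the other endpoints in this patch already carry as context is what this hunk brings tickets in line with; the update method itself begins before this hunk.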