Fix several security holes in the API when used by external users

This commit is contained in:
Laurent Destailleur
2016-12-07 19:02:39 +01:00
parent d23604701c
commit 1838670e31
13 changed files with 60 additions and 42 deletions


@@ -101,10 +101,12 @@ class Orders extends DolibarrApi
global $db, $conf;
$obj_ret = array();
// case of external user, $thirdpartyid param is ignored and replaced by user's socid
// case of external user, $thirdparty_ids param is ignored and replaced by user's socid
$socids = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : $thirdparty_ids;
// If the internal user must only see his customers, force searching by him
$search_sale = 0;
if (! DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) $search_sale = DolibarrApiAccess::$user->id;
$sql = "SELECT t.rowid";