default deny access, allow access if user has the right combination of permissions and/or is the sales representative for the thirdparty

This commit is contained in:
Jon Bendtsen
2025-10-31 19:55:17 +01:00
committed by Jon Bendtsen
parent 36415f1fd2
commit 1c697607b1


@@ -676,14 +676,31 @@ class Contracts extends DolibarrApi
if (!DolibarrApiAccess::$user->hasRight('contrat', 'creer')) {
throw new RestException(403);
}
if (!DolibarrApiAccess::$user->hasRight('societe', 'client', 'voir')) {
throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login.'. No read permission on all thirdparties.');
}
$result = $this->contract->fetch($id);
if (!$result) {
throw new RestException(404, 'Contrat not found');
}
$deny_access = true;
$why_deny_access = '';
if (DolibarrApiAccess::$user->hasRight('societe', 'lire')) {
if (DolibarrApiAccess::$user->hasRight('societe', 'client', 'voir')) {
$deny_access = false;
} else {
$why_deny_access = 'Extend access to all third parties';
if (DolibarrApi::_checkAccessToResource('societe', $this->contract->socid)) {
$deny_access = false;
} else {
$why_deny_access = $why_deny_access.' and NOT sales representative for this thirdparty='.$this->contract->socid;
}
}
} else {
$why_deny_access = 'Read third parties linked to user';
}
if ($deny_access) {
throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login.' - missing permissions: '.$why_deny_access);
}
if (!DolibarrApi::_checkAccessToResource('contrat', $this->contract->id)) {
throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
}
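Review bot: The `hasRight('societe', 'lire')` test does not depend on the fetched contract, yet it now runs after `$this->contract->fetch($id)`, so a caller lacking that permission gets 404 for an unknown id and 403 for an existing one — an existence oracle on contract ids that the removed pre-fetch `societe/client/voir` check did not expose. Only the sales-representative branch needs `socid`, so hoist the independent part above the fetch: `if (!DolibarrApiAccess::$user->hasRight('societe', 'lire')) { throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login.' - missing permissions: Read third parties linked to user'); }` and keep the `_checkAccessToResource('societe', ...)` check where it is. With that done the `$deny_access` flag and nested ifs can collapse into guard clauses, and the append on the "NOT sales representative" line reads more idiomatically as `$why_deny_access .= ' and NOT sales representative for this thirdparty='.$this->contract->socid;`. Note also that this message echoes the linked thirdparty id to a caller who was just denied access to it; consider whether the id belongs in the response. The enclosing method starts outside the hunk.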