diff --git a/ChangeLog b/ChangeLog index 7766fc58f58..5a045136113 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,26 @@ English Dolibarr ChangeLog -------------------------------------------------------------- +***** ChangeLog for 19.0.0 compared to 18.0.0 ***** + +For users: +---------- +NEW: Compatibility with PHP 8.3 +... + +For developers or integrators: +------------------------------ +... + +WARNING: +-------- + +The following changes may create regressions for some external modules, but were necessary to make Dolibarr better: +* More class properties (with old name in french) are now deprecated in favor of the property name in english. +* Some API HTTP return code were moved from 401 to 403 to better follow REST specification. + + + ***** ChangeLog for 19.0.0 compared to 18.0.0 ***** For users: diff --git a/htdocs/fourn/class/api_supplier_invoices.class.php b/htdocs/fourn/class/api_supplier_invoices.class.php index 112f4bb1439..2c6251a1249 100644 --- a/htdocs/fourn/class/api_supplier_invoices.class.php +++ b/htdocs/fourn/class/api_supplier_invoices.class.php @@ -61,12 +61,17 @@ class SupplierInvoices extends DolibarrApi * @param int $id ID of supplier invoice * @return Object Object with cleaned properties * - * @throws RestException + * @throws RestException 403 + * @throws RestException 404 */ public function get($id) { if (!DolibarrApiAccess::$user->hasRight("fournisseur", "facture", "lire")) { - throw new RestException(401); + throw new RestException(403); + } + + if (!DolibarrApi::_checkAccessToResource('fournisseur', $id, 'facture_fourn', 'facture')) { + throw new RestException(403, 'Access not allowed for login ' . DolibarrApiAccess::$user->login); } $result = $this->invoice->fetch($id); 
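Review bot: Nothing in `get()` says why the object-level check now runs on the caller-supplied `$id` ahead of `fetch($id)`, and the same reordering is repeated in `put()`, `delete()`, `validate()`, `getPayments()`, `addPayment()`, `getLines()`, `postLine()`, `putLine()` and `deleteLine()`. Whether an unknown id now returns 403 or the documented 404 depends on `_checkAccessToResource`, which is not visible here. I would add a one-line comment above the check, e.g. `// Authorize on the requested id before loading the object, so nothing is fetched for a caller who is not allowed to see it`, and confirm the not-found behaviour against the helper. The body of `get()` continues in the next hunk.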
@@ -74,10 +79,6 @@ class SupplierInvoices extends DolibarrApi throw new RestException(404, 'Supplier invoice not found'); } - if (!DolibarrApi::_checkAccessToResource('fournisseur', $this->invoice->id, 'facture_fourn', 'facture')) { - throw new RestException(401, 'Access not allowed for login ' . DolibarrApiAccess::$user->login); - } - $this->invoice->fetchObjectLinked(); return $this->_cleanObjectDatas($this->invoice); } @@ -101,10 +102,8 @@ class SupplierInvoices extends DolibarrApi */ public function index($sortfield = "t.rowid", $sortorder = 'ASC', $limit = 100, $page = 0, $thirdparty_ids = '', $status = '', $sqlfilters = '', $properties = '') { - global $db; - if (!DolibarrApiAccess::$user->hasRight("fournisseur", "facture", "lire")) { - throw new RestException(401); + throw new RestException(403); } $obj_ret = array(); @@ -196,13 +195,13 @@ class SupplierInvoices extends DolibarrApi * * @return int ID of supplier invoice * - * @throws RestException 401 + * @throws RestException 403 * @throws RestException 500 System error */ public function post($request_data = null) { if (!DolibarrApiAccess::$user->hasRight("fournisseur", "facture", "creer")) { - throw new RestException(401, "Insuffisant rights"); + throw new RestException(403, "Insuffisant rights"); } // Check mandatory fields $result = $this->_validate($request_data); @@ -234,13 +233,17 @@ class SupplierInvoices extends DolibarrApi * * @return int * - * @throws RestException 401 + * @throws RestException 403 * @throws RestException 404 */ public function put($id, $request_data = null) { if (!DolibarrApiAccess::$user->hasRight("fournisseur", "facture", "creer")) { - throw new RestException(401); + throw new RestException(403); + } + + if (!DolibarrApi::_checkAccessToResource('fournisseur', $id, 'facture_fourn', 'facture')) { + throw new RestException(403, 'Access not allowed for login ' . DolibarrApiAccess::$user->login); } $result = $this->invoice->fetch($id); 
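Review bot: The message on the changed `throw` in `post()` reads `"Insuffisant rights"`, which is misspelled and is returned to API clients; `throw new RestException(403, "Insufficient rights");` would fix it. In the visible hunks it is also the only plain right check that carries a message, since the others throw a bare `RestException(403)`, so one form could be used throughout. `post()` continues outside the hunk.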
@@ -248,10 +251,6 @@ class SupplierInvoices extends DolibarrApi throw new RestException(404, 'Supplier invoice not found'); } - if (!DolibarrApi::_checkAccessToResource('fournisseur', $this->invoice->id, 'facture_fourn', 'facture')) { - throw new RestException(401, 'Access not allowed for login ' . DolibarrApiAccess::$user->login); - } - foreach ($request_data as $field => $value) { if ($field == 'id') { continue; @@ -279,24 +278,23 @@ class SupplierInvoices extends DolibarrApi * * @return array * - * @throws RestException 401 + * @throws RestException 403 * @throws RestException 404 * @throws RestException 500 System error */ public function delete($id) { if (!DolibarrApiAccess::$user->hasRight("fournisseur", "facture", "supprimer")) { - throw new RestException(401); + throw new RestException(403); + } + if (!DolibarrApi::_checkAccessToResource('fournisseur', $id, 'facture_fourn', 'facture')) { + throw new RestException(403, 'Access not allowed for login ' . DolibarrApiAccess::$user->login); } $result = $this->invoice->fetch($id); if (!$result) { throw new RestException(404, 'Supplier invoice not found'); } - if (!DolibarrApi::_checkAccessToResource('fournisseur', $this->invoice->id, 'facture_fourn', 'facture')) { - throw new RestException(401, 'Access not allowed for login ' . DolibarrApiAccess::$user->login); - } - if ($this->invoice->delete(DolibarrApiAccess::$user) < 0) { throw new RestException(500, 'Error when deleting invoice'); } @@ -321,7 +319,7 @@ class SupplierInvoices extends DolibarrApi * @return array * * @throws RestException 304 - * @throws RestException 401 + * @throws RestException 403 * @throws RestException 404 * @throws RestException 405 * @throws RestException 500 System error 
@@ -329,17 +327,18 @@ class SupplierInvoices extends DolibarrApi public function validate($id, $idwarehouse = 0, $notrigger = 0) { if (!DolibarrApiAccess::$user->hasRight("fournisseur", "facture", "creer")) { - throw new RestException(401); + throw new RestException(403); } + + if (!DolibarrApi::_checkAccessToResource('fournisseur', $id, 'facture_fourn', 'facture')) { + throw new RestException(403, 'Access not allowed for login ' . DolibarrApiAccess::$user->login); + } + $result = $this->invoice->fetch($id); if (!$result) { throw new RestException(404, 'Invoice not found'); } - if (!DolibarrApi::_checkAccessToResource('fournisseur', $this->invoice->id, 'facture_fourn', 'facture')) { - throw new RestException(401, 'Access not allowed for login ' . DolibarrApiAccess::$user->login); - } - $result = $this->invoice->validate(DolibarrApiAccess::$user, '', $idwarehouse, $notrigger); if ($result == 0) { throw new RestException(304, 'Error nothing done. The invoice is already validated'); 
@@ -365,28 +364,28 @@ class SupplierInvoices extends DolibarrApi * * @return array * @throws RestException 400 - * @throws RestException 401 + * @throws RestException 403 * @throws RestException 404 * @throws RestException 405 */ public function getPayments($id) { - if (!DolibarrApiAccess::$user->hasRight("fournisseur", "facture", "lire")) { - throw new RestException(401); - } if (empty($id)) { throw new RestException(400, 'Invoice ID is mandatory'); } + if (!DolibarrApiAccess::$user->hasRight("fournisseur", "facture", "lire")) { + throw new RestException(403); + } + if (!DolibarrApi::_checkAccessToResource('fournisseur', $id, 'facture_fourn', 'facture')) { + throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login); + } + $result = $this->invoice->fetch($id); if (!$result) { throw new RestException(404, 'Invoice not found'); } - if (!DolibarrApi::_checkAccessToResource('fournisseur', $this->invoice->id, 'facture_fourn', 'facture')) { - throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login); - } - $result = $this->invoice->getListOfPayments(); if ($result < 0) { throw new RestException(405, $this->invoice->error); 
@@ -413,19 +412,22 @@ class SupplierInvoices extends DolibarrApi * @url POST {id}/payments * * @return int Payment ID + * * @throws RestException 400 - * @throws RestException 401 + * @throws RestException 403 * @throws RestException 404 */ public function addPayment($id, $datepaye, $payment_mode_id, $closepaidinvoices, $accountid, $num_payment = '', $comment = '', $chqemetteur = '', $chqbank = '', $amount = null) { - global $conf; + if (empty($id)) { + throw new RestException(400, 'Invoice ID is mandatory'); + } if (!DolibarrApiAccess::$user->hasRight("fournisseur", "facture", "creer")) { throw new RestException(403); } - if (empty($id)) { - throw new RestException(400, 'Invoice ID is mandatory'); + if (!DolibarrApi::_checkAccessToResource('fournisseur', $id, 'facture_fourn', 'facture')) { + throw new RestException(403, 'Access not allowed for login ' . DolibarrApiAccess::$user->login); } $result = $this->invoice->fetch($id); @@ -433,10 +435,6 @@ class SupplierInvoices extends DolibarrApi throw new RestException(404, 'Invoice not found'); } - if (!DolibarrApi::_checkAccessToResource('fournisseur', $this->invoice->id, 'facture_fourn', 'facture')) { - throw new RestException(401, 'Access not allowed for login ' . DolibarrApiAccess::$user->login); - } - if (isModEnabled("banque")) { if (empty($accountid)) { throw new RestException(400, 'Bank account ID is mandatory'); @@ -507,11 +505,17 @@ class SupplierInvoices extends DolibarrApi * @url GET {id}/lines * * @return array + * + * @throws RestException 403 + * @throws RestException 404 */ public function getLines($id) { if (!DolibarrApiAccess::$user->hasRight("fournisseur", "facture", "creer")) { - throw new RestException(401); + throw new RestException(403); + } + if (!DolibarrApi::_checkAccessToResource('fournisseur', $id, 'facture_fourn', 'facture')) { + throw new RestException(403, 'Access not allowed for login ' . DolibarrApiAccess::$user->login); } $result = $this->invoice->fetch($id); 
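Review bot: `getLines()` is routed as `GET {id}/lines`, but its right check on the context line asks for `"creer"`, whereas the other read endpoints touched by this commit, `get()` and `getPayments()`, ask for `"lire"`. If that is not deliberate, an account with read-only rights is refused the lines of invoices it may otherwise read; the check would become `if (!DolibarrApiAccess::$user->hasRight("fournisseur", "facture", "lire")) {`. If it is deliberate, a short comment above the check saying why listing lines needs the create right would help. The body of `getLines()` continues in the next hunk.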
@@ -519,9 +523,6 @@ class SupplierInvoices extends DolibarrApi throw new RestException(404, 'Supplier invoice not found'); } - if (!DolibarrApi::_checkAccessToResource('fournisseur', $this->invoice->id, 'facture_fourn', 'facture')) { - throw new RestException(401, 'Access not allowed for login ' . DolibarrApiAccess::$user->login); - } $this->invoice->fetch_lines(); $result = array(); foreach ($this->invoice->lines as $line) { @@ -543,11 +544,18 @@ class SupplierInvoices extends DolibarrApi * @url POST {id}/lines * * @return int|bool + * + * @throws RestException 403 + * @throws RestException 404 */ public function postLine($id, $request_data = null) { if (!DolibarrApiAccess::$user->hasRight("fournisseur", "facture", "creer")) { - throw new RestException(401); + throw new RestException(403); + } + + if (!DolibarrApi::_checkAccessToResource('fournisseur', $id, 'facture_fourn', 'facture')) { + throw new RestException(403, 'Access not allowed for login ' . DolibarrApiAccess::$user->login); } $result = $this->invoice->fetch($id); @@ -555,10 +563,6 @@ class SupplierInvoices extends DolibarrApi throw new RestException(404, 'Supplier invoice not found'); } - if (!DolibarrApi::_checkAccessToResource('fournisseur', $this->invoice->id, 'facture_fourn', 'facture')) { - throw new RestException(401, 'Access not allowed for login ' . DolibarrApiAccess::$user->login); - } - $request_data = (object) $request_data; $request_data->description = sanitizeVal($request_data->description, 'restricthtml'); 
@@ -607,14 +611,18 @@ class SupplierInvoices extends DolibarrApi * * @return object * - * @throws RestException 401 Not allowed + * @throws RestException 403 Not allowed * @throws RestException 404 Not found * @throws RestException 304 Error */ public function putLine($id, $lineid, $request_data = null) { if (!DolibarrApiAccess::$user->hasRight("fournisseur", "facture", "creer")) { - throw new RestException(401); + throw new RestException(403); + } + + if (!DolibarrApi::_checkAccessToResource('fournisseur', $id, 'facture_fourn', 'facture')) { + throw new RestException(403, 'Access not allowed for login ' . DolibarrApiAccess::$user->login); } $result = $this->invoice->fetch($id); @@ -622,10 +630,6 @@ class SupplierInvoices extends DolibarrApi throw new RestException(404, 'Supplier invoice not found'); } - if (!DolibarrApi::_checkAccessToResource('fournisseur', $this->invoice->id, 'facture_fourn', 'facture')) { - throw new RestException(401, 'Access not allowed for login ' . DolibarrApiAccess::$user->login); - } - $request_data = (object) $request_data; $request_data->description = sanitizeVal($request_data->description, 'restricthtml'); @@ -674,14 +678,21 @@ class SupplierInvoices extends DolibarrApi * @return array * * @throws RestException 400 Bad parameters - * @throws RestException 401 Not allowed + * @throws RestException 403 Not allowed * @throws RestException 404 Not found * @throws RestException 405 Error */ public function deleteLine($id, $lineid) { + if (empty($lineid)) { + throw new RestException(400, 'Line ID is mandatory'); + } + if (!DolibarrApiAccess::$user->hasRight("fournisseur", "facture", "creer")) { - throw new RestException(401); + throw new RestException(403); + } + if (!DolibarrApi::_checkAccessToResource('fournisseur', $id, 'facture_fourn', 'facture')) { + throw new RestException(403, 'Access not allowed for login ' . DolibarrApiAccess::$user->login); } $result = $this->invoice->fetch($id); 
@@ -689,14 +700,6 @@ class SupplierInvoices extends DolibarrApi throw new RestException(404, 'Supplier invoice not found'); } - if (empty($lineid)) { - throw new RestException(400, 'Line ID is mandatory'); - } - - if (!DolibarrApi::_checkAccessToResource('fournisseur', $this->invoice->id, 'facture_fourn', 'facture')) { - throw new RestException(401, 'Access not allowed for login ' . DolibarrApiAccess::$user->login); - } - // TODO Check the lineid $lineid is a line of object $updateRes = $this->invoice->deleteline($lineid); diff --git a/htdocs/modulebuilder/template/class/api_mymodule.class.php b/htdocs/modulebuilder/template/class/api_mymodule.class.php index 25a086f58cd..42c8d9874ba 100644 --- a/htdocs/modulebuilder/template/class/api_mymodule.class.php +++ b/htdocs/modulebuilder/template/class/api_mymodule.class.php @@ -66,13 +66,16 @@ class MyModuleApi extends DolibarrApi * * @url GET myobjects/{id} * - * @throws RestException 401 Not allowed + * @throws RestException 403 Not allowed * @throws RestException 404 Not found */ public function get($id) { if (!DolibarrApiAccess::$user->rights->mymodule->myobject->read) { - throw new RestException(401); + throw new RestException(403); + } + if (!DolibarrApi::_checkAccessToResource('myobject', $id, 'mymodule_myobject')) { + throw new RestException(403, 'Access to instance id='.$this->myobject->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); } $result = $this->myobject->fetch($id); @@ -80,10 +83,6 @@ class MyModuleApi extends DolibarrApi throw new RestException(404, 'MyObject not found'); } - if (!DolibarrApi::_checkAccessToResource('myobject', $this->myobject->id, 'mymodule_myobject')) { - throw new RestException(401, 'Access to instance id='.$this->myobject->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); - } - return $this->_cleanObjectDatas($this->myobject); } 
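Review bot: The `// TODO Check the lineid $lineid is a line of object` in `deleteLine()` is still open after this commit: the new access check authorizes invoice `$id`, but `deleteline($lineid)` is then called without confirming that the line belongs to that invoice. Unless `deleteline()` enforces the link itself (not visible here), authorization on one invoice does not bound which line is removed. I would load the lines of the fetched invoice and reject a `$lineid` that is not among them, as sketched below; this assumes line objects expose `id`. `deleteLine()` starts in the previous hunk and continues after this one.

```php
		// … unchanged: mandatory-id check, right check, access check, fetch($id) …

		// Make sure the line to delete belongs to the invoice the caller was authorized on
		$this->invoice->fetch_lines();
		$lineBelongsToInvoice = false;
		foreach ($this->invoice->lines as $line) {
			if ((int) $line->id === (int) $lineid) {
				$lineBelongsToInvoice = true;
				break;
			}
		}
		if (!$lineBelongsToInvoice) {
			throw new RestException(404, 'Line not found on this supplier invoice');
		}

		$updateRes = $this->invoice->deleteline($lineid);
```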
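Review bot: The 403 message in the template's `get()` interpolates `$this->myobject->id`, but the check now runs before `fetch($id)`, so that property is not populated yet and the message will carry an empty or stale id. The same line was moved unchanged into `put()` and `delete()` further down. Use the request parameter instead: `throw new RestException(403, 'Access to instance id='.((int) $id).' of object not allowed for login '.DolibarrApiAccess::$user->login);`. Because this file is the template that new modules are generated from, the slip would propagate to generated code.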
@@ -101,7 +100,8 @@ class MyModuleApi extends DolibarrApi * @param string $properties Restrict the data returned to these properties. Ignored if empty. Comma separated list of properties names * @return array Array of order objects * - * @throws RestException + * @throws RestException 403 Not allowed + * @throws RestException 503 System error * * @url GET /myobjects/ */ @@ -111,7 +111,7 @@ class MyModuleApi extends DolibarrApi $tmpobject = new MyObject($this->db); if (!DolibarrApiAccess::$user->rights->mymodule->myobject->read) { - throw new RestException(401); + throw new RestException(403); } $socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : 0; @@ -186,16 +186,17 @@ class MyModuleApi extends DolibarrApi * Create myobject object * * @param array $request_data Request datas - * @return int ID of myobject + * @return int ID of myobject * - * @throws RestException + * @throws RestException 403 Not allowed + * @throws RestException 500 System error * * @url POST myobjects/ */ public function post($request_data = null) { if (!DolibarrApiAccess::$user->rights->mymodule->myobject->write) { - throw new RestException(401); + throw new RestException(403); } // Check mandatory fields @@ -227,14 +228,19 @@ class MyModuleApi extends DolibarrApi * @param array $request_data Datas * @return int * - * @throws RestException + * @throws RestException 403 Not allowed + * @throws RestException 404 Not found + * @throws RestException 500 System error * * @url PUT myobjects/{id} */ public function put($id, $request_data = null) { if (!DolibarrApiAccess::$user->rights->mymodule->myobject->write) { - throw new RestException(401); + throw new RestException(403); + } + if (!DolibarrApi::_checkAccessToResource('myobject', $id, 'mymodule_myobject')) { + throw new RestException(403, 'Access to instance id='.$this->myobject->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); } $result = $this->myobject->fetch($id); 
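Review bot: The right checks in `index()`, `post()` and `put()` (and `get()` in the first hunk of this file) still dereference `DolibarrApiAccess::$user->rights->mymodule->myobject->read` / `->write`, while the same commit moves `delete()` to `hasRight('mymodule', 'myobject', 'delete')`. For a template, one form throughout is preferable, and the property chain presumably raises a warning when that rights subtree is not defined for the user. The checks would become `if (!DolibarrApiAccess::$user->hasRight('mymodule', 'myobject', 'read')) {` and the `'write'` equivalent.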
@@ -242,10 +248,6 @@ class MyModuleApi extends DolibarrApi throw new RestException(404, 'MyObject not found'); } - if (!DolibarrApi::_checkAccessToResource('myobject', $this->myobject->id, 'mymodule_myobject')) { - throw new RestException(401, 'Access to instance id='.$this->myobject->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); - } - foreach ($request_data as $field => $value) { if ($field == 'id') { continue; @@ -275,24 +277,27 @@ class MyModuleApi extends DolibarrApi * @param int $id MyObject ID * @return array * - * @throws RestException + * @throws RestException 403 Not allowed + * @throws RestException 404 Not found + * @throws RestException 409 Nothing to do + * @throws RestException 500 System error * * @url DELETE myobjects/{id} */ public function delete($id) { - if (!DolibarrApiAccess::$user->rights->mymodule->myobject->delete) { - throw new RestException(401); + if (!DolibarrApiAccess::$user->hasRight('mymodule', 'myobject', 'delete')) { + throw new RestException(403); } + if (!DolibarrApi::_checkAccessToResource('myobject', $id, 'mymodule_myobject')) { + throw new RestException(403, 'Access to instance id='.$this->myobject->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); + } + $result = $this->myobject->fetch($id); if (!$result) { throw new RestException(404, 'MyObject not found'); } - if (!DolibarrApi::_checkAccessToResource('myobject', $this->myobject->id, 'mymodule_myobject')) { - throw new RestException(401, 'Access to instance id='.$this->myobject->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); - } - if ($this->myobject->delete(DolibarrApiAccess::$user) == 0) { throw new RestException(409, 'Error when deleting MyObject : '.$this->myobject->error); } elseif ($this->myobject->delete(DolibarrApiAccess::$user) < 0) { 
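Review bot: `delete()` calls `$this->myobject->delete(DolibarrApiAccess::$user)` twice, once in the `if` and again in the `elseif` visible at the end of this hunk, so whenever the first call does not return 0 (including after a successful deletion) the deletion is attempted a second time. Capture the result once: `$result = $this->myobject->delete(DolibarrApiAccess::$user);` followed by `if ($result == 0) {` and `} elseif ($result < 0) {`. These are context lines the commit leaves as they were, and the function continues outside the hunk.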
@@ -348,40 +353,6 @@ class MyModuleApi extends DolibarrApi unset($object->rowid); unset($object->canvas); - /*unset($object->name); - unset($object->lastname); - unset($object->firstname); - unset($object->civility_id); - unset($object->statut); - unset($object->state); - unset($object->state_id); - unset($object->state_code); - unset($object->region); - unset($object->region_code); - unset($object->country); - unset($object->country_id); - unset($object->country_code); - unset($object->barcode_type); - unset($object->barcode_type_code); - unset($object->barcode_type_label); - unset($object->barcode_type_coder); - unset($object->total_ht); - unset($object->total_tva); - unset($object->total_localtax1); - unset($object->total_localtax2); - unset($object->total_ttc); - unset($object->fk_account); - unset($object->comments); - unset($object->note); - unset($object->mode_reglement_id); - unset($object->cond_reglement_id); - unset($object->cond_reglement); - unset($object->shipping_method_id); - unset($object->fk_incoterms); - unset($object->label_incoterms); - unset($object->location_incoterms); - */ - // If object has lines, remove $db property if (isset($object->lines) && is_array($object->lines) && count($object->lines) > 0) { $nboflines = count($object->lines);