From b514c1afbecbee90881a41353e8aec3a602606cf Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 1 Feb 2024 13:34:55 +0100 Subject: [PATCH] Move code 401 to 403 --- htdocs/adherents/class/api_members.class.php | 40 +++++------ .../class/api_memberstypes.class.php | 20 +++--- .../class/api_subscriptions.class.php | 20 +++--- htdocs/bom/class/api_boms.class.php | 66 +++++++++---------- htdocs/contrat/class/api_contracts.class.php | 10 +-- htdocs/societe/class/api_contacts.class.php | 6 +- htdocs/user/class/api_users.class.php | 31 +++++---- 7 files changed, 96 insertions(+), 97 deletions(-) diff --git a/htdocs/adherents/class/api_members.class.php b/htdocs/adherents/class/api_members.class.php index 5cb0ee3c09c..053f1eb34ab 100644 --- a/htdocs/adherents/class/api_members.class.php +++ b/htdocs/adherents/class/api_members.class.php @@ -58,13 +58,13 @@ class Members extends DolibarrApi * @param int $id ID of member * @return Object Object with cleaned properties * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 Member not found */ public function get($id) { if (!DolibarrApiAccess::$user->hasRight('adherent', 'lire')) { - throw new RestException(401); + throw new RestException(403); } $member = new Adherent($this->db); @@ -95,13 +95,13 @@ class Members extends DolibarrApi * * @url GET thirdparty/{thirdparty} * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 Member not found */ public function getByThirdparty($thirdparty) { if (!DolibarrApiAccess::$user->hasRight('adherent', 'lire')) { - throw new RestException(401); + throw new RestException(403); } $member = new Adherent($this->db); 
@@ -128,13 +128,13 @@ class Members extends DolibarrApi * * @url GET thirdparty/email/{email} * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 Member or ThirdParty not found */ public function getByThirdpartyEmail($email) { if (!DolibarrApiAccess::$user->hasRight('adherent', 'lire')) { - throw new RestException(401); + throw new RestException(403); } $thirdparty = new Societe($this->db); @@ -167,13 +167,13 @@ class Members extends DolibarrApi * * @url GET thirdparty/barcode/{barcode} * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 Member or ThirdParty not found */ public function getByThirdpartyBarcode($barcode) { if (!DolibarrApiAccess::$user->hasRight('adherent', 'lire')) { - throw new RestException(401); + throw new RestException(403); } $thirdparty = new Societe($this->db); @@ -212,7 +212,7 @@ class Members extends DolibarrApi * @return array Array of member objects * * @throws RestException 400 Error on SQL filters - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 No Member found * @throws RestException 503 Error when retrieving Member list */ @@ -221,7 +221,7 @@ class Members extends DolibarrApi $obj_ret = array(); if (!DolibarrApiAccess::$user->hasRight('adherent', 'lire')) { - throw new RestException(401); + throw new RestException(403); } $sql = "SELECT t.rowid"; 
@@ -283,13 +283,13 @@ class Members extends DolibarrApi * @param array $request_data Request data * @return int ID of member * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 500 Error when creating Member */ public function post($request_data = null) { if (!DolibarrApiAccess::$user->hasRight('adherent', 'creer')) { - throw new RestException(401); + throw new RestException(403); } // Check mandatory fields $result = $this->_validate($request_data); @@ -317,14 +317,14 @@ class Members extends DolibarrApi * @param array $request_data Datas * @return Object Updated object * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 Member not found * @throws RestException 500 Error when resiliating, validating, excluding, updating a Member */ public function put($id, $request_data = null) { if (!DolibarrApiAccess::$user->hasRight('adherent', 'creer')) { - throw new RestException(401); + throw new RestException(403); } $member = new Adherent($this->db); @@ -386,14 +386,14 @@ class Members extends DolibarrApi * @param int $id member ID * @return array * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 Member not found * @throws RestException 500 Error when deleting a Member */ public function delete($id) { if (!DolibarrApiAccess::$user->hasRight('adherent', 'supprimer')) { - throw new RestException(401); + throw new RestException(403); } $member = new Adherent($this->db); $result = $member->fetch($id); @@ -478,7 +478,7 @@ class Members extends DolibarrApi * * @url GET {id}/subscriptions * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 Member not found */ public function getSubscriptions($id) 
@@ -486,7 +486,7 @@ class Members extends DolibarrApi $obj_ret = array(); if (!DolibarrApiAccess::$user->hasRight('adherent', 'cotisation', 'lire')) { - throw new RestException(401); + throw new RestException(403); } $member = new Adherent($this->db); @@ -514,13 +514,13 @@ class Members extends DolibarrApi * * @url POST {id}/subscriptions * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 Member not found */ public function createSubscription($id, $start_date, $end_date, $amount, $label = '') { if (!DolibarrApiAccess::$user->hasRight('adherent', 'cotisation', 'creer')) { - throw new RestException(401); + throw new RestException(403); } $member = new Adherent($this->db); diff --git a/htdocs/adherents/class/api_memberstypes.class.php b/htdocs/adherents/class/api_memberstypes.class.php index 5b7728af036..f055542d6b4 100644 --- a/htdocs/adherents/class/api_memberstypes.class.php +++ b/htdocs/adherents/class/api_memberstypes.class.php @@ -51,13 +51,13 @@ class MembersTypes extends DolibarrApi * @param int $id ID of member type * @return Object Object with cleaned properties * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 No Member Type found */ public function get($id) { if (!DolibarrApiAccess::$user->hasRight('adherent', 'lire')) { - throw new RestException(401); + throw new RestException(403); } $membertype = new AdherentType($this->db); @@ -86,7 +86,7 @@ class MembersTypes extends DolibarrApi * @param string $properties Restrict the data returned to these properties. Ignored if empty. Comma separated list of properties names * @return array Array of member type objects * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 No Member Type found * @throws RestException 503 Error when retrieving Member list */ 
@@ -97,7 +97,7 @@ class MembersTypes extends DolibarrApi $obj_ret = array(); if (!DolibarrApiAccess::$user->hasRight('adherent', 'lire')) { - throw new RestException(401); + throw new RestException(403); } $sql = "SELECT t.rowid"; @@ -149,13 +149,13 @@ class MembersTypes extends DolibarrApi * @param array $request_data Request data * @return int ID of member type * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 500 Error when creating Member Type */ public function post($request_data = null) { if (!DolibarrApiAccess::$user->hasRight('adherent', 'configurer')) { - throw new RestException(401); + throw new RestException(403); } // Check mandatory fields $result = $this->_validate($request_data); @@ -183,14 +183,14 @@ class MembersTypes extends DolibarrApi * @param array $request_data Datas * @return int * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 No Member Type found * @throws RestException 500 Error when updating Member Type */ public function put($id, $request_data = null) { if (!DolibarrApiAccess::$user->hasRight('adherent', 'configurer')) { - throw new RestException(401); + throw new RestException(403); } $membertype = new AdherentType($this->db); @@ -233,14 +233,14 @@ class MembersTypes extends DolibarrApi * @param int $id member type ID * @return array * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 No Member Type found * @throws RestException 500 Error when deleting Member Type */ public function delete($id) { if (!DolibarrApiAccess::$user->hasRight('adherent', 'configurer')) { - throw new RestException(401); + throw new RestException(403); } $membertype = new AdherentType($this->db); $result = $membertype->fetch($id); 
diff --git a/htdocs/adherents/class/api_subscriptions.class.php b/htdocs/adherents/class/api_subscriptions.class.php index b98bcb74f6c..285a1948602 100644 --- a/htdocs/adherents/class/api_subscriptions.class.php +++ b/htdocs/adherents/class/api_subscriptions.class.php @@ -54,13 +54,13 @@ class Subscriptions extends DolibarrApi * @param int $id ID of subscription * @return Object Object with cleaned properties * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 No Subscription found */ public function get($id) { if (!DolibarrApiAccess::$user->hasRight('adherent', 'cotisation', 'lire')) { - throw new RestException(401); + throw new RestException(403); } $subscription = new Subscription($this->db); @@ -85,7 +85,7 @@ class Subscriptions extends DolibarrApi * @param string $properties Restrict the data returned to these properties. Ignored if empty. Comma separated list of properties names * @return array Array of subscription objects * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 No Subscription found * @throws RestException 503 Error when retrieving Subscription list */ @@ -96,7 +96,7 @@ class Subscriptions extends DolibarrApi $obj_ret = array(); if (!DolibarrApiAccess::$user->hasRight('adherent', 'cotisation', 'lire')) { - throw new RestException(401); + throw new RestException(403); } $sql = "SELECT rowid"; 
@@ -146,13 +146,13 @@ class Subscriptions extends DolibarrApi * @param array $request_data Request data * @return int ID of subscription * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 500 Error when creating Subscription */ public function post($request_data = null) { if (!DolibarrApiAccess::$user->hasRight('adherent', 'cotisation', 'creer')) { - throw new RestException(401); + throw new RestException(403); } // Check mandatory fields $result = $this->_validate($request_data); @@ -180,14 +180,14 @@ class Subscriptions extends DolibarrApi * @param array $request_data Datas * @return Object * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 No Subscription found * @throws RestException 500 Error when updating Subscription */ public function put($id, $request_data = null) { if (!DolibarrApiAccess::$user->hasRight('adherent', 'creer')) { - throw new RestException(401); + throw new RestException(403); } $subscription = new Subscription($this->db); @@ -222,7 +222,7 @@ class Subscriptions extends DolibarrApi * @param int $id ID of subscription to delete * @return array * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 No Subscription found * @throws RestException 409 No Subscription deleted * @throws RestException 500 Error when deleting Subscription @@ -231,7 +231,7 @@ class Subscriptions extends DolibarrApi { // The right to delete a subscription comes with the right to create one. if (!DolibarrApiAccess::$user->hasRight('adherent', 'cotisation', 'creer')) { - throw new RestException(401); + throw new RestException(403); } $subscription = new Subscription($this->db); $result = $subscription->fetch($id); diff --git a/htdocs/bom/class/api_boms.class.php b/htdocs/bom/class/api_boms.class.php index 2f68b565394..f9b1a7257de 100644 --- a/htdocs/bom/class/api_boms.class.php 
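Review bot: In the `@@ -180` hunk, Subscriptions::put() gates on `hasRight('adherent', 'creer')`, while post() and delete() in this same file gate on `hasRight('adherent', 'cotisation', 'creer')` and delete()'s own comment states that deleting a subscription follows the subscription-create right. As written, a caller holding the member-create right but not the subscription-create right can modify subscriptions, and a caller with only the subscription-create right cannot; unless that asymmetry is intended the check should be `if (!DolibarrApiAccess::$user->hasRight('adherent', 'cotisation', 'creer')) {`. The commit only swaps the status code here, so the mismatch survives it, and put() continues past the hunk.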
+++ b/htdocs/bom/class/api_boms.class.php @@ -62,13 +62,13 @@ class Boms extends DolibarrApi * * @url GET {id} * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 BOM not found */ public function get($id) { - if (!DolibarrApiAccess::$user->rights->bom->read) { - throw new RestException(401); + if (!DolibarrApiAccess::$user->hasRight('bom', 'read')) { + throw new RestException(403); } $result = $this->bom->fetch($id); @@ -77,7 +77,7 @@ class Boms extends DolibarrApi } if (!DolibarrApi::_checkAccessToResource('bom', $this->bom->id, 'bom_bom')) { - throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login); } return $this->_cleanObjectDatas($this->bom); @@ -98,13 +98,13 @@ class Boms extends DolibarrApi * @return array Array of order objects * * @throws RestException 400 Bad sqlfilters - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 503 Error retrieving list of boms */ public function index($sortfield = "t.rowid", $sortorder = 'ASC', $limit = 100, $page = 0, $sqlfilters = '', $properties = '') { - if (!DolibarrApiAccess::$user->rights->bom->read) { - throw new RestException(401); + if (!DolibarrApiAccess::$user->hasRight('bom', 'read')) { + throw new RestException(403); } $obj_ret = array(); 
@@ -181,13 +181,13 @@ class Boms extends DolibarrApi * @param array $request_data Request datas * @return int ID of bom * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 500 Error retrieving list of boms */ public function post($request_data = null) { - if (!DolibarrApiAccess::$user->rights->bom->write) { - throw new RestException(401); + if (!DolibarrApiAccess::$user->hasRight('bom', 'write')) { + throw new RestException(403); } // Check mandatory fields $result = $this->_validate($request_data); @@ -218,14 +218,14 @@ class Boms extends DolibarrApi * * @return int * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 BOM not found * @throws RestException 500 Error updating bom */ public function put($id, $request_data = null) { - if (!DolibarrApiAccess::$user->rights->bom->write) { - throw new RestException(401); + if (!DolibarrApiAccess::$user->hasRight('bom', 'write')) { + throw new RestException(403); } $result = $this->bom->fetch($id); @@ -234,7 +234,7 @@ class Boms extends DolibarrApi } if (!DolibarrApi::_checkAccessToResource('bom', $this->bom->id, 'bom_bom')) { - throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login); } foreach ($request_data as $field => $value) { @@ -265,14 +265,14 @@ class Boms extends DolibarrApi * @param int $id BOM ID * @return array * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 BOM not found * @throws RestException 500 Error deleting bom */ public function delete($id) { - if (!DolibarrApiAccess::$user->rights->bom->delete) { - throw new RestException(401); + if (!DolibarrApiAccess::$user->hasRight('bom', 'delete')) { + throw new RestException(403); } $result = $this->bom->fetch($id); if (!$result) { 
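Review bot: The `@@ -265` delete() hunk stops at `if (!$result) {`, so unlike get() and put() in this file it does not show a per-resource `_checkAccessToResource('bom', $this->bom->id, 'bom_bom')` call after the fetch. If the body beyond the hunk has none, a caller with the global `bom.delete` right could delete BOMs that the resource check in get()/put() would refuse to show or modify. delete() continues outside the hunk, so this needs confirming against the full method; if the check is indeed absent, add `if (!DolibarrApi::_checkAccessToResource('bom', $this->bom->id, 'bom_bom')) { throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login); }` between the 404 branch and the delete call, matching put().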
@@ -304,13 +304,13 @@ class Boms extends DolibarrApi * * @return array * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 BOM not found */ public function getLines($id) { - if (!DolibarrApiAccess::$user->rights->bom->read) { - throw new RestException(401); + if (!DolibarrApiAccess::$user->hasRight('bom', 'read')) { + throw new RestException(403); } $result = $this->bom->fetch($id); @@ -319,7 +319,7 @@ class Boms extends DolibarrApi } if (!DolibarrApi::_checkAccessToResource('bom_bom', $this->bom->id)) { - throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login); } $this->bom->getLinesArray(); $result = array(); @@ -339,14 +339,14 @@ class Boms extends DolibarrApi * * @return int * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 BOM not found * @throws RestException 500 Error adding bom line */ public function postLine($id, $request_data = null) { - if (!DolibarrApiAccess::$user->rights->bom->write) { - throw new RestException(401); + if (!DolibarrApiAccess::$user->hasRight('bom', 'write')) { + throw new RestException(403); } $result = $this->bom->fetch($id); @@ -355,7 +355,7 @@ class Boms extends DolibarrApi } if (!DolibarrApi::_checkAccessToResource('bom_bom', $this->bom->id)) { - throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login); } $request_data = (object) $request_data; 
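Review bot: In the `@@ -319` getLines() hunk (and likewise in the postLine hunk on the same line and the putLine/deleteLine hunks that follow) the resource check is `_checkAccessToResource('bom_bom', $this->bom->id)`, whereas get() and put() earlier in this file call `_checkAccessToResource('bom', $this->bom->id, 'bom_bom')`. The two forms pass different values in the first argument and only one supplies a third, so unless the helper treats them as equivalent the line endpoints may be evaluating a different — possibly weaker — access rule than the object endpoints. I cannot see the helper's signature from this page; if the `'bom', id, 'bom_bom'` form is the intended one, the line methods should read `if (!DolibarrApi::_checkAccessToResource('bom', $this->bom->id, 'bom_bom')) {`. getLines() continues past the hunk.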
@@ -390,13 +390,13 @@ class Boms extends DolibarrApi * * @return object|bool * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 BOM not found */ public function putLine($id, $lineid, $request_data = null) { - if (!DolibarrApiAccess::$user->rights->bom->write) { - throw new RestException(401); + if (!DolibarrApiAccess::$user->hasRight('bom', 'write')) { + throw new RestException(403); } $result = $this->bom->fetch($id); @@ -405,7 +405,7 @@ class Boms extends DolibarrApi } if (!DolibarrApi::_checkAccessToResource('bom_bom', $this->bom->id)) { - throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login); } $request_data = (object) $request_data; @@ -440,14 +440,14 @@ class Boms extends DolibarrApi * * @return int * - * @throws RestException 401 Access denied + * @throws RestException 403 Access denied * @throws RestException 404 BOM not found * @throws RestException 500 Error deleting bom line */ public function deleteLine($id, $lineid) { - if (!DolibarrApiAccess::$user->rights->bom->write) { - throw new RestException(401); + if (!DolibarrApiAccess::$user->hasRight('bom', 'write')) { + throw new RestException(403); } $result = $this->bom->fetch($id); @@ -456,7 +456,7 @@ class Boms extends DolibarrApi } if (!DolibarrApi::_checkAccessToResource('bom_bom', $this->bom->id)) { - throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login); } //Check the rowid is a line of current bom object diff --git a/htdocs/contrat/class/api_contracts.class.php b/htdocs/contrat/class/api_contracts.class.php index 8e54ba37989..4509aa4599a 100644 --- a/htdocs/contrat/class/api_contracts.class.php +++ b/htdocs/contrat/class/api_contracts.class.php 
@@ -529,7 +529,7 @@ class Contracts extends DolibarrApi public function delete($id) { if (!DolibarrApiAccess::$user->hasRight('contrat', 'supprimer')) { - throw new RestException(401); + throw new RestException(403); } $result = $this->contract->fetch($id); if (!$result) { @@ -537,7 +537,7 @@ class Contracts extends DolibarrApi } if (!DolibarrApi::_checkAccessToResource('contrat', $this->contract->id)) { - throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login); } if (!$this->contract->delete(DolibarrApiAccess::$user)) { @@ -570,8 +570,8 @@ class Contracts extends DolibarrApi */ public function validate($id, $notrigger = 0) { - if (!DolibarrApiAccess::$user->rights->contrat->creer) { - throw new RestException(401); + if (!DolibarrApiAccess::$user->hasRight('contrat', 'creer')) { + throw new RestException(403); } $result = $this->contract->fetch($id); if (!$result) { @@ -579,7 +579,7 @@ class Contracts extends DolibarrApi } if (!DolibarrApi::_checkAccessToResource('contrat', $this->contract->id)) { - throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login); } $result = $this->contract->validate(DolibarrApiAccess::$user, '', $notrigger); diff --git a/htdocs/societe/class/api_contacts.class.php b/htdocs/societe/class/api_contacts.class.php index a501ccb8c62..0a47ebe25eb 100644 --- a/htdocs/societe/class/api_contacts.class.php +++ b/htdocs/societe/class/api_contacts.class.php 
@@ -404,10 +404,10 @@ class Contacts extends DolibarrApi } if (!DolibarrApiAccess::$user->rights->societe->contact->lire) { - throw new RestException(401, 'No permission to read contacts'); + throw new RestException(403, 'No permission to read contacts'); } if (!DolibarrApiAccess::$user->hasRight('user', 'user', 'creer')) { - throw new RestException(401, 'No permission to create user'); + throw new RestException(403, 'No permission to create user'); } $contact = new Contact($this->db); @@ -417,7 +417,7 @@ class Contacts extends DolibarrApi } if (!DolibarrApi::_checkAccessToResource('contact', $contact->id, 'socpeople&societe')) { - throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login); } // Check mandatory fields diff --git a/htdocs/user/class/api_users.class.php b/htdocs/user/class/api_users.class.php index b6e4f1378b7..ea2c9bb3cea 100644 --- a/htdocs/user/class/api_users.class.php +++ b/htdocs/user/class/api_users.class.php @@ -47,7 +47,7 @@ class Users extends DolibarrApi */ public function __construct() { - global $db, $conf; + global $db; $this->db = $db; $this->useraccount = new User($this->db); @@ -71,10 +71,8 @@ class Users extends DolibarrApi */ public function index($sortfield = "t.rowid", $sortorder = 'ASC', $limit = 100, $page = 0, $user_ids = '0', $category = 0, $sqlfilters = '', $properties = '') { - global $conf; - - if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) { - throw new RestException(401, "You are not allowed to read list of users"); + if (!DolibarrApiAccess::$user->hasRight('user', 'user', 'lire') && empty(DolibarrApiAccess::$user->admin)) { + throw new RestException(403, "You are not allowed to read list of users"); } $obj_ret = array(); 
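Review bot: In the `@@ -404` hunk the first permission test still dereferences `DolibarrApiAccess::$user->rights->societe->contact->lire` directly while the very next test uses `hasRight('user', 'user', 'creer')`; the commit changes the status code but keeps the legacy property chain, which on PHP 8 emits "Attempt to read property on null" warnings whenever the intermediate object is absent for the calling user and relies on that null coercing to a deny. For consistency with the rest of this patch (the Boms and Contracts files convert the same pattern) it should read `if (!DolibarrApiAccess::$user->hasRight('societe', 'contact', 'lire')) {`. The enclosing method starts before the hunk, so its name is not visible here.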
@@ -354,7 +352,7 @@ class Users extends DolibarrApi * @param array $request_data Datas * @return array|mixed Record after update * - * @throws RestException 401 Not allowed + * @throws RestException 403 Not allowed * @throws RestException 404 Not found * @throws RestException 500 System error */ @@ -362,7 +360,7 @@ class Users extends DolibarrApi { // Check user authorization if (!DolibarrApiAccess::$user->hasRight('user', 'user', 'creer') && empty(DolibarrApiAccess::$user->admin)) { - throw new RestException(401, "User update not allowed"); + throw new RestException(403, "User update not allowed"); } $result = $this->useraccount->fetch($id); @@ -474,7 +472,7 @@ class Users extends DolibarrApi * @param int $entity Entity ID (valid only for superadmin in multicompany transverse mode) * @return int 1 if success * - * @throws RestException 401 Not allowed + * @throws RestException 403 Not allowed * @throws RestException 404 User not found * @throws RestException 500 System error * @@ -485,7 +483,7 @@ class Users extends DolibarrApi global $conf; if (!DolibarrApiAccess::$user->hasRight('user', 'user', 'creer') && empty(DolibarrApiAccess::$user->admin)) { - throw new RestException(401); + throw new RestException(403); } $result = $this->useraccount->fetch($id); @@ -494,7 +492,7 @@ class Users extends DolibarrApi } if (!DolibarrApi::_checkAccessToResource('user', $this->useraccount->id, 'user')) { - throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login); } if (isModEnabled('multicompany') && getDolGlobalString('MULTICOMPANY_TRANSVERSE_MODE') && !empty(DolibarrApiAccess::$user->admin) && empty(DolibarrApiAccess::$user->entity)) { 
@@ -529,6 +527,7 @@ class Users extends DolibarrApi * @param string $properties Restrict the data returned to these properties. Ignored if empty. Comma separated list of properties names * @return array Array of User objects * + * @throws RestException 403 Not allowed * @throws RestException 404 User not found * @throws RestException 503 Error */ @@ -540,7 +539,7 @@ class Users extends DolibarrApi if ((!getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) || getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && empty(DolibarrApiAccess::$user->rights->user->group_advance->read) && empty(DolibarrApiAccess::$user->admin)) { - throw new RestException(401, "You are not allowed to read groups"); + throw new RestException(403, "You are not allowed to read groups"); } // case of external user, $societe param is ignored and replaced by user's socid @@ -603,7 +602,7 @@ class Users extends DolibarrApi * @param int $load_members Load members list or not {@min 0} {@max 1} * @return object object of User objects * - * @throws RestException 401 Not allowed + * @throws RestException 403 Not allowed * @throws RestException 404 User not found */ public function infoGroups($group, $load_members = 0) @@ -612,7 +611,7 @@ class Users extends DolibarrApi if ((!getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) || getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && empty(DolibarrApiAccess::$user->rights->user->group_advance->read) && empty(DolibarrApiAccess::$user->admin)) { - throw new RestException(401, "You are not allowed to read groups"); + throw new RestException(403, "You are not allowed to read groups"); } $group_static = new UserGroup($this->db); 
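Review bot: In the `@@ -540` and `@@ -612` hunks the condition still reads `empty(DolibarrApiAccess::$user->rights->user->user->lire)` and `empty(DolibarrApiAccess::$user->rights->user->group_advance->read)`, even though index() in this same file was just converted to `hasRight('user', 'user', 'lire')`. Beyond the inconsistency, the expression mixes `&&` and `||` with parentheses around only the first disjunct, so its meaning depends on `&&` binding tighter than `||`; wrapping the second disjunct in its own parentheses and switching to `hasRight('user', 'user', 'lire')` / `hasRight('user', 'group_advance', 'read')` would make the access rule explicit and match the rest of the patch. getGroups() and infoGroups() both continue past their hunks.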
@@ -631,13 +630,13 @@ class Users extends DolibarrApi * @param int $id Account ID * @return array * - * @throws RestException 401 Not allowed + * @throws RestException 403 Not allowed * @throws RestException 404 User not found */ public function delete($id) { if (empty(DolibarrApiAccess::$user->rights->user->user->supprimer) && empty(DolibarrApiAccess::$user->admin)) { - throw new RestException(401, 'Not allowed'); + throw new RestException(403, 'Not allowed'); } $result = $this->useraccount->fetch($id); if (!$result) { @@ -645,7 +644,7 @@ class Users extends DolibarrApi } if (!DolibarrApi::_checkAccessToResource('user', $this->useraccount->id, 'user')) { - throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login); } $this->useraccount->oldcopy = clone $this->useraccount;