Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2026-01-10 11:02:56 +01:00
Code Issues Packages Projects Releases Wiki Activity

FIX compatibility with multicompany transverse mode

Browse Source
This commit is contained in:
Regis Houssin
2018-07-25 17:00:49 +02:00
parent 0c0c9269d5
commit e48eec583d
1 changed files with 29 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
htdocs/user/class/api_users.class.php
View File

@@ -231,38 +231,48 @@ class Users extends DolibarrApi
*
* @param int $id User ID
* @param int $group Group ID
* @param int $entity Entity ID (valid only for superadmin in multicompany transverse mode)
* @return int 1 if success
*
* @url GET {id}/setGroup/{group}
*/
function setGroup($id, $group) {
function setGroup($id, $group, $entity = 1) {
global $conf;
//if (!DolibarrApiAccess::$user->rights->user->user->supprimer) {
//throw new RestException(401);
//}
$result = $this->useraccount->fetch($id);
if (!$result)
{
throw new RestException(404, 'User not found');
}
$result = $this->useraccount->fetch($id);
if (!$result)
{
throw new RestException(404, 'User not found');
}
if (!DolibarrApi::_checkAccessToResource('user', $this->useraccount->id, 'user'))
{
throw new RestException(401, 'Access not allowed for login ' . DolibarrApiAccess::$user->login);
}
if (!DolibarrApi::_checkAccessToResource('user', $this->useraccount->id, 'user'))
{
throw new RestException(401, 'Access not allowed for login ' . DolibarrApiAccess::$user->login);
}
// When using API, action is done on entity of logged user because a user of entity X with permission to create user should not be able to
// hack the security by giving himself permissions on another entity.
$result = $this->useraccount->SetInGroup($group, DolibarrApiAccess::$user->entity > 0 ? DolibarrApiAccess::$user->entity : $conf->entity);
if (! ($result > 0))
{
throw new RestException(500, $this->useraccount->error);
}
if (! empty($conf->multicompany->enabled) && ! empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE) && ! empty(DolibarrApiAccess::$user->admin) && empty(DolibarrApiAccess::$user->entity))
{
$entity = (! empty($entity) ? $entity : $conf->entity);
}
else
{
// When using API, action is done on entity of logged user because a user of entity X with permission to create user should not be able to
// hack the security by giving himself permissions on another entity.
$entity = (DolibarrApiAccess::$user->entity > 0 ? DolibarrApiAccess::$user->entity : $conf->entity);
}
return 1;
}
$result = $this->useraccount->SetInGroup($group, $entity);
if (! ($result > 0))
{
throw new RestException(500, $this->useraccount->error);
}
return 1;
}
/**
* Delete account