58 changes: 44 additions & 14 deletions htdocs/contrat/class/api_contracts.class.php
Expand Up @@ -21,6 +21,7 @@
use Luracast\Restler\RestException;

require_once DOL_DOCUMENT_ROOT.'/contrat/class/contrat.class.php';
require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php';

/**
* API class for contracts
Expand Down Expand Up @@ -76,7 +77,7 @@ public function get($id)
}

if (!DolibarrApi::_checkAccessToResource('contrat', $this->contract->id)) {
throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
throw new RestException(403, 'Access to this contract is not allowed for login '.DolibarrApiAccess::$user->login);
}

$this->contract->fetchObjectLinked();
Expand Down Expand Up @@ -208,8 +209,16 @@ public function index($sortfield = "t.rowid", $sortorder = 'ASC', $limit = 100,
public function post($request_data = null)
{
if (!DolibarrApiAccess::$user->hasRight('contrat', 'creer')) {
throw new RestException(403, "Insufficient rights");
throw new RestException(403, "Missing permission: Create/modify contracts/subscriptions");
}

$socid = (int) $request_data['socid'];
$thirdpartytmp = new Societe($this->db);
$thirdparty_result = $thirdpartytmp->fetch($socid);
if ($thirdparty_result < 1) {
throw new RestException(404, 'Thirdparty with id='.$socid.' not found or not allowed');
}

// Check mandatory fields
$result = $this->_validate($request_data);

Expand Down Expand Up @@ -268,7 +277,7 @@ public function getLines($id, $sortfield = "d.rowid", $sortorder = 'ASC', $limit
}

if (!DolibarrApi::_checkAccessToResource('contrat', $this->contract->id)) {
throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
throw new RestException(403, 'Access to this contract is not allowed for login '.DolibarrApiAccess::$user->login);
}

$obj_ret = [];
Expand Down Expand Up @@ -360,7 +369,7 @@ public function postLine($id, $request_data = null)
}

if (!DolibarrApi::_checkAccessToResource('contrat', $this->contract->id)) {
throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
throw new RestException(403, 'Access to this contract is not allowed for login '.DolibarrApiAccess::$user->login);
}

$request_data = (object) $request_data;
Expand Down Expand Up @@ -420,7 +429,7 @@ public function putLine($id, $lineid, $request_data = null)
}

if (!DolibarrApi::_checkAccessToResource('contrat', $this->contract->id)) {
throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
throw new RestException(403, 'Access to this contract is not allowed for login '.DolibarrApiAccess::$user->login);
}

$request_data = (object) $request_data;
Expand Down Expand Up @@ -568,7 +577,7 @@ public function activateLine($id, $lineid, $datestart, $dateend = null, $comment
}

if (!DolibarrApi::_checkAccessToResource('contrat', $this->contract->id)) {
throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
throw new RestException(403, 'Access to this contract is not allowed for login '.DolibarrApiAccess::$user->login);
}

$updateRes = $this->contract->active_line(DolibarrApiAccess::$user, $lineid, (int) $datestart, $dateend, $comment);
Expand Down Expand Up @@ -606,7 +615,7 @@ public function unactivateLine($id, $lineid, $datestart, $comment = null)
}

if (!DolibarrApi::_checkAccessToResource('contrat', $this->contract->id)) {
throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
throw new RestException(403, 'Access to this contract is not allowed for login '.DolibarrApiAccess::$user->login);
}

$updateRes = $this->contract->close_line(DolibarrApiAccess::$user, $lineid, (int) $datestart, $comment);
Expand Down Expand Up @@ -646,7 +655,7 @@ public function deleteLine($id, $lineid)
}

if (!DolibarrApi::_checkAccessToResource('contrat', $this->contract->id)) {
throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
throw new RestException(403, 'Access to this contract is not allowed for login '.DolibarrApiAccess::$user->login);
}

// TODO Check the lineid $lineid is a line of object
Expand All @@ -673,14 +682,26 @@ public function put($id, $request_data = null)
if (!DolibarrApiAccess::$user->hasRight('contrat', 'creer')) {
throw new RestException(403);
}

$result = $this->contract->fetch($id);
if (!$result) {
throw new RestException(404, 'Contrat not found');
}

$old_socid = $this->contract->socid;
$oldthirdpartytmp = new Societe($this->db);
$old_thirdparty_result = $oldthirdpartytmp->fetch($old_socid);
if ($old_thirdparty_result < 1) {
throw new RestException(404, 'Thirdparty with id='.$old_socid.' not found or not allowed');
}
$new_socid = (int) $request_data['socid'];
$newthirdpartytmp = new Societe($this->db);
$new_thirdparty_result = $newthirdpartytmp->fetch($new_socid);
if ($new_thirdparty_result < 1) {
throw new RestException(404, 'Thirdparty with id='.$new_socid.' not found or not allowed');
}

if (!DolibarrApi::_checkAccessToResource('contrat', $this->contract->id)) {
throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
throw new RestException(403, 'Access to this contract is not allowed for login '.DolibarrApiAccess::$user->login);
}
foreach ($request_data as $field => $value) {
if ($field == 'id') {
Expand All @@ -698,6 +719,15 @@ public function put($id, $request_data = null)
continue;
}

if ($field == 'socid') {
$new_socid = (int) $value;
$loopthirdpartytmp = new Societe($this->db);
$new_thirdparty_result = $loopthirdpartytmp->fetch($new_socid);
if ($new_thirdparty_result < 1) {
throw new RestException(404, 'Thirdparty with id='.$new_socid.' not found or not allowed');
}
}

$this->contract->$field = $this->_checkValForAPI($field, $value, $this->contract);
}

Expand All @@ -720,15 +750,15 @@ public function put($id, $request_data = null)
public function delete($id)
{
if (!DolibarrApiAccess::$user->hasRight('contrat', 'supprimer')) {
throw new RestException(403);
throw new RestException(403, 'Missing permission: Delete contracts/subscriptions');
}
$result = $this->contract->fetch($id);
if (!$result) {
throw new RestException(404, 'Contract not found');
}

if (!DolibarrApi::_checkAccessToResource('contrat', $this->contract->id)) {
throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
throw new RestException(403, 'Access to this contract is not allowed for login '.DolibarrApiAccess::$user->login);
}

if (!$this->contract->delete(DolibarrApiAccess::$user)) {
Expand Down Expand Up @@ -773,7 +803,7 @@ public function validate($id, $notrigger = 0)
}

if (!DolibarrApi::_checkAccessToResource('contrat', $this->contract->id)) {
throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
throw new RestException(403, 'Access to this contract is not allowed for login '.DolibarrApiAccess::$user->login);
}

$result = $this->contract->validate(DolibarrApiAccess::$user, '', $notrigger);
Expand Down Expand Up @@ -822,7 +852,7 @@ public function close($id, $notrigger = 0)
}

if (!DolibarrApi::_checkAccessToResource('contrat', $this->contract->id)) {
throw new RestException(403, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
throw new RestException(403, 'Access to this contract is not allowed for login '.DolibarrApiAccess::$user->login);
}

$result = $this->contract->closeAll(DolibarrApiAccess::$user, $notrigger);
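Review bot: In put(), the pre-loop lookup `$new_socid = (int) $request_data['socid'];` makes `socid` a required field for every update — a partial PUT that omits it casts to 0 and, assuming `fetch(0)` returns less than 1, fails with a 404 about thirdparty id 0 — and it duplicates the per-field check the same hunk adds inside the foreach at `if ($field == 'socid')`, which correctly runs only when the field is present; drop the five pre-loop lines from `$new_socid = (int) $request_data['socid'];` through their closing `}`, or guard them with `if (array_key_exists('socid', $request_data)) { … }`. The same cast in post() runs before the `// Check mandatory fields` call to `_validate`, so a missing socid there now yields the thirdparty-id-0 404 instead of the mandatory-field error; moving the lookup below `_validate` keeps the existing error contract. In put() the new thirdparty lookups also execute before `DolibarrApi::_checkAccessToResource('contrat', ...)`, so a caller who is not allowed to read the contract still learns whether arbitrary thirdparty ids exist; perform the contract access check first. `Societe::fetch()` only establishes that the row exists, so 'not found or not allowed' overstates what was verified — unless an access check on the thirdparty (for instance `_checkAccessToResource('societe', $socid)`, if that feature string is supported) is added, the message should say only 'not found'. The body of put() continues past the end of its hunk.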