dolibarr-dev

Re: [Dolibarr-dev] webservices


From: Christophe Battarel
Subject: Re: [Dolibarr-dev] webservices
Date: Sat, 23 Apr 2016 14:36:48 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0

Hi,

IMHO, the better approach would be an MVC design with permission checking in controllers, but that is also a lot of work ;-)

Best regards

On 23/04/2016 14:24, Marcos García wrote:
Hi,

There is already a bug reported in Github https://github.com/Dolibarr/dolibarr/issues/4956. Permissions are not checked within the class but in individual pages.

From my POV, the rights should be checked within the class and throw an UnauthorizedAccess exception when the logged user does not have enough rights to perform the action, but that will require a lot of work and all the developers should give their opinion to find the better approach.

Regards, Marcos.

On Fri, 22 Apr 2016 at 16:53, Christophe Battarel (<address@hidden>) wrote:
Hello,

I am currently testing Doliwoo (great stuff) and have just lost a lot of time to finally discover that my problem was that the webservice user did not have permission to read thirdparties (a good thing, I think).

But... the webservice can create thirdparties or orders without having permissions!!!

I checked the code of server_thirdparty.php and indeed, permission checking exists on fetching or deleting a thirdparty but not on creating or updating...

Before I make a pull request or create an issue, I would like to be sure whether the "normal" behaviour would be to always check user permissions (I think so) or not, or if there is a reason for this lack of permission check in some cases?

Best regards
---------------------------------------
Christophe Battarel
Technical lead, Altairis

+33 (0)9 52 71 70 96
Altairis - Blog - Modules Dolibarr - Twitter
Finance your projects with Dolipro



_______________________________________________
Dolibarr-dev mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/dolibarr-dev


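As an added illustration of the approach Marcos suggests (checking rights inside the business class and throwing an exception), here is a small PHP sketch; it is not Dolibarr code and not from this thread. The right names (`societe` with `lire`/`creer`/`supprimer`), the `ThirdpartyService` and `UnauthorizedAccessException` class names, and the stdClass stand-in for Dolibarr's User object are assumptions.

```php
<?php
// Added example, not Dolibarr code: every action of the class checks the
// caller's right itself, so a webservice endpoint cannot bypass the check
// by simply not performing it in the page, as server_thirdparty.php did
// for create/update in the thread above.

class UnauthorizedAccessException extends RuntimeException {}

class ThirdpartyService
{
    private $user;   // stand-in for Dolibarr's User object (assumption)

    public function __construct(stdClass $user)
    {
        $this->user = $user;
    }

    // Single place where "which right does this action need" is enforced.
    private function requireRight(string $module, string $right): void
    {
        if (empty($this->user->rights->$module->$right)) {
            throw new UnauthorizedAccessException(
                'User ' . $this->user->login . ' lacks right ' . $module . '->' . $right
            );
        }
    }

    public function fetch(int $id): array
    {
        $this->requireRight('societe', 'lire');
        return ['id' => $id];          // stand-in for the database fetch
    }

    // create/update/delete are gated the same way as fetch.
    public function create(array $data): int
    {
        $this->requireRight('societe', 'creer');
        return 42;                      // stand-in for the new row id
    }

    public function delete(int $id): bool
    {
        $this->requireRight('societe', 'supprimer');
        return true;
    }
}

// Constructed read-only user, like the Doliwoo webservice user in the thread.
$user = (object) ['login' => 'doliwoo', 'rights' => (object) ['societe' =>
        (object) ['lire' => 1, 'creer' => 0, 'supprimer' => 0]]];
$svc = new ThirdpartyService($user);
$svc->fetch(7);                         // allowed: read right is set
try {
    $svc->create(['name' => 'ACME']);   // refused instead of silently succeeding
} catch (UnauthorizedAccessException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```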



