Re: [Dolibarr-dev] webservices

[Laurent Destailleur (aka Eldy)]

2 point of view are possible:

1) A low level service may not check permission to be fast and let this to then customer.

2) A low level service may always check permission so it can't be used to bypass gui and create holes. This reduce a little speed when doing mass insert web service after web service. 

Web service is alaready natively a slow technology and is designed to provide "unit" service. So performance is not priority because for performance, we will make mass actions and web service is not designed for that. So we must go toward the number 2.  And if some checks are not done in some function, it is just because developer forgot it.

2016-04-23 14:36 GMT+02:00 Christophe Battarel <address@hidden>:

Hi,

IMHO, the better approach would be a MVC design with permission checking in controllers but that is also lot of work ;-)

Best regards

Le 23/04/2016 14:24, Marcos García a écrit :

Hi,

There is already a bug reported in Github https://github.com/Dolibarr/dolibarr/issues/4956. Permissions are not checked within the class but in individual pages.

From my POV, the rights should be checked within the class and throw a UnauthorizedAccess exception when the logged user does not have enough rights to perform the action, but that will require a lot of work and all the developers should give their opinion to find the better approach.

Regards, Marcos.

El vie., 22 abr. 2016 a las 16:53, Christophe Battarel (<address@hidden>) escribió:

Hello,

I am currently testing Doliwoo (a great stuff) and have just lost many times to finally discover that my problem was that the webservice user did not have permission to read thirdparties (a good thing i think).

But... the webservice can create thirdparties or orders without having permissions !!!

I checked the code server_thirdparty.php and effectively, permission checking exists on fetching or deleting thirdparty but not on creating or updating...

Before i make a pull request or create an issue i would like to be sure if the "normal" behaviour would be to always check user permissions (i think so) or not, or if there is a reason for this lack of permission check in some cases ?

Best regards

---------------------------------------
Christophe Battarel
Responsable technique Altairis
+33 (0)9 52 71 70 96
Altairis - Blog - Modules Dolibarr - Twitter
Financez vos projets avec Dolipro

_______________________________________________
Dolibarr-dev mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/dolibarr-dev

_______________________________________________
Dolibarr-dev mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/dolibarr-dev

--
---------------------------------------
Christophe Battarel
Responsable technique Altairis
+33 (0)9 52 71 70 96
Altairis - Blog - Modules Dolibarr - Twitter
Financez vos projets avec Dolipro

_______________________________________________
Dolibarr-dev mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/dolibarr-dev

--

EMail: address@hidden

Web: http://www.destailleur.fr

------------------------------------------------------------------------------------

Google+: https://plus.google.com/+LaurentDestailleur-Open-Source-Expert/
Facebook: https://www.facebook.com/Destailleur.Laurent

Twitter: http://www.twitter.com/eldy10

------------------------------------------------------------------------------------

* Dolibarr (Project leader): http://www.dolibarr.org (make a donation for Dolibarr project via Paypal: address@hidden)

* AWStats (Author) : http://awstats.sourceforge.net (make a donation for AWStats project via Paypal: address@hidden)

* AWBot (Author) : http://awbot.sourceforge.net

* CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net