Hi,

There is already a bug reported on GitHub: https://github.com/Dolibarr/dolibarr/issues/4956. Permissions are not checked within the class but in individual pages.

From my POV, the rights should be checked within the class and throw an UnauthorizedAccess exception when the logged user does not have enough rights to perform the action, but that will require a lot of work and all the developers should give their opinion to find the best approach.

Regards,
Marcos.

On Fri, 22 Apr 2016 at 16:53, Christophe Battarel (<[email protected]>) wrote:

> Hello,
>
> I am currently testing Doliwoo (great stuff) and have just lost a lot of
> time to finally discover that my problem was that the webservice user did
> not have permission to read thirdparties (a good thing I think).
>
> But... the webservice can create thirdparties or orders without having
> permissions!!!
>
> I checked the code server_thirdparty.php and effectively, permission
> checking exists on fetching or deleting thirdparty but not on creating or
> updating...
>
> Before I make a pull request or create an issue I would like to be sure if
> the "normal" behaviour would be to always check user permissions (I think
> so) or not, or if there is a reason for this lack of permission check in
> some cases?
>
> Best regards
> ---------------------------------------
>
> *Christophe Battarel
> Technical Manager, Altairis*
> +33 (0)9 52 71 70 96
> Altairis <http://www.altairis.fr> - Blog <http://www.altairis.fr/blog> -
> Dolibarr modules <http://www.altairis.fr/modules> - Twitter
> <https://www.twitter.com/altairis_fr>
> Finance your projects with Dolipro <http://www.dolipro.org>
>
> _______________________________________________
> Dolibarr-dev mailing list
> [email protected]
> https://lists.nongnu.org/mailman/listinfo/dolibarr-dev
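
The approach proposed in the reply above, shown as an added example that is not part of the original thread and is not Dolibarr's code: the class checks rights in every method and throws, so an entry point that omits its own check still cannot create records. The class, exception and right names (`ThirdpartyStore`, `UnauthorizedAccessException`, `thirdparty.read`, `thirdparty.write`) are assumptions for illustration.

```php
<?php
declare(strict_types=1);
// Hypothetical names throughout (PHP 8.1+); this is not Dolibarr's API.
class UnauthorizedAccessException extends RuntimeException {}

final class ApiUser
{
    /** @param string[] $rights rights granted to this login */
    public function __construct(public readonly string $login, private array $rights) {}

    public function can(string $right): bool
    {
        return in_array($right, $this->rights, true);
    }
}

final class ThirdpartyStore
{
    private array $rows = [];
    public function __construct(private ApiUser $user) {}

    // Single choke point: every public method calls this before touching data.
    private function requireRight(string $right): void
    {
        if (!$this->user->can($right)) {
            throw new UnauthorizedAccessException("{$this->user->login} lacks {$right}");
        }
    }

    public function create(array $data): int
    {
        $this->requireRight('thirdparty.write');
        $this->rows[] = $data;
        return array_key_last($this->rows);
    }

    public function fetch(int $id): array
    {
        $this->requireRight('thirdparty.read');
        return $this->rows[$id] ?? throw new OutOfBoundsException("no thirdparty {$id}");
    }
}

// Constructed scenario: a web-service login with read but no write right.
$store = new ThirdpartyStore(new ApiUser('webservice', ['thirdparty.read']));
try {
    $store->create(['name' => 'ACME']);
} catch (UnauthorizedAccessException $e) {
    echo 'denied: ', $e->getMessage(), PHP_EOL;
}
```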
