Hi,
IMHO, the better approach would be an MVC design with permission checking
in controllers, but that is also a lot of work ;-)
Best regards
On 23/04/2016 14:24, Marcos García wrote:
Hi,
There is already a bug reported on GitHub:
https://github.com/Dolibarr/dolibarr/issues/4956. Permissions are not
checked within the class but in individual pages.
From my POV, the rights should be checked within the class, throwing an
UnauthorizedAccess exception when the logged-in user does not have enough
rights to perform the action, but that will require a lot of work and
all the developers should give their opinion to find the best approach.
Regards, Marcos.
On Fri, 22 Apr 2016 at 16:53, Christophe Battarel
(<[email protected]>) wrote:
Hello,
I am currently testing Doliwoo (great stuff) and have just lost
a lot of time before finally discovering that my problem was that the
webservice user did not have permission to read thirdparties (a
good thing, I think).
But... the webservice can create thirdparties or orders without
having permissions!!!
I checked the code of server_thirdparty.php and indeed,
permission checking exists on fetching or deleting a thirdparty but
not on creating or updating...
Before I make a pull request or create an issue, I would like to be
sure whether the "normal" behaviour would be to always check user
permissions (I think so) or not, or if there is a reason for this
lack of permission check in some cases?
Best regards
---------------------------------------
Christophe Battarel
Technical manager, Altairis
+33 (0)9 52 71 70 96
Altairis <http://www.altairis.fr> - Blog
<http://www.altairis.fr/blog> - Dolibarr modules
<http://www.altairis.fr/modules> - Twitter
<https://www.twitter.com/altairis_fr>
Fund your projects with Dolipro <http://www.dolipro.org>
_______________________________________________
Dolibarr-dev mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/dolibarr-dev
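The two designs discussed in the thread (rights checked only in individual pages such as the webservice, versus rights checked inside the class with an exception), as an added example that is not Dolibarr's own code: the class names, the UnauthorizedAccess exception and the `$user->rights->societe->{lire,creer}` shape are assumptions modelled on the thread, not the project's real API.

```php
<?php
// Added example, not Dolibarr code. A hypothetical thirdparty class that enforces
// rights itself, so a caller that forgets its own check (the bug in the thread)
// still cannot create a record it is not allowed to create.
class UnauthorizedAccess extends Exception {}

class User {
    public $rights;
    // $societeRights mirrors the shape of Dolibarr's $user->rights->societe (assumption)
    public function __construct(array $societeRights) {
        $this->rights = (object)['societe' => (object)$societeRights];
    }
}

class ThirdpartyRepository {   // stands in for the Societe class
    private $rows = [];

    // Check lives in the class: every caller (page, webservice, API) goes through it.
    public function create(User $user, string $name): int {
        if (empty($user->rights->societe->creer)) {
            throw new UnauthorizedAccess('creating a thirdparty requires societe->creer');
        }
        $this->rows[] = $name;
        return count($this->rows);
    }

    public function fetch(User $user, int $id): string {
        if (empty($user->rights->societe->lire)) {
            throw new UnauthorizedAccess('reading a thirdparty requires societe->lire');
        }
        return $this->rows[$id - 1] ?? '';
    }
}

// Caller equivalent to the webservice page: it performs no check of its own,
// yet the denial surfaces as an error result instead of a silently created record.
function webservice_create(User $user, ThirdpartyRepository $repo, string $name): array {
    try {
        return ['result' => 'OK', 'id' => $repo->create($user, $name)];
    } catch (UnauthorizedAccess $e) {
        return ['result' => 'KO', 'error' => $e->getMessage()];
    }
}

// Constructed users: one with read-only rights, one allowed to create.
$readOnly = new User(['lire' => 1, 'creer' => 0]);
$full     = new User(['lire' => 1, 'creer' => 1]);
$repo = new ThirdpartyRepository();
var_dump(webservice_create($readOnly, $repo, 'ACME'));
var_dump(webservice_create($full, $repo, 'ACME'));
```

The read-only user gets a `KO` result and no row is stored; the same call with `creer` set succeeds, which is the behaviour the original poster expected from server_thirdparty.php.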