Two points of view are possible:

1) A low-level service may not check permissions, to be fast, and leave this to the customer.
2) A low-level service may always check permissions, so it can't be used to bypass the GUI and create holes. This reduces speed a little when doing mass inserts, web service after web service.

Web services are already natively a slow technology and are designed to provide a "unit" service. So performance is not the priority, because for performance we will make mass actions, and web services are not designed for that. So we must go toward number 2. And if some checks are not done in some function, it is just because the developer forgot it.

2016-04-23 14:36 GMT+02:00 Christophe Battarel <[email protected]>:

> Hi,
>
> IMHO, the better approach would be an MVC design with permission checking
> in controllers, but that is also a lot of work ;-)
>
> Best regards
>
> On 23/04/2016 14:24, Marcos García wrote:
>
> Hi,
>
> There is already a bug reported in Github:
> https://github.com/Dolibarr/dolibarr/issues/4956. Permissions are not
> checked within the class but in individual pages.
>
> From my POV, the rights should be checked within the class and throw an
> UnauthorizedAccess exception when the logged user does not have enough
> rights to perform the action, but that will require a lot of work and all
> the developers should give their opinion to find the better approach.
>
> Regards, Marcos.
>
> On Fri., 22 Apr. 2016 at 16:53, Christophe Battarel (<[email protected]>) wrote:
>
>> Hello,
>>
>> I am currently testing Doliwoo (great stuff) and have just lost a lot of
>> time to finally discover that my problem was that the webservice user did
>> not have permission to read thirdparties (a good thing, I think).
>>
>> But... the webservice can create thirdparties or orders without having
>> permissions!!!
>>
>> I checked the code server_thirdparty.php and effectively, permission
>> checking exists on fetching or deleting thirdparty but not on creating or
>> updating...
>>
>> Before I make a pull request or create an issue I would like to be sure
>> if the "normal" behaviour would be to always check user permissions (I
>> think so) or not, or if there is a reason for this lack of permission check
>> in some cases?
>>
>> Best regards
>> ---------------------------------------
>> *Christophe Battarel, Technical Manager, Altairis*
>> +33 (0)9 52 71 70 96
>> Altairis <http://www.altairis.fr> - Blog <http://www.altairis.fr/blog> -
>> Dolibarr modules <http://www.altairis.fr/modules> - Twitter
>> <https://www.twitter.com/altairis_fr>
>> Fund your projects with Dolipro <http://www.dolipro.org>
>>
>> _______________________________________________
>> Dolibarr-dev mailing list
>> [email protected]
>> https://lists.nongnu.org/mailman/listinfo/dolibarr-dev

--
EMail: [email protected]
Web: http://www.destailleur.fr
------------------------------------------------------------------------------------
Google+: https://plus.google.com/+LaurentDestailleur-Open-Source-Expert/
Facebook: https://www.facebook.com/Destailleur.Laurent
Twitter: http://www.twitter.com/eldy10
------------------------------------------------------------------------------------
* Dolibarr (Project leader): http://www.dolibarr.org (make a donation for Dolibarr project via Paypal: [email protected])
* AWStats (Author): http://awstats.sourceforge.net (make a donation for AWStats project via Paypal: [email protected])
* AWBot (Author): http://awbot.sourceforge.net
* CVSChangeLogBuilder (Author): http://cvschangelogb.sourceforge.net
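As an added example for this thread (not code from Dolibarr or from any of the posters), the following PHP 8 sketch shows the design Marcos describes and option 2 above: the permission check lives inside the service class and is raised as an exception, so a web service entry point inherits the check on create and update exactly as on fetch and delete, instead of each page re-implementing it. The class names, the `thirdparty.<action>` right names, the `hasRight()` helper and the `UnauthorizedAccessException` class are assumptions for the illustration and are not Dolibarr identifiers.

```php
<?php
declare(strict_types=1);

// Added illustration, not Dolibarr code. All class, method and right names
// here (User, ThirdPartyService, "thirdparty.create", UnauthorizedAccessException)
// are hypothetical and chosen for this example only.

final class UnauthorizedAccessException extends RuntimeException {}

final class User
{
    /** @var array<string, true> set of granted "module.action" rights */
    private array $granted;

    public function __construct(public string $login, array $rights)
    {
        $this->granted = array_fill_keys($rights, true);
    }

    public function hasRight(string $module, string $action): bool
    {
        return isset($this->granted["$module.$action"]);
    }
}

final class ThirdPartyService
{
    /** @var array<int, array{name: string}> in-memory rows standing in for the DB */
    private array $rows = [];
    private int $nextId = 1;

    // Single choke point: every public method calls this before touching data,
    // so no caller (GUI page, SOAP server, script) can reach create or update
    // without the matching right. "require" is reserved in PHP, hence the name.
    private function requireRight(User $user, string $action): void
    {
        if (!$user->hasRight('thirdparty', $action)) {
            throw new UnauthorizedAccessException(
                sprintf('user "%s" lacks right thirdparty.%s', $user->login, $action)
            );
        }
    }

    public function create(User $user, string $name): int
    {
        $this->requireRight($user, 'create');
        $id = $this->nextId++;
        $this->rows[$id] = ['name' => $name];
        return $id;
    }

    public function fetch(User $user, int $id): array
    {
        $this->requireRight($user, 'read');
        if (!isset($this->rows[$id])) {
            throw new OutOfRangeException("no thirdparty $id");
        }
        return $this->rows[$id];
    }

    public function update(User $user, int $id, string $name): void
    {
        $this->requireRight($user, 'update');
        if (!isset($this->rows[$id])) {
            throw new OutOfRangeException("no thirdparty $id");
        }
        $this->rows[$id]['name'] = $name;
    }

    public function delete(User $user, int $id): void
    {
        $this->requireRight($user, 'delete');
        unset($this->rows[$id]);
    }
}

// The web service wrapper carries no permission logic of its own; it only
// maps the exception onto the result structure handed back to the client.
function wsCreateThirdParty(ThirdPartyService $svc, User $user, string $name): array
{
    try {
        return ['result' => 'OK', 'id' => $svc->create($user, $name)];
    } catch (UnauthorizedAccessException $e) {
        return ['result' => 'KO', 'error' => $e->getMessage()];
    }
}

// Constructed scenario matching the report: the web-service account was
// granted read on third parties but never create, update or delete.
$svc    = new ThirdPartyService();
$wsUser = new User('wsuser', ['thirdparty.read']);
$admin  = new User('admin', ['thirdparty.read', 'thirdparty.create',
                             'thirdparty.update', 'thirdparty.delete']);

print_r(wsCreateThirdParty($svc, $wsUser, 'ACME'));  // create attempted with the read-only account
print_r(wsCreateThirdParty($svc, $admin, 'ACME'));   // create attempted with a fully entitled account
print_r($svc->fetch($wsUser, 1));                     // read with the read-only account
```

Because the check sits in `requireRight()`, adding a new entry point (another SOAP method, a REST handler, a CLI import) cannot forget it the way `server_thirdparty.php` did for create and update; the only way to skip it is to bypass the class entirely, which is easy to spot in review.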
