|
From: | Christophe Battarel |
Subject: | [Dolibarr-dev] webservices |
Date: | Fri, 22 Apr 2016 16:56:04 +0200 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0 |
Hello, I am currently testing Doliwoo (a great stuff) and have just lost many times to finally discover that my problem was that the webservice user did not have permission to read thirdparties (a good thing i think). But... the webservice can create thirdparties or orders without having permissions !!! I checked the code server_thirdparty.php and effectively, permission checking exists on fetching or deleting thirdparty but not on creating or updating... Before i make a pull request or create an issue i would like to be sure if the "normal" behaviour would be to always check user permissions (i think so) or not, or if there is a reason for this lack of permission check in some cases ? Best regards ---------------------------------------
Christophe Battarel Responsable technique Altairis +33 (0)9 52 71 70 96 Altairis - Blog - Modules Dolibarr - Twitter Financez vos projets avec Dolipro |
[Prev in Thread] | Current Thread | [Next in Thread] |