diff --git a/src/app/entity/controllers/ListInstanceController.php b/src/app/entity/controllers/ListInstanceController.php
index 1d4da3d2aa25f72cf5428df91551213b2ce1468a..236bff09b7ee525413b86986ce5f750fc3ab78b1 100755
--- a/src/app/entity/controllers/ListInstanceController.php
+++ b/src/app/entity/controllers/ListInstanceController.php
@@ -85,12 +85,17 @@ class ListInstanceController
         DatabaseModel::beginTransaction();
-        foreach ($data['redirectListInstances'] as $ListInstanceByRes) {
+        foreach ($data as $ListInstanceByRes) {
             if (empty($ListInstanceByRes['resId'])) {
                 DatabaseModel::rollbackTransaction();
                 return $response->withStatus(400)->withJson(['errors' => 'resId is empty']);
             }
+            if (!Validator::intVal()->validate($ListInstanceByRes['resId']) || !ResController::hasRightByResId(['resId' => $ListInstanceByRes['resId'], 'userId' => $GLOBALS['userId']])) {
+                DatabaseModel::rollbackTransaction();
+                return $response->withStatus(403)->withJson(['errors' => 'Document out of perimeter']);
+            }
+
             ListInstanceModel::delete([
                 'where' => ['res_id = ?', 'difflist_type = ?'],
                 'data' => [$ListInstanceByRes['resId'], 'entity_id']
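Review bot: The perimeter check added on `$ListInstanceByRes['resId']` does not cover the `res_id` carried by each entry of `$ListInstanceByRes['listInstances']`, which the next hunk only tests for emptiness; if the insert below (outside this hunk) writes `$instance['res_id']` as received, a caller can pair an authorized `resId` with rows for documents they have no right on. Either overwrite it with the checked value, `$instance['res_id'] = $ListInstanceByRes['resId'];`, or reject a mismatch with the same 403 before the insert. Separately, a non-integer `resId` is reported as 403 'Document out of perimeter' although it is a malformed request; returning 400 from the `Validator::intVal()` branch and 403 only from `hasRightByResId` would be more accurate. The enclosing method starts before this hunk, so whether `$data` is already guaranteed to be an array (a `foreach` over a scalar only warns, iterates nothing and the transaction is then committed) cannot be confirmed here.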
@@ -101,9 +106,29 @@ class ListInstanceController
                 return $response->withStatus(400)->withJson(['listInstances is missing or is empty']);
             } else {
                 foreach ($ListInstanceByRes['listInstances'] as $instance) {
-                    if (empty($instance['res_id']) || empty($instance['item_id']) || empty($instance['item_type']) || empty($instance['item_mode']) || empty($instance['difflist_type'])) {
+                    if (empty($instance['res_id'])) {
+                        DatabaseModel::rollbackTransaction();
+                        return $response->withStatus(400)->withJson(['errors' => 'res_id are empty']);
+                    }
+
+                    if (empty($instance['item_id'])) {
+                        DatabaseModel::rollbackTransaction();
+                        return $response->withStatus(400)->withJson(['errors' => 'item_id are empty']);
+                    }
+
+                    if (empty($instance['item_type'])) {
+                        DatabaseModel::rollbackTransaction();
+                        return $response->withStatus(400)->withJson(['errors' => 'item_type are empty']);
+                    }
+
+                    if (empty($instance['item_mode'])) {
+                        DatabaseModel::rollbackTransaction();
+                        return $response->withStatus(400)->withJson(['errors' => 'item_mode are empty']);
+                    }
+
+                    if (empty($instance['difflist_type'])) {
                         DatabaseModel::rollbackTransaction();
-                        return $response->withStatus(400)->withJson(['errors' => 'Some data are empty']);
+                        return $response->withStatus(400)->withJson(['errors' => 'difflist_type are empty']);
                     }
                     unset($instance['listinstance_id']);
diff --git a/src/frontend/app/administration/user/users-administration.component.ts b/src/frontend/app/administration/user/users-administration.component.ts
index 8119ef4546f0bc4c5a64fe7ea5399887fd4933ab..6201bc14cc4c073e9f2750702325c8a42ebf4acc 100755
--- a/src/frontend/app/administration/user/users-administration.component.ts
+++ b/src/frontend/app/administration/user/users-administration.component.ts
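Review bot: The five guards on `$instance` are the same three lines repeated with only the key and the message changing; a loop over the required keys states the rule once and keeps the messages consistent (they currently read 'res_id are empty', which should be 'is empty'). Note that `empty()` also rejects the string `'0'` and the integer `0`, so if any of these fields can legitimately be zero-valued the check should use `!isset($instance[$key]) || $instance[$key] === ''` instead. `$instance['res_id']` is only tested for emptiness, not for being an integer the way `resId` is in the previous hunk, so a non-numeric value reaches whatever query consumes it below. The inner foreach and the insert it feeds continue past the end of this hunk.
```php
                foreach ($ListInstanceByRes['listInstances'] as $instance) {
                    foreach (['res_id', 'item_id', 'item_type', 'item_mode', 'difflist_type'] as $required) {
                        if (empty($instance[$required])) {
                            DatabaseModel::rollbackTransaction();
                            return $response->withStatus(400)->withJson(['errors' => "{$required} is empty"]);
                        }
                    }
                    unset($instance['listinstance_id']);
                    // … unchanged: insert of $instance …
```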
@@ -182,7 +182,7 @@ export class UsersAdministrationComponent extends AutoCompletePlugin implements
                 } else {
                     //update listInstances
-                    this.http.put(this.coreUrl + 'rest/listinstances', user)
+                    this.http.put(this.coreUrl + 'rest/listinstances', user.redirectListInstances)
                         .subscribe((data: any) => {
                             if (data.errors) {
                                 this.notify.error(data.errors);
@@ -297,7 +297,7 @@ export class UsersAdministrationComponent extends AutoCompletePlugin implements
                 } else if (!user.inDiffListDest && user.isResDestUser) {
                     //user isResDestUser
                     //update listInstances
-                    this.http.put(this.coreUrl + 'rest/listinstances', user)
+                    this.http.put(this.coreUrl + 'rest/listinstances', user.redirectListInstances)
                         .subscribe((data: any) => {
                             if (data.errors) {
                                 this.notify.error(data.errors);
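Review bot: The request body is now `user.redirectListInstances`, so when that property is undefined or an empty array the PUT goes out with no usable body and the controller's `foreach ($data as …)` iterates nothing and commits, which the user will see as success; guard the call site with `if (!user.redirectListInstances || user.redirectListInstances.length === 0) { return; }` (or a notify) before issuing the request. The identical request is built again at line 297 of this file, so a small private method such as `updateListInstances(user)` would keep the two call sites from drifting. The subscribe callback and the enclosing branch continue outside this hunk.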
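Review bot: The new 403 'Document out of perimeter' and the 400 responses the controller now returns arrive on the client as HTTP errors, not as a 2xx body carrying `errors`, so the `if (data.errors)` branch shown here never sees them; the error callback of this subscribe is outside the hunk, so confirm it surfaces `err.error.errors` to the user rather than failing silently. Presumably this was already true for the earlier 400 replies, but the change widens the set of rejections that take that path. The enclosing method continues outside this hunk.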