From 0b3078c2b0809b75e879b1b42be28fe0cb4e6d5a Mon Sep 17 00:00:00 2001
From: Vinciane <vinciane.bizet@maarch.org>
Date: Mon, 18 Feb 2019 16:36:13 +0100
Subject: [PATCH] FIX #9349 Fix update list instances

---
 .../controllers/ListInstanceController.php    | 31 +++++++++++++++++--
 .../user/users-administration.component.ts    |  4 +--
 2 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/src/app/entity/controllers/ListInstanceController.php b/src/app/entity/controllers/ListInstanceController.php
index 1d4da3d2aa2..236bff09b7e 100755
--- a/src/app/entity/controllers/ListInstanceController.php
+++ b/src/app/entity/controllers/ListInstanceController.php
@@ -85,12 +85,17 @@ class ListInstanceController
 
         DatabaseModel::beginTransaction();
 
-        foreach ($data['redirectListInstances'] as $ListInstanceByRes) {
+        foreach ($data as $ListInstanceByRes) {
             if (empty($ListInstanceByRes['resId'])) {
                 DatabaseModel::rollbackTransaction();
                 return $response->withStatus(400)->withJson(['errors' => 'resId is empty']);
             }
 
+            if (!Validator::intVal()->validate($ListInstanceByRes['resId']) || !ResController::hasRightByResId(['resId' => $ListInstanceByRes['resId'], 'userId' => $GLOBALS['userId']])) {
+                DatabaseModel::rollbackTransaction();
+                return $response->withStatus(403)->withJson(['errors' => 'Document out of perimeter']);
+            }
+
             ListInstanceModel::delete([
                 'where' => ['res_id = ?', 'difflist_type = ?'],
                 'data'  => [$ListInstanceByRes['resId'], 'entity_id']
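Review bot: The request body is now iterated directly with `foreach ($data as $ListInstanceByRes)`, but nothing checks that `$data` is an array first; a missing or scalar body makes `foreach` emit a warning and skip the loop, presumably leaving the transaction opened at `DatabaseModel::beginTransaction()` to be committed by whatever follows the hunk. Add `if (!is_array($data)) { return $response->withStatus(400)->withJson(['errors' => 'Body is not an array']); }` before the transaction is begun. The new `intVal`/`hasRightByResId` guard is the right place to reject out-of-perimeter documents, though a non-integer `resId` is a malformed request rather than a permission failure, so answering 400 for the first condition and 403 only for the second would make the response accurate. The enclosing method starts and ends outside the hunk.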
@@ -101,9 +106,29 @@ class ListInstanceController
                 return $response->withStatus(400)->withJson(['listInstances is missing or is empty']);
             } else {
                 foreach ($ListInstanceByRes['listInstances'] as $instance) {
-                    if (empty($instance['res_id']) || empty($instance['item_id']) || empty($instance['item_type']) || empty($instance['item_mode']) || empty($instance['difflist_type'])) {
+                    if (empty($instance['res_id'])) {
+                        DatabaseModel::rollbackTransaction();
+                        return $response->withStatus(400)->withJson(['errors' => 'res_id are empty']);
+                    }
+
+                    if (empty($instance['item_id'])) {
+                        DatabaseModel::rollbackTransaction();
+                        return $response->withStatus(400)->withJson(['errors' => 'item_id are empty']);
+                    }
+
+                    if (empty($instance['item_type'])) {
+                        DatabaseModel::rollbackTransaction();
+                        return $response->withStatus(400)->withJson(['errors' => 'item_type are empty']);
+                    }
+
+                    if (empty($instance['item_mode'])) {
+                        DatabaseModel::rollbackTransaction();
+                        return $response->withStatus(400)->withJson(['errors' => 'item_mode are empty']);
+                    }
+
+                    if (empty($instance['difflist_type'])) {
                         DatabaseModel::rollbackTransaction();
-                        return $response->withStatus(400)->withJson(['errors' => 'Some data are empty']);
+                        return $response->withStatus(400)->withJson(['errors' => 'difflist_type are empty']);
                     }
                     
                     unset($instance['listinstance_id']);
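Review bot: Each inner instance is only checked for a non-empty `res_id`; it is never compared with the outer `$ListInstanceByRes['resId']` that the first hunk validates and authorizes, so if the later insert (outside the hunk) uses `$instance['res_id']` as given, a body could attach list instances to a document other than the one the caller was checked against. Add `if ($instance['res_id'] != $ListInstanceByRes['resId']) { DatabaseModel::rollbackTransaction(); return $response->withStatus(400)->withJson(['errors' => 'res_id does not match resId']); }` after the empty checks. The five identical rollback-and-return blocks also read better as a single loop over the required keys, and the messages should say "is empty" rather than "are empty". The enclosing foreach and method continue outside the hunk.

```php
                foreach ($ListInstanceByRes['listInstances'] as $instance) {
                    foreach (['res_id', 'item_id', 'item_type', 'item_mode', 'difflist_type'] as $required) {
                        if (empty($instance[$required])) {
                            DatabaseModel::rollbackTransaction();
                            return $response->withStatus(400)->withJson(['errors' => "{$required} is empty"]);
                        }
                    }
                    if ($instance['res_id'] != $ListInstanceByRes['resId']) {
                        DatabaseModel::rollbackTransaction();
                        return $response->withStatus(400)->withJson(['errors' => 'res_id does not match resId']);
                    }

                    unset($instance['listinstance_id']);
                    // … unchanged: rest of the loop body …
```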
diff --git a/src/frontend/app/administration/user/users-administration.component.ts b/src/frontend/app/administration/user/users-administration.component.ts
index 8119ef4546f..6201bc14cc4 100755
--- a/src/frontend/app/administration/user/users-administration.component.ts
+++ b/src/frontend/app/administration/user/users-administration.component.ts
@@ -182,7 +182,7 @@ export class UsersAdministrationComponent extends AutoCompletePlugin implements
                                         } else {
 
                                             //update listInstances
-                                            this.http.put(this.coreUrl + 'rest/listinstances', user)
+                                            this.http.put(this.coreUrl + 'rest/listinstances', user.redirectListInstances)
                                                 .subscribe((data: any) => {
                                                     if (data.errors) {
                                                         this.notify.error(data.errors);
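Review bot: The call `this.http.put(this.coreUrl + 'rest/listinstances', user.redirectListInstances)` sends the array with no check that `user.redirectListInstances` is defined and non-empty; an undefined value presumably yields an empty body, which the controller side of this same patch now iterates directly, so the request would fail on the server rather than being caught here. Guard with `if (!Array.isArray(user.redirectListInstances) || user.redirectListInstances.length === 0) { this.notify.error('no list instances to redirect'); } else { … }` around the call, and the same applies to the second hunk of this file at line 297. Note too that the 403 the controller now returns will not reach `if (data.errors)` in the success callback, since HttpClient routes non-2xx responses to the error callback outside the hunk, which should surface that message. The enclosing method continues outside the hunk.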
@@ -297,7 +297,7 @@ export class UsersAdministrationComponent extends AutoCompletePlugin implements
 
                             } else if (!user.inDiffListDest && user.isResDestUser) { //user isResDestUser
                                 //update listInstances
-                                this.http.put(this.coreUrl + 'rest/listinstances', user)
+                                this.http.put(this.coreUrl + 'rest/listinstances', user.redirectListInstances)
                                     .subscribe((data: any) => {
                                         if (data.errors) {
                                             this.notify.error(data.errors);
-- 
GitLab