* [FIX] Try to fix access denied when adding accounts through API.

2026-03-04 07:34:09 +01:00 · 2017-06-14 16:14:23 +02:00
parent aa45446178
commit 24031e12fe
2 changed files with 19 additions and 4 deletions
--- a/inc/SP/Forms/ApiTokenForm.class.php
+++ b/inc/SP/Forms/ApiTokenForm.class.php
@@ -83,9 +83,16 @@ class ApiTokenForm extends FormBase implements FormInterface
    {
        if ($this->ApiTokenData->getAuthtokenUserId() === 0) {
            throw new ValidationException(__('Usuario no indicado', false));
-        } elseif ($this->ApiTokenData->getAuthtokenActionId() === 0) {
+        }
+
+        if ($this->ApiTokenData->getAuthtokenActionId() === 0) {
            throw new ValidationException(__('Acción no indicada', false));
-        } elseif ($this->ApiTokenData->getAuthtokenActionId() === ActionsInterface::ACTION_ACC_VIEW_PASS
+        }
+
+        $action = $this->ApiTokenData->getAuthtokenActionId();
+
+        if (($action === ActionsInterface::ACTION_ACC_VIEW_PASS
+                || $action === ActionsInterface::ACTION_ACC_NEW)
            && $this->ApiTokenData->getAuthtokenHash() === ''
        ) {
            throw new ValidationException(__('La clave no puede estar en blanco', false));
--- a/inc/SP/Mgmt/ApiTokens/ApiToken.class.php
+++ b/inc/SP/Mgmt/ApiTokens/ApiToken.class.php
@@ -79,7 +79,11 @@ class ApiToken extends ApiTokenBase implements ItemInterface
        $Data->addParam(Session::getUserData()->getUserId());
        $Data->addParam($token);

-        if ($this->itemData->getAuthtokenActionId() === ActionsInterface::ACTION_ACC_VIEW_PASS) {
+        $action = $this->itemData->getAuthtokenActionId();
+
+        if ($action === ActionsInterface::ACTION_ACC_VIEW_PASS
+            || $action === ActionsInterface::ACTION_ACC_NEW
+        ) {
            $Data->addParam(serialize($this->getSecureData($token)));
        } else {
            $Data->addParam(null);
@@ -219,7 +223,11 @@ class ApiToken extends ApiTokenBase implements ItemInterface
        $Data->addParam(Session::getUserData()->getUserId());
        $Data->addParam($token);

-        if ($this->itemData->getAuthtokenActionId() === ActionsInterface::ACTION_ACC_VIEW_PASS) {
+        $action = $this->itemData->getAuthtokenActionId();
+
+        if ($action === ActionsInterface::ACTION_ACC_VIEW_PASS
+            || $action === ActionsInterface::ACTION_ACC_NEW
+        ) {
            $Data->addParam(serialize($this->getSecureData($token)));
        } else {
            $Data->addParam(null);