From 24031e12fe4f065dd6cf6d2dcc226fdb1cd344ea Mon Sep 17 00:00:00 2001
From: nuxsmin
Date: Wed, 14 Jun 2017 16:14:23 +0200
Subject: [PATCH] * [FIX] Try to fix access denied when adding accounts through API.

---
 inc/SP/Forms/ApiTokenForm.class.php | 11 +++++++++--
 inc/SP/Mgmt/ApiTokens/ApiToken.class.php | 12 ++++++++++--
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/inc/SP/Forms/ApiTokenForm.class.php b/inc/SP/Forms/ApiTokenForm.class.php
index 6eb96b59..7960092d 100644
--- a/inc/SP/Forms/ApiTokenForm.class.php
+++ b/inc/SP/Forms/ApiTokenForm.class.php
@@ -83,9 +83,16 @@ class ApiTokenForm extends FormBase implements FormInterface
 {
 if ($this->ApiTokenData->getAuthtokenUserId() === 0) {
 throw new ValidationException(__('Usuario no indicado', false));
- } elseif ($this->ApiTokenData->getAuthtokenActionId() === 0) {
+ }
+
+ if ($this->ApiTokenData->getAuthtokenActionId() === 0) {
 throw new ValidationException(__('Acción no indicada', false));
- } elseif ($this->ApiTokenData->getAuthtokenActionId() === ActionsInterface::ACTION_ACC_VIEW_PASS
+ }
+
+ $action = $this->ApiTokenData->getAuthtokenActionId();
+
+ if (($action === ActionsInterface::ACTION_ACC_VIEW_PASS
+ || $action === ActionsInterface::ACTION_ACC_NEW)
 && $this->ApiTokenData->getAuthtokenHash() === ''
 ) {
 throw new ValidationException(__('La clave no puede estar en blanco', false));
diff --git a/inc/SP/Mgmt/ApiTokens/ApiToken.class.php b/inc/SP/Mgmt/ApiTokens/ApiToken.class.php
index 794699e0..6f2355c6 100644
--- a/inc/SP/Mgmt/ApiTokens/ApiToken.class.php
+++ b/inc/SP/Mgmt/ApiTokens/ApiToken.class.php
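Review bot: The set of actions that require a non-empty hash is written out as a literal `||` chain in the new `if ((...` condition here, and the same pair (`ACTION_ACC_VIEW_PASS`, `ACTION_ACC_NEW`) is repeated in both hunks of inc/SP/Mgmt/ApiTokens/ApiToken.class.php; if one of the three lists is extended without the others, a token can pass form validation yet be stored with `null` secure data (or the reverse), which is the same class of mismatch this commit is repairing. A single shared predicate that all three sites consult — e.g. a static helper on the base class such as `ApiTokenBase::actionNeedsSecureData($action)`, or a constant list of those actions — would make the check read `if (self::actionNeedsSecureData($action) && $this->ApiTokenData->getAuthtokenHash() === '')` and remove the drift risk. The `=== ''` test also accepts a whitespace-only value and, if the getter can return null, a null one; `trim((string) $this->ApiTokenData->getAuthtokenHash()) === ''` would cover both, but confirm what the getter actually returns. The validating method starts and ends outside this hunk.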
@@ -79,7 +79,11 @@ class ApiToken extends ApiTokenBase implements ItemInterface
 $Data->addParam(Session::getUserData()->getUserId());
 $Data->addParam($token);
- if ($this->itemData->getAuthtokenActionId() === ActionsInterface::ACTION_ACC_VIEW_PASS) {
+ $action = $this->itemData->getAuthtokenActionId();
+
+ if ($action === ActionsInterface::ACTION_ACC_VIEW_PASS
+ || $action === ActionsInterface::ACTION_ACC_NEW
+ ) {
 $Data->addParam(serialize($this->getSecureData($token)));
 } else {
 $Data->addParam(null);
@@ -219,7 +223,11 @@ class ApiToken extends ApiTokenBase implements ItemInterface
 $Data->addParam(Session::getUserData()->getUserId());
 $Data->addParam($token);
- if ($this->itemData->getAuthtokenActionId() === ActionsInterface::ACTION_ACC_VIEW_PASS) {
+ $action = $this->itemData->getAuthtokenActionId();
+
+ if ($action === ActionsInterface::ACTION_ACC_VIEW_PASS
+ || $action === ActionsInterface::ACTION_ACC_NEW
+ ) {
 $Data->addParam(serialize($this->getSecureData($token)));
 } else {
 $Data->addParam(null);
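Review bot: The secure data is persisted with `serialize()` on the new `ACTION_ACC_NEW` path as well as the existing `ACTION_ACC_VIEW_PASS` one (this hunk and the identical one at `@@ -219,7 +223,11 @@`), so whatever reads that column back presumably calls `unserialize()` on database content; if so, the reader should pass `['allowed_classes' => [...]]` limited to the one expected class (or the payload should move to a JSON encoding), because unrestricted `unserialize()` of stored data lets anyone able to write that column choose which classes get instantiated — worth confirming against the read path, which is outside this diff. Separately, the action check and the serialize/null branch are now duplicated verbatim between the two methods touched at lines 79 and 219; a private helper that returns the serialized secure data or `null` for a given `$token` would keep the two write paths from drifting, as sketched below. Both enclosing methods start and end outside their hunks.
```php
$Data->addParam($token);
$Data->addParam($this->secureDataParam($token));
// … unchanged: remainder of both methods …

/**
 * Serialized secure data for the actions that need it, null for every other action.
 */
private function secureDataParam($token)
{
    $action = $this->itemData->getAuthtokenActionId();

    if ($action === ActionsInterface::ACTION_ACC_VIEW_PASS
        || $action === ActionsInterface::ACTION_ACC_NEW
    ) {
        return serialize($this->getSecureData($token));
    }

    return null;
}
```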