From 9df13922e969679ac86bb08c2dd97a81094a1c8e Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Mon, 13 Oct 2025 11:08:51 +0200
Subject: [PATCH] require unrestricted access on document/folder for deletion by rest api
---
 CHANGELOG | 1 +
 restapi/index.php | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 9c724eb59..6ef53b266 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,6 +6,7 @@
 - initial support for installation from git
 - memcached support can be configured (still rarely used)
 - fix folder parameter passed to hook 'folderRowAction'
+- require unrestricted access on document/folder for deletion by rest api
 --------------------------------------------------------------------------------
 Changes in version 5.1.41
diff --git a/restapi/index.php b/restapi/index.php
index eeb6a5f61..808c45f8a 100644
--- a/restapi/index.php
+++ b/restapi/index.php
@@ -636,7 +636,7 @@ final class SeedDMS_RestapiController { /* {{{ */
 }
 $mfolder = $dms->getFolder($args['id']);
 if($mfolder) {
- if ($mfolder->getAccessMode($userobj, 'removeFolder') >= M_READWRITE) {
+ if ($mfolder->getAccessMode($userobj, 'removeFolder') > M_READWRITE) {
 if($mfolder->remove()) {
 return $this->renderer->json($response, array('success'=>true, 'message'=>'', 'data'=>''))->withStatus(200);
 } else {
@@ -1214,7 +1214,7 @@ final class SeedDMS_RestapiController { /* {{{ */
 $document = $dms->getDocument($args['id']);
 if($document) {
- if ($document->getAccessMode($userobj, 'deleteDocument') >= M_READWRITE) {
+ if ($document->getAccessMode($userobj, 'deleteDocument') > M_READWRITE) {
 if($document->remove()) {
 return $this->renderer->json($response, array('success'=>true, 'message'=>'', 'data'=>''))->withStatus(200);
 } else {
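Review bot: `> M_READWRITE` in both delete checks (the `removeFolder` hunk at `@@ -636` and the `deleteDocument` hunk at `@@ -1214`) encodes "unrestricted access" through the numeric ordering of the access-mode constants instead of naming the level required. Comparing against the top level directly, `if ($mfolder->getAccessMode($userobj, 'removeFolder') >= M_ALL) {` and likewise for `$document`, states the authorization requirement and keeps the check strict if an intermediate mode is ever introduced. Both enclosing methods start and end outside the hunks, so the branch taken when access is insufficient is not visible; it should be confirmed that it answers with an authorization error rather than falling through. A regression test in which a user holding only read-write access is refused deletion on both endpoints would pin the new behaviour, and any other destructive REST handlers still comparing with `>= M_READWRITE` are worth the same review.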