vTiger webservice “ACCESS_DENIED : Permission to perform the operation is denied for id”

Question

I want to add SalesOrder through vTiger webservice. I'm using for this vtwsclib. Here is the code:

<?php
include_once('vtwsclib/Vtiger/WSClient.php');
$url = 'http://localhost:8888';
$client = new Vtiger_WSClient($url);
$login = $client->doLogin('admin', 'zzzzzzzz');
if(!$login) echo 'Login Failed';
else {

    $data = array(
        'subject' => 'Test SalesOrder',
        'sostatus' => 'Created',
        'invoicestatus'=>'AutoCreated',
        'account_id'=> '46', // Existing account id
        'bill_street' => 'Bill Street',
        'ship_street' => 'Ship Street',
    );
    $record = $client->doCreate('SalesOrder', $data);

$error = $client->lasterror();
    if($error) {
    echo $error['code'] . ' : ' . $error['message'];
}

if($record) {
    $salesorderid = $client->getRecordId($record['id']);
}

}
?>

And I get only: "ACCESS_DENIED : Permission to perform the operation is denied for id".

Account_id exists in database. Other SalesOrder was added with the same account_id but through webpage. I have also tried variant with accout_id = "6x46" where 6 is module_id. It also didn't work. Any ideas how to solve this problem?

Answer 1

I think you should be trying 11x46 for account id. Vtiger web services entity id's are different from tabids.

To get a correct list of all entity ids, execute this in your MySQL for the CRM:

select id, name from vtiger_ws_entity;

Answer 2

Problem lies in vtiger documentation. add entityName parameter in GET request.

var q = "select * from Users;";
"http://vtigercrm/webservice.php?operation=query&sessionName=ABC&entityName=XYZ&query="+q

This worked well for me. Although still couldn't understand that by giving any entityName or garbage string, program works !!! Please comment if you know more about this.

Answer 3

This is a method that might helps you to generate query q

"http://vtigercrm/webservice.php?operation=query&sessionName=ABC&query="+q

for exemple you expect :

SELECT * FROM INVOICE WEHRE id='72xxx';

you can do

buildVtigerQuery('INVOICE', ['id' => '72xx']);

this is the function :

    protected function buildQuery(
    string $moduleName,
    array $filterData = [],
    string $attributes = '*',
    int $start = 0,
    int $limit = null
): string {
    $query = 'SELECT ' . $attributes . ' FROM ' . $moduleName . ' ';
    if (!empty($filterData)) {
        $query .= 'WHERE ';
        foreach ($filterData as $key => $value) {
            $whereOperator = (is_numeric($value) === true) ? ' = ' : ' like ';
            $value = (is_numeric($value) === true) ? $value : '%' . $value . '%';
            $query .= $key . $whereOperator . '\'' . $value . '\'' . ' AND WHERE ';
        }
    }

    if (substr($query, -11) === ' AND WHERE ') {
        $query = substr_replace($query, "", -11);
    }

    if ((!is_null($limit)) && (0 < $start)) {
        $query .= ' ORDER BY id LIMIT ' . $start . ',' . $limit;
    }


    if (!is_null($limit) && (0 >= $start)) {
        $query .= ' ORDER BY id LIMIT ' . $limit;
    }


    return $query . ';';
}

i didn't take XSS injection into consideration because my expected query q will be written in the url