Commit 31e5b478 authored by Jean-François Ferry's avatar Jean-François Ferry

Fix : verify access method

Now we can use the tag '@class' in the PHPDoc block of a method or class.

For example: @class  DolibarrApiAccess {@requires user,external}
parent fa494369
...@@ -74,7 +74,7 @@ class DolibarrApi { ...@@ -74,7 +74,7 @@ class DolibarrApi {
unset($object->db); unset($object->db);
return array($object); return $object;
} }
} }
......
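Review bot: The new `return $object;` changes this method's result from a one-element array to the bare object, so any caller that indexed the previous `array($object)` value will now receive the object itself and break silently. The method's signature and docblock start outside the hunk, so I cannot see whether its `@return` still says array; if it does, it should be updated, e.g. `@return object the object with its db handle removed`. If the wrapping array was intentional as a consistent JSON envelope, that decision deserves a sentence in the docblock rather than a silent change.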
...@@ -3,8 +3,8 @@ ...@@ -3,8 +3,8 @@
use \Luracast\Restler\iAuthenticate; use \Luracast\Restler\iAuthenticate;
use \Luracast\Restler\Resources; use \Luracast\Restler\Resources;
use \Luracast\Restler\Defaults; use \Luracast\Restler\Defaults;
use Luracast\Restler\RestException;
require_once DOL_DOCUMENT_ROOT.'/user/class/user.class.php';
/** /**
* Description of DolibarrApiAccess * Description of DolibarrApiAccess
...@@ -16,15 +16,25 @@ class DolibarrApiAccess implements iAuthenticate ...@@ -16,15 +16,25 @@ class DolibarrApiAccess implements iAuthenticate
const REALM = 'Restricted Dolibarr API'; const REALM = 'Restricted Dolibarr API';
/** /**
* @var string $requires role required by API method user / external / admin * @var array $requires role required by API method user / external / admin
*/ */
public static $requires = 'user'; public static $requires = array('user','external','admin');
/** /**
* @var string $role user role * @var string $role user role
*/ */
public static $role = 'user'; public static $role = 'user';
/**
* @var array $user_perms Permission of loggued user
@todo
public static $user_perms = array();
public static $required_perms = '';
* *
*/
/** /**
* Check access * Check access
* *
...@@ -40,8 +50,6 @@ class DolibarrApiAccess implements iAuthenticate ...@@ -40,8 +50,6 @@ class DolibarrApiAccess implements iAuthenticate
$userClass = Defaults::$userIdentifierClass; $userClass = Defaults::$userIdentifierClass;
// for dev @todo : remove this!
static::$role = 'user';
if (isset($_GET['api_key'])) { if (isset($_GET['api_key'])) {
// @todo : check from database // @todo : check from database
...@@ -50,9 +58,8 @@ class DolibarrApiAccess implements iAuthenticate ...@@ -50,9 +58,8 @@ class DolibarrApiAccess implements iAuthenticate
$sql.= " FROM ".MAIN_DB_PREFIX."user as u"; $sql.= " FROM ".MAIN_DB_PREFIX."user as u";
$sql.= " WHERE u.api_key = '".$db->escape($_GET['api_key'])."'"; $sql.= " WHERE u.api_key = '".$db->escape($_GET['api_key'])."'";
$result=$db->query($sql);
if ($result) if ($db->query($sql))
{ {
if ($db->num_rows($result)) if ($db->num_rows($result))
{ {
...@@ -61,6 +68,9 @@ class DolibarrApiAccess implements iAuthenticate ...@@ -61,6 +68,9 @@ class DolibarrApiAccess implements iAuthenticate
$stored_key = $obj->api_key; $stored_key = $obj->api_key;
} }
} }
else {
throw new RestException(503, 'Error when fetching user api_key :'.$db->error_msg);
}
if ( $stored_key != $_GET['api_key']) { if ( $stored_key != $_GET['api_key']) {
$userClass::setCacheIdentifier($_GET['api_key']); $userClass::setCacheIdentifier($_GET['api_key']);
...@@ -68,7 +78,11 @@ class DolibarrApiAccess implements iAuthenticate ...@@ -68,7 +78,11 @@ class DolibarrApiAccess implements iAuthenticate
} }
$fuser = new User($db); $fuser = new User($db);
$result = $fuser->fetch('',$login); if(! $fuser->fetch('',$login)) {
throw new RestException(503, 'Error when fetching user :'.$fuser->error);
}
$fuser->getrights();
static::$user_perms = $fuser->rights;
if($fuser->societe_id) if($fuser->societe_id)
static::$role = 'external'; static::$role = 'external';
...@@ -83,7 +97,7 @@ class DolibarrApiAccess implements iAuthenticate ...@@ -83,7 +97,7 @@ class DolibarrApiAccess implements iAuthenticate
$userClass::setCacheIdentifier(static::$role); $userClass::setCacheIdentifier(static::$role);
Resources::$accessControlFunction = 'DolibarrApiAccess::verifyAccess'; Resources::$accessControlFunction = 'DolibarrApiAccess::verifyAccess';
return static::$requires == static::$role || static::$role == 'admin'; return in_array(static::$role, (array) static::$requires) || static::$role == 'admin';
} }
public function __getWWWAuthenticateString() public function __getWWWAuthenticateString()
...@@ -96,12 +110,14 @@ class DolibarrApiAccess implements iAuthenticate ...@@ -96,12 +110,14 @@ class DolibarrApiAccess implements iAuthenticate
*/ */
public static function verifyAccess(array $m) public static function verifyAccess(array $m)
{ {
$requires = $requires = isset($m['class']['DolibarrApiAccess']['properties']['requires'])
isset($m['class']['DolibarrApiAccess']['properties']['requires'])
? $m['class']['DolibarrApiAccess']['properties']['requires'] ? $m['class']['DolibarrApiAccess']['properties']['requires']
: false; : false;
return $requires return $requires
? static::$role == 'admin' || static::$role == $requires ? static::$role == 'admin' || in_array(static::$role, (array) $requires)
: true; : true;
} }
} }
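Review bot: On the new side of the api_key lookup, `$result=$db->query($sql);` is removed and replaced by `if ($db->query($sql))`, but the following line still calls `$db->num_rows($result)`, so the result set is never bound: `$result` is undefined there, the user row is never read, and every api_key login ends up in the key-mismatch branch; keep the assignment and test it, `$result = $db->query($sql); if ($result) {`. Further down, `static::$user_perms = $fuser->rights;` writes to a static property whose only declaration in this section sits inside the commented-out `@todo` docblock above "Check access", so unless it is declared elsewhere in the class this is a fatal "access to undeclared static property" error at runtime — move `public static $user_perms = array();` out of the comment. The new `throw new RestException(503, 'Error when fetching user api_key :'.$db->error_msg)` relies on a `$db->error_msg` property; confirm the database class exposes it, otherwise the message is empty and the real cause is lost. Finally, both `in_array(static::$role, ...)` calls should pass `true` as the third argument, and because the default `$requires` is now `array('user','external','admin')`, authentication alone no longer restricts by role: every API class or method must carry a `@requires` annotation, since `verifyAccess` returns true when none is present, and that should be stated in the `$requires` docblock.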
...@@ -24,6 +24,8 @@ ...@@ -24,6 +24,8 @@
* *
* @smart-auto-routing false * @smart-auto-routing false
* @access protected * @access protected
* @class DolibarrApiAccess {@requires user,external}
*
* *
*/ */
class ThirdpartyApi extends DolibarrApi { class ThirdpartyApi extends DolibarrApi {
...@@ -59,6 +61,7 @@ class ThirdpartyApi extends DolibarrApi { ...@@ -59,6 +61,7 @@ class ThirdpartyApi extends DolibarrApi {
* @url GET thirdparty/{id} * @url GET thirdparty/{id}
* @param int $id ID of thirdparty * @param int $id ID of thirdparty
* @return array|mixed data without useless information * @return array|mixed data without useless information
*
* @throws RestException * @throws RestException
*/ */
function get($id) function get($id)
......
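Review bot: The class-level `@class DolibarrApiAccess {@requires user,external}` grants the `external` role access to every method of ThirdpartyApi, while the per-user rights that the authenticator loads via `getrights()` are not consulted anywhere visible in this commit, so an external user's access is decided by role alone; state that intent on the class docblock, e.g. `* External users get the same access as internal users here; object-level rights are not checked.`, or add a rights check inside the methods. Whether the comma-separated value reaches `verifyAccess` as an array or as the single string `'user,external'` depends on Restler's comment parser; if it arrives as a string, the `(array)` cast yields `['user,external']` and every non-admin role is denied, so this should be confirmed with a request as each role. I also cannot confirm from here that Restler copies class-level `@class` data into each method's `$m['class']` metadata rather than only method-level tags; if it does not, the annotation has no effect and the methods fall back to the permissive default.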