Verify API access by user to resource

API authentication mechanism is supposed to be working with internal or external users

htdocs/api/class/api.class.php

@@ -70,13 +70,44 @@ class DolibarrApi {
      * @todo use an array for properties to clean
      *
      */
-    protected function cleanObjectDatas($object){
+    protected function _cleanObjectDatas($object){
 
 		unset($object->db);
 
 		return $object;
     }
 	
+	/**
+	 * Check user access to a resource
+	 * 
+	 * Check access by user to a given resource
+	 * 
+	 * @param string	$resource		element to check
+	 * @param int		$resource_id	Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
+	 * @param type		$dbtablename	'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity. Not used if objectid is null (optional)
+	 * @param string	$feature2		Feature to check, second level of permission (optional). Can be or check with 'level1|level2'.
+	 * @param string	$dbt_keyfield   Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
+	 * @param string	$dbt_select     Field name for select if not rowid. Not used if objectid is null (optional)
+	 * @throws RestException
+	 */
+	static function _checkAccessToResource($resource, $resource_id=0, $dbtablename='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid') {
+		
+		// Features/modules to check
+		$featuresarray = array($resource);
+		if (preg_match('/&/', $resource)) { 
+			$featuresarray = explode("&", $resource); 
+		}
+		else if (preg_match('/\|/', $resource)) { 
+			$featuresarray = explode("|", $resource); 
+		}
+
+		// More subfeatures to check
+		if (! empty($feature2)) { 
+			$feature2 = explode("|", $feature2);
+		}
+
+		return checkUserAccessToObject(DolibarrApiAccess::$user, $featuresarray,$resource_id,$dbtablename,$feature2,$dbt_keyfield,$dbt_select);
+	}
 }
 
 /**

htdocs/api/class/api_access.class.php

@@ -26,13 +26,9 @@ class DolibarrApiAccess implements iAuthenticate
     public static $role = 'user';
 	
 	/**
-	 * @var array	$user_perms	Permission of loggued user 
-	 @todo
-	public static $user_perms = array();
-	
-	public static $required_perms = '';
-	 * *
+	 * @var User		$user	Permission of loggued user 
 	 */
+	public static $user = '';
 	 
 	
 	/**
@@ -44,8 +40,6 @@ class DolibarrApiAccess implements iAuthenticate
     {
 		global $db;
 
-		//@todo hardcoded api_key=>role for brevity
-		//
 		$stored_key = '';
 		
 		$userClass = Defaults::$userIdentifierClass;
@@ -82,7 +76,7 @@ class DolibarrApiAccess implements iAuthenticate
 				throw new RestException(503, 'Error when fetching user :'.$fuser->error);
 			}
 			$fuser->getrights();
-			static::$user_perms = $fuser->rights;
+			static::$user = $fuser;
 			
 			if($fuser->societe_id)
 				static::$role = 'external';

htdocs/societe/class/api_thirdparty.class.php

@@ -66,12 +66,20 @@ class ThirdpartyApi extends DolibarrApi {
      */
     function get($id)
     {		
+		if(! DolibarrApiAccess::$user->rights->societe->lire) {
+			throw new RestException(401);
+		}
+			
         $result = $this->company->fetch($id);
         if( ! $result ) {
             throw new RestException(404, 'Thirdparty not found');
         }
 		
-		return $this->cleanObjectDatas($this->company);
+		if( ! DolibarrApi::_checkAccessToResource('societe',$this->company->id)) {
+			throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
+		}
+
+		return $this->_cleanObjectDatas($this->company);
     }
 
     /**
@@ -134,7 +142,7 @@ class ThirdpartyApi extends DolibarrApi {
      * @return array
      * @throws RestException
      */
-    private function _validate($data)
+    function _validate($data)
     {
         $thirdparty = array();
         foreach (ThirdpartyApi::$FIELDS as $field) {