dolibarr/htdocs/api/class/api_access.class.php

<?php

use \Luracast\Restler\iAuthenticate;
use \Luracast\Restler\Resources;
use \Luracast\Restler\Defaults;
use Luracast\Restler\RestException;


/**
 * Description of DolibarrApiAccess
 *
 * @author jfefe
 */
class DolibarrApiAccess implements iAuthenticate
{
	const REALM = 'Restricted Dolibarr API';
	
	/**
	 * @var array $requires	role required by API method		user / external / admin	
	 */
	public static $requires = array('user','external','admin');
	
	/**
	 * @var string $role		user role
	 */
    public static $role = 'user';
	
	/**
	 * @var User		$user	Permission of loggued user 
	 */
	public static $user = '';
	 
	
	/**
	 * Check access
	 * 
	 * @return boolean
	 */
	public function __isAllowed()
    {
		global $db;

		$stored_key = '';
		
		$userClass = Defaults::$userIdentifierClass;
		
		
		if (isset($_GET['api_key'])) {
			// @todo : check from database
			$sql = "SELECT u.login, u.datec, u.api_key, ";
			$sql.= " u.tms as date_modification, u.entity";
			$sql.= " FROM ".MAIN_DB_PREFIX."user as u";
			$sql.= " WHERE u.api_key = '".$db->escape($_GET['api_key'])."'";

			
			if ($db->query($sql))
			{
				if ($db->num_rows($result))
				{
					$obj = $db->fetch_object($result);
					$login = $obj->login;
					$stored_key = $obj->api_key;
				}
			}
			else {
				throw new RestException(503, 'Error when fetching user api_key :'.$db->error_msg);
			}

			if ( $stored_key != $_GET['api_key']) {
				$userClass::setCacheIdentifier($_GET['api_key']);
				return false;
			}
			
			$fuser = new User($db);
			if(! $fuser->fetch('',$login)) {
				throw new RestException(503, 'Error when fetching user :'.$fuser->error);
			}
			$fuser->getrights();
			static::$user = $fuser;
			
			if($fuser->societe_id)
				static::$role = 'external';
			
			if($fuser->admin)
				static::$role = 'admin';
        }
		else
		{
			return false;
		}

        $userClass::setCacheIdentifier(static::$role);
        Resources::$accessControlFunction = 'DolibarrApiAccess::verifyAccess';
        return in_array(static::$role, (array) static::$requires) || static::$role == 'admin';
	}
	
	public function __getWWWAuthenticateString()
    {
        return '';
    }
	
	/**
     * @access private
     */
    public static function verifyAccess(array $m)
    {
        $requires = isset($m['class']['DolibarrApiAccess']['properties']['requires'])
                ? $m['class']['DolibarrApiAccess']['properties']['requires']
                : false;
		
		
        return $requires
            ? static::$role == 'admin' || in_array(static::$role, (array) $requires)
            : true;
		
    }
}
Work on authentication 2015-05-02 18:14:51 +02:00			`<?php`

			`use \Luracast\Restler\iAuthenticate;`
			`use \Luracast\Restler\Resources;`
			`use \Luracast\Restler\Defaults;`
Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00			`use Luracast\Restler\RestException;`
Work on authentication 2015-05-02 18:14:51 +02:00

			`/**`
			`* Description of DolibarrApiAccess`
			`*`
			`* @author jfefe`
			`*/`
			`class DolibarrApiAccess implements iAuthenticate`
			`{`
			`const REALM = 'Restricted Dolibarr API';`

			`/**`
Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00			`* @var array $requires role required by API method user / external / admin`
Work on authentication 2015-05-02 18:14:51 +02:00			`*/`
Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00			`public static $requires = array('user','external','admin');`
New : API key authentication One key is stored by user when login API method is called. Each API request must have api_key parameter 2015-05-02 23:54:35 +02:00
			`/**`
			`* @var string $role user role`
			`*/`
Work on authentication 2015-05-02 18:14:51 +02:00			`public static $role = 'user';`

Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00			`/**`
Verify API access by user to resource API authentication mechanism is supposed to be working with internal or external users 2015-05-03 14:44:37 +02:00			`* @var User $user Permission of loggued user`
Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00			`*/`
Verify API access by user to resource API authentication mechanism is supposed to be working with internal or external users 2015-05-03 14:44:37 +02:00			`public static $user = '';`

Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00
New : API key authentication One key is stored by user when login API method is called. Each API request must have api_key parameter 2015-05-02 23:54:35 +02:00			`/**`
			`* Check access`
			`*`
			`* @return boolean`
			`*/`
Work on authentication 2015-05-02 18:14:51 +02:00			`public function __isAllowed()`
			`{`
New : API key authentication One key is stored by user when login API method is called. Each API request must have api_key parameter 2015-05-02 23:54:35 +02:00			`global $db;`
Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00
New : API key authentication One key is stored by user when login API method is called. Each API request must have api_key parameter 2015-05-02 23:54:35 +02:00			`$stored_key = '';`
Work on authentication 2015-05-02 18:14:51 +02:00
			`$userClass = Defaults::$userIdentifierClass;`


New : API key authentication One key is stored by user when login API method is called. Each API request must have api_key parameter 2015-05-02 23:54:35 +02:00			`if (isset($_GET['api_key'])) {`
Work on authentication 2015-05-02 18:14:51 +02:00			`// @todo : check from database`
New : API key authentication One key is stored by user when login API method is called. Each API request must have api_key parameter 2015-05-02 23:54:35 +02:00			`$sql = "SELECT u.login, u.datec, u.api_key, ";`
			`$sql.= " u.tms as date_modification, u.entity";`
			`$sql.= " FROM ".MAIN_DB_PREFIX."user as u";`
			`$sql.= " WHERE u.api_key = '".$db->escape($_GET['api_key'])."'";`


Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00			`if ($db->query($sql))`
New : API key authentication One key is stored by user when login API method is called. Each API request must have api_key parameter 2015-05-02 23:54:35 +02:00			`{`
			`if ($db->num_rows($result))`
			`{`
			`$obj = $db->fetch_object($result);`
			`$login = $obj->login;`
			`$stored_key = $obj->api_key;`
			`}`
			`}`
Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00			`else {`
			`throw new RestException(503, 'Error when fetching user api_key :'.$db->error_msg);`
			`}`
New : API key authentication One key is stored by user when login API method is called. Each API request must have api_key parameter 2015-05-02 23:54:35 +02:00
			`if ( $stored_key != $_GET['api_key']) {`
Work on authentication 2015-05-02 18:14:51 +02:00			`$userClass::setCacheIdentifier($_GET['api_key']);`
			`return false;`
			`}`
New : API key authentication One key is stored by user when login API method is called. Each API request must have api_key parameter 2015-05-02 23:54:35 +02:00
			`$fuser = new User($db);`
Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00			`if(! $fuser->fetch('',$login)) {`
			`throw new RestException(503, 'Error when fetching user :'.$fuser->error);`
			`}`
			`$fuser->getrights();`
Verify API access by user to resource API authentication mechanism is supposed to be working with internal or external users 2015-05-03 14:44:37 +02:00			`static::$user = $fuser;`
New : API key authentication One key is stored by user when login API method is called. Each API request must have api_key parameter 2015-05-02 23:54:35 +02:00
			`if($fuser->societe_id)`
			`static::$role = 'external';`

			`if($fuser->admin)`
			`static::$role = 'admin';`
Work on authentication 2015-05-02 18:14:51 +02:00			`}`
			`else`
			`{`
			`return false;`
			`}`
Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00
Work on authentication 2015-05-02 18:14:51 +02:00			`$userClass::setCacheIdentifier(static::$role);`
			`Resources::$accessControlFunction = 'DolibarrApiAccess::verifyAccess';`
Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00			`return in_array(static::$role, (array) static::$requires) \|\| static::$role == 'admin';`
Work on authentication 2015-05-02 18:14:51 +02:00			`}`

			`public function __getWWWAuthenticateString()`
			`{`
New : API key authentication One key is stored by user when login API method is called. Each API request must have api_key parameter 2015-05-02 23:54:35 +02:00			`return '';`
Work on authentication 2015-05-02 18:14:51 +02:00			`}`

			`/**`
			`* @access private`
			`*/`
			`public static function verifyAccess(array $m)`
			`{`
Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00			`$requires = isset($m['class']['DolibarrApiAccess']['properties']['requires'])`
Work on authentication 2015-05-02 18:14:51 +02:00			`? $m['class']['DolibarrApiAccess']['properties']['requires']`
			`: false;`
Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00

Work on authentication 2015-05-02 18:14:51 +02:00			`return $requires`
Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00			`? static::$role == 'admin' \|\| in_array(static::$role, (array) $requires)`
Work on authentication 2015-05-02 18:14:51 +02:00			`: true;`
Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00
Work on authentication 2015-05-02 18:14:51 +02:00			`}`
			`}`