dolibarr/htdocs/api/class/api_access.class.php

<?php
/* Copyright (C) 2015   Jean-François Ferry     <jfefe@aternatik.fr>
 * Copyright (C) 2016	Laurent Destailleur		<eldy@users.sourceforge.net>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */

// Create the autoloader for Luracast
require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/AutoLoader.php';
call_user_func(function () {
    $loader = Luracast\Restler\AutoLoader::instance();
    spl_autoload_register($loader);
    return $loader;
});

require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/iAuthenticate.php';
require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/iUseAuthentication.php';
require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/Resources.php';
require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/Defaults.php';
require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/RestException.php';
use \Luracast\Restler\iAuthenticate;
use \Luracast\Restler\iUseAuthentication;
use \Luracast\Restler\Resources;
use \Luracast\Restler\Defaults;
use \Luracast\Restler\RestException;


/**
 * Dolibarr API access class
 *
 */
class DolibarrApiAccess implements iAuthenticate
{
	const REALM = 'Restricted Dolibarr API';

	/**
	 * @var array $requires	role required by API method		user / external / admin
	 */
	public static $requires = array('user','external','admin');

	/**
	 * @var string $role		user role
	 */
    public static $role = 'user';

	/**
	 * @var User		$user	Loggued user
	 */
	public static $user = '';

    // @codingStandardsIgnoreStart

	/**
	 * Check access
	 *
	 * @return bool
	 * @throws RestException
	 */
	public function __isAllowed()
	{
		global $conf, $db;

		$login = '';
		$stored_key = '';

		$userClass = Defaults::$userIdentifierClass;

		/*foreach ($_SERVER as $key => $val)
		{
		    dol_syslog($key.' - '.$val);
		}*/

		// api key can be provided in url with parameter api_key=xxx or ni header with header DOLAPIKEY:xxx
		$api_key = '';
		if (isset($_GET['api_key']))	// For backward compatibility
		{
		    // TODO Add option to disable use of api key on url. Return errors if used.
		    $api_key = $_GET['api_key'];
		}
		if (isset($_GET['DOLAPIKEY']))
		{
		    // TODO Add option to disable use of api key on url. Return errors if used.
		    $api_key = $_GET['DOLAPIKEY'];                     // With GET method
		}
		if (isset($_SERVER['HTTP_DOLAPIKEY']))         // Param DOLAPIKEY in header can be read with HTTP_DOLAPIKEY
		{
		    $api_key = $_SERVER['HTTP_DOLAPIKEY'];     // With header method (recommanded)
		}

		if ($api_key)
		{
			$userentity = 0;

			$sql = "SELECT u.login, u.datec, u.api_key, ";
			$sql.= " u.tms as date_modification, u.entity";
			$sql.= " FROM ".MAIN_DB_PREFIX."user as u";
			$sql.= " WHERE u.api_key = '".$db->escape($api_key)."'";
			// TODO Check if 2 users has same API key.

			$result = $db->query($sql);
			if ($result)
			{
				if ($db->num_rows($result))
				{
					$obj = $db->fetch_object($result);
					$login = $obj->login;
					$stored_key = $obj->api_key;
					$userentity = $obj->entity;

					if (! defined("DOLENTITY") && $conf->entity != ($obj->entity?$obj->entity:1))		// If API was not forced with HTTP_DOLENTITY, and user is on another entity, so we reset entity to entity of user
					{
						$conf->entity = ($obj->entity?$obj->entity:1);
						// We must also reload global conf to get params from the entity
						dol_syslog("Entity was not set on http header with HTTP_DOLAPIENTITY (recommanded for performance purpose), so we switch now on entity of user (".$conf->entity .") and we have to reload configuration.", LOG_WARNING);
						$conf->setValues($db);
					}
				}
			}
			else {
				throw new RestException(503, 'Error when fetching user api_key :'.$db->error_msg);
			}

			if ($stored_key != $api_key) {		// This should not happen since we did a search on api_key
				$userClass::setCacheIdentifier($api_key);
				return false;
			}

			if (! $login)
			{
			    throw new RestException(503, 'Error when searching login user from api key');
			}
			$fuser = new User($db);
			$result = $fuser->fetch('', $login, '', 0, (empty($userentity) ? -1 : $conf->entity));	// If user is not entity 0, we search in working entity $conf->entity  (that may have been forced to a different value than user entity)
			if ($result <= 0) {
				throw new RestException(503, 'Error when fetching user :'.$fuser->error.' (conf->entity='.$conf->entity.')');
			}
			$fuser->getrights();
			static::$user = $fuser;

			if($fuser->societe_id)
				static::$role = 'external';

			if($fuser->admin)
				static::$role = 'admin';
        }
		else
		{
		    throw new RestException(401, "Failed to login to API. No parameter 'HTTP_DOLAPIKEY' on HTTP header (and no parameter DOLAPIKEY in URL).");
		}

	    $userClass::setCacheIdentifier(static::$role);
	    Resources::$accessControlFunction = 'DolibarrApiAccess::verifyAccess';
	    $requirefortest = static::$requires;
	    if (! is_array($requirefortest)) $requirefortest=explode(',',$requirefortest);
	    return in_array(static::$role, (array) $requirefortest) || static::$role == 'admin';
	}

	/**
	 * @return string string to be used with WWW-Authenticate header
	 * @example Basic
	 * @example Digest
	 * @example OAuth
	 */
	public function __getWWWAuthenticateString()
    {
        return '';
    }
    // @codingStandardsIgnoreEnd

	/**
	 * Verify access
	 *
	 * @param   array $m Properties of method
	 *
	 * @access private
	 * @return bool
	 */
    public static function verifyAccess(array $m)
    {
        $requires = isset($m['class']['DolibarrApiAccess']['properties']['requires'])
                ? $m['class']['DolibarrApiAccess']['properties']['requires']
                : false;


        return $requires
            ? static::$role == 'admin' || in_array(static::$role, (array) $requires)
            : true;

    }
}
Work on authentication 2015-05-02 18:14:51 +02:00			`<?php`
PHPCS again 2015-05-06 01:25:56 +02:00			`/* Copyright (C) 2015 Jean-François Ferry <jfefe@aternatik.fr>`
Merge branch 'rest-api-add-accounts' of https://github.com/EuskalMoneta/dolibarr into EuskalMoneta-rest-api-add-accounts Conflicts: htdocs/api/index.php htdocs/commande/class/api_orders.class.php 2016-09-26 02:18:11 +02:00			`* Copyright (C) 2016 Laurent Destailleur <eldy@users.sourceforge.net>`
PHPCS again 2015-05-06 01:25:56 +02:00			`*`
			`* This program is free software; you can redistribute it and/or modify`
			`* it under the terms of the GNU General Public License as published by`
			`* the Free Software Foundation; either version 3 of the License, or`
			`* (at your option) any later version.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public License`
			`* along with this program. If not, see <http://www.gnu.org/licenses/>.`
			`*/`
Work on authentication 2015-05-02 18:14:51 +02:00
Restler #3544 2015-11-22 17:17:06 +01:00			`// Create the autoloader for Luracast`
			`require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/AutoLoader.php';`
			`call_user_func(function () {`
			`$loader = Luracast\Restler\AutoLoader::instance();`
			`spl_autoload_register($loader);`
			`return $loader;`
			`});`

			`require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/iAuthenticate.php';`
			`require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/iUseAuthentication.php';`
			`require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/Resources.php';`
			`require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/Defaults.php';`
			`require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/RestException.php';`
Work on authentication 2015-05-02 18:14:51 +02:00			`use \Luracast\Restler\iAuthenticate;`
Restler #3544 2015-11-22 17:17:06 +01:00			`use \Luracast\Restler\iUseAuthentication;`
Work on authentication 2015-05-02 18:14:51 +02:00			`use \Luracast\Restler\Resources;`
			`use \Luracast\Restler\Defaults;`
Fixed some coding style issues 2015-06-02 15:12:19 +02:00			`use \Luracast\Restler\RestException;`
Work on authentication 2015-05-02 18:14:51 +02:00

			`/**`
Fix PHPCS 2015-05-06 00:55:42 +02:00			`* Dolibarr API access class`
Work on authentication 2015-05-02 18:14:51 +02:00			`*`
			`*/`
			`class DolibarrApiAccess implements iAuthenticate`
			`{`
			`const REALM = 'Restricted Dolibarr API';`
Fix PHPCS 2015-05-12 16:42:35 +02:00
Work on authentication 2015-05-02 18:14:51 +02:00			`/**`
Fix PHPCS 2015-05-12 16:42:35 +02:00			`* @var array $requires role required by API method user / external / admin`
Work on authentication 2015-05-02 18:14:51 +02:00			`*/`
Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00			`public static $requires = array('user','external','admin');`
Fix PHPCS 2015-05-12 16:42:35 +02:00
New : API key authentication One key is stored by user when login API method is called. Each API request must have api_key parameter 2015-05-02 23:54:35 +02:00			`/**`
			`* @var string $role user role`
			`*/`
Work on authentication 2015-05-02 18:14:51 +02:00			`public static $role = 'user';`
Fix PHPCS 2015-05-12 16:42:35 +02:00
Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00			`/**`
Fix PHPCS 2015-05-12 16:42:35 +02:00			`* @var User $user Loggued user`
Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00			`*/`
Verify API access by user to resource API authentication mechanism is supposed to be working with internal or external users 2015-05-03 14:44:37 +02:00			`public static $user = '';`
Fix PHPCS 2015-05-12 16:42:35 +02:00
Fix phpcs 2015-06-05 20:23:04 +02:00			`// @codingStandardsIgnoreStart`

New : API key authentication One key is stored by user when login API method is called. Each API request must have api_key parameter 2015-05-02 23:54:35 +02:00			`/**`
			`* Check access`
Fix PHPCS 2015-05-12 16:42:35 +02:00			`*`
Fixed some coding style issues 2015-06-02 15:12:19 +02:00			`* @return bool`
			`* @throws RestException`
New : API key authentication One key is stored by user when login API method is called. Each API request must have api_key parameter 2015-05-02 23:54:35 +02:00			`*/`
Minor fix into rest API : use implemented method name 2015-06-15 13:25:02 +02:00			`public function __isAllowed()`
Fixed some coding style issues 2015-06-02 15:12:19 +02:00			`{`
Fix API when using an API key for a user in another entity 2017-10-16 16:23:50 +02:00			`global $conf, $db;`
Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00
Fix not initialized variables 2016-05-08 12:32:18 +02:00			`$login = '';`
New : API key authentication One key is stored by user when login API method is called. Each API request must have api_key parameter 2015-05-02 23:54:35 +02:00			`$stored_key = '';`
Fix PHPCS 2015-05-12 16:42:35 +02:00
Work on authentication 2015-05-02 18:14:51 +02:00			`$userClass = Defaults::$userIdentifierClass;`
Fix PHPCS 2015-05-12 16:42:35 +02:00
FIX Rename api_key into DOLAPIKEY to allow to use it on http header. 2017-01-22 20:55:26 +01:00			`/*foreach ($_SERVER as $key => $val)`
			`{`
			`dol_syslog($key.' - '.$val);`
			`}*/`
Code comment 2017-06-25 12:26:16 +02:00
FIX Rename api_key into DOLAPIKEY to allow to use it on http header. 2017-01-22 20:55:26 +01:00			`// api key can be provided in url with parameter api_key=xxx or ni header with header DOLAPIKEY:xxx`
			`$api_key = '';`
Move function colorIsLight into functions.lib.php Fix scrutinizer bugs. 2017-10-16 09:29:10 +02:00			`if (isset($_GET['api_key'])) // For backward compatibility`
FIX Rename api_key into DOLAPIKEY to allow to use it on http header. 2017-01-22 20:55:26 +01:00			`{`
			`// TODO Add option to disable use of api key on url. Return errors if used.`
Move function colorIsLight into functions.lib.php Fix scrutinizer bugs. 2017-10-16 09:29:10 +02:00			`$api_key = $_GET['api_key'];`
FIX Rename api_key into DOLAPIKEY to allow to use it on http header. 2017-01-22 20:55:26 +01:00			`}`
Code comment 2017-06-25 12:26:16 +02:00			`if (isset($_GET['DOLAPIKEY']))`
FIX Rename api_key into DOLAPIKEY to allow to use it on http header. 2017-01-22 20:55:26 +01:00			`{`
			`// TODO Add option to disable use of api key on url. Return errors if used.`
			`$api_key = $_GET['DOLAPIKEY']; // With GET method`
			`}`
Code comment 2017-06-25 12:26:16 +02:00			`if (isset($_SERVER['HTTP_DOLAPIKEY'])) // Param DOLAPIKEY in header can be read with HTTP_DOLAPIKEY`
FIX Rename api_key into DOLAPIKEY to allow to use it on http header. 2017-01-22 20:55:26 +01:00			`{`
			`$api_key = $_SERVER['HTTP_DOLAPIKEY']; // With header method (recommanded)`
			`}`
Code comment 2017-06-25 12:26:16 +02:00
			`if ($api_key)`
A better error message 2015-09-21 15:38:17 +02:00			`{`
Fix API when using an API key for a user in another entity 2017-10-16 16:23:50 +02:00			`$userentity = 0;`

New : API key authentication One key is stored by user when login API method is called. Each API request must have api_key parameter 2015-05-02 23:54:35 +02:00			`$sql = "SELECT u.login, u.datec, u.api_key, ";`
			`$sql.= " u.tms as date_modification, u.entity";`
			`$sql.= " FROM ".MAIN_DB_PREFIX."user as u";`
FIX Rename api_key into DOLAPIKEY to allow to use it on http header. 2017-01-22 20:55:26 +01:00			`$sql.= " WHERE u.api_key = '".$db->escape($api_key)."'";`
Fix API when using an API key for a user in another entity 2017-10-16 16:23:50 +02:00			`// TODO Check if 2 users has same API key.`
Fix init of environment for a dedicated entity in API 2017-10-19 17:30:08 +02:00
Fixed some coding style issues 2015-06-02 15:12:19 +02:00			`$result = $db->query($sql);`
			`if ($result)`
New : API key authentication One key is stored by user when login API method is called. Each API request must have api_key parameter 2015-05-02 23:54:35 +02:00			`{`
			`if ($db->num_rows($result))`
			`{`
			`$obj = $db->fetch_object($result);`
			`$login = $obj->login;`
			`$stored_key = $obj->api_key;`
Fix API when using an API key for a user in another entity 2017-10-16 16:23:50 +02:00			`$userentity = $obj->entity;`

Fix init of environment for a dedicated entity in API 2017-10-19 17:32:23 +02:00			`if (! defined("DOLENTITY") && $conf->entity != ($obj->entity?$obj->entity:1)) // If API was not forced with HTTP_DOLENTITY, and user is on another entity, so we reset entity to entity of user`
Fix API when using an API key for a user in another entity 2017-10-16 16:23:50 +02:00			`{`
			`$conf->entity = ($obj->entity?$obj->entity:1);`
Fix init of environment for a dedicated entity in API 2017-10-19 17:30:08 +02:00			`// We must also reload global conf to get params from the entity`
			`dol_syslog("Entity was not set on http header with HTTP_DOLAPIENTITY (recommanded for performance purpose), so we switch now on entity of user (".$conf->entity .") and we have to reload configuration.", LOG_WARNING);`
			`$conf->setValues($db);`
Fix API when using an API key for a user in another entity 2017-10-16 16:23:50 +02:00			`}`
New : API key authentication One key is stored by user when login API method is called. Each API request must have api_key parameter 2015-05-02 23:54:35 +02:00			`}`
			`}`
Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00			`else {`
			`throw new RestException(503, 'Error when fetching user api_key :'.$db->error_msg);`
			`}`
New : API key authentication One key is stored by user when login API method is called. Each API request must have api_key parameter 2015-05-02 23:54:35 +02:00
Fix API when using an API key for a user in another entity 2017-10-16 16:23:50 +02:00			`if ($stored_key != $api_key) { // This should not happen since we did a search on api_key`
FIX Rename api_key into DOLAPIKEY to allow to use it on http header. 2017-01-22 20:55:26 +01:00			`$userClass::setCacheIdentifier($api_key);`
Work on authentication 2015-05-02 18:14:51 +02:00			`return false;`
			`}`
Fix PHPCS 2015-05-12 16:42:35 +02:00
Fix not initialized variables 2016-05-08 12:32:18 +02:00			`if (! $login)`
			`{`
Fix API when using an API key for a user in another entity 2017-10-16 16:23:50 +02:00			`throw new RestException(503, 'Error when searching login user from api key');`
Fix not initialized variables 2016-05-08 12:32:18 +02:00			`}`
New : API key authentication One key is stored by user when login API method is called. Each API request must have api_key parameter 2015-05-02 23:54:35 +02:00			`$fuser = new User($db);`
Fix API when using an API key for a user in another entity 2017-10-16 16:23:50 +02:00			`$result = $fuser->fetch('', $login, '', 0, (empty($userentity) ? -1 : $conf->entity)); // If user is not entity 0, we search in working entity $conf->entity (that may have been forced to a different value than user entity)`
			`if ($result <= 0) {`
			`throw new RestException(503, 'Error when fetching user :'.$fuser->error.' (conf->entity='.$conf->entity.')');`
Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00			`}`
			`$fuser->getrights();`
Verify API access by user to resource API authentication mechanism is supposed to be working with internal or external users 2015-05-03 14:44:37 +02:00			`static::$user = $fuser;`
Fix PHPCS 2015-05-12 16:42:35 +02:00
New : API key authentication One key is stored by user when login API method is called. Each API request must have api_key parameter 2015-05-02 23:54:35 +02:00			`if($fuser->societe_id)`
			`static::$role = 'external';`
Fix PHPCS 2015-05-12 16:42:35 +02:00
New : API key authentication One key is stored by user when login API method is called. Each API request must have api_key parameter 2015-05-02 23:54:35 +02:00			`if($fuser->admin)`
			`static::$role = 'admin';`
Work on authentication 2015-05-02 18:14:51 +02:00			`}`
			`else`
			`{`
Fix error message 2017-10-16 14:56:56 +02:00			`throw new RestException(401, "Failed to login to API. No parameter 'HTTP_DOLAPIKEY' on HTTP header (and no parameter DOLAPIKEY in URL).");`
Work on authentication 2015-05-02 18:14:51 +02:00			`}`
Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00
Fix API when using an API key for a user in another entity 2017-10-16 16:23:50 +02:00			`$userClass::setCacheIdentifier(static::$role);`
			`Resources::$accessControlFunction = 'DolibarrApiAccess::verifyAccess';`
			`$requirefortest = static::$requires;`
			`if (! is_array($requirefortest)) $requirefortest=explode(',',$requirefortest);`
			`return in_array(static::$role, (array) $requirefortest) \|\| static::$role == 'admin';`
Work on authentication 2015-05-02 18:14:51 +02:00			`}`
Fix PHPCS 2015-05-12 16:42:35 +02:00
Fixed some coding style issues 2015-06-02 15:12:19 +02:00			`/**`
			`* @return string string to be used with WWW-Authenticate header`
			`* @example Basic`
			`* @example Digest`
			`* @example OAuth`
			`*/`
Minor fix into rest API : use implemented method name 2015-06-15 13:25:02 +02:00			`public function __getWWWAuthenticateString()`
Work on authentication 2015-05-02 18:14:51 +02:00			`{`
New : API key authentication One key is stored by user when login API method is called. Each API request must have api_key parameter 2015-05-02 23:54:35 +02:00			`return '';`
Work on authentication 2015-05-02 18:14:51 +02:00			`}`
Add comment to ignore PHPCs error due to restler framework 2015-05-12 16:35:05 +02:00			`// @codingStandardsIgnoreEnd`
Fix PHPCS 2015-05-12 16:42:35 +02:00
Work on authentication 2015-05-02 18:14:51 +02:00			`/**`
Fixed some coding style issues 2015-06-02 15:12:19 +02:00			`* Verify access`
			`*`
			`* @param array $m Properties of method`
			`*`
			`* @access private`
			`* @return bool`
			`*/`
Work on authentication 2015-05-02 18:14:51 +02:00			`public static function verifyAccess(array $m)`
			`{`
Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00			`$requires = isset($m['class']['DolibarrApiAccess']['properties']['requires'])`
Work on authentication 2015-05-02 18:14:51 +02:00			`? $m['class']['DolibarrApiAccess']['properties']['requires']`
			`: false;`
Fix PHPCS 2015-05-12 16:42:35 +02:00

Work on authentication 2015-05-02 18:14:51 +02:00			`return $requires`
Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} 2015-05-03 01:54:04 +02:00			`? static::$role == 'admin' \|\| in_array(static::$role, (array) $requires)`
Work on authentication 2015-05-02 18:14:51 +02:00			`: true;`
Fix PHPCS 2015-05-12 16:42:35 +02:00
Work on authentication 2015-05-02 18:14:51 +02:00			`}`
			`}`