Mirrors/dolibarr
1
0
Fork 0
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-02-20 13:46:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

Allow option to restrict API endpoints

Browse Source
This commit is contained in:
Laurent Destailleur 2021-04-25 20:23:41 +02:00
parent 73c482ca64
commit d6ce4e1086
2 changed files with 27 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
htdocs/api/class/api_setup.class.php
View File

@ -1631,8 +1631,8 @@ class Setup extends DolibarrApi
global $langs, $conf;
if (!DolibarrApiAccess::$user->admin
&& (empty($conf->global->API_LOGIN_ALLOWED_FOR_INTEGRITY_CHECK) || DolibarrApiAccess::$user->login != $conf->global->API_LOGIN_ALLOWED_FOR_INTEGRITY_CHECK)) {
throw new RestException(403, 'Error API open to admin users only or to the users with logins defined into constant API_LOGIN_ALLOWED_FOR_INTEGRITY_CHECK');
&& (empty($conf->global->API_LOGINS_ALLOWED_FOR_INTEGRITY_CHECK) || DolibarrApiAccess::$user->login != $conf->global->API_LOGINS_ALLOWED_FOR_INTEGRITY_CHECK)) {
throw new RestException(403, 'Error API open to admin users only or to the users with logins defined into constant API_LOGINS_ALLOWED_FOR_INTEGRITY_CHECK');
}
require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
@ -1937,8 +1937,8 @@ class Setup extends DolibarrApi
global $conf;
if (!DolibarrApiAccess::$user->admin
&& (empty($conf->global->API_LOGIN_ALLOWED_FOR_GET_MODULES) || DolibarrApiAccess::$user->login != $conf->global->API_LOGIN_ALLOWED_FOR_GET_MODULES)) {
throw new RestException(403, 'Error API open to admin users only or to the users with logins defined into constant API_LOGIN_ALLOWED_FOR_GET_MODULES');
&& (empty($conf->global->API_LOGINS_ALLOWED_FOR_GET_MODULES) || DolibarrApiAccess::$user->login != $conf->global->API_LOGINS_ALLOWED_FOR_GET_MODULES)) {
throw new RestException(403, 'Error API open to admin users only or to the users with logins defined into constant API_LOGINS_ALLOWED_FOR_GET_MODULES');
}
sort($conf->modules);

23
htdocs/api/index.php
View File

@ -296,6 +296,29 @@ if (!empty($reg[1]) && ($reg[1] != 'explorer' || ($reg[2] != '/swagger.json' &&
$classname = ucwords($moduleobject);
// Test rules on endpoints. For example:
// $conf->global->API_ENDPOINT_RULES = 'endpoint1:1,endpoint2:1,...'
if (!empty($conf->global->API_ENDPOINT_RULES)) {
$listofendpoints = explode(',', $conf->global->API_ENDPOINT_RULES);
$endpointisallowed = false;
foreach($listofendpoints as $endpointrule) {
$tmparray = explode(':', $endpointrule);
if ($classfile == $tmparray[0] && $tmparray[1] == 1) {
$endpointisallowed = true;
break;
}
}
if (! $endpointisallowed) {
dol_syslog('The API with endpoint /'.$classfile.' is forbidden by config API_ENDPOINT_RULES', LOG_WARNING);
print 'The API with endpoint /'.$classfile.' is forbidden by config API_ENDPOINT_RULES';
header('HTTP/1.1 501 API is forbidden by API_ENDPOINT_RULES');
//session_destroy();
exit(0);
}
}
dol_syslog('Search api file /'.$moduledirforclass.'/class/api_'.$classfile.'.class.php => dir_part_file='.$dir_part_file.' classname='.$classname);
$res = false;