From d6ce4e1086f37f6b4e9f74e827b359d78f63a164 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sun, 25 Apr 2021 20:23:41 +0200
Subject: [PATCH] Allow option to restrict API endpoints

---
 htdocs/api/class/api_setup.class.php | 8 ++++----
 htdocs/api/index.php | 23 +++++++++++++++++++++++
 2 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/htdocs/api/class/api_setup.class.php b/htdocs/api/class/api_setup.class.php
index ca716712189..ceaf5f8f7d8 100644
--- a/htdocs/api/class/api_setup.class.php
+++ b/htdocs/api/class/api_setup.class.php
@@ -1631,8 +1631,8 @@ class Setup extends DolibarrApi
 global $langs, $conf;
 
 if (!DolibarrApiAccess::$user->admin
- && (empty($conf->global->API_LOGIN_ALLOWED_FOR_INTEGRITY_CHECK) || DolibarrApiAccess::$user->login != $conf->global->API_LOGIN_ALLOWED_FOR_INTEGRITY_CHECK)) {
- throw new RestException(403, 'Error API open to admin users only or to the users with logins defined into constant API_LOGIN_ALLOWED_FOR_INTEGRITY_CHECK');
+ && (empty($conf->global->API_LOGINS_ALLOWED_FOR_INTEGRITY_CHECK) || DolibarrApiAccess::$user->login != $conf->global->API_LOGINS_ALLOWED_FOR_INTEGRITY_CHECK)) {
+ throw new RestException(403, 'Error API open to admin users only or to the users with logins defined into constant API_LOGINS_ALLOWED_FOR_INTEGRITY_CHECK');
 }
 
 require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
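Review bot: The constant is renamed to the plural `API_LOGINS_ALLOWED_FOR_INTEGRITY_CHECK`, but the condition on the added line still compares the caller's login with `!=` against the whole configured string, so only one login can ever be granted and a comma-separated value would deny everyone except admins. If a list is intended, split it first, `$allowed = array_map('trim', explode(',', $conf->global->API_LOGINS_ALLOWED_FOR_INTEGRITY_CHECK));` and test with `in_array(DolibarrApiAccess::$user->login, $allowed, true)`, which also replaces the loose comparison with a strict one. The same applies to the `API_LOGINS_ALLOWED_FOR_GET_MODULES` check in the second hunk of this file. The rename is also a silent change for installs that configured the old singular constant: those users now fall through to the admin-only refusal, which fails closed and is therefore safe, but a migration of the old value or a changelog note would avoid surprise. The enclosing method starts and ends outside the hunk.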
@@ -1937,8 +1937,8 @@ class Setup extends DolibarrApi
 global $conf;
 
 if (!DolibarrApiAccess::$user->admin
- && (empty($conf->global->API_LOGIN_ALLOWED_FOR_GET_MODULES) || DolibarrApiAccess::$user->login != $conf->global->API_LOGIN_ALLOWED_FOR_GET_MODULES)) {
- throw new RestException(403, 'Error API open to admin users only or to the users with logins defined into constant API_LOGIN_ALLOWED_FOR_GET_MODULES');
+ && (empty($conf->global->API_LOGINS_ALLOWED_FOR_GET_MODULES) || DolibarrApiAccess::$user->login != $conf->global->API_LOGINS_ALLOWED_FOR_GET_MODULES)) {
+ throw new RestException(403, 'Error API open to admin users only or to the users with logins defined into constant API_LOGINS_ALLOWED_FOR_GET_MODULES');
 }
 
 sort($conf->modules);
diff --git a/htdocs/api/index.php b/htdocs/api/index.php
index 241f33fd98a..7f5b3debbad 100644
--- a/htdocs/api/index.php
+++ b/htdocs/api/index.php
@@ -296,6 +296,29 @@ if (!empty($reg[1]) && ($reg[1] != 'explorer' || ($reg[2] != '/swagger.json' &&
 $classname = ucwords($moduleobject);
 
+ // Test rules on endpoints. For example:
+ // $conf->global->API_ENDPOINT_RULES = 'endpoint1:1,endpoint2:1,...'
+ if (!empty($conf->global->API_ENDPOINT_RULES)) {
+ $listofendpoints = explode(',', $conf->global->API_ENDPOINT_RULES);
+ $endpointisallowed = false;
+
+ foreach($listofendpoints as $endpointrule) {
+ $tmparray = explode(':', $endpointrule);
+ if ($classfile == $tmparray[0] && $tmparray[1] == 1) {
+ $endpointisallowed = true;
+ break;
+ }
+ }
+
+ if (! $endpointisallowed) {
+ dol_syslog('The API with endpoint /'.$classfile.' is forbidden by config API_ENDPOINT_RULES', LOG_WARNING);
+ print 'The API with endpoint /'.$classfile.' is forbidden by config API_ENDPOINT_RULES';
+ header('HTTP/1.1 501 API is forbidden by API_ENDPOINT_RULES');
+ //session_destroy();
+ exit(0);
+ }
+ }
+
 dol_syslog('Search api file /'.$moduledirforclass.'/class/api_'.$classfile.'.class.php => dir_part_file='.$dir_part_file.' classname='.$classname);
 
 $res = false;
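Review bot: The rule check `if ($classfile == $tmparray[0] && $tmparray[1] == 1) {` in the index.php hunk reads `$tmparray[1]` without confirming the rule contained a colon and compares loosely, so a malformed entry such as `endpoint1` emits an undefined-offset notice on every request and any value that merely coerces to 1 is accepted; `if (isset($tmparray[1]) && $classfile === trim($tmparray[0]) && trim($tmparray[1]) === '1') {` makes the allowlist explicit. In the deny branch the `print` precedes `header('HTTP/1.1 501 ...')`, so unless output buffering is enabled the status line can no longer be set and the client receives a 200 with an error body; swap the two lines, and 403 is the conventional status for a policy refusal (501 signals an unimplemented method). `$classfile` is reflected verbatim into the body; the response content type is not visible from this hunk, so if it may be served as text/html the value should pass through `htmlspecialchars()` or the branch should send `Content-Type: text/plain` before printing. The semantics are deny-by-default once the constant is set (anything not listed with `:1` is refused), which is the right direction but should be stated in the comment, e.g. `// Allowlist: when set, any endpoint not listed as name:1 is refused`. The enclosing `if (!empty($reg[1]) ...` block starts and ends outside the hunk.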