dolibarr  7.0.0-beta
api_access.class.php
1 <?php
2 /* Copyright (C) 2015 Jean-Fran├žois Ferry <jfefe@aternatik.fr>
3  * Copyright (C) 2016 Laurent Destailleur <eldy@users.sourceforge.net>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License as published by
7  * the Free Software Foundation; either version 3 of the License, or
8  * (at your option) any later version.
9  *
10  * This program is distributed in the hope that it will be useful,
11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13  * GNU General Public License for more details.
14  *
15  * You should have received a copy of the GNU General Public License
16  * along with this program. If not, see <http://www.gnu.org/licenses/>.
17  */
18 
19 // Create the autoloader for Luracast
20 require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/AutoLoader.php';
21 call_user_func(function () {
22  $loader = Luracast\Restler\AutoLoader::instance();
23  spl_autoload_register($loader);
24  return $loader;
25 });
26 
27 require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/iAuthenticate.php';
28 require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/iUseAuthentication.php';
29 require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/Resources.php';
30 require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/Defaults.php';
31 require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/RestException.php';
32 use \Luracast\Restler\iAuthenticate;
33 use \Luracast\Restler\iUseAuthentication;
34 use \Luracast\Restler\Resources;
35 use \Luracast\Restler\Defaults;
36 use \Luracast\Restler\RestException;
37 
38 
43 class DolibarrApiAccess implements iAuthenticate
44 {
45  const REALM = 'Restricted Dolibarr API';
46 
50  public static $requires = array('user','external','admin');
51 
55  public static $role = 'user';
56 
60  public static $user = '';
61 
62  // @codingStandardsIgnoreStart
63 
70  public function __isAllowed()
71  {
72  global $conf, $db;
73 
74  $login = '';
75  $stored_key = '';
76 
77  $userClass = Defaults::$userIdentifierClass;
78 
79  /*foreach ($_SERVER as $key => $val)
80  {
81  dol_syslog($key.' - '.$val);
82  }*/
83 
84  // api key can be provided in url with parameter api_key=xxx or ni header with header DOLAPIKEY:xxx
85  $api_key = '';
86  if (isset($_GET['api_key'])) // For backward compatibility
87  {
88  // TODO Add option to disable use of api key on url. Return errors if used.
89  $api_key = $_GET['api_key'];
90  }
91  if (isset($_GET['DOLAPIKEY']))
92  {
93  // TODO Add option to disable use of api key on url. Return errors if used.
94  $api_key = $_GET['DOLAPIKEY']; // With GET method
95  }
96  if (isset($_SERVER['HTTP_DOLAPIKEY'])) // Param DOLAPIKEY in header can be read with HTTP_DOLAPIKEY
97  {
98  $api_key = $_SERVER['HTTP_DOLAPIKEY']; // With header method (recommanded)
99  }
100 
101  if ($api_key)
102  {
103  $userentity = 0;
104 
105  $sql = "SELECT u.login, u.datec, u.api_key, ";
106  $sql.= " u.tms as date_modification, u.entity";
107  $sql.= " FROM ".MAIN_DB_PREFIX."user as u";
108  $sql.= " WHERE u.api_key = '".$db->escape($api_key)."'";
109  // TODO Check if 2 users has same API key.
110 
111  $result = $db->query($sql);
112  if ($result)
113  {
114  if ($db->num_rows($result))
115  {
116  $obj = $db->fetch_object($result);
117  $login = $obj->login;
118  $stored_key = $obj->api_key;
119  $userentity = $obj->entity;
120 
121  if (! defined("DOLENTITY") && $conf->entity != ($obj->entity?$obj->entity:1)) // If API was not forced with HTTP_DOLENTITY, and user is on another entity, so we reset entity to entity of user
122  {
123  $conf->entity = ($obj->entity?$obj->entity:1);
124  // We must also reload global conf to get params from the entity
125  dol_syslog("Entity was not set on http header with HTTP_DOLAPIENTITY (recommanded for performance purpose), so we switch now on entity of user (".$conf->entity .") and we have to reload configuration.", LOG_WARNING);
126  $conf->setValues($db);
127  }
128  }
129  }
130  else {
131  throw new RestException(503, 'Error when fetching user api_key :'.$db->error_msg);
132  }
133 
134  if ($stored_key != $api_key) { // This should not happen since we did a search on api_key
135  $userClass::setCacheIdentifier($api_key);
136  return false;
137  }
138 
139  if (! $login)
140  {
141  throw new RestException(503, 'Error when searching login user from api key');
142  }
143  $fuser = new User($db);
144  $result = $fuser->fetch('', $login, '', 0, (empty($userentity) ? -1 : $conf->entity)); // If user is not entity 0, we search in working entity $conf->entity (that may have been forced to a different value than user entity)
145  if ($result <= 0) {
146  throw new RestException(503, 'Error when fetching user :'.$fuser->error.' (conf->entity='.$conf->entity.')');
147  }
148  $fuser->getrights();
149  static::$user = $fuser;
150 
151  if($fuser->societe_id)
152  static::$role = 'external';
153 
154  if($fuser->admin)
155  static::$role = 'admin';
156  }
157  else
158  {
159  throw new RestException(401, "Failed to login to API. No parameter 'HTTP_DOLAPIKEY' on HTTP header (and no parameter DOLAPIKEY in URL).");
160  }
161 
162  $userClass::setCacheIdentifier(static::$role);
163  Resources::$accessControlFunction = 'DolibarrApiAccess::verifyAccess';
164  $requirefortest = static::$requires;
165  if (! is_array($requirefortest)) $requirefortest=explode(',',$requirefortest);
166  return in_array(static::$role, (array) $requirefortest) || static::$role == 'admin';
167  }
168 
175  public function __getWWWAuthenticateString()
176  {
177  return '';
178  }
179  // @codingStandardsIgnoreEnd
180 
189  public static function verifyAccess(array $m)
190  {
191  $requires = isset($m['class']['DolibarrApiAccess']['properties']['requires'])
192  ? $m['class']['DolibarrApiAccess']['properties']['requires']
193  : false;
194 
195 
196  return $requires
197  ? static::$role == 'admin' || in_array(static::$role, (array) $requires)
198  : true;
199 
200  }
201 }
static verifyAccess(array $m)
Verify access.
Class to manage Dolibarr users.
Definition: user.class.php:39
dol_syslog($message, $level=LOG_INFO, $ident=0, $suffixinfilename='', $restricttologhandler='')
Write log message into outputs.
__isAllowed()
Check access.
Dolibarr API access class.